Manual Chapter: Managing SSLO Device Configurations

Applies To:

BIG-IQ Centralized Management

  • 8.4.0

Managing SSLO Device Configurations

Before you begin installing an SSLO RPM upgrade, obtain the SSLO RPM file that you want to install on the managed devices: navigate to f5.downloads.com and download the relevant files to your local machine.

You can use BIG-IQ Centralized Management to upgrade the SSL Orchestrator RPM version on your managed devices.

  1. From BIG-IQ, navigate to SSL Orchestrator > Devices.

  2. Select the checkbox next to each device on which you want to install the upgraded SSLO RPM version.

  3. Select Upgrade SSL Orchestrator.

    A popup will appear.

  4. Click the Choose file button and select an RPM file from your local machine.

  5. Once you have uploaded the file, select Upgrade.

Your managed BIG-IP device will be upgraded to your desired SSLO RPM version.

You may use BIG-IQ to remove all SSL Orchestrator configuration objects from a managed BIG-IP with SSL Orchestrator provisioned. Follow the procedure below to do so.

  1. From BIG-IQ, navigate to Configuration > SSL ORCHESTRATOR > Devices.

  2. Select the device or devices from which you would like to remove configuration objects.

  3. Select Remove SSLO Configurations.

    A popup will appear.

  4. Select OK to remove the SSLO configuration from this device or devices.

    Note: This action is final and cannot be undone.

All SSLO configurations will be removed from this managed BIG-IP device.

From BIG-IQ, you can modify the device configuration for a managed BIG-IP device, view the status of services deployed to the device, and deploy changes to it.

  1. At the top of the page, view your services deployed in a topology on this device. To edit a security service configuration, select the name of the service and you will be directed to a page where you can make edits.

  2. From BIG-IQ, navigate to Configuration > SSL Orchestrator > Devices.

  3. Select a managed BIG-IP device from the Devices list.

    You will be directed to a page where you may configure SSLO BIG-IP device settings.

  4. Under Device Settings, specify whether you want this configuration to support IPv4 addresses or IPv6 addresses from the dropdown menu.

    You must configure IP addresses in the family you select for all IP address fields in this application.

  5. Under the DNS section, select either Internet Authoritative Nameserver, which permits the system to send DNS queries directly out to the Internet, or Local Forwarding Nameserver.

    Direct resolution can be more reliable than using forwarders but requires outbound UDP+TCP port 53 access to the Internet.

  6. Click the DNSSec Validation checkbox to specify whether you want to use DNSSEC to validate the DNS information.

    F5 recommends using DNSSEC to validate DNS information as it improves security.

  7. If you selected Local Forwarding Nameserver in the above section, add one or more local DNS nameservers in the Local Forwarding NameServer(s) section.

  8. Under Routing, select Default to have all SSL intercept traffic use the default route, or select Create New to route the traffic through a custom Internet gateway. Add an Address and specify the Ratio to define the ratio of traffic sent to each device.

  9. Under the Logging Configuration section, select a logging level for this device from the dropdown menu. You may select from Errors, Normal, or Debug.

  10. You may enable the default log configuration by selecting the checkbox. For Per-Request Policy, FTP, IMAP, POP3, SMTPS, and SSL Orchestrator Generic (generic logs for the SSL Orchestrator configuration), select the level of severity that you would like to log for this data.

  11. Select Deploy to push changes to this managed device.

Your configuration changes will be deployed to the managed BIG-IP device.
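
Step 5 notes that Internet Authoritative Nameserver requires outbound UDP+TCP port 53 access to the Internet. The following pre-flight check is an added example, not F5 code: it sends one DNS query over each transport from a host that shares the device's egress path. The function names and the probe target (a.root-servers.net, 198.41.0.4) are assumptions chosen for illustration.

```python
import socket
import struct

ROOT_SERVER = "198.41.0.4"  # a.root-servers.net; assumed probe target, substitute your own

def build_query(name=".", qtype=2, txid=0x5353):
    """Minimal RFC 1035 query (RD=0), default: NS records for the root zone."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_reply(data, txid=0x5353):
    """Return (is_valid_reply, truncated) for a raw DNS message."""
    if len(data) < 12:
        return (False, False)
    rid, flags = struct.unpack("!HH", data[:4])
    # QR bit (0x8000) marks a response; TC bit (0x0200) marks truncation
    return (rid == txid and bool(flags & 0x8000), bool(flags & 0x0200))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server, proto, port=53, timeout=3.0):
    """True if a DNS reply came back from server over 'udp' or 'tcp'."""
    query = build_query()
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    try:
        if proto == "udp":
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data = s.recvfrom(4096)[0]
        else:
            with socket.create_connection((server, port), timeout=timeout) as s:
                # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
    except OSError:  # timeout, refused, or unreachable
        return False
    return parse_reply(data)[0]

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(f"{proto}/53 -> {ROOT_SERVER}:", "ok" if probe(ROOT_SERVER, proto) else "BLOCKED")
```

If either transport reports BLOCKED, open the egress rule before selecting Internet Authoritative Nameserver, or use Local Forwarding Nameserver instead.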