F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. F5 SSL Orchestrator
  4. F5 SSL Orchestrator Release Notes version 14.1.0-5.4
Release Notes : F5 SSL Orchestrator Release Notes version 14.1.0-5.4

Applies To:

Show Versions Show Versions

F5 SSL Orchestrator

  • 14.1.0
Release Notes
Original Publication Date: 03/21/2019 Updated Date: 05/23/2019

Summary:

This release note documents the version 5.4 release of F5 SSL Orchestrator.

Contents:

Platform support

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name Platform ID
i2800 C120
i5800 C121
i10800 C122
i11800 Discovery Extreme C123
i15800 Endeavour D116
High Performance F5 SSL Orchestrator Virtual Edition (VE) options:
  • 8 CPU
  • 16 CPU
 Z100
Note: SSL Orchestrator 5.4 does not work with BIG-IP versions prior to 14.1.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: SSL Orchestrator standalone base license is not supported on VIPRION chassis.
Note: The supported platform information applies to the most recent release version.

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URLF Filtering (subscription)
  • IPI (subscription)
  • Network HSM
  • Access Policy Manager (APM)
Note: For more information about purchasing other module licenses, contact your F5 Sales representative.

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries and Bourne platforms (not including VIPRION):

Platform name
2000, i2000
4000, i4000
5000, i5000
7000, i7000
10000, i10000
11000, i11000
12000 (Bourne)
i15000
Note: SSL Orchestrator 5.4 does not work with BIG-IP versions prior to 14.1.0. Refer to the Installing and Upgrading SSL Orchestrator section for complete installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

Features in SSL Orchestrator

F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. Reviewing the release note section on Installing and Upgrading SSL Orchestrator provides you with the details necessary for fulling any prerequisites and required steps that streamline the process.

Guided Configuration for SSL Orchestrator

Guided configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of the Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the available link next to the version number to download it from downloads.f5.com then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Prior to installing and upgrading to the latest version of SSL Orchestrator, ensure that you read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps during installation or upgrade.

SSL Orchestrator Topologies

SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) you wish to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that assist you in defining inbound decryption and outbound decryption, setting your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services) and creating your service policies by defining per-request and per-session policy settings that can be managed through a virtual policy editor.

  • Outbound transparent proxy
  • Outbound explicit proxy
  • Inbound reverse proxy
  • Outbound layer 2
  • Inbound layer 2

Licensing and Provisioning for SSL Orchestrator Access Integration

Updated SSL Orchestrator Setup Utility with resource provisioning capabilities for licensed and unlicensed modules.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Virtual Clustered Multiprocessing (vCMP)

SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.

Classification Engine

Classification Engine provides a rich set of methods based on context to dynamically determine how best to optimize the flow through the security stack. Context can minimally come from the following:

  • Source IP/subnet
  • Destination IP/subnet
  • IP intelligence category - Subscription
  • IP geolocation
  • Host and domain name
  • URL filtering category - Subscription
  • Destination port
  • Protocol

Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.

Deployment Modes

SSL Orchestrator provides multiple deployment modes to address a variety of user needs. It can be deployed in any of the following modes:
  • Single device mode
  • High availability (HA) cluster mode

In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.

SSL Orchestrator Analytics

SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.

Statistics generated:

  • Hit Count
  • Client Bytes Out Per Second
  • Duration
  • Server Bytes In
  • Server Bytes In Per Second
  • Hit Count Per Second
  • Server Bytes Out Per Second
  • Client Bytes In
  • Client Bytes In Per Second
  • Client Bytes Out
  • Server Bytes Out

Statistics are generated for the following dimensions:

  • Client Cipher Names
  • Client Cipher Versions
  • Server Cipher Names
  • Server Cipher Versions
  • Virtual Servers
  • Site IP Addresses
  • Traffic Types
  • Decryption Status
  • Policy Actions
  • Service Paths
  • URL Categories
  • Applications
  • Application Families
  • IP Reputation
  • Destination Countries

L7 Application Protocol Settings

SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.

Fixes

ID number Description
754908 The HTTP header exceeded the maximum allowed size of 32768 bytes. Impact: If the custom HTTP Profile values are not maintained, Response content that is sending a large number of HTTP Headers, or very long HTTP headers will not be allowed through to the client. Workaround: Modify the default values of the HTTP header count & size in the parent HTTP profile fixes the issue: tmsh modify ltm profile http http enforcement { max-header-count 128 max-header-size 65536 }.
759303 The current SSL Orchestrator UI does not have a single click option to delete all the deployment related iAppLX and MCP objects. Impact: User must individually delete every iApp component. Fix: Created a single click option.
759420 In BIG-IP SSL Orchestrator v14.x with the v5.x of Guided Configuration RPM, when URL Categorization is performed, some invalid URL categories are inserted in the Access Policy and results in traffic being blocked. Impact: The user will have a configuration that does not operate properly and blocks traffic where URL categorization is performed. Workaround: The user should remove all categorization where the category indicates "Internet Watch Foundation". After upgrading to 5.4, remove all URL categories where the category indicates "Internet Watch Foundation". A valid list of categories can be found in the UI under Access > Secure Web Gateway > URL Categories . The affected module is SSLO.
759421 After upgrading from v5.0 to v5.4, the L7 Profile and authProfile does not appear in Interception Rules topology: the Profile/L7 Profile Type are set to None and XP IR does not show SWG Access Profile and is also set to None. Impact: Redeploying the Interception Rules without manually correcting the issues may result in a deployment failure. Fix: Upgrade first from v5.0 to v5.3 and redeploy your configuration in v5.3. After that, upgrade again from v5.3 to v5.4 with your configuration.
759773 The F5 SSL Orchestrator fails to resolve hostname in explicit-proxy requests for HTTP sites (it works as expected for HTTPS sites). The client browser returns 404 error Cannot resolve hostname '<website>' in explicit-proxy request. You observe a log message similar to the following example in the /var/log/ltm file: Rule /Common/sslo_explicit_sslo.app/sslo_explicit_sslo-xp <HTTP_PROXY_REQUEST>: Cannot resolve hostname 'f5.com' in explicit-proxy request. Impact: Clients cannot access HTTP sites via the explicit-proxy deployed on the F5 SSL Orchestrator. The HTTP-related client requests are not processed by the F5 SSL Orchestrator; HTTPS traffic works as expected. Fix: Restart the named process manually. To do so, perform the following procedure:
  1. Login to the TMSH utility.
  2. Restart the named process by typing the following command: restart /sys service named.
760760 The SSL Orchestrator Deploy button is greyed out after a user attempts to rearrange the order of the Rules in the Security Policy topology and want to redeploy. The Deploy button is again greyed out when a user attempts to edit a deployed topology and in the Security Policy topology and uses drag and drop to change the order of the Rules. Impact: The user cannot deploy the desired configuration. Fix: The Deploy button is now available when performing the described steps.
761116 The SSL Orchestrator outbound topology configuration disappears from the UI. Workaround: Select iApps > Application Services > Applications LX . The missing topology appears Applications LX screen but with a red icon next to it. Select the check box and click Deploy. When returning to the SSL Orchestrator > Configuration screen, the outbound topology appears again under the Topologies tab.

Install and upgrade SSL Orchestrator

If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator version 5.4 in the SSL Orchestrator: Setup version 14.1.0-5.0 guide.

If you currently have SSL Orchestrator 5.0 through 5.3 installed, click SSL Orchestration > Configuration > Upgrade SSL Orchestrator and follow the SSL Orchestrator RPM upgrade instructions to import the newest 5.4 version.

To install the F5 SSL Orchestrator 5.4 and you do not have an existing SSL Orchestrator add-on license, or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide. The Guided Configuration for SSL Orchestrator 5.4 image is packaged with the F5 BIG-IP 14.1.0 image.

To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or you have an existing add-on license, follow the recommended upgrade steps found in the SSL Orchestrator recommended upgrade procedure section in the SSL Orchestrator: Setup guide. This procedure walks you through the uninstallation and deletion of existing SSL Orchestrator applications and RPM before installing the new ISO image.

If you do not follow the recommended upgrade procedure to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, further manual steps are required to reset your environment and undeploy the previous version. See the Upgrade from previous SSL Orchestrator versions using the recovery procedure task steps in the SSL Orchestrator: Setup guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.

These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.

Note: If you are implementing a high availability environment for SSL Orchestrator, review the Setting up SSL Orchestrator in a High Availability Environment section in the SSL Orchestrator: Setup guide for more detailed information.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.
F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.
Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information