Applies To:
F5 SSL Orchestrator
- 16.1.0
Updated Date: 02/01/2024
Summary:
This release note documents the version 9.0 release of F5 SSL Orchestrator.
Contents:
- Platform support
- Guided Configuration browser support
- User documentation for this release
- Features in SSL Orchestrator
- Fixes
- Known issues
- Install and upgrade SSL Orchestrator
- Contacting F5
- Legal notices
Platform support
SSL Orchestrator standalone base license is supported on the following platforms:
| Chassis name | Platform ID |
|---|---|
| VPR-22XX, VPR-24XX, VPR-4480, VPR-4800 | --- |
| C2100 | --- |
| C2200 | D114 |
| C4400 | J100 |
If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:
- URLF Filtering (subscription)
- IPI (subscription)
- Network HSM
- Access Policy Manager (APM)
- Secure Web Gateway (SWG)
- Advanced Routing
F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:
| Platform name |
|---|
| 2000, i2000 |
| 4000, i4000 |
| 5000, i5000 |
| 7000, i7000 |
| 10000, i10000 |
| 11000, i11000 |
| 12000 (Bourne) |
| i15000 |
| Chassis name: VPR-22XX, VPR-24XX, VPR-4480, VPR-4800 |
Guided Configuration browser support
The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:
- Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
- Mozilla Firefox 55.x
- Google Chrome 61.x
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.
Features in SSL Orchestrator
F5 recommends that you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.
In this release, SSL Orchestrator 9.0 focuses on performance, quality, and security. It includes improvements to SSLO control plane architecture, custom category lookup, existing features, and new enhanced security capabilities.
SWG as an SSLO service
With BIG-IP 16.1 and SSLO 9.0, we now offer SWG within the SSLO interface, specifically in the F5 tab as part of the Solutions Catalog. This update does not change any of the previous APM + SWG behavior but provides a more user-friendly configuration and management experience when included with SSL Orchestrator, which is the most common forward proxy use case.
Abort support in blocked TLS session
The SSL Orchestrator security policy now contains a new abort option as a blocking action.
Bypass TLS decryption based on SNI
You can now configure a security policy to bypass TLS decryption based on the SNI received in the ClientHello, before any server-side evaluation. A TLS bypass can now be created by SNI/hostname for mutual TLS authentication without breaking the connection.
authorityKeyIdentifier extension support for certificates
SSL Orchestrator now includes an authorityKeyIdentifier (AKI) in the forged server certificate to aid in certificate path discovery at the client. Path discovery is the mechanism that a TLS client performs to find and build a complete chain of trust from the end-entity (leaf) certificate to the explicitly trusted root CA.
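As an added illustration of the path-discovery point above (example code, not F5's; it uses the third-party `cryptography` package, and the CA name, hostname and validity dates are constructed), this builds two forging CAs that share a subject name, issues the same leaf with and without an AKI, and shows that only the AKI-bearing leaf resolves to a single candidate issuer:

```python
"""Added example (not F5 code): how an authorityKeyIdentifier (AKI) in a forged
leaf lets a TLS client pick the right issuing CA. Needs the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed validity start, treated as UTC


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn):
    """Self-signed CA whose subjectKeyIdentifier (SKI) is derived from its public key."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def forge_leaf(ca_key, ca_cert, hostname, with_aki):
    """Leaf signed by ca_key; with_aki copies the CA's SKI into the leaf's AKI."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    builder = (x509.CertificateBuilder()
               .subject_name(_name(hostname)).issuer_name(ca_cert.subject)
               .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30)))
    if with_aki:
        ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def candidate_issuers(leaf, trust_store):
    """Path discovery: keep CAs whose subject equals the leaf's issuer name and,
    when the leaf carries an AKI, whose SKI equals the AKI keyIdentifier."""
    try:
        aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        aki = None  # no AKI: the client can only match on the issuer name
    matches = []
    for ca in trust_store:
        ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        if ca.subject == leaf.issuer and (aki is None or aki.key_identifier == ski.digest):
            matches.append(ca)
    return matches


def demo():
    """Two forging CAs share one subject name (e.g. before and after a CA re-key).
    Returns candidates without AKI, candidates with AKI, and whether the AKI pick is right."""
    _old_key, old_ca = make_ca("SSLO Forging CA")
    new_key, new_ca = make_ca("SSLO Forging CA")
    store = [old_ca, new_ca]
    plain = forge_leaf(new_key, new_ca, "www.example.com", with_aki=False)
    tagged = forge_leaf(new_key, new_ca, "www.example.com", with_aki=True)
    chosen = candidate_issuers(tagged, store)
    return len(candidate_issuers(plain, store)), len(chosen), chosen[0] == new_ca
```

Without the AKI the client is left with two same-named CA candidates and must try each one's key; with it, the match is unambiguous before any signature is checked.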
SSL profile switching based on ClientHello SNI matches
Allowing an outbound topology to switch its SSL profile based on SNI matches is useful when switching a CA issuer for different tenants or bypassing TLS for mutual TLS sessions by SNI hostname. For BIG-IP 16.1.0, only traffic processing in the data plane is currently supported.
Local OCSP Responder support
In Guided Configuration, you can now configure a local Online Certificate Status Protocol (OCSP) Responder and associate a Local OCSP Responder with a virtual server (as part of the TMUI). OCSP is an Internet protocol used to obtain the revocation status of a digital certificate. When the validity of a certificate is requested, an OCSP request is sent to an OCSP Responder, which checks the specific certificate against the trusted certificate authority's revocation data. The responder returns an OCSP response with a status of good, revoked, or unknown.
Send SSL session logs using log publisher
SSL Orchestrator can now log details of the forged server certificate and pass them to external log consumers using a log publisher. TMM generates SSL session logs when the STIP (CC) mode is enabled.
Full-proxy HTTP/2 support through the decrypted service chain
SSL Orchestrator now supports full-proxy HTTP/2 through the decrypted service chain. Because HTTP/2 is not currently de-multiplexed, the security services in the chain must themselves support decrypted HTTP/2.
Verified Accept support in SSLO
SSL Orchestrator now supports Verified Accept in TCP for L2 inbound/outbound topologies. This feature, when enabled, allows the system to test for a valid server-side connection before completing the client-side handshake. The system sends the server a SYN cookie before responding to the client’s SYN and verifies that the pool member is available to accept the connection.
Secure Web Gateway service
Secure Web Gateway can now be configured as part of the SSLO service chain.
Define DNS settings per topology
SSL Orchestrator now allows explicit proxy topologies to define specific DNS resolver settings.
Standalone license permits 20 pool members
The SSL Orchestrator standalone license previously limited the number of service pool members to 6 devices. This licensing update increases that limit to 20 pool members.
Proxy TCP Keepalive in SSLO
A new iRule command, TCP::keepalive, allows TCP keep-alive proxy settings to be enabled dynamically. With this feature, the SSL Orchestrator interception rule can decide, based on criteria such as client IP, destination port, or other attributes, to enable TCP keep-alive selectively on a connection. This is useful when a client (for example, the Citrix Workspace client) requires a keep-alive to stay connected to the upstream server.
SSLO Control Plane re-architecture
SSL Orchestrator 9.0 includes the following significant improvements to the control plane:
- The source of truth for the SSL Orchestrator configuration is now stored in iFile objects. This allows SSL Orchestrator to use the native MCP/CMI HA sync functions and to support automatic and incremental sync.
- The iApp strictness lock icon has been removed from several objects (excluding network and access objects), allowing you to make out-of-band changes freely.
- The SSLO architecture no longer uses the Gossip sync function to sync the SSLO REST configuration.
Tabbed interface for service catalog
The security products in the SSL Orchestrator service catalog are now presented in a new, de-cluttered tabbed interface with Inline L2, Inline L3, Inline HTTP, ICAP, TAP, and a new F5 tab. The F5 tab currently includes just one service: Secure Web Gateway.
Guided Configuration for SSL Orchestrator
Guided Configuration is meant to guide you through setting up a particular use case on the SSL Orchestrator system. Each template requests minimal input and provides contextual help to assist users during setup. The current version of Guided Configuration is displayed on the landing page. When a later upgrade becomes available, you can use the link next to the version number to download it from downloads.f5.com, and then upload and install Guided Configuration for SSL Orchestrator on BIG-IP. Before installing or upgrading to the latest version of SSL Orchestrator, read the release notes and setup guide for any prerequisites, task details, or troubleshooting and recovery steps that apply during installation or upgrade.
Guided Configuration for SSL Orchestrator TLS 1.3 support
TLS 1.3 support is provided in Guided Configuration for SSL Orchestrator for inbound cases, both clientssl and serverssl, for enhanced performance and security.
SSL Orchestrator Topologies
SSL Orchestrator configuration topologies define the type of traffic (transparent or explicit) and the direction of traffic flow (inbound or outbound) that you want to inspect. These deployment settings, which can be modified as needed without undeploying a configuration, are complemented by SSL management settings that help you define inbound and outbound decryption, set your service types (such as HTTP, ICAP, Layer 2/Layer 3 inline, and receive-only/TAP services), and create your service policies by defining per-request and per-session policy settings that can be managed through a visual policy editor.
- Outbound transparent proxy
- Outbound explicit proxy
- Inbound reverse proxy
- Outbound layer 2
- Inbound layer 2
The Existing Application topology is an inbound topology that allows you to create services, service chains, and security policies and attach them to an existing reverse proxy BIG-IP application.
Licensing and Provisioning for SSL Orchestrator Access Integration
The SSL Orchestrator Setup Utility has been updated with resource provisioning capabilities for licensed and unlicensed modules.
Multi-Layered Security
In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security chain” consisting of multiple services. A typical chain may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, Secure Web Gateways (SWG), and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.
Virtual Clustered Multiprocessing (vCMP)
SSL Orchestrator supports Virtual Clustered Multiprocessing (vCMP) to provision and manage multiple hosted instances of the BIG-IP software on a single hardware platform.
Classification Engine
The Classification Engine provides a rich set of context-based methods to dynamically determine how best to optimize the flow through the security stack. At a minimum, context can come from the following:
- Source IP/subnet
- Destination IP/subnet
- IP intelligence category - Subscription
- IP geolocation
- Host and domain name
- URL filtering category - Subscription
- Destination port
- Protocol
Other classifiers with greater flexibility are also available in the SSL Orchestrator VPE and with iRules to optimize and evaluate additional information.
Deployment Modes
- Single device mode
- High availability (HA) active/standby mode
In addition, the system can detect and transparently handle an explicit proxy between SSL Orchestrator and the internet.
SSL Orchestrator Analytics
SSL Orchestrator analytics provide a customizable view into your SSL Orchestrator statistics, and enable you to flexibly choose the information you want to view based on specified ranges of time that you can select and adjust.
Statistics generated:
- Hit Count
- Client Bytes Out Per Second
- Duration
- Server Bytes In
- Server Bytes In Per Second
- Hit Count Per Second
- Server Bytes Out Per Second
- Client Bytes In
- Client Bytes In Per Second
- Client Bytes Out
- Server Bytes Out
Statistics are generated for the following dimensions:
- Client Cipher Names
- Client Cipher Versions
- Server Cipher Names
- Server Cipher Versions
- Virtual Servers
- Site IP Addresses
- Traffic Types
- Decryption Status
- Policy Actions
- Service Paths
- URL Categories
- Applications
- Application Families
- IP Reputation
- Destination Countries
L7 Application Protocol Settings
SSL Orchestrator supports L7 application protocol settings allowing you to select a protocol to listen for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP) to be processed.
Fixes
ID number | Description |
---|---|
900517 | Previously, with the SSL Orchestrator configured for high availability (HA), the system always performed a full load sync when doing manual incremental sync. Fix: SSL Orchestrator can now be configured to perform incremental sync. |
907713 | Fixed the issue where there was an inactive Deploy button when modifying the deployed service. Workaround: Exit the configuration and try again. |
913517 | Previously, there was no validation error message when the user entered an IPv6 address in the Client IP Subnet Match field. Fix: This issue is resolved, and now only valid values are accepted. |
918813 | Previously, the SSL Orchestrator configuration deployment failed in the HA environment giving the following error: Topology redeployment failure: sslo_ob_TOPOLOGY_MODIFY Error: Unable to PATCH block from BINDING to BINDING state. Fix: Now, the synchronization of the configuration revisions and data occurs when they are out of sync. The HA infrastructure replication mechanism will result in a working (good) state. |
969133 | Previously, when a topology was deployed with FTP selected in the IR step, the related rule was not attached to the SSLO IR. It was initially attached to LTM but was removed when the IR was redeployed. Fix: This issue is resolved, and now, when the topology is deployed with FTP, all the related rules are attached to both SSLO and LTM objects. |
969273 | Fixed the issue where after deleting an OCSP responder from the Authentication List tab, it still displayed in the topology flow page. Fix: The deleted OCSP responder no longer shows after deleting the filter string. |
974581 | Previously, SSL Orchestrator did not initialize if there was an issue during startup, upgrade, or a restnoded and restjavad restart. Fix: This issue is resolved, and now the UI reports the failure of the initialization process, which allows you to resolve the error manually and trigger the initialization process again. Workaround: When the initialization process fails, the error message and the upgrade icon at the top right of the page turn red and start blinking. Perform the following steps to trigger the initialization process again. Note: If the device is configured for high availability (HA), do not initiate ConfigSync until the initialization process completes successfully. Fix the issue and trigger the initialization process before proceeding. |
992425 | Previously, the outbound topology with custom interception rule failed to deploy with the -in_t iRule in mini-flow modification. Fix: This issue is fixed, and now you can successfully add the -in_t iRule to the custom interception rule in mini-flow modification. |
Known issues
ID number | Description |
---|---|
913469 | When loading a security policy page to edit an existing rule, sometimes the following error is displayed: "Rules are currently non-editable". Workaround: Reload the security policy page. |
969209 | The SSL Orchestrator configuration page shows the following warning message if the UCS files within a failover device group do not contain the same shared blocks, which prevents modifications to the SSL Orchestrator configuration: "Loading SSL Orchestrator Configuration. Any configuration changes are not allowed till configuration is fully loaded." Workaround: Ensure that UCS files are created on each device within the failover device group at the same time, after both devices are in sync. |
974945 | When you upgrade the SSL Orchestrator RPM, the BIG-IP system upgrades the configuration to a newer version. If this upgrade process is interrupted by a restnoded or restjavad restart, the upgrade fails with an error. Workaround: Complete the following steps: |
987521 | In the high availability (HA) manual sync mode, when the user deletes the configuration on one device and tries to sync the configuration on a peer device, the operation does not complete successfully. The configuration does not get deleted on the peer device. Workaround: After deleting the configuration from one device, wait for 30 seconds before trying config sync on a peer device. If you already triggered the config sync and the configuration did not get synced, delete the configuration from the peer device manually and start config sync again. |
995829 | Clicking on the Fix Issue Manually link in the high availability (HA) screen of SSL Orchestrator fails to open the login screen of the affected device. Workaround: Use the help text and help icons in the high availability (HA) screen to get assistance on how to fix the issues. |
997673 | Upgrade fails with the following error when you create different topologies and redeploy them with cross-references of objects from other topologies: "Unable to complete the cleanup. You must resolve the error (if any), delete the iApp blocks in error state (if any) from the iApps menu on the left hand side and perform CMI sync. Then resume the upgrade process: click Upgrade." Workaround 1: Complete the following steps: Workaround 2: Complete the following steps: |
1025845 | When using Chrome and Firefox, the SSLO landing page's top right panel is partially hidden. Workaround: Users can partly see the icons and labels and click on the icons for corresponding functionality. |
Install and upgrade SSL Orchestrator
If you currently have a version of SSL Orchestrator prior to 5.0, or are installing SSL Orchestrator for the first time, refer to the complete installation and upgrade instructions for F5 SSL Orchestrator in the SSL Orchestrator: Setup version 16.1.0-9.0 guide.
To install F5 SSL Orchestrator 9.0 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide.
To upgrade to the newest version of SSL Orchestrator from a previous version prior to 5.0, or if you have an existing add-on license, follow the recommended upgrade steps in the Setting up F5 Guided Configuration for SSL Orchestrator section of the SSL Orchestrator: Setup guide. This procedure walks you through uninstalling and deleting the existing SSL Orchestrator applications and RPM before installing the new ISO image.
If you do not follow the recommended upgrade procedure, further manual steps are required to reset your environment and undeploy the previous version. See the F5 Guided Configuration for SSL Orchestrator: Upgrade Recovery guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.
These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.
Contacting F5
| Contact | Details |
|---|---|
| North America | 1-888-882-7535 or (206) 272-6500 |
| Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
| Additional phone numbers | Regional Offices |
| Web | http://www.f5.com |
| Email | support@f5.com |
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
| Resource | Description |
|---|---|
| F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
| AskF5 Knowledge Base | The storehouse for thousands of knowledge base articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
| BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at a glance, drill down for details, and view your network configuration. |
| F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5's scripting language, iRules, and much more. |
| Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |