F5 SSL Orchestrator Release Notes version 16.1.1-9.1

Applies To:


F5 SSL Orchestrator

  • 16.1.1
Release Notes
Software Release Date: 11/16/2021
Updated Date: 02/01/2024

Summary:

This release note documents the version 9.1 release of F5 SSL Orchestrator.

For the SSL Orchestrator 9.0 release notes, see F5 SSL Orchestrator Release Notes version 16.1.0-9.0.


Platform support

SSL Orchestrator standalone base license is supported on the following platforms:

Platform name                                   Platform ID
i2800                                           C120
i4800                                           C115
i5800                                           C121
i7800                                           C118
i10800 Discovery High                           C122
i11800 Discovery, i11800-DS Discovery Extreme   C123, C124
i15800, i15820-DF Endeavour                     D116, D120
High Performance F5 SSL Orchestrator            Z100
Virtual Edition (VE) options:
  • 8 CPU
  • 16 CPU
  • 16 GB RAM or greater
  • Large management provisioning
Note: You must always set the management provisioning level to Large.

Chassis name                                    Platform ID
VPR-22XX, VPR-24XX, VPR-4480, VPR-4800          ---
C2100                                           ---
C2200                                           D114
C4400                                           J100

Note: SSL Orchestrator 9.1 requires BIG-IP version 16.1.1. Refer to the Install and upgrade SSL Orchestrator section for installation and upgrade information.
Note: The supported platform information applies to the most recent release version.
Note: To find the Platform ID that corresponds to a platform name, search the F5 knowledge base (AskF5).

If SSL Orchestrator is the standalone base license installed on your system, you can add the following modules:

  • URL Filtering (URLF) (subscription)
  • IP Intelligence (IPI) (subscription)
  • Network HSM
  • Access Policy Manager (APM)
  • Secure Web Gateway (SWG)
  • Advanced Routing

F5 BIG-IP Local Traffic Manager (LTM) base license with SSL Orchestrator as an add-on is supported on any available iSeries, Bourne, and VIPRION platforms:

Platform name
2000, i2000
4000, i4000
5000, i5000
7000, i7000
10000, i10000
11000, i11000
12000 (Bourne)
i15000
Chassis name: VPR-22XX, VPR-24XX, VPR-4480, VPR-4800
Note: SSL Orchestrator 9.1 requires BIG-IP version 16.1.1. Refer to the Installing and Upgrading SSL Orchestrator section for installation and upgrade information.
Note: The supported platform information applies to the most recent release version.

Guided Configuration browser support

The Guided Configuration acts as the template for SSL Orchestrator. This release supports the following browsers and versions for use with Guided Configuration for SSL Orchestrator:

  • Microsoft Internet Explorer 11.x - Only 32-bit browsers are supported.
  • Mozilla Firefox 55.x
  • Google Chrome 61.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the SSL Orchestrator Documentation page.

New Features in SSL Orchestrator 9.1

F5 recommends you review the entire SSL Orchestrator release notes and setup guide prior to upgrading and configuring a deployment.

Note: The SSL Orchestrator upgrade workflow has changed. Review the Install and upgrade SSL Orchestrator section of these release notes for the prerequisites and required steps that streamline the process.

Inbound Gateway Mode support

SSL Orchestrator now provides SSL visibility for inbound connections to servers behind the BIG-IP system in two modes:

  • Gateway mode: Works like a router. The virtual server listens on a network address (an IP range) and processes incoming connections for any destination in that range.
  • Application mode: Works like a traditional LTM virtual server. It creates a virtual server that listens on a specific IP:port and processes incoming connections for that address only.

SNI switching with multi SNI support

SNI switching allows a virtual server to carry multiple client SSL profiles, each with its own end-entity certificate, so that the certificate presented is selected by the Server Name Indication (SNI) the client sends. The SSL Orchestrator UI now supports attaching multiple SSL profiles to the same virtual server for both Inbound and Outbound explicit topologies.

Verified Accept SSL profile optimization

SSL Orchestrator now generates a single SSL profile instead of two, one for Verified Handshake True (vht) and one for Verified Handshake False (vhf), which greatly simplifies the SSL Orchestrator-generated configuration. By default, verified handshake is enabled for outbound traffic and disabled for inbound traffic.

Port Remap enhancement for SSL Orchestrator services

Some security devices require HTTPS (443) traffic to be remapped to HTTP (80) for correct inspection. Previously, the remap setting was applied regardless of the bypass/decrypt decision. With this release, bypassed traffic is not remapped; port remap applies only to decrypted traffic.

SSL Orchestrator UI lock removed for BIG-IQ

The SSL Orchestrator GUI is now left unlocked when the device is added to a BIG-IQ system, so it can be used for monitoring and other non-SSL Orchestrator functions. Previously, because BIG-IQ did not support management of SSL Orchestrator 9.0 and later, the GUI was automatically locked in read-only mode.

Support for SSL Orchestrator 9.1 will be added to a future version of BIG-IQ. See the Interoperability Matrix for details.

Proxy Connect allows configuring Explicit proxy topology

Proxy Connect allows SSL Orchestrator to forward incoming explicit HTTPS requests to a downstream proxy. Previously, the SSL Orchestrator GUI mistakenly allowed Proxy Connect to be configured for non-explicit (transparent) requests, which caused the UI to malfunction. The GUI has been fixed to allow modification of the security policy and the addition of Proxy Connect data for an Explicit proxy topology.

Port Lockdown for HA pair allows Custom port

The BIG-IP system allows administrators to configure Port Lockdown settings on self IPs, which reduces the attack surface by restricting the services that accept incoming connections on that address. Previously, any setting other than Allow All or Allow Default caused the SSL Orchestrator GUI to malfunction and report high availability (HA) failures. With this release, you can deploy or edit the SSL Orchestrator configuration with Port Lockdown set to Allow Custom with TCP port 443.
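As an added example (not code from F5 or the SSL Orchestrator package), the following Python script audits the port lockdown settings of self IPs before an HA deployment, applying the rule stated above: Allow Default and Allow Custom with TCP port 443 are supported on the HA self IP, Allow All works but needlessly widens the attack surface, and anything else is the situation that previously produced the HA failures reported under 1042437. The input shape (name, address, allowService list, modelled on the items returned by iControl REST GET /mgmt/tm/net/self) and the sample self IPs are assumptions constructed for the example; the tmsh remediation commands it prints use standard BIG-IP syntax.

```python
"""Audit self IP port lockdown on a BIG-IP before an SSL Orchestrator HA deployment.

Added example, not F5 code. The records below mimic the 'items' array of
iControl REST GET /mgmt/tm/net/self (an assumption about the response shape):
  allowService absent          -> Allow None
  allowService == ["all"]      -> Allow All
  allowService == ["default"]  -> Allow Default
  any other list               -> Allow Custom, e.g. ["tcp:443", "udp:1026"]
"""

# Port that SSL Orchestrator 9.1 needs in a Custom lockdown list on the HA self IP
# (per the release note).
HA_REQUIRED_SERVICE = "tcp:443"

# Constructed sample; these are not real devices.
SAMPLE_SELF_IPS = [
    {"name": "ha-self", "address": "10.10.1.1/24", "allowService": ["tcp:443"]},
    {"name": "ha-sync", "address": "10.10.2.1/24", "allowService": ["tcp:4353"]},
    {"name": "internal-self", "address": "10.20.1.1/24", "allowService": ["all"]},
    {"name": "external-float", "address": "10.30.1.10/24"},
    {"name": "mgmt-like", "address": "10.40.1.1/24", "allowService": ["default"]},
]


def lockdown_mode(self_ip):
    """Classify a self IP record into the GUI's Port Lockdown modes."""
    services = self_ip.get("allowService") or []
    if "all" in services:
        return "all"
    if "default" in services:
        return "default"
    if not services:
        return "none"
    return "custom"


def audit_self_ips(self_ips, ha_self_ip_names):
    """Return (name, verdict, detail) per self IP.

    ha_self_ip_names: names of the self IPs the HA pair uses. Verdicts:
      exposed  - Allow All: every TMM-hosted service on the address is reachable
      blocked  - HA self IP whose lockdown is not one this release supports
      ok       - anything else
    """
    findings = []
    for s in self_ips:
        name, mode = s["name"], lockdown_mode(s)
        services = s.get("allowService") or []
        if mode == "all":
            findings.append((name, "exposed",
                             "Allow All on %s; tighten to Allow Default or a Custom list"
                             % s["address"]))
        elif name not in ha_self_ip_names:
            findings.append((name, "ok", "mode %s (not an HA self IP)" % mode))
        elif mode == "default" or (mode == "custom" and HA_REQUIRED_SERVICE in services):
            findings.append((name, "ok", "HA self IP, mode %s" % mode))
        else:
            findings.append((name, "blocked",
                             "HA self IP does not allow %s (mode %s); SSL Orchestrator 9.1 "
                             "supports Allow Default or Custom with TCP 443 here"
                             % (HA_REQUIRED_SERVICE, mode)))
    return findings


def remediation(self_ip, verdict):
    """tmsh command that fixes a finding (standard BIG-IP syntax), or None.
    'add' keeps the entries already in the Custom list (e.g. tcp:4353)."""
    if verdict == "exposed":
        return "tmsh modify net self %s allow-service default" % self_ip["name"]
    if verdict == "blocked":
        return ("tmsh modify net self %s allow-service add { %s }"
                % (self_ip["name"], HA_REQUIRED_SERVICE))
    return None


if __name__ == "__main__":
    by_name = {s["name"]: s for s in SAMPLE_SELF_IPS}
    for name, verdict, detail in audit_self_ips(SAMPLE_SELF_IPS, {"ha-self", "ha-sync"}):
        print("%-15s %-8s %s" % (name, verdict, detail))
        fix = remediation(by_name[name], verdict)
        if fix:
            print("%-15s %-8s %s" % ("", "fix:", fix))
```

Run it against the real output of GET /mgmt/tm/net/self (or `tmsh list net self all allow-service`, after converting to the same shape) and pass the names of the self IPs your device group actually uses for HA; a "blocked" verdict on one of those is the configuration to correct before deploying from the SSL Orchestrator UI.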

Note: SSL Orchestrator iRules do not support Inbound mode bypass on BIG-IP version 16.1.0 with SSL Orchestrator 9.0 or earlier. IP-based and regular SSL bypass in Inbound mode work on BIG-IP 16.1.2.2 and later with SSL Orchestrator 9.1 (see fix 1058401).

Behavior changes

ID Number Description
1020573 Previously, upgrading SSL Orchestrator from the UI had compatibility issues because the UI required the BIG-IP version numbers to match before an upgrade could proceed: its validation did not allow a change in the BIG-IP version when upgrading to a higher RPM number. For example, upgrading 16.1.0-9.1.x to 16.1.1-9.1.x+1 was rejected because 16.1.0 and 16.1.1 are not equal.

Workaround: To upgrade an SSL Orchestrator version earlier than 9.1 to 9.1, install the RPM from the iApps menu (iApps > Package Management LX) instead of the SSL Orchestrator UI.

Fix: With the SSL Orchestrator 9.1 release, the upgrade behavior has changed. An upgrade can now proceed when the BIG-IP version number moves forward (for example, 16.1.0 to 16.1.1), as long as the RPM version number (9.1.x) also moves forward according to the usual incremental upgrade rules.
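The two rules above, as an added example rather than F5's own validation code: the Python below models the pre-9.1 check (BIG-IP part must match exactly, RPM part must be higher) and the 9.1 check (BIG-IP part may move forward, RPM part must still move forward), using the version strings this page uses (16.1.0-9.0.24 and so on) and the RPM file name format quoted under known issue 1044685. The exact validation logic in the UI is not published, so the functions are a model of the behavior described, and the rejection text for the old rule is only patterned on the error message quoted under 1044685.

```python
"""Model of the SSL Orchestrator RPM upgrade validation before and after 9.1.

Added example for behavior change 1020573; this is not F5's code. Version
strings follow this page's "<BIG-IP>-<RPM>" form, e.g. "16.1.0-9.0.24".
"""
import re

# File name format of the package, as quoted under known issue 1044685.
RPM_NAME_RE = re.compile(
    r"^f5-iappslx-ssl-orchestrator-(?P<bigip>\d+(?:\.\d+)*)-(?P<rpm>\d+(?:\.\d+)*)\.noarch\.rpm$"
)


def parse_version(version):
    """Split '16.1.1-9.1.23' into ((16, 1, 1), (9, 1, 23)).

    Integer tuples compare element-wise, so 9.1.9 < 9.1.23 and 16.1.0 < 16.1.1
    hold without any string comparison pitfalls."""
    bigip, sep, rpm = version.partition("-")
    if not sep or not bigip or not rpm:
        raise ValueError("expected '<bigip>-<rpm>', got %r" % version)
    return (tuple(int(p) for p in bigip.split(".")),
            tuple(int(p) for p in rpm.split(".")))


def version_from_rpm_name(filename):
    """Extract the (BIG-IP, RPM) version pair from an SSL Orchestrator RPM file name."""
    m = RPM_NAME_RE.match(filename)
    if not m:
        raise ValueError("not an SSL Orchestrator RPM name: %r" % filename)
    return parse_version("%s-%s" % (m.group("bigip"), m.group("rpm")))


def _fmt(parts):
    return ".".join(str(p) for p in parts)


def can_upgrade_pre_9_1(installed, candidate):
    """UI rule before 9.1 (modelled): the BIG-IP part must match exactly and
    the RPM part must be strictly higher. Returns (allowed, reason); the
    reason is patterned on the message quoted under known issue 1044685."""
    inst_bigip, inst_rpm = parse_version(installed)
    cand_bigip, cand_rpm = parse_version(candidate)
    if cand_bigip != inst_bigip or cand_rpm <= inst_rpm:
        return False, ("package version should be %s-x.x.x and higher than %s"
                       % (_fmt(inst_bigip), installed))
    return True, "ok"


def can_upgrade_9_1(installed, candidate):
    """UI rule from 9.1 on (modelled): the BIG-IP part may stay the same or
    move forward, and the RPM part must still move strictly forward. Neither
    part may go backwards."""
    inst_bigip, inst_rpm = parse_version(installed)
    cand_bigip, cand_rpm = parse_version(candidate)
    if cand_bigip < inst_bigip:
        return False, ("BIG-IP version %s is lower than installed %s"
                       % (_fmt(cand_bigip), _fmt(inst_bigip)))
    if cand_rpm <= inst_rpm:
        return False, ("RPM version %s is not higher than installed %s"
                       % (_fmt(cand_rpm), _fmt(inst_rpm)))
    return True, "ok"


if __name__ == "__main__":
    installed = "16.1.0-9.0.24"
    rpm = "f5-iappslx-ssl-orchestrator-16.1.1-9.1.23.noarch.rpm"
    candidate = "%s-%s" % tuple(_fmt(v) for v in version_from_rpm_name(rpm))
    for label, rule in (("pre-9.1 UI", can_upgrade_pre_9_1), ("9.1 UI", can_upgrade_9_1)):
        ok, why = rule(installed, candidate)
        print("%-10s %s -> %s: %s" % (label, installed, candidate,
                                      "allowed" if ok else "rejected, " + why))
```

The sample run is exactly the 9.0-to-9.1 case from 1044685: the old rule rejects the 16.1.1 package on a 16.1.0 system, the new rule accepts it, and both rules still refuse a package whose RPM number does not go up.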

Fixes

Note: The following bugs are applicable to the SSL Orchestrator iAppLX (UI and BIG-IP configuration automation) and not BIG-IP (SSL Orchestrator traffic processing). Refer to the corresponding BIG-IP release notes for further detail about your version.
ID number Description
978821 Previously, when port remap was enabled for a service inside a service chain, the BIG-IP system occasionally sent decrypted traffic to port 443 instead of the assigned port 80 or 8080. This broke traffic analysis on the service, because unexpected decrypted packets arrived on port 443.

Fix: A new iRule is now attached to the topology. It remaps the port correctly without sending decrypted packets to port 443.

999257 Previously, a bulk HA sync could leave the SSL Orchestrator configuration out of step with the MCP values. When multiple configuration changes in an HA environment triggered a CMI sync, a race condition prevented the SSL Orchestrator configuration from updating to the latest MCP values.

Workaround: To avoid the race condition, trigger the reconcile manually by updating and syncing the objects in TMUI.

Fix: This issue is fixed; the objects are now queued and processed sequentially.

1002481 Fixed an issue where, after you deleted a device from a service in Guided Configuration, the UI did not show the service in the Service Chain even though the service still existed.
1007477 Previously, when a security policy was configured with Proxy Connect, the topology did not show in the security policy after deployment, and the security policy did not appear in the dropdown either.

Workaround: Redeploy the topology with a new security policy.

Fix: This issue is fixed; an explicit proxy topology can now be configured with Proxy Connect. An outbound topology can also share a security policy that contains Proxy Connect, but the Proxy Connect settings do not apply to it.

1014785 Previously, after SSL Orchestrator was successfully deployed, the GUI still showed the state as Not Deployed.

Workaround: Refresh the GUI page.

Fix: This issue is now fixed; the GUI no longer shows a deployed configuration as Not Deployed.

1022093-1 Previously, redeploying a service with auto-managed Self IPs sometimes failed because the Self IP address was recalculated from the "tmsh list cm device" order. This issue is resolved: the Self IP that already exists on the box is retained during redeployment and is no longer recalculated from the CM device list order.
1025845 Previously, in Chrome and Firefox, the top right panel of the SSL Orchestrator landing page was partially hidden.

Workaround: The icons and labels are partly visible, and you can click the icons to reach the corresponding functionality.

Fix: This issue is fixed; the top margin has been adjusted so the panel shows completely on the SSL Orchestrator landing page.

1029901 Previously, you could not delete a service or security policy that had multiple parent configurations, such as a Service Chain and a Topology.

Fix: This issue is fixed; you can now delete a service or security policy that is assigned to multiple Service Chains.

1042437 Previously, deploying or editing the SSL Orchestrator configuration from the UI produced the following error when the BIG-IP system was in an HA configuration and the Self IP used for HA had Port Lockdown set to Allow Custom:

Invalid BIG-IP high availability (HA) setup

This issue is now fixed.

1054469 Previously, when SSL Orchestrator was installed on both the active and standby BIG-IP devices, deployment failed for devices configured in a sync-only device group if some devices in the group were down. This issue is fixed: if SSL Orchestrator is installed with a sync-only device group but no sync-failover device group, the SSL Orchestrator deployment works as a standalone deployment, and all devices in the sync-only group are ignored.
1058401 Previously, the per-request policy's SSL Bypass Set agent did not bypass TLS traffic for an inbound topology. This issue is now fixed for BIG-IP v16.1.2.2.

Known issues

ID number Description
851133-2 When using an HTTP service with Auto Manage turned off, toggling from Create New to Use Existing and back to Create New turns off validation of the Floating IP fields if you then change the Self IP or Netmask. This occurs in the To Service Config or From Service Config sections when you set up Create New with a Self IP, Netmask, and Floating IPs (on a high availability (HA) device), toggle to Use Existing, and toggle back to Create New.

Workaround 1: To turn validation back on, edit the Floating IP fields.

Workaround 2: Exit the HTTP/L3 service creation dialog and start a new service creation dialog.

947249 SSL Orchestrator configured for high availability (HA) with manual config sync goes into an error state when a reverse ConfigSync is performed after a delete or deploy operation.

Workaround:
  • For a delete operation: Trigger the delete on both devices.
  • For a configuration deployment: Sync the latest changes to the peer device.

966361 When a config sync is triggered after an operation in the SSL Orchestrator GUI, overwriting the configuration from the peer box (a reverse sync) loses the configuration.

Important: Always initiate ConfigSync from the device on which you made the change (for example, deleted the configuration) to the peer devices. Syncing the other way results in undesired consequences.
1024417 Following the deployment of a topology, if an administrator modifies the associated virtual server under Local Traffic so that the source or destination is set to an address list in place of a host, traffic continues to pass based on the addresses contained in the address list. As of 16.1.0, the SSL Orchestrator Guided Configuration allows changes to deployed objects without the administrator disabling strict updates. In some cases, within the Interception Rule of the Guided Configuration, the Source Address then shows incorrectly as 0.0.0.0%0/0 and the Destination Address as %0/0, and the field shows the following error:

IP address with must CIDR prefix or optional Route Domain between 0 to 65534 Required.

Workaround: To clear the destination field error from the interception rule, set host addresses in place of address lists in the virtual server under Local Traffic. Once the address lists have been replaced by host addresses in the virtual server, any subsequent address changes can be made from the SSL Orchestrator Guided Configuration.

1024737 When you delete an MCP object from TMUI or TMSH and then restart restnoded, you see the following message in the GUI:

"SSL Orchestrator is not initialized. Open the TMSH/ssh shell and review errors in /var/log/restnoded/restnoded.log. Resolve all errors before restarting the initialization process by selecting the re-trigger icon. If this is high availability (HA) setup then do not trigger ConfigSync till issue is resolved. Additional configuration changes are not allowed until the configuration is fully initialized. :3: The requested <<deleted MCP object type and name>> was not found."

Workaround: Perform the following steps:

  • Remove the deleted object's selflink from /mgmt/shared/iapp/blocks. The reference (selflink) is stored in the dataProperties of the topology block.
  • Remove the deleted object's selflink from the iFile. The reference (selflink) is stored in the dataProperties of the topology.
  • Restart restnoded and restjavad using the following command:

    bigstart restart restnoded restjavad

1025317 SSL Orchestrator secures restricted attributes with the BIG-IP master key. If the BIG-IP system loses the master key, or the master key is changed, the system can no longer decrypt those values for deployed SSL Orchestrator configurations. In addition, editing an old configuration might fail because the key no longer matches the already-encrypted values.

Workaround: Delete the deployed configuration and create it again.

1033113 The SSL Orchestrator iApp does not support editing, deleting, or deploying multiple items in a configuration at once.
1041345-1 The warning message is not clear enough to stop you from reverse syncing the devices, that is, triggering a sync from the device on which the changes were not made.
Important: Always initiate ConfigSync from the device on which you deleted the configuration to the peer devices. Syncing the other way results in undesired consequences.
1041925 Swapping the order of a service's devices in one transaction leads to a deployment error. If you delete the first device from a service, then add the same device back to the same service, and deploy the configuration, the following error message is displayed:

Cannot get device index for Ingress_WAF1 in rd65001 - ioctl failed: No such device

Workaround: Perform the operations in two transactions:
  1. Remove the network from the network configuration table and deploy.
  2. Edit the service, add the removed network configuration back, and deploy.
1044685 When you use the SSL Orchestrator UI to upgrade the RPM from 9.0 to 9.1, the following error message is displayed:

Cannot install f5-iappslx-ssl-orchestrator-16.1.1-9.1.23.noarch.rpm, package version should be 16.1.0-x.x.x and higher than 16.1.0-9.0.24

The new RPM file cannot be installed from the UI because of the package version validation (see behavior change 1020573).

Workaround: Upgrade the SSL Orchestrator RPM from 9.0 to 9.1 through iApps > Package Management LX.
1045613 When you edit the iRule list of a service virtual server in TMUI or TMSH and then redeploy the service from SSL Orchestrator, all out-of-band (OOB) changes are lost and overwritten.

Workaround: Go to the service virtual server and make the iRule change again.

1045673 On an HA pair, changing the custom port lockdown from an invalid port to a valid port and clicking the Refresh button on the HA Status page does not refresh the HA status.

Workaround: Navigate back to the SSL Orchestrator Configuration page and click the HA Status icon to reload the page. The HA status is then refreshed.

1047377 "Server speaks first" traffic (protocols in which the server sends the first bytes of the connection) does not pass through SSL Orchestrator, and the connection fails. This happens when the SSL Orchestrator interception rule has an attached service chaining security policy and port remap is enabled on at least one service.

Workaround: Disable port remap on the service and redeploy.

1048033 "Server speaks first" traffic does not pass through SSL Orchestrator, and the connection fails: service chaining does not work for a service when port remap is enabled.

Workaround: Disable port remap on the service and redeploy.

1049753 HTTP traffic for an Inbound application topology fails after upgrading to version 9.1 when the interception rules have SSL profiles attached.

Workaround: Manually remove the SSL profiles from the interception rule and redeploy the inbound topology.

1050205 For an Inbound topology with a service that has port remap enabled and is attached to a service chain, redeployment fails with an error when you remove the SSL profiles from the Interception Rule page. This happens because port remap requires the client SSL profile to function.

Workaround 1: When removing the SSL profile from the Interception Rule page, remove port remap along with it. This is a temporary solution.

Workaround 2: Turn off port remap on the service, or detach the service from the policy or service chain.

1055389 When SSL Orchestrator is deployed in an HA configuration that uses Virtual Wire, and the associated network trunks have LACP enabled, traffic fails to pass after an upgrade from 15.1.x to 16.1.x.

Workaround: Disable LACP on all network trunks used by Virtual Wire before upgrading from 15.1.x to 16.1.x.

1055945 Adding or removing port remap on services may force a full config sync during deployment. The config sync icon in the upper left of the Configuration utility turns red and displays the status "Changes Pending." This occurs on any deployment or redeployment of an SSL Orchestrator topology in which port remap has been switched between enabled and disabled.
1057929 After an upgrade from 8.x or 7.x to 9.1, a topology with one or more port remap services does not pass traffic on all services.

Workaround:
  1. In the GUI, navigate to Local Traffic > Virtual Servers and edit the main virtual server of your topology.
  2. On the Resources tab, in the iRules section, reattach the missing -port_remap iRules so that every service has one corresponding iRule.

1061109 On HA devices, a manual sync sometimes fails, and the config sync icon in the upper left of the Configuration utility turns red and displays the status "Changes Pending." In this situation, it is crucial to initiate ConfigSync from the device on which you performed the SSL Orchestrator operation to the peer device. Do NOT sync from the device on which no SSL Orchestrator operation was run.

Important: Syncing the wrong way results in undesired consequences.

Install and upgrade SSL Orchestrator

To install F5 SSL Orchestrator 9.1 when you do not have an existing SSL Orchestrator add-on license or a previous version of SSL Orchestrator installed, download the image from downloads.f5.com. For complete step-by-step installation instructions, see the BIG-IP Systems: Upgrading Software guide.

If you have an existing add-on license, or want to upgrade to the newest version of SSL Orchestrator from a version prior to 5.0, refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide. This procedure walks you through uninstalling and deleting the existing SSL Orchestrator applications and RPM before installing the new ISO image.

If you do not follow the recommended upgrade procedure, further manual steps are required to reset your environment and undeploy the previous version. See the F5 Guided Configuration for SSL Orchestrator: Upgrade Recovery guide based on the previous version of SSL Orchestrator you are upgrading from and your access to the BIG-IP Applications LX menu.

These upgrade steps are required since previously deployed SSL Orchestrator configurations cannot be rolled forward or imported into the new version of SSL Orchestrator. Following one of the recommended upgrade procedures will assist you in preparing your system for a clean installation.

Note: If you are implementing a high availability (HA) environment for SSL Orchestrator, refer to the Update or Upgrade the F5 SSL Orchestrator chapter in the BIG-IP update and upgrade guide for more detailed information.
Note: If you are an SSL Orchestrator user with an HA setup, you may also use the F5 Guided Configuration for SSL Orchestrator: High Availability Diagnostics and Sync-Repair Tool guide to troubleshoot and fix HA setup issues.

Contacting F5

North America              1-888-882-7535 or (206) 272-6500
Outside North America      Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers   Regional Offices
Web                        http://www.f5.com
Email                      support@f5.com

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support (Self-solve Options)

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.