F5 Herculon SSL Orchestrator Manual

F5®Herculon™SSL Orchestrator™: Setup
Version 13.1-3.0


Table of Contents
What is F5 Herculon SSL Orchestrator? .... 5
  What is F5 Herculon SSL Orchestrator? .... 5
Terminology for Herculon SSL Orchestrator .... 7
  Terminology for Herculon SSL Orchestrator .... 7
Configuring the System for F5 Herculon SSL Orchestrator .... 9
  Overview: Configuring the system for F5 Herculon SSL Orchestrator .... 9
  Using the Herculon SSL Orchestrator setup wizard .... 9
  Backing up your BIG-IP configuration .... 11
  Modifying your Herculon SSL Orchestrator configuration .... 11
  Undeploying your Herculon SSL Orchestrator configuration .... 11
  Diagnosing your Herculon SSL Orchestrator deployment .... 12
Setting Up a Basic Configuration .... 13
  Overview: Setting up a basic configuration .... 13
  Configuring general properties .... 13
  Configuring logging .... 15
  Configuring an ingress and egress device on one system .... 16
  Configuring an ingress device (for separate ingress and egress devices) .... 18
  Configuring an egress device (for separate ingress and egress devices) .... 20
  Configuring the system for transparent proxy .... 23
  Configuring the system for explicit proxy .... 23
  Configuring the system for both transparent and explicit proxies .... 24
Creating Services, Service Chains, and Classifier Rules .... 27
  Overview: Creating services, service chains, and classifier rules .... 27
  Creating inline services for service chains .... 27
  Creating ICAP services .... 29
  Creating receive-only services for traffic inspection .... 30
  Creating service chains to link services .... 30
  Creating TCP service chain classifier rules .... 31
  Creating UDP service chain classifier rules .... 33
Importing and Exporting Configurations for Deployment .... 35
  Overview: Importing and exporting configurations for deployment .... 35
  Importing new configurations for deployment .... 35
  Importing past configurations for deployment .... 36
  Exporting configurations for deployment .... 36
Setting up Herculon SSL Orchestrator in a High Availability Environment .... 39
  Overview: Setting up Herculon SSL Orchestrator in a high availability environment .... 39
  Task summary for deploying in a high availability environment .... 40
    Installing an updated RPM file .... 41
    Configuring the network for high availability .... 41
    Synchronizing the device group .... 43
Table of Contents
3

    Setting up a basic configuration for deployment .... 44
  Task summary for diagnosing and fixing high availability deployment .... 44
    Verifying deployment and viewing logs .... 44
    Verifying the RPM file version on both devices .... 45
    Configuring general properties and redeploying .... 45
    Reviewing error logs and performing recovery steps .... 45
Using Herculon SSL Orchestrator Analytics .... 47
  Overview: About Herculon SSL Orchestrator analytics .... 47
  About analytics dashboard capabilities .... 47
  Timeline capabilities .... 48
  Customizing timeline capabilities .... 48
  Chart capabilities .... 48
  Customizing chart capabilities .... 49
  Table capabilities .... 49
  Customizing table capabilities .... 49
  Charting bytes in, bytes out, and hit count over time .... 50
  Comparing statistics on the top virtual servers .... 50
  Viewing the top sites bypassed .... 51
  Viewing the top sites decrypted .... 51
  Viewing the most used client ciphers and protocols .... 52
  Finding where the top server ciphers and protocols are used .... 52
  Scheduling reports to be sent .... 52
Legal Notices .... 55
  Legal notices .... 55

What is F5 Herculon SSL Orchestrator?
F5® Herculon™ SSL Orchestrator™ provides an all-in-one appliance solution designed specifically to
optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic,
and maximize the efficient use of that existing security investment. This solution centralizes and
consolidates SSL inspection across complex security architectures, allowing you flexible deployment
options to decrypt and re-encrypt user traffic across the Internet and web-based applications. It supports
policy-based management and steering of traffic flows to third-party security devices such as firewalls,
intrusion prevention systems (IPS), anti-malware, data loss prevention (DLP), and forensics tools. It
provides a wide range of SSL orchestration analytics that you can easily customize across multiple
dimensions based on specified ranges of time.
The Herculon SSL Orchestrator single platform for unified inspection allows for the greatest flexibility without architectural changes, preventing new blind spots from emerging.
Some of the key functions include:
• Dynamic security service chaining that leverages context-based policies to efficiently deploy security,
reduce administrative overhead, and effectively utilize security resources
• Centralized management of the SSL decrypt and re-encrypt function
• Inspection of all traffic for malware and data exfiltration with a multi-layered approach
• Flexible deployment modes to easily integrate the latest encryption technologies across your entire
security infrastructure
• High availability with best-in-class load-balancing, health monitoring, and SSL offload capabilities
Figure 1: Herculon SSL Orchestrator solution


Terminology for Herculon SSL Orchestrator
This section defines some of the terms used in this document.
• Certificate Authority (CA) certificate
This implementation requires a Certificate Authority PKI (public key infrastructure) certificate and matching private key for SSL Forward Proxy. Your TLS clients must trust this CA certificate to sign server certificates.
• Decrypt zone
A decrypt zone refers to the network region between separate ingress and egress BIG-IP® devices where cleartext data is available for inspection. In effect, an extra inline service can be placed at the end of every service chain for additional inspection. You cannot configure a decrypt zone in the scenario where a single BIG-IP system handles both ingress and egress traffic, because the decrypt zone does not exist there.
• Egress device
The egress BIG-IP system is the device (or Sync-Failover device group) that receives the traffic after
a connection traverses the chosen service chain and then routes it to its final destination. In the
scenario where both ingress and egress traffic are handled by the same BIG-IP system, egress refers to
the VLAN(s) where traffic leaves the BIG-IP system to the Internet.
• ICAP services
Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic
to one or more Content Adaptation device(s) for inspection and possible modification. You can add an
ICAP service to any TCP service chain, but only HTTP traffic is sent to it, as we do not support ICAP
for other protocols. You can configure up to ten ICAP services using F5® Herculon™ SSL
Orchestrator™. For more information on ICAP services, refer to the Creating ICAP services section.
• Ingress device
The ingress BIG-IP system is the device (or Sync-Failover device group) to which each client sends
traffic. In the scenario where both ingress and egress traffic are handled by the same BIG-IP system,
ingress refers to the VLAN(s) where the client sends traffic. The ingress BIG-IP system (or ingress
VLAN(s)) decrypts the traffic and then based on protocol, source, destination, and so on, classifies it
and passes each connection for inspection based on service chains you will configure (or allows
certain connections to bypass service-chain processing based on your selections).
• Inline services
Inline services pass traffic through one or more service (inspection) devices at Layer 2 (MAC)/bump-in-the-wire or Layer 3 (IP). Each service device communicates with the ingress BIG-IP device over two VLANs, called Inward and Outward, which carry traffic toward the intranet and the Internet respectively. You can configure up to ten inline services, each with multiple defined devices, using Herculon SSL Orchestrator.
• Receive-only services
Receive-only services refer to services that only receive traffic for inspection, and do not send it back
to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (e.g.
plaintext) passing through it to an inspection device. You can configure up to ten receive-only
services using Herculon SSL Orchestrator. For more information on receive-only services, refer to the
Creating receive-only services for traffic inspection section.
• Service chain classifier rules
Each service chain classifier rule chooses ingress connections to be processed by a service chain you configure (different classifier rules may send connections to the same chain). Each classifier rule has four filters. The filters match source (client) IP address, destination (which can be IP address, IP Intelligence category, IP geolocation, domain name, domain URL Filtering category, or server port), and application protocol (based on port or protocol detection). Filters can overlap, so the implementation chooses the classifier rule with the most specific matches for each connection. For more information on service chain classifier rules, refer to the Creating TCP service chain classifier rules section and/or the Creating UDP service chain classifier rules section.
• Service chains
Herculon SSL Orchestrator service chains process specific connections based on classifier rules, which look at protocol, source and destination addresses, and so on. These service chains can include four types of services you define (Layer 2 inline services, Layer 3 inline services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices. For more information on service chains, refer to the Creating service chains to link services section.
• SNAT
A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses
that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on
the external network. A SNAT pool is a pool of translation addresses that you can map to one or more
original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses.
• Sync-Failover device group
A Sync-Failover device group (part of the Device Service Clustering (DSC®) functionality) contains BIG-IP devices that synchronize their configuration data and fail over to one another when a device becomes unavailable. In this configuration, a Sync-Failover device group supports a maximum of two devices.
• Transparent/Explicit Proxy
You can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal
communication without requiring any special client configuration; clients are unaware of the proxy in
the network. In this implementation, the transparent proxy scheme can intercept all types of TLS and
TCP traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme
supports only HTTP(S) per RFC2616. In addition, transparent proxy supports direct routing for
policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) that are dependent on
networking services to support both protocols, while explicit proxy supports manual browser settings
for proxy auto-config (PAC) and Web Proxy Autodiscovery Protocol (WPAD) that require additional
iRule configurations (not included) to provide the PAC/WPAD script content.
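The "Service chain classifier rules" entry above says that filters can overlap and that the rule with the most specific matches wins. The following Python model, added here as an illustration and not code from F5 or from this product, shows one way such a most-specific-match selection can work. Everything in it is an assumption of the example: a rule carries three filters (source CIDR, destination, application protocol), None means wildcard, a rule matches only if every non-wildcard filter matches, specificity is the number of non-wildcard filters, and ties are broken by the longest source prefix. The destination filter accepts a CIDR, a domain name (checked against the TLS SNI) or "port:<n>"; the rule set and connections at the bottom are constructed sample data.

```python
"""Toy most-specific-match model for overlapping classifier rules (added example,
not F5's implementation; all matching semantics are assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ClassifierRule:
    name: str
    chain: str                           # target service chain; "bypass" means no inspection
    source: Optional[str] = None         # client CIDR, e.g. "10.20.0.0/16"; None = any
    destination: Optional[str] = None    # CIDR, domain name, or "port:<n>"; None = any
    protocol: Optional[str] = None       # detected application protocol; None = any


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    sni: Optional[str] = None            # server name from the TLS ClientHello, if present


def _destination_matches(dest: str, conn: Connection) -> bool:
    """Evaluate the destination filter against one connection."""
    if dest.startswith("port:"):
        return conn.dst_port == int(dest[len("port:"):])
    if dest[0].isdigit() or ":" in dest:          # IPv4 or IPv6 CIDR
        return ip_address(conn.dst_ip) in ip_network(dest, strict=False)
    # Domain filter: exact match, or the SNI is a subdomain of the configured name.
    return conn.sni is not None and (conn.sni == dest or conn.sni.endswith("." + dest))


def match_key(rule: ClassifierRule, conn: Connection):
    """Return (specificity, source prefix length) if every filter matches, else None."""
    specificity, prefixlen = 0, 0
    if rule.source is not None:
        net = ip_network(rule.source, strict=False)
        if ip_address(conn.src_ip) not in net:   # also False across IPv4/IPv6
            return None
        specificity += 1
        prefixlen = net.prefixlen
    if rule.destination is not None:
        if not _destination_matches(rule.destination, conn):
            return None
        specificity += 1
    if rule.protocol is not None:
        if conn.protocol != rule.protocol:
            return None
        specificity += 1
    return (specificity, prefixlen)


def classify(rules, conn: Connection) -> Optional[ClassifierRule]:
    """Pick the matching rule with the highest key; None when nothing matches."""
    best, best_key = None, None
    for rule in rules:
        key = match_key(rule, conn)
        if key is not None and (best_key is None or key > best_key):
            best, best_key = rule, key
    return best


# Constructed sample rule set (hypothetical names); the catch-all has no filters.
RULES = [
    ClassifierRule("default-inspect", chain="full-chain"),
    ClassifierRule("finance-bypass", chain="bypass",
                   source="10.20.0.0/16", destination="bank.example", protocol="https"),
    ClassifierRule("guest-https", chain="guest-chain",
                   source="192.168.100.0/24", protocol="https"),
    ClassifierRule("mail-dlp", chain="dlp-chain", destination="port:25"),
]

if __name__ == "__main__":
    # Constructed sample connections, one per rule in RULES.
    samples = [
        Connection("10.20.5.9", "198.51.100.4", 443, "https", sni="bank.example"),
        Connection("192.168.100.7", "203.0.113.10", 443, "https", sni="www.example.com"),
        Connection("172.16.1.1", "203.0.113.25", 25, "smtp"),
        Connection("172.16.1.1", "203.0.113.80", 80, "http"),
    ]
    for c in samples:
        rule = classify(RULES, c)
        print(f"{c.src_ip} -> {c.dst_ip}:{c.dst_port} {c.protocol}: {rule.name} ({rule.chain})")
```

The practical point for reviewing a rule set is visible in the sample data: a narrowly scoped bypass rule outranks the broad catch-all, so a bypass only takes effect for exactly the connections its filters describe, and any rule with more specific filters than an inspection rule silently takes precedence over it. When auditing overlapping rules, check each bypass rule's filters individually rather than relying on rule order.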

Configuring the System for F5 Herculon SSL Orchestrator
Overview: Configuring the system for F5 Herculon SSL Orchestrator
To set up your system for decrypting and encrypting outbound SSL/TLS traffic, you need to use the F5®
Herculon™ SSL Orchestrator™ Setup Wizard which initially guides you through basic minimal setup
configuration. When you have completed the basic setup using the Setup Wizard, the Herculon SSL
Orchestrator configuration utility assists you with the rest of your configuration.
Note: If you are implementing a high availability environment for Herculon SSL Orchestrator, review the
Setting up Herculon SSL Orchestrator in a High Availability Environment section for more detailed
information.
Using the Herculon SSL Orchestrator setup wizard
Before you start this task:
Make sure you set up a management IP address, netmask, and default routing on your system.
Note: If at any time during your configuration you need to return to the F5® Herculon™ SSL
Orchestrator™ Setup Wizard, simply click the F5 logo in the upper-left corner of the configuration utility,
and on the Welcome screen, click the Run the Setup Utility link.
The Herculon SSL Orchestrator Setup Wizard guides you through the basic, minimal setup configuration
for Herculon SSL Orchestrator.
1. On the Welcome screen, click Next.
2. On the License screen, click Activate.
3. On the EULA screen, click Accept.
The license activates and the system reboots for the configuration changes to take effect.
4. After the system reboots, click Continue.
5. On the Device Certificates screen, click Next.
6. On the Platform screen, for the Management Port Configuration setting, click Manual.
The Management Port setting should include the management interface details that were previously
created.
7. In the Host Name field, type the name of this system.
The Host Name must be a fully qualified domain name.
For example, www.siterequest.com.
8. In the User Administration area, type and confirm the Root Account and Admin Account passwords,
and click Next.
The Root Account provides access to the command line, while the Admin Account accesses the user
interface.
The system notifies you to log out and then log back in with your username and new password.
9. Click OK.
The system reboots.
10. (Optional) On the Network Time Protocol (NTP) screen, in the Address field, type the IP address of
the NTP server to synchronize the system clock with an NTP server, and click Add.

11. Click Next.
The Domain Name Server (DNS) screen opens.
12. (Optional) To resolve host names on the system, set up the DNS and associated servers:
a) For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server
and click Add.
b) If you use BIND servers, add them in the BIND Forwarder Server List.
c) For local domain lookups to resolve local host names, add them in the DNS Search Domain List.
d) Click Next.
The Internal VLAN screen opens.
Note: If you plan to later use the DNSSEC option in the configuration utility, you must set up DNS
using the Herculon SSL Orchestrator Setup Wizard. Otherwise, this step is optional.
13. Specify the Self IP settings for the internal network:
a) In the Address field, type a self IP address.
b) In the Netmask field, type a network mask for the self IP address.
c) For the Port Lockdown setting, retain the default value.
14. For the VLAN Tag ID setting, retain the recommended default value, auto.
15. For the Interfaces setting:
a) From the VLAN Interfaces list, select an interface number.
b) From the Tagging list, select Tagged or Untagged.
Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
c) Click Add.
16. Click Next.
This completes the configuration of the internal self IP addresses and VLAN, and the External VLAN
screen opens.
17. Specify the Self IP setting for the external network:
a) In the Address field, type a self IP address.
b) In the Netmask field, type a network mask for the self IP address.
c) For the Port Lockdown setting, retain the default value.
18. In the Default Gateway field, type the IP address that you want to use as the default gateway to the
external VLAN.
19. For the VLAN Tag ID setting, retain the recommended default value, auto.
20. Click Next.
This completes the configuration of the external self IP addresses and VLAN.
21. On the Forward Proxy Certificate screen, do the following:
a) In the Certificate Name field, select Create New and type a certificate name.
b) In the Certificate Source field, select either Upload File and click Choose File, or select Paste
Text and copy and paste your certificate source.
c) In the Key Source field, select either Upload File and click Choose File, or select Paste Text and
copy and paste your key source.
d) From the Security Type list, select either Normal or Password.
22. Click Next.
23. On the Logging screen, under Publisher Type, select either local or splunk.
• If you select local as your Publisher Type, specify the Destination as either local-db or local-syslog and click Next.

Note: This determines the destination of your logs as being either a local database or a local
syslog server.
• If you select splunk as your Publisher Type:
a) For Protocol, select either TCP or UDP.
b) Type the IP address and the Port of the splunk server.
c) Click Next.
You are now ready to proceed to the second part of the configuration where you follow additional
instructions to finalize your system for Herculon SSL Orchestrator.
Backing up your BIG-IP configuration
Before beginning the Herculon SSL Orchestrator configuration, or before you make substantial changes,
we strongly recommend you back up the BIG-IP configuration using the following steps. This allows you
to restore the previous configuration in case of any issues.
1. On your system, click System > Archives.
2. To initiate the process of creating a new UCS archive (backup), click Create.
3. In the File Name box, type a name for the file. This name must be a unique name.
4. Click Finished.
5. To restore the configuration from a UCS archive, go to System > Archives.
6. Select the name of the UCS file you want to restore and click Restore.
Your BIG-IP configuration is now safely restored.
Modifying your Herculon SSL Orchestrator configuration
We recommend that you back up your BIG-IP® configuration prior to making any changes to your F5® Herculon™ SSL Orchestrator™ configuration. Refer to the Backing up your BIG-IP configuration section of this document for more information.
You can modify your existing Herculon SSL Orchestrator configuration if you need to make changes.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. Modify your configuration and then click Deploy.
See the Diagnosing your Herculon SSL Orchestrator deployment section for more detailed information
on how to monitor the success or failure of your configuration modification. If successful, your existing
configuration is now updated.
Undeploying your Herculon SSL Orchestrator configuration
We recommend that you back up your BIG-IP® configuration prior to making any modifications to your F5® Herculon™ SSL Orchestrator™ configuration. Refer to the Backing up your BIG-IP configuration section of this document for more information.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. Click Undeploy.

See the Diagnosing your Herculon SSL Orchestrator deployment section for more detailed information
on how to monitor the success or failure of your device undeployment. If successful, your entire
configuration is now removed from your system.
Diagnosing your Herculon SSL Orchestrator deployment
You can diagnostically monitor each deployment and undeployment for a device configuration whether
you are deploying a single device or multiple boxes in a high availability (HA) device group. The system
displays an application status message above the network diagram indicating whether your device or
device group has successfully Deployed or suffered an Error.
When there are multiple devices in a device group in an HA scenario, the application status message
displays the state of the deployment as one system. For example, if two out of four devices in a device
group deploy with errors, the application status message displays 2 Error, indicating two devices
suffered an error during deployment.
If you click View Details next to the application status message when you have multiple devices in a
sync group, the Application Status dialog box opens. The Application Status table lists each BIG-IP®
device with individual links to the Diagnostic screen. The Diagnostic screen displays the current device's
deployment information and assists in further diagnosing any issues.
After completing an F5® Herculon™ SSL Orchestrator™ configuration deployment, or if you are performing an undeployment, you can diagnose your deployment status.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. On the General Properties screen, click either Deploy or Undeploy.
Above the network diagram, the application status displays a spinning wheel with the message
Currently being deployed or Currently being undeployed.
Once the process is complete, the application status message displays Deployed, Undeployed, or
Error.
3. If you have multiple devices in a device group, click View Details. If you are deploying or
undeploying a single device, proceed to step 4.
If your deployment or undeployment is successful, the Diagnostic screen opens.
If your deployment or undeployment is not successful, the Application Status dialog popup opens
showing each BIG-IP device with individual links to the Diagnostic screen.
4. Click OK to close the Application Status dialog popup table, or click the link in the Details column
for a particular device to open the Diagnostic screen.
The Application Diagnostic area shows details for the current device that you selected. This is
information you can use to further diagnose your application status.
5. On the Main tab, click SSL Orchestrator > Configuration, and on the menu bar, click Diagnostic to
view diagnostic information on your current device.
The Diagnostic screen opens.

Setting Up a Basic Configuration
Overview: Setting up a basic configuration
This section contains general information that the system needs before you can configure services and
service chains. The F5® Herculon™ SSL Orchestrator™ configuration utility will assist you with
configuring logging settings, setting up ingress and egress devices as one system or separate systems, and
configuring the system for transparent proxy and explicit proxy.
Configuring general properties
You must provide general information that the system needs so that you can then set up ingress and
egress devices, create services and service chains, and create classifier rules using the Herculon SSL
Orchestrator configuration utility.
Note: By default, during the Herculon SSL Orchestrator deployment process, the system database value
for Traffic Management Microkernel (TMM) fast forward is automatically disabled (set to “false”). To
ensure your Herculon SSL Orchestrator deployment works properly, make sure the system database value
for TMM fast forward remains disabled throughout the deployment. If you are not using Herculon SSL
Orchestrator and need the system database value for TMM fast forward enabled, it must be manually
changed.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. For the Application Service Name field, ssloApp is the default name for this configuration.
3. From the Do you want to setup separate ingress and egress devices with a cleartext zone between
them? list, select one of the options:
• If the same BIG-IP system receives both ingress and egress traffic on different networks, use No,
use one BIG-IP device for ingress and egress.
• If you are configuring separate devices for ingress and egress traffic, use Yes, configure separate
ingress and egress BIG-IP devices.
4. From the Which IP address families do you want to support? list, select whether you want this
configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
If you do not choose to support both address families, you must configure IP addresses in the family
you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can
send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
5. From the Which proxy schemes do you want to implement? list, select whether the system operates
in transparent proxy mode, explicit proxy mode, or both.
• Use Implement transparent proxy only for the system to operate in transparent proxy mode.
The transparent proxy scheme can intercept all types of TLS and TCP traffic. It also processes
UDP traffic and forwards all other types of traffic. The transparent proxy requires no client
configuration modifications.
• Use Implement both transparent and explicit proxies for the system to operate in explicit and
transparent proxy modes simultaneously.
• Use Implement explicit proxy only for the system to operate in explicit proxy mode. The explicit
proxy scheme supports only HTTP(S) per RFC2616. If you choose to configure an explicit proxy,
assign a specific IP address and TCP port where the HTTP explicit-proxy clients connect.

Note: When configuring a single device Herculon SSL Orchestrator transparent proxy in front of an
explicit proxy, Herculon SSL Orchestrator can transparently intercept SSL traffic tunneled through an
explicit proxy and selectively forward the decrypted user traffic through the security service chain for
proper inspections. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the
traffic and sends to the explicit proxy. User traffic of certain categories may also be rejected by the
BIG-IP or bypass the security inspections.
Note: When transparently decrypting traffic to upstream explicit proxies in a two-device Herculon SSL Orchestrator deployment, SSL forward proxy interception occurs only on the ingress device (decryption, service chaining, and re-encryption occur on the ingress device, while the re-encrypted traffic passes through the egress device). In addition, all classifier rules apply to traffic inside HTTP CONNECT tunnels except for rules bypassing SSL during the TLS handshake phase. Those rules do not apply because SSL forward proxy cannot reuse the same HTTP CONNECT tunnel to the explicit proxy for the bypassed flow.
6. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list,
select one of the options:
• Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
• Use No, manage UDP traffic by classification to configure specific service chain classifier rules
for UDP traffic.
This option is available only if you select Implement transparent proxy only.
7. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list,
select one of the options:
• Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want
the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose
this option, this traffic will not be classified or processed by any service chain.
• Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on.) for the
system to block all non-TCP and non-UDP traffic.
This option is available only if you select Implement transparent proxy only.
8. From the Which is the SSL Forward Proxy CA certificate? list, select the Certificate Authority
(CA) certificate that your clients will trust to authenticate intercepted TLS connections.
9. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private
key.
You import the CA certificate and private key while configuring the Setup Wizard. If you did not use
the Setup Wizard, you must import a CA certificate before you can use this functionality.
10. In the What is the private-key passphrase (if any)? field, type the private-key passphrase.
If the key does not have a passphrase, leave the field empty.
11. From the Which CA bundle is used to validate remote server certificates? list, select the CA
bundle that validates the remote server certificates.
The CA bundle is the collection of root and intermediate certificates for the CA you trust to
authenticate servers where your clients might connect. The CA bundle is also known as the local trust
store.
12. From the Should connections to servers with expired certificates be allowed? list, select one of the
two options to determine what happens with connections to servers with expired certificates:
• Use Yes, allow connections to servers with expired certificates to allow connections to the
servers that have expired certificates.
• Use No, forbid connections to servers with expired certificates to prevent connections to
servers that have expired certificates.
Setting Up a Basic Configuration
14

Remote servers can present expired certificates. Allowing connections to servers with expired
certificates can cause a security risk.
13. From the Should connections to servers with untrusted certificates be allowed? list, select one of
the two options to determine what happens with connections to servers with untrusted certificates:
• Use Yes, allow connections to servers with untrusted certificates to allow connections to the
servers that have untrusted certificates.
• Use No, forbid connections to servers with untrusted certificates to prevent connections to
servers that have untrusted certificates.
Remote servers can present untrusted certificates. Allowing connections to servers with untrusted
certificates can cause a security risk.
14. If strict updates should protect the configuration, select the check box for Should strict updates be
enforced for this application?.
If you select this option, you cannot manually modify any settings produced by the application. Once
you disable this option, you can manually change your configuration. F5 recommends you enable this
setting to avoid misconfigurations that could result in an unusable application and impair F5's ability
to support your product.
15. Click Save.
You have provided the basic configuration the system requires for Herculon SSL Orchestrator.
You can now set up ingress and egress devices, configure transparent or explicit proxies for the system,
and create services, service chains, and classifier rules.
Configuring logging
Before configuring logging for F5® Herculon™ SSL Orchestrator™, complete all areas in General
Properties. Refer to the Configuring general properties section of this document for more information.
You can generate log messages to help you monitor (and optionally debug) system activity. And you can
choose the level of logging you want the system to perform. Log messages may be sent to one or more
external log servers (preferred) and/or stored on the BIG-IP® device (less desirable because BIG-IP
devices have limited log storage capacity).
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. Scroll down to the Logging Configuration area to the What SSL Intercept logging level do you want
to enable? list, and select the level of logging you want the system to perform.
• Use Errors. Log only functional errors to log errors related to how Herculon SSL Orchestrator
functions.
• Use Normal. Log connection data as well as errors to log per-connection data in addition to
functional errors.
• Use Debug. Log debug data as well as normal level data to log debug data as well as
connection data and functional errors. Because this logging level consumes more resources on the
BIG-IP system, use this mode only during setup or troubleshooting.
3. From the Which Log Publisher will process the log messages? list, select whether an existing Log
Publisher object processes the log messages or whether the messages are instead sent to syslog-ng.
• Use None (Send log messages to syslog-ng) to send log messages to the system management
plane syslog-ng subsystem. This option is not recommended for use in production systems.
• Otherwise, from the list, select the Log Publisher you created. A Log Publisher delivers log
messages to one or more Log Destinations. Log Destinations may include Syslog, ArcSight,
Splunk, and other log servers.
We strongly recommend that you use a Log Publisher for good system performance. The syslog-ng
service is useful for Errors-only logging but is too slow for Normal or Debug logging when the
system is used in production. Log Destinations may also include the BIG-IP system's local log
database. To use a Log Publisher, it must already be present on the system.
4. From the What kind of statistics do you want to record? list, select the type of statistic the system
records. This implementation can collect usage data for connections, service chains, services, and so
on. The implementation can also record remote domain names and TLS cipher suites for TLS
connections if you wish, but gathering such data consumes more system resources.
Domain names are taken from remote server PKI certificates (or client SNI in the case of Dynamic
Domain Bypass) and may include a wild card. TLS cipher suites may not be recorded when a
connection bypasses interception.
If you choose to collect any statistics, the BIG-IP system starts saving extra data in memory for
integration with performance-reporting systems such as Splunk, or for BIG-IP iStats.
• Use None if you do not want the system to record statistics.
• Use Usage counters only (No remote-domain+cipher records) to record usage counters only
and not statistics on remote-domain and cipher records.
• Use Usage counters and remote-domain+cipher records (may slow system) to record both
usage counters and remote-domain and cipher records. This option can slow performance on your
system.
5. Click Save.
You have configured logging options and completed the basic Herculon SSL Orchestrator configuration.
Configuring an ingress and egress device on one system
The ingress device is either a device or a Sync-Failover device group to which each client sends traffic.
The egress device is either a device or a Sync-Failover device group that receives traffic after a
connection travels through the specified service chain and directs the traffic to the final destination.
When the same BIG-IP® system handles both ingress and egress traffic, the ingress device is one or
more ingress VLANs where the clients send traffic. The ingress device decrypts the traffic and then,
based on protocol, source, and destination, classifies the traffic and passes each connection for inspection.
On that same system, the egress device is one or more egress VLANs where the clients receive traffic.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. If you have only one BIG-IP system, from the Do you want to setup separate ingress and egress
devices with a cleartext zone between them? list, select No, use one BIG-IP device for ingress
and egress.
3. From the Which IP address families do you want to support? list, select whether you want this
configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
If you do not choose to support both address families, you must configure IP addresses in the family
you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can
send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
4. From the Which is the SSL Forward Proxy CA certificate? list, select the Certificate Authority
(CA) certificate that your clients will trust to authenticate intercepted TLS connections.
5. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private
key.
You import the CA certificate and private key while configuring the Setup Wizard. If you did not use
the Setup Wizard, you must import a CA certificate before you can use this functionality.
6. In the What is the private-key passphrase (if any)? field, type the private-key passphrase.
If the key does not have a passphrase, leave the field empty.
7. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the
transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will
arrive.
8. From the How should a server TLS handshake failure be handled? list, select whether the
connection should fail or be bypassed.
9. From the DNS query resolution list, select whether to permit the system to send DNS queries
directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS
queries from Herculon SSL Orchestrator.
• If you select Send DNS queries directly to nameservers across the internet, proceed to step 10.
• If you select Send DNS queries to forwarding nameservers on the local network, proceed to
step 11.
10. From the Do you want to configure local/private DNS zones? list, select whether you do, or do not,
want to configure local or private DNS zones.
• If you select No, do not configure any local/private DNS zones, proceed to step 13.
• If you select Yes, configure local/private DNS zones, proceed to step 12.
11. In the Which local forwarding nameserver(s) will resolve DNS queries from this solution? field,
type the IP address of local nameservers that will resolve all DNS queries from this implementation
and click Add. Once you have added the necessary nameserver IP addresses, proceed to step 13.
12. In the List local/private Forward Zones setting, click Add and type the IP address of one or more
nameservers.
13. From the Do you want to use DNSSEC to validate DNS information? list, select whether you do,
or do not, want to use DNSSEC to validate the DNS information.
14. In the Egress Device Configuration area, from the Do you want to SNAT client IP addresses? list,
select whether you do, or do not, want to define SNAT addresses.
• If you select No, pass client addresses unaltered, proceed to step 17.
• If you select Yes, SNAT (replace) client addresses, proceed to step 15.
15. From the Do you want to use a SNAT Pool? list, select whether you want to use a SNAT pool or
SNAT auto map to translate addresses.
• If you select Yes, define SNAT Pool addresses for good performance, proceed to step 16.
• If you select No, use SNAT Auto Map (not recommended), proceed to step 17.
16. The options for providing SNAT addresses vary depending on whether you selected Support IPv4 only,
Support IPv6 only, or Both IPv4 and IPv6. Enter at least as many IP host addresses as the number of
TMM instances on the ingress device. Each address must be uniquely assigned and routed to the ingress
device. It is best to assign addresses which are adjacent and grouped under a CIDR mask, for
example, 203.0.113.8 up through 203.0.113.15, which fill 203.0.113.8/29.
• In the IPv4 SNAT addresses field, type the IPv4 SNAT address.
• In the IPv6 SNAT addresses field, type the IPv6 SNAT address.
• In both the IPv4 SNAT addresses and IPv6 SNAT addresses fields, type both the IPv4 and IPv6
SNAT addresses.
17. From the Should traffic go to the Internet via specific gateways? list, select whether you want the
system to let all SSL traffic use the default route, or to specify Internet gateways (routers). If you
choose to use specific gateways, you can also define the ratio of traffic sent to each device in the
next step.
• If you want outbound/Internet traffic to use the default route on the BIG-IP system, select No,
send outbound/Internet traffic via the default route and proceed to step 19 to save.
• If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the
share of traffic each is given), use Yes, send outbound/Internet traffic via specific gateways and
proceed to step 18.
18. The options for providing the outbound gateway addresses vary depending on whether you selected
Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Specify one or more Internet gateway
addresses (routers) to handle outbound SSL traffic and to control the share of traffic each is given.
• In the What are the IPv4 outbound gateway addresses? field, type the IPv4 gateway addresses.
Proceed to step 20 to save.
• In the What are the IPv6 outbound gateway addresses? field, type the IPv6 gateway addresses.
Proceed to step 19.
• In both the What are the IPv4 outbound gateway addresses? and What are the IPv6
outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to
step 19.
Click the + button to add additional addresses.
You can enter multiple gateways if you have multiple systems and wish to load balance across them.
If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For
example, if you have two devices, and one handles twice as much traffic as the other, you can set the
ratio to 1 on the smaller device, and 2 on the larger one.
19. In the Non-public IPv6 networks via IPv6 gateways field, type the requested IPv6 address if you
want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the
prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3
block, such as ULA networks in the fc00::/7 block.
20. Click Save.
You have now configured an ingress device and an egress device located on one system.
This procedure describes only the fields, lists, and areas needed to configure an ingress and egress device
on one system. You should complete the other areas in General Properties before moving on to create
services and service chains.
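Two of the address rules in the procedure above can be checked before anything is typed into the General Properties screen: the SNAT pool rule of step 16 (one unique, routed host address per TMM instance, ideally adjacent and filling one CIDR block) and the non-public IPv6 rule of step 19 (networks outside 2000::/3, such as ULA fc00::/7), which also apply to steps 20 and 21 of the next procedure. The following Python script is an added example, not part of the F5 manual; the sample addresses are constructed and the TMM count of 8 is an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Boundaries the manual names: public IPv6 is the 2000::/3 block,
# ULA (a common non-public range) is fc00::/7.
PUBLIC_IPV6 = ipaddress.ip_network("2000::/3")
ULA_IPV6 = ipaddress.ip_network("fc00::/7")


def check_snat_pool(addresses: List[str], tmm_count: int
                    ) -> Tuple[List[str], List[str], Optional[str]]:
    """Check a SNAT pool plan against the rules in step 16.

    Returns (errors, warnings, covering_cidr). Errors break the requirement
    of at least one unique host address per TMM instance in one address
    family; the warning covers the recommendation (not a requirement) that
    the addresses be adjacent and fill one CIDR block. covering_cidr is that
    block when the recommendation is met, otherwise None.
    """
    errors: List[str] = []
    warnings: List[str] = []
    try:
        hosts = [ipaddress.ip_address(a) for a in addresses]
    except ValueError as exc:
        return [f"invalid address: {exc}"], warnings, None

    unique = set(hosts)
    families = {h.version for h in hosts}
    if len(unique) != len(hosts):
        errors.append("duplicate address: each SNAT address must be uniquely assigned")
    if len(families) > 1:
        errors.append("IPv4 and IPv6 addresses mixed in one SNAT field")
    if len(unique) < tmm_count:
        errors.append(f"{len(unique)} unique address(es) but {tmm_count} TMM instances")

    covering: Optional[str] = None
    if len(families) == 1:
        # Each host becomes a /32 or /128; collapse_addresses merges adjacent,
        # aligned networks, so a full block collapses to exactly one network.
        merged = list(ipaddress.collapse_addresses(
            ipaddress.ip_network(str(h)) for h in unique))
        if len(merged) == 1 and merged[0].num_addresses == len(unique):
            covering = str(merged[0])
        else:
            warnings.append("addresses are not adjacent and aligned to a single "
                            "CIDR block (recommended, e.g. 203.0.113.8/29)")
    return errors, warnings, covering


def classify_ipv6_prefix(prefix: str) -> str:
    """Classify a CIDR prefix for the non-public IPv6 networks field (step 19).

    Returns 'public' (inside 2000::/3, so it does not belong in that field),
    'non-public (ULA)' (inside fc00::/7) or 'non-public'. Raises ValueError for
    a non-IPv6 prefix, for host bits set (the field takes prefix/mask-length),
    or for a prefix that straddles the 2000::/3 boundary and must be split.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        raise ValueError(f"{prefix} is not an IPv6 prefix")
    if net.subnet_of(PUBLIC_IPV6):
        return "public"
    if net.overlaps(PUBLIC_IPV6):
        raise ValueError(f"{prefix} straddles the public 2000::/3 block; split it")
    if net.subnet_of(ULA_IPV6):
        return "non-public (ULA)"
    return "non-public"


if __name__ == "__main__":
    # Constructed plan: the manual's own example block, assumed 8 TMM instances.
    plan = [f"203.0.113.{i}" for i in range(8, 16)]
    print(check_snat_pool(plan, tmm_count=8))
    for p in ("2001:db8::/32", "fd00:abcd::/48", "fe80::/10"):
        print(p, "->", classify_ipv6_prefix(p))
```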
Configuring an ingress device (for separate ingress and egress devices)
The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The
ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts
the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each
connection for inspection.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between
them? list, select Yes, configure separate ingress and egress BIG-IP devices.
3. From the Is this device the ingress or egress device? list, select This is the INGRESS device to
which clients connect.
4. In the What is the EGRESS device Application Service name? field, type the name of the device
service.
5. In the What is the IP address of the EGRESS device control-channel virtual server? field, type
the IP address of the service chain control channel virtual server over on the egress device.
6. In the What IP address should THIS (ingress) device's control-channel virtual server use? field,
type the IP address of the virtual server for the service chain control channel on a VLAN.
7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to
enable cryptographic protection of the service chain control channel between the ingress and egress
devices.
8. From the Which IP address families do you want to support? list, select whether you want this
configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
If you do not choose to support both address families, you must configure IP addresses in the family
you select for all IP address fields in this application. If you choose Both IPv4 and IPv6, you can
send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
9. From the Which is the SSL Forward Proxy CA certificate? list, select the Certificate Authority
(CA) certificate that your clients will trust to authenticate intercepted TLS connections.
10. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private
key.
You import the CA certificate and private key while configuring the Setup Wizard. If you did not use
the Setup Wizard, you must import a CA certificate before you can use this functionality.
11. In the What is the private-key passphrase (if any)? field, type the private-key passphrase.
If the key does not have a passphrase, leave the field empty.
12. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the
transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will
arrive.
13. From the How should a server TLS handshake failure be handled? list, select whether you want
the connection to fail or bypass the connection.
14. From the DNS query resolution list, select whether to permit the system to send DNS queries
directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS
queries from Herculon SSL Orchestrator.
• If you select Send DNS queries directly to nameservers across the internet, proceed to step 15.
• If you select Send DNS queries to forwarding nameservers on the local network, proceed to
step 16.
15. From the Do you want to configure local/private DNS zones? list, select whether you do, or do not,
want to configure local or private DNS zones.
• If you select No, do not configure any local/private DNS zones, proceed to step 18.
• If you select Yes, configure local/private DNS zones, proceed to step 17.
16. In the Which local forwarding nameserver(s) will resolve DNS queries from this solution? field,
type the IP address of local nameservers that will resolve all DNS queries from this implementation
and click Add. Once you have added the necessary nameserver IP addresses, proceed to step 18.
17. In the List local/private Forward Zones setting, click Add and type the IP address of one or more
nameservers.
18. From the Do you want to use DNSSEC to validate DNS information? list, select whether you do,
or do not, want to use DNSSEC to validate the DNS information.
19. In the Decrypt Zone to Egress Device Configuration area, for Are there parallel service devices in
the decrypt zone?, select whether you want to send outbound traffic using the BIG-IP® system
default route(s) or send outbound traffic through one or more service devices.
• If the system will send the traffic through its default route to the internet, which must be
configured to point to the egress BIG-IP® system, use No, send outbound traffic via the BIG-IP
default route(s) and proceed to step 22 to save.
• If your configuration includes any Layer 3 systems in the decrypt zone that must receive the
traffic, use Yes, send outbound traffic via one or more service device(s) and proceed to step 17.
20. The options for providing the outbound gateway addresses vary depending on whether you selected
Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Type the IP addresses of the inward
interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
• In the What are the IPv4 decrypt zone gateway addresses? field, type the IPv4 gateway
addresses. Proceed to step 22 to save.
• In the What are the IPv6 decrypt zone gateway addresses? field, type the IPv6 gateway
addresses. Proceed to step 21.
• In both the What are the IPv4 decrypt zone gateway addresses? and What are the IPv6
outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to
step 21.
Click the + button to add additional addresses.
You can enter multiple gateways if you have multiple systems and wish to load balance across them.
If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For
example, if you have two devices, and one handles twice as much traffic as the other, you can set the
ratio to 1 on the smaller device, and 2 on the larger one.
21. In the What are the Non-public IPv6 networks via IPv6 gateways? field, type the requested IPv6
address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways
above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those
outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
22. Click Save.
You have now configured an ingress device for a system configured for separate ingress and egress
devices.
This procedure describes only the fields, lists, and areas needed to configure an ingress device. You should
complete the other areas in General Properties before moving on to create services and service chains.
Configuring an egress device (for separate ingress and egress devices)
The egress device is either a device or a Sync-Failover device group that receives traffic after a
connection travels through the specified service chain and directs the traffic to the final destination. When
you set up separate ingress and egress devices, the two devices exchange control messages. These can go
through the decrypt zone, or around it if you configure a different path through the network. In either
case, the messages are sent through TCP connections to port 245, at an IP address you specify, on each
BIG-IP® system.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between
them? list, select Yes, configure separate ingress and egress BIG-IP devices.
3. From the Is this device the ingress or egress device? list, select This is the EGRESS device which
connects to servers.
4. In the What is the INGRESS device Application Service name? field, type the name of the device
service.
5. In the What is the IP address of the INGRESS device control-channel virtual server? field, type
the IP address of the service chain control channel virtual server over on the ingress device.
6. In the What IP address should THIS (egress) device's control-channel virtual server use? field,
type the IP address of the virtual server for the service chain control channel on a VLAN.
7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to
enable cryptographic protection of the service chain control channel between the ingress and egress
devices.
8. From the Which IP address families do you want to support? list, select whether you want this
configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.