F5 Herculon ssl orchestrator Manual

F5®Herculon™SSL Orchestrator™: Setup

Version 13.1-3.0

Table of Contents

What is F5 Herculon SSL Orchestrator?.................................................................................. 5

What is F5 Herculon SSL Orchestrator?............................................................................5

Terminology for Herculon SSL Orchestrator............................................................................7

Terminology for Herculon SSL Orchestrator...................................................................... 7

Configuring the System for F5 Herculon SSL Orchestrator .................................................. 9

Overview: Configuring the system for F5 Herculon SSL Orchestrator...............................9

Using the Herculon SSL Orchestrator setup wizard...........................................................9

Backing up your BIG-IP configuration..............................................................................11

Modifying your Herculon SSL Orchestrator configuration................................................11

Undeploying your Herculon SSL Orchestrator configuration............................................11

Diagnosing your Herculon SSL Orchestrator deployment................................................12

Setting Up a Basic Configuration............................................................................................13

Overview: Setting up a basic configuration......................................................................13

Configuring general properties.........................................................................................13

Configuring logging..........................................................................................................15

Configuring an ingress and egress device on one system...............................................16

Configuring an ingress device (for separate ingress and egress devices).......................18

Configuring an egress device (for separate ingress and egress devices)........................20

Configuring the system for transparent proxy.................................................................. 23

Configuring the system for explicit proxy..........................................................................23

Configuring the system for both transparent and explicit proxies.....................................24

Creating Services, Service Chains, and Classifier Rules..................................................... 27

Overview: Creating services, service chains, and classifier rules....................................27

Creating inline services for service chains.......................................................................27

Creating ICAP services....................................................................................................29

Creating receive-only services for traffic inspection.........................................................30

Creating service chains to link services...........................................................................30

Creating TCP service chain classifier rules..................................................................... 31

Creating UDP service chain classifier rules.....................................................................33

Importing and Exporting Configurations for Deployment....................................................35

Overview: Importing and exporting configurations for deployment.................................. 35

Importing new configurations for deployment.................................................................. 35

Importing past configurations for deployment..................................................................36

Exporting configurations for deployment..........................................................................36

Setting up Herculon SSL Orchestrator in a High Availability Environment ....................... 39

Overview: Setting up Herculon SSL Orchestrator in a high availability environment ......39

Task summary for deploying in a high availability environment........................................40

Installing an updated RPM file...............................................................................41

Configuring the network for high availability..........................................................41

Synchronizing the device group............................................................................ 43

Table of Contents

Setting up a basic configuration for deployment....................................................44

Task summary for diagnosing and fixing high availability deployment.............................44

Verifying deployment and viewing logs..................................................................44

Verifying the RPM file version on both devices..................................................... 45

Configuring general properties and redeploying...................................................45

Reviewing error logs and performing recovery steps............................................45

Using Herculon SSL Orchestrator Analytics..........................................................................47

Overview: About Herculon SSL Orchestrator analytics....................................................47

About analytics dashboard capabilities............................................................................47

Timeline capabilities.........................................................................................................48

Customizing timeline capabilities.....................................................................................48

Chart capabilities............................................................................................................. 48

Customizing chart capabilities......................................................................................... 49

Table capabilities..............................................................................................................49

Customizing table capabilities..........................................................................................49

Charting bytes in, bytes out, and hit count over time.......................................................50

Comparing statistics on the top virtual servers................................................................50

Viewing the top sites bypassed........................................................................................51

Viewing the top sites decrypted....................................................................................... 51

Viewing the most used client ciphers and protocols........................................................ 52

Finding where the top server ciphers and protocols are used.........................................52

Scheduling reports to be sent..........................................................................................52

Legal Notices............................................................................................................................ 55

Legal notices....................................................................................................................55

Table of Contents

What is F5 Herculon SSL Orchestrator?

F5® Herculon™ SSL Orchestrator™ provides an all-in-one appliance solution designed specifically to

optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic,

and maximize the efficient use of that existing security investment. This solution centralizes and

consolidates SSL inspection across complex security architectures, allowing you flexible deployment

options to decrypt and re-encrypt user traffic across the Internet and web-based applications. It supports

policy-based management and steering of traffic flows to third-party security devices such as firewalls,

intrusion prevention systems (IPS), anti-malware, data loss prevention (DLP), and forensics tools. It

provides a wide range of SSL orchestration analytics that you can easily customize across multiple

dimensions based on specified ranges of time.

The Herculon SSL Orchestrator single platform for unified inspection allows for the greatest flexibly

without architectural changes to prevent new blind spots from emerging.

Some of the key functions include:

• Dynamic security service chaining that leverages context-based policies to efficiently deploy security,

reduce administrative overhead, and effectively utilize security resources

• Centralized management of the SSL decrypt and re-encrypt function

• Inspection of all traffic for malware and data exfiltration with a multi-layered approach

• Flexible deployment modes to easily integrate the latest encryption technologies across your entire

security infrastructure

• High availability with best-in-class load-balancing, health monitoring, and SSL offload capabilities

Figure 1: Herculon SSL Orchestrator solution

What is F5 Herculon SSL Orchestrator?

Terminology for Herculon SSL Orchestrator

This section defines some of the terms used in this document.

•Certificate Authority (CA) certificate

This implementation requires a Certificate Authority PKI (public key infrastructure) certificate and

matching private key for SSL Forward Proxy. Your TLS clients must trust this CA certificate to sign

server certificates.

•Decrypt zone

A decrypt zone refers to the network region between separate ingress and egress BIG-IP® devices

where cleartex data is available for inspection. Basically an extra inline service can be placed at the

end of every service chain for additional inspection. You cannot configure a decrypt zone in the

scenario where a single BIG-IP system handles both ingress and egress traffic because the decrypt

zone does not exist.

•Egress device

The egress BIG-IP system is the device (or Sync-Failover device group) that receives the traffic after

a connection traverses the chosen service chain and then routes it to its final destination. In the

scenario where both ingress and egress traffic are handled by the same BIG-IP system, egress refers to

the VLAN(s) where traffic leaves the BIG-IP system to the Internet.

•ICAP services

Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic

to one or more Content Adaptation device(s) for inspection and possible modification. You can add an

ICAP service to any TCP service chain, but only HTTP traffic is sent to it, as we do not support ICAP

for other protocols. You can configure up to ten ICAP services using F5® Herculon™ SSL

Orchestrator™. For more information on ICAP services, refer to the Creating ICAP services section.

•Ingress device

The ingress BIG-IP system is the device (or Sync-Failover device group) to which each client sends

traffic. In the scenario where both ingress and egress traffic are handled by the same BIG-IP system,

ingress refers to the VLAN(s) where the client sends traffic. The ingress BIG-IP system (or ingress

VLAN(s)) decrypts the traffic and then based on protocol, source, destination, and so on, classifies it

and passes each connection for inspection based on service chains you will configure (or allows

certain connections to bypass service-chain processing based on your selections).

•Inline services

Inline services pass traffic through one or more service (inspection) devices at Layer2 (MAC)/Bump-

in-the-wire or Layer3 (IP). Each service device communicates with the ingress BIG-IP device over

two VLANs called Inward and Outwardwhich carry traffic toward the intranet and the Internet

respectively. You can configure up to ten inline services, each with multiple defined devices, using

Herculon SSL Orchestrator.

•Receive-only services

Receive-only services refer to services that only receive traffic for inspection, and do not send it back

to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (e.g.

plaintext) passing through it to an inspection device. You can configure up to ten receive-only

services using Herculon SSL Orchestrator. For more information on receive-only services, refer to the

Creating receive-only services for traffic inspection section.

•Service chain classifier rules

Each service chain classifier rule chooses ingress connections to be processed by a service chain you

configure (different classifier rules may send connections to the same chain). Each classifier rule has

four filters.The filters match source (client) IP address, destination (which can be IP address, IP

Intelligence category, IP geolocation, domain name, domain URL Filtering category, or server port),

and application protocol (based on port or protocol detection). Filters can overlap so the

implementation chooses the classifier rule with the most specifc matches for each connection.

For more information on service chain classifier rules, refer to the Creating TCP service chain

classifier rules section and/or the Creating UDP service chain classifier rules section.

•Service chains

Herculon SSL Orchestrator service chains process specific connections based on classifier rules

which look at protocol, source and destination addresses, and so on. These service chains can include

four types of services (Layer 2 inline services, Layer 3 inline services, receive-only services, and

ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices).

For more information on service chains, refer to the Creating service chains to link services section.

•SNAT

A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses

that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on

the external network. A SNAT pool is a pool of translation addresses that you can map to one or more

original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses.

•Sync-Failover device group

A Sync-Failover device group (part of the Device Service Clustering (DSC®) functionality) contains

BIG-IP devices that synchronize their configuration data and failover to one another when a device

becomes unavailable. In this configuration, a Sync-Failover device group supports a maximum of two

devices.

•Transparent/Explicit Proxy

You can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal

communication without requiring any special client configuration; clients are unaware of the proxy in

the network. In this implementation, the transparent proxy scheme can intercept all types of TLS and

TCP traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme

supports only HTTP(S) per RFC2616. In addition, transparent proxy supports direct routing for

policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) that are dependent on

networking services to support both protocols, while explicit proxy supports manual browser settings

for proxy auto-config (PAC) and Web Proxy Autodiscovery Protocol (WPAD) that require additional

iRule configurations (not included) to provide the PAC/WPAD script content.

Terminology for Herculon SSL Orchestrator

Configuring the System for F5 Herculon SSL Orchestrator

Overview: Configuring the system for F5 Herculon SSL Orchestrator

To set up your system for decrypting and encrypting outbound SSL/TLS traffic, you need to use the F5®

Herculon™ SSL Orchestrator™ Setup Wizard which initially guides you through basic minimal setup

configuration. When you have completed the basic setup using the Setup Wizard, the Herculon SSL

Orchestrator configuration utility assists you with the rest of your configuration.

Note: If you are implementing a high availability environment for Herculon SSL Orchestrator, review the

Setting up Herculon SSL Orchestrator in a High Availability Environment section for more detailed

information.

Using the Herculon SSL Orchestrator setup wizard

Before you start this task:

Make sure you set up a management IP address, netmask, and default routing on your system.

Note: If at any time during your configuration you need to return to the F5® Herculon™ SSL

Orchestrator™ Setup Wizard, simply click the F5 logo in the upper-left corner of the configuration utility,

and on the Welcome screen, click the Run the Setup Utility link.

The Herculon SSL Orchestrator Setup Wizard guides you through the basic, minimal setup configuration

for Herculon SSL Orchestrator.

1. On the Welcome screen, click Next.

2. On the License screen, click Activate.

3. On the EULA screen, click Accept.

The license activates and the system reboots for the configuration changes to take effect.

4. After the system reboots, click Continue.

5. On the Device Certificates screen, click Next.

6. On the Platform screen, for the Management Port Configuration setting, click Manual.

The Management Port setting should include the management interface details that were previously

created.

7. In the Host Name field, type the name of this system.

The Host Name must be a fully qualified domain name.

For example, www.siterequest.com.

8. In the User Administration area, type and confirm the Root Account and Admin Account passwords,

and click Next.

The Root Account provides access to the command line, while the Admin Account accesses the user

interface.

The system notifies you to log out and then log back in with your username and new password.

9. Click OK.

The system reboots.

10. (Optional) On the Network Time Protocol (NTP) screen, in the Address field, type the IP address of

the NTP server to synchronize the system clock with an NTP server, and click Add.

11. Click Next.

The Domain Name Server (DNS) screen opens.

12. (Optional) To resolve host names on the system, set up the DNS and associated servers:

a) For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server

and click Add.

b) If you use BIND servers, add them in the BIND Forwarder Server List.

c) For local domain lookups to resolve local host names, add them in the DNS Search Domain List.

d) Click Next.

The Internal VLAN screen opens.

Note: If you plan to later use the DNSSEC option in the configuration utility, you must set up DNS

using the Herculon SSL Orchestrator Setup Wizard. Otherwise, this step is optional.

13. Specify the Self IP settings for the internal network:

a) In the Address field, type a self IP address.

b) In the Netmask field, type a network mask for the self IP address.

c) For the Port Lockdown setting, retain the default value.

14. For the VLAN Tag ID setting, retain the recommended default value, auto.

15. For the Interfaces setting:

a) From the VLAN Interfaces list, select an interface number.

b) From the Tagging list, select Tagged or Untagged.

Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.

c) Click Add.

16. Click Next.

This completes the configuration of the internal self IP addresses and VLAN, and the External VLAN

screen opens.

17. Specify the Self IP setting for the external network:

a) In the Address field, type a self IP address.

b) In the Netmask field, type a network mask for the self IP address.

c) For the Port Lockdown setting, retain the default value.

18. In the Default Gateway field, type the IP address that you want to use as the default gateway to the

external VLAN.

19. For the VLAN Tag ID setting, retain the recommended default value, auto.

20. Click Next.

This completes the configuration of the external self IP addresses and VLAN.

21. On the Forward Proxy Certificate screen, do the following:

a) In the Certificate Name field, select Create New and type a certificate name.

b) In the Certificate Source field, select either Upload File and click Choose File, or select Paste

Text and copy and paste your certificate source.

c) In the Key Source field, select either Upload File and click Choose File, or select Paste Text and

copy and paste your key source.

d) From the Security Type list, select either Normal or Password.

22. Click Next.

23. On the Logging screen, under Publisher Type, select either local or splunk.

• If you select local as your Publisher Type, specify the Destination as either local-db or local-

syslog and click Next.

Configuring the System for F5 Herculon SSL Orchestrator

Table of contents

Other F5 Network Hardware manuals

F5 i5000 Series Assembly Instructions

F5 520 User manual

F5 i15000 Series User instructions

F5 BIG-IP 3900 User manual

F5 i4000 Series Assembly Instructions

F5 ARX-4000 Use and care manual

F5 WANJet 300 Technical manual

F5 ARX-500 Manual

F5 6900 Assembly Instructions

F5 8900 Assembly Instructions

F5 WANJet 500 Assembly Instructions

F5 BIG-IP 1600 Assembly Instructions

F5 ARX-500 Operating and maintenance manual

F5 BIG-IP 11050 User manual

F5 WANJet 500 Technical manual

F5 iSeries User manual

F5 6900 User manual

Popular Network Hardware manuals by other brands

socomec

socomec SNMP Card II quick start guide

NVR SYSTEMS

NVR SYSTEMS 4-CH user manual

Draytek

Draytek VigorSwitch G1240 quick start guide

Westermo

Westermo TD-34 LV installation manual

LaCie

LaCie Network Space MAX Quick install guide

ZoneVu

ZoneVu ZSI-450-IP Installation guide & user manual

QNAP

QNAP Turbo NAS Application notes

OpenEye

OpenEye MV Series quick start guide

Huawei

Huawei SmartAX MT880a quick start guide

Proxim

Proxim Tsunami QuickBridge 2454-R installation guide

Bay Networks

Bay Networks CLAM quick start guide

Innodisk

Innodisk SATADOM-SH 3SE Series manual

Cisco

Cisco CGR 1000 Series Getting connected guide

Matrix Switch Corporation

Matrix Switch Corporation MSC-HD161DEL product manual

National Instruments

National Instruments NI 653x user manual

B&B Electronics

B&B Electronics ZXT9-IO-222R2 product manual

Yudor

Yudor YDS-16 user manual

D-Link

D-Link ShareCenter DNS-320L datasheet

F5 Herculon SSL Orchestrator Manual

Popular Network Hardware manuals by other brands