[F5 SSLO] LAB 1 – Transparent Forward Proxy Configuration
The following steps will walk through the Guided Configuration (GC) to build a simple transparent forward proxy.1. Initial System and Network Configuration
BIG-IP Version
- BIG-IP VE v17.1.0
- Modules Provisioned: LTM, SSLO, URLDB
- F5 SSL Orchestrator v11.0.31
- RPM Package: f5-iappslx-ssl-orchestrator-17.1.0-11.0.31.noarch
BIG-IP License
- AFM, High Performance VE, 4 vCPUs
- Routing Bundle, VE
- VE, Carrier Grade NAT (AFM ONLY)
- PSM, VE
- APM, High Performance VE, 4 vCPUs
- AWF, High Performance VE, 4 vCPUs
- DNS, High Performance VE add-on, 4 vCPUs
- DNSSEC
- DNS Rate Limit, Unlimited QPS
- Routing Bundle, VE
- LTM, High Performance VE, 4 vCPUs
- APM, Limited
- Anti-Virus Checks
- Base Endpoint Security Checks
- Firewall Checks
- Machine Certificate Checks
- Network Access
- Protected Workspace
- Secure Virtual Keyboard
- APM, Web Application
- App Tunnel
- Remote Desktop
- SSL Orchestrator, High Performance VE, 8 vCPU
- Recycle, BIG-IP, VE
- Routing Bundle, VE
- Enable all versions
- APM, Limited
- SSL, VE
- Max Compression, VE
- Exclusive Version, v14.X – 18.X
- Anti-Virus Checks
- Base Endpoint Security Checks
- Firewall Checks
- Machine Certificate Checks
- Network Access
- Protected Workspace
- Secure Virtual Keyboard
- APM, Web Application
- App Tunnel
- Remote Desktop
- SSLO, High Performance VE, 4 vCPUs
- IP Intelligence, 3Yr, High Perf(Subscription)
- Subscription expires after Jun 28, 2026
- Secure Web Gateway, HP (VE), 20K Sessions, 3Yr(Subscription)
- Subscription expires after Jun 29, 2029
- URL Filtering, High-Perf-VE, 20000 Sessions, 3Yr(Subscription)
- Subscription expires after Jun 28, 2026
- System and Network Route Settings:
- System DNS:
- Name-server(s): 10.1.1.2
- System NTP:
- Server(s): pool.ntp.org
- Timezone: America/New_York
- System DNS:
- Network Routes:
- Name: gateway
- Destination: 0.0.0.0/0
- Gateway: 10.1.20.1
- Traffic Certificate Management:
- subrsa.f5labs.com
- Sub-CA Certificate:
- Subject CN: subrsa.f5labs.com
- Issuer CN: f5labs.com
- Private Key: RSA 2048 bits
- Sub-CA Certificate:
- wildcard.f5labs.com
- Server Certificate:
- Subject CN: *.f5labs.com
- Issuer CN: subrsa.f5labs.com
- Public Key: 2048 bits
- SAN: *.f5labs.com
- Private Key: RSA 2048 bits
- Server Certificate:
- subrsa.f5labs.com
| Name | App | Tag | Tagged | Partition/Path |
| client-vlan | 4094 | No | Common | |
| outbound-vlan | 4093 | No | Common | |
| dlp-vlan | 50 | Yes | Common | |
| web-vlan | 80 | Yes | Common |
| Name | App | Tag | Tagged | Partition/Path |
| ssloN_FEYE_in | ssloN_FEYE_in | 4090 | No | Common/ssloN_FEYE_in.app |
| ssloN_FEYE_out | ssloN_FEYE_out | 4091 | No | Common/ssloN_FEYE_out.app |
| ssloN_TAP_in | ssloN_TAP_in | 4092 | No | Common/ssloN_IPS_in.app |
| ssloN_Proxy_in | ssloN_Proxy_in | 30 | Yes | Common/ssloN_Proxy_in.app |
| ssloN_Proxy_out | ssloN_Proxy_out | 40 | Yes | Common/ssloN_Proxy_out.app |
| ssloN_IPS_in | ssloN_IPS_in | 60 | Yes | Common/ssloN_IPS_in.app |
| ssloN_IPS_out | ssloN_IPS_out | 70 | Yes | Common/ssloN_IPS_out.app |
| Self IPs Name | VLAN | IPv4 | IPv6 |
| client-self | client-vlan | 10.1.10.100/24 |
| outbound-self | outbound-vlan | 10.1.20.100/24 |
| dlp-self | dlp-vlan | 198.19.97.7/25 |
| web-self | web-vlan | 192.168.100.100/24 |
| Routes Name | Destination | NextHop |
| gateway | 0.0.0.0/0 | 10.1.20.1 |
| Self IPs Name | VLAN | IPv4 | IPv6 |
| ssloN_FEYE-70-0-S4 ssloN_FEYE-70-0-S6 ssloN_FEYE-70-0-flt-S4 ssloN_FEYE-70-0-flt-S6 | ssloN_FEYE_in | 198.19.32.8/27 2001:200:0:200:0:0:0:8/123 198.19.32.7/27 2001:200:0:200:0:0:0:7/123 |
| ssloN_FEYE-70-0-D4 ssloN_FEYE-70-0-D6 ssloN_FEYE-70-0-flt-D4 ssloN_FEYE-70-0-flt-D6 | ssloN_FEYE_out | 198.19.32.29%65000/27 2001:200:0:200:0:0:0:1d%65000/123 198.19.32.30%65000/27 2001:200:0:200:0:0:0:1e%65000/123 |
| ssloN_TAP4 ssloN_TAP6 | ssloN_TAP_in | 198.19.0.8/30 2001:200:0:100:0:0:0:8/124 |
| ssloN_Proxy-70-0-S4 ssloN_Proxy-70-0-flt-S4 | ssloN_Proxy_in | 198.19.96.8/25 198.19.96.7/25 |
| ssloN_Proxy-70-0-D4 ssloN_Proxy-70-0-flt-D4 | ssloN_Proxy_out | 198.19.96.244/25 198.19.96.245/25 |
| ssloN_IPS-70-0-S4 ssloN_IPS-70-0-flt-S4 | ssloN_IPS_in | 198.19.64.8/25 198.19.64.7/25 |
| ssloN_IPS-70-0-D4 ssloN_IPS-70-0-flt-D4 | ssloN_IPS_out | 198.19.64.244/25 198.19.64.245/25 |
2. SSLO Guided Configuration (via iApps LX)
- SSL Orchestrator Guided Configuration:
- The SSLO GC presents a completely new and streamlined user experience.
- This workflow-based architecture provides intuitive, re-entrant configuration steps tailored to the selected topology.
- This GC will allow you to quickly setup the SSLO Configuration.
- Main Configuration Objects:
- (1) Topology: Select the type of deployments you require and build on your configuration.
- (2) SSL Configurations: Configure your certificate chains for encrypting and decrypting packets.
- (3) Authentication: Configure a Local OCSP Responder and associate it to a Virtual Server.
- (4) Services: Define the security services to attach to SSL Orchestrator.
- (5) Service Chaining: Determine the flow of data through your network services.
- (6) Security Policy: Configure the traffic filtering and categorization to securely manage traffic.
- (7) Interception Rules: Create the rules for routing traffic.
- (8) Egress Setting: Manage SNAT Settings and configure Gateways.
- (9) Log Settings: Manage Log Settings.
SSLO creates discreet configurations based on the selected topology.
(*) An explicit forward proxy topology will ultimately create an explicit proxy listener and its relying transparent proxy listener.
(*) But the transparent listener will be bound only to the explicit proxy tunnel.
(*) If a subsequent transparent forward proxy topology is configured, it will not overlap the existing explicit proxy objects.
(*) The Topology Properties page provides the following options.- Name: sslo_demoL3
- Description:
- Protocol: TCP | UDP | Other | Any
- IP Family: IPv4 | IPv6
- SSLO Topologies: L2 Outbound | L3 Outbound | L3 Explicit Proxy | L2 Inbound | L3 Inbound | Existing Application
- TCP: This option creates a single TCP wildcard interception rule for the L3 Inbound, L3 Outbound, and L3 Explicit Proxy topologies.
- UDP: This option creates a single UDP wildcard interception rule for L3 Inbound and L3 Outbound topologies.
- Other: This option creates a single any protocol wildcard interception rule for L3 Inbound and L3 Outbound topologies, typically used for non-TCP/UDP traffic flows.
- Any: This option creates the TCP, UDP and non-TCP/UDP interception rules for outbound traffic flows.
- L3 Explicit Proxy: This is the traditional explicit forward proxy.
- L3 Outbound: This is the traditional transparent forward proxy. An L3 outbound topology is effectively a “routed hop” configuration, where the SSLO topology listener becomes a routed path on the way to external (ie. Internet) resources.
- L3 Inbound: This is a reverse proxy configuration. Like the L3 outbound, L3 inbound is typically a routed hop configuration for traffic directed inbound. It can also behave as a traditional loadbalanced application.
- L2 Inbound: The layer 2 topology options insert SSLO as a bump-in-the-wire in an existing routed path, where SSLO presents no IP addresses on its outer edges. The L2 Inbound topology provides a transparent path for inbound traffic flows.
- L2 Outbound: The layer 2 topology options insert SSLO as a bump-in-the-wire in an existing routed path, where SSLO presents no IP addresses on its outer edges. The L2 Outbound topology provides a transparent path for outbound traffic flows.
- Existing Application: This topology is designed to work with existing LTM applications. Whereas the L3 Inbound topology provides an inbound gateway function for SSLO, Existing Application works with LTM virtual servers that already perform their own SSL handling and client-server traffic management. The Existing Application workflow proceeds directly to service creation and security policy definition, then exits with an SSLO-type access policy and per-request policy that can easily be consumed by an LTM virtual server.
Note:
(*) It is important to distinguish SSLO’s L2 topology from those of other traditional L2 SSL visibility vendors.
(*) “True” L2 solutions like Blue Coat’s SSLVA limit the types of devices that can be inserted into the inspection zone to L2 and below, and devices must be directly connected to the appliance.
(*) SSLO’s L2 topology only exists at the outer edges. Inside the inspection zone, full-proxy routing is still happening, so L3 and HTTP services can still function normally.LTM Objects
## app-service /Common/sslo_demoL3.app/sslo_demoL3 ##
/Common/sslo_demoL3.app
ltm virtual sslo_demoL3-in-t-4 {
ltm virtual sslo_demoL3-in-u-4 {
ltm virtual sslo_demoL3-ot-4 {ltm virtual sslo_demoL3-in-t-4 {
app-service /Common/sslo_demoL3.app/sslo_demoL3
destination /Common/0.0.0.0:any
ip-protocol tcp
mask any
## ltm/apm profile ##
per-flow-request-access-policy /Common/ssloP_demoL3.app/ssloP_demoL3_per_req_policy
profiles {
/Common/f5-tcp-wan {
context serverside
}
/Common/ssloT_demoL3.app/ssloT_demoL3-cssl {
context clientside
}
/Common/ssloT_demoL3.app/ssloT_demoL3-sssl {
context serverside
}
sslo_demoL3-http { }
sslo_demoL3-http-proxy-connect { }
sslo_demoL3-tcp-lan {
context clientside
}
sslo_demoL3_accessProfile { }
}
## ltm rule ##
rules {
sslo_demoL3-in_t
sslo_demoL3-lib
/Common/ssloS_FEYE.app/ssloS_FEYE-port_remap
/Common/ssloS_IPS.app/ssloS_IPS-port_remap
}
## ltm pool ##
pool sslo_demoL3-ex-pool-4
## etc ##
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vlans {
/Common/client-vlan
}
vlans-enabled
}## ltm profile ##
/Common
ltm profile tcp f5-tcp-wan {
/Common/sslo_demoL3.app
ltm profile tcp sslo_demoL3-tcp-lan {
ltm profile http sslo_demoL3-http {
ltm profile http-proxy-connect sslo_demoL3-http-proxy-connect {
/Common/ssloT_demoL3.app
ltm profile client-ssl ssloT_demoL3-cssl {
ltm profile server-ssl ssloT_demoL3-sssl {
## apm profile ##
/Common/sslo_demoL3.app
apm profile access sslo_demoL3_accessProfile {
/Common/ssloP_demoL3.app
apm policy access-policy ssloP_demoL3_per_req_policy {
## ltm rule ##
/Common/sslo_demoL3.app
ltm rule sslo_demoL3-in_t {
ltm rule sslo_demoL3-lib {
/Common/ssloS_FEYE.app
ltm rule ssloS_FEYE-port_remap {
/Common/ssloS_IPS.app
ltm rule ssloS_IPS-port_remap {
## ltm pool ##
ltm pool sslo_demoL3-ex-pool-4 {
app-service /Common/sslo_demoL3.app/sslo_demoL3
members {
/Common/10.1.20.1:any {
address 10.1.20.1
session monitor-enabled
state up
}
}
min-active-members 1
monitor min 1 of { /Common/gateway_icmp }
slow-ramp-time 300
}APM Objects
apm profile access sslo_demoL3_accessProfile {
access-policy sslo_demoL3_accessPolicy
app-service /Common/sslo_demoL3.app/sslo_demoL3
## log-settings ##
log-settings {
sslo_demoL3-log-setting
}
type ssl-orchestrator
## apm policy customization-group ##
customization-group sslo_demoL3_logout
eps-group sslo_demoL3_unknown_customization
errormap-group sslo_demoL3_errormap
framework-installation-group sslo_demoL3_framework_installation
general-ui-group sslo_demoL3_general_ui
}
apm policy access-policy sslo_demoL3_accessPolicy {
app-service /Common/sslo_demoL3.app/sslo_demoL3
caption general
## apm policy policy-item ##
default-ending sslo_demoL3_end_allow
items {
sslo_demoL3_end_allow { }
sslo_demoL3_ent { }
}
start-item sslo_demoL3_ent
}## apm log-settings ##
/Common/sslo_demoL3.app
apm log-setting sslo_demoL3-log-setting {
access { general-log { log-level {..}
publisher /Common/sys-sslo-publisher
type ssl-orchestrator } }
url-filters { urlf { publisher /Common/sys-sslo-publisher } }
}
## apm policy customization-group ##
/Common/sslo_demoL3.app
apm policy customization-group sslo_demoL3_errormap {
apm policy customization-group sslo_demoL3_framework_installation {
apm policy customization-group sslo_demoL3_general_ui {
apm policy customization-group sslo_demoL3_logout {
apm policy customization-group sslo_demoL3_unknown_customization {
## apm policy policy-item ##
/Common/sslo_demoL3.app
apm policy policy-item sslo_demoL3_end_allow {
apm policy policy-item sslo_demoL3_ent {
apm policy agent ending-allow sslo_demoL3_end_allow_ag {This page defines the specific SSL settings for the selected topology.
(*) In this case a transparent forward proxy, and This controls both client-side and server-side SSL options.
(*) If existing SSL settings are available (from a previous workflow), it can be selected and re-used.
(*) Otherwise, the SSL Configurations page creates new SSL settings for this workflow.- Name: ssloT_demoL3
- Description:
- SNI Server Name (FQDN):
- Default SNI: Yes | No
- Client-side SSL
- Processing Options: SSLv3 | TLS | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
- Cipher Type: Cipher Group | Cipher String
- Cipher: DEFAULT
- Certificate Key Chain
- Certificate: /Common/default.crt
- Key: /Common/default.key
- Type: rsa-public
- PassPhrase: *****
- CA Certificate Key Chain
- Certificate: /Common/subrsa.f5labs.com
- Key: /Common/subrsa.f5labs.com
- Chain:
- Type: rsa-public
- PassPhrase: *****
- ALPN
- Proxy APLN: Yes | No
- Server-side SSL
- Processing Options: SSLv3 | TLS | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
- Cipher Type: Cipher Group | Cipher String
- Cipher: DEFAULT
- Bypass on Handshake Alert: Yes | No
- Bypass on Client Certificate Failure: Yes | No
- Trusted Certificate Authority: /Common/ca-bundle.crt
- Expire Certificate Response: drop
- Untrusted Certificate Authority: drop
- OCSP Certificate Validator:
- CRL Certificate Validator:
Note:
Ensure that the Certificate Key Chain (CKC) and CA Certificate Key Chain types match the validation requirements.
Valid values are: ec-public + ec-public, rsa-public + rsa-public, and ec-public + rsa-public.
For example, if Certificate Key Chain holds type ec-public, CA Certificate Key Chain should have types ec-public or rsa-public.
If Certificate Key Chain holds type rsa-public, then CA Certificate Key Chain should have type rsa-public.
Processing Options: SSLO now provides TLS 1.3 support for outbound topologies.- SNI Server Name (FQDN):
- Optionally specify the fully qualified DNS hostname of the server which is used in Server Name Indication (SNI) communications.
- If you attach multiple SSL profiles, one of them must be the default SNI.
- Select the Default SNI checkbox to indicate that the system uses this profile as the default SSL profile when there is no match to the server name, or when the client provides no SNI extension support.
- Only one default SNI is allowed.
- Certificate Key Chain:
- Represents the certificate and private key used as the “template” for forged server certificates.
- While re-issuing server certificates on-the-fly is generally easy, private key creation tends to be a CPU-intensive operation.
- For that reason, the underlying SSL Forward Proxy engine forges server certificates from a single defined private key.
- This setting provides the opportunity to apply custom template private key, and optionally store that key in a FIPS-certified HSM for additional protection.
- The built-in “default” certificate and private key uses 2K RSA and is generated from scratch when the BIG-IP system is installed.
- CA Certificate Key Chain:
- An SSL forward proxy must re-sign, or “forge” remote server certificate to local clients using a local CA certificate, and local clients must trust this local CA.
- This setting defines the local CA certificate and private key used to perform the forging operation.
- SSL Settings minimally require RSA-based template and CA certificates but can also support Elliptic Curve (ECDSA) certificates.
- In this case, SSLO would forge an EC certificate to the client if the TLS handshake negotiated an ECDHE_ECDSA cipher.
- To enable EC forging support, add both an EC template certificate and key, and EC CA certificate and key.
- ALPN:
- The Proxy ALPN checkbox option specifies the ALPN hello extension to be proxied to the server by SSL Forward Proxy.
- This allows the client to negotiate with server for protocols like HTTP/2.
- If the Proxy ALPN checkbox is not selected, then HTTP1.1 will be utilised by default.
- Bypass on Handshake Alert:
- This setting allows the underlying SSL Forward Proxy process to bypass SSL decryption if an SSL handshake error is detected on the server side.
- It is recommended to leave this disabled.
- Bypass on Client Certificate Failure:
- This setting allows the underlying SSL Forward Proxy process to bypass SSL decryption if it detects a Certificate request message from the server, as in when a server requires mutual certificate authentication.
- It is recommended to leave this disabled.
- Trusted Certificate Authority
- Browser vendors routinely update the CA certificate stores in their products to keep up with industry security trends, and to account for new and revoked CAs.
- In the SSL forward proxy use case, however, the SSL visibility product now performs all server-side certificate validation, in lieu of the client browser, and should therefore do its best to maintain the same industry security trends.
- BIG-IP ships with a CA certificate bundle that maintains a list of CA certificates common to the browser vendors.
- However, a more comprehensive bundle can be obtained from the F5 Downloads site.
- Expire Certificate Response
- SSLO performs validation on remote server certificates and can control what happens if it receives an expired server certificate.
- The options are drop, which simply drops the traffic, and ignore, which mirrors an expired forged certificate to the client.
- The default and recommended behaviour for forward proxy is to drop traffic on an expired certificate.
- Untrusted Certificate Authority
- SSLO performs validation on remote server certificates and can control what happens if it receives an untrusted server certificate, based on the Trusted Certificate Authority bundle.
- The options are drop, which simply drops the traffic, and ignore, which allows the traffic and forges a good certificate to the client.
- The default and recommended behavior for forward proxy is to drop traffic on an untrusted certificate.
- OCSP Certificate Validator
- This setting selects an existing or can create a new OCSP profile for server-side Online Certificate Status Protocol (OCSP) and OCSP stapling.
- With this enabled, if a client issues a Status Request message in its Client Hello message (an indication that it supports OCSP stapling), SSLO will issue a corresponding Status Request message in its server-side TLS handshake.
- SSLO will then forge the returned OCSP stapling response back to the client.
- If the server does not respond with a staple but contains an Authority Info Access (AIA) field that points to an OCSP responder URL, SSLO will perform a separate OCSP request.
- The returned status is then mirrored in the stapled client-side TLS handshake.
- CRL Certificate Validator
- This setting selects an existing or can create a new CRL profile for server-side Certificate Revocation List (CRL) validation.
- With this enabled, SSLO attempts to match server certificates to locally cached CRLs.
Note:
The above two Bypass options can create a security vulnerability.
(*) If a colluding client and server can force an SSL handshake error,
(*) or force client certificate authentication, they can effectively bypass SSL inspection.
(*) It is recommended that these settings be left disabled.## app-service /Common/ssloT_demoL3.app/ssloT_demoL3 ##
/Common/ssloT_demoL3.app/ssloT_demoL3
ltm profile client-ssl ssloT_demoL3-cssl {
ltm profile server-ssl ssloT_demoL3-sssl {Client-Side Objects
ltm profile client-ssl ssloT_demoL3-cssl {
allow-non-ssl enabled
app-service /Common/ssloT_demoL3.app/ssloT_demo
bypass-on-client-cert-fail disabled
bypass-on-handshake-alert disabled
cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
cert-key-chain {
CA_CERT_KEY_CHAIN_0 {
app-service /Common/ssloT_demoL3.app/ssloT_demoL3
cert /Common/subrsa.f5labs.com
key /Common/subrsa.f5labs.com
usage CA
}
CERT_KEY_CHAIN_0 {
app-service /Common/ssloT_demoL3.app/ssloT_demoL3
cert /Common/default.crt
key /Common/default.key
}
}
cipher-group none
ciphers DEFAULT
defaults-from /Common/sslo-default-clientssl
forward-proxy-bypass-default-action intercept
hello-extension-includes none
inherit-ca-certkeychain false
inherit-certkeychain false
log-publisher /Common/sys-ssl-publisher
options { dont-insert-empty-fragments no-tlsv1.3 }
server-name none
sni-default false
ssl-c3d disabled
ssl-forward-proxy enabled
ssl-forward-proxy-bypass enabled
ssl-forward-proxy-verified-handshake enabled
unclean-shutdown disabled
}/ssl-cert
/Common
sys file ssl-cert subrsa.f5labs.com {
certificate-key-size 2048
checksum SHA1:1391:XXX
expiration-date 1905159108
expiration-string "May 16 10:51:48 2030 GMT"
fingerprint SHA256/XX:XX:..:XX:XX
issuer "CN=f5labs.com,OU=Certificate Authority,O=f5labs.com,C=US"
key-type rsa-public
size 1391
subject "CN=subrsa.f5labs.com,OU=Subordinate Authority,O=f5labs.com,C=US"
system-path none
version 3
}
ssl-key
/Common
sys file ssl-key subrsa.f5labs.com {
checksum SHA1:1675:XXX
key-size 2048
size 1675
}Server-side SSL Objects
ltm profile server-ssl ssloT_demoL3-sssl {
app-service /Common/ssloT_demoL3.app/ssloT_demoL3
bypass-on-client-cert-fail disabled
bypass-on-handshake-alert disabled
ca-file /Common/ca-bundle.crt
cipher-group none
ciphers DEFAULT
crl none
defaults-from /Common/sslo-default-serverssl
expire-cert-response-control drop
log-publisher /Common/sys-ssl-publisher
ocsp none
options { dont-insert-empty-fragments no-tlsv1.3 }
peer-cert-mode require
revoked-cert-status-response-control ignore
secure-renegotiation request
server-name none
sni-default false
ssl-c3d disabled
ssl-forward-proxy enabled
ssl-forward-proxy-bypass enabled
ssl-forward-proxy-verified-handshake enabled
unclean-shutdown disabled
untrusted-cert-response-control drop
}ssl-cert
/Common
sys file ssl-cert ca-bundle.crt {
certificate-key-size 2048
checksum SHA1:3977460:XXX
expiration-date 1893455999
expiration-string "Dec 31 23:59:59 2029 GMT"
fingerprint SHA256/XX:XX:..:XX:XX
is-bundle true
issuer "CN=Starfield Services Root Certificate Authority,OU=http://certificates.starfieldtech.com/repository/,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US"
key-type rsa-public
size 3977460
subject "CN=Starfield Services Root Certificate Authority,OU=http://certificates.starfieldtech.com/repository/,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US"
system-path /config/ssl/ssl.crt/ca-bundle.crt
version 3
}Starting v9.0 a new Authentication List workflow exists to create authentication mechanisms for a topology.
(*) In this initial release, the Authentication List simply contains an OCSP Responder configuration.
(*) The list of authentication mechanisms will grow in subsequent versions.
(*) Note that this configuration is only required if a client side OCSP responder is needed; Otherwise, it can be skipped.- <None>
(*) You can configure a Local Online Certificate Status Protocol (OCSP) Responder and associate a Local OCSP Responder to a virtual server.
(*) OCSP is an Internet protocol used to obtain the revocation status of a digital certificate.
(*) When the validity of a certificate is requested, an OCSP request is sent to an OCSP Responder and checks the specific certificate with a trusted certificate authority.
(*) This results in an OCSP response being sent back of good, revoked, or unknown.
(*) To configure OCSP, you must select TCP or Any as your Protocol and either L2 Outbound, L3 Outbound, or L3 Explicit Proxy as your SSL Orchestrator topology from the Topology Properties screen.
(*) To create a new authentication, click Add. The Authentication Properties screen appears where you can select OCSP Responder (for the Client). Click OCSP Responder and click Add. The Authentication Properties screen appears where you can configure a new OCSP Responder.
(*) Later when configuring the Interception Rule, you may select from the Authentication section OCSP
Responder list to associate a Local OCSP Responder into the Interception Rule.
This action adds a new iRule to the virtual server. In addition, you may configure authentication using the mini-flow
Authentication tab without creating a topology and may utilize the existing iRule item-selector to select the OCSP iRule.
(*) Essentially, this OCSP Responder configuration creates an OCSP service on the client side.
An iRule is then added to the interception rule VIP that inserts the FQDN into the forged server certificate that should resolve to the destination IP address defined in the setting, which is itself a separate virtual server with OCSP profile configuration.
The applied SSL settings must also contain a valid server side OCSP configuration in order to report back actual revocation state to the OCSP profile.- Type: OCSP Responder
- Name: ssloA_OCSP
- Description: OCSP Responder
- FQDN:
- Source: 0.0.0.0%0/0
- Destination Address/Mask: 0.0.0.0%0/0
- Port: 80
- VLANs: <Select>
- SSL Configuration: <Select>
- OCSP Profile: Create New | Use Existing
- Max Age in Seconds: 604800
- Nonce: Enabled
- Client TCP Profile: <Select>
- Server TCP Profile: <Select>
- HTTP Profile: <Select>
- FQDN: Enter an FQDN that will be injected into the authorityInfoAccess (AIA) field of the forged server certificate. This should resolve to the virtual server address listed below.
- Port: Enter the destination port here for the OCSP service. This will almost always be unencrypted HTTP on port 80.
- VLANs: Select the client facing VLAN.
- Max Age in Seconds: Enter a value in seconds for max age of the OCSP response.
- Nonce: Enable or disable OCSP response nonce, as required.
The Services List page is used to define security services that attach to SSLO.
(*) The SSLO GC includes a tabbed services catalog that contains common product integrations.
(*) The service catalog also provides “generic” security services.- Service Properties
- Service Settings: FireEye NX Inline L2
- Name: ssloS_FEYE
- Description: Type: L2
- Network Configuration
- Ratio: 1
- From BIGIP VLAN: Create New | Use Existing
- Name: FEYE_in
- Interface: 1.4
- Tag:
- To BIGIP VLAN: Create New | Use Existing
- Name: FEYE_out
- Interface: 1.5
- Tag:
- Continued…
- Device Monitor: /Common/gateway_icmp
- Service Down Action: Ignore | Reset | Drop
- Internal IP Offset: 0
- Internal IPv4 Address: 192.19.32.0
- Internal IPv6 Address: 2001:0200:0:0200::
- Enable Port Remap: Yes | No
- Remap Port: 8080
- Bypass on Client Certificate Failure: Yes | No
- iRules: <Select>
- Service Action Down: SSLO also natively monitors the load balanced pool of security devices, and if all pool members fail, can actively bypass this service (Ignore), or stop all traffic (Reset, Drop). For this lab, leave it set to Ignore.
- Internal IP Offset: This setting specifies an internal IP Offset to generate the Internal IPv4 and IPv6 addresses. For High Availability (HA) configurations, the Internal IP Offset index numbers must be the same on all HA devices (Active and Standby). For scaled standalone configurations where non-HA standalone SSLO appliances are scaled behind a separate load balancer, the Internal IP Offset index numbers must be different across all devices.
- Enable Port Remap: This setting allows SSLO to remap the port of HTTPS traffic flowing across this service. This is advantageous when a security service defines port 443 traffic as encrypted HTTPS and natively ignores it. By remapping HTTPS traffic to, say, port 8080, the security service will inspect the traffic.
- iRules: SSLO now allows for the insertion of additional iRule logic at different points. An iRule defined at the service only affects traffic flowing across this service. It is important to understand, however, that these iRules must not be used to control traffic flow (ex. pools, nodes, virtual servers, etc.), but rather should be used to view/modify application layer protocol traffic. For example, an iRule assigned here could be used to view and modify HTTP traffic flowing to/from the service.
Note:
N/A- Service Properties
- Service Settings: Generic Inline L3
- Name: ssloS_IPS
- Description: Type: L3
- IP Family: ipv4
- Service Definition
- Auto Manage Addresses: Yes | No
- To Service Configuration
- To Service: 198.19.64.7/25
- VLAN: Use Existing | Create New
- Name: ssloN_IPS_in
- Interface: 1.3
- Tag: 60
- Service Down Action: Ignore | Reset | Drop
- Security Devices
- L3 Devices:
- IP Address | Security Device Description
- 198.19.64.30 | <none>
- L3 Devices:
- Device Monitor: /Common/gateway_icmp
- Continued…
- From Service Configuration
- From Service: 198.19.64.245/25
- VLAN: Use Existing | Create New
- Name: ssloN_IPS_out
- Interface: 1.3
- Tag: 70
- Enable Port Remap: Yes | No
- Remap Port: 8181
- Manage SNAT Settings: None
- From Service Configuration
- Resources
- iRules: <none selected>
- Auto Manage Addresses: When enabled the Auto Manage Addresses setting provides a set of unique, non-overlapping, non-routable IP addresses to be used by the security service. If disabled, the To and From IP addresses must be configured manually. It is recommended to leave this option enabled (checked).
- To Service: With the Auto Manage Addresses option enabled, this IP address will be pre-defined, therefore the inbound side of the service must match this IP subnet. With the Auto Manage Addresses option disabled, the IP address must be defined manually. For this lab, leave the 198.19.64.7/25 address intact.
- From Service: With the Auto Manage Addresses option enabled, this IP address will be pre-defined, therefore the outbound side of the service must match this IP subnet. With the Auto Manage Addresses option disabled, the IP address must be defined manually. For this lab, leave the 198.19.64.245/25 address intact.
- Manage SNAT Settings: SSLO now defines an option to enable SNAT (source NAT) across an inline layer 3/HTTP service. The primary use case for this is horizontal SSLO scaling, where independent SSLO devices are scaled behind a separate load balancer but share the same inline layer 3/HTTP services. As these devices must route back to SSLO, there are now multiple SSLO devices to route back to. SNAT allows the layer 3/HTTP device to know which SSLO sent the packets for proper routing. SSLO scaling also requires that the Auto Manage option be disabled, to provide separate address spaces on each SSLO. For this, leave it set to None.
Note:
In environments where SSLO is introduced to existing security devices, it is a natural tendency to not want to have to move these devices.
(*) And while SSLO certainly allows it, by not moving the security devices into SSLO-protected enclaves,
(*) Customers run the risk of exposing sensitive decrypted traffic, unintentionally, to other devices that may be connected to these existing networks.
(*) It is therefore highly recommended, and a security best practice, to remove SSLO-integrated security devices from existing networks and place them entirely within the isolated enclave created and maintained by SSLO.- Service Properties
- Service Settings: Cisco WSA HTTP Proxy
- Name: ssloS_Proxy
- Description: Type: http-proxy
- IP Family: ipv4
- Service Definition
- Auto Manage Addresses: Yes | No
- Proxy Type: Explicit | Transparent
- To Service Configuration
- To Service: 198.19.96.7/25
- VLAN: Use Existing | Create New
- Name: ssloN_Proxy_in
- Interface: 1.3
- Tag: 30
- Service Down Action: Ignore | Reset | Drop
- Security Devices
- HTTP Proxy Devices:
- IP Address | Security Device Description | Port
- 198.19.96.30 | <none> | 3128
- HTTP Proxy Devices:
- Device Monitor: /Common/gateway_icmp
- Continued…
- From Service Configuration
- From Service: 198.19.96.245/25
- VLAN: Use Existing | Create New
- Name: ssloN_Proxy_out
- Interface: 1.3
- Tag: 40
- Manage SNAT Settings: None
- Authentication Offload: Yes | No
- From Service Configuration
- Resources
- iRules: <none selected>
- Authentication Offload: When an Access authentication profile is attached to an explicit forward proxy topology, this option will present the authenticated username value to the service as an X-Authenticated-User HTTP header.
Note:
N/A- Service Properties
- Service Settings: Digital Guardian DLP ICAP
- Name: ssloS_DLP
- Description: Type: icap
- IP Family: ipv4
- ICAP Devices
- IP Address | Port
- 198.19.97.50 | 1344
- Device Monitor: /Common/tcp
- Continued…
- ICAP Headers: Default
- OneConnect: Yes | No
- Request Modification URI Path: /avscan
- Response Modification URI Path: /avscan
- Preview Max Length (bytes): 524288
- Service Down Action: Ignore | Reset | Drop
- HTTP Version: HTTP/1.0 & HTTP/1.1 | HTTP/1.1 only
- ICAP Policy: <none selected>
- ICAP Headers: Select either Default or Custom to specify additional ICAP headers. To add custom headers, select Custom, otherwise leave as Default.
- OneConnect: The F5 OneConnect profile improves performance by reusing TCP connections to ICAP servers to process multiple transactions. If the ICAP servers do not support multiple ICAP transactions per TCP connection, do not enable this option.
- Request Modification URI Path: This is the RFC 3507-defined URI request path to the ICAP service. Each ICAP security vendor will differ with respect to request and response URIs, and preview length, so it is important to review the vendor’s documentation.
- Response Modification URI Path: This is the RFC 3507-defined URI response path to the ICAP service. Each ICAP security vendor will differ with respect to request and response URIs, and preview length, so it is important to review the vendor’s documentation.
- Preview Max Length (bytes): This defines the maximum length of the ICAP preview. Each ICAP security vendor will differ with respect to request and response URIs, and preview length, so it is important to review the vendor’s documentation. A zero-length preview length implies that data will be streamed to the ICAP service, similar to an HTTP 100/Expect process, while any positive integer preview length defines the amount of data (in bytes) that are transmitted first, before streaming the remaining content. The ICAP service in this lab environment does not support a complete stream, so requires a modest amount of initial preview.
- HTTP Version: This defines whether SSLO sends HTTP/1.1 or HTTP/1.0 requests to the ICAP service.
- ICAP Policy: An ICAP policy is a pre-defined LTM CPM policy that can be configured to control access to the ICAP service based on attributes of the HTTP request or response. ICAP processing is enabled by default, so an ICAP CPM policy can be used to disable the request and/or response ADAPT profiles.
Note:
N/A- Service Properties
- Service Settings: Cisco Firepower Threat Defense TAP
- Name: ssloS_TAP
- Description: Type: tap
- MAC Address: 12:12:12:12:12:12
- Continued…
- VLAN: Use Existing | Create New
- Name: ssloN_TAP_in
- Interface: 1.6
- Tag:
- Enable Port Remap: Yes | No
- VLAN: Use Existing | Create New
- Mac Address: For a tap service that is not directly connected to the F5, enter the device’s MAC address. For a tap service that is directly connected to the F5, the MAC address does not matter and can be arbitrarily defined.
- VLAN: This defines the interface connecting the F5 to the TAP service.
Note:
N/AService chains are arbitrarily-ordered lists of security devices.
(*) Based on environmental requirements, different service chains may contain different re-used sets of services, and different types of traffic can be assigned to different service chains.
(*) For example, HTTP traffic may need to go through all of the security services, while non-HTTP traffic goes through a subset.
(*) Traffic destined to a financial service URL can bypass decryption and still flow through a smaller set of security services.- (1) Services Chain Properties
- Name: ssloSC_all_services
- Description:
- Services
- Selected Service Chain Oder
- (1) ssloS_Proxy
- (2) ssloS_DLP
- (3) ssloS_TAP
- (4) ssloS_FEYE
- (5) ssloS_IPS
- (2) Services Chain Properties
- Name: ssloSC_L2_services
- Description:
- Services
- Selected Service Chain Oder
- (1) ssloS_TAP
- (2) ssloS_FEYE
- N/A
Security policies are the set of rules that govern how traffic is processed in SSLO. The “actions” a rule can take include:
(*) Whether or not to allow the traffic (reject/allow/abort)
(*) Whether or not to decrypt the traffic (intercept/bypass)
(*) Which service chain (if any) to pass the traffic through- Security Policy
- Type: Create New | Use Existing | None
- Name: ssloP_demoL3
- Description:
- Rules
- Rules
- (1) Name: Pinners_Rule
- Conditions:
- SSL Check is true, and
- Category Lookup (SNI) is Pinners
- Action: Reject | Allow | Abort
- SSL Proxy Action: Bypass
- Service Chain: –
- Conditions:
- (2) Name: urlf_bypass
- Conditions:
- Category Lookup (All) is Financial Data and Services, Health and Medicine
- Action: Reject | Allow | Abort
- SSL Proxy Action: Bypass
- Service Chain: ssloSC_L2_services
- Conditions:
- (1) Name: Pinners_Rule
- Continued…
- (3) Name: All Traffic
- Conditions: All
- Action: Reject | Allow | Abort
- SSL Proxy Action: Intercept
- Service Chain: ssloSC_all_services
- (3) Name: All Traffic
- Server Certificate Status Check: Yes | No
- Proxy Connect: Yes | No
- Pinners_Rule
- It checks to make sure the content is SSL/TLS.
- It also checks the category “Pinners” which contains websites with Pinned Certificates.
- Certificate pinning forces the client application to validate the server’s certificate against a known copy to ensure that certificate really comes from the real server.
- The intent is to protect against MITM attacks, but in doing so it also prevents forward proxy SSL decryption/bridging.
- Sites in the category Pinners are automatically set to Bypass decryption.
- It is recommended to keep this setting.
- Server Certificate Status Check:
- This option inserts additional security policy logic to validate the remote server certificate and return a blocking page to the user if the certificate is untrusted or expired.
- One or both of the Certificate Response options on the SSL Configuration page (Expire Certificate Response and Untrusted Certificate Response) must be set to ‘ignore’.
- SSLO will “mask” the server certificate’s attributes in order to present a blocking page with a valid forged certificate.
- Proxy Connect:
- This option is only available for the outbound explicit proxy topology and defines an upstream proxy chain.
- With this setting enabled, SSLO can egress to an upstream (external) explicit proxy gateway.
- An example of this might be a cloud gateway solution.
- Select a pool that points to the upstream explicit proxy, and optionally any (HTTP Basic) credentials needed to access this proxy.
- Rule Condition Options:
- Category Lookup (All)
- Category Lookup (HTTP Connect)
- Category Lookup (SNI)
- Client IP Geolocation
- Client IP Reputation
- Client IP Subnet Match
- Client Port Match
- Client VLANs
- IP Protocol
- L7 Protocol Lookup (TCP)
- L7 Protocol Lookup (UDP)
- Continued…
- Server Certificate (Issuer DN)
- Server Certificate (SANs)
- Server Certificate (Subject DN)
- Server IP Geolocation
- Server IP Reputation
- Server IP Subnet Match
- Server Name (TLS ClientHello)
- Server Port Match
- SSL Check
- URL Match
Interception rules are based on the selected topology and define the “listeners”.
(*) Analogous to LTM virtual servers, that accept and process different types of traffic (ex. TCP, UDP, other).
(*) The resulting LTM virtual servers will bind the SSL settings, VLANs, IPs, and security policies created in the topology workflow.- Interception Rule
- Label: Outbound
- Description:
- Source Address: 0.0.0.0%0/0
- Destination Address/Mask: 0.0.0.0%0/0
- Port: 0
- Ingress Network
- VLANs: /Common/client-vlan
- Protocol Settings
- SSL Configurations: ssloT_demoL3
- Client TCP Profile: /Common/sslo_demoL3.app/sslo_demoL3-tcp-lan
- Verified Accept: Yes | No
- Security Policy Settings
- Access Profile: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile
- Access Profile Scope: Named | Public
- Authentication
- OCSP Responder: None
- L7 Interception Rules
- Protocols: FTP | IMAP | POP3 | SMTP
- Verified Accept:
- When enabled, the system verifies that the pool member is available to accept the connection by sending the server a SYN before responding to the client’s SYN with a SYN-ACK packet.
- SSL Orchestrator topologies are built on a standard virtual server type (with Verified Accept disabled).
- This could cause an issue in the scenario where an upstream firewall might block a specific IP and/or port, but the SSL Orchestrator closer to the client allows the connection (only to be blocked later at the firewall).
- Enabling Verified Accept allows the F5 to test for a valid server-side connection before completing the client-side handshake.
- Access Profile:
- The Access Profile selection is exposed for both explicit and transparent forward proxy topology deployments.
- In transparent forward proxy mode, this allows selection of an access policy to support captive portal authentication (covered later in this guide).
- Access Profile Scope:
- Profile scope generally applies to authentication.
- When a transparent proxy captive portal authentication profile is assigned to the topology,
- The Named scope allows authentication information from the captive portal authentication to be available here.
- Without authentication, the scope should be left as Public.
- Authentication:
- This setting defines additional authentication schemes to be attached.
- This simply contains the OCSP Responder configuration created on the Authentication page of the workflow.
- L7 Interception Rules – Protocols:
- FTP and email protocol traffic (i.e., SMTP, IMAP, POP3) are all “server-speaks-first” protocols, and therefore SSLO must process these separately from typical client-speaks-first protocols like HTTP.
- This selection enables processing of each of these protocols, which create separate port-based listeners for each.
- If processing of any of these protocols is needed, selectively enable the additional protocols that need to be decrypted and inspected through SSLO.
- Pool:
- This setting would not generally be used in a forward proxy scenario, as it enables address translation (destination NAT) to a set of pool members.
Traffic egress settings are now defined per-topology and manage both the gateway route and outbound SNAT settings.- Egress Settings
- Manage SNAT Settings: None | Auto Map | Use Existing SNAT | Create New
- Gateways: Default Route | Use Existing Gateway Pool | Create New
- IPv4 Outbound Gateways:
- Ratio | Address
- 1 | 10.1.20.1
- IPv4 Outbound Gateways:
- N/A
Log settings are defined per-topology. In environments where multiple topologies are deployed, this can help to streamline troubleshooting by reducing debug logging to the affected topology.- Log Settings
- Applies to Access Profile: /Common/sslo_demoL3.app/sslo_demoL3_accessProfile
- Log Publisher: /Common/sys-sslo-publisher
- Per-Request Policy: Error
- FTP: Error
- IMAP: Error
- POP3: Error
- SMTPS: Error
- SSLO Generic: Error
- Per-Request Policy: provides log settings for security policy processing. In Debug mode, this log facility produces an enormous amount of traffic, so it is recommended to only set Debug mode for troubleshooting. Otherwise, the most appropriate setting is Error to only log error conditions.
- FTP: specifically logs error conditions for the built-in FTP listener when FTP is selected among the additional protocols in the Interception Rule configuration. The most appropriate setting is Error to only log error conditions.
- IMAP: specifically logs error conditions for the built-in IMAP listener when IMAP is selected among the additional protocols in the Interception Rule configuration. The most appropriate setting is Error to only log error conditions.
- POP3: specifically logs error conditions for the built-in POP3 listener when POP3 is selected among the additional protocols in the Interception Rule configuration. The most appropriate setting is Error to only log error conditions.
- SMTP: specifically logs error conditions for the built-in SMTP listener when SMTP is selected among the additional protocols in the Interception Rule configuration. The most appropriate setting is Error to only log error conditions.
- SSL Orchestrator Generic: provides log settings for generic SSLO processing. If Per-Request Policy logging is set to Error, and SSL Orchestrator Generic is set to Information, only the SSLO packet summary will be logged. Otherwise, the most appropriate setting is Error to only log error conditions.
Supplemental Links
- None
