F5 Herculon SSL Orchestrator Manual

F5® Herculon™ SSL Orchestrator™: Setup
Version 13.1-3.0


Table of Contents
What is F5 Herculon SSL Orchestrator?.................................................................................. 5
What is F5 Herculon SSL Orchestrator?............................................................................5
Terminology for Herculon SSL Orchestrator............................................................................7
Terminology for Herculon SSL Orchestrator...................................................................... 7
Configuring the System for F5 Herculon SSL Orchestrator .................................................. 9
Overview: Configuring the system for F5 Herculon SSL Orchestrator...............................9
Using the Herculon SSL Orchestrator setup wizard...........................................................9
Backing up your BIG-IP configuration..............................................................................11
Modifying your Herculon SSL Orchestrator configuration................................................11
Undeploying your Herculon SSL Orchestrator configuration............................................11
Diagnosing your Herculon SSL Orchestrator deployment................................................12
Setting Up a Basic Configuration............................................................................................13
Overview: Setting up a basic configuration......................................................................13
Configuring general properties.........................................................................................13
Configuring logging..........................................................................................................15
Configuring an ingress and egress device on one system...............................................16
Configuring an ingress device (for separate ingress and egress devices).......................18
Configuring an egress device (for separate ingress and egress devices)........................20
Configuring the system for transparent proxy.................................................................. 23
Configuring the system for explicit proxy..........................................................................23
Configuring the system for both transparent and explicit proxies.....................................24
Creating Services, Service Chains, and Classifier Rules..................................................... 27
Overview: Creating services, service chains, and classifier rules....................................27
Creating inline services for service chains.......................................................................27
Creating ICAP services....................................................................................................29
Creating receive-only services for traffic inspection.........................................................30
Creating service chains to link services...........................................................................30
Creating TCP service chain classifier rules..................................................................... 31
Creating UDP service chain classifier rules.....................................................................33
Importing and Exporting Configurations for Deployment....................................................35
Overview: Importing and exporting configurations for deployment.................................. 35
Importing new configurations for deployment.................................................................. 35
Importing past configurations for deployment..................................................................36
Exporting configurations for deployment..........................................................................36
Setting up Herculon SSL Orchestrator in a High Availability Environment ....................... 39
Overview: Setting up Herculon SSL Orchestrator in a high availability environment ......39
Task summary for deploying in a high availability environment........................................40
Installing an updated RPM file...............................................................................41
Configuring the network for high availability..........................................................41
Synchronizing the device group............................................................................ 43
Setting up a basic configuration for deployment....................................................44
Task summary for diagnosing and fixing high availability deployment.............................44
Verifying deployment and viewing logs..................................................................44
Verifying the RPM file version on both devices..................................................... 45
Configuring general properties and redeploying...................................................45
Reviewing error logs and performing recovery steps............................................45
Using Herculon SSL Orchestrator Analytics..........................................................................47
Overview: About Herculon SSL Orchestrator analytics....................................................47
About analytics dashboard capabilities............................................................................47
Timeline capabilities.........................................................................................................48
Customizing timeline capabilities.....................................................................................48
Chart capabilities............................................................................................................. 48
Customizing chart capabilities......................................................................................... 49
Table capabilities..............................................................................................................49
Customizing table capabilities..........................................................................................49
Charting bytes in, bytes out, and hit count over time.......................................................50
Comparing statistics on the top virtual servers................................................................50
Viewing the top sites bypassed........................................................................................51
Viewing the top sites decrypted....................................................................................... 51
Viewing the most used client ciphers and protocols........................................................ 52
Finding where the top server ciphers and protocols are used.........................................52
Scheduling reports to be sent..........................................................................................52
Legal Notices............................................................................................................................ 55
Legal notices....................................................................................................................55

What is F5 Herculon SSL Orchestrator?
What is F5 Herculon SSL Orchestrator?
F5® Herculon™ SSL Orchestrator™ provides an all-in-one appliance solution designed specifically to
optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic,
and maximize the efficient use of that existing security investment. This solution centralizes and
consolidates SSL inspection across complex security architectures, allowing you flexible deployment
options to decrypt and re-encrypt user traffic across the Internet and web-based applications. It supports
policy-based management and steering of traffic flows to third-party security devices such as firewalls,
intrusion prevention systems (IPS), anti-malware, data loss prevention (DLP), and forensics tools. It
provides a wide range of SSL orchestration analytics that you can easily customize across multiple
dimensions based on specified ranges of time.
The Herculon SSL Orchestrator single platform for unified inspection allows for the greatest flexibility,
without architectural changes, to prevent new blind spots from emerging.
Some of the key functions include:
• Dynamic security service chaining that leverages context-based policies to efficiently deploy security,
reduce administrative overhead, and effectively utilize security resources
• Centralized management of the SSL decrypt and re-encrypt function
• Inspection of all traffic for malware and data exfiltration with a multi-layered approach
• Flexible deployment modes to easily integrate the latest encryption technologies across your entire
security infrastructure
• High availability with best-in-class load-balancing, health monitoring, and SSL offload capabilities
Figure 1: Herculon SSL Orchestrator solution

Terminology for Herculon SSL Orchestrator
Terminology for Herculon SSL Orchestrator
This section defines some of the terms used in this document.
• Certificate Authority (CA) certificate
This implementation requires a Certificate Authority PKI (public key infrastructure) certificate and
matching private key for SSL Forward Proxy. Your TLS clients must trust this CA certificate to sign
server certificates.
• Decrypt zone
A decrypt zone refers to the network region between separate ingress and egress BIG-IP® devices
where cleartext data is available for inspection. An extra inline service can be placed at the
end of every service chain for additional inspection in this zone. You cannot configure a decrypt zone in the
scenario where a single BIG-IP system handles both ingress and egress traffic, because the decrypt
zone does not exist.
• Egress device
The egress BIG-IP system is the device (or Sync-Failover device group) that receives the traffic after
a connection traverses the chosen service chain and then routes it to its final destination. In the
scenario where both ingress and egress traffic are handled by the same BIG-IP system, egress refers to
the VLAN(s) where traffic leaves the BIG-IP system to the Internet.
• ICAP services
Each ICAP service uses the ICAP protocol (https://tools.ietf.org/html/rfc3507) to refer HTTP traffic
to one or more Content Adaptation device(s) for inspection and possible modification. You can add an
ICAP service to any TCP service chain, but only HTTP traffic is sent to it, as we do not support ICAP
for other protocols. You can configure up to ten ICAP services using F5® Herculon™ SSL
Orchestrator™. For more information on ICAP services, refer to the Creating ICAP services section.
• Ingress device
The ingress BIG-IP system is the device (or Sync-Failover device group) to which each client sends
traffic. In the scenario where both ingress and egress traffic are handled by the same BIG-IP system,
ingress refers to the VLAN(s) where the client sends traffic. The ingress BIG-IP system (or ingress
VLAN(s)) decrypts the traffic and then, based on protocol, source, destination, and so on, classifies it
and passes each connection for inspection based on service chains you will configure (or allows
certain connections to bypass service-chain processing based on your selections).
• Inline services
Inline services pass traffic through one or more service (inspection) devices at Layer 2 (MAC)/bump-in-the-wire
or Layer 3 (IP). Each service device communicates with the ingress BIG-IP device over
two VLANs, called Inward and Outward, which carry traffic toward the intranet and the Internet
respectively. You can configure up to ten inline services, each with multiple defined devices, using
Herculon SSL Orchestrator.
• Receive-only services
Receive-only services refer to services that only receive traffic for inspection, and do not send it back
to the BIG-IP system. Each receive-only service provides a packet-by-packet copy of the traffic (e.g.
plaintext) passing through it to an inspection device. You can configure up to ten receive-only
services using Herculon SSL Orchestrator. For more information on receive-only services, refer to the
Creating receive-only services for traffic inspection section.
• Service chain classifier rules
Each service chain classifier rule chooses ingress connections to be processed by a service chain you
configure (different classifier rules may send connections to the same chain). Each classifier rule has
four filters. The filters match source (client) IP address, destination (which can be IP address, IP
Intelligence category, IP geolocation, domain name, domain URL Filtering category, or server port),
and application protocol (based on port or protocol detection). Filters can overlap, so the
implementation chooses the classifier rule with the most specific matches for each connection.
For more information on service chain classifier rules, refer to the Creating TCP service chain
classifier rules section and/or the Creating UDP service chain classifier rules section.
• Service chains
Herculon SSL Orchestrator service chains process specific connections based on classifier rules,
which look at protocol, source and destination addresses, and so on. These service chains can include
four types of services (Layer 2 inline services, Layer 3 inline services, receive-only services, and
ICAP services) you define, as well as any decrypt zone between separate ingress and egress devices.
For more information on service chains, refer to the Creating service chains to link services section.
• SNAT
A SNAT (Secure Network Address Translation) is a feature that defines routable alias IP addresses
that the BIG-IP system substitutes for client IP source addresses when making connections to hosts on
the external network. A SNAT pool is a pool of translation addresses that you can map to one or more
original IP addresses. Translation addresses in a SNAT pool should not be self IP addresses.
• Sync-Failover device group
A Sync-Failover device group (part of the Device Service Clustering (DSC®) functionality) contains
BIG-IP devices that synchronize their configuration data and fail over to one another when a device
becomes unavailable. In this configuration, a Sync-Failover device group supports a maximum of two
devices.
• Transparent/Explicit Proxy
You can operate in transparent and/or explicit proxy mode. A transparent proxy intercepts normal
communication without requiring any special client configuration; clients are unaware of the proxy in
the network. In this implementation, the transparent proxy scheme can intercept all types of TLS and
TCP traffic. It can also process UDP and forward other types of IP traffic. The explicit proxy scheme
supports only HTTP(S) per RFC 2616. In addition, transparent proxy supports direct routing for
policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) that are dependent on
networking services to support both protocols, while explicit proxy supports manual browser settings
for proxy auto-config (PAC) and Web Proxy Autodiscovery Protocol (WPAD) that require additional
iRule configurations (not included) to provide the PAC/WPAD script content.
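The two terminology points that most often surprise new operators are that overlapping classifier rules are resolved by "most specific match" rather than by order, and that an ICAP service placed in a TCP chain only ever sees HTTP connections. The following Python is an added illustration of both behaviours; it is not F5 code and does not describe the product's actual matching algorithm. Rule names, chain names and addresses are constructed, and breaking ties between equally specific rules by list order is an assumption of this example.

```python
# Added example: models "most specific classifier rule wins" and the HTTP-only
# behaviour of ICAP services. Not F5 code; rule/chain names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One ingress connection as the classifier sees it after protocol detection."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # detected application protocol: "http", "tls", "ssh", ...


@dataclass(frozen=True)
class ClassifierRule:
    """A filter left as None means "any"; it matches but adds no specificity."""
    name: str
    service_chain: Optional[str]  # None: let matching connections bypass service chains
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def specificity(self, flow: Flow) -> Optional[int]:
        """Number of configured filters that match, or None if any of them fails."""
        checks = [
            (self.src_net, lambda: ip_address(flow.src_ip) in ip_network(self.src_net)),
            (self.dst_net, lambda: ip_address(flow.dst_ip) in ip_network(self.dst_net)),
            (self.dst_port, lambda: flow.dst_port == self.dst_port),
            (self.proto, lambda: flow.proto == self.proto),
        ]
        score = 0
        for configured, matches in checks:
            if configured is None:
                continue
            if not matches():
                return None
            score += 1
        return score


def classify(flow: Flow, rules: List[ClassifierRule]) -> Optional[ClassifierRule]:
    """Pick the matching rule with the most specific filters. Ties go to the rule
    listed first; that tie-break is an assumption of this example."""
    best, best_score = None, -1
    for rule in rules:
        score = rule.specificity(flow)
        if score is not None and score > best_score:
            best, best_score = rule, score
    return best


def chain_for(flow: Flow, rules: List[ClassifierRule]) -> str:
    """Service chain name for the connection, or "bypass" when no chain applies."""
    rule = classify(flow, rules)
    return rule.service_chain if rule and rule.service_chain else "bypass"


def services_applied(chain: List[Tuple[str, str]], flow: Flow) -> List[str]:
    """Services in a TCP chain that see this connection: an ICAP service only
    receives HTTP, every other service type sees all of the chain's traffic."""
    return [name for name, kind in chain if kind != "icap" or flow.proto == "http"]


# Constructed policy: the rules overlap, and the most specific one should win.
RULES = [
    ClassifierRule("catch-all", service_chain="default-chain"),
    ClassifierRule("all-tls", service_chain="full-inspection", proto="tls"),
    ClassifierRule("finance-bypass", service_chain=None,
                   src_net="10.10.0.0/16", dst_port=443, proto="tls"),
    ClassifierRule("guest-web", service_chain="web-chain",
                   src_net="10.20.0.0/16", proto="http"),
]

# Constructed chain: (service name, service type) in chain order.
FULL_INSPECTION = [("l2-ips", "l2"), ("l3-fw", "l3"),
                   ("dlp-icap", "icap"), ("forensics-tap", "receive-only")]

if __name__ == "__main__":
    for flow in (Flow("10.10.5.5", "203.0.113.10", 443, "tls"),
                 Flow("10.30.1.1", "203.0.113.10", 443, "tls"),
                 Flow("10.20.1.1", "203.0.113.10", 80, "http"),
                 Flow("10.30.1.1", "203.0.113.10", 22, "ssh")):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} {flow.proto}: "
              f"{chain_for(flow, RULES)}")
```

The finance flow matches three rules (catch-all, all-tls and finance-bypass) but is bypassed because finance-bypass has three matching filters to all-tls's one; the same TLS connection from a different source falls back to all-tls. Running services_applied over a non-HTTP connection shows the ICAP service dropping out of the chain while the inline and receive-only services still see it.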

Configuring the System for F5 Herculon SSL Orchestrator
Overview: Configuring the system for F5 Herculon SSL Orchestrator
To set up your system for decrypting and encrypting outbound SSL/TLS traffic, you need to use the F5®
Herculon™ SSL Orchestrator™ Setup Wizard which initially guides you through basic minimal setup
configuration. When you have completed the basic setup using the Setup Wizard, the Herculon SSL
Orchestrator configuration utility assists you with the rest of your configuration.
Note: If you are implementing a high availability environment for Herculon SSL Orchestrator, review the
Setting up Herculon SSL Orchestrator in a High Availability Environment section for more detailed
information.
Using the Herculon SSL Orchestrator setup wizard
Before you start this task:
Make sure you set up a management IP address, netmask, and default routing on your system.
Note: If at any time during your configuration you need to return to the F5® Herculon™ SSL
Orchestrator™ Setup Wizard, simply click the F5 logo in the upper-left corner of the configuration utility,
and on the Welcome screen, click the Run the Setup Utility link.
The Herculon SSL Orchestrator Setup Wizard guides you through the basic, minimal setup configuration
for Herculon SSL Orchestrator.
1. On the Welcome screen, click Next.
2. On the License screen, click Activate.
3. On the EULA screen, click Accept.
The license activates and the system reboots for the configuration changes to take effect.
4. After the system reboots, click Continue.
5. On the Device Certificates screen, click Next.
6. On the Platform screen, for the Management Port Configuration setting, click Manual.
The Management Port setting should include the management interface details that were previously
created.
7. In the Host Name field, type the name of this system.
The Host Name must be a fully qualified domain name.
For example, www.siterequest.com.
8. In the User Administration area, type and confirm the Root Account and Admin Account passwords,
and click Next.
The Root Account provides access to the command line, while the Admin Account accesses the user
interface.
The system notifies you to log out and then log back in with your username and new password.
9. Click OK.
The system reboots.
10. (Optional) On the Network Time Protocol (NTP) screen, in the Address field, type the IP address of
the NTP server to synchronize the system clock with an NTP server, and click Add.
11. Click Next.
The Domain Name Server (DNS) screen opens.
12. (Optional) To resolve host names on the system, set up the DNS and associated servers:
a) For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server
and click Add.
b) If you use BIND servers, add them in the BIND Forwarder Server List.
c) For local domain lookups to resolve local host names, add them in the DNS Search Domain List.
d) Click Next.
The Internal VLAN screen opens.
Note: If you plan to later use the DNSSEC option in the configuration utility, you must set up DNS
using the Herculon SSL Orchestrator Setup Wizard. Otherwise, this step is optional.
13. Specify the Self IP settings for the internal network:
a) In the Address field, type a self IP address.
b) In the Netmask field, type a network mask for the self IP address.
c) For the Port Lockdown setting, retain the default value.
14. For the VLAN Tag ID setting, retain the recommended default value, auto.
15. For the Interfaces setting:
a) From the VLAN Interfaces list, select an interface number.
b) From the Tagging list, select Tagged or Untagged.
Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
c) Click Add.
16. Click Next.
This completes the configuration of the internal self IP addresses and VLAN, and the External VLAN
screen opens.
17. Specify the Self IP setting for the external network:
a) In the Address field, type a self IP address.
b) In the Netmask field, type a network mask for the self IP address.
c) For the Port Lockdown setting, retain the default value.
18. In the Default Gateway field, type the IP address that you want to use as the default gateway to the
external VLAN.
19. For the VLAN Tag ID setting, retain the recommended default value, auto.
20. Click Next.
This completes the configuration of the external self IP addresses and VLAN.
21. On the Forward Proxy Certificate screen, do the following:
a) In the Certificate Name field, select Create New and type a certificate name.
b) In the Certificate Source field, select either Upload File and click Choose File, or select Paste
Text and copy and paste your certificate source.
c) In the Key Source field, select either Upload File and click Choose File, or select Paste Text and
copy and paste your key source.
d) From the Security Type list, select either Normal or Password.
22. Click Next.
23. On the Logging screen, under Publisher Type, select either local or splunk.
• If you select local as your Publisher Type, specify the Destination as either local-db or local-syslog
and click Next.
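Several wizard screens reject or silently accept values that are easy to get wrong (a short host name in step 7, a network address typed as a self IP in steps 13 and 17, a default gateway in step 18 that the external VLAN cannot reach). The following Python is an added example, not F5 code, for checking those values before they are entered. That the default gateway must lie in the external self IP subnet and that the internal and external subnets must not overlap are assumptions of this example, not requirements stated in this guide; the sample values are constructed from private and documentation address ranges.

```python
# Added example: pre-flight checks for the values the Setup Wizard asks for.
# Not F5 code; the gateway-in-subnet and non-overlap checks are assumptions of
# this example, not requirements stated in the guide. Sample values are constructed.
import re
from ipaddress import ip_address, ip_interface
from typing import Dict, List

# Labels of letters, digits and hyphens (no leading/trailing hyphen), at least one dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def check_hostname(name: str) -> List[str]:
    """Step 7: the Host Name must be a fully qualified domain name."""
    if FQDN_RE.match(name):
        return []
    return [f"host name {name!r} is not a fully qualified domain name"]


def check_self_ip(label: str, address: str, netmask: str) -> List[str]:
    """Steps 13 and 17: a self IP must be a host address inside its netmask,
    not the network or broadcast address."""
    try:
        iface = ip_interface(f"{address}/{netmask}")
    except ValueError as exc:
        return [f"{label} self IP: {exc}"]
    net = iface.network
    if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
        return [f"{label} self IP {address} is the network or broadcast address of {net}"]
    return []


def check_gateway(ext_address: str, ext_netmask: str, gateway: str) -> List[str]:
    """Step 18 (assumption): the default gateway should sit on the external subnet
    and must not be the external self IP itself."""
    try:
        ext = ip_interface(f"{ext_address}/{ext_netmask}")
        gw = ip_address(gateway)
    except ValueError as exc:
        return [f"gateway: {exc}"]
    if gw == ext.ip:
        return [f"default gateway {gateway} is the external self IP itself"]
    if gw not in ext.network:
        return [f"default gateway {gateway} is not on the external subnet {ext.network}"]
    return []


def check_disjoint(int_address: str, int_netmask: str,
                   ext_address: str, ext_netmask: str) -> List[str]:
    """Assumption: internal and external self IP subnets should not overlap."""
    try:
        a = ip_interface(f"{int_address}/{int_netmask}").network
        b = ip_interface(f"{ext_address}/{ext_netmask}").network
    except ValueError:
        return []  # malformed input is already reported by check_self_ip
    return [f"internal {a} and external {b} overlap"] if a.overlaps(b) else []


def preflight(cfg: Dict[str, str]) -> List[str]:
    """Run every check; an empty list means the values are ready for the wizard."""
    return (check_hostname(cfg["hostname"])
            + check_self_ip("internal", cfg["internal_ip"], cfg["internal_mask"])
            + check_self_ip("external", cfg["external_ip"], cfg["external_mask"])
            + check_gateway(cfg["external_ip"], cfg["external_mask"], cfg["gateway"])
            + check_disjoint(cfg["internal_ip"], cfg["internal_mask"],
                             cfg["external_ip"], cfg["external_mask"]))


# Constructed sample inputs (RFC 1918 private and RFC 5737 documentation ranges).
GOOD = {"hostname": "sslo1.example.com",
        "internal_ip": "10.0.1.2", "internal_mask": "255.255.255.0",
        "external_ip": "192.0.2.2", "external_mask": "255.255.255.0",
        "gateway": "192.0.2.1"}
BAD = dict(GOOD, hostname="sslo1", internal_ip="10.0.1.0", gateway="198.51.100.1")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, preflight(cfg) or "OK")
```

preflight returns one message per problem rather than stopping at the first, so a whole set of planned values can be reviewed in one pass; the BAD sample produces three findings (short host name, network address used as a self IP, gateway off the external subnet).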