F5 SSL Orchestrator: Setup Version 12.1.0
What is F5 SSL Orchestrator?

F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize efficient use of that existing security investment. This solution supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Some of the key functions include:

- SSL visibility
- Policy-based service chaining of security devices
- Load balancing and monitoring of non-SSL and decrypted SSL traffic flows across security devices
- Centralized and simplified management of certificates and encryption keys
- Selective decrypt/encrypt of specific traffic flows

Figure 1: SSL Orchestrator solution
Configuring for F5 SSL Orchestrator

Overview: Configuring the system for F5 SSL Orchestrator

To configure a standalone system that provides decryption and encryption of outbound SSL/TLS traffic and manages that traffic, you must use two components:

- SSL Orchestrator Setup Wizard
- F5 SSL Intercept iApp template

The first component is the SSL Orchestrator Setup Wizard, which initially guides you through basic minimal setup configuration. The second component, the F5 SSL Intercept iApp template, assists with the rest of the configuration. This setup guide focuses only on using the SSL Orchestrator Setup Wizard.

Downloading the iApp template onto your system

Before you walk through the SSL Orchestrator Setup Wizard, you need to download and install the f5.ssl_intercept_svc_chain.v1.5.0.tmpl iApp template available from the F5 Downloads web site.

1. Log in to the F5 Downloads site, https://downloads.f5.com, and click the Find a Download button.
2. In the Security Product Family, locate SSL Orchestrator, and click it.
3. Select the product version and click SSL-Orchestrator.
4. Read the End User Software License, and click the I Accept button if you agree with the terms.
5. Click the ssl-intercept-12.1.0-1.5.6 zip file.
6. Click the closest geographical location, and save the file on your local system.
7. Extract the contents of the ssl-intercept-12.1.0-1.5.6 zip file.

The f5.ssl_intercept_svc_chain.v1.5.0 iApp template is now ready on your system. You will deploy this template using the SSL Orchestrator Setup Wizard.

Using the SSL Orchestrator Setup Wizard

Before you start this task:

- Make sure you set up a management IP address, netmask, and default routing on your system.
- Navigate to f5.downloads.com and download the f5.ssl_intercept_svc_chain.v1.5.0 template onto your system.

Note: If at any time during your configuration you need to return to the SSL Orchestrator Setup Wizard, simply click the F5 logo in the upper-left corner of the Configuration utility, and on the Welcome screen, click the Run the Setup Utility link.

The SSL Orchestrator Setup Wizard guides you through basic minimal setup configuration for F5 SSL Orchestrator.
1. On the Welcome screen, click Next.
2. On the License screen, click Activate.
3. On the EULA screen, click Accept. The license activates, and the system reboots for configuration changes to take effect.
4. Click Continue after the system reboots.
5. On the Device Certificate screen, click Next.
6. On the CA Bundle screen, click Next.
7. On the Forward Proxy Certificate screen, type a name for the Certificate Name, select Browse to upload your SSL certificate, and click Next.
8. On the Forward Proxy Key screen, type a name for the Key Name, select Browse to upload your SSL Key, and click Next.
9. On the Platform screen, for the Management Port Configuration setting, click Manual. The Management Port setting should include the management interface details that were previously set up.
10. In the Host Name field, type the name of this system. The Host Name must be a fully qualified domain name. For example, www.siterequest.com.
11. In the User Administration area, type and confirm the Root and Admin account passwords, and click Next. The Root account provides access to the command line, and the Admin account accesses the user interface. The system reboots and asks you to log back in with your new login and password.
12. After you enter your user login and password, click OK. The NTP (Network Time Protocol) screen opens.
13. (Optional) To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
14. Click Next. The DNS (Domain Name Server) screen opens.

Note: If you plan to use the DNSSEC option in the iApp template, you must set up DNS using the SSL Orchestrator Setup Wizard. Otherwise, this step is optional.

15. (Optional) To resolve host names on the system, set up the DNS and associated servers:
   a) For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
   b) If you use BIND servers, add them to the BIND Forwarder Server List.
   c) For doing local domain lookups to resolve local host names, add them to the DNS Search Domain List.
   Click Next and the Internal VLAN screen opens.
16. Specify the Self IP setting for the internal network:
   a) In the Address field, type a self IP address.
   b) In the Netmask field, type a network mask for the self IP address.
   c) For the Port Lockdown setting, retain the default value.
17. Specify the Floating IP setting:
   a) In the Address field, type a floating IP address. This address should be distinct from the address you type for the Self IP setting.

   Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to failover to a device group peer, use the second, Secondary Private IP address for the floating IP address.

   b) For the Port Lockdown setting, retain the default value.
18. For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
19. For the Interfaces setting:
   a) From the Interface list, select an interface number.
   b) From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
   c) Click Add.
20. Click Next. This completes the configuration of the internal self IP addresses and VLAN, and displays the screen for configuring the default VLAN external.
21. Specify the Self IP setting for the external network:
   a) In the Address field, type a self IP address.
   b) In the Netmask field, type a network mask for the self IP address.
   c) For the Port Lockdown setting, retain the default value.
22. Specify the Floating IP setting:
   a) In the Address field, type a floating IP address. This address should be distinct from the address you type for the Self IP setting.

   Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to failover to a device group peer, use the second, Secondary Private IP address for the floating IP address.

   b) For the Port Lockdown setting, retain the default value.
23. In the Default Gateway field, type the IP address that you want to use as the default gateway to VLAN external.
24. For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
25. For the Interfaces setting:
   a) From the Interface list, select an interface number.
   b) From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
   c) Click Add.
26. Click Next.
27. On the Logging screen, under Publisher Type, select either local or splunk. If you select local as your Publisher Type, specify the destination to which logs are forwarded, either a local database or a local syslog server. If you select splunk as your Publisher Type, select your protocol, type the IP address and port of the splunk server, and click Next.
28. On the Import screen, click Browse to search for the SSL Intercept iApp template that you saved onto your system, and click Upload.

The template uploads onto your system and you are now ready to proceed to the second part of the configuration, where you deploy the iApp template and follow additional instructions to finalize your system for SSL Orchestrator.

Deploying the SSL Intercept iApp template

The f5.ssl_intercept_svc_chain.v1.5.0 iApp template assists in the completion of your configuration so that your system can act as a forward proxy. This means it can decrypt outbound encrypted traffic to be inspected by service chains you configure, and send it back to the system for re-encryption and delivery to the destination.

1. On the Applications screen, type a name for your template.
2. In the Template field, select the template from the drop-down list. The system deploys the template on your system.

Note: Refer to the F5 Deployment Guide: Deploying the BIG-IP system for SSL Intercept v1.5 to complete your deployment.

Additional resources

You can access all of the following BIG-IP system documentation from the AskF5 Knowledge Base located at http://support.f5.com/.

BIG-IP System: Essentials
   This guide contains additional information on general device properties including licensing, platform, DNS, and NTP.

BIG-IP System: SSL Administration
   This guide contains additional information on device certificates, managing SSL certificates and keys, understanding client and server certificate authentication, managing SSL traffic, and so on.

BIG-IP TMOS: Routing Administration
   This guide contains overview information on VLANs, self IP addresses, route domains, and so on.

BIG-IP Local Traffic Manager: Implementations
   This guide contains overview information on SSL forward proxy.

BIG-IP Device Service Clustering: Administration
   This guide contains information about device clustering.

Release notes
   Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.

Solutions and Tech Notes
   Solutions are responses and resolutions to known issues. Tech Notes provide additional configuration instructions and how-to information.
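The wizard steps above take a host name (step 10), optional NTP and DNS server addresses (steps 13 and 15), and a self IP, netmask and floating IP for the internal and external VLANs plus a default gateway for the external VLAN (steps 16 through 23), and the wizard only tells you about a bad value after you have typed it in. The following pre-flight checker is an added example, not part of the F5 guide and not F5 code: it validates a planned set of wizard inputs before you start. It enforces the two rules the guide states (host name must be a fully qualified domain name; floating IP must be distinct from the self IP) and adds checks that are this example's own assumptions rather than statements from the guide: that the floating IP and the external default gateway lie in the self IP's subnet, that neither address is the network or broadcast address, and that the gateway is not one of the device's own addresses. The addresses and host name in SAMPLE_PLAN are constructed documentation-range values (RFC 5737), not values from the guide.

```python
"""Pre-flight checker for SSL Orchestrator Setup Wizard inputs (added example, not F5 code)."""
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Wizard rule (step 10): host name must be fully qualified, e.g. www.siterequest.com."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_vlan(name, self_ip, netmask, floating_ip, gateway=None):
    """Validate one VLAN's self IP, floating IP and optional default gateway.

    Returns a list of problem strings; an empty list means the inputs are consistent.
    """
    problems = []
    try:
        # ipaddress accepts dotted netmasks ("192.0.2.10/255.255.255.0"), as the wizard does.
        net = ipaddress.ip_interface(f"{self_ip}/{netmask}").network
        self_addr = ipaddress.ip_address(self_ip)
    except ValueError as exc:
        return [f"{name}: bad self IP/netmask: {exc}"]
    try:
        float_addr = ipaddress.ip_address(floating_ip)
    except ValueError:
        return [f"{name}: floating IP {floating_ip!r} is not a valid address"]

    # Wizard rule (steps 17a/22a): floating IP must be distinct from the self IP.
    if float_addr == self_addr:
        problems.append(f"{name}: floating IP must be distinct from the self IP")
    # Assumption (not stated in the guide): the floating IP shares the self IP's subnet.
    if float_addr not in net:
        problems.append(f"{name}: floating IP {floating_ip} is outside {net}")
    # Assumption: neither address may be the network or broadcast address.
    for label, addr in (("self IP", self_addr), ("floating IP", float_addr)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {label} {addr} is the network or broadcast address")

    if gateway is not None:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            problems.append(f"{name}: gateway {gateway!r} is not a valid address")
        else:
            # Assumption: the default gateway (step 23) is reachable on this VLAN's subnet
            # and is not one of this device's own addresses.
            if gw not in net:
                problems.append(f"{name}: default gateway {gateway} is not on {net}")
            if gw in (self_addr, float_addr):
                problems.append(f"{name}: default gateway must not be one of this device's own addresses")
    return problems


def preflight(plan: dict) -> list:
    """Run every check over a planning dict; returns the list of problems found."""
    problems = []
    if not is_fqdn(plan["host_name"]):
        problems.append(f"host name {plan['host_name']!r} is not a fully qualified domain name")
    # NTP (step 13) and DNS lookup servers (step 15a) are entered as IP addresses.
    for server in plan.get("ntp", []) + plan.get("dns", []):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"NTP/DNS server {server!r} is not a valid IP address")
    internal = plan["internal"]
    problems += check_vlan("internal", internal["self_ip"], internal["netmask"],
                           internal["floating_ip"])
    external = plan["external"]
    problems += check_vlan("external", external["self_ip"], external["netmask"],
                           external["floating_ip"], external.get("gateway"))
    return problems


# Constructed sample plan: RFC 5737 documentation addresses and a hypothetical host name.
SAMPLE_PLAN = {
    "host_name": "sslo1.example.com",
    "ntp": ["192.0.2.123"],
    "dns": ["192.0.2.53"],
    "internal": {"self_ip": "192.0.2.10", "netmask": "255.255.255.0",
                 "floating_ip": "192.0.2.11"},
    "external": {"self_ip": "198.51.100.10", "netmask": "255.255.255.0",
                 "floating_ip": "198.51.100.11", "gateway": "198.51.100.1"},
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_PLAN) or ["all wizard inputs consistent"]:
        print(line)
```

Fill SAMPLE_PLAN with the values you intend to type into the wizard and run the script; any line it prints is a value to correct before step 10 or steps 16 through 23. The subnet and gateway checks go beyond what the guide states, so if your deployment deliberately uses a floating IP or gateway outside the self IP's subnet, drop those checks rather than the values.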
Legal Notices

Legal notices

Publication Date
This document was published on August 16, 2016.

Publication Number
MAN-0621-00

Copyright
Copyright 2016, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
For a current list of F5 trademarks and service marks, see http://www.f5.com/about/guidelines-policies/trademarks/. All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by one or more patents indicated at: https://f5.com/about-us/policies/patents

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.