• If you want outbound/Internet traffic to go out using the default route on the BIG-IP system, select No, send outbound/Internet traffic via the default route and proceed to step 19 to save.
• If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), select Yes, send outbound/Internet traffic via specific gateways and proceed to step 18.
18. The options for providing the outbound gateway addresses vary depending on whether you selected Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6. Specify one or more Internet gateway addresses (routers) to handle outbound SSL traffic and to control the share of traffic each is given.
• In the What are the IPv4 outbound gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 20 to save.
• In the What are the IPv6 outbound gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 19.
• In both the What are the IPv4 outbound gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 19.
Click the + button to add additional addresses.
You can enter multiple gateways if you have multiple systems and wish to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.
19. In the Non-public IPv6 networks via IPv6 gateways field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
20. Click Save.
You have now configured an ingress device and an egress device located on one system.
This procedure describes only the fields, lists, and areas needed to configure an ingress and egress device on one system. You should complete the other areas in General Properties before moving on to create services and service chains.
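The following Python pre-check is an added example, not part of the F5 documentation. It validates the values for steps 18 and 19 before they are typed into the form: it computes each gateway's share of traffic from its ratio and rejects any prefix that is not an IPv6 network outside 2000::/3. The function names, the proportional per-address-family split, and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Step 19: non-public IPv6 networks are those outside this block.
PUBLIC_V6 = ipaddress.ip_network("2000::/3")

def gateway_shares(gateways):
    """gateways: list of (address, ratio). Returns {ip_version: {address: share}}."""
    by_family = {4: [], 6: []}
    for addr, ratio in gateways:
        ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        if not isinstance(ratio, int) or ratio < 1:
            raise ValueError(f"ratio for {addr} must be a positive integer")
        by_family[ip.version].append((str(ip), ratio))
    shares = {}
    for version, members in by_family.items():
        total = sum(r for _, r in members)
        if total:  # assumption: traffic is split in proportion to ratio per family
            shares[version] = {a: r / total for a, r in members}
    return shares

def check_non_public_v6(prefixes):
    """Split CIDR strings into (accepted, rejected-with-reason) for the step 19 field."""
    accepted, rejected = [], []
    for text in prefixes:
        try:
            net = ipaddress.ip_network(text, strict=True)  # host bits must be zero
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if net.version != 6:
            rejected.append((text, "not an IPv6 prefix"))
        elif net.overlaps(PUBLIC_V6):
            rejected.append((text, "overlaps public block 2000::/3"))
        else:
            accepted.append(str(net))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample values (documentation and ULA ranges), not from the manual.
    print(gateway_shares([("192.0.2.1", 1), ("192.0.2.2", 2), ("fd00::1", 1)]))
    print(check_non_public_v6(["fc00::/7", "2001:db8::/32", "fd00::1/64", "10.0.0.0/8"]))
```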
Configuring an ingress device (for separate ingress and egress devices)
The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The
ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts
the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each
connection for inspection.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
3. From the Is this device the ingress or egress device? list, select This is the INGRESS device to which clients connect.
4. In the What is the EGRESS device Application Service name? field, type the name of the device service.
5. In the What is the IP address of the EGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server over on the egress device.
6. In the What IP address should THIS (ingress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.