7. In the "What is the control-channel pre-shared key?" field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
8. From the "Which IP address families do you want to support?" list, select whether you want this configuration to "Support IPv4 only", "Support IPv6 only", or "Both IPv4 and IPv6".
   If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields in this application. If you choose "Both IPv4 and IPv6", you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
9. From the "Which is the SSL Forward Proxy CA certificate?" list, select the Certificate Authority (CA) certificate that your clients will trust to authenticate intercepted TLS connections.
10. From the "Which is the SSL Forward Proxy CA private key?" list, select the corresponding private key.
   You import the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA certificate before you can use this functionality.
11. In the "What is the private-key passphrase (if any)?" field, type the private-key passphrase.
   If the key does not have a passphrase, leave the field empty.
12. From the Ingress Device Configuration area, for the "Which VLAN(s) will bring client traffic to the transparent proxy?" setting, select one or more VLANs where transparent-proxy ingress traffic will arrive.
13. From the "How should a server TLS handshake failure be handled?" list, select whether you want the connection to fail or to be bypassed.
14. From the "DNS query resolution" list, select whether to permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from Herculon SSL Orchestrator.
   • If you select "Send DNS queries directly to nameservers across the internet", proceed to step 15.
   • If you select "Send DNS queries to forwarding nameservers on the local network", proceed to step 16.
15. From the "Do you want to configure local/private DNS zones?" list, select whether you do, or do not, want to configure local or private DNS zones.
   • If you select "No, do not configure any local/private DNS zones", proceed to step 18.
   • If you select "Yes, configure local/private DNS zones", proceed to step 17.
16. In the "Which local forwarding nameserver(s) will resolve DNS queries from this solution?" field, type the IP address of local nameservers that will resolve all DNS queries from this implementation and click "Add". Once you have added the necessary nameserver IP addresses, proceed to step 18.
17. In the "List local/private Forward Zones" setting, click "Add" and type the IP address of one or more nameservers.
18. From the "Do you want to use DNSSEC to validate DNS information?" list, select whether you do, or do not, want to use DNSSEC to validate the DNS information.
19. In the Decrypt Zone to Egress Device Configuration area, for "Are there parallel service devices in the decrypt zone?", select whether you want to send outbound traffic using the BIG-IP® system default route(s) or send outbound traffic through one or more service devices.
   • If the system will send the traffic through its default route to the internet, which must be configured to point to the egress BIG-IP® system, use "No, send outbound traffic via the BIG-IP default route(s)" and proceed to step 22 to save.
   • If your configuration includes any Layer 3 systems in the decrypt zone that must receive the traffic, use "Yes, send outbound traffic via one or more service device(s)" and proceed to step 17.
20. The options for providing the outbound gateway addresses vary depending on whether you selected "Support IPv4 only", "Support IPv6 only", or "Both IPv4 and IPv6". Type the IP addresses of the inward interface of the first Layer 3 device in the decrypt zone or the decrypt zone gateway.
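A pre-flight check for the values these steps ask for, as an added example that is not part of the F5 guide: it verifies that every planned IP address matches the family chosen in step 8 and reports whether a private key is encrypted, so you know whether the step 11 passphrase field must be filled. The field names, the sample addresses, the sample key and the assumption that the key file is PEM-encoded are constructed for illustration.

```python
import ipaddress

# Option labels from step 8, mapped to the IP versions each one allows.
FAMILIES = {
    "Support IPv4 only": {4},
    "Support IPv6 only": {6},
    "Both IPv4 and IPv6": {4, 6},
}

def check_addresses(family, fields):
    """Return (field, value, reason) for every entry that would be rejected."""
    allowed = FAMILIES[family]
    problems = []
    for field, values in fields.items():
        for value in values:
            try:
                addr = ipaddress.ip_address(value.strip())
            except ValueError:
                problems.append((field, value, "not an IP address"))
                continue
            if addr.version not in allowed:
                reason = f"IPv{addr.version} not allowed by '{family}'"
                problems.append((field, value, reason))
    return problems

def key_needs_passphrase(pem_text):
    """True if a PEM private key is encrypted (assumption: the key is PEM)."""
    # PKCS#8 encrypted keys use a dedicated PEM label.
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    # Traditional OpenSSL keys mark encryption in a header line instead.
    return "Proc-Type: 4,ENCRYPTED" in pem_text

# Constructed sample plan: documentation-range addresses, one typo, one IPv6.
PLAN = {
    "forwarding nameservers (step 16)": ["192.0.2.53", "2001:db8::53"],
    "decrypt zone gateway (step 20)": ["198.51.100.1", "198.51.100.300"],
}
# Constructed sample key: only the PEM label matters for this check.
SAMPLE_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              "(constructed placeholder body)\n"
              "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for field, value, reason in check_addresses("Support IPv4 only", PLAN):
        print(f"{field}: {value}: {reason}")
    print("passphrase required:", key_needs_passphrase(SAMPLE_KEY))
```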
F5 Herculon SSL Orchestrator: Setup