• In the What are the IPv4 decrypt zone gateway addresses? field, type the IPv4 gateway addresses. Proceed to step 22 to save.
• In the What are the IPv6 decrypt zone gateway addresses? field, type the IPv6 gateway addresses. Proceed to step 21.
• In both the What are the IPv4 decrypt zone gateway addresses? and What are the IPv6 outbound gateway addresses? fields, type both the IPv4 and IPv6 gateway addresses. Proceed to step 21.
Click the + button to add additional addresses.
You can enter multiple gateways if you have multiple systems and wish to load balance across them.
If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For
example, if you have two devices, and one handles twice as much traffic as the other, you can set the
ratio to 1 on the smaller device, and 2 on the larger one.
21. In the What are the Non-public IPv6 networks via IPv6 gateways? field, type the requested IPv6 address if you want to route connections to any non-public IPv6 networks via the IPv6 gateways above. Enter the prefix/mask-length (CIDR) of each network. Non-public IPv6 networks are those outside the 2000::/3 block, such as ULA networks in the fc00::/7 block.
22. Click Save.
You have now configured an ingress device for a system configured for separate ingress and egress
devices.
This describes only the fields, lists, and areas needed to configure an ingress device. You should complete
the other areas in General Properties before moving on to create services and service chains.
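A pre-flight check for the prefixes described in step 21, as an added example that is not part of the F5 guide: it flags entries that are malformed or that overlap 2000::/3 before they are typed into the field. The function name, status strings and sample prefixes are constructed for illustration.

```python
import ipaddress

# The guide defines non-public IPv6 networks as those outside 2000::/3.
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def check_nonpublic_v6(entries):
    """Return (entry, status) pairs for candidate prefix/mask-length values.

    status: "ok", "overlaps-public", "host-bits-set", "missing-mask"
    or "not-ipv6". Names are hypothetical, not part of any F5 tool.
    """
    results = []
    for entry in entries:
        text = entry.strip()
        try:
            iface = ipaddress.IPv6Interface(text)
        except ValueError:
            # Covers IPv4 input, bad mask lengths and plain typos.
            results.append((entry, "not-ipv6"))
            continue
        net = iface.network
        if "/" not in text:
            # A bare address parses as a /128 host route; flag it instead.
            status = "missing-mask"
        elif iface.ip != net.network_address:
            # e.g. fd00::1/64, where the operator probably meant fd00::/64
            status = "host-bits-set"
        elif net.overlaps(PUBLIC_V6):
            # Inside 2000::/3, or a supernet such as ::/0 that contains it.
            status = "overlaps-public"
        else:
            status = "ok"
        results.append((entry, status))
    return results


# Constructed sample input, not taken from a real deployment.
SAMPLE = ["fc00::/7", "fd12:3456:789a::/48", "2001:db8::/32", "::/0",
          "fd00::1/64", "10.0.0.0/8", "fd00::"]

if __name__ == "__main__":
    for entry, status in check_nonpublic_v6(SAMPLE):
        print(f"{entry:24} {status}")
```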
Configuring an egress device (for separate ingress and egress devices)
The egress device is either a device or a Sync-Failover device group that receives traffic after a
connection travels through the specified service chain and directs the traffic to the final destination. When
users set up separate ingress and egress devices, they send each other control messages. These can go
through the decrypt zone, or around it if you configure a different path through the network. In either
case, the messages are sent through TCP connections to port 245, at an IP address users specify, on each BIG-IP® system.
1. On the Main tab, click SSL Orchestrator > Configuration.
The General Properties screen opens.
2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
3. From the Is this device the ingress or egress device? list, select This is the EGRESS device to which connects to server.
4. In the What is the INGRESS device Application Service name? field, type the name of the device service.
5. In the What is the IP address of the INGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server over on the egress device.
6. In the What IP address should THIS (egress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.
7. In the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
8. From the Which IP address families do you want to support? list, select whether you want this configuration to Support IPv4 only, Support IPv6 only, or Both IPv4 and IPv6.
Setting Up a Basic Configuration
Summary of Contents for Herculon SSL Orchestrator
Page 1: ...F5 Herculon SSL Orchestrator Setup Version 13 1 3 0 ...