1. On the Main tab, click SSL Orchestrator > Configuration, and on the menu bar, click Policies to view service chain settings.
The Service Chain information on the Policies screen opens.
2. Click Add.
3. In the Name field, type a name for your service chain.
Create a short name for this service chain. A service chain name may contain 1-15 alphanumeric or underscore characters and must start with a letter (not case-sensitive). Use spaces or commas to separate service names.
Note: You cannot use any of the keywords "all", "bypass", "reject", or "drop", nor the name of any (inspection) service you previously configured, as a service chain name.
4. In the Services area, select a Type and Name and then click Add.
5. Click Finished.
6. Click Save.
You have now configured a service chain.
After you create a service chain, configure either TCP or UDP classifier rules.
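The naming rule in step 3 is easy to get wrong when chains are created in bulk (for example by a provisioning script rather than by hand). The following validator is an added illustration, not F5 code; it encodes only the constraints stated above (1-15 alphanumeric or underscore characters, leading letter, case-insensitive, the four reserved keywords, and no collision with an already configured inspection service). The function name and the `existing_services` parameter are this example's own.

```python
import re

# Keywords the guide forbids as service chain names.
RESERVED_KEYWORDS = {"all", "bypass", "reject", "drop"}

# 1-15 characters, alphanumeric or underscore, first character a letter.
# Case does not matter, so both letter cases are accepted here.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,14}$")


def validate_service_chain_name(name, existing_services=()):
    """Return a list of problems with `name`; an empty list means it is acceptable.

    `existing_services` (hypothetical parameter) holds the names of inspection
    services already configured; a chain may not reuse one of those names.
    """
    problems = []
    if not _NAME_RE.fullmatch(name):
        problems.append(
            "must be 1-15 alphanumeric or underscore characters and start with a letter"
        )
    lowered = name.lower()
    if lowered in RESERVED_KEYWORDS:
        problems.append(f"'{name}' is a reserved keyword")
    # Comparison is case-insensitive, matching the guide's naming rule.
    if lowered in {service.lower() for service in existing_services}:
        problems.append(f"'{name}' is already the name of a configured service")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    configured = ["IPS_Inline", "dlp_icap"]
    for candidate in ["ids_dlp", "1chain", "BYPASS", "ips_inline", "x" * 16]:
        print(candidate, "->", validate_service_chain_name(candidate, configured) or "ok")
```

Running the block prints one line per candidate; only `ids_dlp` passes. Rejecting bad names before they reach the UI avoids a half-configured policy where the chain exists but later classifier rules cannot refer to it.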
Creating TCP service chain classifier rules
Before you create a TCP service chain classifier rule, you must create one or more service chains.
Service chain classifier rules determine which service chains receive traffic. Each classifier rule selects the specific chain that processes the ingress connections it matches; different classifier rules can send connections to the same chain. Each classifier has three filters that match the source IP address, the destination, and the application protocol. Filters can overlap, so the best matching classifier determines the service chain for a specific connection, and a classifier can also reject a connection or let it bypass the service chain. You can also choose to send decrypted or non-decrypted traffic to the inspection devices.
Note: When configuring a single device Herculon SSL Orchestrator transparent proxy in front of an explicit proxy, Herculon SSL Orchestrator can transparently intercept SSL traffic tunneled through an explicit proxy and selectively forward the decrypted user traffic through the security service chain for proper inspection. Afterwards, the user traffic is sent back to the BIG-IP, which re-encrypts the traffic and sends it to the explicit proxy. User traffic of certain categories may also be rejected by the BIG-IP or bypass the security inspections.
Note: When transparently decrypting traffic to upstream explicit proxies in a two device Herculon SSL Orchestrator deployment, the SSL forward proxy interception only occurs on the ingress device (decryption, service chaining, and re-encryption occur on the ingress device, while the re-encrypted traffic passes through the egress device). In addition, all classifier rules apply to traffic inside HTTP CONNECT tunnels except for rules bypassing SSL during the TLS handshake phase. Rules bypassing SSL during the TLS handshake phase do not apply because SSL forward proxy cannot reuse the same HTTP CONNECT tunnel to the explicit proxy for the bypassed flow.
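To make the overlap behaviour of classifier rules concrete, here is an added model (not F5 code and not the product's data model) of the three-filter classifier described above: each rule filters on source network, destination network and application protocol, and its action is either a service chain name, "reject" or "bypass", with a flag for whether decrypted or non-decrypted traffic goes to the chain. The page does not say how the product breaks ties between overlapping rules, so the ranking used here is an assumption: a rule with more non-wildcard filters wins, and among those the one matching more address bits; remaining ties go to the first rule listed. The rule names, chain names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"  # wildcard for any of the three filters


@dataclass(frozen=True)
class ClassifierRule:
    """Hypothetical model of one classifier rule (not the product's data model)."""
    name: str
    source: str = ANY        # source network in CIDR form, or "any"
    destination: str = ANY   # destination network in CIDR form, or "any"
    protocol: str = ANY      # application protocol name, or "any"
    action: str = "reject"   # a service chain name, or the keywords "reject" / "bypass"
    decrypt: bool = True     # send decrypted traffic to the chain (ignored for reject/bypass)

    @staticmethod
    def _network(cidr: str):
        return None if cidr == ANY else ipaddress.ip_network(cidr, strict=False)

    def matches(self, src: str, dst: str, proto: str) -> bool:
        src_net = self._network(self.source)
        dst_net = self._network(self.destination)
        if src_net is not None and ipaddress.ip_address(src) not in src_net:
            return False
        if dst_net is not None and ipaddress.ip_address(dst) not in dst_net:
            return False
        return self.protocol in (ANY, proto.lower())

    def specificity(self) -> tuple:
        """Assumed ranking: count of non-wildcard filters, then matched address bits."""
        nets = [self._network(c) for c in (self.source, self.destination)]
        filters = sum(n is not None for n in nets) + (self.protocol != ANY)
        bits = sum(n.prefixlen for n in nets if n is not None)
        return (filters, bits)


@dataclass(frozen=True)
class Decision:
    action: str                     # "chain", "reject", "bypass" or "no-match"
    rule: Optional[str] = None      # name of the winning classifier rule
    chain: Optional[str] = None     # service chain name when action == "chain"
    decrypt: Optional[bool] = None  # whether the chain sees decrypted traffic


def classify(rules, src: str, dst: str, proto: str) -> Decision:
    """Pick the best matching rule for one ingress connection (assumed ranking)."""
    candidates = [r for r in rules if r.matches(src, dst, proto)]
    if not candidates:
        return Decision("no-match")
    # max() keeps the first of equally ranked rules, so listing order breaks ties.
    best = max(candidates, key=ClassifierRule.specificity)
    if best.action in ("reject", "bypass"):
        return Decision(best.action, rule=best.name)
    return Decision("chain", rule=best.name, chain=best.action, decrypt=best.decrypt)


# Constructed sample policy: corporate HTTPS is decrypted and inspected, a finance
# subnet bypasses inspection, one destination range is rejected, plain HTTP is
# sent to a lighter chain without decryption.
SAMPLE_RULES = [
    ClassifierRule("corp-https", source="10.0.0.0/8", protocol="https", action="ids_dlp"),
    ClassifierRule("finance-privacy", source="10.20.0.0/16", protocol="https", action="bypass"),
    ClassifierRule("blocklist", destination="203.0.113.0/24", action="reject"),
    ClassifierRule("plain-http", protocol="http", action="ids_only", decrypt=False),
]

if __name__ == "__main__":
    for flow in [("10.1.2.3", "198.51.100.10", "https"),
                 ("10.20.5.5", "198.51.100.10", "https"),
                 ("10.1.2.3", "203.0.113.7", "https"),
                 ("192.0.2.9", "203.0.113.7", "https")]:
        print(flow, "->", classify(SAMPLE_RULES, *flow))
```

The third flow in the demo is the case worth checking in a real policy: under this ranking the two-filter `corp-https` rule beats the single-filter `blocklist` rule even though the blocklist prefix is longer, so the connection is inspected rather than rejected. Whatever tie-breaking the product actually applies, overlapping reject and chain rules should be tested with sample connections before the policy goes live.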
1. On the Main tab, click SSL Orchestrator > Configuration, and on the menu bar, click Policies to view TCP service chain classifier settings.
The TCP Service Chain Classifiers information on the Policies screen opens.
2. In the TCP Service Chain Classifiers area, click Add.
3. In the Name field, type a name for this rule.
4. From the Phase list, select a phase for this classifier.
F5 Herculon SSL Orchestrator: Setup
31