How to bypass the similar domain in SSL Orchestrator
How do I configure the SSL Orchestrator to bypass the same domain, like "login.skype.com" and "api.asm.skype.com"? I have tried to configure ".*skype.com" and "*.skype.com", but to no use.
- JGCumulonimbus
Will you please re-phrase your question? And I am trying to figure out what 'SSLO' means.
- Piotrek_72347Nimbostratus
SSLO means F5 Herculon SSL Orchestrator - one of two solutions from F5 :-)
- Piotrek_72347Nimbostratus
please go to:
choose DDB - For DDB (Dynamic Domain Bypass), the Destination you configure contains one or more DNS domain names (unique or wildcard) against which the destination hostname indicated by the client in TLS SNI is matched. This mode is special because it classifies traffic before the SSL Orchestrator implementation attempts any TLS handshake with the remote server (that is, in Match Phase Pre-handshake). You may use DDB to whitelist and bypass traffic to servers which cause TLS handshake problems or that require TLS mutual (client-certificate/smart-card) authentication. For DDB, the Service Chain value you select must be Bypass or Reject.
- xResCirrus
Hi Peter
The easiest way would be to create a DataGroup (type: string), let's call it "sslo-bypass". Declare your domain name as a string with no value, then create a TCP Service Chain Classifier with your "sslo-bypass" DataGroup set as the destination and the Service Chain value set to "Bypass". While adding string records for "skype.com" to the datagroup, remember to add "skype.com" as well as ".skype.com!" for subdomains of skype.com (* will not work here).
You can use the same method to block certain domains just by setting the SC value to Reject. The only problem with this case scenario is that what you get is just a TCP reset, so the user sees "Secure Connection Failed" instead of a nice-looking "blocking page" telling him "Your request has been rejected by our security dept.".
Regards
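
The following is an added example, not part of the thread and not F5's code: a simplified Python model of the data-group matching the reply above describes, useful for reviewing a bypass list before it is deployed. The matching semantics (leading-dot records match subdomains, other records match exactly, `*` is a literal character), the function names and the sample hostnames are assumptions made for illustration.

```python
# Simplified model of string data-group matching against the TLS SNI hostname.
# Assumed semantics, taken from the reply above; not F5's implementation.

def normalize(host):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return host.strip().lower().rstrip(".")

def matches(record, sni):
    """A record with a leading dot matches any subdomain (suffix match);
    any other record must equal the hostname exactly. '*' has no special
    meaning, so wildcard-style records never match a real hostname."""
    record, sni = normalize(record), normalize(sni)
    if record.startswith("."):
        return len(sni) > len(record) and sni.endswith(record)
    return sni == record

def bypassed(records, sni):
    """True if any record in the bypass list matches the SNI hostname."""
    return any(matches(r, sni) for r in records)

def ineffective(records):
    """Records written as globs or regexes, which are compared literally."""
    return [r for r in records if "*" in r]

# Constructed sample data: the records suggested in the reply, the records
# the original poster tried, and hostnames to test against.
SUGGESTED = ["skype.com", ".skype.com"]
TRIED = [".*skype.com", "*.skype.com"]
HOSTS = ["login.skype.com", "api.asm.skype.com", "skype.com",
         "notskype.com", "skype.com.example.net"]

def report(records):
    """Map each sample hostname to whether it would bypass inspection."""
    return {h: bypassed(records, h) for h in HOSTS}

if __name__ == "__main__":
    for name, recs in (("suggested", SUGGESTED), ("tried", TRIED)):
        print(name, "ineffective records:", ineffective(recs))
        for host, hit in report(recs).items():
            print(f"  {host:24} {'BYPASS' if hit else 'inspect'}")
```

Under this model the leading dot anchors the match at a label boundary, so look-alike names such as "notskype.com" stay subject to inspection.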