Configuring F5 SSL Orchestrator as an Outbound Layer 3 Transparent Proxy

Based on the number of inquiries around F5's SSL Orchestrator, I wanted to take a few moments to provide a how-to guide on deploying SSLO with an explicit forward web proxy in the inspection zone. Th...
Published Dec 26, 2018
Version 1.0
application delivery
BIG-IP
LTM
security
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Apr 02, 2019

Hi,

 

Great article. What I can't figure out is how to configure routing on external proxy.

 

My assumption is that:

 

  • Traffic from SSLO will go to External Proxy (EP) via VLAN ssloN_proxy_in (198.19.96.7/25)
  • EP IP is 198.19.96.66, port 3128
  • Traffic should return to SSLO via VLAN ssloN_proxy_outbound (198.19.96.245/25)

Based on that what default route should be set on EP? Should in point to 198.19.96.245?

 

If so I have to be missing something as all the time traffic is just reset by ssloS_explicit-D-0-t-4 that as far as I understand should process it and send to the Internet - or I am completely missing the point here?

 

Piotr