F5 BIG-IP SSL Orchestrator and Reversing Labs Integration Guide

An integrated F5 and Reversing Labs solution eliminates the blind spots introduced by SSL/TLS encrypted content.

 

Introduction

F5 BIG-IP SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic.  This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies.  SSL Orchestrator removes the burden of decrypting content from your security tools, so they perform better and are more scalable.

Reversing Labs (RL) Spectra Detect provides comprehensive, enterprise-wide visibility into malicious files and objects to identify threats wherever they reside. High-volume, high-speed file inspection and definitive threat classification empowers security operations teams with real-time, context-rich intelligence to drive faster, more effective threat detection and response, along with more powerful and precise hunting, so dangerous malware can no longer hide and dwell within the organization.

 

 

Deployment Prerequisites

This guide was tested with the following software versions:

  • F5 BIG-IP version 17.5
  • SSL Orchestrator version 12.1.5
  • Reversing Labs Spectra Detect version 5.5.1-24
  • Reversing Labs Hub version 5.5.1
  • Reversing Labs Worker version 5.5.1

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

 

Reversing Labs Configuration

The Spectra Detect Manager, Worker and Hub nodes should be deployed and working.  The Hub and Worker need to be members of the same Configuration Group.  The Dashboard should look like the following:

 

NOTE: Proceed to the section “Add the ICAP Connector” if the Worker and Hub are already in the same Configuration Group.

If they are not in the same Configuration Group you can resolve this from the Central Configuration screen by clicking Add New Group. 

 

 

Give it a name, Hub-Group in this example.

Set the Group Type to Hub Group by clicking the down arrow on the right.

Set the Primary Host by clicking the down arrow on the right.

Enter 1 for the Router ID.

 

 

Click Add at the bottom

 

 

Click Confirm

 

 

Set the Configuration Group to Hub Group

 

 

Under Appliances select All then Save

 

 

Click Save and Apply

 

 

The Hub and the Worker should now be visible

 

 

Add the ICAP Connector

Go back to the Dashboard

 

 

Click on the Hub appliance

 

 

On the right select Actions then Connectors

 

 

Select ICAP Server on the left and then click Enable Connector

 

 

Optionally configure Max File Size and other settings on this page

 

Specify the REQMOD Block Page URL

 

 

NOTE: Replace 172.16.60.202 with the IP address of your Spectra Detect Manager

 

Disable the Use TLS option.  The port should default to 1344

Click Start Connector

 

 

Click Yes

 

 

Back on the Dashboard click the green arrow next to Integrations

It should look like the following:

 

 

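NOTE: You can come back later and configure the ICAP Server TLS option. Until then, the ICAP connection to the Hub on port 1344 is unencrypted, and it carries the content that SSL Orchestrator has decrypted.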

 

SSL Orchestrator Configuration

 

From the SSL Orchestrator Configuration screen select the Services tab then click Add

 

 

Select the ICAP tab then double click on the Generic ICAP Service

 

 

Give it a name, RL_SpectraDetect in this example

Click the Add button for ICAP Devices

 

 

Enter the IP address of your Reversing Labs Hub, 172.16.60.201 in this example

Click Done

 

 

Set the Request and Response Modification URI to “spectraconnector”

 

 

Scroll down then click Save & Next

 

 

From the Services Chain List screen click on the name of your Service Chain, ServiceChain1 in this example

 

 

Select the RL_SpectraDetect Service and click the right arrow to move it to the right.

 

 

It should look like the following

Click Save

 

 

Click OK

 

 

Click Save & Next

 

 

Click Deploy

 

 

Click OK

 

 

Afterwards it should look like this:

 

 

Test the Solution

 

Access the internet from a client computer that connects through BIG-IP SSL Orchestrator.  Note that the connection to www.f5.com is secure and the certificate has been verified by f5labs.com instead of Entrust, Inc.  This indicates that SSL Orchestrator is decrypting and encrypting the connection.

 

 

Next I will connect to the eicar.org web site which hosts a test virus.  I’ll attempt to download the EICAR.TXT file.

 

 

The test virus is successfully blocked by Reversing Labs!

 

 

The Analytics Dashboard on the Spectra Detect Manager shows more details about the files processed.

 

 

Conclusion

 

F5 BIG-IP SSL Orchestrator is a great solution for managing encrypted traffic.  Traffic can be selectively steered to one or more security solutions to check for threats.  Reversing Labs Spectra Detect works in tandem with SSL Orchestrator to protect Enterprise networks from malicious threats.

 

Related Content

Introduction to BIG-IP SSL Orchestrator

Integrating Security Solutions with F5 BIG-IP SSL Orchestrator

F5 BIG-IP Zero Trust with BIG-IP SSL Orchestrator

Updated Oct 06, 2025
Version 3.0