F5 SSL Orchestrator - Symantec DLP Integrated Solution

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have been widely adopted by organizations to secure IP communications. But while SSL provides data privacy and secure communications, it also creates challenges to inspection devices such as data loss prevention (DLP) software in the security stack. In short, the encrypted communications cannot be seen as clear text and are passed through without inspection, becoming security blind spots. This creates serious risks, leaving organizations vulnerable to costly data breaches and loss of intellectual property. But today’s security devices, such as intrusion prevention systems (IPSs) and next-generation firewalls (NGFWs), lack the processing power to easily decrypt SSL/TLS traffic. This performance concern becomes even more challenging with the demands of 2048-bit certificates.

An integrated F5 SSL Orchestrator and Symantec Data Loss Prevention (DLP) solution solves these SSL/TLS challenges across cloud, mobile, and on-premises environments. F5 SSL Orchestrator centralizes SSL inspection across complex security architectures, providing flexible deployment options for decrypting and re-encrypting user traffic. It also provides intelligent traffic orchestration using dynamic service chaining and policy-based management. Once decrypted, the traffic is inspected by Symantec DLP, which can detect, and block data breaches and exfiltration of sensitive data previously hidden by encryption. This joint solution thus eliminates the blind spots introduced by SSL and closes any opportunity for attackers.

Solution Overview

Functional implementation of the solution involves both SSL visibility and content adaptation.

  • F5 SSL Orchestrator, deployed inline to the wire traffic, intercepts any outbound secure web request and establishes two separate SSL connections: one each with the client (the user device) and the requested web server. This creates a decryption zone between client and server with SSL visibility for inspection.
  • Within the decryption zone, the content adaptation feature of SSL Orchestrator conditionally forwards both unencrypted HTTP and decrypted HTTPS requests by encapsulating them within Internet Content Adaptation Protocol (ICAP, RFC3507). These encapsulated requests go to a pool of Symantec DLP servers for inspection and possible request modification (REQMOD). In this context, SSL Orchestrator is the ICAP client and Symantec DLP is the ICAP server. After inspection, HTTPS requests are re-encrypted on their way to the web server. The same process of decryption, inspection, possible response modification (RESPMOD), and re-encryption takes place for the return response from the web server to the client.

The F5 SSL Orchestrator and Symantec DLP solution

Bill of Materials

  • F5 SSL Orchestrator 5.1
    • Optional functional add-ons include URL filtering subscription, IP intelligence subscription, network hardware   security module (HSM) and F5 BIG-IP Access Policy Manager (APM)
  • Symantec Data Loss Prevention (DLP) 15.0


  1. F5 SSL Orchestrator is licensed and set up with internal and external VLANs and self-IP addresses.
  2. An SSL certificate—preferably a subordinate certificate authority (CA)—and private key are imported into SSL Orchestrator.
  3. The CA certificate chain with root certificate is imported into the client browser.
  4. Symantec DLP is installed and set up with IP connectivity to SSL Orchestrator. Symantec DLP software is composed of three components: Oracle Database, Enforce Server, and a detection server. Refer the Symantec technical documentation to further understand the various deployment types.

Solution Configuration Steps

The solution deployment involves policy creation on Symantec DLP and configuration of SSL Orchestrator on the F5 system.

I. Configure DLP Policy

On the web UI of the Symantec DLP Enforce Server, navigate to the Policies page and configure a policy. For example, here we show configuration of a policy named symconfidential with a rule type of Content Matches Keyword and the keyword confidential.

II. Deploy SSL Orchestrator using Guided Configuration

SSL Orchestrator version 5.1 introduced Guided Configuration, a workflow-based architecture that provides intuitive, re-entrant configuration steps and presents a completely new and streamlined user experience.  To deploy the SSL Orchestrator application, log into the F5 system. On the F5 Web UI Main menu, navigate to SSL Orchestrator > Configuration and follow the guided configuration steps.

Step 1: Topology Properties

SSL Orchestrator creates discreet configurations based on the selected topology. Selecting explicit forward proxy topology (as shown in the example) will ultimately create an explicit proxy listener.

Step 2: SSL Properties

Select the previously imported subordinate CA certificate (see Prerequisites, above) to sign and issue certificates to the end-host for client-requested HTTPS websites that are intercepted.

Step 3: Create the ICAP service

The services list section defines the security services that interact with SSL Orchestrator. The guided configuration includes a services catalog that contains common product integrations.

In the service catalog, double click the ICAP service and configure the service settings: Symantec DLP IP address, port, URI paths and preview maximum length.

Using the service catalog, create additional security services as required before proceeding to the next step.

Step 4: Service Chains

Create a service chain, which is an arbitrarily ordered lists of security devices. The service chain determines which services receive traffic.

Step 5: Security Policy

SSL Orchestrator’s guided configuration presents an intuitive rule-based, drag-and-drop user interface for the definition of security policies. In the background, SSL Orchestrator maintains these security policies as visual per-request policies. If traffic processing is required that exceeds the capabilities of the rule-based user interface, the underlying per-request policy can be managed directly. Use this section to create custom rules as required.

Step 6: Intercept Rule

Interception rules are based on the selected topology and define the listeners (analogous to BIG-IP Local Traffic Manager virtual servers) that accept and process different types of traffic, such as TCP, UDP, or other. The resulting BIG-IP LTM virtual servers will bind the SSL settings, VLANs, IPs, and security policies created in the topology workflow.

Step 7: Egress Settings

The egress settings section defines topology-specific egress characteristics like NAT and outbound route.

Step 8: Summary

The configuration summary page presents an expandable list of all the workflow-configured objects. Review the setting and click Deploy to deploy SSL Orchestrator.

SSL Orchestrator will be successfully deployed on the F5 system.

III. Verification

From the client, open Gmail or any other email service and compose an email with the body containing “confidential” and press Send. You will see the mail blocked with the following alert in Symantec DLP server.


The joint solution from F5 and Symantec brings together the best of application delivery and data security to help you identify and stop data loss. By taking advantage of ICAP and other standards, this joint solution gives you easy-to-use tools and granular control to decrease the risk of data breaches and data ex-filtration.

Learn more:

Product page: F5 SSL Orchestrator

Published Jan 07, 2019
Version 1.0

Was this article helpful?

No CommentsBe the first to comment