Integrating SSL Orchestrator with Netscout vStream VM

Introduction

SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic.  This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies.  SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable.

An integrated F5 and Netscout solution eliminates the blind spots introduced by SSL/TLS encrypted content.

Versions Tested

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain

F5 BIG-IP version 17.1

SSL Orchestrator version 11.0

Netscout vStream version 6.3.4

Netscout nGeniusONE version 6.3.4

Additional Help

If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE

For information on SSL Certificate considerations and trust, click HERE

Demo Video

VMware ESX Configuration

Create the following 3 Port Groups:

Internal-north

Internal-south

Netscout-tap

Attach them to a vSwitch, Netscout-demo in this example:

Configure the BIG-IP virtual settings as follows:

NOTE:

VM Network is used for Management

Internal-north is used for connectivity to the North side of the network

Internal-south is used for connectivity to the South side of the network

Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream

Configure the Netscout vStream virtual settings as follows:

NOTE:

VM Network is used for Management

Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream

Netscout Configuration

Use a web browser connect to the nGeniousONE management console.  Click Device Configuration.

You should have at least one vStream device configured here.

At this point Netscout nGeniusONE should be configured properly and ready to accept decrypted content from SSL Orchestrator.

BIG-IP SSL Orchestrator Configuration

The BIG-IP VLAN settings should look like the following:

Internal-north is used for network connectivity from the BIG-IP to the North

Internal-south is used for network connectivity from the BIG-IP to the South

Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Create the Netscout Service

Under Services, click Add.

In the Service Catalog select the TAP tab then double click on NETSCOUT TAP

Give it a name, NETSCOUT in this example.  Enter the MAC Address of the vStream network adapter connected to the netscout-tap port group.

NOTE: You can find the MAC Address in the vStream VM network settings.

For the VLAN select Use Existing then netscout-tap

Enable Port Remap.  Set the Remap Port to 80

Click Save and Next.

Click the name of the Service Chain.

Select the Netscout Service from the left and click the arrow to move it to the right.  Click Save.

Click OK

Click Save & Next at the bottom.

Click Deploy

Click OK to the Success message.

When done it should look like the following:

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://192.168.0.5

Test this connection now and it should look like the following:

We’ll use tcpdump on the BIG-IP to verify connectivity.

The capture from the internal-south vlan shows the encrypted HTTPS request

The capture from the netscout-tap vlan shows plain text HTTP content being sent to Netscout for Inspection

Netscout nGeniusONE Monitors

Check the Traffic Monitor to view statistics

Zoom into the HTTP request that has been decrypted by SSL Orchestrator

You can also see the server response in clear text

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with Netscout. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Netscout Service and inspected.