Integrating SSL Orchestrator with Netscout vStream VM
Introduction
SSL Orchestrator centralizes and manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools, so they perform better and scale further.
An integrated F5 and Netscout solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Versions Tested
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
F5 BIG-IP version 17.1
SSL Orchestrator version 11.0
Netscout vStream version 6.3.4
Netscout nGeniusONE version 6.3.4
Additional Help
If you are setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE.
For information on SSL certificate considerations and trust, click HERE.
Demo Video
VMware ESX Configuration
Create the following 3 Port Groups:
Internal-north
Internal-south
Netscout-tap
Attach them to a vSwitch, Netscout-demo in this example:
Configure the BIG-IP virtual settings as follows:
NOTE:
VM Network is used for Management
Internal-north is used for connectivity to the North side of the network
Internal-south is used for connectivity to the South side of the network
Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream
Configure the Netscout vStream virtual settings as follows:
NOTE:
VM Network is used for Management
Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream
Netscout Configuration
Use a web browser to connect to the nGeniusONE management console. Click Device Configuration.
You should have at least one vStream device configured here.
At this point Netscout nGeniusONE should be configured properly and ready to accept decrypted content from SSL Orchestrator.
BIG-IP SSL Orchestrator Configuration
The BIG-IP VLAN settings should look like the following:
Internal-north is used for network connectivity from the BIG-IP to the North
Internal-south is used for network connectivity from the BIG-IP to the South
Netscout-tap is used for decrypted connections from BIG-IP to Netscout vStream
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the Netscout Service
Under Services, click Add.
In the Service Catalog select the TAP tab, then double-click NETSCOUT TAP.
Give it a name, NETSCOUT in this example. Enter the MAC address of the vStream network adapter connected to the Netscout-tap port group.
NOTE: You can find the MAC address in the vStream VM network settings.
For the VLAN select Use Existing, then netscout-tap.
Enable Port Remap and set the Remap Port to 80.
Click Save and Next.
Click the name of the Service Chain.
Select the Netscout Service from the left and click the arrow to move it to the right. Click Save.
Click OK.
Click Save & Next at the bottom.
Click Deploy.
Click OK to the Success message.
When done it should look like the following:
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
We’ll use tcpdump on the BIG-IP to verify connectivity.
The capture from the internal-south VLAN shows the encrypted HTTPS request.
The capture from the netscout-tap VLAN shows plain text HTTP content being sent to Netscout for inspection.
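The two captures above are normally eyeballed in the tcpdump output. As an added example that is not part of the original article, the Python script below automates that check: it walks a classic pcap file saved from the BIG-IP (for instance with tcpdump -nni internal-south -s0 -w /var/tmp/south.pcap and tcpdump -nni netscout-tap -s0 -w /var/tmp/tap.pcap, which assumes the VLAN names used in this article), classifies each TCP payload as a TLS record or plain text HTTP by its first bytes, and reports whether the tap side carries decrypted HTTP and no TLS. The sample packets and addresses it builds are constructed test data, not taken from a real capture.

```python
"""Classify TCP payloads in BIG-IP tcpdump captures as TLS records or plain text HTTP.

Added example; assumes classic pcap files (not pcapng) with Ethernet/IPv4/TCP framing,
optionally 802.1Q tagged. Sample packets below are constructed, not real captures.
"""
import struct
import sys

# TLS record content types (RFC 8446 section 5.1); the record header is 5 bytes.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'http', 'empty' or 'other' for one TCP segment payload."""
    if not payload:
        return "empty"
    # TLS record header: content type (1), legacy version 0x0301..0x0304 (2), length (2).
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] in (0x01, 0x02, 0x03, 0x04)):
        length = struct.unpack("!H", payload[3:5])[0]
        if length <= 16384 + 2048:  # max TLSCiphertext length
            return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "other"


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP packet in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        eth_type, l3 = frame[12:14], 14
        if eth_type == b"\x81\x00" and len(frame) >= 18:  # 802.1Q tag present
            eth_type, l3 = frame[16:18], 18
        if eth_type != b"\x08\x00" or len(frame) < l3 + 20:  # IPv4 only
            continue
        ip = frame[l3:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]  # bounded by IP length, so any Ethernet trailer is ignored
        if len(tcp) < 20:
            continue
        src, dst = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, tcp[data_off:]


def summarize(pcap: bytes) -> dict:
    """Count classified payloads per destination port, e.g. {(443, 'tls'): 1}."""
    counts = {}
    for _, dst, payload in iter_tcp_payloads(pcap):
        kind = classify_payload(payload)
        if kind != "empty":
            counts[(dst, kind)] = counts.get((dst, kind), 0) + 1
    return counts


def tap_is_decrypted(tap_pcap: bytes) -> bool:
    """True when the tap capture carries plain text HTTP and no TLS records at all.
    TLS on the tap VLAN means the service is receiving traffic that was not decrypted."""
    kinds = {kind for (_, kind) in summarize(tap_pcap)}
    return "http" in kinds and "tls" not in kinds


def build_pcap(packets) -> bytes:
    """Construct a minimal little-endian pcap (link type 1, Ethernet) from
    (src_port, dst_port, payload) tuples. Used only to make constructed test data."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, dst, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", src, dst, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 1, 1, 10]), bytes([10, 1, 2, 20])) + tcp
        frame = b"\x00\x50\x56\x00\x00\x01" + b"\x00\x50\x56\x00\x00\x02" + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed samples: a TLS handshake record towards 443 (south side) and a decrypted
# HTTP exchange on the remapped port 80 (tap side).
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SOUTH_PCAP = build_pcap([(51000, 443, TLS_HELLO)])
TAP_PCAP = build_pcap([(51000, 80, HTTP_GET), (80, 51000, HTTP_RESP)])

if __name__ == "__main__":
    paths = sys.argv[1:]
    captures = [(p, open(p, "rb").read()) for p in paths] if paths else [
        ("south(sample)", SOUTH_PCAP), ("tap(sample)", TAP_PCAP)]
    for name, data in captures:
        print(name, summarize(data), "decrypted tap:", tap_is_decrypted(data))
```

Run it with the two pcap paths as arguments; with no arguments it runs on the built-in samples. A south capture should report only tls entries on port 443 and a tap capture only http entries on port 80, matching the two tcpdump observations above.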
Netscout nGeniusONE Monitors
Check the Traffic Monitor to view statistics.
Zoom into the HTTP request that has been decrypted by SSL Orchestrator.
You can also see the server response in clear text.
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with Netscout. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Netscout Service and inspected.