Service Extensions with SSL Orchestrator User Coaching of AI Related Content
Service Extensions with SSL Orchestrator
In this guide you will learn how to download, install, and configure the policy that enables the “User-Coaching” Service Extension. In this example, the Coaching Policy will be triggered when trying to access a website that contains Artificial Intelligence (AI) resources. “User-Coaching” is an alternative to outright blocking. It notifies and “coaches” a user when they attempt to access something that may violate local security policy. Here’s an example of a User-Coaching page:
This gives the user the option to click Agree and continue to the site or cancel to return to the previous page.
Configuration Prerequisites
- BIG-IP software version 17.1.2 or newer
- SSL Orchestrator software version 11.1.8 or newer
- SSL Orchestrator Policy and Service Chain configured
- SSL Orchestrator Outbound Topology created and working properly
A configured Layer 3 Outbound Topology will look like the following:
NOTE: there is a Lab Guide and Troubleshooting Guide attached to the end of this article. Use these if you are accessing the UDF Course SSL Orchestrator Service Extensions User Coaching. Please contact your F5 Account Team to get access to this Course.
Demo Video
User Coaching Service Extension GitHub
The information below is from the GitHub repository for the User Coaching Service Extension (github.com/f5devcentral/sslo-service-extensions, user-coaching directory, the same repository the installer URL below points to). It includes an installer to create all of the necessary objects:

```bash
## From the BIG-IP Shell, fetch the installer and make it executable:
curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/user-coaching/user-coaching-installer.sh -o user-coaching-installer.sh
chmod +x user-coaching-installer.sh

## Export the BIG-IP admin username and password for the installer to use:
export BIGUSER='admin:admin'

## Launch the installer:
./user-coaching-installer.sh
```
Using the information above, download the installer from GitHub in the first step. Note that the -k flag tells curl to skip TLS certificate verification, so review the downloaded script before making it executable and running it:
Then change the permissions to make the installer executable:
Export the BIG-IP admin username and password (replace the second "admin" in 'admin:admin' with your BIG-IP admin password):
Run the installer:
The installer will create the default coaching and blocking HTML (iFile objects), the user-coaching iRule, and the new User Coaching Inspection Service. Once this is complete, simply add the new Service to your SSL Orchestrator Service Chain(s). With the defaults in place, and an active URLDB subscription on the BIG-IP, any attempt to access an AI-categorized site will return the User Coaching page. Clicking the Agree button generates a log entry detailing the source (user) and destination (IP and host).
Next Steps: Add the User Coaching Inspection Service to a Service Chain
From the BIG-IP Web UI, navigate to Configuration > Service Chains and click the name of the Service Chain you want to add the User Coaching Service to.
Move the User Coaching Service from Available to Selected.
Click Deploy
Click OK
Click OK
The SSL Orchestrator configuration is complete. Let’s test it out and see what it looks like.
From a test client, when attempting to go to https://mem.ai you will be presented with the following:
Clicking Agree takes you to the website. Clicking cancel returns you to the previous website. Try it yourself.
Customizing the Coaching Policy
The Coaching Policy is easily customizable.
Enable Justification Option
Let’s enable the Justification option. Go back to the “user-coaching-rule” iRule. Scroll down until you see the REQUIRE_JUSTIFICATION setting. Change the value from 0 to 1, then click Update.
Let’s test it out and see what it looks like.
From a test client, when attempting to go to https://mem.ai you will be presented with the following.
Notice, you are asked to enter a justification to access the site. Example Justification:
“I have a legitimate reason to access this site”
All of this will be logged.
Customize the Coaching Page
The Coaching Page itself can be customized to include images, email links, and so much more. In this example, the BIG-IP is preconfigured with two additional custom coaching pages:
Custom-Coaching-1 is a clever-looking Coaching Page.
Custom-Coaching-2 is similar but also contains an Email To link at the bottom should the user have any questions about the Coaching Policy.
To use a Custom Coaching Page, navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-1 in this example.
Click Update
From the test client (UBUNTU-SERVER), when attempting to go to https://mem.ai you will be presented with the following.
Add an HTML link to the Coaching Page
Let’s customize this even further by including an HTML link in the Coaching Page. This could be a link to the corporate internet guidelines or an email address to contact with any questions.
Navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-2 in this example.
Click Update
From the test client (UBUNTU-SERVER), when attempting to go to https://mem.ai you will be presented with the following.
At the bottom of the Coaching Page is a link to an email address if there are any questions.
Enable Blocking Mode
Let’s enable blocking mode. From the BIG-IP Web UI, navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Set the CATEGORY_TYPE to “sub_and_custom”
Copy the COACHING_CATEGORIES
Paste them into the BLOCKING_CATEGORIES
Comment out the COACHING_CATEGORIES and click Update
From the test client (UBUNTU-SERVER), when attempting to go to https://mem.ai you will be presented with the following.
The request is now blocked instead of coached.
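How the settings changed in the Justification, Coaching Page and Blocking Mode steps above fit together, shown as an added, simplified iRule that is not the project's user-coaching-rule: REQUIRE_JUSTIFICATION, CATEGORY_TYPE, COACHING_CATEGORIES/BLOCKING_CATEGORIES and the iFile names follow the article, while the control flow, the /_coach/agree form path, the coach_ok cookie, the AI_Sites category name and the log format are assumptions for this illustration.

```tcl
# Added illustration of the coaching/blocking decision, NOT the GitHub iRule.
# Variable names follow the article; the control flow, cookie name, form
# path, category name and log format are assumptions for this example.
when RULE_INIT {
    set static::REQUIRE_JUSTIFICATION 1          ;# 0 = Agree only, 1 = Agree plus typed justification
    set static::CATEGORY_TYPE "sub_and_custom"   ;# URLDB plus custom categories, or "custom" only
    set static::COACHING_CATEGORIES { "/Common/AI_Sites" }  ;# constructed category name
    set static::BLOCKING_CATEGORIES {}           ;# blocking mode: move the list here, empty the one above
    set static::COACHING_HTML "user-coaching-html"  ;# or Custom-Coaching-1 / Custom-Coaching-2
    set static::BLOCKING_HTML "user-blocking-html"
    set static::AGREE_COOKIE "coach_ok"
}
# Returns 1 when any category found for the URL is in the configured list
proc in_categories { found wanted } {
    foreach c $found { if { [lsearch -exact $wanted $c] >= 0 } { return 1 } }
    return 0
}
when HTTP_REQUEST {
    # Agree button: the coaching page form POSTs here (assumed path)
    if { [HTTP::method] eq "POST" && [HTTP::path] eq "/_coach/agree" } {
        if { [HTTP::header exists Content-Length] } { HTTP::collect [HTTP::header Content-Length] }
        return
    }
    # Already agreed for this host: let the request through
    if { [HTTP::cookie exists $static::AGREE_COOKIE] } { return }
    if { $static::CATEGORY_TYPE eq "sub_and_custom" } {
        set cats [CATEGORY::lookup "https://[HTTP::host][HTTP::uri]" request_default_and_custom]
    } else {
        set cats [CATEGORY::lookup "https://[HTTP::host][HTTP::uri]" custom]
    }
    if { [call in_categories $cats $static::BLOCKING_CATEGORIES] } {
        log local0. "blocked src=[IP::client_addr] dst=[IP::local_addr] host=[HTTP::host]"
        HTTP::respond 403 content [ifile get $static::BLOCKING_HTML] noserver
    } elseif { [call in_categories $cats $static::COACHING_CATEGORIES] } {
        HTTP::respond 200 content [ifile get $static::COACHING_HTML] noserver
    }
}
when HTTP_REQUEST_DATA {
    # Form body is application/x-www-form-urlencoded; read the justification field
    set just [URI::decode [URI::query "?[HTTP::payload]" justification]]
    # Justification required but empty: show the coaching page again
    if { $static::REQUIRE_JUSTIFICATION && $just eq "" } {
        HTTP::respond 200 content [ifile get $static::COACHING_HTML] noserver
        return
    }
    log local0. "agreed src=[IP::client_addr] dst=[IP::local_addr] host=[HTTP::host] justification=\"$just\""
    HTTP::respond 302 noserver Location "https://[HTTP::host]/" \
        Set-Cookie "$static::AGREE_COOKIE=1; Path=/; Secure; HttpOnly"
}
```

With COACHING_CATEGORIES emptied and the same list placed in BLOCKING_CATEGORIES, the elseif branch is never reached and the request is answered with the blocking page, which is the behaviour the Blocking Mode steps produce.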
Conclusion
SSL Orchestrator gives you the flexibility to decide how to address access to external AI resources. Content can be blocked outright or “Coaching” pages can be used to warn users about the risks associated with external AI resources. A URLDB subscription is recommended, but a Custom Category can be used without incurring additional costs.