SSL Orchestrator Advanced Use Case: One-Armed Mode
Introduction
A typical SSL Orchestrator deployment uses 4 network interfaces. Two are used for North/South connectivity and two are used for egress/ingress to/from Security Services. There may be circumstances where you need to deploy SSL Orchestrator with a limited number of interfaces. This guide walks you through configuration of SSL Orchestrator with only 3 interfaces. One interface will be used for North/South connectivity and two will be used for egress/ingress to/from Security Services.
This guide assumes you have configured a vlan and Self IP on BIG-IP. A client computer on the same vlan is also required.
Note: SSL Orchestrator has limited functionality when deployed this way. A single Security Service is used in this guide and this has not been thoroughly tested.
Example Configuration
BIG-IP version 16.1.2.1
SSL Orchestrator version 9.2.49
BIG-IP is configured with a single vlan for Inbound and Outbound traffic, Outbound_Vlan, with Self IP 10.1.20.100
A default route of 10.1.20.1 is also configured
A client computer is configured with IP 10.1.20.101 and a Default Gateway of 10.1.20.100
Configuration of 2 Tagged interfaces for egress/ingress to/from Security Services will be covered next.
BIG-IP Network configuration
In this example the network settings will be configured outside of SSL Orchestrator though that is not required.
From the BIG-IP GUI go to Network > VLANs > Create.
Create a VLAN for Service1 Egress. In this example interface 1.2 is being used. Note that this is a TAGGED interface. When done it should look like this:
Create a VLAN for Service1 Ingress. In this example interface 1.3 is being used. This must also be a Tagged interface. When done it should look like this:
Next we’ll configure the Self IPs for these VLANs. Navigate to Self IPs under Network.
Create 2 Self IPs like the following:
Name |
IP Address |
Netmask |
VLAN |
Egress_Service1 |
10.0.0.1 |
255.255.255.0 |
Service_Egress |
Ingress_Service1 |
90.0.0.1 |
255.255.255.0 |
Service_Ingress |
When done it should look like this:
BIG-IP SSL Orchestrator Configuration Steps
From the Configuration Utility select SSL Orchestrator > Configuration.
Scroll down and click Next.
Give the Topology a Name, L3_Outbound in this example.
Select the Protocol needed, TCP in this example.
Select the IP Family, IPv4 in this example.
Select the Topology type, L3 Outbound in this example.
Note: L3 Inbound is also compatible with One-Armed Mode.
Click Save & Next at the bottom of the page.
For SSL Configurations you will need to specify the CA Certificate Key Chain. In this example we used subrsa.f5labs.com.
Click Save & Next at the bottom of the page.
Click Save & Next at the bottom of the page.
Configure the two L3 Services
Click the Add Service button
Select the Inline L3 tab then double-click the Generic Inline Layer 3 Service.
Note: a Generic Inline Layer 3 device is used in this example but any Layer 3 device can be used.
Give it a name, L3_Service1 in this example.
Uncheck the box to Auto Manage Addresses
For the To Service Configuration select Use Existing then click the down arrow to expand the dialog box. Select the Egress IP address for Service1, 10.0.0.1/24 in this example.
Under Security Devices click Add.
Enter the IP address of your L3 Security device, 10.0.0.25 in this example. Click Done.
For the From Service Configuration select Use Existing then click the down arrow to expand the dialog box. Select the Ingress IP address for Service1, 90.0.0.1/24 in this example.
Click Save at the bottom.
For the Services Chain you can configure it by clicking Add.
Give it a name, Service_Chain in this example.
Select the Service under Services Available and click the right arrow to move it under Selected Service Chain Order.
Click Save at the bottom.
Click Save & Next at the bottom of the next page.
The Security Policy screen is where you enable/disable SSL Proxy and specify the Service Chain to use. Click the pencil (edit) icon on the bottom rule to set the Service Chain.
Click OK.
Click Save & Next at the bottom of the page.
For the Interception Rule optionally specify the Source Address. The Destination Address/Mask field is required. In this example the policy is configured to intercept connections from and to any IP address.
Select the correct vlan from the Available options, Outbound_Vlan in this example, and click the right arrow to move it to Selected.
Click Save & Next at the bottom of the page.
For SNAT Settings select Auto Map.
Click Save & Next at the bottom of the page.
Click Save & Next at the bottom of the page.
Click Deploy at the bottom of the page.
You should see a Success message. Click OK.
Test Connectivity from a Client Computer
The Default Gateway of the client computer is set to 10.1.20.100 which is the Self IP of the BIG-IP.
The client computer has already been configured to trust the SSL certificates emulated by BIG-IP SSL Orchestrator.
Test the SSL decryption capabilities by connecting to an HTTPS site, espn.com in this example.
The connection to the site is secure, there are no certificate errors and the certificate was Issued By subrsa.f5labs.com.
Conclusion
You have successfully configured BIG-IP SSL Orchestrator with only 3 network interfaces. For more information on that see the SSL Orchestrator series: Orchestrated Infrastructure Security
- KevinGallaugherEmployee
Thanks! I want to re-test it with VMware because it might work better.
Thanks for sharing this trick 🙂