sslo
16 Topics

SSLO HTTPS conversion to HTTP for NGFW inspection
Hi all, I am new to the BIG-IP SSLO and I was playing around with it in order to see if I can enhance my NGFW visibility instead of moving to a bigger box. The BIG-IP has been moved to be the default gateway for all users and acts as a transparent proxy. All users have been provisioned the CA certificate, and exceptions for pinned and sensitive sites have been provisioned and are working as intended. The main idea is that I want to decrypt HTTPS traffic and send it over a Layer 2/3 path via the NGFW in order to examine the traffic, and then re-encrypt it before it is sent out to the internet. I have everything working as intended except the HTTPS-to-HTTP-to-HTTPS part. Is this something which can be done by the SSLO? Thank you, Konstantinos

SSLO Security policies; do we still need the Pinners category?
Playing with SSLO again, and came across the Pinners category in the Security Policy (a category of websites that immediately bypass SSLO due to the use of pinned certificates). (More detail on certificate pinning: https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-guided-configuration/ta-p/285880 and https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.) It seems that HTTP pinning and certificate pinning have now mostly been deprecated (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning), but the Pinners category still exists. I've removed quite a few of the domains from the category, tested again with forged certificates, and all sites still work! (Which I believe they shouldn't if pinning was still in place at those sites.) And Google, classically being one of the biggest users of pinning initially, isn't even in the Pinners category anymore. So, should SSLO still configure the Pinners category by default, or should it now be removed by default and pinning only be kept in the back of our minds in case we do come across a website that uses it? (Or, a third and just as likely option: have I completely misunderstood something?)

Can the F5 SSL Orchestrator (SSLO) send traffic to a not directly attached Layer 3 device?
I was playing with the SSLO wizards/guided configurations and when I tried to configure a Layer 3 or HTTP service with an IP address that is not directly attached to a VLAN/Self IP on the F5, I got the error message "This is not a valid IP address for selected selfip for 'To Service' subnet.". For ICAP services there is no problem sending the traffic to a not directly attached device, but I have to ask if I can do the same for an HTTP/Layer 3 inline service in some way?

Where are the F5 SSL Orchestrator (SSLO) SplitSession Client/SplitSession Server profiles used?
I have seen these profiles but there is not a lot of info about their use cases. From the article below I think that they are only important when two F5 SSLO devices are used for ingress and egress traffic: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/39.html From what I gather, if a single SSLO is used the settings will be "Local Peer" enabled and "Lookup Type" set to "Flow", but when is "Session Flow" or "HTTP Header" used? Is "Session Flow" for Layer 2/3 services when there are two SSLOs for ingress and egress traffic, and "HTTP Header" for transparent/explicit proxy services, again with two SSLOs for ingress and egress traffic?

Custom script to shut down interface
Hi Guys, I'm new to F5 and a scripting novice. I have an F5 running SSLO sitting on the internet path and running BGP. I'm trying to design an automatic rerouting of internet traffic to an alternate data center if any of my primary DC devices fail, but there is no inherent way to influence BGP routing through monitoring of service chain devices. F5 only has fail-open or fail-close for service chain devices. I thought of IP SLA, but imish does not support this. Is there a way to write a script or custom monitor to ping the service chain devices and shut down an interface on failure?

Detect IP Being Blocked Upstream
I am running SSLO L3 Outbound, Forward Proxy, and my organization blocks the IPs of sites at our perimeter. This makes it confusing for customers going to HTTPS sites, because the client side does the full TCP handshake and sends its first TLS data to the F5 before the F5 server side starts, and then receives a TCP reset, so to the user it looks like there is a TLS error. In reality, on the F5 server side the first TCP packet is sent, receives no response and times out. I would like to be able to detect the fact that no response was received and return a custom page to the user with instructions on who to contact to resolve it. I tried to use the SERVER_CLOSED event, but this event doesn't trigger in the scenario above.

SSL Orchestrator between client and explicit HTTP proxy
Hi DevCentral, I am testing SSL Orchestrator in Inline mode (L2 / Transparent) in order to inspect cleartext web browsing traffic using an IPS device. The scenario is the following:

1. Client that points directly to the F5 as a gateway
2. Client has an explicit HTTP forward proxy configured in the browser (Mozilla) for HTTP & HTTPS traffic
3. SSLO is placed inline with SNAT Automap that points to the router connected to the Internet

I did a packet capture and I saw that the SSL handshake occurs between the client and the HTTP/HTTPS forward proxy (tinyproxy), using the HTTP CONNECT / Proxy-Connect method, but the SSL decryption will not occur if the HTTP forward proxy is configured on the client. (I am testing this because one of our customers would like to implement SSL Orchestrator, but currently the customer has an explicit HTTP proxy configured in order to provide web reputation filtering to the clients.) The architecture flow is the following (starting from the source):

1. Client
2. F5 SSL Orchestrator
3. HTTP/HTTPS Forward Proxy (tinyproxy)
4. Internet

I'd expect to see that the traffic is decrypted correctly also with the HTTP forward proxy in place. (Currently it works for outbound decryption, but without the HTTP forward proxy, i.e. point 3.)

SSL Orchestrator and ASM application policy on BIG-IP
Hello. I met a problem while trying to combine SSL Orchestrator and an ASM application policy together. Has anyone met the same? Or have any ideas about such a deployment? I need to inspect unencrypted HTTP traffic on an inline antivirus and at the same time I need to provide web application security on the F5 BIG-IP. Thank you in advance.