F5 SSL Orchestrator - Topologies

You may don’t know you need an SSL Orchestrator (SSLO) till you know what this kind of product can do for you. SSL visibility is mandatory for most companies today. It’s interesting for detecting malware, attacks, data leaks, etc. Therefore, if you want SSL visibility and you are going to install an SSLO, you’ll need to know and understand the six topologies that you can configure. The aim will be that internal client will be able to access remote (Internet) resources through SSLO, providing decrypted, inspectable traffic to the security services.

The configuration dashboard after deployment
The L3 Outbound topology (transparent proxy) is the traditional transparent forward proxy while the L3 Explicit Proxy topology is the traditional explicit forward proxy. An explicit forward proxy topology will ultimately create an explicit proxy listener and its relying transparent proxy listener; however, the transparent listener will be bound only to the explicit proxy tunnel. If a subsequent transparent forward proxy topology is configured, it will not overlap the existing explicit proxy objects.

L3 Outbound topology
For a reverse proxy “gateway” configuration, the L3 Inbound topology should be selected. In its simplest form, the L3 Inbound topology builds an SSLO environment designed to sit in front of another Application Delivery Controller, ADC, or routed path. Advanced options allow it to define a pool for more directed traffic flow, however, alone it does not provide the same flexibility afforded a typical LTM reverse proxy virtual server. It also must perform re-encryption on egress.

L3 Inbound topology

With L2 Inbound topology and L2 Outbound topology, we insert SSLO as a bump-in-the-wire in an existing routed path, where SSLO presents no IP addresses on its outer edges. The L2 Inbound topology provides a transparent path for inbound traffic flows. However, the L2 Outbound topology provides a transparent path for outbound traffic flows. Therefore, these topologies are the best to enhance the integrity, confidentiality, or reliability of communications across an existing logical link without altering the communications endpoints.

L2 Outbound topology
The sixth topology is the Existing Application topology which is designed to work with existing LTM applications. Whereas the L3 Inbound topology provides an inbound gateway function for SSLO, Existing Application works with LTM virtual servers that already perform their own SSL handling and client-server traffic management. The Existing Application workflow proceeds directly to service creation and security policy definition, then exits with an SSLO-type access policy and per-request policy that can easily be consumed by an LTM virtual server.

Existing Application topology

Finally, once we choose which topology fits our requirements, we have to attach security services to SSLO. For instance, the F5 SSLO includes a services catalog which contains common product integrations such as Fortinet Secure Web Gateway HTTP Proxy or Gigamon Inline Layer 2. However, there are also generic services for L2 inline, L3 inline, ICAP, HTTP or TAP connectors.

security services
Are you ready to deploy and install F5 SSLO? Go ahead!