Forum Discussion

Peter_chan
Mar 02, 2018

How to bypass the similar domain in SSL Orchestrator

How do I configure the SSL Orchestrator to bypass the same domain, like "login.skype.com" and "api.asm.skype.com"? I have tried configuring ".*skype.com" and "*.skype.com" but with no success.

 

4 Replies

  • JG

    Will you please re-phrase your question? And I am trying to figure out what 'SSLO' means.


  • Please go to:

    SSL Orchestrator > Configuration and Policies.

    Next, while editing your policy, go to > Destination setting and, for > Address Destination,

    choose DDB. For DDB (Dynamic Domain Bypass), the Destination you configure contains one or more DNS domain names (unique or wildcard) against which the destination hostname indicated by the client in TLS SNI is matched. This mode is special because it classifies traffic before the SSL Orchestrator implementation attempts any TLS handshake with the remote server (that is, in Match Phase Pre-handshake). You may use DDB to whitelist and bypass traffic to servers which cause TLS handshake problems or that require TLS mutual (client-certificate/smart-card) authentication. For DDB, the Service Chain value you select must be Bypass or Reject.


  • Hi Peter


    The easiest way would be to create a DataGroup (type: string), let's call it "sslo-bypass". Declare your domain name as a string with no value, then create a TCP Service Chain Classifier with your "sslo-bypass" DataGroup set as a destination and the Service Chain value set to "Bypass". While adding string records for "skype.com" to the datagroup, remember to add "skype.com" as well as ".skype.com" for subdomains of skype.com ("*" will not work here).

    You can use the same method to block certain domains just by setting the SC value to Reject. The only problem with this scenario is that what you get is just a TCP reset, so the user sees "Secure Connection Failed" instead of a nice-looking "blocking page" telling him "Your request has been rejected by our security dept.".


    Regards