Question on CSR and SSL
Please, someone help me clear up the doubt below. Below is the scenario I am demonstrating in the LAB.
1) I have generated a CSR on the LTM and provided it to the CA (the CA is my Windows Server 2012).
2) With the help of OpenSSL on Windows Server 2012 I generated a public and private key pair and signed the CSR. "TESTVIP" is the name of my newly signed certificate. I also extracted the public key from the CA server.
3) I have imported the "TESTVIP" certificate and private key into the LB (I got the private key while generating the CSR on the LB).
Question 1) When I am associating these (TESTVIP and private key) with the client SSL profile it is giving me an error "KEY and certificate do not match", though I have done it correctly.
Question 2) Also, I am trying to install the CA public key in the end user's browser to trust the website, but it says "this file is invalid for use as the following security certificate". How can I establish that green lock symbol in the URL in such a LAB scenario? Any help would be appreciated.

BIG-IP SSL orchestrator Throughput vs platform Throughput
Going through the datasheet documents for SSL Orchestrator and the platform, I see different throughput values for SSL Orchestrator throughput vs platform L7-L7 traffic processing throughput. What is the difference between these throughputs? When using SSL Orchestrator, does the platform throughput decrease and become limited to the SSL Orchestrator maximum throughput? https://www.f5.com/pdf/products/ssl-orchestrator-datasheet.pdf https://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf

Can SSL Orchestrator do daisy chaining to a Proxy first then to an ICAP server?
Hi; Let's say I want to decrypt on the Orchestrator, then send the clear text traffic to a Proxy device, then, when it comes back from the Proxy, have the Orchestrator send it over ICAP to an ICAP server. I guess my question is: can the Proxy and the ICAP server be in the same daisy chain? Kindly, Wasfi

List of supported HSMs
Is there a list of supported HSMs for F5 devices? I've seen the "standard" ones (like Thales Luna), but what about USB-based ones like YubiHSM or Nitrokey HSM 2 or YubiKey HSM 2, or other network-based ones like Nitrokey NetHSM? Will those work in general? From this presentation https://www.f5.com/content/dam/f5/corp/global/pdf/agility/agility2018/BIG-IP-SSL-Capabilities.pdf on page 21 it seems at least there is a chance.

SSL Orchestrator between client and explicit HTTP proxy
Hi DevCentral, I am testing SSL Orchestrator in inline mode (L2 / transparent) in order to inspect cleartext web browsing traffic using an IPS device. The scenario is the following:
- Client that points directly to the F5 as a gateway
- Client has an explicit HTTP forward proxy configured in the browser (Mozilla) for HTTP & HTTPS traffic
- SSLO is placed inline with SNAT Automap that points to a router connected to the Internet
I did a packet capture and I saw that the SSL handshake occurs between the client and the HTTP/HTTPS forward proxy (tinyproxy), using the HTTP CONNECT / Proxy-Connect method, but the SSL decryption will not occur if the HTTP forward proxy is configured on the client. (I am testing this because one of our customers would like to implement SSL Orchestrator, but actually the customer has an explicit HTTP proxy configured in order to provide web reputation filtering to the clients.) The architecture flow is the following (starting from the source):
1. Client
2. F5 SSL Orchestrator
3. HTTP/HTTPS Forward Proxy (tinyproxy)
4. Internet
I'd expect to see that the traffic is decrypted correctly also with the HTTP forward proxy in place. (Actually it works for outbound decryption, but without the HTTP forward proxy --> point 3.)

SSL Orchestrator and SWG combined
Hi, I wonder if it is at all possible to set up both SWG and SSL Orchestrator as a combined solution using a one BIG-IP (or two BIG-IP) setup? The idea is to be able to use SWG features for user authentication, URL filtering etc. and SSL Orchestrator for service chaining to provide added security for users accessing the Internet. From what I tested, when deploying SSL Orchestrator (the module on BIG-IP VE, not the Herculon appliance) in explicit proxy mode, SSL Orchestrator is deployed as a kind of iApp (but not visible via iApps -> Application Services) with Strict Updates enabled, so there is no way to modify the VS created by the wizard. Additionally it seems that there is no way to disable Strict Updates for SSL Orchestrator, so it is impossible to add APM policies to the VS set as explicit proxy. So is it not possible to combine those functionalities? Or maybe some kind of proxy chaining from the SWG explicit proxy to the SSL Orchestrator explicit proxy VS? Or an iRule on the SWG explicit proxy VS with VIP targeting VIP? I am curious (if combining is possible) what the real-life best practices and experiences are and how this setup works. Piotr

SSL Orchestrator Response Inspection
I've been testing the latest SSL Orchestrator with the guided configuration and I've noticed that it doesn't seem like the responses are sent to the inspection devices. Everything I've seen looks like they should be going through, but in a tcpdump I don't see anything. I've configured the BIG-IP as the gateway for a test client, and I can block specific sites with my filtering device, so I know outbound request filtering is working. I've configured a PAN as an L3 device in the service chain and I've been running a tcpdump on both the to-the-PAN VLAN and the from-the-PAN VLAN. Any ideas? Am I doing something wrong, or is it working as expected?

How does the SSL orchestrator deal with non-http traffic encrypted over SSL
Hi; Let's say that the Orchestrator is doing SSL decryption and then sending the clear text traffic to an explicit proxy. How would the Orchestrator deal with TLS-encrypted traffic like Skype, MAPI over SSL or SIP over SSL? Would it still decrypt it and send it in clear text to the explicit proxy, or would it not even decrypt it and instead send it to the Internet, bypassing the explicit proxy altogether? Kindly, Wasfi

SSLO routing error
Hi guys, Whenever I try to run the SSLO with the services I always get the request back from my servers, but if I add the services in the service chain it's not pushing through. The devices are reachable on the corresponding interfaces, but I really can't seem to route and inspect the traffic from the services. Any ideas on how to fix this? Are there particular configurations that should be made first on my IPS to route the incoming traffic to the outgoing interface? I'm really lost on this one.