
SSL Orchestrator Architecture Guide
Version 14.0.0-4.0

Table of Contents

Document Overview
General Architecture
  Licensing and hardware Notes
  Licensing and Provisioning
  Compatibility / Support
  Performance
  Logging
  Certificates
  General Security Best Practices
  Decoding Object Naming
  Pre-Deployment Requirements
  Basic Configuration Steps
  Templated architecture concept
Deployment Architecture
  Deployment scenarios
  Deployment Mode
  Deployment Topology Details
Service Architectures
  Services Security Best Practices
  Layer 2 Inline Service
  Layer 3 Inline Device
  Inline HTTP Proxy (Explicit / Transparent)
  ICAP Device
  TAP Device
Policy Architecture
  Overall policy object relationships
  SSL Settings Groups
  SSLO Per-Request Policy
  APM Per-Request Policies
  Access Profile (Per-Session Policy)
  Interception Rules
  Default APM Per-Request Policies
  Base Policy
  Categorization Macro
  SSL Intercept Policy Macro
  Service Chain Intercepted Macro
  IP Policy Macro (Unused)
  Proxy Chaining (Connect / URI Rewrite) Macros (Unused)
Troubleshooting
Use Cases
Standard Use Cases
  Block HTTP and HTTPS traffic based on URL
  Select a different intercept chain based on IP intelligence or geolocation
  Select the Non-Intercept chain based on IP information
  HTTP should bypass all chains based on a user’s group
  Remap ports for inbound traffic
  Categorize URLs for HTTP (non-encrypted) traffic
  Setup without URL Filtering or SWG licensed
  Configuring Inbound Services when SNAT is used
  Configuring Layer 3 and HTTPS services for inbound traffic
  Adding an iRule to a service
  Adding a monitor to a TAP service
  Configuring SSLO to use an upstream explicit proxy
  Setting up authentication with explicit proxy connections
  Setting policy to bypass ICAP services
  Configure VLANs for L2 wire Interfaces
Advanced Use Cases
  Create additional outbound explicit proxy rules
  SNI for inbound listeners
  Using SSLO in a horizontally scaled architecture
  Provide IP address persistence for outbound traffic
  Enable Client Certificate Constrained Delegation for SSLO
  Add HTTP Headers to traffic
  Configuring external communications

Details
File Type: pdf
Content Languages: English
Upload User: Anonymous/Not logged-in
File Pages: 114