I am aware that F5 LTM does SSL offloading, so it is able to open SSL traffic and check what's going on right there... nevertheless, there is this other product called SSL Orchestrator which is supposed to work exclusively for SSL traffic... I found their respective SKUs in the price list:
BIG-IP 5250v SSL Orchestrator (32 GB Memory, SSD, Max SSL, Max Compression) F5-BIG-SSLI-5250V
BIG-IP 5250v Local Traffic Manager (32 GB Memory, SSD, Max SSL, Max Compression, vCMP) F5-BIG-LTM-5250V
They both look alike, but their prices are quite different... so I would like to know what the difference is between an SSL Orchestrator appliance and an LTM appliance. Why should I buy an SSL Orchestrator if it is more expensive than an LTM device and apparently LTM does the same? Any help would be very well received. Thank you guys in advance!!!
I think it's just sales related. They just would like to get some extra money for the effort involved in creating the customized interface and complicated iRules.
All pieces used by SSL Orchestrator are available via existing LTM objects - maybe without specialized analytics engine/interface created for this solution - even this functionality can be replicated using some external logging systems with properly configured dashboard (at least I think so).
SSL Orchestrator is simply an iApp which automatically configures all of the various LTM components to create the transparent SSL intercepting forward proxy. You do however require additional licenses over the normal base LTM SKU.
The specific SSL Orchestrator SKUs simply bundle up all the required licenses (SSL Forward Proxy and URL Filtering, iirc) into one neat package. The hardware itself is identical*, as I am running SSL Orchestrator on a 7250V.
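To make the "it's just LTM objects" point concrete, here is the minimal set of LTM objects that a transparent SSL intercepting forward proxy is built from when configured by hand with tmsh. This is an added illustration, not the SSL Orchestrator iApp's output and not from the original post; the object names (`fwdproxy-clientssl`, `fwdproxy-serverssl`, `vs-ssl-intercept`, `sslo-ca.crt`/`sslo-ca.key`), the VLAN name and the address ranges are assumed placeholders, and it presumes the SSL Forward Proxy feature is licensed on the box.

```tmsh
# Assumed: an internal CA cert/key pair already imported as sslo-ca.crt / sslo-ca.key.
# The forward proxy re-signs server certificates with this CA on the client side,
# so clients must trust it; otherwise every intercepted site shows a cert warning.

# Client-side SSL profile: terminates the client's TLS session and mints a
# per-site certificate signed by the proxy CA (ssl-forward-proxy enabled).
create ltm profile client-ssl fwdproxy-clientssl {
    defaults-from clientssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    proxy-ca-cert sslo-ca.crt
    proxy-ca-key sslo-ca.key
    cert default.crt
    key default.key
}

# Server-side SSL profile: opens the second, independent TLS session to the
# real origin. Because both legs are terminated here, the box holds both session
# keys, which is why PFS ciphers are not a problem for a full proxy.
create ltm profile server-ssl fwdproxy-serverssl {
    defaults-from serverssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
}

# Transparent wildcard virtual for outbound TCP/443 from the client VLAN.
# translate-address disabled keeps the original destination so the connection
# is forwarded to wherever the client was actually going.
create ltm virtual vs-ssl-intercept {
    destination 0.0.0.0:443
    mask 0.0.0.0
    ip-protocol tcp
    translate-address disabled
    translate-port disabled
    vlans add { vlan-clients }
    vlans-enabled
    profiles add {
        tcp { }
        http { }
        fwdproxy-clientssl { context clientside }
        fwdproxy-serverssl { context serverside }
    }
    source-address-translation { type automap }
}

save sys config
```

This covers only the decrypt/re-encrypt leg that this answer and the LTM documentation describe. Steering the decrypted stream through an inspection device, monitoring that device, and skipping it when it is down require additional virtuals, pools and policies on top of this, which is the part the SSL Orchestrator iApp generates for you.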
A common misconception.
SSL Orchestrator (SSLO) and Herculon are somewhat different things.
SSL Orchestrator is the iApp-based product that configures a BIG-IP device to perform the SSL visibility. The iApp can be used on an existing BIG-IP LTM, but requires separate licensing of SSL Forward Proxy, and optionally URL filtering.
Herculon is a dedicated appliance, which could either be used to serve DDoS Hybrid Defender or SSL Orchestrator. It's still a BIG-IP, but provisioned differently than an LTM and includes SSL Forward Proxy (with SSLO). URL Filtering is still optional.
Please allow me to elaborate.
LTM is the ADC (application delivery controller) function of the BIG-IP product line. It's the traditional reverse full proxy, and load balancing component. And while yes, it does do SSL decryption and re-encryption, it is still fundamentally different from the SSL Orchestrator.
SSL Orchestrator is a visibility product. Its primary role is to decrypt, send that decrypted traffic to external security devices for inspection (e.g. IDS, IPS, NGFW, ICAP, etc.), and then re-encrypt. By virtue of the F5 full proxy architecture, these security services can be load balanced, monitored, skipped if failed, and re-usably "chained" together in logical flows, with a traffic classification component that can drive individual TCP packet flows through different chains based on various criteria. So for example, HTTP traffic can be sent to a FireEye and an IPS, mail traffic can be sent to an ICAP service and the same IPS, and everything else might flow through an NGFW, the IPS and an IDS. And all of that happens within a single set of hardware-accelerated decrypt and re-encrypt operations.
SSL Orchestrator is slightly more expensive because today it relies on components from multiple product modules, including LTM.
And to elaborate on Odaah's statement, a full proxy is more resistant to cryptography challenges than other "bump-in-the-wire" SSL visibility products, and can more easily support PFS ciphers.
Totally understood, Kevin... thanks a lot for the explanation!!!
I think your question would be complete if you can provide what you are trying to achieve. For most cases, LTM should suffice. However, if you have an environment with WAF or other such devices that needs to inspect traffic, I can see the value in SSL Orchestrator that will serve as a single point of SSL termination as the newer SSL ciphers don't allow "Man-in-the-middle" encryption/decryption.
You're right... the decision of whether to use one or the other depends a lot on what we are going to use the appliance for... so, although both appliances do work with SSL traffic, if I need to open this traffic and send it to another solution it would be better to work with SSL Orchestrator, right? Kevin's explanation is quite useful as well... thank you for the help!!!