Forum Discussion

Piotr_Lewandows
May 17, 2017

SSL Orchestrator and SWG combined

Hi,

I wonder if it is at all possible to set up both SWG and SSL Orchestrator as a combined solution using a one-BIG-IP (or two-BIG-IP) setup?

The idea is to be able to use SWG features for user authentication, URL filtering etc. and SSL Orchestrator for service chaining, to provide added security for users accessing the Internet.

From what I tested, when deploying SSL Orchestrator (the module on BIG-IP VE, not the Herculon appliance) in Explicit proxy mode, SSL Orchestrator is deployed as a kind of iApp (but not visible via iApps -> Application Services) with Strict Updates enabled, so there is no way to modify the VS created by the wizard.

Additionally, it seems that there is no way to disable Strict Updates for SSL Orchestrator, so it is impossible to add APM policies to the VS set up as an Explicit proxy.

So is it not possible to combine those functionalities? Or maybe some kind of proxy chaining from the SWG Explicit proxy to the SSL Orchestrator Explicit proxy VS? Or an iRule on the SWG Explicit Proxy VS with VIP targeting VIP?

I am curious (if combining is possible) what the real-life best practices and experiences are, and how this setup works.

Piotr

2 Replies

  • As we talked about, I have been having some fun with SSLO.

    The SSLO module has developed since 12.1.0, when it was launched, to now be a provisioned module in 14.0.0. https://support.f5.com/csp/article/K07457537

    If you have an SSLO license, you will get the SSLO menu. However, before 14.0.0, it removed other menus, like iApps. You could try changing things via tmsh, but I am not sure if it would work.

    In 14.0.0 things have improved. Menus are not removed, and the APM menu is visible even with APM provisioned. Also, the documentation points to some integration with APM.

    https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-0-0.html

    "Authorization support for Access policy with SSLO

    APM access policies can provide authorization for HTTP and non-HTTP traffic in conjunction with SSL Orchestrator (SSLO). The session check agent in the SSLO per-request policy can identify whether a main access session is present or not and take actions based on that.

    Additional data for SSLO per-request policies

    SSLO per-request policies now have access to the following information for use with branching:

    • TCP/IP address/port
    • SSL SNI and SAN
    • IP Intelligence data
    • IP Geolocation data"

    SWG works with APM, so I guess that integration extends to SWG.

    I would suggest you have a look at 14.0.0, as I think what you want may be possible now.

  • This is correct. In 14.0 SSL Orchestrator merges into the Access engine, so SWG functions become native as part of the SSLO per-request (service) policy.

    But also important, authentication is not specifically a function of SWG. Auth is handled by APM. You would then use SWG to perform URL filtering and malware detection in the per-request policy. So in SSLO, you'd separate the two:

    • Create an SWG-Explicit access profile to define user authentication (NTLM, Kerberos, Basic...).
    • In SSLO, define Deployment Settings, forward proxy SSL settings, Services, a default service policy, and install the "default outbound rules" to specify an explicit forward proxy.
    • After creating the default outbound rules, you'll see an interception rule with the "-xp" ending. Edit this interception rule and attach the SWG-Explicit access policy.
    • Your configuration is essentially done here, and you'll be authenticating forward proxy traffic. You can then optionally go into the created service policy visual policy and make any needed modifications to do additional URL filtering.