How To: Create a Static Service Chain

Overview

A static service chain is a predetermined sequence of security services applied to SSL traffic as it flows through the SSL Orchestrator. It defines the path and order that you want traffic to take. The static service chain is configured ahead of time and not modified during runtime, which implies that SSL traffic is routed through the same set of security services and policies every time it passes through the SSL Orchestrator. A static service chain in SSL Orchestrator can enforce a specific security policy, ensure compliance with regulatory requirements, or optimize network performance.

BIG-IP Next SSL Orchestrator supports static service chaining that routes the encrypted SSL/TLS traffic through a configured list of security services for inspection and processing. Once the services are defined, create a service chain with the configured security services to process traffic.

Procedure

You can create a static service chain while creating an application:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon next to the F5 logo, and click Applications.

  2. If this is the first application service you are adding to BIG-IP Next Central Manager, click Start Adding Apps. Otherwise, at the top of the screen, click Add Application.

  3. For Application Service Name, specify a name for the application service and click Start Creating.
    The Application Service Properties screen opens.

    Note: For Application Mode, create a Standard Application, which is selected by default. For Gateway Mode, you must select From Template, and then select sslo-inbound-gateway-topology from the Application Template drop-down list.

  4. For the Description, specify a description of the application service and click Start Creating.
    The Virtual Servers tab of the Application Service Properties screen opens.

  5. Click the Pools tab.
    The Pools tab opens so you can specify the pools the application service will use.

    Note: Creating pools is not applicable for Gateway Mode.

  6. For the Name of pool, specify a name for the pool.

  7. Specify the Service Port to use for this pool.

  8. Select a Load-Balancing Mode for the pool.

  9. Select a Monitor Type for the pool.

  10. Click the Virtual Servers tab.
    The Virtual Servers tab opens.

  11. For the Virtual Server Name, specify a name for the virtual server.

  12. For Pool, select the pool that you want this virtual server to use.

  13. For the Virtual Port, specify the port number to use to access the virtual server.

  14. To specify Protocols or Profiles, click the edit icon under Protocols & Profiles.
    The Protocols screen opens.

    a. Select the protocols you want to enable.

    b. If the protocol you selected requires a certificate, a field displays so you can choose one.

    c. When you have specified the protocols and profiles needed, click Save to return to the Application Service Properties screen.

  15. To specify security policies, click the edit icon under Security Policies.

    a. To specify an SSLO service chain:

      i. Click Use an SSL Orchestrator Service Chain.

      ii. Select one or more Inspection services for this virtual server on this application service.

    b. Click Save to return to the Application Service Properties screen.

  16. To specify iRules, click the edit icon under iRules.
    The iRules screen opens.

    a. To enable iRules, click Use iRules.

    b. To specify iRules for this application service, click Add.

    c. Use the controls to specify the iRules (and version) for this application service and arrange the order in which they run.

    d. When the iRules are correctly specified, click Save to return to the Application Service Properties screen.

  17. Repeat steps 11-16 to specify settings for additional virtual servers as needed.

  18. When you finish specifying settings for the application service, click Review & Deploy.
    The Instance/Locations page opens.

  19. Click Start Adding, select the instances to which you want to deploy the application service, and then click Add to List.
    The Deploy screen opens.

  20. For each instance/location you added in the previous step, under Virtual Address, specify the IP address(es) of the virtual server(s).

  21. Add Pool Members for each pool.

    a. For the first pool, click the down arrow under Members, then click the + Pool Members button.
    The Pool Members (endpoints) screen opens.

    Note: Adding pool members is not applicable for Gateway Mode.

    b. Click Add Row and specify a Name and IP Address for the first pool member.

    c. To add additional members, click Add Row again.

    d. When you finish adding pool members, click Save.

    e. Repeat sub-steps a-d to add pool members for each pool.

  22. When you finish adding pool members to each pool, click Deploy Changes.
    The Deploy Application Service screen displays a summary of the changes to be deployed.

  23. Click Yes Deploy to complete the deployment.