Overview: SSL Orchestrator Concepts

About SSL Orchestrator

F5® BIG-IP® Next SSL Orchestrator enables you to manage SSL/TLS encrypted traffic in a centralized and scalable manner, providing enhanced security, visibility, and control over network traffic. It optimizes the SSL infrastructure by centralizing the SSL decryption/re-encryption process. It delivers high-performance decryption of inbound SSL/TLS traffic, enabling security inspection that proactively exposes threats and prevents security attacks.

In the SSL daisy chain model, the traffic must be decrypted and re-encrypted at every security device, which adds latency at each hop. SSL Orchestrator establishes a single intercept point and delivers the same level of security with the latest SSL encryption technologies across the entire security infrastructure. With the centralized decryption/encryption process of SSL Orchestrator, the traffic is decrypted and re-encrypted only once, decreasing the latency and improving the network’s performance.

SSL Orchestrator employs intelligent traffic steering methods such as service chain lists: ordered sets of security devices that can be customized based on the type of traffic. In addition, the load balancing and monitoring capabilities of SSL Orchestrator ensure high availability and efficient utilization of your existing security solutions.

Architecture Diagram

BIG-IP Next SSL Orchestrator Architecture Diagram

Capabilities of SSL Orchestrator

  • Improved Visibility: SSL Orchestrator provides complete visibility into SSL/TLS encrypted traffic, allowing you to monitor and analyze network traffic in real time. This visibility can help you identify potential security threats and optimize network performance.

  • Improved Scalability: SSL Orchestrator includes full proxy architecture, and the security services (such as firewalls, intrusion detection and prevention systems, and other security tools) can be scaled independently, ensuring high availability and improved load balancing.

  • Reduced Costs: By centralizing SSL/TLS processing, SSL Orchestrator removes the need for each security device to perform its own decryption, saving the costs associated with purchasing and maintaining that capacity on every device.

  • Supports various deployment modes: SSL Orchestrator supports multiple deployment modes such as standalone, cluster, and separate ingress/egress tiers.

  • Supports various inspection devices: SSL Orchestrator supports TAP, ICAP, and Inline layer 3 devices.

  • Transparent and explicit proxy: Intercepts and inspects traffic without requiring any special client configuration.

  • Dynamic Service Chaining: Context-based policies allow different types of traffic to flow through different service chains.

  • Context-based intelligence: The SSL Orchestrator Security Policy provides a rich set of context-aware methods to optimize the traffic flow through the security stack dynamically.
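The two ideas the overview keeps returning to, a single decrypt/re-encrypt point and ordered service chains selected by traffic context, are easier to reason about with a small model. The following is an added illustration written for this page; it is not F5 code and does not use the BIG-IP Next API. It assumes a constructed policy (first-match rules keyed on destination port, URL category and source subnet), three constructed inspection devices standing in for the device types the page names (a TAP that only receives a copy, an ICAP service that can return a block verdict, and an inline layer 3 device that can block), and the simplification that a daisy-chained deployment performs one decrypt and one re-encrypt per device.

```python
"""Toy model of single-intercept decryption with context-selected service chains.

Added example for this page, not F5 product code. Names, rules, subnets and
the content marker are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# An inspector returns True to allow the flow and False to block it.
Inspector = Callable[["Flow"], bool]


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    url_category: str           # constructed context attribute, e.g. "finance" or "news"
    payload: bytes              # plaintext available after the single decryption
    blocked_by: Optional[str] = None
    tap_copies: int = 0


@dataclass
class Service:
    name: str
    kind: str                   # "tap", "icap" or "inline_l3" (the device types the page lists)
    inspect: Inspector


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    chain: List[Service]        # ordered: services run in list order


class Orchestrator:
    """Decrypts once, steers the plaintext through one chain, re-encrypts once."""

    def __init__(self, rules: List[Rule], default: Rule):
        self.rules = rules
        self.default = default

    def select(self, flow: Flow) -> Rule:
        # First-match evaluation of the ordered policy; fall back to the default chain.
        for rule in self.rules:
            if rule.match(flow):
                return rule
        return self.default

    def process(self, flow: Flow) -> Dict[str, object]:
        rule = self.select(flow)
        decrypt_ops = 1                         # single intercept point: decrypt once
        visited = 0
        for svc in rule.chain:
            if flow.blocked_by:
                break                           # a block verdict ends the chain early
            visited += 1
            if svc.kind == "tap":
                flow.tap_copies += 1            # passive copy; its verdict cannot block
                svc.inspect(flow)
            elif svc.kind in ("icap", "inline_l3"):
                if not svc.inspect(flow):
                    flow.blocked_by = svc.name
            else:
                raise ValueError(f"unknown device kind: {svc.kind}")
        encrypt_ops = 0 if flow.blocked_by else 1   # re-encrypt once on the way out
        return {
            "chain": rule.name,
            "services_visited": visited,
            "blocked_by": flow.blocked_by,
            "tap_copies": flow.tap_copies,
            "crypto_ops_orchestrator": decrypt_ops + encrypt_ops,
            # Daisy chain simplification (assumption): each device decrypts and re-encrypts.
            "crypto_ops_daisy_chain": 2 * len(rule.chain),
        }


def build_demo() -> Orchestrator:
    """Constructed devices and policy for the demonstration."""
    ids_tap = Service("ids-tap", "tap", lambda f: True)                       # observe only
    av_icap = Service("av-icap", "icap", lambda f: b"MALWARE-MARKER" not in f.payload)
    ngfw = Service("ngfw", "inline_l3", lambda f: not f.src_ip.startswith("10.99."))
    rules = [
        # Lighter chain for a sensitive category: copy to the TAP only.
        Rule("finance-light", lambda f: f.url_category == "finance", [ids_tap]),
        # Full chain for ordinary HTTPS traffic.
        Rule("web-full", lambda f: f.dst_port in (443, 8443), [ids_tap, av_icap, ngfw]),
    ]
    return Orchestrator(rules, default=Rule("default", lambda f: True, [ngfw]))


if __name__ == "__main__":
    orch = build_demo()
    for flow in (
        Flow("10.0.0.5", 443, "news", b"GET /index.html"),
        Flow("10.0.0.6", 443, "news", b"POST /upload MALWARE-MARKER"),
        Flow("10.0.0.7", 443, "finance", b"GET /balance"),
        Flow("10.99.0.8", 443, "news", b"GET /"),
        Flow("10.0.0.9", 8080, "news", b"GET /"),
    ):
        print(flow.src_ip, flow.dst_port, flow.url_category, orch.process(flow))
```

The point to take from running it is that the crypto cost is fixed at one decrypt and one re-encrypt regardless of how many devices a chain contains, while the policy decides per flow which chain (and therefore which devices) sees the plaintext; a block verdict from an ICAP or inline device stops the chain and the flow is never re-encrypted and forwarded.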