1.5. Selecting an SSL Orchestrator Version

The F5 SSL Orchestrator is a feature module deployed on the industry-leading BIG-IP application delivery controller (ADC) platform. It can be provisioned on any F5 BIG-IP platform, including hardware appliances, VIPRION chassis, and Virtual Edition. There are two licensing options for SSL Orchestrator:

  • Standalone - the base functionality of the platform is the SSL Orchestrator. Standalone provides the following add-on options:

    • Access Policy Manager (APM) - for forward proxy authentication
    • URL Category (subscription) - for URL-based TLS intercept/bypass decisions
    • IP Intelligence (subscription) - for IP reputation-based classification
    • Network HSM - for additional hardware-protected storage of private keys

  • LTM add-on - the base functionality of the platform is Local Traffic Manager (LTM) with the SSL Orchestrator module added. The LTM base option provides all of the module configurations possible for LTM, including all of the above additional add-ons.


SSL Orchestrator functions the same in either license version on all platforms, with the following caveats:

  • SSL Orchestrator standalone is limited to the set of listed add-on options, and to the following platforms. If a platform is required that is not in this list, or module add-ons are needed that are not allowed on SSL Orchestrator standalone, consider deploying the SSL Orchestrator add-on license with base LTM.


    Platform Name                             Platform Type    Platform ID
    i2800                                     Appliance        C120
    i4800                                     Appliance        C115
    i5800                                     Appliance        C121
    i7800                                     Appliance        C118
    i10800                                    Appliance        C122
    i11800                                    Appliance        C123
    i15800                                    Appliance        D116
    HP VE 8 CPU                               Virtual Edition  Z100
    HP VE 16 CPU                              Virtual Edition  Z100
    VPR-22XX, VPR-24XX, VPR-4480, VPR-4800    Chassis
    C2100                                     Chassis Blade
    C2200                                     Chassis Blade    D114
    C4400                                     Chassis Blade    J100

    Table 4: SSL Orchestrator standalone platforms


  • SSL Orchestrator standalone employs a limited set of LTM features, specifically:

    • Security service pools are limited to 6 load-balanced devices
    • LTM limited provides a subset of advanced monitoring options

  • Layer 2 topology modes are limited to i5800 appliances and above, and B2250 and B4450 VIPRION blades. Layer 2 topology modes are not available on the following platforms:

    • Virtual Edition
    • Any vCMP deployment

    Please see https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-virtual-wire-layer2-transparency-13-1-0/2.html for the complete list of supported layer 2 “virtual wire” platforms.


  • Existing Application topology mode is limited to the LTM add-on version of SSL Orchestrator.


    Inline layer 2 services on VIPRION in a vCMP environment

    The following VIPRION chassis/blade combinations do not support inline layer 2 services in a vCMP environment:

    • B2250 blade on 2400 chassis
    • B4300 blade on 4800 chassis
    • B4450 blade on 4480 chassis

    This is due to a limitation in the number of MAC addresses provided to guests. Please see https://support.f5.com/csp/article/K14513 for additional information. SSL Orchestrator running directly on the blade (no vCMP) does not have this limitation.


For additional information on installation, upgrade, licensing and provisioning, please refer to the following:

https://techdocs.f5.com/en-us/bigip-15-1-0/ssl-orchestrator-setup.html