1.5. Selecting an SSL Orchestrator Platform
The F5 SSL Orchestrator is a feature module deployed on the industry-leading BIG-IP application delivery controller (ADC) platform. It can be provisioned on any F5 BIG-IP platform, including hardware appliances, VIPRION and VELOS chassis, and Virtual Editions.
SSL Orchestrator can be enabled by activating a standalone base license or an add-on license:
Standalone - the base functionality of the platform is the SSL Orchestrator. Standalone supports the following add-on licenses (if needed):
Access Policy Manager (APM) - to enable forward proxy authentication
Advanced Firewall Manager (AFM) - to enable integration of layered L3/4 ACLs and DoS protection
Advanced Web Application Firewall (AWF) - to enable integration of layered L7 advanced WAF capabilities
Secure Web Gateway (SWG) - to enable integration of layered web gateway protection
URL Category Database (subscription) - for URL category-based TLS intercept/bypass decisions
IP Intelligence (subscription) - for IP reputation-based classification
Network HSM - to enable integration with external hardware-protected storage for private keys
Advanced Routing Module (ARM) - to enable advanced networking routing protocols such as BGP and OSPF
Add-on - the SSL Orchestrator module is added to another base product module. It can be added to (most) devices that have any of the following base licenses:
Access Policy Manager (APM)
Advanced Firewall Manager (AFM) standalone
Advanced Web Application Firewall (AWF) standalone
Local Traffic Manager (LTM)
Both SSL Orchestrator license options provide the same functionality on all platforms, with the following caveats:
SSL Orchestrator standalone base licensing is available only on the platforms listed in the table below. If a desired platform is not in this list, or if a desired add-on module is not supported with SSL Orchestrator standalone, consider deploying the SSL Orchestrator add-on license with another base module that does support your requirements. For example: BIG-IP i11600 + LTM base + SSL Orchestrator add-on.
HP VE 8 CPU
HP VE 12 CPU
HP VE 16 CPU
HP VE 20 CPU
HP VE 24 CPU
Table 4: SSL Orchestrator standalone platforms
Layer 2 topology modes are limited to BIG-IP i5800 and higher-level appliances, as well as VIPRION B2250 and B4450 blades. Layer 2 topology modes are not available on the following platforms:
Any vCMP deployment
Please see https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-virtual-wire-layer2-transparency-13-1-0/2.html for the complete list of platforms that support layer 2 “virtual wire”.
Inline layer 2 services in VIPRION vCMP environments: The following VIPRION chassis/blade combinations do not support inline layer 2 services in a vCMP environment:
B2250 blade on C2400 chassis
B4300 blade on C4800 chassis
B4450 blade on C4480 chassis
This is due to a limitation in the number of MAC addresses provided to guests. Please see https://support.f5.com/csp/article/K14513 for additional information. SSL Orchestrator running directly on the blade (no vCMP) does not have this limitation.
Virtual Edition (VE): SSL Orchestrator running on the Virtual Edition (VE) requires the following minimum computing resources:
4 vCPU (cores)
12 Gb memory (16 or higher preferred)
For additional information on installation, upgrade, licensing and provisioning, please refer to the following:
For additional information on latest BIG-IP and SSL Orchestrator versions:
For additional information on latest BIG-IP hotfix and point releases:
For additional information on latest BIG-IQ SSL Orchestrator interoperability: