1.2. What’s new in SSL Orchestrator 9?

SSL Orchestrator 9.0 adds the following new features:

  • SWG as an inline security service - SWG is a full-featured secure web gateway product with rich integration with both BIG-IP Access Policy Manager (APM) and BIG-IP iRules, providing near limitless web policy enforcement flexibility. SWG as an inline security service (SWGaaS) is now available as a security device option in the security service catalog and allows you to define an SWG per-request policy that runs inside the decrypted service chain. SWG must be licensed and provisioned to use this feature. Please see Section 3.6 for additional details.


  • New session abort ending for blocked TLS session - The SSL Orchestrator security policy contains a new abort option as a blocking action.


  • SNI-based bypass based on TLS Client Hello - The security policy can now be configured to bypass TLS decryption based on the SNI received in the Client Hello, before any server-side evaluation. In previous versions a connection would break in scenarios where TLS bypass by unique SNI/host was required for mutual TLS authentication: the elements of the security policy that perform this evaluation required a server-side “look”, which would then fail on the server side because of the client certificate requirement. In 9.0, a TLS bypass can be created by SNI/host name that will not break mutual TLS.
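
The decision above hinges on reading the server_name extension straight out of the Client Hello, before any server-side connection exists. The following is an added illustration (not SSL Orchestrator code): it builds a minimal, constructed TLS 1.2 Client Hello, parses the SNI back out of it, and applies a bypass list with exact and wildcard host entries; `build_client_hello`, `extract_sni` and `bypass_decision` are names chosen here.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a TLS 1.2 ClientHello record carrying one SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                       # handshake record, client_hello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len or len(body) < 35:
            return None
        pos = 34                                                         # skip version (2) + random (32)
        pos += 1 + body[pos]                                             # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]             # cipher suites
        pos += 1 + body[pos]                                             # compression methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:                                 # list len (2) + type (1) + name len (2)
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None

def bypass_decision(record: bytes, bypass_hosts) -> str:
    """Client-side decision: 'bypass' if the SNI matches the list, else 'intercept'."""
    sni = extract_sni(record)
    if sni is None:
        return "intercept"                                               # no SNI: nothing to match on
    host = sni.lower()
    for pattern in bypass_hosts:
        p = pattern.lower()
        if host == p or (p.startswith("*.") and host.endswith(p[1:])):
            return "bypass"
    return "intercept"
```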


  • Send SSL session logs using log publisher to one or more log destinations - SSL Orchestrator can now log the details of the forged server certificate, and pass that to external log consumers via log publishers. This feature requires common criteria mode (ccmode) to be enabled in order for TMM to generate SSL session logs.


  • Support authorityKeyIdentifier extension for certificates - SSL Orchestrator now includes an authorityKeyIdentifier (AKI) in the forged server certificate to aid in certificate path discovery at the client. Path discovery is the mechanism that a TLS client performs to find and build a complete chain of trust from the end-entity (leaf) certificate to the explicitly trusted root CA. In previous versions, the client would need to perform certificate path discovery based on subject and issuer common name string values, where the issuer name in a child certificate matches the subject name in the issuer certificate, and so on up to the self-signed root CA. This can cause issues in scenarios where a CA root certificate is “cross-signed” with another authority, creating two versions of the CA (a self-signed and an issued certificate with the same common name). The AKI and SKI values are a SHA hash of a unique public key, making path discovery more reliable. In this case, instead of using subject and issuer string names, the authorityKeyIdentifier (AKI) value in the leaf certificate will match the subjectKeyIdentifier (SKI) of its parent, and so on up to the self-signed root CA.
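
To make the difference between name-based and key-identifier-based path discovery concrete, here is an added, constructed model (not SSL Orchestrator or BIG-IP code, and not a real X.509 parser): certificate records carry subject, issuer, key bits and AKI, the SKI is derived from the key bits as in RFC 5280 method (1), and a trust store is built that holds two CA certificates with the same subject name but different keys. Walking the chain by name stalls at the ambiguous hop; walking it by AKI/SKI resolves to exactly one parent. `Cert`, `build_path` and the two selector functions are names chosen for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def key_id(public_key: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): key identifier = SHA-1 over the public key bits."""
    return hashlib.sha1(public_key).digest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes           # stand-in for the SubjectPublicKeyInfo key bits (constructed)
    aki: Optional[bytes]        # authorityKeyIdentifier = SKI of the signing key; None when self-signed

    @property
    def ski(self) -> bytes:
        return key_id(self.public_key)

def issuers_by_name(cert: Cert, store):
    """Legacy discovery: any store certificate whose subject equals this cert's issuer."""
    return [c for c in store if c.subject == cert.issuer]

def issuers_by_aki(cert: Cert, store):
    """AKI/SKI discovery: only the certificate whose key the AKI actually names."""
    return [c for c in store if c.ski == cert.aki]

def build_path(leaf: Cert, store, select):
    """Walk from the leaf to a self-signed root; None if any hop is ambiguous or missing."""
    path, current = [leaf], leaf
    while not (current.subject == current.issuer and current.aki in (None, current.ski)):
        candidates = select(current, store)
        if len(candidates) != 1 or candidates[0] in path:
            return None
        current = candidates[0]
        path.append(current)
    return [c.subject for c in path]

# Constructed trust store: the root exists twice under one name, with different keys.
ROOT_KEY_OLD, ROOT_KEY_NEW, ISSUING_KEY = b"root-key-old", b"root-key-new", b"issuing-key"
STORE = [
    Cert("Example Root CA", "Example Root CA", ROOT_KEY_OLD, None),
    Cert("Example Root CA", "Example Root CA", ROOT_KEY_NEW, None),
    Cert("Example Issuing CA", "Example Root CA", ISSUING_KEY, key_id(ROOT_KEY_NEW)),
]
LEAF = Cert("www.example.com", "Example Issuing CA", b"forged-leaf-key", key_id(ISSUING_KEY))
```

Note that a genuinely cross-signed pair that shares one key also shares one SKI, so both certificates verify the child's signature; the key identifier removes ambiguity between different keys, not between two certificates for the same key.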


  • Gossip deprecation - Gossip is the process whereby the SSL Orchestrator communicates HA sync information to its peer. This information is bidirectional and independent of native BIG-IP sync functions. In previous versions, gossip could potentially cause stability issues, particularly when configurations fail. In this release, the gossip sync function is removed and replaced with a new sync option (see source-of-truth update below).


  • Support for local OCSP responder - SSL Orchestrator now supports a local OCSP certificate revocation responder service for forged server certificates. The forged certificates can contain an authorityInfoAccess (AIA) attribute that points to a locally defined URL (a listening service on BIG-IP) that provides OCSP revocation status on the forged certificates. Please see Section 4.10 for additional details.


  • HTTP/2 support - SSL Orchestrator now supports full-proxy HTTP/2 through the decrypted service chain for outbound traffic.


  • Verified Accept support - When enabled, the system verifies that the pool member is available to accept the connection by sending the server a SYN before responding to the client’s SYN with a SYN-ACK packet. SSL Orchestrator topologies are built on a standard virtual server type (with Verified Accept disabled). This could cause an issue in the scenario where an upstream firewall might block a specific IP and/or port, but the SSL Orchestrator allows the client-side connection to be established (only to be blocked later at the firewall). Enabling Verified Accept allows the F5 to test for a valid server-side connection before completing the client-side handshake.


  • Tabbed service catalog - The security products in the SSL Orchestrator service catalog are now represented in a new de-cluttered tabbed interface, separated as inline layer 2, inline layer 3, inline HTTP, ICAP, TAP, and a new F5 services tab.


  • Per-topology DNS settings - Explicit proxy topologies can now define independent DNS resolver settings.


  • Pool member change from 6 to 20 with Standalone license - SSL Orchestrator Standalone licensing has always limited the number of service pool members to 6 devices. This licensing update increases that number to 20.


  • Address and port list support - SSL Orchestrator now supports address lists and port lists in the Guided Configuration. This will allow for more granular IP/port control over traffic intercept conditions.


  • Custom category lookup performance enhancements - Significant improvements have been made to increase custom category lookup performance.


  • TCP keepalive proxy - This feature allows TCP keepalive proxy settings to be set dynamically, so that an SSL Orchestrator interception rule can enable and proxy keepalive traffic. This is useful in situations where a client (e.g. the Citrix Workspace client) requires a keepalive to stay connected to the upstream server. Please see Section 4.11 for additional details.


  • Reject client with TLS alert if per-request policy reject ending is reached prior to SSL forward proxy triggering server-side TLS handshake - On a Reject policy ending, SSL Orchestrator can now generate a TLS alert in the client-side TLS handshake. In previous versions a Reject policy ending would either result in a TCP close or blocking page.


  • Control plane re-architecture (source-of-truth and HA improvements) - Significant improvements have come to the SSL Orchestrator control plane. In previous versions, the source-of-truth for the SSL Orchestrator configuration was JSON block storage (file-system objects). This separate source-of-truth (vs. native MCP configuration state) could cause stability issues. In 9.0 the source-of-truth is stored in BIG-IP native iFile objects. This change allows SSL Orchestrator to utilize native MCP/CMI HA sync functions, and thus to support native automatic and incremental sync.


  • Control plane re-architecture (removal of UI strictness) - In 9.0, the strictness lock icon has been removed from most objects, allowing you to freely make out-of-band changes that are honored by the SSL Orchestrator configuration throughout management and upgrade.


  • New SSL Orchestrator standalone platforms - The following platforms are being made available for the standalone version:

    • i11800-DS

    • 10350-F (FIPS)

    • i7820-DF (FIPS)

    • i15820-DF (FIPS)

    Please see the official platform datasheet for official sizing: https://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf


SSL Orchestrator 9.2 is a bugfix release.


SSL Orchestrator 9.1 adds the following updates:

  • Inbound gateway mode - SSL Orchestrator now provides SSL visibility for inbound connections to servers behind BIG-IP in two modes.

    • Gateway Mode: Gateway mode works like a router: a virtual server uses a network address (range) and processes incoming connections for that whole range.


    • Application Mode: Application mode works like a traditional LTM virtual server. It creates a virtual server listening on a specific IP:port and processes incoming connections for that IP.


  • SNI switching with multi-SNI - SNI switching allows a virtual server to contain multiple client SSL profiles, each with its end-entity certificates. The SSL Orchestrator UI now supports assigning multiple SSL profiles to the same virtual for both Inbound and Outbound explicit topologies.


  • Verified Accept SSL profile optimization - SSL Orchestrator now generates a single SSL profile instead of two profiles for Verified Handshake True (vht) and Verified Handshake False (vhf), greatly simplifying the SSL Orchestrator-generated configurations. By default, Verified Handshake is enabled for Outbound traffic and disabled for Inbound traffic.


  • Port remap enhancement - Some security devices require HTTPS (443) traffic to be re-mapped to HTTP (80) for correct inspection. Previously, the remap setting was applied regardless of bypass/decrypt decisions. With this release, the bypass traffic is not re-mapped, and the port remap applies only to the decrypted traffic.


  • Port lockdown enhancement - The BIG-IP system allows administrators to configure Port Lockdown settings for Self-IPs to reduce the attack surface by restricting incoming traffic. Previously, any setting besides “Allow All” or “Allow Default” caused the SSL Orchestrator GUI to malfunction and report High Availability failures. With this release, you can deploy/edit the SSL Orchestrator configuration with the Port Lockdown settings set to Custom (TCP port 443).


SSL Orchestrator 9.3 adds the following updates:

  • Support ECDH-RSA for SSL Forward Proxy - BIG-IP now supports Elliptic Curve Diffie-Hellman (ECDH) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator. Note that Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) has been supported in SSL Forward Proxy since version 14.1.


  • Support FFDHE for SSL Forward Proxy - BIG-IP now supports Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator.


  • Support AES-CCM and AES-CCM8 - BIG-IP now supports AES128-CCM and AES128-CCM8 ciphers.


  • STIP mode - SSL/TLS Inspection Proxy (STIP) refers to a category of network devices that perform SSL visibility/interception functions. STIP compliance is part of Common Criteria (CC) that provides a common set of requirements for the security functionality of IT products and the assurance measures to be applied to the IT products during a security evaluation. F5 is a member of the technical committee (amongst other vendors) who participated in the drafting of STIP PP (Protection Profile). Version 1.0 of the STIP PP was published in August 2019. Think of the BIG-IP as the Network Device and SSL Orchestrator as the STIP. Some of these new STIP features are included and enabled within SSL Orchestrator by default whereas others can only be enabled by activating a special “CC Mode” of operation in the BIG-IP (tmsh ccmode). Please see Section 4.12 for additional details.


Note

The following software dependencies apply:

  • SSL Orchestrator 9.0 requires BIG-IP 16.1.0 or a later 16.1.x release.

  • SSL Orchestrator 9.1 and 9.2 require BIG-IP 16.1.1 or a later 16.1.x release.

  • SSL Orchestrator 9.3 requires BIG-IP 16.1.3 or a later 16.1.x release.


Please refer to the official SSL Orchestrator 9.0 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-16-1-0-iapp-9-0.html


Please refer to the official SSL Orchestrator 9.1 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-16-1-1-iapp-9-1.html


Please refer to the official SSL Orchestrator 9.2 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-16-1-1-iapp-9-2.html


Please refer to the official SSL Orchestrator 9.3 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-16-1-3-iapp-9-3.html