1.2. What’s new in SSL Orchestrator 10?

SSL Orchestrator 10.0 adds the following new features:

  • NetScout nGeniusOne integration - Bundled with SSL Orchestrator 10.0, the NetScout nGenius security service integration has been added to the service catalog.


  • Search tool - Bundled with SSL Orchestrator 10.0, the user interface now includes search capability to filter object lists in large deployments.


  • Support ECDH-RSA for SSL Forward Proxy - BIG-IP now supports Elliptic Curve Diffie-Hellman (ECDH) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator. Note that Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) has been supported in SSL Forward Proxy since version 14.1.


  • Support FFDHE for SSL Forward Proxy - BIG-IP now supports Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator.


  • Support AES-CCM and AES-CCM8 - BIG-IP now supports AES128-CCM and AES128-CCM8 ciphers.


SSL Orchestrator 10.1 adds the following updates:

  • Enhanced logging - The SSL Orchestrator Summary log now includes the following data:

    • Ingress/egress VLAN

    • Policy rule names

    • URL categories matched

    • TLS handshake status

    • Reset causes

    • Connection failures


  • Configuration snapshot / recovery - You can now take a snapshot of the SSL Orchestrator iFile configuration and use it as a restore point.


  • Office365 Tenant Restrictions as a service - Tenant Restrictions implements an HTTP header injection function to enable organizations to control their users’ access to company-only Office 365 resources, while blocking access to personal/non-company Office 365 assets. This feature allows organizations to prevent a significant data exfiltration vector. Tenant Restriction is implemented in SSL Orchestrator as a service in the service chain. Please see Section 4.14 for additional details.


  • Office 365 URL categorization - SSL Orchestrator can now create a schedule to fetch the remote, dynamic set of Office 365 URLs. The URLs are maintained in custom URL categories that can be consumed by the security policy engine to make traffic flow decisions. Please see Section 4.15 for additional details.


  • Security policy enhancements - New security policy capabilities include:

    • Negation operators – previous versions provide the is/are/contains operators. This update adds negations of these to allow ‘is not’, ‘are not’, and ‘not contains’ evaluations.


    • IP protocol – a new condition exists to evaluate the TCP or UDP protocol.


    • Bypass (Client Hello) – an SSL proxy action exists to initiate a TLS bypass without triggering a TLS handshake on the BIG-IP. This would be used in rare cases where TLS handling at the BIG-IP is disruptive to the protocol or application. The option is generally available for layer 3 (IP subnet), layer 4 (port), and TLS Client Hello (Server Name) conditions, where server-side evaluation is not required. However, it is not available for Server Certificate checks (issuer DN, SANs, subject DN) or category lookups, where server-side evaluation is required.


Note

Note the following software dependencies:

  • SSL Orchestrator 10.0 requires BIG-IP 17.0.0 or a later 17.0.x release.

  • SSL Orchestrator 10.1 requires BIG-IP 17.0.0.1 or a later 17.0.x release.


Please refer to the official SSL Orchestrator 10.0 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-17-0-0-iapp-10-0.html


Please refer to the official SSL Orchestrator 10.1 release notes for detailed update information:

https://techdocs.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-17-0-0-1-iapp-10-1.html