1.5. Selecting an SSL Orchestrator Platform

The F5 SSL Orchestrator is a feature module deployed on the industry-leading BIG-IP application delivery controller (ADC) platform. It can be provisioned on any F5 BIG-IP platform, including hardware appliances, VIPRION and VELOS chassis, and Virtual Editions.

SSL Orchestrator can be enabled by activating a standalone base license or an add-on license:

  • Standalone - the base functionality of the platform is the SSL Orchestrator. Standalone supports the following add-on licenses (if needed):

    • Access Policy Manager (APM) - to enable forward proxy authentication

    • Advanced Firewall Manager (AFM) - to enable integration of layered L3/4 ACLs and DoS protection

    • Advanced Web Application Firewall (AWF) - to enable integration of layered L7 advanced WAF capabilities

    • Secure Web Gateway (SWG) - to enable integration of layered web gateway protection

    • URL Category Database (subscription) - for URL category-based TLS intercept/bypass decisions

    • IP Intelligence (subscription) - for IP reputation-based classification

    • Network HSM - to enable integration with external hardware-protected storage for private keys

    • Advanced Routing Module (ARM) - to enable advanced networking routing protocols such as BGP and OSPF


  • Add-on - the SSL Orchestrator module is added to another base product module. It can be added to (most) devices that have any of the following base licenses:

    • Access Policy Manager (APM)

    • Advanced Firewall Manager (AFM) standalone

    • Advanced Web Application Firewall (AWF) standalone

    • Local Traffic Manager (LTM)


Both SSL Orchestrator license options provide the same functionality on all platforms, with the following caveats:

  • SSL Orchestrator standalone base licensing is available only on the platforms listed in the table below. If a desired platform is not in this list, or if a desired add-on module is not supported with SSL Orchestrator standalone, consider deploying the SSL Orchestrator add-on license with another base module that does support your requirements. For example: BIG-IP i11600 + LTM base + SSL Orchestrator add-on.


    Platform Name     Platform Type
    -------------     ---------------
    i2800             Appliance
    r2800             Appliance
    i4800             Appliance
    r4800             Appliance
    i5800             Appliance
    r5800             Appliance
    r5900             Appliance
    i7800             Appliance
    i10800            Appliance
    r10800            Appliance
    r10900            Appliance
    i11800            Appliance
    i15800            Appliance
    HP VE 8 CPU       Virtual Edition
    HP VE 12 CPU      Virtual Edition
    HP VE 16 CPU      Virtual Edition
    HP VE 20 CPU      Virtual Edition
    HP VE 24 CPU      Virtual Edition
    VIPRION 22XX      Chassis
    VIPRION 24XX      Chassis
    VIPRION 4480      Chassis
    VIPRION 4800      Chassis
    VIPRION C2100     Chassis Blade
    VIPRION C2200     Chassis Blade
    VIPRION C4400     Chassis Blade
    VELOS CX410       Chassis Blade

    Table 4: SSL Orchestrator standalone platforms


  • Layer 2 topology modes are limited to BIG-IP i5800 and higher-level appliances, as well as VIPRION B2250 and B4450 blades. Layer 2 topology modes are not available on the following platforms:

    • Virtual Edition

    • Any vCMP deployment

    Please see https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-virtual-wire-layer2-transparency-13-1-0/2.html for the complete list of platforms that support layer 2 “virtual wire”.


  • Inline layer 2 services in VIPRION vCMP environments: The following VIPRION chassis/blade combinations do not support inline layer 2 services in a vCMP environment:

    • B2250 blade on C2400 chassis

    • B4300 blade on C4800 chassis

    • B4450 blade on C4480 chassis

    This is due to a limitation in the number of MAC addresses provided to guests. Please see https://support.f5.com/csp/article/K14513 for additional information. SSL Orchestrator running directly on the blade (no vCMP) does not have this limitation.


  • Virtual Edition (VE): SSL Orchestrator running on the Virtual Edition (VE) requires the following minimum computing resources:

    • 4 vCPU (cores)

    • 12 Gb memory (16 or higher preferred)


Additional References: