3.1. Scenario


Your organization has deployed SSL Orchestrator for internal users who access the Internet. This is an L3 Explicit outbound topology with NTLM user authentication required for clients. The security policy rules are as follows:

Security Policy Rules
Traffic Classification Actions to perform Services (in Service Chain)
Websites known to use certificate pinning Bypass TLS decryption Cisco Firepower TAP service
Websites matching the "Finance and Data Services" URL category Bypass TLS decryption Cisco Firepower TAP service
Default (all other traffic) Intercept (Decrypt TLS) Squid Proxy and Cisco Firepower TAP services

New Requirement

You receive a request from the Applications team to inspect outbound traffic from their internal application servers (accessing Internet-based API services). However, these UNIX servers do not support NTLM authentication and this traffic must also be inspected by the Applications team's ICAP-based virus scanning solution.

3.2. Lab Overview


Completion of the first two lab exercises is a pre-requisite.

You will create a new LTM virtual server with an iRule to direct client traffic between two L3 Explicit topologies. The first one is the f5labs_explicit topology for corporate user traffic that you modified in the NTLM authentication exercise. The second one will be a new L3 Explicit topology that will decrypt TLS and send traffic to a service chain consisting of an ICAP-based antivirus service and the Cisco Firepower TAP service.

The following diagram illustrates the flows:

Internal Layered SSL Orchestrator Architecture

The corporate users reside on several /24 subnets that fall within the block of IP addresses. You will use the Windows Client machine ( to represent test users.

The application servers reside primarly on subnets and There is also a server attached to the corporate user subnet. You will use the Ubuntu18.04 Client machine ( to represent this server for testing.

You will need to define the ICAP-based antivirus service and add it to a new service chain along with the Cisco Firepower TAP service.

Finally, you will test the solution from the two client machines.