F5 BIG-IP SSL Orchestrator Training Lab > Class 2: SSL Orchestration v5 (Ravello) > Module 3 - Create an Explicit Forward Proxy SSLO Source | Edit on

Lab 3.1: Configure an Explicit Proxy deployment through Guided Configuration

Minimally an explicit proxy requires DNS settings to be configured. To enable this navigate to the SSLO Dashboard by selecting SSL Orchestrator ‣ Configuration on the left menu. Once the dashboard has loaded, click System Settings.

In the DNS Settings section make the following modifications:

  • DNS Query Resolution - select Local Forwarding Nameserver.
  • Local Forwarding Nameserver(s) - enter
  • [Optional] Logging Level - select the logging level most appropriate for the deployment. Keep in mind, however, that DEBUG logging produces an enormous amount of local Syslog traffic and is not recommended when processing production traffic flows.
  • Click Deploy to commit the changes.

In the SSL Orchestrator dashboard view, select the Topologies tab (bottom) and click Add.

  • Configuration review and prerequisites - take a moment to review the topology options and workflow configuration, then click Next.

  • Topology Properties

    • Name: provide some name (ex. “lab3_explicit”)
    • Protocol: TCP
    • IP Family: IPv4
    • Topology: select L3 Explicit Proxy
    • Click Save & Next
  • SSL Configurations - the existing outbound SSL settings from Lab 1 can be re-used here.

    • Select Use Existing, and select the existing lab1_outbound SSL profile.

    • Click Save & Next

    • Click OK to acknowledge the profile warning.


      Whenever repurposing a topology setting, a warning will appear, “There are other configuration items that are referencing this item. Editing this item will affect the referencing ones mentioned below”.

  • Services List - there are no new services to create.

    • Click Save & Next
  • Service Chain List - there are no new service chains to create.

    • Click Save & Next
  • Security Policy - the existing outbound Security Policy from Lab 1 can be re-used here.

    • Select Use Existing, and select the existing lab1_outbound Security policy.
    • Click Save & Next
    • Click OK to acknowledge the profile warning.
  • Interception Rule - an explicit proxy requires a unique IP address and port listener.

    • IPV4 Address:
    • Port: 3128
    • Access Profile: if enabling explicit proxy authentication, select an existing SWG-Explicit access profile here. For this lab, leave it set to None.
    • VLANs: select client-net and move it to the right column
    • Click Save & Next
  • Egress Setting - traffic egress settings are now defined per-topology and manage both the gateway route and outbound SNAT settings.

    • Manage SNAT Settings - enables per-topology instance SNAT settings. For this lab, select Auto Map.
    • Gateways - enables per-topology instance gateway routing. Options are to use the system default route, to use an existing gateway pool, or to create a new gateway. For this lab, select Use Existing Gateway Pool, then select the “lab1_outbound-ex-pool-4” gateway pool.
    • Click Save & Next
  • Summary - the summary page presents an expandable list of all of the workflow-configured objects. To expand the details for any given setting, click the corresponding arrow icon on the far right. To edit any given setting, click the corresponding pencil icon. Clicking the pencil icon will send the workflow back to the selected settings page.

  • When satisfied with the defined settings, click Deploy.