4.6. Create Secondary Topology

You will need to add an L3 Explicit topology for the outbound application server traffic. This topology will decrypt TLS and send traffic to a service chain consisting of:

  1. New ICAP-based antivirus service
  2. Existing Cisco Firepower TAP service

4.6.1. L3 Explicit Topology

  • Navigate to SSL Orchestrator > Configuration and Add a new topology.
  • Scroll to the bottom of the Configuration introduction page and click on the Next button.
  • Enter appsvr_explicit as the topology name. Ensure that the name is entered exactly as shown because it will be referenced in a later step.
  • Select the L3 Explicit Proxy topology type.
L3 Explicit Proxy
  • Click the Save & Next button to continue.

4.6.2. SSL Configurations

  • In the CA Certificate Key Chain section, click on the pencil icon to edit.
  • Select subrsa.f5labs.com for both Certificate and Key.

Warning

Ensure that you are editing the CA Certificate Key Chain shown above, not the Certificate Key Chain. They look very similar.

  • Click Done. The SSL settings have now been configured.
../../_images/clientssl.png

  • Click the Save & Next button to continue.

4.6.3. ICAP service

  • On the Services List screen, click the Add button.
  • Type icap in the Search box
  • Select Generic ICAP Service and click the Add button
ICAP Service
  • On the Service Properties screen, enter the following values:

    • Enter CLAM_AV in the Name field.
    • Enter ClamAV in the Description field.
    • In the ICAP Devices section, click on the Add button.
    • Enter 198.19.97.50 in the IP Address field.
    • Leave the Port set to 1344 (default for ICAP).
    • Click on Done to add the ICAP device.
    ICAP Service
    • Enter /avscan in the Request Modification URI Path field.
    • Enter /avscan in the Response Modification URI Path field.
    • Enter 1048576 in the Preview Max Length(bytes) field.
    ICAP Service
    • Click Save to return to the Services List.
Services List After Adding ICAP
  • Click the Save & Next button to continue.

4.6.4. Service Chain

You now need to create a new Service Chain containing the CLAM_AV and Cisco Firepower TAP services.

  • On the Services Chain List screen, click the Add button.

  • On the Services Chain Properties screen, enter the following values:

    • Enter CAV_CiscoFP in the Name field.
    • Enter ClamAV and Cisco Firepower TAP in the Description field.
    • Services - select the CLAM_AV and CiscoFP_TAP services under Services Available and move them to Selected Service Chain Order
    New service chain for Clam AV and Cisco Firepower TAP
  • Click the Save button to return to the Service Chain List.

  • Click the Save & Next button to continue.

4.6.5. Security Policy

You now need to create a new Security Policy for the appsvr_explicit topology.

  • On the Security Policy screen, modify the All Traffic rule by clicking on the pencil icon.
  • Select the ssloSC_SC_CAV_CiscoFP Service Chain.
  • Click the OK button.
New security policy for application server traffic
  • Click the Save & Next button to continue.

4.6.6. Interception Rule / Proxy Server Settings

  • Skip down to the Proxy Server Settings section.

  • Enter 10.1.10.175 in the IPV4 Address field.

    Note

    An IP address is required for an explicit proxy configuration, but it won't actually be referenced in this design since it is associated with an empty VLAN.

  • Leave the Port set to 3128 (default value).

  • In the VLANs section, select the /Common/zzz-vlan VLAN and and move it to Selected column.

New security policy for application server traffic
  • Click the Save & Next button.

4.6.7. Egress Settings

  • On the Egress Settings screen, select Auto Map in the Manage SNAT Settings field.
  • Click the Save & Next button.

4.6.8. Log Settings

  • On the Log Settings screen, leave all the default values.
  • Click the Save & Next button to continue.

4.6.9. Summary

  • Click the Deploy button.
  • When successfully deployed, click the OK button to return to the SSL Orchestrator Configuration screen.

You should now have two L3 Explicit topologies. The third topology is an L3 Outbound (transparent) topology that is not applicable to this lab exercise.