3.3. Deploy a Basic L3 Outbound Proxy Topology

In this section, you will create a basic SSL Orchestrator Topology to verify that outbound client traffic is being intercepted before enabling the user coaching function.


3.3.1. Create Topology

  1. In the SSL Orchestrator UI, click on the Topologies tab.

    ../../_images/l3outbound.png
  2. Click on the Add button to start creating a new Topology.

  3. Scroll to the bottom of the Configuration introduction page and click on the Next button to start creating a new Topology.

  4. Enter l3_outbound as the topology name.

  5. Select the L3 Outbound topology type.

    ../../_images/l3outbound-create.png
  6. Scroll down to the bottom of the page and click on the Save & Next button to proceed to the next step in the configuration workflow.


3.3.2. Create SSL Configuration

On the SSL Configurations page, create the Client-side SSL profile for the L3 outbound (transparent) forward proxy.

  1. In the Name field, leave the default value as l3_outbound.

  2. In the Certificate Key Chain section, leave the default settings as is (default certificate and key).


    Important

    Since this is an outbound forward proxy deployment, the SSL Orchestrator will be using a subordinate CA certificate and private key to sign the re-issued ('forged') certificates delivered to clients for outbound traffic. This is configured in the CA Certificate Key Chains section, not the Certificate Key Chains section.


    Note

    When using subordinate CA certificates, both the subordinate and root CA certificates must be imported into the client's browser certificate store. The Ubuntu-Client machine in the lab environment already has these installed.


  3. In the CA Certificate Key Chain section, click on the Edit (pencil) icon.

  4. In the Certificate drop-down list, select subrsa.f5labs.com to replace the default value.

  5. In the Key drop-down list, select subrsa.f5labs.com to replace the default value.

  6. Click on the Done button to apply the config change.

    ../../_images/l3outbound-ssl.png
  7. Leave the default Server-side SSL settings.

  8. Click on the Save & Next button to proceed to the next step in the configuration workflow.


3.3.3. User Authentication

No user authentication will be enabled at this time.

  1. Click on the Save & Next button to proceed to the next step in the configuration workflow.


3.3.4. Create Services

There are 3 Inspection Services. The ssloS_FEYE and ssloS_F5_AWAF services were created in the previous lab module. Recall that the ssloS_F5_UC service was created by the SSLO User Coaching script.

../../_images/l3outbound-services.png

No additional services need to be created at this time.

  1. Scroll down to the bottom of the page and click on the Save & Next button to proceed to the next step in the configuration workflow.


3.3.5. Create Service Chains

There are 2 Service Chains: ssloSC_service_chain_1 and ssloSC_service_chain_2. These were created in the previous lab module.

../../_images/l3outbound-chain.png

No additional Service Chains need to be created at this time.

  1. Scroll down to the bottom of the page and click on the Save & Next button to proceed to the next step in the configuration workflow.


3.3.6. Create Security Policy

The Security Policy contains 2 default rules: Pinners_Rule and All Traffic.

../../_images/l3outbound-policy-1.png
  1. Click on the Edit (pencil) icon for the All Traffic rule.

  2. Set Service Chain to ssloSC_service_chain_1. Recall that this Service Chain contains only the ssloS_FEYE service.

    ../../_images/l3outbound-policy-2.png
  3. Click on the OK button to exit edit mode.

    Your Security Policy rules should now look like the following:

    ../../_images/l3outbound-policy-3.png
  4. Click on the Save & Next button to continue.


3.3.7. Create Interception Rule

The Interception Rule determines which traffic to process. For an L3 Outbound topology, you will accept traffic for all destinations and ports.

  1. Leave the default Destination Address/mask value as 0.0.0.0%0/0.

  2. Leave the default Port as 0.

  3. In the Ingress Network section, select the client-vlan VLAN.

    ../../_images/l3outbound-int-1.png
  4. Leave the default values for the remaining sections:

    • Protocol Settings

    • Security Policy Settings

    • Authentication

    • L7 Interception Rules


    ../../_images/l3outbound-int-2.png
  5. Click on the Save & Next button to continue.


3.3.8. Create Egress Settings

You will SNAT all egress traffic and use the default route as the gateway.

  1. In the Manage SNAT Settings drop-down list, select Auto Map.

  2. Leave the default Gateways setting.

    ../../_images/l3outbound-egress.png
  3. Click on the Save & Next button to continue.


3.3.9. Create Log Settings

  1. Leave the default log settings.

    ../../_images/l3outbound-log.png
  2. Click on the Save & Next button to continue.


3.3.10. Deploy Topology

  1. Click on the Deploy button to create the new topology configuration.

    ../../_images/l3outbound-deploy-1.png
  2. When the deployment has completed, click on the OK button to close the dialog box and return to the Topologies list.

    ../../_images/l3outbound-deploy-2.png
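Once the topology is deployed, a quick way to confirm from the Ubuntu-Client that outbound HTTPS really is being intercepted is to look at who issued the certificate the client receives: an intercepted connection presents a certificate forged by the subordinate CA selected above (subrsa.f5labs.com), while a connection that bypassed SSL Orchestrator presents the origin's public CA chain. The script below is an added example, not part of the F5 lab guide; the `probe()` function assumes the client can reach the site through client-vlan and that the lab root CA is either in the system trust store or passed via `cafile`, and the two sample certificate dicts are constructed for offline use.

```python
"""Check whether outbound HTTPS is being intercepted by the SSLO forward proxy.

Added example (not from the lab guide). Assumes the forging CA's subject CN is
'subrsa.f5labs.com', as selected in the CA Certificate Key Chain step.
"""
import socket
import ssl

FORGING_CA_CN = "subrsa.f5labs.com"  # CA chosen in the CA Certificate Key Chain step


def _name_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples name form returned by getpeercert() into a dict."""
    return {attr: value for rdn in rdn_seq for (attr, value) in rdn}


def classify_cert(cert):
    """Return 'intercepted', 'direct' or 'unknown' for a getpeercert() dict."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    subject = _name_to_dict(cert.get("subject", ()))
    if issuer.get("commonName") == FORGING_CA_CN:
        return "intercepted"          # forged by the SSLO subordinate CA
    if issuer and issuer != subject:  # a normal, non-self-signed origin chain
        return "direct"
    return "unknown"


def probe(host, port=443, cafile=None):
    """Open a verified TLS session to host and report what the client sees."""
    ctx = ssl.create_default_context(cafile=cafile)  # lab root CA if not system-wide
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted: either the lab CAs are missing from the trust store
        # or something other than the expected sub CA signed the certificate.
        return "untrusted", str(exc)
    return classify_cert(cert), _name_to_dict(cert["issuer"]).get("commonName")


# Constructed samples shaped like ssl.SSLSocket.getpeercert() output (offline use).
SAMPLE_FORGED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "subrsa.f5labs.com"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA 1"),)),
}

if __name__ == "__main__":
    print(probe("www.example.com"))
```

A result of `('direct', ...)` after deployment means the client's traffic is not reaching the l3_outbound topology (check the client-vlan Ingress Network and the client's default route), while `('untrusted', ...)` usually points at the subordinate or root CA not being in the trust store the script uses.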