3.5. Implement User Coaching

You will now enable and test the user coaching functionality. This will produce a prompt in the web browser when a user attempts to connect to a risky web site.

3.5.1. Modify Interception Rule

  1. In the SSL Orchestrator UI, click on the Interception Rules tab.

    ../../_images/user-coaching-1.png
  2. Click on the sslo_l3_outbound-in-t-4 Interception Rule to view the Summary page.

    ../../_images/user-coaching-2.png
  3. Click on the Edit (pencil) icon to view the settings.

  4. Scroll down to the Resources > iRules section and double-click on the /Common/user-coaching-ja4t-rule iRule to add it to the Selected panel.

    ../../_images/user-coaching-3.png
  5. Click on the Save & Next button to return to the Summary page.

    ../../_images/user-coaching-4.png
  6. Click on the Deploy button.

  7. When the deployment has completed, click on the OK button to close the dialog box and return to the Topologies list.


3.5.2. Add User Coaching Inspection Service to a Service Chain

Create a new service chain that contains the user coaching service.

  1. Click on the Service Chains tab.

    ../../_images/user-coaching-5.png
  2. From the Service Chain List, click on the Add button.

  3. Enter user_coaching in the Name field.

  4. Double-click on the ssloS_F5_UC and ssloS_F5_FEYE Inspection Services to add them to the Service Chain. The ssloS_F5_AWAF service will not be used for outbound inspection.

    ../../_images/user-coaching-6.png
  5. Click on the Deploy button.

  6. When the deployment has completed, click on the OK button to close the dialog box and return to the Topologies list.

  7. Click on the Service Chains tab to confirm that the new Service Chain was created.

    ../../_images/user-coaching-7.png

3.5.3. Update the Security Policy

The final step is to update the Security Policy to use the new Service Chain.

  1. Click on the Security Policies tab to view the list of policies.

  2. Click on the ssloP_l3_outbound policy to edit it.

    ../../_images/user-coaching-8.png
  3. Click on the Edit (pencil) icon for the All Traffic rule.

    ../../_images/user-coaching-9.png
  4. Set SSL Proxy Action to Intercept.

  5. Set Service Chain to ssloSC_user_coaching.

    ../../_images/user-coaching-10.png
  6. Click on the OK button to exit edit mode.


    Your Security Policy should now look like the following:

    ../../_images/user-coaching-11.png
  7. Click on the Deploy button and then click on Deploy again to accept the warning.

    ../../_images/user-coaching-12.png
  8. When the deployment has completed, click on the OK button to close the dialog box and return to the Topologies list.


3.5.4. Trigger Conditions for User Coaching

The presentation of the user coaching prompt is determined by a URL category match. The category list is defined in the user-coaching-rule iRule.

  1. Navigate to Local Traffic > iRules and verify that the following iRules are present.

  2. Click on the user-coaching-rule iRule to view it.

  3. Notice that the COACHING_CATEGORIES variable defines an array of URL categories.

    ../../_images/user-coaching-trigger.png

    Note

    Per the iRule comments, you can query the URL Category Database to determine the category names to use here. Do not change anything at this time.


3.5.5. Test User Coaching

  1. Return to the Ubuntu-Client WEBRDP session.

  2. Close the Firefox browser window and restart the application.

  3. Navigate to https://copilot.microsoft.com/. You should receive the SSL Orchestrator user coaching prompt as follows:

    ../../_images/user-coaching-13.png
  4. Click on the Agree button to acknowledge the warning and terms of use policy. You will then be presented with the Microsoft Copilot site.

    ../../_images/user-coaching-14.png
  5. Restart Firefox and browse to Copilot again. You should not see the prompt reappear because the original user coaching acknowledgement has not expired yet.

    Note

    The default user coaching session timeout setting is 3600 seconds. This value is configurable in the user-coaching-rule iRule.
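
The trigger and expiry behaviour from sections 3.5.4 and 3.5.5, as an added Python model; it is not the code of the user-coaching-rule iRule or of F5. It predicts which requests in a test plan should show the prompt, including the timeout boundary. Assumptions: the category names, host map and client addresses are constructed, acknowledgements are tracked per client address, and an acknowledgement stops being valid at exactly the timeout.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the iRule's COACHING_CATEGORIES and the URL database.
COACHING_CATEGORIES = {"Generative AI"}
URL_CATEGORIES = {
    "copilot.microsoft.com": "Generative AI",
    "www.example.com": "Information Technology",
}
COACHING_TIMEOUT = 3600  # seconds, the default stated in the lab note

@dataclass
class CoachingModel:
    timeout: int = COACHING_TIMEOUT
    acks: dict = field(default_factory=dict)  # assumption: keyed by client IP

    def needs_prompt(self, client, host, now):
        """True when a request should be answered with the coaching page."""
        if URL_CATEGORIES.get(host) not in COACHING_CATEGORIES:
            return False  # no category match, so no coaching
        acked_at = self.acks.get(client)
        # Assumption: an acknowledgement is no longer valid at exactly `timeout`.
        if acked_at is not None and now - acked_at < self.timeout:
            return False
        return True

    def agree(self, client, now):
        self.acks[client] = now  # the user clicked Agree

def replay(events, model=None):
    """Replay (time, client, action, host) tuples; return one result per 'get'."""
    model = model or CoachingModel()
    results = []
    for now, client, action, host in events:
        if action == "agree":
            model.agree(client, now)
        else:
            results.append("prompt" if model.needs_prompt(client, host, now) else "pass")
    return results

# Constructed test plan mirroring section 3.5.5, plus the expiry edge.
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "get", "copilot.microsoft.com"),     # first visit
    (5, "192.0.2.10", "agree", "copilot.microsoft.com"),
    (60, "192.0.2.10", "get", "copilot.microsoft.com"),    # after browser restart
    (90, "192.0.2.11", "get", "copilot.microsoft.com"),    # different client
    (120, "192.0.2.10", "get", "www.example.com"),         # uncoached category
    (3604, "192.0.2.10", "get", "copilot.microsoft.com"),  # 1 s before expiry
    (3605, "192.0.2.10", "get", "copilot.microsoft.com"),  # at expiry
]
```

Calling replay(SAMPLE_EVENTS) gives the expected outcome for each request, which can be compared against what the browser actually shows during the lab.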