SSLO 203: F5 BIG-IP SSL Orchestrator: Plug, play, automate (AppWorld 2026 | 2 hours)

Note

This lab relies on UDF Blueprint: AppWorld 2026 - SSL Orchestrator 201

Developed and tested with BIG-IP 21.0.0 / SSL Orchestrator 13.0.5.

SSL Orchestrator was built to protect your organization from encrypted inbound and outbound threats. Now, let's dive into some additional customizations to bolster your security posture for outbound traffic.

In this lab, you will learn how to:

• Deploy an L3 outbound (transparent forward proxy) Topology as a base to build upon.

• Implement user coaching for AI Chatbot sites (ChatGPT, Gemini, etc.)

• Implement a Service to inspect, protect, and block DNS-over-HTTPS requests

• Deploy additional SSL Orchestrator Services using the Ansible Automation tool.

Expected time to complete: 90 minutes (excluding lab instructor presentations)

Pre-requisite: Basic familiarity with SSL Orchestrator is recommended, but not required.

There are additional optional labs if you want to explore other Service Extensions if you have time after completing the other modules in this class. They build upon the any existing L3 Outbound Topology built in Lab #1 or Lab #3.

• Optional Lab Exercise #1: SaaS Tenant Isolation

CONTENTS

• 1. Lab Environment
  • 1.1. Accessing the Virtual Lab
  • 1.2. Lab Environment Details
• 2. Lab 1: Outbound Transparent Forward Proxy with User Coaching
  • 2.1. User Coaching Scenario
  • 2.2. Deploy User Coaching Objects
  • 2.3. Deploy a Basic L3 Outbound Proxy Topology
  • 2.4. Verify Outbound Topology Functionality
  • 2.5. Implement User Coaching with Default Cookie Persistence Method
  • 2.6. Implement User Coaching with JA4 Persistence Method
  • 2.7. Enable User Justification
  • 2.8. Module Completion
• 3. Lab 2: DNS-over-HTTPS (DoH) Guardian
  • 3.1. Using SSL Orchestrator with DNS-over-HTTPS Guardian
  • 3.2. Deploy DoH Guardian Configuration Objects
  • 3.3. Implement DoH Guardian
  • 3.4. Implement Sinkhole mode for DoH Guardian
  • 3.5. Test the DoH Guardian Sinkhole Functionality
  • 3.6. Module Completion
• 4. Lab 3: SSL Orchestrator Automation with Ansible
  • 4.1. What is Ansible?
  • 4.2. Ansible Modules for F5 BIG-IP SSL Orchestrator
  • 4.3. Ansible Playbooks we can use in this lab
  • 4.4. Ansible Environment Setup and Reset of Existing SSL Orchestrator Configuration
  • 4.5. Automating a new L3 Outbound Deployment with TAP Service
  • 4.6. Automating a new SWGaaS Deployment
  • 4.7. Conclusion
• 5. Optional Lab Exercise #1: SaaS Tenant Isolation
  • 5.1. SaaS Tenant Isolation Scenario
  • 5.2. Deploy SaaS Tenant Isolation Objects
  • 5.3. Implement SaaS Tenant Isolation
  • 5.4. Module Completion
• 6. Conclusion
• 7. Links to the github repositories used in the lab
• 8. Explore More SSL Orchestrator Labs
• 9. Contributors
• 10. Revision History
• 11. Lab Guide Repository (GitHub)
• 12. Appendices
  • 12.1. Presentation Slides