Lab 2.1: Inbound Interception Rules

Task 1 - Create a new Interception Rule

  1. Navigate to SSL Orchestrator ‣ Deployment ‣ Interception Rules

  2. In the top right-hand corner, click Create Inbound Rule…

Task 2 - Create Wildcard Listener

In this step, we will create a listener to intercept all inbound HTTPS traffic. Once the configuration steps are complete, it will be saved as a wildcard virtual server listening on port 443.

  1. Under the General Properties section, configure the following values:

    Property                  Value
    Name                      ssl_inbound_listener
    Destination Address/Mask  0.0.0.0/0
    Service Port              443

  2. Under the Security Policy section, select Create New.

    The configuration GUI will redirect to the SSL settings configuration page.

  3. In the General Settings section of the Security Policy, set the name to ssloT_inbound_ssl.

    Note

    For Inbound configurations, the Forward Proxy option should be disabled.

  4. Under the Client-side SSL section, choose wildcard.f5demolabs.com.crt and wildcard.f5demolabs.com.key from the respective drop-down menus and click Add.

  5. Under the section Server-side SSL, configure the following values:

    Property                                Value
    Expire Certificate Response Control     ignore
    Untrusted Certificate Response Control  ignore

  6. Review the settings and click Finished. This will redirect back to the original Inbound Listener configuration screen.

Task 3 - Configure VLAN Settings

In this step, we will define the VLAN interface on which our listener will accept connections.

Note

Since we are configuring only for inbound traffic, it is important that the wildcard listener accept connections only on the incoming interface. In this case, that is the VLAN labeled outbound.

  1. In the VLANs section, choose the /Common/outbound VLAN from the Available List and click the left arrow to move it into Selected.

  2. Under the Security Policy section, configure these values:

    Property            Value
    L7 Profile Type     HTTP
    L7 Profile          /Common/http
    Access Profile      /Common/ssloP_outbound_ssl.app/ssloP_outbound_ssl_accessProfile
    Per Request Policy  Create New

  3. Once redirected to the New Inbound Rule configuration:

    1. Create a name for the rule
    2. Add ICAP, TAP, and L2 services to the Intercept Chain section
    3. Repeat step 2 for the Non Intercept Chain
    4. Click Finished

  4. Verify the settings under Security Policy.

  5. Click Finish
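
One way to check the outcome of Tasks 2 and 3 offline, as an added example that is not part of the F5 lab: the script below parses a bigip.conf-style excerpt and reports any wildcard listener that is not restricted to a VLAN, plus any server-side SSL profile whose certificate response controls are set to ignore. The sample configuration is constructed, and the object names wide_open_listener and inbound_serverssl are assumptions, not names SSL Orchestrator generates.

```python
import re

# Constructed bigip.conf-style excerpt. Object names are assumptions for
# illustration, not the names SSL Orchestrator generates.
SAMPLE_CONF = """\
ltm virtual /Common/ssl_inbound_listener {
    destination /Common/0.0.0.0:443
    mask any
    vlans {
        /Common/outbound
    }
    vlans-enabled
}
ltm virtual /Common/wide_open_listener {
    destination /Common/0.0.0.0:443
    mask any
}
ltm profile server-ssl /Common/inbound_serverssl {
    expire-cert-response-control ignore
    untrusted-cert-response-control ignore
}
"""

CERT_CONTROLS = ("expire-cert-response-control", "untrusted-cert-response-control")

def stanzas(conf):
    """Yield (kind, name, body) for each top-level 'ltm' stanza."""
    pattern = r"^ltm (.+?) (/\S+) \{\n(.*?)^\}"
    for m in re.finditer(pattern, conf, re.M | re.S):
        yield m.groups()

def audit(conf):
    """Return (object, finding) pairs worth reviewing after the lab steps."""
    findings = []
    for kind, name, body in stanzas(conf):
        if kind == "virtual" and re.search(r"^\s*destination \S*0\.0\.0\.0:", body, re.M):
            # A wildcard listener with no enabled VLAN list accepts on every VLAN.
            vlans = re.search(r"^\s*vlans \{(.*?)\}", body, re.M | re.S)
            enabled = re.search(r"^\s*vlans-enabled\s*$", body, re.M)
            if not (enabled and vlans and vlans.group(1).split()):
                findings.append((name, "wildcard listener accepts on all VLANs"))
        elif kind == "profile server-ssl":
            # 'ignore' means expired/untrusted server certificates are accepted.
            for key in CERT_CONTROLS:
                m = re.search(rf"^\s*{key} (\S+)", body, re.M)
                if m and m.group(1) == "ignore":
                    findings.append((name, f"{key}=ignore"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONF):
        print(f"{obj}: {finding}")
```

The listener configured as in Task 3 produces no finding; the ignore settings from Task 2 step 5 are reported so they can be reviewed before the same policy is reused outside the lab.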