Lab 2.1: Inbound Interception Rules¶

Task 1 - Create a new Interception Rule¶

Navigate to SSL Orchestrator ‣ Deployment ‣ Interception Rules
In the top, right hand corner, click Create Inbound Rule…

Task 2 - Create Wildcard Listener¶

In this step we will create a listener to intercept all inbound HTTPS traffic. After the configuration steps, this will be saved as a wildcard virtual server listening on port 443.

Under the General Properties section, configure the following values:

Property

Value

Name

ssl_inbound_listener

Destination Address/Mask

0.0.0.0/0

Service Port

443
Under the Security Policy section, select Create New.

The configuration GUI will redirect to the SSL settings configuration page.
In the General Settings section of the Security Policy, set the name to ssloT_inbound_ssl.

Note

For Inbound configurations the Forward Proxy option should be disabled
Under the Client-side SSL section, choose wildcard.f5demolabs.com.crt and wildcard.f5demolabs.com.key from the respective drop-down menus and click Add.
Under the section Server-side SSL, configure the following values:

Property

Value

Expire Certificate Response Control

ignore

Untrusted Certificate Response Control

ignore
Review the settings and click Finished. This will redirect back to the original Inbound Listener configuration screen.

Property	Value
Name	ssl_inbound_listener
Destination Address/Mask	0.0.0.0/0
Service Port	443

Property	Value
Expire Certificate Response Control	ignore
Untrusted Certificate Response Control	ignore

Task 3 - Configure VLAN Settings¶

In this step, we will define which VLAN interface that our listener will accept connections.

Note

Since we are configuring only for inbound traffic, it is important that the wildcard listener only accept connections on the incoming interface. In this case, the VLAN labeled outbound.

In the VLANs section, choose the /Common/outbound VLAN from the Available List and click the left arrow to move it into Selected.
Under the Security Policy section, configure these values:

Property

Value

L7 Profile Type

HTTP

L7 Profile

/Common/http

Access Profile

/Common/ssloP_outbound_ssl.app/ssloP_outbound_ssl_accessProfile

Per Request Policy

Create New
Once redirected to the New Inbound Rule configuration:
1. Create a name for the rule
2. Add ICAP, TAP, and L2 services to the Intercept Chain section
3. Repeat step (ii) for the Non Intercept Chain
4. Click Finished
Verify the settings under Security Policy.
Click Finish

Property	Value
L7 Profile Type	HTTP
L7 Profile	/Common/http
Access Profile	/Common/ssloP_outbound_ssl.app/ssloP_outbound_ssl_accessProfile
Per Request Policy	Create New