Service extensions are a new programmable capability in the SSL Orchestrator service chain (as of BIG-IP 17.0) that allow customizable behaviors on decrypted HTTP traffic directly from within the service chain. A service extension invokes a new internal service type in SSL Orchestrator that performs its functions directly within an iRule. This iRule can do anything from injecting HTTP headers, to returning a coaching/blocking page, to communicating with external services. Below is a list of the currently defined service extensions.
- Office 365 Tenant Restrictions - Tenant Restrictions implements an HTTP header injection function to enable organizations to control their users’ access to company-only Office 365 resources, while blocking access to personal/non-company Office 365 assets. This feature allows organizations to prevent a significant data exfiltration vector. Tenant Restrictions is implemented in SSL Orchestrator as a service in the service chain. For additional details on this built-in service extension, please see: Implementing Office 365 Tenant Restrictions
- User Coaching - User coaching is an inline function intended to coach users away from (potentially) harmful applications. This SSL Orchestrator service extension is invoked on some event (e.g. a user accessing a Generative AI tool, based on a URL category match) and generates a coaching page that supports simple acknowledgement, justification input, and event logging. The utility also supports a customizable blocking page function.
- DoH Guardian - DNS-over-HTTPS (DoH) is supported by the most popular browsers, and by default they point their queries at Internet-based services like Cloudflare and Google. Where an enterprise once had full visibility of its DNS traffic, DoH now hides DNS queries inside indistinguishable outgoing HTTPS for the sake of enhanced privacy. And while this privacy is undeniably a good thing, it also introduces some interesting challenges. As noted, DoH is encrypted and typically points to external services like Cloudflare. So, if an organization previously logged and/or applied any security controls to DNS traffic, DoH removes that visibility. But also, DNS as a protocol is extremely flexible, making it very good at things like data exfiltration. DoH now makes the detection of, and protection against, data leakage more difficult. DoH Guardian is an F5 SSL Orchestrator service extension function for monitoring and management of outgoing DNS-over-HTTPS traffic flows, and it can detect potentially malicious DoH exfiltration.