diff --git a/docs/class5/module1/images/introduction-2.png b/docs/class5/module1/images/introduction-2.png index 619bb2f..636a604 100644 Binary files a/docs/class5/module1/images/introduction-2.png and b/docs/class5/module1/images/introduction-2.png differ diff --git a/docs/class5/module2/images/udf-access.png b/docs/class5/module2/images/udf-access.png new file mode 100644 index 0000000..496cc07 Binary files /dev/null and b/docs/class5/module2/images/udf-access.png differ diff --git a/docs/class5/module2/images/udf-deployment.png b/docs/class5/module2/images/udf-deployment.png index 1795f14..9cc06ed 100644 Binary files a/docs/class5/module2/images/udf-deployment.png and b/docs/class5/module2/images/udf-deployment.png differ diff --git a/docs/class5/module2/images/udf-documentation.png b/docs/class5/module2/images/udf-documentation.png index f82f20f..217b690 100644 Binary files a/docs/class5/module2/images/udf-documentation.png and b/docs/class5/module2/images/udf-documentation.png differ diff --git a/docs/class5/module2/images/udf-overview.png b/docs/class5/module2/images/udf-overview.png new file mode 100644 index 0000000..9f3a856 Binary files /dev/null and b/docs/class5/module2/images/udf-overview.png differ diff --git a/docs/class5/module2/images/udf-sslo-tmui.png b/docs/class5/module2/images/udf-sslo-tmui.png deleted file mode 100644 index 5c42892..0000000 Binary files a/docs/class5/module2/images/udf-sslo-tmui.png and /dev/null differ diff --git a/docs/class5/module2/images/udf-ubuntu-client-rdp.png b/docs/class5/module2/images/udf-ubuntu-client-rdp.png deleted file mode 100644 index 7dee35c..0000000 Binary files a/docs/class5/module2/images/udf-ubuntu-client-rdp.png and /dev/null differ diff --git a/docs/class5/module2/images/udf-ubuntu-client-rdp2.png b/docs/class5/module2/images/udf-ubuntu-client-rdp2.png deleted file mode 100644 index 163f9b2..0000000 Binary files a/docs/class5/module2/images/udf-ubuntu-client-rdp2.png and /dev/null differ 
diff --git a/docs/class5/module2/images/udf-ubuntu-services-webshell.png b/docs/class5/module2/images/udf-ubuntu-services-webshell.png deleted file mode 100644 index d7e8557..0000000 Binary files a/docs/class5/module2/images/udf-ubuntu-services-webshell.png and /dev/null differ diff --git a/docs/class5/module2/lab1.rst b/docs/class5/module2/lab1.rst index 8d0a4d8..1d05b25 100644 --- a/docs/class5/module2/lab1.rst +++ b/docs/class5/module2/lab1.rst 
@@ -9,28 +9,56 @@ If you are not familiar with the process for joining a training course, refer to - |join_link| - |interface_link| -You should have received a course registration email that contains the UDF course link. Click on the link and log into the UDF student portal. +#. You should have received a course registration email that contains the **UDF course link**. Click on the link and log into the UDF student portal. -After you **JOIN** the course, you will see the **DOCUMENTATION** tab with some information about the lab resources and a link to the Lab Guide (this document). +.. important:: + If MFA is not configured for your account, you will be asked to set it up before proceeding. -.. image:: ./images/udf-documentation.png - :align: left -.. note:: - You will only need your local web browser to perform the lab exercises. +#. Click on the **JOIN** button to enter the lab session. You will see 3 tabs: **Overview**, **Documentation**, and **Deployment**. The **Overview** tab will be shown. + + .. image:: ./images/udf-overview.png + :align: left -#. Click on the **DEPLOYMENT** tab to see all of your lab resources: +#. Click on the **Documentation** tab to view lab information and a link to the Lab Guide (this document). + + .. image:: ./images/udf-documentation.png + :align: left + + +#. Click on the **DEPLOYMENT** tab to see all of your lab resources. - - **BIG-IP Next Central Manager** - Access via web browser - - **BIG-IP Next instance** - Access via Web Shell - - **Ubuntu-Client** - Access via Web Shell and WebRDP - - **Ubuntu-Server** - Access via Web Shell - .. image:: ./images/udf-deployment.png :align: left + .. 
list-table:: + :header-rows: 1 + :widths: auto + + * - Virtual Machines + - Access Methods Used In this Lab + * - BIG-IP Central Manager + - GUI + * - BIG-IP Next instance + - Web Shell + * - Ubuntu-Client + - Web Shell + * - Ubuntu-Server + - Web Shell, + + WebRDP (to *Ubuntu-Client* desktop) + + To access a lab VM, click on the **ACCESS** link to view the remote access methods. Then, click on the desired option. Here is an example: + + .. image:: ./images/udf-access.png + :align: left + + + .. note:: + You will only need your local web browser access the lab VMs. + .. |join_link| raw:: html diff --git a/docs/class5/module2/lab2.rst b/docs/class5/module2/lab2.rst index dff98e3..be97dbc 100644 --- a/docs/class5/module2/lab2.rst +++ b/docs/class5/module2/lab2.rst @@ -15,7 +15,7 @@ Network Diagram Here is a visual representation of the virtual lab environment. The numbers inside the right edge of the SSL Orchestrator box indicate the port numbers and VLAN tags (if applicable). The colored boxes to the right of the services respresent some product examples for each respective service type. -The first interface is connected to the client-facing VLAN. The second interface is connected to the Internet-facing VLAN. The remaining interfaces are connected to various types of security services: L2, L3, HTTP, ICAP, and passive Tap. The SSL Orchestrator management interface is not shown. +The first interface is connected to the client-facing VLAN. The last interface is connected to the Internet-facing VLAN. One of the tagged interfaces connects to the application server VLAN. The remaining interfaces are connected to various types of security services: L2, L3, HTTP, ICAP, and passive Tap. The SSL Orchestrator management interface is not shown. .. image:: ./images/labinfo-1.png :align: left 
@@ -76,7 +76,7 @@ this lab guide with your own environment, please ensure that you create these ob configuration state. In most cases, objects created in CM (like iRules) are only deployed to a Next instance when they are associated to an application. With respect to SSL Orchestrator, this also applies to service chains and traffic policies. The exemption to this is inspection - services. While inspection services can be saves to CM and deployed later, they are generally + services. While inspection services can be saved to CM and deployed later, they are generally deployed direct to an instance on creation, irrespective of applications, as they have network attributes that are typically specific to a BIG-IP Next instance. This will be made evident in the upcoming labs. @@ -168,14 +168,14 @@ The following tables provide device/service network configuration details. Login * - 1.3 - 10.1.30.7/24 - TAP service - Inbound - * - 1.4 / Future - - TBD (10.1.40.0/24) + * - 1.4 + - Future (10.1.40.0/24) - Inline L2 service - Inbound - * - 1.5 / Future - - TBD (10.1.50.0/24) + * - 1.5 + - Future (10.1.50.0/24) - Inline L2 service - Outbound - * - 1.6 / Future - - TBD (10.1.60.0/24) + * - 1.6 + - Future (10.1.60.0/24) - Internet | @@ -259,11 +259,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens8 and ens9 br0 (bridge) tied to ens8 and ens9 interfaces on host - * - Services + * - **Services** - Suricata | @@ -275,9 +275,9 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu * - Traffic Flow - BIG-IP Interface * - Inbound - - TBD + - Future * - Outbound - - TBD + - Future | 
@@ -287,11 +287,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens6.60 and ens6.70 - * - Services + * - **Services** - Firewall - * - Access + * - **Access** - $ ``docker exec -it layer3 /bin/bash`` | @@ -318,11 +318,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens6.30 and ens6.40 - * - Services + * - **Services** - Squid - Port 3128 - * - Access + * - **Access** - $ ``docker exec -it explicit-proxy /bin/bash`` | @@ -350,11 +350,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens7 ens7 interface tied to tap service on host - * - Services + * - **Services** - Passive TAP | @@ -378,11 +378,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens6.50 - * - Services + * - **Services** - ICAP Clamav - * - Access + * - **Access** - $ ``docker exec -it icap /bin/bash`` | @@ -409,13 +409,13 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens6.80 - * - Services + * - **Services** - Apache web server \*.f5labs.com - * - Access + * - **Access** - $ ``docker exec -it apache /bin/bash`` | @@ -443,11 +443,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu :header-rows: 0 :widths: auto - * - Description + * - **Description** - Ubuntu server host -- ens6.80 - * - Services + * - **Services** - NGINX app - * - Access + * - **Access** - $ ``docker exec -it nginx /bin/sh`` | 
diff --git a/docs/class5/module3/images/udf-access-cm.png b/docs/class5/module3/images/udf-access-cm.png new file mode 100644 index 0000000..496cc07 Binary files /dev/null and b/docs/class5/module3/images/udf-access-cm.png differ diff --git a/docs/class5/module3/lab1.rst b/docs/class5/module3/lab1.rst index 27703b0..6894366 100644 --- a/docs/class5/module3/lab1.rst +++ b/docs/class5/module3/lab1.rst @@ -12,6 +12,11 @@ Instantiating a BIG-IP Next Instance Follow these steps to instantiate and activate a BIG-IP Next instance through the Central Manager. +#. In the UDF **Deployment** tab, access the **BIG-IP Central Manager** VM by clicking on the **ACCESS** link and then selecting **GUI**. A new browser tab will open. + + .. image:: ./images/udf-access-cm.png + + #. Log into Central Manager with username: ``admin`` and password: ``Welcome123!``. .. image:: ./images/cm-login.png diff --git a/docs/class5/module3/lab2.rst b/docs/class5/module3/lab2.rst index c095755..f605648 100644 --- a/docs/class5/module3/lab2.rst +++ b/docs/class5/module3/lab2.rst @@ -7,7 +7,7 @@ TLS Certificates and Keys .. note:: The **wildcard.f5labs.com** certificate and key has been pre-loaded into the BIG-IP CM, so you will not need to import any certificates at this time. -#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon (it looks like a waffle pattern) to show the **Workspace Menu**. +#. In the top left corner of the BIG-IP Central Manager GUI, click on the **Workspace** icon (it looks like a waffle pattern) to show the **Workspace Menu**. .. image:: ./images/workspace-menu-1.png 
@@ -71,7 +71,7 @@ Now, you will create a simple HTTPS application. .. image:: ./images/add-app-4.png -#. Enable the **Enable HTTPS (Client-Side TLS)** option to show additional settings. +#. Enable (toggle on) the **Enable HTTPS (Client-Side TLS)** option to show additional settings. - Click on the **Add** button to open the configuration panel. - In the **Add Client-Side TLS** panel, enter ``wildcard.f5labs.com`` as the name @@ -82,11 +82,11 @@ Now, you will create a simple HTTPS application. #. Scroll down to see the other **Protocol & Profiles** options. -#. Enable the **Enable Server-side TLS** option. +#. Enable (toggle on) the **Enable Server-side TLS** option. #. Ensure that the **Enable SNAT** and **Enable Auto SNAT** options are enabled (default). -#. Disable the **Enable Connection Mirroring** option. +#. Disable (toggle off) the **Enable Connection Mirroring** option. .. image:: ./images/add-app-6.png diff --git a/docs/class5/module3/lab3.rst b/docs/class5/module3/lab3.rst index 25a4c1c..8d9ff8d 100644 --- a/docs/class5/module3/lab3.rst +++ b/docs/class5/module3/lab3.rst @@ -3,7 +3,7 @@ Testing the Application Deployment Congratulations! You have now deployed a simple HTTPS application on BIG-IP Next. The next step is to test your application from a client environment and verify that everything is working properly. -Accesing the Client VM +Accessing the Client VM -------------------------------------------------------------------------------- The UDF lab environment provides an Ubuntu Linux VM instance (**Ubuntu-Client**) with access to an interactive shell for command line testing, as well as a GUI desktop to run web browsers and other tools. diff --git a/docs/class5/module4/images/second-app-0.png b/docs/class5/module4/images/second-app-0.png new file mode 100644 index 0000000..5ba9b49 Binary files /dev/null and b/docs/class5/module4/images/second-app-0.png differ 
diff --git a/docs/class5/module4/lab1.rst b/docs/class5/module4/lab1.rst index 67fd902..8ea811d 100644 --- a/docs/class5/module4/lab1.rst +++ b/docs/class5/module4/lab1.rst @@ -1,7 +1,7 @@ About Inbound Application Mode ============================================================================== -The SSL Orchestrator **inbound application mode** deployment describes a +The SSL Orchestrator **Inbound Application Mode** deployment describes a scenario where the client's destination address terminates on the F5 BIG-IP. Effectively, this is a simple extension of a standard BIG-IP Next application deployment, where SSL Orchestrator policy and @@ -11,5 +11,17 @@ inspection services are applied to an application workflow. | +For more information about the various SSL Orchestrator deployment modes, refer +to the |sslo-dg1|. + +| + .. note:: - The following instructions assume basic connectivity to the lab environment, and administrative access to the lab network and virtual machine configurations. + The following instructions assume basic connectivity to the lab + environment, and administrative access to the lab's network and virtual + machine configurations. + + +.. |sslo-dg1| raw:: html + + SSL Orchestrator Deployment Guide \ No newline at end of file diff --git a/docs/class5/module4/lab2.rst b/docs/class5/module4/lab2.rst index 8744976..b4db1c4 100644 --- a/docs/class5/module4/lab2.rst +++ b/docs/class5/module4/lab2.rst @@ -7,7 +7,7 @@ The first step in this journey is to create the SSL Orchestrator inspection serv Create an Inline L3 Inspection Service -------------------------------------------------------------------------------- -#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon to show the **Workspace Menu**. +#. In the top left corner of the BIG-IP Central Manager GUI, click on the **Workspace** icon to show the **Workspace Menu**. #. Click on **Security** to navigate to the Security workspace. 
@@ -23,17 +23,16 @@ Create an Inline L3 Inspection Service #. In the **Create Inspection Service** panel, select **Generic Inline L3** and then click the **Start Creating** button to open the configuration settings panel. +#. In the **General Properties** section: + - Enter ``my-sslo-ngfw`` in the service name field. - Enter ``next-gen firewall`` in the description field (optional). - .. image:: ./images/service-3.png - + - Click the **Save & Continue** button. -#. Click the **Save & Continue** button. - - .. image:: ./images/service-4.png + .. image:: ./images/service-3.png #. In the **Network** settings: 
@@ -43,31 +42,41 @@ Create an Inline L3 Inspection Service - Enter ``sslo-insp-l3-out`` in the **From: VLAN** Name field. .. note:: - In the future, the VLAN names will be selectable from a list. + VLAN names are 'SSLO-INSP-L3-IN' and 'SSLO-INSP-L3-OUT' (but lowercase). + In the future, the VLAN names will be selectable from a list. - Select **ICMP** for the **Device Monitor**. - - In the **Inspection Service Endpoints** section, click the **Start Adding** button. + .. image:: ./images/service-4.png + + +#. In the **Inspection Service Endpoints** section above, click the **Start Adding** button. - Enter ``198.19.64.30`` in the **Server Address** field. .. image:: ./images/service-5.png + #. Click the **Review & Deploy** button. #. In the **Deploy Inspection Service** panel, add the BIG-IP Next instance. - Click the checkbox to the left of the assigned instance and then click the **Validate** button. + .. image:: ./images/service-6.png + - If Validation is successful, click the **Deploy Changes** button to push this inspection service configuration to the BIG-IP Next instance. - .. image:: ./images/service-6.png + - Click the **Start Adding** button + - Select the instance named **bigip-next.f5labs.com**. + - Click on the **+ Add to List** button. - At the **Deploy Inspection Service?** prompt, click on the **Yes, Deploy** button and wait for the task to complete. + | + After deployment, the new inspection service will appear in the list. .. image:: ./images/service-7.png - diff --git a/docs/class5/module4/lab4.rst b/docs/class5/module4/lab4.rst index cc1b273..30c9f43 100644 --- a/docs/class5/module4/lab4.rst +++ b/docs/class5/module4/lab4.rst 
@@ -29,17 +29,17 @@ You will now create a traffic policy with a TLS decryption bypass rule for a spe #. Click the **Next** button to continue. - .. image:: ./images/policy-2.png - Create a Traffic Condition Rule - TLS Decryption Bypass -------------------------------------------------------------------------------- -A traffic condition is generally made up of three parts, depending on the type of condition - the condition type (ex. IP Protocol), expression (ex. equals), and evaluation (what is being tested). +A traffic condition rule is generally made up of three parts, depending on the type of condition - the condition type (ex. IP Protocol), expression (ex. equals), and evaluation (what is being tested). #. Click the **+ Create** button to create a new traffic condition. -#. Enter ``rule1`` as the name for this condition, and an optional description + .. image:: ./images/policy-2.png + +#. Enter ``rule1`` as the name for this condition, and an optional description. #. Click **Save & Continue**. @@ -65,7 +65,7 @@ A traffic condition is generally made up of three parts, depending on the type o Edit Traffic Condition Rule - All Traffic (Default) -------------------------------------------------------------------------------- -#. Now, you want to ensure that all other traffic flows through a service chain (none selected by default). Click the **All Traffic** condition to modify it. +#. Now, you want to ensure that all other traffic flows through a service chain (none selected by default). Click the **All Traffic** rule to modify it. #. Click on **Conditions and Actions** @@ -93,9 +93,12 @@ Create a Logging Rule - Log all TCP traffic - Expression: **Equals** - Evaluation: **TCP** +#. Click the **Save** button. + .. image:: ./images/policy-5.png -#. Click the **Save** button to close the **Logging Rules** panel. + +#. Click the **Save and Continue** button to close the **Logging Rules** panel. .. image:: ./images/policy-6.png 
diff --git a/docs/class5/module4/lab5.rst b/docs/class5/module4/lab5.rst index b324ce9..4c128e2 100644 --- a/docs/class5/module4/lab5.rst +++ b/docs/class5/module4/lab5.rst 
@@ -39,22 +39,40 @@ SSL Orchestrator inspection services, service chain, and traffic policy creation - In the **Pool** field, select the **my-pool** pool. - Change the **Virtual Port** to ``443`` (default value was **80**) -#. In the **Protocols & Profiles** field, click on the edit icon to open the settings panel. +#. In the **Protocols & Profiles** field, click on the **edit icon** to open the settings panel. -#. Enable the **Enable HTTPS (Client-Side TLS)** option to show additional settings. +#. Enable (toggle on) the **Enable HTTPS (Client-Side TLS)** option to show additional settings. - Click on the **Add** button to open the configuration panel. - In the **Add Client-Side TLS** panel, enter ``wildcard.f5labs.com`` as the name - Select **wildcard.f5labs.com** in the **RSA certificate** dropdown list box. This certificate was pre-installed in your lab environment. - Click on the **Save** button to close the panel. -#. In the **Security Policies** column, click the edit icon to open the **Security Profiles** panel. +#. Scroll down to see the other **Protocol & Profiles** options. -#. Enable the **Use an SSL Orchestrator Policy** option and then select your SSL Orchestrator traffic policy. +#. Enable (toggle on) the **Enable Server-side TLS** option. + +#. Ensure that the **Enable SNAT** and **Enable Auto SNAT** options are enabled (default). + +#. Disable (toggle off) the **Enable Connection Mirroring** option. + +#. Click on the **Save** button to the close the **Protocols & Profiles** panel. + + Notice that the **TLS** and **HTTPS** badges were added, and **MIRRORING** was removed. + + +#. In the **Security Policies** column, click the **edit icon** to open the **Security Profiles** panel. + + .. image:: ./images/second-app-0.png + + +#. Enable (toggle on) the **Use an SSL Orchestrator Policy** option and then select your SSL Orchestrator traffic policy. .. image:: ./images/second-app-1.png -#. Click **Save**. +#. Click **Save** to close the panel. 
+ + Notice that the **SSLO** label now shows in the **Security Policies** column. .. image:: ./images/second-app-2.png @@ -79,9 +97,9 @@ SSL Orchestrator inspection services, service chain, and traffic policy creation - Click on the **Save** button to close the Pool settings panel. -#. In the **Configure** column, click the edit icon. +#. In the **Configure** column, click the **edit icon**. -#. Enable the **Enable VLANs to listen on** option and select **clientside**. +#. Enable (toggle on) the **Enable VLANs to listen on** option and select **clientside**. #. Click **Save**. diff --git a/docs/class5/module4/lab6.rst b/docs/class5/module4/lab6.rst index ed2f616..576212a 100644 --- a/docs/class5/module4/lab6.rst +++ b/docs/class5/module4/lab6.rst @@ -33,22 +33,20 @@ You will now test the HTTPS application by sending a command line **cURL** reque #. From inside the layer3 service, initiate a tcpdump packet capture on the service's **inbound** interface (eth1): - .. code-block:: text - - tcpdump -lnni eth1 - - -#. Optionally add the ``-Xs0`` flag to the capture command to view the unencrypted payload. - .. code-block:: text tcpdump -lnni eth1 -Xs0 + + The ``-Xs0`` (capital 'x', lowercase 's', zero) flag allows you to view the unencrypted payload. + + | .. note:: The Client VM has been configured to resolve hostnames **www.f5labs.com** and **test.f5labs.com** to the BIG-IP's VIP address. + | #. From the **Client VM Web Shell**, test the BIG-IP application using the hostname **www.f5labs.com**. Enter: diff --git a/docs/class5/module5/lab1.rst b/docs/class5/module5/lab1.rst index 0c3efba..5cd9bce 100644 --- a/docs/class5/module5/lab1.rst +++ b/docs/class5/module5/lab1.rst 
@@ -1,7 +1,7 @@ About Inbound Gateway Mode ============================================================================== -The SSL Orchestrator **inbound gateway mode** deployment describes a +The SSL Orchestrator **Inbound Gateway Mode** deployment describes a scenario where the F5 BIG-IP functions in routing mode. The destination addresses are behind the BIG-IP and traffic is forwarded through as a routed next hop. This is different from the standard @@ -20,9 +20,19 @@ attached in exactly the same way as other inbound application workflows. .. image:: ./images/inbound-gw-mode.png +| + +For more information about the various SSL Orchestrator deployment modes, refer +to the |sslo-dg2|. + +| .. note:: The following instructions assume basic connectivity to the lab environment, and administrative access to the lab's network and virtual machine configurations. + +.. |sslo-dg2| raw:: html + + SSL Orchestrator Deployment Guide \ No newline at end of file diff --git a/docs/class5/module5/lab2.rst b/docs/class5/module5/lab2.rst index 217a7ff..29ade2b 100644 --- a/docs/class5/module5/lab2.rst +++ b/docs/class5/module5/lab2.rst @@ -7,6 +7,12 @@ Create an ICAP Inspection Service Now, you will create an ICAP inspection service. +#. In the top left corner of the BIG-IP Central Manager GUI, click on the **Workspace** icon to show the **Workspace Menu**. + +#. Click on **Security** to navigate to the Security workspace. + +#. In the **SSL Orchestrator** menu, click on **Inspection Services**. + #. In the **Inspection Services** window, click the **+ Create** button. #. In the **Create Inspection Service** drawer, select **Generic ICAP** and click the **Start Creating** button. 
@@ -24,12 +30,12 @@ Now, you will create an ICAP inspection service. - VLAN Name: ``sslo-insp-icap`` - Device Monitor: Select **TCP** - - Click the **Start Adding** button in the **Endpoints** section + - Click the **Start Adding** button in the **Inspection Service Endpoints** section - Add: ``198.19.97.50``, port ``1344`` #. Click the **Review & Deploy** button. -#. In the **Deploy Inspection Service** drawer, add the BIG-IP Next instance. +#. In the **Deploy Inspection Service** drawer, click **Start Adding** to add the BIG-IP Next instance. #. Click the checkbox to the left of the assigned instance, then click the **Validate** button. diff --git a/docs/class5/module5/lab3.rst b/docs/class5/module5/lab3.rst index c7f99e6..5309a06 100644 --- a/docs/class5/module5/lab3.rst +++ b/docs/class5/module5/lab3.rst @@ -13,7 +13,7 @@ With the ICAP inspection service created, you will create a new service chain th #. In the **SSL Orchestrator** menu, click on **Service Chains**. -#. Click the **Start Creating** button to open the **Create Service Chain** panel. +#. Click the **+ Create** in the top right to open the **Create Service Chain** panel. - Enter ``my-service-chain-lab3`` in the **Name** field. @@ -22,6 +22,7 @@ With the ICAP inspection service created, you will create a new service chain th .. image:: ./images/service-chain-1.png + #. In the **Inspection Services** section, click the **Start Adding** button. #. Select the both of the previously created inspection services and then click **Add to List**. Once applied, they can be re-ordered as needed. diff --git a/docs/class5/module5/lab4.rst b/docs/class5/module5/lab4.rst index 729cd56..4dcc3f0 100644 --- a/docs/class5/module5/lab4.rst +++ b/docs/class5/module5/lab4.rst 
@@ -17,9 +17,7 @@ You will now create a traffic policy with a TLS decryption bypass rule for a spe #. In the **SSL Orchestrator** menu, click on **Policies**. -#. Click the **Start Creating** button. - -#. Click the **Start Creating** button. +#. Click the **+ Create** button in the top right to open the **Create Policy** pane. - Enter ``my-sslo-policy-lab3`` in the **Name** field and an optional description - Enter ``Traffic policy for lab 3`` in the **Description** field (optional). diff --git a/docs/class5/module5/lab5.rst b/docs/class5/module5/lab5.rst index 91b65bf..69738d4 100644 --- a/docs/class5/module5/lab5.rst +++ b/docs/class5/module5/lab5.rst @@ -15,12 +15,15 @@ SSL Orchestrator inspection services, service chain, and traffic policy creation #. Enter ``my-sslo-lab3-app`` in the **Application Service Name** field. -#. Click the **Select Template** button and then select the **sslo-inbound-gateway-topology**. +#. Click the **From Template** button. +#. Click on **Select Template** and then select **sslo-inbound-gateway-topology**. #. Click on the **Start Creating** button to open the **Application Service Properties** panel. +#. Click **Start Creating** to open the **Virtual Servers** panel. + #. In the **Virtual Servers** box, enter ``my-service`` for the name of your new application and set the **Virtual Port** to ``443``. 
@@ -31,18 +34,33 @@ SSL Orchestrator inspection services, service chain, and traffic policy creation - Click on the **Add** button to open the configuration panel. - In the **Add Client-Side TLS** panel, enter ``wildcard.f5labs.com`` as the name - Select **wildcard.f5labs.com** in the **RSA certificate** dropdown list box. This certificate was pre-installed in your lab environment. + - Click on the **Save** button. - Click on the **Save** button to close the panel. +#. Scroll down to see the other **Protocol & Profiles** options. + +#. Enable the **Enable Server-side TLS** option. + +#. Ensure that the **Enable SNAT** and **Enable Auto SNAT** options are enabled (default). + +#. Disable the **Enable Connection Mirroring** option. + +#. Click on the **Save** button to the close the **Protocols & Profiles** panel. + + Notice that the **TLS** and **HTTPS** badges were added, and **MIRRORING** was removed. + #. In the **Security Policies** column, click the edit icon to open the **Security Profiles** panel. #. Enable the **Use an SSL Orchestrator Policy** option and then select your SSL Orchestrator traffic policy. - .. image:: ./images/second-app-1.png + .. image:: ./images/third-app-1.png -#. Click **Save**. +#. Click **Save** to close the panel. + + Notice that the **SSLO** label now shows in the **Security Policies** column. - .. image:: ./images/second-app-2.png + .. image:: ./images/third-app-2.png #. At the bottom right corner, click on the **Review & Deploy** button to open the **Deploy** panel. 
@@ -65,12 +83,12 @@ SSL Orchestrator inspection services, service chain, and traffic policy creation #. Click on the **Validate All** button to validate the pending configuration changes. - .. image:: ./images/second-app-3.png + .. image:: ./images/third-app-3.png #. If Validation is successful, click on the **Deploy Changes** button. Then, click on the **Yes, Deploy** button to send the application definition to the BIG-IP Next instance. After deployment, the **Application Services** dashboard will show the status of your application. - .. image:: ./images/second-app-4.png + .. image:: ./images/third-app-4.png
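
Review bot: In docs/class5/module2/lab1.rst (@@ -9,28 +9,56 @@), the added ``.. important::`` directive starts at column 0 between the first and second ``#.`` items, which ends the enumerated list there, so the **JOIN** step opens a new list and the step numbering restarts. Indent the directive under the first item, the way the ``.. image::`` blocks are indented under the later steps. In the same hunk, the closing note "You will only need your local web browser access the lab VMs." is missing "to" before "access", and consecutive steps name the tabs as **Documentation** and **DEPLOYMENT**; pick one capitalisation.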
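
Review bot: In docs/class5/module2/lab2.rst (@@ -15,7 +15,7 @@), the new sentence "One of the tagged interfaces connects to the application server VLAN" does not say which interface or VLAN tag, so the reader cannot match it to the port numbers and tags the preceding paragraph says are shown in the diagram; name it. The unchanged line just above still has "respresent", which could be corrected in the same change.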
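
Review bot: In docs/class5/module2/lab2.rst (@@ -76,7 +76,7 @@), the "saves" to "saved" fix leaves two wording problems in the same sentence pair: "The exemption to this is inspection services" should read "exception", and "deployed direct to an instance" should read "directly". Both are worth fixing while this paragraph is being touched.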
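
Review bot: In docs/class5/module2/lab2.rst (@@ -259,11 +259,11 @@ and the matching table hunks after it), the row labels are bolded by hand (``**Description**``, ``**Services**``, ``**Access**``) in tables that keep ``:header-rows: 0``. Adding ``:stub-columns: 1`` to each ``list-table`` would mark the first column as a header column without per-cell markup and keep the tables consistent if rows are added later.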
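
Review bot: In docs/class5/module3/lab1.rst (@@ -12,6 +12,11 @@), the new step references ``./images/udf-access-cm.png``, which this diff adds with the same blob id (496cc07) as docs/class5/module2/images/udf-access.png, so the same screenshot is committed twice. Consider referencing the module2 copy by relative path, or say in the commit message why a per-module copy is wanted.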
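
Review bot: In docs/class5/module4/lab1.rst (@@ -11,5 +11,17 @@), the file now ends without a trailing newline (the "\ No newline at end of file" marker follows the ``|sslo-dg1|`` definition); add one. docs/class5/module5/lab1.rst (@@ -20,9 +20,19 @@) carries the same marker after ``|sslo-dg2|``.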
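
Review bot: In docs/class5/module4/lab2.rst (@@ -43,31 +42,41 @@), the three bullets added to the **Deploy Inspection Service** step (**Start Adding**, select **bigip-next.f5labs.com**, **+ Add to List**) sit after the bullets that tick the instance's checkbox, click **Validate** and click **Deploy Changes**, so the procedure adds the instance after it has already been validated and deployed. Move the three new bullets to the top of that step. In the same hunk, the promoted step says "In the **Inspection Service Endpoints** section above" although that section is only introduced by this step, and the new note gives the VLAN names in upper case "(but lowercase)" where quoting the literals ``sslo-insp-l3-in`` and ``sslo-insp-l3-out`` would be clearer.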
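
Review bot: In docs/class5/module4/lab4.rst (@@ -93,9 +93,12 @@), the changed step names the button **Save and Continue**, while the step in the @@ -29,17 +29,17 @@ hunk of the same file uses **Save & Continue**; use the label exactly as the GUI shows it in both places. The earlier hunk also renames the concept to "traffic condition rule" in the intro sentence while the steps under it still say "a new traffic condition" and "this condition".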
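
Review bot: In docs/class5/module4/lab5.rst (@@ -39,22 +39,40 @@), the added step "Click on the **Save** button to the close the **Protocols & Profiles** panel." has a stray "the" before "close", and the added "Scroll down" step calls the same panel **Protocol & Profiles** without the "s". Both lines are copied unchanged into docs/class5/module5/lab5.rst (@@ -31,18 +34,33 @@), so fix them in both files.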
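
Review bot: In docs/class5/module4/lab6.rst (@@ -33,22 +33,20 @@), the added sentence describes ``-Xs0`` as a single flag; it is two tcpdump options written together, ``-X`` (print packet data in hex and ASCII) and ``-s0`` (full-packet snapshot length), and saying so tells the reader why the payload becomes visible. Because the plain ``tcpdump -lnni eth1`` step is removed and the payload dump is now the only command, it would also help to state that the payload is readable here because the capture runs inside the layer3 inspection service.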
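
Review bot: In docs/class5/module5/lab3.rst (@@ -13,7 +13,7 @@), the changed step "Click the **+ Create** in the top right to open the **Create Service Chain** panel." is missing the word "button" after **+ Create**; the equivalent step in module5/lab4.rst has it. The unchanged line at the end of the following hunk, "Select the both of the previously created inspection services", also has a stray "the".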
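
Review bot: In docs/class5/module5/lab4.rst (@@ -17,9 +17,7 @@), the merged step opens the **Create Policy** "pane", while every other step in this change set says "panel" (or "drawer" in module5/lab2.rst); use one term. The first bullet under it still ends with "and an optional description" although the next bullet is the description field, so one of the two mentions can go.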
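
Review bot: In docs/class5/module5/lab5.rst (@@ -31,18 +34,33 @@), the added bullet "Click on the **Save** button." is immediately followed by the existing "Click on the **Save** button to close the panel.", and the module4/lab5.rst version of this step has only one Save; either drop the new bullet or say which panel each Save closes. The steps added below it use "Enable the ..." and "Disable the ..." where the same steps in module3/lab2.rst and module4/lab5.rst were changed to "Enable (toggle on)" and "Disable (toggle off)".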
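
Review bot: In docs/class5/module5/lab5.rst (@@ -65,12 +83,12 @@, and the two renames in the hunk before it), the image references change from ``second-app-*.png`` to ``third-app-1.png`` through ``third-app-4.png``, but this diff adds no such files under docs/class5/module5/images/; the only new app screenshot in the diff is docs/class5/module4/images/second-app-0.png. Confirm the four files already exist in the tree, otherwise the build will report missing images.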