Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

CraigMo's avatar
CraigMo
Icon for Nimbostratus rankNimbostratus
Aug 12, 2016

forward proxy irule for ssh

I am trying to configured a VS as a forward proxy VS for ssh. The traffic flow is: internal server --> F5 VIP --> Internet server I have tried the below irule but the connectivity just hangs a...
application delivery
big-ip
devops
irules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Aug 13, 2016

Hi Craig,

the used syntax of 

[TCP::collect]
followed by 
[TCP::payload]
and 
[TCP::release]
looks fine for me. The iRule should successfully collect the first TCP packet send by your client, inspect the received payload and then select a 
[pool]
based on the result and then just relase the collected packet and send it to the selected pool.

So far so good, but unfortunately you will not find the FQDN of the accessed erver within the payload. The problem is that SSH does not reveal the used FQDN like the TLS protocol would do using its SNI extension. The only information that is send in the initial TCP packet exchange is the SSH-Agent / Version string of your SSH client and server: 

Client -> Server : SSH-2.0-PuTTY_Release_0.67
Server -> Client : SSH-2.0-OpenSSH_5.3

So in the end your intended iRule logic may work for you, if you're going to use different SSH clients for the individual SSH servers, or if you find a SSH client which would allow to overwrite the initial SSH-Agent / Version strings using additional command line options... 😞

Cheers, Kai