Forum Discussion
How to configure virtual server for FTP/SFTP
Hello guys,
I have been trying to get this working but no success.
I have followed these 2x manuals but no luck:
I can see traffic is actually hitting my server in statistics of Virtual Server but connection can not be established.
What am I missing here?
- Domel_163525
Nimbostratus
I forgot to mention I can log in to my FTP server when using the FileZilla client on both FTP/SFTP when accessing it directly.
- Domel_163525
Nimbostratus
I have only one physical server in my pool and using AutoMap - still no luck.
- StephanManthey
Nacreous
Hi Domel,
There is a difference between SFTP and FTPS.
SFTP is easy to implement. Just use a virtual server on TCP/22 and you are done.
FTPS works like FTP but is using a secure channel for the control connection.
That's why the ftp-profile cannot a) rewrite the PORT command or b) open a listener on the client/server side depending on whether passive or active FTP is used.
I guess your issue is about FTPS and I would recommend starting with a dedicated virtual server for this service.
Actually it should be easy to implement as well, if you try to use passive FTP only.
The FTP server needs to be reconfigured to announce the virtual server's IP address and perhaps you are also able to limit the port range used for the inbound data connection. That's why your virtual server for FTPS can run in PerformanceL4 listening on port 0 (any) with SNAT AutoMap and source address persistence configured.
You can limit incoming traffic to the virtual server via iRule or AFM:
when CLIENT_ACCEPTED {
    # Allow the FTPS control connection (TCP/21) and the passive data
    # port range 50000-50002; reject everything else on this port-0 VS.
    if { not (([TCP::local_port] == 21) or (([TCP::local_port] >= 50000) and ([TCP::local_port] < 50003))) } {
        reject
    }
}
Thanks, Stephan
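A check for the passive-FTP point above, added here as an example; it is not code from the thread or from F5. Before trusting the port-0 virtual server, confirm that the FTP server's PASV replies announce the virtual server's address and a port inside the range the iRule allows. The virtual server address 192.0.2.10 is a placeholder, the port range mirrors the iRule (50000 to 50002), and the replies are constructed samples; EPSV (229) replies are handled as well, which goes beyond what the thread mentions.

```python
"""Validate the address and port an FTP server announces for passive data
connections against the virtual server in front of it.

Added example, not part of the original thread. VIRTUAL_SERVER_IP is a
placeholder; ALLOWED_DATA_PORTS mirrors the iRule's ">= 50000 and < 50003".
"""
import re

VIRTUAL_SERVER_IP = "192.0.2.10"          # placeholder: your VS address
ALLOWED_DATA_PORTS = range(50000, 50003)  # 50000, 50001, 50002

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str):
    """Return (ip, port) announced by a 227 (PASV) or 229 (EPSV) reply.

    EPSV carries only a port (the address is implied by the control
    connection), so ip is None in that case. Raises ValueError for anything
    that is not a well-formed passive reply.
    """
    m = PASV_RE.match(line)
    if m:
        parts = [int(p) for p in m.group(1).split(",")]
        if any(p > 255 for p in parts):
            raise ValueError(f"byte out of range in reply: {line!r}")
        ip = ".".join(str(p) for p in parts[:4])
        port = parts[4] * 256 + parts[5]  # p1*256 + p2 per RFC 959
        return ip, port
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in reply: {line!r}")
        return None, port
    raise ValueError(f"not a PASV/EPSV reply: {line!r}")


def check_passive_reply(line: str, vs_ip: str = VIRTUAL_SERVER_IP,
                        ports: range = ALLOWED_DATA_PORTS) -> list:
    """Return a list of problems; an empty list means the reply is acceptable."""
    try:
        ip, port = parse_passive_reply(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if ip is not None and ip != vs_ip:
        # Server still announces its own (backend) address: clients would try
        # to connect around the virtual server and fail.
        problems.append(f"announced address {ip} is not the virtual server address {vs_ip}")
    if port not in ports:
        # Port outside the range the iRule admits on the port-0 VS: rejected.
        problems.append(f"announced port {port} is outside {ports.start}-{ports.stop - 1}")
    return problems


def audit(replies) -> dict:
    """Map each reply line to its problem list, for a quick pass over a capture."""
    return {line: check_passive_reply(line) for line in replies}


# Constructed sample replies, as a real capture would show them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",    # VS address, port 50000: ok
    "227 Entering Passive Mode (10,10,10,5,195,81)",    # backend address leaked
    "227 Entering Passive Mode (192,0,2,10,196,0)",     # port 50176: outside range
    "229 Entering Extended Passive Mode (|||50002|)",   # EPSV, port 50002: ok
    "500 Syntax error, command unrecognized",           # not a passive reply
]

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_REPLIES).items():
        print(line, "->", "OK" if not problems else "; ".join(problems))
```

Run it against the replies you see in a tcpdump of the control connection (the 227/229 lines are in clear text for plain FTP; for FTPS you read them from the server's own log or a client debug trace instead).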
- Domel_163525
Nimbostratus
Hi Stephan,
I'm actually trying to configure SFTP (not FTPS) on port 22.
This should be fairly simple but for some reason it doesn't work for me.
I have created a node with my physical server, assigned it to my ftp_pool using port 22, used that pool for my virtual server but no luck.
I have tried configuring the virtual server as "Standard" and as "PerformanceLayer4" and still nothing.
Is there anything else I need to do?
- StephanManthey
Nacreous
Hi Domel, a virtual server on TCP/22 with SNAT AutoMap and a single pool member configured to TCP/22 should work fine. Done it three times for different clients in the last couple of months.
You can try to run a tcpdump to track traffic:
tcpdump -nnni 0.0:nnnp -s 0 -c 1000 host
The dump should show all traffic from this client and how it is forwarded to the real server (via the "p" flag in the interface specification; available since TMOS v11.2.1+). There are some extensions (the "n" aka "noise" flags) showing which virtual server is handling the traffic. Maybe this helps to figure out what's going wrong.
Thanks, Stephan
- Domel_163525
Nimbostratus
Hi Stephan,
What am I supposed to select from the drop down menu for SFTP server?
I have configured a new profile called SFTP. Not too sure if correctly, but I was wondering if I can choose FTP for the "Ftp Profile" or whether it won't work?
- StephanManthey
Nacreous
What TMOS version are you on? I never saw this option before ... In my opinion no profile needs to be selected. You should even be able to run the virtual server in PerformanceL4 mode.
- Domel_163525
Nimbostratus
I have tried to telnet directly to my FTP server on port 22 and it is successful (SSH-2.0-WS_FTP-SSH_7.6). When I try to telnet to my virtual server IP address on port 22 it also connects, but there is no message visible apart from a cursor. When the virtual server is disabled I cannot telnet to it, so it looks like I'm actually getting there. Also the statistics show me that there is some traffic/connections to the server.
- StephanManthey
Nacreous
Just figured out, you named a new ftp-profile as sftp. (Sometimes it takes me a bit longer ..., sorry.) It's very unlikely to get SFTP to work through an ftp-based profile. Please just turn it off and the virtual server should work as expected. Things will become complicated if you try to combine both FTP and SFTP on the same virtual server. That's why I recommended having separate virtual servers.
- Domel_163525
Nimbostratus
BIG-IP 11.4.1 Build 608.0 Final
I have tried PerformanceL4 but no luck either.
sftp option isn't available unless configured.
What is the difference between "Standard" and "PerformanceL4"?
- StephanManthey
Nacreous
Hi Domel, thanks. Good to know. Regarding your question: Standard mode means full proxy to intercept traffic on the transport layer, allowing the use of proxy functions for transport layer security (SSL, TLS, DTLS) and the presentation layer (i.e. http, rtsp, sip, ftp, radius etc.). PerformanceL4 (virtual server type) means pure packet forwarding and no protocol interception. It's just protocol sanitization on the transport layer level and very low latency. Thanks, Stephan
- Domel_163525
Nimbostratus
Hi Stephan,
Thanks a lot for your help.
It looks like PerformanceL4 works this morning - it wasn't working on Friday/Saturday when I tested it (not too sure why). I have also tried to use the "Standard" one but no luck.
- StephanManthey
Nacreous
Hi Domel, thanks for the feedback. Cheers, Stephan
- Domel_163525
Nimbostratus
Hi there,
It looks like the issue was intermittent.
I have been told by F5 support that when "AutoMap" is enabled for the virtual server, "Address Translation" will also need to be enabled while "Port Translation" is disabled.
Also we have configured the "sftp" monitor a little bit differently and it works too:
- Arun_LK_202176
Nimbostratus
Hi Stephan,
I am working on the same issue, active FTP and FTPS (FTP in explicit mode). Could you advise on the way to implement it?