Forum Discussion
How to configure virtual server for FTP/SFTP
Hi Domel,
There is a difference between SFTP and FTPS.
SFTP is easy to implement. Just use a virtual server on TCP/22 and you are done.
FTPS works like FTP but uses a secure channel for the control connection.
That's why the ftp-profile cannot a) rewrite the PORT command and b) open a listener on client-/serverside depending on using passive or active FTP.
I guess your issue is about FTPS and I would recommend starting with a dedicated server for this service.
Actually it should be easy to implement as well, if you try to use passive FTP only.
The FTP server needs to be reconfigured to announce the virtual server's IP address and perhaps you are also able to limit the used port range for the inbound data connection. That's why your virtual server for FTPS can run in PerformanceL4 listening on port 0 (any) with SNAT AutoMap and source address persistence configured.
You can limit incoming traffic to the virtual server via iRule or AFM:
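    when CLIENT_ACCEPTED {
        # Allow only the control port (21) and the passive data ports 50000-50002;
        # reject connections to any other destination port.
        if { not (([TCP::local_port] == 21) or (([TCP::local_port] >= 50000) and ([TCP::local_port] < 50003)))} {
            reject
        }
    }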
Thanks, Stephan
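
Added example (not part of Stephan's post): a Python check that a passive-mode reply from the FTPS server announces the virtual server's address and a data port the iRule above lets through. The VIP `192.0.2.10`, the function name and the sample reply lines are constructed assumptions; the reply lines would come from an FTPS client's verbose log, since the control channel is encrypted on the wire.

```python
import ipaddress
import re

# Assumptions (not from the post): VIP is a documentation address standing in
# for the virtual server; DATA_PORTS mirrors the iRule (50000 <= port < 50003).
VIP = ipaddress.ip_address("192.0.2.10")
DATA_PORTS = range(50000, 50003)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def check_passive_reply(line, vip=VIP, ports=DATA_PORTS):
    """Return (ok, reason) for one 227 (PASV) or 229 (EPSV) reply line."""
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return False, "malformed 227 reply: octet out of range"
        addr = ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}")
        port = p1 * 256 + p2
        # The server must announce the virtual server, not its own address.
        if addr != vip:
            return False, f"server announces {addr}, not the virtual server {vip}"
    else:
        m = EPSV_RE.match(line)
        if not m:
            return False, "not a 227/229 passive reply"
        # EPSV carries only a port; the client reuses the control address.
        port = int(m.group(2))
    if port not in ports:
        return False, f"data port {port} is outside {ports.start}-{ports.stop - 1}"
    return True, f"data port {port} is allowed"

# Constructed sample replies, as they might appear in a client's verbose log.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # VIP, port 50000
    "227 Entering Passive Mode (10,1,1,5,195,81)",     # server's own address
    "227 Entering Passive Mode (192,0,2,10,195,83)",   # port 50003, blocked
    "229 Entering Extended Passive Mode (|||50002|)",  # EPSV, port 50002
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", check_passive_reply(reply))
```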