Forum Discussion

André_Amaro_215
Apr 27, 2017

iRule to restrict SFTP by name

I need an iRule so that I accept SFTP connections only by name.

For example, a request for "sftp.domain.com" should be sent to the pool named pool_sftp_port22.

I have seen that other people with this particular need have not yet found a solution. The version of my BIG-IP LTM is 11.6.0.

 

  • Hi André

    The main problem with this is that SFTP is a subsystem of SSH, and the F5 cannot decrypt the SSH traffic in the path of the connection in order to programmatically peel away the domain that is being requested.

    There is another method which may work, albeit not that elegant. It does require the SFTP client to use the proxy method. Specifically, you create an F5 HTTP Proxy VIP with the iRule in this posting: https://devcentral.f5.com/codeshare/allow-http-explicit-proxy-to-handle-short-name-resolution.

    You can extract the domain from the HTTP CONNECT method. From there you can potentially send them to a VIP that contains the correct pool you are targeting for that domain. It will require reworking the iRule, but I can see that it's possible.

    I hope this helps

    -=Bhattman=-
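The mechanism Bhattman describes, modelled as an added Python example (this is not code from the thread, from the linked codeshare iRule, or from F5; a real deployment would express the same decision in Tcl inside an iRule). The point it makes concrete is why the proxy method works where a plain TCP virtual server cannot: the SSH stream itself is opaque to the F5, but the HTTP CONNECT request that precedes it carries the requested hostname in cleartext, so the proxy can pick a pool before a single SSH byte is forwarded. The host-to-pool table, the hostname sftp.domain.com and the SSH banner are constructed for the example; the proxy and client run over an in-process socketpair so it executes offline.

```python
"""Model of an explicit HTTP proxy that routes SSH/SFTP tunnels by the CONNECT target.

Constructed example: the routing table, hostnames and banner below are made up.
"""
import socket
import threading

# Constructed routing table: hostname requested in CONNECT -> backend pool name
# (mirrors the pool name from the question; a real table would be an LTM data group).
POOL_BY_HOST = {"sftp.domain.com": "pool_sftp_port22"}


def parse_connect(request: bytes):
    """Parse the request line of an HTTP CONNECT and return (host, port).

    Raises ValueError for anything that is not a well-formed CONNECT host:port.
    Only the header block is inspected; whatever follows it is never parsed.
    """
    line = request.split(b"\r\n", 1)[0].decode("ascii", "strict")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    target, version = parts[1], parts[2]
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported HTTP version")
    host, sep, port = target.rpartition(":")   # authority form is host:port
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host.lower().rstrip("."), int(port)


def select_pool(host: str, port: int, table=POOL_BY_HOST):
    """Return the pool for a requested host, or None if it is not an allowed SFTP target."""
    pool = table.get(host)
    if pool is None or port != 22:   # only port 22 is an SFTP tunnel we are willing to open
        return None
    return pool


def proxy_side(conn: socket.socket):
    """Proxy half of the exchange: read CONNECT, choose a pool, then blindly relay."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = conn.recv(4096)
        if not chunk:
            break
        head += chunk
    try:
        pool = select_pool(*parse_connect(head))
    except ValueError:
        pool = None
    if pool is None:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
        conn.close()
        return None, b""
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    # From here on the bytes are SSH; the proxy cannot read them, only forward them
    # to the selected pool. We capture what would be forwarded instead of connecting.
    forwarded = conn.recv(4096)
    conn.close()
    return pool, forwarded


def run_exchange(connect_target: bytes, ssh_banner: bytes = b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Run client and proxy over a socketpair; return (status line, pool, forwarded bytes)."""
    client, server = socket.socketpair()
    result = {}

    def serve():
        result["pool"], result["forwarded"] = proxy_side(server)

    worker = threading.Thread(target=serve)
    worker.start()
    # Client side: an SFTP client configured to use the proxy sends CONNECT first.
    client.sendall(b"CONNECT " + connect_target + b" HTTP/1.1\r\nHost: "
                   + connect_target + b"\r\n\r\n")
    status = b""
    while b"\r\n\r\n" not in status:
        chunk = client.recv(4096)
        if not chunk:
            break
        status += chunk
    if status.startswith(b"HTTP/1.1 200"):
        client.sendall(ssh_banner)   # SSH identification string only after the tunnel is up
    client.close()
    worker.join()
    return status.split(b"\r\n", 1)[0].decode(), result["pool"], result["forwarded"]


if __name__ == "__main__":
    print(run_exchange(b"sftp.domain.com:22"))
    print(run_exchange(b"other.example.net:22"))
```

The caveat the reply hints at is visible in `select_pool`: the hostname is attacker-controlled input, so the proxy must treat it as a lookup key into an allowlist, not as an address to dial, or the explicit proxy becomes an open relay to any host on port 22.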