F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

André_Amaro_215's avatar
André_Amaro_215
Icon for Nimbostratus rankNimbostratus
Apr 27, 2017

iRule to restrict SFTP by name

I'm needing a treatment by iRule so I accept SFTP connections just by name.   For example, a request for "sftp.domain.com" should refer to the pool named pool_sftp_port22.   I have seen that mo...
application delivery
iRules
LTM
sftp
The_Bhattman's avatar
The_Bhattman
Icon for Nimbostratus rankNimbostratus
May 03, 2017

Hi André

 

The main problem with this is that SFTP is a subsystem of SSH and the F5 cannot decrypt the SSH traffic in the path of the connection in order to programmatically peel away the domain that is being requested.

 

There is another method which may work - albiet not that elegant. It does require the SFTP client to use the proxy method. Specifically, if you create an F5 HTTP Proxy VIP with the following iRule in this posting https://devcentral.f5.com/codeshare/allow-http-explicit-proxy-to-handle-short-name-resolution.

 

You can extract the domain from the HTTP CONNECT method. From there you can potential send them to a VIP that contains the correct pool you are targeting for that domain. It will require reworking the iRule - but I can see that it's possible.

 

I hope this helps

 

-=Bhattman=-