Forum Discussion

Techniplex_9090's avatar
Icon for Nimbostratus rankNimbostratus
Jun 01, 2011

Load Balance SFTP but not SSH

I was wondering if there is a way with the LTM to allow SFTP connections but not allow SSH to the VIP. I am not even sure this is possible or how to even approach the issue. I can not remove SSH from the servers and then I can not gain access to the backend servers. Seems to be a catch 22.



4 Replies

  • Hi Techniplex,


    The main problem with this is that SFTP is subsystem of SSH and the F5 cannot decrypt the SSH traffic in the path of the connection in order to programmatically alter it in the way you are mentioning. Your best bet is to do this a tthe source of the backend server. Here is a link that I found may help



  • I did find that article and did not hold much hope for positive resolution, but I had hoped that maybe something had changed in two years. I guess I should open a feature request for SSH encryption offload? If that was implemented I am guessing that this might be possible then.



    Thanks for the insight.



  • I don't think anything has changed on this recently. I'd open a case with F5 Support if you see value in being able to do SSH encryption on LTM. I'm not sure there is broad appeal for the feature, but it can't hurt to ask.



  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    In theory it should be possible to offload the ssl to the f5 and perform the sftp in an irule...



    I like a good theory... Hmm...