For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hans_Schneider2's avatar
Hans_Schneider2
Icon for Nimbostratus rankNimbostratus
Nov 10, 2014
Solved

Manage SFTP with iRule

Hi all, I have a Virtual Server that listens on every port (0) which it has to do. I want to point my SFTP traffic to different servers based on which customer it is. For HTTP traffic I am looking ...
application delivery
devops
iRules
  • mimlo_61970's avatar
    mimlo_61970
    Nov 12, 2014

    Yes, an http profile on a non http protocol will break the connection. The http profile is going to validate the data meets http specifications, and it will not.

     

    I don't think you can enable/disable/change the HTTP profile in an irule(I assumed you could when I said it above, but after further research it appears you can't), so a separate port 22 vip is probably required. I think you can keep your port 0 vip and just add a port 22 vip for sftp. If I remember correctly it will use the port 22 vip when it matches that port, and the port 0 vip for everything else. The the entire need for the irule goes away.

     

Hans_Schneider2's avatar
Hans_Schneider2
Icon for Nimbostratus rankNimbostratus
Nov 12, 2014

No other rules are affecting the SFTP connection. I can see the TCP handshake reaching the VIP but nothing on the server side. Shouldn't the handshake be between the server and the client?

 

As it is now the handshake happens between client and VIP. Is their some kind of other setting in F5 causing this? F5 is currently configured as SSL offload for HTTP traffic but since this is not the same protocol used in SFTP could it really mather?