Forum Discussion
SSH forward proxy
- Jun 15, 2025
Hi Mike12345
Answer is NO. It is NOT possible to use a single F5 Virtual Server to inspect the SSH stream and direct sessions to different backend servers based on hostname or similar identifiers, because this information is encrypted and not available for inspection by the F5 device.
General SSH protocol behavior, confirmed in F5 KB K14806: Overview of the BIG-IP system as a reverse proxy for SSH (https://support.f5.com/csp/article/K14806)
Hi, I found a way to do it!
It requires some policy-based routing on the local router to push the specific traffic to the F5, then the F5 can run virtual servers listening for traffic on the real IP address of the remote host. The F5 doesn't need to NAT the destination!!! Traffic comes back through the F5 as it was source NAT'd!!!!
Still requires a number of virtual servers, but doesn't exhaust a limited supply of IPs dedicated to the F5.
Other traffic can still follow the normal routing process.
Wonderful! Thank you for updating your post!
-Melissa