Forum Discussion

Mike12345's avatar
Mike12345
Icon for Altocumulus rankAltocumulus
Jun 15, 2025
Solved

SSH forward proxy

Is it possible to use a single Virtual Server to proxy multiple connections to back end servers. I was considering whether it would be possible to read the hostname in the SSH stream or other identif...
ssh proxy
  • VGF5's avatar
    VGF5
    Jun 15, 2025

    Hi Mike12345​ 

     

    Answer is NO. It is NOT possible to use a single F5 Virtual Server to inspect the SSH stream and direct sessions to different backend servers based on hostname or similar identifiers, because this information is encrypted and not available for inspection by the F5 device.

    General SSH protocol behavior, confirmed in F5 KB K14806: Overview of the BIG-IP system as a reverse proxy for SSH (https://support.f5.com/csp/article/K14806)

     

PeteWhite's avatar
PeteWhite
Icon for Employee rankEmployee
Jun 18, 2025

AFM has an SSH proxy where you can send SSH to a pool of backend SSH servers. You could do this with different addresses or ports and use an iRule to send the serverside pool. SSH doesn't have a way to carry the destination server inside the packet in the way that the HTTP Host header works.