Forum Discussion
SSH forward proxy
Is it possible to use a single Virtual Server to proxy multiple connections to back end servers? I was considering whether it would be possible to read the hostname in the SSH stream or other identifying information to direct the SSH session to the correct server.
The other alternative is port multiplexing, e.g. server 1 connects to virtual server 10.0.0.15:4567, server 2 connects on 10.0.0.15:4568, etc.
Thanks for any help
8 Replies
- PeteWhite
Employee
AFM has an SSH proxy where you can send SSH to a pool of backend SSH servers. You could do this with different addresses or ports and use an iRule to send to the serverside pool. SSH doesn't have a way to carry the destination server inside the packet in the way that the HTTP Host header works.
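To make the point in this reply (and in the accepted answer below) concrete, here is an added example that is not from the thread or from F5: it builds and parses the only cleartext parts of an SSH connection a proxy ever sees, the version-exchange line and the SSH_MSG_KEXINIT packet (RFC 4253). The sample identification string and algorithm lists are constructed, not captured; every field that comes out is a cookie or an algorithm/language list, and none of them names the destination host.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1)
KEXINIT_LISTS = ["kex_algorithms", "server_host_key_algorithms",
                 "encryption_algorithms_c2s", "encryption_algorithms_s2c",
                 "mac_algorithms_c2s", "mac_algorithms_s2c",
                 "compression_algorithms_c2s", "compression_algorithms_s2c",
                 "languages_c2s", "languages_s2c"]

def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(lists, cookie=bytes(16)):
    """Build an unencrypted binary packet carrying SSH_MSG_KEXINIT (zero padding for brevity)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(_name_list(lists.get(k, [])) for k in KEXINIT_LISTS)
    payload += b"\x00" + bytes(4)  # first_kex_packet_follows = FALSE, reserved = 0
    pad = 4 + (-(len(payload) + 9)) % 8  # padding >= 4, total length a multiple of 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_identification(line):
    """Parse 'SSH-protoversion-softwareversion [comments]' from the version exchange."""
    text = line.rstrip(b"\r\n").decode("ascii")
    _, proto, rest = text.split("-", 2)
    return {"protoversion": proto, "softwareversion": rest.split(" ", 1)[0]}

def parse_kexinit(packet):
    """Return every field of a KEXINIT packet: all the cleartext a proxy can observe."""
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_length - padding_length - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    fields, pos = {"cookie": payload[1:17].hex()}, 17
    for name in KEXINIT_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        fields[name] = payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if n else []
        pos += 4 + n
    return fields

# Constructed sample client hello (not a capture from any real host)
SAMPLE_IDENT = b"SSH-2.0-OpenSSH_9.6 constructed-sample\r\n"
SAMPLE_KEXINIT = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_c2s": ["aes256-gcm@openssh.com"],
    "encryption_algorithms_s2c": ["aes256-gcm@openssh.com"],
    "mac_algorithms_c2s": ["hmac-sha2-256"], "mac_algorithms_s2c": ["hmac-sha2-256"],
    "compression_algorithms_c2s": ["none"], "compression_algorithms_s2c": ["none"]})
```

Everything after KEXINIT (key exchange, user auth, channel opens) is inside the negotiated cipher, so the fields above are the complete set a listening Virtual Server could key a routing decision on.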
- Mike12345
Altocumulus
Hi, I found a way to do it!
It requires some policy-based routing on the local router to push the specific traffic to the F5, then the F5 can run virtual servers listening for traffic on the real IP address of the remote host. The F5 doesn't need to NAT the destination!!! Traffic comes back through the F5 as it was source NAT'd!!!!
Still requires a number of virtual servers, but doesn't exhaust a limited supply of IPs dedicated to the F5.
Other traffic can still follow the normal routing process.
- Melissa_C
Moderator
Wonderful! Thank you for updating your post!
-Melissa
- Melissa_C
Moderator
Hello Mike12345,
Looking at the comments in your thread it appears you may have gotten the answer to your question. If this is correct, please consider marking the post as solution.
Thank you for your post!
- Melissa
- Mike12345
Altocumulus
done
- Injeyan_Kostas
Cumulonimbus
With SSH unfortunately you don't have the option to "play" with FQDN or SNI.
So the only option is to use different ports.
- Mike12345
Altocumulus
Thanks guys,
A hard no is better than me floundering through docs in the hope of an answer. It looks like I'm recommending port multiplexing.
- f51
Cumulonimbus
Hi Mike12345
Answer is NO. It is NOT possible to use a single F5 Virtual Server to inspect the SSH stream and direct sessions to different backend servers based on hostname or similar identifiers, because this information is encrypted and not available for inspection by the F5 device.
General SSH protocol behavior, confirmed in F5 KB K14806: Overview of the BIG-IP system as a reverse proxy for SSH (https://support.f5.com/csp/article/K14806)