Forum Discussion
Draven_186334
Altocumulus
Sep 13, 2018
SSH proxy without AFM
Hello,
With an F5 located in the DMZ and clients on the "inside" of a firewall, is it possible to do an SSH wildcard vserver to multiple internet-hosted SSH servers with AFM (SSH proxy), or is there a better way?
- Stanislas_Piro2
Cumulonimbus
With or without the AFM module (the AFM module can't route outgoing SSH requests to different Internet SSH servers based on user), you can create a SOCKS proxy virtual server.
With a SOCKS proxy virtual server, you won't be able to authenticate users, but you will be able to filter destinations.
Here are the SOCKS proxy configuration TMSH commands:
```bash
# Settings for the SOCKS proxy virtual server
BASE_NAME="SOCKS_PROXY"
VS_IP="192.168.2.80"
VS_PORT="1080"
TCP_CLIENT_PROFILE="f5-tcp-lan"
TCP_SERVER_PROFILE="f5-tcp-wan"
ROUTE_DOMAIN="0"
DNS_SERVER="1.1.1.1"
SOCKS_VERSION="socks5"

# DNS resolver the SOCKS profile uses to resolve requested host names
tmsh create net dns-resolver RESOLVER_${BASE_NAME} { \
    forward-zones replace-all-with { \
        . { nameservers replace-all-with { ${DNS_SERVER}:domain { } } } \
    } \
    route-domain ${ROUTE_DOMAIN} \
}

# SOCKS profile bound to that resolver
tmsh create ltm profile socks socks_${BASE_NAME} { \
    default-connect-handling allow \
    defaults-from socks \
    dns-resolver RESOLVER_${BASE_NAME} \
    protocol-versions { ${SOCKS_VERSION} } \
}

# Virtual server that clients use as their SOCKS proxy
tmsh create ltm virtual VS_${BASE_NAME} { \
    destination ${VS_IP}:${VS_PORT} \
    ip-protocol tcp \
    mask 255.255.255.255 \
    profiles replace-all-with { \
        socks_${BASE_NAME} { } \
        ${TCP_CLIENT_PROFILE} { context clientside } \
        ${TCP_SERVER_PROFILE} { context serverside } \
    } \
    source 0.0.0.0/0 \
    source-address-translation { type automap } \
    translate-address enabled \
    translate-port enabled \
}
```
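Added example, not part of the original reply: a minimal SOCKS5 client (RFC 1928) for checking how the SOCKS virtual server answers a CONNECT to a given destination, which is the filtering point the reply mentions. The destination host names are constructed placeholders; 192.168.2.80:1080 is the VS_IP and VS_PORT from the post, and the request uses the hostname address type so that the proxy side performs the DNS lookup.

```python
import socket
import struct

# SOCKS5 reply codes from RFC 1928, section 6.
REPLIES = {
    0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable",
    0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}
GREETING = b"\x05\x01\x00"  # version 5, one method offered: 0x00 (no authentication)


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with ATYP 0x03 (domain name): the proxy resolves the name."""
    name = host.encode("idna")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("bad destination")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_reply(data: bytes) -> str:
    """Map the VER and REP bytes of the proxy's reply to a verdict string."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return REPLIES.get(data[1], f"unknown code 0x{data[1]:02x}")


def check_destination(proxy, host, port=22, timeout=5.0):
    """Ask the SOCKS5 proxy at (ip, port) to connect to host:port; return the verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(GREETING)
        if f.read(2) != b"\x05\x00":
            return "proxy did not accept the no-authentication method"
        s.sendall(build_connect(host, port))
        return parse_reply(f.read(2))


if __name__ == "__main__":
    # Constructed host names; replace with one destination that should pass
    # the filter and one that should not.
    for dest in ("ssh-allowed.example.net", "ssh-blocked.example.net"):
        print(dest, "->", check_destination(("192.168.2.80", 1080), dest))
```
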