For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

davidfisher's avatar
davidfisher
Icon for Cirrus rankCirrus
Aug 11, 2018

Why does FTPS loadbalancing need 3 VIPs?

Hey All,   I followed this guide to do FTPS SSL offloading - https://devcentral.f5.com/articles/ftps-offload-via-irules   The solution 1 did not work even after multiple tries but the solution 2 ...
big-ip ltm
ftps offloading
LTM
security
Andy_McGrath's avatar
Andy_McGrath
Icon for Cumulonimbus rankCumulonimbus
Aug 13, 2018

This solution is for Passive FTP only, your first VS is for the the incoming Command connection over SSL, this forwards on to the internal VS which looks to be dealing with the actual FTP Command connection without SSL.

As the iRule on the second VS reads the TCP Payload within the CLIENT_ACCEPTED event the traffic needs to in plaintext, decrypted, to allow it be do this. If you tried do do this in the initial VS with SSL the payload would be encrypted and you would not be able to read the contents to execute the iRule.

The final VS is for the Passive Data connection, which could be on any port as the connection is dynamic.

The connection flow looks a little like this

Initial Connection

    Client
      ||
    (SSL Connection 21)
      ||
    virtual SSL-FTP
      ||
    (none-SSL Connection 21)
      ||
    virtual ftpvs2
      ||
    Backend FTP

Data Connection

    Client
      ||
    (SSL Connection Dynamic port)
      ||
    virtual FTP-all-ports
      ||
    Backend FTP

I think you could, with some complex iRules, do all this on a single Virtual Server however to keep the solution simple multiple Virtual Servers is often much better.