What's the latest status about offloading SFTP/SSH? Is this still not possible? I'm looking for an alternative solution to offload some security features for SFTP, because due to SNAT the server only sees the LB's IP address and therefore can't use this for the blacklist. Disabling SNAT and having the LB as DFGW for the server is not an option. And as SFTP doesn't support any kind of XFF, I was wondering if I can use any nice iRule to check for not allowed usernames or the number of failed login attempts. We also have only the LTM module available.
Thanks for any ideas or further information!
Regards Stefan 🙂
@Stefan_Klotz I don't believe you can with just LTM. I have been poking around in the various options for TCP connections but I can't seem to find any values pertaining to SSH sessions before they form. You can log the client IP for every SSH session but I don't see a way currently to match that to the SSH session on the server side to have that correlation.
Did you consider using AFM and SSH Proxy?
AskF5 >> Secure SSH traffic with the SSH Proxy