Forum Discussion

Hans_Schneider2
Nov 10, 2014
Solved

Manage SFTP with iRule

Hi all,

I have a Virtual Server that listens on every port (0) which it has to do. I want to point my SFTP traffic to different servers based on which customer it is. For HTTP traffic I am looking at the HTTP::header but this is not an option with SFTP traffic. Is it possible to do the same with SFTP somehow?

Right now I'm trying to get one SFTP connection working but it's not successful. I have the following in my iRule:

when CLIENT_ACCEPTED {
    # Wildcard (port 0) virtual: only steer connections that arrived on TCP/22
    if { [TCP::local_port] equals 22 } {
        pool OP_22
        log local0. "FTP TRAFFIC!!"
    }
}

No traffic is reaching the SFTP server.


9 Replies

  • Yes, an http profile on a non-http protocol will break the connection. The http profile is going to validate that the data meets http specifications, and it will not.

    I don't think you can enable/disable/change the HTTP profile in an iRule (I assumed you could when I said it above, but after further research it appears you can't), so a separate port 22 vip is probably required. I think you can keep your port 0 vip and just add a port 22 vip for sftp. If I remember correctly it will use the port 22 vip when it matches that port, and the port 0 vip for everything else. Then the entire need for the irule goes away.

     

    • mimlo_61970
      Did some testing with a port 0 virtual and a port 22 virtual on the same IP address. It does appear to work as expected.
  • Assuming this isn't internet based traffic you could just give each client a dedicated IP address, or, to minimise the config, a distinct TCP port. Then your iRule can direct traffic to the desired pool based on the IP or port.

     

    Your rule looks mostly OK. I think you either need to enclose 22 in double quotes "" to allow a string comparison or replace equals with == to allow a numerical comparison.

     
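    One way to do the per-customer steering suggested above, as an added example that is not code from the thread: the iRule below is meant for a dedicated port-22 virtual server carrying only a tcp profile (no http profile, so SFTP is not parsed as HTTP) and assumes an address-type data group named sftp_customer_pools that maps each customer's source network to its pool name; OP_22 is the pool from the original post and is used as the fallback.

    ```tcl
    # Added example, not from the original thread.
    # Assumes: a port-22 virtual server with only a tcp profile, and an
    # address-type data group "sftp_customer_pools" whose values are pool names
    # (both are assumptions, not configuration from the page).
    when CLIENT_ACCEPTED {
        # Defensive check: this virtual should only ever see TCP/22. Anything
        # else is logged and dropped so a misapplied iRule is visible, not silent.
        if { [TCP::local_port] != 22 } {
            log local0. "Unexpected port [TCP::local_port] from [IP::client_addr], rejecting"
            reject
            return
        }

        # Look up the customer's pool by client source address. HTTP::header is
        # not available for SFTP, so the source network is the routing key here.
        set customer_pool [class match -value [IP::client_addr] equals sftp_customer_pools]

        if { $customer_pool ne "" } {
            pool $customer_pool
            log local0. "SFTP from [IP::client_addr] -> pool $customer_pool"
        } else {
            # Unknown source: fall back to the default SFTP pool and leave an audit trail
            pool OP_22
            log local0. "SFTP from [IP::client_addr] not in sftp_customer_pools, using OP_22"
        }
    }
    ```

    With this in place the wildcard port 0 virtual can keep its http profile for the HTTP/SSL-offload traffic, and the port-22 virtual handles SFTP on its own; if a customer's connection still does not appear on the server side, the tcpdump check suggested later in the thread remains the quickest way to see where it stops.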

  • Hi,

     

    I can see that the log prints out "FTP TRAFFIC!!" so the iRule works. I have been monitoring the SFTP server with wireshark but I don't see any requests on port 22 reaching the server. Something with the F5 configuration seems to be wrong. Any other ideas?

     

  • Any other rules in play here?

     

    I assume the Pool Members in Pool OP_22 are configured with Service Port 22?

     

    I'd suggest you do a tcpdump client and server side on the F5 if neither of the above are true.

     

  • No other rules are affecting the SFTP connection. I can see the TCP handshake reaching the VIP but nothing on the server side. Shouldn't the handshake be between the server and the client?

     

    As it is now the handshake happens between client and VIP. Is there some kind of other setting in F5 causing this? F5 is currently configured as SSL offload for HTTP traffic but since this is not the same protocol used in SFTP could it really matter?

     

  • What profiles are on the virtual server? For instance, if there is an http profile attached, that would break SFTP. You'd need to disable the profile in the iRule as well.

     

  • Yes, I have an http profile configured which is necessary for the SSL offloading. So if other protocols are used they will also be broken?

     

    How can I make a workaround or is the only solution to create a new VIP for port 22 only?

     

  • It works now!

     

    I created a new VIP with only port 22 associated without any profiles.

     

    Thank you so much!