Forum Discussion

Draven_186334
Sep 13, 2018

SSH proxy without afm

Hello,

With an F5 located in the DMZ and clients on the "inside" of a firewall, is it possible to do an SSH wildcard vserver to multiple Internet-hosted SSH servers with AFM (SSH proxy), or is there a better way?

1 Reply

  • With or without the AFM module (the AFM module can't route outgoing SSH requests to different Internet SSH servers based on user), you can create a SOCKS proxy virtual server.

    With a SOCKS proxy virtual server, you won't be able to authenticate users, but you will be able to filter destinations.

    Here are the SOCKS proxy configuration TMSH commands:

    # Variables for the SOCKS proxy objects (adjust to your environment)
    BASE_NAME="SOCKS_PROXY"
    VS_IP="192.168.2.80"            # listener address reachable from the inside clients
    VS_PORT="1080"                  # standard SOCKS port
    TCP_CLIENT_PROFILE="f5-tcp-lan"
    TCP_SERVER_PROFILE="f5-tcp-wan"
    ROUTE_DOMAIN="0"
    DNS_SERVER="1.1.1.1"            # resolver used when SOCKS5 clients send hostnames
    SOCKS_VERSION="socks5"
    
    # DNS resolver: the proxy resolves destination hostnames on behalf of clients
    tmsh create net dns-resolver RESOLVER_${BASE_NAME} { forward-zones replace-all-with { . { nameservers replace-all-with { ${DNS_SERVER}:domain { } } } } route-domain ${ROUTE_DOMAIN} }
    
    # SOCKS profile bound to that resolver, SOCKS5 only
    tmsh create ltm profile socks socks_${BASE_NAME} { default-connect-handling allow defaults-from socks dns-resolver RESOLVER_${BASE_NAME} protocol-versions { ${SOCKS_VERSION} } }
    
    # Virtual server: SOCKS profile plus client-side and server-side TCP profiles, SNAT automap towards the Internet
    tmsh create ltm virtual VS_${BASE_NAME} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { socks_${BASE_NAME} { } ${TCP_CLIENT_PROFILE} { context clientside } ${TCP_SERVER_PROFILE} { context serverside } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
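The reply notes that the SOCKS virtual server can filter destinations but cannot authenticate users. One way to do that filtering is an iRule attached to the virtual server. The iRule below is an added example and is not part of the original post or of F5's own configuration: it assumes that the SOCKS_REQUEST event and the SOCKS::destination command (returning the requested address and port) are available on your TMOS version, and it assumes a string data group named allowed_ssh_hosts that you create yourself. Check the iRules SOCKS command reference for your version before relying on it.

```tcl
# Added example (not from the original post): restrict the SOCKS virtual server
# to SSH (port 22) on an allowlist of Internet hosts.
#
# Assumptions: the SOCKS_REQUEST event and SOCKS::destination exist on your
# TMOS version, and the data group "allowed_ssh_hosts" has been created, e.g.
#   tmsh create ltm data-group internal allowed_ssh_hosts type string \
#     records add { git.example.com { } bastion.example.net { } }

when SOCKS_REQUEST {
    # Assumed to return "<address> <port>" for the requested destination
    set dst      [SOCKS::destination]
    set dst_host [lindex $dst 0]
    set dst_port [lindex $dst 1]

    # Only SSH is allowed through this proxy
    if { $dst_port != 22 } {
        log local0. "SOCKS deny [IP::client_addr] -> $dst_host:$dst_port (port not 22)"
        reject
        return
    }

    # Destination must be on the allowlist, matched exactly as the client sent it
    if { ![class match $dst_host equals allowed_ssh_hosts] } {
        log local0. "SOCKS deny [IP::client_addr] -> $dst_host:$dst_port (not allowlisted)"
        reject
        return
    }

    log local0. "SOCKS allow [IP::client_addr] -> $dst_host:$dst_port"
}
```

Save the iRule (for example as socks_ssh_allowlist) and attach it with `tmsh modify ltm virtual VS_SOCKS_PROXY rules { socks_ssh_allowlist }`. A client on the inside can then use it with `ssh -o ProxyCommand='nc -X 5 -x 192.168.2.80:1080 %h %p' user@git.example.com`. Two caveats: if a client resolves the hostname locally and sends an IP address in the SOCKS request, the allowlist must contain that IP rather than the name; and because SOCKS here gives you no user authentication and the proxy does not inspect the SSH session the way the AFM SSH proxy does, restrict which inside sources may reach 192.168.2.80:1080 on the firewall or in the virtual server's source setting.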