Manual Chapter: Proxy SSH traffic with an SSH Proxy profile
Applies To:
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Configure an SSH proxy security profile to allow or deny SSH channel actions to
specific users on a virtual server.
- On the Main tab, click. The Protocol Security: Security Profiles: SSH Proxy screen opens.
- Click Create. The New SSH Profile screen opens.
- In the Profile Name field, type a unique name for the profile.
- From the Lang Env Tolerance list, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the Other channel type permission (in the SSH Proxy Permissions rules) set to Disallow or Terminate.
  - Any: Allows connections with any LANG environment value set.
  - Common: Allows only connections with the LANG environment value set to en_US.UTF-8 to pass through the Other restrictions.
  - None: Disallows all connections with the LANG environment variable set.
- In the Timeout field, specify the idle timeout, in seconds, to maintain an SSH session if there is no activity. A setting of 0 means that the SSH session never times out.
- Edit an existing rule, or add a new rule.
  - To edit an existing rule, click the name of the rule. For example, click Default Actions to edit the default rule for a profile.
  - To add a new rule, click Add New Rule. A new line is added to the list of rules. Add a name to the rule to begin editing.
- In the Users column, in the add new user field, type an SSH user name to which the rule applies, then click Add. You cannot add users to the Default Actions rule.
- Configure the settings for each SSH channel action.
  - To allow the session to be set up for the SSH channel action, select Allow.
  - To deny an SSH channel action, and send a command not accepted message, select Disallow. Note that many SSH clients disconnect when this occurs.
  - To terminate an SSH connection by sending a reset message when a channel action is received, select Terminate.

  In non-default rules, SSH channels have an Unspecified option, which means that for a specific user, if all the rules' actions (except default actions) are unspecified, then use the Default Action rule.
- To enable logging for an SSH action, select the Log check box. Before events are logged, you need to set up a log publisher and logging profile.
- When you finish editing
  - An existing rule, click Done Editing.
  - A new rule, click Add Rule.
- When you are finished adding and editing rules, click Commit Changes to System.
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server,
attach the profile to a virtual server.
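
The rule semantics in the steps above, modeled in Python as an added example (not F5 code or BIG-IP configuration syntax): it resolves which setting applies to a user for a channel action, applies the Lang Env Tolerance options, and flags a Timeout of 0. Assumptions: the channel action names `shell` and `sftp_up` and the users are constructed, Unspecified is resolved per channel action, and when several rules name the same user the first one with a specified setting is used.

```python
from dataclasses import dataclass, field

ALLOW, DISALLOW, TERMINATE, UNSPECIFIED = "allow", "disallow", "terminate", "unspecified"

@dataclass
class Rule:
    name: str
    users: set
    actions: dict = field(default_factory=dict)  # channel action -> setting; absent = Unspecified

@dataclass
class Profile:
    default_actions: dict            # the Default Actions rule: no users, no Unspecified
    rules: list
    lang_env_tolerance: str = "any"  # "any", "common" or "none"
    timeout: int = 0                 # idle timeout in seconds; 0 = never times out

def effective_action(profile, user, channel):
    """Return (setting, rule name) that applies to this user and channel action."""
    for rule in profile.rules:
        if user in rule.users:
            setting = rule.actions.get(channel, UNSPECIFIED)
            if setting != UNSPECIFIED:
                return setting, rule.name  # assumption: first specified rule wins
    # Every rule for this user left the action Unspecified: use Default Actions.
    return profile.default_actions[channel], "Default Actions"

def lang_env_passes(profile, user, lang):
    """Does a connection that sets LANG=lang pass the Other restriction?"""
    setting, _ = effective_action(profile, user, "other")
    if setting == ALLOW:
        return True  # tolerance only applies when Other is Disallow or Terminate
    if profile.lang_env_tolerance == "any":
        return True
    if profile.lang_env_tolerance == "common":
        return lang == "en_US.UTF-8"
    return False     # "none": no connection with LANG set passes

def review(profile):
    """Flag settings worth a second look before committing the profile."""
    return ["timeout 0: idle SSH sessions never time out"] if profile.timeout == 0 else []

# Constructed sample profile, not taken from a real system.
PROFILE = Profile(
    default_actions={"shell": DISALLOW, "sftp_up": TERMINATE, "other": DISALLOW},
    rules=[Rule("ops", {"alice"}, {"shell": ALLOW}), Rule("audit", {"bob"})],
    lang_env_tolerance="common", timeout=0)
```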