Supporting File Transfer Protocol (FTP) on the ProxySG
search cancel

Supporting File Transfer Protocol (FTP) on the ProxySG

book

Article ID: 166944

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Supporting FTP on the ProxySG

Resolution

There are two deployment configurations which can be deployed on the ProxySG. One is explicit, and the other is transparent. Please see The differences between Explicit proxy and Transparent proxy for a definition of what each of those terms mean. This document will break down the FTP Proxy by deployment.

EXPLICIT DEPLOYMENTS:

When authenticating and using the explicit FTP Proxy, the ProxySG needs to know five pieces of information:

  • Remote FTP username
  • Remote FTP host
  • Remote FTP user's password
  • Proxy username
  • Proxy user's password

The proxy supports two login / authentication methods. Raptor is the default and Checkpoint is the alternate. In order to change the default, see How do I change the default FTP login syntax on ProxySG?

Most FTP clients support three functions: USER, PASS and ACCT. The user (or a script) is required to insert the five pieces of information into these FTP commands.

Raptor login-syntax for explicit FTP:

When the FTP client responds with: USER  -the user/script enters:
@
NOTE:  delimiters are "@" and " " (Three pieces of information in one line)

When the FTP client responds with: PASS  -the user/script enters:
<ftp-user's password=""></ftp-user's>

When the FTP client responds with:  ACCT  -the user/script enters:

  • Supports "@" in FTP host's user passwords

Raptor disadvantages:

  • With the introduction of Microsoft Windows XP SP2, Microsoft broke the ACCT functionality in their command line FTP client. The proxy user's password (entered at the ACCT prompt) is shown in clear-text. It simply does not work. Microsoft published article KB902149 ("The FTP client may echo account information back to the screen in Windows Server 2003 and Windows XP") to address this.
  • Does NOT support a " " (a space) in the proxy user's password.

Checkpoint login-syntax for explicit FTP:

When the FTP client responds with:  USER  -the user/script enters:
@@
NOTE:  Delimiters are all "@" (Three pieces of information in one line).

When the FTP client responds with:  PASS  -the user/script enters:
<ftp-user's-password>@<proxy-user's-password>
NOTE:  Delimiter is "@" (Two pieces of information in one line).</proxy-user's-password></ftp-user's-password>

Checkpoint advantages:

  • Supports FTP Clients that do not understand the ACCT command (real old/rare)
  • Supports " " (a space) in the Proxy user's password.
  • Supports "@" in FTP host's user passwords.
  • Works with Microsoft's XP SP2 unpatched FTP command line client.

Checkpoint disadvantages:

  • Does NOT support a "@" in the Proxy user's password.

 

TRANSPARENT DEPLOYMENTS:

Web Browser configurations and considerations:

Internet Explorer specific information

If no proxy settings are entered into Internet Explorer, the browser will attempt to do native FTP to the FTP server. If this native traffic is redirected to the ProxySG and transparent proxy authentication is enabled, the connection will not succeed due to the fact that Internet Explorer does not understand the ACCT command to supply the proxy with a proxy authentication password.

As a workaround, Symantec suggests using FTP applications such as FileZilla, WS-FTP, Cute-FTP, et c., as alternatives in transparent proxy authentication environments.

If proxy authentication is not required and Internet Explorer attempts a native FTP connection, and the "Folder View" is enabled (Tools > Internet Settings > Advanced), FTP via the browser generally works well. A username/password dialog box pops-up allowing a user to provide the FTP server with credentials.

If Internet Explorer's "Folder View" is disabled, the browser always attempts FTP connections as user :anonymous", with a password of "proxy@" (since the connection is being proxied).

If the FTP server does not allow anonymous connections, try adding the FTP username and password within the URL using this format:

ftp://:@ftp.example.com

This may work fine, or the FTP server may send FTP responses that the browser does not understand. Also consider whether the "plain" look of non-folder view is acceptable. If not, use an FTP application instead of the web browser.

Firefox and other browsers:

Generally these work just fine.

FTP applications:

Configure the correct authentication syntax within the FTP application itself.