The following outlines how to get the ProxySG to handle SFTP traffic. The SG does not intercept SFTP; all it does is tunnel the request: it accepts the client's CONNECT on the proxy port and passes the TCP stream through to the destination unchanged.
Prerequisites:
On the SG you need to add the following policy rule to allow a CONNECT to a port other than 443:
Code:
<proxy>
; CONNECT to any port except 443: skip protocol detection and tunnel the stream
http.method=CONNECT url.port=!443 detect_protocol(no) ALLOW
This is saying: if the request is a CONNECT and the destination port is not 443, do not run protocol detection on the tunnel (the SG would otherwise sniff the first bytes of the stream and try to interpret them, which adds time to the connect and is what breaks SSH) and then allow it. Note that, as written, the rule lets any client CONNECT to any port except 443 on any host, which is a general-purpose TCP tunnel through the proxy. On a production SG, change `!443` to the port your SFTP server actually listens on (22 by default) and, if you can, restrict the destination to the SFTP server itself.
PuTTY:
If we examine a PCAP taken on the PC while PuTTY connects, we can see the tunnel being established. The client (10.91.1.21, ephemeral port 1685) opens a TCP session to the SG on its proxy port (10.91.1.210:8080), sends CONNECT 10.91.1.32:22 HTTP/1.1, and gets HTTP/1.1 200 Connection established back. From that point on the SG relays bytes untouched: the SSH server's banner comes through the tunnel 2 ms later, the key exchange and New Keys complete in both directions, and everything after that is encrypted. The [Malformed Packet] tags come from Wireshark's SSH dissector, not from a fault in the tunnel; the handshake completes.
No. Time Source Destination Protocol Info
127 10:42:47.909 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
128 10:42:47.909 10.91.1.210 10.91.1.21 TCP 8080 > 1685 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
129 10:42:47.909 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1 Ack=1 Win=65535 Len=0
130 10:42:47.923 10.91.1.21 10.91.1.210 HTTP CONNECT 10.91.1.32:22 HTTP/1.1
131 10:42:47.925 10.91.1.210 10.91.1.21 HTTP HTTP/1.1 200 Connection established
132 10:42:47.927 10.91.1.210 10.91.1.21 SSHv2 Server Protocol: SSH-2.0-WeOnlyDo 2.0.6\r
133 10:42:47.927 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=56 Ack=64 Win=65472 Len=0
134 10:42:47.927 10.91.1.21 10.91.1.210 SSHv2 Client Protocol: SSH-2.0-PuTTY_Snapshot_2008_05_13:r7993\r
135 10:42:47.927 10.91.1.21 10.91.1.210 SSHv2 1685 > 8080 [PSH, ACK] Seq=97 Ack=64 Win=65472 Len=512[Malformed Packet]
136 10:42:47.927 10.91.1.21 10.91.1.210 SSHv2 1685 > 8080 [PSH, ACK] Seq=609 Ack=64 Win=65472 Len=128[Malformed Packet]
137 10:42:47.928 10.91.1.210 10.91.1.21 TCP 8080 > 1685 [ACK] Seq=64 Ack=609 Win=65188 Len=0
138 10:42:47.928 10.91.1.210 10.91.1.21 SSHv2 Server: Key Exchange Init
139 10:42:48.000 10.91.1.21 10.91.1.210 SSHv2 Client: Diffie-Hellman Key Exchange Init
142 10:42:48.071 10.91.1.210 10.91.1.21 TCP 8080 > 1685 [ACK] Seq=560 Ack=1009 Win=65535 Len=0
143 10:42:48.116 10.91.1.210 10.91.1.21 SSHv2 Server: Diffie-Hellman Key Exchange Reply
145 10:42:48.170 10.91.1.21 10.91.1.210 SSHv2 Client: New Keys
146 10:42:48.172 10.91.1.210 10.91.1.21 SSHv2 Server: New Keys
147 10:42:48.172 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=88
148 10:42:48.173 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=52
149 10:42:48.306 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1113 Ack=1204 Win=64332 Len=0
190 10:42:54.276 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=120
191 10:42:54.277 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=68
193 10:42:54.442 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1233 Ack=1272 Win=64264 Len=0
201 10:42:56.012 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=300
202 10:42:56.017 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=36
203 10:42:56.017 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=104
204 10:42:56.018 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=52
205 10:42:56.019 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=136
206 10:42:56.020 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=36
207 10:42:56.020 10.91.1.21 10.91.1.210 SSHv2 Encrypted request packet len=88
208 10:42:56.022 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=36
210 10:42:56.122 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=52
211 10:42:56.122 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1861 Ack=1484 Win=65535 Len=0
213 10:42:56.248 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=52
230 10:42:56.353 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1861 Ack=1536 Win=65483 Len=0
234 10:42:56.607 10.91.1.210 10.91.1.21 SSHv2 Encrypted response packet len=196
235 10:42:56.756 10.91.1.21 10.91.1.210 TCP 1685 > 8080 [ACK] Seq=1861 Ack=1732 Win=65287 Len=0
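To make the exchange in the capture concrete, here is an added example in Python (not part of the original post, and not Blue Coat or PuTTY code): the client side of the CONNECT handshake as PuTTY performs it in packets 130 to 132, plus a minimal stand-in for the proxy so the script runs offline over a socketpair. The proxy and target addresses and the SSH banner are taken from the capture; the stand-in's allowed-port check and its 403 reply are assumptions for this example, not documented SG behaviour.

```python
import socket
import threading

# Addresses and banner as they appear in the capture above. Nothing is
# contacted over the network: the client talks to fake_proxy() instead.
PROXY = ("10.91.1.210", 8080)
TARGET = ("10.91.1.32", 22)
SSH_BANNER = b"SSH-2.0-WeOnlyDo 2.0.6\r\n"


def build_connect_request(host, port):
    """Request line as in packet 130 (CONNECT host:port HTTP/1.1)."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(buf):
    """Return (status, reason, leftover) once the header is complete, else None.
    leftover is whatever followed the blank line: in SSH the server speaks
    first, so its banner can land in the same read as the 200 (packet 132
    follows 131 by 2 ms) and must go to the SSH layer, not be dropped."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    status_line = buf[:end].split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2].decode("ascii", "replace") if len(parts) == 3 else ""
    return int(parts[1]), reason, buf[end + 4:]


def read_connect_response(sock, max_header=8192):
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        parsed = parse_connect_response(buf)
        if parsed is not None:
            return parsed
        if len(buf) > max_header:
            raise ValueError("CONNECT response header too large")


def open_tunnel(sock, target):
    """Send CONNECT on a socket already connected to the proxy. Returns the
    bytes that belong to the SSH layer; raises on anything but 2xx (a policy
    DENY on the SG means there is no tunnel, so SSH must not be started)."""
    sock.sendall(build_connect_request(*target))
    status, reason, leftover = read_connect_response(sock)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused tunnel: {status} {reason}")
    return leftover


def ssh_banner(sock, initial=b""):
    """Read the SSH identification line, starting from any bytes that
    arrived together with the CONNECT reply."""
    buf = initial
    while b"\n" not in buf:
        chunk = sock.recv(256)
        if not chunk:
            raise ConnectionError("no SSH banner received through the tunnel")
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r")


def fake_proxy(sock, allowed_ports=frozenset({22})):
    """Stand-in for the SG (an assumption for this example): ALLOW a CONNECT
    to a permitted port and relay the server's banner, otherwise answer 403."""
    req = b""
    while b"\r\n\r\n" not in req:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            return
        req += chunk
    _, hostport, _ = req.split(b"\r\n", 1)[0].split(b" ")
    if int(hostport.rsplit(b":", 1)[1]) in allowed_ports:
        sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        sock.sendall(SSH_BANNER)  # what the real SSH server sends first
    else:
        sock.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    sock.close()


def tunnel_through_fake_proxy(target):
    """Drive the client against fake_proxy over a socketpair; returns the SSH
    banner on success or the refusal message on a non-2xx reply."""
    client, proxy_side = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy_side,), daemon=True)
    worker.start()
    try:
        return ssh_banner(client, open_tunnel(client, target))
    except ConnectionError as exc:
        return str(exc)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(tunnel_through_fake_proxy(TARGET))  # b'SSH-2.0-WeOnlyDo 2.0.6'
    print(tunnel_through_fake_proxy(("10.91.1.32", 2222)))  # refused by policy
```

Against a real SG you would replace the socketpair with `socket.create_connection(PROXY)` and then hand the socket, together with the leftover bytes returned by `open_tunnel`, to your SSH implementation. The two details worth keeping are the ones the capture makes visible: stop on any non-2xx status, and never discard bytes that arrive after the blank line of the CONNECT reply, because on an SSH tunnel they are the server's banner.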
FileZilla (or any other SFTP client):
Remember, the key point here is that the SG does not support SFTP as an intercepted service, but it can tunnel the request when protocol detection is disabled on the connection. Once the 200 is returned the SG sees only an opaque byte stream: it cannot log, scan or filter the SFTP commands or files inside it, so any access control has to be applied to the CONNECT itself (client, destination and port).