Using a different authentication mode based on protocol.
HTTP web requests work with authentication, but FTP connections don't work correctly with authentication. Some application requests work, but most of the time they fail. My application is not able to get out to the internet. How can I work around the problem?
This example does not bypass authentication. It shows a case where a particular authentication mode may not work for all protocols (for example, proxy-ip not working correctly with FTP), so it may be necessary to authenticate the user with a different mode for authentication to work. With the FTP protocol and the proxy-ip authentication mode, the first authentication request succeeds, but subsequent authentication requests cause the FTP connection to fail. To address the problem, use the proxy authentication mode instead of the proxy-ip mode for FTP traffic.
This example assumes that you already have policy in place to authenticate users and that the authentication mode used is proxy-ip. The following steps will help you create a second authentication object that uses a different authentication mode than the one currently configured. In this example, any FTP traffic (FTP traffic uses TCP port 21) will be authenticated using the proxy mode instead of the proxy-ip mode.
Open the Management Console on the ProxySG appliance (https://<IP_address>:8082).
Select a Web Authentication Layer. Add a new rule above the current authentication rule that is causing problems.
In the Destination column, right-click and select Set > New > Destination Host/Port, then enter 21 as the port number. Click Add > Close. With the newly created destination port 21 selected, click OK.
(Optional/alternate) In the Service column, right-click and select Set > New > Client Protocol Object and choose FTP from the drop-down menu. Click OK. With the newly created FTP object selected, click OK.
Right-click in the Action column, select Set > New > Authenticate. Give it a meaningful name (FTPAuth), select your realm, and change your mode to Proxy. Click OK twice.
Install policy. NOTE: You may not be using proxy-ip and proxy. Select the appropriate authentication mode as needed for your environment. See 000012964 for a list of the authentication modes available for use.
Test and make sure the problem is resolved.
NOTE: The Web Access layer does not need any new rules because the request is still being authenticated. It is just using a different mode of authentication.
FTP with FileZilla works intermittently over FTP Proxy.
One of the errors is:
Status: Connecting to <ftpProxyIP>:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Command: USER ftpserveruser@<ftpserverIP> proxyuser
Response: 331 Password required for ftpserveruser proxyuser
Command: PASS ********
Response: 530 Login or password incorrect!
Error: Critical error: Could not connect to server
https://<proxyIP>:8082/Auth/User-Logins shows User IP/Name already listed.
The PCAP shows the proxy sending the FTP server username with the Proxy authentication username to the FTP server.
The following PCAP is of a server-side connection. The proxy username should not be passed to the FTP server.
The previous sample was captured with the authentication mode set to Auto. Resolve the issue by changing the authentication mode to Proxy.
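The check below is an added example, not part of the original article or of any vendor tooling: it scans the text of a server-side FTP control channel for USER commands that carry a second token, which is how the proxy username shows up in the failing login above. The sample lines, the address 192.0.2.10 and the function names are constructed for illustration, and it assumes the control channel has already been exported from the capture as one command or response per line.

```python
import re

# Matches a USER command, with or without FileZilla's "Command:" log prefix.
USER_RE = re.compile(r"^\s*(?:Command:\s*)?USER\s+(\S.*?)\s*$", re.IGNORECASE)

def parse_client_user(line):
    """Split the client-side form 'USER ftpuser@ftphost proxyuser' seen in the log above."""
    m = USER_RE.match(line)
    if not m:
        return None
    tokens = m.group(1).split()
    ftp_user, _, ftp_host = tokens[0].partition("@")
    return {"ftp_user": ftp_user,
            "ftp_host": ftp_host or None,
            "proxy_user": tokens[1] if len(tokens) > 1 else None}

def find_proxy_user_leaks(server_side_lines, proxy_users):
    """Flag server-side USER commands that carry more than the FTP username.

    Returns (line_number, ftp_user, extra_tokens, matches_known_proxy_user).
    """
    findings = []
    for lineno, line in enumerate(server_side_lines, 1):
        m = USER_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        extra = tokens[1:]
        if extra:  # the origin server should only ever see one token
            known = any(t in proxy_users for t in extra)
            findings.append((lineno, tokens[0], extra, known))
    return findings

# Constructed server-side transcript mirroring the failing (Auto mode) case.
SERVER_SIDE_AUTO = [
    "220 FTP server ready",
    "USER ftpserveruser proxyuser",
    "331 Password required for ftpserveruser proxyuser",
    "PASS ********",
    "530 Login or password incorrect!",
]
# Constructed transcript of the expected behaviour once the mode is Proxy.
SERVER_SIDE_PROXY = [
    "220 FTP server ready",
    "USER ftpserveruser",
    "331 Password required for ftpserveruser",
]

if __name__ == "__main__":
    client = parse_client_user("Command: USER ftpserveruser@192.0.2.10 proxyuser")
    print(find_proxy_user_leaks(SERVER_SIDE_AUTO, {client["proxy_user"]}))
    print(find_proxy_user_leaks(SERVER_SIDE_PROXY, {client["proxy_user"]}))
```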
Imported Document ID: 000014404