FTP through Proxy failing with error "202 Command not implemented, superfluous at this site"
Last Updated February 17, 2019
The FTP communication to a particular server is failing when going through your Proxy SG or ASG device.
"202 Command not implemented, superfluous at this site" is displayed on the browser and packet/HAR captures.
If we take a packet capture and analyze the TCP streams containing the FTP communication, we can see the FTP communication starts normally, then the ProxySG sends an MDTM request and the server or upstream device ACKs it but immediately forwards the following FTP error "202 Command not implemented, superfluous at this site". The MDTM message seems to be the problem here (as it is what originates the FTP 202 response).
MDTM is part of the FTP Extensions RFC (refer to https://tools.ietf.org/html/rfc3659#section-3), however it is not accepted by all FTP servers.
Note the ProxySG's FTP Proxy needs to send this message and as long as the FTP Proxy is used, the MDTM message will be sent.
It is recommended to reach the FTP administrators / developers to have them add support for the MDTM FTP method, this way the ProxySG can complete the FTP communication without receiving the 202 error from the server.
If this is not possible or a faster solution is required:
For Transparent Environments, the FTP server can be fully bypassed. Please refer to TECH241979 or TECH243229
For Explicit deployments the connection is always intercepted and when incoming FTP traffic is detected, it'll be handled by the FTP proxy automatically rather than being fully bypassed and tunneled as in Transparent. In order to fully bypass the FTP server on a Explicit deployment:
Make sure with your Firewall administrator/s that the FTP site can be accessed directly by the endpoints. (Most times, all connections to external resources are blocked by the Firewall or upstream devices if they aren't coming from the Proxy).
On a testing computer, modify the Proxy configuration to have the client going directly to the FTP server and test if the server works as expected. To do this, go to Internet Options > Connections > LAN Settings > next to the Proxy address, click the "Advanced" button, enter a semi-colon and the URL this way "; myftp.mycompany.com" (without the quotation marks), click "Accept".
If this test is successful, you can proceed to distribute this to all computers in the network through your Active Directory. You can use a PAC or WPAD to help distribute and manage this and other exceptions as well.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.