You wish to know Best Practice as applied to FTP proxy traffic over the Symantec Web Gateway.
When operating in proxy mode, The Symantec Web Gateway is an explicit web proxy. Only anonymous FTP connections can be proxied over the standard HTTP proxy running on port 8080. For FTP connections requiring use of a specific user account, a dedicated FTP proxy is available. When enabled, this proxy runs by default on port 8021.
Note that the SWG FTP proxy is not suitable for use with Web Browsers. This is because in their default configuration, browsers use FTP over HTTP rather than FTP itself. FTP over HTTP cannot handle the URL patterns required to authenticate traffic to an FTP Site through a Proxy.
Anonymous FTP connections:
Symantec recommends that you configure your browser to use the http proxy on port 8080 for FTP connections. This will allow anonymous FTP connections to be proxied.
User Account FTP connections using an FTP client:
For FTP connections requiring a user account, you need to use the FTP proxy on port 8021. These connections cannot be made using a browser (with some exceptions, see below), but must be made using an FTP client that is capable of using the "[email protected]" FTP proxy type and specifying a specific proxy port.
The following FTP clients have been informally tested and confirmed to work with the SWG FTP proxy:
User Account FTP connections using a browser:
It is also possible to connect to an FTP site with a specific user account by using a Browser extension called "Foxyproxy". This add-on is available for both Internet Explorer and Firefox, and it works by effectively changing the connection method to standard FTP (rather than FTP over HTTP) to allow a connection to a proxy to be established.
Detailed instructions to implement FTP proxy configuration for both FTP clients and the browser extension are provided in TECH169665