How to allow FTPS connections via a ProxySG/ASG

Article ID: 158108
Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

You wish to connect to an FTPS (FTP over SSL) site using an FTPS client such as FileZilla, WinSCP or FlashFXP.

Resolution

The Symantec Web Gateway does have an FTPS proxy, but it is only supported in transparent proxy mode (inline or WCCP). You would use the FTPS proxy, for example, if you need to decrypt the traffic (SSL interception) and hand it off to an AV scanning device via ICAP. The FTPS proxy is not supported in explicit mode. See page 323 of the admin guide, which explains this:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/6-7/generated-pdfs/SGOSAdmin67.pdf

So for a transparent deployment, the following FTPS methods are supported:

Explicit FTPS: The client sends an authentication SSL/TLS request to the OCS. If the OCS supports FTPS, it responds with authentication details and the secure session is established. File transfer occurs over an upgraded TLS connection using the FTP proxy service.

Implicit FTPS: The OCS assumes that the client sent an authentication SSL/TLS request, and the client assumes that the OCS responded with the authentication information. The SSL connection is made and file transfer occurs using the FTPS proxy service.

If your proxy is in explicit mode (PAC file or browser pointing at the proxy), you can still tunnel FTPS over the HTTP CONNECT method or via a SOCKS proxy:

1) SOCKS proxy: the following article explains how to set this up:

https://knowledge.broadcom.com/external/article/168290/connect-to-an-ftps-server-behind-a-proxy.html

Detect_protocol() needs to be disabled as well.

2) HTTP proxy in explicit mode: it is important to disable Detect_protocol() so that the client's request is not handed off to the FTPS proxy, which would break the connection.

This article explains Detect_protocol() and links to instructions on how to disable it:

https://knowledge.broadcom.com/external/article/167272/functionality-and-expected-behavior-of-t.html#:~:text=Detect%20Protocol%20(or%20Protocol%20Detection,should%20use%20to%20handle%20it.

Note, however, that you will not be able to AV scan the response or apply any policy that requires SSL decryption, because the connection is tunneled.

The print screen below shows an explicit FTPS request with protocol detection disabled, i.e. tunneled:

In the above, the client makes an explicit FTPS connection using FTP control port 21 (tunneled over port 80). If the server and client are using PASV, the passive data port is negotiated on the FTP control connection. Once the client knows which port the server is listening on for the data transfer, it issues a new HTTP CONNECT to that port; in this case it is port 17482. Protocol detection also needs to be disabled for the data connection.

Therefore the best way to disable Detect_Protocol() is on the URL address or host, i.e. the IP address of the FTPS server. For implicit FTPS, note that the control port is 990 and the connection is encrypted from the start. If the client is set up to use active FTP with implicit FTPS rather than PASV, it will use port 989 as the data port rather than the PASV port range configured on the FTPS server.

Additional Information

One other thing we have noticed that can break the FTPS connection is WebPulse/DRTR, especially if DRTR is configured in real-time mode. We recommend disabling DRTR for the FTPS server IP address. This can be done in policy using a CPL layer:

<proxy>
url.address=x.x.x.x webpulse.categorize.mode(none)

where x.x.x.x is the IP address of the FTPS server.
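As an added example (not from this article), the following single CPL layer combines the two settings discussed above, disabling protocol detection and WebPulse/DRTR for one FTPS server. The address 203.0.113.10 is a placeholder, and the detect_protocol(none) property is assumed from the SGOS CPL reference rather than quoted from this article.

```cpl
; Added example, not part of the original article.
; 203.0.113.10 is a placeholder for the FTPS server address.
; Matching on the server address alone (no port) means the rule
; covers the control connection (21 explicit, 990 implicit) and
; every passive data port the client later tunnels with HTTP CONNECT.
define condition ftps_servers
  url.address=203.0.113.10
end

<proxy>
  ; detect_protocol(none): assumed CPL property, stops the tunneled
  ; CONNECT from being handed to the FTPS proxy (explicit mode).
  ; webpulse.categorize.mode(none): skip DRTR for this server.
  condition=ftps_servers detect_protocol(none) webpulse.categorize.mode(none)
```

Add further url.address= lines inside the condition if more than one FTPS server must be reached; the policy then applies to all of them.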

Finally, if it still fails in tunneled mode, run a packet trace on the client PC and check whether it actually sends an HTTP CONNECT request. I have seen some clients set up to tunnel over HTTP that never send an HTTP CONNECT method. Some clients also bypass the proxy settings for the FTPS connection.