Problem Description

Your FTP client is configured to go through a ProxySG and provides the appropriate authentication details. You connect successfully for the first time and then disconnect the session. You connect again but this time the connection fails.

Cause of problem

In Visual Policy Manager you have configured your authentication layer to use the ‘Proxy-IP’ mode. (See KB2877 for a description of authentication modes). This mode may work OK for normal HTTP traffic but is causing a problem with the FTP traffic. The reason is that in ‘Proxy-IP’ mode, the proxy remembers the user credentials based on the IP address of the client. Once authenticated, the proxy will then not request authentication from the client (until the timeout period).

When the FTP client connects through the proxy to the FTP server for the first time it authenticates through the proxy as required. If you then disconnect the session and reconnect, the proxy will remember your credentials from the previous time because you are connecting from the same IP address. It is therefore not expecting, or requiring, the client to provide authentication credentials again and will therefore produce an error when the FTP client supplies these credentials.

Resolution

You need to authenticate FTP traffic using the ‘Proxy’ mode. This mode will remember the authentication credentials based on the client’s source TCP port, which will change for each FTP client session. The proxy will therefore require authentication every time. (For a more detailed explanation see KB3341).

1. In the Web Authentication Layer, create a new rule #1. This rule will be for FTP traffic. 
   
   
    
2. In the Destination field, match on FTP traffic.
   
   
    
3. In the Action field, create a new Authentication object using the 'Proxy' mode.
   
   
    
4. Install the policy and test.
   
   
    

Now, any FTP traffic going explicitly through the proxy will require authentication for each session.