How to configure FileZilla Client and ProxySG to connect to an FTP server behind a ProxySG using SOCKS.


Article ID: 166500


Updated On:


ProxySG Software - SGOS SG-300 SG-600 SG-510 SG-9000 SG-900


This document explains how to set-up the following:

1.       FileZilla proxy config for SOCKS
2.       BC Proxy Services
3.       Blue Coat VPM

This KB assumes that you have already configured one of the following forms of authentication:




Step 1 – Setting-up FileZilla:

After installing FileZilla go to Edit > Settings > expand the Connection menu and then expand the FTP menu > then select Generic Proxy.
As you image above show you need to select ‘SOCKS 5’ and then enter the IP address of the Blue Coat Proxy > specify the SOCKS port that will be set on the BC Proxy (by default this will be 1080). Then enter the correct Username and Password that will allow the client access.

Step 2 – Configuring the SOCKS service on the ProxySG:

Connect to the Blue Coat Proxy > Configuration > Services > expand the ‘Standard’ services list > locate the SOCKS service and change the service from ‘Bypass’ to ‘Intercept’.
Please note that the SOCKS service should have Detect Protocol disabled because FTP handoff is unsupported as per article 000010697 .The ProxySG has to tunnel this connection without trying to use the FTP proxy, otherwise the connection will fail.

Now locate the FTP service and make sure that this is also set to ‘Intercept’. This is necessary for the communication between the ProxySG and the FTP server.

Step 3 – Configure the VPM for SOCKS access and Authentication:

Connect to the Blue Coat Proxy > Configuration > Policy > Visual Policy Manager > click on the ‘Launch’ button.

You will first want to add a SOCKS Authentication Layer.
Go to Policy > Add SOCKS Authentication Layer:
Now the Layer has been added you will need to set the Action to use the Auth Realm you require:
Right click on the word ‘None’ underneath the Action column.
 As per the image above click on the ‘New’ button and select ‘SOCKS Authentication’ and then select the Auth Realm you have configured. Your result should look something like:
Now in this basic scenario, I have a Web Access Layer configured that is set to allow all traffic as you can see below:
The rule base will allow the FileZilla client to access any FTP site (or anything) and any User to access any site but thanks to the SOCKS Authentication Layer any connection that uses port 1080 has to authenticate to the Auth Realm set in the SOCKS Authentication Layer.
Now as you can see from the image below the FileZilla client can now connect to the FTP site via the ProxySG