SFTP Via a Proxy in Explicit Mode


Article ID: 166899


Products

ProxySG Software - SGOS

Issue/Introduction

 

The following outlines how to get the ProxySG to handle SFTP traffic. All we are going to do is tunnel the request: take the request coming into the SG and send it out.

Prerequisites

 

  • Client A: running PuTTY and FileZilla
  • ProxySG: in explicit mode on port 8080
  • Server: running an SFTP server (freeSSHd)

 

On the SG, add the following rule to allow CONNECT requests to a port other than 443.

Code:

<proxy>
   http.method=CONNECT url.port=!443 detect_protocol(no) ALLOW

 

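This rule says: if the request is a CONNECT and the destination port is not 443, skip protocol detection (which reduces the time taken to connect) and allow the request. As written it matches CONNECT to any port other than 443; you could change the port condition to the port you are using for SFTP.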

 

PuTTY:

  1. Change the proxy settings to point to the proxy on port 8080.
  2. Create the session connection to the remote server on port 22.
  3. Then connect to the server.

 

 

 

 

If we examine a packet capture taken on the PC at the time, we can see the connection being established.

 

    No. Time         Source               Destination           Protocol Info

    127 10:42:47.909 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
    128 10:42:47.909 10.91.1.210          10.91.1.21            TCP      8080 > 1685 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    129 10:42:47.909 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1 Ack=1 Win=65535 Len=0
    130 10:42:47.923 10.91.1.21           10.91.1.210           HTTP     CONNECT 10.91.1.32:22 HTTP/1.1 
    131 10:42:47.925 10.91.1.210          10.91.1.21            HTTP     HTTP/1.1 200 Connection established 
    132 10:42:47.927 10.91.1.210          10.91.1.21            SSHv2    Server Protocol: SSH-2.0-WeOnlyDo 2.0.6\r
    133 10:42:47.927 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=56 Ack=64 Win=65472 Len=0
    134 10:42:47.927 10.91.1.21           10.91.1.210           SSHv2    Client Protocol: SSH-2.0-PuTTY_Snapshot_2008_05_13:r7993\r
    135 10:42:47.927 10.91.1.21           10.91.1.210           SSHv2    1685 > 8080 [PSH, ACK] Seq=97 Ack=64 Win=65472 Len=512[Malformed Packet]
    136 10:42:47.927 10.91.1.21           10.91.1.210           SSHv2    1685 > 8080 [PSH, ACK] Seq=609 Ack=64 Win=65472 Len=128[Malformed Packet]
    137 10:42:47.928 10.91.1.210          10.91.1.21            TCP      8080 > 1685 [ACK] Seq=64 Ack=609 Win=65188 Len=0
    138 10:42:47.928 10.91.1.210          10.91.1.21            SSHv2    Server: Key Exchange Init
    139 10:42:48.000 10.91.1.21           10.91.1.210           SSHv2    Client: Diffie-Hellman Key Exchange Init
    142 10:42:48.071 10.91.1.210          10.91.1.21            TCP      8080 > 1685 [ACK] Seq=560 Ack=1009 Win=65535 Len=0
    143 10:42:48.116 10.91.1.210          10.91.1.21            SSHv2    Server: Diffie-Hellman Key Exchange Reply
    145 10:42:48.170 10.91.1.21           10.91.1.210           SSHv2    Client: New Keys
    146 10:42:48.172 10.91.1.210          10.91.1.21            SSHv2    Server: New Keys
    147 10:42:48.172 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=88
    148 10:42:48.173 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=52
    149 10:42:48.306 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1113 Ack=1204 Win=64332 Len=0
    190 10:42:54.276 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=120
    191 10:42:54.277 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=68
    193 10:42:54.442 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1233 Ack=1272 Win=64264 Len=0
    201 10:42:56.012 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=300
    202 10:42:56.017 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=36
    203 10:42:56.017 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=104
    204 10:42:56.018 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=52
    205 10:42:56.019 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=136
    206 10:42:56.020 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=36
    207 10:42:56.020 10.91.1.21           10.91.1.210           SSHv2    Encrypted request packet len=88
    208 10:42:56.022 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=36
    210 10:42:56.122 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=52
    211 10:42:56.122 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1861 Ack=1484 Win=65535 Len=0
    213 10:42:56.248 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=52
    230 10:42:56.353 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1861 Ack=1536 Win=65483 Len=0
    234 10:42:56.607 10.91.1.210          10.91.1.21            SSHv2    Encrypted response packet len=196
    235 10:42:56.756 10.91.1.21           10.91.1.210           TCP      1685 > 8080 [ACK] Seq=1861 Ack=1732 Win=65287 Len=0
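
The exchange in frames 130-132 above (CONNECT, "200 Connection established", then the server's SSH identification string) can be checked from a script. This is an added example, not part of the original article or of ProxySG; `read_until`, `check_ssh_tunnel`, `demo` and the stand-in proxy are hypothetical names, and the stand-in's 403 reply is constructed.

```python
import socket
import threading

def read_until(sock, buf, marker, limit=8192):
    """Grow buf from sock until marker appears; return (before, after)."""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError(f"no {marker!r} from peer")
        buf += chunk
    head, _, rest = buf.partition(marker)
    return head, rest

def check_ssh_tunnel(sock, host, port):
    """Return (http_status, banner) via a socket connected to the proxy."""
    target = f"{host}:{port}"
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    head, rest = read_until(sock, b"", b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {parts!r}")
    if int(parts[1]) != 200:
        return int(parts[1]), None  # proxy refused the tunnel: no banner
    # The banner may share a segment with the 200 reply, so keep the leftover
    # bytes. RFC 4253 lets the server send other lines before its "SSH-" line.
    for _ in range(20):
        line, rest = read_until(sock, rest, b"\n")
        if line.startswith(b"SSH-"):
            return 200, line.rstrip(b"\r").decode("ascii", "replace")
    raise ValueError("tunnel opened but no SSH identification string seen")

def _constructed_proxy(conn, banner):
    """Constructed stand-in for proxy plus SSH server; allows only port 22."""
    head, _ = read_until(conn, b"", b"\r\n\r\n")
    if head.split(b" ")[1].endswith(b":22"):
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" + banner)
    else:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    conn.close()

def demo(port, banner=b"SSH-2.0-WeOnlyDo 2.0.6\r\n"):
    client, server = socket.socketpair()
    t = threading.Thread(target=_constructed_proxy, args=(server, banner))
    t.start()
    try:
        return check_ssh_tunnel(client, "10.91.1.32", port)
    finally:
        client.close()
        t.join()
```

Against a real deployment, pass `check_ssh_tunnel` a socket already connected to the proxy's explicit port instead of the local socket pair used in `demo`.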

 

FileZilla (or any other SFTP client):

  1. Set the proxy settings to the SG using port 8080.
  2. Create a site for the remote site using "SFTP using SSH2".
  3. Configure the login credentials for the remote site.

 

Remember, the key point is that the SG does not support SFTP as an intercepted service, but it can tunnel the requests when protocol detection is disabled on the connection.

 

 


 

 
