Connect to an FTPS Server Behind a ProxySG with FileZilla with SOCKS

book

Article ID: 168290

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

 For a guide on how to setup FTPS in a FileZilla server, please refer to 000007724. To access an FTP (plain text) server through a ProxySG using SOCKS, please refer to KB 000011426 . In this article we will cover the necessary steps to configure the FileZilla Client and ProxySG to allow a successful connection to an FTPS server located behind a ProxySG. 

Resolution

The process below will show how to configure FileZilla to use FTPS via your ProxySG using SOCKS 5.
 
In FileZilla you will need to go to Edit > Settings > Generic Proxy:

 
User-added image
 

Here you have to enter the IP of your ProxySG and the SOCKS port number. Above you can see that the ProxySG's IP is 10.91.9.20 and we used the default SOCKS port, 1080.

For the purpose of this KB, the ProxySG will not be performing SOCKS authentication. If required, this can be achieved by following Step 3 provided in article 000011426

Once you have entered the relevant details for you ProxySG you will want to click the “OK” button.

Now if you go to File > Site Manager you can configure the FTPS site that you would like to connect to:
 User-added image

In the above example we have set the IP of the FTPS server and specified that the Protocol will be “FTP – file Transport Protocol” and that the Encryption will be “Require explicit FTP over TLS”

The Logon Type has been set as “Normal” and then user and pass for the FTPS site have been entered.

Now we need to configure the ProxySG to accept incoming SOCKS connections. To do this, we must intercept the SOCKS service located in Configuration > Services > Proxy Services > SOCKS > change this service so that it is set to Intercept:


User-added image


Now you will need to open the VPM Configuration > Policy > Visual Policy Manage > Launch
In the VPM you will need to make sure that you have a rule that will allow the connection to the FTPS site:


User-added image
 

The example above shows that the Web Access Layer contains a rule for the FTPS site IP and the action is set to “Allow” > once you have added a rule to allow the connection to the FTPS site you can then go back to your FileZilla Client and click Connect:


User-added image
 

What you should now see if you were to see a PCAP is that the connection from the client to the FTPS server does not show any readable data being passed other than the certificate. If using plain FTP, you would have been able to see the FTP username and password that were being passed.
An example of the secure connection in a PCAP has been uploaded to this KB as has an example an unsecured connection to the same FTP server (this can be found in the .rar file called examples).

Attachments

Examples.rar get_app