FTP through ProxySG/Edge SWG failing with error "202 Command not implemented, superfluous at this site"


Article ID: 173363


Products

ProxySG Software - SGOS

Issue/Introduction

The FTP communication to a particular server is failing when going through your ProxySG/Edge SWG or ASG device.

"202 Command not implemented, superfluous at this site" is displayed in the browser and appears in packet/HAR captures.

Cause

If we take a packet capture and analyze the TCP streams containing the FTP communication, we can see that the FTP communication starts normally. The ProxySG/Edge SWG sends an MDTM request, and the server or upstream device ACKs it but immediately returns the FTP error "202 Command not implemented, superfluous at this site". The MDTM message seems to be the problem here, as it is the command that triggers the FTP 202 response.

MDTM is part of the FTP Extensions RFC (refer to https://tools.ietf.org/html/rfc3659#section-3). However, it is not accepted by all FTP servers.

Note: the ProxySG/Edge SWG's FTP Proxy needs to send this message and as long as the FTP Proxy is used, the MDTM message will be sent.
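
To confirm from a capture that MDTM is the rejected command, the following added example (not Broadcom's code) pairs each command in a control-channel transcript with the final line of the server's reply and reports MDTM commands answered with 202. The `C:`/`S:` line prefixes, the sample transcript and the function names are assumptions made for this illustration.

```python
import re

# Constructed control-channel text (C: proxy to server, S: server to proxy),
# in the shape of a capture's followed TCP stream. Host and path are made up.
SAMPLE = """\
S: 220-Welcome to myftp.mycompany.com
S: 220 Service ready
C: USER anonymous
S: 331 Password required
C: PASS proxy@
S: 230 Logged in
C: SIZE /pub/report.csv
S: 213 48213
C: MDTM /pub/report.csv
S: 202 Command not implemented, superfluous at this site
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "NNN text" or "NNN-text" (multi-line)

def pair_commands(transcript):
    """Pair each client command with the final line of the server's reply."""
    pairs, pending, multiline = [], None, None
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        m = REPLY.match(line) if side == "S" else None
        if side == "C":
            verb, _, arg = line.partition(" ")
            pending = (verb.upper(), arg)
        elif multiline:  # inside a multi-line reply: wait for "NNN " closing line
            if not (m and m.group(1) == multiline and m.group(2) == " "):
                continue
            multiline = None
        elif m and m.group(2) == "-":
            multiline = m.group(1)
            continue
        if m and pending:
            pairs.append((*pending, int(m.group(1)), m.group(3)))
            pending = None
    return pairs

def mdtm_rejections(transcript):
    """MDTM commands answered with reply code 202, the failure described above."""
    return [p for p in pair_commands(transcript) if p[0] == "MDTM" and p[2] == 202]

if __name__ == "__main__":
    for verb, arg, code, text in mdtm_rejections(SAMPLE):
        print(f"{verb} {arg} -> {code} {text}")
```

An empty result means the server answered MDTM with something other than 202, so the failure has a different cause than the one described here.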

Resolution

It is recommended to reach out to the FTP administrators/developers and have them add support for the MDTM FTP method, so that the ProxySG can complete the FTP communication without receiving the 202 error from the server.

If this is not possible or a faster solution is required:

  • For Transparent environments, the FTP server can be fully bypassed. Please refer to 170822 or 167379.

  • For Explicit deployments, the connection is always intercepted, and when incoming FTP traffic is detected it is handled by the FTP proxy automatically rather than being fully bypassed and tunneled as in Transparent. To fully bypass the FTP server on an Explicit deployment:

      1. Confirm with your Firewall administrator(s) that the FTP site can be accessed directly by the endpoints. (Most times, all connections to external resources are blocked by the Firewall or upstream devices if they aren't coming from the Proxy.)
      2. On a testing computer, modify the Proxy configuration to have the client go directly to the FTP server and test whether the server works as expected. To do this, go to Internet Options > Connections > LAN Settings, click the "Advanced" button next to the Proxy address, enter a semicolon and the URL this way "; myftp.mycompany.com" (without the quotation marks), and click "Accept".
      3. If this test is successful, you can proceed to distribute this to all computers in the network through your Active Directory. You can use a PAC or WPAD to help distribute and manage this and other exceptions.