Cannot FTP to mainframe application with ZTNA segment based application

Article ID: 406433


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Remote users access internal services via ZTNA with the WSS Agent running on Windows.

Many of these users run TN3270 terminal emulation software to work with applications on mainframes.

A subset of users cannot connect to the mainframe server over FTP; only generic connection-related errors are shown.


Environment

ZTNA.

Active FTP connection.

WSS / SEP Agents.

Cause

ZTNA does not support active mode FTP connections, because active mode requires the server to open a new inbound TCP connection to the client.

Resolution

Configure the FTP client to use passive mode FTP connections.

Additional Information

PCAPs (available via Symdiag) taken during the failure showed that the FTP control channel exchange included the PORT command. This indicates an ACTIVE rather than a PASSIVE FTP connection, which will fail when using ZTNA.

With ACTIVE mode FTP sessions:

  • The FTP client initiates a connection to the FTP server on port 21 (the command channel).
  • When a data transfer (upload or download) is requested, the client sends a PORT command to the server. This command includes the client's IP address and a specific, random port number (typically greater than 1024) on which the client will listen for the data connection.
  • The FTP server then initiates a connection from its data port (typically port 20) back to the client's specified IP address and port number.
  • With ZTNA, and zero trust networks in general, any TCP connection into the client host is blocked, so the TCP SYN on the negotiated port is dropped by the ZTNA service and never reaches the FTP client.
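To confirm which mode a failing session negotiated without reading the whole PCAP by hand, the control-channel commands can be checked for PORT/EPRT versus PASV/EPSV. The following is an added example, not code from this article or from Broadcom; the FTP transcript it works on is constructed, and the `C: `/`S: ` prefixes are an assumed export format rather than a Symdiag one.

```python
import re

# Constructed FTP control-channel exchange as it would appear in a PCAP taken
# during the failure: the client sends PORT (active mode), so the server must
# open a TCP connection back to the client, which ZTNA drops.
SAMPLE_ACTIVE = """\
S: 220 FTP server ready
C: USER alice
S: 331 Password required
C: PASS ********
S: 230 User logged in
C: PORT 10,1,2,50,195,80
S: 200 PORT command successful
C: RETR report.txt
S: 425 Cannot open data connection
"""

# PORT h1,h2,h3,h4,p1,p2: four IPv4 octets, then high and low bytes of the port
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def parse_port(cmd):
    """Decode a PORT command into (client_ip, client_port), or None."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_session(transcript):
    """Report the data-connection mode negotiated on the control channel.

    'active' if the client sent PORT/EPRT (server connects inbound to the
    client: the case ZTNA blocks), 'passive' for PASV/EPSV, else 'none'.
    """
    result = {"mode": "none", "data_endpoints": []}
    for line in transcript.splitlines():
        if not line.startswith("C: "):
            continue                      # only client commands matter here
        cmd = line[3:].strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("PORT", "EPRT"):
            result["mode"] = "active"     # any PORT/EPRT makes the session fail
            ep = parse_port(cmd)
            if ep:
                result["data_endpoints"].append(ep)
        elif verb in ("PASV", "EPSV") and result["mode"] != "active":
            result["mode"] = "passive"
    return result
```

The decoded endpoint is the client-side listener the server would have to reach; in the sample it is 10.1.2.50:50000, which is exactly the inbound connection ZTNA refuses.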