Supporting FTP on the ProxySG
There are two deployment configurations which can be deployed on the ProxySG. One is explicit, and the other is transparent. Please see The differences between Explicit proxy and Transparent proxy for a definition of what each of those terms mean. This document will break down the FTP Proxy by deployment.
EXPLICIT DEPLOYMENTS:
When authenticating and using the explicit FTP Proxy, the ProxySG needs to know five pieces of information:
The proxy supports two login / authentication methods. Raptor is the default and Checkpoint is the alternate. In order to change the default, see How do I change the default FTP login syntax on ProxySG?
Most FTP clients support three functions: USER, PASS and ACCT. The user (or a script) is required to insert the five pieces of information into these FTP commands.
Raptor login-syntax for explicit FTP:
When the FTP client responds with: USER -the user/script enters:
@
NOTE: delimiters are "@" and " " (Three pieces of information in one line)
When the FTP client responds with: PASS -the user/script enters:
<ftp-user's password=""></ftp-user's>
When the FTP client responds with: ACCT -the user/script enters:
Raptor disadvantages:
Checkpoint login-syntax for explicit FTP:
When the FTP client responds with: USER -the user/script enters:
@@
NOTE: Delimiters are all "@" (Three pieces of information in one line).
When the FTP client responds with: PASS -the user/script enters:
<ftp-user's-password>@<proxy-user's-password>
NOTE: Delimiter is "@" (Two pieces of information in one line).</proxy-user's-password></ftp-user's-password>
Checkpoint advantages:
Checkpoint disadvantages:
TRANSPARENT DEPLOYMENTS:
Web Browser configurations and considerations:
Internet Explorer specific information
If no proxy settings are entered into Internet Explorer, the browser will attempt to do native FTP to the FTP server. If this native traffic is redirected to the ProxySG and transparent proxy authentication is enabled, the connection will not succeed due to the fact that Internet Explorer does not understand the ACCT command to supply the proxy with a proxy authentication password.
As a workaround, Symantec suggests using FTP applications such as FileZilla, WS-FTP, Cute-FTP, et c., as alternatives in transparent proxy authentication environments.
If proxy authentication is not required and Internet Explorer attempts a native FTP connection, and the "Folder View" is enabled (Tools > Internet Settings > Advanced), FTP via the browser generally works well. A username/password dialog box pops-up allowing a user to provide the FTP server with credentials.
If Internet Explorer's "Folder View" is disabled, the browser always attempts FTP connections as user :anonymous", with a password of "proxy@" (since the connection is being proxied).
If the FTP server does not allow anonymous connections, try adding the FTP username and password within the URL using this format:
ftp://:@ftp.example.com
This may work fine, or the FTP server may send FTP responses that the browser does not understand. Also consider whether the "plain" look of non-folder view is acceptable. If not, use an FTP application instead of the web browser.
Firefox and other browsers:
Generally these work just fine.
FTP applications:
Configure the correct authentication syntax within the FTP application itself.