Supporting FTP on the ProxySG

Solutions ID:    KB2898
Version:    7.0
Status:    Published
Published date:    05/29/2009
Updated:    01/19/2011
 

Problem Description

Supporting FTP on the ProxySG

Resolution

The ProxySG can be deployed in one of two configurations: explicit or transparent.  This document breaks down the FTP proxy by deployment.

EXPLICIT DEPLOYMENTS:

When authenticating and using the explicit FTP proxy, the ProxySG needs to know five pieces of information:

  • Remote FTP username
  • Remote FTP host
  • Remote FTP user's password
  • Proxy username
  • Proxy user's password

The proxy supports two login / authentication methods.  Raptor is the default and Checkpoint is the alternate.

Most FTP clients support three functions: USER, PASS and ACCT.  The user (or a script) is required to insert the five pieces of information into these FTP commands.

Raptor login-syntax for explicit FTP:

When the FTP client prompts with USER, the user/script enters:
<ftp-username>@<ftp-host> <proxy username>
NOTE:  Delimiters are "@" and " " (three pieces of information in one line).

When the FTP client prompts with PASS, the user/script enters:
<ftp-user's password>

When the FTP client prompts with ACCT, the user/script enters:
<proxy user's password>

Raptor advantages:

  • Default ProxySG configuration.
  • Supports "@" in Proxy user's passwords
  • Supports "@" in FTP host's user passwords

Raptor disadvantages:

  • With the introduction of Microsoft Windows XP SP2, Microsoft broke the ACCT functionality in their command line FTP client.  The proxy user's password (entered at the ACCT prompt) is shown in clear-text.  It simply does not work.  Please see Blue Coat KB article KB1060 for further details, or view Microsoft's article for the fix.
  • Does NOT support a " " (a space) in the proxy user's password.

Checkpoint login-syntax for explicit FTP:

When the FTP client prompts with USER, the user/script enters:
<ftp-username>@<proxy-username>@<ftp-host>
NOTE:  Delimiters are all "@" (three pieces of information in one line).

When the FTP client prompts with PASS, the user/script enters:
<ftp-user's-password>@<proxy-user's-password>
NOTE:  Delimiter is "@" (two pieces of information in one line).

Checkpoint advantages:

  • Supports FTP clients that do not understand the ACCT command (very old or rare clients).
  • Supports " " (a space) in the Proxy user's password.
  • Supports "@" in FTP host's user passwords.
  • Works with Microsoft's XP SP2 unpatched FTP commandline client.

Checkpoint disadvantages:

  • Does NOT support a "@" in the Proxy user's password.
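
The two login syntaxes above, as an added example (not Blue Coat code): a Python helper that assembles the USER, PASS and ACCT entries from the five pieces of information and refuses a proxy password that the chosen syntax cannot carry. Function names and sample credentials are constructed for illustration; the CR/LF check is an addition that the article does not state.

```python
def _check_fields(**fields):
    # FTP commands end with CRLF, so a CR or LF inside a field would split
    # the command. Added check, not taken from the KB article.
    for name, value in fields.items():
        if not value or "\r" in value or "\n" in value:
            raise ValueError(f"{name} is empty or contains CR/LF")


def raptor_login(ftp_user, ftp_host, ftp_pass, proxy_user, proxy_pass):
    """Entries for the Raptor syntax (USER, PASS, ACCT)."""
    _check_fields(ftp_user=ftp_user, ftp_host=ftp_host, ftp_pass=ftp_pass,
                  proxy_user=proxy_user, proxy_pass=proxy_pass)
    if " " in proxy_pass:
        raise ValueError("Raptor: a space in the proxy password is not supported")
    return {
        "USER": f"{ftp_user}@{ftp_host} {proxy_user}",
        "PASS": ftp_pass,
        "ACCT": proxy_pass,
    }


def checkpoint_login(ftp_user, ftp_host, ftp_pass, proxy_user, proxy_pass):
    """Entries for the Checkpoint syntax (USER, PASS only; no ACCT)."""
    _check_fields(ftp_user=ftp_user, ftp_host=ftp_host, ftp_pass=ftp_pass,
                  proxy_user=proxy_user, proxy_pass=proxy_pass)
    if "@" in proxy_pass:
        raise ValueError("Checkpoint: '@' in the proxy password is not supported")
    return {
        "USER": f"{ftp_user}@{proxy_user}@{ftp_host}",
        "PASS": f"{ftp_pass}@{proxy_pass}",
    }


def usable_methods(proxy_pass):
    """Syntaxes whose stated limits this proxy password satisfies."""
    methods = []
    if " " not in proxy_pass:
        methods.append("raptor")
    if "@" not in proxy_pass:
        methods.append("checkpoint")
    return methods


if __name__ == "__main__":
    # Constructed sample credentials.
    print(raptor_login("alice", "ftp.example.com", "p@ss", "corp_user", "s3cret"))
    print(checkpoint_login("alice", "ftp.example.com", "p@ss", "corp_user", "my pass"))
    print(usable_methods("a b@c"))  # neither syntax fits this password
```

A proxy password containing both a space and "@" satisfies neither syntax's limits, so that account needs a different password before it can use the explicit FTP proxy.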

 

Please see KB3519 for a list of popular FTP clients that can be configured for an explicit proxy and how to set those up to work with the ProxySG.

 

TRANSPARENT DEPLOYMENTS:

Web Browser configurations and considerations:

Internet Explorer specific information

If no proxy settings are entered into Internet Explorer, the browser will attempt to do native FTP to the FTP server.  If this native traffic is redirected to the ProxySG and transparent proxy authentication is enabled, the connection will not succeed because Internet Explorer does not understand the ACCT command and so cannot supply the proxy with a proxy authentication password.

As a workaround, Blue Coat suggests using FTP applications such as FileZilla, WS-FTP, Cute-FTP, etc., as alternatives in transparent proxy authentication environments.

If proxy authentication is not required, Internet Explorer attempts a native FTP connection, and "Folder View" is enabled (Tools > Internet Settings > Advanced), FTP via the browser generally works well.  A username/password dialog box pops up, allowing you to provide the FTP server with credentials.

If Internet Explorer's "Folder View" is disabled, the browser always attempts FTP connections as user "anonymous", with a password of "proxy@" (since the connection is being proxied).

If the FTP server does not allow anonymous connections, you can try adding your FTP username and password within the URL using this format:

ftp://<username>:<password>@ftp.example.com

This may work fine, or the FTP server may send FTP responses that the browser does not understand.  Also consider whether the "plain" look of non-folder view is acceptable.  If not, use an FTP application instead of the web browser.

Firefox and other browsers:

Generally these work just fine.

FTP applications:

Configure the correct authentication syntax within the FTP application itself.

