FTP Server
How do I set up the SmartFTP FTP client to work through the ProxySG? The ProxySG uses authentication. How do I get SmartFTP to work with proxy authentication?
Resolution
The SmartFTP 4.0 client can only be configured for an HTTP or SOCKS type proxy. It does not know how to use an FTP proxy. This document will configure the SmartFTP client to use FTP over HTTP and not SOCKS. Assuming the HTTP proxy is configured on port 8080, you will see a CONNECT ip.address.of.ftpserver:21 on port 8080 on the wire between the workstation and the proxy. This is normal and expected.

The data provided below was gathered using SmartFTP Professional Edition v4.0.1054.0. Your experience may change depending on the version of SmartFTP you are using.

NOTE: Once the proxy settings are all configured on the client, if the SmartFTP client works once and then fails several times and then works once and then fails, please see KB3341 for a way to work around the issue.

CONFIGURING THE SMARTFTP PROFESSIONAL FTP CLIENT TO USE THE PROXY

1. Open or launch the SmartFTP client.
2. Click on Tools > Settings > General/Favorites.
3. In the Favorites section, click on the "Edit" button under "Default Favorite". Please see figure #1 below.
4. A "Properties" window will open. Go down to Connection and click on Proxy. See figure #2 below.
5. In the Proxy properties window, set the following:
   a. Type: Select "HTTP Proxy - Connection Tunnel" from the drop down menu.
   b. Settings:
      a. Host: Enter the IP address or DNS name of the ProxySG.
      b. Port: Change the port from 21 to 8080. If you are using a port other than 8080 to intercept HTTP traffic, then enter the appropriate port number.
      c. Put a check mark next to "Login to Proxy / Firewall".
      d. User: This is the username that will be passed to the ProxySG for authentication purposes. In this example, it is bob.kent.
      e. Password: Enter the proxy user's password into this field.
      f. Click on the OK button twice to save your changes.
6. Test. Connect to one of your favorite FTP servers and test.
Figure #1:
Figure #2:
Resolution
This document assumes that you are using Raptor login syntax for your ProxySG. For details on Raptor syntax, please see KB2898. Please note that the menu options described below are from Filezilla v3.2.7.1 and may change with newer versions of the FTP client.

1. Open Filezilla FTP client.
2. Go to Edit > Settings > FTP Proxy
3. Under Connection, go to FTP > FTP Proxy
4. Select the radio button next to Custom and enter the following information:

   USER %u@%h %s
   PASS %p
   ACCT %w

5. For "Proxy host:", enter the IP address of your ProxySG. For "Proxy user:", enter the username used to authenticate to the ProxySG. For "Proxy password:", enter the proxy password of the user. Please see the screen shot below for details.
6. Click on the OK button to save your changes.
7. On the main screen, enter the host, username, and password as you normally do.

Filezilla will connect to the ProxySG and pass the remote host, remote host credentials, and ProxySG credentials. The ProxySG will then establish a connection to the FTP server using the credentials provided by the user.

NOTE: If Filezilla intermittently works (it works once, and then fails for a while, and then works again), please see KB3341 for a way to work around the issue.
If you are attached to a corporate or enterprise network and connect to the internet from behind a BlueCoat proxy that proxies FTP connections, the FileZilla FTP client needs to be configured accordingly to get it to work properly. There is an FTP Proxy configuration and a Generic Proxy configuration that can be set in the FileZilla client. Using a Generic Proxy forces it to use Passive Mode connections. However, if you need to use Active mode FTP connections, then FTP Proxy should be configured.

Click Edit > Settings in the menu to open the FileZilla client settings. Expand FTP in the left pane and click "FTP Proxy". In the right pane, select "custom" under "Type of FTP Proxy" and enter the following format specifications: USER %u@%h PASS %P ACCT %w

Once done, enter the IP address or hostname of the proxy host (if it is not listening on the standard TCP/21, then provide the port number along with the IP address or hostname, ex: proxy:8085), then the user (username@domainname, where domainname is the name of the Windows domain, if it uses WSSO or Integrated Windows Authentication) and the password (the domain password if using a Windows domain name as above). This should set the configs appropriately.

To check that the connection works, try connecting to the external FTP server. You should first connect to the BlueCoat proxy, which issues a Welcome message as in the following screenshot before it connects you to the remote FTP server.
Resolution
There are two deployment configurations in which you can deploy your ProxySG. One is explicit, and the other is transparent. Please click on the term for a definition of what each of those mean. This document will break down the FTP proxy by deployment.

EXPLICIT DEPLOYMENTS:

When authenticating and using the explicit FTP proxy, the ProxySG needs to know five pieces of information:

- Remote FTP username
- Remote FTP host
- Remote FTP user's password
- Proxy username
- Proxy user's password
The proxy supports two login / authentication methods. Raptor is the default and Checkpoint is the alternate. Most FTP clients support three functions: USER, PASS and ACCT. The user (or a script) is required to insert the five pieces of information into these FTP commands.

Raptor login-syntax for explicit FTP:

- When the FTP client responds with USER, the user/script enters: <ftp-username>@<ftp-host> <proxy username>
  NOTE: Delimiters are "@" and " " (three pieces of information in one line).
- When the FTP client responds with PASS, the user/script enters: <ftp-user's password>
- When the FTP client responds with ACCT, the user/script enters: <proxy user's password>

Raptor advantages:

- Default ProxySG configuration.
- Supports "@" in Proxy user's passwords.
- Supports "@" in FTP host's user passwords.

Raptor disadvantages:

- With the introduction of Microsoft Windows XP SP2, Microsoft broke the ACCT functionality in their command line FTP client. The proxy user's password (entered at the ACCT prompt) is shown in clear-text. It simply does not work. Please see Blue Coat KB article KB1060 for further details.
- Does NOT support a " " (a space) in the proxy user's password.
Checkpoint login-syntax for explicit FTP:

- When the FTP client responds with USER, the user/script enters: <ftp-username>@<proxy-username>@<ftp-host>
  NOTE: Delimiters are all "@" (three pieces of information in one line).
- When the FTP client responds with PASS, the user/script enters: <ftp-user's-password>@<proxy-user's-password>
  NOTE: Delimiter is "@" (two pieces of information in one line).

Checkpoint advantages:

- Supports FTP clients that do not understand the ACCT command (real old/rare).
- Supports " " (a space) in the Proxy user's password.
- Supports "@" in FTP host's user passwords.
- Works with Microsoft's XP SP2 unpatched FTP commandline client.
Checkpoint disadvantages:
Please see KB3519 for a list of popular FTP clients that can be configured for an explicit proxy and how to set those up to work with the ProxySG.
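The two login syntaxes above, and the Filezilla custom sequence from the earlier section, written out as an added example (not Blue Coat or FileZilla code). It shows how the five values land in USER, PASS and ACCT; the function names and sample values are hypothetical, the placeholder meanings are the ones FileZilla defines for its custom proxy type, and the only syntax limit enforced is the one this page states for Raptor.

```python
# Added example (not Blue Coat or FileZilla code); names are hypothetical.
import re
from dataclasses import dataclass

@dataclass
class Login:
    ftp_user: str
    ftp_host: str
    ftp_pass: str
    proxy_user: str
    proxy_pass: str

def _check(login):
    # CR or LF inside a value would end the FTP command line early.
    for name, value in vars(login).items():
        if not value or "\r" in value or "\n" in value:
            raise ValueError(f"{name}: empty or contains CR/LF")

def raptor(login):
    """USER <ftp-user>@<ftp-host> <proxy-user>, PASS <ftp-pass>, ACCT <proxy-pass>."""
    _check(login)
    if " " in login.proxy_pass:  # limitation stated on this page
        raise ValueError("Raptor: no space allowed in the proxy password")
    return [f"USER {login.ftp_user}@{login.ftp_host} {login.proxy_user}",
            f"PASS {login.ftp_pass}",
            f"ACCT {login.proxy_pass}"]

def checkpoint(login):
    """USER <ftp-user>@<proxy-user>@<ftp-host>, PASS <ftp-pass>@<proxy-pass>."""
    _check(login)
    return [f"USER {login.ftp_user}@{login.proxy_user}@{login.ftp_host}",
            f"PASS {login.ftp_pass}@{login.proxy_pass}"]

# The Filezilla custom sequence from this page, one command per line.
FILEZILLA_CUSTOM = ["USER %u@%h %s", "PASS %p", "ACCT %w"]

def expand(template, login):
    """Fill the placeholders in a single pass so substituted values are never re-scanned."""
    subs = {"%u": login.ftp_user, "%h": login.ftp_host, "%p": login.ftp_pass,
            "%s": login.proxy_user, "%w": login.proxy_pass}
    return [re.sub(r"%[uhpsw]", lambda m: subs[m.group()], line) for line in template]

if __name__ == "__main__":
    # Constructed sample values; bob.kent is the proxy user used on this page.
    demo = Login("alice", "ftp.example.com", "s3cr@t", "bob.kent", "pr0xy pass")
    print(checkpoint(demo))
    try:
        raptor(demo)
    except ValueError as err:
        print("rejected:", err)
```

With a proxy password that has no space, expand(FILEZILLA_CUSTOM, login) and raptor(login) produce the same three lines, which is why that custom sequence works against a ProxySG using the default Raptor syntax.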
TRANSPARENT DEPLOYMENTS:
Web Browser configurations and considerations:

Internet Explorer specific information

If no proxy settings are entered into Internet Explorer, the browser will attempt to do native FTP to the FTP server. If this native traffic is redirected to the ProxySG and transparent proxy authentication is enabled, the connection will not succeed because Internet Explorer does not understand the ACCT command needed to supply the proxy with a proxy authentication password. As a workaround, Blue Coat suggests using FTP applications such as Filezilla, WS-FTP, Cute-FTP, etc., as alternatives in transparent proxy authentication environments.

If proxy authentication is not required and Internet Explorer attempts a native FTP connection, and the "Folder View" is enabled (Tools > Internet Settings > Advanced), FTP via the browser generally works well. A username/password dialog box pops up allowing you to provide the FTP server with credentials.

If Internet Explorer's "Folder View" is disabled, the browser always attempts FTP connections as user "anonymous", with a password of "proxy@" (since the connection is being proxied). If the FTP server does not allow anonymous connections, you can try adding your FTP username and password within the URL using this format:

ftp://<username>:<password>@ftp.example.com

This may work fine, or the FTP server may send FTP responses that the browser does not understand. Also consider whether the "plain" look of non-folder view is acceptable. If not, use an FTP application instead of the web browser.

Firefox and other browsers: Generally these work just fine.

FTP applications: Configure the correct authentication syntax within the FTP application itself.