FTP over HTTP is the name used to refer to a specific type of HTTP traffic between a web browser and an explicitly configured proxy. For the most part, it is like any other HTTP request. The distinguishing factor is that the requested resource resides on an FTP server rather than an HTTP server. Correspondingly, this means an FTP over HTTP request will contain a URL prefixed with "ftp://" instead of "http://" and the HTTP "Host" header value will include port 21 (instead of no port number at all, in which case port 80 is assumed).
An example of an initial FTP over HTTP request from a client to the Web Gateway:
GET ftp://speedtest.tele2.net/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)
When the Web Gateway receives this type of request, it recognizes that the requested resource resides on an FTP server (due to the presence of "ftp://" and port 21). The Web Gateway then uses native FTP to retrieve the file from the remote FTP server, on behalf of the client. FTP response traffic is then "translated" by the Gateway into HTTP before passing it back to the client. Sometimes this requires the Gateway to generate an HTML page so the client can display the results in the web browser. This translation is done for data such as an FTP directory listing:
The Web Gateway handles FTP over HTTP just like it would any other HTTP communication with the client computer. This means the traffic should be sent to the Web Gateway's HTTP proxy port (default = 9090). For FTP over HTTP, there is no need to enable, configure or use the Web Gateway's FTP proxy port (default = 2121), which is only used for native FTP protocol sent by a client to the Web Gateway. When the Web Gateway receives FTP over HTTP communication, it then does native FTP between itself and the FTP server, sending commands just like a native FTP client.
FTP over HTTP has advantages and disadvantages. It can be used to retrieve files from an FTP server using a web browser rather than setting up and configuring an FTP client such as FileZilla. As explained above, this also means you do not have to configure or enable the Web Gateway's FTP proxy port. The major disadvantage of FTP over HTTP is that it does not allow users to upload files. Uploading requires native FTP, an FTP client program on the client computer and, if you choose to send the traffic through the Gateway, the Web Gateway's FTP proxy port. Another disadvantage of FTP over HTTP is that different web browsers have different behaviors, quirks and bugs. These are discussed below.
Below are two images of the same packet capture with different filters applied. The capture was taken on the Web Gateway while an FTP over HTTP session was passing through it. You will see the following devices communicating:
Client computer: 10.10.80.1
Web Gateway: 10.10.80.55 (with HTTP Proxy Port 9090)
FTP Server: 10.10.80.200
The first image is of the connection between the client computer and the Web Gateway. You can see that Wireshark interprets this as HTTP traffic, which it is:
The second image shows communication between the Web Gateway and the FTP server. The Gateway recognized that the requested resource resides on an FTP server and therefore uses the FTP protocol to retrieve data from the FTP server. Here, active FTP was used, so there are two TCP connections between the Gateway and the FTP server. The "control" channel is used for sending commands back and forth between the Gateway and FTP server (highlighted in pink). The "data" channel is used to send files from the FTP server to the Web Gateway (highlighted in purple):
There are two items on the Web Gateway that can be configured in relation to the usage of FTP over HTTP:
If the Gateway receives an FTP over HTTP request that does not contain FTP user credentials, the Gateway will send its pre-configured anonymous user credentials when attempting to log in to the FTP server. You can change this username and password pair if you like. The settings can be found here:
Configuration > Appliances > [CHOOSE_APPLIANCE] > Proxies (HTTP(S), FTP, ICAP and IM) >> section "HTTP Proxy"
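The recognition and login behaviour described so far can be checked against captured proxy requests. The following is an added example, not McAfee code or part of the original article: it parses an absolute-form request, flags FTP over HTTP, and reports which FTP login would apply. The function name, the "anonymous" placeholder and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ANON_USER = "anonymous"  # placeholder for the gateway's configured anonymous user

# Constructed samples; the first adds the Host header the article describes.
LISTING = (b"GET ftp://speedtest.tele2.net/ HTTP/1.1\r\n"
           b"Host: speedtest.tele2.net:21\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n")
WITH_CREDS = (b"GET ftp://alice:s3cret@ftp.example.test/pub/a.bin HTTP/1.1\r\n"
              b"Host: ftp.example.test:21\r\n\r\n")
PLAIN_HTTP = (b"GET http://www.example.test/ HTTP/1.1\r\n"
              b"Host: www.example.test\r\n\r\n")

def classify_proxy_request(raw: bytes) -> dict:
    """Summarise an absolute-form proxy request for logging or triage."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    info = {"method": method, "ftp_over_http": url.scheme.lower() == "ftp"}
    if not info["ftp_over_http"]:
        return info

    port = url.port or 21
    info["server"] = (url.hostname, port)
    # URL userinfo (ftp://user:pass@host/) supplies the FTP login; without it
    # the anonymous account applies. The password is not copied to the summary.
    info["url_credentials"] = url.username is not None
    info["login_user"] = url.username or ANON_USER
    # Host should name the FTP server with an explicit port; a Host value
    # without a port implies 80 and therefore does not match.
    host, _, host_port = headers.get("host", "").partition(":")
    info["host_header_matches"] = (
        (host.lower(), int(host_port) if host_port.isdigit() else 80)
        == (url.hostname, port))
    # Uploads are not possible over FTP over HTTP; they need native FTP.
    info["upload_attempt"] = method.upper() in {"PUT", "POST"}
    return info

if __name__ == "__main__":
    for sample in (LISTING, WITH_CREDS, PLAIN_HTTP):
        print(classify_proxy_request(sample))
```

Credentials placed in the URL reach the proxy in clear text inside the HTTP request line, so the "url_credentials" flag is worth recording in proxy logs even though the password itself is left out of the summary.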
If you have done a fresh installation of McAfee Web Gateway v7.2 or newer, then you should already have the Log-In Page. If you upgraded from a version prior to v7.2, you probably do not have it. If you do not have the log-in page, you can add it yourself. To do so, find the template for the "Authentication Required" block page and replace its code with the contents of the file "MWG_ftp_login_page.txt" attached at the bottom of this article:
Currently, Firefox is the only web browser we have tested that does not require special attention from the user when doing FTP over HTTP. There are four major issues in other browsers, present in different combinations depending on the browser:
No known issues doing FTP over HTTP.
Header.Get("User-Agent") matches *Chrome* AND URL.Protocol equals "ftp" --> Stop Rule Set
Opera cannot do proxy authentication for FTP over HTTP traffic. It prompts the user for credentials when it receives the 407 HTTP status code from the Web Gateway, but once they are entered, the browser displays the Block Page sent by the Web Gateway with the 407 HTTP status code rather than retrieving FTP data from the Gateway. To send Opera FTP over HTTP traffic through the Web Gateway, it must be exempted from proxy authentication. You could do so with a rule like this:
Header.Get("User-Agent") matches *Opera* AND URL.Protocol equals "ftp" --> Stop Rule Set
Safari cannot do FTP over HTTP. It does not respect system proxy settings when the protocol in the address bar is set to "ftp://". Instead, it sends native FTP traffic directly to the FTP server, bypassing the configured proxy.
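The two User-Agent rules above key on a client-supplied header, so it is worth auditing which clients they actually cover before deploying them. The following is an added example, not McAfee code or part of the original article: it applies both patterns to constructed User-Agent strings, assuming "matches" behaves like a case-sensitive glob. The rule labels and sample strings are made up for illustration.

```python
from fnmatch import fnmatchcase

# The two exemptions from the article as (User-Agent pattern, URL protocol).
# The dictionary keys are hypothetical labels, not Web Gateway rule names.
RULES = {
    "chrome_rule": ("*Chrome*", "ftp"),
    "opera_rule": ("*Opera*", "ftp"),
}

# Constructed User-Agent strings in the formats these browsers send.
_WEBKIT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36")
SAMPLE_UAS = {
    "chrome": _WEBKIT,
    "edge_chromium": _WEBKIT + " Edg/80.0.361.62",
    "opera_chromium": _WEBKIT + " OPR/67.0.3575.53",
    "opera_presto": "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.12.388 "
                    "Version/12.16",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) "
               "Gecko/20100101 Firefox/78.0",
}


def exempted_by(user_agent: str, protocol: str) -> list:
    """Return the labels of every rule whose two criteria both match."""
    return sorted(
        label for label, (pattern, proto) in RULES.items()
        if protocol == proto and fnmatchcase(user_agent, pattern)
    )


def audit(protocol: str = "ftp") -> dict:
    """Map each sample client to the rules that would stop the rule set."""
    return {name: exempted_by(ua, protocol) for name, ua in SAMPLE_UAS.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:15} -> {hits or 'no exemption'}")
```

Chromium-based Opera and Edge carry a Chrome token and fall under the Chrome rule, while the "*Opera*" pattern matches only the older Presto-style string. Running the audit with protocol "http" shows that the URL.Protocol criterion keeps both rules from affecting ordinary web traffic.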