cestrada
Level 7

FTP Tutorial

Anybody have a clear, concise clarification on how FTP works using WebGateway? Via the browser it's a hit or miss. One day FTP works fine; other days, the appliance doesn’t allow my users to get into any FTP sites. This is with any browser flavor, e.g. IE\ Firefox\ Chrome, etc. I find myself installing 3rd party FTP apps since they are easier to configure instead of the browser.

I'm using 2121 as the FTP port.

0 Kudos
12 Replies
asabban
Level 17

Re: FTP Tutorial

Hi Carlos,

Browsers need to point to the HTTP Proxy Port for all protocols, even for FTP. The FTP Proxy on port 2121 is only working for native FTP Clients, e.g. FileZilla or similar.

A browser will use FTP-over-HTTP, which works through the Proxy Port. This should work as expected.

Best,

Andre

0 Kudos
cestrada
Level 7

Re: FTP Tutorial

Hello Andre,

Yes, I understand how to configure the browsers to utilize the port 2121; that’s not my issue. My problem is any browser which uses the appliance, it’s a hit or miss, very inconsistent. I’ve checked logs and run various tcpdumps but can’t see why this feature of the appliance is very tedious.

Was wondering if anyone else has experienced a similar problem with browsers using FTP and what the resolution was to fix.

0 Kudos
dstraube
Level 11

Re: FTP Tutorial

Hello cestrada,

“Yes I understand how to configure the browsers to utilize the port 2121 that’s not my issue.”

Are you sure this is not your issue? As Andre has pointed out, your browser should be configured to port 9090, even for the FTP port. Port 2121 is only for dedicated FTP clients!

Regards,

Dirk

0 Kudos
cestrada
Level 7

Re: FTP Tutorial

ftp.GIF

Can you clarify, I don't use 9090 for my proxy HA so why should I use 9090 for browsers?? Are you saying I shouldn't have the 2121 on Proxy HA and change it to 9090??

0 Kudos
McAfee Employee

Re: FTP Tutorial

9090 is the default HTTP proxy port; it was just an example. They are not saying you shouldn't have 2121 on the port redirects. You are using port 80 or port 8080 for your HTTP proxy, so you would have your browser configured as below (except with 80 or 8080 as the port):

ie-proxy.png

FileZilla or other FTP clients would be configured using the FTP proxy port:

filezilla-proxy.png

Hope this helps you understand better what the purpose is between the different proxies.

~Jon

cestrada
Level 7

Re: FTP Tutorial

Anyone know how to use FTP via command prompt using the proxy?

0 Kudos
McAfee Employee

Re: FTP Tutorial

Hi Carlos,

IF LOCAL AUTH is not applying to FTP:

    ftp
    open [IP-of-MWG] 2121
    username@ftpserver.tld
    password

--------

IF USING AUTHENTICATION for FTP

    ftp
    open [IP-of-MWG] 2121
    local-user
    local-password
    username@ftpserver.tld
    password

In addition to the above, if you are URL filtering (and blocking everything) the initial commands will not have a URL associated with them, so you will need to allow the blank URL "ftp:" in order to allow the local authentication to take place (because there is no URL at that point). See screenshot below for an example.

ftp-blank2.png

There may be a more elegant way to do this, but it works.

Hope this helps.

~Jon

0 Kudos
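The two login sequences from the post above, scripted with Python's ftplib. This is an added example, not code from the thread; the function name `proxy_login`, the sample host names and the expected reply codes (331 after USER, 230 after PASS) are assumptions.

```python
import ftplib

def proxy_login(ftp, remote_user, remote_host, remote_password,
                proxy_user=None, proxy_password=None):
    """Send the USER/PASS sequence for an FTP proxy on an open control connection.

    ftp: a connected ftplib.FTP (anything with sendcmd() works).
    Returns [(command, reply), ...] with passwords masked for logging.
    """
    steps = []
    if proxy_user is not None:
        # Authentication applies to FTP: proxy credentials go first.
        steps += [(f"USER {proxy_user}", ("331",)),
                  (f"PASS {proxy_password}", ("230",))]
    # The remote account is sent as user@host so the proxy learns the target.
    steps += [(f"USER {remote_user}@{remote_host}", ("331",)),
              (f"PASS {remote_password}", ("230",))]

    transcript = []
    for command, expected in steps:
        shown = "PASS ****" if command.startswith("PASS ") else command
        reply = ftp.sendcmd(command)  # ftplib raises error_perm on a 5xx reply
        transcript.append((shown, reply))
        if not reply.startswith(expected):
            raise ftplib.error_reply(f"{shown}: unexpected reply {reply!r}")
    return transcript

# Usage against a real gateway (placeholder address, not run here):
#   ftp = ftplib.FTP()
#   ftp.connect("[IP-of-MWG]", 2121)
#   proxy_login(ftp, "anonymous", "ftp.example.com", "guest@example.com",
#               proxy_user="local-user", proxy_password="local-password")
```

A block by the gateway surfaces as `ftplib.error_perm`, so the caller can tell a policy denial from an unexpected reply.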

Re: FTP Tutorial

Hi Jon,

Is there any way to restrict FTP access on the basis of username? I am able to do this on the basis of IP. I am using Filezilla as FTP client. Below are the proxy settings.

FTP.JPG

However as per the attached ruleset, if the FTP client's IP is not in the FTP Allowed IP list, I am getting the following message on Filezilla:

FTP_2.JPG

It seems that Filezilla is able to authenticate FTP proxy credentials, but not able to use the parameter Authenticate.Username. Is there any parameter available to allow only selected FTP Proxy credentials, access to FTP links?

0 Kudos
eelsasser
Level 15

Re: FTP Tutorial

Hmm, all I needed to do was add this one line somewhere under my normal authentication rules. I did not create any special condition for FTP authenticate:

Name:
FTP UserList Restriction:

Rule Criteria:
Connection.Protocol equals "FTP" AND
Authentication.UserName is not in list FTP allowed User ID list

Action:
Block

I changed the text block page to put the variables on the page and here's my output.

If my username is not in the list, I get a block like this:

    Status: Using proxy 192.168.2.230:2121
    Status: Connecting to 192.168.2.230:2121...
    Status: Connection established, waiting for welcome message...
    Response: 220 McAfee Web Gateway 7.1.6 build 12411
    Command: USER eelsasser
    Response: 331 User name okay, need password.
    Command: PASS *******
    Response: 500-Default Block Template
    Response: 500-This is a default error message. Please make sure to configure an appropriate
    Response: 500-error template for rule "FTP UserList Restriction:".
    Response: 500-Authentication.Failed: false
    Response: 500-Authentication.IsAuthenticated: true
    Response: 500-Authentication.Method: User Database
    Response: 500-Authentication.Realm: McAfee Web Gateway
    Response: 500-Authentication.UserName: eelsasser
    Response: 500-Authentication.UserGroups: Domain Users, Domain Admins, Allow WebMail, Allow
    Response: 500-SocialNetworking
    Response: 500-Proxy.IP: 192.168.2.230
    Response: 500-Proxy.Port: 2121
    Response: 500-Client.IP: 192.168.2.2
    Response: 500-Connection.IP: 192.168.2.2
    Response: 500-Connection.Protocol: FTP
    Response: 500-Command.Name: PASS
    Response: 500-Rules.CurrentRuleSet.Name: FTP Proxy
    Response: 500-Rules.CurrentRule.Name: FTP UserList Restriction:
    Response: 500-Rules.CurrentRule.ID: 22001
    Response: 500-Cycle.TopName/Cycle.Name: Request/Request
    Response: 500-Block.Reason (Block.ID): Default Error Template  (0)

If my username is in the list, I logon:

    Response: 220 McAfee Web Gateway 7.1.6 build 12411
    Command: USER eelsasser
    Response: 331 User name okay, need password.
    Command: PASS *******
    Response: 230 User logged in, proceed.
    Command: USER anonymous@ftp.microsoft.com
    Response: 331 User name okay, need password.
    Command: PASS **************
    Response: 230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
    Response: 230 User logged in.

Message was edited by: eelsasser on 1/18/12 10:56:07 AM EST
0 Kudos
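A block reply like the one in the post above can be parsed to tell a failed proxy login apart from a rule that denies an already authenticated user. This is an added example, not code from the thread; the function names, the shortened sample log and the treatment of wrapped lines are assumptions.

```python
import re

# Constructed sample: a shortened copy of the FileZilla log quoted above.
SAMPLE_LOG = """\
Command: PASS *******
Response: 500-Default Block Template
Response: 500-Authentication.IsAuthenticated: true
Response: 500-Authentication.UserName: eelsasser
Response: 500-Authentication.UserGroups: Domain Users, Domain Admins, Allow WebMail, Allow
Response: 500-SocialNetworking
Response: 500-Connection.Protocol: FTP
Response: 500-Rules.CurrentRule.Name: FTP UserList Restriction:
Response: 500-Block.Reason (Block.ID): Default Error Template  (0)
"""

REPLY = re.compile(r"^Response:\s+(\d{3})[- ](.*)$")
# "Dotted.Name: value"; the key may end in a suffix such as " (Block.ID)".
PROPERTY = re.compile(r"^([A-Z][\w./]*\.[\w./]+(?: \([\w.]+\))?): ?(.*)$")

def parse_block_reply(log_text):
    """Collect the property lines of a 5xx block reply into a dict."""
    props, last_key = {}, None
    for line in log_text.splitlines():
        reply = REPLY.match(line.strip())
        if not reply or not reply.group(1).startswith("5"):
            continue
        prop = PROPERTY.match(reply.group(2))
        if prop:
            last_key = prop.group(1)
            props[last_key] = prop.group(2).strip()
        elif last_key:
            # Assumption: a non-property line after a property is the wrapped
            # tail of the previous value (as with "Allow" / "SocialNetworking").
            props[last_key] += " " + reply.group(2).strip()
    return props

def diagnose(props):
    """Tell a failed proxy login apart from a rule blocking an authenticated user."""
    user = props.get("Authentication.UserName", "")
    rule = props.get("Rules.CurrentRule.Name", "")
    if props.get("Authentication.IsAuthenticated") == "true":
        return f"policy block: '{user}' authenticated, denied by rule '{rule}'"
    return f"not authenticated: '{user}'"

if __name__ == "__main__":
    print(diagnose(parse_block_reply(SAMPLE_LOG)))
```

The debug block template shown in the post also returns group membership, rule names and internal addresses to the client, so it suits troubleshooting rather than a production block page.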