I've been asked to start filtering FTP over HTTP sites through the McAfee Web Gateway. Under the "Block List" tab of the Client Proxy Settings it says at the top that McAfee Client Proxy redirects the following ports: "Ports handled as HTTP/HTTPS traffic: 8080, 21, 80, 443." Based on that information I was hoping that it would be as simple as choosing the client proxy settings, then the "Proxy Servers" tab, adding port 21 to the field where you can specify additional ports that you would like to redirect as HTTP/HTTPS traffic. However, when I made this change and tested the FTP URL the page will not load.
When I bypass the MCP agent and just enable the proxy settings manually in the IE browser I do get the desired filtering from our web gateway appliances. So, the issue seems to be related to the Client Proxy Agent.
Does anybody have experience configuring the Client Proxy Agent for filtering FTP over HTTP?
We are using McAfee Agent 18.104.22.1688, Client Proxy 22.214.171.1248, and Web Gateway 126.96.36.199.0.
It's true that MCP doesn't support native FTP. But it's important to understand that FTP over HTTP only ever happens when the browser knows its using a proxy.
MCP is effectively a transparent proxy on the endpoint, so the browser doesn't know it's using a proxy.
So testing standard MCP and adding port 21 would not work for two reasons, 1) it's not FTP over HTTP (if it was, that would work), 2) Most FTP servers use passive FTP which means that your FTP client (browser or filezilla or pick one) is negotiating a random high port to connect out on (this is the FTP data communication). MCP is not equipped to read the FTP control communication, to determine what FTP data port needs to be intercepted.
I was able to trick the browser and get it working by specifying an internet address in the FTP proxy setting, and specifying port 80.
The below is a directory listing from the Web Gateway Cloud Service.
Okay, thanks Jon for the detailed explanation and clarification. I did some testing yesterday and I was able to route the FTP over HTTP traffic to our web gateway like you displayed above by modifying the proxy settings in the browser. I added the IP address of our web gateway and port number that the MCP agent uses which then produced the desired results by routing the FTP browser to the web gateway. I had been a little confused about MCP support for FTP redirection based on what I had read in the past, and since there were proxy configuration settings for "Non-HTTP/HTTPS Redirected Ports."
Am I correct that when the FTP Proxy configuration settings on the web gateway appliances are intended for use only with FTP clients such as Filezilla?
The MCP settings for Non-HTTP/HTTPS Redirected ports is intended only for on-premise deployments, though I haven't seen it widely used. FTP wouldnt work for that because of the FTP data port changing per transaction. It would work if the communication all happened over a single port like RTMP or SCP.
The FTP Proxy is indeed intended for FTP clients, but can also be used in transparent environments. MWG will intercept the FTP control traffic (port 21) and modify it to re-route the passive FTP data traffic to the MWG for filtering. MWG can also handle active FTP as well, but thats less common nowadays.
Oh, also, by adding the MWG to the proxy settings, you're telling the browser to use your on-premise MWG for FTP traffic. This method would likely not use MCP because MCP by default bypasses all RFC1918 (172,192,10 networks) traffic.
This is different from what I demonstrated. I demonstrated that MCP can handle FTP over HTTP by tricking the browser into using a non-existent public proxy (188.8.131.52). Its not elegant but it works.