9 Replies Latest reply on Feb 20, 2011 3:39 PM by gahillbilly

    Problems with FTP over Filezilla




      We are using webgateway 7.0 and have problems with FTP with FileZilla. With our old webgateway 6.8 solution, FTP works with the following parameters in FileZilla:


      Host: <webgateway 6.8>

      User:  <wg-user>@<ftp-server-user>@<ftp-Server>

      Password: <wg-password>@<ftp-server-password>


      With these parameters a connection can be established with webgateway 6.8.


      If I use the same parameters with webgateway 7.0 I get the following error:


      Status:    Verbinde mit webgateway1:21...
      Status:    Verbindung hergestellt, warte auf Willkommensnachricht...
      Antwort:    220 McAfee Web Gateway 7.0.1 build 8505
      Befehl:    USER esctest01@esc@ftp-server
      Antwort:    331 User name okay, need password.
      Befehl:    PASS ******************
      Antwort:    530-The URL ftp://esctest01@esc@ftp-server/ needs authentication.
      Antwort:    530-URL: ftp://esctest01@esc@ftp-server/
      Antwort:    530-User name:
      Antwort:    530 
      Fehler:    Kritischer Fehler
      Fehler:    Herstellen der Verbindung zum Server fehlgeschlagen


      With webgateway 6.8 I get the following status infos:


      Status:    Verbinde mit webwasher1:21...
      Status:    Verbindung hergestellt, warte auf Willkommensnachricht...

      Antwort:    220 McAfee Web Gateway FTP Proxy 6.8.6 build 6257
      Befehl:    USER esctest01@esc@ftp-server
      Antwort:    331 User name okay, need password.
      Befehl:    PASS ******************
      Antwort:    230 User esc logged in.
      Status:    Verbunden
      Status:    Empfange Verzeichnisinhalt...
      Befehl:    PWD
      Antwort:    257 "/" is current directory.
      Befehl:    TYPE I
      Antwort:    200 Type set to I
      Befehl:    PASV
      Antwort:    227 Entering Passive Mode
      Befehl:    LIST
      Antwort:    150 File status okay; about to open data connection.
      Antwort:    226 Transfer complete.
      Status:    Anzeigen des Verzeichnisinhalts abgeschlossen


      Can you tell me what's the problem?


      If I configure webgateway 7.0 as FTP proxy in FileZilla, a connection can be established.






        • 1. Re: Problems with FTP over Filezilla

          See what happens when you use the FTP Proxy option in FileZilla.

          I use that all the time and it works with 7 very nicely.



          Afterwards, you don't need to embed the user and password into each site's settings; just set up the site's profile as if it were direct.

          • 2. Re: Problems with FTP over Filezilla

            Last time I checked FileZilla, the proxy logon and password were in clear in the config file and there was no option to ask for the proxy password at each connection as in WS-FTP.  Did that change?



            This message was edited by: DBO on 30/12/10 09:11:38 CST
            • 3. Re: Problems with FTP over Filezilla



              Yes, I know. If I configure the FTP proxy like you did, it works.


              But my question is: why doesn't the FTP connection with the embedded parameters work in webgateway 7.0? Our customer uses this method.


              With webgateway 6.8 the FTP connection with embedded parameters works fine.




              • 4. Re: Problems with FTP over Filezilla

                Yes, the behaviour is different.


                As I recall, I think it was changed because a lot of people had @ signs in both the username and/or passwords. So there was no way to tell when to split them:


                Local User: myusername@mydomain.local

                FTP User: myemail@mydomain.com


                Local password: myP@sswordh@sthe@sign

                FTP password: myemail@mydomain.com


                Which would then become:

                user: myusername@mydomain.local@myemail@mydomain.com@FTP.site.com

                password: myP@sswordh@sthe@sign@myemail@mydomain.com


                How do you figure that one out?


                If you are doing command line, you can still:


                c:\My Documents\Desktop>ftp
                Connected to
                220 McAfee Web Gateway 7.0.2 build 9319
                User ( LOCALUSER
                331 User name okay, need password.
                Password: LOCALPASSWORD
                230 User logged in, proceed.


                ftp> user FTPUSER@
                331 User name okay, need password.
                Password: FTPPASSWORD
                230 User logged in.


                And this method has also always worked in version 6.8 too.
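The ambiguity described in the reply above, as an added example that is not part of the original post: it enumerates every way a proxy could split the combined USER and PASS fields. The function names and the sample password for the simple case are constructed; the layout `proxyuser@ftpuser@ftphost` / `proxypass@ftppass` is taken from the thread.

```python
from itertools import product

def at_splits(value):
    """Every (left, right) split of value at a single '@', skipping empty halves."""
    return [
        (value[:i], value[i + 1:])
        for i, ch in enumerate(value)
        if ch == "@" and 0 < i < len(value) - 1
    ]

def interpretations(user_field, pass_field):
    """All readings of the combined fields that a proxy would have to choose from.

    A hostname cannot contain '@', so the FTP host is whatever follows the
    last '@' of the USER field. Everything before it is ambiguous.
    """
    creds, sep, host = user_field.rpartition("@")
    if not sep or not host:
        return []  # no host part at all: not the embedded format
    return [
        {"proxy_user": pu, "ftp_user": fu, "ftp_host": host,
         "proxy_pass": pp, "ftp_pass": fp}
        for (pu, fu), (pp, fp) in product(at_splits(creds), at_splits(pass_field))
    ]

# Simple case from the first post; the password is a constructed sample.
SIMPLE = interpretations("esctest01@esc@ftp-server", "wgpass@ftppass")

# The '@'-heavy case, values copied from the reply above.
AMBIGUOUS = interpretations(
    "myusername@mydomain.local@myemail@mydomain.com@FTP.site.com",
    "myP@sswordh@sthe@sign@myemail@mydomain.com",
)

# The reading the user actually meant.
INTENDED = {
    "proxy_user": "myusername@mydomain.local", "ftp_user": "myemail@mydomain.com",
    "ftp_host": "FTP.site.com",
    "proxy_pass": "myP@sswordh@sthe@sign", "ftp_pass": "myemail@mydomain.com",
}

if __name__ == "__main__":
    print(len(SIMPLE), "reading for the simple case")
    print(len(AMBIGUOUS), "readings for the '@'-heavy case")
    print("intended reading is candidate number", AMBIGUOUS.index(INTENDED) + 1)
```

The intended reading is only one of the candidates, and nothing in the fields marks it as the right one. The two-step login shown in the post avoids this because the proxy and FTP credentials are sent in separate USER/PASS exchanges.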

                • 5. Re: Problems with FTP over Filezilla

                  No, that is still the same. But also consider that FTP passwords are always in the clear on the wire anyway.

                  So, even if you enter the password for each session, you aren't protected very much. It can always be intercepted and sniffed.

                  • 6. Re: Problems with FTP over Filezilla

                    I don't really care about the FTP password, BUT the proxy logon and password are the Domain User logon and password, and this cannot stay in clear on the workstation.

                    • 7. Re: Problems with FTP over Filezilla



                      Plain FTP does not provide encryption of the data exchanged between FTP Client and FTP Server. Since MWG is acting as an FTP Server for the Client here, all data is unencrypted. To have this encrypted it would be required to use FTP over TLS or similar, which is not yet possible.


                      I see two options for preventing Domain passwords from becoming visible:


                      - Create separate Users for FTP access, either in the external directory or local User DB, and hand this over to the users that need to do FTP. This may work in a smaller environment.

                      - Use the authentication server, as it would work with the IM proxy, e.g. if you try to access via FTP you will see an error page unless you browse to some URL and authenticate against the authentication server with your credentials. This can be SSL encrypted. After you have successfully authenticated, you will have X minutes to complete your FTP tasks before you have to authenticate again.


                      It works similarly for IM; I think it should be possible to tweak the rule sets. Not very comfortable, but more secure.


                      We will only need this for native FTP Clients; FTP-over-HTTP (downloads from FTP servers) is not affected here.


                      Please note the above samples are just "ideas". They may or may not work. Please let me know if you need some more details.




                      • 8. Re: Problems with FTP over Filezilla


                        This one doesn't work out for my customer. They have "@" in the username and there is no way in MWG7 to make it work, except when I put the username in quotes. Up to now, they used the "quote site ftp-server-address" command in 6.8, which works fine.

                        On MWG7, it doesn't work anymore. A packet trace of the traffic from MWG to the FTP Server shows that MWG just cuts off everything after and including the "@" in the username.

                        Thus:  the username sent to the server is just "username" instead of username@domain.com.


                        Any idea?




                        • 9. Re: Problems with FTP over Filezilla

                          There is some sort of problem with recent versions of FileZilla. I've had repeated failures with FileZilla on both XP and Win7 systems. All the failures began on working FileZilla installs AFTER an upgrade.


                          I've had partial success with endless setting tweaks, but ONLY partial. The FileZilla developers seem to be in denial about this, and simply refer people to the Wiki in a very dismissive way. It appears that they don't know what they broke.


                          However, at least on my systems, reverting to version FileZilla http://www.oldapps.com/filezilla.php?old_filezilla provided a complete fix. You'll have to uninstall and try for yourself to see if it works for you. But, it takes about 5 minutes to find out.