Last time I checked FileZilla, the proxy logon and password were in the clear in the config file and there was no option to ask for the proxy password at each connection as in WS-FTP. Did that change?
Yes, I know. If I configure the FTP proxy like you did, it works.
But my question is: why doesn't the FTP connection with the embedded parameters work in Web Gateway 7.0? Our customer uses this method.
With Web Gateway 6.8, the FTP connection with embedded parameters works fine.
Yes, the behaviour is different.
As I recall, I think it was changed because a lot of people had @ signs in both the username and/or passwords. So there was no way to tell when to split them:
Local User: firstname.lastname@example.org
FTP User: email@example.com
Local password: myP@sswordh@sthe@sign
FTP password: firstname.lastname@example.org
Which would then become:
How do you figure that one out?
If you are doing command line, you can still:
c:\My Documents\Desktop>ftp 192.168.2.230
Connected to 192.168.2.230.
220 McAfee Web Gateway 7.0.2 build 9319
User (192.168.2.230:(none)): LOCALUSER
331 User name okay, need password.
230 User logged in, proceed.
ftp> user FTPUSER@192.168.2.10
331 User name okay, need password.
230 User logged in.
And this method has also always worked in version 6.8 too.
No, that is still the same. But also consider that FTP passwords are always in the clear on the wire anyway.
So, even if you enter the password for each session, you aren't protected very much. It can always be intercepted and sniffed.
I don't really care about the FTP password, BUT the proxy logon and password are the domain user logon and password, and this cannot stay in the clear on the workstation.
Plain FTP does not provide encryption of the data exchanged between FTP client and FTP server. Since MWG is acting as an FTP server for the client here, all data is unencrypted. To have this encrypted, it would be required to use FTP over TLS or similar, which is not yet possible.
I see two options for preventing that Domain passwords become visible:
- Create separate users for FTP access, either in the external directory or local user DB, and hand these over to the users that need to do FTP. This may work in a smaller environment.
- Use the authentication server, as it would work with the IM proxy, e.g. if you try to access via FTP you will see an error page unless you browse to some URL and authenticate against the authentication server with your credentials. This can be SSL encrypted. After you successfully authenticated, you will have X minutes to complete your FTP tasks, before you have to authenticate again.
It works similarly for IM; I think it should be possible to tweak the rule sets. Not very comfortable, but more secure.
We will only need this for native FTP Clients, FTP-over-HTTP (downloads from FTP servers) are not affected here.
Please note the above samples are just "ideas". They may or may not work. Please let me know if you need some more details.
This one doesn't work out for my customer. They have "@" in the username and there is no way in MWG7 to make it work, except when I put the username in quotes. Up to now, they used the "quote site ftp-server-address" command in 6.8, which works fine.
On MWG7, it doesn't work anymore. A packet trace of the traffic from MWG to the FTP server shows that MWG just cuts off everything after and including the "@" in the username.
Thus: the username sent to the server is just "username" instead of email@example.com.
There is some sort of problem with recent versions of FileZilla. I've had repeated failures with FileZilla on both XP and Win7 systems. All the failures began on working FileZilla installs AFTER an upgrade.
I've had partial success with endless setting tweaks, but ONLY partial. The FileZilla developers seem to be in denial about this, and simply refer people to the Wiki in a very dismissive way. It appears that they don't know what they broke.
However, at least on my systems, reverting to version FileZilla 18.104.22.168 http://www.oldapps.com/filezilla.php?old_filezilla provided a complete fix. You'll have to uninstall and try for yourself to see if it works for you. But, it takes about 5 minutes to find out.