Cisco Web Security Appliance S170 User Guide
6-6
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 6 Web Proxy Services
Working with FTP Connections
The Web Security appliance Web Proxy provides proxy services for the File Transfer Protocol (FTP) as
well as HTTP. FTP is a protocol used to transfer data between computers over a network. The Web Proxy
can handle the following FTP transactions:
• FTP over HTTP. Most web browsers support FTP transactions, but sometimes the transactions are encoded inside an HTTP transaction. All policies and configuration options that apply to HTTP transactions also apply to FTP over HTTP transactions.
• Native FTP. FTP clients use FTP to transfer data without invoking an HTTP connection. Native FTP connections are treated and handled differently than HTTP connections.
The component of the Web Proxy that handles native FTP transactions is referred to as the FTP Proxy.
Native FTP connections can be served when the Web Proxy is deployed in either transparent or explicit
forward mode.
Computers that transfer data using FTP create two connections between them. The control connection is
used to send and receive FTP commands, such as RETR and STOR, and to communicate other
information, such as the connection mode and file properties. The data connection is used to transfer the
data itself. Typically, computers use port 21 for the control connection, and use a randomly assigned port
(usually greater than 1023) for the data connection.
The FTP Proxy supports the following connection modes:
• Passive. In passive mode, the FTP server chooses the port used for the data connection and communicates this assignment to the FTP client. Passive mode is typically favored in most network environments where the FTP client is located behind a firewall and inbound connections (such as from an FTP server) are blocked. The default for the FTP Proxy is passive mode.
• Active. In active mode, the FTP client chooses the port used for the data connection and communicates this assignment to the FTP server.
FTP clients may support passive mode, active mode, or both. No matter which mode the FTP client uses
to connect to the FTP Proxy, the FTP Proxy first attempts to use passive mode to connect to the FTP
server. However, if the FTP server does not allow passive mode, the FTP Proxy uses active mode.
Consider the following rules and guidelines when working with native FTP connections:
• You can define which Identity groups apply to native FTP transactions.
• You configure FTP Proxy settings that apply to native FTP connections. For more information, see
• You can configure which welcome message users see in the FTP client when they connect to an FTP server. Configure the welcome banner when you configure the FTP Proxy settings.
• You can define a custom message the FTP Proxy displays in IronPort FTP notification messages when the FTP Proxy cannot establish a connection with the FTP server for any reason, such as an error with FTP Proxy authentication or a bad reputation for the server domain name. For more information, see
• When the FTP Proxy is configured to cache native FTP transactions, it only caches content accessed by anonymous users.
• You can configure the FTP Proxy to spoof the IP address of the FTP server. You might want to do this when FTP clients do not allow passive data connections when the source IP address of the data connection (FTP server) is different than the source IP address of the control connection (FTP Proxy).
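As an added example that is not part of the Cisco guide, the following Python shows the bookkeeping behind the two data-connection modes described above: decoding the endpoint a server advertises in a PASV reply or a client sends in a PORT command, the FTP Proxy's passive-first, active-fallback choice, and a check that flags a data endpoint whose host differs from the control-connection peer (the mismatch the IP-spoofing guideline refers to) or that uses a port at or below 1023. All replies and addresses are constructed sample values.

```python
"""FTP data-connection bookkeeping as a proxy sees it (added example, not Cisco code).
Sample replies, commands and addresses are constructed."""
import re
from typing import List, Optional, Tuple

# RFC 959 encodings: "227 ... (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups) -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (dotted host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> Optional[Tuple[str, int]]:
    """Passive mode: the server chooses the data endpoint and advertises it in a 227 reply."""
    m = _PASV_RE.match(reply)
    return _decode(m.groups()) if m else None


def parse_port_command(cmd: str) -> Optional[Tuple[str, int]]:
    """Active mode: the client chooses the data endpoint and sends it in a PORT command."""
    m = _PORT_RE.match(cmd)
    return _decode(m.groups()) if m else None


def build_port_command(host: str, port: int) -> str:
    """Encode a data endpoint as a PORT command, as needed when falling back to active mode."""
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def choose_data_mode(server_reply_to_pasv: str) -> str:
    """Proxy behaviour described above: try passive first; use active if the server refuses."""
    return "passive" if parse_pasv_reply(server_reply_to_pasv) else "active"


def check_data_endpoint(control_peer_ip: str, host: str, port: int) -> List[str]:
    """Defender-side sanity checks on an advertised data endpoint; returns a list of findings."""
    issues = []
    if host != control_peer_ip:
        issues.append(f"data host {host} differs from control peer {control_peer_ip}")
    if port <= 1023:
        issues.append(f"data port {port} is at or below 1023")
    return issues


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,195,89)"  # constructed sample
    print(choose_data_mode(reply), parse_pasv_reply(reply))
    print(check_data_endpoint("192.0.2.10", "198.51.100.7", 21))
```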