Cisco Web Security Appliance S360 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 5 Web Proxy Services
Working with FTP Connections
When using authentication with native FTP, ensure that the FTP client uses the same authentication
settings configured for the FTP Proxy.
You can use spaces and the @ character in FTP user names. However, you must precede these characters
with a backslash character (\).
Note
Be careful when requiring authentication for native FTP transactions. FTP is inherently insecure because
data (including the authentication credentials) is transmitted directly over the wire without encryption.
Working with Native FTP in Transparent Mode
When the Web Security appliance is deployed in transparent mode, FTP clients typically are not
explicitly configured to use the FTP Proxy. Native FTP connections are transparently redirected to the
FTP Proxy and then processed.
When a native FTP request is transparently redirected to the FTP Proxy, it contains no hostname
information for the FTP server, only its IP address. Because of this, the FTP Proxy only matches native
FTP transactions with IP addresses configured in the Access Policies.
The predefined URL categories and Web Reputation Filters block by hostname and IP address, but for
some servers they may have only hostname information and not the server’s IP address. For example, if
the “News” predefined URL category contains cnn.com, but not the corresponding IP address for that
server, and that URL category is configured to block, then native FTP connections to cnn.com will
successfully connect instead of being blocked. Therefore, to make sure the FTP Proxy blocks native FTP
connections to certain sites, you must create custom URL categories and enter the IP addresses in the
list of sites to block or in the regular expression field.
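The following is an added example, not part of the Cisco guide or AsyncOS: a Python audit that compares the IP list of a custom URL category with the addresses the blocked hostnames currently resolve to, so gaps that would let transparently redirected native FTP through are visible. The function names, host names and addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data: documentation-range addresses, not real servers.
SAMPLE_DNS = {
    "ftp.news.example": {"192.0.2.10", "192.0.2.11"},
    "files.example": {"198.51.100.7", "2001:db8::7"},
}

def sample_resolver(host):
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return SAMPLE_DNS[host]

def dns_resolver(host):
    """Live lookup: every address DNS currently returns for host."""
    infos = socket.getaddrinfo(host, 21, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def audit_category(blocked_hosts, category_ips, resolver=dns_resolver):
    """Compare a custom URL category's IP list with what blocked hostnames resolve to.

    Returns (missing, stale, unresolved):
      missing    - host -> addresses a redirected native FTP request could carry
                   that the category does not list
      stale      - listed addresses that no blocked hostname resolves to any more
      unresolved - hostnames that did not resolve
    """
    listed = {ipaddress.ip_address(ip) for ip in category_ips}
    seen, missing, unresolved = set(), {}, []
    for host in blocked_hosts:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(host)
            continue
        seen |= addrs
        gap = addrs - listed
        if gap:
            missing[host] = sorted(map(str, gap))
    stale = sorted(str(ip) for ip in listed - seen)
    return missing, stale, unresolved

if __name__ == "__main__":
    hosts = ["ftp.news.example", "files.example", "gone.example"]
    print(audit_category(hosts, ["192.0.2.10", "203.0.113.5"], sample_resolver))
```

Hostnames served from several or changing addresses need this audit rerun regularly, because the custom category only blocks the addresses that were entered.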
Configuring FTP Proxy Settings
The FTP Proxy settings apply to native FTP connections. To configure proxy settings that apply to FTP
over HTTP connections, configure the Web Proxy. For more information, see
Step 1 Navigate to the Security Services > FTP Proxy page, and click Edit Settings.
Step 2 Verify that the Enable FTP Proxy field is selected.
Step 3 Configure the basic and advanced FTP Proxy settings.
Table 5-2
Property | Description
Proxy Listening Port | Specify the port FTP clients should use to establish a control connection with the FTP Proxy.
Caching | Choose whether or not to cache contents of data connections from anonymous users.
Server Side IP Spoofing | Choose whether or not the FTP Proxy should spoof the FTP server IP address. You might want to do this for FTP clients that do not allow transactions when the IP address is different for the control and data connections.