Cisco Web Security Appliance S690 User Guide

IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
WORKING WITH FTP CONNECTIONS
The Web Security appliance Web Proxy provides proxy services for the File Transfer Protocol 
(FTP) as well as HTTP. FTP is a protocol used to transfer data between computers over a 
network. The Web Proxy can handle the following FTP transactions:
• FTP over HTTP. Most web browsers support FTP transactions, but sometimes the 
transactions are encoded inside an HTTP transaction. All policies and configuration 
options that apply to HTTP transactions also apply to FTP over HTTP transactions.
• Native FTP. FTP clients use FTP to transfer data without invoking an HTTP connection. 
Native FTP connections are treated and handled differently than HTTP connections. 
The component of the Web Proxy that handles native FTP transactions is referred to as the FTP 
Proxy. 
Native FTP connections can be served when the Web Proxy is deployed in either transparent 
or explicit forward mode.
Computers that transfer data using FTP create two connections between them. The control 
connection is used to send and receive FTP commands, such as RETR and STOR, and to 
communicate other information, such as the connection mode and file properties. The data 
connection is used to transfer the data itself. Typically, computers use port 21 for the control 
connection, and use a randomly assigned port (usually greater than 1023) for the data 
connection. 
The FTP Proxy supports the following connection modes:
• Passive. In passive mode, the FTP server chooses the port used for the data connection 
and communicates this assignment to the FTP client. Passive mode is typically favored in 
most network environments where the FTP client is located behind a firewall and inbound 
connections (such as from an FTP server) are blocked. The default for the FTP Proxy is 
passive mode. 
• Active. In active mode, the FTP client chooses the port used for the data connection and 
communicates this assignment to the FTP server.
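The following added example (not part of the Cisco guide) reads a control-connection exchange and reports which side chose the data port, and therefore which side must accept the incoming data connection. It assumes the standard RFC 959 PORT command and 227 reply formats; the sample lines, addresses and file names are constructed.

```python
import re

# Constructed control-connection lines ("C:" client command, "S:" server reply).
# Addresses are documentation ranges; file names are made up.
SAMPLE_PASSIVE = [
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: RETR report.pdf",
]
SAMPLE_ACTIVE = [
    "C: PORT 198,51,100,7,4,1",
    "S: 200 PORT command successful",
    "C: STOR upload.bin",
]

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (six decimal octets).
HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(n) for n in m.groups()]
    if any(n > 255 for n in octets):
        return None
    return ".".join(str(n) for n in octets[:4]), octets[4] * 256 + octets[5]


def data_connection(lines):
    """Report the mode, which side listens for the data connection, and where."""
    info = {"mode": None, "listener": None, "endpoint": None, "transfer": None}
    for line in lines:
        side, _, msg = line.partition(": ")
        verb = msg.split(" ", 1)[0].upper()
        if side == "C" and verb == "PORT":
            # Active: the client picked the port and tells the server.
            info.update(mode="active", listener="client", endpoint=decode_hostport(msg))
        elif side == "S" and verb == "227":
            # Passive: the server picked the port and tells the client.
            info.update(mode="passive", listener="server", endpoint=decode_hostport(msg))
        elif side == "C" and verb in ("RETR", "STOR"):
            info["transfer"] = verb
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_PASSIVE, SAMPLE_ACTIVE):
        print(data_connection(sample))
```

In the active sample the listener is the client, so the server's data connection arrives inbound at the client, which is the case a client-side firewall blocks.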
Consider the following rules and guidelines when working with native FTP connections:
• You can define which Identity groups apply to native FTP transactions. 
• You configure FTP Proxy settings that apply to native FTP connections. For more 
• You can configure which welcome message users see in the FTP client when they connect 
to an FTP server. Configure the welcome banner when you configure the FTP Proxy 
settings.
• You can define a custom message the FTP Proxy displays in IronPort FTP notification 
messages when there is an error with FTP Proxy authentication. For more information, see 
“Working with IronPort FTP Notification Messages” on page 257.