Cisco Web Security Appliance S190 User Guide
Chapter 5 Web Proxy Services
Working with FTP Connections
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
– User: ftp_user@proxy_user@remote_host
– Password: ftp_password@proxy_password
• Raptor. Uses the following formats:
– User: ftp_user@remote_host proxy_user
– Password: ftp_password
– Account: proxy_password
When using authentication with native FTP, ensure that the FTP client uses the
same authentication settings configured for the FTP Proxy.
Note
Be careful when requiring authentication for native FTP transactions. FTP is
inherently insecure because data (including the authentication credentials) is
transmitted directly over the wire without encryption.
Working with Native FTP in Transparent Mode
When the Web Security appliance is deployed in transparent mode, FTP clients
typically are not explicitly configured to use the FTP Proxy. Native FTP
connections are transparently redirected to the FTP Proxy and then processed.
When a native FTP request is transparently redirected to the FTP Proxy, it
contains no hostname information for the FTP server, only its IP address. Because
of this, the FTP Proxy only matches native FTP transactions with IP addresses
configured in the Access Policies.
The predefined URL categories and Web Reputation Filters block by hostname
and IP address, but for some servers they may have only hostname information
and not the server’s IP address. For example, if the “News” predefined URL
category contains cnn.com but not the corresponding IP address for that
server, and that URL category is configured to block, then native FTP
connections to cnn.com will successfully connect instead of being blocked.
Therefore, to make sure the FTP Proxy blocks native FTP connections to certain
sites, you must create custom URL categories and enter the IP addresses in the list
of sites to block or in the regular expression field.
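The hostname-only gap described above can be audited before it shows up in production. The following is an added example, not code from the Cisco guide or the appliance: a simplified model of IP-only matching for transparently redirected native FTP, with hypothetical function names and a constructed resolver table that uses documentation addresses.

```python
import ipaddress

# Constructed sample resolver data. 192.0.2.0/24 is a documentation range,
# not the real addresses of cnn.com.
SAMPLE_DNS = {"cnn.com": ["192.0.2.10", "192.0.2.11"]}


def sample_resolve(hostname):
    """Hypothetical offline resolver; swap in real DNS lookups in practice."""
    return SAMPLE_DNS.get(hostname, [])


def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def transparent_ftp_blocked(category, server_ip):
    """A transparently redirected native FTP request carries only the server
    IP, so only the IP entries of a blocked category can match it."""
    blocked = {ipaddress.ip_address(e) for e in category if is_ip(e)}
    return ipaddress.ip_address(server_ip) in blocked


def missing_ip_entries(category, resolve):
    """Map each hostname entry to the resolved IPs the category lacks."""
    present = {ipaddress.ip_address(e) for e in category if is_ip(e)}
    gaps = {}
    for host in (e for e in category if not is_ip(e)):
        missing = [ip for ip in resolve(host)
                   if ipaddress.ip_address(ip) not in present]
        if missing:
            gaps[host] = missing
    return gaps


def custom_category(category, resolve):
    """Original entries plus the IPs to enter in a custom URL category."""
    extra = [ip for ips in missing_ip_entries(category, resolve).values()
             for ip in ips]
    return list(category) + extra


if __name__ == "__main__":
    news = ["cnn.com"]
    print(transparent_ftp_blocked(news, "192.0.2.10"))
    print(custom_category(news, sample_resolve))
```

A hostname can resolve to different addresses over time, so the audit is worth re-running on a schedule and after any change to the blocked categories.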