Cisco Web Security Appliance S680 User Guide
Chapter 5: Web Proxy Services
• When the FTP Proxy is configured to cache native FTP transactions, it only caches content
accessed by anonymous users.
• You can configure the FTP Proxy to spoof the IP address of the FTP server. You might want
to do this when FTP clients do not allow passive data connections when the source IP
address of the data connection (FTP server) is different than the source IP address of the
control connection (FTP Proxy).
• If the connection between the FTP Proxy and the FTP server is slow, uploading a large file
may take a long time when IronPort Data Security Filters are enabled. If the FTP client
times out before the FTP Proxy uploads the entire file, users may notice a failed
transaction.
Using Authentication with Native FTP
The FTP Proxy performs user authentication to control which users can make native FTP
requests. This user authentication determines which policy groups apply to the native FTP
transaction.
However, due to the nature of FTP and FTP clients, only explicit forward connections can
authenticate users for native FTP transactions. Due to this limitation, you must configure at
least one Identity and Access Policy for native FTP transactions that do not require
authentication when the Web Proxy is deployed in transparent mode. This allows FTP
connections that are transparently redirected to the Web Security appliance to work. If
authentication is required for all policy groups, transparently redirected native FTP transactions
will fail.
You can configure the authentication format the FTP Proxy uses when communicating with
FTP clients. The FTP Proxy supports the following formats for proxy authentication:
• Check Point. Uses the following formats:
  • User: ftp_user@proxy_user@remote_host
  • Password: ftp_password@proxy_password
• Raptor. Uses the following formats:
  • User: ftp_user@remote_host proxy_user
  • Password: ftp_password
  • Account: proxy_password
When using authentication with native FTP, ensure that the FTP client uses the same
authentication settings configured for the FTP Proxy.
Note — Be careful when requiring authentication for native FTP transactions. FTP is
inherently insecure because data (including the authentication credentials) is transmitted
directly over the wire without encryption.
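The two proxy authentication formats listed above, as an added example that is not part of the Cisco guide: a Python helper that composes the USER, PASS and ACCT values for each format and returns the cleartext control-connection lines the note refers to. The function names, the format labels "checkpoint" and "raptor", and the rule of rejecting any field that contains its own delimiter are assumptions of this example, not documented appliance behavior.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FtpLogin:
    """Values an FTP client sends in the USER, PASS and ACCT commands."""
    user: str
    password: str
    account: Optional[str] = None  # only the Raptor format uses ACCT


def _check(name, value, forbidden):
    # Assumption of this example: a field that contains its own delimiter
    # cannot be split back unambiguously, so refuse it rather than guess.
    if not value:
        raise ValueError(f"{name} is empty")
    for ch in forbidden:
        if ch in value:
            raise ValueError(f"{name} contains delimiter {ch!r}")


def build_login(fmt, ftp_user, ftp_password, proxy_user, proxy_password, remote_host):
    """Compose the login fields for the 'checkpoint' or 'raptor' format."""
    _check("remote_host", remote_host, "@ ")
    if fmt == "checkpoint":
        # User: ftp_user@proxy_user@remote_host, Password: ftp_password@proxy_password
        for name, value in (("ftp_user", ftp_user), ("proxy_user", proxy_user),
                            ("ftp_password", ftp_password), ("proxy_password", proxy_password)):
            _check(name, value, "@")
        return FtpLogin(f"{ftp_user}@{proxy_user}@{remote_host}",
                        f"{ftp_password}@{proxy_password}")
    if fmt == "raptor":
        # User: ftp_user@remote_host proxy_user, Password: ftp_password, Account: proxy_password
        _check("ftp_user", ftp_user, "@ ")
        _check("proxy_user", proxy_user, " ")
        return FtpLogin(f"{ftp_user}@{remote_host} {proxy_user}",
                        ftp_password, proxy_password)
    raise ValueError(f"unknown format {fmt!r}")


def control_lines(login):
    """The cleartext lines that would appear on the FTP control connection."""
    lines = [f"USER {login.user}", f"PASS {login.password}"]
    if login.account is not None:
        lines.append(f"ACCT {login.account}")
    return lines
```

An anonymous login whose password is an e-mail address is accepted for the Raptor format but rejected for Check Point, because the extra `@` would make the combined password field ambiguous.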