Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 5 Web Proxy Services
Working with FTP Connections
  • If the connection between the FTP Proxy and the FTP server is slow, uploading a large file may take
    a long time when Cisco IronPort Data Security Filters are enabled. If the FTP client times out before
    the FTP Proxy uploads the entire file, users may notice a failed transaction.
  • FTP clients can specify any TCP port for the control connection as long as they use proper
    formatting (hostname:port).
  • Regardless of which mode the FTP client uses to connect to the FTP Proxy, the FTP Proxy first
    attempts to use passive mode to connect to the FTP server. However, if the FTP server does not allow
    passive mode, the FTP Proxy uses active mode.
  • Access logs include entries for when users first start a native FTP session. Search the access log file
    for “FTP_CONNECT” (explicit forward connections) and “FTP_TUNNEL” (transparent
    connections).

Using Authentication with Native FTP

The FTP Proxy performs user authentication to control which users can make native FTP requests. This
user authentication determines which policy groups apply to the native FTP transaction.

However, due to the nature of FTP and FTP clients, only the following transactions can authenticate
users for native FTP transactions:
  • Explicit forward connections.
  • Transparently redirected connections under any of the following conditions:
      – When users are identified transparently using either Novell eDirectory or Active Directory.
      – When the authentication surrogate is IP address and users make an HTTP transaction before the
        FTP transaction.
      – When users are remote users and they are identified by a Cisco adaptive security appliance using
        the Secure Mobility solution.

Due to this limitation, you may want to configure at least one Identity and Access Policy for native FTP
transactions that do not require authentication when the Web Proxy is deployed in transparent mode.
This allows all FTP connections that are transparently redirected to the Web Security appliance to work.
If authentication is required for all policy groups, some transparently redirected native FTP transactions
will fail. For example, transparently redirected native FTP transactions that use cookie authentication
surrogates will fail.

You can configure the authentication format the FTP Proxy uses when communicating with FTP clients.
The FTP Proxy supports the following formats for proxy authentication:
  • Check Point. Uses the following formats:
      – User: ftp_user@proxy_user@remote_host
      – Password: ftp_password@proxy_password
  • Raptor. Uses the following formats:
      – User: ftp_user@remote_host proxy_user
      – Password: ftp_password
      – Account: proxy_password
  • No Proxy Authentication. Uses the following formats:
      – User: ftp_user@remote_host
      – Password: ftp_password
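
The three login formats above, shown as a small parser. This is an added example, not code from Cisco or the appliance: the function names, the format keywords ("checkpoint", "raptor", "none") and the sample values are hypothetical. It assumes fields are split on the right-most separator, since the guide does not say how an "@" inside a user name or password is handled, and that remote_host is a hostname or IPv4 address with an optional :port.

```python
# Added example: split FTP login fields per the three formats listed above.
# Assumption: fields are split on the right-most separator; the guide does not
# say how '@' inside a password or user name is handled.

def _target(text, default_port=21):
    """Split remote_host or remote_host:port (hostname or IPv4 only)."""
    host, sep, port = text.partition(":")
    if not host or (sep and not port.isdigit()):
        raise ValueError(f"bad remote host {text!r}")
    return host, int(port) if sep else default_port

def parse_ftp_proxy_login(fmt, user, password, account=None):
    """Return the fields carried in USER / PASS / ACCT for one format."""
    proxy_user = proxy_password = None
    if fmt == "checkpoint":
        u, p = user.rsplit("@", 2), password.rsplit("@", 1)
        if len(u) != 3 or len(p) != 2:
            raise ValueError("expected ftp_user@proxy_user@remote_host "
                             "and ftp_password@proxy_password")
        ftp_user, proxy_user, target = u
        ftp_password, proxy_password = p
    elif fmt == "raptor":
        left, space, proxy_user = user.rpartition(" ")
        ftp_user, at, target = left.rpartition("@")
        if not space or not at or account is None:
            raise ValueError("expected 'ftp_user@remote_host proxy_user' "
                             "plus an Account value")
        ftp_password, proxy_password = password, account
    elif fmt == "none":
        ftp_user, at, target = user.rpartition("@")
        if not at:
            raise ValueError("expected ftp_user@remote_host")
        ftp_password = password
    else:
        raise ValueError(f"unknown format {fmt!r}")
    host, port = _target(target)
    return {"ftp_user": ftp_user, "ftp_password": ftp_password,
            "proxy_user": proxy_user, "proxy_password": proxy_password,
            "remote_host": host, "remote_port": port}

if __name__ == "__main__":
    # Constructed sample: anonymous FTP with an e-mail address as password.
    print(parse_ftp_proxy_login("checkpoint",
                                "anonymous@alice@ftp.example.net:2121",
                                "me@example.com@s3cret"))
```

In the Check Point format a proxy password that itself contains "@" cannot be told apart from the separator under this splitting rule, which is worth keeping in mind when testing client configurations against that format.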