Bluecoat Proxy SG device Supporting FTP

There are two deployment configurations in which you can deploy your ProxySG.  One is explicit, and the other is transparent.  Please click on the term for a definition of what each of those mean.  This document will break down the FTP proxy by deployment.
EXPLICIT DEPLOYMENTS

When authenticating and using the explicit FTP proxy, the ProxySG needs to know five pieces of information:

* Remote FTP username
* Remote FTP host
* Remote FTP user’s password
* Proxy username
* Proxy user’s password

The proxy supports two login / authentication methods.  Raptor is the default and Checkpoint is the alternate.

Most FTP clients support three functions: USER, PASS and ACCT.  The user (or a script) is required to insert the five pieces of information into these FTP commands.

Raptor login-syntax for explicit FTP:

When the FTP client responds with: USER  -the user/script enters:

<ftp-username>@<ftp-host> <proxy username>

NOTE:  delimiters are “@” and ” ” (Three pieces of information in one line)

When the FTP client responds with: PASS  -the user/script enters:

<ftp-user's password>

When the FTP client responds with:  ACCT  -the user/script enters:

<proxy user's password>

Raptor advantages:

* Default ProxySG configuration.
* Supports “@” in Proxy user’s passwords
* Supports “@” in FTP host’s user passwords

Raptor disadvantages:

* With the introduction of Microsoft Windows XP SP2, Microsoft broke the ACCT functionality in their command line FTP client.  The proxy user’s password (entered at the ACCT prompt) is shown in clear-text.  It simply does not work.

* Does NOT support a ” ” (a space) in the proxy user’s password.

Checkpoint login-syntax for explicit FTP:

When the FTP client responds with:  USER  -the user/script enters:

<ftp-username>@<proxy-username>@<ftp-host>

NOTE:  Delimiters are all “@” (Three pieces of information in one line).

When the FTP client responds with:  PASS  -the user/script enters:

<ftp-user's-password>@<proxy-user's-password>

NOTE:  Delimiter is “@” (Two pieces of information in one line).

Checkpoint advantages:

* Supports FTP Clients that do not understand the ACCT command (real old/rare)

* Supports ” ” (a space) in the Proxy user’s password.

* Supports “@” in FTP host’s user passwords.

* Works with Microsoft’s XP SP2 unpatched FTP commandline client.

Checkpoint disadvantages:

* Does NOT support a “@” in the Proxy user’s password.

TRANSPARENT DEPLOYMENTS:

Web Browser configurations and considerations:

Internet Explorer specific information

If no proxy settings are entered into Internet Explorer, the browser will attempt to do native FTP to the FTP server.  If this native traffic is redirected to the ProxySG and transparent proxy authentication is enabled, the connection will not succeed due to the fact that Internet Explorer does not understand the ACCT command to supply the proxy with a proxy authentication password.

As a workaround, Blue Coat suggests using FTP applications such as Filezille,  WS-FTP, Cute-FTP, etc., as alternatives in transparent proxy authentication environments.

If proxy authentication is not required and Internet Explorer attempts a native FTP connection, and the “Folder View” is enabled (Tools > Internet Settings > Advanced), FTP via the browser generally works well.  A username/password dialog box pops-up allowing you to provide the FTP server with credentials.

If Internet Explorer’s “Folder View” is disabled, the browser always attempts FTP connections as user :anonymous”, with a password of “proxy@” (since the connection is being proxied).

If the FTP server does not allow anonymous connections, you can try adding your FTP username and password within the URL using this format:

ftp://<username>:<password>@ftp.example.com

This may work fine, or the FTP server may send FTP responses that the browser does not understand.  Also consider whether the “plain” look of non-folder view is acceptable.  If not, use an FTP application instead of the web browser.

Firefox and other browsers:

Generally these work just fine.

FTP applications:

Configure the correct authentication syntax within the FTP application itself.

Sponsored Link

Leave a comment

Your email address will not be published. Required fields are marked *