Académique Documents
Professionnel Documents
Culture Documents
Currently on the Cisco Web Security Appliance (WSA), we support three methods of FTP proxy.
These methods use different techniques to communicate. Below are some details:
This method is commonly used by web browsers (IE, Firefox, Opera). It is rather a unique technique where
"Client > WSA" communication is done purely in HTTP, and "WSA > Internet" uses FTP to
communicate. Once the WSA receives its response from the FTP server, the WSA determines whether the
requested object is a directory or a file. If the object being accessed is a directory, the WSA would compose a
directory listing written in HTML which is then forwarded to the client. If the requested object is a file, the
WSA would download the file, and stream it to the client.
Below is an example of what you would see in access log for "FTP over HTTP"
This method requires you to allow majority of the ports under "Web Security Manager" > "Web Access
Policies" > "Applications" > "HTTP CONNECT Ports". Typically FTP servers should open ports between
49152 65535, but in a lot of cases, they would use ports 1024 65535. These ports would be used when
FTP client issues "PASV" command when establishing it's data channel.
If everything goes well, you would see two entries in your access log
The above logs show that both control channel (first log line) and data channel (second log line) has
successfully established.
Filezilla is one example of an application which supports this kind of transaction. To enable this feature on
Filezilla, please go under:
Edit > Settings > Proxy Setting and select proxy type to "HTTP 1.1", enter other necessary details if needed.
In either of the above methods, "Client WSA" only needs the proxy port to be open, and "WSA Internet"
needs all outbound ports to be opened.
Native FTP
In this method the FTP client will connect to the WSA on port 21 or port 8021, depending on whether the
proxy has been implemented in transparent mode or explicit mode, respectively. Communication between the
FTP client and WSA is based purely of FTP. For native FTP the connection details can be view in the FTP
Proxy Logs. The actual file transfer and listing of directories can however still be viewed in the access log.
Below are a few examples of what you would see in access log for "Native FTP"