Configuring advanced settings for FTP proxy


This article applies to:

  • WebMarshal 6.1 and above

Question:

  • What is the behavior of WebMarshal with proxied FTP connections?
  • Using non-browser FTP clients (such as FileZilla or WinSCP) through WebMarshal when HTTPS inspection is enabled

Information:

Non-browser FTP clients use a HTTP proxy such as WebMarshal by issuing a HTTP 1.1 CONNECT request to the proxy (requesting a connection to the remote FTP control port, usually port 21). The server replies with a passive FTP connection on a high port.

  • In WebMarshal 6.1 through 6.5.3, when HTTPS inspection is enabled, these connections fail. The initial CONNECT request is treated as a request to create a SSL tunnel. The FTP data connection is not allowed.
  • In WebMarshal 6.5.5 and above, WebMarshal examines the content of the CONNECT request to determine if it is a FTP connection. FTP connections that are established in this way are allowed and the content is inspected as with any other FTP connection.

Configuration:

You can choose to disable the checking of the CONNECT requests, or the inspection of the FTP content sent through these connections (in WebMarshal 6.5.5 and above).

Configure these settings by adding an entry in the WebMarshal Proxy Configuration file (WMProxy.config.xml) as follows:

<WebMarshal>
   <Proxy>
     <Config>
        <FTP detectFtpTunnels="{value}" processTunnelFiles="{value}" />
     </Config>
  </Proxy>
</WebMarshal>

Where each value can be true or false.

Enter the values in lower case, not including the {} braces, but including the quote marks.

detectFtpTunnels indicates whether the Proxy will sniff CONNECT tunnels to see if they are for an FTP control channel. This is needed to pick out the IP address and port that the client will attempt to connect to. Default (if not present): true. If set to false, and HTTPS inspection is enabled, these connections will fail.

processTunnelFiles indicates whether the Proxy should intercept the data connections and treat them as file requests instead of SSL tunnels. This is what allows the WebMarshal Engine to process the files as standard FTP requests. If set to false, the data connections will simply be treated as non-inspected SSL connections and the content will NOT be scanned in any way. Default (if not present): true.

Notes:

  • This article does not apply to web browsers such as Internet Explorer. They do not use the method described here. Connections from browsers should succeed regardless of HTTPS inspection.
  • The issue with connections from non-browser clients only applies when HTTPS content inspection is enabled.
  • WebMarshal cannot proxy connections that use FTPS (FTP over TLS/SSL).
  • For general information about editing XML settings files, see article Q12705.

Last Modified 3/8/2010.
https://support.trustwave.com/kb/KnowledgebaseArticle12950.aspx