FTP and BorderManager - The Basics
Novell Cool Solutions: Tip
Posted: 30 Sep 2004
An admin recently reported the following problem:
"I'm having a big problem with Internet Explorer and FTP Proxy on BorderManager. I am using IE6 and I already have ftp proxy set to port 8080, this only seems to work for anonymous ftp sites. I am trying to connect to a ftp site on port 510 that requires a username and password so I enter the site as ftp://username:password@ftpserver:510. This doesn't work; should I take BorderManager off and use a hardware firewall rather than installing a pure FTP client on each machine and training the users?"
And here's some timely advice on the matter from one of our sysops ...
BorderManager can do what you want in multiple ways, probably much better than most hardware firewalls on the market. However, there is some confusion about the various methods you can use to access FTP servers, paired with the confusing way IE can be set up, along with potential port oddities in FTP servers.
Here's the scoop:
- In general, FTP servers can be accessed using "real FTP" (using a pure FTP client), or they can be accessed by Web browsers, using FTP over HTTP. FTP over HTTP does allow authentication, but it does not allow uploads in any way, regardless of whether or not you authenticate. It's a pure read-only solution, and the authentication only helps to read files anonymous users can't see.
- If you want to access FTP servers in real FTP mode, you must use either the FTP proxy or filter exceptions. You can't use the HTTP proxy for that, as it only allows FTP over HTTP.
- IE can do both: it can access FTP servers using real FTP, or it can access them over HTTP. This is configurable in IE, with the misleading option name "Use folder view for FTP". When "folder view" in IE is enabled, it acts like a real native FTP client, and no longer like a Web browser. With this enabled, IE is also capable of uploading files to FTP servers, just like any other FTP client.
- The FTP protocol is really closely tied to port 21, as FTP needs special handling at the TCP/IP level of the firewall. That said, if your FTP server is listening on a non-standard port, it can make matters really complicated. There are quite a few firewall products on the market that will not be able to let you access such a server, no matter what you do.
What exactly are you trying to achieve with the FTP server - do you need to upload files to it, or do you only need to access it using authentication? Once you decide this, you can determine the best strategy going forward. Basically, for the FTP proxy, you must point the FTP client to connect to "your BM" and supply the real target server in the URL. Check the documentation of the FTP proxy for details if needed.
However, I have no idea if and how the FTP proxy could connect to FTP servers running on non-standard ports, so your better option seems to be to define the necessary FTP filter exceptions for port 510. Then configure IE to not use a proxy for FTP at all, but instead to connect to the target directly using NAT and filter exceptions.
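The special handling FTP needs at the firewall, mentioned in the list above, exists because the control channel announces a separate data connection inside its payload (PORT commands and 227 PASV replies, as defined in RFC 959). The Python below is an added example, not part of the original tip and not BorderManager code: it decodes those announcements and models a firewall helper that only inspects control traffic on known ports. The `pinholes` model, the function names and the sample traffic are constructed assumptions.

```python
import re

# RFC 959 encodes the data-channel endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(control_line):
    """Return (ip, port) announced by a PORT command or a 227 PASV reply, else None."""
    line = control_line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227")):
        return None
    m = _ENDPOINT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed: each field must fit in one byte
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def pinholes(packets, helper_ports=(21,)):
    """Simplified model of a stateful firewall's FTP helper (hypothetical).

    packets is an iterable of (control_port, control_line) pairs. Control
    traffic on a port outside helper_ports is not treated as FTP.
    """
    opened = []
    for control_port, line in packets:
        if control_port not in helper_ports:
            continue  # payload is never inspected, so no data port is learned
        endpoint = data_endpoint(line)
        if endpoint is not None:
            opened.append(endpoint)
    return opened


# Constructed sample traffic using documentation addresses (not from the page)
SAMPLE = [
    (21, "227 Entering Passive Mode (192,0,2,10,195,80)"),
    (510, "227 Entering Passive Mode (192,0,2,20,195,81)"),
    (21, "PORT 198,51,100,7,4,1"),
    (21, "230 User logged in"),
]

if __name__ == "__main__":
    print(pinholes(SAMPLE))             # helper watching port 21 only
    print(pinholes(SAMPLE, (21, 510)))  # helper also told about port 510
```

With the helper watching only port 21, the data endpoint negotiated over the port 510 control connection is never learned, so the data connection has no matching rule unless an explicit filter exception covers it.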