Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 15 replies
  • Subscribers 4 subscribers
  • Views 20378 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FTP Sites - Authorization required

JonnyMD23
Hi,

I'm having a few issues with allowing FTP sites for normal users.

When the FTP site requires a username and password, the Astaro blocked the site stating that "Authorization required".

I have allowed the FTP service in here - 
Web Security -> HTTP/S -> Advanced -> Misc Settings -> Allowed Target Services

I also have found an Astaro KB article describing my problem
https://support.astaro.com/support/index.php/Enter_FTP_Site_Password_in_IE_via_HTTP-Proxy

This seems to suggest that you have to change the URL inorder for Astaro to understand the request. I hope you can appreciate that normal users won't understand what they need to do and I was hoping there is a setting to allow the username and password prompt to appear when you just hit the ftp://ftpsite.com

Please let me know if this is possible or a suitable alternative to make it as easy as possible for users to access their ftp sites.

Thanks in advance!

Jonny


This thread was automatically locked due to age.
  • 0 in reply to DouglasFoster

    If the browser is using the proxy explicitly, it handles FTP and the FTP Proxy doesn't get a look at the request.  If Web Filtering is in Transparent and FTP Proxy is in Both or Transparent, the FTP Proxy handles the request.  Could you tell from the FTP log whether it had handled the browser traffic at all?

    I prefer to use Both and do FTP with FileZilla.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I understood the theory, but the debugging process was challenging.

    The Standard Web proxy, which also handles FTP, logged the traffic as passed, because it was not blocking anything.   But the remote site rejected the traffic because the credentials had been stripped.   I was looking for a block entry that was not there.

    When I disabled Standard Web, Transparent Web and Transparent FTP automatically kicked in, but the logging for Transparent FTP is nearly useless (I do have "Log FTP data" enabled on the Firewall Advanced settings.)   Here is an excerpt:

    2018:03:08-13:37:12 defense frox[24698]: Connect from 192.168.2.68
2018:03:08-13:37:12 defense frox[24698]: ... to 194.116.180.152()
2018:03:08-13:37:14 defense frox[24698]: PASV: 194.116.180.152:50048
2018:03:08-13:37:14 defense frox[24698]: Connection refused when trying to connect to 194.116.180.152
2018:03:08-13:37:14 defense frox[24698]: Failed to contact server data port
2018:03:08-13:40:07 defense frox[24698]: Client closed connection
2018:03:08-13:40:07 defense frox[24698]: Closing session

    Eventually, I used an off-network laptop to prove that their server was working and the URL-embedded credentials were valid, so the problem HAD to be caused by UTM, even though UTM said it was letting everything through.

    Just to add salt to the wound, when I tried to switch to an FTP client, I parsed the URL entry incorrectly so my login did not work at first.  Eventually, I got my credentials straight and finally understood that the Standard Web log was lacking credentials from the URL entry, so the credentials had been stripped.

    It was a surprise that the credentials were not relayed, so I thought it was worth noting for the future.   

    FTP with credentials is an odd configuration, since FTP is unencrypted for both login and data transfer.   So in a perfect world, this should not matter because no one should be using it.

  • 0 in reply to DouglasFoster

    Doug, don't you think you found a bug?  I don't think the Web Proxy should have stripped the credentials.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Maybe so.  I will ask support if it is by design or by accident.   I tend to assume a lot of UTM's odd behaviors are considered features.

  • 0 in reply to DouglasFoster

    Hi Douglas, 

    If this issue is already reported and investigated by the support team then please PM me the case ID so that it helps me to coordinate with them and the developers.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML