Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 4 subscribers
  • Views 4230 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM can't connect to FTP via TLS

Dieter Senf

Hi there,

 

i try to ask my Question in English to get more answers. But normally i'am German.

 

So my Problem is that i have now a SG210 and actually for my uses Configured without any Problems.

But the only Problem i have is to get an Connection to an FTP Server in the WWW.

The Connection will be established when i disable TLS connection in FileZilla, but with activated TLS nothing happens.

 

What can i do? I have tried different solution wich i found in this community or in the WWW, but nothing helps.

I tried the FTP Proxy but this wouldn't work for me too.

 

When i establish a connection without the Sophos UTM SG210, so directly trough my Router, everything works well.

 

So for better understanding here are some information i get from the UTM and Filezilla and some configurations i set and get out.

######

- The FTP Helper is activated!

 

###

-The UTM Firewall Log:

11:46:38 Standard-VERWERFEN TCP  
10.x.xx.x : 57111
85.xx.xx.x : 50201
 
[SYN] len=64 ttl=63 tos=0x00 srcmac=ac:87:a3:28:x:x dstmac=7c:5a:1c:49:x:x

 

When i select that TLS will not be used, this comes out:

 

11:50:56 FTP-Datenverbindung TCP  
10.x.x.x : 57150
85.x.x.x : 50235
 
[SYN] len=64 ttl=64 tos=0x00 srcmac=ac:87:a3:28:x:x dstmac=7c:5a:1c:49:x:x

 

###

- The Log from FileZilla:

Status:          Resolving address of xxx.kasserver.com
Status:          Connecting to 85.xx.xx.x:21...
Status:          Connection established, waiting for welcome message...
Status:          Initializing TLS...
Status:          Verifying certificate...
Status:          TLS connection established.
Status:          Logged in
Status:          Retrieving directory listing...

###

 

I hope this is enough information.



This thread was automatically locked due to age.
Parents
  • 0

    Hi Dieter,

    I guess you only have a firewall rule which allows FTP from Internal to Internet.

    The problem lies in the FTP-protocol itself. In a normal (not TLS) active FTP-connection, the client tells the server in a control-session (Port 21) on which high port he awaits the data. The Firewall listens to this control-session and opens this ports. If the control-session is encrypted, the firewall can't see this negotiation and therefore don't open the ports. This will only work if you open all TCP-Highports from Internal to the Internet and switch the client to passive mode (which reverse the initiation of data-connection).

    In my opinion "TLS-enhanced FTP" is a bad hack, use SFTP (based on ssh) instead.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • 0 in reply to JosefBergmann

    Hallo Herr Bergmann,

     

    das ging ja schnell und hat mir zumindest hierzu eine Lösung gegeben! Über SFTP/SSH funktioniert es einwandfrei. DANKE!

     

    Jetzt stellt sich für mich die Frage falls ich diese option nicht habe, was ich in Zukunft dann machen würde oder kann.

    Das mit den Highports ist ja in diesem Fall wahrsch der Port 57111 oder 50201. Wenn ich diese öffne, bzw. wenn diese offen sind sollte es auch mit TLS funktionieren? Zumindest habe ich das aus deinem Beitrag so verstanden.

     

    Dann müsste ich mal schauen wie man diese öffnet, weil diese ändern sich ja mit jedem Verbindungsaufbau ständig.

  • 0 in reply to Dieter Senf

    Also so kriege ich auch eine Verbindung via TLS mit den High Ports. Aber bis auf die FTP mit TLS Verbindung die ja nicht so sicher ist wie die SFTP mit verschlüsselung ist so eine Konfiguration ja jetzt völlig fahrlässig oder?

    Das sind ja jetzt alle Ports von 1-65535 offen.

     

    Wie kann man sowas eleganter lösen?

     

     

  • 0 in reply to Dieter Senf

    Hi Dieter,

    I antworte in Englisch, weil das die Sprache in dem Forum ist.

    The ports will be different on every FTP-Session. So you only have the option to allow all TCP-highports (add new Service "AnyTCP": Type TCP, Destination Port 1024:65535) from Internal to Internet.

    There is no other solution. As said, try to avoid TLS-FTP, because it's not compatible with any stateful firewall. Use SFTP.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • +1 in reply to Dieter Senf

    Hallo Dieter,

    willst Du es eleganter lösen, musst Du auf deinem FTP Server die Datenports festlegen z.B. 50000-51000.

    Anschließend kannst Du auf deiner UTM eine Definition erstellen, die diese Datenports enthält.

    Dann benötigst Du nur Port 21 und die Datenports in der Regel beachten.

    Gruß
    DKKDG

  • +1 in reply to DKKDG

    As you said, this only works if you have admin-access to all FTP-servers which your users need with TLS-FTP.

    Try to avoid this crappy protocols, finally you make giant punchholes in your firewall. Use SFTP (over and out :-)

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • 0 in reply to JosefBergmann

    @ DKKDG 

    Danke dir für den Tipp! Das wäre ein guter Weg für eine Notlösung! :-)

    @ JosefBergmann

    I will use only SFTP in the future! Best thanks for this way, because i have forgotten that this is one more way to establish a FTP connection. And it works perfect with the Firewall!

     

    Thanks a lot for this fast and perfect HELP from you Guys!!!

Reply
  • 0 in reply to JosefBergmann

    @ DKKDG 

    Danke dir für den Tipp! Das wäre ein guter Weg für eine Notlösung! :-)

    @ JosefBergmann

    I will use only SFTP in the future! Best thanks for this way, because i have forgotten that this is one more way to establish a FTP connection. And it works perfect with the Firewall!

     

    Thanks a lot for this fast and perfect HELP from you Guys!!!

Children
No Data
Unfiltered HTML