Asked by TNGIT

Juniper ScreenOS - how to get an explicit FTPS policy working

I'm trying to use explicit FTPS to upload files to my IIS 7 FTP server.

It all works fine if I create a firewall policy to allow any data through. However, as soon as I remove this policy and replace it with a policy that just allows FTP traffic, my FTP client connects to the FTP server just fine but hangs halfway through - I believe when it hops to the encrypted port.

Can anyone provide instructions on how to get this to work?
Tags: File Sharing Software, Hardware Firewalls, Anti-Virus Apps

Last comment: 8/22/2022 (Mon)

I guess the AUTH SSL or AUTH TLS used to switch to encryption is not recognized. I suppose you defined the FTP policy with an Application Layer Gateway entry of FTP. I know that in all 6.x releases of Juniper ScreenOS the switchover from SMTP to SMTPS (and POP to POPS) does not work with the AV part, and I suspect it is similar with the FTP part and some checking rules.
If I'm right, it could work if you remove all AV, DI and similar checking (if any), and use no Application Layer Gateway in that policy.

That didn't fix it. I removed all that you said (AV, DI, Application Layer Gateway) and still the same thing.

I have a feeling it's because, from my understanding, authentication happens on port 21, and once authenticated the FTP server instructs the client to use a different port for data transfer. Could it be that because this instruction is encrypted the firewall cannot see which port to open, whereas with normal (passive) FTP it can see the same instruction and respond by opening the necessary port?
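The mechanism described in the post above, as an added example that is not part of the original thread: a minimal model of what a stateful FTP Application Layer Gateway (ALG) sees on the control channel. With plaintext FTP the gateway reads the server's 227 reply and opens a pinhole for the data connection; with explicit FTPS the AUTH TLS / 234 exchange is the last thing it can read, so the 227 that follows is a TLS record it cannot parse and no pinhole is opened. Both captures, the addresses, the user name and the ports are constructed for the demonstration.

```python
"""
Added example, not code from the original thread: a minimal model of what a
stateful FTP Application Layer Gateway (ALG) does with the control channel.
Plaintext FTP: the 227 "Entering Passive Mode" reply is readable and a pinhole
can be opened. Explicit FTPS: after AUTH TLS / 234 every segment is a TLS
record, so the 227 inside it is opaque and nothing is opened.
"""
import re

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
TLS_RECORD_TYPES = {b"\x16", b"\x17"}   # handshake, application data


def parse_pasv(reply: bytes):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def alg_view(stream):
    """
    Walk a control-channel capture, a list of (direction, bytes) tuples with
    direction "C" (client->server) or "S" (server->client), the way an ALG
    would. Returns the pinholes it could derive, whether the session switched
    to TLS, and how many TLS records it had to pass through without parsing.
    """
    encrypted = False
    pinholes = []
    opaque_records = 0
    last_cmd = b""
    for direction, data in stream:
        if encrypted:
            # After the 234 every segment is a TLS record. A 227 reply is in
            # here somewhere, but the gateway has no way to find it.
            if data[:1] in TLS_RECORD_TYPES:
                opaque_records += 1
            continue
        if direction == "C":
            last_cmd = data.strip().upper()
            continue
        if data.startswith(b"234") and last_cmd.startswith(b"AUTH"):
            encrypted = True      # explicit FTPS: the channel goes dark from here
            continue
        endpoint = parse_pasv(data)
        if endpoint:
            pinholes.append(endpoint)   # plaintext: open this TCP port for the data connection
    return {"pinholes": pinholes, "encrypted": encrypted, "opaque_records": opaque_records}


# Constructed capture: plain FTP, passive mode. 195*256+81 = 50001.
PLAINTEXT_CAPTURE = [
    ("S", b"220 Microsoft FTP Service\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS s3cret\r\n"),
    ("S", b"230 User logged in.\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,81).\r\n"),
    ("C", b"STOR report.csv\r\n"),
    ("S", b"125 Data connection already open; Transfer starting.\r\n"),
]

# Constructed capture: explicit FTPS. The bytes after the 234 are stand-ins
# for TLS records (type byte, version, length, payload); only the first byte matters here.
EXPLICIT_FTPS_CAPTURE = [
    ("S", b"220 Microsoft FTP Service\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"),
    ("C", b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),   # ClientHello
    ("S", b"\x16\x03\x03\x00\x31" + b"\x00" * 49),   # ServerHello and friends
    ("C", b"\x17\x03\x03\x00\x15" + b"\x00" * 21),   # encrypted USER / PASS / PASV
    ("S", b"\x17\x03\x03\x00\x30" + b"\x00" * 48),   # encrypted 227 reply, invisible to the ALG
]

if __name__ == "__main__":
    print("plaintext FTP :", alg_view(PLAINTEXT_CAPTURE))
    print("explicit FTPS :", alg_view(EXPLICIT_FTPS_CAPTURE))
```

The consequence for a policy that only permits TCP/21 is exactly the hang reported in the question: the client connects, negotiates TLS, is told an unreachable data port, and waits. A NAT firewall has the same problem in reverse, since the ALG can no longer rewrite the server's private address in the 227 reply either.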

I'm not experienced at all with FTPS, but the Wikipedia article says it works in passive and active mode. You can try the passive stuff, of course.
On the other hand, this is a typical Juniper Support case...
Sanga Collins posted a solution that is hidden on this page behind the site's sign-up wall.

I see, thanks sangamc.

This would mean that the FTPS ports - post the port 21 authentication bit - would be left open all the time in order for this to work?
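What a working setup for explicit FTPS through a ScreenOS firewall typically looks like, as an added example and not a configuration posted in this thread. Because the firewall cannot learn the data port from the encrypted control channel, the server is pinned to a small passive range and that range is permitted statically alongside TCP/21. The passive range 50000-50100, the server address 192.0.2.10, the public address 203.0.113.10 and the object names are assumptions; the IIS appcmd and ScreenOS commands follow the products' documented syntax, so verify them against your release before use.

```text
# --- IIS 7.x FTP server (elevated command prompt): pin the passive data-channel range.
# Server-level "FTP Firewall Support". The external address is what IIS will put in its
# 227 reply, which matters because the firewall can no longer rewrite it for NAT.
%windir%\system32\inetsrv\appcmd set config -section:system.ftpServer/firewallSupport /lowDataChannelPort:"50000" /highDataChannelPort:"50100" /commit:apphost
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:"203.0.113.10" /commit:apphost
net stop ftpsvc & net start ftpsvc

# --- Juniper ScreenOS 6.x: permit the control channel and the pinned data range in one policy.
# Assumed: FTP server 192.0.2.10 in zone Trust, clients arriving from zone Untrust.
set address "Trust" "FTP-Server" 192.0.2.10 255.255.255.255
# Custom service for the data range the FTP ALG can no longer discover from the 227 reply.
set service "FTPS-Passive-Data" protocol tcp src-port 0-65535 dst-port 50000-50100
# Group the predefined FTP service (TCP/21) with the passive range.
set group service "FTPS-Explicit" add "FTP"
set group service "FTPS-Explicit" add "FTPS-Passive-Data"
set policy id 10 from "Untrust" to "Trust" "Any" "FTP-Server" "FTPS-Explicit" permit log
```

To the question above: yes, the range stays permitted in the policy permanently, which is the price of the encrypted control channel. Keep the range as narrow as the expected number of concurrent transfers allows, restrict the source addresses in the policy where the client population is known, and remember that the server only listens on a port in that range while a transfer is pending, so nothing accepts connections there the rest of the time.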