

Passive ftp with SSL over NAT

Posted on 2011-09-08
Medium Priority
Last Modified: 2012-05-12
I currently use the SLift Pro ftp product (google with keywords "SLift privylink") without SSL enabled (but the files are sort of hashed/encrypted at one end & when transferred over, they're unhashed/decrypted), but our customer (the remote end whom we have data interchange with) now wants SSL to be enabled, as Internet file transfer needs better security than the current method, & this is the challenge facing me now.

SLIFT Pro's data transfer mechanism is implemented based on the FTP protocol. When SSL is not enabled/used, firewall configuration between server and clients is quite straightforward (& is currently working in our environment) as most firewall products can support the FTP protocol without any issue. Server and client hosts can use private IP addresses with NAT enabled at both ends' firewalls/routers. NAT will translate IP address information in FTP protocol communication messages from public to private, or private to public, automatically and do the necessary port forwarding actions in context.

But when SSL is enabled to protect the data/messages, the message content will become unknown to the firewall servers/network routers. For this reason, NAT will not be possible anymore as firewalls/network routers will not be able to translate the IP address information in the 'encrypted' data packets. When this issue happens, the server will request a connected client to establish a new connection to server's private IP address for data transfer. Subsequently, client will follow the incorrect instruction (as not modified by NAT) to attempt to make a connection to server's private IP address.

Customer does not agree to replace SSL with an SSH tunnel (ie ftp over SSH tunnel/VPN).

I'm setting up a test network at my end to do a more rigorous test. Any suggestions on how I can approach this troubleshooting? Checking the firewall console for denied access? Any way to check for NAT not being successfully translated?

Can I run netstat or some sort of tool to sniff (both client & server are Windows 2003)?

Question by: sunhux

Assisted Solution

shahravish earned 400 total points
ID: 36504709
I have done a similar deploy for a few clients in the past. I can't recall exactly, but there is a way (either implicit/explicit) which allows you to define a set of ports that the protocol will use to respond.
Basically you define those ports for NATing purposes in your firewall - I used GlobalSCAPE ftp server, which allowed me to set a range of ports that would be used, hence made it easier.

Accepted Solution

AlexPace earned 1600 total points
ID: 36506633
If you agree to use Passive Mode for the data channel, the FTP server software will allow you to set a port range to use in the PASV response.  Alternatively, if you decide to use Active Mode, the client could commit to always using a certain port or ports when he sends the PORT command.  However, it is more likely that the FTP Server software will allow you to specify a passive range than it is that the other guy's client will allow him to specify an active mode port.

Also, some FTP servers (ex: Robo-FTP Server) allow you to specify an external IP address in addition to the port range for the PASV response.  This comes in handy if your FTPS connection encrypts both the control channel and the data channel. With an FTPS connection you can encrypt both channels, only the control channel, or only the data channel.  If you only encrypt the data channel your firewall will still see the PASV or PORT commands come across the control channel and be able to open the necessary ports on the fly... you can even connect with both encrypted and then clear the control channel after you authenticate so the credentials are sent over SSL (TLS) but the remainder of the session is over an unprotected control channel.
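
The failure the question describes (server advertises its private address in the 227 reply because the firewall can no longer rewrite the encrypted control channel) and the two fixes named in this answer (a fixed passive port range, plus a configured external address) can be seen end to end in the added example below. It is illustration code, not from SLIFT, Robo-FTP or the original thread: the 227 replies, the public address 203.0.113.10 and the private address 192.168.1.20 are constructed, and the 7001-7005 range is the one the asker configures later in the thread. The client side shows what a NAT-aware client does with a leaked private address; the server side shows how the reply should be built from the external address and the agreed range.

```python
import ipaddress
import re

# Constructed sample 227 replies (not taken from the original thread).
# The first is what a correctly configured server emits: its public address
# and a port from the agreed passive range.  The second is the failure the
# question describes: with FTPS the firewall cannot rewrite the control
# channel, so the server's RFC 1918 address reaches the client untranslated.
PASV_REPLY_OK = "227 Entering Passive Mode (203,0,113,10,27,89)"       # port 7001
PASV_REPLY_LEAKED = "227 Entering Passive Mode (192,168,1,20,27,90)"   # port 7002

# Assumed values for illustration: the server's public address and the
# passive range the asker configures later in the thread.
SERVER_PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = range(7001, 7006)   # 7001-7005 inclusive

# RFC 1918 ranges written out explicitly: ipaddress's is_private also flags
# documentation ranges such as 203.0.113.0/24, which would confuse the demo.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def is_rfc1918(host):
    """True if host is an RFC 1918 private address."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def parse_pasv(reply):
    """Parse an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns (host, port) with port = p1*256 + p2.  Raises ValueError on any
    malformed reply rather than guessing, so a bad reply never silently turns
    into a data connection to an unintended address.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable for the data connection")
    return host, port


def choose_data_endpoint(reply, control_peer, allowed_ports=None):
    """Client side: decide where to open the data connection.

    A NAT-aware client does not trust the advertised address blindly: if it is
    an RFC 1918 address, or simply not the address the control connection was
    opened to, it is almost certainly the server's untranslated internal
    address, so the client reuses control_peer instead.  Returns
    (host, port, untrusted); untrusted is worth logging when troubleshooting,
    because it is the symptom the question asks how to detect.
    """
    host, port = parse_pasv(reply)
    untrusted = is_rfc1918(host) or host != control_peer
    if allowed_ports is not None and port not in allowed_ports:
        raise ValueError(
            "server chose data port %d outside the agreed passive range" % port)
    return (control_peer if untrusted else host), port, untrusted


def pick_passive_port(port_range, in_use):
    """Server side: lowest free port in the agreed range, or None if exhausted.

    With only five ports a handful of concurrent transfers, or sockets still
    in TIME_WAIT, exhausts the range; the server should then refuse (425)
    rather than fall back to a random high port the firewall does not forward.
    """
    for port in port_range:
        if port not in in_use:
            return port
    return None


def build_pasv_reply(external_ip, port):
    """Server side: encode the configured external address (not the listening
    socket's own private address) plus the chosen port as a 227 reply."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        external_ip.replace(".", ","), port // 256, port % 256)


if __name__ == "__main__":
    for reply in (PASV_REPLY_OK, PASV_REPLY_LEAKED):
        host, port, untrusted = choose_data_endpoint(
            reply, SERVER_PUBLIC_IP, PASSIVE_RANGE)
        print("%-50s -> connect to %s:%d%s" % (
            reply, host, port, "  (advertised address ignored)" if untrusted else ""))
    free = pick_passive_port(PASSIVE_RANGE, in_use={7001, 7002})
    print(build_pasv_reply(SERVER_PUBLIC_IP, free))
```

Two practical notes. The client-side rule is the same one CPython's own ftplib now applies by default (bpo-43285 added `FTP.trust_server_pasv_ipv4_address`, which is False unless you set it), so a modern ftplib client would already have connected to the right place here; the asker's SLift client evidently does not, which is why the server-side external-address setting matters. And the firewall still has to forward the whole passive range (7001-7005 in the example) to the server: the range only helps if every port in it is reachable from outside.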

Author Comment

ID: 36511867

So can we say in summary, setting the ftp server to use passive mode is the way to go?  Active ftp would be more complicated?

Any 'port forwarding' on the firewall (at client or server end?) needed?


Assisted Solution

AlexPace earned 1600 total points
ID: 36511906
As the person responsible for the server, the choice to require passive mode makes sense because it allows you to know exactly which ports you need to tweak on your firewall.  Active Mode relies on the client to tell the server which port to use and then the server makes an outgoing connection to the client.  Half the time this is blocked by the client's firewall anyway so it might be a lower support load for you if you just say "we only support passive mode on ports 50000-50100" and be done with it.  This is not an unreasonable position for an FTP Server admin to take.  

The primary drawback of only supporting passive mode is that the DOS command line FTP client is ONLY able to do Active Mode.  This probably doesn't apply to your situation because the DOS client can't do FTPS either, only plain unencrypted FTP.

Author Comment

ID: 36518124

Yes, we have already set the ftp server such that "we only support passive mode on ports 7001-7005" & our Slift ftp client has the option to turn on "passive" too.

On Monday, we'll test it out on our test environment (which has just been set up last Fri evening): if it doesn't work, can I paste the firewall logs here for your analysis on what we can do next?

Author Comment

ID: 36527798

Can't get hold of firewall logs : same NAT issue.

Is there any Windows freeware that could do address translation/forwarding (not port forwarding) so that if this client PC is trying to access a certain IP address, it will be forwarded to another address?

Author Comment

ID: 36533821
Refer to the link above, seems like the Ftp software that I have only supports option 1 in the Solution section & that did not work (possibly because the software did not allow us to specify the public address).

Author Closing Comment

ID: 36560786
I'll try another thread
