Solved

FTP server behind a reverse proxy using MS technologies

Posted on 2016-09-06
Last Modified: 2016-09-12
Hello Experts

One of my clients has an environment with a Cisco ASA 5500 series fw as the outward-facing endpoint, a DMZ with a reverse proxy server in it and an inside network with multiple web servers running. All is working well - customers connect to the websites hosted on the RP server and this retrieves data from the inside web servers as you would expect (configured with URL rewrite to assist).

They would now like to introduce an FTP server on the inside network and make this accessible through the reverse proxy - and I am a bit stumped. URL-rewrite, a key component in getting the RP to operate, does not seem to support an FTP server. My client has little interest in moving away from MS server technologies for this and I am not sure how to proceed. Any advice would be gratefully received.
Question by:Plagus
LVL 27

Expert Comment

by:Dan McFadden
ID: 41786376
Is this really reverse proxying or just public IP to Private IP NAT'ing?  Seems like NAT'ing to me.

This isn't an issue, the typical setup would be:

1. Public IP on endpoint (Cisco ASA)
2. Private IP on FTP Server
3. On the ASA, NAT the Public IP -> Private IP for the FTP Services group.

You are just redirecting the FTP-control and FTP-data traffic to the Private IP side.

This has also been previously discussed here on EE.

Link:  https://www.experts-exchange.com/questions/28455182/CISCO-ASA-FTP-ISSUE.html

Dan
0
 

Author Comment

by:Plagus
ID: 41786381
Thanks Dan

They really do not want to NAT straight from a public IP to the inside server - they only want the external connection to go as far as the reverse proxy server and that then retrieve the data from the inside FTP server.  I demo'd the NAT solution to them (worked great....) but they were pretty clear this was not what they wanted.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 150 total points
ID: 41786735
URL rewriting is for HTTP; there is no concept of a URL in the same way for FTP.

It is certainly possible to run FTP through a reverse proxy, if only in TCP mode (which is similar to NAT in functionality). How you would do this depends on the reverse proxy itself.

A reverse proxy does not retrieve information from back end web servers, it proxies the connection, so unless it has any specific web application firewall/security capabilities, the only security it adds is to terminate the HTTP connection from outside, which can be useful for a small class of web server vulnerabilities which are better resolved by fixing the web servers.

The larger use of a reverse proxy is to make a single website available from multiple machines, or to make multiple websites available on a single public address.
0
 
LVL 27

Accepted Solution

by:Dan McFadden
Dan McFadden earned 350 total points
ID: 41787701
The Cisco ASA does not have built-in FTP client functionality. It can pretty much only mask the destination endpoint via NAT or, as ArneLovius mentioned, by proxying in TCP mode.

Unfortunately you may be in the position of having to explain the limitations of reverse proxying an FTP service.

Is there a more detailed reason for not wanting to use a NAT for FTP?

Dan
0
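
As an added illustration of why relaying FTP in TCP mode takes more than forwarding port 21 (this is not code from any poster in the thread): the server's passive-mode reply on the control channel names the address and port of the data channel, so a relay in the DMZ has to rewrite that reply to its own public address and confirm the port is one the firewall forwards. The addresses, port range and function names are assumptions chosen for the example.

```python
import re

# Constructed values (documentation address range); not from the thread.
PUBLIC_IP = "203.0.113.10"           # address clients reach on the DMZ relay
PASSIVE_PORTS = range(50000, 50101)  # data ports forwarded to the inside server

# RFC 959 reply: 227 text (h1,h2,h3,h4,p1,p2)   RFC 2428 reply: 229 text (|||port|)
_PASV = re.compile(rb"^227 (.*?)\(((?:\d{1,3},){4})(\d{1,3}),(\d{1,3})\)(.*)$", re.S)
_EPSV = re.compile(rb"^229 .*\(\|\|\|(\d{1,5})\|\)")


def data_port(reply):
    """Return the data-channel port a 227/229 reply announces, else None."""
    m = _PASV.match(reply)
    if m:
        p1, p2 = int(m.group(3)), int(m.group(4))
        if p1 > 255 or p2 > 255:
            raise ValueError("malformed 227 reply")
        return p1 * 256 + p2
    m = _EPSV.match(reply)
    return int(m.group(1)) if m else None


def rewrite_reply(reply, public_ip=PUBLIC_IP, ports=PASSIVE_PORTS):
    """Rewrite a server reply before the relay passes it to the client."""
    port = data_port(reply)
    if port is None:
        return reply  # ordinary control-channel reply: pass through
    if port not in ports:
        # The firewall does not forward this port, so the transfer would fail.
        raise ValueError(f"data port {port} outside forwarded range")
    m = _PASV.match(reply)
    if m is None:
        return reply  # 229 carries only a port, no address to rewrite
    host = public_ip.replace(".", ",").encode()
    return (b"227 " + m.group(1) + b"(" + host + b"," +
            m.group(3) + b"," + m.group(4) + b")" + m.group(5))
```

The inside server announces its private address in the 227 reply unless something on the path rewrites it, which is why the data channel needs the same attention as the control channel whichever device does the forwarding.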
