Solved

FTP server behind a reverse proxy using MS technologies

Posted on 2016-09-06
Last Modified: 2016-09-12
Hello Experts

One of my clients has an environment with a Cisco ASA 5500 series fw as the outward facing endpoint, a DMZ with a reverse proxy server in it and an inside network with multiple web servers running.  All is working well - customers connect to the websites hosted on the RP server and this retrieves data from the inside web servers as you would expect (configured with URL rewrite to assist).

They would now like to introduce an FTP server on the inside network and make this accessible through the reverse proxy - and I am a bit stumped.  URL-rewrite, a key component in getting the RP to operate, does not seem to support an FTP server.  My client has little interest in moving away from MS server technologies for this and I am not sure how to proceed.  Any advice would be gratefully received.
Question by:Plagus

Expert Comment

by:Dan McFadden
ID: 41786376
Is this really reverse proxying or just public IP to Private IP NAT'ing?  Seems like NAT'ing to me.

This isn't an issue, the typical setup would be:

1. Public IP on endpoint (Cisco ASA)
2. Private IP on FTP Server
3. On the ASA, NAT the Public IP -> Private IP for the FTP Services group.

You are just redirecting the FTP-control and FTP-data traffic to the Private IP side.

This has also been previously discussed here on EE.

Link:  https://www.experts-exchange.com/questions/28455182/CISCO-ASA-FTP-ISSUE.html

Dan
 

Author Comment

by:Plagus
ID: 41786381
Thanks Dan

They really do not want to NAT straight from a public IP to the inside server - they only want the external connection to go as far as the reverse proxy server and that then retrieve the data from the inside FTP server.  I demo'd the NAT solution to them (worked great....) but they were pretty clear this was not what they wanted.

Assisted Solution

by:ArneLovius
ArneLovius earned 150 total points
ID: 41786735
URL rewriting is for HTTP; there is no concept of a URL in the same way for FTP.

It is certainly possible to run FTP through a reverse proxy, if only in TCP mode (which is similar to NAT in functionality). How you would do this depends on the reverse proxy itself.

A reverse proxy does not retrieve information from back-end web servers; it proxies the connection. So unless it has any specific web application firewall/security capabilities, the only security it adds is to terminate the HTTP connection from outside, which can be useful for a small class of web server vulnerabilities which are better resolved by fixing the web servers.

The larger use of a reverse proxy is to make a single website available from multiple machines, or to make multiple websites available on a single public address.

Accepted Solution

by:
Dan McFadden earned 350 total points
ID: 41787701
The Cisco ASA does not have built-in FTP client functionality.  It can pretty much only mask the destination endpoint via NAT or, as ArneLovius mentioned, by proxying in TCP mode.

Unfortunately you may be in the position of having to explain the limitations of reverse proxying an FTP service.

Is there a more detailed reason for not wanting to use a NAT for FTP?

Dan
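
Added example, not written by any poster in this thread: both answers mention relaying FTP in TCP mode, and in passive mode the inside server's 227 reply on the control channel carries its own address and data port, so a relay has to substitute its own address and accept only data ports it actually forwards. The function name, the addresses and the port range below are assumptions chosen for illustration.

```python
import re

# Address/port tuple of an RFC 959 "227" passive-mode reply:
# 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 (.*?)\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)(.*)$"
)


class PasvError(ValueError):
    """Raised when a 227 reply must not be relayed to the outside client."""


def rewrite_pasv(reply, proxy_ip, passive_range):
    """Return one control-channel reply line as the relay should send it on.

    reply         -- reply line from the inside FTP server, without CRLF
    proxy_ip      -- address outside clients use to reach the relay (assumed)
    passive_range -- (low, high) data ports the relay also forwards (assumed)
    """
    m = PASV_RE.match(reply)
    if m is None:
        if reply.startswith("227"):
            raise PasvError("malformed 227 reply")
        return reply  # not a passive-mode reply: relay unchanged
    octets = [int(x) for x in m.group(2, 3, 4, 5)]
    p1, p2 = int(m.group(6)), int(m.group(7))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise PasvError("address or port field out of range")
    port = p1 * 256 + p2  # data port the server is listening on
    low, high = passive_range
    if not low <= port <= high:
        # Fail closed: the relay has no forwarder for this data port, and
        # passing the reply on would only leak the inside address.
        raise PasvError(f"port {port} outside forwarded range")
    return f"227 {m.group(1)}({proxy_ip.replace('.', ',')},{p1},{p2}){m.group(8)}"


# Constructed sample: inside server 10.0.0.25 offers data port 195*256+80 = 50000.
SAMPLE = "227 Entering Passive Mode (10,0,0,25,195,80)"

if __name__ == "__main__":
    print(rewrite_pasv(SAMPLE, "203.0.113.10", (50000, 50100)))
```

The inside FTP server's passive port range has to be pinned to the same range the relay forwards, otherwise every data connection is rejected by the range check.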
