
FTP server behind a reverse proxy using MS technologies

Posted on 2016-09-06
Last Modified: 2016-09-12
Hello Experts

One of my clients has an environment with a Cisco ASA 5500 series fw as the outward facing endpoint, a DMZ with reverse proxy server in it and an inside network with multiple web servers running. All is working well - customers connect to the websites hosted on the RP server and this retrieves data from the inside web servers as you would expect (configured with URL rewrite to assist).

They would now like to introduce an FTP server on the inside network and make this accessible through the reverse proxy - and I am a bit stumped. URL-rewrite, a key component in getting the RP to operate, does not seem to support an FTP server. My client has little interest in moving away from MS server technologies for this and I am not sure how to proceed. Any advice would be gratefully received.
0
Question by:Plagus

Expert Comment

by:Dan McFadden
ID: 41786376
Is this really reverse proxying or just public IP to Private IP NAT'ing?  Seems like NAT'ing to me.

This isn't an issue, the typical setup would be:

1. Public IP on endpoint (Cisco ASA)
2. Private IP on FTP Server
3. On the ASA, NAT the Public IP -> Private IP for the FTP Services group.

You are just redirecting the FTP-control and FTP-data traffic to the Private IP side.

This has also been previously discussed here on EE.

Link:  https://www.experts-exchange.com/questions/28455182/CISCO-ASA-FTP-ISSUE.html

Dan
0
 

Author Comment

by:Plagus
ID: 41786381
Thanks Dan

They really do not want to NAT straight from a public IP to the inside server - they only want the external connection to go as far as the reverse proxy server and that then retrieve the data from the inside FTP server.  I demo'd the NAT solution to them (worked great....) but they were pretty clear this was not what they wanted.
0
 

Assisted Solution

by:ArneLovius
ArneLovius earned 600 total points
ID: 41786735
URL rewriting is for HTTP, there is no concept of a URL in the same way for FTP.

It is certainly possible to run FTP through a reverse proxy, if only in TCP mode (which is similar to NAT in functionality), how you would do this depends on the reverse proxy itself.

A reverse proxy does not retrieve information from back end web servers, it proxies the connection, so unless it has any specific web application firewall/security capabilities, the only security it adds is to terminate the HTTP connection from outside, which can be useful for a small class of web server vulnerabilities which are better resolved by fixing the web servers.

The larger use of a reverse proxy is to make a single website available from multiple machines, or to make multiple websites available on a single public address.
0
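Why relaying FTP in TCP mode takes more than forwarding port 21, as an added example that is not part of the thread: in passive mode the inside server's 227 reply names its own address and a data port, so a relay has to rewrite that reply and carry the data connection itself. The sample reply, the addresses and the function names below are constructed assumptions.

```python
import ipaddress
import re

# 227 reply per RFC 959: six decimal bytes, four for the IPv4 address, two for the port.
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def leaks_internal_address(reply):
    """True when the control channel would hand the client an RFC 1918 address."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    return any(addr in net for net in RFC1918)

def rewrite_pasv(reply, proxy_ip, proxy_port):
    """Advertise the proxy's own data listener instead of the inside server.

    The proxy must also accept on proxy_port and relay that connection to the
    endpoint returned by parse_pasv(); only the control-channel rewrite is shown.
    """
    if parse_pasv(reply) is None:
        return reply  # any other reply is relayed unchanged
    host = proxy_ip.replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (host, proxy_port >> 8, proxy_port & 0xFF)

# Constructed sample: what an inside FTP server at 10.0.5.20 would send.
INNER_REPLY = "227 Entering Passive Mode (10,0,5,20,195,80)\r\n"
# Assumed values: the proxy's outward address (documentation range) and its data listener port.
PROXY_IP, PROXY_PORT = "203.0.113.10", 50010

if __name__ == "__main__":
    print(parse_pasv(INNER_REPLY), leaks_internal_address(INNER_REPLY))
    print(rewrite_pasv(INNER_REPLY, PROXY_IP, PROXY_PORT).strip())
```
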
 

Accepted Solution

by:
Dan McFadden earned 1400 total points
ID: 41787701
The Cisco ASA does not have built-in FTP client functionality.  It can pretty much only mask the destination endpoint via NAT or, as ArneLovius mentioned, by proxying in TCP mode.

Unfortunately you may be in the position of having to explain the limitations of reverse proxying an ftp service.

Is there a more detailed reason for not wanting to use a NAT for ftp?

Dan
0
