Solved

FTP server behind a reverse proxy using MS technologies

Posted on 2016-09-06
Last Modified: 2016-09-12
Hello Experts

One of my clients has an environment with a Cisco ASA 5500 series fw as the outward facing endpoint, a DMZ with a reverse proxy server in it and an inside network with multiple web servers running. All is working well - customers connect to the websites hosted on the RP server and this retrieves data from the inside web servers as you would expect (configured with URL rewrite to assist).

They would now like to introduce an FTP server on the inside network and make this accessible through the reverse proxy - and I am a bit stumped. URL-rewrite, a key component in getting the RP to operate, does not seem to support an FTP server. My client has little interest in moving away from MS server technologies for this and I am not sure how to proceed. Any advice would be gratefully received.
Question by:Plagus
4 Comments
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 41786376
Is this really reverse proxying or just public IP to Private IP NAT'ing?  Seems like NAT'ing to me.

This isn't an issue, the typical setup would be:

1. Public IP on endpoint (Cisco ASA)
2. Private IP on FTP Server
3. On the ASA, NAT the Public IP -> Private IP for the FTP Services group.

You are just redirecting the FTP-control and FTP-data traffic to the Private IP side.

This has also been previously discussed here on EE.

Link:  https://www.experts-exchange.com/questions/28455182/CISCO-ASA-FTP-ISSUE.html

Dan
0
 

Author Comment

by:Plagus
ID: 41786381
Thanks Dan

They really do not want to NAT straight from a public IP to the inside server - they only want the external connection to go as far as the reverse proxy server and that then retrieve the data from the inside FTP server.  I demo'd the NAT solution to them (worked great....) but they were pretty clear this was not what they wanted.
0
 
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 150 total points
ID: 41786735
URL rewriting is for HTTP; there is no concept of a URL in the same way for FTP.

It is certainly possible to run FTP through a reverse proxy, if only in TCP mode (which is similar to NAT in functionality); how you would do this depends on the reverse proxy itself.

A reverse proxy does not retrieve information from back end web servers, it proxies the connection, so unless it has any specific web application firewall/security capabilities, the only security it adds is to terminate the HTTP connection from outside, which can be useful for a small class of web server vulnerabilities which are better resolved by fixing the web servers.

The larger use of a reverse proxy is to make a single website available from multiple machines, or to make multiple websites available on a single public address.
0
 
LVL 26

Accepted Solution

by:Dan McFadden
Dan McFadden earned 350 total points
ID: 41787701
The Cisco ASA does not have built-in FTP client functionality. It can pretty much only mask the destination endpoint via NAT or, as ArneLovius mentioned, by proxying in TCP mode.

Unfortunately you may be in the position of having to explain the limitations of reverse proxying an FTP service.

Is there a more detailed reason for not wanting to use a NAT for FTP?

Dan
0
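
The TCP-mode proxying that ArneLovius and Dan McFadden mention has one FTP-specific catch: in passive mode the inside server announces its data-channel address and port inside the control channel, so a proxy in the DMZ has to rewrite that reply and relay the data port too, or the client is told to connect to a private address. The sketch below is an added example, not part of the original thread; the addresses, ports and function names are constructed for illustration.

```python
import re

# RFC 959 passive reply:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
# RFC 2428 extended reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_data_endpoint(reply):
    """Return (host_or_None, port) announced by a 227/229 reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        return None, port  # EPSV carries no address, only a port
    return None


def rewrite_reply(reply, proxy_ip, proxy_port):
    """Point a passive reply at the proxy's own data listener.

    Returns (line_for_client, backend_endpoint). backend_endpoint is where
    the proxy itself must connect for the data channel; None means the line
    is not a passive reply and is passed through unchanged.
    """
    ep = parse_data_endpoint(reply)
    if ep is None:
        return reply, None
    if ep[0] is None:
        return f"229 Entering Extended Passive Mode (|||{proxy_port}|)", ep
    hp = f"{proxy_ip.replace('.', ',')},{proxy_port >> 8},{proxy_port & 0xFF}"
    return f"227 Entering Passive Mode ({hp})", ep


if __name__ == "__main__":
    # Constructed control-channel lines from an inside server at 10.0.0.25;
    # 203.0.113.10:50010 is an assumed public address/port on the proxy.
    for line in ("230 User logged in.",
                 "227 Entering Passive Mode (10,0,0,25,195,80)",
                 "229 Entering Extended Passive Mode (|||50000|)"):
        print(rewrite_reply(line, "203.0.113.10", 50010))
```

Whatever performs this rewrite also has to open the announced data port range on the proxy and relay each data connection to the backend endpoint it recorded.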
