FTP server behind a reverse proxy using MS technologies

Hello Experts

One of my clients has an environment with a Cisco ASA 5500 series fw as the outward facing endpoint, a DMZ with reverse proxy server in it and an inside network with multiple web servers running. All is working well - customers connect to the websites hosted on the RP server and this retrieves data from the inside web servers as you would expect (configured with URL rewrite to assist).

They would now like to introduce an FTP server on the inside network and make this accessible through the reverse proxy - and I am a bit stumped. URL-rewrite, a key component in getting the RP to operate, does not seem to support an FTP server. My client has little interest in moving away from MS server technologies for this and I am not sure how to proceed. Any advice would be gratefully received.
Plagus Asked:
Dan McFadden (Systems Engineer) Commented:
The Cisco ASA does not have built-in FTP client functionality. It can pretty much only mask the destination endpoint via NAT or, as ArneLovius mentioned, by proxying in TCP mode.

Unfortunately you may be in the position of having to explain the limitations of reverse proxying an ftp service.

Is there a more detailed reason for not wanting to use a NAT for ftp?

Dan
Dan McFadden (Systems Engineer) Commented:
Is this really reverse proxying or just public IP to Private IP NAT'ing?  Seems like NAT'ing to me.

This isn't an issue, the typical setup would be:

1. Public IP on endpoint (Cisco ASA)
2. Private IP on FTP Server
3. On the ASA, NAT the Public IP -> Private IP for the FTP Services group.

You are just redirecting the FTP-control and FTP-data traffic to the Private IP side.

This has also been previously discussed here on EE.

Link:  https://www.experts-exchange.com/questions/28455182/CISCO-ASA-FTP-ISSUE.html

Dan
Plagus (Author) Commented:
Thanks Dan

They really do not want to NAT straight from a public IP to the inside server - they only want the external connection to go as far as the reverse proxy server and that then retrieve the data from the inside FTP server.  I demo'd the NAT solution to them (worked great....) but they were pretty clear this was not what they wanted.
ArneLovius Commented:
URL rewriting is for HTTP; there is no concept of a URL in the same way for FTP.

It is certainly possible to run FTP through a reverse proxy, if only in TCP mode (which is similar to NAT in functionality). How you would do this depends on the reverse proxy itself.

A reverse proxy does not retrieve information from back end web servers, it proxies the connection, so unless it has any specific web application firewall/security capabilities, the only security it adds is to terminate the HTTP connection from outside, which can be useful for a small class of web server vulnerabilities which are better resolved by fixing the web servers.

The larger use of a reverse proxy is to make a single website available from multiple machines, or to make multiple websites available on a single public address.
Question has a verified solution.
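
The comments above separate FTP-control from FTP-data traffic and mention proxying in TCP mode. The sketch below is an added example, not code from any participant or product: it shows why relaying only the control port is not enough for passive FTP, since the inside server announces its own data address in 227/229 replies, which a relay in the DMZ has to rewrite and map. It goes slightly beyond the thread by covering EPSV as well; the class name, addresses and port range are constructed assumptions.

```python
import re

# Passive-mode replies carry the data-channel endpoint inside the control channel.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")

def parse_data_endpoint(reply, control_peer_ip):
    """Return the (ip, port) a server reply announces for the data channel, else None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("malformed 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(1)) < 65536:
        return control_peer_ip, int(m.group(1))  # EPSV implies the control address
    return None

class ControlRelay:
    """Hypothetical relay logic: clients only ever see the proxy's address."""

    def __init__(self, proxy_public_ip, inside_ftp_ip, relay_ports):
        self.public_ip, self.inside_ip = proxy_public_ip, inside_ftp_ip
        self.free_ports = list(relay_ports)  # ports the firewall forwards to the proxy
        self.data_map = {}                   # proxy port -> (inside ip, inside port)

    def rewrite(self, reply):
        endpoint = parse_data_endpoint(reply, self.inside_ip)
        if endpoint is None:
            return reply  # not a passive reply: pass through untouched
        if endpoint[0] != self.inside_ip:
            raise ValueError("refusing to relay data to a host other than the FTP server")
        if not self.free_ports:
            raise RuntimeError("no relay ports left")
        port = self.free_ports.pop(0)
        self.data_map[port] = endpoint  # the data listener on `port` forwards here
        if reply.startswith("229"):
            return f"229 Entering Extended Passive Mode (|||{port}|)"
        host = self.public_ip.replace(".", ",")
        return f"227 Entering Passive Mode ({host},{port >> 8},{port & 0xFF})"

if __name__ == "__main__":
    # Constructed addresses: 203.0.113.10 = proxy in the DMZ, 10.0.0.20 = inside FTP server.
    relay = ControlRelay("203.0.113.10", "10.0.0.20", range(50100, 50110))
    for line in ("230 User logged in.", "227 Entering Passive Mode (10,0,0,20,195,80)"):
        print(relay.rewrite(line))
    print(relay.data_map)
```

Only the ports in `relay_ports` need to be reachable from outside, and each one maps to exactly one announced inside endpoint.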