How to let FTPS pass through an SRX device

Knowledge Base ID: KB19444
Last Updated: 14 Jan 2014
Version: 8.0

Summary:
To let FTPS in explicit mode (also referred to as FTPES or FTPeS) pass through an SRX, configure the 'set security alg ftp ftps-extension' command, which is available from Junos 10.2 onward.

The FTPS implicit mode is currently not supported.

Problem or Goal:
  • FTPS in explicit mode fails to connect through an SRX device.

  • In explicit-mode FTPS, the client connects to the server on TCP port 21 and then negotiates SSL/TLS for the control channel and/or the data channel using additional FTP commands such as AUTH.

  • The FTP ALG does not recognize the AUTH command on the control channel and drops it.

Solution:
FTPS support for SRX can be enabled by using the following configuration command:
set security alg ftp ftps-extension

This has the following effects:

  • The AUTH command is recognized by the FTP ALG and passed through (Junos 10.2 or later).

  • The feature is supported in route mode and with source NAT. It works with FTPeS in passive mode only: once the control channel is encrypted, the FTP ALG cannot read the PORT or PASV exchange and therefore cannot open a gate for the data connection. In passive mode the client opens the data connection itself, in the same direction as the control connection, so the ordinary security policy can permit it without a gate.

  • Consequently, FTPeS in active mode, where the server opens the data connection back to the client and a gate would be required, is not supported.


Limitations (applicable to all Junos versions):
  • Destination NAT and static NAT are not supported with FTPeS. This is a protocol limitation: the addresses exchanged on the encrypted control channel cannot be rewritten by the ALG, so simply opening ports wide will not help.

  • Implicit FTPS is not supported. It encrypts the entire FTP session from the first byte, and the FTP ALG is not designed to handle this.

  • FTPeS is supported only in passive mode; FTPeS in active mode is not supported.
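The ALG behaviour described in the Solution and Limitations sections, modelled as an added Python illustration (not Juniper code): it walks a constructed explicit-FTPS control-channel transcript, drops AUTH when ftps-extension is off, stops reading once the 234 reply turns the channel into TLS, and shows why only client-initiated (passive) data connections can then pass. All transcripts, addresses and function names are constructed for this example.

```python
import re

# Toy model, not Juniper code: how an FTP ALG sees an explicit-FTPS control
# channel, and why only passive mode can pass once that channel is encrypted.
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_endpoint(match):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    g = match.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def alg_inspect(transcript, ftps_extension):
    """Walk a control-channel transcript of (direction, line) pairs and return
    whether the session survives the ALG plus the data endpoints it learned in
    cleartext (the only ones it could open a gate for)."""
    encrypted = False
    gates = []
    for direction, line in transcript:
        if encrypted:
            continue  # TLS records: the ALG can no longer read PORT or PASV
        if direction == "C" and line.startswith("AUTH "):
            if not ftps_extension:
                return {"ok": False, "reason": "AUTH dropped by FTP ALG", "gates": gates}
        elif direction == "S" and line.startswith("234 "):
            encrypted = True  # server accepted AUTH; everything after is TLS
        elif direction == "C" and (m := PORT_RE.match(line)):
            gates.append(decode_endpoint(m))  # active: server will connect in
        elif direction == "S" and (m := PASV_RE.match(line)):
            gates.append(decode_endpoint(m))  # passive: client connects out
    return {"ok": True, "reason": "", "gates": gates}


def data_channel_passes(result, mode):
    """Passive data connections are client-initiated and match the ordinary
    outbound policy (which must permit the server's passive port range);
    active ones are server-initiated and need a gate the ALG could open."""
    if not result["ok"]:
        return False
    return mode == "passive" or bool(result["gates"])


# Constructed explicit-FTPS transcripts (cleartext until the 234 reply).
FTPES_PASSIVE = [("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
                 ("S", "227 Entering Passive Mode (203,0,113,10,195,80)")]
FTPES_ACTIVE = [("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
                ("C", "PORT 192,0,2,5,200,1")]
PLAIN_ACTIVE = [("C", "PORT 192,0,2,5,200,1")]
```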

Purpose:
Configuration
Implementation
Troubleshooting

Copyright © 1999-2012 Juniper Networks, Inc. All rights reserved.