Support Forum
Wurstsalat
New Contributor III

Explicit Proxy + Authentication + FTP/SFTP Connections

Hi there,

we want to migrate from MS TMG to FortiGate. In the end FSSO wasn't very reliable in our environment (missing DNS records, double-homed clients and so on), so we threw away the idea of running the clients without an explicit proxy.

So for seamless access we use NTLM on the proxy access rules, but when it comes to FTP clients such as WinSCP or FileZilla, they need to authenticate with basic auth at a SOCKS5 or generic HTTP proxy.

So how could I solve this? Any ideas?

7 REPLIES
emnoc
Esteemed Contributor III

Never did SOCKS with FTP, but have you tried setting up a SOCKS proxy and testing?

e.g.

curl -v -x socks5h://x.x.x.x:8081 http://www.wwt.com

x.x.x.x would be your proxy address

cli config

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set ftp-incoming-port 2022
    set socks-incoming-port 8081
    set realm "SOCPUPPETS_EXP_PROXY"
    set sec-default-action accept
end

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Okay, I believe you could do this to check SOCKS and proxy through a FortiGate, not sure about the authentication.

GRYHATKEN:~ kfelix$ curl -v --socks4 1.1.1.1:8081 ftp://ftp.fu-berlin.de/pub/atari/linux/
*   Trying 1.1.1.1...
* SOCKS4 communication to ftp.fu-berlin.de:21
* SOCKS4 connect to 130.133.3.130 (locally resolved)
* SOCKS4 request granted.
* Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
< 220 FTP.FU-Berlin.DE ready.
> USER anonymous
< 331 Anonymous login ok, send send anything as password.
> PASS ftp@example.com
< 230-
<  Welcome at Freie Universitaet Berlin, Germany.
<  Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
<  Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
<  
< 230 FTP.FU-Berlin.DE login ok.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful
> CWD atari
< 550 atari: No such file or directory
* Server denied you to change to the given directory
* Connection #0 to host ftp.fu-berlin.de left intact
curl: (9) Server denied you to change to the given directory
GRYHATKEN:~ kfelix$ curl -v --socks5 1.1.1.1:8081 ftp://ftp.fu-berlin.de/pub/atari/linux/
*   Trying 1.1.1.1...
* 130
* 133
* 3
* 130
* Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
< 220 FTP.FU-Berlin.DE ready.
> USER anonymous
< 331 Anonymous login ok, send send anything as password.
> PASS ftp@example.com
< 230-
<  Welcome at Freie Universitaet Berlin, Germany.
<  Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
<  Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
<  
< 230 FTP.FU-Berlin.DE login ok.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful
> CWD atari
< 550 atari: No such file or directory
* Server denied you to change to the given directory
* Connection #0 to host ftp.fu-berlin.de left intact
curl: (9) Server denied you to change to the given directory
GRYHATKEN:~ kfelix$

I would first start by making sure SOCKS v4/5 works with NO_AUTHENTICATION and go from that point by enabling authentication and identity policies.

Mohammand,

if you're following this post, I will PM you something as soon as I land.

Enjoy

:)

PCNSE NSE StrongSwan
Wurstsalat
New Contributor III

Thanks for your suggestion. I thought about enabling SOCKS, but I read about it previously and it didn't read as a good solution.

I tried it, and what I see... is not really good:

- as soon as any client is able to connect to the SOCKS proxy, it is completely unrestricted (no filter works, not even antivirus) and no authentication happens, nor is it possible... if you send a username it doesn't care. I read about this behaviour before in this forum, I think.

Connection through SOCKS is possible, and so it is through the generic proxy (HTTP) without authentication.

At the moment:

- Enabling SOCKS creates a whole bypass of any rules
- Generic proxy/HTTP authentication can't be used

Stuck at the moment :(

edit

btw, I am currently on 5.4; SOCKS5 auth is only supported from 5.6:

http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-whats-new/Top-Firewall-Transparent-pr...

So on 5.4 I can't use SOCKS5 at the moment.

Any ideas for the HTTP proxy to allow NTLM + basic auth?
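
An offline check for the behaviour described above (a SOCKS listener that lets any client through without authentication). This is an added example, not code from the thread or from Fortinet: it performs the SOCKS5 method negotiation of RFC 1928 against a proxy you name, and for the self-test it talks to a constructed stand-in listener rather than a real FortiGate. The host and port arguments are assumptions; with emnoc's config they would be the proxy address and 8081.

```python
import socket
import threading
# SOCKS5 method-negotiation constants (RFC 1928 / RFC 1929)
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USER_PASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF


def probe_socks5_auth(host, port, timeout=5.0):
    """Offer the proxy only 'no authentication' and report what it selects.
    'no-auth' means an unauthenticated client is let through (the bypass
    described above); 'rejected' means the proxy answered 0xFF because it
    insists on a method we did not offer. No CONNECT request is ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH]))  # VER, NMETHODS, METHODS
        reply = s.recv(2)                                     # VER, chosen METHOD
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 server, got %r" % reply)
    if reply[1] == METHOD_NO_AUTH:
        return "no-auth"
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        return "rejected"
    return "other:%d" % reply[1]


class FakeSocks5Proxy:
    """Constructed stand-in for a SOCKS listener, used only for offline self-tests.
    require_auth=False mimics the 'anyone can connect' behaviour seen above;
    require_auth=True mimics a listener that demands username/password."""

    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.srv.accept()
        with conn, self.srv:
            greeting = conn.recv(257)               # VER, NMETHODS, METHODS...
            offered = greeting[2:2 + greeting[1]]
            if not self.require_auth:
                chosen = METHOD_NO_AUTH
            elif METHOD_USER_PASS in offered:
                chosen = METHOD_USER_PASS
            else:
                chosen = METHOD_NONE_ACCEPTABLE
            conn.sendall(bytes([SOCKS_VERSION, chosen]))
```

Run probe_socks5_auth(proxy_address, 8081) from a client subnet: a 'no-auth' answer means the listener itself is not enforcing authentication, whatever the identity policies behind it say.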

 

emnoc
Esteemed Contributor III

Okay, I'm back online;

I've used explicit with LDAP (AD) and it is quite simple to enable and to use in FileZilla, Cyberduck, and FF or other applications that use FTP proxies. Other options are ftp-over-web-proxy or SOCKS v4/5 compatible proxies; with the latter I never achieved authentication correctly, but the FGT as demoed before will work as a SOCKS proxy for WEB, FTP, TELNET etc....

For FortiOS enable the explicit-ftp, and you can define accept-action for deny and set identity-based policies.

e.g.

config system interface
    edit "NETLAN01"
        set vdom "root"
        set ip 192.198.11.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set explicit-ftp-proxy enable
        # this would be the interface(s) that you expect users
    next
end

config ftp-proxy explicit
    set status enable
    set incoming-port 21
    set incoming-ip 0.0.0.0
    unset outgoing-ip
    set sec-default-action deny
end

and finally a policy;

config firewall explicit-proxy-policy
    edit 1
        set proxy ftp
        set dstintf "wan1"
        set srcaddr "CLASSROOMWEST"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set users "Msjones" "terry" "jacue" "Basi"
            next
            edit 2
                set schedule "CLASS_HOURS"
                set groups "STUDENTSGRP1" "STUDENTSGRP2" "STUDENTSGRP3" "STUDENTSGRP4"
            next
        end
    next
end

That's about all that it takes ;)

On FileZilla you need to configure the proxy settings in a custom mode (I found that to work best).

See screenshot; maybe I will post this online. Keep in mind various clients don't honor the sys-proxy settings on Windows versions and even macOS.

I.e. Cyberduck always ignores my proxy settings.

Use curl for diagnostics

or a simple ftp

i.e.

ftp proxyusername:proxyuserpassword:siteusername:password@sitename <fgt_proxyaddress>

if you think authentication is the issue:

- disable authen for simplified testing and diagnostics
- disable identity policies for simplified testing and diagnostics

I hope that helps

PCNSE NSE StrongSwan
Wurstsalat
New Contributor III

Thanks for your help.

SFTP can't be used this way I think, and FTPS too. So only a solution for plain FTP connections, or am I missing something?

emnoc
Esteemed Contributor III

I never tried SFTP or FTP-SSL, but give it a try. I can test FTP-SSL since in my day job we have FTP-SSL applications. Again, try and find out.

SOCKS works for the most part, but probably not what you really want if you need authentication. Protocol based (FTP, WEB) seems to be the norm nowadays.

I'll post on my FTP-SSL attempt here shortly.

Ken

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

No go: FTPES using the following failed when going through an explicit ftp-proxy

http://test.rebex.net/

user demo
password password

The site does work, so we know it's not the site ;)

I hope that helps

Ken Felix

PCNSE NSE StrongSwan