Explicit Proxy + Authentication + FTP/SFTP Connections

Author
Wurstsalat
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/18 01:05:35
  • Status: offline
2017/08/03 00:28:29 (permalink)
0

Explicit Proxy + Authentication + FTP/SFTP Connections

Hi there,
We want to migrate from MS TMG to FortiGate. In the end FSSO wasn't very reliable in our environment (missing DNS records, double-homed clients and so on), so we threw away the idea of running the clients without an explicit proxy.
 
So for seamless access we use NTLM on the proxy access rules, but when it comes to FTP clients such as WinSCP or FileZilla, they need to authenticate with basic auth at a SOCKS5 or generic HTTP proxy.
So how could I solve this? Any ideas?
 
 
 
#1

7 Replies

    emnoc
    Expert Member
    • Total Posts : 4351
    • Scores: 247
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 03:51:25 (permalink)
    0
    Never did SOCKS with FTP, but have you tried setting up a SOCKS proxy and testing?
     
    e.g.
     
    curl -v -x socks5h://x.x.x.x:8081  http://www.wwt.com
     
    x.x.x.x would be your proxy address
     
    CLI config:
     
    config web-proxy explicit
        set status enable
        set ftp-over-http enable
        set socks enable
        set ftp-incoming-port 2022
        set socks-incoming-port 8081
        set realm "SOCPUPPETS_EXP_PROXY"
        set sec-default-action accept
    end
     
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #2
    emnoc
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 04:06:22 (permalink)
    0
    Okay, I believe you could do this to check SOCKS and proxy through a FortiGate; not sure about the authentication.
     
     
     
    GRYHATKEN:~ kfelix$ curl -v --socks4 1.1.1.1:8081  ftp://ftp.fu-berlin.de/pub/atari/linux/
    *   Trying 1.1.1.1...
    * SOCKS4 communication to ftp.fu-berlin.de:21
    * SOCKS4 connect to 130.133.3.130 (locally resolved)
    * SOCKS4 request granted.
    * Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
    < 220 FTP.FU-Berlin.DE ready.
    > USER anonymous
    < 331 Anonymous login ok, send send anything as password.
    > PASS ftp@example.com
    < 230-
    <  Welcome at Freie Universitaet Berlin, Germany.
    <  Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
    <  Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
    <  
    < 230 FTP.FU-Berlin.DE login ok.
    > PWD
    < 257 "/" is the current directory
    * Entry path is '/'
    > CWD pub
    * ftp_perform ends with SECONDARY: 0
    < 250 CWD command successful
    > CWD atari
    < 550 atari: No such file or directory
    * Server denied you to change to the given directory
    * Connection #0 to host ftp.fu-berlin.de left intact
    curl: (9) Server denied you to change to the given directory
    GRYHATKEN:~ kfelix$ curl -v --socks5 1.1.1.1:8081  ftp://ftp.fu-berlin.de/pub/atari/linux/
    *   Trying 1.1.1.1...
    * 130
    * 133
    * 3
    * 130
    * Connected to 1.1.1.1 (1.1.1.1) port 8081 (#0)
    < 220 FTP.FU-Berlin.DE ready.
    > USER anonymous
    < 331 Anonymous login ok, send send anything as password.
    > PASS ftp@example.com
    < 230-
    <  Welcome at Freie Universitaet Berlin, Germany.
    <  Willkommen auf dem FTP-Server der Freien Universitaet Berlin.
    <  Ein Service der Zentraleinrichtung fuer Datenverarbeitung (ZEDAT).
    <  
    < 230 FTP.FU-Berlin.DE login ok.
    > PWD
    < 257 "/" is the current directory
    * Entry path is '/'
    > CWD pub
    * ftp_perform ends with SECONDARY: 0
    < 250 CWD command successful
    > CWD atari
    < 550 atari: No such file or directory
    * Server denied you to change to the given directory
    * Connection #0 to host ftp.fu-berlin.de left intact
    curl: (9) Server denied you to change to the given directory
    GRYHATKEN:~ kfelix$
     
     
    I would first start by making sure SOCKS v4/5 works with NO_AUTHENTICATION and go from that point by enabling authentication and identity policies.
     
    Mohammand,
     
    if you're following this post, I will PM you something as soon as I land.
     
    Enjoy 
     
    :)
     

    #3
    Wurstsalat
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 05:17:35 (permalink)
    0
    Thanks for your suggestion. I thought about enabling SOCKS, but I read about it previously and it didn't read as a good solution.
     
    I tried it and what I see... is not really good:
    - As soon as any client is able to connect to the SOCKS proxy, it is completely unrestricted (no filter works, not even antivirus) and no authentication happens, nor is it possible... if you send a username it doesn't care. I read about this behaviour before in this forum, I think.
     
    Connection through SOCKS is possible, and so is it through the generic (HTTP) proxy without authentication.
     
    At the moment:
    - Enabling SOCKS creates a complete bypass of all rules
    - Generic proxy/HTTP authentication can't be used
     
    Stuck at the moment :(
     
     
    Edit:
    BTW, I am currently on 5.4; SOCKS5 auth is only supported from 5.6 on:
    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-whats-new/Top-Firewall-Transparent-proxy.htm
    So on 5.4 I can't use SOCKS5 at the moment.
    Any ideas for the HTTP proxy to allow NTLM + basic auth?
     
    post edited by Wurstsalat - 2017/08/03 07:49:11
    #4
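The observation in the post above, that any client able to reach the SOCKS port is served without authentication, can be turned into a check you run against your own proxy. The following Python is an added example, not code from this thread or from Fortinet: it implements both sides of the SOCKS5 method negotiation from RFC 1928 (client greeting, proxy method selection), a probe that offers only "no authentication required" and records what the proxy selects, and a constructed loopback mock proxy that stands in for the FortiGate (the mock, the function names and the port handling are assumptions). A proxy that answers 0x00 to such a greeting is exactly the bypass described in the post; one that enforces identity must answer 0xFF to that greeting and only pick username/password (0x02) when the client lists it.

```python
import socket
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # "no authentication required"
METHOD_USERPASS = 0x02         # RFC 1929 username/password
METHOD_NONE_ACCEPTABLE = 0xFF  # proxy refuses every offered method


def build_greeting(methods):
    """Client -> proxy: VER | NMETHODS | METHODS... (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    """Proxy side: return the list of methods the client offered."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def select_method(offered, require_auth):
    """Proxy -> client: VER | METHOD. A proxy that enforces identity must
    answer 0xFF to a client that offers only NO AUTH, never 0x00."""
    wanted = METHOD_USERPASS if require_auth else METHOD_NO_AUTH
    chosen = wanted if wanted in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_method_selection(data):
    """Client side: return the method the proxy selected."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 method selection")
    return data[1]


def enforces_auth(selected_method):
    """True when the proxy refused an unauthenticated greeting."""
    return selected_method == METHOD_NONE_ACCEPTABLE


def probe_proxy(host, port, timeout=3.0):
    """Offer NO AUTH only and report the method the proxy selects.
    0x00 means any host that can reach the port is served without
    credentials; 0xFF means the proxy insists on another method."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_greeting([METHOD_NO_AUTH]))
        return parse_method_selection(sock.recv(2))


def start_mock_proxy(require_auth):
    """Constructed loopback stand-in for a proxy's method negotiation
    (hypothetical; not a FortiGate). Returns the port it listens on."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve_one():
        conn, _ = server.accept()
        with conn:
            # A greeting is at most 2 + 255 bytes.
            conn.sendall(select_method(parse_greeting(conn.recv(257)), require_auth))
        server.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    for require in (False, True):
        port = start_mock_proxy(require)
        selected = probe_proxy("127.0.0.1", port)
        print(f"proxy configured with require_auth={require}: "
              f"selected 0x{selected:02x}, enforces_auth={enforces_auth(selected)}")
```

Run `probe_proxy` against the FortiGate's SOCKS port from a client subnet that should be subject to the identity policy; if it returns 0x00, the SOCKS path is serving unauthenticated sessions regardless of what the proxy policies say, which is the condition the post reports.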
    emnoc
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 07:50:34 (permalink)
    0
    Okay, I'm back online.
     
    I've used the explicit proxy with LDAP (AD) and it's quite simple to enable and to use in FileZilla, Cyberduck, and FF or other applications that use FTP proxies. Other options are FTP-over-web-proxy or SOCKS v4/5 compatible proxies; with the latter I never achieved authentication correctly, but the FGT, as demoed before, will work as a SOCKS proxy for web, FTP, telnet, etc.
     
     
    For FortiOS, enable the explicit FTP proxy, and you can set the default accept-action to deny and set identity-based policies.
     
    e.g.
     
    config system interface
        edit "NETLAN01"
            set vdom "root"
            set ip 192.198.11.1 255.255.255.0
            set allowaccess ping https ssh
            set type physical
            set explicit-ftp-proxy enable
            # this would be the interface(s) that you expect users
     
    end
     
    config ftp-proxy explicit
        set status enable
        set incoming-port 21
        set incoming-ip 0.0.0.0
        unset outgoing-ip
        set sec-default-action deny
    end

     
    and finally a policy ;
     
    config firewall explicit-proxy-policy
        edit 1
            set proxy ftp
            set dstintf "wan1"
            set srcaddr "CLASSROOMWEST"
            set dstaddr "all"
            set action accept
            set identity-based enable
                config identity-based-policy
                    edit 1
                        set schedule "always"
                        set users "Msjones" "terry" "jacue" "Basi"
                    next
                    edit 2
                        set schedule "CLASS_HOURS"
                        set groups "STUDENTSGRP1"  "STUDENTSGRP2" "STUDENTSGRP3" "STUDENTSGRP4"
                    next
                end
        next
    end

     
     
     
     
    That's about all that it takes ;)
     
     
     
    On FileZilla you need to configure the proxy settings in a custom mode (I found that to work best).
     
    See screenshot; maybe I will post this online. Keep in mind various clients don't honour the system proxy settings on Windows versions and even macOS.
    i.e. Cyberduck always ignores my proxy settings.
     
    Use curl for diagnostics
     
    or a simple ftp, i.e.
     
    ftp  proxyusername:proxyuserpassword:siteusername:password@sitename    <fgt_proxyaddress>
     
    If you think authentication is the issue:
     
    1.   Disable authentication for simplified testing and diagnostics
    2.   Disable identity policies for simplified testing and diagnostics
     
     
     
    I hope that helps
     
     

    Attached Image(s)


    #5
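The two CLI snippets in this thread differ in the setting that decides what happens to proxy sessions matching no policy: the earlier web-proxy test config uses `set sec-default-action accept`, while the ftp-proxy config above uses `deny` and puts the identity requirement into an explicit-proxy-policy. The following Python is an added example, not code from the thread or from Fortinet: a small parser for the `config`/`edit`/`set`/`next`/`end` block syntax shown in the posts, and an audit that flags the three conditions the thread identifies as unauthenticated paths (a default action other than deny, SOCKS enabled on the 5.4 release discussed, and an accept policy without `identity-based enable`). The sample configuration is constructed from the posted snippets; the function names and the finding wording are assumptions.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, modelled on the snippets in this
# thread; it is not a configuration pulled from a real device.
SAMPLE_CONFIG = """\
config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set socks-incoming-port 8081
    set sec-default-action accept
end
config ftp-proxy explicit
    set status enable
    set incoming-port 21
    unset outgoing-ip
    set sec-default-action deny
end
config firewall explicit-proxy-policy
    edit 1
        set proxy ftp
        set srcaddr "CLASSROOMWEST"
        set dstaddr "all"
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set users "Msjones" "terry"
                next
            end
    next
    edit 2
        set proxy web   # accept with no identity requirement
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/unset/next/end blocks into nested dicts.
    Single-value settings become strings, multi-value settings lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{keyword}'")
            stack.pop()
        else:
            raise ValueError(f"unsupported keyword: {keyword}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def audit_explicit_proxy(cfg):
    """Return the findings a reviewer of this thread would raise."""
    findings = []
    for section in ("web-proxy explicit", "ftp-proxy explicit"):
        block = cfg.get(section, {})
        if block.get("status") == "enable" and block.get("sec-default-action") != "deny":
            findings.append(f"{section}: sec-default-action is not deny, so sessions that "
                            "match no explicit-proxy policy are accepted")
    if cfg.get("web-proxy explicit", {}).get("socks") == "enable":
        findings.append("web-proxy explicit: socks enable; on the 5.4 release discussed "
                        "SOCKS clients are served without authentication")
    for pid, pol in cfg.get("firewall explicit-proxy-policy", {}).items():
        if pol.get("action") == "accept" and pol.get("identity-based") != "enable":
            findings.append(f"explicit-proxy-policy {pid}: accept without identity-based "
                            "enable grants unauthenticated access")
    return findings


if __name__ == "__main__":
    for finding in audit_explicit_proxy(parse_fortios(SAMPLE_CONFIG)):
        print("-", finding)
```

Feed the output of `show web-proxy explicit`, `show ftp-proxy explicit` and `show firewall explicit-proxy-policy` into `parse_fortios` and the audit lists every path by which a client could use the proxy without the identity policy being consulted; an empty list is the state the ftp-proxy config in the post above aims for.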
    Wurstsalat
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 07:57:05 (permalink)
    0
    Thanks for your help.
     
    SFTP can't be used this way, I think, and FTPS too. So only a solution for plain FTP connections, or am I missing something?
    #6
    emnoc
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 08:04:11 (permalink)
    0
    I never tried SFTP or FTP-SSL, but give it a try. I can test FTP-SSL since at my day job we have FTP-SSL applications. Again, try and find out.
     
    SOCKS works for the most part but is probably not what you really want if you need authentication. Protocol-based (FTP, web) seems to be the norm nowadays.
     
     
    I'll post on my FTP-SSL attempt here shortly.
     
    Ken
     
    post edited by emnoc - 2017/08/03 08:26:45

    #7
    emnoc
    Re: Explicit Proxy + Authentication + FTP/SFTP Connections 2017/08/03 08:43:50 (permalink)
    0
    No go: FTPES using the following failed when going through an explicit ftp-proxy:
     
    http://test.rebex.net/
     
    user demo
    password   password
     
     
     
    The site does work, so we know it's not the site ;)
     
    I hope that helps
     
    Ken Felix
     
     

    #8
    © 2017 APG vNext Commercial Version 5.5