ProxySG & Advanced Secure Gateway

  • 1.  FTPS connection with Reporter VA 10.1.5

    Posted Sep 20, 2017 11:19 AM

    Hi,

    I am trying to set up an FTPS connection from my ProxySG VA (running 6.7.1.1) directly to my Reporter VA (running 10.1.5), without the use of an additional FTP server. If I use FTP, then when I try a Test Upload (Configuration > Access Logs > Logs > Upload Client), it works without a problem. When I try a "Test Upload" using FTPS I get the following event log error:

    2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: Connecting to primary 10.0.60.98 server 10.0.60.98:21." 0 E0000:96 alog_ftp_client.cpp:151 
    2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: 220 Welcome to the Reporter FTPS service." 0 E0000:96 alog_ftp_client.cpp:1728 
    2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: AUTH TLS" 0 E0000:96 alog_ftp_client.cpp:2116 
    2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: 234 Proceed with negotiation." 0 E0000:96 alog_ftp_client.cpp:1728 
    2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: Couldn't initialize a secure socket: OK" 0 E000A:1 alog_ftp_client.cpp:52 
    2017-09-20 11:40:49-00:00UTC "Access Log (main): Unable to connect to remote server for log uploading" 0 E0008:1 alog_facility_impl.cpp:2812 
    2017-09-20 11:40:49-00:00UTC "Access Log (main): Upload retries have been canceled." 0 E0008:96 alog_facility_impl.cpp:2839 
     

    I have exported the self-signed certificate from Reporter and uploaded it to the ProxySG and also put it into the browser-trusted certificate list. I have also set the "File Server Settings" on Reporter to FTPS with port 21, as well as checking the "Use secure connections (SSL)" box on the ProxySG FTP Client settings.

    Any help on this would be much appreciated.

    Luke
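
Reading the event log above stage by stage, as an added example that is not part of the original post or of any Symantec tooling: the `diagnose` helper and its stage names are hypothetical, and the reply codes are read with standard FTP semantics (220 service ready, 234 security mechanism accepted).

```python
import re

# Event-log lines copied from the first post (ProxySG "Test Upload" over FTPS).
SAMPLE = """\
2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: Connecting to primary 10.0.60.98 server 10.0.60.98:21." 0 E0000:96 alog_ftp_client.cpp:151
2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: 220 Welcome to the Reporter FTPS service." 0 E0000:96 alog_ftp_client.cpp:1728
2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: AUTH TLS" 0 E0000:96 alog_ftp_client.cpp:2116
2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: 234 Proceed with negotiation." 0 E0000:96 alog_ftp_client.cpp:1728
2017-09-20 11:40:49-00:00UTC "Access Log FTP (main):Test Upload: Couldn't initialize a secure socket: OK" 0 E000A:1 alog_ftp_client.cpp:52
2017-09-20 11:40:49-00:00UTC "Access Log (main): Unable to connect to remote server for log uploading" 0 E0008:1 alog_facility_impl.cpp:2812
2017-09-20 11:40:49-00:00UTC "Access Log (main): Upload retries have been canceled." 0 E0008:96 alog_facility_impl.cpp:2839
"""

# timestamp, quoted message (facility prefix stripped), severity, event id, source:line
LINE = re.compile(r'^(\S+ \S+) "Access Log(?: FTP)? \((\w+)\):\s*'
                  r'(?:Test Upload: )?(.*)" \d+ (\S+) (\S+:\d+)\s*$')

def diagnose(log_text):
    """Replay the FTP control dialogue and report the stage where it stopped."""
    result = {"server": None, "explicit_tls": False,
              "failed_stage": None, "error": None}
    stage = "tcp_connect"
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                          # not an access-log upload event
        msg = m.group(3)
        target = re.search(r"server (\S+:\d+)\.", msg)
        reply = re.match(r"(\d{3})[ -]", msg)
        if target:
            result["server"] = target.group(1)
        elif msg.startswith("AUTH TLS"):
            result["explicit_tls"] = True     # client asks to upgrade the control channel
            stage = "auth_tls"
        elif reply:
            code = int(reply.group(1))
            if code >= 400:                   # server refused at the current stage
                result.update(failed_stage=stage, error=msg)
                break
            if code == 220:
                stage = "banner_received"
            elif code == 234:
                stage = "tls_handshake"       # AUTH accepted; TLS negotiation is next
        elif msg.startswith(("Couldn't", "Unable")):
            result.update(failed_stage=stage, error=msg)   # client-side failure
            break
    return result
```

On the posted log this reports `tls_handshake`: the Reporter answered `AUTH TLS` on port 21 with 234, so the upload stopped in the TLS setup that follows, not in reaching the server or in the choice of explicit mode.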

     

     


  • 2.  RE: FTPS connection with Reporter VA 10.1.5

    Posted Sep 20, 2017 10:47 PM

    Hi Luke,

     

    What is the FTP server that you are running on the Reporter server? Normally the FTPS control channel listens on port 990. You may want to confirm this on the FTP server application and set it accordingly on the FTP Upload Settings in the Proxy. Also, the certificate which needs to be trusted is the cert used by the FTP application (not the Reporter software). I hope this is added too.



  • 3.  RE: FTPS connection with Reporter VA 10.1.5

    Posted Sep 21, 2017 03:24 AM

    Hi Aravind,

    Thanks for your reply. According to the release notes, as of Reporter 10.1.5, you no longer require an FTP server; Reporter functions as one itself. I have been using the webguide to set this up and followed it word for word, which includes telling you to take the certificate from Reporter itself.

    https://origin-symwisedownload.symantec.com/resources/webguides/symreporter/deploy/sg/prxysg_uploadlocal.htm 

    Within the Reporter GUI under Access Control > File Server Settings, you are able to set the FTPS port; it says "Note: Port 990 is reserved for implicit TLS communication and is unsupported by Blue Coat ProxySG". I did try changing the port here to 990 but again it did not work, this time with a different error. I also tried a random port which gave the same error as above (when using 21).

     

    Luke



  • 4.  RE: FTPS connection with Reporter VA 10.1.5

    Posted Sep 21, 2017 07:35 AM

    Hi Luke,

    Sorry, I was not aware of this advancement in Reporter. Just went through the configuration guide and it is set to use port 21 as in your configuration. With this, it seems to be correct on the configuration part. Is it possible for you to share a packet capture taken at the proxy with the filter as "ip host 10.0.60.98" and then attempt a test upload?



  • 5.  RE: FTPS connection with Reporter VA 10.1.5

    Posted Sep 22, 2017 02:58 AM

    Hi Luke,

    The good news is I have this working here (with SGOS 6.7.1.3 and Reporter 10.1.5.3), so we know it's possible :)

    The bad news is that I didn't do much different compared to what you have described.

    My FTPS server port is 21 and of course you have to import the FTPS certificate into the browser-trusted list on the SG.

    The only thing I stumbled across was the user. At first I wanted to have a special user just for the FTP uploads. But apparently vsftpd which is used on the Reporter requires a user to have a home directory on the server if you want to use FTPS for some reason. That didn't work with the new FTP user I've created. But it worked immediately with the original admin user. Have you tried the admin user?

    Having said that - for the user issue I've got a very distinct error message which I don't see in your log above.

    (Note: it probably isn't the best idea to use the admin user for FTP uploads for security reasons...)

    As Aravind said, a packet capture might help. And I would recommend trying the connection to the FTP server with an FTP client like Filezilla first, because it might give you more detailed information during the connection attempt.

    Kind Regards,

    Gunnar



  • 6.  RE: FTPS connection with Reporter VA 10.1.5

    Posted Sep 22, 2017 04:11 AM

    Hi guys,

     

    I spent some time on a webex with Symantec support last night. We checked that Filezilla could connect to the Reporter with FTPS and that worked. So we looked at some packet captures but the support guy was unable to see the exact problem, just that the ProxySG VM we had was probably causing the problem. So we tried the setup again with a different ProxySG VM and it worked. So although we did not pinpoint the actual issue, we know it was the ProxySG, and in this instance it is not a problem using another Proxy.

     

    Thanks

     

    Luke