Relay Server in a DMZ

Thomas Panariello, 3 years 6 months ago

I'm working with a customer that's running MSP 3.2. They have a WSFTP server running FTPS in a DMZ, behind a PIX firewall. The PIX can't read the encrypted packets so it can't negotiate and open a port to complete the FTPS session. The customer is reluctant to open all ports > 1024. Is anyone running FTPS in a DMZ with a firewall that's doing stateful packet inspection, and if so please share what your configuration looks like. This is also an MC75 opportunity with iPhone competition. MSP mgmt capabilities over the WWAN sets us apart and I want to keep that competitive edge. Thanks!!


2 Replies

Allan Herrod

Tom; there is no firewall anywhere that can possibly do stateful packet inspection on FTPS, because the firewall is not and cannot be privy to the secure tunnel and hence cannot interpret the encrypted packets. As a result, when using FTPS you cannot get the benefits of having the firewall open and close the required ports on an as-needed basis. You must open all ports that will be used. You can restrict the ports that will be used as part of the configuration of the FTPS server, and then you only need to open those ports in the firewall. But you cannot rely on the firewall to open and close the ports automatically, because it cannot see into the encrypted packets.

Arsen Bandurian

Hi Tom, just read this: http://en.wikipedia.org/wiki/FTPS#Firewall_incompatibilities Then provide a fixed, limited set of ports and set static firewall rules.
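Both replies above come down to the same recipe: pin the FTPS server to a fixed passive port range and write static firewall rules for it, because the `227 Entering Passive Mode` reply that a stateful inspector would normally read is inside the TLS tunnel. The following Python is an added illustration of that recipe, not code from the thread, from WS_FTP or from Cisco: it parses PASV replies the way an FTP helper would (port = p1*256 + p2), audits whether each advertised data port falls inside the configured range, and emits the two static allow rules the firewall needs in a generic ACL-like notation. The port range, server address and sample replies are constructed for the example; the real setting names depend on the FTPS server and firewall in use.

```python
import re

# Assumed (constructed for this example): the FTPS server is configured to hand
# out passive data ports only from this fixed range. The setting name for this
# differs per server product, so it is given here as a plain constant.
PASSIVE_PORT_RANGE = (50000, 50019)
FTPS_CONTROL_PORT = 21

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply):
    """Decode a 227 reply into (ip, port). This is exactly the step a stateful
    FTP inspector performs on plaintext FTP and cannot perform on FTPS, where
    the reply is encrypted on the wire."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("octet or port byte out of range: %r" % reply)
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def port_allowed(port, port_range=PASSIVE_PORT_RANGE):
    """True if the data port lies inside the statically opened range."""
    lo, hi = port_range
    return lo <= port <= hi


def static_rules(server_ip, port_range=PASSIVE_PORT_RANGE,
                 control_port=FTPS_CONTROL_PORT):
    """The two permanent allow rules a firewall needs for FTPS in passive mode:
    the control port and the fixed passive range. Generic ACL-like wording,
    not verified syntax for any particular firewall."""
    lo, hi = port_range
    return [
        "permit tcp any host %s eq %d" % (server_ip, control_port),
        "permit tcp any host %s range %d %d" % (server_ip, lo, hi),
    ]


def audit_pasv_replies(replies, port_range=PASSIVE_PORT_RANGE):
    """Check decrypted 227 replies (e.g. from the server's own log, the only
    place they are visible in clear) against the opened range. A port outside
    the range means the server config and the firewall rules disagree and the
    data connection will be dropped."""
    results = []
    for reply in replies:
        _ip, port = parse_pasv_reply(reply)
        results.append((port, port_allowed(port, port_range)))
    return results


# Constructed sample replies: two inside the range, one just past its top end.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256+80  = 50000
    "227 Entering Passive Mode (192,0,2,10,195,99)",   # 195*256+99  = 50019
    "227 Entering Passive Mode (192,0,2,10,195,100)",  # 195*256+100 = 50020
]

if __name__ == "__main__":
    for line in static_rules("192.0.2.10"):
        print(line)
    for port, ok in audit_pasv_replies(SAMPLE_REPLIES):
        print(port, "allowed" if ok else "BLOCKED by static rules")
```

The size of the range is a capacity decision rather than a security one: each concurrent data transfer consumes one port from it, so it should be large enough for the expected number of simultaneous sessions and no larger, which keeps the permanently open surface far smaller than "everything above 1024".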
