Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Use WCCP to Redirect FTP Traffic

Requests that clients of Web Gateway send to servers under the FTP protocol can be redirected to Web Gateway using the WCCP (Web Cache Control Protocol) redirection method.

To send a request to a server under the FTP protocol, a client of Web Gateway opens the initial FTP connection. The client uses the IP address of the server for this connection. To let Web Gateway act as a proxy, the request is redirected to the IP address of the appliance that Web Gateway runs on.

Under the default settings, the client considers this redirection as a security risk and does therefore not continue with opening the FTP data connection. When redirection is performed using the WCCP protocol, you can solve this problem by modifying the settings as follows:

  • Using the active FTP mode for the connection from the client to the proxy
    Clients are by default allowed to use the passive FTP mode. You can enforce the active FTP mode by disabling an option of the proxy settings on the user interface of Web Gateway.
  • Configuring a port for redirection to the proxy
    This port must be entered in the list of ports that are redirected under WCCP.
  • Letting the proxy use the IP address of the FTP server instead of its own IP address
    Setting a particular parameter ensures that the proxy uses this address.

After modifying the settings in this way, a client uses the active FTP mode. It sends the proxy an IP address and a port number to connect to. The proxy returns a synchronization message. In this message, the IP address of the FTP server is used as the source IP address of the proxy. The port number is 21 or 2020.

The client responds with the IP address of the FTP server as its destination IP address and the same port number. Requests from the client to the FTP server are then redirected to the proxy, using WCCP as the redirection method.

NOTE: The WCCP redirection method cannot be used for FTP traffic in transparent bridge or router mode.

  • Was this article helpful?