[Last updated July 17, 2019] Last time, we tackled the problem system administrators encounter when their passive FTP or FTPS connections have to pass through a NAT firewall or router. A similar problem can happen when you're dealing with the same type of connections and a reverse proxy. It gets even more complicated when you have to deal with both external and internal users. Let me show you how to deal with that.
To understand the problem better, I suggest you read the article "Setting Up An FTPS Server Behind A Firewall or NAT For PASV Mode Data Transfers" first. Notice that that article teaches you how to address the issue on the FTP/S server side.
Unfortunately, a similar issue can happen with a reverse proxy. More specifically, if your FTP/S reverse proxy is listening on an internal IP address but has to be reachable to external users. These users will likely have to go through your NAT-enabled router or firewall.
Here's a more concrete example. Let's say your FTP/S reverse proxy is listening on the non-routable address 192.168.1.1 but it can only be reached by external users through the external IP address 22.214.171.124. External users are those who connect over the Internet.
As soon as these users switch on passive mode while attempting to perform a directory listing, an upload, or a download, the connection will likely time out.
We already explained why this happens and how to deal with it in the previous article (see link above). A similar approach can be used to address this issue on your reverse proxy. That is, you need to configure your proxy to use the passive IP address 126.96.36.199 instead of 192.168.1.1 when responding to passive requests.
In JSCAPE MFT Gateway, this particular setting can be specified in Services > [the FTP/S service in question] > [Edit] > Advanced > Passive IP field.
Perfect. That should now allow your external users to connect.
But how about your internal users? Surely, they're not supposed to use that passive IP address, right? To deal with internal users, you need to instruct your reverse proxy to exempt internal clients from using the passive IP address. That way, internal users will simply connect to your reverse proxy's internal IP address 192.168.1.1.
In JSCAPE MFT Gateway, you can do this by ticking the "Do not use Passive IP for client IP matching regex" check box and entering a suitable regular expression. For example, if you want to exempt all IP addresses within the range 192.168.0.0 to 192.168.255.255, then just enter:
Other regular expressions you can use:
Note: I copied these regular expressions from here. While I have reviewed and tested these regexes, I strongly suggest you double-check, in case I missed something.
For the Range - 10.0.0.0 to 10.255.255.255:
For the Range - 172.16.0.0 to 172.31.255.255:
That's all there is to it.
If you want to try this out yourself, download a free, fully-functional evaluation edition of JSCAPE MFT Gateway now.
Want to be updated on posts like this? Connect with us...