Cisco ACE 4710

Unanswered Question
Jul 6th, 2009

Hi,


Can we offload SSL for FTP onto ACE, like we do for HTTPS? I need to configure ACE so that clients connect to ACE via FTPS (989, 990), and ACE in turn connects to the FTP server via normal FTP (20, 21).

Gilles Dufour Tue, 07/07/2009 - 02:06

This is currently not possible because the connection starts in clear and is then negotiated to be encrypted.

We can't switch from one mode to the other.


Gilles.

Rajiv Dasmohapatra Tue, 07/07/2009 - 05:29

Any workaround?

I really need to load balance FTPS with ACE. Is it possible if the servers have FTPS configured and we load balance the servers on ports 989 and 990? Just making sure that FTPS is not natively supported and I won't find any "inspect ftps" either, like "inspect ftp" while configuring FTP LB, right?

Gilles Dufour Tue, 07/07/2009 - 06:18

You can use inspect ftp on any port.

But if the client or server negotiates SSL, the connection will fail.


If you want to LB FTP and keep the SSL feature, your only solution is to not use inspection.


But then we can NAT the info inside the FTP control channel, which some clients/servers do not like.


Gilles.

Rajiv Dasmohapatra Tue, 07/07/2009 - 06:28

Ok... but I am not clear on the last part, "NAT the info inside the FTP control channel". Could you please explain how to go about this?


And if I go for this scenario, do I have to import any SSL certificates onto the ACE?

Rajiv Dasmohapatra Tue, 07/07/2009 - 07:56

So can I conclude that I can go forward and configure FTPS the same way I configure LB for different servers/ports, but it may not work for some clients?


And do I need to import SSL certificates in ACE for that?


Gilles Dufour Tue, 07/07/2009 - 23:59

Yes, you can configure it like any other L4 rule, except you need to take into account that client and server can open data connections.

These connections from the clients need to be sent to the appropriate server and be NATed if sent to the VIP.

So, you need source IP sticky, and you need to catch all possible ports or force your servers to use port 20.

Same for the connections opened by the servers. You need to configure NATing so that they appear as coming from the VIP.

This work is normally done for you by inspect ftp. But you can't use it here.


Gilles.
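As an added illustration (not from this thread and not a Cisco-supplied configuration), here is a sketch of the L4 pass-through layout Gilles describes: a VIP for the implicit FTPS ports plus a catch-all for client-initiated data connections, source-IP stickiness so all of a client's connections land on the same real server, and dynamic NAT on the server side so server-originated (active-mode, port 20) data connections appear to come from the VIP. No `inspect ftp` is applied, since the control channel is encrypted. The addresses, VLAN numbers and object names (FTPS-FARM, FTPS-STICKY, FTPS-VIP, etc.) are made up, and the command syntax is written from memory of the ACE CLI, so it should be checked against the command reference for the release in use.

```cisco
! Real FTPS servers (hypothetical addresses)
rserver host FTPS-SRV1
  ip address 10.1.1.11
  inservice
rserver host FTPS-SRV2
  ip address 10.1.1.12
  inservice

serverfarm host FTPS-FARM
  rserver FTPS-SRV1
    inservice
  rserver FTPS-SRV2
    inservice

! Source-IP stickiness: the control channel and every client-initiated
! data connection from the same client IP go to the same real server,
! because the ACE cannot read the encrypted PASV exchange to correlate them
sticky ip-netmask 255.255.255.255 address source FTPS-STICKY
  serverfarm FTPS-FARM

! Client-side VIP: implicit FTPS control/data ports, plus "tcp any" as the
! catch-all for passive data ports the server announces inside TLS
class-map match-any FTPS-VIP
  2 match virtual-address 192.0.2.10 tcp eq 990
  3 match virtual-address 192.0.2.10 tcp eq 989
  4 match virtual-address 192.0.2.10 tcp any

policy-map type loadbalance first-match FTPS-LB
  class class-default
    sticky-serverfarm FTPS-STICKY

policy-map multi-match FTPS-CLIENT-SIDE
  class FTPS-VIP
    loadbalance vip inservice
    loadbalance policy FTPS-LB

! Server-originated data connections (active mode, server port 20 toward
! the client) are source-NATed to the VIP address so the client sees one host
class-map match-any FTPS-SERVERS
  2 match source-address 10.1.1.0 255.255.255.0

policy-map multi-match FTPS-SERVER-SIDE
  class FTPS-SERVERS
    nat dynamic 1 vlan 100

interface vlan 100
  description client side
  ip address 192.0.2.2 255.255.255.0
  nat-pool 1 192.0.2.10 192.0.2.10 netmask 255.255.255.255 pat
  service-policy input FTPS-CLIENT-SIDE
  no shutdown

interface vlan 200
  description server side
  ip address 10.1.1.1 255.255.255.0
  service-policy input FTPS-SERVER-SIDE
  no shutdown
```

Because the TLS session runs end to end between client and real server, this layout has no `ssl-proxy` service and no certificate installed on the ACE; the trade-off is that the catch-all VIP exposes every TCP port on 192.0.2.10 to the load-balancing rule, so the real servers should be configured with a bounded passive port range and that range restricted at the firewall. If the servers are instead forced to use active mode from port 20, the `tcp any` line can be dropped.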
