07-06-2009 04:40 PM
Hi,
Can we offload SSL for FTP onto ACE, like we do for HTTPS? I need to configure ACE where I want the clients to connect to ACE via FTPS (989, 990), and ACE in turn connects to the FTP server via normal FTP (20, 21).
07-07-2009 02:06 AM
This is currently not possible because the connection starts in clear and is then negotiated to be encrypted.
We can't switch from one mode to the other.
Gilles.
07-07-2009 05:29 AM
Any workaround?
I really need to load balance FTPS with ACE. Is it possible if the servers have FTPS configured and we load balance the servers on port 989 and 990? Just making sure that FTPS is not natively supported and I won't find any "inspect ftps" either, like "inspect ftp" while configuring FTP LB, right?
07-07-2009 06:18 AM
You can use inspect ftp on any port.
But if the client or server negotiate SSL, the connection will fail.
If you want to LB ftp and keep the ssl feature, your only solution is to not use inspection.
But then we can nat the info inside the ftp control channel which some clients/servers do not like.
Gilles.
07-07-2009 06:28 AM
OK... but I am not clear on the last part, "nat the info inside the ftp control channel". Could you please explain how to go about this?
And if I go for this scenario, then do I have to import any SSL certificates onto the ACE?
07-07-2009 07:33 AM
sorry, I meant "we can't" !!
G.
07-07-2009 07:56 AM
So can I conclude that I can go forward and configure FTPS the same way I configure LB for different servers/ports, but it may not work for some clients?
And do I need to import SSL certificates in ACE for that?
07-07-2009 11:59 PM
Yes, you can configure it like any other L4 rule, except you need to take into account that client and server can open data connections.
These connections from the clients need to be sent to the appropriate server and be NATed if sent to the VIP.
So, you need src ip sticky, and you need to catch all possible ports or force your servers to use port 20.
Same for the connections opened by the servers. You need to configure NATing so that they appear as coming from the VIP.
This work is normally done for you by inspect ftp. But you can't use it here.
Gilles.
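The job that inspect ftp normally does on the control channel, and why it cannot do it once that channel is TLS-encrypted, as an added Python illustration for this thread (not ACE configuration and not code from any poster). It parses a server's 227 PASV reply and a client's PORT command, rewrites the server's real address in the PASV reply to the VIP, and hands back the data-channel endpoint the load balancer would have to open a pinhole for; fed a TLS record instead of clear text, the same parser finds nothing, which is the situation on an FTPS control channel. All addresses, FTP lines and TLS bytes are constructed samples.

```python
"""Model of FTP control-channel inspection (what 'inspect ftp' does) and
of its failure on an encrypted (FTPS) control channel.

Added illustration; not ACE code. Every sample value is constructed.
"""
import re

# Server reply after PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(rb"^(227 .*?\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\).*)$")
# Client command: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(rb"^(PORT )(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def _encode(ip, port):
    """("a.b.c.d", port) -> b"a,b,c,d,p1,p2"."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


def rewrite_pasv(line, real_ip, vip):
    """Rewrite the real server address in a 227 reply to the VIP.

    Returns (rewritten_line, (real_ip, data_port)); the tuple is what the
    load balancer needs to map the client's upcoming data connection to the
    VIP back onto the real server. Returns (line, None) when the line is not
    a parsable PASV reply advertising real_ip.
    """
    m = PASV_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return line, None
    ip, port = _decode([g.decode() for g in m.groups()[1:7]])
    if ip != real_ip:
        return line, None
    rewritten = m.group(1) + _encode(vip, port) + m.group(8) + b"\r\n"
    return rewritten, (real_ip, port)


def parse_port(line):
    """Return (client_ip, client_port) from a PORT command, else None.

    In active mode the real server connects out to this endpoint; without
    inspection that connection has to be source-NATed to the VIP by a
    separate NAT rule, because nothing here can tell the LB to expect it.
    """
    m = PORT_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    return _decode([g.decode() for g in m.groups()[1:7]])


def inspect_control_line(line, real_ip, vip):
    """One control-channel line through the inspector.

    Returns ("pasv", rewritten_line, endpoint), ("port", line, endpoint) or
    None when the bytes carry no parsable FTP command, which is exactly what
    an inspector sees once the control channel has been wrapped in TLS.
    """
    rewritten, endpoint = rewrite_pasv(line, real_ip, vip)
    if endpoint is not None:
        return "pasv", rewritten, endpoint
    endpoint = parse_port(line)
    if endpoint is not None:
        return "port", line, endpoint
    return None


# Constructed samples: a real server behind a VIP, one reply, one command,
# and a TLS application-data record (content type 0x17, version 0x0303)
# standing in for an FTPS control channel.
REAL_SERVER = "10.1.1.20"
VIP = "203.0.113.10"
PASV_REPLY = b"227 Entering Passive Mode (10,1,1,20,195,80).\r\n"
PORT_CMD = b"PORT 192,168,5,7,4,1\r\n"
TLS_RECORD = b"\x17\x03\x03\x00\x10" + b"\x8f" * 16


def demo():
    results = {}
    for name, line in (("pasv", PASV_REPLY), ("port", PORT_CMD), ("tls", TLS_RECORD)):
        results[name] = inspect_control_line(line, REAL_SERVER, VIP)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clear-text cases come back with the rewritten reply and the data-channel endpoint; the TLS record comes back as None, and that is the whole difficulty: with nothing to parse, the load balancer cannot learn the data ports or rewrite the addresses, so the thread's fallback of source-IP stickiness, a catch-all (or forced port 20) data port range, and an explicit source-NAT rule for server-initiated connections is what remains.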
07-08-2009 09:05 AM
So that means I don't have to import any certificates as such in ACE. Is that right?