Cisco Support Community

Cisco ACE 4710

Hi,

Can we offload SSL for FTP onto ACE, like we do for HTTPS? I need to configure ACE where I want the clients to connect to ACE via FTPS (989, 990), and ACE in turn connects to the FTP server via normal FTP (20, 21).

8 REPLIES
Cisco Employee

Re: Cisco ACE 4710

This is currently not possible because the connection starts in the clear and is then negotiated to be encrypted.

We can't switch from one mode to the other.

Gilles.

Re: Cisco ACE 4710

Any workaround?

I really need to load balance FTPS with ACE. Is it possible if the servers have FTPS configured and we load balance the servers on ports 989 and 990? Just making sure that FTPS is not natively supported and I won't find any "inspect ftps" either, like "inspect ftp" when configuring FTP LB, right?

Cisco Employee

Re: Cisco ACE 4710

You can use inspect ftp on any port.

But if the client or server negotiates SSL, the connection will fail.

If you want to LB FTP and keep the SSL feature, your only solution is to not use inspection.

But then we can NAT the info inside the FTP control channel, which some clients/servers do not like.

Gilles.

Re: Cisco ACE 4710

OK... but I am not clear on the last part, "NAT the info inside the FTP control channel". Could you please explain how to go about this?

And if I go for this scenario, do I have to import any SSL certificates onto the ACE?

Cisco Employee

Re: Cisco ACE 4710

Sorry, I meant "we can't"!!

G.

Re: Cisco ACE 4710

So can I conclude that I can go forward and configure FTPS the same way I configure LB for other servers/ports, but it may not work for some clients?

And do I need to import SSL certificates into ACE for that?

Cisco Employee

Re: Cisco ACE 4710

Yes, you can configure it like any other L4 rule, except you need to take into account that the client and the server can open data connections.

These connections from the clients need to be sent to the appropriate server and be NATed if sent to the VIP.

So, you need source-IP sticky, and you need to catch all possible ports or force your servers to use port 20.

Same for the connections opened by the servers. You need to configure NATing so that they appear as coming from the VIP.

This work is normally done for you by inspect ftp. But you can't use it here.

Gilles.
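Putting Gilles's two answers together (no inspect ftp on the FTPS traffic, source-IP stickiness, the VIP catching the data ports, and NAT so that server-opened connections appear to come from the VIP), the following ACE configuration is an added illustration and is not configuration posted in this thread or supplied by Cisco. All names, addresses, VLAN numbers and the passive port range 50000-50100 are assumptions; the range has to match the passive-port range configured on the FTP servers, and the servers must be set to announce the VIP (not their own address) in PASV replies, because ACE cannot rewrite that reply once the control channel is encrypted.

```text
! Real servers running FTPS (addresses are constructed for this example)
rserver host FTPS_SRV1
  ip address 10.10.10.11
  inservice
rserver host FTPS_SRV2
  ip address 10.10.10.12
  inservice

serverfarm host FTPS_FARM
  rserver FTPS_SRV1
    inservice
  rserver FTPS_SRV2
    inservice

! Source-IP stickiness: the control connection (990) and every data
! connection the same client opens must land on the same server,
! since ACE cannot read the encrypted control channel to correlate them.
sticky ip-netmask 255.255.255.255 address source FTPS_STICKY
  timeout 30
  serverfarm FTPS_FARM

! VIP catching the control ports and the passive data port range.
! The range 50000-50100 is an assumption and must match the servers.
class-map match-any FTPS_VIP
  2 match virtual-address 192.0.2.10 tcp eq 990
  3 match virtual-address 192.0.2.10 tcp eq 989
  4 match virtual-address 192.0.2.10 tcp range 50000 50100

policy-map type loadbalance first-match FTPS_LB
  class class-default
    sticky-serverfarm FTPS_STICKY

! Client-side policy: a plain L4 rule, deliberately without "inspect ftp",
! because inspection fails as soon as the session negotiates TLS.
policy-map multi-match CLIENT_POLICY
  class FTPS_VIP
    loadbalance vip inservice
    loadbalance policy FTPS_LB

! Server-side policy: connections the servers open toward clients
! (active-mode data) are source-NATed to the VIP address.
class-map match-all FTP_SERVERS_OUT
  2 match source-address 10.10.10.0 255.255.255.0

policy-map multi-match SERVER_POLICY
  class FTP_SERVERS_OUT
    nat dynamic 1 vlan 100

! Client-facing VLAN: holds the NAT pool (the VIP address) and the VIP policy
interface vlan 100
  description client side
  ip address 192.0.2.1 255.255.255.0
  nat-pool 1 192.0.2.10 192.0.2.10 netmask 255.255.255.255 pat
  service-policy input CLIENT_POLICY
  no shutdown

! Server-facing VLAN: applies the outbound NAT policy
interface vlan 200
  description server side
  ip address 10.10.10.1 255.255.255.0
  service-policy input SERVER_POLICY
  no shutdown
```

No certificate is imported on the ACE in this design: TLS runs end to end between client and server, and the ACE only forwards TCP. The price, as Gilles notes, is that any client which insists on the active-mode data connection arriving from port 20, or on the PASV address matching the control-channel peer, may still fail, since PAT changes the source port and nothing on the ACE can correct the encrypted PASV reply. Verify the exact command syntax against the command reference for the ACE software release in use.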

Re: Cisco ACE 4710

So that means I don't have to import any certificates as such into ACE. Is that right?
