Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Connecting through a Firewall with Reflection FTP Client
Technical Note 1059
Last Reviewed 10-Aug-2007
Applies To
Reflection FTP Client version 12.0 or higher
Summary

This technical note explains how to configure Reflection FTP Client to connect through different types of firewalls.

The Reflection FTP Client is a component of many Reflection products and suites. For information about Reflection Suites components, see Technical Note 3000.

Background

A firewall is a network security device used to protect organizations from unauthorized connections. Firewalls can be configured to restrict FTP file transfers in various ways, depending on the vendor and configuration. For example, some firewalls can be configured to support FTP transfers in a way that is transparent to users. Other firewalls, however, are more restrictive and allow only pre-authenticated and/or passive-mode FTP connections.

FTP Connections

The FTP protocol establishes two distinct connections between the FTP client and FTP server:

  • The control connection is initiated by the client and is used to manage the session
  • The data connection is typically initiated by the server and is used for transferring files and directory listings

Some firewalls may block the inbound FTP data connection from the server, while others may block both the inbound and outbound connections.

Identifying the Presence of a Firewall

The following symptoms may indicate that a firewall is blocking FTP connections:

  • Users can transfer files to and from intranet FTP servers but cannot connect to Internet FTP servers.
  • Users can connect and log in to the FTP server; however, they receive a 425 error and/or cannot see a directory listing or perform a file transfer.
  • Users cannot connect or log in to the FTP server.
  • Users cannot perform file transfers with Reflection but can access files from a web browser such as Microsoft Internet Explorer or Netscape Navigator using the following syntax: ftp://<FTP Server>

If you are experiencing any of the above symptoms or you suspect that there is a firewall between Reflection and the FTP server you are attempting to connect to, check with the network administrator to determine the type of firewall and how it is configured. Then, use the instructions below to configure Reflection FTP Client to connect to your FTP server through the firewall.

If you are unable to determine the firewall configuration, you still may be able to establish an FTP connection by experimenting with the various configurations described below.

Passive Mode FTP

Passive mode FTP transfers use only outward connections for both control and data connections. If you suspect your firewall is blocking inbound connections, follow the steps below to configure Reflection FTP Client for passive mode connections.

  1. Start Reflection FTP Client.
  2. On the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. In the Site Properties dialog box, click the Connection tab and then select the Use passive mode check box.
  4. Click OK, and then retry your FTP connection.

SOCKS Proxy Server Firewalls

SOCKS proxy servers use the SOCKS protocol between the FTP client and the proxy server. Reflection FTP Client includes support for SOCKS V4 servers. SOCKS V5 servers are supported only when they are configured to use V4 features.

To configure Reflection FTP Client to support a SOCKS proxy server, follow the steps below that correspond to your version of Reflection.

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. In the Site Properties dialog box, click the General tab, and then click Security.
  4. Select the SOCKS tab, select the Use SOCKS check box, and then click Configure.
  5. Enter the IP address of your SOCKS proxy server.
  6. Click OK three times to close all of the dialog boxes, and then retry your connection.

See the online help for more information about configuring Reflection for multiple SOCKS proxy servers.

Common FTP Passthrough Server Firewalls

Passthrough servers differ from other proxy servers in that they use the FTP protocol to communicate between the FTP client and the firewall. To configure Reflection FTP Client to support common FTP Passthrough servers, follow the steps below.

  1. Start Reflection FTP Client.
  2. On the Connection menu, click Connect. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. Click the Security button on the General tab.
  4. On the Firewall tab, select the Use Firewall check box.
  5. SITE servername and username@servername are available in the Style drop-down list.
  6. In the Passthrough server dialog box, enter your firewall host name or IP address in the Server name field.
  7. Enter your firewall user name and password, if required. Select the Save passthrough password check box to avoid entering the password on future connections.
  8. If you are using the "username@servername" style and your passthrough server requires a login before the USER command, select the Passthrough authentication check box.
  9. Click OK to close all of the dialog boxes, and then retry your connection.

Additional Firewall Support in Reflection FTP Client

Beginning in Reflection FTP Client version 10.0, support for other styles of firewall has been added: USER-PASS-ACCT, Transparent, and Challenge/Response. For detailed information about Firewall styles, search the FTP Client online help topic index for "Style."

Uncommon FTP Passthrough Server Firewalls

There is no industry-standardized format for connecting through an FTP passthrough server. Because of the wide variation in authentication methods, you may need to experiment with the information you enter in the passthrough server and general site properties fields in Reflection.

For example, you may need to enter your firewall user name instead of your FTP server user name on the General tab of the Site Properties. Consult your firewall documentation for the required syntax.

HTTP Proxy Server Firewalls

Firewalls that support HTTP proxy connections require client applications to use the Web HTTP protocol and to understand HTML. Reflection FTP Client does not support this type of proxy. Contact your network administrator to determine if your firewall can be configured to support SOCKS or FTP passthrough proxy connections instead of or in addition to the HTTP proxy.

Related Technical Notes
1176 Reflection FTP Client Technical Notes
1188 Basic Troubleshooting for the Reflection FTP Client

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.