Setup Client for remote ftp server with FTP over SSL Explicit

Hi, I am trying to set up a site. The remote site setup is "FTP over SSL Explicit". I did that on the "General" sector of the "properties" for the new site. The login type of the remote site is "Username and Password".
The setup is:

Client -> internal BlueCoat proxy (socks) -> external DMZ BlueCoat (socks) -> firewall ->internet -> remote ftp server (FTP over SSL Explicit)

Internal BlueCoat proxy server will perform user authentication for Internet access.

The other changes that I made are:

1. Under Connection -> Proxy -> Type "Socks 5". In "Setting", I put in the IP address of the BlueCoat proxy server (v5.x) with port 1080 and enabled "Login to Proxy/Firewall" with my corporate proxy server username and password.
2. Under FTP -> Connection, I chose "Passive Mode (PASV)" of Data Connection -> Mode and changed Force PASV IP to "Enable".
3. Under FTP -> Connection -> Proxy, if I chose "Use Default Settings" or "SITE hostname" under Type with the same setting for the proxy as above.

From internal BlueCoat proxy server log, I saw the traffic hits the proxy server but not DMZ proxy server.
If I change the setting in step 3 to "Transparent", I see the traffic hit the internal and DMZ proxies, the firewall and the remote ftp server, but the login name sent to the remote ftp server is my proxy login ID, not the one assigned by the remote ftp server.
The PC that has the licensed SmartFTP client had an expired evaluation copy installed before. I noticed that once an expired copy is installed and the evaluation copy of the client software is then upgraded, it won't work. I installed an evaluation copy of SmartFTP on a PC that never had SmartFTP installed and it works. Is this true? How do I clean my PC? What is wrong with my setting? Can anyone help me? Thanks.

I'm sorry but I'm unaware of your network setup (it looks overcomplicated to me) and therefore cannot help you.

>Licensing problem
You have ordered the license through SHI and they have mistakenly entered their email address into the license key and not yours. So please contact SHI and ask them to send us a request to change the email in your license key and we can email you the license key.

Regards,
Mat

Hi, Mat

We will work with SHI to fix the license problem.

I just tried without proxy which the ftp client has direct connection to the remote ftp server and I got the below connection log:

[11:05:33] SmartFTP v3.0.1023.1
[11:05:34] Resolving host name "38.103.154.53"
[11:05:34] Connecting to 38.103.154.53 Port: 21
[11:05:38] Connected to 38.103.154.53.
[11:05:41] 220 (vsFTPd 2.0.5)
[11:05:41] AUTH TLS
[11:05:45] 234 Proceed with negotiation.
[11:05:45] Connected. Exchanging encryption keys...
[11:05:51] Session Cipher: 168 bit 3DES
[11:06:06] TLS encrypted session established.
[11:06:06] PBSZ 0
[11:06:08] 200 PBSZ set to 0.
[11:06:08] USER mexx
[11:06:09] 331 Please specify the password.
[11:06:09] PASS (hidden)
[11:06:11] 230 Login successful.
[11:06:11] SYST
[11:06:12] 215 UNIX Type: L8
[11:06:13] Detected Server Type: UNIX
[11:06:13] FEAT
[11:06:14] 211-Features:
[11:06:14] AUTH SSL
[11:06:15] AUTH TLS
[11:06:15] EPRT
[11:06:15] EPSV
[11:06:15] MDTM
[11:06:15] PASV
[11:06:15] PBSZ
[11:06:15] PROT
[11:06:15] REST STREAM
[11:06:15] SIZE
[11:06:16] TVFS
[11:06:16] 211 End
[11:06:16] PWD
[11:06:16] 257 "/"
[11:06:17] TYPE A
[11:06:18] 200 Switching to ASCII mode.
[11:06:18] PROT P
[11:06:18] 200 PROT now Private.
[11:06:18] PASV
[11:06:19] 227 Entering Passive Mode (10,201,1,13,35,242)
[11:06:19] Passive ip address returned from server different from server ip.
[11:06:19] Opening data connection to 10.201.1.13 Port: 9202
[11:06:19] LIST -aL
[11:06:40] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
[11:07:20] 425 Failed to establish connection.
[11:07:20] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".
[11:07:21] PORT 192,168,1,46,5,24
[11:07:22] 500 Illegal PORT command.
[11:07:52] NOOP
[11:07:53] 200 NOOP ok.
[11:08:23] NOOP
[11:08:24] 200 NOOP ok.
[11:08:35] PORT 192,168,1,46,5,47
[11:08:36] 500 Illegal PORT command.
[11:09:06] NOOP
[11:09:07] 200 NOOP ok.
[11:09:37] NOOP
[11:09:38] 200 NOOP ok.
[11:10:08] NOOP
[11:10:09] 200 NOOP ok.
[11:10:39] NOOP
[11:10:40] 200 NOOP ok.
[11:11:10] NOOP
[11:11:12] 200 NOOP ok.

It repeats with the above message.


I also tried CuteFTP without proxy server and which is recommended by the remote ftp server admin and it logs into remote server:

*** CuteFTP 8.3 - build Aug 25 2008 ***
STATUS:> [9/29/2008 11:21:39 AM] Getting listing ""...
STATUS:> [9/29/2008 11:21:39 AM] Connecting to FTP server... 38.103.154.53:21 (ip = 38.103.154.53)...
STATUS:> [9/29/2008 11:21:41 AM] Socket connected. Waiting for welcome message...
[9/29/2008 11:21:43 AM] 220 (vsFTPd 2.0.5)
STATUS:> [9/29/2008 11:21:43 AM] Connected. Authenticating...
COMMAND:> [9/29/2008 11:21:43 AM] AUTH SSL
[9/29/2008 11:21:45 AM] 234 Proceed with negotiation.
STATUS:> [9/29/2008 11:21:45 AM] Establishing SSL session...
STATUS:> [9/29/2008 11:21:45 AM] Initializing SSL module.
STATUS:> [9/29/2008 11:21:45 AM] Connected. Exchanging encryption keys...
Session Cipher: None
STATUS:> [9/29/2008 11:21:49 AM] SSL Connect time: 3906 ms.
STATUS:> [9/29/2008 11:21:49 AM] SSL encrypted session established.
COMMAND:> [9/29/2008 11:21:49 AM] PBSZ 0
[9/29/2008 11:21:52 AM] 200 PBSZ set to 0.
COMMAND:> [9/29/2008 11:21:52 AM] USER mexx
[9/29/2008 11:21:53 AM] 331 Please specify the password.
COMMAND:> [9/29/2008 11:21:53 AM] PASS *****
[9/29/2008 11:21:55 AM] 230 Login successful.
STATUS:> [9/29/2008 11:21:55 AM] Login successful.
COMMAND:> [9/29/2008 11:21:55 AM] PWD
[9/29/2008 11:21:57 AM] 257 "/"
STATUS:> [9/29/2008 11:21:57 AM] Home directory: /
COMMAND:> [9/29/2008 11:21:57 AM] FEAT
[9/29/2008 11:22:01 AM] Informational Message Only:
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
STATUS:> [9/29/2008 11:22:01 AM] This site supports features.
STATUS:> [9/29/2008 11:22:01 AM] This site supports SIZE.
STATUS:> [9/29/2008 11:22:01 AM] This site can resume broken downloads.
COMMAND:> [9/29/2008 11:22:01 AM] REST 0
[9/29/2008 11:22:03 AM] 350 Restart position accepted (0).
COMMAND:> [9/29/2008 11:22:03 AM] PBSZ 0
[9/29/2008 11:22:05 AM] 200 PBSZ set to 0.
COMMAND:> [9/29/2008 11:22:05 AM] PROT P
[9/29/2008 11:22:07 AM] 200 PROT now Private.
COMMAND:> [9/29/2008 11:22:07 AM] PASV
[9/29/2008 11:22:11 AM] 227 Entering Passive Mode (10,201,1,13,35,244)
STATUS:> [9/29/2008 11:22:11 AM] Substituting received PASV address 10.201.1.13 to server address 38.103.154.53.
COMMAND:> [9/29/2008 11:22:11 AM] LIST
STATUS:> [9/29/2008 11:22:11 AM] Connecting FTP data socket... 38.103.154.53:9204...
[9/29/2008 11:22:15 AM] 150 Here comes the directory listing.
STATUS:> [9/29/2008 11:22:15 AM] Connected. Exchanging encryption keys...
Session Cipher: None
STATUS:> [9/29/2008 11:22:18 AM] SSL Connect time: 3000 ms.
STATUS:> [9/29/2008 11:22:18 AM] SSL encrypted session established.
[9/29/2008 11:22:20 AM] 226 Directory send OK.
STATUS:> [9/29/2008 11:22:20 AM] Directory listing completed.

Do you know why? Thanks.

Hello ..

Yes enable the [x] Force PASV IP option in the favorite settings:
1. Menu: Favorites->Edit Favorites
2. Locate your favorite. Look in the Quick Connect folder
3. Right-click on the favorite
4. Select Properties from the context menu
5. Go to the FTP->Connection dialog
6. Set the Force PASV IP option to Enable

Regards,
Mat

Thanks, Matt, that works without proxy. Next I need to make it work through socks (v5) proxy servers (layered). When I initially tested SmartFTP for another ftp site with the same proxy server settings, SmartFTP worked so we purchased the license. Do you have any suggestions, Matt?

Where does it fail? Can you post the log?
Does it work with another FTP client?

Hi, Matt

I tried and I saw the following messages:

[13:27:52] Connecting to 38.103.154.53 Port: 21
[13:27:52] Proxy: Connecting to SOCKS5 proxy server 156.146.99.19 Port: 1080
[13:27:52] Proxy: Connected to proxy server. Sending connection request.
[13:27:53] Connected to 38.103.154.53.
[13:28:53] 220 (vsFTPd 2.0.5)
[13:28:53] AUTH TLS
[13:28:53] 234 Proceed with negotiation.
[13:28:53] Connected. Exchanging encryption keys...
[13:28:53] Session Cipher: 168 bit 3DES
[13:28:53] TLS encrypted session established.
[13:28:53] PBSZ 0
[13:28:53] 200 PBSZ set to 0.
[13:28:53] USER mexx
[13:28:53] 331 Please specify the password.
[13:28:53] PASS (hidden)
[13:28:53] 230 Login successful.
[13:28:53] SYST
[13:28:53] 215 UNIX Type: L8
[13:28:54] Detected Server Type: UNIX
[13:28:54] FEAT
[13:28:54] 211-Features:
[13:28:54] AUTH SSL
[13:28:54] AUTH TLS
[13:28:54] EPRT
[13:28:54] EPSV
[13:28:54] MDTM
[13:28:54] PASV
[13:28:54] PBSZ
[13:28:54] PROT
[13:28:54] REST STREAM
[13:28:54] SIZE
[13:28:54] TVFS
[13:28:54] 211 End
[13:28:54] PWD
[13:28:54] 257 "/"
[13:28:54] TYPE A
[13:28:54] 200 Switching to ASCII mode.
[13:28:54] PROT P
[13:28:54] 200 PROT now Private.
[13:28:54] PASV
[13:28:54] 227 Entering Passive Mode (10,201,1,13,35,244)
[13:28:54] Proxy: Resolving host name 156.146.99.19
[13:28:54] Opening data connection to 10.201.1.13 Port: 9204
[13:28:54] Proxy: Connecting to SOCKS5 proxy server 156.146.99.19 Port: 1080
[13:28:54] LIST -aL
[13:28:55] Proxy: Connected to proxy server. Sending connection request.
[13:28:55] Connected. Exchanging encryption keys...
[13:29:55] 425 Failed to establish connection.
[13:29:55] 0 bytes transferred. (0 bytes/s) (00:01:00)
[13:29:55] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".
[13:29:55] PASV
[13:29:55] 227 Entering Passive Mode (10,201,1,13,35,241)
[13:29:55] Proxy: Resolving host name 156.146.99.19
[13:29:55] Opening data connection to 10.201.1.13 Port: 9201
[13:29:55] Proxy: Connecting to SOCKS5 proxy server 156.146.99.19 Port: 1080
[13:29:55] LIST -aL
[13:29:55] Proxy: Connected to proxy server. Sending connection request.
[13:29:55] Connected. Exchanging encryption keys...
[13:30:55] Timeout (60s).
[13:30:55] Active Help: https://www.smartftp.com/support/kb/74
[13:30:55] Client closed the connection.

I don't know where the IP address 10.201.1.13 is coming from in the log for the destination IP.
For the other ftp client, it logs in and prompted me for the password which should not since it is similar as SmartFTP which I put in the user name and password already. I typed in the password but it kept to prompt me for the password. Thanks.

The main problem is the IP address returned by vsftpd. You have to set up your FTP server to return the WAN IP address (38.103.154.53) and not the internal IP address (10.201.1.13).

Try the latest version:
https://www.smartftp.com/download

The Force PASV IP option now works for SOCKS and HTTP proxies as well. This might solve the problem you have.

Regards,
Mat
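
Added example (not part of any post in this thread, and not SmartFTP's or CuteFTP's code): it decodes the 227 replies from the logs above and shows which data-connection target results with and without a "Force PASV IP"-style substitution. The names parse_pasv, data_endpoint and force_pasv_ip are illustrative assumptions.

```python
import ipaddress
import re

# 227 reply body per RFC 959: (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

# 227 replies copied from the SmartFTP logs on this page
PAGE_REPLIES = [
    "227 Entering Passive Mode (10,201,1,13,35,242)",
    "227 Entering Passive Mode (10,201,1,13,35,244)",
    "227 Entering Passive Mode (10,201,1,13,35,241)",
]

def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_endpoint(reply, control_ip, force_pasv_ip):
    """Pick the data-connection target; returns (host, port, reason)."""
    host, port = parse_pasv(reply)
    if host == control_ip:
        return host, port, "advertised address matches control connection"
    adv = ipaddress.ip_address(host)
    if force_pasv_ip:
        # Keep only the port; reuse the address the control channel reached.
        # The client then never connects to a host named by the server.
        return control_ip, port, "substituted %s for advertised %s" % (control_ip, host)
    if adv.is_private and not ipaddress.ip_address(control_ip).is_private:
        return host, port, "private address advertised by a public server; expect a timeout"
    return host, port, "advertised address differs from control connection"

if __name__ == "__main__":
    for reply in PAGE_REPLIES:
        for force in (False, True):
            print(force, data_endpoint(reply, "38.103.154.53", force))
```

The decoded ports (9202, 9204, 9201) match the "Opening data connection" lines in the logs. With substitution enabled the target becomes 38.103.154.53 on the same port, as in the CuteFTP log.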

Thanks, Matt

After the remote ftp server side removed their internal IP address, the SmartFTP client on my PC can access the ftp server. I have another question though. Earlier today when I launched the client to access the site, it retried 9 times and timed out. On the 10th retry to connect to the ftp server, it succeeded. On my BlueCoat proxy servers (Socks 5) and firewall, I could see that the traffic had been sent out to the remote ftp server. On the ftp client, I don't see much information in the log as to why there were so many failed or timed out connections:

[11:18:17] SmartFTP v3.0.1022.44
[11:18:19] Resolving host name "38.103.154.53"
[11:18:19] Proxy: Resolving host name 156.146.99.19
[11:18:19] Connecting to 38.103.154.53 Port: 21
[11:18:19] Proxy: Connecting to SOCKS5 proxy server 156.146.99.19 Port: 1080
[11:18:19] Proxy: Connected to proxy server. Sending connection request.
[11:18:19] Connected to 38.103.154.53.
[11:19:19] Timeout (60s).
[11:19:19] Active Help: https://www.smartftp.com/support/kb/74
[11:19:19] Client closed the connection.
[11:19:19] Connect failed. Waiting to retry (30s)...
[11:19:24] Aborted by user.

I just downloaded the latest version. Earlier test was with the version 3.0.1022.15.

Doesn't look like a problem with SmartFTP.

Hi, Matt

I changed "Connection time out" from the default 60 seconds to 120 seconds and it seemed a lot better at connecting to the remote site.