Secure FTP Communications and NetScaler Appliance

Article ID: CTX120302

Description

There are several methods to secure data transmissions through a NetScaler appliance. Each method has advantages and challenges. This article describes the various secured File Transfer Protocol (FTP) communications and their behavior with NetScaler appliance.

Requirements

A properly configured NetScaler appliance and a backend FTP server that is properly configured for the data transfer type. For true FTP connections, you need an FTP server, and for SFTP the server must serve SSH FTP sessions (using port 22).

Background

When FTP was originally proposed, securing the data and control channels was not considered necessary, because the network at that time was assumed to consist of trusted systems. Securing FTP sessions became critical once the data being transferred was sensitive. Three different protocols have been developed to satisfy this security requirement.

FTPS

FTPS layers either SSL or TLS on top of the original FTP protocol. An FTPS server operates in either implicit or explicit mode. Implicit mode does not allow a client that is not FTPS-aware to connect. Explicit mode remains compatible with clients that are not FTPS-aware, and requires the client to explicitly request the channel or channels to be secured.

Because the data channel is connected to a dynamic port, NAT and firewall devices generally have a problem with FTPS when the control channel is encrypted: they cannot read the control stream to determine which port to open for the data traffic. In general, the only solution is to open all possible data ports, which is not a good security policy and is particularly tedious on the NetScaler appliance, because you must define VIP addresses and services for each possible port in order to secure both the control and data channels. However, if only the data channel requires encryption, it is possible to define the resource on the NetScaler appliance as type FTP. This only works in explicit mode, because implicit mode requires both channels to be encrypted. The only way to encrypt both the data and control channels is to open all possible data ports, and this configuration is not recommended. See the section on SFTP for a better, more supportable method to secure file transfers.

SFTP

SFTP is not actually related to the FTP protocol, but is included here because it is an easy way to define a secure path for file transfers. SFTP is the SSH File Transfer Protocol, and uses the SSH port 22 in typical configurations. Setting up an SFTP resource on the NetScaler appliance is very simple: a VIP and a Service on port 22. The NetScaler appliance does not have to understand the traffic; the appliance just needs to let the traffic pass through it unchanged.

The NetScaler configuration to pass SFTP through the appliance is similar to the following commands, which create a VIP at 10.217.148.231 that forwards to the backend server 10.217.148.108.

add service SFTP 10.217.148.108 TCP 22
add lb vserver SFTPVip TCP 10.217.148.231 22
bind lb vserver SFTPVip SFTP

FTP over SSH

FTP over SSH tunnels normal FTP traffic over an SSH connection. It is not widely used, because the tunnel must also carry the dynamic port used for the data connection, which is complicated to set up; in practice it is rarely seen. The NetScaler appliance cannot support this setup without opening all possible data ports, and this is not recommended.

Additional Resources

SFTP uses a secured communication channel on port 22. In contrast, FTP in active mode starts with the client opening a dynamic port for the data channel and communicating that port to the server over the control channel. The server then connects from server port 20 to that client port. In passive mode the server opens the dynamic port and tells the client, and the client connects to it from a local dynamic port. Network Address Translation (NAT) devices and firewalls have problems with the dynamic port if they cannot interpret the control stream.
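The reason a NAT device or firewall must be able to read the FTP control stream, shown as an added illustration that is not part of the original article: a small Python inspector that extracts the dynamic data endpoint from a cleartext PORT command (active mode) or a 227 PASV reply (passive mode), and goes blind once the server has accepted AUTH TLS, which is the encrypted-control-channel FTPS case described above. The sample control-channel lines and the client address 10.217.148.50 are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample control-channel lines (not from the article).
SAMPLE_PORT_CMD = "PORT 10,217,148,50,195,80"                       # active mode, sent by client
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,217,148,108,195,81)."  # passive mode, sent by server

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command or 227 reply, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


class ControlChannelInspector:
    """What an FTP-aware NAT/firewall does: watch the cleartext control channel
    to learn which dynamic data endpoint to open.  After AUTH TLS is accepted
    (234 reply) every later line is ciphertext, so nothing more can be learned."""

    def __init__(self) -> None:
        self.encrypted = False
        self.pending_auth = False
        self.data_endpoints: List[Tuple[str, int]] = []  # endpoints a firewall would pin-hole

    def feed(self, line: str, from_client: bool) -> Optional[Tuple[str, int]]:
        if self.encrypted:
            return None  # opaque after the TLS handshake; the data port is unknown
        if from_client and line.upper().startswith("AUTH TLS"):
            self.pending_auth = True
            return None
        if not from_client and self.pending_auth and line.startswith("234"):
            self.encrypted = True
            return None
        if from_client and line.upper().startswith("PORT "):
            ep = decode_hostport(line)
        elif not from_client and line.startswith("227"):
            ep = decode_hostport(line)
        else:
            return None
        if ep:
            self.data_endpoints.append(ep)
        return ep
```

Feeding the inspector a PORT command before AUTH TLS yields the endpoint to open; feeding it a PASV reply after the 234 acknowledgement yields nothing, which is exactly the situation that forces "open all possible data ports".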
