FTPs Reverse Proxy with UTM possible and if yes, how?

Hi everybody,

We have a Sophos UTM 9 running in our company. It has a wildcard certificate installed for our domain and subdomain (*.company.com).

At the moment, we have (amongst others) a subdomain ftp.company.com which has firewall and DNAT rules in the UTM for all traffic arriving at port 21 to be transferred to our internal FTP server installed as an IIS role. BUT this only works for unencrypted (non-SSL) traffic.

What I want to do is use the UTM as a reverse FTPs proxy to "ssl unwrap" the incoming FTPs traffic by using our wildcard certificate and then send the "regular" traffic to the FTP server.

Is this technically - and specifically with the UTM - possible?

I have searched the forum and found a lot of information regarding FTPs traffic coming from within the firewalled network but not from outside.

Thank you for your help!

Regards, Ken

  • Hallo Ken and welcome to the UTM Community!

    There is no reverse FTP proxy available.  I would modify your DNAT by replacing the FTP service with a Services Group containing FTP and FTPS, being careful to not violate #5 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob, please excuse the delay and thank you for your answer. Do you know if this feature is planned at some point? Also, if I understand correctly, your solution would require the IIS to be outfitted with an SSL certificate. Regards, Ken

  • In reply to chronowerx:

    To my knowledge, Ken, there's no plan to add a reverse FTP proxy in either UTM or XG.  Perhaps a Sophos employee will see this thread and comment one way or the other.

    Yes, UTM can't do the SSL "unwrapping" of inbound FTPS.

    Cheers - Bob

  • In reply to BAlfson:

    Alright. I've signed the (admittedly not very active) petition at ideas.sophos.com/.../397649-networking-reverse-proxy-for-ftp and will hope for the best. Thanks for your help!