SFTP over WSA S370 ironport

youssef.ghoulab · ‎11-28-2017

Hello,

Can any one tell me if it is possible to allow SFTP Flow over a WSA S370 Ironport .

And if it's possible how can I do it ?

Thank you in advance.

Regards

Handy Putra · ‎12-27-2017

Hi,

SFTP currently is not natively supported in WSA, we do have a feature request on this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCzv35912

However, WSA can configure for WSA to only perform Connect Tunnelling for it:

SFTP (SSH File Transfer Protocol)

The whole communication is using only a single port (22). Therefore like scp a SFTP client will try to connect on port 22 to the server. If a proxy is in between, the following will happen:The SFTP client will be configured to use the normal Web Proxy, not the
FTP Proxy, for example it will send a CONNECT <SFTP server URL>:22 to the WSA on port 3128 (default Web Proxy port).

To allow the traffic, the WSA must be configured as follows:

- The corresponding access policy must allow connects to port 22 and the WSA must be allowed to establish connections to that destination URL/IP and port (Access Policy -> Protocols and User Agents column -> HTTP CONNECT Ports -> make sure port 22 is listed there.
- The traffic must be passed through since it's non standard HTTPS traffic
- You must allow tunnelling of non-standard HTTPS traffic (CLI > advancedproxyconfig > miscellaneous)