cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2206
Views
0
Helpful
1
Replies
Highlighted

SFTP over WSA S370 ironport

Hello,

 

Can any one tell me if it is possible to allow SFTP Flow over a WSA S370 Ironport .

 

And if it's possible how can I do it ?

 

Thank you in advance.

 

Regards

1 REPLY 1
Highlighted
Cisco Employee

Hi,

 

SFTP currently is not natively supported in WSA, we do have a feature request on this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCzv35912

 

However, WSA can configure for WSA to only perform Connect Tunnelling for it:

SFTP (SSH File Transfer Protocol)

The whole communication is using only a single port (22). Therefore like scp a SFTP client will try to connect on port 22 to the server. If a proxy is in between, the following will happen:The SFTP client will be configured to use the normal Web Proxy, not the
FTP Proxy, for example it will send a CONNECT <SFTP server URL>:22 to the WSA on port 3128 (default Web Proxy port).

To allow the traffic, the WSA must be configured as follows:

- The corresponding access policy must allow connects to port 22 and the WSA must be allowed to establish connections to that destination URL/IP and port (Access Policy -> Protocols and User Agents column -> HTTP CONNECT Ports -> make sure port 22 is listed there.
- The traffic must be passed through since it's non standard HTTPS traffic
- You must allow tunnelling of non-standard HTTPS traffic (CLI > advancedproxyconfig > miscellaneous)