Re: WSA Protocols and User Agents: HTTP CONNECT Ports

cpaquet · ‎08-23-2019

When ports are listed under HTTP CONNECT ports, the WSA passes the HTTP traffic without evaluating it.

So:

1. What would be a good reason to have port 20/21 listed under HTTP Connect Ports?

2. If port 20/21 is listed under HTTP Connect ports, then browser-based FTP traffic wouldn't be checked against AV, AMP, etc, right?

Thanks.

Handy Putra · ‎08-25-2019

Hi,

In FTP over HTTP (or you can say we are doing FTP on the internet browser (HTTP) that using CONNECT port in Access Policies), the client establishes an http connection to the proxy, and the proxy then subsequently establishes a FTP connection to the remote server. When the client talks to the WSA it encapsulates the FTP information in http packets and sends them to the proxy. The proxy then extracts the FTP information from the HTTP packets and makes the connection to the destination server. When the data is transferred to the proxy, it forwards it to the client through the HTTP tunnel.

In order to do that, port 20 and 21 need to be listed in the HTTP CONNECT ports of WSA access policies.

When this happen WSA will still be able to apply its scanning process such as getting the web categorisation of the FTP site, the web reputation score, malware and AV scanning.

Below is example of access logs when doing FTP over HTTP:

1566799578.425 790 x.x.x.x TCP_MISS/200 1776 GET ftp://ftp.iinet.com.au/ - DIRECT/ftp.iinet.com.au text/plain DEFAULT_CASE_12-test1.ap-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <IW_comp,ns,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",17.98,0,-,"Unknown","-",1,"-",-,-,"-","-",-,-,"-",-> -

1566799911.945 287 x.x.x.x TCP_MISS/200 2376 GET ftp://ftp.iinet.com.au/debian - DIRECT/ftp.iinet.com.au text/plain DEFAULT_CASE_12-test1.ap-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <IW_comp,ns,1,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",66.23,0,-,"Unknown","-",1,"-",-,-,"-","-",-,-,"-",-> -

From above example, we still be able to get the categorisation of the FTP traffic - which is IW_comp which is Computer and Industry category and the verdict of the other scanning engines such as malware, AV scanning

Hope this information helps

Regards

Handy Putra

cpaquet · ‎09-09-2019

Thank you for your reply. My question wasn't probably clear enough. Let me rephrase it:

What is the purpose of the port listed in the HTTP CONNECT Ports configuration of the Access policy? See attachment. This screenshot was created from the dCLoud Instant demo of WSA.

what are the consequences of listing ports here? is it that the traffic arriving on the WSA for those ports will not be proxied? that the WSA will simply let the original session go through the WSA, without proxying that session?

Thanks.

assethum · ‎09-09-2019

Hello,

HTTP CONNECT enables applications to tunnel outbound traffic over HTTP, unless the protocol is blocked itself blocked in the section "Block Protocols" just above the HTTP CONNECT ports in the Web GUI. Traffic tunneled through HTTP CONNECT will not be scanned, except for SSL ports (specified on Security Services > HTTPS Proxy) . This is mentioned in the info section of the HTTP CONNECT Ports.

Thanks

Ash