4.6.2.4. Configuring inband authentication

The Ftp proxy supports inband authentication as well to use the built-in authentication method of the FTP and FTPS protocols to authenticate the client. The authentication itself is performed by the ZAS backend configured for the service.

If the client uses different usernames on ZAS and the remote server (e.g., he uses his own username to authenticate to ZAS, but anonymous on the target FTP server), the client must specify the usernames and passwords in the following format:

Username:

<ftp user>@<proxy user>@<remote site>[:<port>]

Password:

<ftp password>@<proxy password>

Alternatively, all the above information can be specified as the username:

<ftp user>@<proxy user>@<remote site>[:<port>]:<ftp password>@<proxy password>
Warning

When using inband routing with the FTPS protocol, Zorp compares the server's certificate to its hostname. The subject_alt_name parameter (or the Common Name parameter if the subject_alt_name parameter is empty) of the server's certificate must contain the hostname or the IP address (as resolved from the Zorp host) of the server (e.g., ftp.example.com).

Alternatively, the Common Name or the subject_alt_name parameter can contain a generic hostname, e.g., *.example.com.

Note that if the Common Name of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the subject_alt_name parameter.