How does ZCC with Tunnel V1.0 handle FTP traffic?

Hello Team, I have a question about how ZCC with Tunnel v1.0 handles FTP traffic.

To make a long story short, I have a working configuration now that forces Internet Explorer on the end user's PC to send FTP traffic as FTP over HTTP through ZCC with Tunnel V1.0.
This is working fine.

However, our customer is requesting this (FTP over ZCC with Tunnel v1.0) to work as well for FileZilla.
But if I try similar settings with FileZilla (FileZilla Settings > Generic Proxy > HTTP 1.1 Using CONNECT Method)…

…FileZilla does reach the proxy but the connection times out waiting for the welcome message:

Status: Connecting to ftp.rediris.es through HTTP proxy
Status: Connecting to 127.0.0.1:9000…
Status: Connection with proxy established, performing handshake…
Response: Proxy reply: HTTP/1.1 200 Connection Established
Status: Connection established, waiting for welcome message…
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server

Since there are no logs for this transaction in ZIA (Web Insights), I believe the transaction is actually not progressing beyond ZCC’s local proxy.

Also, I have read this in our documentation: About FTP Control | Zscaler
With FTP Control, Zscaler provides access control for native FTP and FTP over HTTP traffic. This can be particularly useful if you are using a Z-App or PAC based deployment, as they only support FTP over HTTP traffic.

So I have reached the hypothesis that FileZilla is actually tunnelling native FTP traffic over HTTP CONNECT, but it’s not actually using FTP over HTTP (as Internet Explorer does). But ZCC’s local proxy is, somehow, not accepting FTP tunnelling over HTTP CONNECT…

QUESTION: Could someone please confirm/correct this hypothesis, please?
Many thanks in advance!
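
The two client behaviours contrasted in the question above differ in the first request line the client sends to the proxy. As an added example (not part of the original posts and not Zscaler code), this Python function classifies such a request line; the sample lines are constructed, and treating a CONNECT to port 21 as native FTP is a heuristic assumption.

```python
from urllib.parse import urlsplit

FTP_CONTROL_PORT = 21  # default FTP control port


def classify_proxy_request(request_line: str) -> dict:
    """Classify the first request line a client sends to an HTTP proxy."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    method, target = parts[0].upper(), parts[1]

    if method == "CONNECT":
        # Authority form "host:port": the proxy opens a raw TCP tunnel and the
        # client itself speaks to the far end, starting by waiting for the
        # server's greeting (FTP reply code 220).
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"CONNECT target must be host:port: {target!r}")
        # Assumption: port 21 means the tunnelled protocol is FTP.
        is_ftp = int(port) == FTP_CONTROL_PORT
        return {
            "kind": "native-ftp-in-connect-tunnel" if is_ftp else "connect-tunnel",
            "host": host.strip("[]"),
            "port": int(port),
            "ftp_spoken_by": "client" if is_ftp else None,
        }

    url = urlsplit(target)
    if url.scheme.lower() == "ftp":
        # Absolute form with an ftp:// URL: the client only speaks HTTP and
        # the proxy performs the FTP session on its behalf.
        return {
            "kind": "ftp-over-http",
            "host": url.hostname,
            "port": url.port or FTP_CONTROL_PORT,
            "ftp_spoken_by": "proxy",
        }
    return {"kind": "other-http", "host": url.hostname, "port": url.port,
            "ftp_spoken_by": None}


# Constructed request lines, using the host name from the FileZilla log above.
SAMPLES = [
    "GET ftp://ftp.rediris.es/ HTTP/1.1",   # browser-style FTP over HTTP
    "CONNECT ftp.rediris.es:21 HTTP/1.1",   # generic proxy, CONNECT method
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify_proxy_request(line))
```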

We are a full FTP proxy; FileZilla needs to be set up for that. However, this will only work from IPsec/GRE/known IPs.

From an old thread:


How to setup Zscaler for Native FTP usage ?

Native FTP is only supported from a known location.
All Zscaler FTP configuration is done under Administration → Internet Gateways & SSL.
Please find below the steps to set up Zscaler Native FTP:

  1. Add your location
  2. Enable FTP (this will enable both FTP over HTTP and Native FTP protocols)
  3. Define categories which will have FTP access granted
  4. Configure the FTP client to connect to our proxy (i.e. gateway.zscaler.net) on port 21

The Zscaler FTP proxy forwards the customer request to the destination FTP server based on the Username content.
USER @<destination_hostname>
PASS
Most FTP clients support proxy configuration.

Zscaler Native FTP doesn’t need specific Proxy login / pass credentials. By now, we authenticate customers based on their gateway location IP.
Copyright 2012 Zscaler Inc.

Be aware that the approach via 127.0.0.1:9000 which uses FTP via HTTP does NOT support uploading files.

You could also use FTP transparently via Zscaler with tunnel v2 but then (because of the dynamic high port usage of FTP) you need to tunnel almost all traffic through Zscaler.

Regards Thomas

Hi Scott,

Would I be able to access gateway.zscaler.net via a GRE tunnel to Zscaler?

Thanks Thomas

Change the FQDN to match your cloud, e.g. gateway..net