FileZilla Client Through an Ironport Proxy Appliance

A while ago I had to get this working and never told anyone about it. No doubt I will have to do it again at some point, so though I would just jot it down.


The issue is the way that the FileZilla client authenticates with the proxy devices. I can not remember where I read this but some wise person wrote about it.


Anyway there are two stages to this, ensuring the proxy appliance is set up correctly and then configuring the FileZilla client.


In Iron Port you need to setup the FTP proxy correctly, below is the area that you need to configure.


Pick FTP Proxy



Then enter the following details







You can use any port just make a note as you will need this for the FileZilla client setup


The FileZilla client is fairly easy. Open the client and settings, in the FTP section pick FTP Proxy and enter your details.



Note the Proxy host is as per the standard x.x.x.x:8021

The code for the passing of parameters is

USER %u@%s@%h
PASS %p@%w


You should now have a working FileZilla client 🙂



Can not connect on HTTPS port number Cisco Ironport

We are developing some Apex web applications in the cloud. We utilise the Cisco Ironport web proxy filters.


APEX uses port 4848 and 8181 to connect to by default. The problem that I was facing was that Chrome had the following error


Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.


And the Iron port log displayed


1344331467.525 0 TCP_DENIED/407 1656 CONNECT tunnel://xxxxx:4848/ – NONE/- – OTHER-NONE-IT_Department_Special_Priv-NONE-NONE-NONE-NONE <-,-,”-“,”-“,-,-,-,”-“,”-“,-,-,-,”-“,”-“,-,”-“,”-“,-,-,-,-,”-“,”-“,”-“,”-“,”-“,”-“,0.00,0,-,”-“,”-“> – – –
1344331467.526 0 TCP_DENIED/407 1656 CONNECT tunnel://xxxxxx:4848/ – NONE/- – OTHER-NONE-IT_Department_Special_Priv-NONE-NONE-NONE-NONE <-,-,”-“,”-“,-,-,-,”-“,”-“,-,-,-,”-“,”-“,-,”-“,”-“,-,-,-,-,”-“,”-“,”-“,”-“,”-“,”-“,0.00,0,-,”-“,”-“> – – –
1344331467.531 0 TCP_DENIED/407 551 CONNECT tunnel://xxxxx:4848/ – NONE/- – OTHER-NONE-IT_Department_Special_Priv-NONE-NONE-NONE-NONE <-,-,”-“,”-“,-,-,-,”-“,”-“,-,-,-,”-“,”-“,-,”-“,”-“,-,-,-,-,”-“,”-“,”-“,”-“,”-“,”-“,0.00,0,-,”-“,”-“> – – –
1344331467.539 5 TCP_DENIED/403 1653 CONNECT tunnel://xxxxxx:4848/ “alistair henderson@NTLMRealm” NONE/- – BLOCK_ADMIN_CONNECT_11-IT_Special_Priv-IT_Department_Special_Priv-NONE-NONE-NONE-NONE <xxx-,”-“,”-“,-,-,-,”-“,”-“,-,-,-,”-“,”-“,-,”-“,”-“,-,-,-,-,”-“,”-“,”-“,”-“,”-“,”-“,2644.80,0,-,”-“,”-“> – xxxxx

Apology for the xxxxx it is to protect the innocent 🙂

The answer was not clear as it is a little buried in the configuration of Iron Port.


Open you the configuration console of the appliance or management appliance and navigate to the Access Policy screen.

I want all the users to have access to these ports so I am setting it at the group policy level.


This will display the Protocols page



Enter the Port numbers that you want to give access too







Port mirroring Cisco switches

To mirror a port i.e. pass traffic to another port so that it can be analised is different per Cisco switch but the basis is

Create a monitoring group

Tell one or more of the ports that it is the source

Tell one port that it is the destination.

Becareful here as this can increase load on the switch.


The command are as follows:

Cisco 2950

monitor session 1 source interface x/x both
monitor session 1 destination interface x/x


This puts the switch into monitoring mode, you can have more than 1 session also

To show what is being monitored

show monitor

To stop monitoring of 1 session or turn off completley

no monitor session x

no monitor


Cisco Switch Admin

General Cisco Commands

To see what the network switch is doing

sh interface

can be combined with

| inc xxxx

e.g. sh interface | inc error

To show more details

sh controllers ethernet-controller card_type port_number


sh controllers ethernet-controller fastEthernet 0/42