Transparent FTP tunneling is implemented using the SSH Tectia SOCKS Proxy component. The SSH Tectia SOCKS Proxy acts as a SOCKS proxy for the FTP client application on the SSH Tectia Server for IBM z/OS host and captures FTP connections based on filter rules. The tunneling is transparent to the user and the FTP application. The only change needed in the FTP application is to change the SOCKS proxy setting to point to a localhost listener.
The principle of Transparent FTP tunneling is shown in Figure 4.6. Before starting the tunneling, the SSH Tectia SOCKS Proxy must be running and listening on the SOCKS port 1080 on the File Transfer Client host. The following steps happen during the tunneling:
1. An application, a script, or a user triggers an FTP file transfer.
2. The FTP client makes a SOCKS query. Instead of pointing to a real firewall, the SOCKS setting in the FTP client points to the localhost SSH Tectia SOCKS Proxy.
3. The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.
4. The SOCKS Proxy module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user is authenticated with the FTP username and password, or by using public keys. The Secure Shell server can be the FTP server specified in the original FTP request, or a server defined in the filter rules.
5. The secure tunnel is terminated at the Secure Shell server. If the FTP server is located on a third host, the connection from the Secure Shell server to the FTP server is unsecured.
6. The FTP server on the File Transfer Server host is the end point of the file transfer.
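The capture decision in steps 2 to 5 can be illustrated with a small worked example. The following Python code is an added illustration, not SSH Tectia code: it parses the SOCKS5 CONNECT request that an FTP client sends to the localhost listener (RFC 1928 wire format) and applies an ordered list of filter rules of the kind described above, matching on destination address and/or port. The rule fields (`host_pattern`, `port`, `action`, `ssh_server`), the sample rules, the "first match wins" ordering and the "direct" default for unmatched connections are assumptions made for the example; Tectia's own configuration format is not shown on this page. The `last_hop_unsecured` flag records the case from step 5 where the Secure Shell server is not the FTP server itself, so an administrator can see which rules leave a cleartext hop.

```python
"""Added example (not SSH Tectia code): SOCKS5 CONNECT parsing plus
destination-based filter rules for deciding whether an FTP connection is
captured into a Secure Shell tunnel. Rule layout and sample data are constructed."""
import fnmatch
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SOCKS5 constants from RFC 1928
SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_socks5_connect(host: str, port: int) -> bytes:
    """Build a constructed SOCKS5 CONNECT request like the one an FTP client
    sends to the localhost SOCKS listener on port 1080."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:  # not an IP literal, encode as a domain name
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_connect(req: bytes) -> Tuple[str, int]:
    """Return (destination host, port) from a SOCKS5 CONNECT request.
    Anything malformed raises ValueError so it cannot slip past the rules."""
    if len(req) < 5:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != SOCKS_VER or cmd != CMD_CONNECT or rsv != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    body = req[4:]
    if atyp == ATYP_IPV4:
        addr_len, host = 4, str(ipaddress.IPv4Address(body[:4]))
    elif atyp == ATYP_IPV6:
        addr_len, host = 16, str(ipaddress.IPv6Address(body[:16]))
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + body[0]
        host = body[1:addr_len].decode("ascii")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(body) != addr_len + 2:
        raise ValueError("address/port length mismatch")
    (port,) = struct.unpack("!H", body[addr_len:addr_len + 2])
    return host, port


@dataclass
class FilterRule:
    """One capture rule (hypothetical layout). host_pattern is a hostname glob
    or an IP/CIDR; None means any host. port None means any port. For a
    "tunnel" rule, ssh_server None means "use the FTP server as SSH server"."""
    host_pattern: Optional[str]
    port: Optional[int]
    action: str  # "tunnel" or "direct"
    ssh_server: Optional[str] = None

    def matches(self, host: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        if self.host_pattern is None:
            return True
        try:  # CIDR / IP rule: only matches IP-literal destinations
            net = ipaddress.ip_network(self.host_pattern, strict=False)
            return ipaddress.ip_address(host) in net
        except ValueError:  # otherwise treat the pattern as a hostname glob
            return fnmatch.fnmatchcase(host.lower(), self.host_pattern.lower())


@dataclass
class Decision:
    action: str
    ssh_server: Optional[str]
    ftp_host: str
    ftp_port: int
    last_hop_unsecured: bool  # SSH server != FTP server: final hop is cleartext


def decide(rules: List[FilterRule], host: str, port: int, default: str = "direct") -> Decision:
    """First matching rule wins; unmatched connections get the default action."""
    for rule in rules:
        if rule.matches(host, port):
            ssh = None
            if rule.action == "tunnel":
                ssh = rule.ssh_server or host
            return Decision(rule.action, ssh, host, port, ssh is not None and ssh != host)
    return Decision(default, None, host, port, False)


# Constructed sample rules: tunnel FTP to *.example.com via the FTP host itself,
# tunnel anything in 10.1.0.0/16 via a gateway SSH server, leave other FTP direct.
SAMPLE_RULES = [
    FilterRule("*.example.com", 21, "tunnel"),
    FilterRule("10.1.0.0/16", None, "tunnel", ssh_server="ssh-gw.example.com"),
    FilterRule(None, 21, "direct"),
]


def route(req: bytes, rules: List[FilterRule] = SAMPLE_RULES) -> Decision:
    host, port = parse_socks5_connect(req)
    return decide(rules, host, port)


if __name__ == "__main__":
    for target in (("ftp.example.com", 21), ("10.1.4.7", 2121), ("203.0.113.9", 21)):
        print(route(build_socks5_connect(*target)))
```

Running the block prints one decision per sample destination; the second one (a 10.1.0.0/16 host reached through a separate gateway) is flagged `last_hop_unsecured=True`, which is exactly the third-host case from step 5 that a filter-rule author should review.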
For a sample use case, see Transparent FTP Tunneling.