SteelHead™ Deployment Guide - Protocols : FTP Optimization : Overview of FTP
Overview of FTP
The FTP protocol consists of two connections: the control connection and the data connection. A client initiates the control connection to the server on TCP port 21. This connection remains open for the duration of the session and sends administrative data (for example, commands, identification, and passwords). After the control connection is established, the data connection transfers the file data.
The data connection uses various originators and ports. When you look at TCP connections and SteelHead optimization, both the control and data connections appear as separate TCP connections. The control connection always appears to go from the FTP client on a random source port to the FTP server on port 21. The data connection properties change significantly, depending on whether active or passive mode is used for the FTP transfer.
Active Mode
Figure 7‑1 shows the control connection and data connection used in FTP active mode:
The client from a random TCP source port greater that 1024 (shown here as port 1026) connects to the server on port 21 to establish the control connection. The client sends the server the port to establish the data connection on (shown here as TCP port 1027).
The server acknowledges the port number.
The server initiates the data connection from TCP port 20 to the client on the specified port in Step 1.
The client responds with an ACK to complete the establishment of the data connection.
Most of the time TCP port 21 is associated with FTP control and TCP port 20 with data. TCP port 20 is only true with FTP in active mode.
Figure 7‑1. Active Mode
Source: (Sept 8, 2010)
A potential issue with active mode FTP is the FTP client does not make the actual connection to the data port of the server—it tells the server what port it is listening on and the server connects back to the specified port on the client. From a client-side firewall this appears to be an outside system initiating a connection to an internal client, which can be blocked. For more information, see the SteelHead Deployment Guide.
Passive Mode
Figure 7‑2 shows the control connection and data connection used in FTP passive mode.
The client connects from a random TCP source port to the server on port 21. The client requests the server to provide a port that the client can connect to for the data connection.
The server replies with the specified port for the data channel (shown here as TCP port 2024).
The client initiates the data connection from a random port to the specified server data port.
The server sends an ACK to the client.
With passive FTP, both the control and data connections are both originated from the client and that port 20 is not used.
Figure 7‑2. Passive Mode
Source: (Sept 8, 2010)
Passive mode FTP solves many of the problems from the client-side security perspective, although it does require the server to accept a remote connection to a range of high numbered ports. Most clients today support both active and passive mode FTP. The default Windows client does not support passive FTP, along with some Unix versions, such as Solaris.
Many people prefer to use their Web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs.