Secure FTP and Firewalls

When using Secure FTP (FTPS), you may run into problems with your firewall. This is due to the nature of the FTP protocol and the different ways firewalls handle it.

FTP uses two connections between the FTP client and the FTP server. The control connection carries FTP commands and control information; the data connection carries the files themselves and the output of commands (for example directory listings).

The control connection is established when an FTP client connects to an FTP server. Whenever data has to be transferred, a data connection is set up dynamically. There is no fixed TCP port for this connection: the FTP server tells the client, over the control connection, which TCP port to use, and the port changes for every data transfer. Modern firewalls read the port information exchanged on the control connection and dynamically create rules that allow the data connection through.

With FTPS, both the control and the data connection are encrypted. A firewall can no longer read the content of the control connection, so it cannot create the dynamic rules for the data connections.

Some firewalls also run more or less intensive checks on the traffic within the control connection and drop the connection if they see traffic that is not part of the FTP protocol definition. Such checks necessarily fail on an encrypted connection, because the ciphertext looks nothing like FTP commands.
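To make the two failure modes above concrete, here is an added illustration (not code from the original page) of what an FTP-aware firewall does with the control connection: it parses the 227/229 replies to learn the dynamic data port, and a strict one drops the session when a client line is not a known FTP verb. The exchanges are constructed samples; the TLS record bytes in the FTPS exchange are made up to stand in for ciphertext, and the set of known verbs is an assumed subset, not any vendor's real list.

```python
import re

# Constructed control-connection exchanges, as a firewall sitting between client and
# server would see them. "C" = client -> server, "S" = server -> client.
PLAINTEXT_EXCHANGE = [
    ("C", b"USER alice\r\n"), ("S", b"331 Please specify the password.\r\n"),
    ("C", b"PASS secret\r\n"), ("S", b"230 Login successful.\r\n"),
    ("C", b"PASV\r\n"),        ("S", b"227 Entering Passive Mode (192,0,2,10,195,89).\r\n"),
    ("C", b"RETR report.pdf\r\n"),
]
# Explicit FTPS: after AUTH TLS the stream is TLS records (constructed opaque bytes here),
# so the PASV reply that follows is invisible to the firewall.
FTPS_EXCHANGE = [
    ("C", b"AUTH TLS\r\n"), ("S", b"234 Proceed with negotiation.\r\n"),
    ("C", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x8f\x1c"),   # ClientHello (truncated)
    ("S", b"\x16\x03\x03\x00\x3a\x02\x00\x00\x36\x03\x03\x41\x07"),   # ServerHello (truncated)
    ("C", b"\x17\x03\x03\x00\x2a\x9d\x4e\x11\xb0\x23"),               # encrypted "PASV"
    ("S", b"\x17\x03\x03\x00\x51\x6b\xe2\x07\xc8\x5a"),               # encrypted 227 reply
]

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")
# Verbs a strict firewall accepts on the control connection (assumed subset of RFC 959/2228/2428).
KNOWN_VERBS = {b"USER", b"PASS", b"AUTH", b"PBSZ", b"PROT", b"TYPE", b"PASV", b"EPSV",
               b"PORT", b"EPRT", b"LIST", b"RETR", b"STOR", b"CWD", b"PWD", b"QUIT"}

def data_endpoint_from_reply(line: bytes):
    """Return (host, port) announced in a 227 PASV or 229 EPSV reply, else None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:  # EPSV gives only the port; the host is that of the control connection
        return (None, int(m.group(1)))
    return None

def inspect_control_connection(exchange, strict):
    """Simulate an FTP-aware firewall: the data-connection rules it would create, and
    whether a strict one drops the session on non-FTP client traffic."""
    rules = []
    for direction, data in exchange:
        if direction == "C":
            verb = data.split()[0].upper() if data.split() else b""
            if strict and verb not in KNOWN_VERBS:
                return {"verdict": "dropped", "rules": rules, "offending": data[:8]}
        elif (ep := data_endpoint_from_reply(data)) is not None:
            rules.append(ep)
    return {"verdict": "ok", "rules": rules}
```

Run against the plaintext exchange the firewall derives a rule for 192.0.2.10:50009; against the FTPS exchange a lenient firewall derives no rule at all and a strict one drops the session at the first TLS record.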

In case of problems please read our page "In case of problems".