Our network uses an application layer firewall for deep packet inspection. When we attempt to connect to an external ftps server on port 21, the firewall blocks it because it does not recognize the traffic to be ftp traffic. The AUTH TLS command is evidently not yet an accepted extension for the protocol. Earlier IETF drafts recommended using implicit port 990-989, but this evidently has been dropped. IBM also does not recommend 990 for their ftps on zOS (II13516). The firewall folks are balking at allowing our secure ftp traffic through on port 21-20.
One suggestion we've come up with is to get our own external ip address for the mainframe (as opposed to having a private ip address NAT'd from the firewall). The zOS firewall in our experience seems to be sufficient, but we're not experts on other potential exposures that may bring.

Any shops out there using 990? Any shops out there using 21 with an application layer firewall? Any shops using solely the zOS firewall on a mainframe with a public ip address (I would imagine there are many)? Any other suggestions are welcome.

Thanks,
Joel
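A control-channel probe for the situation described in the message above, as an added example that is not part of the original post: it sends AUTH TLS after the 220 greeting and reports whether the path answers 234, refuses with another reply code, or cuts the connection. The function names `read_reply` and `probe_auth_tls` are hypothetical, and the host is assumed to be given on the command line.

```python
import socket

def read_reply(f):
    """Read one FTP reply from a binary file object; return its 3-digit code.

    Handles multi-line replies ("220-..." continued until "220 ...").
    """
    first = f.readline()
    if not first:
        raise ConnectionError("control connection closed")
    code = int(first[:3])                  # ValueError if this is not an FTP reply
    if first[3:4] == b"-":                 # multi-line reply
        end = first[:3] + b" "
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("closed inside multi-line reply")
            if line.startswith(end):
                break
    return code

def probe_auth_tls(sock):
    """Classify what happens to AUTH TLS on an already-connected control socket."""
    stage = "greeting"
    try:
        with sock.makefile("rb") as f:
            if read_reply(f) != 220:
                return "no-ftp-greeting"
            stage = "auth-tls"
            sock.sendall(b"AUTH TLS\r\n")
            code = read_reply(f)
    except (OSError, ValueError):
        # Reset, timeout, or non-FTP bytes: the exchange was cut somewhere
        # on the path (the server itself or an inline device).
        return "dropped-at-" + stage
    if code == 234:
        return "auth-tls-accepted"         # the TLS handshake would start here
    return "auth-tls-refused-%d" % code    # an FTP-speaking endpoint said no

if __name__ == "__main__":
    import sys
    # Host name comes from the command line; port 21 is the explicit-FTPS case.
    s = socket.create_connection((sys.argv[1], 21), timeout=10)
    print(probe_auth_tls(s))
```

Running it once from inside the firewall and once from a host outside it shows whether the refusal comes from the remote server or from the inspection device.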

