X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
urgent for us and perhaps a little obscure.

With Passive FTP, the server uses a PORT command to say to the client "open
the data connection on this IP address." Unfortunately with NAT that is an
internal address that is meaningless at the client. Many firewalls or
routers that support NAT are apparently smart enough to translate that PORT
command from an internal to an external address, and everything works
wonderfully.

The wrinkle comes with TLS: the control connection is encrypted and
inaccessible to the firewall or router.

Enter CCC:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
https://tools.ietf.org/html/rfc4217#page-19

CCC says "stop encrypting the control connection (so the router or firewall
can see and translate it)."

Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
requires that the partners close the control connection at that point, but
z/OS FTP perhaps does not support that (?).

CCC has security red flags all over it, which is understandable, and it
looks like we may be encountering a firewall or router that does not support
it, or perhaps does not support the non-RFC version of it.

I am asking here "what is the 'right' answer?" How is passive FTP supposed
to work over a TLS session with NAT in effect?

Charles 
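
As an added illustration (not part of Charles's post, the IBM documentation, or the RFC linked above), the following Python models the three pieces of the problem the post describes: the address and port a server embeds in its passive-mode 227 reply, the rewrite a NAT FTP ALG performs on that reply when the control connection is plaintext, and why the device can do nothing once the same reply travels inside a TLS record. It also goes one step beyond the post, which is a generalization of the same mechanism: an EPSV/229 reply (RFC 2428) carries only a port, so the client connects to the address it already uses for the control connection and the NAT device has nothing to translate. The sample replies, the 10.1.2.3 and 203.0.113.7 addresses, and the stand-in TLS bytes are all constructed.

```python
import re

# Constructed sample replies (not captured from any real server), in the formats
# defined by RFC 959 (227, PASV) and RFC 2428 (229, EPSV).
PASV_REPLY = "227 Entering Passive Mode (10,1,2,3,195,80)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)\r\n"

# Constructed addresses: the server's private address and the NAT device's public one.
SERVER_INTERNAL_IP = "10.1.2.3"
SERVER_EXTERNAL_IP = "203.0.113.7"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply: h1,h2,h3,h4 is the address, p1*256+p2 the port."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a well-formed 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 reply. The reply carries no address at all."""
    m = EPSV_RE.search(reply) if reply.startswith("229") else None
    if m is None:
        raise ValueError("not a well-formed 229 reply")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in 229 reply")
    return port


def alg_rewrite(payload, internal_ip, external_ip):
    """Model of the rewrite a NAT FTP ALG applies to a plaintext 227 reply.

    Anything that does not parse as a 227 reply carrying internal_ip (which is
    exactly what TLS ciphertext on the control connection looks like to the
    device) is returned byte-for-byte unchanged.
    """
    try:
        text = payload.decode("ascii")
        ip, port = parse_pasv(text)
    except (UnicodeDecodeError, ValueError):
        return payload
    if ip != internal_ip:
        return payload
    new_fields = external_ip.split(".") + [str(port // 256), str(port % 256)]
    return PASV_RE.sub("(" + ",".join(new_fields) + ")", text, count=1).encode("ascii")


def data_endpoint(control_peer_ip, reply):
    """Where a client opens the data connection after a PASV or EPSV reply.

    227: address and port both come from the reply, so a private address leaks
         through unless an ALG rewrote it on the way.
    229: only the port comes from the reply; the address is the one the client
         already used for the control connection, so NAT needs no help.
    """
    if reply.startswith("229"):
        return control_peer_ip, parse_epsv(reply)
    return parse_pasv(reply)


if __name__ == "__main__":
    # 1. Plaintext control connection: the ALG can see and fix the 227 reply.
    fixed = alg_rewrite(PASV_REPLY.encode("ascii"), SERVER_INTERNAL_IP, SERVER_EXTERNAL_IP)
    print("ALG output:", fixed)
    print("client connects to:", data_endpoint(SERVER_EXTERNAL_IP, fixed.decode("ascii")))

    # 2. TLS-protected control connection: the reply reaches the device inside a
    #    TLS record; these opaque bytes are a constructed stand-in for ciphertext.
    ciphertext = b"\x17\x03\x03\x00\x2c" + bytes(range(44))
    assert alg_rewrite(ciphertext, SERVER_INTERNAL_IP, SERVER_EXTERNAL_IP) == ciphertext
    print("TLS record passes through untouched; client would try",
          data_endpoint(SERVER_EXTERNAL_IP, PASV_REPLY))

    # 3. EPSV: nothing in the reply to translate, encrypted or not.
    print("EPSV client connects to:", data_endpoint(SERVER_EXTERNAL_IP, EPSV_REPLY))
```

The point the model makes concrete: CCC exists only to give the ALG back its view of the 227 reply, at the cost of a plaintext control channel. Having the server advertise an address the client can reach, or using EPSV so that no address is advertised at all, removes the ALG from the path and lets the control connection stay under TLS.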

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
