| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| A user of ours needs to transmit a file to a vendor on a regular basis and the vendor has requested the use of SFTP through the application "WS_FTP". Initially, the vendor indicated that only TCP port 115 would need to be opened outbound through our firewall, which we granted; however, the transfer is failing. The WS_FTP log indicates "425 Can't open data connection". When I watched the attempt in SmartView Tracker, I saw traffic being passed on 115, but dropped on ports 1663, 1664, and 1665 at the same time as the failures. The vendor now says, "By-the-way, you also need to open ports 1025 through 65000." I'm assuming that SFTP is attempting to operate similarly to a Passive FTP connection and is trying to establish a data connection on a higher port. I know that Check Point is intelligent enough to make the switch to higher ports when negotiating an FTP connection. Questions: 1. Is SFTP truly trying to negotiate to a higher port? 2. Is there a way around this, other than opening up the range 1025 through 65000? Thanks! (NG R55) |
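An added illustration, not part of the original post and not Check Point's code: the kind of parsing an FTP-aware firewall does on a cleartext control channel so that it opens only the negotiated data port instead of a 1025 through 65000 range. The reply lines and the address are constructed (the first is chosen so the port works out to 1663, one of the dropped ports mentioned above), and the same-host and unprivileged-port checks are assumed policy.

```python
import re

# Passive-mode reply formats: RFC 959 (227, PASV) and RFC 2428 (229, EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_peer):
    """Return the (ip, port) a passive reply opens, None for other replies."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range: " + reply)
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]  # port is sent as two octets
        if ip != control_peer:  # assumed policy: data host must be the control peer
            raise ValueError("227 names %s, control peer is %s" % (ip, control_peer))
    else:
        m = EPSV_RE.match(reply)
        if not m:
            return None  # not a passive-mode reply
        ip, port = control_peer, int(m.group(1))  # EPSV reuses the control address
    if not 1024 <= port <= 65535:  # assumed policy: unprivileged ports only
        raise ValueError("data port not allowed: %d" % port)
    return ip, port


def pinholes(transcript, control_peer):
    """Collect the per-session outbound openings implied by server replies."""
    rules = []
    for line in transcript:
        endpoint = data_endpoint(line, control_peer)
        if endpoint:
            rules.append(endpoint)
    return rules


# Constructed server replies; 192.0.2.10 is a documentation address.
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,6,127)",
    "229 Entering Extended Passive Mode (|||1664|)",
    "226 Transfer complete",
]

if __name__ == "__main__":
    for ip, port in pinholes(SAMPLE, "192.0.2.10"):
        print("allow tcp %s:%d for this session only" % (ip, port))
```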
| |||
| Ya know, I did a search of the forums (and the internet) prior to posting and saw reference to SCP, but couldn't find much information on it otherwise. Please forgive my ignorance, but what are the differences between SFTP and SCP? (Any reference information, like an RFC, would be great!) Would a different hosting service need to be active on the external server side? (Like SSH vs. FTP) If they'd need to change services on the vendor's side, it probably isn't going to fly. Thanks for the speedy response! |
| |||
| http://winscp.net/eng/docs/protocols From http://forums.vandyke.com/showthread.php?t=435 "...As you have discovered, using scp to transfer file to/from a server actually uses SSH to remotely execute scp on the remote machine, then sends the files over through the pipe created by the remote execution. If the remote machine (e.g. a windows machine) does not have scp installed, scp will not work. SFTP, the SSH file transfer protocol, does not execute some arbitrary program on the remote side. Rather, both the client and server speak SFTP to read and write files. SFTP requires SSH version 2 (a.k.a. SSH2)..." About SFTP: some servers can restrict the range of high ports for connections, for example vsftpd. Last edited by kva.kva; 2006-10-24 at 07:28. |
| |||
| Thanks for the info! Hum... Now I'm really confused. It seems there's one acronym for two protocols: Does SFTP stand for "SSH File Transfer Protocol" or "Simple File Transfer Protocol"?... Apparently, both! :-) Based upon what I'm reading, Wikipedia indicates that the Simple File Transfer Protocol uses port 115, which matches up with the port number I was provided by our vendor. SSH File Transfer Protocol seems to function inside of an already established SSH connection, through port 22--closely matching what northlandboy mentioned. Now, I see that there is also an FTPS (a.k.a. FTP Secure), which operates in conjunction with SSL. After establishing the initial connection on port 21, I'd assume FTPS would then switch to port 443 for the encrypted portion of the session (?)... Quote: