Native FTP Profile

Overview

Starting with NSX Advanced Load Balancer version 22.1.1, a File Transfer Protocol (FTP) application profile (System-FTP) is available for load balancing FTP workloads in both Active and Passive FTP modes.

The system default System-FTP profile lets you specify how a virtual server (VS) consuming this profile processes FTP load balancing traffic. The default settings let you deploy an FTP VS in a few seconds with a couple of clicks. You can customize these default settings in the system default FTP application profile, or create a new custom FTP application profile to fine-tune the FTP load balancing behavior.

Configuration

FTP Profile Configuration

Navigate to Templates > Profiles > Application in the UI.

[Image: application-profile]

[Image: ftp-profile]

You can also run the show applicationprofile command in the CLI to list the system built-in application profiles, which include the System-FTP profile.

The CLI output is as follows:


[admin:admin-ctrl-tb2]: > show applicationprofile
+-------------------------+---------------------------------------------------------+
| Name                    | UUID                                                    |
+-------------------------+---------------------------------------------------------+
| System-Secure-HTTP      | applicationprofile-cc7e793e-d860-4a3e-bdca-3d03639dc103 |
| System-Secure-HTTP-VDI  | applicationprofile-d66f5a0b-9044-4ebb-9049-e0b33c922c6e |
| System-HTTP-Horizon-UAG | applicationprofile-c17988b2-cdba-4094-9323-86818b6c58de |
| System-HTTP             | applicationprofile-c5af211f-0e8d-43d3-9136-df6ae6bad4c6 |
| System-SSL-Application  | applicationprofile-4f338983-7325-44e2-9362-740ec9787577 |
| System-L4-Application   | applicationprofile-a76b3cb9-69d1-44e3-9b61-62e78aecf8fe |
| System-L4-Horizon-Blast | applicationprofile-085327f2-1ef5-4c9b-a743-68c79db080e1 |
| System-L4-Horizon-PCoIP | applicationprofile-379221a0-a3e7-4611-91fe-a6faeb9666d6 |
| System-Syslog           | applicationprofile-e0cd7ecf-ae82-43a4-8f81-d45a66999950 |
| System-DNS              | applicationprofile-21b86d60-5a59-4223-b43b-aed40138e075 |
| System-FTP              | applicationprofile-76b1636a-4016-47a8-91eb-bd641a530dd5 |
| L4-wildcard-app         | applicationprofile-b2e69b11-60d9-4f3d-9910-071cec054936 |
| L4-conn-mirror          | applicationprofile-90413dd4-fa34-4dcf-8149-0671e2e279df |
| new-FTP-profile         | applicationprofile-cfac016c-7c91-4e7b-8050-792a25549416 |
+-------------------------+---------------------------------------------------------+
[admin:ctrl-tb2]: >

[admin:ctrl-tb2]: > show applicationprofile System-FTP
+-------------------------------+---------------------------------------------------------+
| Field                         | Value                                                   |
+-------------------------------+---------------------------------------------------------+
| uuid                          | applicationprofile-76b1636a-4016-47a8-91eb-bd641a530dd5 |
| name                          | System-FTP                                              |
| type                          | APPLICATION_PROFILE_TYPE_L4                             |
| tcp_app_profile               |                                                         |
|   proxy_protocol_enabled      | False                                                   |
|   proxy_protocol_version      | PROXY_PROTOCOL_VERSION_1                                |
|   ssl_client_certificate_mode | SSL_CLIENT_CERTIFICATE_NONE                             |
|   ftp_profile                 |                                                         |
|     deactivate_active         | False                                                   |
|     deactivate_passive        | False                                                   |
| preserve_client_ip            | False                                                   |
| preserve_client_port          | False                                                   |
| preserve_dest_ip_port         | False                                                   |
| tenant_ref                    | admin                                                   |
| app_service_type              | APP_SERVICE_TYPE_L4_FTP                                 |
+-------------------------------+---------------------------------------------------------+
[admin:ctrl-tb2]: >

By default, both Active FTP mode and Passive FTP mode are enabled, and the mode used depends on the client FTP connection. You can disable either mode using the tcp_app_profile > ftp_profile configuration options in the CLI (the UI does not have these configuration options yet):

  • To disable Active FTP mode data connections, set deactivate_active to true.

  • To disable Passive FTP mode data connections, set deactivate_passive to true.

Any change to the FTP mode settings applies to new connections; existing connections continue to work. It is recommended to create a custom FTP profile rather than modifying the system default FTP profile.

Note: Do not disable both Active and Passive modes together; FTP connections will not work.

FTP Virtual Service Configuration

For creating an FTP virtual service, you can use the FTP application profile and set the appropriate backend server pool configuration.

Note: Consistent Hash is the only supported pool load balancing algorithm when using an FTP application profile.

[Image: ftp-vs-with-ftp-profile]

[Image: ftp-vs-pool-configuration]

Once the FTP VS is created, the NSX Advanced Load Balancer Controller detects that the VS has an FTP application profile attached to it and automatically creates the additional configuration required:

  1. Configure the service port for FTP data connections. The default port is 20. You can change it to the desired data port.
  2. Attach the data script based on the FTP data communication modes.
    a. Default-FULL-FTP for both Active and Passive modes for data connections.
    b. Default-ACTIVE-FTP for Active mode for data connections.
    c. Default-PASV-FTP for Passive mode for data connections.

The FTP VS summary post creation with the auto-created data port and DataScript is as follows:

[Image: ftp-vs-with-dataport-and-datascript]

The FTP VS configuration provides an option to modify the default FTP data port for Active FTP connections. The service port for FTP data communication is created with an override TCP profile of System-TCP-Fast-Path-FTP.

[Image: ftp-vs-dataport-configuration]

The FTP VS gets the appropriate DataScript attached based on the FTP modes allowed in the FTP profile.

[Image: ftp-vs-datascript]

The FTP VS client traffic logs record the username of the FTP connection.

[Image: ftp-vs-client-traffic-logs]

The system default FTP DataScripts for the respective FTP modes in the FTP profile are listed under Templates > Scripts > DataScripts. Additional logging can be added to these DataScripts based on the user requirements. It is recommended to consult the VMware account or professional services team to modify the appropriate DataScript.

[Image: ftp-system-datascript]

Migration

Migrating FTP deployments from earlier versions (prior to 22.1.1) to the Native FTP profile

In earlier releases, FTP load balancing was supported as separate configurations for Active FTP and Passive FTP with their respective configuration methods. These configuration methods are still supported, but it is recommended to migrate the individual FTP Virtual Services to native FTP profile-based configuration to simplify the configuration and long-term supportability.

Upgrade of FTP VS with older config model to 22.1.1

An FTP VS configured with the older configuration model will continue to work once upgraded to 22.1.1.

Migration of FTP VS with old config to Native FTP Profile

An FTP VS with the old configuration can be migrated to a native FTP profile VS using either of two methods:

  1. Retain the VIP IP: You can disable the FTP VS and clean up the unnecessary configurations.
    a. For a Passive FTP VS:
      i. Update the VS service ports appropriately.
      ii. Clean up the old L4 data scripts.
    b. For an Active FTP VS:
      i. Detach the NAT Profile from the Network Service and clean up as appropriate.
      ii. Detach the Network Service from the Service Engine group and clean up as appropriate.
  2. Create a new FTP VS (new VIP IP): You can create a fresh FTP VS configuration based on your requirements, as explained in the FTP Virtual Service Configuration section above. After validation, you can clean up the old FTP VS configuration.

You can disable or enable the desired FTP data modes with either method.

Caveats and Limitations

  • All SE HA modes are supported for Virtual Servers configured with the Native FTP profile.
    • The older config model has limitations for Active FTP mode to work with Legacy (Active/ Standby) Service Engine HA mode.
  • FTPS is not yet supported with the Native FTP profile.
  • Traffic mirroring is not supported for VS with a Native FTP profile.
  • Do not disable both active and passive FTP (i.e., do not set both deactivate_active and deactivate_passive true) at the same time.
  • Native FTP profile is supported in all ecosystems. However, for public clouds such as AWS, Azure, and GCP, you have to manually update the security/firewall rules for the FTP data ports (currently, the Controller does not automate enabling the FTP data ports).
  • VIP sharing is not allowed for a virtual service that has an FTP application profile.
  • Consistent Hash is the only load balancing algorithm supported for a virtual service with an FTP application profile.
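
Several constraints stated on this page (do not disable both modes, which DataScript goes with which allowed modes, Consistent Hash only) can be checked offline against exported configuration. The Python checker below is an added example, not VMware code; the lb_algorithm key and its enum values, and the boolean JSON form of the profile fields, are assumptions, and the sample objects are constructed.

```python
# Added example: offline audit of an FTP application profile and its pool.
# deactivate_active, deactivate_passive and app_service_type appear in the CLI
# output on this page; "lb_algorithm" and its values are assumed key/enum names.

DATASCRIPT_BY_MODES = {
    # (active allowed, passive allowed) -> DataScript the Controller attaches
    (True, True): "Default-FULL-FTP",
    (True, False): "Default-ACTIVE-FTP",
    (False, True): "Default-PASV-FTP",
}

def allowed_modes(profile):
    """Return (active_allowed, passive_allowed) for an application profile dict."""
    ftp = profile.get("tcp_app_profile", {}).get("ftp_profile", {})
    return (not ftp.get("deactivate_active", False),
            not ftp.get("deactivate_passive", False))

def audit_ftp_vs(profile, pool, attached_datascript):
    """Return a list of findings; an empty list means no issue was detected."""
    if profile.get("app_service_type") != "APP_SERVICE_TYPE_L4_FTP":
        return ["profile is not an FTP application profile"]
    findings = []
    modes = allowed_modes(profile)
    if modes == (False, False):
        findings.append("both deactivate_active and deactivate_passive are true: "
                        "FTP connections will not work")
    else:
        expected = DATASCRIPT_BY_MODES[modes]
        if attached_datascript != expected:
            findings.append(f"DataScript {attached_datascript!r} does not match "
                            f"the allowed modes, expected {expected!r}")
    if pool.get("lb_algorithm") != "LB_ALGORITHM_CONSISTENT_HASH":
        findings.append("pool load balancing algorithm is not Consistent Hash")
    return findings

# Constructed sample input (not taken from a real deployment).
SAMPLE_PROFILE = {
    "name": "new-FTP-profile",
    "app_service_type": "APP_SERVICE_TYPE_L4_FTP",
    "tcp_app_profile": {"ftp_profile": {"deactivate_active": True,
                                        "deactivate_passive": False}},
}
SAMPLE_POOL = {"name": "ftp-pool", "lb_algorithm": "LB_ALGORITHM_ROUND_ROBIN"}

if __name__ == "__main__":
    for finding in audit_ftp_vs(SAMPLE_PROFILE, SAMPLE_POOL, "Default-FULL-FTP"):
        print("FINDING:", finding)
```
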