I’ve been pretty busy lately, but last night I spent a solid hour writing a very detailed account of the troubles related to FTPS in the Synchrony Gateway product in the form of a “Dear Axway” letter, but I got logged out 45 seconds in so the post didn’t save. As such, I’m writing a much shorter version of the same thing tonight.

Dear Axway,

If there was a consensus of any kind amongst Axway customers about the Synchrony suite of software, it’s that FTP with SSL/TLS encryption sucks. It basically amounts to what seems like Axway being out of touch with the pulse of the Financial Services industry’s need to utilize secure B2B transfer protocols. The SSL/TLS functionality with FTP in the Synchrony Gateway product is ridiculously touchy, at best. The first answer when you take a failed connection to support is not to verify setups…it’s to verify the RFCs that are supported by the trading partner’s FTP server for SSL/TLS encryption.

Axway’s Synchrony Gateway product (at least per support) only supports RFC 4217 for the FTPS protocol. If you read the full text for the RFC at http://www.ietf.org/rfc/rfc4217.txt you’ll notice one of the first things you see is that it was released by “IBM UK Ltd”…which is striking since I’m using the product in the United States…and 98% of my trading partners are in the United States. I know for a fact that trading partners use software that relies heavily on RFC 2228, which RFC 4217 denounces. Now this is all well and good, except that all of the other major transmission software, and even simple FTP clients (FileZilla, Core, WS FTP, etc.), support any of the major RFCs, 2228 and 4217 included.

A prime example of not getting what we needed out of this would be back in March when I started having troubles with FTPS. We were moving towards our first implementation of a trading partner requiring that we connect to them via FTPS to send a file. It didn’t work, so I opened a support case. After something like 6 weeks, one of the support engineers finally noticed a 334 response coming from the FTP server, and pointed out that they only supported RFC 4217, which requires a 234 response from the server for AUTH TLS. Support told us to tell the trading partner that their server did not conform to the “most current RFC for FTPS”, to which they did not respond well. This was a big blow to us since we promised the customer, based on the recommendation of Axway, that we could easily support their FTPS requirements.

When we had to implement the Tumbleweed Secure Transport Client as an alternative, Axway Support didn’t bat an eye, and it was case closed. We have since had nearly a dozen trading partners ask for FTPS that we’ve had to turn down. When we finally got one who confirmed that their FTP server supported RFC 4217 for FTP with SSL/TLS, and that they supported both implicit and explicit, we thought we were set. Nearly 3 months in and the case is still open, and hasn’t gone anywhere. I know we’re doing it right (from following the training manual, having been certified, having engaged PSO and user groups, having support verify our setup as being correct, etc.), but it still doesn’t work.

We’re definitely not the only ones experiencing this. I know from chatting with other folks in the Financial Services community of Axway customers that regardless of how crappy FTPS is as a protocol, trading partners still require it. PCI compliance, and other mandates for increased security and oversight have made it commonplace, but Axway seems to be extremely out of touch with the needs of its users, instead pushing SFTP, where the Gateway product is remarkably stronger. I support this 100%, SFTP is fantastic, but we don’t get to tell our major customers (huge financial and retail institutions) how we’re going to do electronic business - they tell us.

As a result, we need this functionality to be better. If our configuration is messed up, help us fix it. We’ve pointed to this as a possible issue, though the plethora of other users expressing concern tells us we’re not alone, and there’s more to it than that. I’m pretty sure the SSL/TLS addon for Gateway was tens of thousands of dollars, so why doesn’t it work, and why isn’t it a bigger concern?

Anxiously awaiting feedback and support,

Tony
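
Added example (not part of the original letter and not Axway's code): the 334-versus-234 mismatch described in the letter can be identified from the server's reply to `AUTH TLS` alone, before any TLS setup is debugged. The function names and the sample transcript are constructed for illustration, and the classification goes slightly beyond the letter's case by also flagging outright refusals.

```python
import socket

def read_reply(lines):
    """Read one FTP reply (RFC 959 multi-line aware) from an iterator of lines."""
    first = next(lines).rstrip("\r\n")
    code, text = first[:3], [first[4:]]
    if first[3:4] == "-":                       # "234-..." continues until "234 ..."
        for line in lines:
            line = line.rstrip("\r\n")
            text.append(line[4:] if line.startswith(code) else line)
            if line.startswith(code + " "):
                break
    return int(code), "\n".join(text)

def classify_auth_reply(code):
    """Map the reply to AUTH TLS onto the behaviour the letter describes."""
    if code == 234:
        return "rfc4217"        # TLS handshake can start immediately
    if code == 334:
        return "rfc2228-adat"   # server expects a further security data exchange
    if 400 <= code < 600:
        return "refused"        # AUTH TLS rejected or not implemented
    return "unexpected"

def diagnose(lines):
    """Skip the greeting, then classify the reply that follows AUTH TLS."""
    lines = iter(lines)
    read_reply(lines)                           # 220 greeting
    code, text = read_reply(lines)
    return code, classify_auth_reply(code), text

def probe(host, port=21, timeout=10):
    """Live check against a server you operate or are onboarding with."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="latin-1", newline="")
        read_reply(f)
        f.write("AUTH TLS\r\n")
        f.flush()
        code, text = read_reply(f)
        return code, classify_auth_reply(code), text

# Constructed transcript: multi-line greeting, then a 334 reply to AUTH TLS.
SAMPLE = ["220-Partner FTP\r\n", "220 Ready\r\n", "334 AUTH TLS accepted\r\n"]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Running `probe()` against a partner's control port during onboarding shows up front whether a client that only accepts 234 will be able to proceed.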