Why I cannot use Windows native FTP client to access FTP server via network App?

In simple and short answer it's due to The Windows ftp client ftp.exe does not support passive mode, which it does not contain a passive command. You can issue the passive command (PASV) through the use of the 'literal' or 'quote' command but this will only put the server in passive mode. However the Windows client will still be using active mode.

In more elaborative answer, we need to understand the basic difference concept between FTP active mode and passive mode.


FTP Active Mode

Among the two connection modes, active mode is the older one. Active FTP was introduced in the early days of computing when mainframes were more common and attacks to information security were not as prevalent. 

Here's a simplified explanation on how an active mode connection is carried out, summarized in two steps. Some relevant steps (e.g. ACK replies) have been omitted to simplify things.

  1. A user connects from a random port on a file transfer client to FTP port 21 on the server. It sends the PORT command, specifying what client-side port the server should connect to. This port will be used later on for the data channel and is different from the port used in this step for the command channel.
  2. The server connects from port 20 to the client port designated for the data channel. Once the data connection is established, file transfers are then made through these client and server ports.
    ftp active mode resized 600


FTP Passive Mode

In passive mode, the client still initiates a command channel (control connection) to the server. However, instead of sending the PORT command, it sends the PASV command, which is basically a request for a server port to connect to for data transmission. When the FTP server replies, it indicates what data port number it has opened for the ensuing data transfer. 

Here's how passive mode works in a nutshell:

  1. The client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer. 
  2. The client connects from another random port to the random port specified in the server's response. Once connection is established, data transfers are made through these client and server ports.
    ftp passive mode resized 600


So, based on above explanation FTP active mode cannot be done to connect between the FTP server and the Client device that have Safous Agent installer. It's due to the nature of Agent based ZTNA in Safous is not the same as traditional VPN (which the traffic initialization can comes from both ways), It's to ensure there's no untrusted traffic that haven't been acknowledge even to client side