Secure FTP
This seems to be a common request for me, and I haven't found a "perfect" answer for it yet. Typical situation:
1. Client's vendor or customer needs a secure FTP server. They don't specify FTPS (FTP over SSL), so sometimes that means they're open to other solutions. Sometimes it has to be FTP. Everything must be encrypted.
2. The FTP server must be an existing Windows Server 2008 R2 system.
3. The server will sit behind an SMB-grade NAT firewall, using only a private IP.
4. The certificate used (assuming FTPS is used) will often be a Geotrust certificate, specifically. More on why that's significant in a moment.
I've only found a couple of solutions that work at all, and nothing works particularly well.
1. IIS 7.5 FTP over SSL (FTPS)
IIS 7.5 allows for FTPS, and it will work behind a NAT firewall... using the FireFTP client, and only the FireFTP client. I have not yet found any other FTP client that will talk to IIS 7.5 FTPS, even doing full 1:1 NAT. I haven't tested it on a public IP without NAT, but for our purposes here that is not feasible. It doesn't even work with IE, Explorer, or the built-in Windows FTP client. This leads to us having to mandate and support a specific client.
2. Filezilla FTP over SSL (FTPS)
Filezilla seems to work with more FTP clients, but still encounters problems. It uses its own authentication system rather than LDAP integration with AD. The Filezilla client won't take Geotrust certificates out-of-the-box. Not all FTP clients work, which still leads to support issues (not as bad as IIS, though).
3. SSH File Transfer Protocol (SFTP)
Seems to work just fine, but again, no authentication through AD, and key management is more difficult and ultimately doesn't suit our needs. FTPS seems to be the "more standard" solution, and SFTP clients are just as restrictive as the first two solutions.
I guess what I'm looking for is the "perfect" solution - a Windows-based FTP server that does automatic or nearly automatic LDAP integration, works behind an appropriately configured FTP-aware NAT firewall, and has near universal client compatibility such that I do not need to give customers client-specific instructions based on their platform and desired FTP client.
IIS 7.5 really seems like a good solution other than the part where it doesn't work with hardly anything. If someone has gotten it to work behind NAT, I sure would appreciate any tips on what we've been doing wrong.
Working B.S., Computer Science
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
Comments
-
AlexNguyen Member Posts: 358 ■■■■□□□□□□
In my department, they decided to choose JSCAPE MFT Server: Managed File Transfer | Secure FTP Server | Accelerated File Transfer | JSCAPE MFT Server
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.
-
networkjutsu Member Posts: 275 ■■■□□□□□□□
Have you tried Ipswitch? Tried three FTP Servers for work: Globalscape MFT, Jscape, and Ipswitch. We went with Ipswitch. Wanted Globalscape but it was about 5 times more expensive than Jscape or Ipswitch.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
I should have mentioned that the target price is almost always $0.00. My clients are very, very frugal.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Just as an example, I'm using Ipswitch client to connect to a Filezilla server. It will not show or access any files or folders, but FireFTP works perfectly. Filezilla client also does not work. Passive vs. Active does not seem to matter. It connects, but no directory listing.
The customer's customer's end-user (yeah, that's right) can't use Firefox.
-
KenC Member Posts: 131
What about freeSSHd? I know it integrates with AD but I'm not sure about how robust it is for your needs or how it would scale.