Ftp

gunbunnysoulja

Hey everyone! So I'm looking for options to setup FTP at one of our offices for our workforce to use. Just looking at some suggestions. Thinking about just use an older desktop with a couple 2TB drives in RAID. I saw some NAS devices with built in FTP but I wasn't sure how those would compare to using IIS, etc. Security is important. Drag/Drop as well. Client software might be an issue (govt. machines) so I'm not sure of how many options I'll have.

Thanks!

veritas_libertas

Internal FTP, or accessible from outside of the company, i.e. The Internet?

gunbunnysoulja

Sorry for not clarifying. It would be accessible from the internet and not just the LAN.

veritas_libertas

The two options would be using FTPS (SSL) or SFTP (SSH.) I'm not familiar with what options are out there, but I assume you would want it to interact with AD for authentication? I'm just provoking thoughts in order to help others be able to help you

paul78

Since you have a security requirement and its Internet accesible, I would suggest that you avoid FTP and look at SFTP or FTPS instead. You could potentially explore a webbased HTTPS dropbox of some kind as well.

Personally, if the user-base community are less IT savvy, I would advocate building an SSL VPN solution and use plain old CIFS. That way the endusers can continue to use their apps transparently.

Unfortunately, I am not familiar with specific tools or software packages.

DevilWAH

For a simple and cheap FTPS solution you can use FileZiller, its free and does the job, widely used in the IT world and easy to set up.

For a few users i would be fine, it does not tie in to AD sadly so if you need that feature you need a enterprise solution. However you may want to down load fileziller to play with for half an hour before you go and spend money on a full blown product.

here is the feature sets for it

FileZilla - Client Features

blargoe

If it's going to be only for users that you control, ie internal employees, Windows 2008 R2 and IIS 7.5 could make sense if you're using AD authentication internally (and then optionally, you could use the new IIS managed accounts for any external users). You could then use other Windows features such as File Server Resource Manager to regulate the types of files that are allowed to be saved to the FTP directory (ie, no executable content) and set policies to clean up this area after the content ages out. And since you're presumably controlling the computers of the end user, you can enable FTPS and give them an FTPS client to use.

If the server were going to be for your customers or other outside consumers, you might have a hard time getting anything other than standard FTP or maybe an HTTP dropbox kind of solution, since you can't control what those individuals are allowed to install on their computers, and Windows doesn't come with FTPS or SFTP clients.

gunbunnysoulja

Thanks for the suggestions everyone! I'm thinking FTPS via IIS will be a good solution but then I would need to figure out what clients are authorized for Army use (FileZilla isn't). I had hoped to use native windows but as stated it doesn't natively support FTPS. No AD authentication because we are hosting at our contractor facility, and users will be accessing from an Army domain that we don't control. So I'm assuming we will just use username/password.

In this scenario, would there be much difference from using IIS via a Windows 7 vs. Server 2008?

networkjutsu

I use FileZilla FTP Server for personal use.
For work, we use Ipswitch. I wanted the GlobalScape but the price was really high.
For IOS upgrades, I just spin up a Ubuntu Server edition with vsftpd.

gunbunnysoulja

How do you like IPSwitch? That's 1 of 3 that I found to be Army approved.

JScape and RhinoSoft Serv-U are the other 2. I was working off an old approved list however so I gotta see what's approved now.

networkjutsu

I tested three server FTP products from GlobalScape, Ipswitch, and JScape. Out of the three, I like the GlobalScape. Ipswitch is fine. It gets the job done. However, it didn't have the bells and whistles that are for security stuff - like for auditing, DLP, and etc. All three has the web interface so no FTP clients needed - just a web browser and you're good to go.

ptilsen

A big consideration is whether you are behind NAT. FTPS is a nightmare behind NAT, depending on your firewall.

IIS is a great way to do it if you already have a web server provisioned that has no real reason it requires separation from FTPS. I would not turn up a server just to run IIS FTPS, though. Go with third-party if the server will be dedicated. FileZilla is good, but it dislikes some of the cheaper commercial certificates you might buy. It also doesn't work behind certain NAT firewalls.

If there's some money to be spent, I really enjoyed implementing CerberusFTP. The enterprise version includes some awesome features. I've always been able to get it working behind NAT, when other products failed. One especially awesome feature is a web portal that provides access to the same directories as the FTPS share. You can have different folders in different locations with different permissions with different authentication (LDAP, Windows, local) with different protocols (FTP, FTPS, SFTP, SCP, HTTP, HTTPS) enabled for sharing, web management, web user requests, etc. It's a really polished product, but it could be overkill for your needs.

If you're not behind NAT or you know your firewall can be made to work, I would say just use FileZilla or IIS 7.5.

gunbunnysoulja

So apparently this is a low budget task so FTPS is out due to the necessity of software purchase (army approved software). So I'm planning on just using a Windows 7 computer running IIS. I noticed when using FTP IPv4 Address and Domain Restrictions, IP's not explicitly specific can still get to the credentials prompt. Login does fail as it should, however I'd like to make it so these users don't even get to the prompt. Any thoughts or is this a non-issue?

it_consultant

We use the IPSWITCH software here as well. It beats the pants off of IIS or filezilla. It is also much more expensive.