Overview of FTPS Configuration in the VShell® Server


Introduction

Beginning with version 3.5, the VShell server offers an additional choice of secure file transfer protocol. In addition to the Secure Shell SFTP protocol, which VShell has supported since its initial release in 2000, you can now download a version of the VShell server that also includes FTP over SSL. FTP over SSL, often called FTPS, secures standard FTP traffic with SSL/TLS encryption, and the SSL/TLS protocols may be required by policy in certain network environments. VShell with FTPS shares many configuration settings with the existing VShell server; other settings are specific to VShell with FTPS. Two key steps for the FTPS version are choosing implicit and explicit listening addresses, and defining the certificate used by the server.

The FTPS protocol

FTP over SSL (FTPS) provides a secure file transfer option using the FTP protocol in which all data sent or received can be protected by SSL (Secure Sockets Layer) and TLS (Transport Layer Security) based encryption. For more information on the protocol, please see IETF RFC 4217.

General description of the VShell server with FTPS

The VShell server with FTPS is delivered as a separate download, installation, and executable module from the standard VShell with Secure Shell/SFTP support. Both are available from the VanDyke Software website. VShell with FTPS also supports SFTP and honors many existing VShell configuration options. These include access control settings, connection filters, deny host, virtual roots, triggers, logging, and the new VShell internal user database. There are several options that are specific to the FTPS service:

  • The Require encrypted connections FTPS option controls whether unencrypted connections are allowed. If this option is disabled, plaintext FTP connections are allowed on any explicit listen address that is configured. Leaving the option enabled prevents unencrypted connections, and also prevents the client from dropping the encryption on the control or data channel once the connection is established.
  • The Listen Addresses page allows the configuration of implicit and explicit addresses on which VShell FTPS will listen for incoming connections. By default, VShell FTPS listens on IP address 0.0.0.0, which means that VShell will listen on all network interface cards (NICs). The default port is 990 for implicit addresses and 21 for explicit addresses. Multiple implicit and explicit addresses can be configured.
  • The difference between implicit and explicit addresses is the mechanism by which the encrypted session is established. When a connection arrives at an explicit address, the SSL negotiation is not started until the client sends the "AUTH TLS" command, indicating to the server that this connection needs to be protected. In contrast, when a connection arrives at an implicit address, VShell FTPS immediately and unconditionally starts negotiating an SSL connection.
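The following Go program is an added example, not VShell code: it models the control-channel decisions described above (implicit vs. explicit listener, AUTH TLS, and what the Require encrypted connections option refuses) so the two listener types and the downgrade protection can be stepped through offline. Reply codes are RFC 959/4217 style and chosen for the model; VShell's actual replies are not documented on this page.

```go
package main

import "strings"

// Session is a constructed model of VShell FTPS control-channel decisions, not VShell code.
// An implicit listener (default port 990) has TLS up before the first command; an explicit
// listener (default port 21) stays in plaintext until the client sends AUTH TLS.
type Session struct {
	RequireEncrypted bool // the "Require encrypted connections" option
	ControlTLS       bool // control channel currently protected
	DataPrivate      bool // PROT P in effect for data connections
}
func NewSession(implicit, requireEncrypted bool) *Session {
	return &Session{RequireEncrypted: requireEncrypted, ControlTLS: implicit}
}

// Handle returns the reply (RFC 959/4217 style codes) the model sends for one command.
func (s *Session) Handle(line string) string {
	cmd := strings.ToUpper(strings.TrimSpace(line))
	switch {
	case cmd == "AUTH TLS":
		if s.ControlTLS {
			return "503 Already using TLS"
		}
		s.ControlTLS = true
		return "234 Proceed with TLS negotiation"
	case cmd == "PROT P":
		if !s.ControlTLS {
			return "503 Issue AUTH TLS first"
		}
		s.DataPrivate = true
		return "200 Data channel protected"
	case cmd == "CCC", cmd == "PROT C":
		// Dropping protection on the control (CCC) or data (PROT C) channel is refused
		// while Require encrypted connections is enabled.
		if s.RequireEncrypted || !s.ControlTLS {
			return "534 Policy requires encryption"
		}
		s.ControlTLS = cmd != "CCC"
		s.DataPrivate = s.DataPrivate && cmd != "PROT C"
		return "200 OK"
	case strings.HasPrefix(cmd, "USER "):
		// Plaintext logins are only possible on an explicit listener with the option disabled.
		if s.RequireEncrypted && !s.ControlTLS {
			return "534 Plaintext FTP not allowed on this listener"
		}
		return "331 Password required"
	}
	return "502 Command not implemented in this model"
}
```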

In order for the SSL negotiation to succeed, VShell FTPS must be configured to use a certificate. A certificate must be specified for each listen address configured. A certificate can be specified or created while editing or adding listen addresses.

  1. Open the Control Panel and go to the FTPS Listen Addresses page.
  2. Either click on the Add... button or select an existing listen address and click on the Edit... button.
  3. On the Add/Edit dialog, click on the Create... button.
  4. Fill in the fields on the Create Certificate dialog. The Common name field is most important as it needs to match the hostname or IP of the machine on which the VShell server is running.
  5. Select the Generate button.
  6. Select OK on the Add/Edit dialog.

Rather than creating a self-signed certificate, VShell with FTPS can also be configured to use a pre-existing certificate for SSL/TLS negotiation. The certificate must meet the following requirements:

  • The certificate's Enhanced Key Usage field must be set to or include Server Authentication.
  • If the certificate is a self-signed certificate, the Authority Key Identifier must include the Certificate Serial Number specification, which must match the Serial Number field of that same certificate.

The listen addresses can all use the same certificate or a unique certificate can be specified for each address.
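The Go program below is an added example, not part of VShell, that checks a self-signed certificate against the two requirements above: the Extended Key Usage must include Server Authentication, and the Authority Key Identifier must carry a Certificate Serial Number (the authorityCertSerialNumber component of RFC 5280) equal to the certificate's own serial. The `SelfSigned` helper, the host name `ftps.example.test` and serial 4711 are constructed for the demonstration; Go's standard library does not emit that AKI component itself, so the extension is encoded by hand.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)
// AuthorityKeyIdentifier (RFC 5280 4.2.1.1); [2] is what Windows shows as "Certificate Serial Number".
type authorityKeyID struct {
	KeyID  []byte   `asn1:"optional,tag:0"`
	Serial *big.Int `asn1:"optional,tag:2"`
}
var oidAKI = asn1.ObjectIdentifier{2, 5, 29, 35}

// CheckSelfSignedFTPSCert applies the tip's two rules to a self-signed certificate; false names the failed rule.
func CheckSelfSignedFTPSCert(cert *x509.Certificate) (bool, string) {
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
		return false, "Enhanced Key Usage lacks Server Authentication"
	}
	i := slices.IndexFunc(cert.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oidAKI) })
	if i < 0 {
		return false, "Authority Key Identifier extension missing"
	}
	var aki authorityKeyID
	if _, err := asn1.Unmarshal(cert.Extensions[i].Value, &aki); err != nil {
		return false, "Authority Key Identifier not parseable: " + err.Error()
	}
	if aki.Serial == nil || aki.Serial.Cmp(cert.SerialNumber) != 0 {
		return false, "AKI Certificate Serial Number absent or not equal to the Serial Number field"
	}
	return true, "ok"
}

// SelfSigned builds a constructed self-signed test certificate (serial 4711) whose AKI carries akiSerial.
func SelfSigned(akiSerial *big.Int) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	raw, _ := asn1.Marshal(authorityKeyID{Serial: akiSerial}) // nil serial yields an AKI without [2]
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(4711),
		Subject:         pkix.Name{CommonName: "ftps.example.test"}, // must match the server's host name or IP
		NotBefore:       time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidAKI, Value: raw}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // a failure leaves der nil
	return x509.ParseCertificate(der)
}
```

Pass a certificate parsed with `x509.ParseCertificate` from the file VShell is configured to use to check a real one; a CA-issued certificate only needs the Server Authentication rule, so the AKI serial check does not apply to it.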

Licensing and upgrade options for VShell with FTP/SSL

The FTPS version of VShell is available in Administrator, Workgroup, and Enterprise editions. New license and upgrade pricing can be found on the VanDyke Software website.
