Overview of FTPS Configuration in the VShell® Server
The FTPS protocol
FTPS is a secure file transfer option that uses the same
protocol as FTP. All data sent or received using FTPS
is protected by TLS (Transport Layer Security) based encryption. For more information on the protocol, please
see the IETF RFC document 4217.
General description of the VShell FTPS server
Most of the VShell configuration options are shared between the VShell FTPS server, the VShell SSH2 (SFTP) server, and the VShell HTTPS server (available with the HTTPS Enterprise edition for Windows).
Shared options include access control settings, connection filters, deny host, virtual roots, triggers, logging, the VShell internal user database, and others.
There are several options that are specific to the FTPS service:
The Require encrypted connections FTPS option is used to control
whether unencrypted connections are allowed. If this option is disabled,
plaintext FTP connections will be allowed to any explicit listen addresses
configured. Leaving the option enabled prevents unencrypted connections,
and also prevents the client from dropping the encryption on the control
or data channel after connected.
The Listen Addresses page allows the configuration of implicit
and explicit addresses on which VShell FTPS will listen for incoming
connections. By default, VShell FTPS listens on IP address 0.0.0.0,
which means that VShell will listen on all network interface cards (NICs).
The default port is 990 for implicit addresses and 21 for explicit addresses.
Multiple implicit and explicit addresses can be configured.
The difference between implicit and explicit addresses is the mechanism
by which the encrypted session is established. When a connection comes
in to an explicit address, the TLS negotiation is not started until
the client sends the "AUTH TLS"
command indicating to the server that this connection needs to be protected.
In contrast, when a connection comes in to an implicit address, VShell
FTPS will immediately and unconditionally start negotiating a TLS connection.
In order for the TLS negotiation to succeed, VShell FTPS must be configured
to use a certificate. A certificate must be specified for each listen
address configured. A certificate can be specified or created while
editing or adding listen addresses.
Open the Control Panel and go to the FTPS Listen Addresses
page.
Either click on the Add... button or select an existing listen
address and click on the Edit... button.
On the Add/Edit dialog, click on the Create... button.
Fill in the fields on the Create Certificate dialog. The
Common name field is most important as it needs to match the
hostname or IP of the machine on which the VShell server is running.
Select the Generate button.
Select OK on the Add/Edit dialog.
Rather than creating a self-signed certificate, VShell FTPS can
also be configured to use a pre-existing certificate for TLS negotiation.
The certificate must meet the following requirements:
The certificate's Enhanced Key Usage field must be set to
or include Server Authentication.
If the certificate is a self-signed certificate, the Authority Key Identifier must include the Certificate Serial Number specification, which must match the Serial Number field of that same certificate.
The listen addresses can all use the same certificate or a unique certificate can be specified for each address.
VanDyke Software uses cookies to give you the best online experience. Before continuing to use this site, please confirm that you agree to our use of cookies. Please see our Cookie Usage for details.
Manage our use of cookies
Here you can control cookies using the checkboxes below. Some cookies are essential for the use of our website and cannot be disabled. Others provide a convenience to the user and, if disabled, may reduce the ease of use of our site. Finally, some cookies provide anonymous analytic tracking data that help us provide the user with a richer browsing experience. You can elect to disable these cookies as well.
