FTP and SSH SFTP are application protocols designed to allow individuals and businesses to easily transfer files between computers.
The two protocols are commonly used to transfer data reliably and efficiently, whether it is uploading important files to your home
backup system or securely sharing company files between two remote offices.
Setting up an FTP server will allow you to receive and share files with virtually anyone, anywhere in the world. This tutorial
will walk you through the basic steps of downloading, installing, and configuring Cerberus FTP Server. In addition
to standard FTP and HTTP, Cerberus can also secure your connections with encrypted
Part 1: Downloading and Installing Cerberus FTP Server
Close all other programs (recommended) before installing Cerberus FTP Server and make sure that you install it logged in as Administrator or a member of the Administrators group if you are installing it on a Windows NT or higher system.
Download the Latest Cerberus FTP Server installer
Double click or run the CerberusInstall.exe self-extracting installer. You may be prompted "Do you want to allow the following program to make changes to this computer" click
Yes (or Allow). Clicking Yes will give the Cerberus FTP Server Installer Administrator privileges to install (required on most operating systems).
Windows 7 UAC Prompt for granting installation privileges
You will see the "Welcome to the Cerberus FTP Server Setup" screen. Click Next.
Cerberus FTP Server Install
Agree to the licensing agreement to continue. Select the "I accept the terms in the License Agreement" button and click Next.
Agree to the licensing agreement
Select an installation folder. Or keep the default path. Click Next to move to the confirmation page.
Select Installation Folder Setup Page
Confirm your settings and click Install to begin installation.
Confirm the settings for your installation
Click Finish to complete the installer and launch Cerberus FTP Server.
Installation Complete Setup Page
Part 2: Configuring your FTP server
The Getting Started Wizard will appear when you start Cerberus FTP Server
for the first time. The wizard is designed to walk you through the basic steps of configuring the
server to allow clients to connect. At the end of the Getting Started Wizard your server should be
ready to accept connections from FTP, FTPS, SSH SFTP, and HTTP clients.
Step 1 - Licensing
The Licensing page allows the administrator to select the licensing option most
appropriate for their intended use of Cerberus FTP Server.
Selecting As a Company, Government entity, or Educational
institution enables a 25 day trial period of the Enterprise
edition of Cerberus FTP Server. During the trial period, the
server will perform and function as the Enterprise edition. Cerberus
FTP Server reverts to the Home edition after the evaluation
period expires and a message indicating that the server is unregistered
will be added to the server welcome message for each connection. At
any time, including after the trial period has expired or
even if "For
Personal Use" was selected at startup, Cerberus may be turned into the
full commercial Personal, Standard, Professional, or Enterprise edition
by entering a valid registration code into the
Selecting the For Personal, Home Use Only
option immediately causes Cerberus to function as the Home
edition. This license is only permitted for at home,
personal use of the FTP server. The Home edition is limited
to at most 5 simultaneous FTP or FTPS connections. A message
indicating that the server is Cerberus FTP Server Home
edition will also appear in the FTP welcome message whenever a client
connects to the server. In all other respects, Cerberus FTP Server Home edition is functionally equivalent to the
licensed Personal edition.
Step 2 - User Creation
The User Creation page will allow you to automatically create a simple user
account with access to a directory on the local machine. You
can use this account to test out your initial connection to the
server. You can turn off the creation of the user account by
un-checking the "Create an Initial User?" checkbox.
By default, an anonymous user will be created under the User Manager. The default anonymous user will have download and upload-only access to the "C:\ftproot"
directory as their root drive. This directory will be created if it
does not already exist. Please note, the default settings for the anonymous user allow anyone to connect to your FTP server without specifying a password. Using the default settings, anyone can view and download any file from your "C:\ftproot" directory and any subdirectories of that directory. To disallow anonymous access to Cerberus FTP Server, uncheck the "Create Initial user" box and the anonymous user will not be added.
You can further customize the newly added user, or create and manage additional users,
through the User Manager after the "Getting Started" wizard has finished.
Initial User Creation
Step 3 - Network Setup
The Network Setup page detects basic network settings and tries to provide advice on any changes that
may need to be made because of the computer's network configuration.
Public IP Auto-detection for Passive Mode FTP
The most complex task in configuring basic FTP access to your
server is preparing the machine to accept FTP data connections.
Unlike the SSH SFTP or HTTP/S protocols, FTP is complicated by
the need for two connections for each client session. The
first connection is established when the client initially
connects and is used to exchange commands and status between the
FTP server and the client. A second connection is created
every time a directory listing or file transfer takes place.
Whenever a directory listing or file transfer is requested, the
FTP server has to respond with an IP address and port that the
client can connect over to establish the secondary data
connection. To aid the server in determining what IP
address to give to the client, the server can be configured to
automatically detect the IP address of the server on the
Internet and use this IP address when sending the client
After clicking the Next button on the Network
Setup page a dialog prompt will ask whether you want to allow
Cerberus to automatically attempt to detect your public IP
address. We normally recommend you answer Yes
here. Answering yes will instruct Cerberus to automatically attempt to
detect and use the correct external IP address when clients
request passive FTP data connections.
Public IP auto-detection
Step 4 - Security
The last page of the Getting Started Wizard will allow the
administrator to configure a few basic server security settings.
Cerberus FTP Server fully supports TLSv1/SSLv3 encryption over FTP (FTPS), HTTPS, and SSH SFTP.
To enable FTPS, HTTPS, and SSH SFTP support, a digital certificate
must be generated for the server. This digital certificate contains the necessary security data to allow the server to
establish encrypted connections with clients.
Cerberus FTP Server will automatically generate a new, self-signed certificate for you the
first time you run the Getting Started Wizard. You can replace the certificate at any time through
the Security page of the Server Manager.
Finalizing basic security settings
Web Administation Password
You also have the option to configure a web administration and remote API access password on the Security Wizard page.
You should set a strong password here even if you are not using web administration. Please note that the password strength
estimation meter is only meant as a guide. It will flag obviously poor passwords but there is no official weighting system
and this meter should only be utilized as a loose guide to improving your password.
The last option allows you to configure the server to only accept encrypted FTP connections.
Normal FTP has no encryption and therefore allows passwords and data to be
transmitted unencrypted over a network.
Fortunately, it is possible to establish a normal unencrypted FTP connection and then "upgrade" the
connection to secure encryption through special FTP commands (this enhanced protocol is called FTPES). This
type of connection depends on the client issuing FTP commands instructing the server to establish encryption
before accepting login credentials.
However, the client can also continue as a normal FTP connection without enabling encryption.
This situation allows for unencrypted connections and presents a security issue for servers.
If you wish to allow FTPES secure connections, but not FTP, then you must
instruct the server to require encryption before allowing a connection to proceed.
Checking this option does exactly that. It requires the client upgrade the connection
to use encryption before allowing login.
Click the Finish button to complete the Getting Started Wizard. Your server is now ready to accept local network FTP/S, SSH SFTP,
or HTTP/S web client connections. Please take a look at the next section for any changes that might need to be made to your firewall
or router to allow connection from outside of your local network to reach your server.
Part 3: Make your FTP server accessible from the Internet
Depending upon your connection to the Internet, you may need to configure your router or firewall before users outside of your local network can see your FTP server. Communication with an FTP server is done through two connections, a control connection and a data connection. Ensuring these connections can be established are the two areas where special attention is usually needed.
Addresses that begin with 192.168, or 10.0, or 172.16 are called private addresses. These addresses are only used for traffic on your local LAN and are invisible to users outside of your local network. External users to your network can usually only see your router's IP address. To allow people to connect to your server from the Internet, your router has to be configured to forward FTP traffic to the machine running Cerberus FTP Server. This process is called Port Forwarding.
While the exact procedure depends upon your router, there are generally three steps that need to be completed to connect to Cerberus from the Internet.
- Forward the FTP and SFTP ports Cerberus FTP Server is listening on from the router to to the machine running Cerberus (the default ports are 21 and 22) .
If you are using HTTPS then you will also need to forward
- Forward the passive ports range from the router to the machine Cerberus FTP Server is listening on. The range is configurable and can be found on the 'Advanced' tab of the Server Manager.
Below is the Advanced tab of the Server Manager. From here you can select the ports that Cerberus will use for passive FTP connections.
The range displayed below is Cerberus FTP Server's default port range of 11000 to 13000. This is just a suggested default and the administrator
can change the range to anything desired. However, a large range is recommended (at least several hundred ports) as a new port is used for each
directory listing or file transfer FTP command received from a client and ports cannot be reused for several minutes because of restrictions
inherent in the TCP protocol.
Selecting the PASV port range
Below is an example of port forwarding in a popular router.
The same passive ports specified in the Advanced tab of the server manager need to be
Port Forwarding example on a router
The above router is configured to forward requests on port 21
(for FTP), port 990 (for FTPS), port 22 (for SSH SFTP),
port 443 (for HTTPS) and from ports 11000 through 13000
(PASV port range) from outside the local network (usually from the Internet for a home network) to the local machine at IP address 192.168.1.100.
Any requests on those ports from the Internet will be forwarded to machine 192.168.1.100.
NOTE: Some routers inspect FTP traffic and do not allow the public IP address to be passed
in the response for the PASV command.
Those routers expect the internal IP address to be used. See this FAQ entry if you still have problems with FTP directory listings
or file transfers after following the above steps.
- Enable "Detect WAN IP at Startup" from the 'General' tab of the server manager. Make sure your restart Cerberus FTP Server after enabling this option. Selecting this option will allow Cerberus to detect your public IP address and give that address out to FTP clients in response to a passive connection request.
If you allowed Cerberus to detect your public IP address
during the Getting Started Wizard then this option
should already be checked and a restart is not
Selecting detect WAN IP
That's it! Your server should now be completely configured and accessible to the outside world. The next step is opening up the User Manager and adding users and setting up virtual folder permissions.