FTP and SSH SFTP are application protocols designed to allow individuals and businesses to easily transfer files between computers. The two protocols are commonly used to transfer data reliably and efficiently, whether it is uploading important files to your home backup system or securely sharing company files between two remote offices.
Setting up an FTP server will allow you to receive and share files with virtually anyone, anywhere in the world. This tutorial will walk you through the basic steps of downloading, installing, and configuring Cerberus FTP Server. In addition to standard FTP and HTTP, Cerberus can also secure your connections with encrypted SFTP, FTPS, or HTTPS.
- Part 1: Downloading and Installing Cerberus FTP Server
- Part 2: Configuring your FTP server
- Part 3: Make your FTP server accessible from the Internet
Part 1: Downloading and Installing Cerberus FTP Server
Close all other programs (recommended) before installing Cerberus FTP Server and make sure that you install it logged in as Administrator or a member of the Administrators group if you are installing it on a Windows NT or higher system.
Double click or run the CerberusInstall.exe self-extracting installer. You may be prompted "Do you want to allow the following program to make changes to this computer" click Yes (or Allow). Clicking Yes will give the Cerberus FTP Server Installer Administrator privileges to install (required on most operating systems).
You will see the "Welcome to the Cerberus FTP Server Setup" screen. Click Next.
Agree to the licensing agreement to continue. Select the "I accept the terms in the License Agreement" button and click Next.
Select an installation folder. Or keep the default path. Click Next to move to the confirmation page.
Confirm your settings and click Install to begin installation.
Click Finish to complete the installer and launch Cerberus FTP Server.
Part 2: Configuring your FTP server
The Getting Started Wizard will appear when you start Cerberus FTP Server for the first time. The wizard is designed to walk you through the basic steps of configuring the server to allow clients to connect. At the end of the Getting Started Wizard your server should be ready to accept connections from FTP, FTPS, SSH SFTP, and HTTP clients.
Step 1 - Licensing
The Licensing page allows the administrator to select the licensing option most appropriate for their intended use of Cerberus FTP Server.
Selecting As a Company, Government entity, or Educational institution enables a 25 day trial period of the Enterprise edition of Cerberus FTP Server. During the trial period, the server will perform and function as the Enterprise edition. Cerberus FTP Server reverts to the Home edition after the evaluation period expires and a message indicating that the server is unregistered will be added to the server welcome message for each connection. At any time, including after the trial period has expired or even if "For Personal Use" was selected at startup, Cerberus may be turned into the full commercial Personal, Standard, Professional, or Enterprise edition by entering a valid registration code into the license dialog.
Selecting the For Personal, Home Use Only option immediately causes Cerberus to function as the Home edition. This license is only permitted for at home, personal use of the FTP server. The Home edition is limited to at most 5 simultaneous FTP or FTPS connections. A message indicating that the server is Cerberus FTP Server Home edition will also appear in the FTP welcome message whenever a client connects to the server. In all other respects, Cerberus FTP Server Home edition is functionally equivalent to the licensed Personal edition.
Step 2 - User Creation
The User Creation page will allow you to automatically create a simple user account with access to a directory on the local machine. You can use this account to test out your initial connection to the server. You can turn off the creation of the user account by un-checking the "Create an Initial User?" checkbox.
By default, an anonymous user will be created under the User Manager. The default anonymous user will have download and upload-only access to the "C:\ftproot" directory as their root drive. This directory will be created if it does not already exist. Please note, the default settings for the anonymous user allow anyone to connect to your FTP server without specifying a password. Using the default settings, anyone can view and download any file from your "C:\ftproot" directory and any subdirectories of that directory. To disallow anonymous access to Cerberus FTP Server, uncheck the "Create Initial user" box and the anonymous user will not be added.
You can further customize the newly added user, or create and manage additional users, through the User Manager after the "Getting Started" wizard has finished.
Step 3 - Network Setup
The Network Setup page detects basic network settings and tries to provide advice on any changes that may need to be made because of the computer's network configuration.
Public IP Auto-detection for Passive Mode FTP
The most complex task in configuring basic FTP access to your server is preparing the machine to accept FTP data connections. Unlike the SSH SFTP or HTTP/S protocols, FTP is complicated by the need for two connections for each client session. The first connection is established when the client initially connects and is used to exchange commands and status between the FTP server and the client. A second connection is created every time a directory listing or file transfer takes place. Whenever a directory listing or file transfer is requested, the FTP server has to respond with an IP address and port that the client can connect over to establish the secondary data connection. To aid the server in determining what IP address to give to the client, the server can be configured to automatically detect the IP address of the server on the Internet and use this IP address when sending the client connection instructions.
After clicking the Next button on the Network Setup page a dialog prompt will ask whether you want to allow Cerberus to automatically attempt to detect your public IP address. We normally recommend you answer Yes here. Answering yes will instruct Cerberus to automatically attempt to detect and use the correct external IP address when clients request passive FTP data connections.
Step 4 - Security
The last page of the Getting Started Wizard will allow the administrator to configure a few basic server security settings.
Cerberus FTP Server fully supports TLSv1/SSLv3 encryption over FTP (FTPS), HTTPS, and SSH SFTP. To enable FTPS, HTTPS, and SSH SFTP support, a digital certificate must be generated for the server. This digital certificate contains the necessary security data to allow the server to establish encrypted connections with clients.
Cerberus FTP Server will automatically generate a new, self-signed certificate for you the first time you run the Getting Started Wizard. You can replace the certificate at any time through the Security page of the Server Manager.
Web Administation Password
You also have the option to configure a web administration and remote API access password on the Security Wizard page. You should set a strong password here even if you are not using web administration. Please note that the password strength estimation meter is only meant as a guide. It will flag obviously poor passwords but there is no official weighting system and this meter should only be utilized as a loose guide to improving your password.
The last option allows you to configure the server to only accept encrypted FTP connections. Normal FTP has no encryption and therefore allows passwords and data to be transmitted unencrypted over a network.
Fortunately, it is possible to establish a normal unencrypted FTP connection and then "upgrade" the connection to secure encryption through special FTP commands (this enhanced protocol is called FTPES). This type of connection depends on the client issuing FTP commands instructing the server to establish encryption before accepting login credentials. However, the client can also continue as a normal FTP connection without enabling encryption. This situation allows for unencrypted connections and presents a security issue for servers.
If you wish to allow FTPES secure connections, but not FTP, then you must instruct the server to require encryption before allowing a connection to proceed.
Checking this option does exactly that. It requires the client upgrade the connection to use encryption before allowing login.
Click the Finish button to complete the Getting Started Wizard. Your server is now ready to accept local network FTP/S, SSH SFTP, or HTTP/S web client connections. Please take a look at the next section for any changes that might need to be made to your firewall or router to allow connection from outside of your local network to reach your server.
Part 3: Make your FTP server accessible from the Internet
Depending upon your connection to the Internet, you may need to configure your router or firewall before users outside of your local network can see your FTP server. Communication with an FTP server is done through two connections, a control connection and a data connection. Ensuring these connections can be established are the two areas where special attention is usually needed.
Addresses that begin with 192.168, or 10.0, or 172.16 are called private addresses. These addresses are only used for traffic on your local LAN and are invisible to users outside of your local network. External users to your network can usually only see your router's IP address. To allow people to connect to your server from the Internet, your router has to be configured to forward FTP traffic to the machine running Cerberus FTP Server. This process is called Port Forwarding. While the exact procedure depends upon your router, there are generally three steps that need to be completed to connect to Cerberus from the Internet.
- Forward the FTP and SFTP ports Cerberus FTP Server is listening on from the router to to the machine running Cerberus (the default ports are 21 and 22) . If you are using HTTPS then you will also need to forward port 443.
- Forward the passive ports range from the router to the machine Cerberus FTP Server is listening on. The range is configurable and can be found on the 'Advanced' tab of the Server Manager.
Below is the Advanced tab of the Server Manager. From here you can select the ports that Cerberus will use for passive FTP connections. The range displayed below is Cerberus FTP Server's default port range of 11000 to 13000. This is just a suggested default and the administrator can change the range to anything desired. However, a large range is recommended (at least several hundred ports) as a new port is used for each directory listing or file transfer FTP command received from a client and ports cannot be reused for several minutes because of restrictions inherent in the TCP protocol.
Below is an example of port forwarding in a popular router. The same passive ports specified in the Advanced tab of the server manager need to be specified here.
The above router is configured to forward requests on port 21 (for FTP), port 990 (for FTPS), port 22 (for SSH SFTP), port 443 (for HTTPS) and from ports 11000 through 13000 (PASV port range) from outside the local network (usually from the Internet for a home network) to the local machine at IP address 192.168.1.100. Any requests on those ports from the Internet will be forwarded to machine 192.168.1.100.
NOTE: Some routers inspect FTP traffic and do not allow the public IP address to be passed in the response for the PASV command. Those routers expect the internal IP address to be used. See this FAQ entry if you still have problems with FTP directory listings or file transfers after following the above steps.
- Enable "Detect WAN IP at Startup" from the 'General' tab of the server manager. Make sure your restart Cerberus FTP Server after enabling this option. Selecting this option will allow Cerberus to detect your public IP address and give that address out to FTP clients in response to a passive connection request.
If you allowed Cerberus to detect your public IP address
during the Getting Started Wizard then this option
should already be checked and a restart is not
That's it! Your server should now be completely configured and accessible to the outside world. The next step is opening up the User Manager and adding users and setting up virtual folder permissions.