Cerberus FTP Server FAQ
FTP connections within your local network usually work without any problems. However, when you want the FTP server to be available outside of your local network, additional steps are often necessary to make the server visible to the outside world. The following steps are usually required to allow Cerberus FTP Server to be accessible from the Internet:
- The control connection port Cerberus FTP Server is listening on needs to be forwarded from your router to the machine hosting Cerberus. The default port that Cerberus listens on is port 21. Consult your router documentation for instructions on how to setup port forwarding. Finishing this step will allow Internet users to establish a connection with your server. The next step is making sure passive mode is configured so that directory listings and file transfers work.
- To allow passive mode to work properly, you must forward the passive range of ports from your router to the machine running Cerberus. See “My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?” for detailed instructions on how to make sure passive mode is setup properly. If you don’t perform this step, users may be able to login but directory listings may hang and timeout.
- Make sure any firewalls you are running are allowing connections on port 21 (and port 22 for SFTP). Cerberus will automatically attempt to add itself to the Windows Firewall Exception list (you will be prompted to allow this). However, you may still have to manually add an exception to allow port 21 connections into your computer.
The account you are trying to configure is probably not set to operate in Simple Virtual Directory mode.
The virtual directory (VD) system allows the administrator to attach any directory or drive to the root. When a client requests the root directory from the server, the VDs you specify are sent to the client. The client can also navigate to any of the VD directories’ subdirectories. The VD system takes care of all path translation.
Security settings can be specified for each virtual directory. All subdirectories under the VD inherit the security settings of the VD.
There are 2 modes that a user account can operate in with respect to the virtual filesystem. The two modes are simple and standard mode.
Simple Virtual Directory mode
When a user account uses simple directory mode, the administrator can only assign one directory to represent the virtual directory for that user. Instead of that directory being seen as a subdirectory off of the root, the virtual directory selected will be the directory the user is placed in when they first log into the server. In other words, the directory selected as the virtual root directory will be the root directory.
Standard Virtual Directory mode
In standard mode, the administrator may add as many directories as virtual directories to a user account as desired. The directories selected will appear as subdirectories off of the root when the designated user logs into the server.
Q2: My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?
Addresses that begin with 192.168, or 10.0, or 172.16 are called private addresses. These addresses are only used for traffic on your local LAN and are invisible to users outside of your local network. External users to your network can usually only see your router’s IP address. To allow people to connect to your server from the Internet, your router has to be configured to forward FTP traffic to the machine running Cerberus FTP Server. This process is called Port Forwarding. While the exact procedure to enable port forwarding depends upon your router, there are generally three steps that need to be completed to connect to Cerberus from the Internet.
- Forward the FTP, SFTP, and FTPS ports Cerberus FTP Server is listening on from the router to to the machine running Cerberus (the default ports are 21, 22 and 990) .
- Forward the passive FTP port range from the router to the machine Cerberus FTP Server is listening on. The range is configurable and can be found on the ‘Advanced’ tab of the Server Manager.
Below is the Advanced tab of the Server Manager. From here you can select the ports that Cerberus will use for passive FTP connections. The range displayed below is Cerberus FTP Server’s default port range of 11000 to 13000. This is just a suggested default and the administrator can change the range to anything desired. However, a large range is recommended (at least several hundred ports) as a new port is used for each directory listing or file transfer FTP command received from a client and ports cannot be reused for several minutes because of restrictions inherent in the TCP protocol.
Below is an example of port forwarding using a popular router. The same passive ports specified in the Advanced tab of the server manager need to be specified here.
The above router is configured to forward requests on port 21 (for FTP) and from ports 11000 through 13000 (FTP PASV port range) from outside the local network (usually from the Internet for a home network) to the local machine at IP address 192.168.1.100. Any requests on those ports from the Internet will be forwarded to machine 192.168.1.100.
NOTE: For FTPS you will need to forward port 990, for SFTP you will need to forward port 22, and for HTTPS you will need to forward port 443.
- Enable “Detect WAN IP at Startup” from the ‘General’ tab of the server manager. Make sure your restart Cerberus FTP Server after enabling this option. Selecting this option will allow Cerberus to detect your public IP address and give that address out to FTP clients in response to a passive connection request.
That should be all you need to do to allow passive FTP connections to your server.
NOTE: Some routers inspect FTP traffic and do not allow the public IP address to be passed as a response for the PASV command. Those routers expect the internal IP address to be used. See this FAQ entry if you still have problems with FTP directory listings or file transfers after following the above steps.
An FTP session involves 2 separate connections – a control connection and a data connection. The control connection is the initial connection that a client makes to an FTP server. The control connection is used by the client and server to exchange commands for operations like authenticating a user, requesting a directory listing, or starting a file transfer.
Whenever a client requests a directory listing or decides to upload or download a file from the server a new connection is established between the client and server to transfer files and directory listings. The data connection is closed immediately after the file transfer or directory listing is completed and a new data connection needs to be established each time another file or directory listing is required.
This new data connection is established in one of two ways- in active or passive mode, and it is the client that instructs the server which mode it would like to use. The mode determines whether the client establishes the data connection by connecting to the server or whether the server should connect back to the client. This has practical implication on firewalls and security as discussed below:
Active FTP use to be the traditional default used by FTP client programs. Active FTP uses a “reverse data channel” that can cause problems when operating behind some older firewalls and NAT routers, though some modern products have become “FTP aware”. By comparison, passive FTP (see next section) has become the favored method of establishing a data connection as it is more firewall and NAT router friendly.
FTP sessions are initiated by an FTP client’s connection to port 21 of an FTP server. This establishes the command channel that FTP clients use to issue commands to the server. In active FTP, an FTP client next opens a listening port on its machine, informs the remote FTP server of this port number, and requests the remote FTP server to connect from its port 20 back to the client on the port it has specified. This establishes the “reverse data channel” for transporting file data and directory listings.
Since many firewalls and NAT routers automatically block incoming connections to their protected client machines, the need to establish this second “reverse data channel” can cause problems. Although passive FTP was created to overcome these problems, some modern firewalls and NAT routers have become “FTP aware”. They monitor the outgoing control channel, interpret the client’s request to the remote server, and open an incoming port back through the router to the client machine. This allows some active FTP clients to operate behind FTP aware firewalls and NAT routers without problems.
Passive FTP protocol was created to overcome the firewall and router problems associated with active FTP’s need to establish a reverse data channel back from the server to the client. Passive FTP operates just like active FTP except that both the initial control channel (to the server’s default port 21) and the data channel (to a port specified by the server in response to a client PASV command) are initiated by the client and received and accepted by the server. Because passive FTP does not use a “reverse data channel” approach, it is often more friendly to firewalls and NAT routers.
To configure for passive FTP (the preferred method), see “My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?”
By default, the Getting Started Wizard will configure FTP listeners to not allow unencrypted FTP connections. A user will receive a “521 Not logged in – Secure authentication required” if they attempt to login using unencrypted FTP when secure connections are required. If you wish to allow unencrypted FTP, you have to change the FTP listener to allow it. Here are the steps:
- Open the Server Manager and select the Interfaces page.
- Select the IP address of the FTP listener you are trying to log in on.
Do not select the Default FTP listener. Changes to the Default listener will only be applied to any new IP addresses that are detected later.
- Un-check the options for Require Secure Control and Require Secure Data.
- Press OK to close the Server Manager and save your changes.
First, make sure you are running at least 6.0.12 or 126.96.36.199 By default, SSL 3.0 is already disabled in these versions. Please note that disabling SSL 3.0 may cause compatibility problems with older clients.
You can verify that SSL 3.0 is disabled by following the steps below:
- Open the Server Manager
- Go to the Security page
- Click the Advanced button to bring up the Advanced Security Settings dialog
- Check that the “Allow SSLv3.0” option is not checked
- Press OK to close the Advanced Security Settings dialog and save your changes.
- Press Save to close the Server Manager and save your changes to the server.