Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Looking for an SFTP AD aware product

Posted on 2010-08-24
Medium Priority
Last Modified: 2013-12-09

We are looking for for an SFTP AD aware product. We need to implement a secure FTP that will integrate with AD and will allow users to authenticate and access to it with their Active Directory accounts.

Does anyone knows any good products that we could use?
Question by:llarava
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
LVL 22

Accepted Solution

Matt V earned 1000 total points
ID: 33513941
Cerberus FTP is both an excellent product and does SFTP with AD integration.
LVL 26

Expert Comment

ID: 33519248
Another product to consider: http://www.bitvise.com/winsshd

Also most Linux / Unix implementations can be made to authenticate against an LDAP Directory e.g.  AD  
Also via Samba a Linux / Unix box can access Windows shares, so a vanilla Linux install and a bit of tweaking may suffice, see:  http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication   OR http://ubuntuforums.org/showthread.php?t=91510


Author Comment

ID: 33550284
Thank you.

The FTP will be placed on the DMZ and will be to authenticate with the DC's which they are part of our internal network. Any of you have any suggestions/experience building something like this? Any suggestions about the lay out so that we can reach want we want to do without compromising the security of the env?

Can we use either of the products listed above to acomplish this type of setup?  
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 26

Expert Comment

ID: 33577664
Yes the suggested solutions may form the basis of a solution BUT if your corporate network contains any sensitive, financial or personal details I'd suggest you hire a security consultant / architect, preferable one whose CISSP, CISM, and / or CISA certified.

Without knowing the set-up and any regulatory requirements I wouldn't want to suggest anything.

Expert Comment

ID: 33633621
Two suggestions:

1) If you aren't tied to using FTP variants, Sharepoint 2010 or Microsoft Office Sharepoint Server (MOSS) 2007. You can place this behind an ISA Server 2006 or Forefront Threat Management Gateway (TMG) 2010 Reverse Proxy in the DMZ.
2) If you are required to use some form of FTP and are a Windows shop, I'd recommend an ISA Server 2006 or Forefront TMG 2010 Reverse Proxy in the DMZ with an IIS 7 server on the back-end running Microsoft FTP 7.5. You can then configure FTP-S (basically FTP over SSL/TLS) for encrypted connections that will be supported by most FTP clients, and you can have AD integration.

As a CISSP myself, I strongly agree with arober11's comment about bringing in a security consultant/architect as it would appear by definition there is sensitive data involved. Otherwise why would you want FTPS?

Author Comment

ID: 33636474
The data isn't confidential. I am concerned about the authentication. Would an SFTP be necessary? What are the mechanisms that are being used to protect the authentication process is an SFTP is not being used?  

Unfortunately ISA/TMG can't be used we have to go through our regular firewall.

FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389.

I am strongely considering getting the following app:


Any thoughts?

Thank you


Assisted Solution

lwalcher earned 1000 total points
ID: 33639097
If the owner of your data being transferred has defined it as all being public data, then you are correct that securing the credentials is what you need to focus on here. Most of the secure FTP solutions (e.g., sFTP, FTP-S) will secure the data channel by default--or at least try--if they secure the control channel, though.

I have no experience with xlightftpd but it theoretically could work based on the requirements you've provided so far. What are you going to use to authenticate against AD?:

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD?
* Are you planning to open the firewall betwen the DMZ and your domain controller directly?
* Something else?

I strongly recommend doing some research and/or bringing a security guru so you are aware of the security implications. The security issue to be addressed here is not just the FTP data itself. The issue is that this is a new entry point into your network, and you are using domain credentials to authenticate. If those credentials get compromised, that is a serious security breach that could have major ramifications from a regulatory perspective, depending on your business, and would generally be bad news.

Author Comment

ID: 33639235

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD? Initially I though about it...

* Are you planning to open the firewall betwen the DMZ and your domain controller directly? Allow port access from xlightftpd to the DC's.  The files will remain in the xlightftpd server. Also as far as I am concerned xlightftpd works with a service account that only needs read access to AD so worst case scenario if the xlightftpd box gets compromised the will only have access to this account and the data which doesn't have much value since is considered public data.

We only need to authenticate against the DC's from a front-end same way we (and others) are currently doing with OWA or any other AD aware apps out there.

Any other thoughts?

Author Comment

ID: 33657076
Here is the final approach:

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Any ideas, suggestions, comments would be appreciated.


Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello, As I have seen there a lot of requests regarding monitoring and reporting for exchange 2007 / 2010 / 2013 I have decided to post some thoughts together and link to articles that have helped me. Of course a lot of information you can get…
This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question