Looking for an SFTP AD aware product


We are looking for for an SFTP AD aware product. We need to implement a secure FTP that will integrate with AD and will allow users to authenticate and access to it with their Active Directory accounts.

Does anyone knows any good products that we could use?
Who is Participating?
Matt VConnect With a Mentor Commented:
Cerberus FTP is both an excellent product and does SFTP with AD integration.
Another product to consider: http://www.bitvise.com/winsshd

Also most Linux / Unix implementations can be made to authenticate against an LDAP Directory e.g.  AD  
Also via Samba a Linux / Unix box can access Windows shares, so a vanilla Linux install and a bit of tweaking may suffice, see:  http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication   OR http://ubuntuforums.org/showthread.php?t=91510

llaravaAuthor Commented:
Thank you.

The FTP will be placed on the DMZ and will be to authenticate with the DC's which they are part of our internal network. Any of you have any suggestions/experience building something like this? Any suggestions about the lay out so that we can reach want we want to do without compromising the security of the env?

Can we use either of the products listed above to acomplish this type of setup?  
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Yes the suggested solutions may form the basis of a solution BUT if your corporate network contains any sensitive, financial or personal details I'd suggest you hire a security consultant / architect, preferable one whose CISSP, CISM, and / or CISA certified.

Without knowing the set-up and any regulatory requirements I wouldn't want to suggest anything.
Two suggestions:

1) If you aren't tied to using FTP variants, Sharepoint 2010 or Microsoft Office Sharepoint Server (MOSS) 2007. You can place this behind an ISA Server 2006 or Forefront Threat Management Gateway (TMG) 2010 Reverse Proxy in the DMZ.
2) If you are required to use some form of FTP and are a Windows shop, I'd recommend an ISA Server 2006 or Forefront TMG 2010 Reverse Proxy in the DMZ with an IIS 7 server on the back-end running Microsoft FTP 7.5. You can then configure FTP-S (basically FTP over SSL/TLS) for encrypted connections that will be supported by most FTP clients, and you can have AD integration.

As a CISSP myself, I strongly agree with arober11's comment about bringing in a security consultant/architect as it would appear by definition there is sensitive data involved. Otherwise why would you want FTPS?
llaravaAuthor Commented:
The data isn't confidential. I am concerned about the authentication. Would an SFTP be necessary? What are the mechanisms that are being used to protect the authentication process is an SFTP is not being used?  

Unfortunately ISA/TMG can't be used we have to go through our regular firewall.

FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389.

I am strongely considering getting the following app:


Any thoughts?

Thank you

lwalcherConnect With a Mentor Commented:
If the owner of your data being transferred has defined it as all being public data, then you are correct that securing the credentials is what you need to focus on here. Most of the secure FTP solutions (e.g., sFTP, FTP-S) will secure the data channel by default--or at least try--if they secure the control channel, though.

I have no experience with xlightftpd but it theoretically could work based on the requirements you've provided so far. What are you going to use to authenticate against AD?:

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD?
* Are you planning to open the firewall betwen the DMZ and your domain controller directly?
* Something else?

I strongly recommend doing some research and/or bringing a security guru so you are aware of the security implications. The security issue to be addressed here is not just the FTP data itself. The issue is that this is a new entry point into your network, and you are using domain credentials to authenticate. If those credentials get compromised, that is a serious security breach that could have major ramifications from a regulatory perspective, depending on your business, and would generally be bad news.
llaravaAuthor Commented:

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD? Initially I though about it...

* Are you planning to open the firewall betwen the DMZ and your domain controller directly? Allow port access from xlightftpd to the DC's.  The files will remain in the xlightftpd server. Also as far as I am concerned xlightftpd works with a service account that only needs read access to AD so worst case scenario if the xlightftpd box gets compromised the will only have access to this account and the data which doesn't have much value since is considered public data.

We only need to authenticate against the DC's from a front-end same way we (and others) are currently doing with OWA or any other AD aware apps out there.

Any other thoughts?
llaravaAuthor Commented:
Here is the final approach:

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Any ideas, suggestions, comments would be appreciated.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.