Looking for an SFTP AD aware product

Posted on 2010-08-24
Last Modified: 2013-12-09

We are looking for for an SFTP AD aware product. We need to implement a secure FTP that will integrate with AD and will allow users to authenticate and access to it with their Active Directory accounts.

Does anyone knows any good products that we could use?
Question by:llarava
  • 4
  • 2
  • 2
  • +1
LVL 22

Accepted Solution

Matt V earned 250 total points
ID: 33513941
Cerberus FTP is both an excellent product and does SFTP with AD integration. 
LVL 26

Expert Comment

ID: 33519248
Another product to consider:

Also most Linux / Unix implementations can be made to authenticate against an LDAP Directory e.g.  AD  
Also via Samba a Linux / Unix box can access Windows shares, so a vanilla Linux install and a bit of tweaking may suffice, see:   OR


Author Comment

ID: 33550284
Thank you.

The FTP will be placed on the DMZ and will be to authenticate with the DC's which they are part of our internal network. Any of you have any suggestions/experience building something like this? Any suggestions about the lay out so that we can reach want we want to do without compromising the security of the env?

Can we use either of the products listed above to acomplish this type of setup?  
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

LVL 26

Expert Comment

ID: 33577664
Yes the suggested solutions may form the basis of a solution BUT if your corporate network contains any sensitive, financial or personal details I'd suggest you hire a security consultant / architect, preferable one whose CISSP, CISM, and / or CISA certified.

Without knowing the set-up and any regulatory requirements I wouldn't want to suggest anything.

Expert Comment

ID: 33633621
Two suggestions:

1) If you aren't tied to using FTP variants, Sharepoint 2010 or Microsoft Office Sharepoint Server (MOSS) 2007. You can place this behind an ISA Server 2006 or Forefront Threat Management Gateway (TMG) 2010 Reverse Proxy in the DMZ.
2) If you are required to use some form of FTP and are a Windows shop, I'd recommend an ISA Server 2006 or Forefront TMG 2010 Reverse Proxy in the DMZ with an IIS 7 server on the back-end running Microsoft FTP 7.5. You can then configure FTP-S (basically FTP over SSL/TLS) for encrypted connections that will be supported by most FTP clients, and you can have AD integration.

As a CISSP myself, I strongly agree with arober11's comment about bringing in a security consultant/architect as it would appear by definition there is sensitive data involved. Otherwise why would you want FTPS?

Author Comment

ID: 33636474
The data isn't confidential. I am concerned about the authentication. Would an SFTP be necessary? What are the mechanisms that are being used to protect the authentication process is an SFTP is not being used?  

Unfortunately ISA/TMG can't be used we have to go through our regular firewall.

FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389.

I am strongely considering getting the following app:

Any thoughts?

Thank you


Assisted Solution

lwalcher earned 250 total points
ID: 33639097
If the owner of your data being transferred has defined it as all being public data, then you are correct that securing the credentials is what you need to focus on here. Most of the secure FTP solutions (e.g., sFTP, FTP-S) will secure the data channel by default--or at least try--if they secure the control channel, though.

I have no experience with xlightftpd but it theoretically could work based on the requirements you've provided so far. What are you going to use to authenticate against AD?:

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD?
* Are you planning to open the firewall betwen the DMZ and your domain controller directly?
* Something else?

I strongly recommend doing some research and/or bringing a security guru so you are aware of the security implications. The security issue to be addressed here is not just the FTP data itself. The issue is that this is a new entry point into your network, and you are using domain credentials to authenticate. If those credentials get compromised, that is a serious security breach that could have major ramifications from a regulatory perspective, depending on your business, and would generally be bad news.

Author Comment

ID: 33639235

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD? Initially I though about it...

* Are you planning to open the firewall betwen the DMZ and your domain controller directly? Allow port access from xlightftpd to the DC's.  The files will remain in the xlightftpd server. Also as far as I am concerned xlightftpd works with a service account that only needs read access to AD so worst case scenario if the xlightftpd box gets compromised the will only have access to this account and the data which doesn't have much value since is considered public data.

We only need to authenticate against the DC's from a front-end same way we (and others) are currently doing with OWA or any other AD aware apps out there.

Any other thoughts?

Author Comment

ID: 33657076
Here is the final approach:

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Any ideas, suggestions, comments would be appreciated.


Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction People like FTP.  It's a solid, stable, robust protocol for quickly transferring files between two hosts using TCP/IP.  In most cases it's much faster than SMB or CIFS, and certainly much easier to set up between organizations.  This…
Over the past decade, as Internet security has become a chief concern of IT professionals, one of the most common questions administrators and users ask is, “Which is more secure, SFTP or FTPS?” In short, both file transfer protocols offer a high…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question