Glub Tech, Inc.
Secure FTP Wrapper
Frequently Asked Questions

  1. What do I need to run Secure FTP Wrapper?

  2. Which clients are supported by Secure FTP Wrapper?

  3. Does Secure FTP Wrapper support data encryption?

  4. You say Secure FTP Wrapper supports explicit SSL connections, but it's not working for me. What do I have to do to enable this behavior?

  5. How do I put Secure FTP Wrapper into a debug mode?

  6. Does Secure FTP Wrapper work with Microsoft IIS?

  7. How do I make Secure FTP Wrapper work with WS_FTP Pro?

  8. I have a certificate signed by Verisign, how do I convert the certificate to a format that will work with Secure FTP Wrapper?

  9. How can I put Secure FTP Wrapper behind a (NAT) firewall?


Q. What do I need to run Secure FTP Wrapper?
A. Secure FTP Wrapper requires the Java 2 Runtime Environment version 1.3 and higher.
 
Q. Which clients are supported by Secure FTP Wrapper?
A. We are aware of five clients that are supported by Secure FTP Wrapper by default: our client (Secure FTP), Cute FTP Pro (2.0), FTP Voyager (9.0), FileZilla (1.9.4a), IglooFTP Pro (3.2), and Smart FTP (1.0). In addition, we support any client that can make an Implicit SSL connection (port 990).

Starting in version 2.5 the Wrapper can be configured to handle an Explicit SSL connection (AUTH SSL). This feature adds support for WS_FTP Pro (7.5) and NetFinder (2.3.2).

 
Q. Does Secure FTP Wrapper support data encryption?
A. Yes, starting with version 2.1, data encryption is fully supported on all connection types (PASV and PORT).
 
Q. You say Secure FTP Wrapper supports explicit SSL connections, but it's not working for me. What do I have to do to enable this behavior?
A. By default the Wrapper does not accept explicit SSL connections. This feature is disabled because an explicit connection usually listens on the same port as the FTP server (port 21).

To enable this feature, you need to add ExplicitSSLPort=<port> to the ftpswrap.conf configuration file. The value set for ExplicitSSLPort must be different from the value set for DestPort, or the value set for DestInterface must be different from the value set for SSLInterface.

If at all possible we recommend the following settings:

DestInterface=127.0.0.1
DestPort=21
SSLInterface=<your server's IP>
ExplicitSSLPort=21

For this to work, you need to force the FTP server to listen only on localhost and let the Wrapper take its place.

We also recommend setting the flag EncryptCommand=1. This option requires the "AUTH SSL" command to precede the "USER" command, which in turn keeps your users' identities secure.

If you are unsure what to do here contact your system administrator.

 
Q. How do I put Secure FTP Wrapper into a debug mode?
A. Edit the file, ftpswrap.conf, and change the value of the key log4j.category.com.glub.secureftp.wrapper.SecureFTPWrapper from INFO to DEBUG. Then restart the Wrapper. More verbose information will then be logged to the logging file, ftpswrap.log.
 
Q. Does Secure FTP Wrapper work with Microsoft IIS?
A. Yes. Secure FTP Wrapper 2.1 has been updated to work under Microsoft IIS 5.
 
Q. How do I make Secure FTP Wrapper work with WS_FTP Pro?
A. You need to enable the explicit SSL option in the Wrapper.
 
Q. I have a certificate signed by Verisign, how do I convert the certificate to a format that will work with Secure FTP Wrapper?
A. Verisign usually sends a certificate in PEM format. The Secure FTP Wrapper needs it in DER format. The easiest way to convert the certificates is by using a utility that ships with OpenSSL.

Converting an RSA private key from PEM to DER format:

openssl pkcs8 -topk8 -nocrypt -outform der -in <priv.pem> -out <priv.pk8>

Converting the certificate (which holds the RSA public key) from PEM to DER format:

openssl x509 -outform der -in <pub.pem> -out <pub.der>


Note: if you were not given the key/certificate in PEM format but instead have it in one pkcs12 file, then first do the following (and then try the above steps again):

Getting an RSA private key in PEM format from a pkcs12 file:

openssl pkcs12 -in <verisign.pfx> -nocerts -nodes -out <priv.pem>

Getting the certificate (RSA public key) in PEM format from a pkcs12 file:

openssl pkcs12 -in <verisign.pfx> -nokeys -out <pub.pem>

If there is enough demand, we can write a CGI that will help with this conversion process.
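
The conversions above can be rehearsed end to end on a throwaway bundle before touching the real key. This shell script is an added example, not Glub Tech code: it runs the four commands in order and then checks that the resulting DER files belong together. The function names, file names, pass phrase and the self-signed sample bundle are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not Glub Tech code. File names and pass phrase are constructed.

# pfx_to_der PFX PASSPHRASE OUTDIR: the FAQ's four commands, run in order.
pfx_to_der() (
    umask 077    # every key file is created owner-only
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/priv.pem" &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/pub.pem" &&
    openssl pkcs8 -topk8 -nocrypt -outform der -in "$3/priv.pem" -out "$3/priv.pk8" &&
    openssl x509 -outform der -in "$3/pub.pem" -out "$3/pub.der"
    rc=$?
    rm -f "$3/priv.pem"    # -nodes wrote this intermediate copy unencrypted
    exit "$rc"
)

# der_pair_matches PK8 DER: true when the certificate carries the public key
# that belongs to the private key, i.e. the two files are a usable pair.
der_pair_matches() {
    from_key=$(openssl pkey -inform der -in "$1" -pubout) || return 2
    from_crt=$(openssl x509 -inform der -in "$2" -noout -pubkey) || return 2
    [ "$from_key" = "$from_crt" ]
}

# make_sample_pfx DIR PASSPHRASE: throwaway self-signed bundle standing in
# for the CA-issued .pfx, so the example runs offline.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ftp.example.test" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -passout "pass:$2" -out "$1/sample.pfx"
}

work=$(mktemp -d)
make_sample_pfx "$work" constructed-pass &&
    pfx_to_der "$work/sample.pfx" constructed-pass "$work" &&
    der_pair_matches "$work/priv.pk8" "$work/pub.der" &&
    echo "priv.pk8 and pub.der are a matching pair"
rm -rf "$work"
```

With a real bundle, leave out -passin so that openssl prompts for the pass phrase instead of exposing it in the process list. The pair check also fails when the first certificate in the bundle is not the one issued for your key.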

 
Q. How can I put Secure FTP Wrapper behind a (NAT) firewall?
A. You need to do a few things:
  1. Edit the ftpswrap.conf configuration file and add:
    PassivePortRange=<low port>-<high port>
    We recommend setting a port range of at least 100 available ports (e.g. 3000-3099).

    If you are using NAT, you will also want to add:

    FirewallInterface=<public IP address>
  2. Configure your firewall to forward the ports referenced under the PassivePortRange directly to the wrapper. If you cannot configure this on your firewall, the wrapper may not function properly.

  3. Finally, configure your firewall to allow for inbound traffic to port 990 (and port 21 if supporting explicit SSL), and outbound traffic from port 989 (and port 20 for explicit SSL).
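
The settings from the explicit SSL answer and from this NAT answer can be checked mechanically before the Wrapper is restarted. The script below is an added example, not Glub Tech code; conf_get and lint_wrapper_conf are hypothetical helper names and the sample address is constructed. It assumes plain KEY=value lines and treats two unset interface keys as the same interface, since the defaults are not stated on this page.

```shell
#!/bin/sh
# Added example, not Glub Tech code. Assumes plain KEY=value lines and treats
# two unset interface keys as "same interface" (the defaults are not on the page).

conf_get() {  # conf_get FILE KEY: last value assigned to KEY, empty if unset
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

lint_wrapper_conf() {  # prints findings; exit status is the number of findings
    conf=$1 n=0
    eport=$(conf_get "$conf" ExplicitSSLPort)
    if [ -n "$eport" ]; then
        # A shared port is only valid when the two sides bind different interfaces.
        if [ "$eport" = "$(conf_get "$conf" DestPort)" ] &&
           [ "$(conf_get "$conf" DestInterface)" = "$(conf_get "$conf" SSLInterface)" ]; then
            echo "error: ExplicitSSLPort=$eport and DestPort share one interface"
            n=$((n + 1))
        fi
        # EncryptCommand=1 is what makes AUTH SSL mandatory before USER.
        if [ "$(conf_get "$conf" EncryptCommand)" != 1 ]; then
            echo "warn: EncryptCommand=1 not set, USER may arrive before AUTH SSL"
            n=$((n + 1))
        fi
    fi
    range=$(conf_get "$conf" PassivePortRange)
    if [ -n "$range" ]; then
        if ! printf '%s\n' "$range" | grep -Eq '^[0-9]+-[0-9]+$'; then
            echo "error: PassivePortRange=$range is not <low port>-<high port>"
            n=$((n + 1))
        elif [ $(( ${range#*-} - ${range%-*} + 1 )) -lt 100 ]; then
            echo "warn: PassivePortRange=$range is smaller than 100 ports"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed sample: the recommended layout, but without EncryptCommand and
# with a 50-port passive range. Expect two warnings.
sample=$(mktemp)
printf '%s\n' 'DestInterface=127.0.0.1' 'DestPort=21' 'SSLInterface=192.0.2.10' \
    'ExplicitSSLPort=21' 'PassivePortRange=3000-3049' > "$sample"
lint_wrapper_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```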
 

Copyright (c) 1993-2008 - Glub Tech, Inc. - All Rights Reserved.