
Configuring Interfaces


Interfaces

An interface is simply an IP address that the FTP Server is listening on. It can be an IPv4 or IPv6 address. The "Default" interface represents the settings that will be applied for newly detected interfaces. There are several different parameters that each interface can have:

Interfaces page of the Server Manager

Types of Listeners

There are three types of listeners that you can add to an IP address: FTP listeners, FTPS listeners and SSH2 File Transfer Protocol (SFTP) listeners. The first two allow regular FTP as well as different forms of secure FTP, while the SSH2 SFTP listener is for establishing connections over the SFTP protocol (a completely different protocol from FTP, despite the similar name).

There are two types of secure FTP connections possible, FTPS and FTPES. FTPS is usually referred to as implicit FTP with TLS/SSL security. Its closest analog is HTTPS. It is basically the FTP protocol over a TLS/SSL secured connection. This form of secure FTP is deprecated but widely supported and still in use. This is what a Cerberus FTP Server FTPS listener is for, and this type of listener typically listens on port 990. Note that the settings "Require Secure Control" and "Require Secure Data" are meaningless for this type of listener: connections to an FTPS listener can only be established securely.

FTPES, which is often referred to as explicit FTP with TLS/SSL security, is a modification of the FTP protocol that starts out over an insecure, normal FTP connection and is then upgraded to a secure connection through FTP command extensions during login. This is the preferred method of secure FTP because it allows SPI firewalls to know that there is FTP traffic occurring on the connection. You establish FTPES sessions using a normal Cerberus FTP Server FTP listener, typically over port 21. Both unencrypted FTP and explicit TLS/SSL connections can be established to this type of listener. You cannot establish an implicit FTPS connection over this type of listener.

Adding a New Interface Listener

Cerberus FTP Server 4.0 and higher supports adding multiple listening interfaces for a given IP address. The only requirement is that the listener be on a unique IP/port combination. You can add an FTP, FTPS (for implicit secure FTP only), or an SSH2 SFTP listener.

Select the "plus" icon next to the interface list box to add a new interface. A new dialog box will appear to ask for the interface details (interface IP, type, and port combination). Selecting the "X" icon will prompt you to delete the selected interface listener.

Interface Settings

  • Listen Port - The port that this interface will listen on for the control connection
  • Max Connections - The maximum number of simultaneous connections that can connect to this interface
  • Require Secure Control - If enabled, only secure control connections will be allowed. This is required to protect passwords from compromise on unsecured networks.
  • Require Secure Data - If enabled, only secure data connections will be allowed. All directory listings and file transfers will be required to be encrypted.
  • Don't Use External IP for Passive connections
  • Passive Options
    • Auto Detect - If WAN IP auto detection is enabled then use the WAN IP for the PASV command, otherwise use the interface's IP.
    • Specify PASV IP - Allows the administrator to specify what IP address is returned in response to a PASV command
    • Use DNS service - Allows use of DNS names like www.cerberusftp.com. The address specified will be examined at regular intervals and the IP address that represents that DNS name will be used in PASV commands.
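The following check is an added example, not part of the Cerberus documentation. It verifies from the client side that an explicit FTP listener offers AUTH TLS and that "Require Secure Control" is actually enforced, meaning a plaintext USER command is refused. The function names and the placeholder user name `audit-probe` are assumptions; the probe never sends a password, and it is meant for explicit FTP listeners only, since an implicit FTPS listener sends no plaintext greeting.

```python
import socket

def read_reply(f):
    """Read one FTP reply, including multi-line '220-...' banners; return its code."""
    line = f.readline().decode("latin-1")
    if len(line) < 4 or not line[:3].isdigit():
        raise ConnectionError("no FTP reply (implicit FTPS listeners expect TLS first)")
    code = line[:3]
    if line[3] == "-":  # a multi-line reply ends at a line starting "<code> "
        while not line.startswith(code + " "):
            line = f.readline().decode("latin-1")
            if not line:
                raise ConnectionError("connection closed inside multi-line reply")
    return int(code)

def first_reply(host, port, command, timeout=5.0):
    """Open a fresh control connection, send one command, return the reply code."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rwb") as f:
            if read_reply(f) != 220:
                raise ConnectionError("listener did not greet with 220")
            f.write(command.encode("ascii") + b"\r\n")
            f.flush()
            return read_reply(f)

def audit_listener(host, port=21):
    """Report whether the listener offers explicit TLS and refuses plaintext login."""
    # Two separate connections: after a 234 reply the server expects a TLS
    # handshake, so no plaintext command can follow AUTH TLS on the same socket.
    user_code = first_reply(host, port, "USER audit-probe")  # placeholder name
    auth_code = first_reply(host, port, "AUTH TLS")
    return {
        # 234 is the RFC 4217 reply that accepts the requested security mechanism
        "auth_tls_offered": auth_code == 234,
        # A 2xx/3xx reply to a plaintext USER means login may proceed unencrypted
        "plaintext_login_refused": user_code >= 400,
    }
```

Call `audit_listener("<server address>", 21)` against your own server after changing the setting; `plaintext_login_refused` should be `True` when "Require Secure Control" is enabled.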

The "Default" interfaces

There is a Default interface for each type of listener (FTP, implicit FTPS or SFTP). When a new interface (IP address) is detected, that interface will receive an FTP, FTPS and SFTP listener, and each of those listeners will be assigned the values of the appropriate "Default" interface at the time of detection. For example, if the "Default FTP" interface was defined to be on port 21, then when a new interface is detected for the first time it will receive an FTP listener on port 21 with the values of the Default FTP interface. Those settings then become the settings for the newly detected interface. Note that the new interface's settings are not linked to the "Default" interface in any way. The "Default" interface simply represents the values that newly detected interfaces will be initialized with. Changing the values of the "Default" interface does not change any values on existing or previously detected interfaces.

For example, when you first install Cerberus FTP Server, the "Default FTP" interface is set to port 21 (the default FTP listening port) and all interfaces detected during that first start will receive FTP listeners with that port value. If you later change the "Default FTP" interface settings then that change will have no effect on existing interfaces.

It is also worth noting that Cerberus remembers the settings for interfaces that were previously detected but might have changed. For servers that have dynamic addresses that constantly change or cycle between a range of addresses, Cerberus will "remember" the old values and apply those instead of the "Default" settings if that interface address is later detected again.

Un-checking the box next to each Default interface will disable automatic listener activation for that interface type when a new interface is detected.
