Cerberus FTP Server
Total Page:16
File Type:pdf, Size:1020Kb
V.11 Cerberus, LLC Cerberus FTP Server User Manual Detailed steps and help on configuring Cerberus FTP Server. CONTENTS 1.0 Introduction 14 1.1 Description 14 1.2 Guide 14 2.0 Minimum System Requirements 15 2.1 Hardware Requirements 15 2.2 Operating Systems 15 2.2.1 Cerberus FTP Server 10.0 15 3.0 Installation 16 4.0 Upgrading an Existing Installation 19 4.1 Method 1: Using the Auto-updater 19 4.2 Method 2: Manually downloading and running the latest Installer 20 5.0 Getting Started - Initial Setup Wizard 21 5.1 The Wizard 21 5.1.1 Step 1 - Licensing 21 5.1.2 Step 2 - Initial User Creation 22 5.1.3 Step 3 - Network Setup 23 5.1.3.1 Public IP Auto-detection for Passive Mode FTP 23 5.1.4 Step 4 – Security 24 5.1.4.1 Web Administration Password 25 5.1.5.2 Protocol Security 25 5.1.5.3 Final Steps 25 6.0 Getting Started - Network Setup 26 6.1 Basic Setup so users can connect from the Internet 26 6.1.1. Step 1 - Control Connection 26 6.1.2 Step 2 - Passive Mode 26 6.1.3 Step 3 - Firewall 26 7.0 How many types of FTP are there? 27 7.1 Controlling what types of FTP are Allowed 27 7.1.1 Restricting FTP connections at the User level 27 7.1.2 Restricting FTP connections at the Listener level 28 8.0 SSH2 SFTP Setup 29 8.1 About SSH SFTP Support in Cerberus FTP Server 29 8.2 Supported SSH2 Key Exchange Methods 29 8.3 Supported SSH2 Ciphers 29 8.4 Supported SSH2 MAC Algorithms 30 8.5 Adding an SSH2 SFTP Listener 30 8.6 Allowing SSH2 SFTP Connections through a Firewall 30 8.7 Enabling or Disabling Existing SFTP Listeners 30 9.0 Configuring the Server 31 9.1 Allowing External Access to your Server 31 9.1.1 The control connection 31 9.1.2 The data connection 31 9.2 Common Network Configurations 32 9.2.1 Configuration 1: Your computer is connected directly to the Internet 32 9.2.2 Configuration 2: Your computer is connected to a router, and the router is connected to the Internet 32 10.0 The Summary View 34 10.1 Understanding the Summary View 34 10.2 Common System Messages 34 10.2.1 “FTP Listener X can allow unencrypted control or data connections” 35 10.2.2 “HTTP Listener X only accepts unencrypted connections” 35 10.2.3 “HIPAA Non-compliance: One or more listeners allows non-encrypted traffic” 35 10.2.4 “FXP is enabled and could leave the server vulnerable to an FTP bounce attack” 36 10.2.5 “Server is configured to allow FTP data connection to reserved ports” 36 10.2.6 “You should set a Remote Access password” 36 11.0 The User Manager 37 11.1 About Cerberus FTP Server Authentication 37 11.2 Adding a new user 37 11.3 Configuring a user for SSH Public Key Authentication 40 11.4 The Virtual Directory System 41 11.5 Simple Virtual Directory mode 41 11.6 Standard Virtual Directory mode 41 11.6.1 A Virtual Directory Mode Example 41 11.6.2 Variables that can appear in Virtual Directory Names and Paths 42 11.7 Adding a virtual directory to a user account 42 11.8 Virtual Directory Permissions 43 12.0 Cerberus Group Accounts 44 12.1 About Groups 44 12.2 Overriding Group settings for a User 45 12.3 Adding a new group 45 13.0 User Policy Settings 47 13.1 Password Complexity Requirements 47 13.2 Password Change Policy 48 13.3 Password History 49 13.4 Authentication Order 49 13.5 Authentication Requirements 50 14.0 General Settings 52 14.1 Configuring General Settings 52 14.2 General 53 14.3 Network 53 14.4 Notification 54 15.0 Protocol Settings 55 15.1 FTP/S Settings 56 15.1.1 PASV Port Range 56 15.1.2 Advanced FTP/S Settings 56 15.1.2.1 FTP Directory Listing Time Format 56 15.1.2.2 FTP MDTM Time Format 56 15.1.2.3 FTP Compression 57 15.1.2.4 FTP Miscellaneous 57 15.2 SSH SFTP Settings 58 15.3 Advanced SSH Settings 58 15.4 HTTP/S Settings 58 16.0 Configuring Logging Support 60 16.1 Auditing 60 16.2 Log File Location 60 16.2.1 On Windows Vista, Windows 2008 and above 60 16.2.2 On Windows 2003, XP, and 2000 60 16.3 Configuring Logging 60 16.3.1 Example Syslog log4j.xml Configuration File 62 16.3.2 Example Daily Rollover log4j.xml Configuration File 62 16.3.3 Log File Location and Naming 63 16.4 Screen Logging Settings 63 16.4.1 Root Log Level 63 16.4.2 Syslog Support 65 17.0 Interface Settings 66 17.1 Configuring Interface Settings 66 17.2 Types of Listeners 67 17.3 Adding a New Interface Listener 67 17.4 Interface Settings 68 17.5 The "Default" Interfaces 70 17.6 Interface Status Controls 70 17.7 The HTTP/S Web Client 71 17.8 Security 71 17.8.1 Additional Web Client features include: 71 17.9 Public File Sharing 72 17.10 Emailing a link to a Public File 72 17.12 Adding an HTTP/S Listener 73 17.13 Web Client Customizations 74 17.13.1 Changing the Company Logo and Login Image 74 17.13.2 Changing the Login Welcome Message 75 17.13.3 Custom Web Client Themes 75 17.13.4 Further Web Client Customizations 75 18.0 Web Account Requests 76 18.1 Allowing Users to Request Accounts through the Web 76 18.1.1 Requesting a New Account 76 18.1.2 Enabling or Disabling Account Requests 77 18.2 Approving or Denying Account Requests 77 19.0 Security Settings 79 19.1 Configuring Security Settings 79 19.1.1 Digital Certificate Support 79 19.1.2 About Certificate Authorities 79 19.3 TLS/SSL Security 80 19.3.1 General 80 19.3.2 Advanced TLS Options 82 19.3.3 DUO 2FA 83 Setting up DUO in Cerberus 84 19.3.4 Client Verification 85 19.5 DSA Certificates and Ephemeral Diffie-Hellman Keys 86 19.6 Elliptic Curve SSH Support 86 20.0 Remote Settings 87 20.1 Configuring Remote Settings 87 20.1.1 General SOAP Settings 88 20.1.2 SOAP TLS Settings 89 20.1.3 Administrator Accounts 89 20.1.4 Secondary Web Administration Accounts 90 21.0 Setting up a Database for Statistics 91 21.1 Installing Microsoft SQL Server 2012 LocalDB 92 21.1.1 For the 64-bit version of Cerberus FTP Server: 92 21.1.2 For the 32-bit version of Cerberus FTP Server: 92 21.2 Selecting a Database 92 21.3 Database Backup and Restore 93 22.0 Advanced Settings 94 22.1 Configuring Advanced Settings 94 22.1.1 Send and Receive Buffers 94 22.1.2 Interface Advanced Settings 95 22.1.3 Advanced Windows Settings 95 23.0 The IP Manager 96 23.1 General Settings 96 23.1.1 Adding a single IP address to the IP manager policy 97 23.1.2 Adding a range of IP addresses to the IP manager policy 97 23.1.2.1 CIDR Support 97 23.1.3 Deleting an IP addresses from the current policy 97 23.1.4 Searching for an IP Address 97 23.2 The "Auto-Blocking" page 97 23.2.1 Immediately Ban these Users 99 23.2.2 Differences in Auto-blocking between Allow and Deny mode 99 24.0 The Event Manager 100 24.1 About Event Rules 100 24.2 The Event Targets page 100 24.2.1 Available Target Types 101 24.2.1.1 SMTP Server Targets 101 24.2.1.2 Executable Targets 101 24.2.1.3 HTTP Post Targets 102 24.2.2 Adding a New Event Target 102 24.2.3 Modifying an existing event target. 102 24.3 The Rules page 102 24.4 Editing a Rule 102 24.4.1 Available Event Rule Types 103 24.4.2 Adding a New Rule or Editing an Existing Rule 105 24.4.2.1 To add a new rule: 105 24.4.2.2 To edit an existing rule: 105 24.4.3 Changing the Name of a Rule 105 24.5 Adding Rule Conditions 105 24.5.1 Rule Matching Modes 105 24.5.2 Rule Variables 106 24.5.2 Comparison Operations 106 24.5.3 Deleting an Event Condition 106 24.6 Rule Actions 106 24.6.1 Adding Rule Actions 107 24.6.2 To add a new Action to a Rule: 107 24.6.3 Editing an Existing Rule Action 108 24.6.4 Deleting an Existing Rule Action 108 24.6.5 Changing the order an action is executed 108 24.6.6 Creating a Failure Action 108 24.6.6.1 Removing a failure action 109 24.7 Event Tasks 109 24.8 Adding a schedule to an Event Task 109 25.0 Adding and editing Event Task Actions 110 26.0 Folder Monitors 110 26.1 Other Event Settings 110 27.0 The Report Manager 111 27.1 Generating a Report 112 27.1.1 File Access Reports 113 28.0 Localization 114 29.0 LDAP Authentication 115 28.1 Default Virtual Directory Mapping for LDAP Users 117 29.1 Setting up Active Directory Authentication using LDAP 119 29.2 LDAP User to Cerberus Group Mapping 121 29.2.1 Creating an LDAP User to Cerberus Group Mapping 121 29.2.2 Removing an LDAP mapping 122 29.3 LDAP User Two Factor Authentication Control 122 30.0 Active Directory Authentication 122 30.1 About Active Directory Integration 122 30.2 Default Virtual Directory Mapping for AD Users 124 30.2.1 Active Directory FTP Security Group 126 30.3 Authenticating Against more than one Active Directory Domain 126 30.4 Understanding Windows Authentication 126 30.4.1 The "Guest" Account 126 30.5 Active Directory User to Cerberus Group Mapping 126 30.5.1 Creating an AD User to Cerberus Group Mapping 127 30.5.2 Creating an AD Group to Cerberus Group Mapping 127 30.5.3 Removing an AD mapping 128 30.6 Domain Controller Bind Options 128 30.7 AD User Two Factor Authentication Control 129 31.0 Entering a license for Cerberus FTP Server 130 31.1 The Registration dialog box 130 32.0 The Synchronization Manager 132 32.1 Backup Server Requirements 133 32.2 Available Settings 134 32.2.1 Backup Server 134 32.2.2 Synchronization Settings 134 33.0 Server Certificates 134 33.1 What is a Server Certificate? 135 33.2 Can I just use a Self-Signed Certificate? 135 33.3 More Information 135 34.0 Certificate Signing Request 136 34.1 Creating a Certificate Signing Request 136 34.2 Submitting your CSR to a Certificate Authority 137 34.3 Assigning your Certificate and Private Key in Cerberus FTP Server 137 35.0 Installing a Digital Certificate 138 35.1 Digital Certificate Support 138 35.2 Creating a Self-Signed Certificate 138 35.2.1 Steps to Create a Self-Signed Certificate: 138 35.3 Using a Certificate created by a 3rd Party Certificate Authority 140 35.3.1