HOWTO: Getting Started with BulletProof FTP Server

Thank you for your interest in BulletProof FTP Server.

Below is a list of HOWTO articles that have been written over the years to help customers get up and running with BulletProof FTP Server.
Note: Some of the screenshots show older versions of the software. The UI hasn’t changed much between versions, but you might find some of the buttons labeled differently from what appears in the screenshots.

  • Download, Install and Adding First User
  • Opening Your Firewall
  • Licensing
  • Upgrading
  • Windows System Service

    Download, Install and Adding First User

    HOWTO: Downloading BPFTP Server 2010
    http://blog.builtbp.com/2010/09/howto-downloading-bpftp-server-2010/

    HOWTO: Installing BPFTP Server 2010
    http://blog.builtbp.com/2010/09/howto-installing-bpftp-server-2010/

    HOWTO: Adding a User
    http://blog.builtbp.com/2010/09/howto-adding-a-user/

     

    Opening Your Firewall

    It’s VERY common for people to think that only one port is needed for FTP (default: tcp/ip 21). However, this is not true.

    FTP requires at least two ports: a control-port (used to login and issue commands, default tcp/ip 21) and a data-port (default tcp/ip 30000 to 30100). One data-port is needed for every concurrent data-connection; for this reason we suggest using a range of 100 ports, which will handle most needs.

    HOWTO: Windows Firewall and BPFTP Server 2011
    http://blog.builtbp.com/2011/06/windows-firewall-and-bulletproof-ftp-server/

    HOWTO: Windows Firewall
    http://blog.builtbp.com/2010/09/howto-windows-firewall/

    HOWTO: Setting up NAT/Passive/Firewall Support
    http://blog.builtbp.com/2010/09/howto-setting-up-natpassivefirewall-support/

     

    Licensing

    HOWTO: Enter Your Subscription-Code
    http://blog.builtbp.com/2013/05/howto-enter-your-subscription-code/

    HOWTO: Purchase an Upgrade to your License
    http://blog.builtbp.com/2014/02/howto-purchase-an-upgrade-to-your-license/

    HOWTO: Remove Your License-Code
    http://blog.builtbp.com/2013/05/howto-remove-your-license-code/

     

    Upgrading

    FAQ: Can I Upgrade and retain all my Users, Groups and Settings?
    http://blog.builtbp.com/2011/12/faq-can-i-upgrade-and-retail-all-my-users-groups-and-settings/

    FAQ: Where does BPFTP Server store the Users, Groups and Settings?
    http://blog.builtbp.com/2011/12/faq-where-does-bpftp-server-store-the-users-groups-and-settings/

    HOWTO: Overriding the Storage-Path for Settings, Users and Groups
    http://blog.builtbp.com/2011/10/howto-override-storage-path-for-settings-users-and-groups/

     

    Windows System Service

    HOWTO: Windows System-Service
    http://blog.builtbp.com/2011/09/howto-windows-system-service/

     

    FTP Protocols and URLs

    Protocol        Ports Used     Web Browser Support?   Encrypted?   Example
    FTP             21 (+pasv)     YES                    NO           ftp://myhost.mydomain.com
    FTPS Implicit   990 (+pasv)    NO                     YES          ftps://myhost.mydomain.com:990
    FTPS Explicit   21 (+pasv)     NO                     YES          ftpes://myhost.mydomain.com
    SFTP            22             NO                     YES          sftp://myhost.mydomain.com

    FTPS Implicit: Implicit-Mode is FTP over TLS/SSL and was the first method of encrypting FTP. It moves the control-port to 990, where it "implicitly" requires TLS/SSL to be used. Largely replaced by FTPS Explicit.
    FTPS Explicit: Explicit is FTP over TLS/SSL and allows the ftp-client to turn on encryption at login via the standard control-port tcp/ip 21. Once encryption is enabled (before login), everything communicated will be sent via TLS/SSL.
    SFTP: SFTP is FTP over SSH and is an extension of an SSH Server to allow for file-transfers. Considered a staple in the Unix/Linux world, and operating almost identically to "SCP", this protocol is considered industry standard for encrypted FTP.
    +PASV: In addition to the main port used to login and issue commands, you *must* define and port-forward the data-ports for any ftp-server on the internet and/or operating from behind a firewall. By default, the software is configured to use tcp/ip ports 30000 to 30100. These ports are used to communicate directory-listings and transfer files.

    Firewall Ports

    Service        TCP/IP Port      Description
    FTP            21               Initial port used for FTP, used for connecting, logging in and issuing commands
    FTP and FTPS   30000 to 30100   Data-Ports used for Data-Connections (directory-listings and file-transfers). These ports *MUST* be opened and port-forwarded in order to offer FTP to clients on the internet
    FTPS           21, 990          Explicit vs Implicit Mode. These two ports are used for connecting, logging in and issuing commands.
    SFTP           22               Standard SSH port, used for all communication (does not need PASV)
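
    A check for the +PASV requirement above, as an added example (not part of BulletProof FTP Server or of the original article): it parses the server's standard "227 Entering Passive Mode" reply (RFC 959) and flags a data-port outside the forwarded range 30000 to 30100, or a private address that clients on the internet cannot reach. The sample replies and the function names are constructed for illustration.

```python
import ipaddress
import re

# Range the page gives as the product default for passive data-ports.
PASV_RANGE = range(30000, 30101)
# RFC 1918 private networks: unreachable for clients on the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    # The last two numbers are the high and low byte of the data-port.
    return ip, nums[4] * 256 + nums[5]


def check_pasv(reply, port_range=PASV_RANGE):
    """List the problems a client on the internet would hit with this reply."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a valid 227 passive-mode reply"]
    ip, port = parsed
    problems = []
    if any(ip in net for net in PRIVATE_NETS):
        problems.append(f"advertises private address {ip}")
    if port not in port_range:
        problems.append(f"data-port {port} is outside the forwarded range")
    return problems


# Constructed sample replies (documentation and private addresses).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,117,48)",    # port 30000
    "227 Entering Passive Mode (192,168,0,10,117,148)",   # port 30100
    "227 Entering Passive Mode (203,0,113,10,195,80)",    # port 50000
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line) or "ok")
```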

    HOWTO: Enable SFTP for User Account

    As of version 2018.0.0.40, BulletProof FTP Server supports SFTP aka FTP over SSH in the Secure Edition of the product.

    Enabling SFTP for a given User-Account simply requires toggling the feature on for the user-account and specifying the authentication method. Authentication can be via Public-Key, Password or both. Optionally, you can specify that the authentication must happen via the keyboard.

    Turn on SFTP for User-Account
    Optional: Enable Password Authentication
    Optional: Enable Public-Key Authentication (Recommended)

    HOWTO: Enable SFTP for FTP Server

    As of version 2018.0.0.40, BulletProof FTP Server supports SFTP aka FTP over SSH in the Secure Edition of the product.

    Enabling SFTP is very simple and only requires a Private-Key. The Private-Key can be loaded from a file or from text which has been copied and pasted into the software (NOTE: text keys will be stored encrypted in the software).

    Enable SFTP for the FTP Server
    Generate Private-Key
    Assigned Private-Key

    HOWTO: Enter License-Code from Command-Line

    In some Windows configurations, it might be necessary to enter the license-code via the command-line, specifically on Windows Server where “Internet Explorer Enhanced Security” (IE ESC) is turned on. When IE ESC is turned on, you’ll need to turn it off; this is because the dialog-box that appears for entering your registration code uses the IE WebKit and, as a result, the links won’t work correctly.

    However, you don’t have to disable IE ESC; you can also enter the license-code via the command-line:


    1) Start -> Run -> "cmd" (enter)
    2) c:
    3) cd "C:\Program Files (x86)\BulletProof FTP Server"
    4) Working with a license-code that looks like...

    Name:John Doe
    Key:00012X-8d7DJF2-6F323F-JVQBUA-8DJF3F-28RR4E-02Z6PC-ZXG37G-QBFDH2-NPDPBM-9XS9D9-MPH56G

    Enter the following command:

    bpftpserver.exe QUIETREGISTER John Doe 00012X-8d7DJF2-6F323F-JVQBUA-8DJF3F-28RR4E-02Z6PC-ZXG37G-QBFDH2-NPDPBM-9XS9D9-MPH56G

    FEATURE: IP-Based Access-Control: Server Wide

    – Navigate to Management -> Security -> IP Access Control-Lists
    – Right-click and choose “Add IP/ACL”
    PLEASE NOTE: All rules should be added as DENY rules (“-” minus sign). Entering an ALLOW rule (“+” plus sign) will override the default rule of “+*.*.*.*” and turn the IP/ACL into a whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Note that “Refuse IP Address Access” should be chosen.
    – Navigate to Server Monitor -> Log Watch
    In this example, you’ll see the DENY rule being made for “-54.153.69.28” and you’ll see the ftp-client disconnect and then attempt to reconnect again, only to be refused access.

    FEATURE: IP Based Access-Control for Users/Groups

    – Navigate to User/Group Manager -> Edit User/Group -> Restrictions
    – Right-click and choose “Add IP/ACL”
    PLEASE NOTE: All rules should be added as DENY rules (“-” minus sign). Entering an ALLOW rule (“+” plus sign) will override the default rule of “+*.*.*.*” and turn the IP/ACL into a whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Note that “Allow IP Address Access” should be chosen in order to restrict a user|group to a specific IP Address (aka whitelist).
    – Navigate to Server Monitor -> Log Watch
    In this example, you’ll see the ftp-client from “-54.153.69.28” is denied. This is because the IP/ACL was converted to a “whitelist” with a single ALLOW rule and “+192.168.0.*” does not match the incoming ftp-client.
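
    The two IP/ACL sections above, modelled as an added example (not BulletProof FTP Server's own code): it shows how a single ALLOW rule flips the list into a whitelist and reports which expected clients a rule set would refuse before you apply it. The rule syntax and the default "+*.*.*.*" come from the page; evaluating DENY rules before ALLOW rules, the function names and the client list are assumptions.

```python
# Model of the IP/ACL behaviour described on this page. Rule syntax
# ("-" deny, "+" allow, "*" wildcard octet) and the default "+*.*.*.*"
# come from the page; deny-before-allow ordering is an assumption.
DEFAULT_RULE = "+*.*.*.*"


def matches(pattern, ip):
    """Octet-wise match of an IPv4 address against a pattern like 192.168.0.*"""
    p, o = pattern.split("."), ip.split(".")
    return len(p) == len(o) == 4 and all(a in ("*", b) for a, b in zip(p, o))


def acl_mode(rules):
    """'whitelist' once any ALLOW rule exists, otherwise 'blacklist'."""
    return "whitelist" if any(r.startswith("+") for r in rules) else "blacklist"


def is_allowed(rules, ip):
    """True if the rule set would accept a connection from ip."""
    denies = [r[1:] for r in rules if r.startswith("-")]
    allows = [r[1:] for r in rules if r.startswith("+")]
    if any(matches(d, ip) for d in denies):
        return False
    if not allows:                      # no ALLOW rule: default stays in force
        allows = [DEFAULT_RULE[1:]]
    return any(matches(a, ip) for a in allows)


def locked_out(rules, expected_clients):
    """Clients you expect to serve that the rule set would refuse."""
    return [ip for ip in expected_clients if not is_allowed(rules, ip)]


# Constructed client list; 54.153.69.28 and 192.168.0.* are the page's examples.
CLIENTS = ["54.153.69.28", "192.168.0.20", "198.51.100.7"]

if __name__ == "__main__":
    for rules in (["-54.153.69.28"], ["+192.168.0.*"]):
        print(rules, acl_mode(rules), "refused:", locked_out(rules, CLIENTS))
```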