SurgeFTP - Brilliant, standards compliant, FTP server

Server FAQ

No username & password prompt for the Web Admin? http://127.0.0.1:7021/

If you do not get the login username/password prompt in IE, go to Menu -> Tools, Security, click the Internet icon, click "Custom level", scroll to the bottom of the list, find User Authentication - Logon, and choose "Prompt for user name and password". Click OK, then OK on all the other windows you just opened.

How do I restart the server?

On NT, type in: net start SurgeFTP

On 95/98, type in: \windows\surgeftp.exe

On Unix, /usr/local/surgeftp/surgeftp_start.sh

Unfortunately, there is currently no way to start it remotely. You can run it in "stopped mode" where it does not accept FTP connections, but where you can continue to use the manager.

How do I get to the web manager?

If you are accessing the web admin tool over the internet, use https://your.ftp.server:9021, as that port is secure for sending the admin password. Ideally you should disable the http port 7021 for IPs other than 127.0.0.1, and change the 9021 port to something only you know of.

From a default install, use your web browser and type in a link like this: http://your.ftp.server:7021. If you are on the machine itself, this link should work: http://127.0.0.1:7021

Security implications of the web administration

The web admin tool allows complete control of the SurgeFTP configuration. As such, it could easily be used to gain access to anything on the file system, and thus it could be used to take control of a server. This is not a security fault as such, since the tool is intended to have this ability so that it can fully configure SurgeFTP. But you should be aware of this and take some precautions.

Make sure you set a good password for the web administration, and consider using the setting GLOBAL_ADMINIP to limit access to your local network or other trusted local networks!!!

How do I change the web manager password?

Create a DOS/SHELL window and type in:

       SurgeFTP -password

(See note above, consider setting GLOBAL_ADMINIP)

Where do I enter my registration key?

In the web manager, click on 'Register' at the top.

Why is the manager sluggish on Netscape & Win 2000?

This is a bug in Netscape. It steals all the CPU while waiting for a web page to arrive, and since the server is on the same system, the server responds slowly. You can fix it in Task Manager: set the priority for Netscape down to 'below normal' and suddenly it will work properly!

Concurrent user limits.

The number of concurrent users is Operating System dependent, and basically a matter of how many threads and file handles the operating system supports, without running too low. Here are the approximate figures...

Operating system       Concurrent FTP sessions
Windows NT/2K/XP       1,900
OSX                    1,900
FreeBSD                2,000
Linux                  2,000
Solaris 7, 8 & 9       100

Converting from standard unix FTP server.

When you install SurgeFTP, it allows normal user access to their home directory, defined by the system user database.
Although SurgeFTP can easily replace the standard unix FTP server, there are some differences you need to keep in mind, specifically:

  • SurgeFTP does not support executing programs that are in the path. (This feature is usually disabled anyway, as it is a security risk.)
  • It does not support auto compression of files to .Z. This feature is probably not very sensible anyway as it is more efficient to supply the files in compressed format rather than compress them for each user.

How can I access or share a mapped Windows Drive through SurgeFTP?

This is needed if you need to configure SurgeFTP to run as a particular user to access a network drive etc.

  • Click Start, point to Settings, and then click Control Panel.
  • Double-click Administrative Tools, and then double-click Local Security Policy.
  • Double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.
  • Double-click the user right you want to change, "Act as part of the operating system"
  • Click Add, and then click the accounts to which you want to assign the right.
  • Click OK, and then click OK again.

Why does WS_FTP Pro fail to connect in SSL/TLS mode?

The evaluation version of WS_FTP Pro is limited to 40 bit encryption, and is unable to negotiate a common cipher with SurgeFTP. This problem does not occur with the registered version of WS_FTP Pro. FTP Connections without SSL/TLS will work correctly.

Passive ports and SSL and NAT/peep holes.

When SSL is used, a smart router / NAT firewall that tries to 'spy' on the FTP protocol, automatically modifying the PASV command and creating peep holes for the FTP DATA channels, will fail, because it can't spy on SSL traffic (that's the whole idea of encryption, to make spying impossible :-)

If possible, turn off 'smart ftp' features in your NAT/router.

Create a 'class' in your SurgeFTP settings and manually set up the passive settings to be correct for outside your firewall:

passive_ipnumber "1.2.3.4"
passive_port "4021"
passive_port_max "4031"

Then in your NAT firewall, which in this case must have an external IP address of 1.2.3.4, map the incoming ports 4021...4031 to ports 4021...4031 on your FTP server.

Then as long as you do transfers in passive mode it will work.

 

Setting up SurgeFTP inside a NAT firewall for external access

There is a general problem with the FTP protocol and firewalls: FTP requires connections from the client to the server (passive mode) or from the server to the client (active mode), in addition to the 'control' connection. These extra connections are used to transfer the data or directory listing. The purpose of a firewall is to block all 'extra' ports, so a firewall often stops this from occurring. But don't panic, it can be fixed in most cases :-)

Here is what you must do/permit.

First, check that your server can connect to any port on any machine outside your firewall. Use 'telnet' to test this: from your SurgeFTP server, type in "telnet netwinsite.com 7110". You should get a single line response. If you don't, modify your firewall so it permits all outgoing connections from your FTP server and test again.

Second, to fix passive mode FTP you need to map some ports from your NAT box to your FTP server. Typically you will map a block of 10 ports, let's say from port 4021 to 4031; these should map from your external address to the same ports on your FTP server.

Once you have that mapping configured in your NAT router, tell SurgeFTP about it with a class setting like the one below. Let's assume your EXTERNAL IP address is 1.2.3.4 and you mapped ports 4021-4031.

You can make this class a special one that is only used for connections from your 'NAT' server, so that this mapping doesn't break local FTP transfers, e.g. if the internal address of your NAT box is 10.0.0.1:

class type="real" from="10.0.0.1" users="" groups="" name="" class_name=""
      passive_ipnumber "1.2.3.4"
      passive_port "4021"
      passive_port_max "4031"
      ...
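
As an added example (not part of the SurgeFTP documentation), this Python check parses the 227 reply an outside client receives in passive mode and confirms that the advertised address and port match the passive_ipnumber, passive_port and passive_port_max values used in the class settings above. The sample replies are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Example values from the class settings on this page.
PASSIVE_IP = "1.2.3.4"
PASSIVE_PORT = 4021
PASSIVE_PORT_MAX = 4031

_PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % reply)
    # The data port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, ip=PASSIVE_IP, lo=PASSIVE_PORT, hi=PASSIVE_PORT_MAX):
    """Return a list of problems with the address/port the server advertised."""
    got_ip, got_port = parse_pasv(reply)
    problems = []
    if got_ip != ip:
        # A private address here means the NAT class did not apply to this
        # connection, so outside clients are told to dial an internal host.
        private = ipaddress.ip_address(got_ip).is_private
        kind = "private" if private else "unexpected"
        problems.append("advertised %s address %s, expected %s"
                        % (kind, got_ip, ip))
    if not lo <= got_port <= hi:
        problems.append("port %d outside mapped range %d-%d"
                        % (got_port, lo, hi))
    return problems

# Constructed sample replies, as seen by a client outside the firewall.
SAMPLES = [
    "227 Entering Passive Mode (1,2,3,4,15,186)",   # port 4026, correct
    "227 Entering Passive Mode (10,0,0,5,15,186)",  # internal address leaked
    "227 Entering Passive Mode (1,2,3,4,19,136)",   # port 5000, not mapped
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_pasv(s) or "OK")
```

Run it against the reply captured from a client session started outside the NAT box; an empty result means the class settings and the port mapping agree.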