FTP(S)

FTP(S) is a legacy file-transfer protocol that USP can securely proxy between external partners and internal servers. When acting as an FTP or FTPS reverse proxy, USP breaks the session in the DMZ, optionally authenticates the partner, and establishes a new outbound connection to the internal target.

FTPS connections add a TLS layer on both inbound and outbound legs, allowing USP to authenticate servers (and optionally clients) using certificates while preserving standard FTP command and data-channel behavior.

Connection Flow

  1. An external client initiates an FTP or FTPS connection to the Listener's port on the USP Server.
  2. USP evaluates the incoming connection against the Listener's associated Route and selects the appropriate Inbound Node based on peer address and priority. If no Inbound Node matches, the connection is rejected.
  3. For FTPS connections, USP can either:
    • Establish a standard one-way TLS connection where USP Server is authenticated.
    • Enforce mTLS, where both the USP Server and the partner are authenticated.
  4. If Authentication at the Proxy is enabled, USP authenticates the client credentials (username and password).
  5. After authentication succeeds, USP creates a new FTP(S) connection to the internal server using the configuration defined in the Outbound Node.
  6. If the internal target uses FTPS:
    • Establish a standard one-way TLS connection where the internal target is authenticated.
    • Enforce mTLS, where both the USP Server and the internal target are authenticated.
  7. USP authenticates to the internal target, either passing on the username and password presented by the partner or using a different set of credentials.
  8. Once both sessions are established, USP links the inbound and outbound FTP(S) control channels.
  9. The external client interacts with USP as if it were the internal FTP(S) server.

Authentication

FTP(S) authentication operates at two layers:

  1. TLS layer, where USP establishes a secure transport channel. See Inbound and Outbound TLS.
  2. Protocol layer, where partners authenticate using standard FTP(S) commands. See Partner Authentication to USP and the Internal Target.

Inbound and Outbound TLS

USP can use mTLS on both inbound and outbound FTPS connections, ensuring that both the partner's client and the internal target are fully authenticated at the TLS layer.

For more information, refer to Inbound and Outbound Authentication for FTP(S).

Partner Authentication to USP and the Internal Target

Partner authentication applies both to the inbound connection to USP and to the outbound connection to the internal target.

FTP(S) supports (and requires) a single authentication method:

  • Basic: The partner authenticates using a username and password sent with the standard FTP(S) authentication commands.

When Authentication at the Proxy is enabled, USP validates these credentials using the configured Inbound Authentication Source (Account Repository or LDAP).

After this optional inbound authentication, USP can either forward the partner's username and password to the internal target or use a different set of credentials explicitly configured in the FTP(S) Rule.

For more information, refer to Rules.
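The connection flow and the credential mapping described above, modelled as an added Python example. This is not USP code: the node and rule structures, the constructed account repository, the salt, the session class and the response strings are all assumptions made here for illustration. The model selects an Inbound Node by peer address and priority and rejects peers that match none, handles the partner's control-channel login at the proxy when Authentication at the Proxy is enabled, and produces the login USP would send on the outbound leg, either forwarding the partner's credentials or substituting those configured on the Rule.

```python
"""Simplified model of an FTP(S) reverse-proxy control channel (hypothetical, not USP code)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for the example: a real Account Repository salts per account.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    """Derive a verifier so the repository never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class InboundNode:
    name: str
    peer_cidr: str  # partner addresses this node accepts
    priority: int   # lower value wins when several nodes match


@dataclass
class Rule:
    authenticate_at_proxy: bool
    account_repository: dict                      # username -> password verifier
    outbound_credentials: Optional[tuple] = None  # (user, password) for the target; None forwards the partner's


def select_inbound_node(nodes, peer_ip):
    """Pick the best-priority Inbound Node whose CIDR contains the peer, or None (connection rejected)."""
    ip = ipaddress.ip_address(peer_ip)
    matches = [n for n in nodes if ip in ipaddress.ip_network(n.peer_cidr)]
    return min(matches, key=lambda n: n.priority) if matches else None


class ProxyControlSession:
    """Handles the inbound control channel up to the point where the outbound login is decided."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.tls = False
        self.user = None
        self.authenticated = False
        self.outbound_login = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() == "TLS":
            self.tls = True  # TLS layer negotiated (one-way or mTLS) before credentials are sent
            return "234 AUTH TLS successful"
        if verb == "USER":
            self.user = arg
            self.authenticated = False
            return "331 Password required"
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            if self.rule.authenticate_at_proxy:
                # Always derive the candidate so unknown and wrong-password users take similar time.
                candidate = hash_password(arg)
                stored = self.rule.account_repository.get(self.user)
                if stored is None or not hmac.compare_digest(stored, candidate):
                    self.user = None
                    return "530 Login incorrect"
            self.authenticated = True
            # Credential mapping toward the internal target: Rule credentials win, else forward the partner's.
            self.outbound_login = self.rule.outbound_credentials or (self.user, arg)
            return "230 Login successful"
        if not self.authenticated:
            return "530 Please login with USER and PASS"
        return "200 forwarded"  # model: later commands are relayed once the channels are linked

    def outbound_login_commands(self):
        """Commands the proxy would issue on the new outbound control channel."""
        if not self.authenticated:
            raise RuntimeError("partner not authenticated; no outbound session is created")
        user, password = self.outbound_login
        return [f"USER {user}", f"PASS {password}"]


if __name__ == "__main__":
    nodes = [InboundNode("partner-a", "203.0.113.0/24", 10),
             InboundNode("catch-all", "0.0.0.0/0", 100)]
    print(select_inbound_node(nodes, "203.0.113.7"))
    rule = Rule(True, {"alice": hash_password("s3cret")}, ("svc_ftp", "internal-pw"))
    session = ProxyControlSession(rule)
    for cmd in ["AUTH TLS", "USER alice", "PASS s3cret"]:
        print(cmd, "->", session.handle(cmd))
    print(session.outbound_login_commands())
```

Two points the model makes visible: a peer outside every Inbound Node's address range never reaches the login step, and a failed proxy-side login never creates an outbound session, so the internal target sees no traffic from partners USP has not accepted.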