SFTP

SFTP is a secure file-transfer protocol built on SSH that USP can proxy between external partners and internal servers. When acting as an SFTP reverse proxy, USP breaks the SSH session in the DMZ, optionally authenticates the partner, and establishes a new outbound SSH/SFTP session to the internal target.

Both inbound and outbound connections use SSH security and key validation, so that both servers and clients are authenticated while standard SFTP command and file-transfer behavior is preserved.

Connection Flow

  1. An external client initiates an SFTP connection to the Listener's port on the USP Server.
  2. USP evaluates the incoming connection against the Listener's associated Route and selects the appropriate Inbound Node based on peer address and priority. If no Inbound Node matches, the connection is rejected.
  3. USP presents its Host Private Key; the partner's client verifies the server's host identity.
  4. USP authenticates client credentials (password, public key, password and/or public key).
  5. After authentication succeeds, USP creates a new SSH/SFTP session to the internal server using the configuration defined in the Outbound Node.
  6. USP authenticates to the internal target, either passing through the credentials presented by the partner or using a different set of credentials.
  7. Once both sessions are established, USP links the inbound and outbound SFTP control channels.
  8. The external client interacts with USP as if it were the internal SFTP server.
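The following is an added example, not code from the USP product, that models the two decisions in steps 2 and 3 that a proxy operator most often needs to reason about: which Inbound Node a partner connection is matched to, and whether a presented SSH host key matches the one pinned for a target. The `InboundNode` fields, the Route list and the "lower priority number wins" ordering are assumptions of this example, as are the constructed addresses and the constructed host-key blob; the fingerprint format follows the OpenSSH `SHA256:` convention.

```python
import base64
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class InboundNode:
    """Assumed shape of an Inbound Node: a peer network plus a priority."""
    name: str
    peer_network: str   # CIDR the partner must connect from
    priority: int       # assumption: the lowest number wins when several nodes match


# Constructed Route: two partner ranges plus a narrower override inside one of them.
ROUTE: List[InboundNode] = [
    InboundNode("partner-a", "203.0.113.0/24", priority=20),
    InboundNode("partner-a-ops", "203.0.113.0/28", priority=10),
    InboundNode("partner-b", "2001:db8:1::/48", priority=20),
]


def select_inbound_node(route: List[InboundNode], peer_ip: str) -> Optional[InboundNode]:
    """Step 2: pick the best-priority node whose peer network contains the peer address.

    Returns None when nothing matches, which is the 'reject the connection' outcome.
    """
    peer = ipaddress.ip_address(peer_ip)
    # ipaddress returns False for a v4 address tested against a v6 network (and vice versa).
    matches = [n for n in route
               if peer in ipaddress.ip_network(n.peer_network, strict=False)]
    if not matches:
        return None
    return min(matches, key=lambda n: n.priority)


def host_key_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(raw key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(presented_key_blob: bytes, pinned_fingerprint: str) -> bool:
    """Host key verification for either direction: compare against a pinned fingerprint.

    Constant-time comparison avoids leaking how many leading characters matched.
    """
    return hmac.compare_digest(host_key_fingerprint(presented_key_blob), pinned_fingerprint)


# Constructed stand-in for the internal target's host public key and its pinned fingerprint.
INTERNAL_TARGET_KEY = b"constructed-internal-target-host-key-blob"
PINNED_INTERNAL_FINGERPRINT = host_key_fingerprint(INTERNAL_TARGET_KEY)


if __name__ == "__main__":
    for peer in ("203.0.113.5", "203.0.113.200", "2001:db8:1::10", "198.51.100.9"):
        node = select_inbound_node(ROUTE, peer)
        print(peer, "->", node.name if node else "REJECTED (no Inbound Node matches)")
    print("target host key ok:", verify_host_key(INTERNAL_TARGET_KEY, PINNED_INTERNAL_FINGERPRINT))
    print("forged host key ok:", verify_host_key(b"some-other-key", PINNED_INTERNAL_FINGERPRINT))
```

The narrower `/28` node wins for `203.0.113.5` only because of its better priority, not because it is more specific; if two overlapping nodes are given the same priority the tie-break is whichever appears first, so give overlapping nodes distinct priorities when you define a Route.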

Authentication

SFTP authentication operates at two layers:

  1. Transport layer, where USP establishes a secure SSH channel and host identities are verified. See Inbound and Outbound Host Key Verification.
  2. Protocol layer, where partners authenticate using standard SFTP commands. See Partner Authentication to USP and the Internal Target.

Inbound and Outbound Host Key Verification

USP verifies SSH host identities on both inbound and outbound SFTP connections, ensuring that both the partner and the internal target are fully authenticated at the SSH layer.

For more information, refer to Authentication in SFTP.

Partner Authentication to USP and the Internal Target

Partner authentication applies both to the inbound SFTP connection to USP and to the outbound connection to the internal target.

SFTP supports multiple authentication methods at the SSH layer:

  • Password: Only password-based authentication is accepted.
  • Public Key: Only SSH key-based authentication is accepted.
  • Password or Public Key: Either password-based or SSH key-based authentication is accepted.
  • Password and Public Key: Both password-based and SSH key-based authentication are required.

When Authentication at the Proxy is enabled, USP validates the partner's credentials using the configured Inbound Authentication Source (Account Repository or LDAP), according to the authentication method defined in the SFTP Rule.

After this optional inbound authentication, USP can either forward the partner's username and password to the internal target (Passthrough Credentials) or authenticate to the target using credentials explicitly configured in the SFTP Rule (Dedicated Credentials), such as an outbound private key or stored password.
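The four authentication methods listed above and the Passthrough versus Dedicated credential choice can be expressed as a small policy. The block below is an added example and not USP's own code: the Account Repository, the PBKDF2 password verifier, the rule dictionary keys (`outbound_username`, `outbound_private_key`) and the partner credentials are all constructed for the example. Both the password check and the key check always run, so an unknown username costs the same as a wrong password.

```python
import hashlib
import hmac
from enum import Enum
from typing import Dict, Optional


class AuthMethod(Enum):
    """The four SSH-layer methods an SFTP Rule can require."""
    PASSWORD = "password"
    PUBLIC_KEY = "publickey"
    PASSWORD_OR_PUBLIC_KEY = "password_or_publickey"
    PASSWORD_AND_PUBLIC_KEY = "password_and_publickey"


def _verifier(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so the repository never stores a reusable secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed stand-in for the Inbound Authentication Source (Account Repository).
_SALT = b"constructed-salt-partner-a"
ACCOUNT_REPOSITORY: Dict[str, dict] = {
    "partner-a": {
        "salt": _SALT,
        "password_verifier": _verifier("correct horse battery staple", _SALT),
        "authorized_key_fingerprints": {"SHA256:constructed-fingerprint-A"},
    },
}


def password_ok(username: str, password: Optional[str]) -> bool:
    acct = ACCOUNT_REPOSITORY.get(username)
    if acct is None or password is None:
        return False
    return hmac.compare_digest(_verifier(password, acct["salt"]), acct["password_verifier"])


def public_key_ok(username: str, key_fingerprint: Optional[str]) -> bool:
    acct = ACCOUNT_REPOSITORY.get(username)
    if acct is None or key_fingerprint is None:
        return False
    return key_fingerprint in acct["authorized_key_fingerprints"]


def authenticate_partner(method: AuthMethod, username: str,
                         password: Optional[str] = None,
                         key_fingerprint: Optional[str] = None) -> bool:
    """Authentication at the Proxy: apply the Rule's method to what the partner presented."""
    pw = password_ok(username, password)        # evaluated unconditionally, see lead-in
    pk = public_key_ok(username, key_fingerprint)
    if method is AuthMethod.PASSWORD:
        return pw
    if method is AuthMethod.PUBLIC_KEY:
        return pk
    if method is AuthMethod.PASSWORD_OR_PUBLIC_KEY:
        return pw or pk
    if method is AuthMethod.PASSWORD_AND_PUBLIC_KEY:
        return pw and pk
    raise ValueError(f"unknown authentication method: {method}")


# Constructed SFTP Rule with Dedicated Credentials for the internal target.
RULE = {
    "outbound_username": "svc-sftp-proxy",
    "outbound_private_key": "/placeholder/path/to/outbound_key",   # placeholder path
}


def outbound_credentials(mode: str, rule: dict, username: str,
                         password: Optional[str]) -> dict:
    """Build what the outbound session authenticates with.

    'passthrough' forwards the partner's username and password; 'dedicated' uses the
    credentials configured in the Rule and never exposes the partner's secret downstream.
    """
    if mode == "passthrough":
        return {"username": username, "password": password}
    if mode == "dedicated":
        return {"username": rule["outbound_username"],
                "private_key_path": rule["outbound_private_key"]}
    raise ValueError(f"unknown credential mode: {mode}")
```

With Dedicated Credentials the partner's password is never needed past the proxy, so a Rule that combines `PUBLIC_KEY` at the proxy with a dedicated outbound key keeps no partner password in the flow at all; Passthrough Credentials, by contrast, only works for password-based partners, because a partner's private key never leaves the partner's client.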

For more information, refer to Rules.