INSTALLATION
Automatic setup program makes installing the FTP Proxy on your
computer a simple and straightforward process.
If you are upgrading from an earlier version of the product, the Setup will automatically
uninstall the previous version before installing the new one.
The configuration data will be preserved.
Note: If you are installing the purchased copy over the evaluation copy (both version 1.4), the black list (if any) will not be preserved. Save the black list to an external blacklist (BLT) file and then restore it after the installation is complete. Refer to section Black List Editor for details.
Before You Begin
There are a few simple prerequisites to a successful setup. Please make sure that:
Your computer runs Windows NT/2000/XP/2003 Server operating system. The Trilent FTP Proxy is implemented as a Windows service, a part of the operating system. Therefore, it is not compatible with Windows 95/98/Me, as these systems do not support services. The product has been tested on Windows NT 4.0 SP6 or later.
You are a member of the Administrators group. The setup program needs to update Registry information. Depending on your system configuration, Windows may prevent the setup from modifying the Registry if you do not belong to the Administrators group. For information about user groups, please refer to the Windows help.
You have closed all Windows programs before running the setup. We strongly recommend this step. While not strictly required, it may save you much grief.
Your computer has a functioning connection to the Internet, which you have tested prior to installing the Trilent FTP Proxy. While the setup program does not require an Internet connection to complete successfully, it does require that the TCP/IP protocol and network interfaces are installed and properly configured on your computer. If you have a working FTP connection to the Internet, all of these details have already been taken care of.
Downloading the Trilent FTP Proxy
The evaluation copy of this product is distributed in the form of a self-extracting executable setup file. Its name is TrilentFtpProxyXX.exe, where XX is the version number. The file can be downloaded from TRILENT Networks Website and from many online shareware libraries.
Note: The download file for the purchased version of the product that is slightly different from the evaluation copy is TrilentFtpProxyXXp.exe. When you purchase the software, you will be given the opportunity to download this file.
| The Trilent FTP Proxy is guaranteed to be 100% free from any form of malware, including but not limited to: spyware, adware, trojans, viruses, and backdoors. |
The download file is protected from any modifications with a tamper-proof digital signature. A cryptographic certificate issued to TRILENT Networks by a certificate authority (VeriSign) protects the signature from forgery and verifies authenticity of the software.
When you download the program with the Microsoft® Internet Explorer, the following dialog box appears on the screen:
It verifies authenticity of the software and gives you confidence in the program integrity. Unmodified file means that there is no danger of viruses or other malware being added during the software distribution.
Running the Setup Program
Now you are ready to install Trilent FTP Proxy. The setup program is distributed in the form of a self-extracting executable file. Double-click on the file to start the installation wizard. The wizard will lead you through a few simple installation steps:
Read the End-User License Agreement. Trilent FTP Proxy is licensed software. You must read and accept the agreement before proceeding.
Choose installation options, such as program directory and the Start Menu folder (or accept defaults). Click on Finish. Installation proceeds automatically. If setup completed successfully, proceed to configuration (next section). In case of setup errors, please refer to the troubleshooting section.
Purchasing the Product
After installation, you can purchase the product from within its control panel applet. Click on the "About" tab of the applet. The screen will look like this:
Click on the "Purchase" button. A Web browser window will open with the online store for the Trilent FTP Proxy.
This is the preferred way of purchasing the program. It gives the credit for the purchase to the Website from which you downloaded your evaluation copy. That credit provides an incentive to software libraries for listing our products and results in an improved product availability to users.
Benefits of Purchasing:
- Free customer support.
- Free program upgrades for at least one year.
- Notification of program bugs/issues.
The purchased version of the product differs from this evaluation copy in minor details of the user interface (e.g. no "Purchase" button) and in licensing. After your purchase, you will be given opportunity to download the setup file for the purchased copy of the product. You can install it over this evaluation copy. All configuration settings will be preserved, except the server black list.
Note: The black list is not preserved. Before installing the purchased copy, save the black list to an external blacklist (BLT) file and then restore it after the installation is complete. Refer to section Black List Editor for details.
CONFIGURATION
After successful installation, the Trilent FTP Proxy
service is stopped. Before its first use it must be configured. The
configuration consists of simple steps shown below.
Setup automatically pre-configures the proxy by entering the
Gateway Host Data and default options.
We recommend you review the configuration before the first use.
You also need to obtain the
Evaluation License and
Start the Service manually.
If you are upgrading from an earlier version of the proxy, the Setup will preserve the configuration data, so there is no need to configure it again. However, we recommend you review the configuration before the first use of the new version.
If you are upgrading from an earlier version of the proxy, the Setup will preserve the configuration data, so there is no need to configure it again. However, we recommend you review the configuration before the first use of the new version.
The Trilent FTP Proxy service is configured through the
Control Panel applet. To open the applet, open the Control Panel
and click on the Trilent FTP Proxy icon (shown on the left.)
The applet opens on the Gateway Host page
that contains common configuration information.Get the Evaluation License
The Trilent FTP Proxy is a licensed program: it requires a license (registration code) in order to run. For evaluation purposes, you can obtain a free 30-day instant license. You can get the license from within the configuration applet (Internet connection is required). It is a simple, one-click process.
Click on the "About" tab of the control applet. The screen will look like this:
| Click on the "Get License" button. A progress bar appears and shows status of the connection to the license server. If there are no errors, you will see the message: "Temporary license successfully received." – the process is completed. You can now use the product. |
Note: The server may refuse to issue the license. A message will give the reason (e.g. "Your evaluation period has expired." or "This version is obsolete and is no longer supported").The instant license process (described above) requires Internet connection. If your computer is not connected to the Internet or the connection fails for any reason, the following dialog box will appear. (The error message you receive may be different from the one shown in this example.)
You have to obtain the license manually: Follow the link below (or copy and paste the following URL into your Web browser):
A license request form will appear. Enter the hardware ID of your computer into the request form and click on the "Send" button. Your evaluation license (registration code) will return instantly. The code looks like this:
20ACM8-110WRF-BJ51R8-BXNWTQ-Z7TVAN-TFKFYH-1D2AVN
To avoid mistakes and typos, copy and paste this code from the request form into the dialog box shown above. (You may need to click on the "Get License" button again for the dialog to reappear.) The "OK" button remains disabled until you enter a valid code. This license is only valid for the computer that has the hardware ID given, and will expire in 30 days.
The hardware ID (hardware fingerprint) is a hexadecimal number (e.g. 6143-8A97) that uniquely characterizes your computer. It is your computer's "fingerprint". This number is shown above the "Get License" button:
Enter the Gateway Host Data
Gateway host is the computer on which the Trilent FTP Proxy is installed. It is a gateway through which your internal network is connected to the Internet. Gateway hosts must have at least two network interfaces. One interface (the inside interface) is connected to the inside network while the other (the outside interface) is connected to the Internet. To learn more about gateways and interfaces, refer to the Application Note section.
Click on the "Gateway Host" tab of the control applet. The screen will look like this:
The screen contains configuration information that is common to both the FTP proxy and the reverse FTP proxy. It displays at-a-glance status of the service (at the bottom) and allows you to select the logging level. Four logging levels are provided that differ in the level of detail that is recorded in the Windows Event Log:
| Logging level: | Events recorded in the log: |
| Level 0 | All the fatal errors that result in termination of the Trilent FTP Proxy service. Warnings about abnormal termination of each FTP connection. |
| Level 1 | All of the above, plus warnings about the proxy refusal to connect FTP clients or servers based on access lists. |
| Level 2 | Currently not used - same as level 1. |
| Level 3 | All of the above, plus information about every FTP connection via proxy. |
Interface Addresses
The setup program automatically configures the proxy during installation by entering the correct IP addresses for the inside and outside interfaces of your computer. (Learn more about IP addresses here.) For computers with a single network interface, the Setup enters the data for Single-Computer Operation. We recommend you review the configuration before the first use.
If these fields are left blank, it means the setup could not reliably determine the correct interface addresses.
| You have to select the IP addresses from the drop-down list of all network interfaces detected on your computer. |
Note: Some network interfaces are implemented as user-level software that can be started manually. (Such is the case with the satellite Internet service and some DSL networks.) If these interfaces do not yet exist when the Setup is run, their IP addresses will not show in the drop-down list. You have to enter such IP addresses manually.The best way to obtain address information is to run the ipconfig program. Click on "Start" menu, click on "Run.." and type cmd. Click on "OK" button. The black command screen opens. Type ipconfig at the prompt and hit "Enter". The program output may look like this:
Windows 2000 IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.0.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter DSL Connection: Connection-specific DNS Suffix . : example.com IP Address. . . . . . . . . . . . : 139.12.0.17 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 139.12.0.1In this example, our gateway host has two interfaces. The inside (internal LAN) interface has the address 192.168.0.1. The outside interface (DSL connection to the Internet) has the address 139.12.0.17. The outside interface usually has a non-empty "Default Gateway" entry.
Configure the FTP Proxy
FTP Proxy handles FTP connections from clients located on your private, firewall-protected network to the FTP servers on the Internet.
Click on the "FTP Proxy" tab of the control applet. The screen will look like this:
Enter the following FTP proxy options:
- Enable FTP proxy - The FTP proxy operates independently
from the reverse FTP proxy and can be disabled
if it is not needed. Both proxies cannot be disabled at the same time.
When you try to disable the second proxy, you receive the following message:
- Use default port - The default port number for the FTP service is 21. It is recommended that you do not change the default port number without a strong reason to do so.
Click on the "FTP Options" button to enter protocol-specific options. The following dialog opens:
- Passive mode - Firewall-friendly mode of operation. The proxy
makes only passive data connections to servers. (Normally, it is hard to filter FTP
traffic using a firewall because the data connection is made to an arbitrary
port on a client computer. Passive data connections contribute to security
of firewalls by making it easier to develop effective filtering rules.)
- Allow sending data to a third party -
Under File Transfer Protocol rules, it is possible
to tell a server to send data to an arbitrary port of a third computer.
You may want to disallow such requests.
(This rule has been a source of much mischief on the Internet, while its
usefulness for a typical network operator is doubtful).
- Browser compatibility mode - For using the FTP proxy with Web browsers. This option enables the browser-compatible format of the USER command. It is safe to use (except in the most unusual cases) and is enabled by default.
The remainder of the screen is divided into three sections: client – proxy – server.
Client:
You can permit access to the FTP proxy to only specific (trusted) FTP clients (e.g. computers on your network), based on their IP addresses. Enter the network addresses (or address ranges) of computers permitted to connect to the proxy in the field "Permit client connections from these addresses:". The format of this entry is explained in the section Access Control. The format is checked for validity when you close the page (by clicking on another tab or on the "OK" button). If you make an error or leave the field empty, you receive the following message:
Proxy:
You can enter the FTP proxy port number (or chose default). The IP addresses of the proxy are shown here as read-only values. These are the addresses of the inside and outside interfaces of the Gateway Host. If you need to change them, click on "Gateway Host" tab.
Server:
You can deny connections to specific FTP servers, based on their IP addresses. Clicking on the "Edit Blacklist" button starts the Black List Editor that helps you create and maintain a "black list" (list of denied servers). Refer to the section Access Control for more details.
- Do not permit connection to servers on the black list - Allows you to disable the server address filtering without having to clear the current list.
Configure the Reverse FTP Proxy
Reverse proxy handles connections coming into the internal network from outside. It is used to make an internal FTP server on a private, firewall-protected network accessible from the Internet.
Click on the "Reverse Proxy" tab of the control applet. The screen will look like this:
Enter the following reverse FTP proxy options:
- Enable reverse proxy - The reverse proxy operates independently
from the (forward) FTP proxy and can be disabled if
it is not needed. If the reverse proxy is enabled, the server address field
must contain a valid IP address. Both proxies cannot be disabled at the same time.
When you try to disable the second proxy, you receive the following message:
- Use default ports - The default port number for the FTP service is 21.
It is recommended that you do not change the default
port numbers without a strong reason to do so.
- Enable standby server - The reverse proxy will connect to the secondary (standby) server if the primary server does not respond. If this option is enabled, the second server address field must contain a valid IP address.
The remainder of the screen is divided into three sections: client – proxy – server.
Client:
You can permit access to the reverse FTP proxy to only specific (trusted) FTP clients, based on their IP addresses. Enter the network addresses (or address ranges) of computers permitted to connect to the reverse proxy in the field "Permit client connections from these addresses:". The format of this entry is explained in the section Access Control. The format is checked for validity when you close the page (by clicking on another tab or on the "OK" button). If you make an error or leave the field empty, you receive the following message:
Reverse Proxy:
You can enter the reverse FTP proxy port number (or chose default). The IP addresses of the reverse proxy are shown here as read-only values. These are the addresses of the inside and outside interfaces of the Gateway Host. If you need to change them, click on "Gateway Host" tab. Please note that the reverse proxy, unlike the forward proxy, accepts connections coming from the outside.
Internal Servers:
Two FTP servers are supported: primary and backup (standby). Enter the port numbers of these servers (or chose default). Enter the IP addresses in the address fields. If the reverse proxy is enabled, the primary server address field cannot be left empty and must contain a valid IP address. The standby server address field must contain a valid IP address only if standby server is enabled. The format of IP addresses is checked for validity when you close the page (by clicking on another tab or on the "OK" button). If you make an error or leave a field empty, you receive the message shown above.
Access Control
The Trilent FTP Proxy 1.4 supports access control for both FTP clients and servers.
Limiting Client Access
You can limit access to the FTP service to specific FTP clients, based on their IP addresses. IP addresses, unlike computer names, do not depend on the domain name service (DNS) and therefore are a little more reliable and faster to use. Client access to the FTP proxy and to the reverse FTP proxy can be controlled independently. Enter the networks addresses (or address ranges) of computers that are permitted to connect in the field "Permit client connections from these addresses:" shown below:
In this field, you can enter:
- a single IP address, such as 192.168.0.3
- an address range, such as 192.168.0.2–4 (addresses from 192.168.0.2 to 192.168.0.4)
- a network address, such as 192.168.1.0 (addresses 192.168.1.1 through 192.168.1.255)
Network Masks
Trilent FTP Proxy supports network masks. Network mask has the following format:
192.168.0.0/24
The number
after the slash represents the number of bits (possible value: 0 to 32) of the network part of
the address. (Each of the four dot-separated fields of an IP address is 8 bit
long, for a total of 32 bits.) For example, the address above has the network part
that is 24-bit (or 3-field) long. The remaining (fourth) field represents host addresses.
Therefore, the network address 192.168.0.0/24 contains addresses
192.168.0.1 through 192.168.0.255. Please note that without the
network mask, the same network address 192.168.0.0 would include addresses
192.168.0.1 through 192.168.255.255, a much larger range. As you can see,
the explicit network mask takes precedence over the number or right-most
zeros in the address.Also note that this address would be appropriate to use in our example network.
Shortcuts
You can omit one or more of the right-most zeros (together the dots preceding them) in a network address. You can also replace one right-most zero with a star (*). For example, the following addresses are equivalent:
127.0.0.0 127.0.0.*
127.0.0 127.0.*
127.0 127.* 127
| The network address * (star) or 0 matches everything, while an empty field matches nothing (no client computer is permitted access). |
The setup program inserts the star into this field, for both the proxy and the reverse proxy. That permits access from everybody.
Tip: Do not change this initial setting until after you have successfully configured and started the proxy for the first time. Many questions to our technical support originate from this area.Multiple Nets (Allow List)
You can enter up to 30 comma-separated network addresses (or address ranges) in the format described above to create an allow list (a list of addresses allowed access). Spaces are permitted between entries for readability. For example, this is a valid allow list:
192.168.0.0/24, 127.*, 10.1.125.17-26, 10.1.125.29, 172
A client computer with IP address matching any of the entries above will be permitted to connect to the proxy (or to the reverse proxy). The allow list is scanned until the first match is found. Therefore, duplicate entries are acceptable (but make no difference). Please note that the order of entries is important. For efficiency, addresses of clients that frequently use the proxy should be at the beginning of the allow list.
Limiting Server Access
The Trilent FTP Proxy allows you to deny access to selected FTP servers. You can create a deny list of servers to which connections are not permitted. The deny list (also known as a black list, because the servers on it are "blacklisted") is comprised of undesirable servers' IP addresses.
When you enable the server address filtering feature of the FTP proxy (the reverse proxy utilizes a fixed server and does not need filtering), each connection request by a client is checked against the black list. If the IP address of the requested server is found on the list, the connection is denied.
The black list of server addresses can be potentially very long (the Trilent FTP Proxy supports up to about 250,000 entries). Care has been taken to optimize the search algorithm to make it very fast. For example, to filter 5,000 addresses requires about 12 steps of a few instructions each. The use of IP addresses instead of server names, which depend on the domain name service (DNS), makes the search a little more reliable and faster. Additionally, a graphical Black List Editor is provided to help create and maintain such long lists.
Note:
You may have noticed that the client allow list, described earlier in this section, and the server deny list described here have a different format. That is because allow lists and deny lists have diverse characteristics:
- An allow list is comprised of network addresses and address ranges, while a
deny list is comprised of single addresses.
It is very likely that trusted clients are part of a network
or address range. It is very unlikely that undesirable public servers
have consecutive IP addresses.
- An allow list is typically quite short, while a
deny list may be very long. This is the consequence of (1).
A single network address may include thousands of hosts.
- An allow list is scanned until the first match is found, while a
deny list must be scanned in its entirety.
- The order of entries in an allow list is important, while the order of entries in a deny list is pre-determined (usually to optimize search). This is the consequence of (3).
Black List Editor
The black list editor provides a graphical user interface (GUI) to help you create and maintain the server deny list (also known as a black list). This is a list of IP addresses of servers to which access is to be denied. The list can be potentially very long (the editor supports up to about 250,000 entries).
To start the editor, click on the "Edit Blacklist" button that is located under the FTP Proxy tab of the control applet. The screen will look like this:
The list window shows a multi-column view of the current black list of IP addresses in the familiar dot-decimal notation. The list is sorted. When you start the black list editor for the first time, the current black list will be empty and the list window will be blank.
Clicking on the "OK" button closes the black list editor, after all the entries in the list window (possibly changed) were checked, compiled and loaded into the configuration database as a new current black list. Clicking on the "Cancel" button closes the black list editor, ignoring all changes made to the list window.
The editor menu has the following items:
| File Open Save As Exit |
Edit Server Add Modify Delete Remove All Find |
Tools Options Validate List Compile & Load |
Help Help Topics About |
Click on Open in the File menu and the standard "Load File" dialog box will appear:
You can open an external blacklist file and add it to the current list.
Each address is checked for validity. When invalid format is detected, you are given an option to correct it (only the bottom of the screen is shown to save space):
The list is not checked for duplicate entries. Use Validate List in the Tools menu to remove duplicates from the list.
The blacklist file (extension .BLT) is a text file that can be opened and edited with the Windows Notepad. Its format is very simple. Each line in the file is a single list entry (representing a server) and contains an IP address in the dot-decimal notation. Any text following # is a comment. Comments are ignored. Lines beginning with # and empty lines are also ignored. The addresses do not need to be sorted.Click on Save As in the File menu to save the current list to an external blacklist file. Click on Exit to abandon all changes and close the black list editor. (This has the same effect as clicking on the "Cancel" button at the bottom of the screen.)
Edit Server menu contains operations to manipulate list items.
Click on Add and the screen will look like this (only the bottom of the screen is shown to save space):
Add a new server to the list. The current version of the product only supports IP addresses, so the "name" option is disabled. The "OK" button remains disabled (grayed) until you enter a valid address. Since the list is sorted, the new server is automatically inserted in the correct place.
Click on Modify and the screen will look like this (only the bottom of the screen is shown to save space):
Edit the IP address of the selected server. The "OK" button remains disabled (grayed) until you make a valid change.
Click on Delete to remove the selected server. (Click on Remove All to clear the whole list window.) The following message appears:
Click on Find and the screen will look like this (only the bottom of the screen is shown to save space):
Enter an IP address (or partial address) to find the server. In case of a partial-address search, the first entry matching the partial address is selected.
The Tools menu contains three items:
Options - current version of the editor supports only one option: "Ask before deleting" to disable the delete confirmation message box. This is useful if a large number of entries are to be deleted.
Validate List - checks the list for validity, removes duplicate entries, counts all entries and generates a report:
This is useful for combining two overlapping lists. Simply load the first list (from an external blacklist file), load the second list, and then click on Validate List to remove duplicate entries.
Compile & Load - silently runs Validate List, compiles all entries into a format acceptable to the proxy and loads them into the configuration database as the new current black list. (Clicking on the Compile & Load menu item and then clicking on the "Cancel" button has the same effect as clicking on the "OK" button.)
Configure FTP Clients
Two FTP clients are usually installed on every Windows® computer: ftp command and Web browser.
FTP Command
Each Windows operating system (and each Unix/Linux system) includes an "ftp" command. When you type ftp (at the command prompt or in the "Run" menu) you invoke a built-in FTP client program that presents a simple, command-oriented interface for transferring files.
Note: FTP commands are beyond the scope of this document. You can learn them from Windows Help. (Search on "ftp command" keyword.)
| The FTP command-oriented client does not need any special configuration to use the Trilent FTP Proxy. |
A slightly different login process is required when connecting via proxy, as described in the Using FTP Commands section of this manual.
Web Browser
Most Web browsers can act as FTP clients and connect to FTP servers using URLs (Uniform Resource Locators). This allows you to access FTP sites through the familiar user interface similar to that used for Web pages.
| Web browser does not need any special configuration to use the Trilent FTP Proxy. The browser sees the proxy as just another FTP server. |
A slightly different URL is required to work with the proxy, described in the section Using Web Browsers.
Note: Web browsers can be configured to use a proxy for FTP. However, only CERN-type (HTTP-to-FTP) proxies are supported by browsers. This product is an FTP-to-FTP proxy and cannot be used in this manner.
OPERATION
Using the Trilent FTP Proxy is simplicity itself.
Since it is implemented as a service, it starts automatically (if so
configured) as soon as the host computer is powered up. Unlike
application programs, no user login is required.
Start the FTP Proxy Service
The Trilent FTP Proxy is implemented as a Windows service. A service cannot be run from the command line. The "Services" control applet must be used instead. To start the service, open the Control Panel, open the "Administrative Tools" window and click on the "Services" icon. A list of services opens. Scroll the list to the "Trilent FTP Proxy" entry and double-click to open. The screen will look like this:
Click on the "Start" button to start the service. Change the "Startup Type" entry to "Automatic" if you want the Trilent FTP Proxy to start every time the computer is turned on (this is the normal operation). Click on "OK" button to close the applet.
Using FTP Commands
Using command-oriented FTP clients with the Trilent FTP Proxy differs very little from their use without the proxy. Sequence of commands required to connect to a remote FTP server without the proxy is shown below. Comments (in italics) are not a part of the sequence.
|
c:\WINDOWS> ftp ftp> open ftp.example.com Connected to ftp.example.com. 220 ftp.example.com FTP server ready. User (ftp.example.com:(none)): john 331 Password required for john. Password: ***** 230 User john logged in. ftp> dir (directory listing follows..) |
start the FTP client connect to FTP server enter user name enter password |
In the presence of the FTP proxy, the login process is slightly different.
| Instead of connecting directly to the remote server, the client first connects to the FTP proxy. Client then gives the proxy the name of the remote FTP server to connect to. This information is provided as a part of the user name in the following format: username@ftpserver. |
|
c:\WINDOWS> ftp ftp> open 192.168.0.1 Connected to 192.168.0.1. 220 FTP Proxy ready. User (192.168.0.1:none):john@ftp.example.com 331-(Proxy connected to ftp.example.com) (220 ftp.example.com FTP server ready.) 331 Password required for john. Password: ***** 230 User john logged in. ftp> dir (directory listing and other commands follow.. ) ftp> user jane 331 Password required for jane. Password: ***** 230 User jane logged in. |
start the FTP client connect to FTP proxy FTP proxy greeting username@server connected to server remote server greeting enter password no need for @server |
Once the proxy is connected to the FTP server, it transparently forwards all commands and responses between client and server. After being connected, the FTP client talks directly to the remote server. Therefore, users no longer need to use the username@ftpserver form for additional logins so long as they log in to the same server. This is illustrated in the last lines of the example above.
|
The full format of the USER command is similar to the FTP URL: username:password@ftpserver:port Password and port are optional. If the browser compatibility mode is enabled, characters @ and : can be replaced with the currency sign and the exclamation mark, respectively. The USER command then becomes: username!password$ftpserver!port |
The login sequence below shows the usage.
c:\WINDOWS> ftp
ftp> open 192.168.0.1
Connected to 192.168.0.1.
220 FTP Proxy ready.
User (192.168.0.1:(none)): john:mypassword@ftp.example.com:21
230-(Proxy connected to ftp.example.com)
(220 ftp.example.com FTP server ready.)
230 User john logged in.
ftp> dir
(directory listing follows..)
Using Web Browsers
Most Web browsers can act as FTP clients and connect to FTP servers using URLs (Uniform Resource Locators). This allows you to access FTP sites through the familiar user interface similar to that used for Web pages.
Using Web browsers as FTP clients with the Trilent FTP Proxy differs very little from their use without the proxy. Browsers see the proxy as just another FTP server. A slightly different URL is required to provide the proxy with the name of a remote FTP server to connect to. (The URL is shown later in this section.)
For reference, we first show the FTP URL that is used without the proxy:
ftp://username:password@ftpserver:port
The username, password, and port are optional. If you do not include the username, the browser will send the name "anonymous" that by convention will permit you access to the guest account on most FTP servers. If you do not include the password, you will be prompted for it later by the server. The port is optional only if you use the default FTP port (21) on the server.
Note: The password use in the URL is not recommended for security. URL is frequently displayed by browsers, stored in bookmarks, favorites, and logged in browser history. Such storage of authentication information in clear text has proven to be a security risk.Web browsers interpret the part of the URL to the right of the separating @ character as the name of the server to connect to, and the part to the left of it as user information (userinfo) to be sent to the server.
Unfortunately, the Trilent FTP Proxy uses the same separating character @ and for the same purpose. We need to use another separating character to avoid conflict with the browser. The new separating character that replaces @ is $ (currency sign). Similarly, the ! (exclamation mark) replaces : (colon). Both characters ($ and !) are reserved by the URL specification (RFC3986) and will not be interpreted or modified by the browser. They will therefore be passed unchanged to the proxy.
|
The FTP URL that is used with the proxy is the following:
ftp://username!password$ftpserver!port@proxy:port The Web browser connects to the proxy via FTP and sends it the whole userinfo part of the URL (shown in green). The proxy then uses the non-conflicting separating characters ($ and !) to extract the username, password, server, and port. As mentioned earlier in this section, the use of passwords in the URL is not recommended. The more common form of the FTP URL to use with the proxy is:
ftp://username$ftpserver@proxy It is not much different from the URL used without the proxy: ftp://username@ftpserver |
The Trilent FTP Proxy interprets the characters $ (currency sign) and ! (exclamation mark) as separating characters only if the browser compatibility mode is enabled. Otherwise, they are treated like any other character forming the user name. If the browser mode is enabled, the characters $ and ! are fully equivalent to @ and :, respectively. They can be used interchangeably with command-oriented FTP clients.
| The following Web browsers have been tested with the FTP proxy: Internet Explorer, Netscape/Mozilla/Firefox, Opera. |
Note for Opera users: The Opera Web browser issues the EPSV command that the FTP proxy supports. However, we had trouble connecting Opera to a few FTP servers, both via the proxy and directly. Therefore, the Opera browser is not supported at this time.
Note for IE users: The Internet Explorer opens up to three FTP connections per server access. When you close the browser, one of these connections is forcefully terminated and that causes the FTP proxy to log a warning.
Single-Computer Operation
If you do not have a network, but only a single computer connected to the Internet, you can still use the FTP proxy.
Every computer that supports IP (Internet protocol) is equipped with a loopback interface. The loopback is an internal ("dummy") interface that allows networking programs on the same computer to communicate. This interface behaves in every respect identically to a "real" interface connected to an outside network via a networking card. The well-known IP address of the loopback interface is always the same: 127.0.0.1. This arrangement is illustrated on the following diagram:
In this scenario, both FTP client and the Trilent FTP proxy are installed on the same computer. The inside interface of the proxy is now the loopback interface. Enter address 127.0.0.1 into the "Inside Interface" box as shown in the Enter the Gateway Host Data section.
The FTP client program has to connect to the inside interface of the proxy, which in this case is the loopback. For example, you can use the command "ftp 127.0.0.1" to connect. That is the only difference from the information shown in the Using FTP Commands section.
The benefits of using the Trilent FTP Proxy on a single computer are limited. It is typically so used for testing, or when some specific features of the proxy are needed. For example, you may want to use passive data connections, but your FTP client program does not support them.
Proxy Chaining
The Trilent FTP Proxy supports proxy chaining. An FTP client can connect to a server via more than one proxy. The following picture shows an example of two chained proxies. For comparison, it also shows direct connection between FTP client and server (no proxy), and a connection via a single proxy.
The FTP servers and proxies shown here are called: ftpserver, ftpserver1, ftpserver2, proxy1 and proxy2, respectively. (Not very original, but it makes it easier to keep track of them.) For simplicity, let's assume that user account on all three servers is the same:
| User: Password: |
john mypass |
Note: The following examples show an abbreviated sequence of commands. Please refer to the section Using FTP Commands for the full sequence of commands and responses.Direct connection to the server (without proxy) is very straightforward: connect to server and give it your login name.
ftp> open ftpserverConnection via a single proxy differs very little from the direct connection shown above: connect to proxy and give it your login name in the format username@ftpserver. Optionally, you may also include your password (if you don't, you will be prompted for it later):
ftp> user john
ftp> open proxy1Connection via two proxies is not much different – connect to proxy and give it your login name in the format that now contains two @server terms to accommodate the extra proxy:
ftp> user john:mypass@ftpserver1
ftp> open proxy1The first proxy (proxy1) strips the right-most @-separated term of the "user" command (shown green in our example), finds the next server name (proxy2), connects to proxy2, and sends to it the remainder of the "user" command. As this operation is can be repeated many times, there is no limit to the number of proxies that can be chained. (We only tested the product with a two-proxy chain.)
ftp> user john:mypass@ftpserver2@proxy2
The full format of the "user" command: john:mypass@ftpserver2:port@proxy2:port is used with non-standard proxy or server ports.
Note: If the browser compatibility mode is enabled, the character @ can be replaced with $ (currency sign). Refer to the section Using Web Browsers for details.
| To chain reverse proxies, simply replace the internal server address with the address of the next reverse proxy in chain. |
Event Log
The Trilent FTP Proxy service logs status and error messages in the system event log. To review the log, open the Control Panel, open the "Administrative Tools" window and click on the "Event Viewer" icon. A list of logged events opens, as shown below. (Usually the list is much longer than that shown in our example.) Look under "System Log" for any Trilent FTP Proxy messages.
Uninstalling Trilent FTP Proxy
Use the Add/Remove Programs applet in the Control Panel to completely remove the Trilent FTP Proxy from your computer.
You can also use the shortcut from the Start menu. Click on "Start", then on "Programs", "Trilent", "FTP Proxy", and finally on "Uninstall FTP Proxy".
TROUBLESHOOTING
This section will help you troubleshoot problems with the product. The problems may be
classified into two groups: Initial problems (when you never could get the Trilent FTP Proxy to work) and operational
problems (the proxy used to work correctly, but works no more). The former are mainly setup and configuration
problems, the latter are more open-ended and involve the entire network. Please follow the common sense
troubleshooting steps shown below before contacting the technical support.
Setup Problems
The Trilent FTP Proxy setup program does not complete successfully. Read the setup error messages for a clue of what went wrong. Go back to the Before You Begin section of this manual and review the prerequisites to a successful setup. This is a usual culprit. Make sure your copy of the setup file has not been corrupted during the download.
Configuration Problems
When the setup completes successfully, but the Trilent FTP Proxy doesn't seem to work, it usually indicates problems with configuration of the proxy itself or with your network.
- Did the setup really complete successfully? Make sure by reviewing the
Configuration section of this manual. Open the Trilent FTP Proxy control
applet and verify the information you have entered is still there.
- Is the Trilent FTP Proxy service running? Make sure by opening the Services applet as shown in the
Start the FTP Proxy Service section of this manual.
- Did you obtain your evaluation license?
The Trilent FTP Proxy is a licensed program: it requires a license
(registration code) in order to run. For evaluation purposes, you can get a free 30-day
instant license from within the configuration applet.
- Do you have a functioning Internet connection? Can you connect
from your FTP client installed on the gateway host to an Internet FTP server
directly, without the Trilent FTP Proxy?
If you can not, please install and configure it now. The
importance of this step cannot be overemphasized. There is no point in
troubleshooting the Trilent FTP
Proxy when your Internet connection or your FTP client do not work.
- Do you have a dial-up connection to the Internet? Dial-up connections typically assign
a different IP address to your computer each time a connection is made. Current version of the
Trilent FTP Proxy only supports fixed IP addresses.
- Configure the Trilent FTP Proxy on a single computer. If you have
successfully gone through all the above steps, try to
configure the FTP proxy and an FTP client on a single computer
connected to the Internet. You should have an FTP client already installed
and tested on this computer. You should also
have the Trilent FTP Proxy service installed and running on the same host.
The details of the setup are shown in the Single-Computer
Operation section. Test the operation.
- If you have a firewall installed on your gateway host, check its
configuration. Does it allow the
Trilent FTP Proxy to connect to the outside world?
- If everything else fails contact our
Technical Support.
Operational Problems
If the Trilent FTP Proxy had been working correctly for a period of time and then suddenly failed, it usually indicates changes or problems within the network. The main culprit is usually the domain name server. You should investigate any recent changes in your network (sometimes the changes are in your ISP’s network).
- Review the system event log (as shown in the Event Log section)
for any error messages. Error messages usually give pretty accurate clues as to that has happened.
- Make sure the Trilent FTP Proxy service is running. If needed, start the service (as shown
Start the FTP Proxy Service section) and review the event log
again.
- Did your license expire? Trilent FTP Proxy is a licensed software. If you are using a limited
time license for an evaluation copy of the software, your license might have just expired.
- Check your network for any recent changes. Verify that the domain name server
works correctly (this is beyond the scope of this manual.) Bypass the Trilent FTP Proxy
by connecting your FTP client on the gateway host to an Internet FTP server directly.
Does it work?
- It may be a bug in our program. Despite our best efforts, sometimes a software bug slips in.
If your problem looks like a bug, please report it to our
Technical Support.
We highly value and welcome your feedback.
