Server Connection: FTPS

PORT *

Enter the port to connect to the server. This is the TCP/IP port the server will listen to in the STENG node.

PORT RANGE

Enter the range for the ports the server will listen to.

SERVER KEYLABEL *

Enter the Key identifier about keystore store to select Private Key and Certificate to create SSL connection.

ACTIVE DATA CONNECTION LOCAL ADDRESS

Enter the local address for active data connection.

PASSIVE EXTERNAL ADDRESS

This field must be filled in only if OPERATING MODE is set to PASSIVE and will contain the address used for passive connections. If the server is behind NAT, insert the external IP address.

MAX SESSION

Specify the maximum number of active sessions.

CONNECTION TIMEOUT

Define the number of seconds without network activity to wait before closing a session due to inactivity. Default value: 60.

ACTIVE DATA CONN LOCAL OUTPORT

If the OPERATING MODE is set to ACTIVE, enter the port the client must connect to.

REQUIRE CLIENT AUTHENTICATION

Enable the toggle button if you want the server to require SSL Client Authentication to the client that is connecting. If enabled, the CLIENT CERTIFICATION MATCH field appears and the appropriate option must be selected in the drop-down menu – details in the field here below.

CLIENT CERTIFICATION MATCH

This field appears if the REQUIRE CLIENT AUTHENTICATION button is enabled. It defines if the Certificate required for Client Authentication will be matched and how. Possible values: - NONE: the Certificate will not be matched. The presence of a valid Certificate is enough to proceed. This is the less secure option. - CNEQUALS (default value): the Common Name field of the Certificate must be exactly the same as the user name. This is the most restrictive option. - CNCONTAINS: the Common Name field of the Certificate must contain the user name.

OPERATING MODE

How data connection is established, possible values: - ACTIVE (default value) - PASSIVE When setting the “Active mode file transfer”, the client will establish a control connection to the server and the server will establish a data connection back to the client. With “Passive mode file transfer”, the client will establish both a control connection and a data connection to the server.

DATA PROTECTION

Data channel protection. Possible values: - PROTECTED: Force data channel protection - CLEARTEXT: No data channel protection

SSL CONTROL

Possible values: - EXPLICIT (recommended) - IMPLICIT Selecting EXPLICIT, an explicit SSL/TLS connection will be set via AUTH command. Selecting IMPLICIT, an implicit SSL/TLS connection will be set. Most FTP/S Servers listen for implicit connections to port 990.

AUTHENTICATION PROTOCOL

Select the SSL authentication protocol. Possible values: - ALL - ONLY SPECIFIC VALUES: SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3 SSLv2Hello

ACCEPTED CIPHER SUITES

Select the cipherSuites accepted to establish SSL connection. For a list of all accepted Cipher Suites, follow this link.

NONE (default)

No session proxying through DMZ Gateway applied.

PORT_FORWARDING

Incoming/Outgoing connections to/from STENG server will be proxied inside an SSL tunnel without being validated in advance. DMZ PROXY PORT *: This port represents the tunnel that is opened for connection with the STENG Server.

SESSION_TERMINATION

The server session will be terminated inside the DMZ Gateway, before data is sent to STENG server. DMZ PROXY PORT *: This port represents the tunnel that is opened for connection with the STENG Server. SERVER PORT *: DMZ server port used for connection. SERVER KEYLABEL: Select the label of private key to be used by the FTPS server exposed in the DMZ Gateway. REQUIRE CLIENT AUTHENTICATION: Enable the toggle button if you want the server to require SSL Client Authentication to the client that is connecting in DMZ. If enabled, the DMZ CLIENT CERTIFICATION MATCH field appears and the appropriate option must be selected in the drop-down menu – details in the field here below. If the FTPS client on DMZGateway is connecting to an FTPS Server with clientAuthentication=true on the STENG, check the client certificate coming from the client FTPS into the Untrusted Cache. Then trust the client certificate and check the Trust Store. DMZ CLIENT CERTIFICATION MATCH: This field appears if the Require Client Authentication button is enabled. It defines if the Certificate required for Client Authentication will be matched and how. Possible values: - NONE: the Certificate will not be matched. The presence of a valid Certificate is enough to proceed. This is the less secure option. - CNEQUALS (default value): the Common Name field of the Certificate must be exactly the same as the user name. This is the most restrictive option. - CNCONTAINS: the Common Name field of the Certificate must contain the user name. ACCEPTED CIPHER SUITES: It lists SSL/TLS cipher suites available in the FTP/S server and exposed in the DMZ Gateway. Select the cipherSuites accepted. For a list of all accepted Cipher Suites, follow this link. DATA PROTECTION: Set whether the data channel must be protected via SSL in the FTP/S server exposed in DMZ Gateway. Possible values: - PROTECTED: Force data channel protection - CLEARTEXT: No data channel protection SECURITY PROTOCOL: Possible values: - ALL - ONLY SPECIFIC VALUES: SSLv3 TLSv1 TLSv1.1 TLSv1.2 SSLv2Hello SSL PROTOCOL: Select a secure server profile activation mechanism in FTP/S server exposed in DMZ Gateway (see Connection/SSL Control). DMZ PASSIVE EXTERNAL ADDRESS: When an FTP/S client wants transfer data using Passive Mode, it issues the PASV command. Upon receiving that command, the FTP/S server responds with the server’s IP address and the port number the client must connect to. DMZ PORT RANGE: Range of ports for passive data connection.