Windows ftp command line client

Overview

MOVEit Freely (a.k.a. «ftps.exe») is a secure command-line
FTP client for Windows.
It accepts syntax similar to Microsoft’s built-in «ftp.exe» FTP client to make migrations to secure FTP easy.
 

Картинка с сайта: docs.ipswitch.com

Designed with professional system administrators in mind, MOVEit Freely duplicates
Microsoft’s client syntax from commands to error messages.  In addition to embracing
Microsoft’s old standby, MOVEit Freely extends the functionality of
command-line FTP with the addition of secure channel communication, passive mode
transfers and resumption of transfers. 

MOVEit Freely runs on Windows 9x/ME/NT/2000/XP/2003/Vista/7/8 and can take the place
of Microsoft’s command-line FTP client in all scripts.  Simply replace
«ftp» in your existing scripts with «ftps».

MOVEit Freely also implements a «file integrity» mode.  This is a transfer mode that
compresses files on-the-fly, and checks a file checksum to ensure that the file
was transferred successfully.  This mode is selected automatically when
transferring to/from a MOVEit DMZ FTP server; it is not available with other types
of servers.

MOVEit Freely features:

• FTP and FTP/S (FTP over SSL) file transfers
• Explicit (RFC-conforming) and implicit FTP/S connection modes
• Active and passive file transfer modes
• Client certificate support
• Ability to halt script execution on first error
• Client-side NAT support for legacy FTP servers
• On-the-fly data transmission compression to conserve bandwidth and speed transfers (where available)
• Resuming of partial transfers (where available)
• Cryptographic-quality file integrity checks to guard against truncation or corruption during transit (MOVEit DMZ transfers only)
• USB-Friendly «Portable» deployment

Like any other well-behaved command-line utility,
MOVEit Freely can be driven by an automated script
such as a Windows batch file.
In turn, these scripts can be scheduled by Windows Scheduled Tasks.

• Need MISSION-CRITICAL automation?
• Need your own secure file transfer server?

Table of Contents

Requirements

MOVEit Freely is a standalone executable that does not require any other software,
assuming the operating system is Microsoft Windows 98, ME, NT, 2000, XP or 2003.

Installation

To install MOVEit Freely, simply run the MOVEit Freely installation package. This package will ask into which folder and which «Start menu» program group you would like to install the application. It will change your «PATH» variable to allow you to run MOVEit Freely from any command prompt. (You may be prompted to log off after the installation to allow this to occur.) The installation will also install a «Start Menu» link to this documentation.

If Windows Firewall is running—which is the default under Windows Vista and Windows Server 2008—then
«active mode» FTP transfers will be blocked until you create an «exception»
for MOVEit Freely in the firewall.
(This is the case with any FTP client.)
To create an exception, use Control Panel | Windows Firewall | Allow a program through Windows Firewall.

Command Line

MOVEit Freely must be executed from a shell (aka «command prompt»).  
Despite appearances to the contrary, MOVEit Freely is a 32-bit program, not a
«legacy» DOS program. 

(If you plan on using MOVEit Freely with MOVEit DMZ servers only,
Ipswitch also gives away a similar command-line client called «MOVEit Xfer»
that securely transfers files over firewall/proxy-friendly HTTPS instead of FTPS.)

Use the following command syntax to run MOVEit Freely:

FTPS [-e:sslmode] [args] [hostname [port]]

…where args is zero or more of:

• -a starts the program in passive
  mode.  By default, the program is in active mode.  This
  can be changed during a session with the passive command.
• -c:connect_timeout_secs to set the connect
  timeout in seconds.  This is the amount of time that the program will
  wait for a successful connection to the server.  The default is 30
  seconds.
• -csn:store to set the name of an alternate Microsoft Certificate Store
  from which an optional SSL client certificate (with private key) will be selected.
  .  This defaults to «MY» (a.k.a. «Personal»), which is the name
  Windows stores certificates for the
  currently-logged-in user.  This option is very rarely used, because
  when client certificates are used, they are usually in the default location.
• -ccn:common_name to specify the Common Name (CN)
  of an optional SSL client certificate; for example, «Thawte Freemail
  Member».  This must be specified in order to enable client
  certificates, and the named certificate must already be present in the current user’s
  Windows Certificate Store.  (This is typically configured via Internet Explorer’s Tools
  / Internet Options / Content / Certificates.)  The default is to
  not support client certificates.  This option should be used only if
  the remote FTP server requires client certificates. 
  Because Common Names usually contain spaces, you will usually need to use
  double quotes:  «-ccn:Thawte Freemail Member».
  Some SSL hardware tokens, such as Aladdin’s eToken, may also be used with MOVEit Freely
  to provide credentials as long as the SSL hardware certificate store is accessible
  through the Windows certificate store interface. 
  See also the -pfxfile:filename
  option.
• -d to display commands sent to the server. Passwords, however, are still masked when this mode is in use.
• -e:sslmode to select the SSL encryption
  mode.  sslmode must be one of:

  sslmode	Meaning
  off	no SSL encryption (default)
  tls-p or on	encrypts both control and data with the AUTH TLS and PROT P commands. («explicit»)
  on-ccc	the same as «on», except that after signon, the CCC command is sent to switch the control connection to unencrypted mode.  Data connections will be encrypted.  With this option, the username and password are encrypted, but other FTP commands are in cleartext.   This option is used when a firewall between the client and the server is using Network Address Translation to change the client’s view of the  FTP server’s IP address.  This option the firewall to inspect and rewrite PORT commands and PASV responses, to account for this IP address mapping.  Without this feature, if you are using encrypted sessions with certain firewalls, you might have to use the -natpasv or -natact:ip command-line options instead.   The «on-ccc» option is not frequently used, because many FTP servers do not support the CCC command.
  tls-c	encrypts only the control connection with the AUTH TLS command.  Encryption of the data connection can be changed during the session with the prot command.   prot p sets data connections to be protected (encrypted); prot c sets data connections to be cleartext (unencrypted).
  tls-c-ccc	like «tls-c», except that after signon, the CCC command is sent to switch the control connection to unencrypted mode.  Data connections will not be encrypted.  See the above discussion of «on-ccc».
  implicit	encrypts both connections without the use of an AUTH command; usually to port 990.
  implicit-ccc	the same as «implicit», except that after signon, the CCC command is sent to switch the control connection to unencrypted mode.  Data connections will be encrypted.  See the above discussion of «on-ccc».

• -n to not prompt for username and password at startup.
• -natact:ip to use ip as our IP address in «Client NAT» mode
  in active (as opposed to passive) FTP mode.  See Client
  NAT.
• -natpasv to ignore the IP address in the PASV reply in «Client NAT» mode
  when in passive FTP mode.  Instead, use the address of the control
  connection.  See Client NAT.
• -password:pw is the default password. 
  If this is not specified, the program will prompt for a password upon
  initial connect.
• -pfxfile:filename specifies a file from
  which a client certificate should be read.  The first private
  certificate in the file will be used.  This is an alternative to the -ccn
  parameter, for when the client certificate is not installed in a Windows
  store.  The filename must be in .PFX format (also known as .P12
  format).  If the file is protected by a password, use the -pfxpw
  parameter.
• -pfxpw:password specifies the password to be
  used with -pfxfile.  See also -pfxpwfile.
• -pfxpwfile:filename specifies the name of a
  file that contains the password to the file given by -pfxfile. 
  You should not use both -pfxpw and -pfxpwfile.
• -ports:low-high specifies the port
  range to use on the client side of TCP data connections.  For example,
  you might specify -ports:8000-8009. MOVEit Freely will restrict
  the port numbers it uses to be greater than or equal to low, and less
  than or equal to high.  For active mode, this restricts the port
  numbers sent by the PORT command.  For passive mode, this controls the
  port number of the originating end of the connection.  This very rarely
  used option exists to accommodate highly restrictive firewall rules. 
  Without this option, MOVEit Freely will allow the operating system to choose
  port numbers.  
• -quiterror to quit on any error. 
  This will exit a script file without reading any more commands.
• -resume to attempt to resume transfers if the destination
  files exist.
• -s:filename to read commands from a script file (do
  not use redirection).  The default is to read commands from the console.
• -t:data_timeout_secs to set the data socket
  timeout in
  seconds.  This applies to both the amount of time to wait for the
  server to connect back (on a non-passive data port), and the amount of time to wait
  without data before declaring a data socket dead.  The default is 120 seconds.
• -user:username is the default
  username.  If this is not specified, the program will prompt for a
  username upon initial connect.
• -z to not warn about problems with FTP server
  certificates, instead accepting any certificate.  By default, if there is a problem
  with a certificate, MOVEit Freely will display a dialog, asking whether you want to accept
  the certificate.  The most common problem is that a certificate was issued by a
  non-trusted certification authority, as happens with test certificates.

hostname is the domain name or numeric IP address of an FTP server. 

port is the numeric TCP port number to use.  The default is 21,
unless -e:implicit has been specified, in which case the default is 990.

If no hostname is given on the command line, MOVEit Freely starts without making a
connection.  In this case, you must issue an open command to connect to an FTP
server.

Here are some examples of this syntax in use:

• FTPS ftp.ipswitch.com
  (Open an INSECURE, INTERACTIVE connection to «ftp.ipswitch.com»)
• FTPS -e:on ftps.ipswitch.com
  (Open a SECURE, INTERACTIVE connection to «ftps.ipswitch.com»)
• FTPS -e:on -s:mybatch.txt ftps.ipswitch.com
  (Open a SECURE, BATCH connection to «ftps.ipswitch.com»)

Compatibility with MOVEit Xfer and Microsoft’s «ftp.exe» Client

MOVEit Xfer is a free, command-line application also written and distributed by Ipswitch
to communicate with MOVEit DMZ servers using the firewall-friendly HTTPS protocol.
(MOVEit Freely communicates with MOVEit DMZ server using the FTPS protocol.)
The command-line syntax for MOVEit Xfer was based on existing MOVEit Freely command-line syntax.
This uniformity allows people to convert most MOVEit Freely scripts to MOVEit Xfer scripts
simply by replacing «ftps» with «xfer».

MOVEit Freely command-line syntax was itself based on the command-line syntax of Microsoft’s non-secure ftp.exe client.
Once again, this uniformity allows people to convert many scripts based on «ftp.exe» to MOVEit Freely scripts
simply by replacing «ftp» with «ftps».

Program Exit Values

MOVEit Freely will return an exit value of zero (0) if no errors occurred during the
processing of a file transfer session.  See the example below for a batch file that checks
the return code for errors.  Several different exit codes are returned by MOVEit Freely.

1 is returned for syntax errors in the command line parameters.

2 is returned if the -s: parameter points to a file or directory that does not exist.

3 is returned if any command during the session caused an error, either a
4xx or 5xx response from the server or a syntax or file error detected by MOVEit Freely itself.

13 is returned if the -s: parameter points to a file whose sharing mode does not
allow read access, or if the path is a directory, not a file.

If the -quiterror parameter is specified, MOVEit Freely will exit immediately with an
exit code of 3 as soon as an error occurs without reading any more commands from the script file
or console.

 

Resuming Transfers

The -resume parameter can be used to cause MOVEit Freely to attempt to resume a transfer
that may have been interrupted in a previous execution.  Specifying -resume will change the
way that get and put (also mget/mput) work.  Resuming transfers requires support on the
corresponding FTP server, but not all server implementations have that support.  Here is
how the -resume parameter works:

When a get operation is performed,
MOVEit Freely will first check to see if there is already a local file present.  If so, a
«REST xxxxx» command is sent to the server with «xxxxx» being the size in bytes of local copy
of the file.  Then, when the file is transferred, the first «xxxxx» number of bytes are skipped
by the server and MOVEit Freely will write the data sent to the end of the local file.

When a put operation is performs, MOVEit Freely will first send a «SIZE (filename)»
command to the server to ask for the number of bytes in the file.  Next, MOVEit Freely will
send a «REST xxxxx» command is to the server with «xxxxx» being the number of bytes to skip
when the transfer takes place.  The server is responsible for writing the data to the end
of the file.

It is important to note that use of the -resume parameter will cancel the ability of MOVEit
Freely to overwrite a file if it already exists.  A destination file, if it exists, is assumed to be
a partially transferred version of the source file.  If you often transfer different versions
of a file with the same name with overwrite, you should not use -resume.

When MOVEit Freely «file integrity mode» is used with MOVEit DMZ, a partial transfer that is
completed by using the -resume parameter is verified, by checksum, that the entire destination file
matches the source file.

When using -resume for put operations with MOVEit DMZ, only files that have
been detected by MOVEit DMZ as previously incomplete transfers can be resumed.  That is, a
file which was completely received by MOVEit DMZ cannot be extended using the -resume feature.

 

Commands

Once MOVEit Freely is started, it prompts for and reads single-line commands.  The
commands are read from the console, or from the script filename if the -s
parameter has been specified on the command line.  If the -quiterror parameter has been
used and an error is encountered, (either a 4xx or 5xx response from the server or a syntax
or file error detected by MOVEit Freely itself), MOVEit Freely will exit without reading
any more commands from the console or script file.

If a command that has required parameters is entered without the parameters, MOVEit
Freely will prompt for the parameters, using the same prompts as Windows 2000’s FTP.EXE.  

For many commands, to enter a parameter containing spaces, you must enclose the parameter in
double quotes.  For instance, to retrieve a file named My
Document.txt, you should say get «My Document.txt». 
The only exceptions to this rule are the dir, lcd, ls, and quote commands, which
do not require double quotes.

Legal FTP commands are listed below.  Optional parameters are enclosed in brackets
([]).

![cmd]

Executes a shell command on the local machine.  If cmd is not specified, a copy of
the command interpreter is launched.  You can type as many Windows commands as you
like.  When you are finished, type exit to return control to MOVEit
Freely.  If cmd is specified, that command is executed, then control is returned to
MOVEit Freely, with no need to type exit.

?

Displays a list of the available MOVEit Freely commands. 

about

Displays a brief description of MOVEit Freely, the current version, and a link to the
vendor’s website.

append localfilename [remotefilename]

Appends a local file to an existing file on the server.  If remotefilename is not specified,
the name of the file on the remote  system will be the same as localfilename. 
You may put » around the filenames in order to include spaces in the names. 
If the remote file does not exist, many FTP servers will create a new one,
treating the command as if it were a put.

ascii

Tells the FTP server to switch to ASCII transfer mode.

bell

Toggles the flag that says whether a bell should be sounded after the completion of
certain commands.  These commands are the commands that cause data to be
transferred:  dir, ls, get, put, mget, mput.

binary

Tells the FTP server to switch to binary transfer mode.

cd directory

Changes the working directory on the server.

close

Closes the connection to the server without exiting the program.

debug

Toggles the flag which says whether commands sent to the FTP server should be echoed to
the console.

delete filename

Deletes a filename on the FTP server.

dir [filemask] [outputfile]

Gets a directory listing from the FTP server.  If outputfile is
specified, the output goes to that file instead of to the console.

get remotefilename [localfilename]

Retrieves a file.  If localfilename is not specified, the file will be saved to
the local system as remotefilename.  You may put » around the
filenames in order to include spaces in the names.

hash

Toggles the flag that says whether to print a ‘#’ for every 2048 bytes transferred.

help

Displays the list of commands accepted by MOVEit Freely.

lcd

Changes the local directory.

ls [filemask] [outputfile]

Displays a list of files on the remote system, with file names only.  If
outputfile is specified, the output goes to that file instead of to the
console.

mdelete remotefilemask

Deletes multiple files from the remote system.  MOVEit Freely implements this by
executing the equivalent of an «ls» command, then doing a delete for
each filename returned.  If prompting is on, MOVEit Freely prompts for whether to actually
delete the
file.  The response should be «y» or just <Enter> to fetch that file,
q to quit,
or anything else to not delete the file.

mget remotefilemask

Retrieves multiple files from the remote system.  MOVEit Freely implements this by
executing the equivalent of an «ls» command, then doing a get for each filename
returned.  If prompting is on, MOVEit Freely prompts for whether to actually get the
file.  The response should be «y» or just <Enter> to fetch that file,
q to quit, or anything else to not transfer the file.

Examples of remotefilemask:

• *.*  (Get all files — however some remote systems omit files without
  «extensions»)
• * (Get all files — however some remote systems omit files with «extensions»)
• *.txt (Get all files with an extension of «txt»)

mkdir remotedirectory

Makes a directory on the remote system.

mput localfilemask

Sends multiple files to the remote system.  MOVEit Freely implements this by
getting a list of local files matching the mask, then doing a put for each filename
returned.  If prompting is on, MOVEit Freely prompts for whether to actually put the
file.  The response should be «y» or just <Enter> to send that file,
or anything else to not transfer the file.

open hostname [port]

Connects to an FTP server.  If port is not specified, MOVEit Freely will
attempt to connect on port 21.

passive

Toggles the flag that says whether to use passive mode.  In passive mode, the
remote FTP server accepts data connections from MOVEit Freely for each data
transfer.  In the more traditional non-passive mode, MOVEit Freely accepts data
connections from the remote FTP server.

(Passive mode is often required by firewalls and proxy servers.)

prompt

Toggles the flag that says whether to prompt for transfers during an mget or mput.

put localfilename [remotefilename]

Sends a file to a remote FTP server.  If remotefilename is not specified,
the name of the file on the remote  system will be the same as localfilename. 
You may put » around the filenames in order to include spaces in the names.

pwd

Displays the working directory on the FTP server.

quit

Closes the connection, if any, and exits the program.

quote remotecommand

Sends an arbitrary command to the remote system.

remotehelp

Displays a list of commands available on the remote FTP server. 

rename oldfilename newfilename

Renames a file on the remote system.

rmdir directory

Removes a directory on the remote system.

status

Displays the status of various flags.

user

Prompts for username and password.  Used when you are connected to an FTP server,
but not necessarily logged in.

type [ascii | binary]

Displays the current transfer type.  If ascii or binary are
specified, first tells the FTP server to switch to that type.

verbose

Toggles the flag that says whether responses from the FTP server should be displayed on
the console.  There is rarely a reason to turn this mode off.

Examples

Simple Script Example

The following script and command line retrieve all files named *.rpt from the
Incoming directory of an FTP server.  Passive mode is used.  

The command line is:

ftps -s:GetRpt.in ftp.bigcorp.com 

The contents of GetRpt.in are:

jsmith
secret123
cd Incoming
passive
prompt
mget *.rpt
quit

Note that the lines in the script are simply the lines of text
that would be entered by the user if the transfer were done interactively
rather than via a script.  The
«prompt» command is necessary to turn off prompting for use inside a
script.

Batch File to Upload a Single File

The following batch file lets a user upload a single file using a single command. If you save the following snippet as «uploadit.bat», usage would be: «uploadit (hostname) (username) (password) (file_to_transfer)»

echo put %4 > temp.txt
echo quit >> temp.txt
ftps -a -e:on -user:%2 -password:%3 -s:temp.txt %1
del temp.txt

Batch File that Checks for Errors

This batch file checks the exit code from MOVEit Freely to see if any errors occurred.  The
-quiterror parameter will make the program exit as soon as there is an error without reading any more
commands from the script file.

ftps -user:dave -password:super -quiterror -s:script.txt myhost
if %ERRORLEVEL%==0 goto great
echo ftps returned error code: %ERRORLEVEL%
if %ERRORLEVEL%==3 goto out
if %ERRORLEVEL% GEQ 1 goto oops
echo Unknown File Transfer Problem
goto done
:oops
echo Error in File Transfer syntax
goto done
:out
echo An error occurred in the File Transfer
goto done
:great
echo The File Transfer completed successfully
:done

Secure FTP Host to Insecure FTP Host

Included with this documentation is a longer script example («samplecopy.bat») which retrieves all the files from a folder on a secure FTP server and places them into a folder of an insecure FTP server.

This batch file invokes MOVEit Freely twice (once for each of the two hosts). Immediately before invoking the client, the batch file builds up a temporary command file. These command files (as well as a temporary work folder) are deleted before the batch file exits.

echo off
rem * * * * * * * * * * * * * * * * * * * * * * * * * * *
rem * Simple script to pick up files from MOVEit DMZ
rem * (via its FTP over SSL interface)
rem * and upload those file to another host via FTP
rem * * * * * * * * * * * * * * * * * * * * * * * * * * *
rem *
rem Fill out ALL the values below
rem *
SET MOVEitIP=securehost1
SET MOVEitUser=username1
SET MOVEitPassword=password1
SET RemoteIP=insecurehost2
SET RemoteUser=username2
SET RemotePassword=password2
rem *
rem * * * * * * * * * * * * * * * * * * * * * * * * * * *
echo Copying files from %MOVEitIP% as %MOVEitUser%
echo Copying files to %RemoteIP% as %RemoteUser%
mkdir work
echo prompt > frommoveit.txt
echo lcd work >> frommoveit.txt
echo mget *.* >> frommoveit.txt
echo quit >> frommoveit.txt
ftps -a -e:on -user:%MOVEitUser% -password:%MOVEitPassword% -s:frommoveit.txt %MOVEitIP%
del frommoveit.txt
echo prompt > toremote.txt
echo lcd work >> toremote.txt
echo mput *.* >> toremote.txt
echo quit >> toremote.txt
ftps -user:%RemoteUser% -password:%RemotePassword% -s:toremote.txt %RemoteIP%
del toremote.txt
del work\*.* /Q
rmdir work

Piping Directory Lists and Other Output to a File

People who write scripts around MOVEit Freely often find it useful to be able to write directory listings and other FTP output to a file.
The standard Windows executable-level pipe makes this easy.

Here is a one-line command which signs onto a secure FTP server, runs a script («myscript.txt») and pipes all output to a file («xxx.txt»).

C:\>ftps -e:on -a moveit.ipswitch.com -user:myuser -password:mypass -s:myscript.txt > xxx.txt

The «myscript.txt» script file contains the following commands.

prompt
cd home
cd "My User Folder"
pwd
ls *.zip
quit

The «xxx.txt» output file will contain output similar to the following.
The directory list begins after the «150» response.
Alternately, a «dir» command could be used in place of «ls» if the intent was to view a «column-view» directory listing.

220 Connected to MOVEit DMZ FTP server version 2.7.1.4
234 SSL enabled start the negotiation
Connected to moveit.ipswitch.com.
331 Password required for myuser
230-This area exists to provide our clients and business partners with secure,
immediate access to key resources.  Anonymous access is NOT permitted - please
contact Ipswitch for your complementary account
230-All time and date stamps displayed on this site are GMT -5 unless otherwise
specified.
230-This server is configured to do passive mode transfers only.
230 User myuser logged in.
215 Windows_NT version 5.0 (MOVEit DMZ FTP 2.7.1.4)
200 Integrity Mode Selected
ftp> Interactive mode Off .
ftp> 250 CWD command successful
ftp> 250 CWD command successful
ftp> 257 "/home/My Home Folder" is current directory
ftp> 227 Entering Passive Mode (66,170,5,143,46,224).
150 Opening ASCII mode data connection
backup.zip
DMZ_2751_Patch.zip
DMZ_NTFS_Advice.zip
DMZ_Training_26.zip
flbk.zip
gnugpg.zip
jgl_backup.zip
personalfirewall.zip
upload.zip
Using Local SMTP Relay.zip
ftp: 190 bytes received in 0.70Seconds 0.26Kbytes/sec.
226 Transfer complete
ftp> 221 Goodbye

FTP Protocol 101

Unlike most other Internet protocols FTP requires not one but TWO TCP/IP connections to
function properly.  The first connection is called the «control channel»
and is initiated by an FTP client to an FTP server.  (Nothing unusual so far.)  
FTP commands such as «USER» and «PWD» and simple responses are sent and received across this
the control channel. 

The second connection is called the «data channel».  Actual file data
— including DIRECTORY LISTINGS — is sent across the data channel.
  Unlike the control channel, the data channel does NOT remain connected throughout
an FTP sessions, but is only connected and available when needed.

Most FTP servers «listen» for control channel connections on TCP port 21.
(Or port 990 when FTP over SSL implicit mode is used.)
  Data channels are not as predictable, however. 

In «ACTIVE»
mode the CLIENT tells the SERVER which remote port to use and a data connection is
opened by the SERVER from port 20 back to the CLIENT on a random «high port».
(A «high port» is a TCP port numbered 1024-65535). 

«Active Mode» FTP

Картинка с сайта: docs.ipswitch.com

In «PASSIVE»
mode the SERVER tells the CLIENT which remote port to use and a data connection is
opened by the CLIENT from a random high port back to the SERVER on a random «high port».

«Passive Mode» or «Firewall-Friendly» FTP

Картинка с сайта: docs.ipswitch.com

Over the years, firewalls became increasingly involved in site-to-site file transfers,
and most firewalls learned
enough about the FTP protocol that they could DYNAMICALLY open up high ports
for FTP data transfer without requiring addition configuration
by actually reading FTP control channels.
In other words, a firewall technician dealing with regular FTP
would typically only need
to define a single «FTP» rule on his firewall
and would not need to define
additional rules to cover the data ports.

FTP over SSL

With the introduction of FTP over SSL, however, FTP-aware firewalls lost the ability to
dynamically open data ports because the firewalls could not longer read the control
channels. This meant that firewall technicians needed to start defining ranges of ports
for FTP sessions to use. The rules required to get FTP over SSL to work properly were
often alarming to security people for good reason. For example, a basic FTP over SSL
«ACTIVE DATA PORT» rule might allow OUTBOUND connections from the FTP server to ANY high port
ANYWHERE on the Internet. A basic FTP over SSL «PASSIVE DATA PORT» rule might allow
INBOUND connections from ANYWHERE on the Internet to ANY high port on the FTP server.
Obviously, some improvements needed to be made.

At this point we can safely discard the idea of using
FTP over SSL in ACTIVE mode, however, because any FTP client which supports
FTP over SSL also supports PASSIVE mode. (FTP over SSL in ACTIVE mode also
requires a great deal of holes to be poked in CLIENT firewalls, so it is
good we do not need to deal with it.) This leaves only FTP over SSL in
PASSIVE mode to worry about.

The knock against the FTP over SSL PASSIVE data port rule defined above is that
it allows traffic from ANY Internet address to ANY high port on the FTP server. It’s easy
to begin defining rules which restrict the ANY Internet addresses to SPECIFIC Internet
addresses, but an address spoofer would still have access to ANY high port on the FTP server.
(This is also really only an option for organizations which a finite number of users and
do not have restrictions on immediately firewall changes.) However, if you have a
decent FTP server (e.g. MOVEit DMZ),
it is relatively
easy to tell the FTP server itself to confine its passive data ports to a finite range
(e.g. 15000-15020). Now, your passive data port rule can have a finite range of ports too,
and because the SERVER is in charge of port assignments during PASSIVE transfers, you
never need to do anything to your FTP CLIENTS but tell them to use PASSIVE mode. (Some CLIENT
firewalls will need this range of ports configured in them too, but it’s still less work than
dealing with ACTIVE mode over SSL.)

MOVEit Freely complies with RFC 959 (regarding the FTP protocol) and uses SSL to
encrypt both the control and data channels.  (In particular, MOVEit Freely does not
implement the single channel, usually port 22 «secure FTP over SSH» mode.)

Client NAT

MOVEit Freely provides a client Network Address Translation («client
NAT») capability to help overcome problems with poorly-configured FTP
servers and firewalls.  These problems can prevent you from performing
transfers over data ports, even if you can connect and login on the control
port.  These problems occur in two similar circumstances:

• In active mode, the FTP server may be unable to connect to the client’s IP
  address due to an intervening network firewall.  
• In passive mode, you may not be able to connect to the FTP server because
  the address it has told the client to connect to is not reachable by the
  client.

These problems are particularly likely to occur in secure mode.  In
non-secure mode, many firewalls will automatically make adjustments to the PORT
and PASV transactions on-the-fly to compensate for the client and server being
on different networks.  This is not possible with secure connections,
because the firewall is unable to decrypt and rewrite the transactions.

Although these problems are best addressed by reconfiguring the FTP server
and/or firewall, users of MOVEit Freely do not always have administrative access
to do so.  MOVEit Freely thus provides two command-line parameters that
allow the user to work around these problems on the client end.

• The -natact:ipaddr parameter tells MOVEit Freely to tell
  the FTP server, in active mode, to connect to MOVEit Freely on IP address «ipaddr»
  rather than the client’s actual IP address.  In order to use this
  parameter, you must know an address by which the server can access your PC. 
  Note:  You cannot use this feature with MOVEit DMZ’s FTP server in
  active mode, because of a security feature in MOVEit DMZ which prevents the
  «hijacking» of a data port.  Use passive mode instead.
• The -natpasv parameter tells MOVEit Freely to ignore
  the IP address specified by the FTP server when the FTP server tells Freely to
  make a data connection in passive mode.  Instead, when this parameter is
  specified, MOVEit Freely will connect to the IP address that it used to make the
  control connection.

Basic Troubleshooting

Ipswitch rarely deals with «control channel» problems
encountered through MOVEit Freely because these problems provide such
instant feedback to the user.
For example, a user who cannot connect or sign on to an FTP server will usually
contact the technician in charge of the particular FTP server rather than
the client software vendor.

The problems Ipswitch does hear about are typically «data channel» problems instead.
Specifically, these involve the inability to start a data transfer or perform a directory listing.
(Many people do not know that FTP directory listing are technically data transfers too.)

To troubleshoot these problems, be sure you are running MOVEit Freely in DEBUG mode
(so you can capture a log), try to replicate the problem and see if it is described by
one of the situations described below.

«Six Octet» PORT Syntax

Before proceeding, however, you should know how to read «six octet» PORT syntax you will
see using many clients and servers.

227 Entering Passive Mode (192,168,3,15,15,180)

In this format, the first four octets are the IP address the remote machine is telling
the client to connect to. (i.e. «192.168.3.15») The two remaining octets describe the port
the remote machine is telling the client to connect to, but this calculation requires a
calculator. Take the fifth octet, multiply by 256 and add the sixth octet
to get the complete port number. (i.e. 15×256+180= «4020»)

Blocked ACTIVE Data Channel

In this situation, the FTP client asks the FTP server to connect to a specific
port on the FTP client, but access to that port is blocked by a client firewall
or a server firewall. Note the «PORT» command being issued by the client.

C:\>ftps -z -d -t:5 -e:implicit 192.168.3.15 -user:myuser -password:mypass
Connected to 192.168.3.15.
...
ftp> dir
---> PORT 192,168,3,165,12,195
200 PORT command successful
---> LIST
Timed out waiting for connection from server.
ftp>

Solution:

• If you are using FTP over SSL, consider using PASSIVE mode transfers instead.
• If you are not using FTP over SSL, consider switching to an «FTP-aware» firewall
  or use explicit firewall rules to un-block the data channel ports.

Blocked PASSIVE Data Channel

In this situation, the FTP server asks the FTP client to connect to a specific
port on the FTP server, but access to that port is blocked by a client firewall
or a server firewall. Note that there is no «PORT» command being issued by the client.
Instead, the server sends its IP address to the client.

C:\>ftps -a -z -d -e:implicit 192.168.3.15 -user:myuser -password:mypass
Connected to 192.168.3.15.
...
ftp> dir
---> PASV
227 Entering Passive Mode (192,168,3,15,15,178).
---> LIST
Unable to connect to server: The connection timed-out. timeout=5
150 Opening ASCII mode data connection

Solution:

• If you are using FTP over SSL, use explicit rules to un-block the data channel ports.
• If you have control over the FTP server, consider limiting the PASSIVE data channel
  ports to a specific range to avoid a confrontation with your security team.
• If you are not using FTP over SSL, consider switching to an «FTP-aware» firewall
  or use explicit firewall rules to un-block the data channel ports.

Incorrect Server Address using PASSIVE mode with FTP over SSL

In this situation, the FTP server returns an IP address (usually an internal IP address)
to be used for passive data transfer which is different than the IP address to
which you connected the client. (In the example below, «192.168.3.15» != «33.44.55.66»)
This is another situation which used to be taken care
of automatically by «FTP aware» firewalls before FTP over SSL existed.

C:\>ftps -a -z -d -e:implicit 192.168.3.15 -user:myuser -password:mypass
Connected to 192.168.3.15.
...
ftp> dir
---> PASV
227 Entering Passive Mode (33,44,55,66,15,178).
---> LIST
Unable to connect to server: The connection timed-out. timeout=5
150 Opening ASCII mode data connection
ftp>

Solution:

• If you have control over the FTP server, configure the correct
  external NAT address on the server itself to avoid the need to deploy this fix
  to all your clients. (Major commercial FTP over SSL servers, including
  MOVEit DMZ, have
  the built-in ability to send the correct IP address to clients in a NAT environment.
• Use MOVEit Freely’s Client NAT capability.
• See Ipswitch Secure FTP v. NAT White Paper for more information.

Distribution

The standard MOVEit Freely
installation packages will automatically
set the «PATH» variable to include the folder into which MOVEit Freely was
installed. This allows users to invoke the MOVEit Freely client
from any command line prompt. You should use the standard MOVEit Freely
installation packages for distribution if your clients will write their
own scripts OR are replacing existing FTP client scripts.

USB-Friendly «Portable» Deployment

«A portable app is a computer program that you can carry around with you on a
portable device and use on any Windows computer. When your USB thumbdrive,
portable hard drive, iPod or other portable device is plugged in, you have
access to your software and personal data just as you would on your own PC.
And when you unplug, none of your personal data is left behind.»
(Rare Ideas, LLC, 2005)

MOVEit Freely can be deployed/installed as a USB-Friendly «Portable» application.
Simply copy the contents of a MOVEit Freely archive file (e.g., «MOVEitFreely.zip»)
into a folder on your USB drive or other portable device.

With command line
applications, MOVEit Freely included, your personal information is
generally confined to what you have written in batch files or piped out
into log files. Please remember to keep any such batch or log files on
the portable drive too.

You may wish to add the portable directory in which you installed MOVEit Freely
to your PATH if you want to be able to invoke MOVEit Freely from any folder
without specifying a full path to the executable. If you often find yourself
running command-line applications in a portable environment, you will also
probably want to create a portable «Launch Command Line» shortcut and/or batch
file on your portable device so your favorite utilities are always available
in command-line sessions.

Custom Distribution

If you elect to roll your own distribution of MOVEit Freely, you MUST include:

• THIS DOCUMENT, AND…
• MOVEitOverview.pdf, AND…
• ftps.exe

You will probably also wish to include the supporting images required by this document,
all of which are found in the «images_MoveITFreely» folder.

You will also probably want to include any custom batch files, script input files and/or documentation
in your own distribution. Usually all these files are placed into a single «archive»
file (e.g., a «zip» file), but they may be bundled in other distributions
as permitted by the license found in this document.

Other MOVEit Products

Need MISSION-CRITICAL automation?

If you run more than 10 automated MOVEit Freely transfers or need mission-critical automated file-transfer,
please consider using MOVEit Central instead of MOVEit Freely.
MOVEit Central is a fully-automated, schedule and event driven file transfer engine.
It can move files between FTP servers, SSH servers, Windows file shares, email servers and comes with enterprise features such as remote control, task configuration/execution delegation, and automatic retry/resume of failed transfers.
(More info…)

Need your own secure file transfer server?

The first Windows-based secure file transfer server to support all three modes of FTP over SSL, the first to add SSH support, and the first one to support both protocols plus browser-based (HTTPS) transfers was MOVEit DMZ. In addition to three secure IN TRANSIT protocols, MOVEit DMZ features integrated FIPS-140-validated AT REST encryption to protect files while they are stored on the server. Request an evalution and join the banks, governments, hospitals and others who have stepped up to MOVEit secure file transfer today!
(More info…)

MOVEit Freely LICENSE

MOVEit � Freely is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. MOVEit Freely is licensed, not sold.

1. GRANT OF LICENSE. This license agreement grants you the following rights:

Installation and Use. You may install and use MOVEit Freely for your personal or company use. There is no charge for such use. You may also make copies of MOVEit Freely for backup and archival purposes.

Distribution. You may make unlimited copies of and may distribute to any party the original MOVEit Freely installation package as long as such distribution is performed without charge. You may reproduce or distribute components of the product (e.g., just «ftps.exe») as long as all MOVEit Freely documentation (including «MOVEitOverview.pdf») accompanies the software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble MOVEit Freely, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Software Transfer. You may not transfer your rights under this license agreement.

Termination. Without prejudice to any other rights, Ipswitch, Inc. may terminate this license agreement if you fail to comply with the terms and conditions of this license agreement. In such event, you must destroy all copies of MOVEit Freely and all of its component parts.

Rental. You may not sell, rent, or lease MOVEit Freely.

3. COPYRIGHT. All title and copyrights in and to MOVEit Freely, the accompanying printed materials, and any copies of MOVEit Freely are owned by Ipswitch, Inc. MOVEit Freely is protected by copyright laws and international treaty provisions. Therefore, you must treat MOVEit Freely like any other copyrighted material.

WARRANTY AND LIMITATION OF LIABILITY

WARRANTY. MOVEit Freely is distributed on an «as is» basis with no warranty, either expressed or implied.

OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IPSWITCH, INC. AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO MOVEit Freely, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.

LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL IPSWITCH, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE MOVEit Freely OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF IPSWITCH, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, IPSWITCH, INC.’S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS EULA SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR MOVEit Freely OR U.S.$5.00; PROVIDED, HOWEVER, IF YOU HAVE ENTERED INTO A IPSWITCH, INC. SUPPORT SERVICES AGREEMENT, IPSWITCH, INC.’S ENTIRE LIABILITY REGARDING SUPPORT SERVICES SHALL BE GOVERNED BY THE TERMS OF THAT AGREEMENT. BECAUSE SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

TRADEMARKS. MOVEit is a registered trademark of Ipswitch, Inc. All names of products and companies used in this document, the software, or the enclosed documentation may be trademarks of their corresponding owners. Their use in this document is intended to be in compliance with the respective guidelines and licenses.

Contacting the Vendor

MOVEit Freely is FREEWARE.
Support for MOVEit Freely is normally only available
to existing MOVEit DMZ customers and MOVEit DMZ evaluators.

To contact Ipswitch Support, go to: