Titan FTP Support QuickStarts

When you are ready to install Titan, access the most recent version of Titan FTP Server.

Launching the Administrator

To start the Administrator, double-click the Administrator icon in the Titan FTP Program Group. A shortcut to the Administrator program should also appear on your Windows desktop. Use the Titan FTP Administrator program to configure Servers, Groups, and Users, both locally and remotely.

The Administrator program is designed as a standard Windows application and contains a split screen with two panes separated by a vertical resizing bar. The left pane of the screen, or tree pane, displays the overall Titan hierarchy of Domains, Servers, Groups and Users. The right pane of the screen, or tab pane, displays configuration information and options based on what is currently selected in the tree pane. When you click on different items in the tree pane, the tab pane changes to display different dialog tabs, which include information and options relevant to the selected item.

Automatic Startup

Titan FTP is designed to run as a system service or background process. When Windows starts, the Titan Service will be running.

You can monitor the status of the Titan Service using the Titan tray applet in the Windows system tray.

By default, the Titan Service will run under the context of the standard LocalSystem or LocalService Windows User Account. When a user connects to the Titan server, all file access is normally performed by the Windows User Account on behalf of the logged-in MFT client user. Therefore, if there are files on a UNC Titan will access, the Titan Service must be re-configured to use a Windows User Account with proper NTFS permissions to the UNC share.

Applying your Registration Codes

If you are updating an outdated version of Titan, you must apply a new registration code to validate the Titan product. To activate your registration code:

1. Launch the Titan Administrator and click Activate License.
2. When the Product License Information screen appears, copy and paste your Titan FTP registration codes into the Registration Code field. To do this, copy your registration codes to your clipboard and click Get from Clipboard. Titan will apply the appropriate registration code(s) to the appropriate field(s).
3. Once you have pasted your registration codes into the Product License Information screen, click Finish.

You can also activate your registration code by selecting File > Licensing Information from the main menu in the Titan Administrator.

Domain Overview

The domain is the physical computer on which Titan is installed. The domain exists primarily to provide a grouping for the server or servers running on that computer. The Titan Administrator program connects to the domain to configure your servers.

The first time the Administrator is launched, the Local Domain Wizard will be launched. The Local Domain Wizard ensures that your computer is properly configured. Along with other configuration options, specify the username and password for local administration. Save this information; the Administrator will prompt you for your username and password every time it connects to the local domain.

Local and Remote Domains and Activity

When your Titan administrator launches, your domains will appear in the second level of the tree pane, under Titan FTP Domains.

When specifying a Directory or Path in Titan FTP, only use fully qualified Local Paths or UNC shares. Do not specify a mapped drive; these are not accessible from within the Titan Service.

Domain Activity will display a list of servers currently configured and running on the domain to which the Administrator application is connected. This will be empty if you’ve just installed Titan for the first time. If the Titan FTP Administrator application is connected to a remote domain, the tab will display servers configured and running on the remote domain.

The IP/Ports In Use tab, accessible from the Domain Activity category in the tree pane, displays the IP addresses and ports Titan is currently using.

For each server defined on the domain, FTP, FTPS and/or SFTP may be listed. This utility will not show non-Titan IP addresses and ports that are in use.

To display a complete list of all IP addresses and ports in use on the local computer, open a command prompt and use the NETSTAT utility. The -b command line argument can be used with NETSTAT to display the process/executable currently using the IP/port combination.

Configuring Servers

Titan FTP supports the ability to configure multiple server instances under a single domain or physical computer. Each server instance listens on its own IP address/port combination, which allows a virtually unlimited number of servers to run simultaneously. Each server can be configured to store data in a separate data directory, either on your local hard drive or on a shared network drive.

To create a new server configuration, launch the New Server Wizard from the main menu toolbar or via the right-click context menu for the domain under which you want the server to reside.
The New Server Wizard will walk you through the steps involved in configuring your server. You can start using a new server immediately.

Additional configuration options are available once your server is created. Using the Administrator program, server properties can be modified on the fly. With the Administrator open, select the server to configure from the left-hand tree pane. Under the server are categories with different options, and each category has sub-categorized tabs in the right-hand tab pane.

Server of choice selected, configuration options will appear in the tab pane. After making changes to the settings, click Apply to ensure the changes take effect. The Administrator will notify the Titan Service to reconfigure the server with the new settings.

You can also delete servers from the Administrator so long as they are not running. Use the right-click context menu to stop the server, or select the server and click the Stop button in the top menu. Once the server has been deleted, all associated Groups and Users will also be deleted from the system. In order to protect from any possible data loss, the Titan Administrator program will not delete the contents of the MFT Server Data directory or the Log directory; you must delete that information manually if it is no longer needed.

Uninstalling/Removing Titan

1. From the Windows Start menu, click Control Panel to open the Windows Control Panel.
2. Open Add/Remove Programs.
3. Select Titan FTP.
4. Follow the instructions on the dialog screens to remove Titan from your machine.
   You must restart Windows to have Titan completely removed from your machine.

Upgrading old Titan software to the most current version is the best way to ensure the security of your data. While outdated versions of Titan will work indefinitely, security standards change constantly. Without regular patches and updates, the software may become vulnerable to new methods of hacking. Following this guide to upgrade from any version of Titan without losing your Server, Group, or User configuration data.

NOTE: We recommend scheduling an 8-10 minute server outage to allow Windows to restart. Do not begin this process unless you are prepared to restart your computer and briefly take the server offline.

Back Up Titan Configuration Data

Back up the existing Titan configuration information stored in the system registry:

1. Open Regedit via Start > Run > Regedit.exe.
2. In the left-hand tree view, expand HKEY Local Machine > Software > South River Technologies.
3. From the main menu, select File > Export.
4. Save the file in “Win 9x/NT” format.

If you are running SSL and/or SFTP on your Titan server(s):

1. From the Titan administration console, expand the server, go to Security, select the FTPS/SSL tab, and note the certstore folder for each server instance running FTPS.
2. Go to Security, SFTP/SSH tab and note the host key folder for each server instance running SFTP.
3. Locate these folders and backup/copy them to a safe location.

Install Upgraded Titan

Deactivate your old Titan registration, install the upgrade, and activate your new registration codes.

1. Open the admin console. By default, the first page should be the Server Domain window with the License Details button. Click this and Deactivate the Titan FTP Server registration code. Deactivate the Web Interface Module registration code if this feature is enabled.
2. Run the Titan server installer in elevated mode (as administrator). You can find the latest version of Titan at http://www.webdrive.com/products/titan-ftp-server/.
3. Reboot the server and launch the administrator.
4. Navigate back into Titan FTP Server Domains, click the License Details button, and enter the new registration codes to activate your upgraded Titan FTP Server.

Moving data from old hardware is a fact for most corporations and can yield security and performance improvements to your file storage system. This guide will help you migrate either the current version of Titan or an updated version to new hardware without losing your Server, Group, or User configuration data. You will need to:

1. Install the upgraded Titan product
2. Back up your configuration data and move it to the new hardware
3. Activate your upgraded software and test it

Migrating Titan FTP Server

Install Titan on your new hardware in elevated mode (as administrator).

Install the new software in one of two ways:

• If you are upgrading Titan, install on the new server and activate using the new registration code.
• If you are migrating Titan to a new computer without upgrading the software, install Titan in trial mode on the new server.

Back Up and Import Titan Configuration Data

On the old hardware, make copies of all of your configuration data in order to move it to the new hardware:

1. Open Regedit via Start > Run > Regedit.exe.
2. Navigate to HKEY Local Machine > Software > South River Technologies > Titan FTP server > Servers registry key and select File > Export from the menu. Only the \servers key is required. This key holds the configuration(s) for each server instance previously set up in Titan.
3. Save the file in “Win 9x/NT” format.
4. Import this file into regedit on the new hardware.

If you are running SSL and/or SFTP on your Titan server(s):

1. From the Titan administration console, expand the server, go to Security, select the FTPS/SSL tab, and note the certstore folder for each server instance running FTPS.
2. Go to the Security SFTP/SSH tab and note the host key folder for each server instance running SFTP.
3. Copy these folders to the new server. Once the registry is updated, Titan will look for the certificates/host keys in these folders.
4. Finish the Migration

On your new hardware:

Stop/restart the Titan service to pull in the server configurations. Verify the new server setup(s) for each server instance. You may need to adjust some of the settings, such as the IP address the server instances are running on.
After testing settings and functionality, deactivate the old server. If you simply moved the Titan install without upgrading, activate the trial server install with the existing registration code.

Troubleshooting

Registration Code Failure

If you are unable to activate your new software using the upgraded registration code:

1. Ensure the admin application is running in elevated mode.
2. Ensure the everyone group, which includes every user, has full rights to C:\ProgramData\south river technologies\Titan FTP server.

If the issue persists:

1. Stop the Titan service, close the administrator, and stop the Titan tray application.
2. Go to C:\ProgramData\south river technologies\Titan FTP server and delete the .bin license file.
3. From the command line, run srxTitan /clean. This will not return a status/response given.
4. Run the admin console again and activate the server and webui (if applicable).

Migration Failure

If you are unable to access the Titan administrator application upon migration:

1. Verify that port 31000 is free (it could be in use by Java). You can either free up that port, or change the port on which the admin application is called:
   Open Regedit via Start > Run > Regedit.exe.
2. go to HKEY Local Machine > Software > South River Tchnologies > Titan FTP server > LDomain > LASPort and change it from 31000 to another port number (31005, for example).
3. Stop and restart the Titan service and attempt to access the admin console.
4. Set your antivirus/security suite applications to allow traffic on 127.0.0.1 from/to port 31000.

Cisco Systems, Inc. has recommended Titan FTP Server Enterprise Edition as an approved backup server for Cisco Unified Communications Manager (CUCM). Cisco will work with any SFTP server product with applications that require SFTP access, but Cisco recommends SFTP products that are certified with Cisco through the Cisco Technology Developer Partner Program (CTDP). CTDP partners, which include Titan FTP Server, certify their products with a specified version of CUCM.
This document explains how to configure CUCM to back up to an SFTP-configured Titan FTP Server with two simple steps:

1. Set up Titan SFTP Server
2. Configure CUCM for backup functionality

Set up an SFTP Server

Configure your Titan FTP Server to accept SFTP connections from the Cisco Unified Communications Manager:

1. Launch your Titan FTP Server Administrator.
2. Select and expand the server instance.
3. Select Security, then click the SFTP/SSH tab.
4. Enable SFTP and accept the default SFTP port, 22; CUCM does not support non-standard SFTP ports. The SFTP version and Cipher/MAC preferences may be left as default.
5. Click the Host Key Management button.
6. When the Host Key Manager appears, click Create and generate an RSA key of the desired key length (higher key lengths provide more security while shorter key lengths speed up the process). Assign and confirm a host key password, then click Finish.
7. Using the dropdown arrow, select the newly created key, supply the password, and click Apply.

At this point, the SFTP server should be set up to receive SFTP logins.

Configure CUCM for Backup

To configure your CUCM to back up to the Titan SFTP Server, complete the following steps:

1. Log into the Disaster Recovery System of the Cisco Unified Communications Manager and choose the Backup Device option from the Backup menu.
2. When the Backup Device List window appears, click the Add New button in order to add a new backup device.
3. When the Backup Device window appears, enter this Network Directory information into the Select Destination section of the Backup Device window and assign a name for the backup device:
   1. Server name – IP address of the Titan SFTP server
   2. Path name – path name for the directory where you want to store the backup file
      Note: In the Cisco Unified Communications Manager settings, you only need to specify the Path Name as ./ (not C:\).
   3. User name – user created in the Titan SFTP server
   4. Password – password for this user
4. Choose the Manual Backup option from the Backup menu.
5. When the Manual Backup window appears, select any one of the backup devices from the Device Name list and select the features you would like to backup.
6. Click the Start Backup button in order to start the backup process.

Corporate networks today rely on a router and/or firewall to protect their computers or LAN (Local Area Network) from unauthorized access by outside users. Firewalls provide a high level of security by preventing inbound traffic (from computers outside the LAN, on the Internet) while allowing outbound traffic.

To ensure users have access to a Titan server newly installed on the internal LAN without endangering the computers linked through the LAN, use port forwarding on the firewall to direct the TCP/IP traffic to the proper computer. Port forwarding is used by most routers/firewalls. Put simply, port forwarding literally forwards data incoming on a specific port to the same port on a different computer.

Both your router/firewall and Titan will need to be configured according to this QuickStart to use port forwarding.

Configuring your Router/Firewall

During port forwarding, the firewall will redirect traffic to the Titan server based on IP address. Therefore, the LAN computers must use a static IP address the firewall can always refer to. If the Titan Server’s IP address is DHCP (Dynamic Host Configuration Protocol) based, the firewall could forward the data to the wrong computer.

To set up a static IP on a Titan installed on an internal LAN-based computer:

Retrieve the external public IP address of the firewall, the internal IP address of the router, and the internal LAN IP address of the Titan server.
Have the Network/LAN Administrator reconfigure the firewall to forward server traffic to the Titan Server according to the following table:

Protocol Ports to Route

• FTP 21, 20, 50000-50050 (range depends on number of users; see below)
• FTP/S 21, 990
• SFTP 21
• HTTP/WebDAV 80
• HTTPS/WebDAVS 443
• AS/2 443

We recommend opening a range of 2 ports per user. So for a system with 100 users, 200 passive ports would be appropriate. These ports will be used for transferring data and directory listings to the client. Do not use a single port, as this may result in data transfer failures for clients. Our example uses 50,000-50050, but this range can cover any sequence, so long as Titan’s passive port range settings match. If you have heavy traffic through your firewall, you may want to specify a wider range of ports.

Configuring Titan FTP to Use a Router/Firewall

Run the Titan Administration utility and start the New Server Wizard. Follow the steps to create a new server.

1. Click the dropdown arrow to choose your IP Address. Any available IP address indicates that the server will listen on all IP addresses that are configured on the PC along with the local IP address of 127.0.0, also known as localhost. Type the WAN address (the Public IP address for use outside the router). You do not need to type “http” (ie, myserver.com).
2. On the “Enable or disable FTP access for this server” page of the wizard, select Enable FTP Services. Select the FTP Port number by using the up/down arrows. Select This server is sitting behind a router/firewall and type the External WAN IP address of router/firewall. Click Next.
3. You must enable FTP access if you are using FTPS with explicit SSL (also known as AUTH SSL). The FTP protocol (RFC-959) establishes default ports for FTP traffic. Port 21 is the default port for the primary control connection, and port 20 is sometimes used for the default data connection. If you install a Titan Server on your internal LAN and have the requirement that users must be able to access the server from the Internet, your router must be configured with ports 21 and 20 open (or ports 21 and 990 for FTPS). The router must also be configured to provide port forwarding for traffic through the firewall to the computer being used as the FTP Server.
4. Finish the New Server Wizard and expand the newly-created server in the left-hand tree menu and select Connections. Select the Connections Advanced tab. Enable Allow PASV mode connections. Enable Limit PASV Port range from and set the range to the same range as the firewall. Once you have configured your settings, click Apply.

Testing Your Server

If you would like to test your server, download a secure file transfer client like WebDrive, or use the following instructions to test your server using a command prompt.

Test your Server Using a Command Prompt

1. On the computer with Titan installed, open a command prompt and use the command line FTP utility to connect to the Titan server:
   Type: ftp <ip-address of server>
2. You will see a welcome message from the Titan server, including the IP address, which will look something like the test response below (192.168.2.104).
3. Log onto Titan using a user account or using anonymous if anonymous access is enabled.
4. Log on and issue the DIR command to see if a directory listing can be created. The Windows FTP client will run in Active/Port mode; you should see a directory listing of existing files:
   Type: dir
5. While still in the FTP session, test to see if the Titan Server will return the proper passive address and port for internal LAN clients:
   Type: literal pasv
6. Titan will respond with numbers like (192,168,2,104,4,2), the IP address and port Titan is listening on for a data connection from the client. The first four numbers should match the IP address the Titan Server is listening on. The last two numbers are the port, mathematically broken down. Since our port range is 1025-65535, the port will fall into this range, beginning at the low end and incrementing sequentially to the last port, then returning to the first port in the range. For our example, Titan used port 1026, written as 4 * 256 + 2 .

Once you succeed, connect to the server from the Internet in PASV mode; Titan should return information. If you receive an error, the firewall is not routing the passive ports correctly to the Titan server, or the Titan server is not returning the public/external IP address of the firewall as part of the response to the PASV command.

Virtual Folders can be mapped into a server’s data directory and used to link, or map, external folders into a user’s directory space.

In other words, in a Virtual Folder, data appears to reside within your computer’s native folder structure; however, the data is actually stored somewhere else. If you are a Windows user, you can think of a Virtual Folder as a Windows Shortcut. For UNIX users, Virtual Folders are very similar to Symbolic Links.

One of the benefits of Virtual Folders is the ability to access network shares. Cornerstone MFT Server supports the ability to add a UNC (Universal Naming Convention) path into the namespace. For example, if you have a share on your network called \\MyServer\My Music\, you can use Virtual Folder support to map that into your Server Data Directory as /public/My Music/ or /user/joe/My Music/.

Virtual Folders can be added at the Server, Group, or User level. Virtual Folders added at the User Level are limited to one specific user. Group-level Virtual Folders allow data to be shared with all users of a given group.

Permissions

When you add a Virtual Folder to a Cornerstone MFT Server configuration, the default Directory Access Permissions will be set to Read Only. Users with Read Only access are allowed to browse the folder and download information but aren’t able to modify the contents or upload files. The administrator can adjust user and group Directory Access Rights to Virtual Folder data.

Configuring the Virtual Folder

1. Run the Titan administrator. Expand the appropriate server and the Groups category.
2. Expand the appropriate group. Select Files/Directories and click the Virtual Folders tab. Click Add.
3. Browse to the real location of the folder you would like to become a Virtual Folder. This will select the fully qualified path that will be mapped to the namespace for this group. You may select a folder on your local computer or a previously shared network folder. If you are mapping a UNC share, make sure the account under which the server is running has access to the UNC.
4. Select the location within your namespace where you would like this folder to appear.
5. Select the default Access Rights for this new Virtual Folder using the check boxes. Click Next.
6. Enter the path information as it will appear in the user’s directory. The folder selected in step 2 will appear as a subdirectory of this folder. Here you can change the name of the folder. The virtual path is pre-filled with the %USERDIR% variable to ensure the Virtual Folder appears as a subfolder under the user’s home directory. Click Finish to generate the Virtual Folder mapping.

The Virtual Path and the Actual Path are now displayed in the Virtual Folders tab. Click Apply.

Testing the Virtual Folder

To test the Virtual Folder:

1. Open a Command Prompt and connect to ftp localhost.
2. When prompted, enter a username (and matching password) of a user included in the group. Once logged in, enter the dir command. The VirtualFolder you just created should now display as a subdirectory under the user’s home directory.

Note that Virtual Folder updates are not real-time. If a user was connected to the server when you made changes to the Virtual Folder list, the user would need to log out and back into the system to see the Virtual Folder changes.

Unauthorized users or hackers attempting to guess usernames and passwords in order to gain access are some of the most common dangers to servers. Titan FTP Event Management can help thwart them by detecting invalid user attempts. Titan FTP will kick that connection from the server and ban future access from the client IP address.

The following instructions will help you set up a Titan FTP Server to defend against hackers using the built-in Event Management functions.

Enacting these three actions using the Titan FTP Event Manager will trigger in the event of a hacking attempt and will help protect your server from being compromised:

• Send Email
• Kick User
• Ban IP Address

Event Management Best Practices

The Event Management actions are only a few ways you can use Titan FTP Event Management to monitor unauthorized access to the server. Regardless of the event and action configuration for each event, whenever you create new events it is a good idea to send an email notification to the system administrator, especially if you have defined an action that bans someone from accessing the system. Although rare, on occasion valid users may be banned from the system because of user error.

Configuring the Event Handler

Once you have created your server using the New Server Wizard, the server starts and appears in the main Titan FTP Administrator window. A server icon with a green light will appear to indicate that the server is running.

You will use the Titan FTP Administrator to configure your Event Handler. Expand the server you would like to modify from the left-hand tree view and select Events. Click Add to add the event. The Titan FTP Event Handler Wizard will launch. The Event Handler Wizard will allow you to add events and conditions and actions for those events.

• Add Events – In the Event Handler Wizard: Set Events Wizard, expand User Events and check the “User login attemt failed” option to enable it. Click Next.
• Set Conditions – To use the “login attempt failed” event to thwart hackers, you want to capture all connection attempts; do not specify any conditions. Click Next.
• Set Actions – Enable the following actions to protect against potential hacking attempts:
• Kick User – Terminates the current connection session and prevents the user from issuing another USER command. When you select this, a dialogue box will appear. Keep the default %USERNAME% setting and click OK.
• Ban IP address – After checking to see if the IP Access Restrictions feature is enabled at the server level and, if necessary, enabling it, the Event Manager then adds the current IP address to the IP Access Restrictions list and marks it as banned. No connections will be accepted from this IP address in the future. Leave the default %CIP% entry in the dialogue box that appears.
  • WARNING: Please note that this feature may potentially ban good users permanently if they accidentally enter incorrect information. Take precautions to monitor banned IP addresses closely and inform users.
• Send Email – Notifies the server administrator each time the event is triggered. The server administrator can then double check to make sure a valid user was not banned from the system. Select Send Email and enter the From and To email addresses and the Subject of the email. You may want to include details about when the event occurred in the body of the email. We recommend including the time, the server name, the IP address of the client, and the username that was used during the hack attempt. If the message is HTML, select the HTML Message check box. Click OK.

Now that you have defined your actions, your Event Handler list should look like our example. Click Next.

Type a name for this Event Handler; you may also enter a description. This Event Handler is enabled by default. You may Test Fire this Event Handler now; however, since you do not have a valid client IP address or user name, the test will not be 100% accurate. Click Finish.

The event you just defined should be displayed.

Testing Events

To properly test events, log onto the server using an invalid user name.

1. Open a Run Prompt window on the local computer (Start>Run).
2. Type “ftp localhost” and click OK.
3. The Command Prompt window should appear, prompting you to type a username. Type a username that does not exist on the server. You will then be prompted for your password. Enter a fake password.
4. Try to log on again by typing “user root.” You will see that you are now kicked from the server.
   1. NOTE: Titan FTP Server will ask for a password even when a username doesn’t exist in the system. This is an added security feature to prevent hackers from fishing for valid usernames.

To test the Ban IP action, quit the current FTP session and, from the Command Prompt, open a new session by typing “ftp localhost.” You will receive a message indicating that you are now connected to the server. The connection will then be terminated because the server has banned access from your IP address.

To clear this IP address from the banned list, launch the Titan FTP Administrator. From the Titan left-hand tree view, select the server and Connections. Use the left/right arrows to view the IP Access tab. The banned IP Address now shows in the window. Select the IP Address and Click Delete. Click Apply to apply the change.