CompleteFTP

User's Guide
Table of Contents
Overview
Product overview
Requirements
How to select the edition
License agreement
Revision history
Installation
Installation
Uninstalling
How to run the server
How to use the manager
How to migrate to another machine
How to automate installation
How to activate an installation of CompleteFTP
How to upgrade
Tutorials
Getting started
Getting started with EC2 (Amazon)
Connecting with Filezilla
Connecting with WinSCP
Step-by-step guides
Overview
Add a non-Windows user
Add a Windows user (Standard Edition)
Add a Windows user (Professional and Enterprise Editions)
Set up public-key authentication for a user
Allow all users from a Windows group to log in
Authenticate users from a database
Change the home folder of a user
Add a network folder
Allow users to share a folder (Method 1)
Allow users to share a folder (Method 2)
Allow users to share a folder (Method 3)
Block connections from specific IP addresses (blacklisting)
Accept connections only from specific IP addresses (whitelisting)
Accept connections only from specific users at specific IP addresses
Restrict some users to connect only from specific IP addresses
E-mail notification when a file is uploaded
Move a file to another directory after it's been uploaded
Add a scheduled task
Accepting connections from the internet
Share a file using CompleteBox
Customize the web login page
Host a web-app in CompleteFTP
Add my own authentication method
Configure SAML Single Sign On with OneLogin
Request a CA certificate
Install a CA certificate
Activate CompleteFTP free
Activate the paid editions
Set up a cluster
Overview panel
Overview
Site configuration
Settings/Sites
FTP/FTPS settings
SFTP/SCP/SSH settings
HTTP/HTTPS settings
File sharing settings
File system settings
General user settings
IP filtering and auto-banning
Limits and timeouts
Messages
How to secure your server
How to set a default Windows domain
How to use HTTP/HTTPS
How to use the File Manager
How to format HTML listings
How to customize the welcome page
How to use CompleteFTP with firewalls
How to set an external IP address
How to set a PASV port range
How to set up the server certificate
How to set up a CA certificate
How to generate a CSR
How to purchase a CA certificate
How to install a CA certificate
 How to import SSL certificates in other formats
How to set up the server SSH keys
How to use SSH terminal access
How to use SSH forwarding
How to configure anonymous logins
How to use multiple sites
How to view the Admin site
File system
File system
How to create a virtual folder
How to add a Windows folder
How to add a Windows special folder
How to view system folders
How to add a network or macro folder
How to add a gateway folder
How to add a Azure Share folder
How to add a Amazon S3 folder
How to insert macros into folder-names
How to give users shared access to a folder
How to set a folder's permissions
How to enable encryption at rest
How to list a folder-tree
How to extend the filesystem
How to stop executables being uploaded
How to mount ZIP files as directories
How to enable backslash separators
How to customize the welcome page
Users
Users
General user settings
How to add a Windows user
How to add a non-Windows user
How to add multiple users
How to change user properties
How to view system users
How to enable encryption at rest
How to configure database users
How to configure automatic Windows users
How to configure gateway users
How to configure single sign-on (SAML) users
How to set user quotas
How to set up public key authentication (SFTP/SCP)
How to control user access by IP address
How to use SSH terminal access
How to use SSH forwarding
How to configure anonymous logins
How to set up client certificates (FTPS)
How to make a user's home dir root
How to give users shared access to a folder
How to set password policies
How to make user accounts expire
How to manage groups
File sharing
File sharing
How to enable file sharing
How to install CompleteBox
File sharing vs file storing
How to share files with CompleteBox
How to store files with CompleteBox
File synchronization
How to configure CompleteBox
Clustering
Clustering
How to enable clustering
How to change primaries
How to resolve problems
How to activate cluster nodes
How to upgrade a cluster
Multiprotocol gateway
Gateway
How to configure a gateway
How to add a gateway folder
How to configure gateway users
How to configure a gateway authenticator
Events
Events
How to set up email notifications
How to set up process triggers
How to set up a scheduled event
How to write JSS process triggers
How to write a JSS event
 Tutorial 1
Tutorial 2
Tutorial 3
Tutorial 4
How to write FTP scripts
FTP script command reference
Event macros
How to write your own events
Web-Apps
Web-app Hosting with CompleteFTP
Web-App Basics
Using templates
Web-app examples
Custom extensions
Custom Extensions
.NET extensions
How to write a .NET extension
.NET authentication extensions
Simple .NET authentication extensions
Advanced .NET authentication extensions
.NET file-system extensions
.NET custom command extensions
.NET event extensions
JSS-to-.NET bridge extensions
How to add logging to a .Net extension
JSS extensions
How to write a JSS extension
JSS authentication extensions
Simple JSS authentication extensions
Advanced JSS authentication extensions
JSS file-system extensions
JSS custom command extensions
JSS IP filter extensions
JSS (Javascript Server-Side)
JSS RPC Reference
Monitoring
Monitoring
Real-time logging
Server log files
Manager log files
Changing the log file location
Enabling auditing
Modifying the logging configuration
Producing clean log files
Getting diagnostics for support
Performance
Performance
Administrator access
Administrator access
How to access the Admin Web-App
How to change the administrator site settings
How to manage the server remotely
How to add extra administrator users
How to do command-line administration
Administration with UNIX-like scripts
Administration with JSS scripts
Command-line reference
How to secure your server
Security
Security overview
How to secure your server
How to set password policies
How to disable SSL 3.0
Licensing
Licensing overview
How to activate an installation of CompleteFTP
How to migrate to another machine
How to resolve restricted mode
How to automatically import a license
Support
Support
How to get diagnostics for support
How to contact support
FAQ
CompleteFTP revision history
CompleteBox revision history
Reference
Revision histories
CompleteFTP revision history
CompleteBox revision history
File transfer guide
FTP
Protocol overview
Active and passive modes
FTP commands
Sample scenarios
Data types
Session commands
File commands
Directory commands
FTPS
FTPS - Securing FTP with TLS
Implicit FTPS and explicit FTPS
Securing control and data channels
FTPS commands
FTPS usage
Security
The essentials of FTP security
Public key cryptography
Certificates and certificate authorities (CAs)
Obtaining keys and certificates
Server and client validation
Hostname checking
Selecting ciphers
SFTP and SCP
SFTP and SCP
SSH - Secure shell
SCP - Secure copy
Comparison of FTPS and SFTP
HTTP and HTTPS
HTTP protocol overview
HTTP methods
HTTP sessions
HTTPS
IETF Standards
About this manual
PRODUCT OVERVIEW
CompleteFTP is a high performance Windows file server supporting secure file transfer via FTPS (FTP over SSL), SFTP (FTP over SSH), HTTP, HTTPS, SCP and SSH.
CompleteFTP also supports web applications written in Javascript, and collaborative file sharing.

Easy to install, fast, and easy to configure, CompleteFTP is the ideal server solution for securing file transfers on Windows. Features include:

Full support for FTP and FTPS (FTP over SSL) [All editions]. Includes implicit and explicit FTPS, and TLS 1.2. Now includes Elliptic Curve Cryptography (ECC) Cipher
Suites (from 11.0.6) and AES Galois Counter Mode (GCM) Cipher Suites (from 12.1.2).
Full support for SFTP (FTP over SSH) [Standard Edition or better].
Support for HTTP and HTTPS [Professional Edition or better], including support for Javascript FileManager, directory listings and HTTP uploads (unlimited in size!).
Custom MIME types are supported.
Full support for SCP [Professional Edition or better].
Multiple administration options:
Modern Windows application for full control of server configuration [All editions].
Mobile-friendly web-app for user management and monitoring [Professional Edition or better].
Command-Line Interface (CLI) [Enterprise Edition only].
Configuration Object Model accessible through Javascript (JSS) [Enterprise Edition only].
Support for encryption at rest [Enterprise Edition only].
Support for SSH tunneling/SSH local port forwarding [Professional Edition or better].
Support for SSH terminals [Professional Edition or better].
Support for collaborative file sharing [Professional Edition or better].
Support for CompleteFTP as a SAML Service Provider [Enterprise Edition only].
Support for web applications using server side Javascript (JSS) [Professional Edition or better].
Support for customized and automated installation [Enterprise Edition only].
Support for custom Javascript or .NET extensions for authentication, custom file-systems, events, custom commands and IP filters [Enterprise Edition only].
Support for generation of Certificate Signing Requests (CSRs) for submission to a Certificate Authority (CA) to obtain a CA certificate [All editions].
SSL self-signed certificate generator [All editions].
Ability to act as a multiprotocol gateway for other servers. Use CompleteFTP to provide secure access via FTPS or SFTP to an existing FTP server. Add FTP or FTPS
support to an existing SFTP server [Enterprise Edition only].
Support for file sizes greater than 4 GB [All editions].
Unlimited number of users [All editions].
User disk and bandwidth quotas [Professional Edition or better].
Extensive real-time charts for performance monitoring [Professional Edition or better].
Email notification of events such as upload, download, delete [Professional Edition or better].
Process Triggers for launching server processes, Powershell scripts, batch scripts or FTP scripts when events such as uploading or downloading occur [Professional
Edition or better].
Auto-banning [Available in all editions - customizable in Professional Edition or better].
IP filtering [Professional Edition or better].
Remote administration [All editions].
Virtual File System [All editions].
ZIP-file navigation [Professional Edition or better]. Users can change into folders within ZIP files and download specific files without downloading the entire ZIP file.
CompleteFTP (non-Windows) users [All editions].
Windows users [Standard Edition or better].
Automatic Windows / AD (Active Directory) users [Professional Edition or better]. Support for Windows domain users and can set a default domain.
Support for external users (e.g. stored in an external database) [Professional Edition or better].
Step-by-step guides built into management interface.
REQUIREMENTS
CompleteFTP will run on most versions of Windows: Windows XP (needs Service Pack 3), Vista, Windows 7, Windows 8.x, Windows 10, Windows Server 2003, Server 2008,
Server 2008 R2, Server 2012 and Server 2016. Both 32 bit and 64 bit versions of Windows are supported.

CompleteFTP also runs on Windows Azure and Amazon's Elastic Compute Cloud (EC2).

In terms of processing power, we recommend at least a dual core CPU, as encrypted transfers are CPU intensive. If the network connection is fast, CPU will be the bottleneck. If
CompleteFTP is being run in a VM, we recommend allocating at least 2 vCPUs to the VM.

CompleteFTP has a low memory footprint so memory should never be an issue, although in a VM be sure to allocate at least 1 GB.
HOW TO SELECT THE EDITION
CompleteFTP comes in four editions: Free Edition, Standard Edition, Professional Edition and Enterprise Edition.

A comparison of the four editions can be found here. The trial installer will start you off in Enterprise Edition, but you can easily downgrade and upgrade between editions in
the Licensing panel during the trial period.

The differences between the editions are shown in a table here.

Note that CompleteFTP is licensed on a per machine basis, i.e. one license is required for each machine it is installed on, unless the Corporate License is purchased. The
Corporate License permits installation on any number of machines in the corporation, and optionally provides a universal activation key so online activation is not required.

Upgrading

If you have purchased the Standard or Professional Edition but subsequently decide that you require the features of a higher edition, you can upgrade for the cost of the price
difference plus a USD 30 administration fee - please contact us to arrange this (and include your purchase reference in your email).
COMPLETEFTP SERVER SOFTWARE LICENSE AGREEMENT
We Enterprise Distributed Technologies Ltd grant you license to use this Software on the following terms:

1. License and support

1. This Software is licensed and not sold to you. Your use of this Software is governed solely by the terms of this License. This License is personal to you.
2. This Software is owned by us, save for certain elements of it which are owned by The KPD-Team; The Legion of the Bouncy Castle, Inc; Chew Keong Tan; Routrek
Networks, Inc; ComponentAce; Developer Express Inc; The Mentalis.org Team; Novell, Inc; Motus Technologies Inc; Studio 42; Evgen Noskov; The Outercurve
Foundation; Digitaliseringsstyrelsen; The Legion of the Bouncy Castle Inc., and akveo.com. This Software is protected by copyright law, and the owners reserve
ownership of all Intellectual Property Rights in it, and all rights other than those expressly granted by this Agreement. Copyright notices for other parties can be found
here.

3. You must take reasonable steps to protect the Software from unauthorised copying, publication, disclosure or distribution.
4. Technical support is initially available via email for 12 months after the date of purchase of a Full License (and can be renewed annually). We will endeavour to
respond to queries as soon as possible, but cannot guarantee a response within any particular time frame. Note that if excessive use is being made of technical
support, an additional payment not exceeding the payment required for 12 months' technical support will be required. Excessive use is defined on a calendar year
basis as exceeding five separate issues per server license. For a Corporate Server License excessive use is defined as exceeding fifty separate issues in a calendar
year. All technical support queries must be submitted via a designated support person.
5. Support agreements must be renewed within 6 months of expiry, otherwise the higher expired support renewal price will apply.
6. Where use is permitted by this License, such use includes
1. the making of no more than a reasonable number of backup copies of the Software; and
2. the right to utilise and make prints for your own personal use (but not otherwise copy) any instructional and/or operational manuals relating to the Software.
2. Free License
1. The Free License is applicable to the Free Edition of this Software. It does not apply to the Standard Edition, the Professional Edition, or the Enterprise Edition.
2. You are entitled to install the Free Edition of the Server Application on any number of machines within your organization.
3. Administrator Application. We grant to you the right to install and use the administrator application on an unlimited number of machines.
4. Technical support is not included with the Free Edition, but may be purchased separately. If support has not been purchased, queries can be posted on the
Enterprise Distributed Technologies Ltd public forums, but responses and response times are not guaranteed.
5. Free Licenses can be converted to Full Licenses by payment of the applicable License fee.
6. You may not use the edtftp.exe program independently of CompleteFTP. It cannot be invoked or executed by any other program or from the command-line.
7. You may not modify the Software. You may not disassemble, decompile, or reverse engineer the Software, or otherwise attempt to discover the source code of the
Software.
3. Trial License

Until and unless you buy a Full License or convert to a Free License for the use of the Software:

1. Your rights are limited to

1. use for evaluation purposes only, and
2. use for 30 days following first installation only; thereafter, the Trial License converts to a Developer License (the 30 day Trial License period may be extended
on request).
2. You may not use the edtftp.exe program independently of CompleteFTP. It cannot be invoked or executed by any other program or from the command-line.
3. You may not modify the Software. You may not disassemble, decompile, or reverse engineer the Software, or otherwise attempt to discover the source code of the
Software.
4. Developer License

Until and unless you buy a Full License or convert to a Free License for the use of the Software:

1. Your rights are limited to use for evaluation and code-development purposes only, indefinitely.
2. You may not access the Software in any way from a machine other than the machine on which the Software is installed.
3. You may not use the edtftp.exe program independently of CompleteFTP. It cannot be invoked or executed by any other program or from the command-line.
4. You may not modify the Software. You may not disassemble, decompile, or reverse engineer the Software, or otherwise attempt to discover the source code of the
Software.
5. Full License

Subject to payment of the full License fee:

1. Server Application. We grant to you a non-transferable and non-exclusive license to install the Server Application for use on the number of server machines for which
you have purchased separate licenses.
2. In the case of a Corporate License, you are entitled to install the Server Application on any number of machines within your organization, i.e. the legal entity which
purchased the license. A Corporate License is not a multi-national license, i.e. it is applicable only within the country of purchase.
3. Administrator Application. We grant to you the right to install and use the administrator application on an unlimited number of machines provided that you are licensed
to use the Server Application.
 4. You may not use the edtftp.exe program independently of CompleteFTP. It cannot be invoked or executed by any other program or from the command-line.
5. You may not modify the Software. You may not disassemble, decompile, or reverse engineer the Software, or otherwise attempt to discover the source code of the
Software.
6. CompleteBox User Licenses

Subject to payment of the full license fee:

1. We grant to you fifty (50) CompleteBox User Licenses in the case of the Professional Edition, and unlimited CompleteBox User Licenses in the case of the Enterprise
Edition. Each CompleteBox User License permits a single CompleteBox user to connect to the Server Application for the purposes of file sharing. A CompleteBox user
is a human being, not a user account shared between people. Each person using CompleteBox requires a CompleteBox User License. They may use their license
from any client machine, i.e. a person with a CompleteBox User License can connect from multiple machines. File sharing is not supported in the Standard Edition,
and no CompleteBox User Licenses are granted.
2. All CompleteBox technical support queries must be submitted via the designated support person for the Server Application.
7. Warranties, and Limitation of Liability:
1. You acknowledge that
1. you have had the opportunity to evaluate the Software without charge, and that you have satisfied yourself that it meets your requirements in all material
respects
2. it is not technically practicable to guarantee software to be error-free, and you agree that if any such errors are found to exist they shall not constitute a breach
of this Agreement
3. the Software is provided for use by you as an expert, and that where you decide to incorporate the Software in an application created by you, it is solely your
responsibility to carry out all appropriate testing and to determine its suitability for your intended purpose. You will therefore indemnify us against any and all
claims that may be brought by a third party in relation to any applications distributed by you which incorporate the Software, whether or not the terms of the
License you have bought permit such distribution.
2. THE SOFTWARE IS NOT WARRANTED TO BE FAULT-TOLERANT, AND IS NOT INTENDED FOR THE DESIGN, CONSTRUCTION, MAINTENANCE, OPERATION,
CONTROL, OR ANY OTHER USE IN CONNECTION WITH HIGH RISK SYSTEMS. WE SPECIFICALLY DISCLAIM ANY EXPRESS OR IMPLIED WARRANTY OF
FITNESS FOR PURPOSE IN CONNECTION WITH HIGH RISK SYSTEMS. ‘High Risk Systems’ means systems in environments requiring fail-safe performance (such as
nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems), in which the failure of the
software could lead directly to death, personal injury, or severe physical or environmental damage. You agree that you will not use the software for any purpose in
connection with High Risk Systems.
3. THIS SOFTWARE IS PROVIDED ``AS IS'', AND TO THE EXTENT PERMITTED BY THE APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES WITH RESPECT TO
THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
PARTICULAR PURPOSE.
4. ALTHOUGH WE DO NOT WARRANT THAT THE SOFTWARE SUPPLIED HEREUNDER SHALL BE FREE FROM ALL KNOWN VIRUSES WE HAVE USED
COMMERCIALLY REASONABLE EFFORTS TO CHECK FOR THE MOST COMMONLY KNOWN VIRUSES. YOU ARE NEVERTHELESS SOLELY RESPONSIBLE FOR
VIRUS SCANNING THE SOFTWARE.
5. WE SHALL NOT BE LIABLE TO YOU OR TO ANYONE ELSE FOR ANY LOSS OR DAMAGE WHATSOEVER OR HOWSOEVER CAUSED ARISING DIRECTLY OR
INDIRECTLY IN CONNECTION WITH THIS LICENSE, THE SOFTWARE, ITS USE OR OTHERWISE, EXCEPT TO THE EXTENT THAT SUCH LIABILITY MAY NOT BE
LAWFULLY EXCLUDED UNDER THE APPLICABLE LAW.
6. NOTWITHSTANDING THE GENERALITY OF THE ABOVE, IN NO EVENT WILL WE BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL LOSS
OR DAMAGE WHICH MAY ARISE IN RESPECT OF THE SOFTWARE, ITS USE, OR IN RESPECT OF OTHER EQUIPMENT OR PROPERTY, OR FOR LOSS OF
PROFIT, BUSINESS, REVENUE, GOODWILL OR ANTICIPATED SAVINGS, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS.
7. IF ANY EXCLUSION OR LIMITATION CONTAINED IN THIS LICENSE SHALL BE HELD TO BE INVALID FOR ANY REASON AND WE BECOME LIABLE FOR LOSS OR
DAMAGE THAT MAY LAWFULLY BE LIMITED, SUCH LIABILITY SHALL BE LIMITED TO THE LICENSE FEE PAID BY YOU FOR THE SOFTWARE.
8. We do not exclude liability for death or personal injury to the extent only that it arises as a result of our negligence or that of our employees, agents or authorized
representatives.
9. So far as any parts of this Software which were not created by us are concerned, THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL ANY PERSON WHO HAS CONTRIBUTED TO OR IS THE OWNER OF ANY PART OF THIS SOFTWARE BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This provision shall operate for the benefit of any and all such persons.
8. Miscellaneous
1. You acknowledge that these terms supersede all prior agreements, and are complete and exclusive. No oral or written information given by us or on our behalf shall
create a warranty or collateral contract, or in any way increase the scope of this warranty in any way, and you may not rely on any such advice.
2. If any provision in this Agreement shall be determined to be invalid, such provision shall be deemed omitted; the remainder of this Agreement shall stand.
3. This License shall be governed by the laws of Australia.
COMPLETEFTP REVISION HISTORY
Version Changes
Add support public key authentication in the gateway authenticator.
Improve the internal web pages.
Fixed XSS vulnerability in JSS web-app examples.
Fix bug maximizing the manager on a secondary monitor.
Fix bug when Automatic Windows Users log in via public key authentication - password authentication was
Version 12.1.5 not used and so even though the login seemed to succeed, operations would later fail.
(26 February, 2020) Auditing now reports transfer errors - previously a partial transfer was not recorded as a failure.
Fix issue re certain external RSA keys failing to be loaded.
Fix file sharing for active directory users.
Fix memory leak when custom command called from process trigger.
Allow adding cluster nodes with same SID.

Fix append issue in FTP for certain VM configurations.

Security fix for manager password saving.
Security fix for SSH exec - now restricted to members of 'admins' group.
Version 12.1.4 Security fix for new filemanager node permissions.
(7 October, 2019) Jquery update.
Optimise when user-profile is loaded.
Fix installer issue with non-canonical access control lists.
Fix for importing latest Filezilla server config.

Enable rename command to be called after PASV in FTP.

Update script engine.
Ensure manager supports TLS 1.2 for HTTP requests (such as checking latest version).
Version 12.1.3 Fix manager bug with expand arrow for Quotas & Limits category hidden in some skins.
(9 September, 2019) Installer security fix.
Remove direct dependence on CryptoAPI for TLS 1.0 and TLS 1.1.
Use ephemeral RSA keys to prevent buildup of files in MachineKeys folder.

Add AES Galois Counter Mode (GCM) cipher suites to TLS.

Change email notifications to use TLS 1.2 if available.
Fix ConsumeWindowSpace issue.
Version 12.1.2 Change the URL the manager contacts to find the latest version to HTTPS.
(16 August, 2019) Improve Automatic Windows Users for authenticating groups in other domains.
Fix Gateway issue: changing permissions causes an error for FTP/FTPS.
Fix signature issue verifying SAML responses.

Add diffie-hellman-group14-sha256 to SSH key exchange.

Audit and diagnostic log files now support non-ASCII characters.
Support modifying permissions from SFTP client via gateway folder to remote SFTP host.
Fixed a bug in SFTP directory listings (permissions and owner were sometimes incorrect).
Installer now prompts to remove previous installation to prevent issues with non-standard install locations.
Fix poor handling of permission denied error in new file-manager.
Web file-manager can now download multiple files.
Version 12.1.1 Fixed SCP bug where could not upload a file when the filename contains Unicode characters.
(17 June, 2019) Fixed SCP bug where could not upload a file after failing to upload a file blocked by a filename filter.
Fixed bug where generating RSA keys of keylengths not divisible by 8 caused an error. Now keylengths
must be a multiple of 8.
Fixed annoying bug in manager GUI where changes to SFTP advanced properties did not trigger the
enabling of the Apply Changes button.
Fixed error that occurs when clicking the CompleteBox icon in the system tray.
Minor documentation fixes.

Password-protected sharing in CompleteBox.

Import PEM format certificate/private keys for server certificate.
Support for downloading a single dynamically created file that contains a recursive directory listing.
Add CSID and CLNT FTP commands.
Fix bug where RSA keys were generated with 2,047 bits instead of 2,048 bits.
Enable PASV and STOR/RETR FTP commands to be separated by other commands to support clients
that do this.
Version 12.1.0 Support SAML group claim and a custom attribute called 'group' to allow CompleteFTP group membership
(31 March, 2019) to be specified via IDP.
Numerous bug fixes in CompleteBox.
Improved memory usage when downloading large files via SFTP.
Fix for ncftpput clients hanging.
Fix for bug introduced in 12.0 where authentication would fail if the Domain Users group was specified as
allowed group for automatic Windows users (AWU).
Support for better integration with SyncbackPro.
 New Web file-manager which includes file-sharing.
New WebAdmin application for basic user administration.
File system adapters for Amazon S3 and Azure
TLS/SSL certificate expiring event.
Many enhancements to the JSS (Javascript Serverside) Config API.
Add authenticator panel to users panel.
Ability to set a per-user home-root.
Enter path of Windows folders via text-editor.
Version 12.0 Allow user to return a log-in-as user-name from their DB authenticator query.
(5 December, 2018) Automatic Windows/AD authentication: Allow log-in-as user to be specified per AD group.
Expose client certificate to custom .NET authentication extensions.
Custom authenticators: make connection information accessible to authenticators.
Allow administrators to change folder type in the manager.
Allow administrators to add a date column in the real-time log viewer. .
Fix bug where HomeDirectory was ignored in advanced custom authentication extensions that use PK
Fix bug where 'Ignore filters' permission did not work properly for uploading of files via SFTP.
Fix CompleteBox errors after sleep/resume.

Version 11.0.6 Added Elliptic Curve key exchange algorithms for TLS 1.2.
(19 September, 2018)
Version 11.0.5 Fixed memory leak introduced in 11.0.3.
(25 July, 2018)
Fixed bug where JSS mail attachments file streams were not closed, meaning the files were locked after
Version 11.0.4 sending.
(11 July, 2018) Fixed ConsumeWindowSpace error that occurred with an SFTP client reading a file.

Version 11.0.3 Significant memory optimisation in certain situations for SFTP.

(5 June, 2018)
Allow substitution of environment variables, such as %LOCALAPPDATA%, in network/macro folders.
Fix CompleteFTP manager bug where the error "Configuration changes have been made by a third party"
Version 11.0.2 prevents connecting.
(4 May, 2018) Fix rare certificate issue where a microsoft\crypto\RSA entry is created by what ends up as an unresolved
SID.
Fix logging bug where some log tags are blank, causing issues in real-time logging.

Version 11.0.1 Fix install failure on non-English installs (IdentityNotMappedException).

(22 March, 2018)
Major new feature. Encryption at rest now supported.
Major new feature. CompleteFTP is now a SAML Service Provider.
Logout page now customizable.
Login page now responsive.
Various JavaScript Server-Side (JSS) enhancements, including the JSS Config API (in beta) that allows
the user to make CompleteFTP configuration changes via JSS.
Enhancements to usermod command (Added enable flag and full-name argument).
Allow text selection in real-time logging view.
Fix issue where for certain users on Windows Server 2016 certificate generation was failing during
installation with "Can't acquire cryptographic context" error message.
Simplify installer.
Version 11.0.0 Minor CompleteBox fixes.
(9 March, 2018) Fix ClientIP macro.
Fix bug where the manager was crashing when attempting to delete the server certificate of a non-Default
site.
Fix bug where an error message was shown when trying to delete a secondary server from a cluster.
Failed logins now shown in audit log.
Minimum of .NET 4 required (earlier versions ran on .NET 2.0). Later versions such as 4.6 or 4.7 are also
fine. Enterprise .NET extension DLLs must be recompiled with the .NET 4 framework. It can be
downloaded from Microsoft here.
Tightened security of configuration data. WARNING! - users who have changed the 'log on' user of the
CompleteFTP service from the default (i.e. local SYSTEM user) may need to manually configure Windows
file permissions after installation (see here).

Add support for HTTP 0.9 (used by some monitoring clients).

Added ability to enable and disable users in administrator scripting.
Version 10.2.1 Fixed ClientIP macro in e-mail notification and process triggers
(20 October, 2017) Fix permissions issue with multipart HTTP requests.
Configure scripting engine to work with .NET 2.0 and .NET 4.x.
Fixed JSS API documentation errors.

Add server initiated key re-exchange for SSH.

Allow PASV to immediately follow PORT and vice versa for FTP/FTPS (first command is ignored).
Add CSRF token to web file manager to prevent CSRF attacks.
Version 10.2.0 Added support for admin site authenticators.
(21 August, 2017) Fix SSH bug when reading client version string.
Upgrade the binary that runs process trigger scripts (edtftp.exe).
Upgrade CompleteBox.
 Increase timeout when adding new secondary server to cluster, and make call asynchronous. Prevents
timeouts for servers that take a minute or two to restart.
Version 10.1.1 Fix bug where login failures caused by unrecognised user-names would only cause process triggers to be
(12 May, 2017) called if an alternative authentication method (such as AD authentication) was enabled.
Fix bug limiting the number of gateways that could be configured to three.
Fix gateway timestamp bug - gateway folders now allow timestamps of files to be set.

New feature - added ability to add custom IP filter extensions (.NET or Javascript).
External database users can now use RSA & DSA public keys for authentication.
Added extensive step-by-step user tutorials.
Content-Type was missing in HTTP responses, which was a problem if X-Content-Type-Options "nosniff"
is set, as the brower can no longer detect the content type.
Prevent the first "none" SSH auth method often sent by clients from triggering a failed login event.
Version 10.1.0 Fix HTTP/HTTPS upload bug where multipart uploads ended up with an extra char.
(24 April, 2017) Fixed bug where 'create a home folder automatically' when adding a new windows user can't be
unenabled.
Fixed permissions bug in SCP transfers - impersonation wasn't working correctly initially..
Fixed issue with confusing log file entries.
Fixed HTTP login error that occurred when 'Use browser-based logins' and 'User's home folder appears as
root' are both enabled.
Fixed numerous minor manager GUI issues.

Major new feature - add ability to write process triggers in Javascript (JSS).
Modernize manager GUI with side menu.
User and site filtering in events (email and process triggers).
Add new system events (banned or autobanned IP address, server startup, clustering failure, certificate
expiry).
Added TCP port usage view.
Numerous manager GUI fixes and minor enhancements.
Add ephemeral Diffie-Hellman (DHE) ciphers to FTPS, so perfect forward secrecy now supported.
Version 10.0 Add ability to set additional HTTP headers so various security headers can be used.
(21 December, 2016) Memory optimizations.
Disable SSH EXEC command in Standard Edition (and only enable in higher editions if SSH terminals are
enabled).
Fix starting CFTP service from the manager (asks for elevated permissions).
Fix client certificate support in TLS 1.2 (i.e. FTPS).
Fix bug in FTP listing of absolute paths with a wildcard.
Fix bug where couldn't set the external passive IP if there was a 0 in the IP address.
Fixed bug where the manager gets into a loop if the real-time log download continually fails.

Added ability to import Filezilla server users, folders and groups.

Version 9.1.3 Fixed bug in gateway preventing multiple downloads and fixed issue with a SFTP <-> FTP failure.
(10 October, 2016) Fixed bug in FTPS experienced when thousands of small files are transferred.
Fixed "invalid message number" issue experienced by WinSCP when transferring via SFTP.

Fixed SFTP bug that can cause server cpu to spike when certain clients such as perl sftp are used.
Version 9.1.2 Fixed real-time logging bug that causes a loop in the manager when FTP is used as the connection
(12 September 2016) protocol and real-time logging is enabled. Workaround is to use the default SFTP protocol to connect
manager to the server (on port 14983).

Fixed cluster bug stopping servers from being added and also preventing synchronization (introduced with
automatic deactivation in 9.1.0).
Fix for "Unable to load DLL 'dwmapi.dll'" error in CompleteFTP manager on Windows 2003 Server.
Fixed bug where min/max/close wouldn't be visible in Windows 2008.
Version 9.1.1 Fixed bug preventing macros from working when used in names of virtual file-system folders.
(30 August 2016) Fixed bugs in new certificate chain importation feature - some certificates failed to load.
Fixed bug on machines with desktop logins disabled that allowed users to access folder that they did not
have Windows permissions to access.
Prevented deactivation of servers if current activation key is invalid (esp if config moved to new machine).
Added error-message if user tries to deactivate on machine with invalid activation key.

Release of Free Edition supporting FTP and FTPS.

Support for automatic activation and deactivation added.
Added support for Tags in authentication extensions.
Various Javascript Server-Side (JSS) fixes and improvements:
Version 9.1.0 Fixed bug preventing multiple JSON DBs
(5 August 2016, see also 9.0.1 changes) Added tags property to system.user.
Added adapterAbsolutePath to File objects.
Prevent circular includes.
Added support for x-www-form-urlencoded (i.e. standard form) encoding in HTTP POSTS.

Support for loading of intermediate SSL certificates, and sending the entire certificate chain to clients.
TLS 1.2 fix where signalling ciphers were being selected as genuine ciphers. Error in debug log was
"Offset and length were out of bounds for the array".
Ensure FTP welcome message and SSH user auth message is converted to ISO-8859-1 (as some Unix
clients can't cope with UTF).
Version 9.0.1 Improve efficiency of SFTP threading when many small files are transferred.
(19 July 2016, not made generally available) Fix FTP directory listing so wildcards are handled.
Improve memory utilisation with the multiprotocol gateway.
Ensure clients don't complete a transfer until the secondary transfer is complete in the multiprotocol
gateway.
 Real-time log viewing in CompleteFTP Manager.
Script-based extensions. Authentication, file-system and custom command extensions can now be written
in Javascript (JSS) and entered directly into CompleteFTP Manager. Enterprise Edition only.
Read-only sites. Sites can be switched to read-only using a single checkbox.
Added FTP STAT command.
Added passwd command to SSH shell so internal users can change their password.
Groups can now be set from authentication extensions.
New flat look-and-feel for CompleteFTP Manager.
Many improvements to JSS resulting from the development of our customer portal, edtConnect, which is
hosted on CompleteFTP. Most notable is the introduction of JSON-DB - an indexed database where
Version 9.0.0 objects are stored in individual JSON files.
(23 March 2016) Changed gateway so that FTPS can specify max & min SSL connections.
Upgraded log4net DLL to 1.2.15. Resolves syslog bug in earlier log4net DLL.
Fixed SCP bug where filenames containing spaces could not be downloaded.
Fixed WinSCP issue where a directory's name was appearing in its content listing.
Fixed anonymous HTTP bug.
Fixed HTTP session time-out bug. Session time-outs were measure from time of login rather than time of
last access.
Over 60 minor bug fixes and enhancements in CompleteFTP Manager resulting from a comprehensive
usability review.
Made a start at improving CompleteFTP Manager's accessibility by making more user-interface elements
compatible with Windows Narrator. It's still early days, so we're looking for feedback on this.

Version 8.5.1 Fix bug affecting database authentication logins (login failure).
(15 January 2016)
Password hashing now uses PBKDF2-SHA256.
New command-line commands for administering permissions (chmod, chown).
Support for TLS_FALLBACK_SCSV in TLS.
Fix bug in SSL3 renegotiation.
Version 8.5.0 Change anonymous FTP behaviour so that if disabled there is still a password prompt.
(30 November 2015) Fix issue where login failures did not trigger the login event when set.
Remove RC4 support from default ciphers (as no longer regarded as secure).
Fix issue where downloading files with special chars in their name from HTTP works on Firefox but not with
Internet Explorer.
Fix bug where all connections in the manager application are shown as from one user.

Now supports TLS 1.2.

Version 8.4.0 Now supports TLS secure renegotiation.
(9 October 2015) Fix bug where downloading in SFTP via Gateway failed.

More efficient memory utilization, and now uses .NET 4.x framework if it is installed.
Bugfix for scheduled events, where some events were not firing due to a race condition.
Version 8.3.3 Bugfix for downloading from a zip folder.
(7 September 2015) Fixed OpenSSH 6.7 (and higher) issue using HMAC SHA2 with SFTP.
Fixed incorrect IP address in logging.

Now reuses PASV port for the same client, meaning PASV port range is used more efficiently.
Fix to FTPS implicit mode.
Version 8.3.2 Better throttling of server messages being sent to clients, reducing memory consumption.
(22 July 2015) Fix to SSH key re-exchange when initiated by clients.
New version of CompleteBox (1.1.1) included.

Replace Microsoft HMAC in SSH/SFTP as it was causing problems for a user.

Version 8.3.1 Fix a directory traversal security vulnerability.
(17 June 2015) Minor fixes to logging.

Added scheduled events. This means events can be set up to fire at a predefined schedule, such as once
per hour or at midnight every weekday.
Selectable ADO.NET providers for database authenticator.
Add SHA1 to database authentication option, so now MD5 and SHA1 are supported.
A user's Active Directory home directory can now be set as a macro variable.
Version 8.3.0 Set service recovery options to automatically restart for new installations.
(8 May 2015) If the anonymous user is disabled in FTP, give an error rather than prompting for password.
Fix issue with certificate signing requests that meant Verisign/Symantec would not accept them.
Make IPAddresses configuration field larger so more network interfaces can be supported.
Gateway authenticator fix - for multiple authenticators, the connection details of the first remote server were
being re-used.
 Per-user IP filtering.
Add SHA-1 password hashing to Authenticator. Now extensions can use SHA-1 hashed passwords.
Revert to using SHA-1 in certificate signing requests (CSR) because Verisign doesn't accept SHA-256
requests!
In CompleteFTP manager, the FTP/FTPS Server Certificate property is now also available under
Advanced HTTP/HTTPS Settings.
There is now an Extensions directory for loading extension assemblies from.
Version 8.2.0 Allow filenames which have '...' as part of the name(three dots).
(18 March 2015) Many new Javascript Server-Side (JSS) features.
New maximum connections per user setting.
Fixed issue starting CompleteFTP manager on .NET 4.x-only installations on machines with non-English
Windows. Manager would terminate with a FileNotFoundException referencing
CompleteFTPManager.resources.
Fixed issues with initial blank page appearing after logging in via HTTP/S.
Fixed "Couldn't create unsigned certificate" exception that occurred on install with Windows Server 2003.

Use SHA-256 for certificate requests (CSRs) and for generating self-signed certificates.
Can now downgrade the edition automatically when applying purchased activation key.
Version 8.1.6 Added lrename and ldelete to FTP scripting engine, and direct debug output to server log.
(11 February 2015) Add ability to export IP filter data from manager.
Modify installer so that CompleteFTP service is not removed when installer is run (if it exists).
Tidy overview panel.

Permit USER/PASS commands to be sent after logging in as per RFC 959.

Drag and drop for IE in the web file manager.
Fixed short timeout for starting downloads in web file manager.
Fix Gateway problem of closing the FTP connection when accessing a gatewayed FTP server via HTTP.
Version 8.1.5 Fixed bug with default domain being cached when authenticating via automatic Windows users.
(16 January 2015) Improve memory management for SCP transfers of large files.
Fix OnChannelClosed() exceptions in log in SFTP.
Fix unusual stability issue reported by a user.
Fixed some URLs in the manager application.

Improve performance of SFTP under heavy load, and generally reduce memory consumption.
Include client's IP address in logging.
Improve TLS session resumption.
Fix disabling of SSL renegotiation.
Version 8.1.4 Store logging config in separate file so that it doesn't get overwritten on reinstall.
(5 December 2014) Resizable panels in the group view, process trigger and email notification panels.
Undeprecated IUserInfo.HomeDirectory.
Fixed pscp bug where "Lost connection" was seen.
Fix HTTP/S intermittant download failures.
Fix gateway OutOfMemory error for large transfers.

SSL 3.0 is now disabled by default for FTPS and HTTPS. This was motivated by the POODLE vulnerability
in SSL 3.0.
Added hmac-sha2-256 and hmac-sha2-512 support to SSH/SFTP.
Version 8.1.3 Optimize use of SMTP client for the server so that email triggers scale better.
(22 October 2014) Fix minor installer issues - some files weren't being deleted on uninstall, and the manager is now detected
if running when the installer is started.
Ensure that the Admin site is always listening on localhost no matter what configuration changes are made.
Fixed an SFTP bug that caused problems for file transfers in the multi-protocol gateway.

Add the ability to prevent files with name matching set filemasks from being uploaded or renamed to.
No longer a restriction on number of gateways that can be set up.
Improved error-reporting in web file-manager.
Updated the edtftp.exe scripting binary - adds some new features.
Version 8.1.2 Fixed problems with multi-file upload in web file-manager ('invalid backend response' error).
(26 September 2014) Fix hanging session problem for users with disk quota.
Fixed "The path is not of a legal form" error in process trigger.
Fixed bug in adding multiple non-Windows users, which added a generated username if the user was
already present.

Change from superceded OID for sha1withRSA to PKCS#1 OID in certificate request generator.
Fix bug where HTTP SSL ciphers couldn't be disabled.
Fix problem of Filezilla 3.6.x and later versions getting a parse error on newly generated self-signed
certificates in FTPS.
Now rejects client-initiated SSL renegotiation.
Fixed cross-site scripting security hole.
Version 8.1.1 Fix quota bug for random write access.
(29 July 2014) Fix problem where clients that stop transmitting during transfers but keep connection open do not time out.
FIx so that Chrome FTP works correctly (sends two PASV commands).
Rationalise macros across email & process triggers.
Fixed search in CompleteFTP manager.
Fixed bug where HTTP failed on a site if anonymous user was disabled for that specific site.
Fix Elfinder download bug which occurs when home is set to root.
 Numerous improvements to the CompleteBox file-sharing client, including file synchronization.
Multi-protocol wrapper now supports publickey authentication for SFTP.
Version 8.1.0 SSH user authentication methods can now be specified on a per user basis in the Enterprise Edition.
(24 February 2014) Discard changes button in the manager client.
Search added to User Guide, and PDF version included.

Add HTTP PUT.

Version 8.0.1 Fix bug where some users received an "Index does not exist" error message in the CompleteFTP
(12 December 2013) manager when deleting a folder.
Fix CompleteBox right-button click from Windows Explorer stopped working bug.

Added support for file-sharing, via a file-sharing client, CompleteBox.

Added the ability to write web-apps in Javascript, making CompleteFTP a powerful platform for developing
Version 8.0.0 file-oriented web applications.
(2 December 2013) Improved ability to download diagnostic information for support.
Significantly improved HTTP support.
Many minor enhancements and bug fixes.

SSH local port forwarding added, so that SSH tunnels can be set up.
Add new SSH admin shell commands: folderadd, foldermodify, folderdel.
Added timestamp preservation to scp.
Added SSL session resumption to FTPS.
Implemented rename in the Gateway.
Fixed a connection leak in the Gateway.
Fixed incorrect key fingerprint displayed for user keys.
Version 7.4.0 Implemented FXP_FSETSTAT in SFTP.
(4 October 2013) Fixed scp file overwrite bug.
Fixed bug where RSA host key length was only 1024 in new sites - now 2048 bits.
Manager does not need to be running as administrator to import a new certificate and PVK file.
Fix disk quota bug.
Fix cyclic error message when using cp and mv commands in the SSH shell to copy a file into a
subdirectory.
Ensure allowed protocol list is viewable in Standard Edition.

Addition of an "Allow always" category in IP filtering. These IPs can't get autobanned.
Allow numeric ranges in IP filters.
In SFTP, if file exists don't send an error in response to FXP_STAT if size or last modified time can't be
obtained. This helps some Unix SFTP clients to work correctly.
Version 7.3.0 Improved connection establishment performance by using cached local IPs.
(3 June 2013) Fixed bug where HTTP session timeout of 0 was not infinite.
Fix problem in email triggers where duplicate emails were sent under certain circumstances.
Move jquery code to local disk to prevent security error.
Call Dispose() on extensions.

Now Windows Server 2012 certified.

Version 7.2.1 Improved installer to better detect .NET versions.
(23 April 2013) Fixed bug in SSH authentication when not all auth methods enabled.

Added HTTP file management - a Javascript file manager supporting upload, download, file viewing and
more. Professional and Enterprise Editions only.
Added support for Windows RODCs when listing users (previously needed to be writable).
Enabled public key authentication to be used with Automatic Windows Users (the password must still be
Version 7.2.0 supplied).
(21 March 2013) Database authentication now supports use of password salts.
Allow admin user-name change in Standard and Professional Editions.
Make sure # can be used in file-names in HTTP.
Minor display bug fixes in the CompleteFTP manager.
Documented how to achieve syslog integration.

Unlimited-size, unbuffered HTTP uploads. Previously uploads were capped at 20MB because they were
buffered in memory before being written to disk.
Version 7.1.2 Added support for customized and automated installation.
(5 February 2013) Corporate Editions now come with an optional universal activation key (so that online activation is not
required).

Performance enhancements.
Version 7.1.1 Fixed SFTP bug where if first_kex_packet_follows=true is set, the guess is handled incorrectly.
(18 December 2012) Fixed "Server offline" bug, where if the server is taken offline in the manager, it can't easily be put online
again.
 Added support for customizable HTTP listings.
Added support for remote ZIP-file navigation. ZIP-files on the server can now be mounted as a directory,
changed into, and individual files retrieved (write is not supported as this stage).
Added support for SSH keypair generation for users.
Make restarts of file downloads possible for > 2GB restarts (in FTP and FTPS).
Login/logout events in HTTP.
Version 7.1.0 Add Groups to ISession for use in extensions.
(26 November 2012) Disallow slashes in virtual folder-names and prevent duplicate folder names. Add hidden folder flag for
virtual folders.
Allow CoreFTP to use MDTM in a non-standard way for compatability.
Add option to exclude admin logging in log-view
Make virtual directories non case-sensitive.
Fix broken audit log, which wasn't logging anything.

Make CompleteFTPServer.dll strongly named.

Add the FilenameOnly listing format for FTP.
Version 7.0.1 Enable macros to be placed in the names of virtual folders.
(5 October 2012) Fixed trial installation problem where the error "Key not valid for use in specified state" was seen.
Fixed bug applying Windows permissions of auto-created folders.
Fixed folder re-ordering bug that occurred when renaming folders.

Major new feature - cluster support in Enterprise Edition!! This means configuration changes on the
primary server in the cluster are automatically propagated to the secondary servers. Very useful for failover
and load balancing.
Version 7.0.0 Added ability to add users via a script.
(20 September 2012) Fixed listings so if a single file was specified, its details are shown.
Added IsValidRSAKey and IsValidDSAKey methods to Authenticator so that users can validate public
keys themselves as part of implementing an authentication extension.

Groups can now be defined for database users by providing an additional field in the query that supplies a
comma-separated list of group-names.
Ensure any temporary script files are created by the process user.
Version 6.4.2 Make standard RSA keylengths 2048 bits (increased from 1024 bits).
(23 July 2012) Fix bug when trying to log in as a disabled user (IsAnonymous NRE).
Fix security vulnerability in directory navigation.
Fix potential security vulnerability in SSH DSA signing. Thanks to Nadia Heninger for pointing this out.
Fixed bug that made using multiple email addresses as targets for email triggers difficult to use.

Modify response when anonymous user is disabled so that Internet Explorer pops up its login prompt.
Fix bug where PVK files generated during CSR creation failed to import when a new certificate was being
Version 6.4.1 imported.
(28 May 2012) Fixed bug in when adding multiple Windows users. If UseHomeForAllSites was not selected then would get
"Please make sure every enabled site has a home-folder defined."

Added support editing of properties of multiple users in a single operation. Users can be selected by group
membership and wildcard filter. Users may be added to groups when they're being added using the 'add
multiple non-Windows users' form.
Group membership is now shown in the user-list in the Users panel.
Users can now be set an expiry date beyond which they cannot log on.
Added support for the generation of Certificate Signing Requests (CSRs) via the CompleteFTP manager.
Version 6.4.0 Made it easier to implement custom authenticators, and added support for doing public key authentication.
(7 May 2012) Added support so that SSH/SFTP users can change their passwords if this is permitted.
Added support in custom authenticators for forcing password changes for SSH/SFTP users.
When using FTP scripts as process triggers, sometimes they fail with the error "The directory name is
invalid". Now fixed. Also upgraded script engine.
Fixed bug where automatic Windows users failed to authenticate in HTTP/HTTPS.
Permit paths to contain ':'.
Fix bug where the manager overview panel fails to restore after minimizing.

Add HTTP to the multiprotocol gateway (Enterprise Edition only).

Add new macros, TIMESTAMP:format and TransferStatus for use in events.
Create new email notifications and process triggers by copying existing ones.
Redirect to user's home directory when logging in via /login page in HTTP.
System folders can now be viewed in folder browser in folder tab of manager.
Minor GUI improvements in the manager.
Fix bug where encrypted passwords were enabled and changing the admin password meant they could not
Version 6.3.0 be decrypted (and resulted in an error being displayed).
(27 February 2012) Fix trigger macro bug where WindowsPath and WindowsFolder macros were returning incorrect values
when the home-appears-as-root feature was enabled.
Fix bug in email triggers where "Notify on Error" could not be saved.
Fix problem with license.exe - error message was "Could not load file or assembly
'System.Data.SqlServerCe, Version=3.5.1.0".
Fixed file-system permission problem, which applied incorrect folder permissions for sub-folders if "User's
home appears as root" was enabled. Previously the permissions of the user's home folder would be
applied to all subfolders, overriding any that may have been defined for these.
 Major Enterprise Edition feature added - the Gateway. This allows CompleteFTP to act as a gateway to
other FTP servers - translating protocols in the process.
Added ability to define custom MIME types.
Version 6.2.0 Permit non-Windows users to use the SSH terminal.
(28 December 2011) Minor bug fixes, and tweaks to manager GUI.
Fix bandwidth limiting bug in SFTP.
Fixed bug where invalid event data could hang subsequent events.

Introduced overview panel for Complete FTP Manager.

Added support for HTTP FORM uploads.
Make SFTP the default protocol for the Complete FTP Manager for new installations.
Version 6.1.0 Add flag to enable support of backslashes in paths.
(20 November 2011) Fix HTTP session bug that can result in multiple authentication prompts.
Simplify installer options and operation.
Fix bug re client certificate authentication. Enforce admin permissions for managing the trusted certificate
store.

Major Enterprise Edition feature: added support for multiple sites.

Added HTTP directory listings (Professional and Enterprise Editions).
Fixed bug preventing change of directory with a relative path into a virtual dir.
Fixed bug giving inconsistent timestamps for virtual dirs.
Fix bug where administrator password could not be changed if SFTP protocol was chosen.
Version 6.0.0 Added support for multiple deletion of folders and users.
(23 August 2011) Improved memory management significantly.
Allow indefinite auto-bans (i.e. until next server restart).
Allow additional administrative users.
OPTS UTF ON/OFF added for FTP.
Make contextual help hidable.

Introduction of Enterprise Edition with support for custom extensions for authentication, events, site
commands and the file system.
Version 5.2.1 If AUTH argument not understood the client can now respond with USER if FTPS is not mandated.
(18 May 2011) Now examines the first character of the TYPE argument and compares with I or A rather than comparing
the entire argument string.

When adding multiple Windows users a single home directory can be now be specified (usually a macro
folder).
Added read-only flag for users. If a user is readonly then uploading (and other write operations) is not
permitted for that user regardless of what file permissions are set.
Make FEAT more RFC compliant (remove '211-' in front of each feature in the list).
More firewall friendly for FTP active mode transfers (server binds to FTP data port 20).
FTP commands are now uppercased to cater for clients that send 'pasv' rather than 'PASV'.
Improved installer. Status updates are only displayed for certificate and key generation if they are actually
Version 5.2.0 being generated.
(27 April 2011) Fixed bug caused by clashes between naming of virtual file-system folders and Windows file-system
folders. Windows folders now take precedence.
Prevent a file being closed prior to last FXP_WRITE by queuing the message (also for FXP_SETSTAT).
Fix bug limiting the number of email notifications (again!), and a bug where changed notifications were
saved to the config database but not immediately applied.
Fix bug preventing notifications for HTTP.
Fix SFTP authentication bug re enabled flag.
Fix Windows user directory traversal bug.

Fixed bug where FTP connection would be broken by the passive wait timeout if there was a error while
getting a listing or transferring in passive mode.
Version 5.1.1 Fix bug in "Admin" configuration re error message "The value for column "ExtUserID" in table "Site" is
(15 March 2011) DBNull".
Fix bug in email and process trigger filename filters, where wildcards were being treated as regex's.

Permit export of server's private key to file (only if manager is running locally).
Fix for Fetch (Mac OSX), which can't cope with FXP_READ replies that are out of order.
Fix for scp when "User's home folder appears as root" is set.
Fix in FTP so that 550 is returned when attempt made to delete a non-empty directory.
Support for aes128-ctr, aes192-ctr and aes256-ctr in SFTP added.
Version 5.1.0 Support for diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 in SFTP
(21 February 2011) added.
Fixed bug re anonymous user being permitted when the anonymous user was disabled (but anonymous
enabled in Settings).
Fixed bug with multi-line welcome text in FTP when product details are hidden (Windows 7 ftp.exe hung).
Automatic backup of configuration file on a daily basis (if altered).
Fix for infrequent occurrence of server stopping listening.
 Now supports HTTP and HTTPS.
Added support for external users via an OLEDB connection.
Added support for bulk user imports.
Process triggers now support FTP scripts.
Now supports TLS 1.1 for FTPS.
Handles anonymous user logins in a more standard manner for FTP.
Version 5.0.0 Improved scalability re simultaneous connections.
(20 December 2010) Add login and logout event auditing.
SITE commands now case insensitive.
Listeners are started/restarted appropriately when "Apply Changes" is selected in the manager and
protocols have been enabled or ports changed.
Can now hide product and version number in welcome messages/banners, for PCI compliance.
Fixed error with FTPS implicit where AUTH is (unnecessarily) required to be sent by the client.

Pro version now supports multiple SSH keys per user.

Fix bug where timestamp of newly uploaded file can be incorrectly set.
Implicit FTPS now supported.
Version 4.1.0 SSL email servers now supported for notifications.
(10 September 2010) SSH exec now supported (for the same commands available in the SSH shell).
Fix bug that allowed guest users access if guest is enabled on the server machine.
Fix bug limiting the number of email notifications.
Improve server memory management.

Security fix to disallow paths containing '...' and ':'. This prevents unauthorised directory listings and
Version 4.0.3 transfers from outside a user's home directory.
(1 June 2010) Fix so that Powershell scripts are piped directly into Powershell rather than via a temporary file.
Minor GUI fixes to process trigger setup. Also path filter was not being used in process trigger - now fixed.

Version 4.0.2 Domain name filters added.

(30 April 2010)
Extensive real-time charts for performance monitoring. (Professional Edition only).
Added Process Triggers - the ability to launch processes on the server when events such as uploading or
downloading occur (Professional Edition only).
SSH terminal access added for Windows users (Professional Edition only). Includes ability to execute
processes on the server.
Disk quotas introduced (Professional Edition only).
Bandwidth quotas introduced (Professional Edition only).
Version 4.0.0 Can now create a new folder from within the add-user forms.
(16 April 2010) Fix bug where creating a directory failed in WinSCP (when using SCP only).
Bug fix where it was reported that there was an unhandled exception causing the service to terminate.
Fixed bug where changing directory using forward slashes permitted navigation out of user's directory.
Fixed problem with determining AD group membership.
By default a maximum of 10 anonymous connections are now permitted (prevents someone denying
service by connecting as anonymous many times.

Add support for autobanning of IP addresses (configurable in Professional Edition). If a client IP has too
many authentication failures, it is automatically banned for a period.
Version 3.3.0 Add support for WinSCP with the SCP protocol (already works with WinSCP/SFTP).
(22 February 2010) Some minor SCP fixes.
Fix manager logging problem - now logs correctly to ApplicationData (for the user).
Fix manager problem where new filters could not be added for the administration server.

Fix bug in handling of invalid SSH_FXP_EXTENDED messages.

Add filtering for reducing the number of users returned from large active directory domains.
Can now install the manager only for remote administration from another machine (production install only).
Version 3.2.2 Fixed upload bug in SCP resulting from an infrequent race condition.
(2 February 2010) Increased minimum SSH window size to 64K to fix problem uploading with cURL.
CompleteFTP manager now logs to the same directory as the server.
Fixed installer bug whereby it always asks if the existing configuration should be kept even when it doesn't
exist.

Fix "User's home folder appears as root" bug which prevented users from logging in when this flag is set
Version 3.2.1 (SFTP only).
(18 December 2009) Code sign the installation executable.

By default permit all Windows users to logon without explicitly adding them to the user database (see
Settings). This can be restricted to users in active directory and/or local groups
Add option for home directory to appear as root ("/").
Add new permissons to Pro version: list folder, delete, create folder permissions. Make Windows and non-
Windows permissions distinct.
Added license import/export command-line tool.
Version 3.2.0 Permit non-Windows users to change their passwords (disabled by default).
(8 December 2009) Fix to prevent error when Cyberduck uploads files.
Fixed key re-exchange bug when kex initiated by clients.
Fixed Blowfish bug in SFTP.
Can now optionally delete the configuration on reinstalling.
When making a license request, allow copy to clipboard for separate emailing.
Allow admin to highlight and kill multiple connections. Auto-refresh of connection view.
 Added new folder-type called 'Network Folder', which supports UNC paths.
Fixed erroneous license warning from Manager when used remotely.
Fix idle timeout problem causing SFTP sessions to never time out if disconnected abruptly.
Fix 'All users (read)' folder permission in Standard edition.
Version 3.1.2 Allow path to config.sdf to be specified on CompleteFTPConsole.exe command-line.
(26 October 2009) Better error-handling in Windows file-listings.
Fixed error in new-user form causing half-configured user to be added when the user-root directory does
not exist.
Improved login error messages.

Fixed problem where not all active directory users were listed if greater than 1000 users.
Fixed problem where failed to login domain users with non-alphanumeric chars in username.
Fixed problem where failed to log in local Windows users that were also on a domain.
Version 3.1.1 Fixed problem where certificate parsing failed if there was a comma or semicolon in the subject.
(16 October 2009) Fixed problem where multiple Windows users could not simultaneously share MyDocuments.
Stop CFTP Manager minimizing to tray.
Stop Windows users from accessing other home directories.

User-specific protocol settings.

Reduce memory usage during log file viewing.
Stop scp client from hanging if SCP is disabled in the server and a command is attempted.
Version 3.1.0 Fixed error where target filename could not be specified in scp.
(4 September 2009) Improved passive mode port range handling.
Logging improvements.
Fixed bug preventing deletion of e-mail notifications.
A variety of minor GUI fixes.

Fix logging bug where can't change log level to Debug.

Fix notification bug where can't delete last notification.
Version 3.0.1 Fix incorrect log file location (Program Files -> Program Data).
(7 August 2009) Fix SCP bug where copy failed if target was a filename.
Minor performance tuning changes.

Added support for SCP (Professional Edition).

Permission editing added (more sophisticated version in Professional Edition).
Email notification for a variety of events such as file upload, download, delete (Professional Edition).
Auditing (i.e. tracking all changes to files - Professional Edition).
Version 3.0.0 FTPS client certificate verification (Professional Edition).
(30 July 2009) IP filtering added - accept/reject connections based on IP address (Professional Edition).
Can now specify the network interfaces to listen on.
No longer disconnects channel when client sends SSH_CHANNEL_EOF.
Added support for MODE S (which is the default).
Fix re file overwrite problem.

Now closes console gracefully.

Fixed bug whereby a disabled user could still log in via SFTP.
Fixed bug where newly generated SSL certificate failed to save to the config.
Fixed auto-add user checkbox in 'Add Windows user form'.
Version 2.2.1 Fixed bug where when a new activation key is entered, it is saved but the manager appears to show that it
(24 June 2009) has not.
Manager now uses compression to speed up log file transfers.
Manager connection editor now allows clearing of properties.
Added extra SFTP and FTPS properties to Manager connection settings.
Improved handling of socket accept errors.

Introduction of professional version supporting Windows domain users.

Now works on x64 machines.
MODE Z compression added for FTP and FTPS (also OPTS MODE Z).
Can now directly download log files to local disk.
Fixed SFTP authentication bug, where if the username was supplied in the incorrect case, public key
authentication failed.
Version 2.2.0 Users can no longer list /home, i.e. they can't see what the other user directories are.
(2 June 2009) Administrator can retrieve user list (Professional version only).
Manager now displays the version number.
Fixed FEAT bug (indenting too many spaces for each feature listed).
Fixed timeout that occurs in passive mode with large transfers if the passive timeout is set.
Fixed bug whereby SFTP admin could only log in once.
Manager now displays any critical server errors when connecting.

Can now call TYPE command in between PORT/PASV and RETR/STOR (which some clients do).
Administration functionality can now be performed via SFTP.
Invalid user names aren't immediately rejected, forcing hackers to try authenticating.
Version 2.1.2 Fix for WinSCP problem with files very occasionally being truncated.
(7 May 2009) Provide alternative for obtaining machine id hash if email client is not installed (for product activation).
Fix problem with using a non-default home directory when creating a Windows user.
Fix resource cleanup bug when client abruptly disappears.
 Added support for the XCRC FTP command to check file integrity.
Better feedback while installer is running.
Version 2.1.1 Added diffie-hellman-group14-sha1 key exchange method.
(23 March 2009) Should now work on .NET 2.0 SP1 (previously required a minimum of 2.0 SP2).
Fix problem with generated FTPS certificate being initially invalid.

Now offers full support for SFTP (FTP over SSH). Support for password and publickey authentication, RSA
and DSA keys etc.
Version 2.0.0 Can now set logging level in the manager.
(11 February 2009) User's Guide expanded.
Generation of server certificate takes place on the server.
Numerous enhancements to the Manager.

Fixed license reading bug - sometimes the license was not read correctly, resulting in the server running in
restricted mode.
Fixed user impersonation bug that meant special folders (e.g. My Documents) could not be navigated to.
Database and log files now stored in C:\ProgramData (or equiv) rather than in Program Files.
Default encoding is now UTF-8. Encoding can now be changed.
Added User's Guide.
Version 1.1.0 Improved responsiveness of Windows folder browser.
(12 November 2008) Set default name of Windows virtual folder to name of actual folder.
Fixed FTPSEnabled property.
Added ability to add multiple windows users in one operation. Fixed NRE when NodeForm was cancelled.
More descriptive message when max number of connections exceeded.
Returns meaningful message when AUTH is used and FTPSEnabled is off.
Rearranged controls and changed text to make it clearer that the settings are the settings of the admin
connection and not of the server itself..

Version 1.0.0 First commercial version! After many months of further development and testing.
(10 October 2008) New manager, better FTPS support, remote administration, too many other new features to explain here.

Version 0.5.1 Fix permitting LIST to accept '-' arguments.

(5 December 2007) Disable idle time forced logouts by default.

Version 0.5.0 First release, supporting FTP and FTPS.

(13 November 2007)
INSTALLATION
CompleteFTP is supplied as an executable Windows installer. It is also possible to customize and automate installation.

To install, double-click on the installer executable, and you will be taken through the steps required to set up CompleteFTP. You may require Administrator permissions to run
the installer.

The trial installer installs both the server components and the Complete FTP Manager. The production installer by default installs both, but optionally permits just the Complete
FTP Manager to be installed if required, so that it can be used for remote administration of a server installed on another machine.

Please note that CompleteFTP installs as a Windows Service, running as the local SYSTEM user. It will be started automatically when your computer starts. Once installed, run
the Complete FTP Manager to begin adding users.

The trial edition expires after 31 days. Once the trial period is over, the server converts to Developer Mode, and will only accept connections from localhost (but will otherwise
remain fully functional). CompleteFTP can be used in Developer Mode indefinitely. It may be converted to production mode by purchasing a license.

Once a license has been purchased, a trial or developer mode installation (or a production installation) can be activated as described here.

There are detailed getting started tutorials available that explain how to connect with Filezilla and WinSCP.
UNINSTALLING
To uninstall CompleteFTP, use one of the methods listed below:

1. Select the Uninstall Complete FTP menu item from the Tools submenu in the CompleteFTP program group

2. Navigate to the Windows Control Panel, and select "Programs and Features". CompleteFTP will appear in the list of programs. Right click and choose "Uninstall".
HOW TO RUN THE SERVER
CompleteFTP is installed as a Windows service, running as the local SYSTEM user, and by default is configured to run automatically on machine startup. The service can be
stopped and started via Control Panel -> Administrative Tools -> Services. Select the CompleteFTP Service. Under more recent versions of Windows you will need to have
administrator privileges to do this.

The service can also be started from the CompleteFTP Manager - but only if 1) it has been started on the server machine and 2) it was launched with administrator privileges.

If the CompleteFTP service fails to start, or starts with errors, the most likely problem (other than the lack of administrator privileges) is:

the standard FTP port, 21, is already in use on the machine

the standard SSH port, 22, is already in use on the machine
the standard HTTP (80) or HTTPS (443) ports are already in use on the machine

Using 'netstat -a' in a DOS prompt will reveal what ports are in use. IIS is usually the most likely application already using ports.

If IIS will continue to be used for HTTP and HTTPS, then HTTP and HTTPS will need to be disabled in CompleteFTP - see here.

CompleteFTP can also be run as a console application (rather than as a service). This can often be useful in debugging problems. Select Run server in console from the
CompleteFTP program menu (with the service stopped) to do so. It is usually necessary to "Run as administrator".
HOW TO USE THE MANAGER
The CompleteFTP manager controls all settings for the CompleteFTP server (which typically runs as a Windows service).

The manager is started by selecting the CompleteFTP Manager icon from the CompleteFTP menu. Normally, the service must already be running for the manager to connect
to it. If the server is not running, the manager will prompt to ask if the CompleteFTP Service should be started. If the manager is running with sufficient permissions, the service
will be started. If not, the Windows Control Panel -> Adminstrative Tools -> Services must be used to start the service.

The connect dialog box is brought up when the manager is selected. This allows details of the host that the CompleteFTP service is running on, and the administrator
credentials to be entered.

The defaults should generally be used (they are set in installation), and are shown below:

Setting name Default value

Server name/IP localhost
Server admin port 14983
Administrator username admin
Administrator password [whatever was entered on install]

Note that more detailed settings for the connection can be accessed via the Other settings... link. Normally these should not be modified. The "Save password" checkbox can
be checked to save the administrator password so it is automatically entered, and "Show connection log" can be checked if there are problems connecting to help resolve the
issue.

Once the CompleteFTP manager is running, all settings can be accessed via the list of panels on the left hand side. These include settings for the Site(s), File System, Users,
Events (Professional Edition), Extensions (Enterprise edition), Monitoring and Licensing.
MIGRATING TO ANOTHER MACHINE
At times it may be necessary to migrate a CompleteFTP installation to another machine. We recommend you have a current support agreement prior to migrating your
installation. This gives you access to assistance with the migration and the latest version of CompleteFTP.

If you do not have a current support agreement, you can still freely transfer your license if you are on version 9.1 or higher (via the release license option). If you are on 9.0 or
below, or you need technical assistance, you will need to renew support to move your license.

Migration steps

To migrate CompleteFTP server from one machine (source) to another machine (target) while preserving settings such as user logins, passwords and home folders, follow the
steps below:

1. a) If you are on version 9.0 or below, contact support to request an additional activation key (unnecessary for corporate licenses with unlimited keys). If you do not have a
current support agreement you will need to renew support to move your license.
OR
b) If you are on version 9.1 or above, you can use the release license option in the Licensing panel of the CompleteFTP manager. This puts the server into migration mode,
and it is fully operational for a further 30 days. We advise doing this only when the new machine is ready to activate (Step 7). Note that you can upgrade to the latest
version on the original machine so this option can be used.
2. Download the latest version of CompleteFTP that you are entitled to from our customer site. You'll need to know your registered email address for your account if you've
lost your account details. If you can't log in, please contact support. You'll need a current support agreement to get the latest version - the trial won't work.
3. Install CompleteFTP on the target machine. This creates all the default directories.
4. Locate the configuration file (config.sdf) on the source machine - see here.
5. Copy the config.sdf to the same location on the target machine (here).
6. Copy all data directories from the source to the target. By default, these are subdirectories of the directory where config.sdf is stored (here), but directories in other
locations may be referenced as well.
7. Install CompleteFTP (again) on the target machine, choose the option to keep the configuration file, and confirm everything works locally (it will have the wrong activation
key so you won't be able to connect from external machines). Note: if you have specific IP addresses configured for certain protocols, you will need to alter these if your new
machine has a different IP address.
8. Reactivate CompleteFTP on the target machine. If you are running 9.1 or above, this is the time to release the license from the original machine (Step 1b)). If you have
trouble activating your new installation then please contact support.

Locating the data directory

On Windows 7, Vista, Server 2008, 2012, 2016 the data-directory is:

C:\ProgramData\Enterprise Distributed Technologies\Complete FTP

On Windows XP and Server 2003 the data directory is:

C:\Documents and Settings\All Users\Application Data\Enterprise Distributed Technologies\Complete FTP

HOW TO AUTOMATE INSTALLATION
The CompleteFTP installer is a standard NSIS-based Windows installer, which uses a GUI to prompt for various options during installation.

Some organizations prefer to automate installations, and use command-line scripts to roll out software. A GUI-based installer is usually not suitable for this - instead a
command-line installer that requires no user input is required. This article describes how to create and use command-line installers for CompleteFTP.

There's a distinction between a first-time installer and an update installer. A first-time installer is used only when a completely new installation is required, or when an existing
installation is to be completely overwritten. An update installer should be used when an existing installation is to be updated to a more recent version.

The general pattern for creating and using automated installers is to:

1. Install CompleteFTP using the standard GUI installer on one machine (the 'development' machine)
2. Create archives of the required files
3. Un-archive these on another machine (the 'production' machine)
4. Execute various commands to make the software operable on that machine.
5. If necessary, activate the installation with an activation key (AK).

The sections below don't contain the full scripts that must be executed, but rather describe the actions that must be performed.

First-Time Installation

A first-time installation is an installation onto a machine that either has no current CompleteFTP installation, or has an existing CompleteFTP installation that is to be entirely
overwritten.

An activation key (AK) will be required to activate the installation. Most users developing automated installation scripts will have purchased the Corporate license, which entitles
users to a universal activation key. Without using a universal activation key, each installation will later need to be activated manually.

Development machine: Creating archives

1. Install CompleteFTP using the standard GUI installer on the development machine
2. Configure CompleteFTP as desired using CompleteFTP Manager
3. Activate the installation using the universal activation key
4. Create a ZIP file called binaries.zip that contains the directory C:\Program Files (x86)\CompleteFTP (including the directory itself)
5. Remove install.log and server\boostrapper.log from the ZIP-file
6. Create a ZIP file called data.zip that contains C:\ProgramData\Enterprise Distributed Technologies (including the directory itself)
7. Remove the contents of the Temp, Logs and Backups directories from the ZIP-file
8. Remove any unwanted directories and files from the Users directory

Production machine: Installation

1. Unzip binaries.zip in C:\Program Files (x86) (unzip app needs admin privileges)
2. Unzip data.zip in C:\ProgramData (unzip app needs admin privileges)
3. Locate the InstallUtil.exe program - usually in C:\Windows\Microsoft.NET\Framework\v2.0.50727 or later version
4. Install the CompleteFTP service with the command:

InstallUtil.exe "C:\Program Files (x86)\Complete FTP\Server\CompleteFTPService.exe"

5. Change the startup type of the service to Automatic with the command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CompleteFTP /v Start /t REG_DWORD /d 2 /f

6. Stop parent directory of user accounts from inheriting permissions from its parent:

icacls "C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Users" /inheritance:d

7. Remove read permissions for the Users group for the same folder (so that Windows users can't get a list of other users):

icacls "C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Users" /remove:g Users

8. Each Windows user-account which is registered in CompleteFTP must have permission to their own home-directory, so if there are any such users then use icacls to
grant them
9. Start service using the command

net start CompleteFTP

Updating an Existing Installation
When a production installation is being updated, the new binaries may be copied over the old ones, but the configuration data on that machine must not be overwritten. The
main difference between the first-time installation and the update is therefore related to the treatment of the data.

Development machine: Creating archives

1. Update existing CompleteFTP using the standard GUI installer on the development machine
2. Create a ZIP file called binaries.zip that contains the directory C:\Program Files (x86)\CompleteFTP (including the directory itself)
3. Remove install.log and server\boostrapper.log from the ZIP-file

Production machine: Installation

1. Stop CompleteFTP Service using the command

net stop CompleteFTP

2. Delete the directory C:\Program Files (x86)\CompleteFTP and all its subdirectories
3. Unzip binaries.zip in C:\Program Files (x86) (unzip app needs admin privileges)
4. Update the configuration database to latest version using the command

C:\Program Files (x86)\CompleteFTP\cftpconfig

5. Perform any configuration modifications (see cftpconfig)

6. Start service using the command

net start CompleteFTP

HOW TO ACTIVATE AN INSTALLATION OF COMPLETEFTP
Most CompleteFTP installations start off in trial mode. If an installation is not activated before the trial ends then CompleteFTP will automatically switch to developer mode. In
developer mode incoming connections are accepted only if they're from the local machine.

The method of activation of CompleteFTP differs between the Free Edition and the three paid editions, Standard, Professional and Enterprise.

If you are trying to activate a very old version of CompleteFTP (pre 9.1.0) that does not support automatic activation, then see here
HOW TO UPGRADE
To upgrade an existing installation, the new production installer is required. This can be downloaded from the EnterpriseDT website using the link and login details you
received when you purchased your license. You cannot use the trial installer that is available on the website to upgrade a production installation. Please contact support if you
cannot locate your login details.

To perform the upgrade, exit the CompleteFTP manager application if it is running, and install the new version. The default option is to upgrade your existing configuration to
the new version (preserving your settings). You do not need to uninstall prior to running the new installer.
GETTING STARTED WITH COMPLETEFTP
This tutorial explains how to get started with CompleteFTP, our Windows secure file server supporting a variety of secure file transfer protocols, including FTPS, SFTP, SCP
and HTTPS.

Steps

1. Installation. The latest Windows trial installer can be downloaded from here. If you have already purchased CompleteFTP, the production installer can be downloaded from
our customer portal. To install, double-click on the installer executable. More details can be found here.

2. After the installation is complete, run the Complete FTP Manager to begin adding users.

3. A password is required for any user account you create. It is advisable for this to be as secure as possible. Alternatively, use the 'Random' button to quickly generate a
secure password.

4. Select the home directory where the data for this user will be stored. The default is usually the best option,
5. Verify the information entered previously and select Apply:

6. The server is now available for connection using an FTP, FTPS or SFTP client.

How to connect

For detailed instruction on how to allow users to connect to this server over the internet, please refer to Step-by-step guide: Accepting connections from the internet .

For detailed information on how to connect to this server using popular clients, see our tutorials:

Connecting with WinSCP

Connecting With FileZilla
GETTING STARTED WITH AMAZON EC2
This tutorial explains how to set up CompleteFTP on Amazon's Elastic Compute Cloud (Amazon EC2).

Steps

1. Set up your EC2 instance (see here). You must create a security group (basically a firewall configuration) as per Amazon's instructions. At a minimum, you must allow
connecting to your instance from your IP address using RDP (so you can connect remotely to your new instance).

2. Install CompleteFTP as usual - see Getting Started. Your RDP client should allow you to copy the installer to your instance. Aftewards, you should be able to run the
manager and connect to the server.

3. Configure your security group for CompleteFTP. You need to add rules that permit users of your server to access it. This means opening up ports for FTP/FTPS, SSH,
HTTP and HTTPS (if you are using all these protocols) -see below.

If you are using FTPS (explicit or implicit) then you also need open up a range of port for the data transfer connection, e.g.

In this case ports 10,000 to 11,000 are open, so you'll need to tell CompleteFTP that it should use these ports too, by setting the port range:

If you are not using FTPS then a port range need not be set. FTP (i.e. unencrypted) should work without setting the port range since the firewall is able to work out which ports
to open up by inspecting the (unencrypted) commands being sent on port 21.
CONNECTING TO COMPLETEFTP WITH FILEZILLA
This tutorial demonstrates how to connect to your CompleteFTP server using the popular FTP/SFTP client, FileZilla, which can be downloaded here. FileZilla supports FTP,
FTPS and SFTP.

Before looking at this tutorial, make sure you have CompleteFTP installed, and a user created (see here).

Steps
1. After installing FileZilla, open up the program.

Near the top of the FileZilla window, there is a QuickConnect Bar:

2. Enter your server's address into the Host Section (use 127.0.0.1, or localhost if you are connecting from the same computer you are hosting the server on).

If you want to connect using FTPS (FTP over SSL), enter the address as 'ftps://server.org'.

If you want to connect using SFTP (FTP over SSH) enter the address as 'sftp://server.org' .

3. Enter your users's details into the Username and Password sections. These should be the same details you entered for this user when they were added to CompleteFTP
using the CompleteFTP Manager (see Getting Started With CompleteFTP)

(you can leave the Port section blank, unless you require a specific port number)

5. Press QuickConnect to connect to the server.

6. If you have chosen SFTP or FTPS, a warning about the host will appear. This warning is because you have never connected to this server before, and FileZilla does not
have its host key (SFTP/SCP) or its certificate (encrypted FTP)- which identifies the server to clients - installed.

Click Yes to the warning to add the certificate or host key to your cache. Both warnings are displayed below - you will receive only one of them, depending on the protocol
used.
You should now be connected to CompleteFTP through FileZilla, using whatever protocol specified in your URL.

To add the server information to the site manager for later reference, select Copy current connection to Site Manager in the File menu;

You will find all the important details automatically filled out, leaving you to press OK;

Instead of the Quick Connect, you can also use the site manager to select a site and then connect.

To add files to the server, drag and drop from the bottom left panel (your computer's directory) to the bottom right panel (the server's directory). Alternatively, drag and drop
directly from your Computer to the right panel;
CONNECTING TO COMPLETEFTP WITH WINSCP
This tutorial demonstrates how to connect to your CompleteFTP server using the popular FTP/SFTP client, WinSCP, which can be downloaded here. WinSCP supports FTP,
FTPS, SFTP and SCP.

Before looking at this tutorial, make sure you have CompleteFTP installed, and a user created (see here).

Steps
1. After installing and launching WinSCP, the Login window is shown, below.

Enter the user name and password of a user that has been created in CompleteFTP previously.

If you are connecting from the same machine that CompleteFTP was installed on, you can use 127.0.0.1, or localhost for the host name. Otherwise use the hostname of the
server. If you are unsure what that is, ask your network administrator.

Now select the protocol to connect with - FTP, SCP or SFTP.

If FTP is chosen, use the Encryption drop-down menu to select what type of FTP you want. If you want plain, unencrypted FTP, select "No encryption". If you want FTPS, which
is FTP over a secure connection, select "TLS Explicit encryption".

Then select "Login" to log into the server.

2. If you have chosen SFTP, SCP or an encrypted FTP, a warning about the host will appear. This warning is because you have never connected to this server before, and
WinSCP does not have its host key (SFTP/SCP) or its certificate (encrypted FTP)- which identifies the server to clients - installed.

Click Yes to the warning to add the certificate or host key to your cache. Both warnings are displayed below - you will receive only one of them, depending on the protocol
used.
3. Next, the server's banner message will be displayed, as below. Select "Continue" to finish connecting. Check "Never show this banner again" to prevent it being displayed
again.

4. You are now connected through WinSCP to the CompleteFTP server, and can start transferring.
To transfer files to the server, simply drag and drop from the left panel to the right. The left panel is your home computer and the right panel is your CompleteFTP server.
STEP-BY-STEP GUIDES
Step-by-step guides present instructions for common configuration tasks using lots of screenshots and only a little text. They're accessible directly from the CompleteFTP
Manager, allowing users to easily work through the instructions. Since some features are not available in lower editions, the following list indicates which edition each guide
applies to.

Add a non-Windows user (All editions)

Add a Windows user (Standard edition only)
Add a Windows user (Professional edition and greater)
Set up public-key authentication for a user (Standard edition and greater)
Allow all users from a Windows group to log in (Professional edition and greater)
Authenticate users from a database (Professional edition and greater)
Change the home folder of a user (All editions)
Add a network folder (Standard edition and greater)
Allow users to share a folder (Method 1) (All editions)
Allow users to share a folder (Method 2) (Standard edition and greater)
Allow users to share a folder (Method 3) (Professional edition and greater)
Block connections from specific IP addresses (blacklisting) (Enterprise edition)
Accept connections only from specific IP addresses (whitelisting) (Professional edition and greater)
Accept connections only from specific users at specific IP addresses (Professional edition and greater)
Restrict some users to connect only from specific IP addresses (Professional edition and greater)
E-mail notification when a file is uploaded (Professional edition and greater)
Move a file to another directory after it's been uploaded (Professional edition and greater)
Add a scheduled task (Professional edition and greater)
Accepting connections from the internet (All editions)
Share a file using CompleteBox (Professional edition and greater)
Customize the web login page (Professional edition and greater)
Host a web-app in CompleteFTP (Professional edition and greater)
Add my own authentication method (Enterprise edition)
Request a CA certificate (All editions)
Install a CA certificate (All editions)
Activate CompleteFTP free (Free edition only)
Activate the paid editions (Standard edition and greater)
Set up a cluster (Enterprise edition only)
ADD A NON-WINDOWS USER
1. Select the 'Users' panel from the side-bar menu.

2. Click the 'Add user' link at the top of the panel. Free edition users: skip to step 4.

3. Select 'Non-Windows user' from the menu.

4. Enter the username and, optionally, other information in the appropriate dialog boxes. Click 'Next'.

5. Enter the password or click 'Random' to generate one randomly. In Standard Edition (or higher) you can also add public keys. Click 'Next'.

Note for Standard, Professional and Enterprise Edition users: if the user is going to be authenticating with a public key then give them a random
6. Set the home directory for this user by creating a new one (default) or selecting an existing one. Click 'Next'.
7. Click the 'Apply' button.

8. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.

The user is now successfully added on the CompleteFTP server and displayed in the user list. Try it out by logging in from a client application.
ADD A WINDOWS USER (STANDARD EDITION ONLY)
1. Select the 'Users' panel from the side-bar menu.

2. Click the 'Add user' link at the top of the panel.

3. Select 'Windows user(s)' from the menu.

4. In the 'Add Windows Users' dialog box, select the user, e.g. 'Fred', to be added from the list.

5. Select the way you want the user's home folder to be created. There are two options here:
(1) Automatically create the user's home folder by checking the 'Automatically create home folders' checkbox (It's selected by default).

(2) Manually create the user's home folder by un-checking the 'Automatically create home folders' checkbox.

6. Click the 'Add selected user(s)' button. If you checked 'Automatically create home folders' then skip to step 8.

7. In 'Home Folder' dialog box, select the user's home folder (default or non-default one) manually. Then click 'OK'.
8. Click the 'Close' button if you don't want to add another Windows user.

9. Click the 'Apply changes' button at the top right of the CompleteFTP Manager.

The users are now successfully added on the CompleteFTP server and displayed in the user list.
ADD A WINDOWS USER (PROFESSIONAL EDITION AND GREATER)
1. Select the 'Users' panel from the side-bar menu.

2. Click the 'Add user' link at the top of the panel.

3. Select 'Windows user(s)' from the menu.

4. In the 'Add Windows Users' dialog box, you can choose either to:
(1) Add server's local users.

OR (2) add domain users. Enter the name of the domain.

 Note: for domains with a very large number of users the size of the list can be restricted and/or a filter can be provided to reduce the number of users listed.
5. In the 'Add Windows Users' dialog box, select the user, e.g. 'Fred', to be added from the list.

6. Select the way you want the user's home folder to be created. There are two options here:
(1) Automatically create the user's home folder by checking the 'Automatically create home folders' checkbox (It's selected by default).

(2) Manually create the user's home folder by un-checking the 'Automatically create home folders' checkbox.

7. Click the 'Add selected user(s)' button. If you checked 'Automatically create home folders' then skip to step 9.

8. In 'Home Folder' dialog box, select the user's home folder (default or non-default one) manually. Then click 'OK'.
 9. Click the 'Close' button.

10. Click the 'Apply changes' button at the top right of the CompleteFTP Manager.

The users are now successfully added on the CompleteFTP server and displayed in the user list.
SET UP PUBLIC-KEY AUTHENTICATION FOR A USER
Before getting started, ensure that the user you want to set up public-key authentication has already been created. In this guide, the 'JoeSmith' user will be used.

To set up public-key authentication for a user, you need to:

I. Enable public key authentication.

II. Set up the user's keys.

Here are the detailed steps:

I. Enable public key authentication

Public key authentication need to be enabled in two places as below. But if you are using Standard/Professional Edition, you just need to go through the first one.

1. Enable public key authentication method in the 'Settings'/'Sites' panel.

a. From the side-bar menu, select the 'Settings' panel (Standard/Professional Edition)

OR the 'Sites' panel (Enterprise Edition).

b. Enable 'PublicKey' authentication method in SFTP settings (It is enabled by default).

c. Set the public key algorithms (optional).

Note: public key authentication uses either the RSA or DSA algorithm. Both of them are enabled by default.
 2. Enabled public key authentication method in the user's properties (Enterprise Edition only).
a. Select the 'Users' panel from the side-bar menu.

b. In the user list, select the user you want to set up the public key authentication for.

c. In the 'User Properties' window, enable 'PublicKey' authentication method for this user in 'Authentication' section.

II. Set up the user's keys

1. Select the 'Users' panel from the side-bar menu.

2. In the user list, select the user you want to set up the public key authentication for.
3. Open the 'Manage Public Keys' dialog box by clicking the ellipsis button (...) on the right of "Public keys" in the 'User Properties' window.

4. Click 'Generate a new keypair for this user and add it to the list' to create a new keypair. You can also use "Import a public key and add it to the list" to import existing
RSA or DSA public keys for this user. Public keys can also be deleted and exported.

5. In the 'Generate SSH Keypair' dialog box, select the desired SSH key type and set the key's size if needed (RSA only). Then click 'OK'.

6. In 'Save User's Private Key' dialog box, navigate to the directory where you want to save the private key securely. Then enter the file's name and click 'Save'.

7. Enter the key's password manually or click 'Random' to generate one randomly, then click 'OK'.
8. Now, the new public key is added to the list. Click 'OK' to close the 'Manage Public Keys' dialog.

9. Click the 'Apply changes' button at the top right of the CompleteFTP Manager.

Now, the new keypair has been generated successfully and the public key has been registered with the CompleteFTP server.
ALLOW ALL USERS FROM A WINDOWS GROUP TO LOG IN
1. Select the 'Users' panel from the side-bar menu.

2. Click the 'General user settings' link at the top of the panel.

3. In the 'General User Settings' dialog box, enable the Automatic Windows authentication method by checking its 'Enabled' checkbox.

4. Set the 'log-in-as' user for this authentication method via the drop-down list (optional).
Note: users connecting via this method are subject to the properties of the 'log-in-as' user. By default, the 'defaultWindows' user is selected

.
5. Click the 'Configure' link to the right to enable logins for users who belong to a particular Windows group.
6. Enter the name of either an Active Directory (AD) or a local group. Then click 'OK'.

7. Click the 'Close' button to close the 'General User Settings' dialog box.

8. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.
AUTHENTICATE USERS FROM A DATABASE
Before starting with this guide, you need to create a data-source corresponding to the database-type you will select in the step 6 of this guide. This data-source may be a
database table, spreadsheet or file containing a list of usernames, passwords or password-hashes, and optionally home directories, groups, password-salts, RSA and/or DSA
public keys.

1. Select the 'Users' panel from the side-bar menu.

2. Click the 'General user settings' link at the top of the panel.

3. In the 'General User Settings' dialog box, enable Database authentication method by checking its 'Enabled' checkbox.

4. Set the 'log-in-as' user for this authentication method via the 'Log in as' drop-down list (optional).
Note: users connecting via this method are subject to the properties of the 'log-in-as' user. By default, the 'defaultDatabase' user is selected.

5. Click the 'Configure' link to open the 'Database Configuration' dialog box.
6. Select the desired database type from the 'Database type' drop-down list. Note that new database types can be added (see here).

7. Enter the connection string into the 'Connection-string' text box. For connection string examples, click the 'examples' link or visit the website connectionstrings.com.

8. Click the 'Test connection' button to verify that it works.

 9. Click the 'OK' button.

10. Enter the SQL query for retrieving the user's password/password-hash into the 'Query for authenticating a user' text box. It may also optionally define a Windows home-
folder, a comma-separated list of groups to which the user belongs and the password-salt.
11. To test, enter the user-name and password of a user who exists in the user database, then click 'Test login' to verify that the SQL query works.

12. Click the 'OK' button.

13. In the 'Password encoding' section, you can select either 'Plain text' option

OR 'MD5/SHA1 hash' option.

14. Click the 'OK' button to close the 'Database Configuration' dialog box.
15. Then click the 'Close' button to close the 'General User Settings' dialog box.

16. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.

Now, all users from the data-source can be authenticated without having to be explicitly added to the CompleteFTP's internal user list.
CHANGE THE HOME FOLDER OF A USER
Before getting started, ensure that the user whose home folder you want to change has already been created. In this guide, the 'JoeSmith' user will be used.

In order to change the home folder of a user, you need to:

I. Change the user's home folder to another folder.

II. Set the permissions for the user's new home folder.

Here are the detailed steps:

I. Change the user's home folder to another folder.

1. Select the 'Users' panel from the side-bar menu.

2. In the user list, select the user whose home folder you want to change, e.g. 'JoeSmith'.

3. In the 'User Properties' window, click the ellipsis button (...) on the right of "Home folder' to change the user's home folder to another folder.

4. In the 'Home Folder' dialog box, create a new folder via the 'Add root folder' or 'Add sub-folder' link. In this tutorial, the 'Add root folder' link is selected.

5. Select the 'Windows Folder' from the menu.

6. In the 'Select a folder' dialog box, do the following.

7. Enter the folder name, e.g. 'MyFolder' then click 'OK'.

8. Click the 'OK' button to close the 'Select a folder' dialog box.
 9. Then click 'OK' to close the 'Home Folder' dialog box.

Verify that the user's home folder has been changed successfully.

II. Set the permissions for the user's new home folder.
1. Select the 'Folders' panel from the side-bar menu.

2. Select the newly added folder in the list, i.e. 'MyFolder'.

3. In the 'Folder Properties' window, set the folder's permissions to allow the user to access it. This depends on the user's type.
a. If the user is a non-Windows user:
In the 'Access (non-Windows users)' section, set the folder's owner to the user, i.e. 'JoeSmith' and give full access to the owner.
 b. If the user is a Windows user (This is not available in Free Edition):
Windows file-system permission may be viewed in the 'Access (Windows users)' section but can't be modified from here, you must use Windows Explorer to edit
Windows permissions.

4. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.
ADD A NETWORK FOLDER
1. Select the 'Folders' panel from the side-bar menu.

2. Select the 'Add root folder' link at the top of the panel. Note that you can also right-click on an existing folder to create a subfolder.

3. Choose the 'Network/Macro Folder' to create a network folder.

4. Enter the Windows path of the folder (in standard format or in UNC format), e.g. "\\MYPC\mydir". Then click 'OK'.

Now, the new network folder is displayed in the folder list.

Note that the Windows permissions of this network folder can be viewed in the 'Access (Windows users)' section in the 'Folder Properties' window (shown below). You must
set Windows permissions for users to access this folder, which can be done using Windows Explorer.

5. Click the 'Apply changes' button at the top right of the CompleteFTP Manager to save the changes.
ALLOW USERS TO SHARE A FOLDER (METHOD 1)
This guide illustrates how to allow multiple users to access a single Windows folder by creating a subfolder under each user's home folder that maps to that Windows folder.

In order to achieve that, you simply need to create a sub-folder in the virtual file-system underneath the home folder of each user that all map to the same folder in the
Windows file-system.

Firstly, ensure that the users have already been created in the Users panel. In this guide, 'FredJones' and 'JoeSmith' non-Windows users will be used.

1. Select the 'Folders' panel from the side-bar menu.

2. Add a Windows subfolder underneath the home folder of each user that maps to the same folder in the Windows file-system.
a. Select the 'FredJones' user from the list then click 'Add sub-folder'.

b. Select the 'Windows Folder' menu item.

c. Select a folder which will be shared among the users, e.g. 'SharedFolder'. You can also create a new one via the 'New Folder' button.

d. The result will look like this.

e. Repeat steps 2.a top 2.c for 'JoeSmith' user.

3. Give full access permissions to the folder to the owner.
a. In Free/Standard edition, select both users then select 'Owner (full)' option in 'Folder Properties' window.

b. In Professional/Enterprise edition, select both users then check all permission checkboxes in the 'Owner' tab.

4. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager to save the changes.
ALLOW USERS TO SHARE A FOLDER (METHOD 2)
This guide illustrates how to allow multiple users, with different Windows home folders, to share a common sub-folder. This is done by using a %UserName% macro in the
Windows path of the home folder so that, even though they all have the same home folder in the virtual file-system, this folder maps to different Windows folders.

Before getting started, ensure that the users have already been created in the Users panel. In this guide, 'FredJones' and 'JoeSmith' non-Windows users will be used.

1. Create a root network/macro folder that contains the %UserName% macro.

a. Select the 'Folders' panel from the side-bar menu.

b. Click the 'Add root folder' link at the top of the panel.

c. Select the 'Network/Macro' folder from the menu.

d. In the 'Network/Macro Folder' dialog box, enter the Windows path of the folder, e.g. 'C:\FTPUsers\%UserName%', then check the 'Automatically create the directory'
checkbox and click 'OK'.

e. Select the folder you've just created, it's probably called 'NetworkMacro Folder 1'.

f. In the 'Folder Properties' window, change the folder's name to a meaningful one, e.g. 'UserHome'.

This will be the home folder in the virtual file-system for the users, although it will map to a different Windows directory for each user.
2. Give full access permissions to /UserHome folder to all users. In other words, all users who have an account on the server will be able to access to their own unique
Windows folder through /UserHome, even if their home folder is elsewhere
a. If you're using Standard Edition, select the 'All users (full)' option in 'Folder Properties' window (It's selected by default).
 b. If you're using Professional/Enterprise Edition, select 'All users' tab and then check all permission checkboxes.

In these higher editions, permissions can be more tightly controlled using groups.
3. Add the folder that will be shared among the users beneath /UserHome.
a. Select the 'UserHome' folder then click the 'Add sub-folder' link.

b. Select the 'Windows Folder' from the menu.

c. In the 'Select a folder' dialog box, select the folder that users will share with one another, e.g. 'SharedFolder'. You can also create a new one via the 'New Folder'
button.
 Now, the 'SharedFolder' is added underneath the 'UserHome' folder.

4. Set the home folders of the users to /UserHome folder.

a. Select the 'Users' panel from the side-bar menu.

b. Select both 'JoeSmith' and 'FredJones' and set their 'Home Folder' to '/UserHome'.

5. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.
ALLOW USERS TO SHARE A FOLDER (METHOD 3)
This guide illustrates how to allow a group of users, who have their own home folder, to share access to a single folder which is not underneath their home folder. This is done
by giving full access permissions to the folder to the group that these users belong to.

Before getting started, ensure that the users have already been created in the Users panel. In this guide, 'FredJones' and 'JoeSmith' non-Windows users will be used.

1. Create a new group.

a. Select the 'Users' panel from the side-bar menu.

b. Click the 'Groups' link at the bottom of the panel.

c. Select the 'Add group' menu item.

d. In the 'Add Group' dialog box, enter the group name, e.g. 'mygroup' and click 'OK'.

2. Add the users to the newly created group.

a. Select both 'FredJones' and 'JoeSmith' from the user list, then right click and select 'Groups' -> 'Add selected users to group' -> 'mygroup'.

b. Now, both 'FredJones' and 'JoeSmith' users have been added to 'mygroup'.

3. Create a folder that will be shared among the users.

a. Select the 'Folders' panel from the side-bar menu.

b. Click the 'Add root folder' link at the top of the panel.
 c. Select the 'Windows Folder' menu item.

d. Select a folder in the list then click 'OK'. You can also create a new one via the 'New Folder' button.

4. Select the 'SharedFolder' folder and set its group property to 'mygroup' in the 'Folder Properties' window.

5. Give full access to the 'SharedFolder' to the 'mygroup'.

6. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager to save the changes.
BLOCK CONNECTIONS FROM SPECIFIC IP ADDRESSES (BLACKLISTING)
This guide illustrates how to allow access from anywhere except specific (blacklisted) IP addresses.

1. From the side-bar menu, select the 'Settings' panel (Professional Edition)

OR the 'Sites' panel (Enterprise Edition).

2. Click the ellipsis button of the 'IP filtering' property of the 'IP filtering and Auto-Banning' category.

3. In the 'IP Filtering dialog', make sure the 'Deny over allow' option is selected.

4. Create a rule to allow connection from all IP addresses.

By default there's a rule that allows connections from all IP address. If you have changed/removed it you'll need to add it again.

Once this is done, all connections will be permitted from any IP address.
5. Create a rule that denies connections from a specific IP address.
a. Add a 'Deny' rule.
 b. Enter the IP address you wish to block, e.g. 10.0.1.152.

Note that it's also possible to deny connections from:

The first one, two or three parts of an IP address, such as 192.168, which specifies all the IP addresses that begin with those parts.
A specific numeric range of IP addresses, such as 192.168.2.100-150.
An Internet host-name.
A LAN network name.
6. Close the 'IP Filtering' dialog then click the 'Apply changes' button.
ACCEPT CONNECTIONS ONLY FROM SPECIFIC IP ADDRESSES (WHITELISTING)
This guide illustrates how to deny access from everywhere except specific (whilelisted) IP addresses.

1. From the side-bar menu, select the 'Settings' panel (Professional Edition)

OR the 'Sites' panel (Enterprise Edition).

2. Click the ellipsis button of the 'IP filtering' property of the 'IP filtering and Auto-Banning' category.

3. In the 'IP Filtering dialog', select the 'Allow over deny' radio button.

4. Create a rule to deny access from all IP addresses.

If there's currently a rule that allows all connections, change this to deny all.

Now, no connections will be allowed from any IP address.

5. Create a rule that allows connections from a specific IP address.
a. Add an 'Allow (unless autobanned)' rule.
 b. Enter the IP address that is permitted to connect to the CompleteFTP server, e.g. 172.16.0.88.

Note that it's also possible to allow connections from:

The first one, two or three parts of an IP address, such as 192.168, which specifies all the IP addresses that begin with those parts.
A specific numeric range of IP addresses, such as 192.168.2.100-150.
An Internet host-name.
A LAN network name.
6. Close the 'IP Filtering' dialog then click the 'Apply changes' button.
ACCEPT CONNECTIONS ONLY FROM SPECIFIC USERS AT SPECIFIC IP ADDRESSES
It's possible to configure CompleteFTP to deny access from all users except some specific users at specific IP addresses.

The main steps will be:

I. Denying access from other IP addresses

II. Allowing specific IP addresses for specific users

Here are the detailed steps:

I. Denying access from other IP addresses

1. From the side-bar menu, select the 'Settings' panel (Professional Edition)

OR the 'Sites' panel (Enterprise Edition).

2. Click the ellipsis button of the 'IP filtering' property of the 'IP filtering and Auto-Banning' category.

3. In the 'IP Filtering dialog', select the 'Allow over deny' radio button.

4. If there's currently a rule that allows all connections, change this to deny all.

Once this is done, no connections will be allowed from any IP addresses.

II. Allowing specific IP addresses for specific users

Now that CompleteFTP has been configured to deny connections by default, we can go ahead and allow specific users to connect from specific IP addresses, as follows:

1. Select the 'Users' panel from the side-bar menu.

2. Select one or more users, e.g. select 'JoeSmith'.

3. Enter the IP address(es) from which the user is allowed to connect. Separate multiple IP addresses with commas, e.g. '10.0.1.138, 10.0.1.123'. Domain-names may
also be used.

4. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.

Now, only 'JoeSmith' user from the specified IP addresses can connect to the CompleteFTP server (check the 'show user-specific rules' checkbox in the 'IP Filtering'
dialog to show the JoeSmith's rules).
RESTRICT SOME USERS TO CONNECT ONLY FROM SPECIFIC IP ADDRESSES
Sometimes it's desirable to allow some users to connect only from specific IP addresses, while allowing all other users to connect from any IP address. This guide will show you
how to do this.

1. From the side-bar menu, select the 'Settings' panel (if you're using Professional Edition)

OR select the 'Sites' panel (if you're using Enterprise Edition)

2. Select the 'IP filtering' property in the 'IP filtering and Auto-banning' category. Then click the ellipsis (...) button.

3. In the 'IP Filtering' dialog, set the precedence to 'Allow over deny' option.

4. Then delete the default rule.

Why? If no rule applies to an incoming connection then the first part of the precedence is used (i.e. 'Deny' for 'Deny over allow' and 'Allow' for 'Allow over deny').
Therefore, unless the user-specific rules that will be defined below apply, then an incoming connection will be allowed.

5. Click the 'Yes' button when the confirmation dialog appears.

6. Check the 'show user-specific rules' checkbox.

7. Now, add a new rule to deny access of 'JoeSmith' user from all IP addresses.
a. Click the empty cell under the 'Action' column then select the 'Deny' action.

b. After the action is selected, the rule is automatically set for all IP addresses. Let it be!

c. Select the 'JoeSmith' user from the list.

 d. Now, the rule that prevents 'JoeSmith' user from connecting to the server from all IP addresses will look like this.

8. Add another rule to allow 'JoeSmith' user to be able to access from specified IP addresses.
a. Add an 'Allow (unless autobanned)' rule.

b. Enter the IP address from which 'JoeSmith' user is allowed to connect, e.g. 172.16.0.88.
 c. Then Select the 'JoeSmith' user from the list, who this rule will apply for.

d. Now, the rule that allow 'JoeSmith' user to access from the specified IP address will look like this.

9. Close the 'IP Filtering' dialog then click the 'Apply changes' button.
E-MAIL NOTIFICATION WHEN A FILE IS UPLOADED
1. Select the 'Events' panel from the side-bar menu.

2. Select the 'Email Notifications' tab at the top of the panel.

3. Enter the mail server (SMTP server) settings.

a. Specify the server's hostname/IP address, e.g. 'smtp.myserver.com'.

b. Specify the port number (normally port 25)

If you enable SSL connections by checking the "Enabled SSL/TLS" checkbox, the port number will most likely need to be changed - the default SMTP SSL port is 465.

c. Specify the SMTP username and password.

4. Click the 'Add' button to create a new email notification.

5. Select the email notification you just created, it's probably called 'New email notification 1'.

6. Enter an appropriate name for this email notification, e.g. 'New file upload'.

7. In the 'Events' section, click the 'Choose' button.

8. Then select the 'Upload file' from the menu.

 Once the event type is selected, extra fields appear below.

9. Select the 'Trigger on success' checkbox (it is selected by default).

10. Enter the folder- or file-path filter to select the files/folders for which the event should be triggered. E.g. the filter 'Home/*' will match all files/folders under the /Home folder.

Macros can be selected via the folder filter's left arrow button.

11. Select users for which an event should occur from the 'User Filter' dropdown list. By default, all users are selected.

12. Select sites for which an event should occur from the 'Site Filter' dropdown list (Enterprise Edition only). By default, all sites are selected.

13. Enter the email address that the email notification is to be sent from, e.g. '[email protected]'.

Macros can be used and selected via the left arrow button.

14. Enter the email address the email notification is to be sent to, e.g. '[email protected]'. Macros can also be used here. The list of macros is same as the From field's.

15. Enter the subject of the notification message. E.g. 'A new file has been uploaded" %FileName%'.

Various macros can be used here. Click the Subject's left arrow button to select them.
16. Enter the body of the notification message. E.g. 'A new file has been uploaded: User = %LoginUserName%, Path = %VirtualPath%'. Various macros can also be used here.
The list of macros is same as the Subject's.

17. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager.
MOVE A FILE TO ANOTHER DIRECTORY AFTER IT'S BEEN UPLOADED
1. Select the 'Events' panel from the side-bar menu.

2. Select the 'Process Triggers' tab at the top of the panel.

3. Click the 'Add' button to create a new process trigger.

4. Select the process trigger you just created, it's probably called 'New process trigger 1'.

5. Enter an appropriate name for this process trigger, e.g. 'Move on upload'.

6. In the 'Events' section, click the 'Choose' button.

7. Then select the 'Upload file' event.

8. After the event is selected, some extra fields are added on the panel. Now, select the 'Trigger on success' checkbox (It is selected by default).

9. Enter the folder- or file-path filter to select the files/folders for which the event should be triggered. E.g. the filter 'Home/*' will match all files/folders under the /Home folder.

Macros can be selected via the folder filter's left arrow button.

10. Select users for which an event should occur from the 'User Filter' dropdown list. By default, all users are selected.

11. Select sites for which an event should occur from the 'Site Filter' dropdown list (Enterprise Edition only). By default, all sites are selected.
12. Select the 'Batch script' radio button.

13. Enter the following script which will move uploaded files to the directory, 'C:\FTP\Incomming\username\' while username is the name of the logged in user.

Various macros can be used here. Click the script's left arrow button to select them.

14. Specify the working directory (optional).

15. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager to save the changes.

Now, every time a file is uploaded to the CompleteFTP server, the uploaded file will be moved to C:\FTP\Incoming.
ADD A SCHEDULED TASK
This guide demonstrates how to create an automated task with the CompleteFTP Manager. You can schedule a program to run or a batch/Powershell/JSS/FTP script to be
executed at a specified scheduled or at specific times.

This guide will show you how to create a scheduled task to upload a file to another server at a specific time using FTP script. Here are the steps:

1. Select the 'Events' menu item from the side-bar menu.

2. Select the 'Process Triggers' tab at the top of the panel.

3. Click the 'Add' button to create a new process trigger.

4. Select the process trigger you just created, it's probably called 'New process trigger 1'.

5. Enter an appropriate name for this process trigger, e.g. 'Upload schedule'.

6. In the 'Events' section, click the 'Choose' button.

7. Select the 'Scheduled' event.

8. Click the 'change' link next to the 'Scheduled' checkbox to open the 'Set Schedule' dialog box.

9. Select the 'Specific dates/times' radio button.

10. Select the 'Add' button.

11. Set a date time when you want the file to be uploaded.

12. Close the 'Set Schedule' dialog box.

13. Select the 'FTP script' radio button.

14. Enter the following script which will upload the file, 'Process.docx', to the remote server (10.0.1.134).

15. Specify the working directory (optional).

16. Finally, click the 'Apply changes' button at the top right of the CompleteFTP Manager to save the changes.
ACCEPTING CONNECTIONS FROM THE INTERNET
Normally, when CompleteFTP is initially installed, it can only accept connections from users who are within the local network. This is because (1) the computer on which
CompleteFTP is installed is behind a router, so connections requests that are made from the Internet never reach it, and (2) the Windows Firewall may be blocking incoming
connections. These are normally desirable as they protect your computer, but sometimes you may need to allow users outside of the local network to connect. Let's say a
CompleteFTP server has been set up at your workplace and you want to access to it from anywhere via the internet to share files.

In order to do that, you may need to configure the router and the Windows firewall of the server's machine to allow external connections to your server. Here are the steps:

1. Open the CompleteFTP Manager and connect to the server.

2. Make sure the required protocols are enabled in both 'Settings'/'Sites' panel and 'Users' panel -> 'User Properties' of each user.
3. Configure the 'Passive (PASV) transfer settings'. Skip this step if neither FTP nor FTPS are enabled.
a. In 'Settings'/'Sites' panel, go to 'FTP/FTPS' -> 'Advanced FTP/FTPS Settings' -> 'Passive (PASV) Transfer Settings'.
b. Limit the number of ports for passive mode FTP.
The number of ports in the range should be of the same order of magnitude as the maximum total number of files that clients will be transferring at any one time. If
that maximum is, say, 10, then a port-range of 20 would suffice, but since there are over 60,000 ports available we may as well make it 100. The port range should be
chosen so that it doesn't clash with those used by other services on the computer. This can be checked in the 'TCP Port Usage' tab of the 'Monitoring' section (look in
the 'Local Port' column).

c. Click the 'Apply changes' button.

4. Configure port forwarding on the router.

If your CompleteFTP server is behind a router, you need to access to your router's configuration page and configure your router to forward the following ports to your
CompleteFTP server.

FTP/Explicit FTPS - port 21.

Legacy or implicit FTPS - port 990.
SFTP/SCP/SSH - port 22.
HTTP - port 80.
HTTPS - port 443.

In addition, if FTP or FTPS are enabled then connections to all ports in the range chosen in step 3b) must also be forwarded to the server.

The way to configure port forwarding on the router depends on the type of router installed, so you should consult your router's documentation for appropriate steps.

5. Configure Windows firewall of the server's machine.

You need to create an inbound firewall rule to allow connections to the ports on which CompleteFTP server is listening (these ports are same as ports in step 4). And
also, don't forget to set the passive (or PASV) port range in the firewall to permit users to connect in this range in case FTP or FTPS are enabled.

The steps to configure the firewall depend on the specific firewall being used. Refer to the documentation of the firewall for specific instructions.
SHARE A FILE USING COMPLETEBOX
Before getting started, ensure that CompleteBox has been installed on the machine that files are being shared from and that it has been enabled on your CompleteFTP server.

To share a file follow these steps:

1. Open the CompleteBox dialog by selecting the CompleteBox icon in the Windows system tray. Then click the green cross to start sharing a file.

2. In the 'Select a file to upload' dialog box, do the following.

3. Once selected, the files will be shared on the file sharing server via a secure connection. A public link to the file is generated and automatically copied to clipboard. You can
now paste the link into an e-mail or a chat client, as required.

4. If, at a later time, you need to retrieve the link you can click on the file in CompleteBox and select 'Copy link to clipboard'.
CUSTOMIZE THE WEB LOGIN PAGE
When you first access to the CompleteFTP server via HTTP/HTTPS protocol, the following default HTML will show up.

To customize this page, you need to:

1. Open the file, C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Public\index.html, in a text editor and modify it. You can use any HTML you like there,
including images and even Javascript. Here's a very simple home page:

<html>
<body>
<h1>ACME Products</h1>
<p>Unauthorized access prohibited.</p>
<a href="/login">Login</a>
</body>
</html>

2. Save the changes you've made then navigate to that page again to see how it looks now.
HOST A WEB-APP IN COMPLETEFTP
This tutorial will give you two simple examples on how to host web-applications in CompleteFTP.

Before getting started, you need to enable the 'Server-side Javascript (JSS)' property on the site serving up the page.

1. From the side-bar menu, select the 'Settings' panel (Professional Edition)

OR select the 'Sites' panel (Enterprise Edition).

2. Enable JSS for the site by checking the 'JSS enabled' checkbox in the Site Settings HTTP/HTTPS category.

3. Enable JSS for the user who is the owner of the folder in which the JSS file will be placed, as follows:
a. Select the 'Users' panel from the side-bar menu.

b. Select the user whose home folder will contain the jss file, e.g. 'JoeSmith'.

Note that the owner of the /Public folder is the user called 'anonymous', which is hidden by default. To show it check the 'Show system users/folder/sites' item in the
View menu at the bottom left.
c. In the 'User Properties' window, check the 'JSS(Server-side Javascript)' checkbox.

4. Click the 'Apply changes' button at the top right of the CompleteFTP Manager.

Now, let's create our own web-application in Javascript.

Example 1
In this example, we create a web-app that simply displays 'Hello world' and is available publicly.

1. Create a text file called helloworld.jss with the following content.

response.write("Hello world");

2. Save it in C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Public.

3. Since 'anonymous' is the owner of /Public, JSS must be enabled for that user, as described above.
4. Now navigate to http://localhost/helloworld.jss. A web-page just saying 'Hello world' will show up.

Example 2

In this example, we're going to create a .jss file in a user's home directory and execute it as a JSS web application. This web-app will be available only to the user.

1. Create a file called listFiles.jss with the following content:

response.write("<h1>" + system.user.homeFolder + "</h1>");

response.write("");

var homeFolder = system.getFile(system.user.homeFolder)

var files = homeFolder.getFiles();
files.forEach(function(file) {
response.write("" + file.name + "")
});

response.write("");

2. Save it in the JoeSmith's home directory, i.e. C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Users\JoeSmith.
3. Enable JSS for the JoeSmith user, as described above.
4. Then go to URL http://localhost/Home/joesmith/listFiles.jss, you should see a listing of all the files in the directory.
For more information on developing JSS web-app, please refer to JSS Web-App Basics and the JSS API Guide.
ADD MY OWN AUTHENTICATION METHOD
This example will show you how to create your own authentication method using JSS. It's also possible to implement authentication extensions in .NET.

1. Select the 'Extensions' panel from the side-bar menu.

2. Select the 'Extensions' tab at the top of the panel.

3. Click the 'Add extension' button.

4. Select 'Javascript (JSS) extension' then 'Authentication' menu item.

5. In the 'Enable Authenticator' dialog, Click the 'Yes' button to enabled this authenticator.

6. In the code editor, select 'Code' then 'Simple authentication' menu item.

7. Then enter your JSS code. The example is shown below.

8. Click the 'Apply changes' button at the top right of the CompleteFTP Manager.

Now, try to log in using the username 'myuser' and the password 'mypassword', you will be able to log in successfully.
CONFIGURE SAML SINGLE SIGN ON WITH ONELOGIN
This guide illustrates how to configure CompleteFTP as a SAML Service Provider (SP) with OneLogin as an Identity Provider (IDP). Please note that this requires the
Enterprise Edition.

1. Configure OneLogin as the Identity Provider (IDP).

a. Create a free account at OneLogin and log in.
b. Navigate to Apps → Add Apps.

c. Enter 'saml' into the search box, then pick 'SAML Test Connector (IdP)' from the list.

d. Enter the app's name into the 'Display Name' field (e.g. CompleteFTP) then click the 'Save' button.

e. Go to the 'Configuration' tab and...

i. Enter your CompleteFTP server's address into 'Audience' and 'Recipient' fields. This URL will also be used in in step 2e below.
ii. Append '/Saml/Login' to the site's URL and put the whole URL, i.e. https://myserver/Saml/Login, into the 'ACS (Consumer) URL' field.
iii. Convert the 'ACS (Consumer) URL' into a regular expression and put that into 'ACS (Consumer) URL Validator' field. Note that all dots and backslashes in the
URL must be preceded by backslashes. For more information, please visit this link.
 f. Next, go to the SSO tab, copy the Issuer URL to the clipboard for later use. This is the URL that the IDP's metadata file can be downloaded from.

g. Click the 'Save' button in the top right corner to save the configuration.

h. The app is now created but no one has been given permissions to access it (see below).
Please visit this link for detailed instructions on how to give users access to the app.

2. Configure CompleteFTP as the Service Provider (SP)

a. Open the CompleteFTP Manager, select the 'Users' panel from the side-bar menu.
b. Click the 'General user settings' link at the top of the panel.

c. Enable the Single sign-on/SAML authenticator by checking its 'Enabled' checkbox.

d. Click the 'Configure' link to open the 'Single sign-on/SAML Configuration' dialog.

e. Enter the site's URL. This is the URL of the CompleteFTP server's site on which the Single sign-on/SAML authenticator is enabled.
Note that if the site is configured to use a non-standard port (i.e. 80 for HTTP and 443 for HTTPS) then the site URL must include the port number (e.g.
https://myserver:1443).
f. Enter the administrative contact details.
Note that all fields are mandatory.

g. Now, register OneLogin as an IDP in CompleteFTP by clicking 'Add IDP' link.

h. That brings up the 'Import IDP Metadata' dialog. Let's click 'Website' button.
i. Paste the URL copied in step 1f into the text-field and click 'OK' button.

j. A row should have been added to the list. Let's enter a name for it (e.g. OneLogin) into the 'Name' field.

k. Close the 'Single sign-on/SAML Configuration' dialog.

 l. Close the 'General User Settings' dialog.

m. Click the apply changes button.

3. Alright, OneLogin should now be configured as an IDP for your server. Now, let's see how it works.
a. Navigate to your CompleteFTP server via HTTPS protocol and click the 'Login' link.

b. The CompleteFTP login page is displayed. Let's login via OneLogin by clicking the OneLogin button.
c. You will be taken to the OneLogin login page. Now, enter the credentials of a OneLogin user who has been given permissions to access the OneLogin's app in step
1h above. Then click 'Log in'.

d. Once you've logged in successfully, you'll be redirected back to CompleteFTP where the File Manager is showing up.
REQUEST A CA CERTIFICATE
In order to purchase a CA SSL certificate from a CA, a Certificate Signing Request (CSR) must be generated. This guide will demonstrate how to generate a CSR using the
CompleteFTP Manager

1. From the side-bar menu, select the 'Sites' panel (Enterprise Edition):

OR the 'Settings' panel (other Editions)

2. Click 'FTP/FTPS' -> 'Advanced FTP/FTPS Settings' -> 'Security Settings' -> 'Server certificate' then select the ellipsis (...) button.

3. In the 'Server Certificate' dialog box, click the 'Generate a certificate signing request (CSR)' link.

4. Choose OK when the notice appears.

5. Enter the certificate details and press OK.

6. Enter the private key password or click the 'Random' link to generate one randomly. Then press 'OK'.

7. The private key is generated this key must be saved to a secure location for use with the issued certificate. Do not lose it! Your certificate is of no use without the
corresponding private key.

8. The CSR file is generated. Enter the name for it and click 'Save'.

9. Click OK to confirm the notice about CSR generated.

Now your private key and CSR file are ready to use. Your CA will request either the CSR file itself or its content.
INSTALL A CA CERTIFICATE
This guide demonstrates how to install your SSL Certificate for CompleteFTP. Before installing the SSL Certificate, you first need to create a Certificate Signing Request
(CSR).

1. From the side-bar menu, select the 'Sites' panel (Enterprise Edition):

OR the 'Settings' panel (other Editions)

2. Click 'FTP/FTPS' -> 'Advanced FTP/FTPS Settings' -> 'Security Settings' -> 'Server certificate' then select the ellipsis (...) button

.
3. In the 'Server Certificate' dialog box, select the 'Import a certificate from a file' link.

4. Choose 'Yes' in the Warning about the existing certificate will be overwritten.

5. Choose the certificate file that contains the server certificate.

6. Choose the private key which was generated when you created CSR file.

7. Then enter the password that you set when your private key had been generated and click OK.

8. Finally, click the 'Apply changes' button to save the changes.

Your SSL Certificate is now installed and ready to use.

ACTIVATE COMPLETEFTP FREE
1. Select the 'Activation' panel from the side-bar menu.

2. Click the 'activate for free' link.

3. If you do not have an account with EnterpriseDT then follow the following steps to create a new one.
a. Choose 'No' button.

b. Enter a valid e-mail address, your name and, optionally, the name of your company.

c. Click the 'Request verification code' button. This will tell the EnterpriseDT server to send a verification code to the e-mail address that you entered. It should arrive
within a minute or so.
d. Copy the verification code from the e-mail to the clipboard.

e. Paste the code into the last field on the 'User Registration' form.

f. Click the 'Register' button.

g. After a few seconds your account will have been registered and your server activated. Press 'OK' button when the 'Activation Applied' dialog pops up.
 4. If you already have an account then follow the following steps to activate a Free Edition server using your existing account.
a. Choose 'Yes' button.

b. Enter the user-name that you received when you first registered your account and the password you set for this account.

c. Then Click the 'Activate' button. CompleteFTP Manager will automatically activate your server.

d. Now, your server has been activated successfully.

Activating Free Edition without a direct Internet connection

In case the machine on which CompleteFTP Manager is running doesn't have an Internet connection then please follow the steps below:

1. Select the 'Activation' panel from the side-bar menu.

2. Click the 'activate for free' link.

3. You will be asked whether or not you have an account with EnterpriseDT. Click 'Yes' or 'No'.

4. In the dialog pops up, Click the 'here' link at the top to open the 'Browser-Based Activation' dialog.

5. If you've previously registered for a free license then use the License ID that was e-mailed to you. If you haven't previously registered then follow the 'register now' link in
step 0 to register you account and receive your License ID (by e-mail).

6. Enter the License ID in step 1.

7. Click the link marked 'copy' in step 2 to copy it to the clipboard.

 8. Send the link a computer that does have Internet access and open it.
9. On the web-page that opens enter your user-name and password. Then click 'Sign in'.

10. Copy the Activation Key shown on the web-page to the clipboard.

11. Send the Activation Key to the computer that's running CompleteFTP.
12. Paste the Activation Key into the field in step 4.
13. Click 'OK' to complete activation.

14. Now, your server has been activated successfully. Click the 'OK' button when the notice appears.
ACTIVATE THE PAID EDITIONS
An installation of CompleteFTP Standard, Professional or Enterprise Edition can be activated via the Licensing panel in the CompleteFTP Manager but first of all, you need to
purchase a license. Licenses may be ordered from the EnterpriseDT web-site.

Once your order has been processed a message will be sent to the technical contact e-mail address that you provided. This message will contain the Purchase Reference of
your order, your user-name and a link that you can use to set your password. You will need your password to activate your installation. Once you have your password please
complete the following steps:

1. Open CompleteFTP Manager and connect to your server.

2. Select the 'Licensing' menu item from the side-bar menu.

3. Click the 'Apply purchased license' link.

4. If the computer on which CompleteFTP Manager is running has an Internet connection then follow the steps below.
a. Enter the Purchase Reference, user-name and password in the appropriate text fields.

b. Then Click the 'Activate' button.

 c. Your server will have been activated within a few seconds. Click the 'OK' button when the notice appears.

5. If the computer on which CompleteFTP Manager is running has no Internet connection then follow the steps below.
a. Click the 'here' link at the top of the 'Direct Activation' form.

b. Enter the Purchase Reference in step 1.

c. Click the link marked 'copy' in step 2 to copy it to the clipboard.

d. Send the link a computer that does have Internet access and open it.
e. On the web-page that opens enter your user-name and password. Then click 'Sign in'.

f. Copy the Activation Key shown on the web-page to the clipboard.

g. Send the Activation Key to the computer that's running CompleteFTP.

h. Paste the Activation Key into the field in step 4.

i. Click 'OK' to complete activation.

 j. Now, your server has been activated successfully. Click the 'OK' button when the notice appears.

Activating with a Universal Activation Key (UAK)

If you've purchased a corporate license (for any paid edition) then you're eligible for a UAK. A UAK will activate any machine without any need to connect to the EnterpriseDT
website. Please e-mail [email protected] to obtain your UAK.

Follow these steps to activate a server using a UAK:

1. Run the CompleteFTP manager and connect to the CompleteFTP server instance that you wish to activate (usually localhost).

2. Select the 'Licensing' menu item from the side-bar menu.

3. Click the 'Apply purchased license' link.

4. In the 'Direct Activation' form, click the 'here' link at the top to open the 'Browser-Based Activation' form. Do this regardless of whether or not the computer actually has an
 Internet connection.

5. Paste the universal AK you have been sent into the CompleteFTP manager in Step 4.

6. Select "OK" button.

7. It should now be activated. Click the 'OK' button when the notice appears.
SET UP A CLUSTER
Before setting up a cluster, you need to ensure that:

1. The firewall rules are configured to allow the primary server to communicate with the secondary servers.
2. Each secondary server's IP filtering rules permit the primary server to contact them. You can add a new rule by the steps below:
a. Connect to each secondary server.
b. Select the 'Sites' menu item from the side-bar menu.

c. Check 'Show system users/folders/sites' in the Options menu at the bottom left of the window.

d. Select the 'Admin' site in the site list.

e. Select the 'IP filtering' property in the 'IP filtering and Auto-banning' category. Then click the ellipsis (...) button.

f. In the 'IP Filtering' window, add a new IP Filter rule that allows the primary server to connect to the secondary if the default rules do not satisfy your needs.

Now, connect to the primary server and start setting up a cluster.

1. Select the 'Servers' menu item from the side-bar menu.

The 'Servers' panel will show up.

2. Click the 'Add server' link at the bottom of the panel to add a server as a secondary.

3. Enter the secondary server's details.

4. Then click 'Next'.

5. Click 'Add' to start adding the secondary server to the cluster.

6. The new server will be added to the cluster as a secondary server. Click the 'Close' button to close the 'Add server' dialog box.

Now, the newly added secondary server is displayed in the list.

OVERVIEW
The Overview panel allows the administrator to combine a series of views within the one panel.

Views may be shown/hidden via the Options menu in the bottom-left of the window. Views can be resized, moved, docked to any edge, combined into tabs and moved into
separate "floating" windows. A view may be resized by dragging its edge and moved by dragging its title-bar. While a view is being dragged several icons are shown overlaid on
the window; dropping the view onto one of these will dock it to an edge or place it in a tab. The video below illustrates some ways in which panels may be configured:

The properties view shows the properties of the currently selected site, user or folder. If the property view is already visible then it will automatically change as different items
are selected. If it is not visible then it may be displayed by right-click on a user or a folder and selected Properties.
SETTINGS/SITES
A CompleteFTP site consists of a related group of protocols and port numbers - for example the default ports for FTP on port 21 and SFTP on port 22 make up the "Default
site" (below). Sites have their own settings, including public keys and certificates. Every installation of CompleteFTP supports at least two sites - the 'Admin site' and the
'Default site'.

Default site

As described above, the "Default site" consists of a group of protocols on their standard port numbers - FTP/FTPS on port 21, and SSH/SCP/SFTP on port 22 (and optionally
HTTP on port 80 and HTTPS on port 443). These are the port numbers and protocols most often used, and generally will not need to be modified, although the port numbers
can be changed if required. In the Standard Edition and Professional Edition, the default site is configured via the Settings panel.

In the Enterprise Edition, the default site is configured via the Sites panel.
Admin site

The "Admin site" is what the CompleteFTP manager connects to, to administer the server instance. By default the server listens on port 14983 for SFTP connections from the
manager. The Admin site cannot be deleted (the server could not be administered). Settings should be changed with care - if the port numbers are altered administrators must
be informed of the changes. In the Standard Edition and Professional Edition, the Admin site is configured via the Admin panel.

In the Enterprise Edition, the Admin site is displayed in Sites by checking 'Show system users/folders/sites' in the Options menu at the bottom left of the window.
Additional sites

The Enterprise Edition of CompleteFTP supports the creation and administration of multiple sites.
FTP/FTPS
FTP (File Transfer Protocol) is a well established Internet protocol designed to transfer files (and information about files) across networks using TCP (Transmission Control
Protocol). FTP is defined in the Request For Comments 959 document ( RFC 959), which can be obtained from the Internet Engineering Task Force.

FTPS is FTP over SSL. There are two incompatible variants of FTPS: explicit and implicit. FTPS explicit is the most recent and most widely used variant. FTPS implicit is older
and is generally being phased out. FTP and FTPS explicit can coexist on the same port (usually 21), in fact FTPS explicit connections start out as FTP connections before
being switched to SSL. FTPS implicit requires its own dedicated port (usually 990).

The various FTP/FTPS settings that are available to configure CompleteFTP are described below. Note that settings must be saved via the Apply Changes button, otherwise
they will be lost.

Setting Description
FTP If checked, the FTP protocol is enabled. If not checked, the FTP protocol will not be supported by the server (although FTPS may be enabled,
enabled below).
FTPS
explicit
If checked, the FTPS protocol (explicit mode) is enabled. If not checked, FTPS explicit mode will not be supported by the server. If "FTP
enabled
enabled" is not checked and FTPS (either implicit or explicit or both) is, then users are forced to use FTPS (i.e. they must connect securely).
(standard
FTPS)
FTPS
implicit If checked, the FTPS protocol (implicit mode) is enabled. This is a legacy form of FTPS that is still widely used. If not checked, FTPS implicit
enabled mode will not be supported by the server. If "FTP enabled" is not checked and FTPS (either implicit or explicit or both) is, then users are forced
(legacy to use FTPS (i.e. they must connect securely).
FTPS)
Anonymous If checked, anonymous access is enabled. This means connections can be made by logging in as an anonymous user rather than as a named
logins user with a password.
enabled
Max no. of
anonymous The maximum number of simultaneous anoynmous connections permitted to the server.
connections
Advanced FTP/FTPS Settings
Port for
FTP/FTPS Port that is used for FTP and FTPS in explicit mode. The standard port number for FTP and explicit FTPS is port 21.
explicit
Port for
FTPS Port that is used for FTPS in implicit mode. The standard port number for implicit FTPS is port 990.
implicit
Listening IP Lists the IP addresses to listen on for this protocol. All network interfaces can be selected, or individual interfaces selected.
addresses
Folder Format of folder listings being sent back to clients. In the FTP protocol folder listings are sent back to the client as plain text. This setting controls
listing the format of this plain text. This is particularly significant for non-console client applications, which usually parse the directory listings
format automatically.
Character Character set that is used for encoding file-names.
set
Passive (PASV) Transfer Settings
 In passive (PASV) mode transfers, the server listens on a random port between the minimum and the maximum port numbers specified, waiting
for a connection from the client to this port. The server sends the client a reply to the PASV command that provides the IP address to connect to
External IP
address and the port number. This setting allows a hard-coded IP address to be set. If not set, the IP address of the interface that the server is listening
on is provided. This setting is required in cases where the IP address of the server is not reachable by clients. For example, the client may need
to connect to another IP address that is accessible externally, and a NAT device may direct the connection to the server.
In passive mode transfers, some routers don't cope with a hard-coded external IP address as set in External IP address - they expect to see the
Use local LAN IP address in the PASV reply, and they replace this local address with the external IP address themselves. If the local LAN IP address
external IP is not found, some routers will abruptly terminate the connection. The solution in these situations is to only supply the hard-coded external IP
address for address for encrypted (i.e. FTPS) connections, which the router can't inspect (and hence can't know what IP address is in the PASV reply). To
do this, select the "FTPS only" setting rather than "FTP/FTPS" (which is the default).
Minimum This is the minimum port number used in passive (PASV) mode. In PASV mode transfers, the server listens on a random port between the
port number minimum and the maximum port numbers specified, waiting for a connection from the client to this port.
Maximum This is the maximum port number used in passive (PASV) mode. In PASV mode transfers, the server listens on a random port between the
port number minimum and the maximum port numbers specified, waiting for a connection from the client to this port.
Security Settings
Clients This option controls whether or not certificates should be requested from FTPS clients. If they are required then the client must send a certificate
must supply that may be validated against the Windows certificate store. This means that its issuer's certificate must be in the Windows 'Trusted root
certificates certificate authorities' store.
Displays the dialog for controlling the server certificate. A server certificate must be set if FTPS or HTTPS is enabled. The dialog displays the
Server current certificate's properties, and enables a new self-signed certificate to be generated. Also, a certificate signing request (CSR) can be
created to send to a certificate authority (CA) to obtain a CA certficate.
certificate
This property is shared with the HTTP/HTTPS settings.
Available
This setting controls the cipher suites that can be used. Generally, the default is appropriate unless there are special requirements for a
cipher
particular algorithm.
suites
Minimum
This setting controls the minimum version of SSL/TLS supported on this site (for both FTPS and HTTPS). The default is TLS 1.0, which means
SSL
that SSL 3.0 is not supported by default. This ensures that the server is not vulnerable to the security flaws of SSL 3.0.
version
SFTP/SCP/SSH
SFTP is an abbreviation for "SSH File Transfer Protocol"", and is exactly that - a protocol for transferring files over an SSH connection. SFTP is not the standard FTP protocol
running over SSH. Although SFTP has similar capabilities and even similar commands to standard FTP, these similarities are purely superficial. The protocol is completely
different and incompatible with FTP and its secure extension, FTPS. SCP is also a file transfer protocol that runs over SSH connections. It is a precursor to SFTP, and allows
the copying of files and directories over SSH.

The various SFTP/SCP/SSH settings that are available to configure CompleteFTP are described below. Note that settings must be saved via the Apply Changes button,
otherwise they will be lost.

Note that SFTP is not supported in the Free Edition, and that SCP and SSH terminals are not supported in the Standard Edition. The Professional and Enterprise Editions
support all features described in this section.

Setting Description
SFTP enabled If checked, the SFTP protocol is enabled. If not checked, the SFTP protocol will not be supported by the server.
SCP enabled
(not available in
If checked, the SCP protocol is enabled. If not checked, the SCP protocol will not be supported by the server.
Standard
Edition)
SSH terminal
access enabled
(not available in If checked, users may (if permitted) log into the server using an SSH terminal. If not checked, SSH terminal access will not be supported by
the server.
Standard
Edition)
Advanced SFTP/SCP/SSH Settings
Port for
Port that is used for SFTP, SCP and SSH. The standard port number is port 22. All of these protocols use the same port number.
SFTP/SCP/SSH
Listening IP Lists the IP addresses to listen on for these protocols. All network interfaces can be selected, or individual interfaces selected.
addresses
Methods of user-authentication that the server accepts. Note that these methods can also be specified at the user level. When a user
logins in, only the authentication methods specified at both levels are available. For example, if the site permits password only, and the
user permits password and publickey, then only password will be available. Available methods are:

Password - only a password is required. A password must be set for each user using the Users view.
Authentication
methods
PublicKey - public key cryptography is used to authenticate the user. For every user the server must have a public key that matches
the client's private key. Note that this method of authentication does not work for Windows users, since a password is required by
Windows to log the user in. Thus Password or PublicKeyAndPassword should be enabled if Windows users are to be allowed to
connect.
PublicKeyAndPassword - both password and public-key authentication is used.

The RSA server key - the private key that the server uses to identify itself. The server normally has a DSA and an RSA key set. This can be
RSA key imported, exported or generated via the menu that appears when selecting the ellipsis (...) in the text box displaying the key's details. Note
that generation of a new server key can take up to 30 seconds. The private key can only be imported or exported if the CompleteFTP
manager is running on the server that the CompleteFTP service is running on.
The DSA server key - the private key that the server uses to identify itself. The server normally has a DSA and an RSA key set. This can be
DSA key imported, exported or generated via the menu that appears when selecting the ellipsis (...) in the text box displaying the key's details. Note
that generation of a new server key can take up to 30 seconds. The private key can only be imported or exported if the CompleteFTP
manager is running on the server that the CompleteFTP service is running on.
Algorithms
Available key
Controls what key exchange methods are supported by the server. It is rare that the defaults should be changed. It is possible that an
exchange
administrator may want to disable weaker key exchange methods.
methods

Available ciphers Controls what ciphers are available to SSH for encrypting data. The default setting of All should generally be used unless some ciphers are
required to be disabled.
Available ciphers Controls what ciphers are available to SSH for encrypting data. The default setting of All should generally be used unless some ciphers are
required to be disabled.
Compression Permits the compression algorithms used in SSH to be selected. For example, if zlib compression is to be forced, then 'None' would need
algorithms to be unselected.

MAC algorithms Permits the MAC algorithms used in SSH to be selected. The default setting of All should generally be used unless some MACs are
required to be disabled.
Public key Controls what public key algorithms are supported by the server. For example, RSA public keys can be forced by disabling DSA.
algorithms
HTTP/HTTPS SETTINGS
HTTP/HTTPS is supported in the Professional and Enterprise Editions.

The various HTTP/HTTPS settings that are available to configure CompleteFTP sites are described below. Note that settings changes must be saved via the Apply Changes
button, otherwise they will be lost.

Please note that HTTP and HTTPS should not be enabled until any other HTTP/HTTPS services on the server machine are shut down, e.g. IIS and Apache. Other products
such as Skype also use the HTTP and HTTPS default ports of 80 and 443. If in doubt, use netstat to check what ports are in use. Note that these products can be run
simultaneously, but must be configured so their port numbers do not clash. Both Apache and CompleteFTP can be set up with HTTP/S port numbers that differ from the default
ports.

There are additional HTTP settings in Limits & Timeouts.

For HTTPS security settings, see the FTP/FTPS Security Settings (as they are shared).

Setting Description

HTTP Enabled If checked, the HTTP protocol is enabled. If not checked, HTTP will not be supported by the server. If enabling, ensure that
other HTTP servers are not running on the server machine.

HTTPS Enabled If checked, the HTTPS protocol is enabled. If not checked, HTTPS will not be supported by the server. If enabling, ensure that
other HTTPS servers are not running on the server machine.
If checked, unauthenticated users will be able to access any file in the public folder. Unauthenticated users are represented by
Public HTTP access enabled the user called 'anonymous' (which can be found in Users panel and by selecting "Show system users/folders/sites" in the main
form's Options menu). By default the home-folder of this user is /Public, so this is the folder that will be publicly accessible if
this option is enabled.
JSS enabled Enable JSS (Javascript Server-Side) for this site.
Port for HTTP Port that is used for HTTP. The standard port number for HTTP is port 80.
Port for HTTPS Port that is used for HTTPS. The standard port number for HTTP is port 443.
Listening IP addresses Lists the IP addresses to listen on for this protocol. All network interfaces can be selected, or individual interfaces selected.
Site-default web-app that users will be redirect to after logging in. This is usually the web-based file-manager. This setting may
Home web-app
be overridden by the home web-app setting for individual users.
Displays the configured web features. Clicking on the ellipsis (...) will bring up a dialogue box listing each web feature, and
showing the configured URL path used by clients to access the application, and whether or not it is enabled. The URL path
aan be modified here, and the enabled or disabled status.
By default, the Professional and Enterprise Editions support the FileManager1 and FileManager2 features, which allow
users to manage files via their browser. FileManager1 is only suitable for desktops, whereas the more modern
Web features FileManager2 is a responsive web-app that works well both on desktops and mobile devices.
The WebAdmin application provides basic configuration functions through a browser interface: either desktop or mobile.
The FileServer application is responsible for serving files via HTTP. If it's disabled, individual files will be unavailable HTTP.
The FileSharing feature controls access to shared files via HTTP. The Login and Logout feature controls HTTP user logins
and logouts. The CustomCommand feature controls the Custom Command Script feature.The SamlSingleSignOn is
required for SAML single-sign-on to work.
Controls the format in which directory listings are displayed to the user. Directories may be listed by users by entering a URL
specifying the path of a directory. The listing is rendered using HTML containing macros, such as %FileName%. Clicking on
Listing template
the ellipsis (...) will bring up a dialog permitting the user to enter their own template. See How to format HTML listings for more
information.
Controls the format in which HTTP errors are displayed to the user. The default template uses Javascript to redirect the user to
Error template their home folder for 403 errors. Clicking on the ellipsis (...) will bring up a dialog permitting the user to enter their own
template.
 A custom header is a HTTP header field that will be include with every HTTP response.By default, the following headers
are included: Strict-Transport-Security (value=frame-ancestors self), Content-Security-Policy (value=max-age=31536000;
includeSubdomains), X-Frame-Options (value=sameorigin) and X-XSS-Protection (value=value).These may be modified
Custom headers or removed as required, and any other desired headers may be added.
CompleteFTP will automatically generate headers, such as Content-Length, Content-Type, Date, Keep-Alive as required.
Content-type is calculated using MIME types (see below).
A MIME type, or Internet media type, is a two part identifier for file formats. In its most basic form, it defines the type and the
subtype for a file extension. For example, HTML files are defined as "text/html". The webserver sends the MIME type to the
Custom MIME types browser as part of the file being downloaded, and the browser uses the MIME type to decide how best to display the file. An
HTML file, with a MIME type of "text/html", will be displayed as a web page. Most common MIME types are included by default
in CompleteFTP. Custom MIME types can be added, either as additional file types or to override default MIME types.
If this option is enabled then HTTP logins to CompleteFTP will be handled by the browser (usually via HTTP basic
HTTP authentication (legacy) authentication) rather than by the CompleteFTP login page. This is not generally recommended as it can cause problems with
logouts. SAML Single Sign-On will not work if this option is enabled.
Displays the dialog for controlling the server certificate. A server certificate must be set if FTPS or HTTPS is enabled. The
dialog displays the current certificate's properties, and enables a new self-signed certificate to be generated. Also, a
Server certificate certificate signing request (CSR) can be created to send to a certificate authority (CA) to obtain a CA certficate.

This property is shared with the FTP/FTPS settings.

This setting controls the cipher suites that can be used. Generally, the default is appropriate unless there are special
Available cipher suites
requirements for a particular algorithm.
This setting controls the minimum version of SSL/TLS supported on this site (for both FTPS and HTTPS). The default is TLS
Minimum SSL version 1.0, which means that SSL 3.0 is not supported by default. This ensures that the server is not vulnerable to the security flaws of
SSL 3.0.
FILE SHARING SETTINGS
File sharing is supported in the Professional and Enterprise Editions.

The file sharing settings that are available to configure CompleteFTP sites are described below. Note that settings must be saved via the Apply Changes button, otherwise they
will be lost. There is also a per-user setting to enable or disable sharing.

Setting Description
Enabled If checked, file-sharing is enabled. If not checked, file-sharing will not be supported by the server. Note that users are enabled for sharing by default.
FILESYSTEM SETTINGS
The file system settings that are available to configure CompleteFTP sites are described below.

Setting Description
Read-only When checked only read access to the file-system will be permitted; all write, create, rename and delete operations will be disallowed.

Encrypt If this setting is enabled and the user has the equivalent setting enabled, all files transferred to the server will be encrypted on the server
stored files (encryption at rest). The only way to decrypt files is by transferring them from the server, or via an administrator command. More details here.
Note that this feature is only available in the Enterprise Edition.
Show
When checked virtual folders and Windows files/folders whose hidden flag will be hidden from users. Note that users will not be prevented from
hidden
files/folders accessing hidden files if they have the file-system permissions to do so.
Set up Sometimes it is a requirement to block the upload of certain file types, such as executable files. This setting allows you to specify the filters used
filename to control what files can be uploaded. Note that the filters are also applied to renaming of files - otherwise a user could upload a file with an
blocking acceptable name and then rename it to a banned name. Administrators can choose to block files that match the filters, or to only permit files that
filters match the filters.
ZIP-file When ZIP-file navigation is enabled ZIP files are presented to clients as though they are folders. This means that users can change into folders
navigation within the ZIP file and download specific files. This can save time and bandwidth as it allows users to download only what they need from a ZIP
enabled file instead of downloading the whole ZIP file. Note that this feature is available in Professional and Enterprise Editions only.
By default, both the ZIP file itself and the folder that corresponds to the ZIP file are shown in listings, the latter having the additional extension
ZIP-folder
'.folder'. The additional extension can be changed by modifying the 'ZIP-folder extension' setting. If this setting is cleared completely then the ZIP
extension
file won't be displayed being replaced by the corresponding folder.
GENERAL USER SETTINGS
The general user settings that are available to configure CompleteFTP sites have been moved to the Users tab, and can be displayed by selecting the General user settings
link. They are also described here.
IP FILTERING AND AUTO-BANNING
All editions of CompleteFTP implement auto-banning, though it can only be customized in Professional and Enterprise Editions. Additionally, the Professional and Enterprise
Editions support IP filtering.

Auto-banning

Auto-banning is an important feature related to IP filtering that helps secure the server. It works by automatically banning IP addresses from connecting (for a period of time) if
they have failed to authenticate a certain number of times within a time period.

For example, using the default settings, if a rogue client is attacking from a given IP address, and fails to guess a password correctly 10 times within a 60 second period, their
IP address is banned from connecting for the next hour. After an hour has elapsed, the ban is automatically lifted.

The auto-banning settings are configurable, although it is generally advisable to use the defaults.

The currently banned IP addresses can be viewed in the Monitoring panel. Bans can be removed or made permanent from this panel.

Note that auto-bans are not persistent - if the service is restarted, all bans are lost (unless they are made permanent via the Monitoring panel).

Auto-banning can be disabled for specified IP addresses using an allow-always IP filter-rule (see below). Clients connecting from IP addresses that fall under an IP filter-rule
whose action is allow-always will be immune from auto-banning. This is especially helpful in situations where many clients are connecting from a single Internet IP address since
it stops a single 'misbehaving' client from causing all other clients to lose their ability to connect.

IP filtering

CompleteFTP's IP filtering is very flexible and may be used to implement many different policies. The following step-by-step guides are available:

Step-by-step guide: Block connections from specific IP addresses (blacklisting)

Step-by-step guide: Accept connections only from specific IP addresses (whitelisting)
Step-by-step guide: Accept connections only from specific users at specific IP addresses
Step-by-step guide: Restrict some users to connect only from specific IP addresses

An IP filter consists of a collection of rules. Each rule consists of a mask and an action. The mask specifies which IP addresses the rule pertains to and the action specifies
what should be done. Each rule also has a scope that is either the entire site or a specific user.
The mask may be (a) a specific IP address, such as 123.123.123.123, (b) the first one, two or three parts of an IP address, such as 192.168, which specifies all the IP
addresses that begin with those parts, (c) a specific numeric range of IP addresses, such as 192.168.2.100-150, (d) an Internet host-name, or (e) a LAN network name.

There are three possible actions - deny, allow and allow-always. Deny will block access from clients whose IP addresses are included in the mask. Allow will permit access,
unless the auto-banning system has detected too many failed login-attempts (see above). Allow-always is like allow except that auto-banning is disabled.

Rules are combined to filter incoming IP addresses. When a connection attempt is made, the rules are consulted to see if the remote IP address matches the rules, and the
connection is dropped if it is determined that access should be denied.

The precedence of operations is important. By default, the precedence is Deny over allow. This means that if all IP addresses are allowed, and there is a deny rule for a
specific address or range, then the deny rule takes precedence and any IP address matching the deny rule is denied. Allow over deny is the other option, which means if an IP
address matches an allow rule, then it will be permitted access even if it is listed in a deny rule.

Each rule may optionally be associated with a user. If it is associated with a user then it applies only to that user. If it's not associated with a user then it applies to the entire
site. Typically user-specific rules are used in the following scenarios:

Restrict specific users to connect only from specific IP addresses while the other users can still connect from any IP addresses.
Please refer to Step-by-step guide: Restrict some users to connect only from specific IP addresses for detailed instructions.
Reject all connections except those that are from specific users on specific IP addresses.
Please refer to Step-by-step guide: Accept connections only from specific users at specific IP addresses for detailed instructions.
LIMITS AND TIMEOUTS
The various limits and timeouts that are available to configure CompleteFTP sites are described below. Note that settings must be saved via the Apply Changes button,
otherwise they will be lost.

Setting Description
Timeout for
The maximum time in seconds before HTTP sessions expire. If the timeout is set to zero, sessions do not expire. The default is 1,800 seconds
HTTP
(30 minutes).
sessions
Timeout for The maximum time in seconds permitted for a login attempt. If a connection is made and login is not completed within this period, the
logging in connection is closed. If the timeout is set to zero, the timeout is infinite, i.e. the connection does not time out.
Timeout for The maximum time in seconds that the underlying sockets wait for while performing read operations. If the timeout is set to zero, the timeout is
stalled infinite, i.e. read operations do not time out.
transfers
Timeout for The maximum time in seconds that a connection is permitted to be idle, i.e. if no commands are sent from the client. If the timeout is set to
idle sessions zero, the timeout is infinite, i.e. the connection does not time out.

Timeout for In passive mode, the server listens on a socket, waiting for the client to make a connection. The client can connect before actually sending the
PASV wait next command (LIST,NLST,RETR or STOR), and the server must wait for this next command before it can do anything with the client
connection. If the timeout is set to zero, the timeout is infinite, i.e. the connection does not time out.
Max. allow
login Sets the maximum number of login attempts that can be made for a user account.
attempts
Max.
Sets the maximum number of simultaneous connections permitted. If this limit has been reached, any further connection attempts are denied
simultaneous
until current connections are closed. This setting does not apply to HTTP connections.
connections
Max.
simultaneous (Professional and Enterprise Editions only) Sets the maximum number of simultaneous HTTP connections permitted. If this limit has been
HTTP reached, any further HTTP connection attempts are denied until current connections are closed.
connections
Max.
Sets the maximum number of simultaneous connections permitted per user. If this limit has been reached for a user, any further connection
connections
attempts by that user are denied until current connections are closed.
per user
MESSAGES
The message settings that are available to configure CompleteFTP sites are described below. Note that settings must be saved via the Apply Changes button, otherwise they
will be lost.

Setting Description

Welcome The text that is displayed (i.e. sent to the client) during a login attempt.
message In SFTP this is the banner message, and is often not displayed by
SFTP clients.
Hide
If this option is enabled, the product name and version of the server is
server
not displayed in welcome messages. This may be required for PCI
product
compliance. This option is not enabled by default.
details
HOW TO SECURE YOUR SERVER
FTP servers are always vulnerable to attack from unauthorised people, and a number of steps should be taken to minimize the risks of this occurring:

1. Keep up to date with the latest patches for your operating system. Microsoft regularly publishes security updates, so ensure that they are applied to your host.
2. Keep up to date with the latest release of CompleteFTP. Each release usually includes at least one security fix, and it is important to keep your installation current.
3. A good firewall is the first line of defence for security, and should be your first port of call in denying/permitting access to certain IP addresses.
4. If your server is not required to be accessible from the Internet, ensure that it is only reachable internally. If it is not accessible externally, the only attacks can be from within
your organization, greatly reducing the risk.
5. Use the IP filtering capabilities of CompleteFTP to only permit the IP addresses you want (if this is possible).
6. Ensure that auto-banning is configured correctly (e.g. the defaults) to prevent dictionary attacks on passwords.
7. Regularly review log files for unwanted intrusions and take remedial action (such as banning IP addresses).
8. Disable protocols that aren't being used, e.g. if you are running an SFTP server only, disable FTP, FTPS, HTTP, HTTPS and SCP.
9. Don't use HTTP - use HTTPS. Usernames, passwords and other sensitive data should not be sent via HTTP.
10. Don't use FTP - use FTPS. Usernames, passwords and other sensitive data should not be sent via FTP.
11. Disable SSL 3.0. SSL 3.0 is disabled by default starting from CompleteFTP 8.1.3. SSL 3.0 has serious security flaws that make it unsafe for use, e.g. the POODLE attack
12. Disable the automatic Windows users feature, so that only explicitly permitted users are permitted.
13. Use strong password policies - see here. Also disable any anomymous FTP access unless it is required.
14. For SFTP disable password authentication, and only permit public key authentication. This means users must have valid private keys and have their public keys registered
on the server. This is not always possible of course.
15. For SFTP disable SSH terminal access. This is disabled by default. SSH terminal access permits Windows users who have this feature enabled to execute almost any
program or DOS command, and is potentially a significant security hole.
16. Hide the server product details. This is found in the Settings->Messages section, and conceals the version and name of the product from clients. This is disabled by default.
The default welcome message should also be changed, as it identifies the server.
17. Enforce hashed passwords for database users. If database users are enabled (not the default), make sure any stored passwords are hashed. Even better, use a 'salt'
prepended to passwords before they are hashed. See how to configure database users
18. Enable encryption at rest. This means all files transferred to the server using accounts that have encryption at rest enabled will be encrypted on the server filesystem. This
means that if an attacker succeeds in obtaining unauthorized access to the server machine, files are still secure. See here for more details.
HOW TO SET A DEFAULT WINDOWS DOMAIN
If a default Windows domain is set, it means that Windows users on the default domain can login without specifying the domain (instead of using MyDomain\MyUserName they
can use MyUserName). This can be very convenient for users.

You can set the default Windows domain in the General User Settings dialog box of the Users panel as shown below.

The default Windows domain tells CompleteFTP which domain to authenticate against if (1) a domain-name was not given and (2) no exact match was found in CompleteFTP's
list of users.

For Windows users that have been explicitly added to CompleteFTP, if the client tries to log in using a username without a domain-name then the server will first look for this
exact username in the config (just like it does now). If a match is not found and a default domain has been set then it tries to prefix the default domain to the username and look
up the user-list.

If the user is not found in the explicitly added list of users and automatic Windows users are enabled, the default domain is again used if the domain name was not specified
while logging in. This will result in logging in as 'DefaultDomain\MyUserName'. One consequence of this is that if a default Windows domain has been set then an attempt to log
in without specifying a domain name will never log into the local machine. CompleteFTP will always assume the default domain should be used. If the user does want to log into
the local machine when a default domain has been set they have to log in using ".\MyUserName".
HOW TO USE HTTP/HTTPS
CompleteFTP supports HTTP and HTTPS in the Professional and Enterprise Editions.
HTTP and HTTPS may be enabled by selecting the "HTTP enabled" and "HTTPS enabled" settings (see the HTTP/HTTPS group of settings).
Please note that HTTP and HTTPS should not be enabled until any other HTTP/HTTPS services on the server machine are shut down, e.g. IIS, Apache. Other products such
as Skype also use the HTTP and HTTPS default ports of 80 and 443. If in doubt, use netstat to check what ports are in use. Note that these products can be run
simultaneously, but must be configured so their port numbers do not clash. Both Apache and CompleteFTP can be set up with HTTP/S port numbers that differ from the default
ports.
How to use HTTP
How to use HTTPS
How to perform HTTP uploads
HOW TO USE THE FILE MANAGER
CompleteFTP supports HTTP and HTTPS (Professional and Enterprise Editions) and is a capable web-server in its own right. It includes two file-manager web-apps. The
original file-manager, added in version 7.2, is similar in style to the Macintosh Finder application, and as such is suitable for desktop/laptop environments. The newer file-
manager, added in version 12.0.0, is a more modern responsive web-app that works well both on computers and on mobile devices. Screenshots of both are included below:

Responsive file-manager (FileManager2):

Original file-manager (FileManager1):

Selecting a default File-Manager

Pre-12.0.0 installations retain the original file-manager as the default web-app that a user will see when they've logged into CompleteFTP, whereas post-12.0.0 installations will
use the new, responsive file-manager as the default web-app. This can be changed, however, both for each site, as a whole, or for each individual user.

To select a default file-manager for a site:

1. Open to the Settings panel (called 'Sites' in Enterprise Edition)

2. [Enterprise Edition only] Select the Default Site
3. Open the 'Advanced HTTP/HTTPS Settings' section
4. Select the desired file-manager as the 'Home web-app'. FileManager1 is the original file-manager, and FileManager2 is the newer responsive (i.e. mobile-friendly) file-
manager.
5. Click Apply changes

To select a default file-manager for a specific user

1. Open the Users panel

2. Select the desired user
3. Select the desired file-manager as the 'Home web-app'. FileManager1 is the original file-manager, and FileManager2 is the newer responsive (i.e. mobile-friendly) file-
manager.
4. Click Apply changes

Accessing the File-Manager

By default, the file-managers are available at the URLs, /FileManager/1 and /FileManager/2, but users are also redirected to their default file-manager when they access their
home directories. If users have not authenticated, they will be prompted to do so by the standard browser authentication dialog. Once authenticated, the file-manager will be
displayed.
Disabling the File-Managers
Both file-manager web-apps are enabled by default, but can be disabled. To disable a file-manager, and go to the Settings/Sites tab. Go down to the HTTP/HTTPS section.
Select the ellipsis (...) in the Web features setting and uncheck the file-manager you wish to disable. More details can be found here.

Customizing the File-Managers

The original file-manager is based on the elFinder file manager, and is written entirely in Javascript. Accordingly, it can be modified (at your own risk!). The code can be found
a t C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\FileManager\1 or the equivalent (depending on your OS). The elFinder website contains
documentation, including client configuration options. Different languages are also supported.

The newer file-manager is a fork of the GitHub project, angular-filemanager. Our fork is available at github.com/EnterpriseDT/completeftp-filemanager. We greatly appreciate
any pull requests that developers feel might be useful for other users.
 HOW TO FORMAT HTML LISTINGS
When a HTTP client requests a folder URL that it has permission to list and the file-explorer is disabled, CompleteFTP will return a listing in HTML. The format of this listing is
controlled by a template that may be modified. The template is defined by a single HTML page containing macros (see the 'Template Format' section below).

The template is modified using an editor that features real-time previews. Clicking on the ellipsis (...) in the Listing template property displays this editor, shown below.

The HTML to be used for the folder listing is entered on the left. On the right are shown the rendered HTML, and the generated HTML (i.e. with macros expanded). Macros
may be entered manually or inserted by clicking the 'Insert macro' link at the bottom. The 'Reset to default' link may be clicked to set the template back to CompleteFTP's
default format.

Template Format
The template is split into three sections: the header, the entry-block and the footer. The header is everything before the %EntryBegin% macro; the entry-block is everything
between %EntryBegin% and %EntryEnd%; and the footer is everything after %EntryEnd%. When a folder-listing is rendered the entry-block is repeated once for each entry in
the folder. An entry can be a file or a sub-folder.

The table below defines the available macros as well as stating which section each macro may be used in:

Macro Section Description

%EntryBegin% Start of entry-block Marks the start of a block that defines the format of a single entry in the listing - file or folder
%EntryEnd% End of entry-block Marks the end of a block that defines the format of a single entry in the listing - file or folder
%FileCreated% Entry-block Date and time at which the file or folder was created
%FileGroup% Entry-block Group of the folder or file
%FileLength% Entry-block Length of the file in bytes, kB, MB or GB
%FileModified% Entry-block Date and time at which the file or folder was last modified
%FileName% Entry-block Name of the file or folder (not including the path)
%FileOwner% Entry-block Owner (user) of the folder or file
%FilePath% Entry-block Full virtual file-system path of file or folder
%FilePermissions%Entry-block UNIX-like permission string of the file or folder
%FileType% Entry-block Type of the directory-entry - either 'File' or 'Folder' (useful for CSS classes)
%FolderName% Header or footer Name of the folder being listed
%FolderPath% Header or footer Full virtual file-system path of the folder being listed
%TimeZoneName% Header or footer Name of the current time-zone
%TimeZoneOffset% Header or footer Offset (in hours) of the current time-zone compared to UTC
Formatting:
Formatting instructions may be provided with each macro to refine how it is rendered. These instructions use a syntax similar to the composite formatting syntax defined by
Microsoft. The general pattern is:

%macro-name[,alignment][:formatString]%

where macro-name is the name of the macro as shown in the table above or plain text (see below); alignment is an integer defining the preferred width of the field
(positive=left-aligned, negative=right-aligned); and formatString provides instructions on how the text is formatted. These instructions depend on whether the field's type is a
date or a number.

The functions, Max(m) and Pad(m), may be placed in a format-string. m is the name of an entry-block macro, such as FileName. Max(m) returns the maximum width of the
field, m. Pad(m) returns the difference between the maximum and minimum widths of the field, m.
If the text that is not a legal macro-name is provided then that text is rendered literally. If no macro-name is provided then spaces will be inserted according to the alignment
format. For example, ,Max(FileName) will insert a number of spaces equal to the longest file-name.

Example:

The following example produces a listing similar to the default listing format of Apache:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>
<head>
<title>Index of %FolderPath%</title>
</head>
<body>
<h1>Index of %FolderPath%</h1>
<pre>
%Name,-Max(FileName)% Last modified Size Description

<a href="..">Parent Directory</a>

%EntryBegin%<a href="%FileName%">%FileName%</a>%,Pad(FileName)% %FileModified,-25:yyyy-MM-dd hh:mm%%FileLength,-10%
%EntryEnd%</pre>

<address>In the %TimeZoneName% Zone (GMT %TimeZoneOffset:+#;-#;0%)</address><FORM METHOD=POST ENCTYPE="multipart/form-data" ACTION="."><INPUT TYPE
</body>
</html>

Notes:

1. Since Name is not a legal macro-name, the text %Name,-Max(FileName)% will render the literal characters "Name" followed by the number of spaces required to yield the
same total width as the longest file-name.
2. %,Pad(FileName)% yields a number of spaces equal to the difference between the longest and shortest file-names.
3. %FileModified,-25:yyyy-MM-dd hh:mm% renders a file's last-modified date left-aligned in the format "2012-15-11 14:02" and padded with spaces to give a total width of
25 characters.
4. %TimeZoneOffset:+#;-#;0% yields the timezone offset hours with a plus- or minus-sign in from of it.
HOW TO CUSTOMIZE THE WELCOME PAGE
When a user first navigates to the server via a web browser, a default HTML page is displayed.

This page is easily modified. Depending on the CompleteFTP installation (and the operating system), this HTML page and associated files can be found at:

C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Public\index.html

This page can be replaced with your own company-branded HTML page or pages.

For more information on this, please refer to Step-by-step guide: Customize the web login page
HOW TO USE COMPLETEFTP WITH FIREWALLS
Issue: using FTPS, clients can connect but transfers and directory listings hang and eventually timeout.

Firewalls block connections to networks (and thus servers) on certain port numbers, and can thus prevent client applications connecting.

If problems are being experienced connecting to CompleteFTP, the firewall is a good place to start looking.

HTTP and HTTPS rarely have firewall problems, while SFTP has fewer problems with firewalls than FTPS. All commands and transfers go through a single port (the default is
port 22). As long as the firewall is permitting connections to port 22, SFTP should work correctly.

The situation is more complicated with FTP/FTPS, mainly because directory listings and file transfers are performed using separate socket connections on a different (and
potentially random) port number to the standard port 21. Of course firewalls are designed to prevent connections on random port numbers, so listings and transfers can get
blocked. This is not usually an issue for FTP, as firewalls can read FTP commands and dynamically open data ports. But for FTPS, commands are encrypted and so firewalls
cannot open ports dynamically. Instead, a firewall rule must be set up permitting inbound connections to the server (for passive mode transfers, also known as PASV).

In passive mode, the FTP/FTPS client initiates all transfers, and the server returns an IP address and port number to connect to. This port number is either assigned by the
server's operating system (if the defaults are used), or is used from a passive port range configured in the server. To set up a passive port range with CompleteFTP, see how
to set a PASV port range. This port range should also be set in the firewall, permitting clients to connect in this range.

Often, the FTP server will be on a machine with only an internal IP address. As the IP address is returned to the client via the PASV command, this is problematic. The client
requires an external IP address, and the firewall must be configured to reroute packets to this external IP address to the server machine. To set an external IP address with
CompleteFTP, see how to set an external IP address.
HOW TO SET AN EXTERNAL IP ADDRESS
In passive (PASV) mode transfers (FTP and FTPS only), the server listens on a random port between the minimum and the maximum port numbers specified, waiting for a
connection from the client to this port.

The server sends the client a reply to the PASV command that provides the IP address to connect to and the port number.

If the External passive IP address setting is set, the server sends back that IP address in the PASV reply. Otherwise, the IP address of the interface that the server is listening
on is provided. This setting is part of the Passive (PASV) Transfer Settings group of settings.

Using the hard-coded external address is often necessary if the server is behind a NAT router or firewall, as the server may only know about its internal IP address. In this
situation, the internal IP address can't be passed back to the client in the PASV reply - an external client can't connect to an internal IP address such as 192.169.x.y.

Using the external IP address for FTPS only

There is one caveat to using a hard-coded external IP address - some routers don't like it. These routers expect to see the local LAN IP address in the PASV reply, and they
replace this local address with the external IP address themselves. If the local LAN IP address is not found, some routers will abruptly terminate the connection.

The solution in these situations is to only supply the hard-coded external IP address for encrypted (i.e. FTPS) connections, which the router can't inspect (and hence can't
know what IP address is in the PASV reply). To do this, use the Use external IP address for setting and select "FTPS only" rather than "FTP/FTPS" (which is the default).
HOW TO SET A PASV PORT RANGE
In FTP's passive (PASV) mode, transfers and directory listings are performed on a separate network connection to the control connection, which is typically on port 21. Instead,
the server listens on a different port number which is in the server's passive port range. The PASV command sends this port number to the client, asking it to connect on this
port to make the transfer or listing.

The passive port range is set in the server as described below. Typically, firewalls must also be configured on the server end to allow clients to connect to the server for all
ports in the passive port range. An unconfigured firewall is usually the issue if clients can connect successfully but fail to transfer files or list directories. This is not applicable to
SFTP, which uses a single port - only FTP and FTPS.

The minimum and maximum port numbers are set using the Minimum port number setting and the Maximum port number setting. These settings are part of the Passive (PASV)
Transfer Settings group of settings. It is recommended to set a passive port range of 100, and the range should be between 1024 and 65535. For example, set the lower
bound to 15000, and the upper bound to 15100.

If these values are not set explicitly, the defaults are used.
HOW TO SET UP THE SERVER CERTIFICATE
When using FTPS and HTTPS, the server must have an SSL certificate installed. The certificate is an integral part of how the secure connection is established.
By default, a server certificate is already installed. It can be viewed via the Server certificate setting in the FTP/FTPS group of settings. Selecting the "..." button (see below) will
bring up the Server Certificate dialog box.

The default certificate has a Common Name (CN) of "localhost", and is a self-signed certificate. By convention, the CN is often set to the hostname of the server for use in
server validation, and another self-signed certificate with the desired hostname as CN can be generated by selecting "Create a new self-signed certificate" (below). This will
replace the existing certificate.

On production machines, certificates issued by a certificate authority (CA) may be required. If the server will be accessed from HTTPS or FTPS clients external to the
organization (e.g. across the Internet) then a CA certificate is essential. Many organizations already have CA certificates issued and centrally controlled. Otherwise, you will
need to purchase and install a CA certificate.
HOW TO SET UP A CA SSL CERTIFICATE
On production machines, the default self-signed SSL certificate will probably not be sufficient. Instead, a certificate issued by a certificate authority (CA) may be required. If the
server will be accessed from HTTPS or FTPS clients external to the organization (e.g. across the Internet) then a CA certificate is essential. Many organizations already have
CA certificates issued and centrally controlled. Otherwise, a CA certificate must be purchased and installed, as described below.

There are three steps in obtaining and installing a CA certificate:

1. Generate a Certificate Signing Request (CSR)

2. Purchase the CA certificate using your CSR
3. Download and install your CA certificate
HOW TO GENERATE A CSR
To purchase a CA SSL certificate from a CA, a Certificate Signing Request (CSR) must be generated. A CSR is a message sent to a CA that contains the information
identifying the applicant, as well as the applicant's public key. This information (as well as the public key) is embedded in the issued certificate. It includes fields such as the
organization name, city, region and country.
It is important to note that SHA-1 signed certificates are being phased out by CAs, and will not be trusted after January 1, 2017. The stronger SHA-2 family of hash algorithms
is replacing SHA-1. This means if you have an older SHA-1 certificate it may need to be replaced.
The most important field is the Common Name (CN), which is normally the fully qualified domain name that you wish to secure using the certificate, e.g. 'www.mydomain.com' or
'myserver.mydomain.com'. Before the CSR is sent, it must be signed by the applicant's private key. The CA sends back the certificate containing these fields, signed by the
public key of the CA.
The CompleteFTP manager can generate the keypair (private and public keys) required together with the CSR to be sent to the CA. In the Site/Sites panel, the FTP/FTPS
group of settings must be chosen. Drill down to Advanced FTP/FTPS Settings and then to Security Settings. Click on the Server certificate field to display the ellipsis (...) button
(see below) and select that to display the Server Certificate dialog box.

Select the Generate a certificate signing request (CSR) link (see image below) to begin the process of generating a CSR. Note that a private key (in PVK format) is first
generated - this key must be saved to a secure location for use with the issued certificate. Do not lose it! Your certificate is of no use without the corresponding private key.
The end result of the process should be a CSR file and a private key. The CSR file is to be sent to the CA you have selected. The private key is not sent to the CA.

For step by step instructions on how to generate a CSR, please refer to Step-by-step guide: Request a CA certificate .
HOW TO PURCHASE A CA SSL CERTIFICATE
Once you have your CSR (and have your CSR's private key safely stored), you can purchase an SSL certificate from a CA.

Firstly, you must select a CA to purchase from. There are a number of CAs that sell SSL certificates, and for compatibility reasons, it is best to choose one of the more well-
known providers. Some of the largest are listed here. Please note that prices vary considerably, so compare prices before purchasing.

Purchasing will involve uploading your CSR to the CA's website. The CA will then want to verify your organization's identity before issuing the certificate. In particular, they will
need to verify that your organization is the legal owner of the domain being set as the Common Name. They may require certain documents to be sent to them as part of the
verification process, or send an email to the registered owner of the domain (to confirm you have access to this email).
HOW TO INSTALL A CA SSL CERTIFICATE
Your chosen CA will send you an email with a link to download your new certificate once their verification procedure is completed.

Most CAs will allow you to choose a format in which you can download your certificate. Generally, "Apache/SSL" or "Other" will be suitable for CompleteFTP - this will usually be
a CER or CRT file that can be directly imported.

To import into CompleteFTP, use the Import a certificate from a file link in the Server Certificate dialog box (see below). The private key that was generated with the CSR will
also be required - you will be prompted to select it.

Importing a certificate chain

From 9.0.1, CompleteFTP supports importing the certificate chain, not just the leaf certificate (i.e. your organization's certificate).

To do this, your certificate and the intermediate certificates (usually supplied by your CA) must be combined into a single file. They can be concatenated, with your certificate
placed at the top. So the combined certificate file would look something like this:

-----BEGIN CERTIFICATE-----
MIIFhjCCBG6gAwIBAgIQfZnwRktIbUWoel4F0LoKATANBgkqhkiG9w0BAQsFADBj

.... [your certificate data] ....

zWgmVzIYRVRpzJGr89zVnygjUmFEB7KSLhQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE0jCCA7qgAwIBAgIQLGnhL2pnC9md0g+RnvCeUTANBgkqhkiG9w0BAQsFADCB

.... [intermediate CA certificate data] ....

zWgmVzIYRVRpzJGr89zVnygjUmFEB7KSLhQ=
-----END CERTIFICATE-----

This file is then imported into CompleteFTP in the same way as the single certificate.

For step by step instructions on how to install a CA SSL certificate, please refer to Step-by-step guide: Install a CA certificate .

If CompleteFTP was not used to generate a CSR, you may be provided with an SSL certificate and private key in different formats. See how to import SSL certificates in other
formats.
HOW TO IMPORT SSL CERTIFICATES IN OTHER FORMATS
If CompleteFTP is used to generate a CSR so that a certificate can be requested from a certificate authority (CA), then the private key that is generated along with the CSR is
stored in the Microsoft PVK format. The SSL certificate is normally supplied by the CA in CRT or CER format, which can usually be imported straight into CompleteFTP along
with the PVK file (which is prompted for after loading the certificate file).

If CompleteFTP is not used to generate a CSR, your SSL certificate and its private key might be in other formats. The commonest certificate and private key format is PEM-
encoded. Certificates begin with "-----BEGIN CERTIFICATE-----", and private keys begin with "-----BEGIN RSA PRIVATE KEY-----". PEM supports certificates and private keys in
the same file.

From version 12.1, CompleteFTP can directly import certificates in PEM format. If the certificate's private key is not included in the PEM file, you will be prompted for it. PEM
private key files are also supported from 12.1.

Previous versions of CompleteFTP cannot directly import SSL certificates with PEM-encoded private keys, but it is easy to convert them to a supported format using OpenSSL.
The supported format is PFX, also known as PKCS#12 format. Windows binaries of OpenSSL can be obtained here. Normally one of the Win64 "Light" distributions is sufficient
if you are running Windows 7 or Windows 8, or another 64 bit Windows OS.

Please note that OpenSSL should be run in a command prompt that is being run with administrator privileges.

Sometimes, your PEM-encoded certificate file will have the certificate authority's certificates embedded in it as well as your SSL certificate. From 9.0.1, all certificates can be
imported, but for versions prior to 9.0.1 your certificate will need to be copied to a separate file and installed. Your certificate can usually be identified by the attributes listed
above it (especially its common name).To import into PFX format (below), create a file that contains only your certificate (cut and paste inclusive from the "-----BEGIN
CERTIFICATE-----" to "-----END CERTIFICATE-----").

Use the following OpenSSL command to convert your certificate and private key into PFX format:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

You can then import the PFX file directly into CompleteFTP via the Import a certificate from a file link in the Server Certificate dialog box.

Converting a private key to PVK format

Sometimes the certificate is already in PFX format, but the private key is PEM-encoded. In this situation, the private key can be converted to the Microsoft PVK format. When
the PFX file is imported without a private key, the private key in PVK format is then prompted for. Again, OpenSSL can be used:

openssl rsa -inform PEM -in mykey.pem -outform pvk -out mykey.pvk

Some users have found it easier to also convert their PFX certificate to CER format (as well as their private key into PVK format).
HOW TO SET UP THE SERVER KEYS
When using SFTP, the server must have private keys installed. The keys are an integral part of how the secure connection is established. They identify the server to its users.

There are two types of keys - DSA keys and RSA keys. When clients connect, they indicate what type they prefer to be used, and a key type is negotiated. In Settings->SFTP-
>SSH Settings->Public Key Algorithms, one or the other type of key may be disabled if, for example, only RSA is to be supported.

By default, private keys are already installed - they are generated when CompleteFTP is installed.

The private keys can be regenerated or private keys can be imported via the popup menu shown by selecting the ellipsis (...) on RSA Key or DSA Key, found via Settings-
>SFTP/SCP->Advanced SFTP/SCP Settings, as shown below. The server's public keys can also be exported via this menu.
HOW TO USE SSH TERMINAL ACCESS
CompleteFTP (Professional and Enterprise Editions only) supports SSH terminal access. This means that a command-line SSH client can SSH onto the CompleteFTP server
machine, obtain a shell and use various command-line commands.

Note that CompleteFTP must have SSH terminal access enabled (disabled by default).

And the user must also have SSH terminal access enabled.

Both Windows and non-Windows (internal) users can be granted terminal access. However as non-Windows users run by default as the local SYSTEM user, for security
reasons they are not permitted to exec processes.

SSH Terminal Shell

The setting, 'SSH terminal shell', determines the type of command-line that the user is given when they log in via SSH terminal.

The 'UNIX' shell offers UNIX-like commands, such as ls, cwd and pwd. A list may be obtained by executing the command, help. If an administrator logs in in this way then
administration commands, such as useradd and folderadd, are available.

The JSS shell is a Javascript interpreter environment, similar to that found in the developer tools in browsers like Google Chrome and Microsoft Edge. The full JSS API is
available. If an administrator is connected then configuration changes may be made via the Config object returned by the system.getConfig() function.

Connecting

Once the server settings (in SFTP/SCP/SSH settings) are enabled for SSH terminal access, users can login to CompleteFTP via ssh username@hostname, from any
command-line SSH client on any operating system.

Once logged in, users are presented with a simple Unix-like command-line shell that permits certain commands, such as changing directory, creating directories, and copying
and renaming files.

The help command lists all available commands.

Exec command

The most useful command (and only permitted for Windows users) is exec, which can be used to launch programs and scripts. For example, to run a DOS command such as
'echo', you would use the standard 'cmd' program, e.g.

exec cmd /c echo test

The same technique can be used to run the DOS 'type' command to display the contents of a text file:

exec cmd /c type test1.txt

For DOS commands, the '/c' flag is necessary as it instructs the DOS shell to terminate after running the command.
HOW TO USE SSH FORWARDING
CompleteFTP (Professional and Enterprise Editions only) supports local SSH port forwarding (often known as SSH tunneling). This means SSH tunnels can be established
between a client machine and CompleteFTP that other protocols can use.

Why would you use SSH port forwarding (also called SSH tunneling)? There are two reasons - firewalls and security.

Consider the scenario where an employee using a laptop outside the corporate network wants to give a demonstration to a customer using a machine within the corporate
network. Perhaps they want to use RDP (the Remote Desktop Protocol) and it has not been set up in secure mode. In this scenario a CompleteFTP server is also within the
corporate firewall.

Firewalls

By default, RDP uses port 3389, but say for security reasons the corporate firewall does not permit external connections to this port number. If SSH port forwarding is used, all
RDP traffic is transmitted over port 22 (the standard SSH port). There is no need to open the RDP port in the firewall.

Security

What's more, the RDP protocol is transmitted securely over the SSH tunnel. So unsecure protocols can be safely used via SSH tunnels. The only unsecure portion of the route
is between CompleteFTP and the destination machine (the RDP machine), and both of these machines are inside the corporate firewall.

Setting up forwarding

How is port forwarding set up? For security reasons, it is disabled by default in CompleteFTP. It must be enabled both for the site and individual users. To enable port
forwarding for the site, the Site tab in the CompleteFTP manager must be opened, and SSH Port Forwarding flag enabled, which is under the SFTP/SSH settings section.

The users who require port forwarding must also have this option enabled, which is done in the User panel by selecting the user.

On the client side, the tunnel must be set up by an SSH utility such as PuTTY. When PuTTY sets up a local port forward, it listens on the client for connections on the local port
specified. When a connection on the client is made to this local port on the local machine, the SSH tunnel is established with CompleteFTP. All the data on this local connection
is sent through the tunnel to CompleteFTP, which forwards it to the ultimate destination (set by PuTTY).
HOW TO CONFIGURE ANONYMOUS LOGINS
FTP servers often permit anonymous logins. This means users log in as the 'anonymous' user, and don't require a password.

In CompleteFTP anonymous logins are disabled by default, but can be enabled via the Settings window, as shown below. The Anonymous Logins section has a checkbox for
Anonymous logins enabled. This should be checked if anonymous logins are to be permitted.

To prevent malicious users logging in multiple times anonymously, the maximum number of anonymous logins can also be set. The default is 10, but if anonymous logins are
enabled this should be set to a number in keeping with the site requirements.
HOW TO USE MULTIPLE SITES
Every installation of CompleteFTP supports at least two sites - the 'Admin' site and the default site. A site consists of a related group of protocols and port numbers. Sites have
their own settings, including public keys and certificate.
The Enterprise Edition of CompleteFTP supports the creation and administration of additional sites, as described here.
HOW TO VIEW THE ADMIN SITE
CompleteFTP sites are described here. Every installation of CompleteFTP supports at least two sites - the 'Admin site' and the 'Default site'.

The "Admin site" is what the CompleteFTP manager connects to, to administer the server instance. By default the server listens on port 14983 for SFTP connections from the
manager. The Admin site cannot be deleted (the server could not be administered). Settings should be changed with care - if the port numbers are altered administrators must
be informed of the changes.

In the Standard Edition and Professional Edition, the Admin site is configured via the Admin panel.

In the Enterprise Edition, the Admin site is displayed in Sites by checking 'Show system users/folders/sites' in the Options menu at the bottom left of the window.
FILESYSTEM
CompleteFTP has an extremely flexible virtual file system, which means that folders can be mounted from almost anywhere on the physical file system (or network) and
combined in various ways.

There are six different types of folders supported:

Virtual folders don't exist on the actual file system - they permit a virtual folder structure to be created.
Windows folders are standard Windows folders
Windows special folders are folders such as My Documents.
Network/Macro folders are UNC (network) folders, or folders with an expanded macro. These are not supported in the Free Edition.
Gateway folders are folders that a mounted from remote FTP/FTPS/SFTP servers. These are only available in the Enterprise Edition.
Custom folder-types may be developed in the Enterprise Edition (see here).

CompleteFTP may have many root level folders mounted, and if virtual folders are used the CompleteFTP file system may not bear any resemblance to the underlying file
system.

If the Hidden checkbox is checked then the folder will not show up in listings. This works independently of access permissions. For example, a folder may be shown but not
accessible, or it may be hidden but still accessible.

Note that macros may be inserted into folder-names using the same %xyz% notation used elsewhere.
HOW TO CREATE A VIRTUAL FOLDER
Virtual folders don't physically exist. They are used to create virtual hierarchies of folders under which real folders can be placed.

CompleteFTP administrators should carefully plan out their folder structure, and create virtual folders as appropriate. For example, a virtual folder called 'home' might be
created at the root level, by selecting "Add root folder" and choosing the 'Virtual folder' option, as shown below. Once created, its name may be modified from 'New Virtual
Folder' by selecting this name and typing over it with the desired name.

A virtual folder is of little use unless a real folder is one of its children. Right- clicking on the folder will display a New menu that allows creating of subfolders beneath the
current folder, as shown below. For example, a Windows folder named after a user might be created here, so that it is under /home/username in the hierarchy - even though it
may exist at a location such as D:\Users\username\ftphome on the disk.
HOW TO ADD A WINDOWS FOLDER
Windows folders are standard folders on the local machine. They can be inserted into the virtual folder hierarchy at any point, including the root.

They are added by selecting "Add root folder" (or "Add sub-folder") and choosing "Windows folder".

A folder browser dialog displays the available drives, and a folder can be chosen.
HOW TO ADD A WINDOWS SPECIAL FOLDER
Windows special folders are folders that are predefined by Windows, and include folders such as "My Documents" and "My Music". They can be inserted into the virtual folder
hierarchy at any point, including the root.

They are added by selecting "Add root folder" (or "Add sub-folder") and choosing "Windows special folder".

A dialog box displays the types of special folders that are available.

It should be noted that only Windows users can access special folders. They have no meaning for non-Windows users, and an error is returned if a non-Windows user tries to
change into a folder that is a Windows special folder.
HOW TO VIEW SYSTEM FOLDERS
There are a number of pre-configured system folders that are not normally displayed. To view these folders, and to alter their properties, select 'Show system users/folders/sites' in
the main applications's Options menu (bottom left) as shown below. Exercise caution in editing system folders, as this may have unexpected side affects.
HOW TO CREATE A NETWORK/MACRO FOLDER
Network/macro folders are folders whose paths are entered manually. Paths may include macros, such as the name of the logged in user or an environment variable.

To add a new network/macro folder, select "Add root folder" or "Add sub-folder" and choose the 'Network/Macro folder' option.

A dialog box will appear into which the Windows path of the folder can be entered (in standard format or in UNC format), as shown below. For example, "\\machine1\mydir"
could be the UNC path used.

For detailed steps on how to create a network folder, please refer to Step-by-step guide: Add a network folder .

Note that network folders in particular can introduce permissions problems. The user that is actually using a particular network folder must have Windows permissions to do so,
otherwise the operation will fail. Similarly, the Windows permissions of the network folder may not be able to be inspected by the server if the user under which the server
process runs (usually SYSTEM) cannot access the folder.

To insert a CompleteFTP macro into the path, use the arrow button on the right hand side of the dialog box to insert the macro of your choice. For example,
"D:\users\%UserName%". Whenever this folder is accessed by a user the username is substituted in for the macro, so a "user1" user would be accessing "D:\users\user1".

Windows environment variables may also be included by surrounding them with percent (%) characters, e.g. %MyVariable%. Windows has two classes of environment
variables: system and user. User environment variables should not be used with non-Windows users, but for Windows users both system and user environment variables are
accessible.
GATEWAY FOLDERS
A gateway folder is a directory on a different server to the current CompleteFTP server instance. It is basically a remotely mounted directory (analogous to a network share).
This feature is only available in the Enterprise Edition of CompleteFTP.

Unlike normal network shares, gateway folders are specified by protocol - either FTP, FTPS or SFTP. This means that a remote folder from an SFTP or FTPS server can be
accessed by logged in users as if it were a local folder on the CompleteFTP server.

So a user who logs into CompleteFTP via FTP is able to access the files on a different SFTP server if those folders are made accessible as a gateway folder. In effect,
CompleteFTP does protocol translation. Some scenarios that are possible are listed here.

Gateway folders are created in the same way as other folders in the filesystem - via the Folders tab, and by choosing New root folder or new sub-folder - in the Enterprise
Edition of CompleteFTP, there is a Gateway folder menu item.

This brings up the Configure Gateway Folder dialog box.

Two options are available when configuring the new gateway folder:

1. Use the gateway connection. When a user logs into CompleteFTP via a gateway authenticator, they are authenticated by the remote server, and a connection to that
remote server is stored in their session. This is the current gateway connection. By default, it uses the connection's working directory, although a specific directory on the
remote server can be provided (as long as it exists and is accessible). This means the gateway folder is only accessible by users who are authenticated by the gateway
authenticator.
2. Use a specified connection, i.e. specify the credentials to be used to access the gateway folder as part of the folder configuration. Of course, the protocol and remote
server name must be also be specified. This means any user can access this gateway folder.

To use the gateway folder, users must change directory into it, or have the gateway folder set as their home directory. Gateway users require the defaultExtension user's home
directory to be set to a gateway folder that uses the current connection (you can find defaultExtension user in Users panel by selecting "Show system users/folders/sites" in the
Options menu at the bottom left of the window).
AZURE SHARE FOLDERS
Azure Files is a Microsoft service that offers network drives hosted in the cloud or, more specifically, the Azure Cloud Computing Platform. Azure Shares may be mounted in the
virtual file-system of CompleteFTP Enterprise Edition. Once an Azure Share has been mounted as a folder in CompleteFTP, it may be accessed seamlessly by users in the
same way that any other folder is accessed.

Before an Azure Share folder can be mounted the following are required: (1) an Azure Storage account and (2) a share in that account's File service.

Azure Share folders are added to CompleteFTP's virtual file-system in the same way as other folders in the filesystem - via the Folders tab, and by choosing New root folder or
new sub-folder - in the Enterprise Edition of CompleteFTP, there is a Azure Share folder menu item.

This brings up the Configure Azure File Share Folder dialog box.

Each Azure storage account has a name and one or more access keys. Each share has a name and may contain a directory tree. In the dialog box, enter the account name,
access key and the name of the share. You may also specify a directory within the share.

For special cases, it's also possible to enter the raw Azure File connection string. This connection string must contain an AccountName and an AccountKey attribute.

Once the changes have been applied, the folder should be accessible to connecting clients.

Important Note
Files stored in Azure folders will not be automatically encrypted.
AMAZON S3 FOLDERS
Amazon S3 is a generic cloud data storage offered by Amazon Web Services (AWS). S3 storage containers are called 'buckets'. S3 buckets may be mounted in the virtual file-
system of CompleteFTP Enterprise Edition. Once an Amazon S3 bucket has been mounted as a folder in CompleteFTP, it may be accessed seamlessly by users in the same
way that any other folder is accessed.

Access to an AWS account may be granted via a 'secret access key'. Each AWS account can have many secret access keys. They may be created and destroyed in the
Security Credentials panel of the AWS console. Each secret access key has an 'access key ID'.

Before an Amazon S3 folder can be mounted the following are required: (1) an AWS S3 account, (2) an AWS secret access key, and (3) an AWS S3 bucket.

Amazon S3 folders are added to CompleteFTP's virtual file-system in the same way as other folders in the filesystem - via the Folders tab, and by choosing New root folder or
new sub-folder - in the Enterprise Edition of CompleteFTP, there is a Amazon S3 Folder menu item.

This brings up the Configure Amazon S3 Folder dialog box.

In the dialog box, the following must be entered: (1) the name of the region in which the bucket was created, (2) the access key ID, (3) the secret access key, (4) the bucket
name, and (5) optionally the path of the directory that's to be mounted. If the directory is left blank then the root-level of the bucket will be mounted.

Once the changes have been applied, the folder should be accessible to connecting clients.

Important Notes
Clients may experience timeouts if the connection between the client and CompleteFTP is faster than the connection between CompleteFTP and Amazon.
Directory timestamps are not available from S3 and will therefore always be given by CompleteFTP as 1/1/1901. Why? Since Amazon S3 is actually an object store rather
than a file store, it doesn't implement directories, but instead has a naming-convention called prefixes. Prefixes are not objects by themselves, but rather simply parts of
object keys (i.e. file-names). Since they're not objects, they don't have their own timestamps.
Files stored in Amazon S3 folders will not be automatically encrypted.
HOW TO INSERT MACROS INTO FOLDER-NAMES
Macros may be inserted into the name of any folder in the virtual file-system. A common case where this may be useful is in setting the name of the home-folder of Automatic
Windows Users such that the user-name matches the name of the folder that they see when they log in. To do this, change the name of the 'MyDocuments' folder to
'%UserName%'.
To see the available macros, click the ellipsis (i.e. "...") button next to the name field in the folder properties panel. This shows a dialog containing a text-box with a small button
to its right. Clicking this small button shows a list of the available macros.
HOW TO GIVE USERS SHARED ACCESS TO A FOLDER
It's often necessary to give a group of users shared access to a folder. CompleteFTP's very flexible virtual file-system offers many ways to do this. Three such methods are
described below.

1. Step-by-step guide: Allow users to share a folder (Method 1) (All editions)

Illustrates how to allow multiple users to access a single Windows folder by creating a subfolder under each user's home folder that maps to that Windows folder.

2. Step-by-step guide: Allow users to share a folder (Method 2) (Standard edition and greater)

Illustrates how to allow multiple users, with different Windows home folders, to share a common sub-folder. This is done by using a %UserName% macro in the Windows
path of the home folder so that, even though they all have the same home folder in the virtual file-system, this folder maps to different Windows folders.

3. Step-by-step guide: Allow users to share a folder (Method 3) (Professional edition and greater)

Illustrates how to allow a group of users, who have their own home folder, to share access to a single folder which is not underneath their home folder. This is done by
giving full access permissions to the folder to the group that these users belong to.
HOW TO SET A FOLDER'S PERMISSIONS
Access to files is controlled either by CompleteFTP itself or by the Windows file-system. For non-Windows users CompleteFTP will always control access. Windows users will be
subject to Windows' own file-system permissions by default, though this can be changed (see below).

User settings affecting file access

Access control for Windows users can be managed by CompleteFTP if the 'access control' property of those users has been manually set to 'non-Windows'. It's also possible
restrict users to read-only access by setting the 'read-only' property of those users.

Managing Windows permissions

While Windows file-system permission may be viewed from within CompleteFTP Manager (see 'Access (Windows users)') they can't modified from there. Windows Explorer
must be used to edit Windows permissions.

Managing CompleteFTP (non-Windows) permissions

The Standard Edition of CompleteFTP features basic permission control, while the Professional and Enterprise Editions have more sophisticated permissions.

Free and Standard edition permissions

In Free and Standard edition, three levels of access are available for each folder:

Owner (full)
Owner has full permissions

All users (read)

Owner has full permissions, other users have read permissions

All users (full)

All users have full permissions

The owner of the folder can be selected in the Folder Properties section of the File System panel. The user permissions are shown as radio buttons under Access (non-
Windows users).

Professional/Enterprise edition permissions

The Professional and Enterprise editions of CompleteFTP offer a permission system that's similar to that used in UNIX-like systems, such as Linux and OSX. This system was
chosen because it's simple, flexible and widely known.
Permissions are managed in three different scopes: owner, group and all users. Each folder in the CompleteFTP's file-system will either inherit permissions from its parent
folder or specify an owner, a group and a set of permissions for each of these scopes. Permissions are defined separately for the owner, the group and all users. The following
permissions are available:

download files
files may be downloaded/read from this folder

upload files
files may be uploaded/written to this folder

rename files
files may be renamed in this folder

delete files
files may be deleted from this folder

list folder contents

the contents of this folder may be listed

change into folder

user may change into this folder

create subfolders
folders may be created under this folder

rename subfolders
subfolders of this folder may be renamed

delete subfolders
subfolders of this folder may be deleted

ignore filters
user is not subject to any file-name filters that are defined for this folder

A user will have permission to perform a particular action if:

1. they are the owner of the group and that permission is enabled for the owner, or
2. they are a member of the group of that folder and that permission is enabled for the group, or
3. that permission is enabled for all users

The owner of the folder can be selected in the Folder Properties section of the Folders panel. The folder's group can be selected from the list of user groups. Any non-
Windows user who is a member of that group will be granted the permissions that group has on the folder. Finally the permissions are shown. Click on "[Click to view]" and a
popup will display the permissions for the folder's owner, group, and for all users. The permissions themselves are self-explanatory.

Hidden folders

If the Hidden checkbox is checked then the folder will not show up in listings. This works independently of access permissions. For example, a folder may be shown but not
accessible, or it may be hidden but still accessible.
HOW TO ENABLE ENCRYPTION AT REST (ENTERPRISE EDITION ONLY)
The Enterprise Edition supports encryption at rest (EAR) from version 11.0. This means that if this feature is enabled for a particular user, all files transferred to the server as
that user will be automatically encrypted as they are written onto the server file system. Users directly logged onto the server machine will not be able to decrypt the files. The
encryption used is 128 bit AES.

Once a file is encrypted, the only way to decrypt it is by transferring it (i.e. downloading it) from the server, or via the decrypt administrator command run from the SSH
command-line. Note that EAR has implications for events that might copy or post-process uploaded files. If EAR is enabled, uploaded files will not be able to be decrypted by
other programs or by process triggers. For example, as FTP scripts are executed by an external program, they cannot decrypt encrypted files. Batch files and standalone
executables also cannot decrypt server files. The exception is JSS process triggers, which are fully integrated into the server filesystem and can decrypt files. These should be
used if encrypted files need to be decrypted by process triggers.

To enable encryption at rest for a user, the user setting "Encrypt stored files" must be enabled, as well as the site-wide "Encrypt stored files" setting. Turning off the site-wide
setting disables encryption at rest for all users. Files that are already encrypted will still be automatically decrypted when downloaded, but no new files will be encrypted.
HOW TO LIST A FOLDER-TREE (PROFESSIONAL AND ENTERPRISE EDITION)
CompleteFTP has the ability to obtain the listing of an entire folder tree in a single operation. This saves having to recurse through the tree, which can be time-consuming. The
listing is available through a file called _treeList.json which is listed when the Folder-tree file option is enabled. This option is in the Details category of the folder properties
panel. It's off by default.

Format of the folder-tree file

Although the extension of the file is .json, the format has been optimised slightly in order to reduce its size since many folder-trees are extremely large. The optimisation is
that field names are not in quotes, which, in the opinion of the developer, should've been optional anyway.

_treeList.json contains a single line per file or directory. It looks something like this:

[
{n:"file001.txt",l:1024,t:"2018-08-05T07:08:57Z"},
{n:"file002.txt",l:1024,t:"2018-08-05T07:08:57Z"},
{n:"/directory11",t:"2018-08-05T07:08:57Z"},
{n:"file111.txt",l:1024,t:"2018-08-05T07:08:57Z"},
{n:"file112.txt",l:1024,t:"2018-08-05T07:08:57Z"},
{n:"/directory11/directory12/",t:"2018-08-05T07:08:57Z"},
{n:"file121.txt",l:1024,t:"2018-08-05T07:08:57Z"},
{n:"file122.txt",l:1024,t:"2018-08-05T07:08:57Z"}
]

where n = name, l = length (only for files) and t = timestamp (UTC)

If the name starts with a forward slash then it's a directory, otherwise it's a file. For directories, the name is the full path with the directory in which the folder-tree file is placed
being the root. For files the name is just the file-name without the path. Files at the beginning of the listing (i.e. not preceded by a directory) are in the same directory as the
folder-tree file. Files listed immediately below a directory are in that directory.
HOW TO EXTEND THE FILESYSTEM (ENTERPRISE EDITION ONLY)
The regular file-system can be completely replaced or extended by one of your own design. When a virtual folder is associated with your extension, your code will be called by
the server whenever a client performs file operations (e.g. reading, writing, directory-listing) in that folder.
For example, your extension may read from and write to a database instead of the Windows file system.
See file system extensions for more details.
HOW TO STOP EXECUTABLES BEING UPLOADED
Sometimes it is a requirement to block the upload of certain file types, such as executable files. This can be done by using filename filters, in the Filesystem settings of the site.

Select the ellipsis to bring up the Manage Filename Filters dialog, as shown below and add the filename masks required. For example, to match executable files, use "*.exe".
Multiple filters can be added to match various file types.

The filters apply to all protocols - SFTP, SCP, FTP/FTPS and HTTP/HTTPS.

These filters can be applied in one of two ways. The default is to block the upload of filenames that match the filters. But this can be inverted by selecting the radio button to
only permit files that match the filters.

It is important to realize that once set up, these filename filters apply to all files that are uploaded to the site - and to files that are being renamed (filename filters also prevent
renaming files to banned names).

Ignore Filters permission

The only way to avoid filename filters is by specifically adding the "ignore filters" permission to a virtual directory. Then all users who have this permission will be able to upload
any files they wish.
HOW TO MOUNT ZIP FILES AS DIRECTORIES
ZIP files contain many files combined into one compressed archive. When residing on a file server, normally the entire ZIP file would need to be downloaded to access a single
file within the ZIP file.

The Professional and Enterprise Editions support ZIP file navigation. When enabled ZIP files are presented to clients as though they are folders. This means that users can
change into folders within the ZIP file and download specific files. This can save time and bandwidth as it allows users to download only what they need from a ZIP file instead of
downloading the whole ZIP file.

By default, both the ZIP file itself and the folder that corresponds to the ZIP file are shown in listings, the latter having the additional extension '.folder'. The additional extension
can be changed by modifying the 'ZIP-folder extension' setting. If this setting is cleared completely then the ZIP file won't be displayed being replaced by the corresponding
folder.

Currently ZIP files cannot be updated on the server - they are read only. This feature may be added to a future release.

See the filesystem settings for more details.

HOW TO ENABLE BACKSLASH SEPARATORS
Most FTP servers including CompleteFTP use Unix-style forward slash separators in paths. Occasionally it is desirable to be able to use Windows-style backslash separators -
for example if there are clients accessing the server that only support backslash separators. CompleteFTP does not support backslash separators by default, as shown below,
but enabling this option enables support for backslash separators (forward slash separators are still supported if this option is enabled).

See the filesystem settings for more details.

USERS
CompleteFTP supports unlimited numbers of users. All editions support non-Windows users. Windows users are supported in Standard, Professional and Enterprise Editions.

The Users screen displays the current users, and ways to add, modify and delete users.

If an existing user's details are selected in the list of users shown, a panel at the right enables the details to be changed, such as the username, password, and home directory
(For more information on changing the user's home directory, please refer to Step-by-step guide: Change the home folder of a user ). The allowed protocols for the user are
also displayed - as well as on a site basis, protocols can be enabled or disabled for each user. The user can also be disabled by unchecking the Enabled checkbox.

Note that CompleteFTP supports the Automatic Windows Users (AWU) feature. This allows the administrator to enable login of any Windows user without having to manually
add the user to CompleteFTP's internal user list. See how to configure automatic Windows users for more details.
GENERAL USER SETTINGS
The general user settings that are available to configure CompleteFTP sites are described below. They are found on the Users tab, and can be displayed by selecting the
General user settings link. Note that settings must be saved via the Apply Changes button, otherwise they will be lost.

General settings

Setting Description
If checked, anonymous access is enabled. This means connections can be made
Allow by logging in as an anonymous user rather than as a named user with a password.
anonymous Anonymous users are represented by the user called 'anonymous'. By default the
FTP users home-folder of this user is /Public, so this is the folder that will be publicly
accessible if this option is enabled.
Allow If checked, unauthenticated users will be able to access any file in the public
public folder. Unauthenticated users are represented by the user called 'anonymous'. By
HTTP default the home-folder of this user is /Public, so this is the folder that will be
access publicly accessible if this option is enabled.
User's
home folder If/).this
option is enabled then the user will see their home directory as the root (i.e.
If it is disabled then the user will see the absolute virtual file-system path, e.g.
appears as "/home/javaftp".
By default this option is not checked.
root
If a default Windows domain is set, it means that Windows users on the default
domain can login without specifying the domain (instead of using
Default MyDomain\MyUserName they can use MyUserName). This can be very
Windows convenient for users. The default Windows domain tells CompleteFTP which
domain domain to authenticate against if (1) a domain-name was not given and (2) no
exact match was found in CompleteFTP's list of users. See How to set a default
Windows domain.

Other authentication methods

Users may be authenticated by other methods such as:

Automatic Windows (all editions) - enables login of any Windows user without having to manually add each user to CompleteFTP's internal user-list (see here).
Database (Professional and Enterprise editions) - authenticates against an external data-source such as a database table or spreadsheet (see here).
Gateway (Enterprise edition) - authenticates via another FTP or SFTP server (see here).
SAML Single Sign-On (Enterprise edition) - delegates authentication to a SAML IDentity Provider (IDP) (see here).
Custom (Enterprise edition) - write your own authentication method using any .NET language (see here).

Users that are authenticated via one of these methods are subject to the settings of the specified 'log-in-as' user. For example, if Automatic Windows users are only to be
allowed to connect via SFTP then only SFTP should be enabled for the log-in-as user that's defined for the Automatic Windows authenticator, which is the defaultWindows user
by default (note that this user can be found in Users panel by checking "Show system users/folders/sites" in the Options menu at the bottom left of the window).

Password policies

Password policies can be found by selecting the "Password policies" link on the General User Settings dialog box, and are described here.
HOW TO ADD A WINDOWS USER
To add an existing Windows user, click the Add user link in the Users panel and then select Windows user(s) from the menu.

This brings up the Add Windows User dialog box.

When adding Windows users from the local server then click List server's local users. When adding Windows domain users (not available in Standard Edition) enter the domain
name and click List domain users. For domains with a very large number of users the size of the list can be restricted and/or a filter can be provided to reduce the number of
users listed.

Once the list of users has been fetched and displayed as in the example below, select the users to be added from the list. Hold down the shift or control keys to select multiple
users.

If a single user is being added and the checkbox labeled Automatically create home folders is checked then a home-folder with the same name as the user will be created
automatically. The folder will be created under the /Home folder in the virtual file-system, and by default will be mapped to a Windows directory underneath the directory to
which /Home is mapped. The mapping can be changed by clicking the ellipsis (...) to the right of the label of the checkbox. By default, the mapping is created using the
template %HomeBaseFolder%/%UserName%, but this can be changed as desired.

If multiple users are selected when the Add selected user(s) button is clicked then a dialog-box will pop up.

In this dialog-box you can choose to create a home-folder in the same manner as described above for single users, or you can choose to use the same directory for all users.

Once all users have been added click Close to close the dialog.

Back in the Users window, all the users that have just been added will be selected, so that any properties that must be set commonly for all users may be set.

For detailed steps on adding a Windows user, please refer Step-by-step guide: Add a Windows user (Standard Edition) if you're using Standard Edition, o r Step-by-step
guide: Add a Windows user (Professional/Enterprise Edition) if you're using Professional or Enterprise Edition.
HOW TO ADD A NON-WINDOWS USER
Add a non-Windows user should be selected to add a user that does not exist as a current Windows user on the server machine (or domain). This means an FTP user does
not have to exist as a Windows user.

The username and details should be entered in Step 1.

A password and/or public keys must be set in Step 2. Public keys are only used in SFTP, SCP and SSH (Standard Edition or better).

In step 3, the home directory for this user must be selected. By default, the new user's home directory will be created in the Home directory (see how to add a user for more
details).
If a different home directory is desired, use 'Select non-default home directory' to choose one of the folders listed. You may need to create a virtual folder for them.

After selecting the home directory, select the 'Next' button, and finally 'Apply' to add this new user to the server database.

For detailed steps on adding a non-Windows user, please refer to Step-by-step guide: Add a non-Windows user .

Back in the Users window, which displays the current users, note that selecting on any user displays their details in the right hand panel. Any of these details can be edited at
any time (although any changes will not apply to currently logged in users).
HOW TO ADD MULTIPLE USERS
Often, it is desirable to add multiple users at the same time rather than one by one. This can be done for non-Windows users by selecting Add user and choosing the Multiple
non-Windows users menu item.

This displays a dialog that allows multiple non-Windows users to be inputted by various means (displayed below).

Users can be explicitly typed in, imported from a text file, or pasted from the clipboard. For the latter two cases, the text file or clipboard data needs to have a user per line, and
fields must be separated by commas or tabs. The first field contains the username, the second field the password, and the third field the Windows path of the home folder.
Both username and password fields are mandatory. If the password is supplied as an MD5 hash rather than plaintext, then the MD5 radio button should be selected.

Finally, if the administrator has created any groups, they are displayed and can be checked so that all added users are members of the checked groups.
HOW TO CHANGE USER PROPERTIES
User properties are modified by selecting the user's row in the list of users displayed in the Users tab. The user properties are displayed on the right.

After properties have been changed Apply Changes must be selected to commit the changes to the server.

Multiple users can be selected from the list of users by using the combination of the control key and left button click. The properties panel displayed can be used to set
properties for all of the selected users.

Multiple users can also be selected via the right mouse button menu item, Select. All users can be selected, or users from a particular group or matching a wildcard.

Groups can be quickly added/removed from this menu as well, using the Groups menu item. Besides, the Manage Groups dialog box can be accessed from here. See How to
manage groups for more details.
HOW TO VIEW SYSTEM USERS
There are a number of pre-configured system users that are not normally displayed. To view these users, or to edit their properties, select 'Show system users/folders/sites' in
the main applications's Options menu as shown below. Exercise caution in editing system users, as this may have unexpected side affects.
HOW TO CONFIGURE EXTERNAL DATABASE USERS
The database authentication feature allows the administrator to authenticate against an external data-source, rather than explicitly adding users to CompleteFTP's internal
user-list. Typically, this data-source is a database table or spreadsheet containing a list of usernames, passwords or password-hashes, optionally home directories, groups,
password-salts, RSA and/or DSA public keys. This is a feature of the Professional and Enterprise Editions only.

Database authentication may be set up in the General User Settings dialog, accessed from the User panel. The Database authenticator must be enabled and configured via
the 'Configure' link shown below

Clicking the 'Configure' link will bring up the Database Configuration dialog.

In the database authentication configuration dialog, you can select the database type (ODBC, OleDb, Oracle...) you want from the 'Database type' drop-down list.

Support for new database types may be added by installing the appropriate ADO.NET provider and restarting the CompleteFTP service. Once this has been done the new
database type should appear in this list. For example, support for MySQL may be added by downloading and installing the MySQL Connector/Net provider from the MySQL
website and restarting the CompleteFTP service.

After a desired database type is selected, enter the connection-string in the 'Connection-string' text-box and press the 'Test connection' button to verify that it works. The
website, connectionstrings.com, is an excellent resource for connection-strings. It lists various types, so remember to choose a connection-string that is appropriate to the
selected database type. Also remember that the connection is made from the server, so if you are using CompleteFTP Manager on a machine other than the server then the
connection-string may differ from the one you would use on your local machine.

Fields

The SQL query retrieves the user's password/password-hash. It may also optionally define additional fields that are described below: a Windows home-folder, a list of groups
to which the user belongs, a password salt, and an RSA and/or DSA public key for the user.

Field Description
password
or This must be the first field returned. It is highly recommended that any passwords
password- stored in a database are hashed. Even better, use a 'salt' prepended to passwords
hash before they are hashed. See the fourth field, below.

Hone If a second field is returned then it will be assumed to be the Windows path of the
folder user's home-folder. If the home-folder doesn't already exist when the user logs in
path then it will be created at that time. Note that this field will not be used if the type of
the home-folder of the log-in-as user is "Virtual folder".
If a third field is returned then it will be assumed to be a comma-separated list of
Groups group-names (e.g. MyGroup1,MyGroup2,MyGroup3). The user will be treated as a
member of all of the groups listed as well those of which the "defaultDatabase" user
is a member.
If a fourth field is returned then it will be assumed to be the 'salt' that was prepended
to the password before it was hashed (if hashing is enabled). The salt should be a
Password random string of at least 8 characters. Salting is intended to defeat rainbow table
salt attacks. Rainbow tables are sets of pre-calculated hashes for common passwords.
If salts are not used, attackers can simply match these hashes with the hashes in
your database. If salts are used, a new rainbow table must be calculated for each
salt value (and these tables are computationally expensive).
RSA If a fifth field is returned then it will be assumed to be the RSA public key for the
public key user. Public key fields should be text fields in either OpenSSH or SECSH format.
DSA If a sixth field is returned then it will be assumed to be the DSA public key for the
public key user. Public key fields should be text fields in either OpenSSH or SECSH format.
Log-in-as If a seventh field is returned then it will be assumed to be the log-in-as user-name.
user- This user-name will be used instead of that log-in-as user-name that's been
name configured for the authenticator.

If a field is required without the field preceding it, simply return the preceding field (or fields) as a null.

An SECSH format public key starts like this:

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "imported-openssh-key"
AAAAB3NzaC1yc2EAAAABIwAAAIEA44J6LBloMWVvhOjMHZPnmgJWw+UWBl9nFEWa

An OpenSSH format public key starts like this:

ssh-dss AAAAB3NzaC1kc3MAAACBAJ3hB5SAF6mBXPlZlRoJEZi0KSIN+NU2iGiaXZXi9CDrgVxTp6/
sc56UcYCp4qjfrZ2G3+6PWbxYso4P4YyUC+61RU5KPy4EcTJske3O+aNvec/20cW7PT3TvH1+sxwGry

Examples

SELECT PasswordHash, HomeFolder,Groups,Salt FROM Users WHERE UserName='%UserName%'

SELECT Password, HomeFolder,null,null,SSHPublicKeyRSA FROM Users WHERE UserName='%UserName%'

SELECT Password, HomeFolder,null,null,SSHPublicKeyRSA,SSHPublicKeyDSA FROM Users WHERE UserName='%UserName%'

Default user settings

Users connecting via this method are subject to the settings of the "defaultDatabase" user, which may be found in the Users panel (and by selecting 'Show system
users/folders/sites' in the main form's Options menu).
The administrator may, for example, enable only certain protocols for database user connections.

By default, the home folder is shown as /DatabaseUser. If the home folder is not provided by the query, the value of this folder will be used (which is a macro folder by default).
If a home folder is provided by the query, the query's value will be used, but /DatabaseUser will still be displayed as the name of the user's home directory. The displayed name
can be changed by modifying the name of the DatabaseUser system folder (which can be found in Folders panel if the "Show system users/folders/sites" menu item is currently
checked) to use a macro, as described here.

For detailed steps on configuring external database users, please refer to Step-by-step guide: Authenticate users from a database .
HOW TO CONFIGURE AUTOMATIC WINDOWS OR ACTIVE DIRECTORY USERS
The Automatic Windows authentication method allows the administrator to enable login of any Windows user without having to manually add each user to CompleteFTP's
internal user-list. It is configured in the General User Settings dialog, accessed from the User panel.

The feature may be enabled by checking the checkbox in the Enabled column. In the Professional Edition (or better) logins may be restricted to one or more Active Directory
(AD) or local groups by listing them in the Configuration dialog (opened by the Configure link).

For detailed instructions, please refer to Step-by-step guide: Allow all users from a Windows group to log in .

Users connecting via this method are subject to the settings of the "defaultWindows" user, which may be found in the Users panel (and by selecting "Show system
users/folders/sites" in the main form's Options menu).

The administrator may, for example, enable only certain protocols for Automatic Windows user connections. If distinct settings are required for specific users then those users
should be added explicitly as Windows users in the Users panel.

By default, the home folder is /MyDocuments, which resolves to the logged-in user's Windows My Documents folder. This may be changed by modifying the Home Folder
property of the defaultWindows user. If a separate folder (other than /MyDocuments) is required for each folder then a Network/Macro Folder should be used. This type of
folder allows the insertion of a %UserName% macro into a path, which is replaced by the logged-in user's user-name. To do this, create a new virtual folder of the type
Network/Macro Folder and set the Home Folder property of the defaultWindows user to this folder. The Network/Macro Folder's path could, for example, be set to
H:\Homes\%UserName%, which would mean that when a user called Joe logs in their home folder would effectively be H:\Homes\Joe.

Administrators may optionally map different Windows/AD groups to different log-in-as users by specifying them in the Configuration dialog. This is done by adding =username
after each Windows group in the list. For example, ADGroup1=LogInAsUser1;ADGroup2=LogInAsUser2 would instruct CompleteFTP to use the user settings of the
CompleteFTP user LogInAsUser1 for all AD users in the AD group, ADGroup1, and the settings of LogInAsUser2 for all users in ADGroup2.
HOW TO CONFIGURE GATEWAY USERS
Gateway users are an Enterprise Edition feature of CompleteFTP. Gateway users are users who are authenticated by a different server - often residing in a different location.

Gateway users are analogous to automatic Windows users - they permit the login of any user located on a remote machine (rather than the current machine) without having to
manually add each user to CompleteFTP. The remote users must be accessible via FTP, FTPS or SFTP on the remote machine.

To authenticate users on a different server, a gateway authenticator must be configured as described here.

Users connecting via this method are subject to the settings of the "defaultExtension" user, which may be found in the Users panel (and by selecting "Show system
users/foldes/sites" in the main form's Options menu).

The administrator may, for example, enable only certain protocols for gateway user connections.

If gateway users are to access the remote filesystem that they are authenticated for, they need to change directory into a gateway folder or have their home directory set to the
gateway folder corresponding to that server. In the latter case, the defaultExtension user must have its home directory set to the gateway folder. If the gateway folder set as the
home directory is configured to use the gateway connection then each user authenticated on the remote server will get their own home directory on the remote directory (the
same directory they would have if they logged into the remote server directory instead of via CompleteFTP).
HOW TO CONFIGURE SINGLE SIGN-ON (SAML) USERS
Background
What is Single Sign-On?

Single Sign-On (SSO) is a concept in which multiple systems delegate authentication of users to a single authentication server. The main advantage of this is that accounts for
access to many systems may be maintained in a single system. Since many different systems need to communicate, a standards-controlled protocol is required.

What is SAML?

One of the most common SSO protocols is SAML (Security Assertion Markup Language). SAML involves three parties: a normal web-browser, a Service Provider (SP) and an
IDentity Provider (IDP). The SP is the web-server that the person using the browser wants to access, and the IDP is the server on which the person has an account.

The basic assumption of SAML is that there is a trust-relationship between the SP and the IDP. In particular, the SP trusts the IDP when the IDP says that the client is allowed
to log in. This relationship is established through the exchange of SSL certificates wrapped up in packages referrred to as metadata. The SP must almost always have the
IDP's metadata installed before it can accept connections, so that it can verify messages from the IDP. The IDP doesn't always require the SP's metadata as it doesn't itself
expose sensitive data. The exchange of metadata must happen before logins are possible.

SAML in CompleteFTP
CompleteFTP (Enterprise Edition only) can be configured as a SAML SP. This means that it can delegate authentication to a IDP. It can't itself act as an IDP.

SAML is configured in the Other Authenticators section of the General User Settings dialog, which is accessible from the Users panel.

The first step in configuring SAML in CompleteFTP is to enable the SAML authenticator in the Other authenticators section of the General Users Settings dialog.

After this, click the Configure link to open the SAML Single Sign-On Configuration dialog.
The first step in configuring SAML is to add the IDPs. For each added IDP, a button will be added to CompleteFTP's login form.

Adding the IDP's metadata

IDPs are added using their metadata. The IDP's metadata must be either downloaded from the IDP server or sent by the IDP's administrators. Once received it must be added
to the configuration by clicking the 'Add IDP' link, which allows for reading from a file or for direct download from a website.

After adding the IDP metadata the name must be entered. This name will appear on the IDP's button on the login page, as shown below:

Two other fields may also be entered, depending on the circumstances:

User attribute: if the IDP doesn't send a user-name in the default format, or if a specific attribute is to be used instead of the default user-name, then the User attribute field
may be set. It's the name of the SAML attribute whose value holds the user-name. A SAML attribute is a name-value pair that's included in the message that the IDP sends
to the SP once authentication has succeeded. It can be something like a user-name, an ID of some sort or an e-mail address. Some attributes are defined by Uniform
Resource Names (URNs). For example, urn:oid:0.9.2342.19200300.100.1.3 is the URN for an e-mail address. The attributes that are available depend on how the IDP is
configured. CompleteFTP will log the available SAML attributes at the Information level if the user-name could not be determined, so it can be helpful to monitor the real-
time log while testing.
User prefix: The user prefix is prepended to the user-name returned by the IDP. For example, if the user prefix is 'onelogin-' the IDP returns 'marius' for the user-name then
CompleteFTP will use the user-name, 'onelogin-marius'. This can help avoid name-clashes between local CompleteFTP users and those from the IDP.

Validating the IDP's certificate

As mentioned above, the IDP tells CompleteFTP that it's safe to give access to a user by means of a SAML assertion. SAML assertions are digitally signed using the IDP's
private key, allowing CompleteFTP to verify their origin using the IDP's certificate, which is included in the IDP's metadata. An additional level of security can be added by
validating the IDP's certificate against the Windows Certificate Store.

If the checkbox labelled 'Validate certificates against the Windows Certificate Store' is ticked then the IDP's certificate will be verified against the Windows Certificate Store
every time a SAML assertion is received. The main condition for a certificate to be considered valid is that the certificate of the Certificate Authority (CA) that issued it is
installed in the Trusted Root Certification Authorities store for the machine in the Windows Certificate Store. This can of course only be done if the certificate was actually
issued by a CA in the first place, which is often not the case.

The validation option is off by default placing the onus on the administrator who adds the IDP's metadata to make certain that the metadata is from the intended source. This
can usually be done by downloading it over an HTTPS connection directly from the IDP website. If there's any doubt then the validation option should be enabled.

Setting information about the SP

Some IDPs require the SP's metadata. The SP metadata is available for download from CompleteFTP at the URL that's presented when the 'Save SP metadata' link is clicked.
The metadata won't be correct until (1) the site's URL has been set, (2) the administrative contact details have been filled in, and (3) the SAML configuration has been applied
to the server.

The site's URL is the URL that users will be directed back to after they're successfully authenticated, so it must be a URL that resolves to root directory of the CompleteFTP
server. It's important that the correct protocol is used; usually it will be HTTPS. Note that if your site is configured to use a non-standard port (80 for HTTP and 443 for HTTPS)
then the site URL must include the port number (e.g. https://mydomain.com:1443).

Custom configuration settings

The SAML configuration is stored in XML. A means of editing the XML directly is provided in case customizations other than those presented by the configuration form are
required. This should usually not be attempted unless instructed to do so by EnterpriseDT support.

Specifying group membership via IDP

CompleteFTP supports group claims and a custom attribute called 'group', which allows group membership to be controller from the IDP. The values of the group claim and
the group custom attribute are matched against the names of CompleteFTP groups and where there's a match the authenticated user will be a member of that group. For
convenience, the value of the custom group attribute may be a comma-separated list, but since both the group claim and the custom attribute are arrays, multiple groups may
also be specified as distinct elements in the array of values.

Testing the SAML configuration

Once SAML has been configured and applied to the server, go to the CompleteFTP login page. There should be an additional button labelled with the name of the IDP. Click
this button to login via the IDP. Check the real-time log in case of errors.

Note that there are many different implementations of the SAML protocol and there's a chance that your version of CompleteFTP is incompatible with some of them. Please
contact support if you're unable to get an IDP to work with CompleteFTP.
HOW TO SET USER QUOTAS
CompleteFTP (Professional and Enterprise Editions only) supports the use of disk quotas and bandwidth quotas, so that users can be restricted in their use of system
resources.

By default, no quotas are enforced - they have to be set explicitly for each user. This is done by going to the Users panel in the CompleteFTP manager, and setting the values
in the Quotas and Limits section amongst the properties that are listed.

Disk usage is set in megabytes (MB) and is a cumulative limit across all sites.

Upload and download bandwidth limits are set in kilobytes/second (kB/s). Note that bandwidth is not set in kilobits/second (kbs), and that bandwidth limits apply per site (so that
in the Enterprise Edition, if a user is enabled on multiple sites then their total bandwidth is [number of sites] x [set bandwidth]).
HOW TO SET UP PUBLIC KEY AUTHENTICATION
Users connecting to CompleteFTP via SFTP or SCP (supported in the Professional and Enterprise Editions) can authenticate themselves in two different ways (if the server
permits it).

Password authentication simply uses their existing username and password

Public key authentication requires the client to register a public key with the server, and to supply the corresponding private key when logging in. The private key is not sent
to the server, but is used to sign certain data that the server confirms (using the registered public key) was signed by the client.

Enabling public key authentication

There are two places public key authentication is enabled. The Site's authentication methods is the primary place, in the SFTP/SCP/SSH settings. Public key authentication is
enabled by default.

Public key authentication uses either the RSA or DSA algorithm, and this can also be set via SFTP->Advanced SFTP Settings->Algorithms. Normally the default of All is used.

The other place is in each user's properties (Enterprise Edition only). In the Authentication section, the SSH methods can be specified. They are combined with the Site
authentication methods. A method has to be set for both the user and site to be available for that user.

Setting up the user's keys

For a user to use public key authentication, a keypair (consisting of a private key and a public key) must be generated, and the public key registered with CompleteFTP. Both
RSA and DSA can be used.

Select the user in the Users window, and then select the ellipsis (...) on the right of "Public keys" in the user details window.

This brings up the "Manage Public Keys" dialog, which displays the currently loaded public keys for this user.

Use "Generate a new keypair for this user and add it to the list" to create a new keypair. Make sure the private key you are prompted to save is kept securely - it is required by
clients to authenticate as this user.

You can also use "Import a public key and add it to the list" to import existing RSA or DSA public keys for this user. Public keys can also be deleted and exported. Note that the
Professional and Enterprise Editions permit multiple RSA and multiple DSA keys for each user.

For step by step instructions on setting up public key authentication, please refer to Step-by-step guide: Set up public-key authentication for a user .
HOW TO CONTROL USER ACCESS BY IP ADDRESS
It's possible to configure CompleteFTP to allow specific users to connect only from specific IP addresses. This is done via the user property called 'Allowed IP addresses' in the
User Properties panel (as shown below), but for this to have any meaning it's necessary to firstly deny access from other IP addresses.

Denying access from other IP addresses

Denying access from IP addresses other than those allowed for specific users must be done via the IP filtering property in the Site Properties panel, as follows:

1. Open the Site Properties panel

2. Expand the IP Filtering and Auto-banning category
3. Select the IP filtering property
4. Click the ellipsis button on the right
5. Select 'Allow over deny'
6. If there's currently a rule that allows all connections, change this to deny all.

Once this is done, no connections will be allowed from any IP address. Note that more information on IP filters may be found in the section on IP Filtering and Auto-Banning.

Allowing specific IP addresses for specific users

Now that CompleteFTP has been configured to deny connections by default, we can go ahead and allow specific users to connect from specific IP addresses, as follows:

1. Go to the Users panel

2. Select one or more users
3. If you're in the Overview panel, right-click and select Properties to open the User Properties panel.
4. Select the property labelled 'Allowed IP addresses'.
5. Enter the IP address(es) from which the user is to be allowed to connect. Separate multiple IP addresses with commas. Domain-names may also be used.
6. Apply the changes

Note that entering allowed IP addresses simply automatically creates the appropriate user-specific IP filter rules (see here). More specifically, an 'allow rule' is created for the
specified IP addresses the users on each site on which the user is enabled. Further customization of these rules may be done via the Site Properties panel.

For step by step instructions with pictures, please refer to Step-by-step guide: Accept connections only from specific users at specific IP addresses .
HOW TO SET UP CLIENT CERTIFICATES (FTPS)
For FTPS, clients can be forced to supply a valid client certificate (not available in the Standard Edition). This setting can be found by navigating to Settings->FTP/FTPS-
>Advanced FTP/FTPS Settings->Security Settings. The "Clients must supply certificates" setting is set to "Don't require valid certificate" by default, but can be changed to
"Require valid certificate".

If a valid certificate is required, all FTPS clients must send a certificate that may be validated against the Windows certificate store. This means that its issuer's certificate must
be in the Windows 'Trusted root certificate authorities' store. This store may be managed using the Windows Administrative Tools, or by clicking '...' to the right of this security
setting (this will bring up the Certificate Management dialog).
HOW TO MAKE A USER'S HOME DIR ROOT
Typically users see their home directory as a path, if the defaults are used. This is the absolute virtual filesystem path, e.g. "/home/javaftp".
It is sometimes desirable to make the user's home directory the root, i.e. "/". This is a configuration setting for the site. See the Users panel's General User Settings for more
details on enabling this feature.
HOW TO SET PASSWORD POLICIES
System-wide password policies are accessible from the Password policies link on the General User Settings dialog box, found in the Users panel. The Password Policies dialog
is shown below. For security, it is recommended that must have at least 6 characters, must be mixed-case and must contain a digit are enabled.

Store encrypted passwords is not enabled by default. Usually, passwords for non-Windows users are not stored for security reasons. Instead, a hash of the password is stored,
and when users log in, the hash of the password they supply is compared with the stored hash.

If Store encrypted passwords is enabled, passwords for non-Windows users will be stored in encrypted form. This is less secure than using a hash, but does mean that the
adminstrator is able to retrieve passwords.

Note that Windows users do not have passwords stored by CompleteFTP in any way. Instead, standard Windows authentication is used.

Permit password changes is not enabled by default. If it is enabled, non-Windows users can use the SITE command CPWD to change their password. SFTP also has a
mechanism permitting the changing of a password (which must be supported by the SFTP client).

Must be mixed-case, must contain a digit, and must contain a special character are not enabled by default.

Any passwords that are less than the Minimum password length will be rejected.
HOW TO MAKE USER ACCOUNTS EXPIRE
User accounts can be made to expire by setting an expiry date in the user properties. Once a user has expired they will no longer be able to log into any site using any
protocol. The user's account remains in CompleteFTP, and the account's user-name remains reserved until the account is deleted. The account may be reactivated by
clearing or modifying the expiry date.

To set, user expiry date, open the Users panel, select the user and look for the user property labelled 'Expires' and either enter the full expiry date, or click the down-arrow to
open a calendar control and select the date there. The expiry date may be cleared by clicking the 'x'.
HOW TO MANAGE GROUPS
Groups may be used to simplify management of access of users to system resources, such as files or custom commands.

Groups of users can be managed via the Manage Groups dialog box which can be opened by selecting the Groups link at the bottom of the Users panel and then selecting
Manage groups from the menu.

The Manage Groups dialog box is used for adding and removing users from groups.

This dialog box allows you to create new groups and add users to those groups. Once groups have been created as desired, permissions may be assigned to those groups.

Group permissions for a given folder may be set by going to the Folders panel; selecting the folder; setting the Group of the folder; clicking on the Permission property and
checking the checkboxes in the group section of the permission editor.
FILE SHARING
CompleteBox is a application installed on user's computers that allows them to easily store and share their files on a server machine running CompleteFTP Professional or
Enterprise.

This is known as collaborative file sharing and storing, and it requires CompleteFTP in either the Professional or Enterprise Editions, running at least version 8.0.

To store or share files, file sharing must first be enabled in CompleteFTP. Users install CompleteBox and use it to share their local files. Files can be stored on the server for
private use, or shared with others.

The Professional Edition includes 50 CompleteBox licenses and the Enterprise Edition includes unlimited CompleteBox licenses.

The CompleteBox desktop application is shown below:

HOW TO ENABLE FILE SHARING
CompleteBox enables storing or sharing of local files on a CompleteFTP server instance, which must be either the Professional Edition or the Enterprise Edition.

There are a few settings that must be enabled in CompleteFTP for CompleteBox users to begin using CompleteBox to share or store their files. If file-sharing is enabled during
installation, all the settings below should already be enabled. The settings below should be checked if there are any problems getting file-sharing to work.

1. File sharing must be enabled in CompleteFTP. The CompleteFTP site must have sharing enabled, as described here. If it's turned off then users will no
longer be able to connect via CompleteBox and shared files will no longer be available via HTTP/S.
2. Public HTTP access must be enabled, as described here. It is enabled by default. If it is disabled then files that have been shared via a link will not be
accessible to users who have not logged in.
3. HTTPS must be enabled, as described here. It is enabled by default. If it's disabled then shared files will not be accessible via a link.
4. The anonymous system user must be enabled, via the Users tab. Use 'Show system users/folders/sites' in the Options menu at the bottom left of the
window to display it. It is enabled by default. As with public HTTP access above, if it is disabled then files that have been shared via a link will not be
accessible to users who have not logged in.

5. If a user is to share files, then their account must be enabled for sharing and they must be a member of the users group (as shown below). If a user's
sharing is disabled then they will no longer be able to connect via CompleteBox and any files that they have shared will no longer be accessible.

Finally, sufficient CompleteBox user licenses must be enabled in CompleteFTP so that every user who is file sharing has a user license. Each person requires a user license.
The license count is based on the edition of CompleteFTP being used (from 10.0 onwards). The Professional Edition includes 50 user licenses, while the Enterprise Edition
includes unlimited licenses.
HOW TO INSTALL COMPLETEBOX
To share a local file, the CompleteBox client must be installed on the local machine that files are being shared from.

Getting the installer

The CompleteBox installer is shipped with CompleteFTP server. After CompleteFTP has been installed, the CompleteBox installer can be found from the CompleteFTP
program group in the Windows Start Menu.

The installer can also be downloaded from your company's CompleteFTP website. On the default index page of the server, a link "Get started with file sharing" provides
installer links.

The CompleteBox installer can freely redistributed, although it may only be used with a CompleteFTP server.

Running the installer

The installer is a executable that requires administrator permissions to run.

If you are upgrading, it is important to upgrade CompleteFTP first. Older versions of CompleteBox will work with the latest version of CompleteFTP (as well as previous versions
of course), but the latest version of CompleteBox requires the latest version of CompleteFTP.

Once installed, CompleteBox runs as a Windows system tray application. It can be opened by clicking on its icon in the Windows system tray.

An account on the file sharing server is required, and the credentials must be entered when prompted. The file sharing server must have sufficient user licenses free to permit
an additional file sharer. The server settings dialog is shown below:

Once installed, files can now be stored or shared.

FILE SHARING VS FILE STORING
CompleteBox is an application installed on user's computers that allows them to easily store and share their files on a CompleteFTP
server machine set up for this purpose.

Sharing a file means that the file is uploaded to the server and a public URL is generated by which others can download the shared
file. You share a file so others can have access to it. A shared file is marked as "Shared", and has a link icon superimposed on its file
icon.

Storing a file means that the file is uploaded to the server for the user's private use. No URL is available, and no-one other than the
user can access the file. A stored file is marked as "Stored".

Why store and not share?

There are two reasons why a CompleteBox user might use file storage without sharing.

Backup. The first reason is that it is a useful way to quickly back up files onto a server. Select and upload, and your local files are
now safely stored in case of a local machine failure.

File synchronization. The second reason is for private synchronization of files between machines. If you work in two locations (e.g. a
work location and a home location), you can upload from one machine, and later download onto another. CompleteBox file synchronization will help you to keep files on both
machines identical.
HOW TO SHARE FILES WITH COMPLETEBOX
Sharing a file with CompleteBox means that the selected file is uploaded to the server and a public URL is generated by which others can download the shared file. Provided
someone is given the URL, the file is publicly available.

To share a local file, the CompleteBox client must be installed on the local machine that files are being shared from, as described here. The main dialog is displayed by
selecting the CompleteBox icon in the Windows system tray, shown below.

Click on the green cross to display a file open dialog box for selecting files to share, or drag and drop files onto the dialog. Make sure the "Share file(s) with others" checkbox
at the base of the dialog is ticked - if it is not, the files are stored but not shared. Sharing is the default.

Multiple files can be selected in the file open dialog by holding down the control key and selecting each file. Once selected, the files will be shared on the file sharing server via
a secure connection. A unique link (i.e. a URL) is generated that can be emailed to the end-user of the file. Links are configured to expire in 30 days by default. If a single file is
shared, the share URL is sent to the clipboard.

Note also that files can be drag-and-dropped or copy-and-pasted onto the main CompleteBox window, and Windows Explorer has a menu item "CompleteBox" which will store
or share the selected files.
Right clicking on a shared file in the list will display the right-click menu shown below, which allows the sharing to be stopped, the file removed, the link copied to the clipboard,
and the file properties to be displayed. Multiple files can be selected by holding down the control key and selecting each file. Control-A will select all files listed.

Additional options allow the forced copying of the local file to the server, or from the server to local file. This is in case you know the local or remote file to be the authorative
one, and you want the other copied over, irrespective of which is the most recent file. You can also open the link in a browser, open the local file, or email the URL to someone.

Finally, Control-C can be used to copy the selected files to the clipboard. Select a target directory in Windows Explorer, and Control-V will paste copies of these files into the
directory.

For step by step instructions on how to share a file with CompleteBox, please refer to Step-by-step guide: Share a file using CompleteBox .
HOW TO STORE FILES WITH COMPLETEBOX
Storing a file with CompleteBox means that the selected file is uploaded to the server, but no URL is generated and the file is not available to anyone except its owner. Typically
this is done for backup, or for a user to share their own files with themselves on two different computers.

To store a local file, the CompleteBox client must be installed on the local machine that files are being shared from, as described here. The main dialog is displayed by
selecting the CompleteBox icon in the Windows system tray, shown below.

Click on the green cross to display a file open dialog box for selecting files to share, or drag and drop files onto the dialog. Make sure the "Share file(s) with others" checkbox
at the base of the dialog is unticked as below (otherwise the file will be shared).

Multiple files can be selected in the file open dialog by holding down the control key and selecting each file. Once selected, the files will be stored on the file sharing server via
a secure connection.

Note also that files can be drag and dropped onto the main CompleteBox window, and Windows Explorer has a menu item "Store in CompleteBox" which will store or share the
selected files.

Right clicking on a stored file in the list will display the right-click menu shown below, which allows the stored file to be shared, the file to be removed, and the file properties to
be displayed. Multiple files can be selected by holding down the control key and selecting each file. Control-A will select all files listed.

Additional options allow the forced copying of the local file to the server, or from the server to local file. This is in case you know the local or remote file to be the authorative
one, and you want the other copied over, irrespective of which is the most recent file. You can also open the local file.
FILE SYNCHRONIZATION
Once a local file has been shared or stored on the server, there is the possibility that either copy will become out of date. This means the file needs to be synchronized, i.e. the
local copy and the server copy need to be made identical.

This can happen in two ways. The local file could be modified by the user, or the remote file could be modified. The remote file
could be modified if the same user uses CompleteBox on a different machine to upload a change. If this happens, CompleteBox
will show that the files are different by displaying a "needs synchronizing" message under the filename, and changing the icon for
the file.

A red double arrow means both the local and remote file have changed since the last synchronization. In this case, you will be
prompted to select which file should be the authorative one.

A yellow arrow means either the local or the remote file have changed since the last synchronization. When you synchronize, the
most recently changed file will be copied over the older file. The arrow indicates the direction of the copy. Pointing to the right
means the local file will be copied over the server file, and pointing to the left means the server file will be copied over the local
file.

How to synchronize files

To synchronize the local and server files, right-click on the filename and use the Synchronize file with server menu item, as shown
below. This will ensure the latest copy is the local and the remote file - it works via the timestamp.

You can also synchronize all out-of-date files via the green synchronize button that appears on the bottom left of the CompleteBox file listing, shown on the left.

Manually overriding synchronization

Occasionally, you may find that you want to overwrite local changes that you have not yet synchronized to the server. For example, you may have made some local changes,
and wish to discard them. This can be done by right-clicking on the filename and choosing More -> Copy file from server. This copies the server file over the local file, erasing
the local changes. The Copy file to server menu item does the oppposite, forcing the local file to be copied to the server, overwriting any changes in the server file.
HOW TO CONFIGURE COMPLETEBOX
CompleteBox's configuration dialog is found by selecting the cog icon on the main dialog that displays the list of shares, shown on the left.

Clicking the cog icon shows the following dialog:

There are various options controlling if CompleteBox is started with Windows, as well as enabling or disabling the Windows Explorer integration.

The CompleteBox client automatically refreshes its shared files listing every 10 seconds from the server while the window is active, and this can be altered. The default share
expiry time of 720 hours (30 days) can also be changed here.

The credentials can also be changed in this dialog - both the username and password, and the sharing server that is being used.

Finally, if any problems are experienced that require contacting support, detailed logging can be switched on, and the zipped log file emailed to support. Note that this slows
down file transfers considerably, and should only be used temporarily. The log file can be found at

C:\Users\username\AppData\Local\EnterpriseDT\CompleteBox\CompleteBox.log
CLUSTERING
The Enterprise Edition of CompleteFTP provides support for clustering of multiple servers across different machines (from 7.0). Native clustering is not supplied, but in
combination with a hardware or software load balancer (e.g. Microsoft NLB) load balancing and failover can be achieved.

What CompleteFTP Enterprise supplies is synchronized and instantaneous server configurations across the cluster. A server instance is designated as the primary server, and
configuration changes made on the primary are instantly propagated to all the secondary servers in the cluster. Hence the most suitable architecture is an active/active cluster
setup - in an active/passive cluster, configuration changes cannot be propagated to the dormant machine. A single instance of the CompleteFTP Manager can control all the
servers in the cluster. An architecture diagram is shown below:

The diagram shows three clients connecting to a cluster via a router. This could be be done via any supported protocol, such as FTPS, SFTP or HTTPS. The router would be
capable of load-balancing and/or failover control. It directs incoming requests to one of the three servers. The way in which it selects the server depends on how it's
configured. The three servers are all running CompleteFTP and are configured to all be capable of responding to the same requests. One of the servers is set to be the
primary from within CompleteFTP. All configuration changes must be made via this server. It is responsible for distributing configuration changes to the secondaries. This is
done in near-real-time. While CompleteFTP takes responsibility for synchronizing configuration changes between the three servers, it does not synchronize the files on the
Hard Disk-Drive (HDD) - this is left to Windows DFS. The Windows DFS (Distributed File-System) is a feature of Windows Server 2008/2012 that synchronizes files and
directories between server instances in near-real-time.

The diagram above shows an architecture where user's files are store locally on each server. Below is an architecture where files are on network storage:

DFS is now not required on the CompleteFTP servers since no user-files need to be synchronized between them.

In situations where load is very high it may be preferable to minimize load on the primary node. In this case the following architecture could be used:
The main motivation for this is to reduce the load on the primary node. The primary node is more important than the secondaries since it's a central point for synchronization of
configuration data for the following reasons: it's the node to which the administration console (CompleteFTP Manager) must connect in order to make configuration changes it
is responsible for distributing those changes to the secondaries it is the node from which a secondary that is booting up will request a configuration update. While this
architecture is preferable to the other architectures, it is by no means essential - it is only marginally better.

One important caveat relates to HTTP/S. As each HTTP/S session is local to each CompleteFTP server, the load balancer will need to ensure all connections from the same
external IP address are directed to the same CompleteFTP instance in the cluster. A future release will replicate HTTP/S session caches across the cluster, alleviating this
requirement for the load balancer.
HOW TO ENABLE CLUSTERING
The Enterprise Edition of CompleteFTP supports clustering as described in detail here.

A CompleteFTP cluster consists of a primary server and one or more secondary servers. All configuration changes are made on the primary and propagated to the
secondaries within seconds.

To set up a cluster, CompleteFTP needs to be installed and running on the machine designated as the primary, and also on the machines that will host secondary servers. It
must also be possible for the primary server to be able to communicate with the secondary servers across the network via:

1. the protocol that is initially set for the admin user on each secondary (admin user can be found in Users panel by selecting "Show system users/folders/sites" in the main
form's Options menu), and
2. the protocol that will be used by all servers after they have been added to the cluster

It is important that firewall rules are configured to allow this server to server communication. By default, the SFTP protocol is used, which requires communication on port
14983.

It is also important that each secondary server's IP filtering rules permit the primary server to contact them (by default the rules only permit connections LAN IP addresses).
This requires connecting locally to each secondary server, and opening the Admin Site configuration (in Sites panel by selecting the "Show system users/foldes/sites" menu
item). Add an IP Filter rule that allows the primary server to connect to the secondary.

To designate a server as a primary server, the CompleteFTP manager must be connected to that server. In the Overview panel, the Servers window is used to control the
servers. Select Add server to add another server as a secondary - this will automatically designate the current server that the CompleteFTP manager is connected to as the
primary.

Add server brings up the dialog box below:

Enter the details of the secondary server, and select the Next button. In the follow dialog, select the Add button to add the secondary server to the cluster. A progress report
will be produced, detailing the registration process. As part of this process, the secondary server has its configuration overwritten with a copy of the primary server's
configuration.

If the registration process is successful, the new server will now be a secondary server in the cluster that is controlled by the primary. All future configuration changes on the
primary will be instantly propagated to the secondary as soon as they are applied (provided the "Sync enabled" checkbox is checked, which means automatic synchronization
of changes). Also note that the frequency of synchronization can be altered from the default 60 seconds.

Once a server has been added to create a cluster, the servers will be listed in the Servers tab, together with the sites they support and the last time they were contacted (i.e.
synchronized with the primary's configuration).The end result should look like the image below:
Additional servers can be added by using the "Add server" link at the bottom left of the Servers tab, or by using "Add server" from the menu that is shown when the right mouse
button is clicked. Servers can also be removed from the cluster by selecting "Remove server".

For step by step instructions on how to set up a cluster, please refer to Step-by-step guide: Set up a cluster .
HOW TO CHANGE PRIMARIES
Sometimes it is necessary to choose a different machine in the cluster to be the primary server. Perhaps the current primary needs replacing or upgrading, for example.

If the new primary-to-be is not yet in the cluster, first add it to the cluster as a secondary server.

To select a secondary server in the cluster as the new primary, highlight it in the server list, and use the right mouse button click menu to choose "Select as primary". This
menu is shown below.

Finally, if the old primary is no longer to be in use, remove it from the cluster (using "Remove Server" from the new primary's menu), and then decommission it.
HOW TO RESOLVE CLUSTERING PROBLEMS
Running a group of servers in a cluster is considerably more complicated than a single server, particularly when first configuring the cluster. This is because configuration
changes are being distributed to all servers in the cluster.

Failure to add server

By default each secondary server's IP filtering rules only permit connections from localhost. A rule must be added to permit the primary server to contact them. This requires
connecting locally to each secondary server, and opening the Admin Site configuration (in Sites panel by selecting "Show system users/folders/sites" in the Options menu at
the bottom left of the window). Add an IP Filter rule that allows the primary server to connect to the secondary.

Forcing configuration updates

There are two simple things that can be tried to resolve any problems. If a secondary is out of date and cannot be synchronized, the right mouse button click menu item"Force
configuration update" can be used to force a secondary server to have its configuration overwritten using the configuration of the primary. An alternative approach is to simply
remove the server from the cluster and re-add it.

Logging

If problems are experienced that cannot be resolved by the above, it will be necessary to look at the log files that are produced in the Monitoring panel. If possible, ensure that
logging is set to the Debug level, as shown below:

Ensure that all log files from every server in the cluster are sent to us. Please ensure that they are zipped and that it is clear which machine each group of logs comes from. A
simple way to do this is to copy each group of files to a directory that has the name of the server, and zip up all these directories into the one zip file.
HOW TO ACTIVATE CLUSTER NODES
A CompleteFTP cluster consists of a primary server and one or more secondary servers. The primary server adds secondary servers to the cluster as described here.

Typically, each server in the cluster (including the primary) must be activated separately, to obtain and set its own activation key.

From version 7.2, there is another way to accomplish activation on clusters for Corporate License customers, using their universal activation key (UAK). If the UAK is installed
first on the primary server, then it will be automatically propagated to each secondary server as it is added to the cluster. This means secondary servers can be automatically
activated from the trial state.
HOW TO UPGRADE A CLUSTER
Upgrading is usually quick and trouble-free and all your configuration data is maintained (as well as being backed up prior to updating).

Please note that all nodes in the cluster must be the same version. Please ensure you download the production installation - the link (including credentials) is included in your
purchase email. The trial installation will not install.

Do the following steps in order:

1. Close CompleteFTP Manager on the primary.

2. Stop the CompleteFTP service on the primary.
3. On each of the secondaries:
Close CompleteFTP Manager if it's open.
Uninstall the old version of CompleteFTP.
Install the new version of CompleteFTP.
Take care to enter the same administrator password on all the nodes.
4. Once you've upgraded each of the secondaries do the same to the primary, again making sure to enter the same administrator password.

The CompleteFTP service will be started on each secondary machine during installation and will keep trying to contact the primary, which will of course fail until it's been
upgraded and restarted. Once the primary has been upgraded it will restart and immediately contact each of the secondaries. As long as the passwords all match the cluster
should now be back online and synchronized again.

In-place upgrades
It's possible to do in-place upgrades of CompleteFTP servers in a load-balancing cluster. The general approach is to load-balance away from each individual machine and
upgrade it while it's not being used, starting with the primary and then continuing with the secondaries until all machines have been upgraded. No configuration changes should
be made during this process, although no serious error should occur if it proves necessary. The cluster will no be fully operational until all machines are running the same
version of CompleteFTP.
GATEWAY
CompleteFTP (Enterprise Edition only) can act as a multiprotocol gateway for other servers. It can present any of its own protocols to a client, and translate them into a
different protocol to talk to another server.

The multiprotocol gateway is an extremely powerful feature. A number of possible uses are described below. Gateway configuration is described here.

Gateway examples

1. Provide secure access to another non-secure FTP server located on the same machine or network. CompleteFTP provides a secure wrapper to the secure server. This
means SFTP or FTPS clients can connect to CompleteFTP, which proxies the requests on to the non-secure server.

2. Add FTP or FTPS support to an existing SFTP server. This means FTP or FTPS clients can access the SFTP server without any other changes than setting up
CompleteFTP to proxy the requests.

3. Add SFTP support to an existing FTP or FTPS server. This means SFTP clients can access the FTP or FTPS server without any other changes than setting up
CompleteFTP to proxy the requests.

4. Add HTTP support to an existing FTP, FTPS or FTPS server. This means SFTP clients can access the FTP or FTPS server without any other changes than setting up
CompleteFTP to proxy the requests.
GATEWAY CONFIGURATION
There are two ways of configuring the gateway to access a particular server. Both cases require a gateway folder to be configured, which is analogous to a remotely mounted
directory. When users login and navigate to a gateway folder, they are actually accessing the remote file system. A gateway folder can be set as a user's home directory.

To configure the gateway to access a remote server, either:

1. Set up a gateway authenticator, where the remote server is used to authenticate a user that is trying to log in. The authenticated connection to the server is saved in the
user's session. Then set up the gateway folder to use the gateway connection, or
2. Set up a gateway folder that uses a specified connection, i.e. the gateway folder has the proxied server's credentials added, and every user that accesses the gateway
folder uses these credentials.
HOW TO CONFIGURE A GATEWAY AUTHENTICATOR
Gateway users require a gateway authenticator to be configured to allow users to be authenticated using a different server. This is a feature of the Enterprise Edition only of
CompleteFTP.

A gateway authenticator is an authentication extension that authenticates user attempting to log in via another server, using whatever protocol is selected. When the user
details are received in CompleteFTP, a login attempt to the remote server is attempted using the supplied credentials.

To configure a gateway authenticator, select "General user settings" link from the Users tab. "Gateway" is listed amongst "Other authentication methods", and has a
"Configure" link that must be selected (below).

This brings up the "Gateway configuration" dialog box which allows the addition and removal of gateways (shown below). Multiple gateways can be configured, meaning
multiple different machines can be tried for authentication, in the order in which they are listed.

There are both "Basic" and "Advanced" connection properties to be configured for each gateway. Usually the basic properties are all that is required - the protocol, the server
address and port, and optionally the initial directory to change to on the remote machine.

If the basic settings are not sufficient, the advanced settings should be examined. These include character encoding; connection settings such as proxies, timeouts and active
and passive settings; directory listing settings such as caching of listings; and transfer settings. These settings permit a fine degree of configuration control over a gateway
authenticator.

If SFTP with public key authentication is required and the users' public keys are to be stored on the remote server then the remote server must (1) be a CompleteFTP server,
(2) have SFTP enabled and (3) have the password authentication method enabled. Even though password authentication must be enabled on the remote server, the user is
indeed verified on that server via their public key.
EVENTS
In CompleteFTP Professional and Enterprise Editions, an event is an action performed by a logged in user on the server, or an action performed by the server itself (a
scheduled event). For example, uploading or downloading a file is an event.

Email notifications can be attached to these events, so that when, for example, a file is uploaded, an email is sent to a specified user providing details of the upload. Email
notifications are described in more detail here.

Process triggers can also be attached to these events, so that when the event is triggered, a program can be launched. Process triggers are described in more detail here.

These events can also be recorded in the audit log. Note that email notifications, process triggers and auditing are not supported in the Standard Edition.
HOW TO SET UP EMAIL NOTIFICATIONS
CompleteFTP supports highly customizable email notifications. This means that when an event such as a file upload occurs, an email can be sent.

To set up email notifications, the mail server (SMTP server) settings must be entered. The server hostname, port number (normally port 25) and optional username and
password are entered in the Email Notification tab found from the Events panel. SSL connections are also permitted by checking the "Enabled SSL/TLS" checkbox. For SSL,
the port number will most likely need to be changed - the default SMTP SSL port is 465.

The list of current notifications is displayed in the Email Notification tab. Use Remove to delete notifications, and Add to create a new notification.

Enter an appropriate name for the notification, and select what Events the notification is applicable for. The various fields are described below.

Events
Processes may be triggered by any of the types of events listed below. By default events are only triggered when an operation, such as a file upload, succeeds, but they may
also be triggered on failure. This is determined by the checkboxes labelled 'Trigger on success' and 'Trigger on error'.

Upload file
When a file has been uploaded. All macros are available.

Download file
When a file has been downloaded. All macros are available.

Move file
When a file has been renamed or moved. All macros are available.

Delete file
When a file has been deleted. All macros are available.

Create folder
When a new folder has been created by a user. All macros are available.

Move folder
When a folder has been renamed or moved by a user. All macros are available.

Delete folder
When a folder has been deleted by a user. All macros are available.

Log in
When a user logs in. All macros are available.

Log out
When a user logs out. All macros are available.

Server start
When the CompleteFTP Windows service starts. By default, the service is configured to restart automatically in case of failure, so this event can be useful to alert administrators
of such failures.

Server stop
When the CompleteFTP Windows service stops gracefully. This event will not trigger if the service stops ungracefully.

Site start
[Enterprise Edition only] When a site starts.

Site stop
[Enterprise Edition only] When a site stops.

Auto-ban
When an IP address has been auto-banned.

SSL/TLS certificate expired

When a user tries to connect via FTPS or HTTPS and the server certificate has expired.

Cluster synchronization failed

[Enterprise Edition only] When the primary fails to synchronize with a secondary.

Filters

Filters restrict events based on a set of criteria that are defined by the administrator. These criteria may be based on (1) the folder in which a file-operation is taking place, (2)
the user performing the operation, and/or (3) the site on which the operation is taking place.

Folder filter

The folder- or file-path filter may be used to select the files/folders for which the event should be triggered. By default Windows-style wildcards are used for matching. For
example, if the event should be triggered only for files with the extension .dat in the folder /Home/MyUser then the filter should be set to /Home/MyUser/*.dat. If the event
should be triggered for files named test.dat in any directory, then the filter should be set to */test.dat.

Filters may be inverted by checking the checkbox labelled 'Inverse'. If this is done then the event will occur for all files/folders that don't match the filter.

Regular expressions (.NET-style) may also be used. To use these, the filter should be prefixed by 'regex:'. Information on .NET regular expressions may be found on the
Microsoft(tm) website. Note that multiple filters may be defined using regular expressions using the syntax, regex:^(/Folder1/.*|/Folder2/.*), which would match
anything underneath the folders, /Folder1 and /Folder2.

User filter
A user filter may be used to select the users for which an event should occur or, if it's inverted, the users for which it shouldn't occur. By default it will occur for all users. Users
may be selected simply by checking the box next to them in the dropdown list that's displayed when the user filter control is clicked.

Site filter

[Enterprise Edition only] A site filter may be used to select the sites for which an event should occur or, if it's inverted, the sites on which it shouldn't occur. By default it will
occur on all sites. Sites may be selected simply by checking the box next to them in the dropdown list that's displayed when the site filter control is clicked.

From address

Enter the email address that the email notification is set to be from. The %OwnerEmail% (email address of folder owner) or %LoginEmail% (email address of logged-in user)
macros may be used here.

To address

Enter the email address that the email notification is sent to. The %OwnerEmail% (email address of folder owner) or %LoginEmail% (email address of logged-in user) macros
may be used here.

Subject

Enter the subject of the notification message. Various macros can be used here.

Message

Enter the body of the notification message. Various macros can be used here.

For an example on setting up an email notification, please refer to Step-by-step guide: E-mail notification when a file is uploaded .
HOW TO SET UP PROCESS EXECUTION TRIGGERS
CompleteFTP supports highly customizable process execution triggers. This means that when an event such as a file upload occurs, a process can be launched (e.g to move a
file after it has been uploaded).

Process control

In the Process Execution tab, the maximum number of concurrent processes (default 200) and the maximum run time can be set. The latter setting have a default of 0 which
means no limit.

Creating and editing triggers

The list of current process triggers is displayed in the Process Execution tab. Use Remove to delete triggers, and Add to create a new trigger.

When adding, enter an appropriate name for the trigger, and select what Events the trigger is applicable for. The various fields are described below.

Events
Processes may be triggered by any of the types of events listed below. By default events are only triggered when an operation, such as a file upload, succeeds, but they may
also be triggered on failure. This is determined by the checkboxes labelled 'Trigger on success' and 'Trigger on error'.

Upload file
When a file has been uploaded. All macros are available.

Download file
When a file has been downloaded. All macros are available.

Move file
When a file has been renamed or moved. All macros are available.

Delete file
When a file has been deleted. All macros are available.

Create folder
When a new folder has been created by a user. All macros are available.

Move folder
When a folder has been renamed or moved by a user. All macros are available.

Delete folder
When a folder has been deleted by a user. All macros are available.

Log in
When a user logs in. All macros are available.

Log out
When a user logs out. All macros are available.
Scheduled
Events occur at a predefined schedule, such as once per hour or at midnight every weekday. See here for details. Since this event is not related to any particular session
macros related to users and files are not available.

Server start
When the CompleteFTP Windows service starts.

Server stop
When the CompleteFTP Windows service stops gracefully. This event will not trigger if the service stops ungracefully.

Site start
[Enterprise Edition only] When a site starts.

Site stop
[Enterprise Edition only] When a site stops.

Auto-ban
When an IP address has been auto-banned.

SSL/TLS certificate expired

When a user tries to connect via FTPS or HTTPS and the server certificate has expired.

Cluster synchronization failed

[Enterprise Edition only] When the primary fails to synchronize with a secondary.

Filters

Filters restrict events based on a set of criteria that are defined by the administrator. These criteria may be based on (1) the folder in which a file-operation is taking place, (2)
the user performing the operation, and/or (3) the site on which the operation is taking place.

Folder filter

The folder- or file-path filter may be used to select the files/folders for which the event should be triggered. By default Windows-style wildcards are used for matching. For
example, if the event should be triggered only for files with the extension .dat in the folder /Home/MyUser then the filter should be set to /Home/MyUser/*.dat. If the event
should be triggered for files named test.dat in any directory, then the filter should be set to */test.dat.

Filters may be inverted by checking the checkbox labelled 'Inverse'. If this is done then the event will occur for all files/folders that don't match the filter.

Regular expressions (.NET-style) may also be used. To use these, the filter should be prefixed by 'regex:'. Information on .NET regular expressions may be found on the
Microsoft(tm) website. Note that multiple filters may be defined using regular expressions using the syntax, regex:^(/Folder1/.*|/Folder2/.*), which would match
anything underneath the folders, /Folder1 and /Folder2.

User filter
A user filter may be used to select the users for which an event should occur or, if it's inverted, the users for which it shouldn't occur. By default it will occur for all users. Users
may be selected simply by checking the box next to them in the dropdown list that's displayed when the user filter control is clicked.

Site filter

[Enterprise Edition only] A site filter may be used to select the sites for which an event should occur or, if it's inverted, the sites on which it shouldn't occur. By default it will
occur on all sites. Sites may be selected simply by checking the box next to them in the dropdown list that's displayed when the site filter control is clicked.

Type

CompleteFTP supports five types of process triggers:

Program
Execute a specified executable. The full path of the executable must be set in the 'Program file' field. Any required arguments may be specified in the 'Arguments' field. These
may includes any of the macros displayed when the button to the right of the field is clicked (e.g. %FileName%, %LoginUserName%). The working directory may be specified in
the 'Directory' field. Note that if there's a possibility that there's a space character in a macro variable then the macro should be in quotes.

Batch script
Batch scripts use the common DOS/Windows batch commands. Scripts should be entered directly into the 'Script' field. Various macros may be entered manually or inserted by
selecting them from the menu that's displayed when the button to the right of the 'Script' field is clicked (e.g. %FileName%, %LoginUserName%). The working directory may be
specified in the 'Directory' field. Note that if there's a possibility that there's a space character in a macro variable then the macro should be in quotes. If an existing batch file is
to be executed then the 'Program' type should be used with the path of the batch file as the 'Program file' argument.

Powershell script
Powershell scripts use the standard Microsoft Powershell syntax. Scripts should be entered directly into the 'Script' field. Various macros may be entered manually or inserted by
selecting them from the menu that's displayed when the button to the right of the 'Script' field is clicked (e.g. %FileName%, %LoginUserName%). The working directory may be
specified in the 'Directory' field. Note that if there's a possibility that there's a space character in a macro variable then the macro should be in quotes. If an existing Powershell
file is to be executed then the 'Program' type should be used with the path of the batch file as the 'Program file' argument.

JSS script

JSS (Javascript Server-Side) is Javascript combined with a set of API's for common tasks and integration with CompleteFTP. JSS scripts are executed within the CompleteFTP
service.

The JSS API's provide access to CompleteFTP's virtual file-system and commonly used functionality, such as FTP/SFTP, HTTP, e-mail and databases. Various macros are
available within a JSS process trigger script via properties of the variable called event. These can be inserted into the script via the button to the right of the editor.

JSS permits use of .NET classes (e.g. var xmlDoc = new System.Xml.XmlDocument()) so the standard .NET libraries are available if required.

FTP script
FTP scripts are a sequence of commands similar to those used in command-line FTP applications (e.g. GET and PUT), preceded by a set of commands to set connection
parameters. Full details may be found here. Note that JSS includes an FTP/SFTP client (see here) so, since Javascript allows proper programming as opposed to just a fixed
sequence of commands, in many cases using JSS scripts is recommended above of FTP scripts.

For an example on setting up a process trigger, please refer to Step-by-step guide: Move a file to another directory after it's been uploaded .
SCHEDULED EVENTS
CompleteFTP allows events to be triggered according to a user-specified schedule. This schedule may consist of a sequence of specific times or of a repeated pattern. There
are three ways to define a pattern: by even time intervals, by days of the week or by a cron expression.

Schedules may be defined using the Set Schedule dialog. This is accessed on the Process Triggers panel by selecting the Change link next to the "Scheduled" checkbox of
the event.

The four methods of setting a schedule are listed on the left. When one of these is selected the editor for that method will be displayed in the centre. On the right is a list of the
next (up to) 50 times that the defined event will be triggered.

Specific times

A schedule of specific times is defined by creating a list of dates and times using the following interface:

The 'Next 50 events' list will only list future events and a warning will be shown when OK is pressed if there are no future events.

Even time intervals

This is the easiest way to define an event that is to be trigged every n seconds, minutes, hours, days or months.

It's important to note that the counter restarts from zero when it passes the maximum value of the particular unit that is selected. For example, if 23 minutes is selected and the
time is currently 13:11 then the event will trigger at 13:23, then 13:46 and then again at 14:00. It's therefore best to use factors of the maximum value, such as 30 seconds, 15
minutes or 6 hours.

Days of the week

Events may be specified to trigger at a certain time on specific days of the week. For example, at noon on weekdays:
Cron expression (advanced)
If none of the simpler methods of defining schedules cover your requirements then cron expressions probably will. Cron expressions are a powerful concept often used in Unix-
like operating systems. Please refer to this Wikipedia article for an explanation. Note however that CompleteFTP's cron expressions also includes seconds.

The interface for specifying cron expressions allows you to select a common pattern from the list at the top. If this doesn't meet your requirements then it may be customized by
modifying each of the components in turn. The button to the right of each component text-field allows you to select from a set of common values for that field. You may also edit
the cron expression directly in the text-field labelled 'Cron pattern'. The field at the bottom provides a verbal description of the current cron expression.

For an example on creating a process trigger for scheduled event, please refer to Step-by-step guide: Add a scheduled task .
HOW TO WRITE A JSS EVENT
A JSS event is a process trigger event written in JSS (Javascript Server-Side).

Creating a JSS event

Creation of process triggers event is described in How to set up process triggers. To create a JSS event, select the type "JSS script".

Tutorials
The tutorials below demonstrate common usecases of JSS events:
1. Tutorial 1: demonstrates an uploading event which is triggered when user uploads a file to server.
2. Tutorial 2: demonstrates error handling using a try-catch statement.
3. Tutorial 3: demonstrates how to create a JSS event using multiple uploads.
4. Tutorial 4: demonstrates how to work with scheduled events.

Note: if you run these tutorials on localhost, note that the script's uploading of the file will trigger the same event again.

Apart from the normal JSS API you also have access to the new Ftp class. You can find the reference for Ftp class here.

For easier debugging, use the pop-out real-time log via the View/Show logging window, Monitoring/Open in window, and in Events/Show log.

Now please proceed to Tutorial 1.

TUTORIAL 1
Before reading this tutorial, please make sure you have CompleteFTP installed, and two users ('user1' and 'user2') created (see here).

This tutorial will implement a JSS process trigger that automatically transfers to a remote server a file that has just been uploaded to your server.

Steps

1. Open CompleteFTP Manager and select the Events tab. In Process Triggers panel click on Add button to add a new event.

2. Choose the Upload file event.

3. Keep the "Trigger on success", choose the JSS script and enter the script below:

var ftp = new Ftp("172.16.0.106", "user2", "123456");

ftp.connect();
ftp.upload(event.virtualPath, event.fileName);
ftp.close();
console.log("Upload complete");

This script uses the Ftp class (a part of the JSS API). As you can see, three arguments are passed to the constructor: the IP address of the remote host, the user-name
and the password. The connect() method is then called to connect to the server. Calling this method is optional as the client will automatically connect when any other
method is called if it hasn't already connected. Calling it explicitly may be useful for error-handling. The upload method is then called to upload a file from the local virtual
file-system to the remote server. After uploading, the close() method is called to close the connection (again, this is optional as it happens automatically when the script
completes).

The process trigger should now look like this:

Note that, if another FTP server is not available then, for the purposes of this tutorial, the same server (i.e. 'localhost') can be used in the script. If you choose to do this,
however, then you must make ensure that this event doesn't trigger again when the script uploads the file. You can do this by using the user filter to exclude the user,
 'user2'. To do this, click the 'User filter' control, select 'user2' from the list and then check the 'Inverse' checkbox to the right.

If you don't do this then the upload operation in the script will trigger the upload event, which will execute the script, ad infinitum.

4. When you've done scripting, click on 'Apply Changes' to save and start using this event.

Testing your process trigger

Now your new JSS process trigger is ready to use. Let's check it using Filezilla. If you're new to Filezilla, please check the how to use Filezilla here.

1. Open Filezilla and connect to server as user1.

2. Upload a file to server.

3. Now connect to the remote server as user2 and you will see the same file has also been uploaded to this account's home folder.
Now please proceed to Tutorial 2.
TUTORIAL 2
You have created the first JSS event (see Tutorial 1). Now it's time to add some error handling to your script.

The tutorial below will show you a way to add error handling using try-catch statement.

Steps

1. Open the the event you created in Tutorial 1.

2. Edit it by putting all the curent code into try block and add the catch block. To check the error handling, we change the username to an invalid one (in the example below,
the 'user3' doesn't exist in the server).

Sample script

Here is the sample script which is used in this tutorial.

try {
var ftp = new Ftp("myftpserver", "myusername", "mypassword");
ftp.connect();
ftp.upload(event.virtualPath, event.fileName);
ftp.close();
console.log("Upload to myftpserver complete");
} catch (error) {
console.error("Upload of " + event.fileName + " failed: " + error);
}

Checking result
Now your error handling is ready to use, let's check it.

1. Open Filezilla and connect to server as user1.

2. Upload a file to server.

3. Now we check the CompleteFTP logging and get the error log as the format we set in catch block.

Now please proceed to Tutorial 3.

TUTORIAL 3
Now it's time to create a more complex JSS event. The tutorial below will show you how to create a JSS event which can work with multiple uploading.

Steps

1. Open the the event you created in Tutorial 2.

2. Now we add one more server to upload the file to (if you have more than one server please feel free to add them in). Then we add a for loop to loop through these servers.

Sample script

Here is the sample script which is used in this tutorial.

var servers = [
{ host: "myftpserver1", userName: "myusername1", password: "mypassword1" },
{ host: "myftpserver2", userName: "myusername2", password: "mypassword2" },
];
for (var i in servers)
try {
var server = servers[i];
var ftp = new Ftp(server.host, server.userName, server.password)
ftp.connect();
ftp.upload(event.virtualPath, event.fileName);
ftp.close();
console.log("Upload to " + server.host + " complete");
} catch (error) {
console.error("Upload of " + event.fileName + " failed: " + error);
}

Checking result
Now your new JSS event is ready to use, let's check it using Filezilla.

1. Open Filezilla and connect to server as user1.

2. Upload a file to server.

3. Now connect to the first remote server as user2 and you will see the same file has also been uploaded to this account's home folder.

4. Now connect to the second remote server as user3 and you will see the same file has also been uploaded to this account's home folder.
Now please proceed to Tutorial 4.
TUTORIAL 4
Automatically upload a file to a server may not always result in success, there are some reasons which may fail the uploading. In CompleteFTP, we can add one more event
which triggers after an pre-defined schedule to re-upload the file to server until it's successfully uploaded. This tutorial will show you how to do.

Steps

1. Create a user and folder with the credentials below:

User-type: Non-Windows user

User-name: queueOwner
Type of home folder: Windows folder
Windows path of home folder: C:\FTP\Queue
Virtual path of home folder: /Queue.

Then set queueOwner as the owner of the /Queue folder.

2. Clear all group permission of this folder to prevent other users from accessing it.

3. Add the queueOwner user to the admins group. This will give queueOwner permission to access any folder in the virtual file-system, which it will need to be able to do in
order to distribute the files that have been uploaded.
4. Create a file called variables.json that we'll use to store app variables in C:\FTP\Queue. Here is the content, in which the "ftpserver.com", "myusername", "mypassword", and
"/Home/myusername/" are your credentials:

{
"fileCounter": 0,
"remoteServer": {
"hostName": "ftpserver.com",
"userName": "myusername",
"password": "mypassword",
"directory": "/Home/myusername/"
}
}

5. Create a process trigger that adds newly uploaded files to the queue. Notice that script is configured to run as the queueOwner user.

var db = new JsonDB("/Queue");

// get a number for the uploaded file

var fileNumber;
db.update("/variables", function(variables) {
variables.fileCounter = variables.fileCounter + 1;
fileNumber = variables.fileCounter;
});

// write an entry in the queue for the file

db.write("/items/" + fileNumber, {
path: event.virtualPath,
uploader: event.loginUserName,
uploaded: new Date()
});

console.log("File " + event.virtualPath

+ " added to queue as item number " + fileNumber);

6. Add another process trigger that periodically takes items in the queue and uploads the corresponding files. Notice again that the script runs as the queueOwner user.

var db = new JsonDB("/Queue");

// get the remote server details from database and increase the counter
var remoteServer = db.read("/variables.remoteServer");

// prepare the FTP client

var ftp = new Ftp();
ftp.hostName = remoteServer.hostName;
ftp.protocol = remoteServer.protocol;
ftp.userName = remoteServer.userName;
ftp.password = remoteServer.password;
ftp.serverDirectory = remoteServer.directory;

// get queued items from database

var items = db.read("/items");
for (var i in items) {
var item = items[i];
try {
ftp.upload(item.path);
console.log("Queued file uploaded successfully " + item.path);

// remove the item from the queue

db.remove("/items/" + i);
} catch (error) {
console.log("Failed to upload " + item.path + ": " + error);
 }
}

Checking result

Now your new JSS events is ready to use, after an upload we can see the file in /Queue/items folder and can see the re-uploading after the interval we set.

1. Open Filezilla and connect to server as user1.

2. Upload a file to server.

3. Now check the Queue folder, you will see the sub folder "items" has been created and it contains a file.

4. Check the log to see the scheduled event triggers. Here is the log after 3 files have uploaded.
HOW TO WRITE FTP SCRIPTS
FTPScript is a powerful yet simple scripting language specifically for FTP, FTPS and SFTP.
Command overview
Most commands are fairly self explanatory, and are described in the script command reference.
The set command is used to set various parameters that are used during the session, such as username, password, timeout and so on. Many of these parameters are optional
(e.g. port, timeout). The most important parameter is the protocol.
Various macros can be inserted into the script at execute time.
The local working directory may be set in the process trigger definition inside CompleteFTP Manager, or it may be set using the localdir command inside the script. All uploads
and downloads that do not specify a full path will use the set local working directory.
Sample code
A sample script is shown below:

# Sample SFTP script for uploading a file to another server

set remotehost=otherftpserver.com
set user=myusername
set password=mypassword
set protocol=sftp

# connect to the server

open

# upload the file for which the trigger occurred to the server
# note quotes around path as it may contain spaces
put "%WindowsPath%" %FileName%

# disconnect
close
SCRIPT COMMAND REFERENCE
Scripting and shell commands are described in the table below. Abbreviations for commands are noted in the command description.

Where the command has optional arguments, they are shown in square brackets, e.g. open [host[:port]] means that for the open command, the host and port are optional
parameters (but if the port is supplied, the host must be supplied).

Command Description
help [command] Prints out help for a specific command, or if no command is specified, a list of
supported commands is provided.
Prints out version details.
version
Can use ver as an abbreviation.
Switches debug on or off. If debug is already on, it is switched off (and vice versa).
debug When debug is enabled, more information is displayed when commands are
executed.
Sets various parameters used during the session, many of which are optional.
Syntax is set name=value
Note that 'set' can be omitted, and thus protocol=ftp is a valid command.
Variables can be created this way. If an unknown variable is set using the 'set'
command, then a variable of that name and value is created, e.g. myprotocol=ftp
creates a variable called 'myprotocol' set to the string value 'ftp'.
set The value of variables can be printed out using echo.
The value of all set variables can be printed out using set without any arguments.
The set command also supports a feature originally found on Unix systems called
backquoting. This is where a variable is assigned the value of the output of a
command, which must be surrounded by back quotes (the '`' symbol).
For example, to set the variable 'currendir' to the value of the current remote working
directory, use set currentdir=`pwd`.
set connectmode Sets the connection mode for data transfers and listings. Not applicable for SFTP
protocol. Possible values are active or passive., e.g. set connectmode=active.
set connectmode Sets the connection mode for data transfers and listings. Not applicable for SFTP
protocol. Possible values are active or passive., e.g. set connectmode=active.
Set the protocol to be used. Note that the protocol cannot be changed while
connected. Supported protocols are shown below:

Protocol Description

ftp "Plain" FTP protocol

ftps FTPS, i.e. FTP over SSL

(explicit mode)
set protocol
ftpse FTPS, i.e. FTP over SSL
(explicit mode)

ftpsi FTPS, i.e. FTP over SSL

(implicit mode).

sftp SFTP, i.e. FTP over SSH

Note that server validation is switched off by default.

set connectmode Sets the connection mode for data transfers and listings. Not applicable for SFTP
protocol. Possible values are active or passive., e.g. set connectmode=active.
set remotehost Sets the remote host to be connected to, e.g. set remotehost=ftp.gnu.org

set user Sets the username, e.g. set user=javaftp. This username is used for all
supported protocols.
set password Sets the user's password, e.g. set password=javaftp. This password is used for
all supported protocols.
set localdir Sets the local working directory. All uploads and downloads that do not specify a full
path will use this directory. e.g. set localdir=D:\work\tmp

set servervalidation Enables or disables server validation (disabled by default). Possible values are true
or false.
Sets the path of the client certificate to use for client validation for FTPS. Currently
supports PEM, CER and PFX file formats for certificates. Note that the password
set clientcert must also be set via certpassword.
Once set, client validation is automatically switched on.
set certpassword Sets the password (or passphrase) of the client certificate used for client validation
(FTPS).
Sets the path of the server's public key to use for server validation for SFTP.
Supports OpenSSH and SECSH file formats. More typically set knownhosts is
set serverpublickey used.
Can also use serverkey.
Server validation must also be switched on via set servervalidation=true
set knownhosts Sets the path of the known_hosts file to use for server validation for SFTP.
Server validation must also be switched on via set servervalidation=true
 Sets the path of the client private key file to be used for public key authentication in
SFTP. Supports PuTTY, OpenSSH and SSH.com private key formats. Note that the
set clientprivatekey clientprivatekeypass must also be set.
Can also use clientkey.

Sets the passphrase of the client private key file to be used for public key
set authentication in SFTP.
clientprivatekeypass
Can also use clientkeypass.
set timeout Optional. Sets the timeout in seconds for read or write operations. The default is 0
(which is an infinite timeout). e.g. set timeout=10
set port Optional. Defaults are determined by the protocol. Sets the port number to connect
to, e.g. set port=21
Optional. Only applicable for active mode. Sets the data port range that the client
set dataports will listen on for listings and transfers. The low port number must be listed first, e.g.
set dataports=10100-10140
set loglevel Optional. Sets the logging level. 0 means no logging, while 5 is the maximum log
level (the default). e.g. set loglevel=4
set logfile Sets the name or full path of the logfile to direct logging to, e.g. set
logfile=C:\temp\ftp.log
Echos the value of a variable to standard output, whether user-defined or a system
echo variable such as 'protocol'. The variable must be preceded by a '$' to identify it as a
variable, e.g. echo $protocol.
A synonym for echo is print.
Opens the connection to the remote server. The user and password must already be
set via the set command. If the remote host is not already set, it must be supplied
open [host[:port]] here (and will override any previous setting for this connection attempt). The port
number can also be optionally supplied (but the host must be provided). e.g. open
edtmobile:21
Can also use connect.

Change the current transfer mode to binary mode. Binary is the default.
binary
Can use bin as an abbreviation.
ascii Change the current transfer mode to ASCII mode. Binary is the default.
Can use asc as an abbreviation.
pwd Print the current remote working directory.

Perform a detailed listing of the current directory if no directory is supplied as an

dir [remotedir] argument, or of the supplied remote directory.
See ls for a similar command. A synomyn of dir is ls -l.
Perform a simple listing (just filenames) of the current directory if no directory is
ls [remotedir] supplied as an argument, or of the supplied remote directory. If ls -l is used, a
detailed listing is supplied.
See dir for a similar command. A synomyn of ls -l is dir.
cd remotedir Change the current remote working directory to remotedir.
cdup Change the current remote working directory to its parent directory.
mkdir remotedir Create the remotedir directory.
rmdir remotedir Delete the remotedir directory. It must be empty.
Download a remotefile to the local host. The localfile parameter can be a filename
or the full path of a local file. If it is a filename, the current local working directory is
prepended.
get remotefile
[localfile] Note that the localfile parameter is optional - if not supplied, the downloaded file is
saved in the current local working directory with the name of remotefile.
The remotefile parameter can be a filename or a path. Not all servers support the
use of a path - in this case navigate to the correct remote directory using cd.
Upload a local file to the remote host. The localfile parameter can be a filename or
the full path of a local file. If it is a filename, the current local working directory is
put localfile prepended.
[remotefile] The remotefile parameter should be a filename or a path. Not all servers support the
use of a path - in this case navigate to the correct remote directory using cd.
If the remotefile parameter is not supplied, the local file name will be used.
Append the contents of a local file to a remote file (if it exists) on the remote host.
The localfile parameter can be a filename or the full path of a local file. If it is a
append localfile filename, the current local working directory is prepended.
[remotefile] The remotefile parameter should be a filename or a path. Not all servers support the
use of a path - in this case navigate to the correct remote directory using cd.
If the remotefile parameter is not supplied, the local file name will be used.
Rename a remote file from remotefile1 to remotefile2. Note that both parameters
rename remotefile1
should be filenames, not full paths.
remotefile2
Can use ren as an abbreviation.
lrename localfile1 Rename a local file from localfile1 to localfile2. Note that paths can be used as well
as filenames.
localfile2
Can use lren as an abbreviation.
Delete a remote file in the current remote working directory.
delete remotefile
Can use del as an abbreviation.
 Delete a local file in the current local working directory, or specify a path for the file to
ldelete localfile be deleted.
Can use ldel as an abbreviation.
Delete multiple remote files that match the wildcard in the current remote working
directory.

mdelete wildcard Wildcards supported are '?' for a single matching character, and '*' for multiple
matching characters. e.g. to delete all text files in the current remote directory, use
mdel *.txt
Can use mdel as an abbreviation.
Upload multiple local files that match the wildcard in the current local working
directory to the current remote working directory.
mput wildcard
Wildcards supported are '?' for a single matching character, and '*' for multiple
matching characters. e.g. to upload all text files from the current local working
directory, use mput *.txt
Download multiple local files that match the wildcard in the current remote working
directory to the current local working directory.
mget wildcard
Wildcards supported are '?' for a single matching character, and '*' for multiple
matching characters. e.g. to download all text files from the current remote working
directory use mget *.txt
Closes the connection to the remote server.
close
Can also use bye, quit, exit or disconnect.
quote command Sends the quoted command to the server and displays the response.
Sends a SITE command to the FTP server with the supplied parameters. These
parameters can vary widely between FTP servers. This command is not applicable
site parameters to SFTP servers.
For example site CHMOD 0600 /home/user/privatefile might be used to change the
permissions of a file on an FTP server that supports this feature.
auth Change from unencrypted 'plain' FTP into secure FTP.

Change the protection level of the data channel in FTPS.

Supported options are clear (or c) to set data channels to unencrypted, and private
protect clear (or p) to set data channels to encrypted. e.g. protect clear
or Alternatively private has the same effect as protect private, and clear has the same
effect as protect clear.
protect private
An abbreviation for protect is prot, which combined with the argument abbreviations
means that to set the data channels to unencrypted could be done with prot c, and
to set to encrypted could be done with prot p.
clear In FTPS, change the protection level of the data channel to private. Identical to
protect private.
private In FTPS, change the protection level of the data channel to private. Identical to
protect private.
In FTPS, clears the control channel, setting it back to plain unencrypted text. This
can be useful when using firewalls, which need to be able to inspect the control
ccc channel to open data channel ports.
Once ccc has been called, no more protect commands can be used. This is a
security measure inherent in the protocol.
record recordfile Record subsequent commands to the supplied filename. Most useful from within the
shell to record a session.
stop Stop recording commands to file.
NOTIFICATION MACROS
Email notifications and process triggers support a variety of macros. Email notifications can use these macros in the Subject and Message fields, while process triggers can
use them in scripts or program arguments. The macros are described in the table below.

Macro Description
%FilePath% Full path of file in the virtual file-system
%FileName% Name of file
%FolderPath% Path to folder in the virtual file-syste,
%WindowsPath% Path of file in the Windows file-system
%WindowsFolder% Path to folder in the Windows file-system
%WindowsFileName% Name of file in Windows
%OwnerEmail% Email address of owner of folder
%OwnerUserName% Username of owner of folder
%OwnerFullName% Full name of owner of folder
%LoginEmail% Email address of logged-in user
%LoginUserName% Username of logged-in user
%LoginFullName% Full name of logged-in user
%Event% Event that caused the notification
%Notification% Name of this notification
%PathFilter% File filter of this notification
%SiteName% Name of site
%ClientIP% IP address of client
Indicates whether or not an operation succeeded. If it succeeded the
%TransferStatus%
value will be 'success', otherwise it will be 'failure'.
%Time% Time of event
%Date% Date of event
%DateAndTime% Date/time of event
Formatted timestamp of event. The word 'format' should be replaced by
%Timestamp:format% aFor
.NET date/time formatting string (see here and here ).
example, the macro %Timestamp:yyyy/MM/dd HH:mm:ss%
would produce a string like "2012-02-08 16:33:21".
HOW TO WRITE YOUR OWN EVENTS (ENTERPRISE EDITION ONLY)
CompleteFTP supports email and process-trigger event handlers. Event extension classes can be written so that custom events are invoked when particular events occur.
For example, it may be desirable to implement a custom auditing system that logs events to a proprietary database.
See event extensions for more details.
WEB-APP HOSTING WITH COMPLETEFTP
Web-apps can be hosted by CompleteFTP using Javascript Server-Side (JSS). Once enabled (see below) for a web-site and a user, any file that has the extension, .jss, is
assumed to contain JSS code, that will be executed when accessed via HTTP or HTTPS.

While JSS supports traditional web-app where HTML is mostly generated on the server, it excels particularly at Single-Page Applications (SPA's) as it uses a method of client-
server communications (AJAX) that makes it trivial to invoke a server-side Javascript function from a browser-based script. This will be described in the JSS Web-App Basics
section.

Enabling JSS for web-apps

A file with a .jss extension will be run as JSS if:

1. JSS is enabled on the site serving up the page, AND

2. JSS is enabled for the either:
a. the logged in user, OR
b. user who owns the folder that contains the file

If these conditions are not satisfied then the file will be served up the same as an non-JSS file.

JSS is enabled for a site by checking the JSS enabled checkbox in the Site Settings category, HTTP/HTTPS -> Server-side Javascript (JSS):

JSS is enabled for a user by checking the JSS (Server-side Javascript) checkbox in the Site Properties category, Scripting and Shells:

Note that for JSS web-apps to be available to unauthenticated users, JSS must be enabled for the owner of the /Public folder, i.e. anonymous, which it isn't by default.

For more information on how to host a web-app in CompleteFTP, please refer to Step-by-step guide: Host a web-app in CompleteFTP .
 JSS WEB-APP BASICS
This article will summarize the basic concepts of developing JSS web-apps. It starts with the traditional page-request style of programming in which entire pages are requested
from the server and then moves onto AJAX-style Remote Procedure Calls (RPC's) used in Single-Page Applications (SPA's)

1. Where to place JSS code in a web-app

2. Serving a basic request
3. Handling user input
4. Building responses using templates
5. Calling a server-side function via RPC
6. Combining simple requests and RPC
7. Asynchronous RPC
8. Uploading and downloading files
9. Including other JSS files
10. Controlling accessibility of JSS functions
11. Extending JSS using .NET
12. Exploring Further

For information about the API available to JSS developers please refer to the JSS API Guide.

1. Where to place JSS code in a web-app

Assuming that JSS is enabled (see here), JSS code will be executed for an HTTP request if:

1. it's in a file that's directly referenced by the request, e.g. http://myhost/mydir/myfile.jss and the user has permission to read the file
or
2. it's in a file named index.jss and the request is for any non-existent resource in the same directory or in a subdirectory of the file and the user has permission to read the
file and all directories between the file and the requested resource

Note that option 2, above, makes it possible to implement REST APIs using JSS. The request.restPath property allows the script to ascertain which resources was requested.

2. Serving a basic request

A response to a basic HTTP request may be made by calling the write() method of the response object, as follows:

response.write("<body><html>Hello world</html></body>");

which will respond with an HTML page displaying:

Hello world

JSS is ECMAScript 3 compliant, so nearly all Javascript syntax in common use is supported, for example:

function _getMessage(i) {
return "Hello world " + i;
}

var html = "<html><body>";

for (var i=0; i<3; i++)
html += _getMessage(i) + "<br>";
html += "</body></html>";

response.write(html);

Here a function is called when building the HTML response. The underscore is prepended to the function to indicate that it's not to be called via RPC. This script will output:

Hello world 0
Hello world 1
Hello world 2

3. Handling user input

User-submitted form data and URL arguments may be accessed via the request variable. For example, if a form with a text-box called firstName is submitted, then the
following may be used to access the value of this field:

var firstName = request.form.firstName;

response.write("<body><html>Hello " + firstName + "</html></body>");
 which, if the value of the firstName field is Jack, will return:

Hello Jack

4. Building responses using templates

JSS supports templates, which facilitates the separation of Javascript and HTML code into separate files.

For example, if a template file called hello1.html contains the following:

<html>
<body>
<form method=post>
Name: <input type=text name=firstName value={{firstName}}>
<input type=submit>
</form>
<br>
{{message}}
</body>
</html>

and a JSS file called hello1.jss contains:

var data = {};

if (request.form.firstName != undefined) {
data.firstName = request.form.firstName;
data.message = "Hello " + request.form.firstName;
} else {
data.firstName = "";
data.message = "Please enter your name";
}
response.writeUsingTemplateFile("hello1.html", data);

then a request to hello1.jss will return:

Name:

Submit

Please enter your name

Notice that the tag {{message}} in hello1.html was substituted by the field with the same name, message, of the Javascript object that was passed to the
writeUsingTemplateFile(file, data) method.

Once the field has been filled and the button clicked, the following will be returned:

Name:
world

Submit

Hello world

If a template is to be provided as a string rather than a file then the writeUsingTemplateString(template, data) may be used.

5. Calling a server-side function via RPC

Clients may invoke server-side Javascript functions simply by calling them (or, to be precise, their automatically generated proxies). For example, say the server has a JSS file
called hello2.jss with the following contents:

function hello(name) {
return "Hello " + name + " from the server";
}

This is Javascript code that will be run on the server.

Now, say we have an HTML file called hello2.html with the following contents:

<html>
<body>
<script src="hello2.jss"></script>
<script>
 var message = hello("world");
document.write(message);
</script>
</body>
</html>

When the HTML is rendered in the browser, the result will be:

Hello world from the server

This message is generated on the server by the Javascript function and returned by the call to the hello() function. Notice that all code, client-side and server-side, is
Javascript and that no AJAX code was written. This is possible because the request to hello2.jss returns the Javascript code required to remotely invoke the hello()
function in hello2.jss.

The Javascript code that's returned by the request to hello2.jss is compressed for efficiency. The uncompressed code may be viewed by a request to hello2.jss?
proxy=uncompressed. It contains the auto-generated proxy-code that the browser needs to call the server function. Note that the JSON-RPC protocol is used (see JSS
Remote Procedure Calls (RPC)), so there's no problem modifying the auto-generated proxy-code, or even completely replacing it with, for example, jQuery Ajax code.

Proxies that wrap the functions in a class may be generated by adding a class argument. For example, hello2.jss?class=Hello will wrap the function in a class called
Hello such that the hello method may be called as follows:

var helloObject = new Hello();

helloObject.hello();

Proxies that use promises may be generated by adding a proxy argument. For example, hello2.jss?proxy will allow methods to be called as follows:

hello().then(
function(message) {
document.write(message);
},
function(err) {
document.write(err.message);
}
);

6. Combining simple requests and RPC

If a JSS file that contains RPC functions is also to handle basic HTTP requests then the request-handling code should be placed inside a function called processRequest().
This function's job is to write the HTTP response that will be returned to the client. For example, the following JSS script, hello3.jss, returns the HTML to the client, which
then invokes a function by RPC.

function hello(name) {
return "Hello " + name + " from the server";
}

function processRequest() {
var html = "<html><body>\n";
html += "<script src="hello3.jss?proxy></script>\n";
html += "<script>\n";
html += " var message = hello('world');\n";
html += " document.write(message);\n";
html += "</script>\n";
html += "</body></html>";
response.write(html);
}

Note that the Javascript code that's inside the quotes in the processRequest() function will be run on the client, and will call the code that's in the hello() function, which will
be run on the server.

It is important to note that this server-side code is called in two different contexts. When hello3.jss is first called by the browser (without parameters), the default
processRequest() is called to write the response. But the script referred to in the HTML generated by processRequest() is hello3.jss?proxy. The "proxy" parameter
indicates that rather than calling the default processRequest(), the caller wants the RPC proxies generated and returned to the browser so that the hello function can be
called via RPC.

7. Asynchronous RPC

Both synchronous and asynchronous remote procedure calls are supported. If an additional argument is provided then it's assumed that the function is to be called
asynchronously and that the additional argument is a callback function. For example, in the above example, the hello() function would be called asynchronously like this:

function onHello(message) {
document.write(message);
}

hello("world", onHello);

If a second additional argument is provided, it will be assume to be an error-callback function, which will be called if an error occurs. For example,

function onHelloSuccess(message) {
document.write(message);
}

function onHelloError(error) {
document.write("Error: " + error);
}

hello("world", onHelloSuccess, onHelloError);

If no error-callback is provided then a default error-handling function will be used.

Although JSON-RPC is used by default, calls may optionally be made using form-based RPC (see JSS Remote Procedure Calls (RPC)). This may be done by including a flag
after the error-handler, e.g.

hello("world", onHelloSuccess, onHelloError, false);

This tells the proxy-function to use forms instead of JSON-RPC.

8. Uploading and downloading files

JSS makes it easy to upload and download files. If the desired response to a request is to return a file from the virtual file-system then this may be achieved by setting the
response.downloadFile property to the path of the file to be downloaded.

If a request contains one or more files to be uploaded (usually via the input type=file element in a form) then CompleteFTP will look for a Javascript function called
getUploadPath(fileName, contentType) and call it to find out where (in the virtual file-system) the file is to be uploaded. If no such function is found then the file will be
uploaded to the same directory as the script, if possible.

If an error occurs during upload then a function with the name errorHandler(errorMessage, errorType) will be called, if available. Again, an alternative name may be
provided by including an element with the name errorHandler and with the name of the desired error-handling function as its value.

9. Including other JSS files

Other JSS files may be included via the include(scriptPath) function. This function evaluates the contents of the included JSS file in the global scope, regardless of what
scope it's called from, so any functions and variables declared in the file will have global scope.

10. Controlling access to RPC functions

When developing a complex JSS application it's important to manage the accessibility of the API. All functions in the global namespace will be available via RPC. If this is not
desired then the publish function may be used. For example, if in our hello example a second function was needed but that function wasn't itself to be accessible via RPC,
then the following code would be used:

(function() {
function getSource() {
return "server";
}

function hello(name) {
return "Hello " + name + " from the " + getSource();
}

publish("hello", hello);
})();

Since all functions are declared inside a function-block there are no functions in the global namespace until the call to the publish function pushes the hello function into it.
Note that the name of the function and the function itself must be provided separately.

Public APIs are vulnerable to denial of service attacks so by default CompleteFTP restricts the number of invocations to 100 per minute. This may be changed by providing an
additional argument to the publish function, as follows:

publish("hello", hello, { maxCallsPerMinute: 10 });

Since one JSS file may be included in another JSS file using the include function, it's sometimes desirable to allow another JSS file to invoke a function without also exposing
it publically. This may be done by providing a serverOnly argument, as follows:

publish("getSource", getSource, { serverOnly: true });

Functions that are published as serverOnly will not be included in proxies and may only be invoked by other JSS scripts.
11. Extending JSS using .NET

JSS can call .NET methods that are defined in a JSS extensions - see here.

12. Exploring Further

Details on the API available in JSS are in JSS API Guide. Information on the RPC protocol used in JSS may be found in JSS Remote Procedure Calls (RPC).
USING TEMPLATES
JSS supports templates, which facilitates the separation of Javascript and HTML code into separate files.

JSS templates work by expanding tags in a template using values provided by a hash or object. There are no if statements or any other logic - just tags, which are shown by
double curly braces, e.g. {{name}}.

This tag expansion happens on the server-side - in the server-side JSS file, Javascript objects are supplied to a render method that takes the HTML file containing the tags
and produces the expanded HTML file. See this example.

Variables

Variables are the most basic tag. A {{name}} tag in a basic template will try to find the name key in the current context. If there is no name key, an empty string is substituted.

All variables are HTML escaped by default. If you want to return unescaped HTML, use {{name}}}. You can also use & to unescape a variable, e.g. {{& name}}.

Sections

Sections render blocks of text one or more times, depending on the value of the key in the current context. They begin with a pound and end with a slash., e.g. {{#item}} and
{{/item}}.

If the key has a value of false or is an empty list, the HTML between the pound and slash is not returned. If the key exists and is non-false, the HTML between the pound and
the slash is rendered one or more times - once for every item in the list.

JSS templates are based on Mustache templates. More detailed examples and extended capabilities such as lambdas are explained here.
WEB-APP EXAMPLES
Live JSS examples are hosted on our public server and can be found here.

If you are reading this documentation from a machine that is hosting a running instance of CompleteFTP, you may be able to view the JSS examples on your own server, here.
CUSTOM EXTENSIONS
CompleteFTP Enterprise Edition allows you to customize CompleteFTP and integrate it with other IT systems by means of extensions (a.k.a. plug-ins). Extensions may be
entered directly into CompleteFTP Manager as Javascript (JSS) or by means of .NET assemblies developed using C# or VB.NET.

There are six types of extensions:

Authentication extensions: authenticate users using your own scheme or by integrating with external systems [JSS, .NET]
File-system extensions: develop your own file-system [JSS, .NET]
Custom command extensions: implement your own commands that can be called from any protocol [JSS, .NET]
Event extensions: handle user or system events in your own code [.NET only, for JSS see JSS process triggers]
IP filter extensions: if the inbuilt IP filtering feature doesn't match your requirements you can develop your own [JSS, .NET]
JSS-to-.NET bridge extensions: call .NET methods from JSS [.NET only]
HOW TO WRITE A .NET EXTENSION
A CompleteFTP .NET Extension is a .NET assembly, usually a DLL, which contains a class that extends the one of the CompleteFTP extension base-classes (see below). The
assembly can be developed in C#, VB.NET or any other .NET language. If you don't already have Visual Studio then you can use one of Microsoft's free Visual Studio Express
or Community products. This feature is only available in the Enterprise Edition.

Please note that from CompleteFTP 11.0, the .NET 4 framework is required to build .NET extensions. All extension DLLs will need to be recompiled with the target framework
set to .NET 4.

Types of .NET Extensions

For details on the type of .NET extension that you are developing please go to:

Authentication extensions
File-system extensions
Custom command extensions
Event extensions
IP filter extensions
JSS-to-.NET bridge extensions

Creating a .NET extension

To create a CompleteFTP .NET extension:

1. Open Visual Studio.

2. Create a new project of type Class Library.
3. Add a reference to the CompleteFTPServer.dll. You can find this in the directory C:\Program Files\CompleteFTP\Server. If you are on a 64-bit machine then it will be in
C:\Program Files (x86)\CompleteFTP\Server. Make sure the Specific Version property is set to false so that you don't have to rebuild the assembly each time you
upgrade CompleteFTP.
4. If you are using CompleteFTP 11.0 or later, ensure the target framework in your application settings is .NET 4.
5. Added references (using or import) to the namespaces required for your type of extension.
6. Make sure your new class extends the appropriate base-class.
7. Override the appropriate methods.
8. Add any logging you require.
9. Build the project.

Registering a .NET extension in CompleteFTP

Extensions must be registered with CompleteFTP. To do this:

1. Open CompleteFTP Manager.

2. Select the Extensions panel.

3. Click 'Add extension'.

4. Select '.NET Extension'.

5. Select 'Extension type'. (e.g. 'Authentication')

6. Select .NET Assembly file in Select .NET Assembly Dialog. Note that the assembly is read by the System user, so this user must have access to the file.

7. Select the class of the extension. (A DLL file can contain more than one class, so user has to select a class)
 8. Input the name of editor class, including namespace. (Optionally)

9. Some extension types require you to perform an additional registration step, such as adding a new folder-type, or granting permissions to site-commands.
10. Click the Apply button.

11. Test your .NET Extension by using a FTP client

Reloading a .NET extension in CompleteFTP

.NET assemblies cannot be reloaded if they are altered. If you need to make a change to the code of the extension then you will need to restart the CompleteFTP service to
force it to reload the DLL. While developing it is sometimes helpful to run CompleteFTP in console mode. This may be done by closing the CompleteFTP service and then
selecting Run server in console from the Window start menu.
.NET Framework Versions

The .NET assembly file must be built with a version of the .NET Framework runtime that the same as or older than the .NET Framework version on which CompleteFTP is
running. This can be controlled by editing the supportedRuntime element in the file, CompleteFTPService.exe.config in the Complete FTP installation folder. E.g. if you
want your CompleteFTP's extensions run on .NET Framework 4.0, you need make sure that 4.0 appears before 2.0 inside the supportedRuntime element and that .NET 4.0
is installed on your machine.
.NET AUTHENTICATION EXTENSIONS
Use this type of extension to implement any authentication scheme. .NET Authentication Extensions are known as authenticators. The server calls methods in your class to find
out whether or not a particular user-name/password combination or user/public key combination is valid. Your class can do whatever it needs to do to work out whether or not it
is valid, such as calling a webservice or invoking an RPC.

Creating a .NET Authentication Extension

General instructions on building CompleteFTP .Net extensions may be found here.

.NET Authentication Extension classes must extend EnterpriseDT.Net.FtpServer.Core.Authenticator.

CompleteFTP includes a number of predefined authenticators, such as the external database authenticator, the gateway authenticator (Enterprise Edition only), the automatic
Windows users (AWU) authenticator, and the SAML single sign-on authenticator.

Note that the order of precedence for authentication is as follows:

1. users explicitly defined within CompleteFTP (both non-Windows and Windows).

2. external database users, gateway users, SAML single sign-on users, and custom authentication extensions
3. automatic Windows users (AWU).

So if a user is explicitly defined in CompleteFTP and also in an extension, then the extension will never be used to authenticate the user.

When a .NET Authentication Extension is used, the defaultExtension user (which may be found in Users panel and by selecting "Show system users/folders/sites" in the main
form's Options menu) is used as a template for user details once login has been successful (shown below).

There are two ways to implement a .NET Authentication Extension. The simple .NET Authentication Extension is the most straightforward, and should be attempted first. If more
flexibility is required, consider writing an advanced .NET Authentication Extension.

Note that once an authenticator has been written, it must be registered in CompleteFTP with an Extension Type of authenticator. This is done via the CompleteFTP manager. It
must then be enabled by selecting the Enabled check box in the General User Settings dialog box, accessible from the Users tab in the manager.
 SIMPLE .NET AUTHENTICATION EXTENSIONS
In many (or even most) cases, authenticators can be written as described below. If this is not flexible enough for a particular application, an advanced .NET Authentication
Extension may be required.

The only method that needs to be implemented is LoadedUserInfo LoadUserInfo(IUserInfo suppliedUserInfo). When the server calls this method in your
authenticator, it supplies user information that enables your extension to look up that user's authentication details from an external source. You then return a LoadedUserInfo
object from this method, which contains the user's home directory, password hash and/or public keys. The authenticator caches this loaded user object, and uses it to
authenticate the user.

See the class reference for more details of the classes and interfaces involved.

Example 1 shows sample source code for implementing password authentication. See Example 2 for an example of public key authentication and password authentication.

Optionally, the void SetPassword(IUserInfo suppliedUserInfo, string oldPassword, string newPassword) can also be implemented. This can be used to
change the user's password in the external user data source. Ultimately, this method is called via the FTP SITE command, CPWD, or via the SSH/SFTP password changing
mechanism.

SSH/SFTP also permits servers to force a password change on clients. This can be implemented by setting the LoadedUserInfo.MustChangePassword property on the
LoadedUserInfo object that is returned from LoadUserInfo. FTP does not permit the server to force a user to change their password.

See Example 3 for how to force and implement password changes in SSH.

Example 1

Below is the source code for a sample authenticator which supports password authentication. For simplicity, the password is hardcoded, whereas in production code, it would
be retrieved from a data source. The password is not stored - instead, the PasswordHash field is populated when the Password field is set. The PasswordHash field can be set
directly - normally only password hashes would be stored.

using EnterpriseDT.Net.FtpServer.Core;

namespace EnterpriseDT.Net.FtpServer.Extensions.Test
{
public class SimplePasswordAuth : Authenticator
{
public override LoadedUserInfo LoadUserInfo(IUserInfo suppliedUserInfo)
{
if (suppliedUserInfo.UserName=="fred")
{
LoadedUserInfo info = new LoadedUserInfo();
info.Password = "fredspassword";
return info;
}
else
return null;
}
}
}

Example 2

Below is the source-code for a sample authenticator which allows a user to log via SFTP using public key authentication or by password authentication. For simplicity, the
public keys are hard coded, whereas in production code they would be retrieved from a data source.

using System.Text;
using EnterpriseDT.Net.FtpServer.Core;

namespace EnterpriseDT.Net.FtpServer.Extensions.Test
{
public class PublicKeyTest : Authenticator
{
public override LoadedUserInfo LoadUserInfo(IUserInfo suppliedUserInfo)
{
LoadedUserInfo info = new LoadedUserInfo();
info.RSAPublicKeys.Add(RSAPublicKey);
info.DSAPublicKeys.Add(DSAPublicKey);
info.Password = "mypassword";
return info;
}

private byte[] RSAPublicKey

{
get
 {
string key = "---- BEGIN SSH2 PUBLIC KEY ----\r\n" +
"Comment: \"imported-openssh-key\"\r\n" +
"AAAAB3NzaC1yc2EAAAABIwAAAIEA44J6LBloMWVvhOjMHZPnmgJWw+UWBl9nFEWa\r\n" +
"62IFDrJDg6+kJ2DQD8vOTsQmNjk88O3v+r0r/rr+QrotuLrdjrXBvrRrQNMfEbMo\r\n" +
"LhSmUVEFR/Yy3HjVRT6DHhJYPpr1xaXE6++fo5b2ax1zw+d1fPsh53lbAhrCHV9b\r\n" +
"NIOimDk=\r\n" +
"---- END SSH2 PUBLIC KEY ----";
return Encoding.ASCII.GetBytes(key);
}
}

private byte[] DSAPublicKey

{
get
{
string key = "---- BEGIN SSH2 PUBLIC KEY ----\r\n" +
"Comment: \"imported-openssh-key\"\r\n" +
"AAAAB3NzaC1kc3MAAACBAPos9tWoXLcd//dOGbaA+1TCO9vEi0jQOQM85j34E4Ua\r\n" +
"Sza5yjS3vI9K9XchJirbNYrRQNmgM2yn3fUDdTPU5eES+mZRy9K9qpAesk4Ghpwu\r\n" +
"btWc3e0APkQTUAoRHL8yiW1tHrRdV6yrowgKDPrIccnL90wYAZFHmUmwIeiESjTB\r\n" +
"AAAAFQDhvm9w83LDeixC3oPW+FOKk673dQAAAIBObehA6t+eRtNTocY1sb7Dly0O\r\n" +
"ReeRWo+mHEyUts78ayAN7YFNzTd8UXmUgw8gyGFtO/tXrkeLG46vMhL/0402ek9Z\r\n" +
"jNcDq2vF1InYIaOxceuRqg99VGQUqrjEWchIG5egDgtOKRAUtUyK7I52CXG3wN9/\r\n" +
"2Oq+WOoUztJCSwgmwwAAAIEAu4G5CHifmoTsBVcObaRkW8UqrTCmz7C84W6AaXA5\r\n" +
"uBlwtTIBlAUnKzfqStpC76rucJ6i3R9Nk+gHrDb4v6uA6at2UZDlHZlwPCg88fk7\r\n" +
"Nbi5umH9B/QSfm+GQOd+ttD54FOcR+lwmerJ+f1mzSX9v9ZrVi+xJJ6Jp+5NDa7g\r\n" +
"KtM=\r\n" +
"---- END SSH2 PUBLIC KEY ----";
return Encoding.ASCII.GetBytes(key);
}
}

}
}

Example 3

Below is the source-code for a sample authenticator which allows a user to login via SFTP by password authentication, but forces the user to change their password. This is an
SSH-specific mechanism that many SSH clients support.

There are three requirements for doing this. Firstly, the LoadedUserInfo object must have the MustChangePassword property set to true. The void
SetPassword(IUserInfo suppliedUserInfo, string oldPassword, string newPassword) method must be overridden to allow the new password to be set - throw
an InvalidPasswordException if the new password does not pass the required checks. And finally, in the Password policies dialog found from the link in the General User
Settings dialog box (accessible from the Users tab in the manager), Permit password changes must be selected.

using EnterpriseDT.Net.FtpServer.Core;

namespace EnterpriseDT.Net.FtpServer.Extensions.Test
{
public class ChangePasswordAuth : Authenticator
{
private const string PASSWORD = "javaftp";
private string password = PASSWORD;

public override LoadedUserInfo LoadUserInfo(IUserInfo suppliedUserInfo)

{
LoadedUserInfo info = new LoadedUserInfo();
info.Password = password;
info.MustChangePassword = (password == PASSWORD);
return info;
}

public override void SetPassword(IUserInfo suppliedUserInfo, string oldPassword, string newPassword)

{
if (oldPassword == newPassword)
throw new InvalidPasswordException("New password must be different");
password = newPassword;
}
}
}
 ADVANCED .NET AUTHENTICATION EXTENSIONS
Simple .NET Authentication Extensions can usually be used to accomplish what extension developers require. However at times more complicated scenarios require more
flexibility.

As with simple extensions, advanced .NET Authentication Extension classes must extend EnterpriseDT.Net.FtpServer.Core.Authenticator.

However instead of overriding the LoadUserInfo method, they override the CheckUserName and Authenticate methods. In the
EnterpriseDT.Net.FtpServer.Core.Authenticator base class implementation, LoadUserInfo is called by CheckUserName. But LoadUserInfo need not be overridden
- instead CheckUserName can be overridden and LoadUserInfo need not be called at all.

Similarly, the Authenticate method is implemented in the Authenticator class, and if it is provided in CheckUserName or indirectly via LoadUserInfo, the
LoadedUserInfo class containing the user's data will automatically used to authenticate the user. However Authenticate can be overridden to authenticate in whatever way
the extension writer prefers.

The primary requirement when overriding CheckUserName is to ensure that IsValidUserName property of the supplied IUserInfo argument is set to true for a valid user.
When overriding Authenticate, ensure that the IsCorrectPassword property of the supplied IAuthenticationInfo argument is set to true for password authentication,
o r IsValidKey is set to true for public key authentication. IAuthenticationInfo.AuthenticationMethod can be inspected to determine if password or public key
authentication is being used. IsValidRSAKey and IsValidDSAKey can be used to determine if a key blob is the correct public key matching what the user has supplied as
part of their public key authentication process.

See the class reference for more details of the classes and interfaces involved.

Example 1

Below is the source-code for a sample authenticator which allows a user to log in with the username, myusername, and the password, mypassword. The user's home directory
will be C:\Temp if the defaultExtension's home-directory is set to %ExternalHomeFolder%.

using EnterpriseDT.Net.FtpServer.Core;

namespace MyTestAuthenticator
{
public class PasswordAuthenticator : Authenticator
{
public override void CheckUserName(IUserInfo userInfo)
{
if (userInfo.UserName == "myusername")
userInfo.IsValidUserName = true;
}

public override void Authenticate(IAuthenticationInfo authInfo)

{
if (authInfo.AuthenticationMethod == AuthenticationMethod.Password && authInfo.Password == "mypassword")
{
authInfo.IsCorrectPassword = true;
authInfo.HomeDirectory = "C:\\Temp";
}
}
}
}

Example 2

Below is the source-code for a sample authenticator which allows a user to log in with the username, myusername via public key authentication. For simplicity, the public keys
of the user are hard coded, whereas in production code they would be retrieved from a data source. The user's home directory will be C:\Temp if the defaultExtension's
home-directory is set to %ExternalHomeFolder%.

using System.Text;
using EnterpriseDT.Net.FtpServer.Core;

namespace MyTestAuthenticator
{
public class PublicKeyAuthenticator : Authenticator
{
public override void CheckUserName(IUserInfo userInfo)
{
if (userInfo.UserName == "myusername")
userInfo.IsValidUserName = true;
}

public override void Authenticate(IAuthenticationInfo authInfo)

{
 if (authInfo.AuthenticationMethod == AuthenticationMethod.PublicKey)
{
if (authInfo.KeyAlgorithm == PublicKeyAlgorithm.DSA)
{
authInfo.IsValidKey = IsValidDSAKey(DSAPublicKey, authInfo);
}
else
{
authInfo.IsValidKey = IsValidRSAKey(RSAPublicKey, authInfo);
}
if (authInfo.IsValidKey)
authInfo.HomeDirectory = "C:\\Temp";
}
}

private byte[] RSAPublicKey

{
get
{
string key = "---- BEGIN SSH2 PUBLIC KEY ----\r\n" +
"Comment: \"imported-openssh-key\"\r\n" +
"AAAAB3NzaC1yc2EAAAABIwAAAIEA44J6LBloMWVvhOjMHZPnmgJWw+UWBl9nFEWa\r\n" +
"62IFDrJDg6+kJ2DQD8vOTsQmNjk88O3v+r0r/rr+QrotuLrdjrXBvrRrQNMfEbMo\r\n" +
"LhSmUVEFR/Yy3HjVRT6DHhJYPpr1xaXE6++fo5b2ax1zw+d1fPsh53lbAhrCHV9b\r\n" +
"NIOimDk=\r\n" +
"---- END SSH2 PUBLIC KEY ----";
return Encoding.ASCII.GetBytes(key);
}
}

private byte[] DSAPublicKey

{
get
{
string key = "---- BEGIN SSH2 PUBLIC KEY ----\r\n" +
"Comment: \"imported-openssh-key\"\r\n" +
"AAAAB3NzaC1kc3MAAACBAPos9tWoXLcd//dOGbaA+1TCO9vEi0jQOQM85j34E4Ua\r\n" +
"Sza5yjS3vI9K9XchJirbNYrRQNmgM2yn3fUDdTPU5eES+mZRy9K9qpAesk4Ghpwu\r\n" +
"btWc3e0APkQTUAoRHL8yiW1tHrRdV6yrowgKDPrIccnL90wYAZFHmUmwIeiESjTB\r\n" +
"AAAAFQDhvm9w83LDeixC3oPW+FOKk673dQAAAIBObehA6t+eRtNTocY1sb7Dly0O\r\n" +
"ReeRWo+mHEyUts78ayAN7YFNzTd8UXmUgw8gyGFtO/tXrkeLG46vMhL/0402ek9Z\r\n" +
"jNcDq2vF1InYIaOxceuRqg99VGQUqrjEWchIG5egDgtOKRAUtUyK7I52CXG3wN9/\r\n" +
"2Oq+WOoUztJCSwgmwwAAAIEAu4G5CHifmoTsBVcObaRkW8UqrTCmz7C84W6AaXA5\r\n" +
"uBlwtTIBlAUnKzfqStpC76rucJ6i3R9Nk+gHrDb4v6uA6at2UZDlHZlwPCg88fk7\r\n" +
"Nbi5umH9B/QSfm+GQOd+ttD54FOcR+lwmerJ+f1mzSX9v9ZrVi+xJJ6Jp+5NDa7g\r\n" +
"KtM=\r\n" +
"---- END SSH2 PUBLIC KEY ----";
return Encoding.ASCII.GetBytes(key);
}
}
}
}
.NET FILE-SYSTEM EXTENSIONS
A .NET file-system extension is a .NET assembly (usually a DLL) that contains a class that extends the class
EnterpriseDT.Net.FtpServer.FileSystem.FileSystemAdapter. The assembly can be developed in C#, VB.NET or any other .NET language. If you don't already have
Visual Studio then you can use one of Microsoft's free Visual Studio Express or Community products.

Creating a .NET file-system extension

General instructions on building CompleteFTP .NET extensions may be found here. In addition to the registration steps described in the general instructions, a .NET file-system
extension must have a folder-type defined. The folder-type determines which extension should be used for a specific folder-type.

Once a new folder-type is added, it will be displayed in the list of folder-types that is displayed when a user adds a new folder to the virtual file-system.

File-system extension classes must extend EnterpriseDT.Net.FtpServer.FileSystem.FileSystemAdapter or one of its subclasses, e.g. WindowsAdapter,
FolderAdapter or SpecialFolderAdapter. The base-class, FileSystemAdapter, is a concrete class but it disallows all operations, some of its methods must therefore be
overridden to make it functional. For example, if directory-listing and downloading are to be supported then GetFileInfos and GetReadStream must be implemented at a
minimum. Many FTP clients do things like checking sizes and modification dates before downloading, so methods like GetFileLength and GetModifiedTime may also need
to be implemented.

Example

Below is the source-code for a sample .NET file-system extension whose only function is to display file-names in upper case.

using System.Windows.Forms;
using EnterpriseDT.Net.FtpServer.Core;
using EnterpriseDT.Net.FtpServer.FileSystem;
using EnterpriseDT.Net.FtpServer.FileSystem.Windows;

namespace MyTestAdapter
{
public class UpperCaseFileNameAdapter : FolderAdapter
{
public override VirtualFileInfo[] GetFileInfos(ISession session, IFileSystemNode node, string path, string pattern)
{
VirtualFileInfo[] files = base.GetFileInfos(session, node, path, pattern);
foreach (VirtualFileInfo f in files)
f.Name = f.Name.ToUpper();
return files;
}
}
}

Creating an editor for a .NET file-system extension

A .NET file-system extension can optionally have a visual editor associated with it. This editor simply needs to pop up a form when a particular method is called. Extension
editors must extend the class EnterpriseDT.Net.FtpServer.FileSystem.FileSystemAdapterEditor. They should be placed in the same assembly as the
FileSystemAdapter extension itself. At a minimum they must override the IsUserConfigurable property and the ShowConfigDialog method. The IsUserConfigurable
method should return true. The ShowConfigDialog takes an argument of type IFileSystemNode, which represents a folder in the virtual file-system. The job of the
ShowConfigDialog method is to change the IFileSystemNode's Configuration property and return true if it has changed it.

Every method of FileSystemAdapter takes an argument of the same type, i.e. IFileSystemNode. Thus every method will have access to the user-configurable
Configuration property. This is how, for example, each Windows folder in the virtual file-system is mapped to a specific Windows folder on the hard-disk.

Example

The following example opens a FolderBrowserDialog and allows the user to select a Windows path. Notice that the node.Configuration property is only set if the OK-
button was pressed by the user.

public class TestAdapterEditor : FileSystemAdapterEditor

{
public override bool ShowConfigDialog(IWin32Window parent, IFileSystemNode node)
{
FolderBrowserDialog browser = new FolderBrowserDialog();
if (node.Configuration!=null)
browser.SelectedPath = node.Configuration;
if (browser.ShowDialog(parent) == DialogResult.OK)
{
node.Configuration = browser.SelectedPath;
return true;
}
else
return false;
}
}

Overview of File-System Adapter Classes

All file-system adapters must extend directly or indirectly from FileSystemAdapter. If you want your adapter to access the Windows file-system then it's probably much easier
to extend from one of its subclasses, such as FolderAdapter. For example, if you only want to implement some special mapping between the virtual file-system and the
Windows file-system then you can simply override the GetWindowsPath method, which is responsible for mapping virtual paths into real paths.

FileSystemAdapter
namespace: EnterpriseDT.Net.FtpServer.FileSystem
editor: None

Every file or directory operation that the user initiates is done by means of a FileSystemAdapter. This includes uploading, downloading, renaming and deleting files, as well
as creating, listing and deleting directories. Most of these operations are implemented by a single method. The class itself can be instantiated, but does nothing of value. It
yields empty listings and allows no uploads, downloads, deletes, etc. Any method or all methods may be overridden in subclasses to add functionality. As stated previously, it's
often desirable to extend FolderAdapter since it already implements all methods required for interfacing with the Windows file-system, but may be modified as required.

Most methods of FileSystemAdapter take at least the following three arguments: session, node and path. The session contains information about the user's current
session; the node has information about the folder in the virtual file system that the user is accessing; and the path is the path relative to the last virtual folder on the path. So
if, for example, the user is accessing the file /a/b/c/d/e.txt, which is in a subfolder of the virtual directory, /a/b/c, then the path argument will be d/e.txt. The value of
the property node.Configuration is the value set by the adapter editor (see above) when the virtual folder was created by the user.

WindowsAdapter extends FileSystemAdapter (abstract)

namespace: EnterpriseDT.Net.FtpServer.FileSystem.Windows
editor: None

Provides all the functionality necessary for CompleteFTP to access the Windows file-system except for the mapping of paths in the virtual file-system into real Windows paths.
When it needs to map a path in the virtual file-system to a Windows path it calls its own abstract method, GetWindowsPath. The main job of the subclasses of
WindowsAdapter is to implement this method.

FolderAdapter extends WindowsArchiveAdapter

namespace: EnterpriseDT.Net.FtpServer.FileSystem.Windows
editor: FolderAdapterEditor

This is the main adapter for the Windows file-system. The editor sets the node.Configuration property to an absolute Windows path. The GetWindowsPath concatenates
this absolute Windows path and the path passed to the GetWindowsPath method to return the full Windows path of the folder on in the Windows file-system.

SpecialFolderAdapter extends WindowsArchiveAdapter

namespace: EnterpriseDT.Net.FtpServer.FileSystem.Windows
editor: SpecialFolderAdapterEditor
Adapter for special Windows folder, such as the My Documents folder. The editor sets the node.Configuration property to a tag indicating which special folder is required.
The GetWindowsPath returns the real Windows path of this folder for the user whose session is being accessed.

Overview of Other Classes

ISession

namespace: EnterpriseDT.Net.FtpServer.Core

Provides information about the current user-session, including the name of the user and the IP address of the client.

IFileSystemNode

namespace: EnterpriseDT.Net.FtpServer.FileSystem

A file-system node is a folder in the virtual file-system. Every folder that you see in the virtual file-system view has a single file-system node associated with it. The most
important property of IFileSystemNode is Configuration, which stores the path or other configuration that the visual editor set when the user configured the folder in
CompleteFTP Manager.

VirtualFileInfo
namespace: EnterpriseDT.Net.FtpServer.FileSystem

Used to pass directory listing information from the FileSystemAdapter to CompleteFTP.

VirtualFileMode
namespace: EnterpriseDT.Net.FtpServer.FileSystem

Logging

The class EnterpriseDT.Util.Debug.Logger may be used to write messages to the CompleteFTP log. This can be very useful when debugging your adapter. To use this
class, create a static instance of it in your adapter class and call its Error, Warn or Debug method to write something to CompleteFTP's log file. For example:

using EnterpriseDT.Util.Debug;

public class UpperCaseFileNameAdapter : FolderAdapter

{
private Logger log = Logger.GetLogger("UpperCaseFileNameAdapter");

public override VirtualFileInfo[] GetFileInfos(ISession session, IFileSystemNode node, string path, string pattern)
{
log.Debug("Listing requested");
...
}
}

Class Reference
Class: FileSystemAdapter
bool DirectoryExists(ISession session, IFileSystemNode node, string path)
Returns true if a directory exists and false otherwise.
void CreateDirectory(ISession session, IFileSystemNode node, string path)
Create a directory at the given path.
VirtualFileInfo[] GetFileInfos(ISession session, IFileSystemNode node, string path, string pattern)
Return an array of VirtualFileInfo objects corresponding to the files in the given directory that match the given pattern.
void DeleteDirectory(ISession session, IFileSystemNode node, string path)
Delete the given directory.
bool FileExists(ISession session, IFileSystemNode node, string path)
Returns true if a file exists and false otherwise.
void DeleteFile(ISession session, IFileSystemNode node, string path)
Delete the given file.
bool IsFileLengthKnown(ISession session, IFileSystemNode node, string path)
Returns true if the length of the given file is known and false otherwise.
long GetFileLength(ISession session, IFileSystemNode node, string path)
Returns the length of the given file in bytes.
DateTime GetModifiedTime(ISession session, IFileSystemNode node, string path)
Returns the time when the given file was last modified.
void SetModifiedTime(ISession session, IFileSystemNode node, string path, DateTime dateTime)
Set the last-modified time of the given file.
Stream GetReadStream(ISession session, IFileSystemNode node, string path)
Returns a stream that may be used for reading the given file (used for downloads).
void OnReadStreamClosed(ISession session, IFileSystemNode node, string path, Stream stream)
 Called when the read-stream (created by GetReadStream) is closed.
Stream GetWriteStream(ISession session, IFileSystemNode node, string path, VirtualFileMode mode)
Returns a stream that may be used for writing to the given file (used for downloads).
void OnWriteStreamClosed(ISession session, IFileSystemNode node, string path, Stream stream)
Called when the write-stream (created by GetWriteStream) is closed.
bool MoveFile(ISession session, IFileSystemNode fromNode, string fromPath, FileSystemAdapter toAdapter, IFileSystemNode toNode, string
toPath)
Move the given file from one location in the virtual file-system (defined by fromNode and fromPath) to another location (defined by toAdapter, toNode and toPath). For simple file
renaming, the fromNode will be the same as the toNode and the toAdapter will be the 'this' adapter.
string GetAdapterFilePath(ISession session, IFileSystemNode node, string path)

void Initialize(IPlugInInfo info)

Called when the extension is first created.
void Dispose()
Called when the extension is disposed of.
.NET CUSTOM COMMAND EXTENSIONS
A .NET custom command extension is a .NET assembly (usually a DLL) that contains a class that extends the class EnterpriseDT.Net.FtpServer.Core.CustomCommands.
The assembly can be developed in C#, VB.NET or any other .NET language. If you don't already have Visual Studio then you can use one of Microsoft's free Visual Studio
Express or Community products.

Creating a .NET custom command extension

General instructions on building CompleteFTP extensions may be found here. In addition to the registration steps described in the general instructions, permissions must also
be granted for users and/or groups to access a .NET custom command extension, otherwise no users will be able to invoke the commands.

Permissions for .NET custom command extensions are managed in the Permissions tab of the Extensions panel in CompleteFTP Manager, as shown below. The commands in
a .NET custom command extension may be executed by a user that's been directly given or is a member of a group that has been given permission to do so.

Commands are added to a .NET custom command extension simply by adding methods. By default the name of the method becomes the name of the command. If a
CustomCommandName attribute is defined then that becomes the name of the command. All names are case-insensitive. The arguments of the method become the arguments
of the command. All the arguments must be strings. Custom commands may return one or more lines of text.

The way in which a command is executed by a client depends on the protocol. In FTP custom commands must be preceded by SITE. For example, the inbuilt change password
command may be invoked as follows:

ftp> site cpwd mypassword

200-CPWD successful
200 SITE command successful.
ftp>

Note that if you're using Microsoft ftp.exe then you need to enter "quote site mypassword".

Example

The following example implements the ubiquitous Hello World example as a Custom command:

using EnterpriseDT.Net.FtpServer.Core;

namespace SampleExtensions
{
public class HelloWorldCustomCommands : CustomCommands
{
public string HelloWorld()
{
return "Hello world!";
}

[CustomCommandName("HelloWorld2")]
public string HelloWorldWithArgs(string argument1, string argument2)
{
return "Hello world!\n" + argument1 + "\n" + argument2;
}
 }
}

The first method has no arguments and defines no CustomCommandName attribute. This means that it must be called by its full name, "HelloWorld" (case is ignored). The
second method has two arguments, so two arguments must be entered when the command is executed by the client. This method also defines a command-name, so that
name, "HelloWorld2", must be used when the command is executed by the client. In addition, it illustrates that multiple lines may be included in a reply.
 .NET EVENT EXTENSIONS
A .NET Event Extension is a .NET assembly (usually a DLL) that contains a class that extends the class EnterpriseDT.Net.FtpServer.Trigger.Trigger. The assembly
can be developed in C#, VB.NET or any other .NET language. If you don't already have Visual Studio then you can use one of Microsoft's free Visual Studio Express or
Community products.

Creating a .NET Event Extension

General instructions on building CompleteFTP extensions may be found here.

.NET Event Extension classes must extend EnterpriseDT.Net.FtpServer.Trigger.Trigger and implement the OnTriggerEvent method. This method is called each time
one of the following events occur: LogIn, LogOut, ChangeDirectory, UploadFile, DownloadFile, MoveFile, DeleteFile, CreateFolder, DeleteFolder and
MoveFolder.

The OnTriggerEvent is passed a single argument of type TriggerEvent. This class contains various information about the event that occurred and the user-session in
which it occurred.

Example
The following example implements a minimal auditing .NET Event Extension, which simply logs all events to a CSV file in the user's temporary directory, which base on value of
environment variables 'TEMP' of system. Normally, this folder can be C:\Users\{username}\AppData\Local\Temp or C:\Windows\Temp.

using System;
using System.IO;
using EnterpriseDT.Net.FtpServer.Trigger;

public class AuditingEventHandler : Trigger

{
public override void OnTriggerEvent(TriggerEvent eventInfo)
{
string auditFilePath = Path.Combine(Path.GetTempPath(), "audit.csv");
using (StreamWriter auditFile = File.AppendText(auditFilePath))
{
auditFile.WriteLine("{0:yyyy-MM-dd hh:mm:ss},{1},{2},{3},{4}",
DateTime.Now, eventInfo.EventType, eventInfo.Session.UserName,
eventInfo.Path, eventInfo.OldPath);
}
}
}

Class Reference
Class: Trigger

All .NET Event Extensions must extend this class. Only the OnTriggerEvent method needs to be implemented. It is called every time an event occurs. If any initialization needs
to be done then that may be placed in the Initialize method, and any required clean-up code may be placed in the Dispose method.

void OnTriggerEvent(TriggerEvent eventInfo)

Called every time an event occurs.
void Initialize(IPlugInInfo info)
Called when the Trigger is created. Perform any initialization tasks here. info.PlugInConfiguration contains the configuration entered by the user.
void Dispose()
Called when the Trigger is disposed of. Perform any clean-up tasks here

Class: TriggerEvent

Contains information describing a particular event

TriggerEventType EventType
Type of event. Possible values are LogIn, LogOut, ChangeDirectory, UploadFile, DownloadFile, MoveFile, DeleteFile, CreateFolder, DeleteFolder and
MoveFolder.
ISession Session
Provides information about the current user-session, including the name of the user and the IP address of the client.
string Path
Path of file (if any)
string OldPath
Previous path of file (valid for MoveFile and MoveFolder events only).
 JSS-TO-.NET BRIDGE EXTENSIONS
JSS-to-.NET bridge extensions may be used to call into .NET from JSS thus offering wide extensibility to the JSS platform. It might be used, for example, to wrap a simple .NET
function so that it may be used in JSS or as a bridge between JSS and a .NET API for a web-service.

A JSS-to-.NET bridge extension is a .NET assembly (usually a DLL) that contains a class that extends the class EnterpriseDT.Net.FtpServer.Core.PlugIn and has one
or more methods with the JavascriptInvokable attribute. The assembly can be developed in C#, VB.NET or any other .NET language. If you don't already have Visual
Studio then you can use one of Microsoft's free Visual Studio Express or Community products.

Creating a JSS-to-.NET Bridge extension

General instructions on building CompleteFTP extensions may be found here.

JSS-to-.NET bridge extension classes must extend EnterpriseDT.Net.FtpServer.Core.PlugIn. Each method that is to be exposed to JSS must have a
JavascriptInvokable attribute. If the JavascriptInvokable attribute specifies a name then this is the name by which the method must be called from JSS. If no name is
specified then the name of the .NET method is used.

Arguments may be passed to a method and values returned. Javascript numbers will be cast to .NET doubles; Javascript string will be case to .NET strings; arrays will be cast
to List<object>; and Javascript objects will be cast to Dictionary<string, object>.

Example

The following example implements methods that calculate hashes using two algorithms, MD5 and SHA1. Notice that the JavascriptInvokable attributes specify the names
that should be used to call them from JSS, i.e. calculateMD5 and calculateSHA1.

using System;
using EnterpriseDT.Net.FtpServer.Http.Javascript;
using System.Web.Security;
using EnterpriseDT.Net.FtpServer.Core;

public class HashFunctions : PlugIn

{
[JavascriptInvokable("calculateMD5")]
public string CalcMD5(string s)
{
return FormsAuthentication.HashPasswordForStoringInConfigFile(s, "MD5");
}

[JavascriptInvokable("calculateSHA1")]
public string CalcSHA1(string s)
{
return FormsAuthentication.HashPasswordForStoringInConfigFile(s, "SHA1");
}
public override void Dispose()
{
throw new NotImplementedException();
}
public override void Initialize(IPlugInInfo info)
{
throw new NotImplementedException();
}
}
 HOW TO ADD LOGGING TO A .NET EXTENSION
The class EnterpriseDT.Util.Debug.Logger may be used to write messages to the CompleteFTP log. This can be very useful when debugging your .Net extension. To use
this class, create a static instance of it in your extension class and call its Error, Info, Warn or Debug method to write something to CompleteFTP's log file. For example:

using EnterpriseDT.Util.Debug;

public class UpperCaseFileNameAdapter : FolderAdapter

{

private static Logger log = Logger.GetLogger("UpperCaseFileNameAdapter");

public override VirtualFileInfo[] GetFileInfos(ISession session, IFileSystemNode node, string path, string pattern)
{

log.Debug("Listing requested");

...

}
}
HOW TO WRITE A JSS EXTENSION
A JSS Extension is an extension written in JSS (Javascript Server-Side).

JSS uses standard Javascript syntax and supports the JSS API, which gives access to resources such as the CompleteFTP virtual file-system.
JSS supports the use of standard .NET classes, which can be instantiated in the same way as in C# (e.g. new FullDotNetClassName();).
JSS can call into custom DLLs using JSS-to-.NET Bridge Extensions.
JSS code may be stored in the CompleteFTP configuration or in external files. Changes to JSS files are detected in real time.

Three types of JSS extensions are supported:

Authentication extensions
File-system extensions
Custom-command extensions
IP filter extensions

Note that this feature is only available in the Enterprise Edition.

Creating a JSS extension

To create a CompleteFTP JSS extension:

1. Open CompleteFTP Manager.

2. Select the Extensions panel then select the Extensions tab.

3. Click 'Add extension'.

4. Select 'Javascript (JSS) extension'.

5. Select extension type. (e.g. 'Authentication').

 6. Enter the code for your extension. You can write it in CompleteFTP's syntax-highlighting editor or any of your favourite Javascript editors then add this JSS file to
CompleteFTP editor by 'File/Open from/File on server...'.

7. Some extension types require you to perform an additional registration step, such as adding a new folder-type, or granting permissions to site-commands.
8. Click the Apply Changes button.

9. Test your JSS Extension by using an FTP client.

Note: Full details of JSS API are provided in the JSS API Reference.

Registration of JSS extensions

Some JSS extensions must be registered in order for them to take effect. This is done automatically for authentication and file-system extensions when they are created, but it
must be done manually for custom-command extensions. Each type of JSS extensions has its own method of registration:

IP filter extensions
IP filter extensions will be used as soon as they're added.

Authentication extensions
Custom authenticators will only be used if they're enabled in the 'Other authentication methods' list in General User Settings in the Users panel.

Custom Command extensions

Only users who have permission for a particular custom command extension may invoke the commands that it defines. Permission may be granted to individual users or groups
in the Permission tab in the Extensions panel, as the example below.

File-System extensions
Folders that use a custom file-system extension may only be created if they have a folder-type defined for them. This is done in the Folder Types tab of the Extensions panel.

Saving a JSS extension

For the JSS code in CompleteFTP's editor, you can save it by choosing 'File/Save to/File on server...' then choose where to save the file and name the file.

After that, the file can be loaded by 'File/Open from/File on server...'.

For a quick save after editing, you can use 'File/Save [Ctrl+S]' or just click on Apply Changes.
JSS AUTHENTICATION EXTENSIONS
Use this type of extension to implement any user-name/password authentication scheme, or to support public key authentication in SFTP. JSS Authentication Extensions are
known as authenticators. The server calls functions in your extension to find out whether or not a particular user-name/password combination or user/public key combination is
valid. Your class can do whatever it needs to do to work out whether or not it is valid, such as calling a webservice or invoking an RPC.

Creating a JSS Authentication Extension

General instructions on building CompleteFTP JSS extensions may be found here.

There are two ways to implement a JSS Authentication Extension. The simple JSS Authentication Extension is the most straightforward, and should be attempted first. If more
flexibility is required, consider writing an advanced JSS Authentication Extension.

For step by step instructions on how to create your own authentication method, please refer to Step-by-step guide: Add my own authentication method .

Note that once an authenticator has been written and Apply Changes, it will be automatically registered in CompleteFTP. It can be enabled/disabled by selecting/deselecting
the Enabled check box in the General User Settings dialog box, accessible from the Users tab in the manager, as shown below.

Precedence
CompleteFTP includes a number of predefined authenticators, such as the external database authenticator, the gateway authenticator (Enterprise Edition only), the automatic
Windows users (AWU) authenticator, and the SAML single sign-on authenticator.

Since a user-name can potentially be authenticated by more than one authenticator it's necessary to define the order in which the various authenticators are accessed. This
order of precedence is as follows:

1. users explicitly defined within CompleteFTP (both non-Windows and Windows).

2. external database users, gateway users, SAML single sign-on users, and custom authentication extensions
3. automatic Windows users (AWU).

For example, if a user with a given user-name is explicitly defined in CompleteFTP, but authentication using that user-name is also available via an extension, then the
extension will never be used to authenticate the user since it has lower precedence. This can sometimes cause confusing when testing.

When a JSS Authentication Extension is used, the defaultExtension user (which may be found in Users panel and by selecting "Show system users/folders/sites" in the main
form's Options menu) is used as a template for user details once login has been successful.
 SIMPLE JSS AUTHENTICATION EXTENSION
Use simple authentication when the password, password-hash or public key are known by the authenticator.

The only method that needs to be implemented is:

loadUserInfo(userName, userInfo)

When the server calls this method in your authenticator, it supplies user information that enables your extension to look up that user's authentication details from an external
source. This function returns authentication information for the user with the given user-name.

The first argument is simply a string containing the supplied user-name.

The second argument, userInfo, has the following fields:

userName - the user-name being presented by the client.

siteName - the name of the site that the client is connecting to.
remoteEndPoint - object with two fields, ip and port.
session - object containing information about the session.

The function may either return the password-hash or an object containing any of the following fields:

password - the password of the user.

passwordHash - the password hash (either MD5 or SHA).
passwordSalt - the salt of the password hash.
homeDirectory - home directory to be used (Windows path).
groups - list of groups that the user is to be a member of.
tags - object whose fields are arbitrary name-value pairs that will be available via the system.user.tags field for the lifetime of the user's session.
dsaPublicKey - an DSA key (in any common format).
dsaPublicKeys - an array of DSA keys if there are more than one.
rsaPublicKey - an RSA key (in any common format).
rsaPublicKeys - an array of RSA keys if there are more than one.
mustChangePassword - force the user to change their password (SSH only).

If the user cannot be authenticated then null should be returned.

Examples
Example 1

This example illustrates an authenticator which shows sample source code of using a global associative array (a.k.a. object) to store user account data.

var users = {
fred: { password: "password" },
mark: { password: "password", homeDirectory: "C:\\Temp" }
};

function loadUserInfo(userName) {
console.log("Authenticating " + userName);
return users[userName];
}

Example 2

This example illustrates an authenticator which authenticates by reads user accounts from a JSON file.

var users = system.getFile("/Admin/Extensions/users.json").readObject();

function loadUserInfo(userName) {
return users[userName];
}

Example 3

This example illustrates an authenticator which authenticates from a SQL Server Compact database. The database has a single table, Users, with two columns, userName and
password.

// open the database - will create if doesn't exist

var db = system.openDatabaseSync("/Admin/Extensions/Authenticators/users.sdf");

// authentication function
function loadUserInfo(userName) {
var userInfo = null;
 db.readTransaction(function(transaction) {
var res = transaction.executeSql("SELECT * FROM Users WHERE userName=?", [userName]);
if (res.rows.length>0) {
var row = res.rows[0];
userInfo = { password: row.password };
}
});
return userInfo;
}

Example 4

This example illustrates an authenticator which authenticates by fetching the user account data via HTTP (JSS supports HTTP GETs).

var usersFile = http.get("http://localhost/users.json").body;

var users = JSON.parse(usersFile);

function loadUserInfo(userName) {
return users[userName];
}
 ADVANCED JSS AUTHENTICATION EXTENSION
Use advanced authentication when the password or password hash are unknown by the authenticator; usually when authentication is being handled by an external system.

There are two methods that needs to be implemented are:

checkUserName(userName, userInfo)

authenticate(userName, password, authInfo)

When the server call these methods in your authenticator, it supplies user information that enables your extension to look up that user's authentication details from an external
source.

function checkUserName(userName, userInfo)

Indicates whether or not the given user-name is valid. If true is returned the CompleteFTP won't allow other authenticators to try to authenticate this user.

If it's not possible to determine whether or not a user-name is valid also having a password then this method may return true regardless of the value of userName. However, if
this is done then no authenticators (with lesser precedence) will be utilized.

The first argument is a string containing the user-name. If that's all that's required then the second argument may be left out.

The second argument, userInfo, has the following fields:

userName - the user-name being presented by the client.

siteName - the name of the site that the client is connecting to.
remoteEndPoint - object with two fields, ip and port.
session - object containing information about the session.

function authenticate(userName, password, authInfo)

Authenticates the client. This method will only be called if checkUserName return true.

The first and second arguments are strings containing the user-name and the password, respectively. If that's all that's required then the third argument may be left out.

The third argument, authInfo, has the following fields.

userName - the user-name being presented by the client.

password - the password being presented by the client.
siteName - the name of the site that the client is connecting to.
remoteEndPoint - object with two fields, IP and port.
session - object containing information about the session.
authenticationMethod - authentication method being used - either 'Password' or 'PublicKey'.
keyAlgorithm - the key algorithm - either 'DSA' or 'RSA'.

This method may return either a boolean or an object containing the following fields:

isCorrectPassword - indicates whether or not the password is correct (only used if authenticationMethod is 'Password').
isValidKey - indicates whether or not the public key is correct (only used if authenticationMethod is 'PublicKey').
homeDirectory - home directory to be used (Windows path).
mustChangePassword - indicates whether or not the user will be forced to change their password (SFTP/SCP only).
groups - array of the names of groups (strings) of which the user should be a member.
tags - object whose fields are arbitrary name-value pairs that will be available via the system.user.tags field for the lifetime of the user's session.

The methods isValidDSAKey(key) and isValidRSAKey(key) may be used to check keys. The argument must be a public key in a common format such as OpenSSH.
 JSS FILE-SYSTEM EXTENSIONS
A JSS file-system extension is a set of Javascript functions that define the behaviour of the files and folders within a folder of the CompleteFTP virtual file-system.

CompleteFTP's virtual file-system is available via the system.getFile(path) method. This method returns objects of the File class. The fact that an object is returned does not
imply that a file exists on that path; this may be checked using the exists() method.

Developing a JSS file-system extension

General instructions on writing CompleteFTP JSS extensions may be found here. Remember that file-system extensions are linked to the file-system via a folder-type, so an
entry for the file-system extension being developed must be present in the folder-type tab before a folder of that type may be added to the virtual file-system. It's created
automatically but it's important to understand this linkage. Once a folder-type has been created the file-system extension may be tested by creating a folder of that type in the
virtual file-system, and then listing that folder using a client such as FileZilla.

At a minimum a JSS file-system extension must implement a function called getFileInfos(), which returns a file-listing. For example, this code will generate a listing
containing three files (file1.txt, file2.txt and file3.txt):

var files = {
"file1.txt" : "File 1",
"file2.txt" : "File 2",
"file3.txt" : "File 3"
};

function getFileInfos(path) {
var fileInfos = [];
for (var fileName in files)
fileInfos.push({
name: fileName,
isDirectory: false,
length: files[fileName].length
});
return fileInfos;
}

getFileInfos() returns an array of objects. Each object in the array describes one file: its name (name) , whether or not it's a directory (isDirectory) and its length
(length). The path argument specifies the path of the subdirectory to be listed relative to the directory that this file-system extension is handling. In this case it may be
ignored since no subdirectories are returned in the listing.

The capability of downloading the 'files' may be added as follows:

function read(path) {
if (files[path])
return { text: files[path] };
else
throw "No such file: " + path;
}

Here the path argument becomes important since it specifies which file is to be read. The object returned implicitly defines the type of the contents. Here the object has a
property named text. Any of the following may be returned:

Return value: Used when...

{ file: '/folder/file.dat' } the file being downloaded is at another location in the virtual file-system.
{ text: 'some text' } the content of the 'file' being downloaded is text.
{ base64: 'c29tZSB0ZXh0' } the content of the file is binary. It will be converted to binary before sending to the client.

Uploading may be implemented as follows:

function onWriteBegin(session, node, path) {

return { type: "text" };
}

function write(path, data) {

files[path] = data;
}

The method, onWriteBegin(), is called when uploading of the file commences. It instructs CompleteFTP on what to do with the incoming file. In this case we're expecting text
to be uploaded. The write() method is called when the upload has completed. Here we simply store it in the files object.

onWriteBegin() may also return a type of 'file' and 'base64'. If 'file' is returned then a second property, path, must also be returned, which defines the path in the
virtual file-system where the incoming file should be stored (e.g. { type: 'file', path: '/mydir/myfile.dat' }. In this case the content of the file is not buffered in
memory, but is streamed straight to disk so very large files can be handled. If a binary file is expected then 'base64' may be returned, in which case a base-64 encode string
is passed to the write() method.
 For File system extension example, please check here.

There are a number of other functions that may be implemented to add other capabilities such as file deletion and folder creation. The section below is the full list of interfaces.

Full details of JSS APIs

Full details are provided in the JSS API Reference

Folder listing
// Return a directory listing as an array of objects. The objects may have the following fields:
// name - string,
// isFolder - boolean,
// length - number (optional),
// modifiedTime - Date (optional),
// createdTime - Date (optional),
function getFileInfos(path, session, node)

File reading
// Read the file at the given path. Return one of the following:
// { file: 'path-of-file' },
// { text: 'text-content' } or
// { base64: 'base64-encoded-bytes' }
function read(path, session, node)

// Release any used resources at the end of a read operation (optional)

function onReadEnd(path, session, node)

File writing
// Instructs CompleteFTP what to do with the file that's being written. Return one of the following:
// { type: 'file', path: 'path-of-file' },
// { type: 'text' } or
// { type: 'base64' }
// If type is 'text' or 'base64' are returned then the content will be passed to the write function once
// the content has been streamed to the server.
function onWriteBegin(path, session, node)

// Called when a file has finished streaming to the server.

// If the onWriteBegin method specified the type as 'text' then the second argument, data, is the
// text and the third argument, length, is the number of characters. If the type is 'base64' then
// data is base64-encoded bytes and length is the number of bytes prior to encoding. If the type
// is 'file' then data is null and length is the size of the file.
function write(path, data, length, session, node)

File attributes
// Indicate whether or not the file-length is known (only used for HTTP requests)
function isFileLengthKnown(path, session, node)

// Return the file-length in bytes of the file at the given path. If this method is not provided
// then getFileInfos is called to get the file-length.
function getFileLength(path, session, node)

// Return the time when the file at the given path was last modified. If this method is not
// provided then getFileInfos is called to get the timestamp.
function getModifiedTime(path, session, node)

// Set the time that indicates when the file at the given path was last modified.
function setModifiedTime(path, session, node)

// Return a string that canonically defines the given virtual file-system path from the point of
// view of this adapter (e.g. a Windows adapter returns the Windows path)
function getAdapterFilePath(path, session, node)

Existence/deletion/creation
// Indicate whether or not a file exists. Return true or false.
function fileExists(path, session, node)

// Delete the file at the given path. No return value required.

function deleteFile(path, session, node)

// Indicate whether or not a file exists. Return true or false.

function directoryExists(path, session, node)

// Delete the directory at the given path. No return value required.

function deleteDirectory(path, session, node)

// Create a directory at the given path

function createDirectory(path, session, node)

Rename/move/copy
// Move/rename the file at fromPath to toPath. No return value required.
function moveFile(fromPath, toPath, session, fromNode, toNode)

// Copy the file at fromPath to toPath. No return value required.

function copyFile(fromPath, toPath, session, fromNode, toNode)

Inheritance
// Return the type of file-system adapter to inherit functionality from - "windows" or "default".
function getBaseType()

// Return the Windows path of the file/folder at the given virtual file-system path.
function getWindowsPath(path, session, node)
JSS CUSTOM COMMAND EXTENSIONS
User-defined commands can be implemented in Javascript - each command is implemented by a Javascript function. The commands may be accessed as SITE commands in
FTP/FTPS and as regular commands in SSH terminal. They may also be invoked via HTTP/HTTPS (if enabled as a web feature) using a URL of the format shown below and
the result is returned in JSON format.

http://hostname/CustomCommand/commandName?arg1=val1

The following function defines a command called 'Hello' which takes one argument:

function Hello(who)
{
return 'Hello ' + who;
}

All arguments are strings.

Commands added in this way are available to all users who have permission for the 'CustomCommandScript' extension. These permissions may be modified in the Permissions
tab of the Extensions panel.

.NET objects may be instantiated using the 'new' keyword followed by the fully qualified name, e.g.

function Hello(who)
{
var b = new System.Text.StringBuilder();
b.Append('Hello').Append(' ').Append(who);
return b.ToString();
}

Static methods and properties of .NET objects may be accessed using their fully qualified name, e.g.

function HostName()
{
return System.Environment.MachineName;
}

Creating a JSS custom command extension

To add JSS custom commands extension:

1. Open CompleteFTP Manager.

2. Select the Extensions panel then select the Extensions tab in sub menu.
3. Click 'Add extension'.

4. Select 'Javascript(JSS) extension'.

5. Select 'Custom Command'

6. Write your command

7. Select Permissions tab and grant permission for groups or users to use this extension.

8. Click the Apply Changes button.

9. Test your JSS Extension by using a FTP client
 JSS IP FILTER EXTENSIONS
Use this type of extension to implement any IP filtering scheme required. IP filtering is used to deny or allow access by specific IP addresses or ranges of IP addresses.
CompleteFTP offers two inbuilt filtering schemes, auto-banning and rule-based, so a custom IP filter extension need only be implemented if neither of these schemes satisfy
requirements. Examples of other types of IP filtering that could be implemented include:

IP filtering by country using a geo-location web-service.

IP filtering by blacklisted user-name.

Sample code for both of these are provided below.

Creating a JSS IP Filter Extension

General instructions on building CompleteFTP JSS extensions may be found here.

An IP filter extension must implement a single Javascript function with the signature:

function getFilterAction(ipAddress)

The ipAddress is a string containing the IP address. The function must return one of the following data-types:

A boolean where true means allow and false means deny.

A string whose value is allow, deny or allowAlways. The last value will cause auto-banning to be turned off for that IP address meaning that there's no limit to the
number of authentication failures allowed.
An object with two fields: action and reason. The value of the action field may be either of the two types above, and the value of the reason field is a text description of
why the connection was disallowed. This description will be logged.

Example: Filtering by country

There are many geo-location web-services available, even free ones like freegeoip.net. This web-service will return geo-location data for an IP address in response to a simple
HTTP GET request of the format, freegeoip.net/{format}/{IP_address}. If the format is set to JSON then a JSON object is returned that includes a field, country_code,
that is the two-letter code of the country in which the IP address is location. To filter by country, we just need to check this field. If we wish to only allow access from, say,
Australia then we just need to verify that the country_code is AU. This can be done by the following code:

function getFilterAction(ipAddress) {
var geoData = http.json("https://freegeoip.net/json/" + ipAddress);
return geoData.country_code == "AU";
}

The http.json function makes a HTTP request to a given URL, parses the (JSON) response and returns it as a Javascript object. Note that connections from localhost are
always allowed.

It's a good idea to provide a reason so that the logs show why a connection was denied. This may be done as follows:

function getFilterAction(ipAddress) {
var geoData = http.json("https://freegeoip.net/json/" + ipAddress);
if (geoData.country_code == "AU")
return true;
else
return {
action: "deny",
reason: "Outside Australia"
};
}

Note that, for the sake of performance, it would be a good idea to cache the geo-location data so that fewer requests would need to be made to the geo-location web-service.
Some sort of storage would be required for this, as is the case in the following example.

Example: Filtering by user-name blacklist

One of the attacks most commonly observed in logs is the password attack. This involves trying to log in using commonly used user-name/password combinations. Some of the
most common user-names are root, admin and Administrator, so it makes sense to automatically disallow any IP addresses from which login-attempts employing those
user-names have been made.

To implement this in JSS we need storage for our user-name blacklist and also for our list of IP addresses that have used the blacklisted user-names. An SQLite database is
an easy option as it's lightweight, stores data in a single file and the required driver is included with CompleteFTP. The database must have two tables:

UserNames where the blacklisted user-names will be stored.

IPAddresses where the IP addresses that have attempted to log in with those user-names will be stored.

An SQLite database stores its data in a single file, so we must specify the place where this file is stored. In the code below, it's assumed that a folder has been created at
 /Databases in the virtual file-system and that this folder maps to a suitable location in the Windows file-system.

Assuming that the IPAddresses table contains all the IP addresses from which clients have tried to authenticate using blacklisted user-names, the following IP filter extension
code will block connection attempts from those IP addresses:

function getFilterAction(ipAddress) {
if (isIPAddressDenied(db, ipAddress))
return {
action: "deny",
reason: "previously used blacklisted user-name"
};
else
return true;
}

function isIPAddressDenied(db, ipAddress) {

var dbFile = system.getFile("/Databases/blacklist.sqlite3");
if (!dbFile.exists())
return false;
else {
db = system.openDatabaseSync(dbFile.fullPath);
var found = false;
db.readTransaction(function(tx) {
var res = tx.executeSql("SELECT * FROM IPAddresses WHERE ipAddress = ?", [ipAddress]);
found = res.rows.length > 0;
});
return found;
}
}

The isIPAddressDenied function first checks to see if the database file exists if it doesn't then it returns false to indicate that the IP address is not banned. If the database
file does exist then it opens it and queries the IPAddresses table for the given IP address, and returns true if it finds it there.

Since IP filters don't have see the user-names associated with incoming connections, we need an authentication extension to check the user-name against the blacklist and
add the IP address of the client if the user-name is found there. The following code achieves this:

function loadUserInfo(userName, userInfo) {

console.log(userName);
var db = getDB();
if (isUserNameBlacklisted(db, userName))
addIPAddress(db, userInfo.remoteEndPoint.ip);
return null;
}

function isUserNameBlacklisted(db, userName) {

var found = false;
db.readTransaction(function(tx) {
var res = tx.executeSql("SELECT * FROM UserNames WHERE userName = ?", [userName]);
found = res.rows.length > 0;
});
console.log(found);
return found;
}

function addIPAddress(db, ipAddress) {

db.transaction(function(tx) {
tx.executeSql("INSERT INTO IPAddresses VALUES (?)", [ipAddress]);
});
}

function getDB() {
var dbFile = system.getFile("/Databases/blacklist.sqlite3");
var db;
if (!dbFile.exists()) {
db = system.openDatabaseSync(dbFile.fullPath);
db.transaction(function(tx) {
tx.executeSql("CREATE TABLE UserNames (userName TEXT)");
tx.executeSql("CREATE TABLE IPAddresses (ipAddress TEXT)");
});
} else
db = system.openDatabaseSync(dbFile.fullPath);
return db;
}

The loadUserInfo function is called when authentication of a user is required as described in the section on Simple JSS Authentication Extension. isUserNameBlacklisted
queries the database to see if the given user-name is in the blacklist. addIPAddress adds the given IP address to the list of banned IP addresses, which is the list that the
associated IP filter extension checks (above). The getDB function checks to see if the database has already been created. If it has then it opens it and returns an object that
can be used to access it. If it hasn't then it creates it and the required tables.

Adding user-names to the blacklist can be done with a SQLite editing tool such as DB Browser for SQLite, or a JSS web-app could be developed that provides a way to do this.
 JSS RPC REFERENCE
CompleteFTP makes it very easy to call JSS functions as Remote Procedure Calls (RPC). It does this by automatically generating client-side proxies for calling server-side
functions, meaning that adding a remotely invocable server-side function is as easy as adding a client-side function.

Which functions are available via RPC?

Functions declared in the global scope and those referenced by the publish function (without the serverOnly flag) are automatically made available via RPC when the URL
of the .jss file in which they're defined are referenced by allowed script tag in HTML. The Javascript code required to call them is automatically generated by CompleteFTP
(see here).

The following example illustrates some usages:

function globalFunction() {
}

(function () {
function publishedFunction() {
}

function serverOnlyFunction() {
}

function internalFunction() {
}

publish("publishedFunction", publishedFunction);
publish("serverOnlyFunction", serverOnlyFunction, { serverOnly: true });
}());

Both globalFunction() and publishedFunction() are available for RPC, the former because it's a global function and the latter because it's published using the publish
function. Neither internalFunction() and serverOnlyFunction() are not available via RPC, but serverOnlyFunction() may be called by any other .jss file that
includes it using the include function because it's published with the serverSide flag.

Calling via RPC

Two forms of RPC are supported: JSON-RPC and form-based RPC.

JSON-RPC

CompleteFTP uses JSON-RPC 2.0 for client-server communications. JSON-RPC is a minimalist JSON-based RPC protocol. For example, the call to the hello() function in the
Introduction to JSS is marshalled as

{"jsonrpc": "2.0", "method": "hello", "params": ["world"], "id": 1}

which returns the result in the following form:

{"jsonrpc": "2.0", "result": "Hello world from the server", "id": 1}

Errors are returned as:

{"jsonrpc": "2.0", "error": {"code": 0, "message": "An error occurred"}, "id": 1}

Form-based RPC

CompleteFTP also supports form-based RPC via standard HTTP GET and POST. If an element named method is included in the form then the Javascript function with that
name will be called. The arguments in the call will match the elements in the form - in the same order. Thus the hello() function in the Introduction to JSS may be called by
HTTP-POST using the following HTML:

<html>
<body>
<form method=post>
<input type=hidden name=method value=hello>
<input type=text name=firstName>
<input type=submit>
</form>
</body>
</html>

Alternatively it may be invoked by HTTP-GET via the following URL:

http://hostname/directory/script.jss?method=hello&firstName=world

In both these cases the result is returned in the JSON-RPC format, i.e.
{"jsonrpc": "2.0", "result": "Hello world from the server", "id": 1}
MONITORING
The Monitoring panel in the CompleteFTP manager displays real-time logging; details about the currently connected users; the IP addresses that have been auto-banned;
server log files; and performance statistics (in Professional and Enterprise Editions only).

Real-time logging

Recent logging message from the server are shown in the real-time logging panel.

Connections

In the client connections tab the current connections to the server are shown. The Kill selected connection option can be used to immediately disconnect a user from the
server. The admin user cannot be killed.

Auto-bans
In the auto-banned IP addresses tab, all currently auto-banned IP addresses are shown. Selecting an IP address and clicking Remove selected ban(s) will unban an IP
address. Choosing Permanently ban select IP address(es) will add a permanent filter banning the selected IP addresses. In the Professional and Enterprise Editions, auto-
banning can be configured as shown below and as described here.

Performance
(Professional and Enterprise Editions only) A variety of real-time statistics can be charted, such as the number of connections, the number of file uploads and downloads, and
the bytes uploaded and downloaded. These can be charted cumulatively and for each protocol.
REAL-TIME LOGGING
The Real-time Logging panel shows server logging messages in real-time. This is particularly useful when testing a new configuration or trouble-shooting a problem. The panel
is available in three places in CompleteFTP Manager:

1. As a standalone window that can be opened via the menu that's shown when the button in the bottom-left of the CompleteFTP Manager window is clicked.
2. As a dockable panel in the Overview tab.
3. As a tab in the Monitoring tab.

This description applies to all three instances as their behaviour is nearly identical.

Once the Show link is clicked, the Real-time Logging panel is ready to start reporting activity taking place on the server.

Server messages will keep scrolling down the page until Pause is pressed.

The amount of detail shown in the server messages panel is controlled via the dropdown list labelled Level. Available levels are Error, Warning and Information. A higher level
of detail called Debug becomes available when the server's logging level itself is set to Debug, which may be done in the Log Files panel.

Messages may be orderd by clicking on a column-heading. They may also be filtered by Category, Session or User by clicking either on the Filter link or on the small filter icon
at the top right of these columns. When this is done a list of checkboxes shows up - one for each displayed value of the selected coloumn. If no checkboxes are checked then
no filtering will be done on that column. If one or more checkboxes are checked then only rows that have those values will be displayed.

The panel may be cleared at any time by clicking Clear. If one or more rows are selected then the Copy to clipboard link will be enabled. Clicking this will copy all of the
selected rows to the clipboard.
HOW TO VIEW THE SERVER LOG FILES
CompleteFTP has a sophisticated logging system based on log4net.

Logs are extremely useful for diagnosing problems or simply for monitoring what is happening on the server. Logs can be viewed remotely via the CompleteFTP manager. The
CompleteFTP manager also produces its own log file.

The Log Files tab in the Monitoring panel displays the server's log files. A log file may be viewed by selecting it in the top window that displays the logs.

The Diagnostics.log contains all available logging (depending on the level set). The Errors.log contains the last few hundred lines of logging after an error has been logged - it
does not contain the full log file.

As the log files are downloaded to the manager (as the manager may be running on a different machine), it is necessary to select the Refresh option on the right hand side of
the view of the log file to see the latest logging information if some time has passed after initially viewing the file.

The logging level can be set in this window. By default, it is set to "Information". If problems occur, this should be set to "Debug" or "All" to obtain more details on what is going
on in the server.

It is important to realise that setting the logging level to "Debug" or "All" can result in a large amount of logging, and can also have a significant impact on performance. These
levels should only be used to diagnose problems, and the level should then be set back to "Information".

Note that the Save to local disk option directly above the panel displaying the log file contents can be used to save a copy of the selected log file to disk.
HOW TO VIEW THE MANAGER LOG FILES
The CompleteFTP manager also produces a log file, which may be useful to diagnose any connectivity problems or other issues.

The normal location of the manager's log file is C:\Users\username\AppData\Local\EnterpriseDT\Complete FTP\Logs where username is the name of the user account that is
running the manager. Of course this log file is stored on the machine which is running the manager - which is not necessarily the machine running the CompleteFTP service.
HOW TO CHANGE THE LOG FILE LOCATION
The log file locations can be changed via the following steps. The CompleteFTP manager should still be able to view the log files after changing the location.

1. Open CompleteFTPService.exe.config, which is in the install directory. This may require administrative privileges. This is basically a log4net configuration file, and you can
change the location of log files there.

2. Make a copy before modifying it!

3. Modify

%folder{CommonApplicationData}\\Enterprise Distributed Technologies\\Complete FTP\\logs\\Diagnostics.log

and similar paths to set your desired location, e.g.

D:\\CompleteFTP\\logs\\Diagnostics.log

4. Restart the CompleteFTP service to reread the configuration file.

CompleteFTP should now be logging to your new log files.

HOW TO ENABLE AUDITING
CompleteFTP supports the use of an audit log. The audit log records all important file transfer operations as well as login/logout.

To enable the audit log, go to the Log Files tab found on the Monitoring tab in the manager, and select the "Configure Auditing" link. Select the "Auditing on" radio button.

Once enabled, CompleteFTP will record every operation in an auditing log file. Log files are 'rolled' by day such that each file contains all the operations for a given day. The
file 'Audit.log' contains today's operations. Older files are named using the convention 'Audit.log.YYYYMMDD'. The number of days stored may be changed in this panel (or
select "Keep forever" to keep all log files).
HOW TO MODIFY THE LOGGING CONFIGURATION
CompleteFTP's sophisticated logging system is based on log4net. log4net is highly configurable. If modifications are to be made to the log4net configuration then the full
log4net configuration should be placed into a file called LogConfig.xml, which should be placed in the directory, C:\ProgramData\Enterprise Distributed
Technologies\Complete FTP\Logs. This will prevent changes from being overwritten when CompleteFTP is upgraded. The default log4net configuration may be found in
C:\Program Files (x86)\Complete FTP\Server\CompleteFTPService.exe.config. The XML node, <log4net>, and all of its sub-nodes, should be copied into the
LogConfig.xml file and used as a basis for a new configuration.

How to log to syslog

It is sometimes a requirement to direct logging output to syslog. This is normally a daemon that listens on UDP port 514. This can be done via the following steps.

1. Create the LogConfig.xml file as described above

2. Add a new appender section:

<appender name="Syslog" type="log4net.Appender.RemoteSyslogAppender">

<param name="RemoteAddress" value="127.0.0.2" />
<layout type="log4net.Layout.PatternLayout" value="%-5p %type: %m%n"/>
</appender>

and add an appender reference to the list of existing appenders:

<root>
<level value="ALL" />
<appender-ref ref="Recent Logging Messages" />
<appender-ref ref="Recent Error Messages" />
<appender-ref ref="Syslog" />
<appender-ref ref="Audit" />
<appender-ref ref="Config" />
</root>

3. Restart the CompleteFTP service to reread the configuration file.

CompleteFTP should now be logging to syslog.

HOW TO PRODUCE CLEAN LOG FILES
The best way to troubleshoot problems is to send a 'clean debug log' to support. This is a log file that contains, as far as possible, only information related to the problem at
hand. Note that from version 8.0, the server diagnostics file is preferred, as it contains the configuration file as well as logging.

The summary steps for producing a 'clean debug log' are as follows:

1. Set the logging level to Debug (or All, for even more detail)
2. Stop the CompleteFTP service
3. Delete the existing log file
4. Start the CompleteFTP service again
5. Reproduce the error
6. Send support the (zipped) log file

This, of course, assumes that the service can be stopped without impacting users. If the service cannot be stopped, perform steps 1, 5 and 6 only.

The detailed steps:

1. Set the logging level to Debug:

a. Open CompleteFTP Manager and connect.

b. Select the Monitoring tab and then select Log Files.
c. Set the Logging level to 'Debug' and click 'Apply Changes'.
d. Close CompleteFTP Manager.

2. Stop the CompleteFTP service:

a. Open the Services item in the Windows Control Panel.

b. Select CompleteFTP and hit the stop button.

3. Delete the existing log file:

a. Select 'Log Files' from the CompleteFTP menu group in the Windows start menu.
b. Find 'Diagnostics.log' and delete (or rename) it.

4. Start the CompleteFTP service again:

a. Open the Services item in the Windows Control Panel.

b. Select CompleteFTP and hit the start button.

5. Reproduce the error:

a. Do whatever it was that caused the error. E.g. connecting with an SFTP client and getting an error.

6. Send the (zipped) log file to EDT support:

a. Select 'Log Files' from the CompleteFTP start menu (in Windows).
b. Zip up the Diagnostics.log file and e-mail it to support
HOW TO GET DIAGNOSTICS FOR SUPPORT
To solve technical issues, diagnostic log files that illustrate the issue should be zipped up and sent to support. Please note that a current support agreement is required for
technical support. If your support agreement has expired, please contact us to obtain a renewal quote.

There are three different scenarios listed below. Please send us the files listed for your scenario.

1. Server issues. These are the most common issues, and require a debug level server log file. See here. If you are having difficulties with a client connecting, please also
obtain a client log file at the highest possible debug level.

2. Manager issues. This is for when difficulties are experienced getting the CompleteFTP manager to connect to the server.

In the connect dialog box, choose "Other settings ..." and set the logging level to "Full diagnostic". Then try connecting to the server.
The log file should appear here:
C:\Users\\AppData\Local\EnterpriseDT\Complete FTP\Logs\Diagnostic.log
It may also be helpful to provide a server log file.

3. Installation and migration issues. This is when difficulties are experienced installing or migrating CompleteFTP from one machine to another.

Please send us C:\Program Files (x86)\Complete FTP\install.log and C:\Program Files (x86)\Complete FTP\Server\bootstrapper.log.
PERFORMANCE
We are often asked how well CompleteFTP will perform with x users. The short answer is, it depends.

Client applications vary enormously in what they do. Some applications are batch jobs that transfer a single file once per day, while others are transferring every minute. Some
applications transfer tiny files, while others transfer large files that can take many minutes, or even hours. The primary constraint on performance will be how many
simultaneous transfers are being made at any given time.

CompleteFTP has a low memory footprint so memory should rarely be an issue. For simultaneous transfers, the limiting factors are going to be CPU and bandwidth. CPU is
particularly important for encrypted transfers (i.e. SFTP, FTPS and SCP), as encryption is computationally expensive. If CompleteFTP is being run in a VM, we recommend
allocating at least 2 vCPUs to the VM. If many clients are transferring simultaneously, obviously bandwidth is also going to limit transfer speeds.

If performance is mission critical, it is advisable to simulate the production scenario to ensure that CPU and bandwidth is adequate. It is quite easy to do a basic simulation of
many clients - run multiple instances of a test client that continually transfers files back and forth. You may wish to run a few instances on different machines. That should
provide a reasonable idea of how well the system is going to perform.
ADMINISTRATOR ACCESS
CompleteFTP offers a suite of options for administration/configuration:

CompleteFTP Manager - Windows application offering full control over the server configuration [All editions].
CompleteFTP WebAdmin - mobile-friendly (responsive) web-app useful for user management and monitoring [Professional Edition or better].
Command-Line Interface (CLI) - automation of configuration tasks [Enterprise Edition only].
Configuration Object Model - object model exposing (almost) all aspects of the server configuration accessible through Javascript (JSS) [Enterprise Edition only].

CompleteFTP Manager
The CompleteFTP Manager Windows application provides the most flexibility, and this guide is primarily concerned with describing its capabilities. The manager connects to
the administrator site hosted on the server, and the administrator site settings can be changed as described at this link.

CompleteFTP Manager:

CompleteFTP WebAdmin
The CompleteFTP WebAdmin web-app is aimed at day-to-day operational tasks such as user and file-system management and server health monitoring. Since it's responsive,
it may be used on both desktop computers and mobiles as shown below.

CompleteFTP WebAdmin on the desktop:

CompleteFTP WebAdmin on a mobile:

COMPLETEFTP ADMIN WEB-APP
Professional and Enterprise Editions include the CompleteFTP Admin Web-App for day-to-day administration tasks including user management, folder management and server
monitoring.

The Admin Web-App is not suitable for initial set-up and major reconfiguration of CompleteFTP since it doesn't support site-wide operations such as enabling/disabling
protocols, adding advanced authentication methods and configuring events. Those operations should be done using CompleteFTP Manager.

By default, the web-app is available via HTTPS on port 14,985, so if you're browsing this page from a CompleteFTP server and the admin site is accessible from your browser
(by default it's restricted to clients on the server's LAN) then you can access it here. You can use the same credentials as those required for CompleteFTP Manager.
HOW TO CHANGE THE ADMINISTRATOR SITE SETTINGS
The Admin panel (shown below) displays the settings for the Administrator site in the Standard Edition and Professional Edition. The administrator user name can be set in this
panel, and the administrator password can also be changed.

More detailed administrator settings can be modified by selecting Show advanced administrator connection settings. These settings apply only to the Admin site and are
described in the Site/Sites section. For example, the protocol used to connect to the Admin site can be change.

In the Enterprise Edition, the Admin site is displayed in Sites by selecting 'Show system users/folders/sites' in the main form's Options menu (shown below).

The Admin site is used to administer the server instance. The adminstrator connects to the Admin site via the Complete FTP Manager. By default the Admin site listens on port
14982 for FTP/FTPS, and port 14983 for SSH/SFTP. From version 6.1, the default protocol is set to SFTP, as it is a more secure protocol than FTP.

Note that the SSH Terminal option must be enabled for the Admin site if SSH access is required for command-line administration as described at this link.
HOW TO MANAGE THE SERVER REMOTELY
The production installer allows the CompleteFTP manager application to be installed separately on any machine, and no license is required. The only requirement is that the
server is reachable from the manager machine.

Once installed, the hostname of the server must be supplied (instead of the default localhost). The default port is 14983, and SFTP is used for the communication protocol. An
example is shown below:

There are two configuration changes you may need to make:

1. If the manager machine is outside the local network, you may need to add firewall rules that permit it to connect to the server via SFTP on port 14983.
2. By default the "Admin" site on the server only permits connections from localhost. This is for security reasons. You will need to set an IP filtering rule for the "Admin" site that
allows external IP addresses to connect to CompleteFTP. See here for how to change the Admin site settings.
HOW TO ADD EXTRA ADMINISTRATOR USERS
(REQUIRES ENTERPRISE EDITION)

Often, users want to add extra CompleteFTP administrators, so that they have several accounts with administrator access. This is only possible in the Enterprise Edition.

It is very straightforward to add local admin users, i.e. CompleteFTP users that have administrator privileges. Use the Add user link in the Users tab of the CompleteFTP
manager, and select the Admin User menu item.

If you want an existing Windows user to be set as an administrator, it is more complicated. The steps are shown below:

1. Add the Windows user to CompleteFTP

2. Set the home directory of the user on the Admin site to /Admin (see note below)
3. Add the user to the admins group

By default, the Admin site is not shown the dialog that allows you to set the home directory of a user. You'll need to select "Show system users/folders/sites" in the Options
menu at the bottom left of the window in order to make it appear there.
HOW TO DO COMMAND-LINE ADMINISTRATION
(REQUIRES ENTERPRISE EDITION)

In the Enterprise Edition, some administration tasks can be performed using the SSH command-line. The Admin site by default listens on port 14983 for SSH/SFTP. Note that
the SSH Terminal option for the Admin site must be enabled for SSH clients to connect (note that Admin site is displayed in Sites panel by selecting "Show system
users/folders/sites" in the Options menu at the bottom left of the window).

Any command-line SSH client can connect to this port (14983) using the admin user's credentials and use the available commands. On Windows, PuTTY is a good free option
for an SSH client. On Unix systems, command-line SSH clients are usually freely available and installed by default.

Once the terminal window is shown after connecting, type 'help' to see what commands are currently available. Type 'help command' to find out more about each command.

There are commands for adding and deleting users, adding and removing folders, controlling permissions, and for encrypting and decrypting files on the server, all detailed
here.

Multiple commands can also be placed into a script and run on the server as described here.

An example of using PuTTY to access the Admin site is shown below:

ADMINISTRATION WITH UNIX-LIKE SCRIPTS
(REQUIRES ENTERPRISE EDITION)

In the Enterprise Edition, administrative commands can be scripted, i.e. they can be saved to a file and the contents of the file can be executed as a script on the administrative
site. For example, this could be used to add many users at once. This would be difficult to do using the CompleteFTP manager, and still tedious via the command-line. Instead,
the script could be generated and then executed in one command.
Like command-line administration, scripts must be run with an SSH client that can run scripts remotely. On Windows, a popular free tool is plink, part of the PuTTY suite of free
SSH tools.
The example below shows how to run a script on the Admin site using plink. Note that the port number of the Admin site (default 14983) must be specified via the -P option:

plink.exe -P 14983 admin@localhost -m adminscript.txt

For example, the contents of a script that adds three users, and then adds a Windows folder mounted as "/downloads" to the virtual file system that belongs to user5 is shown
below:

useradd -c "user 1" -n user1 -r password test1

useradd -c "user 2" -n user2 -r password test2
useradd -c "user 3" -n user3 -r password test3
folderadd -t windows -v /downloads -p d:\\downloads -u test1 -g users

When this script is run using plink, the password is prompted for, and the script is run on the Admin site of the server, as shown below. The scriptfile in this example is
adminscript.txt:
ADMINISTRATION WITH JSS SCRIPTS
(REQUIRES ENTERPRISE EDITION)

CompleteFTP's configuration can be modified using Javascript (i.e. JSS) . All administration-related tasks involve the Config object returned by the system.getConfig()
function.

There are several ways to execute such scripts:

1. Interactively in the SSH terminal

2. JSS script files piped to CompleteFTP via SSH
3. JSS custom commands executed via SSH
4. JSS web apps used interactively through a browser

These will be detailed below.

1. Interactively entering JSS configuration commands

1. Make sure that SSH terminal is enabled for the Admin site
2. Make sure that SSH terminal is enabled for the admin user
3. Select JSS for the SSH terminal shell setting for the admin user (under the Scripting and Shells category)
4. Install an SSH client such as OpenSSH (e.g. in the Windows Subsystem for Linux) or plink
5. Connect to port 14983 as the admin user. If a public key-pair has been set up for the admin user then no password will be required, otherwise you will be prompted for the
password.
6. Enter the JSS statements on line at a time.
For example, the following adds a user via OpenSSH run on Windows Subsystem for Linux using a public key for authentication:

john@Warp:~/tmp$ ssh admin@localhost -p 14983

admin@myserver:/Admin> var userName = "testuser";
admin@myserver:/Admin> var password = "password";
admin@myserver:/Admin> var homePath = "C:\\Temp";
admin@myserver:/Admin> var config = system.getConfig();
IMPORTANT! Changes to the config will not be saved until applyChanges() is called.
admin@myserver:/Admin> var newFolder = config.folders.add("/Home/" + userName, "windows", homePath);
admin@myserver:/Admin> var newUser = config.users.add();
admin@myserver:/Admin> newUser.userName = userName;
admin@myserver:/Admin> newUser.password = password;
admin@myserver:/Admin> newUser.siteMapping[0].homeFolder = newFolder.fullPath;
admin@myserver:/Admin> config.applyChanges();

2. Executing JSS script files via SSH

After repeating steps 1 to 4 from section:

1. Create a text file called adduser.jss containing the required JSS script
For example, the following script adds a user:

var userName = "testuser";

var password = "password";
var homePath = "C:\\Temp";
var config = system.getConfig();
IMPORTANT! Changes to the config will not be saved until applyChanges() is called.
var newFolder = config.folders.add("/Home/" + userName, "windows", homePath);
var newUser = config.users.add();
newUser.userName = userName;
newUser.password = password;
newUser.siteMapping[0].homeFolder = newFolder.fullPath;
config.applyChanges();

Note that all the constructs of EC3-level Javascript may be used.

2. Execute the script as follows:

john@Warp:~/tmp$ ssh admin@localhost -p 14983 < adduser.jss

3. Creating JSS custom commands for administration

1. Open CompleteFTP Manager

2. Select the Extensions panel
3. Click Add extension → JSS (Javascript) extension → Custom commands
4. Enter a Javascript function that performs the administrive task.
For example, the following function adds a user with a given user-name, password, and Windows home directory:

function CustomAddUser(userName, password, homePath) {

// get configuration
var config = system.getConfig();

// create the home folder

var newFolder = config.folders.add("/Home/" + userName, "windows", homePath);

// create a new user

var newUser = config.users.add();
newUser.userName = userName;
newUser.password = password;
newUser.siteMapping[0].homeFolder = newFolder.fullPath;

// apply the changes

config.applyChanges();
}

5. Install an SSH client (it's not necessary to set JSS as the SSH terminal shell)
6. Execute the custom commands as follows:

john@Warp:~/tmp$ ssh admin@localhost -p 14983 "CustomAddUser testuser password C:\\Temp"

4. Developing custom administration web-apps (Adminlets)

For information on developing 'adminlets', please refer to the EnterpriseDT repository on GitHub.
ADMINISTRATOR COMMAND-LINE
Folder commands
Command Description Usage
chgrp Change the group of a folder chgrp group virtualpath
in the virtual filesystem e.g. chgrp mygroup /test
chmod [u|g|o][+|=|-]permissions[,]... virtualpath (permissions in Unix format,
either octal or synmbolic using r (read), w (write) and x (execute)
e.g. chmod u=rwx,g=rx,o=r /test
Change the permissions of
a folder in the virtual The operator + causes the selected mode to be added to the existing file
chmod
filesystem. Uses Unix-style mode; - removes the selected mode; and = causes them to be assigned
permissions. and all other modes removed.
'u' designates owner permissions, 'g' represents group permissions, and
'o' represents the rest of the world's permissions.
chmodx [u|g|o][+|=|-]extendedpermission[,]... virtualpath (permissions must
be one of those listed below
e.g. chmodx u+DirList /test)
The operator + causes the selected mode to be added to the existing file
mode; - removes the selected mode; and = causes them to be assigned
and all other modes removed.
'u' designates owner permissions, 'g' represents group permissions, and
'o' represents the rest of the world's permissions.

Permission Description
None No permissions
FileRead File reading permission
FileWrite File writing permission
FileDelete File delete permission
Change the extended
permissions of a folder in FileAppend File appending permission
chmodx
the virtual filesystem. Uses FileRename File rename permission
CompleteFTP permissions. FileExecute File execute permission
DirList Directory list permission
DirChange Change into directory permission
DirCreate Create a subdirectory permission
DirRename Rename directory permission
DirDelete Delete directory permission
IgnoreFilters Ignore file filters for this directory
AllRead All read permissions
AllWrite All write permissions
AllExecute All execute permissions
ReadOnly Read only permissions
All All available permissions

Change the owner of a

chown username virtualpath
chown folder in the virtual
e.g. chown myuser /test
filesystem
folderadd -t virtual|windows|networkmacro -v virtualpath [-p path] [-u
username] [-g groupname] [-c]
e.g. folderadd -t windows -v /test/temp -p d:\\temp -c (to create a
virtual Windows folder pointing to d:\temp)

-t
Create a new folder in the virtual|windows|networkmacro the type of folder to create
virtual filesystem. For -v virtualpath the virtual path of the new folder
folderadd Windows virtual folders, the
Windows folder specified -p path the Windows path of the new folder (for
will be created if it does not Windows and network folders)
exist. the name of the user owning the new
-u username
folder (optional)
the name of the group owning the new
-g groupname folder (optional)
create the corresponding Windows folder
-c for type "windows" if it does not exist
(optional)
encrypt [-h] -s sourcefile -d destination
encrypt Encrypt a file in the virtual
filesystem. e.g. encrypt -s /home/myuser/test_plain.txt -d
/home/myuser/test_encrypted.txt
Decrypt a file in the virtual decrypt [-h] -s sourcefile -d destination
decrypt filesystem that has e.g. decrypt -s /home/myuser/test_encrypted.txt -d
previously been encrypted. /home/myuser/test_plain.txt
Delete an existing folder in
folderdel the virtual filesystem folderdel -v virtualpath
foldermod -v virtualpath -p pathtochangeto
Modify an existing Windows
foldermod folder in the virtual e.g. foldermod -v /test/temp -p d:\\downloads (to modify /test/temp to
filesystem point to d:\\downloads). Note that foldermod can only be used for
Windows folders.
User commands
Command Description Usage
useradd [-h] [-i] [-c comment] [-d Windows_home_dir] [-n fullname] (-p
hashedpassword|-r rawpassword) [-k publickeystring] username

-h show help text

-i ignore error if user already exists
-c comment descriptive comment for user (optional)
-n fullname full name of user (optional)
-d
Add a new non-Windows Windows_home_dir Windows home directory of user (optional)
user. Optionally, the MD5 hashed password for user (MD5 or SHA1, not
hash of the password can -p hashedpassword recommended)
useradd be set rather than using the
raw password (which will be -r rawpassword supplying raw password of user which is
converted to a hash). recommended
-k publickeystring the user's public key as a base64 encoded string
username the username of the user to be created

e.g. useradd -c "Test user" -n "Tester" -r test1234 test

e.g. useradd -c "Test user" -n "Tester" -r test1234 -d d:\\temp test (sets
d:\temp as test's home directory)
e.g. useradd -r test1234 -k AAAAB3NzaC....7gKtM= test

usermod [-h] [-c comment] [-d home_dir] [-e true|false] [-n fullname] [-k
publickeystring] [-p hashedpassword|-r rawpassword] [-t tcpipprotocols]
username

-h show help text

-c comment descriptive comment for user (optional)
-d
new Windows home directory of user (optional)
Windows_home_dir
-e true|false enable (true) or disable user (false)
-n fullname full name of user (optional)
-k publickeystringthe user's public key as a base64 encoded string
hashed password for user (MD5 or SHA1, not
-p hashedpassword
recommended)
supplying raw password of user which is
-r rawpassword recommended
usermod Modify an existing user.
where tcpipprotocols is a string listing protocols to
be set, added to or removed from the user and in
the format: =protocol1,protocol2,...|-
-t tcpipprotocols protocol1,protocol2,...|+protocol1,protocol2,...

Protocols available are:

ftp,ftps,sftp,scp,ssh,sshforwarding,http,https
username the username of the user to be modified

e.g. usermod -t =ftp,ftps,sftp,scp username (to set these protocols for

this user)
e.g. usermod -t +ssh,sshforwarding username (to add these protocols for
this user)
e.g. usermod -d d:\\temp username (to set d:\\temp as /Home/username)
e.g. usermod -e false username (to disable this user)

Delete a user. This cannot

userdel be undone! userdel username

Site commands
Command Description Usage
Start all sites (other than the
start admin site, which is required start
to be running to access this
command)
Stop all sites (other than the
admin site, which is required
stop to be running to access this stop
command). Use with caution,
as calling it will stop all public
sites.

General commands
Command Description Usage
Display help text for help commmand
help commands e.g. help useradd
End current administrator
logout logout
session
End current administrator
quit session quit

version Returns the current server version

version
SECURITY OVERVIEW
Security is a never-ending battle when it comes to servers - there is always the threat of a malicious attacker gaining access to your systems and causing damage.

Fortunately, there are a number of steps that can be taken as detailed in how to secure your server that will minimize the possibility of your CompleteFTP server being
compromised.

The most important of these is to keep your software up to date with the latest patches (both CompleteFTP and Windows), and to actively monitor your system for signs of
intruders.
HOW TO DISABLE SSL 3.0
The world-wide standard for securing TCP connections began as the Secure Sockets Layer, or SSL. SSL 3.0 was succeeded by Transport Layer Security (TLS) in 1999, and
together they are often known as SSL/TLS. Servers have generally kept SSL 3.0 available as an option so that older secure clients can connect to them without supporting
TLS, but vulnerabilities such as POODLE mean that SSL 3.0 support is a security risk that should be avoided.

SSL 3.0 support is disabled by default from version 8.1.3 of CompleteFTP, so upgrading to 8.1.3 is highly recommended. SSL 3.0 can still be enabled if required, but it is not
recommended unless HTTPS is not being used (i.e. HTTPS is disabled and only FTPS is being used). POODLE is not easy to exploit via FTPS, and so the risk is not high if
HTTPS is not enabled.
LICENSING OVERVIEW
The Licensing panel displays licensing details for the CompleteFTP server installation that the manager is currently connected to. This panel is slightly different depend on
what kind of license is applying.

Trial license

In trial mode, you are offered a fully-operational trial version of CompleteFTP. The trial period expires after 31 days and you can view how many days you have left in the trial
via the Licensing panel.

The Edition displays the product edition that's installed (Free, Standard, Professional or Enterprise Edition). Some features are only available in higher editions. Click the
'compare editions' link to see a comparison.

The View prices/purchase license link opens the CompleteFTP Pricing page on the enterprisedt.com website. Licenses may be purchased from there either online or by
purchase order. Online orders are processed instantly, allowing you to activate your server within a minute or two.

Once a license has been purchased, you must use it to activate CompleteFTP via the Apply purchased license link. See here for more details on how to activate the paid
editions.

During trial period, you can easily switch between editions. In case you switch to the lowest one, i.e. Free Edition, the Licensing panel will be given a different name, i.e.
'Activation'.
Free Edition can be activated free of charge for permanent use via the 'activate for free' link. See here for more details on how to activate the Free Edition.

Paid license

Once you have activated a paid license, the Licensing displays your purchased license's details including the purchased edition and the purchase reference.

The paid license never expires but you may want to activate a new license over the top of your existing license via the Apply new license link. This is useful when upgrading
from a lower edition to a higher edition.

If you need to move/migrate this installation of CompleteFTP to another machine then you must first release the activation on the existing machine by clicking the Release
activation link and following the instructions. Once you done this you will be able to activate CompleteFTP on the new machine using the same license.

Your initial purchase of CompleteFTP included a 12 month support agreement, which provided you with updates and access to support by experienced engineers. If you'd like
to maintain this support agreement then you may like to purchase an extension via the Extend/renew support agreement link.

Free license

Once you have activated the Free Edition, the Activation panel displays your free license's details.

If you find that the Free Edition that you previously activated doesn't have all the features that you need then you may want to upgrade to a higher edition. Click the Upgrade to
higher edition link to purchase a paid edition. As soon as a license is purchased, use the Apply new license link to activate your purchased license.

Technical support is not included in the Free license, but you can purchase a support package separately via the Purchase support agreement link.
HOW TO RESOLVE RESTRICTED MODE
If CompleteFTP detects an invalid or missing license, it goes into restricted mode. In this mode it only permits local connections (i.e. connections originating from the same
machine it is installed on).

This problem is generally because of a migration to a new machine. It is also possible if CompleteFTP is running in a virtual machine that the machine's ID has been changed.
In both these scenarios the machine ID encoded in the license does not match that of the new machine.

The resolution is to activate the installation. This necessarily uses up one of your purchased licenses. If you are moving your CompleteFTP installation, you can contact
support to request an additional license be allocated.
HOW TO AUTOMATICALLY IMPORT A LICENSE
Sometimes it can be extremely useful to be able to automatically import an activation key into a CompleteFTP configuration file (config.sdf).

For example, this may be required in a failover scenario. If CompleteFTP is set up on a primary machine, and a secondary machine maintains a backup, administrators may
choose to regularly copy config.sdf across to the failover machine.

However the primary machine's config.sdf file will contain the activation key for the primary machine. The activation key for the failover machine must be inserted in config.sdf
for CompleteFTP to operate with this configuration file on the failover machine.

This is easily accomplised by entering the activation key via Enter Activation Key in the Licensing panel. However this is a manual process, and it may be desirable for the
process to be automated.

Updating the activation key automatically can be accomplised with the license utility that can be found in the Server directory of the installation (typically C:\Program
Files\Complete FTP\Server). This utility permits importing or exporting of the activation key to or from config.sdf:

license -c config.sdf [-i infile|-e outfile|-d] [-h]

-c config.sdf : CompleteFTP configuration file
-i infile : file to import activation key from
-e outfile : file to dump activation key to
-d : delete the activation key from the database
-h : show this help

For example, to import an activation key saved in a text file:

license -c C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\config.sdf -i license.txt

Note that this tool will not work with CompleteFTP clustered servers (as replicating the configuration is the task of the cluster). The Enterprise Edition is required for cluster
support. You can contact us to upgrade to the Enterprise Edition from the Standard or Professional Editions if you wish to access this functionality.
SUPPORT
The Enterprise Distributed Technologies website offers a rich question & answer board for discussion of the CompleteFTP server. It is fully searchable and contains advice
and answers to many issues that administrators have faced when using the server.

The Frequently Asked Questions should also be consulted before contacting support.
HOW TO CONTACT SUPPORT
Customers and those trialing a product may open a support ticket. Before doing so, please check our support page, as your question may be answered there.

When contacting support with a problem, always include the following:

your purchase reference

a detailed explanation of the issue. If your description is vague, we'll have to reply to ask for more details, and that means resolving the issue will take longer.
the relevant diagnostics files
any relevant information or logging from a client application if it is having problems connecting. Ensure the maximum log level is being used.
the version of CompleteFTP you are using, if that is not shown in the log file

Please include as much information as possible; it will save you the time that it takes us to ask for it.

Please check your spam folders for our replies if you haven't seen a reply from us within 24 hours.
FREQUENTLY ASKED QUESTIONS
Frequently Asked Questions are an excellent source that should always be consulted prior to contacting support
COMPLETEBOX REVISION HISTORY
Version Description

Version 1.2.0.0 Major new feature - support for password-protected sharing.

Numerous minor bug fixes.
(31 March, 2018)
Version 1.1.6.0 Fix errors after sleep/resume.
(1 November, 2018)
Version 1.1.5.0 Added support for encrypted file shares (requires CompleteFTP 11.0).
(6 February, 2018)
Version 1.1.4.0 Minor bug fix that meant after some time CompleteBox was unresponsive.
(17 July 2017)
Version 1.1.3.0 Minor GUI fixes. Now highlights file just uploaded.
(14 April 2017)
Version 1.1.2.0 Fix issue where an attempt to share a file that is locked for reading was retrying repeatedly.
(18 March 2016)
Fix auto copy to clipboard.
Version 1.1.1.0 Fix failure to refresh file-list when changing user.
(20 July 2015) Fix "server copy changed" bug when server time out of synch with client.

Made localizable.
Version 1.1.0.0 Fixed documentation links.
(7 July 2014) Minor bug fixes.

Version 1.0.0.3 Fixed Reshare bug. If resharing after an idle period, the interface would be locked and displaying a message about retrying to
connect to server.
(27 December 2013)
Version 1.0.0.2 Fix CompleteBox right-button click from Windows Explorer stopped working bug.
(12 December 2013)
Version 1.0.0.1 First release of file-sharing client CompleteBox, designed to work with CompleteFTP server.
(2 December 2013)
PROTOCOL OVERVIEW
FTP (File Transfer Protocol) is a long established Internet standard designed to transfer files (and information about files) across computer networks.

FTP is defined in the standards document known as RFC959.

FTP requires a client program (an FTP client) and a server program (an FTP server). The client can fetch files and file details from the server, and also upload files to the
server. The server is generally password protected.

FTP commands are initiated by the client, which opens a TCP connection called the control connection to the server. This control connection is used for the entire duration of
a session between the client and server. A session typically begins when the client logs in, and ends when the quit command is sent to the server. The control connection is
used exclusively for sending FTP commands and reading server replies - it is never used to transfer files.

Transient TCP connections called data connections are set up whenever data (normally a file's contents or file listings) is to be transferred. For example, the client issues a
command to retrieve a file from the server via the control channel. A data connection is then established, and the file's contents transferred to the client across it. Once the
transfer is complete, the data connection is closed. Meanwhile, the control connection is maintained.

See also:

Active and Passive Modes

FTP Commands

Sample Scenarios

Data Types

Session Commands

File Commands

Directory Commands
ACTIVE AND PASSIVE MODES

Data connections may be set up in two different ways, active and passive. Note that active and passive refer to the operation of the FTP server, not the client.

Passive mode

In passive mode, the client sends a PASV command to the server. This tells the server to listen for a connection attempt from the client, hence the server is passively waiting.
The server replies to PASV with the host and port address that the server is listening on. The client deciphers this reply and when a data connection is required, attempts to
initiate the connection to the server at this address.

Active mode

In active mode, the server actively connects to the client. To set up active mode, the client sends a PORT command to the server, specify the address and port number the
client is listening on. When a data connection is required, the server initiates a connection to the client at this address.

Generally the server is responsible for closing data connections.

Next: FTP Commands

FTP COMMANDS

FTP commands sent across the control connection consist of simple text strings (and follow the Telnet protocol - see RFC 854). For example, to retrieve a file, the client sends
"RETR filename" on the control connection to the FTP server. To transfer a file, the client sends "STOR filename".

The FTP server acknowledges each command with an FTP reply, which consists of a three digit number followed by human-readable text. The first digit indicates if the
response is good, bad, or incomplete. If an error occurred, the second digit may be used to indicate what type of error occurred. Similarly, the third digit can indicate more
details of the error.

The first digit is the most important, and the five possible values are described below:

Reply Description
1yz Positive Preliminary reply. The request action has been initiated, but another reply is to be expected
before the client issues another command.
2yz Positive Completion reply. The requested action has successfully completed, and the client may
issue another command.
3yz Positive Intermediate reply. The command has been accepted, but more information is required. The
client should send another command in reply.
4yz Transient Negative reply. The command failed, but it can be retried.
5yz Permanent Negative Completion reply. The command failed, and should not be repeated.

Next: Sample Scenarios

SAMPLE SCENARIOS
Example 1

For example, to change directory the client sends:

CWD dirname

The server responds with:

250 CWD command successful

As the reply begins with a ‘2’, we know the command sequence is completed.

However if we attempt to change directory to one that does not exist:

CWD nonexistentdir

The server responds with:

550 nonexistentdir: The system cannot find the file specified.

As the reply begins with a ‘5’ we know that the command failed.

Example 2
To transfer a text file, we issue a ‘RETR’ command to the server. However to transfer the file we require a data connection to be set up. This can be done using active or
passive mode.

As discussed previously, in active mode, the client sends a ‘PORT’ command, indicating what address and port number the server should connect to:

PORT 192,168,10,1,4,93

The first four digits are the IP address, and the last two encode the port number (in two 8-bit fields, the first being the high order bits of the 16-bit port number).

The server responds with:

200 PORT command successful.

This indicates that the data connection has been established.

Next, the ‘RETR’ command is issued:

RETR abc.txt

The server responds with:

150 Opening ASCII mode data connection for abc.txt(70776 bytes).

The reply begins with a ‘1’, so we know that the command was successful, but the server will be sending another reply – the client cannot issue another command until this is
received.

Eventually, the server sends:

226 Transfer complete.

The command sequence is complete, the file has been transferred, and the client can issue another command.

See RFC959 for details about the second digit, and more extensive examples.

Note that most standard command-line FTP clients support debug mode, which displays the FTP commands that are being sent to the server, and the reply strings that are
received back. Typing “debug” at the prompt will usually put the client into debug mode.

Next: Data Types

DATA TYPES
The two most common data types in usage are ASCII and binary.

ASCII is the default data type, and is intended for the transfer of text files. A line of text is followed by <CRLF>. Note that different operating systems use different end of line
terminators.

Binary type (known as IMAGE in FTP) is used to transfer binary files. A byte-by-byte copy is made of the source file. Graphical images, video and executable files are all binary
files. If they are transferred as ASCII, they will be corrupted.

Next: Session Commands

SESSION COMMANDS
To begin an FTP session, the USER command is sent to the server:

> USER ftpuser

The server responds with:

331 Password required for ftpuser.

The client must respond with the password:

> PASS mypassword

The server responds with:

230 User ftpuser logged in.

The session is now established, and the user can begin issuing various file and directory- related commands.

To end the session, the client sends:

> QUIT

The server responds with:

221

The session is now closed, and any further attempt to send commands to the server will fail.
Next: File Commands
FILE COMMANDS
FTP supports numerous file-related commands.

Files can be deleted (DELE) and renamed (RNFR,RNTO) as well as stored (STOR) and retrieved (RETR). When a file is stored, it can be written over or appended to (APPE).

See the Sample scenarios examples for more details.

Next: Directory Commands

DIRECTORY COMMANDS
FTP supports a variety of directory-related commands.

Directories can be created (MKD), removed (RMD), or changed into (CWD, CDUP).

Two types of directory listings can be made with FTP.

The LIST method obtains a list of files (and possibly directories). If a directory is specified, the server returns a list of files in the directory, together with system specific
information about the files. The file information sent will vary depending on the server system. The data type should be set to ASCII for this file name list. If no directory is
specified, details of the current working directory listing are sent.

The NAME LIST (NLST) method is similar to LIST, but only file names are returned. No other information about the files is sent. Again, the data type should be set to ASCII

Next: FTPS - Securing FTP with TLS

FTPS - SECURING FTP WITH TLS
A significant problem with "plain" FTP is that it is not secure - usernames, passwords and data are sent across the network in the clear. This means eavesdroppers sniffing the
network will have little trouble obtaining credentials and copies of the transferred files.

FTPS was designed to fix this by encrypting communications using the SSL/TLS protocol, which is specifically designed for securing network connections.

FTPS is an IETF standard as described in RFC 4217.

See also:
· Implicit FTPS and Explicit FTPS
· Securing Control and Data Channels
· FTPS Commands
· FTPS Usage
IMPLICIT FTPS AND EXPLICIT FTPS
An early version of FTPS is now known as implicit FTPS. Upon connecting, implicit FTPS clients automatically start securing the connection using SSL/TLS.

This is a problem for unencrypted FTP clients - they will no longer be able to connect on a server port that requires securing the connection immediately. If FTP and FTPS
(implicit) are to be supported on the same server, they require different port numbers. Typically, implicit FTPS uses port 990 rather than the standard FTP port 21.

Explicit FTPS fixed this by requiring the AUTH command to be sent by the client prior to securing the connection. This meant that unencrypted FTP clients can connect on the
same port as FTPS clients - the unencrypted clients simply never send an AUTH command and the session remains unencrypted. FTPS clients send the AUTH command prior
to logging in so that credentials are secured.

Implicit FTPS clients can still be found, but explicit mode is always preferred. Unless implicit mode is required it is best to have implicit mode FTPS disabled in CompleteFTP.

Next: Securing Control and Data Channels

SECURING CONTROL AND DATA CHANNELS
FTP sessions use two channels: control and data. Only one control-channel is used in each session, but several data-channels may be used – one for each data transfer.
The AUTH command only secures the control-channel. Data- channels are not secured until PBSZ and PROT commands are issued. These commands tell the server
whether or not subsequent data-channels should be secure.

Clients can connect to FTPS servers in unencrypted mode, and then switch to secure mode upon request. To do so, the client issues an AUTH command, upon which the
client and the server negotiate a secure connection. After the switch, all FTP commands are encrypted, but importantly, data is not encrypted unless further commands are
provided.

Next: FTPS Commands

FTPS COMMANDS
Three commands are used, AUTH, PBSZ, and PROT. One of these, PBSZ, appears to be redundant and is probably included only to satisfying the RFC specification.

AUTH (AUTHentication)

The AUTH command takes a single parameter which defines the security mechanism to be used, usually 'SSL' or 'TLS'.

AUTH TLS

WIth this command, an attempt is made to negotiate a TLS connection on the control channel.The server tries to validate itself to the client by sending its certificate (Server
Validation). It may also involve the client sending its certificate to the server (Client Validation).

PBSZ Protection Buffer SiZe)

The PBSZ command is intended to define the buffer-size to be used by the security mechanism when it is encrypting data on the data-channel. However for TLS this setting is
redundant and a value of '0' is always passed as a parameter.

PBSZ 0

While this call is redundant, it is required and must precede the PROT command.

PROT (data channel PROTection level)

PROT defines whether or not the data channel is to be protected or not. Either the data channel is Clear (the default), or Private. Clear means that no security is used on the
data-channel (meaning files are transmitted without encryption), and Private means that the data-channel should be encrypted. So there are two possible PROT commands:

PROT C

for an unsecured data-channel, and

PROT P

for an encrypted data-channel.

Next: FTPS Usage

FTPS USAGE
A typical explicit FTPS session might consist of the following sequence of commands:

> USER (user-name)

Provide user-name
> PASS (password)
Provide password
> LIST
Get a directory listing
> AUTH TLS
Switch to TLS on control-channel
> RETR (file-name)
Download a file (without security)
> PBSZ 0
> PROT P
Switch to TLS on the data-channel
> STOR (file-name)
Upload a file (with security)
> QUIT
End session

In this example, the first three commands (USER, PASS, and LIST) are standard FTP and therefore insecure. The AUTH command causes the rest of the commands to be
sent to the server securely, in other words, an attacker cannot see which commands are issued. The RETR command (to fetch a file from the server), being after AUTH, is
protected, but the actual file that is transferred is not protected since it precedes the PBSZ and PROT commands. PBSZ and PROT tell the server to use TLS on all future
data-channels, thus the file transferred in the STOR command (which stores a file on the server) is secure.

Rules
There are two rules regarding the issuing of explicit FTPS commands that must be followed:

1. AUTH must precede PBSZ

2. PBSZ must precede PROT

Apart from these, a FTPS server has policies regarding access permissions to its resources. These policies will also determine the order in which commands must be issued.
There are too many possible policies to list here, but a few examples of such policies are given below along with their consequences in terms of the issuing of commands.

Policy Consequences
· No unprotected commands AUTH must be issued before any other commands.
· Certain users are not permitted to log in without security. The USER command is rejected for particular users
unless preceded by a successful AUTH command.
· No unprotected data may be transferred A 'PROT P' command (preceded by a PBSZ command)
must be issued before any files are transferred.
· Allow TLS authentication instead of USER/PASS A client certificate must be supplied and USER/PASS
authentication commands are not required.

Next: The Essentials of FTP Security

THE ESSENTIALS OF FTP SECURITY
While users of FTPS may safely remain ignorant of most of the underlying security mechanisms, it is necessary that they understand the basics of public keys and certificates.
In some cases, it is also necessary to understand which encryption/decryption algorithms (or ciphers) are available and what level of protection they offer.

See also:
· Public Key Cryptography
· Certificates and Certificate Authorities (CAs)
· Obtaining Keys and Certificates
· Server and Client Validation
· Hostname Checking
· Selecting Ciphers
PUBLIC KEY CRYPTOGRAPHY

Public Key Cryptography (PKC) is a paradigm which uses a pair of keys in a given communication; one key is used for encrypting the message and the other key is used for
decrypting it. Each key may serve either purpose, but a message encrypted using one key may ONLY be decrypted by the other key.

The following illustration demonstrates how such a pair of keys may be employed for secure communication:

Party A has generated a key-pair. They retain one key, the private key, and distribute they other key, the public key, to Party B in a trustworthy way (see Section 4.1.2).

1. A encrypts a message using the private key and sends it to B. If B is able to decrypt the message using the public key, then B may be confident that the message did in fact
originate from A, since only A has the private key.

2. B encrypts a message using the public key and sends it to A. Since the message may only be decrypted using the private key, and only A has this key, B may be confident
that only A will be able to read the message.

Thus, using A's private/public pair of keys, B can ensure that (1) A is who they purport to be, and (2) Any messages that are sent to A can be read by that party only.
However, the following weakness remain: (1) A cannot be confident that B is who B purports to be, and (2) Communications from A to B may be read by anyone who has the
public key.

While both of these weaknesses may easily be overcome if B has their own key-pair and has provided the public key to A, this is often not practical due to the amount of effort
involved. However, the latter shortcoming may easily be overcome in the following way:

3. B automatically generates a temporary key-pair. Since B may be confident that its messages to A are only read by A, B can securely provide one of the keys to A. Once A
has received this key, they may use it to encrypt any messages sent to B. They may therefore be confident that only B can read any subsequent messages.

Thus, a single private-public key-pair has the potential to offer the following security:

I.Parties receiving messages from the owner of the key-pair can verify that encoded messages originated from the owner.

II.Secure messages may be sent between the owner and other parties.

As mentioned, this presumes that the owner of the key-pair is able to distribute their public keys in a trustworthy manner. In practice, this is achieved by means of public key
certificates and Certificate Authorities.

Next: Certificates and Certificate Authorities (CAs)

CERTIFICATES AND CERTIFICATE AUTHORITIES (CAS)

The previous section emphasized the need for public keys to be distributed in a trustworthy manner. Simply sending the key electronically should not be considered safe as
the message might be tampered with on the way, though this is done in many cases. Having one person physically hand another a memory-stick containing the key would be
probably acceptable, but is usually impractical. The solution used on the Internet is to use a trusted third party called a Certificate Authority (CA).

A CA is an organization which specializes in issuing public key certificates. They only issue certificates to parties (or subjects) after they have provided sufficient documentary
evidence of their identity. There are only a few CAs in the world and, since their viability relies on their trustworthiness, they can usually be relied on to do a good job of
validating their subjects.

Each CA has its own private-public key-pair and its own certificate (called a root certificate). Since there are so few CAs and since they rarely change their keys, it is feasible
for software to be distributed with a list of the certificates of all existing CAs. For example, Microsoft's and Netscape's browsers are both distributed with files containing lists of
root certificates.

A certificate issued to a subject by a CA contains:

the identification of the subject,

the public key of the subject,
the identification of the CA which issued the certificate, and
the digital signature, provided by the CA, which verifies the contents of the message.

A subject's certificate may be validated in the following way:

1. Use the identification of the CA to find the appropriate root certificate.

2. Use that root certificate to check the digital signature and thereby prove that the CA issued the certificate and that the information in the certificate has not been tampered
with.
3. Verify the identification of the subject.

Once this has been done, the party can trust that the public key in the certificate is indeed the public key that they expected. This public key may henceforth be used to
establish secure communications with the subject in the manner described in Section 12.

Note that although the CA has signed a certificate containing the public key of the subject, the CA does not have the subject's private key. To issue a certificate, the CA only
requires access to the public key. The CA obtains this public key from the subject applying for a certificate. It is therefore up to the subject to generate the private-public key-
pair before applying to a CA for a certificate.

Next: Obtaining Keys and Certificates

OBTAINING KEYS AND CERTIFICATES

A private-public key-pair is easy to generate. Likewise, an “uncertified” certificate may be generated with little effort, but obtaining a trustworthy certificate from a CA
necessarily requires some work, time, and (usually) cost. It involves interacting with the CA to prove identity, and waiting for the CA to digitally sign the certificate.

Alternatively OpenSSL may be used. The reader is referred to the OpenSSL Key HOWTO for instructions on generating key-pairs and to the OpenSSL Certificate HOWTO for
generating certificates. It is recommended that keys with a length of at least 768 bits are used. OpenSSL may be obtained from http://www.openssl.org/source/ or
http://www.openssl.org/related/binaries.html.

Next: Server and Client Validation

SERVER AND CLIENT VALIDATION

The previous sections described how public key certificates may be used to validate parties involved in secure communications. They also explained why some work, time, and
cost is involved in obtaining certificates.

The nature of Internet usage is such that it is important to distinguish between server validation and client validation. Server validation allows a client to know that it is talking to
the intended server. Conversely, client validation allows a server to know that it is talking to the intended client.

It is often more important for a client to know that it is talking to the intended server than the converse. The reason for this is often financial. For example, if a client is
purchasing an item from an online retailer, the client needs to be certain that their credit card details are going to the intended destination. While it might be nice for the
retailer to be certain where the money if coming from, it is not usually essential. Therefore, server validation is nearly always used in such transactions, but client validation is
less often used. Other applications, such as Internet banking often use both client and server validation.

In FTPS, both server and client validation by certificate are optional. Though the server's certificate is always sent, it is up to the client whether or not it validates the
certificate. It is up to the client whether or not it will try to validate itself to the server, but some servers have a policy of not allowing unvalidated clients to access some or all its
resources.

It is important to note that, although many FTPS servers don't request client certificates, most require a user-name and password to be sent. If these are sent over a secure
control channel then a reasonable level of client validation is inherent.

Next: Hostname Checking

HOSTNAME CHECKING

One of the steps in server validation is host-name checking. Host-name checking is a simple check that is performed when a secure connection is being established. It
involves comparing the following two items:
· the host-name that is (usually) contained in the certificate which the FTPS server is presenting
· the host-name of the machine on which the FTPS server is running

If they match then one can be confident that the server to which the client is connected is in fact the server to which the certificate was issued. If they do not match, then there's
a possibility that the certificate has been stolen and that the server, to which the client is connected, is attempting to "impersonate" the actual server to which the client is
actually connected. This is a form of "man-in-the-middle" attack, which gives the attacker complete control over the data being sent and received.

Unfortunately, the most widely compatible version of the X.509 certificate standard does not specify exactly how a host-name should be defined within a server certificate. The
convention is that the Common Name (CN) field of the certificate should be used, and, while this is followed by the majority of Certificate Authorities (CAs), it is not universal.

If it is possible to configure the FTPS server's certificate then the Common Name (CN) field of the certificate must be the same as the host-name of the machine on which the
FTPS server is running.

Disabling host-name checking is strongly discouraged and should only be done as a last resort if the FTPS server's certificate cannot be configured so that its CN parameter
contains its host-name.

Next: Selecting Ciphers

SELECTING CIPHERS

SSL and TLS can use a variety of encryption/decryption algorithms (called ciphers). In a single secure connection, as many as four different ciphers may be used for various
purposes; this set of ciphers is called a cipher suite. Each party in a secure connection must designate which cipher suites it is going to support. When a new secure
connection is made, the parties involved try to agree on which cipher suite to use. There must be at least one cipher suite that is available on both sides of the connection for
this to be possible.

Different cipher suites have different levels of security and performance. The lower the level of security, the easier the cipher is to break. Unfortunately, stronger ciphers
usually offer slower performance. Hence, there is a certain level of trade-off between the two. For this reason, the decision on which cipher suites to support is left to the
developers and/or users of SSL and TLS applications.

Every cipher suite has a standard name (e.g. TLS_RSA_WITH_RC4_128_SHA). This name reveals which ciphers are used in the suite.

Some guidelines which may be useful when selecting cipher suites are:

· Triple DES offers high security but relatively poor performance (look for names with the characters, 3DES).

· DES (not 3DES) can be cracked relatively easily

· 128-bit RC4 offers high performance and reasonable security (look for names with the characters RC4_128).

· SHA is preferable to MD5 (choose algorithms whose names ending with SHA ahead of those ending with MD5).

· Export version of algorithms are deliberately weakened; avoid them if possible (i.e. avoid 40-bit suites).
SFTP AND SCP
SFTP is an abbreviation for SSH File Transfer Protocol, and is exactly that - a protocol for transfering files over an SSH connection.

SFTP is not the standard FTP protocol running over SSH. Although SFTP has similar capabilities and even similar commands to standard FTP, these similarities are purely
superficial. The protocol is completely different and incompatible with FTP and its secure extension, FTPS.

SCP is also a file transfer protocol that runs over SSH connections. It is a precursor to SFTP, and allows the copying of files and directories over SSH.

In order to understand SFTP and SCP, it is helpful to have a basic understanding of SSH.

See also:
· SSH - Secure Shell
· SCP - Secure Copy
· SFTP - SSH File Transfer Protocol
· Comparison of FTPS and SFTP
SSH - SECURE SHELL

SSH is a standard designed to allow logging in and execution of commands on a remote computer in a manner similar to telnet, rlogin, and rsh. Unlike these protocols, it does
this through an encrypted network connection thus offering a much higher level of security.

The first version of the standard, SSH-1, was designed in 1995 by Tatu Ylönen. The second version, SSH-2, is being standardized by the IETF SECSH working group. It offers
a higher level of security than its predecessor.

In order for a computer to be able to accept SSH connections, it must be running an SSH server, such as sshd, on a publicly accessible port (usually port 22). The client
computer must have an SSH client, such as CompleteFTP, and be known to the server.

Private/public key-pairs in SSH typically use either the DSA or RSA asymmetric key algorithms. Most SSH servers support both.

Clients perform server validation in SSH via a known hosts file. The client maintains a file containing the hostname (or IP address) of the SSH server, together with the server's
public key. When clients connect to the server, they are sent a copy of the server's public key which they can compare with their own record of the server's public key.

The server authenticates clients who connect to it. The client must be previously set up as an SSH user (or in some cases as a user on the server machine). In password
authentication, the client supplies their password which the server authenticates as belonging to that user. In public key authentication, the client uses its private key to sign
some data, and sends the signature to the server. The server uses the client's public key to verify the signature. In this case the client's public key must be available on the
server.
SCP - SECURE COPY
Since the early days of SSH, file transfers have been supported through a command called SCP. This command simply securely copies files or directories between remote
computers. It provides no other file operations such as listing, deleting, renaming, and directory navigation.

SCP itself does not provide authentication and security - it relies on the underlying protocol, usually SSH.

CompleteFTP offers full support for SCP.

COMPARISON OF FTPS AND SFTP
While FTPS and SFTP are completely different protocols, they offer the same basic feature – secure file transfers. It is therefore common to be faced with the choice of one or
the other. This section provides some pros and cons of these two protocols.

Security

Under ideal conditions SFTP and FTPS are able to offer comparable levels of security, but many SFTP deployments suffer from a vulnerability that is an artifact of SFTP's
close relationship with SSH. The problem arises when you want to allow client SFTP access on a server but not SSH access. This is generally not a problem for pure SFTP
servers (such as CompleteFTP), but for SSH/SFTP servers such as OpenSSH it can be quite complex and error-prone. So if you are not very careful when you set up your
servers, users on machines with the SFTP client installed will be able to use an SSH client to log into the server and execute commands. This is not a problem with FTPS since
this is purely a file transfer protocol and not a remote console protocol.

Upgrading

FTPS is a straight-forward extension to an existing FTP infrastructure. It is supported by most commercial servers and many open source servers (e.g. wu-ftpd and proftpd), so
enabling FTPS on a server is usually just a matter of adding a few configuration options. There is no need to run additional servers since FTPS servers invariably also support
FTP. There is also no need to open additional ports in firewalls since FTPS uses the same ports as FTP. It is important to note that data-transfer problems can sometimes
arise when changing from FTP to FTPS - see "Firewalls" section below.

Certificates

SFTP uses keys rather than certificates. This means that it can't take advantage of the "chains of trust" paradigm facilitated through Certificate Authorities. This paradigm
makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications. FTPS uses
certificates and therefore can take advantage of this paradigm. SFTP clients must install keys on the server.

Firewalls

SFTP often works better through some firewalls since it does not rely on multiple connections like FTP does. As explained in an earlier chapter, FTP and FTPS both use a
control channel to send commands, and a new data connection for each file transfer. While the control channel is usually easily connected, it is common to experience firewall-
related problems when connecting data-channels. This is particularly so in FTPS where the FTP-specific features of most firewalls are ineffective due to encryption. Since
SFTP relies on a single network connection, it does not suffer from these problems.
HTTP PROTOCOL OVERVIEW
HTTP (HyperText Transfer Protocol) is a well established Internet protocol designed to transfer content (e.g. HTML files and images) across networks. HTTP is defined in
numerous RFCs (e.g. RFC 2616), which can be obtained from the Internet Engineering Task Force.

HTTP is a request-response protocol. A client such as a Web browser sends an HTTP request to an HTTP server, which is hosting content such as HTML files and images.
The server sends a response message to the client, which will generally include the content the client requested if it is available. The content (or resources) hosted by the
HTTP server is identified by Uniform Resource Locators, or URLS, using the http or https notation.

The original version of HTTP (HTTP/1.0) used a separate TCP connection to the server for every request-response. This meant that HTML pages with images required a
connection for the page as well as for each image. This was not easily scalable, and HTTP/1.1 can reuse connections multiple times.

See also:

· HTTP methods

· HTTP sessions

· HTTPS
HTTP METHODS
HTTP defines various request methods that clients can send to HTTP servers. Generally they involve performing an action on the specified resource. The most commonly
used request methods are listed below:

Method Description
GET Retrieve the specified resource (usually an HTML page or file).
HEAD Same as GET, except only retrieve the response header, not the body (i.e. the contents of the
requested resource).
POST Submit data to be processed. The data is in the body of the request, and usually comes from an
HTML form.

Next: HTTP sessions

HTTP SESSIONS
HTTP is a stateless protocol. This means the server is not required to maintain state for a user in between a user's HTTP requests. One common solution is to use HTTP
cookies, which are text strings stored by a user's web browser. Typically, a session identifier provided by an HTTP server is stored in a cookie. This cookie is then sent with
every request to the server, and the server is able to match the session id with stored state for the user. Session identifiers normally expire within a few minutes, hours or days,
depending on the server settings.

Next: HTTPS
HTTPS
HTTP is not a secure protocol, in the same way that FTP is not a secure protocol - all data is transmitted unencrypted, including usernames and passwords. The HTTPS
(HyperText Transfer Protocol Secure) protocol was introduced to provide a way to securely send data via HTTP. It is identical in syntax, but uses SSL/TLS to encrypt the data
being sent to and from the server.

HTTPS is especially useful for encrypting usernames and passwords that are being sent to an HTTP server, as well as sensitive individual and corporate data such as credit
cards or other payment transactions.
IETF STANDARDS
RFC 959 - File transfer protocol (FTP)
RFC 2228 - FTP security extensions
RFC 4217 - Securing FTP with TLS
RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol
SSH file transfer protocol
ABOUT THIS MANUAL
Enterprise Distributed Technologies would like to thank Golmote, Jannik Zschiesche and the rest of the PrismJS team for developing and maintaining PrismJS which we use for
syntax highlighting.
HOW TO ACTIVATE FREE EDITION
All that is required to activate CompleteFTP Free Edition is a valid e-mail address. Information related to CompleteFTP, including the announcements of updates, will be sent to
this e-mail. You can opt out of these e-mails at any time. Your e-mail address will not be shared with any other organisation.

To activate CompleteFTP Free Edition, please complete the following steps:

1. Open CompleteFTP Manager and connect to your server.

2. Select the Activation tab.
3. Click 'activate for free'.
4. You will be asked whether or not you have an account with EnterpriseDT. If you do then click 'Yes' and go to Registering additional Free Edition servers below, otherwise
click 'No' .
5. Enter a valid e-mail address, your name and, optionally, the name of your company.
6. Click the button labelled 'Request verification code'. This will tell the EnterpriseDT server to send a verification code to the e-mail address that you entered. It should arrive
within a minute or so.
7. Copy the verification code from the e-mail to the clipboard.
8. Paste the code into the last field on the User Registration Form.
9. Click 'Register'. After a few seconds your account will have been registered and your server activated.

Registering additional Free Edition servers

You can register an unlimited number of Free Edition servers using a single EnterpriseDT account. To do this, follow steps 1 to 3 (above) and then click 'Yes' when asked if
you already have an account. You will then be prompted for your user-name and password. Use the same user-name that you received when you first registered your account.
When you click the Activate button CompleteFTP Manager will automatically activate your server.

Registering Free Edition without a direct Internet connection

If the machine on which CompleteFTP Manager is running doesn't have an Internet connection then please follow the steps below:

1. Open CompleteFTP Manager and connect to your server.

2. Select the Activation tab.
3. Click 'activate for free'.
4. You will be asked whether or not you have an account with EnterpriseDT. Click 'Yes' or 'No'.
5. If you've previously registered for a free license then use the License ID that was e-mailed to you. If you haven't previously registered then follow the 'register now' link in
step 0 to register you account and receive your License ID (by e-mail).
6. Enter the License ID in step 1.
7. Click the link marked 'copy' in step 2 to copy it to the clipboard.
8. Send the link a computer that does have Internet access and open it.
9. On the web-page that opens enter your user-name and password.
10. Copy the Activation Key shown on the web-page to the clipboard.
11. Send the Activation Key to the computer that's running CompleteFTP.
12. Paste the Activation Key into the field in step 4.
13. Click OK to complete activation.

For instructions with pictures on how to activate the free edition, please refer to Step-by-step guide: Activate CompleteFTP free .
HOW TO ACTIVATE STANDARD, PROFESSIONAL OR ENTERPRISE EDITION
An installation of CompleteFTP Standard, Professional or Enterprise Edition may be activated once a license has been purchased. Licenses may be ordered from the
EnterpriseDT web-site.

Once your order has been processed a message will be sent to the technical contact e-mail address that you provided. This message will contain the Purchase Reference of
your order, your user-name and a link that you can use to set your password. You will need your password to activate your installation. Once you have your password please
complete the following steps:

1. Open CompleteFTP Manager and connect to your server.

2. Select the Licensing tab.
3. Click 'Apply purchased license'.
4. If the computer on which CompleteFTP Manager is running has an Internet connection then enter the Purchase Reference, user-name and password and click Activate.
CompleteFTP Manager will then complete the activation automatically.
5. If the computer on which CompleteFTP Manager is running has no Internet connection then click the link at the top of the form to open the Browser-Based Activation form,
then
a. Enter the Purchase Reference in step 1.
b. Click the link marked 'copy' in step 2 to copy it to the clipboard.
c. Send the link a computer that does have Internet access and open it.
d. On the web-page that opens enter your user-name and password.
e. Copy the Activation Key shown on the web-page to the clipboard.
f. Send the Activation Key to the computer that's running CompleteFTP.
g. Paste the Activation Key into the field in step 4.
h. Click OK to complete activation.

Activating with a Universal Activation Key

A. Run the CompleteFTP manager and connect to the CompleteFTP server instance that you wish to activate (the server instance - the CompleteFTP Windows service - may
be running on another machine).
B. Select the "Licensing" menu item from the list on the left in the manager, and then select the "Apply purchased license" link.
C. In the 'Direct Activation' form, click the'here' link at the top to open the 'Browser-Based Activation' form.
D. Paste the universal AK you have been sent into the CompleteFTP manager in Step 4. Select "OK" and it should now be activated, and the license details should be
displayed.

For instructions with pictures on how to activate the paid editions, please refer to Step-by-step guide: Activate the paid editions .

If you need to move an instance of CompleteFTP from one server to another, or are having difficulties with activating, please open a ticket at the EnterpriseDT Helpdesk.
Authenticator Class Reference
Class: Authenticator
Authentication extensions must extend this class. O n l y CheckUserName a n d Authenticate must be overridden. The only job of CheckUserName is to set
userInfo.IsValidUserName to true if the user-name (userInfo.UserName) is valid. Authenticate must set userInfo.IsCorrectPassword to true if the password
(authInfo.Password) is correct for the given user-name (userInfo.UserName). Alternatively, userInfo.IsValidKey must be true if public key authentication is being attempted. If
the home folder of the template user (usually defaultExtension - see below) is set to %ExternalHomeFolder% the value of HomeDirectory should be set to the path of the Windows
directory that you wish to be the home of the user.
By default, users that are authenticated by authenticator extensions use the defaultExtension as a 'template user'. This allows the administrator to set the properties (e.g. permissions) of
these users using the CompleteFTP Manager. The user that is used as a template can be changed by overriding the TemplateUserName. This property should return the name of the user
that is to be used as a template.
The value of the Configuration field entered in the Manager is accessible via the ExtensionConfiguration property.

LoadedUserInfo LoadUserInfo(IUserInfo suppliedUserInfo)

Return an object containing the loaded user details if the user-name (userInfo.UserName) is valid. This method is called automatically in the default implementation of
CheckUserName.
void CheckUserName(IUserInfo userInfo)
Set userInfo.IsValidUserName to true if the user-name (userInfo.UserName) is valid.
void Authenticate(IAuthenticationInfo authInfo)
Set userInfo.IsCorrectPassword to true if the password (authInfo.Password) is correct for the given user-name (userInfo.UserName). Or, if public key
authentication is being used, set userInfo.IsValidKey to true if the key details supplied in the IAuthenticationInfo are valid. If the home folder of the template user
(usually default_external - see above) is set to %ExternalHomeFolder% the value of HomeDirectory should be set to the path of the Windows directory that you wish to be
the home of the user.
void Initialize(IPlugInInfo info)
Perform any required initialization that your extension requires.
void Dispose()
Perform any clean-up that your extension requires.
string LogInAsUserName
Optionally override this property to set a template user other than default_external (see above)
string ExtensionName
Name of the extension entered in the CompleteFTP Manager.
Guid ExtensionID
Identifier of the extension.
string ExtensionConfiguration
Configuration entered for the extension in CompleteFTP Manager.

Interface: IUserInfo
string UserName
User-name that the client is presenting.
IPEndPoint RemoteEndPoint
Holds the client's IP address and port-number.
X509Certificate2 ClientCertificate
SSL certificate presented by the client. The value will be null for all cases except where all of the following are true:
1. the protocol is FTPS or HTTPS
2. CompleteFTP is configured to require client certificates
3. the client certificate has already been validated via the Windows Certificate Store

bool IsValidUserName
Set to true if the user-name is valid.
string SiteName
Name of site that is requesting authentication
Guid SiteID
Identifier of site that is requesting authentication. To obtain the ID for a given site you need to look at the log file; the ID is logged each time a site is started.
List<string> Groups
Names of groups of which the user is a member (in addition to those of the log-in-as user).

Class: LoadedUserInfo
string HomeDirectory
The user's home directory if available.
List<byte[]> DSAPublicKeys
The list of DSA public key blobs for this user. Each key is a byte array of the standard OpenSSH or SECSH formats for public keys.
List<byte[]> RSAPublicKeys
The list of RSA public key blobs for this user. Each key is a byte array of the standard OpenSSH or SECSH formats for public keys.
string PasswordHash
The MD5 hash of the user's password
string PasswordSalt
The salt prepended to the user's password prior to the MD5 hash. This can be null if a salt has not been used.
string Password
Setter only to set the user's password. This populates the PasswordHash field.
bool MustChangePassword
Set to true if the user must change their password
List<string> Groups
Names of groups of which the user is a member (in addition to those of the log-in-as user).
Interface: IAuthenticationInfo
extends IUserInfo
string UserName
User-name that the client is presenting.
IPEndPoint RemoteEndPoint
Holds the client's IP address and port-number.
bool IsValidUserName
Set to true if the user-name is valid.
string Password
Password that the client is presenting.
IsCorrectPassword
Set to true if the password is correct for the given user.
bool MustChangePassword
Set to true if the user must change their password.
bool IsValidKey
Set to true if public key authentication is successful for the given user.
PublicKeyAlgorithm KeyAlgorithm
Provides the public key algorithm used if this is public key authentication.
byte[] KeyCheckData
Provides the key check data if this is public key authentication. To authenticate using public key authentication, the client uses its private key to sign a block of data, producing
SignatureBlob which is sent to the server. The server calculates the same block of data (the KeyCheckData) and verifies using the stored copy of the client's public key that
SignatureBlob was indeed produced by the client signing the same block of data with its private key. The contents of KeyCheckData are defined in RFC 4252 Section 7.
byte[] SignatureBlob
Provides the signature blob if this is public key authentication. See KeyCheckData.
X509Certificate2 ClientCertificate
SSL certificate presented by the client. The value will be null for all cases except where all of the following are true:
1. the protocol is FTPS or HTTPS
2. CompleteFTP is configured to require client certificates
3. the client certificate has already been validated via the Windows Certificate Store

Interface: IPlugIn
PlugInName
Name of plug-in as entered in CompleteFTP Manager.
PlugInConfiguration
Configuration entered by administrator.
COMPLETEFTP CUSTOM CONFIGURER: CFTPCONFIG
The cftpconfig tool may be used for modifying the CompleteFTP configuration database (config.sdf) . Whether run with or without options the tool will always update
config.sdf (schema and/or data) to the latest version of CompleteFTP (unless it's already up-to-date).

By default cftpconfig operates on the configuration file at the default location (i.e. C:\ProgramData\Enterprise Distributed Technologies\Complete
FTP\config.sdf), but this can be changed using the options.

Please note that as cftpconfig operates directly on the configuration file, the CompleteFTP service will need to be restarted to reload the configuration. Until this is done
changes will not be able to be seen in the CompleteFTP manager. Normally this tool should only be used when the service is stopped.

Available options:
/c [file] Customize installation using SQL commands in this file or read from stdin if path is absent or '-' (ctrl+Z to mark end of input).
/f file Configure the given configuration file instead of the configuration file at the default location
/h Show help
/i file Import the configuration in the given file instead of upgrading the configuration at the default location
/o Create a new configuration file rather than upgrading the existing config.sdf. All existing configuration data will be overwritten.
/p password Set administrator password to this
/q query Execute this SQL query (INSERT, UPDATE or DELETE) on the configuration
/r Generate (and write) random administrator password
/v Verbose - write status messages to console

The schema of the CompleteFTP configuration database is available upon request. The SQL syntax is that for SQL Server Compact with the addition of the UPDATE-FROM
command. The syntax of the UPDATE-FROM command is

UPDATE TableA SET FieldA1=AliasB.FieldB1 WHERE FieldA2=value1 FROM TableB AliasB WHERE FieldB2=value2

A tool such as CompactView may be useful in viewing your config.sdf file.

 CONFIGURATION DATABASE SCHEMA
CompleteFTP stores configuration data in a SQL Server Compact database. Modifying this database directly is not generally advised as it's very easy to render CompleteFTP unusable. It is
however possible to do using the cftpconfig tool. EnterpriseDT advises users wishing to perform anything but the simplest property-changes to contact support for advice prior to putting
changes into production.

This document describes the schema of the CompleteFTP configuration database. It lists the fields of the tables along with notes on how rows should be added. Note that the constraints on
the database do not fully embody the format of the data, so the notes should be read carefully.

Tables
Users
Node
SiteUser
Membership
Group
Server
Site
ServerSite
NodeType
PlugIn
PlugInType
Authenticator

Table: User
Purpose: Stores all explicitly defined users. This does not include users that are authenticated using authentication extensions, including
automatic windows users and external database users.
Notes: Create one row for each new user.
Field SQL Type .NET Type Required Default Comments
UserID uniqueidentifier Guid yes Generate new for each user
"SERVER" for non-Windows users and "WINDOWS" for
AuthenticationTypeID nvarchar(40) string yes Windows users
"SERVER" for non-Windows users and "WINDOWS" for
AuthorizationTypeID nvarchar(40) string yes
Windows users
Description nvarchar(100) string no May be NULL. Only used in event-macro
Email nvarchar(256) string no May be NULL. Only used in event-macro
Enabled bit bool yes Usually TRUE
ExpiryDate datetime DateTime no NULL if no expiry
FTPEnabled bit bool no TRUE TRUE if FTP is to be allowed; FALSE otherwise.
FTPSEnabled bit bool no TRUE TRUE if FTPS is to be allowed; FALSE otherwise.
FullName nvarchar(100) string no May be NULL. Only used in event-macro
HTTPEnabled bit bool no TRUE TRUE if HTTP is to be allowed; FALSE otherwise.
HTTPSEnabled bit bool no TRUE TRUE if HTTPS is to be allowed; FALSE otherwise.
PasswordEncrypted image byte[] no Leave as NULL
PasswordHash nvarchar(100) string no NULL for Windows users and MD5 (unsalted) for non-
Windows users
Permissions nvarchar(3) string no NULL for full permissions or 555 for read-only
QuotaSpeedDownload bigint long no NULL or download-speed in bytes/sec
QuotaSpeedUpload bigint long no NULL or download-speed in bytes/sec
QuotaStorage bigint long no NULL or storage-quota in bytes
SCPEnabled bit bool no TRUE TRUE if SCP is to be allowed; FALSE otherwise.
SFTPEnabled bit bool no TRUE TRUE if SFTP is to be allowed; FALSE otherwise.
SSHPublicKeyDSA image byte[] no NULL or OpenSSH format DSA public key
SSHPublicKeyRSA image byte[] no NULL or OpenSSH format RSA public key
SSHTerminalEnabled bit bool no FALSE TRUE if SSH is to be allowed; FALSE otherwise.
SSLCertificate image byte[] no NULL or PEM format SSL cert (no private key)
System bit bool yes Must be FALSE
UserName nvarchar(100) string yes Must be unique. Must include "MYDOMAIN\" for
Windows domain users
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: Node
Purpose: Stores folders of the virtual file-system.
Notes: (1) If each user is to have their own unique home-folder then you must create one row for each user. Set the OwnerID to the GUID
of the new user. (2) If any of OwnerID, GroupID or Permissions is NULL then the permissions will be inherited from the parent.
Field SQL Type .NET Type Required Default Comments
NodeID uniqueidentifier Guid yes Generate new for each folder
Full Windows path for Windows folder. Append ?
Configuration nvarchar(4000) string yes %AutoCreate%" to path to have CompleteFTP create
the Windows folder when it's first accessed by user.
GroupID uniqueidentifier Guid no "8a9b1ba4-5d1b-41f6-893a-f99a319be033" for users
group.
Name nvarchar(100) string yes Must be unique amongst nodes with same
ParentNodeID
"c3435efd-3b78-44b1-b270-79667906afa9" for Windows
NodeTypeID uniqueidentifier Guid yes folder
OwnerID uniqueidentifier Guid no GUID of user who owns the folder
ParentNodeID uniqueidentifier Guid no NULL for root folder, otherwise GUID of parent folder
Permissions nvarchar(12) string no UNIX-style permissions, e.g. 750 is full-control by
owner, read-only by group and none for anyone else.
System bit bool yes Leave as NULL or set to FALSE. Never set to TRUE.
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: SiteUser
Purpose: Stores site-specific information for users - mainly whether or not the user is enabled on the site and what its home-folder is.
Notes: You must create one for every site-user combination. By default there are two sites ('Default Site' and 'Admin') so you must create
at least two rows in this table for each user, each with a different SiteID (see below).
Field SQL Type .NET Type Required Default Comments
"c7a09c8d-4a7c-4b17-90fd-9897562ee979" for default
SiteID uniqueidentifier Guid yes site and "d7183a00-f941-4b89-a3dc-bd3d1a79c2ca" for
admin site.
UserID uniqueidentifier Guid yes GUID of user
Enabled bit bool yes TRUE TRUE for default site and FALSE for admin site
NodeID uniqueidentifier Guid no GUID of home folder. May only be NULL if Enabled is
FALSE
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: Membership
Purpose: Stores membership of users to groups.
Notes: Add at least one row to make the new user a member of the 'users' group.
Field SQL Type .NET Type Required Default Comments
UserID uniqueidentifier Guid yes GUID of user
"8a9b1ba4-5d1b-41f6-893a-f99a319be033" for users
GroupID uniqueidentifier Guid yes group.
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: Group
Purpose: Stores user-groups.
Notes: -
Field SQL Type .NET Type Required Default Comments
GroupID uniqueidentifier Guid yes GUID of group
Name nvarchar(100) string yes Must be unique
System bit bool no Leave as NULL or set to FALSE. Never set to TRUE.
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: Server
Purpose: Stores information about servers, including currently available IP addresses and activation keys. For stand-alone installations
there will be only one row. In clusters each machine will have one row.
Notes: There must be one row for each node in a cluster. For stand-alone installations there will only be one row. MachineName,
LatestMachineID and IPAddresses are set automatically by the CompleteFTP Service.
Field SQL Type .NET Type Required Default Comments
ServerID uniqueidentifier Guid yes GUID of the server
ActivationKey nvarchar(1000) string no Unlocks the purchased edition of CompleteFTP on this
machine
Information about how to connect to this server
ConnectionInfo ntext string no remotely. This field is encrypted and can only be set
using CompleteFTP Manager.
IPAddresses nvarchar(1000) string no Do not set this field.
IsPrimary bit bool no Is this the primary node in the cluster?
LatestMachineID uniqueidentifier string no Do not set this field.
Level of logging produced on this machine. Must be on
LogLevel nvarchar(40) string no of: off, error, warning, information, debug or all.
MachineName nvarchar(100) string no NetBIOS name of machine [Set automatically]
Name nvarchar(100) string yes Must be unique
SyncEnabled bit bool no Is synchronization enabled for this cluster-node?
SyncPeriod int int no Milliseconds between synchronizations
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: Site
Purpose: Stores information about sites.
Notes: By default there are two sites: one for administration and one for general users. The admin site must always exist, but the other
site may be replaced.
Field SQL Type .NET Type Required Default Comments
SiteID uniqueidentifier Guid yes GUID of the site
AnonymousEnabled bit bool Are anonymous FTP connections allowed?
AnonymousHTTPEnabled bit bool no TRUE Is anonymous HTTP enabled on this site?
AnonymousMaxConnections int int Maximum number of anonymous FTP connections.
AnonymousUserID uniqueidentifier Guid UserID of the anonymous user.
ArchiveNavEnabled bit bool no FALSE Is ZIP-file navigation enabled?
ArchiveNavSuffix nvarchar(20) string no .folder Extension to add to ZIP-file when listing ZIP-folder.
AutoBanDuration int int no 60000 Period (in ms) for which an auto-ban remain in force.
AutoBanTriggerCount int int no 10 Number of authentication failures until an IP address is
banned.
AutoBanTriggerPeriod int int no 3600000 Period (in ms) within authentication-failures are counted.
BackslashPathSep bit bool no FALSE Allow backslashes when resolving paths in the file-
system.
Default Windows domain to use when authenticating
DefaultDomain nvarchar(100) string no user-names that don't specify a domain.
NodeID of the folder that's the parent to default user
DefaultHomeDirID uniqueidentifier Guid yes
home-folders
Enabled bit bool yes Is this site enabled?
Character-encoding for all strings in all protocols. NULL,
Encoding nvarchar(40) string no the default, means UTF-8. To get a listing of valid
values, search for 'code page identifiers'
FTPEnabled bit bool yes Is FTP enabled on this site?
FTPSEnabled bit bool yes Is standard (explicit) FTPS enabled on this site?
FTPSImplicitEnabled bit bool yes Is legacy (implicit) FTP enabled on this site?
FTPSVerifyClient b bool yes Require FTPS clients to present their certificates?
Don't show product and version in any communications
HideProductVersion b bool no FALSE
(set to true for PCI compliance).
Should user's home-folders be shown as their root
HomeDirIsRoot b bool no FALSE
folder?
HTMLListingTemplate ntext string no Template to use for HTML listings.
HTTPEnabled bit bool yes Is HTTP enabled on this site?
HTTPSEnabled bit bool yes Is HTTPS enabled on this site?
IPFilterID uniqueidentifier Guid no IPFilterID of site's IP filter.
FTP directory listing format. 'UNIX' for UNIX-style
ListingFormatID nvarchar(40) string yes listings, 'WINDOWS' for Windows-style listings or
'FILENAME' for listings that only show file-names.
Maximum number of simultaneous (non-HTTP)
MaxConnections int int no
connections allowed for this site
MaxConnectionsHTTP int int yes 200 Maximum number of simultaneous HTTP connections
allowed for this site
Maximum number of login attempts allowed in a single
MaxLoginAttempts int int no connection
Name nvarchar(100) string yes Must be unique
IP address to tell clients to connect to for passive-mode
PASVIP nvarchar(100) string no transfers
PASVPortMax int int no Maximum port-number to use for passive-mode transfers
PASVPortMin int int no Minimum port-number to use for passive-mode transfers
PortFTP int int yes Port for FTP and standard (explicit) FTPS
PortFTPSImplicit int int yes Port for legacy (implicit) FTPS
PortHTTP int int yes Port for HTTP
PortHTTPS int int yes Port for HTTPS
PortSFTP int int yes Port for SFTP, SCP and SSH terminal
SCPEnabled bit bool yes Is SP enabled on this site?
SSH authentication-types allowed for SSH (null by
SSHAuthTypes int int no
default)
SSHCipher int int no Ciphers allowed for SSH (null by default)
Compression algorithms allowed for SSH (null by
SSHCompression int int no
default)
SSHKeyAlgorithm int int no Key-types allowed for SSH (null by default)
Key-exchange algorithms allowed for SSH (null by
SSHKeyExchange int int no default)
SSHKeyPairDSA image byte[] yes Site's DSA private key stored in SECSH format.
SSHKeyPairRSA image byte[] yes Site's RSA private key stored in SECSH format.
SSHMAC int int no MAC algorithms allowed for SSH (null by default)
SSHTerminalEnabled bit bool yes Is SSH terminal access enabled on this site?
Site's SSL/TLS certificate in PFX format (by default no
SSLCertificate image byte[] yes
password is used)
SSLCertificatePassword nvarchar(100) string no Encrypted password for certificate (null by default)
SSLCipherSuites int int no Cipher-suites allowed for SSL/TLS (null by default)
Is this a system site? Must be FALSE for all sites
System bit bool no except the admin site.
TimeoutHTTP int int no 1800000 Time-out period for HTTP sessions.
TimeoutIdle int int no Milliseconds of inactivity before a connection is closed.
TimeoutLogin int int no Milliseconds allowed to log in.
Milliseconds to wait for a passive channel connections
TimeoutPassiveWait int int no before giving up.
TimeoutStalled int int no Milliseconds of inactivity before a transfer is considered
to have stalled.
WelcomeMessage nvarchar(2000) string no Message shown to users when they connect to this site
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: ServerSite
Purpose: Stores server-specific information about sites, including enabled-status and IP bindings. For each server in the configuration
there will be a row for each site.
Notes:
Field SQL Type .NET Type Required Default Comments
ServerID uniqueidentifier Guid yes ServerID of the server
SiteID uniqueidentifier Guid yes SiteID of the site
Enabled bit bool no TRUE Is the specified site enabled on the specified server?
FTPInterfaces nvarchar(1024) string no IP addresses to listen on for FTP (null means all).
HTTPInterfaces nvarchar(1024) string no IP addresses to listen on for HTTP (null means all).
SFTPInterfaces nvarchar(1024) string no IP addresses to listen on for SFTP (null means all).
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: NodeType
Purpose: Defines the various types of folders in the virtual file-system.
Notes: Every node-type must have a plug-in of the "File System" type (PlugInTypeID=0).
Field SQL Type .NET Type Required Default Comments
NodeTypeID uniqueidentifier Guid yes GUID of the node-type
CanHaveChildren bit bool yes Can folders of this type have sub-folders?
Name nvarchar(100) string yes Must be unique
PlugInID uniqueidentifier Guid yes PlugInID of the plug-in defining the class that
implements this node-type.
System bit bit no Must be FALSE.
Show this folder-type in the list of folder-types when
Visible bit bit no creating new folders.
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made
Table: PlugIn
Purpose: Defines plug-ins (aka extensions) of all types
Notes: Extensions of the "File System" type (PlugInTypeID=0) will not be usable unless a NodeType has been defined for them.
Extensions of the "Authentication" type (PlugInTypeID=3) must have a row for each site (allowing distinct configurations for each site).
Field SQL Type .NET Type Required Default Comments
PlugInID uniqueidentifier Guid yes GUID of the plug-in
AssemblyPath nvarchar(1024) string no NULL or path to assembly that contains the class
ClassName nvarchar(400) string yes Full name of class that implements the plug-in.
Configuration data for the plug-in. Note that
FileSystemAdapter plug-ins also have the option of
Configuration ntext string no storing configuration information in each individual Node
row that references the plug-in.
EditorClassName nvarchar(100) string no Name of editor class (optional)
Name nvarchar(100) string yes Must be unique
PlugInTypeID uniqueidentifier Guid yes PlugInTypeID of the plug-in-type of this plug-in.
System bit bool yes Must be FALSE.
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made

Table: PlugInType
Purpose: Enumeration of plug-in types.
Notes: Do not modify this table. Values are (0=File System, 1=Custom Commands, 2=Event, 3=Authentication)
Field SQL Type .NET Type Required Default Comments
PlugInTypeID int int yes See notes
Name nvarchar(100) string yes See notes
CreatedTime datetime DateTime yes See notes
ModifiedTime datetime DateTime yes See notes

Table: Authenticator
Purpose: Stores authenticator information for specific sites.
Notes: Plug-ins must be of the Authentication type (i.e. PlugInTypeID=3). There must be one row for each site-authenticator combination).
Field SQL Type .NET Type Required Default Comments
PlugInID uniqueidentifier Guid yes PlugInID of the plug-in.
SiteID uniqueidentifier Guid yes SiteID of the site.
UserID of the log-in-as user that is used as a template
UserID uniqueidentifier Guid yes for users logging in using the references authenticator.
Configuration nvarchar(4000) string no Site-specific authentication configuration.
Enabled bit bool yes Is this authenticator enabled on this site?
CreatedTime datetime DateTime yes Set only when creating
ModifiedTime datetime DateTime yes Update every time a change is made
COMPLETEFTP THIRD-PARTY COPYRIGHT NOTICES
CompleteFTP uses free software packages from a number of different third-party sources, and their copyright notices are included below.

Software Owner Copyright notice

Copyright (c) 2002-2003, The KPD-Team
All rights reserved.
http://www.mentalis.org/
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

- Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

- Neither the name of the KPD-Team, nor the names of its contributors
Mentalis SSL/TLS The KPD-Team may be used to endorse or promote products derived from this
software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 2002-2003, The KPD-Team

//
// BigInteger Class Version 1.03
//
// Copyright (c) 2002 Chew Keong TAN
// All rights reserved.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, and/or sell copies of the Software, and to permit persons
// to whom the Software is furnished to do so, provided that the above
// copyright notice(s) and this permission notice appear in all copies of
// the Software and that both the above copyright notice(s) and this
// permission notice appear in supporting documentation.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
BigInteger Chew Keong TAN // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
// OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
// HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL
// INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING
// FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
// NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
// WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
//
//
// Disclaimer
// ----------
// Although reasonable care has been taken to ensure the correctness of this
// implementation, this code should never be used in any application without
// proper verification and testing. I disclaim all liability and responsibility
// to any person or entity with respect to any loss or damage caused, or alleged
// to be caused, directly or indirectly, by the use of this BigInteger class.
//
// Comments, bugs and suggestions to
// (http://www.codeproject.com/csharp/biginteger.asp)
 /*
*
* Copyright (c) 2003 Routrek Networks, Inc. All Rights Reserved.
* Copyright (c) 2002 Chew Keong TAN
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by Routrek Networks, Inc."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
Granados SSH Routrek Networks, Inc. ** 4. The names "Routrek Networks" or "Routrek" must
not be used to endorse or promote products derived from this
Library for .NET Chew Keong TAN * software without prior written permission. For written
* permission, please contact [email protected].
*
* 5. Products derived from this software may not be called "Granados",
* appear in their name, without prior written
* permission of the Routrek Networks, Inc.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL ROUTREK NETWORKS, INC. OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
*/

Copyright (c) 2006, ComponentAce

http://www.componentace.com
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or other
ZLIB.NET ComponentAce materials provided with the distribution.
Neither the name of ComponentAce nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR
PURPOSE.

FastColoredTextBox Pavel Torgashov License: GNU Lesser General Public License (LGPLv3)
Email: [email protected].

Copyright (C) Pavel Torgashov, 2011-2014.

 //
// PrivateKey.cs - Private Key (PVK) Format Implementation
//
// Author:
// Sebastien Pouliot
//
// (C) 2003 Motus Technologies Inc. (http://www.motus.com)
// Copyright (C) 2004 Novell, Inc (http://www.novell.com)
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
Motus Technologies // without limitation the rights to use, copy, modify, merge, publish,
CryptoConvert and
Inc. // distribute, sublicense, and/or sell copies of the Software, and to
PrivateKey // permit persons to whom the Software is furnished to do so, subject to
Novell, Inc
// the following conditions:
//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
Copyright (c) 2009-2012, Studio 42
All rights reserved.

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the Studio 42 Ltd. nor the
names of its contributors may be used to endorse or promote products
elFinder Studio 42 derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL "STUDIO 42" BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The MIT License (MIT)
Copyright (c) 2011, The Outercurve Foundation.

Permission is hereby granted, free of charge, to any person obtaining a copy of

this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject
The Outercurve to the following conditions:
JsonSerializer
Foundation The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
OIOSAML.NET Digitaliseringsstyrelsen Mozilla Public License Version 1.1 (modified source published on GitHub)
Copyright (c) 2000 - 2018 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

Bouncy Castle APIs The Legion of the The above copyright notice and this permission notice shall be included in
Bouncy Castle Inc. all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
 The MIT License (MIT)
Copyright (c) 2017 akveo.com

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
ngx-admin akveo.com
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
CUSTOM EXTENSIONS
(REQUIRES ENTERPRISE EDITION)

With CompleteFTP custom extensions you can customize the behaviour of CompleteFTP by integrating your own .NET or Javascript code. Developing an extension involves
building a .NET assembly or developing Javascript code and registering it with CompleteFTP.

Types of Extensions

Five types of extensions are supported:

Authentication extensions
[.NET or JSS] Use this type of extension to implement any authentication scheme. The server calls methods in your class to find out whether the credentials presented by the
client are valid. Your class can do whatever it needs to do to work out whether or not it is valid, such as calling a webservice or invoking an RPC.

File-system extensions
[.NET or JSS] Replace the regular file-system with one of your own design. Once your file-system extension is associated with a virtual folder, it will be called by the server
whenever a client performs file operations (e.g. reading, writing, directory-listing) in that folder. Your class has complete control over how the operations are performed so it
could, for example, tap directly into your company database without accessing any real files.

Custom command extensions

[.NET or JSS] Add your own commands simply by adding methods to your custom command extension. These commands will be available to clients via SITE commands in
FTP/FTPS, via the shell in SSH and via the SSH_FXP_EXTENDED command in SFTP.

Event extensions
[.NET] CompleteFTP comes with e-mail and process-trigger event-handlers. With Event Extensions you can invoke methods on your own .NET classes when particular events
occur. Currently event extensions can be written in .NET only.

JSS-to-.NET bridge extensions

[.NET] This type of extension facilitates invocation of .NET methods from JSS. These extensions must be written in .NET.

Support

Ticket-based support is available to developers of extensions. Please direct questions to Enterprise support. In particular, if you find that data and operations that your
extensions require are not available from the classes described here then don't hesitate to request them to be made available.

Development

We can write extensions for you! Please submit your requirements to [email protected] for a quote.
HOW TO ADD A USER
Both Windows and non-Windows users can be added to CompleteFTP. By default, they will all be assigned home directories within the special folder for Common Application
Data. On XP this is often C:\Documents and Settings\All Users\Enterprise Distributed Technologies\Complete FTP\Users, while on Vista it is something like
C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Users.
See how to add a Windows user for Windows users. Windows users can also be enabled automatically - see how to configure automatic Windows users.
See how to add a non-Windows user and how to add multiple users for non-Windows users, and How to configure external users for users stored in an external database.
HOW TO SET UP A SECURE SERVER
CompleteFTP supports secure FTP via the SFTP protocol (FTP over SSH), and the FTPS protocol (or FTP over SSL). CompleteFTP also supports SCP and HTTPS (but not in
the Standard Edition).

FTPS

FTPS may be enabled by selecting the "FTPS enabled" setting (see the FTP/FTPS group of settings), and its use can be made mandatory (i.e. no 'plain' insecure
connections) by unselecting the "FTP enabled" setting. In this case users can only use FTPS, and ordinary FTP connections will be rejected (i.e. initial connection to the server
must be followed by the AUTH command).
By default, the FTPS and FTP port is port 21.

SFTP

SFTP may be enabled by selecting the "SFTP enabled" setting (see the SFTP/SCP group of settings). Similarly, SCP may be enabled by selecting the "SCP enabled" setting.
By default, the SFTP and SCP port is port 22.
SFTP, SCP and FTPS can be enabled simultaneously (and by default are).

HTTPS

HTTPS (which is HTTP secured over SSL/TLS) may be enabled by selecting the "HTTPS enabled" setting (see the HTTP/HTTPS group of settings).
HOW TO USE HTTP
CompleteFTP supports both public HTTP access to files, and authenticated access to files. HTTP directory listings are also supported (if listing permissions are in place).

Public access

For public (unauthenticated) access, the "anonymous" user (which may be found in Users panel and by selecting "Show system users/folders/sites" in the main form's Options
menu) must be enabled and the "Public HTTP access enabled" setting must be checked. Only the files accessible by the anonymous user can be viewed publicly via HTTP (i.e.
by a web browser without logging in). When the server is being accessed publicly the root of file-system is always the anonymous user's home directory, thus
http://hostname/index.html maps to /Public/index.html in the virtual file-system, assuming that /Public is the anonymous user's home directory (the default). Any access to a
path that is not accessible to the anonymous user will result in an authentication request (i.e. login dialog in the browser). The user will thus be given a chance to authenticate.
Alternatively, the default index.html file has a Login link that can be used to login (or this link, /login, can be placed on any page desired).

Private access

A particular user's files can be accessed via HTTP if the user is authenticated. For example, the user 'javaftp' normally has their files accessible under '/home/javaftp' (as long
as the General User Setting User's home folder appears as root is not selected). So all of the 'javaftp' user's files will be accessible via 'http://hostname/home/javaftp/filepath'.
When an attempt is made to navigate to this URL in a web browser, an authentication dialog will be popped up by the browser, and the 'javaftp' user's credentials can be
entered and a session established. Note that in HTTP all data sent to the server is not secure, especially usernames and passwords. If User's home folder appears as root is
enabled, the authenticated user's files are accessed ia 'http://hostname/filepath', i.e. the '/home/javaftp' part of the URL is not required. The login url http://hostname/login can
be used to authenticate if necessary.

Sessions
HTTP sessions are maintained by a cookie stored in the browser. The timeout for HTTP sessions can be set in Limits & Timeouts (in Settings). A session can also be
terminated by navigating to http://hostname/logout, and can be initiated by navigating to http://hostname/login.
HOW TO USE HTTPS
The HTTPS protocol is the HTTP protocol secured by an SSL/TLS connection. It should be used for when usernames and passwords (as well as any other sensitive data) is
sent via HTTP. A server certificate is required for HTTPS, and one is generated on installation and can be modified via Settings->FTP/FTPS->Advanced FTP/FTPS Settings-
>Security Settings. The default certificate does not have your hostname, and so browsers will raise a warning when the site is navigated to using HTTPS. A certificate authority
(CA) must be contacted to purchase a certificate for your domain to remove the browser warning. To do this, a Certificate Signing Request (CSR) must be sent to the CA. See
how to generate a CSR for more details.
HOW TO PERFORM HTTP UPLOADS
CompleteFTP supports HTTP file uploads to directories where uploads are permitted by the authenticated user. This uses the standard input element with type="file" in an
HTML form. For example: <FORM METHOD=POST ENCTYPE="multipart/form-data" ACTION=".">
<INPUT TYPE=FILE NAME="upfile"><INPUT TYPE=SUBMIT VALUE="Upload File">
</FORM> If a directory is writable, the CompleteFTP directory listing page will include an HTML form permitting HTTP file uploads into this directory.
.NET IP FILTER EXTENSIONS
Use this type of extension to implement a custom IP filtering scheme. The server calls a method in your class to find out whether or not a particular IP address should be
allowed or denied.

Creating a .NET IP Filter Extension

General instructions on building CompleteFTP .NET extensions may be found here.

.NET IP Filter Extension classes must implement the EnterpriseDT.Net.FtpServer.Core.IIPFilter interface, which has one method

IPFilterAction GetFilterAction(IPAddress address)

The IPAddress argument is the IP address of the client attempting to make a connection. The return-value can have any of three values: IPFilterAction.Deny will deny
the connection, IPFilterAction.Allow will allow the connection unless it has been auto-banned due to excessive authentication failures, and
IPFilterAction.AllowAlways will allow the connection irrespective of the number of authentication failures.
JSS API GUIDE
This document provides an overview of the API available within JSS. Full details are provided in the JSS API Reference.

1. HTTP Request and Response

Access to information about an incoming request is through a global variable called request. It provides information on query-arguments, form-arguments and cookies.

Control of the response is provided through a global variable called response. This variable is usually not required in RPCs where the result may simply be returned from the
function. When it is required it is usually to write a response using the write method. Other actions may be to return the contents of a file, which may be done using the
downloadFile property, which should be set to the path of the file that is to be returned. If forceDownload if set then the browser will offer the user to save the file rather than
attempting to render it. Requests may be redirected to other URLs by setting the redirectUrl property.

2. System

The global variable, system, represents the CompleteFTP system. It provides access to the file-system, authentication and users, databases and information about the current
server and site.

3. File-System Access
CompleteFTP's virtual file-system is available via the system.getFile(path) method. This method returns objects of the File class. The fact that an object is returned does not
imply that a file exists on that path; this may be checked using the exists() method. Refer to the API reference for more details.

4. Authentication and Users

A script may log users into CompleteFTP using the system.login(userName, password) method. This method does not return anything, but will throw an exception if
authentication fails. Once a user has logged in, information about them may be access via the system.user property.

5. Server and Site Information

Information about the current server is available via system.server and about the current site via system.site

6. Database Access

CompleteFTP implements the synchronous part of the Web SQL Database API. Databases may be opened or created using the system.openDatabaseSync(connectionString,
version) method. Currently, SQLite, SQL Server Compact, SQL Server, ODBC and OLE DB databases are supported. The first two are embedded databases, which are
contained in a single file, so the connection-string to these contain the path to the database-file in CompleteFTP's virtual file-system. For details on connection-strings, refer to
the API Reference.

Example: A contact database

An SQLite database containing contacts is created as follows:

var db = system.openDatabaseSync("~/contacts.sqlite", "");

db.transaction(function(tx) {
tx.executeSql("CREATE TABLE Contact (ContactID integer PRIMARY KEY, Name text, Phone text);");
});

A row is inserted as follows:

db.transaction(function(tx) {
tx.executeSql("INSERT INTO Contact(Name, Phone) VALUES (?, ?)", ['Joe', '123']);
});

The code below writes the names and phone numbers of all contacts to the system log:

db.readTransaction(function(tx) {
var res = tx.executeSql("SELECT * FROM Contact ORDER BY Name;");
for (var i=0; i<res.rows.length; i++) {
var row = res.rows[i];
console.log(row.Name + ", " + row.Phone);
}
});

7. Templates

The templating engine makes it easy to separate HTML code from Javascript code. The response global variable provides useful templating methods, which are mirrored in the
templater global variable (necessary if response can't be used).

8. Logging
Text may be appended to the CompleteFTP system log using the console.log(message) method. It's logged at the INFO level.
JSS FILE-SYSTEM EXTENSIONS EXAMPLE
Example

Below is the source-code for a sample file-system extension, which create a virtual file-system.

function getFileInfos(path, pattern, session, node) {

var fileInfos = [];
getDB(session, node).readTransaction(function(transaction) {
var res = transaction.executeSql("SELECT name, length, modifiedTime, createdTime FROM Files");
for (var i=0; i < res.rows.length; i ++) {
var row = res.rows[i];
fileInfos.push({
name: row.name,
isFolder: false,
length: row.length,
modifiedTime: row.modifiedTime,
createdTime: row.createdTime
});
}
});
return fileInfos;
}

function onWriteBegin() {
return { type: 'binary' };
}

function write(path, data, length, session, node) {

getDB(session, node).transaction(function(tx) {
tx.executeSql("INSERT INTO Files(name, data, length, modifiedTime, createdTime) VALUES (?, ?, ?, ?, ?)",
[path, data, length, new Date(), new Date()]);
});
}

function read(path, session, node) {

var data = null;
getDB(session, node).readTransaction(function(transaction) {
var res = transaction.executeSql("SELECT * FROM Files WHERE name=?", [path]);
if (res.rows.length > 0)
data = res.rows[0].data;
});
return { binary: data };
}

function deleteFile(path, session, node) {

getDB(session, node).transaction(function(tx) {
tx.executeSql("DELETE FROM Files WHERE name=?", [path]);
});
}

function moveFile(fromPath, toPath, session, fromNode, toNode) {

var success = false;
getDB(fromNode).transaction(function(tx) {
var res = tx.executeSql("UPDATE Files SET name=? WHERE name=?", [toPath, fromPath]);
success = res.rowsAffected > 0;
});
return success;
}

var databases = {};

function getDB(session, node) {
var db = databases[node.path];
if (!db) {
var dbFolder = system.getFile(session.fullHomePath + "/fileDBs");
if (!dbFolder.exists())
dbFolder.createFolder();
var folderName = node.path.substring(node.path.lastIndexOf('/') + 1);
db = databases[node.path] = system.openDatabaseSync(dbFolder.fullPath + "/" + folderName + ".sdf");
}

// create the Files table if it doesn't already exist

if (!tableExists(db, "Files"))
db.transaction(function(tx) {
tx.executeSql("CREATE TABLE [Files] ([name] NVARCHAR(1024), [data] IMAGE, [length] INT, [modifiedTime] DATETIME, [createdTime] DATETIME)");
});
return db;
}
 function tableExists(db, tableName) {
var rowCount = 0;
db.readTransaction(function(tx) {
var res = tx.executeSql("SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = ?", [tableName]);
rowCount = res.rows.length;
});
return rowCount > 0;
}

Main methods
Read file information from database.

function getFileInfos(path, pattern, session, node) {

var fileInfos = [];
getDB(session, node).readTransaction(function(transaction) {
var res = transaction.executeSql("SELECT name, length, modifiedTime, createdTime FROM Files");
for (var i=0; i < res.rows.length; i++) {
var row = res.rows[i];
fileInfos.push({
name: row.name,
isFoldesr: false,
length: row.length,
modifiedTime: row.modifiedTime,
createdTime: row.createdTime
});
}
});
return fileInfos;
}

Write file to database database.

function write(path, data, length, session, node) {

getDB(session, node).transaction(function(tx) {
tx.executeSql("INSERT INTO Files(name, data, length, modifiedTime, createdTime) VALUES (?, ?, ?, ?, ?)",
[path, data, length, new Date(), new Date()]);
});
}

Read file from database and return data as binary.

function read(path, session, node) {

var data = null;
getDB(session, node).readTransaction(function(transaction) {
var res = transaction.executeSql("SELECT * FROM Files WHERE name=?", [path]);
if (res.rows.length > 0)
data = res.rows[0].data;
});
return { binary: data };
}

Delete file out of database

function deleteFile(path, session, node) {

getDB(session, node).transaction(function(tx) {
tx.executeSql("DELETE FROM Files WHERE name=?", [path]);
});
}

Move file

function moveFile(fromPath, toPath, session, fromNode, toNode) {

var success = false;
getDB(fromNode).transaction(function(tx) {
var res = tx.executeSql("UPDATE Files SET name=? WHERE name=?", [toPath, fromPath]);
success = res.rowsAffected > 0;
});
return success;
}

Database methods
Returns database object for the given node.

function getDB(session, node) {

var db = databases[node.path];
if (!db) {
 var dbFolder = system.getFile(session.fullHomePath + "/fileDBs");
if (!dbFolder.exists())
dbFolder.createFolder();
var folderName = node.path.substring(node.path.lastIndexOf('/') + 1);
db = databases[node.path] = system.openDatabaseSync(dbFolder.fullPath + "/" + folderName + ".sdf");
}

// create the Files table if it doesn't already exist

if (!tableExists(db, "Files"))
db.transaction(function(tx) {
tx.executeSql("CREATE TABLE [Files] ([name] NVARCHAR(1024), [data] IMAGE, [length] INT, [modifiedTime] DATETIME, [createdTime] DATETIME)");
});
return db;
}

Returns true if a table with the given name exists in the database.

function tableExists(db, tableName) {

var rowCount = 0;
db.readTransaction(function(tx) {
var res = tx.executeSql("SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = ?", [tableName]);
rowCount = res.rows.length;
});
return rowCount > 0;
}

Common methods
1. readTransaction ( [callback] )
Run the read transaction contained in the given callback function. A SQLTransactionSync object is passed as an argument to the callback. This may be used execute queries. The
transaction is committed if the callback returns normally and rolled back if it throws an exception.

Parameters:

[callback] Function optional

callback function

[transaction] SQLTransactionSync optional

Transaction object which can be used to execute SQL queries.

2. transaction ( [callback] )
Run the non-read transaction contained in the given callback function. A SQLTransactionSync object is passed as an argument to the callback. This may be used execute queries. The
transaction is committed if the callback returns normally and rolled back if it throws an exception.

Parameters:

[callback] Function optional

callback function

[transaction] SQLTransactionSync optional

Transaction object which can be used to execute SQL queries.

3. executeSql ( sqlStatement arguments ) SQLResultSet

Execute the given SQL and return the result as an SQLResultSet object.

Parameters:

sqlStatement String

SQL statement.

arguments Array

Array containing the arguments to substitute into the statement.

Returns:

SQLResultSet

4. getFile ( path ) File

Returns a File object for the given path.
The File object may or may not represent an existing file or directory.

Parameters:
 path String

Path of file

Returns:

File
MULTIPLE SITES
The Enterprise Edition of CompleteFTP supports the creation and administration of multiple sites, in addition to the "default site" (consisting of the default ports for FTP,SFTP
and HTTP/HTTPS) and the "admin site" (the port connected to by the CompleteFTP manager to administer CompleteFTP, 14982 (for FTPS) and 14983 (for SFTP) by default.

For example, it may be desirable to have internal users access one or more intranet sites, and to create a completely different site, using different port numbers, for users
external to the organisation. This could be called the "Public Site". The external user port for FTP might be 10021, and the external user port for SFTP might be 10022.

In this situation the external firewall would be configured to forward external connections to the correct internal port numbers, which would be different to the standard port
numbers for FTP and SFTP. So external FTP users connecting to port 21 on the firewall would be forwarded to port 10021, the port on

Users can also be restricted to use certain sites, so that a separate group of logins can be maintained for external users.

In the Enterprise Edition, the available sites are listed on the left hand side of the Sites panel. Sites can be added via the 'Add site' link, and deleted via the 'Remove' link.
Extreme care should be taken when deleting sites.

The Admin site is displayed in Sites by selecting 'Show system users/folders/sites' in the Options menu at the bottom left of the window. The Admin site cannot be deleted, as it
is required to administer CompleteFTP.
NAME
mustache -- Logic-less templates.

SYNOPSIS
A typical Mustache template:

Hello {{name}}
You have just won ${{value}}!
{{#in_ca}}
Well, ${{taxed_value}}, after taxes.
{{/in_ca}}

Given the following hash:

{
"name": "Chris",
"value": 10000,
"taxed_value": 10000 - (10000 * 0.4),
"in_ca": true
}

Will produce the following:

Hello Chris
You have just won $10000!
Well, $6000.0, after taxes.

DESCRIPTION
Mustache can be used for HTML, config files, source code - anything. It works by expanding tags in a template using
values provided in a hash or object.

We call it "logic-less" because there are no if statements, else clauses, or for loops. Instead there are only tags. Some
tags are replaced with a value, some nothing, and others a series of values. This document explains the different types
of Mustache tags.

TAG TYPES
Tags are indicated by the double mustaches. {{person}} is a tag, as is {{#person}}. In both examples, we'd refer to
person as the key or tag key. Let's talk about the different types of tags.

Variables
The most basic tag type is the variable. A {{name}} tag in a basic template will try to find the name key in the current
context. If there is no name key, nothing will be rendered.

All variables are HTML escaped by default. If you want to return unescaped HTML, use the triple mustache: {{{name}}}.

You can also use & to unescape a variable: {{& name}}. This may be useful when changing delimiters (see "Set Delimiter"
below).

By default a variable "miss" returns an empty string. This can usually be configured in your Mustache library. The Ruby
version of Mustache supports raising an exception in this situation, for instance.

Template:

* {{name}}
* {{age}}
* {{company}}
* {{{company}}}

Hash:

{
"name": "Chris",
"company": "<b>GitHub</b>"
}

Output:

* Chris
*
* &lt;b&gt;GitHub&lt;/b&gt;
* <b>GitHub</b>

Sections
Sections render blocks of text one or more times, depending on the value of the key in the current context.

A section begins with a pound and ends with a slash. That is, {{#person}} begins a "person" section while {{/person}}
ends it.

The behavior of the section is determined by the value of the key.

False Values or Empty Lists

If the person key exists and has a value of false or an empty list, the HTML between the pound and slash will not be
displayed.

Template:

Shown.
{{#nothin}}
Never shown!
{{/nothin}}

Hash:

{
"person": true,
}

Output:

Shown.

Non-Empty Lists

If the person key exists and has a non-false value, the HTML between the pound and slash will be rendered and displayed
one or more times.

When the value is a non-empty list, the text in the block will be displayed once for each item in the list. The context
of the block will be set to the current item for each iteration. In this way we can loop over collections.

Template:

{{#repo}}
<b>{{name}}</b>
{{/repo}}

Hash:

{
"repo": [
{ "name": "resque" },
{ "name": "hub" },
{ "name": "rip" },
]
}

Output:

<b>resque</b>
<b>hub</b>
<b>rip</b>

Lambdas
When the value is a callable object, such as a function or lambda, the object will be invoked and passed the block of
text. The text passed is the literal block, unrendered. {{tags}} will not have been expanded - the lambda should do that
on its own. In this way you can implement filters or caching.
Template:

{{#wrapped}}
{{name}} is awesome.
{{/wrapped}}

Hash:

{
"name": "Willy",
"wrapped": function() {
return function(text) {
return "<b>" + render(text) + "</b>"
}
}
}

Output:

<b>Willy is awesome.</b>
 Non-False Values

When the value is non-false but not a list, it will be used as the context for a single rendering of the block.
Template:

{{#person?}}
Hi {{name}}!
{{/person?}}

Hash:

{
"person?": { "name": "Jon" }
}

Output:

Hi Jon!

Inverted Sections
An inverted section begins with a caret (hat) and ends with a slash. That is {{^person}} begins a "person" inverted
section while {{/person}} ends it.
While sections can be used to render text one or more times based on the value of the key, inverted sections may render
text once based on the inverse value of the key. That is, they will be rendered if the key doesn't exist, is false, or is
an empty list.
Template:

{{#repo}}
<b>{{name}}</b>
{{/repo}}
{{^repo}}
No repos :(
{{/repo}}

Hash:

{
"repo": []
}

Output:

No repos :(

Comments
Comments begin with a bang and are ignored. The following template:

<h1>Today{{! ignore me }}.</h1>

Will render as follows:

<h1>Today.</h1>

Comments may contain newlines.

Partials
Partials begin with a greater than sign, like {{> box}}.

Partials are rendered at runtime (as opposed to compile time), so recursive partials are possible. Just avoid infinite
loops.

They also inherit the calling context. Whereas in ERB you may have this:

<%= partial :next_more, :start => start, :size => size %>

Mustache requires only this:

{{> next_more}}

Why? Because the next_more.mustache file will inherit the size and start methods from the calling context.

In this way you may want to think of partials as includes, or template expansion, even though it's not literally true.
For example, this template and partial:
 base.mustache:
<h2>Names</h2>
{{#names}}
{{> user}}
{{/names}}

user.mustache:
<strong>{{name}}</strong>

Can be thought of as a single, expanded template:

<h2>Names</h2>
{{#names}}
<strong>{{name}}</strong>
{{/names}}

Set Delimiter
Set Delimiter tags start with an equal sign and change the tag delimiters from {{ and }} to custom strings.
Consider the following contrived example:

* {{default_tags}}
{{=<% %>=}}
* <% erb_style_tags %>
<%={{ }}=%>
* {{ default_tags_again }}

Here we have a list with three items. The first item uses the default tag style, the second uses erb style as defined by
the Set Delimiter tag, and the third returns to the default style after yet another Set Delimiter declaration.

According to ctemplates, this "is useful for languages like TeX, where double-braces may occur in the text and are
awkward to use for markup."
Custom delimiters may not contain whitespace or the equals sign.

COPYRIGHT
Mustache is Copyright (C) 2009 Chris Wanstrath

Original CTemplate by Google

SEE ALSO
mustache(1), mustache(7), http://mustache.github.com/
 HOW TO ACTIVATE AN INSTALLATION OF COMPLETEFTP
When a production license has been purchased, the trial installation must be activated.

This usually involves accessing the CompleteFTP Activation System on the Internet, but from 7.1.2, customers who have purchased Corporate licenses can request a universal
activation key which does not require Internet access.

The following steps should be followed if you do not have a universal AK, which will be the majority of users.

A. Run the CompleteFTP manager and connect to the CompleteFTP server instance that you wish to activate (the server instance - the CompleteFTP Windows service - may
be running on another machine). You should run the manager on a machine with internet access (although there is a work around) if you do not have a universal activation
key.
B. Select the "Licensing" menu item from the list on the left in the manager, and then select the "Activate your license" link.
C. Enter your purchase reference in the edit box indicated (Step 1), and then open the supplied URL. You will need the login details provided in your purchase email. If the
credentials and purchase reference are correct, you will see a web page called "CompleteFTP Activation System".
D. Your activation key should be displayed in the text box, and it can be copied and pasted into the CompleteFTP manager in Step 4. Select "OK" and it should now be
activated, and the license details should be displayed.

The following steps should be followed if you do have a universal AK:

A. Run the CompleteFTP manager and connect to the CompleteFTP server instance that you wish to activate (the server instance - the CompleteFTP Windows service - may
be running on another machine).
B. Select the "Licensing" menu item from the list on the left in the manager, and then select the "Activate your license" link.
C. Paste the universal AK you have been sent into the CompleteFTP manager in Step 4. Select "OK" and it should now be activated, and the license details should be
displayed.

If you need to move an instance of CompleteFTP from one server to another, or are having difficulties with activating, please email us.
GETTING SERVER DIAGNOSTICS
Server diagnostic log files can be found in CompleteFTP's configuration directory, usually here:

C:\ProgramData\Enterprise Distributed Technologies\Complete FTP\Logs

From CompleteFTP 8.0, there is a more user-friendly way to collect diagnostic details.

1. Open the CompleteFTP manager and go to the Log Files tab in the Monitoring panel.

2. Ensure that the logging level is set to Debug (or All).

3. Use "Apply changes" to save the changed settings.

4. Restart the CompleteFTP service (optional).
5. Attempt to reproduce the problem.
6. Use the "Save Diagnostics to local disk" link to download a zip file containing a sanitised version of your configuration file (without password hashes etc) and your
Diagnostics.log file.
SFTP – SSH FILE TRANSFER PROTOCOL
The SFTP protocol was developed as a solution to the limitations of SCP. It provides all the operations that have come to be expected with FTP, and is generally preferable.

SFTP does not provide authentication and security itself - it relies on the underlying protocol, usually SSH. The two protocols are commonly used together - so much so that
SFTP generally means that it is running over SSH.

CompleteFTP offers full support for SFTP.

UNIVERSAL ACTIVATION KEYS
CompleteFTP Corporate licenses entitles users to a universal activation key (UAK) for activating CompleteFTP installations.
Normally, activation keys are tied to a specific Windows installation via the Windows SID (Security Identifier). Installations need to be activated via the Internet (although the
specific machine being activated does not require Internet access - the activation key can be obtained using a machine with Internet access).
A UAK is not tied to the Windows SID, so the same activation key will work on all installations. This means it can be hard-coded into silent installations. The UAK has the name
of the licensed owner encrypted in it, which is displayed in the CompleteFTP manager's title bar.
WEB-APP EXTENSIONS

Use this type of extension to implement a web application extension. This is a class which is passed an HTTP request, does something with it, and passes back an HTTP response that is
sent back to the browser. It is only applicable to the HTTP and HTTPS protocols.

CREATING A WEB-APP EXTENSION

General instructions on building CompleteFTP extensions may be found here.

Web-app extension classes must extend EnterpriseDT.Net.FtpServer.Http.WebAppExtension.

Example

Below is the source code for a sample web-app extension that simply displays a "Hello world" message in a browser.

using EnterpriseDT.Net.FtpServer.Http;
using EnterpriseDT.Util.Debug;
using EnterpriseDT.Net.FtpServer.FileSystem;

namespace EnterpriseDT.Demo
{
public class WebAppTest : WebAppExtension
{
private Logger log = Logger.GetLogger("WebAppTest");

public override void Process(WebAppRequest request, WebAppResponse response)

{
log.Info("Process called");
response.SetResponseText("<html><body><h1>Hello world</h1></body></html>");
response.ContentType = "text/html";
}
}
}

HOW TO DEPLOY A WEB-APP EXTENSION