How to Set up BackupChain FTP / FTPS Server

How to Set up the Built-in FTP/FTPS Server

BackupChain includes a server-grade, yet simple to use, FTP and FTPS server. With this component you can set up your own secure remote storage server.

Unlike many FTP servers on the market, BackupChain’s FTP server supports secure and encrypted transfers, file name path lengths of up to 32,767 Unicode characters, and has virtually no file size limitation. This ensures that all file names are preserved and that all kinds of files on a Windows file server can be backed up correctly over the wire without issues.

Server-side scanning database

BackupChain’s FTP server offers more than just FTP. When you are dealing with very large file server backups, the files will be likely distributed over thousands if not millions of folders. When scanning folders, FTP is very inefficient because a separate request if necessary to obtain the list of files in each folder. BackupChain FTP Server, only in the Server Editions of BackupChain, contains a server-side scanning feature that compiles an up-to-date list of all files and folders on the server and transfers that to the client in compressed form. The client can then detect file changes on its own. This method eliminates 100% of all folder lookup requests and reduces transmission to just new and changed files and the initial server scan request. The benefit is especially dramatic when dealing with very large file server backups, where time savings can exceed 90%.

For VM-related or small scale backups, the server-side scanning feature is not necessary, as the number of files and folders is small, even if the files themselves are rather large. You can switch off the use of server-side scanning in the Speed tab of your backup task (“Enable folder cache” setting).

Incremental and Differential Deduplication

BackupChain supports incremental, file-level deduplication over plain FTP. This allows efficient backups of large virtual machines and databases over the wire via the traditional incremental backup scheme: a full, compressed backup is followed by N increments or differentials, forming a backup chain.

Security Features

BackupChain’s FTP Server will ban an IP address for three minutes if the user name / password combination is incorrect. If you accidentally misspell the password or user name when connecting to the server, you need to wait three minutes before retrying. This helps counteract brute force attacks. Also the password has to be at least eight characters long.

The FTP server can be configured with permitted IP ranges per user, so that you can minimize the probability for an attack. By only allowing a particular IP or specific IP ranges to access a user’s data, you can be certain that no outsider can try to break into the account from other locations.

Reliability Features

BackupChain’s FTP connections are automatically reconnected and resumed when a link breaks. If the link fails for extended periods, the file is skipped and an error is logged.

Setting up the FTP Server

Select “FTP Server” and “Edit FTP Server Settings” from the main menu:

The FTP Server Settings screen opens up:

Note: In order to change the base FTP server’s settings, such as port numbers, you need to take the server offline (left-most button at the bottom “Turn FTP Server OFF”) if the server is currently running. The other settings found in the User Accounts tab may be edited while the FTP server is running.

First you need to select a primary port and PASV port number. It’s recommended to use numbers above 5000 and the numbers shouldn’t conflict with other services installed on the computer.

You can check the local availability of the port numbers you entered by clicking “Check Port Availability” or by using the command-line utility “netstat” with –a switch: “netstat –a” to see all occupied ports on a system.

If you have a DSL or wireless home router with UPnP capabilities, you can check the option “Automatic Internet Router Configuration” and then click “Check Port Availability” to have BackupChain automatically open up the ports with your Internet router. The Windows Service “SSDP Discovery” Service needs to be enabled and running for this feature to work and your Internet router must support UPnP configuration.

For FTP transfers, you either need a static IP address on the Internet or a dynamic DNS service, such as no-ip.com or dyndns.org. Basically you need to provide a host name for external computers to access your FTP server. The example above uses the internal IP address “192.168.1.247” but you could also enter a static public IP address instead if you have one, or a domain name, like “myserver.mydomain.com”.

In order to use FTPS (FTP over TLS / SSL), which is an encrypted and secure form of FTP that doesn’t expose user name and passwords or data to other parties that may be eavesdropping the link, you need to either use a self-signed server certificate, or if you bought an SSL certificate you can provide the full path to the pfx file name and the password you used when you created the certificate with the certificate authority.

“Require SSL connections” will cause BackupChain to drop client links that do not ‘upgrade’ to a secure link when connecting; i.e., only secure links will be accepted to proceed with user authentication and data transfers.

“Use Certificate File” allows you to select your SSL certificate in pfx file format. If you don’t select one, the server will generate a self-signed certificate automatically and you can still use encrypted links via FTPS.

Adding FTP Users

Switch to the User accounts tab and click “add new user”:

You need to have at least one FTP user set up and have assigned that user to a folder on your computer. That folder will be used to store the incoming backups of that user. In our example above, user name “BaltimoreStoreEast” with password “12345678” is assigned to the folder W:\baltimoreeast.

You can create as many users as you like and assign them to different folders. Each FTP user is confined to their private folder and cannot enter other folders on your computer.

Note: Passwords need to be at least eight characters long.

AFD: Means “apply file date to file storage”. If enabled, this feature requires that you use “BackupChain FTP Server” type at the client side where you send the backups to the server. The AFD stores the file date of a file into the file system of the server. Otherwise, the file information is kept as a suffix in the file name. This preserves the file date with high accuracy on systems where this can’t be done otherwise. For example, the file with name abc.txt will end up being “abc.txt.fastneurondate201804061919520637UT” without the AFD feature. Note that when you restore files through BackupChain, the original file name is restored as well. The suffix containing the date information is removed during restore. The AFD feature is useful for those settings where you want to be able to access the file as-is directly from the FTP folder and wish to keep the original file name.

Permitted IP ranges. Here you can specify certain IPs and IP ranges that are allowed to access the account. This is a very useful tool and allows you to minimize the attack surface of the server. It’s not unusual for hackers to use port scanners and dictionary based brute force attacks to try to break into servers. By only permitting certain IPs and/or IP ranges, you can protect your server from such attacks. Also note the server will ban a client’s IP for three minutes when the user/password combination is invalid. If you are setting up a server and misspell the password, you will need to wait for three minutes before retrying.

Multiple IPs and ranges can be entered with a comma separator. Enter a range using the ‘-‘ minus symbol. Example entries: 1.2.4.5, 2.3.4.5-2.3.4.255, 10.20.30.40

Starting the FTP Server

After saving all your settings, click FTP Server is Offline and after a pause it should switch to “Online” and indicate that your FTP server has been started.

Testing FTP Server Connectivity

The Test Connectivity button uses the first user on your list to connect to the server internally. This only works if the first user is configured properly and if the server can handle internal connections. If your FTP server is configured with the external IP address and you run the test from inside your LAN, the router must be capable of rerouting the request within the LAN. Some routers can’t and an error will be reported. In those settings you can use the server only from external networks or you need to specify a local IP and use the server only within the LAN.

In order to test external access to your FTP server, and to be sure your firewall and Internet router settings are correct, you need to use another computer outside of your office or home network and connect to the external address you set up with the FTP server.

For example we would open an FTP client or a browser and enter this address:

ftp://backup.fastneuron.com:7777

Then, when the browser asks for a user name and password, we enter “BaltimoreStoreEast” and “12345678”, as configured earlier.

Note that Internet Explorer does not support FTPS; hence, you will have to use an explicit FTPS capable client for testing, such as the test button in BackupChain’s FTP backup target settings.

Current Sessions

In the Current Sessions tab you can see all sessions that are currently connected to the server with speed, IP and user information:

The server also produces a log that you access via the Log Viewer button.

Helpful Hints

If you have not configured internet servers before, feel free to reach out to our technical support team.

Below are some hints to help you set up the network so you can provide access from the public internet to your FTP server:

1. BackupChain’s FTP server needs to be set up as described above before anything else

2. A firewall exception to the Windows Firewall is added automatically. If you use a 3^rd party firewall system, you must allow incoming TCP traffic on the port numbers chosen in the BackupChain’s FTP server configuration screen.

3. Make sure the port numbers you chose are actually available and not in use. Use netstat –a to see if another service is listening on the desired port number.

4. Use non-standard ports for better security, above 5000.

5. Use static IP addresses inside your LAN on the computer running the FTP server

6. Use a static IP address for your internet router so it can be accessed reliably from the internet. If that’s not possible, sign up for a dynamic DNS service that will map a custom domain name to your current IP address and update the mapping automatically.

7. Use port forwarding for the ports configured. If the main port forwards correctly but the data ports don’t, you will see download/upload errors. If only some data ports are affected you will see sporadic connectivity issues in the logs for some files.

8. You need to be aware of the fact that some ISPs block certain ports on either the sender’s or the receiver’s side. If you define a wide range of data ports, one of them could be potentially blocked. It’s best to use high port numbers to avoid this and test the connection from outside to be certain that sender and receiver have a clear path.

9. Some ISP break TCP links after a while on purpose (based on use, duration, port number, and other unknown factors). This will cause connectivity issues. However, BackupChain can recover from most by retrying the operation.

10. Firewalls may be prohibiting outbound traffic (the Windows Defender Firewall generally does not but can be configured that way). Outbound traffic is not needed for the FTP server side.

11.Some smarter router and firewalls try to ‘listen’ into the protocol and may mistake the communication as a malware threat. Use FTPS (explicit FTP over TLS/SSL), which is encrypted, to avoid these issues.

12. Always use FTPS unless there is a good reason not to. Plain FTP exposes the connection password in clear text to eavesdroppers on the network. If FTP is used over a trusted VPN, performance is better without FTPS.