V.

11
Cerberus, LLC 

Cerberus F
​ TP Server 
User Manual 
Detailed steps and help on configuring Cerberus FTP Server. 
C​ONTENTS 
1.0 Introduction 15 

1.1 Description 15

1.2 Guide 15

2.0 Minimum System Requirements 16 

2.1 Hardware Requirements 16

2.2 Operating Systems 16

2.2.1 Cerberus FTP Server 11.0 16

2.2.2 Cerberus FTP Server 10.0 and 9.0 16

3.0 Installation 17 

4.0 Upgrading an Existing Installation 20

4.1 Method 1: Using the Auto-updater 20

4.2 Method 2: Manually downloading and running the latest Installer 21

5.0 Getting Started - Initial Setup Wizard 22 

5.1 The Wizard 22

5.1.1 Step 1 - Licensing 22

5.1.2 Step 2 - Initial User Creation 23

5.1.3 Step 3 - Network Setup 24

5.1.3.1 Public IP Auto-detection for Passive Mode FTP 24

5.1.4 Step 4 – Security 25

5.1.4.1 Web Administration Password 26

5.1.5.2 Protocol Security 26

5.1.5.3 Final Steps 26

6.0 Getting Started - Network Setup 27 

2
 6.1 Basic Setup so users can connect from the Internet 27

6.1.1. Step 1 - Control Connection 27

6.1.2 Step 2 - Passive Mode 27

6.1.3 Step 3 - Firewall 27

7.0 How many types of FTP are there? 28 

7.1 Controlling what types of FTP are Allowed 28

7.1.1 Restricting FTP connections at the User level 28

7.1.2 Restricting FTP connections at the Listener level 29

8.0 SSH2 SFTP Setup 30 

8.1 About SSH SFTP Support in Cerberus FTP Server 30

8.2 Supported SSH2 Key Exchange Methods 30

8.3 Supported SSH2 Ciphers 30

8.4 Supported SSH2 MAC Algorithms 31

8.5 Adding an SSH2 SFTP Listener 31

8.6 Allowing SSH2 SFTP Connections through a Firewall 31

8.7 Enabling or Disabling Existing SFTP Listeners 31

9.0 Configuring the Server 32 

9.1 Allowing External Access to your Server 32

9.1.1 The control connection 32

9.1.2 The data connection 32

9.2 Common Network Configurations 33

9.2.1 Configuration 1: Your computer is connected directly to the Internet 33

9.2.2 Configuration 2: Your computer is connected to a router, and the router is connected to
the Internet 33

3
10.0 The Summary View 35 

10.1 Understanding the Summary View 35

10.2 Common System Messages 35

10.2.1 “FTP Listener X can allow unencrypted control or data connections” 36

10.2.2 “HTTP Listener X only accepts unencrypted connections” 36

10.2.3 “HIPAA Non-compliance: One or more listeners allows non-encrypted traffic” 36

10.2.4 “FXP is enabled and could leave the server vulnerable to an FTP bounce attack” 37

10.2.5 “Server is configured to allow FTP data connection to reserved ports” 37

10.2.6 “You should set a Remote Access password” 37

11.0 The User Manager 38 

11.1 About Cerberus FTP Server Authentication 38

11.2 Adding a new user 38

11.3 Configuring a user for SSH Public Key Authentication 41

11.4 The Virtual Directory System 42

11.5 Simple Virtual Directory mode 42

11.6 Standard Virtual Directory mode 42

11.6.1 A Virtual Directory Mode Example 42

11.6.2 Variables that can appear in Virtual Directory Names and Paths 43

11.7 Adding a virtual directory to a user account 43

11.8 Virtual Directory Permissions 44

12.0 Cerberus Group Accounts 45 

12.1 About Groups 45

12.2 Overriding Group settings for a User 46

12.3 Adding a new group 46

4
13.0 User Policy Settings 48 

13.1 Password Complexity Requirements 48

13.2 Password Change Policy 49

13.3 Password History 50

13.4 Authentication Order 50

13.5 Authentication Requirements 51

14.0 General Settings 53 

14.1 Configuring General Settings 53

14.2 General 54

14.3 Network 54

14.4 Notification 55

15.0 Protocol Settings 56 

15.1 FTP/S Settings 57

15.1.1 PASV Port Range 57

15.1.2 Advanced FTP/S Settings 57

15.1.2.1 FTP Directory Listing Time Format 57

15.1.2.2 FTP MDTM Time Format 57

15.1.2.3 FTP Compression 58

15.1.2.4 FTP Miscellaneous 58

15.2 SSH SFTP Settings 59

15.3 Advanced SSH Settings 59

15.4 HTTP/S Settings 59

16.0 Configuring Logging Support 61 

16.1 Auditing 61

5
 16.2 Log File Location 61

16.2.1 On Windows Vista, Windows 2008 and above 61

16.2.2 On Windows 2003, XP, and 2000 61

16.3 Configuring Logging 61

16.3.1 Example Syslog log4j.xml Configuration File 63

16.3.2 Example Daily Rollover log4j.xml Configuration File 63

16.3.3 Log File Location and Naming 64

16.4 Screen Logging Settings 64

16.4.1 Root Log Level 64

16.4.2 Syslog Support 66

17.0 Interface Settings 67 

17.1 Configuring Interface Settings 67

17.2 Types of Listeners 68

17.3 Adding a New Interface Listener 68

17.4 Interface Settings 69

17.5 The "Default" Interfaces 71

17.6 Interface Status Controls 71

17.7 The HTTP/S Web Client 72

17.8 Security 72

17.8.1 Additional Web Client features include: 72

17.9 Public File Sharing 73

17.10 Emailing a link to a Public File 73

17.12 Adding an HTTP/S Listener 74

17.13 Web Client Customizations 75

6
 17.13.1 Changing the Company Logo and Login Image 75

17.13.2 Changing the Login Welcome Message 76

17.13.3 Custom Web Client Themes 76

17.13.4 Further Web Client Customizations 76

18.0 Web Account Requests 77 

18.1 Allowing Users to Request Accounts through the Web 77

18.1.1 Requesting a New Account 77

18.1.2 Enabling or Disabling Account Requests 78

18.2 Approving or Denying Account Requests 78

19.0 Security Settings 80 

19.1 Configuring Security Settings 80

19.1.1 Digital Certificate Support 80

19.1.2 About Certificate Authorities 80

19.3 TLS/SSL Security 81

19.3.1 General 81

19.3.2 Advanced TLS Options 83

19.3.3 DUO 2FA 84

Setting up DUO in Cerberus 85

19.3.4 Client Verification 86

19.5 DSA Certificates and Ephemeral Diffie-Hellman Keys 87

19.6 Elliptic Curve SSH Support 87

20.0 Remote Settings 88 

20.1 Configuring Remote Settings 88

20.1.1 General SOAP Settings 89

7
 20.1.2 SOAP TLS Settings 90

20.1.3 Administrator Accounts 90

20.1.4 Secondary Web Administration Accounts 91

21.0 Setting up a Database for Statistics 92 

21.1 Installing Microsoft SQL Server 2012 LocalDB 93

21.1.1 For the 64-bit version of Cerberus FTP Server: 93

21.1.2 For the 32-bit version of Cerberus FTP Server: 93

21.2 Selecting a Database 93

21.3 Database Backup and Restore 94

22.0 Advanced Settings 95 

22.1 Configuring Advanced Settings 95

22.1.1 Send and Receive Buffers 95

22.1.2 Interface Advanced Settings 96

22.1.3 Advanced Windows Settings 96

23.0 The IP Manager 97 

23.1 General Settings 97

23.1.1 Adding a single IP address to the IP manager policy 98

23.1.2 Adding a range of IP addresses to the IP manager policy 98

23.1.2.1 CIDR Support 98

23.1.3 Deleting an IP addresses from the current policy 98

23.1.4 Searching for an IP Address 98

23.2 The "Auto-Blocking" page 98

23.2.1 Immediately Ban these Users 100

23.2.2 Differences in Auto-blocking between Allow and Deny mode 100

8
24.0 The Event Manager 101 

24.1 About Event Rules 101

24.2 The Event Targets page 101

24.2.1 Available Target Types 102

24.2.1.1 SMTP Server Targets 102

24.2.1.2 Executable Targets 102

24.2.1.3 HTTP Post Targets 103

24.2.2 Adding a New Event Target 103

24.2.3 Modifying an existing event target. 103

24.3 The Rules page 103

24.4 Editing a Rule 103

24.4.1 Available Event Rule Types 104

24.4.2 Adding a New Rule or Editing an Existing Rule 106

24.4.2.1 To add a new rule: 106

24.4.2.2 To edit an existing rule: 106

24.4.3 Changing the Name of a Rule 106

24.5 Adding Rule Conditions 106

24.5.1 Rule Matching Modes 106

24.5.2 Rule Variables 107

24.5.2 Comparison Operations 107

24.5.3 Deleting an Event Condition 107

24.6 Rule Actions 107

24.6.1 Adding Rule Actions 108

24.6.2 To add a new Action to a Rule: 108

9
 24.6.3 Editing an Existing Rule Action 109

24.6.4 Deleting an Existing Rule Action 109

24.6.5 Changing the order an action is executed 109

24.6.6 Creating a Failure Action 109

24.6.6.1 Removing a failure action 110

24.7 Event Tasks 110

24.8 Adding a schedule to an Event Task 110

25.0 Adding and editing Event Task Actions 111 

26.0 Folder Monitors 111 

26.1 Other Event Settings 111

27.0 The Report Manager 112 

27.1 Generating a Report 113

27.1.1 File Access Reports 114

28.0 Localization 115 

29.0 LDAP Authentication 116 

28.1 Default Virtual Directory Mapping for LDAP Users 118

29.1 Setting up Active Directory Authentication using LDAP 120

29.2 LDAP User to Cerberus Group Mapping 122

29.2.1 Creating an LDAP User to Cerberus Group Mapping 122

29.2.2 Removing an LDAP mapping 123

29.3 LDAP User Two Factor Authentication Control 123

30.0 Active Directory Authentication 123 

30.1 About Active Directory Integration 123

30.2 Default Virtual Directory Mapping for AD Users 125

10
 30.2.1 Active Directory FTP Security Group 127

30.3 Authenticating Against more than one Active Directory Domain 127

30.4 Understanding Windows Authentication 127

30.4.1 The "Guest" Account 127

30.5 Active Directory User to Cerberus Group Mapping 127

30.5.1 Creating an AD User to Cerberus Group Mapping 128

30.5.2 Creating an AD Group to Cerberus Group Mapping 128

30.5.3 Removing an AD mapping 129

30.6 Domain Controller Bind Options 129

30.7 AD User Two Factor Authentication Control 130

31.0 Entering a license for Cerberus FTP Server 131 

31.1 The Registration dialog box 131

32.0 The Synchronization Manager 133 

32.1 Backup Server Requirements 134

32.2 Available Settings 135

32.2.1 Backup Server 135

32.2.2 Synchronization Settings 135

33.0 Server Certificates 135 

33.1 What is a Server Certificate? 136

33.2 Can I just use a Self-Signed Certificate? 136

33.3 More Information 136

34.0 Certificate Signing Request 136 

34.1 Creating a Certificate Signing Request 137

34.2 Submitting your CSR to a Certificate Authority 138

11
 34.3 Assigning your Certificate and Private Key in Cerberus FTP Server 138

35.0 Installing a Digital Certificate 138 

35.1 Digital Certificate Support 139

35.2 Creating a Self-Signed Certificate 139

35.2.1 Steps to Create a Self-Signed Certificate: 139

35.3 Using a Certificate created by a 3rd Party Certificate Authority 141

35.3.1 Steps to Import a 3rd Party Certificate: 141

36.0 Clustering 141 

36.1 Failover Clustering and Load Balancing 142

36.2 Load Balancing Exceptions 142

37.0 Web Services API Support 142 

37.1 What is SOAP and How Does Cerberus Use It? 143

37.1.1 What is SOAP? 143

37.1.2 How Cerberus uses SOAP 143

37.1.3 What you can do with SOAP 143

37.2 Available Features 143

37.3 Example SOAP applications 144

37.4 Access URL 144

37.5 Security Considerations 145

37.6 Calling Cerberus SOAP API from PowerShell 145

37.6.1 Introduction 145

37.6.2 Quick Start - HelloCerberus.ps1 146

37.6.3 Stepping Through the Code 147

37.6.4 Security Considerations 149

12
 37.6.5 Securing Cerberus SOAP API Service Endpoint 150

37.6.6 Conclusion 151

37.7 Understanding Cerberus SOAP API 152

37.7.1 Introduction 152

37.7.2 Where to Go From Here 155

37.7.3 Conclusion 156

37.8 Cerberus User Modifications with PowerShell 161

37.8.1 Introduction 161

37.8.2 Running Example-UserManipulation.ps1 161

37.8.3 Setup SOAP Connection 162

37.8.4 Create a New Test User 163

37.8.5 Get a list of All Cerberus Users 164

37.8.6 Modify Email Address of a User 165

37.8.7 Change Password of a User 166

37.8.8 Add Virtual Directory to a User 167

37.8.9 Delete a User 169

37.8.10 Conclusion 169

37.9 Cerberus Group Modifications with PowerShell 169

37.9.1 Introduction 169

37.9.2 Code Walk-Through 171

37.10 Cerberus SOAP API Reference 181

38.0 Command Support 188 

38.1 FTP Commands Supported 188

13
14
1.0 I​NTRODUCTION 

1.1 D​ESCRIPTION  

Cerberus FTP Server provides a secure and reliable file transfer solution for the demanding IT
professional or the casual file sharer. Supporting SFTP, FTP/S, and HTTP/S, Cerberus is able to
authenticate against Active Directory and LDAP, run as a Windows service, has native x64 support,
includes a robust set of integrity and security features and offers an easy-to-use manager for controlling
user access to files and file operations.

1.2 G​UIDE

For additional help and troubleshooting information, take a look at the ​Cerberus FTP Server FAQ​.

You can also access the most recent ​help documentation online​.

15
2.0 M​INIMUM​ S​YSTEM​ R​EQUIREMENTS  
This section describes the minimum hardware and software requirements to install and run Cerberus
FTP Server.

2.1 H​ARDWARE​ R​EQUIREMENTS 

● 2GHz x86 or x64 processor

● 2 GB RAM (4 GB or higher recommended

● WXGA (1280 x 768) or higher-resolution monitor

2.2 O​PERATING​ S​YSTEMS 

Note: The latest Service Packs for your operating system are required in all cases.

2.2.1 C​ERBERUS​ FTP S​ERVER​ 11.0 

● Windows 7
● Windows 8
● Windows 10
● Windows Server 2012 and R2
● Windows Server 2016
● Windows Server 2019

2.2.2 C​ERBERUS​ FTP S​ERVER​ 10.0 A

​ ND​ 9.0 

● Windows 7
● Windows 8
● Windows 10
● Windows Server 2008 and R2
● Windows Server 2012 and R2
● Windows Server 2016
● Windows Server 2019

The latest Service Packs for your operating system is ​highly​ recommended.

16
3.0 I​NSTALLATION  
Close all other programs (recommended) before installing Cerberus FTP Server and make sure that
you install it logged in as Administrator or a member of the Administrators group if you are installing it
on a Windows Server system.

1. Download the latest version of Cerberus FTP Server from ​http://www.cerberusftp.com/download/

We recommend the 64-bit version of Cerberus FTP Server.

2. Double click or run the ​CerberusInstall64.exe​ self-extracting installer.

3. You will see the initial setup screen. To continue you will need to check the box to confirm your
acceptance of the licensing agreement. Select the "​I agree to the License terms and conditions​"
checkbox and click ​Install.

17
3. Wait for the installer to finish.

18
4. Click ​Finish ​or press the​ Run ​button to launch the Cerberus FTP Server Administration Tool.

19
4.0 U​PGRADING​ A
​ N​ E​XISTING​ I​NSTALLATION 
There are two methods for upgrading an existing installation of Cerberus FTP Server. You can use the
built-in auto-updater, or you can download the latest installer and run it to manually upgrade your
installation. Both methods are discussed below.

When upgrading using either method, the installer first stops the Cerberus FTP Server service,
uninstalls the existing Cerberus FTP Server installation, then installs the latest release. The
uninstallation only affects the actual program files. The server configuration and user settings are never
removed.

An upgrade usually takes about 5 minutes, and almost never requires a reboot. The Cerberus FTP
Server service will be unavailable during the upgrade.

NOTE:​ We always recommend making a backup of your users and settings from the Cerberus ​Tools​ menu before
upgrading. Select the ​Backup Users and Settings​ option to create a zip file of all of your Cerberus settings and users.

4.1 M​ETHOD​ 1: U​SING​ ​THE​ A​UTO​-​UPDATER 

The Cerberus FTP Server automatic updater will check for a new release of Cerberus FTP Server, and
allow you to download and run the updater to upgrade your installation. To check for an update and,
optionally, install it:

1. Select the ​Help​ menu option from the main menu.

2. Select the ​Check for Update​ menu option.
3. You will see the ​Upgrade Check​ dialog. It will list the current version installed, including whether
you have the 32-bit or 64-bit version installed, and any updates that are available.
4. If no ​updates​ are available, the Current Version and Latest Version will be the same, and the
Update​ button will be disabled. If this is the case, you have the latest release and can press the
Close​ button to end the update process.
5. If a new release is available, the ​Update​ button will become enabled and a list of changes since
your current version was released will be listed in the release notes list box.
6. Press the ​Update​ button to automatically download the latest release and begin the update
process.
7. Once the download has completed, the Cerberus UI will close and shutdown and the installer will
automatically launch. You should select the default options for any questions in the installer. The
installer will automatically remove your existing installation (users and settings are never removed
during an uninstallation) and then install the latest release. All of your existing users and settings
will be preserved.
8. Finish the installation and you are done. The latest version of Cerberus FTP Server should now
be installed and running.

20
4.2 M​ETHOD​ 2: M​ANUALLY​ ​DOWNLOADING​ A
​ ND​ ​RUNNING​ ​THE​ ​LATEST​ I​NSTALLER 

You can manually download the latest installer and use it to upgrade your installation if you cannot use
the auto-updater. The installer will upgrade an existing installation to the latest release. To download
and run the latest installer:

1. Go to the Cerberus Download page

2. Download the latest 32-bit or 64-bit installer.
3. Shutdown the Cerberus FTP Server UI. Go to the File menu and select the Exit menu option. You
should also shut down the Cerberus FTP Server Window Service. The installer will normally be
able to shut down the service, but on rare occasions, the automatic shutdown will not work.
Shutting down the Cerberus Windows Service before installation ensures a restart will not be
necessary after the installation completes.
4. Launch the installer. You should select the default options for any questions in the installer. The
installer will automatically remove your existing installation and install the latest release. All of
your existing users and settings will be preserved.
5. Finish the installation and you are done. The latest version of Cerberus FTP Server should now
be installed and running.

21
5.0 G​ETTING​ S​TARTED​ - I​NITIAL​ S​ETUP​ W​IZARD  

5.1 T​HE​ W​IZARD 

The Getting Started Wizard will appear when you start Cerberus FTP Server for the first time. The
wizard is designed to walk you through the basic steps of configuring the server to allow clients to
connect. At the end of the Getting Started Wizard, your server should be ready to accept connections
from FTP, FTPS, SSH SFTP, and HTTP clients.

5.1.1 S​TEP​ 1 - L​ICENSING 

The Licensing page allows the administrator to select the licensing option most appropriate for their
intended use of Cerberus FTP Server. There are two options:

● Selecting “​As a Company, Government entity, or Educational institution”​ enables a 25 day

trial period of the Enterprise edition of Cerberus FTP Server. During the trial period, the server will
perform and function as the Enterprise edition. Cerberus FTP Server reverts to the Home edition
after the evaluation period expires and a message indicating that the server is unregistered will
be added to the server welcome message for each connection. At any time, including after the
trial period has expired or even if "For Personal Use" was selected at startup, Cerberus may be
turned into the full commercial Personal, Standard, Professional, or Enterprise edition by entering
a valid registration code into the license dialog.

● Selecting the ​“For Personal, Home Use Only”​ option immediately causes Cerberus to function
as the Home edition. This license is only permitted for at home, personal use of the FTP server.
The Home edition is limited to at most 5 simultaneous FTP or FTPS connections. A message
indicating that the server is Cerberus FTP Server Home edition will also appear in the FTP
welcome message whenever a client connects to the server. In all other respects, Cerberus FTP
Server Home edition is functionally equivalent to the licensed Personal edition.

Licensing Page of the Getting Started Wizard

22
5.1.2 S​TEP​ 2 - I​NITIAL​ U​SER​ C​REATION 
The User Creation page will allow you to automatically create a simple user account with access to a
directory on the local machine. You can use this account to test out your initial connection to the server.
You can turn off the creation of the user account by un-checking the "Create an Initial User?" checkbox.

You can create an ​anonymous​ user that will be created under the User Manager.

The ​anonymous​ user will have download and upload-only access to the "C:\ftproot" directory as their root
drive. This directory will be created if it does not already exist.

Please note, creating an anonymous user allow anyone to connect to your FTP server without
specifying a password. Using the default settings, anyone can view and download any file from
your "C:\ftproot" directory and any subdirectories of that directory.

You can further customize the newly added user, or create and manage additional users, through the
User Manager after the "Getting Started" wizard has finished.

23
5.1.3 S​TEP​ 3 - N​ETWORK​ S​ETUP 

The Network Setup page detects basic network settings and tries to provide advice on any changes that
may need to be made because of the computer's network configuration.

5.1.3.1 P​UBLIC​ IP A​UTO​-​DETECTION​ ​FOR​ P​ASSIVE​ M​ODE​ FTP

The most complex task in configuring basic FTP access to your server is preparing the machine to
accept FTP data connections. Unlike SSH SFTP or HTTP/S protocols, FTP is complicated by the need
for two connections for each client session. The first connection is established when the client initially
connects and is used to exchange commands and status between the FTP server and the client. A
second connection is created every time a directory listing or file transfer takes place. Whenever a
directory listing or file transfer is requested, the FTP server has to respond with an IP address and port
that the client can connect over to establish the secondary data connection. To aid the server in
determining what IP address to give to the client, the server can be configured to automatically detect
the IP address of the server on the internet and use this IP address when sending the client connection
instructions.

24
After clicking the Next button on the Network Setup page a dialog prompt will ask whether you want to
allow Cerberus to automatically attempt to detect your public IP address. We normally recommend you
answer ​Yes​ here. Answering yes will instruct Cerberus to automatically attempt to detect and use the
correct external IP address when clients request passive FTP data connections.

5.1.4 S​TEP​ 4 – S​ECURITY 

The last page of the Getting Started Wizard will allow the administrator to configure a few basic server
security settings.

25
Cerberus FTP Server fully supports TLSv1/SSLv3 encryption over FTP (FTPS), HTTPS, and SSH
SFTP.

To enable FTPS, HTTPS, and SSH SFTP support, a digital certificate must be generated for the server.
This digital certificate contains the necessary security data to allow the server to establish encrypted
connections with clients.

Cerberus FTP Server will automatically generate a new self-signed certificate for you the first time you
run the Getting Started Wizard. You can replace the certificate at any time through the Security page of
the Server Manager.

5.1.4.1 W​EB​ A​DMINISTRATION​ P​ASSWORD

You also have the option to configure a web administration and remote API access password on the
Security Wizard page. You should set a strong password here even if you are not using web
administration. Please note that the password strength estimation meter is only meant as a guide. It will
flag obviously poor passwords but there is no official weighting system and this meter should only be
utilized as a loose guide to improving your password.

5.1.5.2 P​ROTOCOL​ S​ECURITY

The last option allows you to configure the server to only accept encrypted FTP connections. Normal
FTP has no encryption and therefore allows passwords and data to be transmitted unencrypted over a
network.

Fortunately, it is possible to establish a normal unencrypted FTP connection and then "upgrade" the
connection to secure encryption through special FTP commands (this enhanced protocol is called
FTPES). This type of connection depends on the client issuing FTP commands instructing the server to
establish encryption before accepting login credentials. However, the client can also continue as a
normal FTP connection without enabling encryption. This situation allows for unencrypted connections
and presents a security issue for servers.

If you wish to allow FTPES secure connections, but not FTP, then you must instruct the server to
require encryption before allowing a connection to proceed.

Checking this option does exactly that. It requires the client to upgrade the connection to use encryption
before allowing login.

5.1.5.3 F​INAL​ S​TEPS

Click the Finish button to complete the Getting Started Wizard. Your server is now ready to accept local
network FTP/S, SSH SFTP, or HTTP/S web client connections. Please take a look at the next section
for any changes that might need to be made to your firewall or router to allow connection from outside of
your local network to reach your server.

26
6.0 G​ETTING​ S​TARTED​ - N​ETWORK​ S​ETUP  

6.1 B​ASIC​ S​ETUP​ S​ O​ U

​ SERS​ ​CAN​ C
​ ONNECT​ ​FROM​ T​ HE​ I​NTERNET  

FTP connections within your local network usually work without any problems. However, when you want
the FTP server to be available outside of your local network, additional steps are often necessary to
make the server visible to the outside world. The following steps are usually required to allow Cerberus
FTP Server to be accessed from the Internet:

6.1.1. S​TEP​ 1 - C​ONTROL​ C​ONNECTION 

The control connection port Cerberus FTP Server is listening on needs to be forwarded from your router
to the machine hosting Cerberus. The default port that Cerberus listens on is port 21. Consult your
router documentation for instructions on how to setup port forwarding. Finishing this step will allow
Internet users to establish a connection with your server. The next step is making sure ​passive mode​ is
configured so that directory listings and file transfers work.

6.1.2 S​TEP​ 2 - P​ASSIVE​ M​ODE 

To allow passive mode to work properly, you must forward the passive range of ports from your router
to the machine running Cerberus. See ​"My IP address begins with 192.168.xxx.xxx. Is there anything
special I have to do for people to see my FTP Server on the Internet?" ​for detailed instructions on how
to make sure passive mode is set up properly. If you don't perform this step, users may be able to log in
but directory listings may hang and timeout.

6.1.3 S​TEP​ 3 - F​IREWALL 

Make sure any firewalls you are running are allowing connections on port 21. Cerberus will
automatically attempt to add itself to the Windows Firewall Exception list (you will be prompted to allow
this). However, you may still have to manually add an exception to allow port 21 connections into your
computer.

27
7.0 H​OW​ M
​ ANY​ T​ YPES​ ​OF​ FTP A
​ RE​ ​THERE​? 
There are three types of FTP connections possible (Cerberus FTP Server supports all three):

FTP​: Plain, unencrypted FTP that defaults over port 21. Most web browsers support basic FTP.

FTPS​: Implicit SSL/TLS encrypted FTP that works just like HTTPS. Security is enabled with SSL as
soon as the connection starts. The default FTPS port is 990. This protocol was the first version of
encrypted FTP available, and while considered deprecated, is still widely used. None of the major web
browsers support FTPS.

FTPES​: Explicit FTP over SSL/TLS. This starts out as plain FTP over port 21, but through special FTP
commands is upgraded to TLS/SSL encryption. This upgrade usually occurs before the user credentials
are sent over the connection. FTPES is a somewhat newer form of encrypted FTP (although still over a
decade old), and is considered the preferred way to establish encrypted connections because it can be
more firewall friendly. None of the major web browsers support FTPES.

 7.1 C​ONTROLLING​ W
​ HAT​ T​ YPES​ ​OF​ FTP A
​ RE​ A​LLOWED 

You can control the types of FTP connections allowed at both the user level, and at the listener level.

7.1.1 R​ESTRICTING​ FTP C

​ ONNECTIONS​ ​AT​ ​THE​ U​SER​ ​LEVEL 

​ equire Secure Control​ ​and​ ​Require Secure Data​ ​constraints are

For a user or group account, the​ R
meant to enforce that the connection is encrypted using either FTPS or FTPES. If Require Secure
Control is checked, FTP over port 21 will be denied login if the user attempts to authenticate without
upgrading the connection to use encryption. If the FTP connection is upgraded to use encryption
(upgraded to FTPES), then the user will be allowed to send login credentials and attempt to login.
Cerberus requires an FTP listener to allow FTP or FTPES connections.

FTPS connections are always encrypted, and connections that come through on an FTPS listener will
always be allowed to attempt to login.

The user and group constraints​ A ​ llow FTP​ a

​ nd​ ​Allow FTPS​ ​is meant to control what protocol a user
can login over. If​ ​Allow FTP​ ​is selected for a user, then both FTP and FTPES connections will be
allowed to attempt to login over an FTP listener. This can be further restricted to only allowing FTPES
connections by selecting the​ Require Secure Control​ ​and​ ​Require Secure Data​ ​constraints for the
user.

28
You can create combinations of these options to allow exactly the type of protocol and security settings
that you prefer.

For example:

To allow any protocol, as long as it is secure, leave​ ​Allow FTP​ ​and​ ​Allow FTPS​ ​checked, and make
sure​ ​Require Secure Control​ a
​ nd​ ​Require Secure Data​ ​are checked.

This will allow connecting over implicit FTPS listeners on port 990, and explicit FTPES connections over
FTP listeners on port 21 (as long as the connection gets upgraded to TLS/SSL encryption before the
user attempts to login).

7.1.2 R​ESTRICTING​ FTP C

​ ONNECTIONS​ ​AT​ ​THE​ L​ISTENER​ ​LEVEL 

In addition to the fine-grain control, administrators have at the user level, broader restrictions can be
enforced at the listener level. FTP listeners also have the​ ​Require Secure Control​ ​and​ ​Require
Secure Data​ ​settings. These settings are checked first, before a user even attempts to login. If
the​ ​Require Secure Control​ ​and ​Require Secure Data​ ​options are specified for an FTP listener, then
only secure FTPES connections will be allowed. These settings are enforced before the individual user
settings are checked.

29
8.0 SSH2 SFTP S​ETUP 

8.1 A​BOUT​ SSH SFTP S​UPPORT​ ​IN​ C​ERBERUS​ FTP S​ERVER 

Cerberus FTP Server Professional edition and higher supports the SSH2 File Transfer Protocol, also
known as SFTP. SFTP is a network protocol that provides secure and reliable file access, file transfer,
and file management functionality. Features of the protocol include resuming interrupted file transfers,
directory listings, getting and setting file attributes, and remote file removal.

There are currently 6 different versions of the SFTP protocol, with versions 3 - 6 being in common use
by modern SFTP clients. Cerberus supports SFTP version 3, 4, 5, and 6 clients.

Cerberus also supports ​SSH public key authentication​.

8.2 S​UPPORTED​ SSH2 K​EY​ E​XCHANGE​ M​ETHODS 

Cerberus supports both Diffie-Hellman and Elliptic Curve Diffie-Hellman (ECDH) SSH2 key exchange
methods. The following exchange methods are supported:

● diffie-hellman-group1-sha1
● diffie-hellman-group14-sha1
● diffie-hellman-group-exchange-sha1
● diffie-hellman-group-exchange-sha256
● ecdh-sha2-nistp256
● ecdh-sha2-nistp384
● ecdh-sha2-nistp521

8.3 S​UPPORTED​ SSH2 C​IPHERS 

The following SSH ciphers are supported:

● des ​(disabled by default)

● 3des-cbc
● aes256-cbc
● aes192-cbc
● aes128-cbc
● aes256-ctr
● aes192-ctr
● aes128-ctr

30
8.4 S​UPPORTED​ SSH2 MAC A​LGORITHMS 

The following SSH MAC algorithms are supported:

● hmac-sha1
● hmac-sha1-96
● hmac-sha2-256,
● hmac-sha2-256-96
● hmac-sha2-512
● hmac-sha2-512-96
● hmac-ripemd160 (disabled in FIPS mode)
● [email protected] (disabled in FIPS mode)

8.5 A​DDING​ ​AN​ SSH2 SFTP L​ISTENER 

You must first have at least one SFTP listener for Cerberus to be able to accept SFTP connections.
Cerberus FTP Server will automatically add and enable SFTP listeners​ ​on each available IP address
the first time it is run so you normally do not need to add an SFTP listener. However, if you've previously
removed an SFTP listener you can add a new one from the Listeners page of the Server Manager.

To add a new SFTP listener:

1. Open the Server Manager

2. Select the ​Listeners​ page
3. Press the “New” button The "Add New Listener" dialog box will appear to ask for the interface
details (interface IP, type, and port combination)
4. Select the IP address that you want to listen for connections on
5. Select the ​SSH SFTP​ interface type
6. Enter the port you wish to listen on (the default for SSH2 SFTP is 22). Cerberus will automatically
pre-populate the port with the default port for the type of listener you are adding
7. Press the ​Add Listener​ button to add the listener
8. The listener should now be added to the Interfaces list.

8.6 A​LLOWING​ SSH2 SFTP C​ONNECTIONS​ ​THROUGH​ ​A​ F​IREWALL 

SFTP connections use port 22 by default. You may need to allow that port through your firewall to the
machine running Cerberus FTP Server. You may also need to make sure your router is forwarding
incoming connections on that port to the machine running Cerberus FTP Server.

8.7 E​NABLING​ O
​ R​ D​ISABLING​ E​XISTING​ SFTP L​ISTENERS 

In addition to adding and deleting interfaces, Cerberus allows an administrator to disable or enable an
existing interface. This feature can be used to temporarily disable a listener or to re-enable a listener
that has become disabled because of a port conflict or trial license expiration.

31
9.0 C​ONFIGURING​ ​THE​ S​ERVER  

9.1 A​LLOWING​ E​XTERNAL​ A​CCESS​ T​ O​ Y​ OUR​ S​ERVER  

Depending upon your connection to the Internet, you may need to configure your router or firewall
before users outside of your local network can see your FTP server. Communication with an FTP server
is done through two connections, a control connection, and a data connection. Ensuring these
connections can be established are the two areas where special attention is usually needed.

9.1.1 T​HE​ C
​ ONTROL​ C
​ ONNECTION 

The control connection is always the first connection established with an FTP server. The control
connection's purpose is to allow clients to connect and to send commands to the server (and receive
server responses). Port ​21​ is considered the default control connection port, and this is the default port
that Cerberus FTP Server will configure your IP interfaces to listen on for new connections. Using the
default port is not mandatory - the administrator is free to change the interface to use any free port on
the system as the listening port. However, if the administrator is running a software-based firewall, the
administrator must be certain that [incoming] connections are not blocked on the port chosen for the
control connection. If the port that Cerberus is listening on is blocked, no one will be able to see or
connect to the FTP server.

9.1.2 T​HE​ ​DATA​ C

​ ONNECTION 

The second type of connection is called the data connection. This is the connection that an FTP server
uses to exchange file listings and transfer files on. When an FTP client uses the control connection to
instruct Cerberus FTP Server to send a file listing or transfer a file, the actual data exchange takes
place on the data connection. The data connection is usually where most of the confusion and problems
arise for FTP server administrators.

There are two different ways a data connection can be established between an FTP client and an FTP
server. The first is commonly called ​active​ FTP. In this mode, an FTP client sends the IP address and
port that the client is currently listening for data connections on to the FTP server. The client
accomplishes this by sending the server a ​PORT​ command over the control connection. Using the
address and port from the ​PORT​ command, the FTP Server then connects to the client and sends the
file or file listing. When using ​active​ FTP, the administrator has to make sure that port 20 on the
machine that Cerberus FTP Server is running on is open for outgoing connections. The reason for this
is because when using ​active​ FTP, the server always establishes connections from port 20. Most
firewalls allow outgoing connections automatically, so manually opening up port 20 for outgoing
connections is usually not necessary.

The other way to establish a data connection between client and server is to use ​passive​ FTP. ​Passive
mode was introduced to get around common problems with client firewalls. Instead of the FTP server
connecting to the FTP client, the client connects to the FTP server using a port previously
communicated using the ​PASV​ command. When a client issues the ​PASV​ command, the FTP server
responds with a port that the server is currently listening on for data communication. Problems occur
with ​passive​ FTP when the firewall that Cerberus FTP Server is running on is blocking the selected

32
ports. To get around this problem, the administrator is required to open up the range of ports that
Cerberus has reserved for ​passive​ FTP connections. You can configure what range of ports Cerberus
FTP Server uses for ​passive​ FTP mode by looking under the 'Advanced' tab of the Server manager.

Failures during ​LIST, NLST, MLST, RETR​, or ​STOR​ operations can usually be attributed to problems
with the data connection.

9.2 C​OMMON​ N​ETWORK​ C​ONFIGURATIONS 

A PC running Cerberus FTP Server with access to the Internet often fits into one of two configurations:

9.2.1 C​ONFIGURATION​ 1: Y​OUR​ ​COMPUTER​ ​IS​ ​CONNECTED​ ​DIRECTLY​ ​TO​ ​THE​ I​NTERNET 

This is the simplest network configuration you can have and usually requires little or no configuration to
Cerberus FTP Server to allow full access. This configuration is most common with dial-up, DSL, cable
modem, and other broadband users. However, machines connected to the Internet directly often employ
a software firewall to provide some protection against unwanted intrusion attempts. While some firewall
software can automatically detect an FTP server and properly configure itself, the administrator usually
has to manually configure the firewall. See the explanation above about the control and data connection
for common ports that have to be allowed through a firewall.

9.2.2 C​ONFIGURATION​ 2: Y​OUR​ C

​ OMPUTER​ I​ S​ C
​ ONNECTED​ ​TO​ ​A​ ​ROUTER​, ​AND​ ​THE​ ​ROUTER​ ​IS​ C
​ ONNECTED​ ​TO​ ​THE 
I​NTERNET 

Routers usually act as firewalls, so the same problems that can occur in Configuration 1 can occur here.
Follow the advice in Configuration 1 to resolve firewall problems.

In addition to the firewall problems that can occur in this network configuration, there is now the problem
that the IP address you are using on your machine is not the IP address that the Internet sees for your
machine. Other users on the Internet usually see your router's IP address instead of your PC's private
address. Routers are devices on your network, just like your PC, and they have their own IP address,
and that is the IP address the router tells other computers is your address when you go out on the
Internet. When a user attempts to connect to the FTP server, they need to use the Internet-facing IP
address of the router (the router is where the connection is really happening), not the private address of
the computer Cerberus FTP Server is running on. When the router receives the connection attempt it is
then able to forward the connection to your computer.

The first thing to check in this configuration is that your router is sending all of the FTP traffic to the
computer Cerberus FTP Server is running on. Most routers have a web-based configuration utility that
you can use to configure ​Port Forwarding​. Specifically, you will want to make sure you forward the
control and possible data connection ports to the computer running Cerberus FTP Server.

There is one more problem that crops up in this network configuration. To properly allow ​passive
transfer mode, the administrator will have to make sure Cerberus is giving out the router address in
response to PASV requests. You can automatically enable this by making sure "WAN IP Autodetection"
is enabled in the 'General' tab of the Server Manager. Alternately, you can enter the IP address of the

33
router manually for each interface in the "Use different IP for PASV mode" IP box under the Server
manager's 'Listeners' tab.

While more complicated network configurations are possible, most users will fall into one of the above
configurations.

34
10.0 T​HE​ S​UMMARY​ V​IEW  

10.1 U​NDERSTANDING​ ​THE​ S​UMMARY​ V​IEW 

The Summary View provides the administrator with a one-page overview of the server's configuration
and any potential security issues that may be present.

Every time a configuration change is made the server scans the current Cerberus configuration at
startup to look for any potential security issues that might result from the current system configuration.
System warnings and messages are displayed in the System Messages list and each protocol type is
given an overall security status indicator.

Cerberus FTP Server Summary View

The possible status for each protocol type is:

Secure​ All listeners currently active for this protocol type are configured to accept only
encrypted connections.
Not Secure​ Some or all listeners currently active for this protocol type are configured to allow
unencrypted connections.
Disabled There are no listeners currently active on the server for this protocol. 

10.2 C​OMMON​ S​YSTEM​ M​ESSAGES 

There are generally two types of system messages displayed in the System Messages list - general
messages and security messages.

35
Anytime a protocol is listed as Not Secure there will be a system security message detailing the reason.
Common system messages, their explanation, and resolution, if applicable, are detailed below.

10.2.1 “FTP L​ISTENER​ X C

​ AN​ A
​ LLOW​ U
​ NENCRYPTED​ C
​ ONTROL​ ​OR​ D
​ ATA​ ​CONNECTIONS​” 

Explanation​: Normal FTP has no encryption and therefore allows passwords and data to be transmitted
in the clear over a network. To address this security issue, two secure forms of FTP were developed
called implicit FTPS and explicit FTPES. Implicit FTPS is very similar to HTTPS and takes place on a
completely separate port from typical FTP. Interfaces of this type are always encrypted and considered
secure. Explicit FTPES, however, starts on a normal unencrypted FTP connection and is then
"upgraded" to a secure connection through special FTP commands. This type of connection depends on
the client issuing commands instructing the server to enable encryption. However, the client can also
continue as a normal FTP connection without enabling encryption. This situation allows for unencrypted
connections and presents a security issue for servers.

Resolution​: To resolve this issue and still allow FTP access there are two possible solutions. One is to
remove all FTP listeners and only enable FTPS listeners. FTPS listeners only accept encrypted
communications and are considered secure.

If you wish to also allow FTPES secure connections then you must instruct the server to require
encryption before allowing a connection to proceed. To require the FTP listener to require encryption,
go to the Listeners page of the Server Manager and for each FTP interface, select the Require Secure
Control and Require Secure Data options.

For more detailed information, please take a look at our information page describing the ​different forms
of FTP and secure FTP​.

10.2.2 “HTTP L​ISTENER​ X ​ONLY​ ​ACCEPTS​ ​UNENCRYPTED​ ​CONNECTIONS​” 

Explanation​: Connections of type HTTP are always unencrypted and are therefore very susceptible to
inspection on a network. System administrators are encouraged to disable HTTP listeners in favor of
secure HTTPS listeners.

Resolution​: To resolve this issue the system administrator must disable any HTTP listeners in the
system, or set the redirect to HTTPS flag on the HTTP listener to make sure the connection is
immediately redirected to HTTPS. HTTPS listeners will not trigger a security issue.

10.2.3 “HIPAA N​ON​-​COMPLIANCE​: O​NE​ O

​ R​ ​MORE​ ​LISTENERS​ ​ALLOWS​ ​NON​-​ENCRYPTED​ T​ RAFFIC​” 

Explanation​: HIPAA requires all data to be encrypted before being sent over a network. You have an
active listener that allows data to be transmitted without encryption.

An FTP listener without the Require Secure Control and Require Secure Data settings will trigger this
warning. An HTTP listener that is not configured to redirect to HTTPS will also result in a warning.
Allowing SSH SFTP to use no encryption (configured from the ​Advanced​ section on the S ​ ecurity​ page
of the Server Manager) will also result in a warning.

36
Resolution​: To resolve this issue the system administrator must disable any HTTP listeners in the
system (or redirect them to HTTP), configure FTP listeners to require encryption and make sure SSH
SFTP listeners are not allowed to use any encryption for connections.

10.2.4 “FXP I​ S​ E​ NABLED​ ​AND​ ​COULD​ ​LEAVE​ ​THE​ ​SERVER​ ​VULNERABLE​ ​TO​ ​AN​ FTP B
​ OUNCE​ ​ATTACK​” 

Explanation​: FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use
the PORT command to request access to ports indirectly through the use of the victim machine as a
middle man for the request.

Resolution​: Go to the ​Advanced​ page of the Server Manager and check the option to Deny FXP
Transfers.

10.2.5 “S​ERVER​ ​IS​ ​CONFIGURED​ ​TO​ A

​ LLOW​ FTP D
​ ATA​ C
​ ONNECTION​ ​TO​ ​RESERVED​ ​PORTS​” 

Explanation​: You will receive this warning if you have configured Cerberus to allow FTP data
connections to ports less than 1025. Ports 1 through 1024 are intended for system services, so those
ports are called reserved ports. FTP should normally not be allowed to establish data connections within
that port range.

Resolution​: Go to the ​Advanced​ page of the Server Manager and check the option to Deny Reserved
Ports.

10.2.6 “Y​OU​ S​ HOULD​ S​ ET​ A

​ ​ R​EMOTE​ A​CCESS​ ​PASSWORD​” 

Explanation​: Web administration and SOAP API remote access use an admin password to control or
deny access to the server.

Resolution​: Go to the Remote page of the Server Manager and set an admin password.

37
11.0 T​HE​ U​SER​ M​ANAGER  

11.1 A​BOUT​ C​ERBERUS​ FTP S​ERVER​ A​UTHENTICATION  

Cerberus FTP Server can manage user accounts from three different sources. The first is the default
Cerberus FTP Server user database. The Cerberus default user database is displayed in the User List
box on the Users page of the User Manager. The accounts within the default database are users
created just for Cerberus FTP Server. The directions on this page are for adding a user to this default
database.

You may also use Cerberus FTP Server to authenticate Active Directory users when the machine
hosting Cerberus is part of a domain (or the local NT account database), even if the computer Cerberus
FTP Server is installed on is not the domain controller. See the page Active Directory Authentication for
more information on how to configure Cerberus to allow authentication of Active Directory domain users.

Finally, users can also be authenticated against an LDAP service. See the section on configuring
Cerberus for LDAP authentication for more information.

NOTE​: Active Directory and LDAP authentication are only available in the Professional and Enterprise editions of
Cerberus FTP Server.

11.2 A​DDING​ ​A​ N

​ EW​ ​USER 

Users can be added and modified in the Cerberus FTP Server user database by opening up the ​User
Manager​ and selecting the ​Users​ tab.

To add a user, click the ​New​ button from the button group along the right side of the page. A new user
form will appear under the user list box. All usernames must be unique and are case insensitive. Once
you have entered the new username, continue filling out the remaining fields. The user can then be
configured by clicking on the additional buttons above the details.

38
A list of configurable properties for that user are:

Profile

Password The password for the user.

Note​: The Password always displays as 7 (*) characters.

Group A Cerberus FTP Server ​Group​ that this user belongs to.

Constraints

Anonymous If checked, the user password is ignored and the user can be logged in
using any password.

Disabled Determines whether the account can log in or not. A disabled account
cannot log in into the server.

Max Logins The maximum number of connections this user can make to the server at
the same time.

39
Disable Date If a date is set here then the account will become disabled after the date
specified.
Note​: The granularity of the timer is 30 minutes. The account will be
disabled within 30 minutes of the time set.

Maximum Upload Filesize This field can be used to limit the maximum size of an uploaded file. This
value defaults to unlimited. The file size is specified in bytes. Specify 0
or any non-positive value to reset the maximum file size to unlimited.

Allowed IP Addresses A comma-separated list of IP addresses that this user can login from. If
no IP addresses are specified then no per-user IP address filtering is
enforced. IP addresses can be specified as a single IP, a range of IP
addresses separated by a dash, e.g. 192.168.0.100 - 192.168.0.150, or a
CIDR-formatted IP address range. Multiple formats can be combined,
with each single IP or range separated by a comma. Note, global IP
address deny lists or allow lists are always enforced first, regardless of
this setting.

Authentication

SSH Authentication Determines the authentication requirements for logging into an SFTP
Method interface. Valid options are:

● Password Only​: Require only a password for authentication.

● Public Key Only​: Require only a valid ​public key for

authentication

● Public Key and Password​: Require both a valid public key and
a valid password for authenticating a user

Multifactor Determines if 2 Factor authentication is allowed or required.

Authentication (2FA)
● Allow 2 Factor: ​This option allows users to set up 2fa if they
choose to
● Require 2 Factor for HTTP/S: ​This makes 2fa a requirement
when using the HTTP/S web client.
● Do not allow SSH SFTP logins (No 2FA): ​This option will not
allow users to login via SSH SFTP when 2FA is enabled.
● Do not allow FTP/S logins (No 2FA) : ​This option will not allow
users to login via FTP/S when 2FA is enabled.

Allowed Protocols

40
Permitted Login
Controls which protocols a user is allowed to login with. If a protocol is not
Protocols (Allowed
checked then the user will not be allowed to login using that protocol.
Protocols)

Require Secure Control (Applies to FTP only) If enabled, this user can only login to the server
(Allowed Protocols) using a secure TLS/SSL encrypted connection.

Require Secure Data (Applies to FTP only) If enabled, file transfers will only be allowed over
(Allowed Protocols) secure TLS/SSL encrypted connections.

11.3 C​ONFIGURING​ A
​ ​ ​USER​ F​ OR​ SSH P​UBLIC​ K​EY​ A​UTHENTICATION 

The procedure for configuring a user for SSH Public Key Authentication in Cerberus FTP Server is:

1. Open the Cerberus FTP Server ​User Manager​. The default page is the ​Users​ tab.
2. Select the User from the ​Cerberus Users​ list that you wish to configure for Public Key
Authentication.
3. Click on the ​Authentication ​tab for the selected user. The ​Authentication ​Requirements
dialog will appear.

4. Select the ​Public Key Only​ or ​Public Key and Password​ radio option. The ​Key Path​ edit box
and file selection button will become visible/enabled.
5. Select the folder button next to the ​Key Path​ edit box. A file selection dialog box will appear.

41
 6. Select the public key file you wish to use for the selected user. Press the ​Open​ button to select
the file.
7. Press the ​OK ​button on the Change ​SSH Authentication Requirements​ dialog to close and
save the new SSH authentication settings.
8. Press the ​Close​ button on the ​User Manager​ to save the changes to the selected user.

11.4 T​HE​ V​IRTUAL​ D​IRECTORY​ S​YSTEM 

The virtual directory (VD) system allows the administrator to attach any directory or drive to the root.
When a client requests the root directory from the server, the VDs you specify are sent to the client. The
client can also navigate to any of the VD directories' subdirectories. The VD system takes care of all
path translation. Security settings can be specified for each virtual directory. All subdirectories under the
VD inherit the security settings of the VD. There are 2 modes that a user account can operate in with
respect to the virtual file system. The two modes are simple and standard mode.

11.5 S​IMPLE​ V​IRTUAL​ D​IRECTORY​ ​MODE 

When a user account uses simple directory mode, the administrator can only assign one directory to
represent the virtual directory for that user. Instead of that directory being seen as a subdirectory off of
the root, the virtual directory selected will be the directory the user is placed in when they first log into
the server. In other words, the directory selected as the virtual root directory will be the root directory.

11.6 S​TANDARD​ V​IRTUAL​ D​IRECTORY​ ​MODE 

In standard mode (the ​Simple Directories​ option is unchecked), the administrator may add as many
directories as virtual directories to a user account as desired. The directories selected will appear as
subdirectories off of the root when the designated user logs into the server.

11.6.1 A V​IRTUAL​ D​IRECTORY​ M​ODE​ E​XAMPLE 

Let's take a user with one simple virtual directory called ​ftproot​ that maps to ​C:\ftproot​.

42
 Virtual Directory Settings for a User

In ​Simple Directory​ mode, the remote root directory that the user sees, "​/​", is mapped directly to
C:\ftproot​ on the server. The actual virtual directory name is ignored (you can think of it as always
being named "​/​"). The user will see all files and folders in ​C:\ftproot​ listed in their root directory. They
can upload and download files directly into the root directory and they will be uploaded or downloaded
to ​C:\ftproot​ on the server.

When not in simple directory mode, the root directory "​/​" doesn't map to anything. Instead, the root
directory "​/​" becomes a virtual file system that you can attach sub-directories to. When not in simple
directory mode, you can add as many virtual directories to a user account as you like and the virtual
directory name will become a sub-directory in the virtual root. However, you have to change to that
sub-directory before you can upload or download anything. If you try to upload a file to the root folder "​/​"
then the operation is invalid because the path "​/​" doesn't map directly to a folder on the server. You
would need to specify the path ​/ftproot​ to upload or download files from the virtual directory ​ftproot​.

11.6.2 V​ARIABLES​ ​THAT​ C

​ AN​ A
​ PPEAR​ ​IN​ V​IRTUAL​ D​IRECTORY​ N​AMES​ ​AND​ P​ATHS 

The special variable ​%USER%​ can be present in a virtual directory name or path. When present,
the ​%USER% ​variable is replaced by the user's username during login.

11.7 A​DDING​ ​A​ V

​ IRTUAL​ D
​ IRECTORY​ ​TO​ ​A​ ​USER​ ​ACCOUNT 

Each user can be assigned different virtual directories. A virtual directory is added to a user account by
using the User Manager.. To add a virtual directory to a user, first:

1. Select the user in the "Cerberus Users" list

2. Next, scroll down to see the user details for the selected user. Click on the button labeled
"​Virtual Directories​".
3. Click “New” to open the “Add a Virtual Directory” window.
4. Enter the path to the directory, or use the folder select option to navigate to the directory you
wish to add. If using the folder select option, select the folder you want, and press the "​Select​"
button on the dialog box. The directory you selected should appear in the “Path” section.
5. Enter a name for your Virtual Directory.
6. Next, select the permissions for your Virtual Directory. And then click “Add”

43
The directory should appear in the "Virtual Root list" list box. To configure the newly added directory,
double click on the directory name in the list box. The Edit a Virtual Directory window will appear .Place
a check beside any permission that you would like to grant to the virtual directory and all of that
directories subdirectories.

11.8 V​IRTUAL​ D​IRECTORY​ P​ERMISSIONS 

Each virtual directory that you add for a user can have a separate and distinct set of access
permissions. The settings applied to a top-level virtual directory filter down to all of that root directory's
subdirectories.

Permissions can only be assigned at the top, root level. To edit the permissions for a virtual directory:

1. Select the user in the Users page of the User Manager

2. Scroll down to see the user details for the selected user. Click on the button labeled "​Virtual
Directories​".

3. Double click on the virtual directory name in the list box. The Edit a Virtual Directory window will
appear. Place a check beside any permission that you would like to grant to the virtual directory
and all of that directories subdirectories

Permissions for virtual directories

44
12.0 C​ERBERUS​ G​ROUP​ A​CCOUNTS  

12.1 A​BOUT​ G​ROUPS  

Using groups simplifies administration of multiple accounts by letting you assign permissions once to a
group, instead of multiple times to each individual user. You can add Virtual Directories and basic user
settings to a group and have users inherit those permissions. By default, when a user is assigned a
group, that user inherits all of the group's settings. However, those settings can still be overridden for
the user account.

When a user is a member of a group, the user's settings on the Users page will be grayed out, and the
actual value displayed for each grayed setting is the value of the group that the user belongs to.

Virtual directories for the user account are a combination of the group's virtual directories, and any
virtual directories you assign specifically to the user account.

Cerberus FTP Server User Manager- Groups page

45
12.2 O​VERRIDING​ G​ROUP​ ​SETTINGS​ ​FOR​ ​A​ U​SER 

You can always override the group settings for a user by clicking on that user in the User Manager, and
then selecting toggling the group icon to the right of the setting to the user icon. Once you have toggled
to the user setting, select your setting different from the group value and click ‘Update User’. You can
revert back to the group setting by clicking on the user icon and toggling it back to the group icon.

12.3 A​DDING​ A
​ ​N
​ EW​ ​GROUP  

A group can be added and modified in Cerberus by opening up the User Manager and selecting
the ​Groups​ tab. To add a group, select the ​New​ button. A new group will appear under the group list
box. All group names must be unique and are case insensitive. Once you have entered the new group
name, press "Update Group" to commit the change. The group can then be configured by clicking on
the group name in the group list box. A list of configurable properties for that group will appear below
the Cerberus Group list.

Those properties are:

Profile

Group Name The unique name for the group

Description A brief summary or way identify the group

Members

Group Member List This list displays native Cerberus members of the group as well as any LDAP
and AD user and group mappings.

Constraints

Anonymous If checked, the password for any user that is part of this group is ignored and
the user can be logged in using any password.

Disabled Determines whether the account can login or not. A disabled account cannot
login to the server.

User Can Change Controls​ whether a user that​ belongs to the group can change their password
Password through the HTTP/S web client or through SSH SFTP or FTP commands.

Max Logins The maximum number of connections this user can make to the server at the
same time.

Disable Date If a date is set here then the group will become disabled after the date
specified. All users that are members of this group will also become disabled.
Note​: The granularity of the timer is 30 minutes. The account will be disabled
within 30 minutes of the time set.

46
Maximum Upload File This field can be used to limit the maximum size of an uploaded file. This
Size value defaults to unlimited. The file size is specified in bytes. Specify 0 or any
non-positive value to reset the maximum file size to unlimited.

Allowed IP Addresses A comma-separated list of IP addresses that members of this group can login
from. If no IP addresses are specified then no per-group IP address filtering
is enforced. IP addresses can be specified as a single IP, a range of IP
addresses separated by a dash, e.g. 192.168.0.100 - 192.168.0.150, or a
CIDR-formatted IP address range. Multiple formats can be combined, with
each single IP or range separated by a comma. Note, global IP address deny
lists or allow ists are always enforced first, regardless of this setting.

Authentication

SSH Authentication Determines the SSH authentication requirements for users that are members
of this group. Valid options are:

● Password Only​: Require only a password for authentication.

● Public Key Only​: Require only a valid ​public key for authentication

● Public Key and Password​: Require both a valid public key and a
valid password for authenticating a user

Allowed Protocols

Allow FTP Both FTP and FTPES connections will be allowed to attempt to login over an
FTP listener

Require Secure (Applies to FTP only) If enabled, members of this group can only login to the
Control server using a secure TLS/SSL encrypted connection.

Require Secure Data (Applies to FTP only) If enabled, members of this group can only initiate file
transfers over secure TLS/SSL encrypted connections.

Allow Protocols to Controls which protocols a member of this group is allowed to login with. If a
Login protocol is not checked then the user will not be allowed to login using that
protocol.

Virtual Directories

Is Simple Directories In simple directory mode the administrator can only assign one directory to
represent the virtual directory for a user that is a member of this group.

47
13.0 U​SER​ P​OLICY​ S​ETTINGS 

13.1 P​ASSWORD​ C​OMPLEXITY​ R​EQUIREMENTS 

These settings only apply to Cerberus Native accounts.

Minimum Length The password must be at least x characters long.

Require at Least ​x​ Letters The password must contain at least x count of letters.

Require at Least ​x​ Numbers The password must contain at least x count of numbers.

Require at Least ​x​ Special The password must contain at least x count of special
Characters characters (e.g.: %, $, #).

48
13.2 P​ASSWORD​ C​HANGE​ P​OLICY 

These settings only apply to Cerberus Native accounts.

Require Password The server will require that native account passwords be changed after
Change Every ​x​ Days this number of days. Not all protocols have standard support for
password changing, and not all clients implement that support when it
does exist. To overcome this limitation, you can disable password
expiration checking for specific protocols. Note, marking a user account
password as requiring a change on the next login requires the password
change option to be checked.

Applies to FTP​ - When checked, this policy is enforced for FTP/S

account access. Note, FTP does not have a standard way of changing or
prompting the user to change an account password. Cerberus supports
a common extension that allows changing the user password using
the SITE PSWD oldpassword newpassword command. However, using
that command requires the user to be logged in. The protocol does not
have a mechanism for informing the user of an expired password during
login. As a result, there is no way to change an expired password via
FTP once it has expired. The user will be unable to login via FTP.

Applies to SSH SFTP​ - When checked, this policy is enforced for SSH
SFTP account access. SSH has a standard method of allowing users to
change their passwords, but many SFTP clients do not implement it.

Applies to HTTP​ - When checked, this policy is enforced for HTTP/S

account access. Cerberus handles the logic of making sure the user is
properly prompted for changing an expired password during login, so this
method is supported by all web browsers.

49
13.3 P​ASSWORD​ H​ISTORY 

These settings only apply to Cerberus Native accounts.

Remember Last ​x​ Passwords Cerberus will save a secure hash of the last specified number of
passwords that the user has used.

Can't Reuse Last ​x Cerberus will prevent a user from changing their password to any
Passwords password used within the specified history count.

13.4 A​UTHENTICATION​ O​RDER 

Cerberus FTP Server can authenticate against several different types of data sources. The current
possible authentication sources include the ​Native user system​, ​Active Directory (AD)​, and ​LDAP​.
You can have multiple AD and LDAP servers configured and Cerberus will check each one and attempt
to match a username and password. Cerberus will try each authentication source in order until a
successful authentication occurs or until all sources fail authentication.

The order that authentication sources are checked is determined by the Authentication Order list box.
You can move authentication sources up and down in order depending upon your needs.

50
13.5 A​UTHENTICATION​ R​EQUIREMENTS 
The Disable Account and Password Storage Format options only apply to Cerberus Native accounts.
Disable Account After ​x​ Failed Attempts
Password Storage Format
Disable Account Last Login Exceeded
Stop Authentication Chain if User Exists
Auto-Create Variable Directories
Create Home Directory As User For AD
The Native account becomes disabled after ​x​ number
of consecutive failed login attempts. The counter is
reset on a successful login.
This is the method Cerberus uses to ​store user
account password information​. Options are SHA1,
SHA256, and SHA512. All options are salted and are
performed using FIPS compliant crypto routines if the
server is in FIPS mode.
Native accounts become disabled if they exceed x
number of days without a successful login.
If a user is found in an authentication source but the
password is incorrect, don't proceed to check the
other authentication sources. Just fail the
authentication request.
The variable ​%USER%​ can be used in virtual
directory names and paths. This variable is evaluated
to the account's name when the user logs in. Selecting
this option ensures that virtual directory paths with the
%USER%​ variable in them will be automatically
created when the user account is evaluated during
login.
This setting influences how home directories are
created for Active Directory users when the default
virtual directory mapping mode in AD is set to ​Global
Home/%USER%​ mode. Normally, Cerberus creates
the home directory while under the service account. If
this option is enabled, Cerberus will impersonate the
51

Use UPN for Home Directory for AD
Follow Active Directory Referrals
AD user before creating the directory. This ensures
the home directory is owned by the AD user instead of
the service account.
This setting influences how home directories are
created for Active Directory users when the default
virtual directory mapping mode in AD is set to Global
Home/%USER% mode. If this option is checked,
Cerberus will always use the AD user's UPN name as
the home directory name, instead of the user's login
name. AD users can usually use either their
SAMAccount or their UPN name. Checking this option
will ensure the user is always placed in the same
home directory, regardless of whether they login with
their SAMAccount or UPN name.
When querying a domain controller, a referral is the
way that a directory server communicates that it does
not contain the data required to complete a query, but
has a reference to a server that may contain the
required data. If this option is selected, Cerberus will
query other domain controllers to get a complete set
of results.
52
14.0 G​ENERAL​ S​ETTINGS  

14.1 C​ONFIGURING​ G​ENERAL​ S​ETTINGS 

The general settings page contains options for connection timeout, network detection, login
notifications, and auto-update settings.

53
14.2 G​ENERAL 

The general settings page contains options for connection timeout and hiding the main Cerberus
window.

Use idle connection Controls whether idle connections should be terminated after a period of
timeout inactivity. The ​Idle Connection Timeout (seconds)​ value controls how
long a connection to the server can remain idle without being terminated.

Use HTTP/S web

Controls how long (in seconds) a web client session can remain idle
client idle session
before the session becomes invalid and the user has to login again.
timeout (in seconds)

Minimize window to If selected, Cerberus FTP Server will start hidden when windows starts up.
tray on startup Only the tray icon will appear. You can restore the graphical interface by
double-clicking on the Cerberus tray icon, or right-clicking on the tray icon
and selecting "Show/Hide Server"

14.3 N​ETWORK 

Controls general network settings.

Detect WAN IP at If enabled, Cerberus will attempt to detect the external address that
Startup Internet computers see for connecting to the network this machine is
located on. This is usually the external router address. Enabling this option
is important for ensuring passive connections work correctly.

Add to Windows If selected, Cerberus FTP Server will attempt to add itself to the Windows
Firewall Exception Firewall Exception list. This setting is disabled on operating systems that
List do not support the Windows Firewall (Windows 2000 and below).

Detect IPv6 If selected, Cerberus FTP Server will attempt to detect any IPv6
Addresses addresses that the system has initialized. You can leave this setting
disabled if you are not using IPv6.

Bind to Localhost If selected, the server will bind to the IPv4 loopback addresses 127.0.0.1,
Address and (if IPv6 is enabled) the ::1 loopback address.

54
14.4 N​OTIFICATION 

Controls user login notification settings.

Display taskbar If enabled, Cerberus will display a small notification window on the
notification window bottom-right corner of the desktop whenever a user attempts to login to
on user login the server.

Check for Updates Controls how often the server will check for updates. Possible values are:
Never, Daily, Weekly, or Monthly.

55
15.0 P​ROTOCOL​ S​ETTINGS 
The Protocols page allows you to control individual settings that affect the security, functionality, and
compatibility of the different secure file transfer protocols.

56
15.1 FTP/S S​ETTINGS 

15.1.1 PASV P​ORT​ R​ANGE 

These settings control passive FTP options.

Start First port in the port range to use for passive connections.
End Last port to use for passive connections before wrapping back
around to the Start port.
Randomize Passive Ports A security option that when enabled causes the server to choose
a cryptographically random, unused passive port from the
passive port range. When this option is disabled the server
selects a passive port from the passive port range incrementally.
Deny FXP Transfers File eXchange Protocol (FXP) is a method of data transfer which
uses the FTP protocol to transfer data from one remote server to
another (inter-server) without routing this data through the
client’s connection. Conventional FTP involves a single server
and a single client; all data transmission is done between these
two. In the FXP session, a client maintains a standard FTP
connection to two servers and can direct either server to connect
to the other to initiate a data transfer.
Deny Reserved Ports Do not allow passive or active port requests below port 1024.

15.1.2 A​DVANCED​ FTP/S S​ETTINGS 

15.1.2.1 FTP D​IRECTORY​ L​ISTING​ T​IME​ F​ORMAT

This setting determines the time zone format for the file list returned in response to the LIST and NLST
commands. Most clients expect dates and times to be UTC format.

Universal Time (UTC) The default, send file date/time in UTC format.

Local Time Send file date/time in local time.

Advertise FTP MLST/MLSD
Retrieve Owner/Group
information for file listings
Allow the FTP server to advertise to clients that it supports the
MLST/MLSD command (recommended).
Includes the owner and group of each file in responses to the
LIST and NLST command. NOTE: This will slow down file
listings.

15.1.2.2 FTP MDTM T​IME​ F​ORMAT

The FTP command, ​MODIFICATION TIME (MDTM),​ can be used to determine when a file in the server
file system was last modified. This command has existed in many FTP servers for many years, as an
adjunct to the REST command for STREAM mode. As a result, this command is widely available.

57
This command is also frequently used in a non-standard fashion to set file modification times. Cerberus
supports both the standard MDTM command for retrieving file times and the non-standard use for
setting the date/time on a file.

NOTE:​ ​Setting dates and times requires FTP client support. There is often a setting that has to be enabled in many FTP
clients before an uploaded or downloaded file will have its date/time set. Consult your FTP client documentation on how to
enable this setting. Cerberus automatically supports setting a file date/time without any additional configuration.

Universal Time (UTC) Most FTP clients expect the ​MDTM​ command to process
date/time values in UTC format and this is the default. Selecting
this option will cause Cerberus to interpret and send dates in UTC
format.
Local Time Interpret and send dates in local time (not RFC compliant).

Set Modification Time When clients attempt to use the non-standard MDTM extension to
set a date/time for a file, this setting determines whether the file
modification time will be set.
Set Access Time When clients attempt to use the non-standard MDTM extension to
set a date/time for a file, this setting determines whether the file
access time will be set.

15.1.2.3 FTP C​OMPRESSION

Cerberus FTP Server 5.0 and higher support MODE Z compression for FTP directory listings, uploads,
and downloads.

Allow MODE Z Compression
Disable Compression on Local
Network
The default, send file date/time in UTC format.
The benefits of compression on the local network can often time
be outweighed by the time it takes to compress that data. It is
recommended that compression be disabled for local network
connections. (recommended)

15.1.2.4 FTP M​ISCELLANEOUS

These are FTP settings that don’t fit anywhere else.

Allow FTP Renames to Overwrite
Existing Files
Allow FTP TLS Upgrade
Use Optimized File Sending
When this option is enabled an FTP client can issue a rename
command and overwrite an existing file.
The FTP server will advertise and allow clients to upgrade plain
FTP connections to encrypted FTP connections (FTPES) when
this option is enabled (recommended).
Uses the built-in Windows API for potentially faster file sending
on Windows Server machines. This option only applies to plain
FTP transfers. It provides no benefit for encrypted file transfers.

58
15.2 SSH SFTP S​ETTINGS 
Ignore SSH Window Size
Require Encryption on SFTP
Use Legacy Handles for SFTP
Mask Server Identification
15.3 A​DVANCED​ SSH S​ETTINGS 
Active Key Exchange
Active SSH SFTP ciphers
Active MAC
15.4 HTTP/S S​ETTINGS 
These are advanced settings for controlling HTTP/S web client defaults for all users.
Public Domain Name
Client Domain Allow List
Some SFTP clients do not correctly request an increase in the
SSH channel window size. Enabling this option will allow those
connections to continue even after exceeding the available
channel window space.
Although most clients won’t request an unencrypted connection,
the SSH protocol does allow it. Check this option to disallow
unencrypted SSH connections. This option should always be
enabled for production servers.
If you are connecting to Cerberus using a very old FTP client
that only supports legacy algorithms, and Cerberus is refusing
to connect, this is an option to try.
This option switches Cerberus to use the legacy SSH library.
If this option is checked, the server will use a generic
identification string for the welcome message during SSH
connections. The server will also omit the server header for
HTTP/S connections.
The SSH key exchange algorithms that the server will advertise
as supported to SSH clients.
The cipher algorithms advertised by Cerberus to clients during
secure connection negotiation for SSH2 SFTP. You can select
the algorithms you want advertised using this list.
The HMAC algorithms advertised by Cerberus to clients during
secure connection negotiation for SSH2 SFTP. You can select
the algorithms you want advertised using this list.
This option is used for sending out Account Request email
notifications and Password reset emails.
To prevent against host header attacks when sharing public
file links or client-initiated password reset requests, you can
add a list of allowed public domain names for your server.
59
Temp Upload Directory HTTP/S web client uploads are stored in this directory as they
are uploaded. When the upload completes, the file is moved
to its final destination.

If this edit box is left blank, the temporary upload directory

defaults to the temporary files directory for the account
running the Cerberus FTP Server Windows Service for native
accounts and LDAP accounts. For AD accounts, it defaults to
the temporary folder for that AD user on the server machine.

This field can be used to override the defaults for all account
types.

Optional Headers to Include Allows the administrator to determine if the listed HTTP
headers should be sent to clients for HTTP/S web client
connections.

60
16.0 C​ONFIGURING​ L​OGGING​ S​UPPORT  

16.1 A​UDITING 

Cerberus FTP Server provides comprehensive logging of all file and user operations and provides both
on-screen logging, file logging, and Syslog support. File-based logging can be managed through an
XML configuration file that can control nearly all aspects of how log data is written to a file.

16.2 L​OG​ F​ILE​ L​OCATION  

Cerberus FTP Server logging is implemented through the ​Apache Log4cxx​ framework, a robust
logging package modeled after the popular log4j Java logging package. The default configuration logs
up to 5000 KB of data to a single file and then rolls over to a new log file. The past 10 log files are kept
by default but log file size, naming, and history are all completely configurable through the log4j.xml file.

The log file is located at the following location:

16.2.1 O​N​ W​INDOWS​ V​ISTA​, W​INDOWS​ 2008 A

​ ND​ ​ABOVE  

C:\ProgramData\Cerberus LLC\Cerberus FTP Server\log

16.2.2 O​N​ W​INDOWS​ 2003, XP, A

​ ND​ 2000 

C:\Documents and Settings\All Users\Application Data\Cerberus LLC\Cerberus FTP Server\log

You can also open the log file by simply clicking on the ​Open Log File​ link on the ​Log​ tab of the main
user interface console as demonstrated below:

16.3 C​ONFIGURING​ L​OGGING  

The ​log4j.xml​ configuration file is one level above in the "Cerberus FTP Server" folder. An example
log4j.xml file is below.

There is an example of a size-based log appenders which roll over after the log file reaches a certain
maximum size and that limit the number of log files that are kept. These types of loggers are limited to
at most 13 saved log files.

61
There is also daily log file appender example (with no maximum number of kept log file limits), and a
Syslog log appender example.

<?xml version="1.0" encoding="UTF-8" ?>

<log4j:configuration xmlns:log4j='http://logging.apache.org/' debug="false">

<appender name="FILE" class="org.apache.log4j.rolling.RollingFileAppender">

<rollingPolicy
class="org.apache.log4j.rolling.FixedWindowRollingPolicy" >
<param name="activeFileName" value="log/server.log" />
<param name="fileNamePattern" value="log/server.%i.log" />
<param name="minIndex" value="1" />
<param name="maxIndex" value="5" />
</rollingPolicy>
<triggeringPolicy
class="org.apache.log4j.rolling.SizeBasedTriggeringPolicy">
<param name="maxFileSize" value="5000KB" />
</triggeringPolicy>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern"
value="[%d{yyyy-MM-dd HH:mm:ss}]:%7.7p [%6.6x] -
%m%n" />
</layout>
</appender>

<appender name="ERROR_FILE"
class="org.apache.log4j.rolling.RollingFileAppender">
<rollingPolicy
class="org.apache.log4j.rolling.FixedWindowRollingPolicy">
<param name="activeFileName" value="log/server_error.log"/>
<param name="fileNamePattern"
value="log/server_error.%i.log"/>
</rollingPolicy>
<triggeringPolicy
class="org.apache.log4j.rolling.SizeBasedTriggeringPolicy">
<param name="maxFileSize" value="5000KB"/>
</triggeringPolicy>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="[%d{yyyy-MM-dd
HH:mm:ss}]:%7.7p [%6.6x]
- %m%n"/>
</layout>
<filter class="org.apache.log4j.varia.LevelRangeFilter">
<param name="LevelMin" value="ERROR" />
</filter>
</appender>

<root>
<level value="INFO" class="org.apache.log4j.xml.XLevel" />

62
 <appender-ref ref="FILE"/>
<appender-ref ref="ERROR_FILE"/>
</root>
</log4j:configuration>

Possible values for the ​<level value="​LEVEL​" class="org.apache.log4j.xml.XLevel" />​ tag's ​level
parameter are:

● TRACE
● DEBUG
● INFO
● WARN
● ERROR

16.3.1 E​XAMPLE​ S​YSLOG​ ​LOG​4J​ .​ X

​ ML​ C​ONFIGURATION​ F​ILE 
The below log file example shows a Syslog logger.

<?xml version="1.0" encoding="UTF-8" ?>

<log4j:configuration xmlns:log4j='http://logging.apache.org/' debug="false">

<!-- Add a Syslog appender -->

<appender name="syslog" class="org.apache.log4j.net.SyslogAppender">
<param name="SyslogHost" value="127.0.0.1"/>
<param name="Facility" value="USER"/>
<param name="FacilityPrinting" value="true"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern"
value="%t %5r %-5p %-21d{yyyyMMdd HH:mm:ss,SSS} %c{2} [%x] %m
%n"/>
</layout>
</appender>

<root>
<level value="INFO" class="org.apache.log4j.xml.XLevel" />
<appender-ref ref="syslog"/>
</root>
</log4j:configuration>

16.3.2 E​XAMPLE​ D​AILY​ R​OLLOVER​ L​ OG​4J​ .​ X

​ ML​ C​ONFIGURATION​ F​ILE 
The below log file example shows a simple daily rollover logger.

<?xml version="1.0" encoding="UTF-8" ?>

<log4j:configuration xmlns:log4j='http://logging.apache.org/' debug="false">

63
 <!-- Add a Daily log file appender that will roll over to a new log file each
night -->
<appender name="DAILY_ROLL"
class="org.apache.log4j.rolling.RollingFileAppender">
<rollingPolicy class="org.apache.log4j.rolling.TimeBasedRollingPolicy">
<param name="FileNamePattern"
value="log/daily_server.%d{yyyy-MM-dd}.log"/>
</rollingPolicy>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="[%d{yyyy-MM-dd
HH:mm:ss}]:%7.7p [%6.6x] - %m%n" />
</layout>
</appender>

<root>
<level value="INFO" class="org.apache.log4j.xml.XLevel" />
<appender-ref ref="DAILY_ROLL"/>
</root>
</log4j:configuration>

16.3.3 L​OG​ F​ILE​ L​OCATION​ A

​ ND​ N​AMING 

You can change the location and name of the file created under the various log appenders using the
appropriate field. For the default RollingFileAppender logger with a FixedWindowRollingPolicy you will
need to change both the activeFileName and fileNamePattern parameters in the​ log4j.xml​ file. For the
DailyRollingFileAppender you will just need to change the File parameter associated with the logger.

If using a relative log file path, the path is relative to the ​C:\ProgramData\Cerberus LLC\Cerberus FTP
Server​ folder.

16.4 S​CREEN​ L​OGGING​ S​ETTINGS  

In addition to the file-based log, Cerberus also displays the current log output to the graphical user
interface while the server is running. Options for the screen-based logging can be controlled through the
Logging settings tab of the Server Manager.

16.4.1 R​OOT​ L​OG​ L​EVEL 

Controls the root log level for all log appenders. All log appenders inherit the root log level as their
lowest threshold. The default level is INFO.

Log appenders can be set at a higher log level threshold than the root logger, but they cannot be set at
a lower level. For example, if the Syslog appender is set to DEBUG, but the root log level is set to INFO,
the Syslog will still only write out log information at the INFO level.

64
The DEBUG level is for troubleshooting, and the root log level should not be left at this level for regular
production use because of the excessive logging produced.

65
16.4.2 S​YSLOG​ S​UPPORT 

Cerberus FTP Server 5.0 and higher supports Syslog integration. Administrators can control Syslog
settings from this page.

Enable Syslog
Enable syslog logging
logging

Syslog Host The address of the machine hosting the syslog server.

Syslog Facility The syslog facility value that should be associated with the syslog
events.

66
17.0 I​NTERFACE​ S​ETTINGS 

17.1 C​ONFIGURING​ I​NTERFACE​ S​ETTINGS 

An interface or listener is simply an IP address, port, and protocol combination that the server is
accepting connections on. For example, you can add an FTP listener on port 21 and attach it to an IP
address. It can be an IPv4 or IPv6 address. The "Default" interfaces represent the settings that will be
applied for newly detected interfaces. There are several different parameters that each interface can
have:

67
17.2 T​YPES​ ​OF​ L​ISTENERS 

There are seven types of listeners that you can add to an IP address:

FTP Traditional FTP, default port 21

FTPS Implicit FTP with TLS/SSL encryption, default port 990

SSH SFTP SSH2 File Transfer Protocol, default port 22

HTTP HTTP, default port 80

HTTPS
HTTP with TLS/SSL encryption, default port 443
HTTP for web administration, default port 8080
HTTP Admin
HTTP with TLS/SSL encryption for web administration, default port 8443
HTTPS Admin

The first two allow regular FTP as well as​ ​different forms of secure FTP​ ​while the SSH2 SFTP listener
is for establishing connections over the SFTP protocol (a completely different protocol from FTP,
despite the similar name). The HTTP and HTTPS listeners allow web client connections to the server
using either the unsecure HTTP protocol or encrypted HTTPS protocol.

There are two types of secure FTP connections possible, FTPS and FTPES. FTPS is usually referred to
as implicit FTP with TLS/SSL security. Its closest analog is HTTPS. It is basically the FTP protocol over
a TLS/SSL secured connection. This form of secure FTP is deprecated but widely supported and still in
use. This is what Cerberus FTP Server​ ​FTPS listener​ ​is for and this type of listener typically listens on
port 990. Note, the settings "Require Secure Control" and "Require Secure Data" are meaningless for
this type of listener. Connections established to an FTPS listener can only be established securely.

FTPES, which is often referred to as​ ​explicit FTP​ ​with TLS/SSL security, is a modification of the FTP
protocol that starts out over an insecure, normal FTP connection and is then upgraded to a secure
connection through FTP command extensions during login. This is the preferred method of secure FTP
because it allows SPI firewalls to know that there is FTP traffic occurring on the connection. You
establish FTPES sessions using a normal Cerberus FTP Server​ ​FTP listener​, typically over port 21.
Both unencrypted FTP and explicit TLS/SSL connections can be established to this type of listener. You
cannot establish an implicit FTPS connection over this type of listener.

17.3 A​DDING​ ​A​ N​EW​ I​NTERFACE​ L​ISTENER 

Cerberus FTP Server supports adding multiple listening interfaces for a given IP address. This allows
you to have Cerberus accepting connections from different protocols on multiple ports. The only
requirement is that each listener be on a unique IP/port combination. You can add FTP, FTPS (for
implicit secure FTP only), SSH2 SFTP, HTTP or HTTPS listeners.

68
Press the "New" button in the interface list box to add a new interface. A new dialog box will appear to
ask for the interface details (interface IP, type, and port combination). Selecting a listener from the list
and right clicking will give you a menu where you can delete the selected interface listener.

17.4 I​NTERFACE​ S​ETTINGS 

Listen Port This setting is the port that this interface will listen on for the ​control
connection.

Max Connections The setting determines the maximum number of simultaneous

connections that can connect to this interface listener.

Require Secure (Applies to FTP only) If enabled, only secure control connection will be
Control allowed. This is required to protect passwords from compromise on
unsecured networks with FTP.

Require Secure Data (Applies to FTP only) If enabled, only secure data connections will be
allowed. All directory listings and file transfers will be required to be
encrypted.

Don't Use External IP

If this option is checked, Cerberus will always use the internal IP address
for Passive
when the incoming connection originates on the local network.
connections

Always Use Internal If this option is checked, Cerberus will always use the internal IP address
IP for plain FTP when the incoming connection is plain FTP to ensure insecure FTP
connections remain inside your network.

Passive IP Options ● Auto Detect​ - If WAN IP auto detection is enabled then use the
WAN IP for the PASV command, otherwise use the interface's IP.

● Specify PASV IP​ - Allows the administrator to specify what IP

address is returned in response to a PASV command

● Use DNS service​ - Allows use of DNS names like

www.cerberusftp.com. The address specified will be examined at
regular intervals and the IP address that represents that DNS
name will be used in PASV commands.

69
Show Welcome If checked, the server will send a welcome message during user login for
Message FTP/S, SSH SFTP, and the HTTP/S web client (note, some FTP and
SFTP clients won't display the welcome message).

Allow User Updates (Applies to HTTP/S only) If checked, the user will be allowed to update his
or her personal account information (first name, last name, email, or
telephone number) through the HTTP/S web client.

Allow Web Account (Applies to HTTP/S only) If checked, users can request new accounts
Requests through the HTTP/s web client.

Company Name (Applies to HTTP/S only) The company name to display in the web client
page title

Logo Image (Applies to HTTP/S only) The logo image to display in the web client
header. This file's dimensions should be 230 by 70.

Login Image (Applies to HTTP/S only) The image to display on the web client login
page. This file's dimensions should be 70 by 70.

Default Web Directory (Applies to HTTP/S only) The default number of entries that appear in the
List Count web client file list.

Show Time zone on (Applies to HTTP/S only) Toggles displaying time zone information for files
Dates and directories in the web client

Display Local Time (Applies to HTTP/S only) Toggles between displaying server local time or
UTC time for files and directories in the web client

Configure CAPTCHA (Applies to HTTP/S only) Configures Google reCaptcha for the web client
login and web requests pages.

Redirect requests to (Applies to HTTP only) Any requests that come in over this HTTP listener
HTTP/S listener will be redirected to the same address using HTTPS.

70
17.5 T​HE​ "D​EFAULT​" I​NTERFACES 

There is a Default interface for each type of listener (FTP, implicit FTPS, SFTP, HTTP, and HTTPS).
When a new interface (IP address) is detected, that interface will receive an FTP, FTPS and SFTP
listener and each of those listeners will be assigned the values of the appropriate "Default" interface at
the time of detection. For example, If the "Default FTP" interface was defined to be on port 21, then
when a new interface is detected for the first time it will receive an FTP listener on port 21 with the
values of the Default FTP interface. Those settings then become the settings for the newly detected
interface. Note that the new interface's settings are not linked to the "Default" interface in any way. The
"Default" interface simply represents the values that newly detected interfaces will be initialized with.
Changing the values of the "Default" interface wouldn't change any values on existing or previously
detected interfaces.

For example, when you first install Cerberus FTP Server, the "Default FTP" interface is set to port 21
(the default FTP listening port) and all interfaces detected during that first start will receive FTP listeners
with that port value. If you later change the "Default FTP" interface settings then that change will have
no effect on existing interfaces.

It is also worth noting that Cerberus remembers the settings for interfaces that were previously detected
but might have changed. For servers that have dynamic addresses that constantly change or cycle
between a range of addresses, Cerberus will "remember" the old values and apply those instead of the
"Default" settings if that interface address is later detected again.

Un-checking the box next to each Default interface will disable automatic listener activation for that
interface type when a new interface is detected.

17.6 I​NTERFACE​ S​TATUS​ C​ONTROLS 

Interfaces can also be enabled or disabled from the main Cerberus FTP Server user interface:

Enabling or disabling a listener

Select a listener and right-click. Click the Enable/Disable menu item to toggle enabling or disabling a
listener. Disabled listeners will no longer accept connections.

71
17.7 T​HE​ HTTP/S W​EB​ C​LIENT 

Available in Cerberus FTP Server Enterprise edition, the ​HTTP/S web client​ capability allows any user
with access to a common web browser to easily connect to the server to perform file operations
(uploading, downloading, deleting, renaming, creating directories, and zipping and unzipping files and
directories) using a desktop or mobile web browser.

You can also grant users the ability to generate a public link to any file, and email that link to someone
from directly within the web client.

The web client is a native web application that requires no plug-ins or external tools to use. The web
client relies on HTML and JavaScript for all of its functionality, and will run on any modern web browser.

17.8 S​ECURITY 

Administrators can also configure the server to allow or require users to authenticate using two factor
authentication when connecting using the web client. We currently support TOTP-compliant one-time
password applications, as well as direct integration with DUO Security.

17.8.1 A​DDITIONAL​ W​EB​ C​LIENT​ ​FEATURES​ I​ NCLUDE​: 

Fully tested against IE 9.0+, the latest version of Firefox, Chrome, and Safari
● No file size limitations and can efficiently handle file uploads and downloads of any size
● Simultaneous file upload, and upload drag and drop support in Firefox, Safari, Chrome, and IE
10+
● Upload Resume support

72
 ● Confirmation dialogs for file deleting, zipping, and unzipping
● Right-click Cut/Copy/Paste support for moving and copying files and folders between other
folders
● Web-based with no software or plugins to install for end users
● Allow users to request new accounts through the web
● Allow users to reset forgotten passwords using email link requests combined with security
questions
● Configurable anti-bot security using reCAPTCHA for logins and account requests.
● Generate and email a public file link (with optional password protection) from within the web client
● Custom Theme support using the popular Bootstrap 3 framework
● Desktop and mobile Browser Optimized

17.9 P​UBLIC​ F​ILE​ S​HARING 

Public file sharing allows a user to can take any file and generate a unique, time-limited, public link
to that file and share it with anyone. The public link can also be password protected. The
administrator has full control over public file sharing. The administrator has to grant explicit sharing
privileges to a user's virtual folder before the user can share files publicly from that folder.

Cerberus FTP Server HTTP/S Web Client

A user can revoke access to the public link at any time through the Shares page of the web client.

17.10 E​MAILING​ ​A​ L​ INK​ ​TO​ ​A​ P​UBLIC​ F​ILE 

In addition to public file sharing, users can also email a link to a public file directly from within the web
client. Users just need to click the "Email" button on a file (and have the appropriate folder permissions
granted by the administrator for sharing) to open a message dialog for emailing the file.

73
 Cerberus FTP Server HTTP/S Web Client

Cerberus FTP Server will use the first SMTP server configured in the Event Manager's Targets page as
the email server for sending emails.

17.12 A​DDING​ ​AN​ HTTP/S L​ISTENER 

The Cerberus FTP Server web client can be accessed by adding an HTTP or HTTPS listener to
Cerberus FTP Server's listener list. You can add a new HTTP/S listener from the ​Listeners​ page of the
Server Manager​.

To add a new HTTP or HTTPS listener:

1. Open the Server Manager

2. Select the ​Listeners​ page
3. Select the "plus" icon next to the interface list box to add a new interface. The "Add New
Listener" dialog box will appear to ask for the interface details (interface IP, type, and
port combination)
4. Select the IP address that you want to listen for connections on
5. Select the interface type (HTTP or HTTPS for web client access)
6. Enter the port you wish to listen on. Cerberus will automatically pre-populate the port
with the default port for the type of listener you are adding
7. Press the ​Add​ button to add the listener

The listener should now be added to the Interfaces list. Press ​Ok​ to close the Server Manager and save
you changes.

74
17.13 W​EB​ C​LIENT​ C​USTOMIZATIONS 

The HTTP/S web client can be customized in several ways. Options for changing the default
settings are discussed in the following sections.

17.13.1 C​HANGING​ ​THE​ C​OMPANY​ L​OGO​ ​AND​ L​OGIN​ I​MAGE 

You can change the company logo displayed on the web client by specifying your own logo file.

1. Go to the ​Listeners​ page of the ​Server Manager​ (pictured above)

2. Select the HTTP/S interface you wish to change (not the default interface)
3. Press the file selection button across from the Logo Image edit box
4. Select the image file you wish to use and press Ok. The preferred image size is 230 x 70.

The login image displayed on the login page is also customizable using the same procedure as for
the company logo. The preferred login image size is 70 x 70 pixels.

The image format for both logos should be one that is supported by all web browsers. We
recommend ​PNG​, ​GIF​, or ​JPEG​.

75
17.13.2 C​HANGING​ ​THE​ L​OGIN​ W​ELCOME​ M​ESSAGE 

If you select the Show Welcome Message option for the HTTP/S listener then the server welcome
message is displayed next to the login credentials box when a client logs in on that listener. This
message can be customized from the Messages page of the Server Manager.

17.13.3 C​USTOM​ W​EB​ C​LIENT​ T​HEMES 

The HTTPS web client comes installed with several themes, but administrators can easily adapt and
add their own. The web client was redesigned in version 7.0 to use the popular Bootstrap 3 framework.
You can develop your own custom CSS theme file and drop it in:

C:\Program Files\Cerberus LLC\Cerberus FTP Server\webadmin\client\custom

Then, restart the Cerberus FTP Server Windows Service to have it automatically detect and make
available the new theme.

A theme file is simply a css file that contains your own custom overrides of the default Bootstrap 3
theme. Any files your CSS file references should be relative to the custom folder. Cerberus will detect
the new CSS file during startup and make it available as a theme (the theme name is based on the file
name) on the Accounts page of the web client.

17.13.4 F​URTHER​ W​EB​ C​LIENT​ C​USTOMIZATIONS 

The HTTP/S web client can be further customized by modifying the underlying template files. However,
any changes made to those template files will be overwritten whenever Cerberus FTP Server is
upgraded. We are working on ways to allow more permanent and lasting changes to the web client. The
relevant template files are in:

C:\Program Files\Cerberus LLC\Cerberus FTP Server\webadmin

and

C:\Program Files\Cerberus LLC\Cerberus FTP Server\webadmin\client

The client-index.tpl file is probably the best place to start for modifying the overall look of the web client.
The template files are cached in memory in Cerberus after the first time they are read, so a restart of the
underlying Cerberus FTP Server Windows Service is required before any changes to these files will
take effect.

76
18.0 W​EB​ A​CCOUNT​ R​EQUESTS  

18.1 A​LLOWING​ U​SERS​ T​ O​ R​EQUEST​ A​CCOUNTS​ ​THROUGH​ ​THE​ W​EB 

Users can request new accounts through the HTTP/S Web Client. A "Request a New Account" link will
appear on the login page if the administrator decides to allow web account requests.

HTTP/S Login Page with "Request a New Account" Link

18.1.1 R​EQUESTING​ ​A​ N​EW​ A​CCOUNT 

The account request page allows a user to submit a request for a new account to the Cerberus FTP
Server system administrator. The user can set a password for the account (subject to password policy
rules) at the time of the account request. This relieves the administrator from having to set a new
password for the user and from having to securely distribute that password.

Event Rules can be enabled on the server to automatically email the administrator whenever a new
account request is made.

77
18.1.2 E​NABLING​ O
​ R​ D​ISABLING​ A​CCOUNT​ R​EQUESTS 

The link can be enabled or disabled for any HTTP or HTTPS listener by selecting that listener in the
Listeners page of the Server Manager.

Enable Account Requests

18.2 A​PPROVING​ O
​ R​ D​ENYING​ A​CCOUNT​ R​EQUESTS 

Administrators can view pending account requests through both the ​Account Requests​ page of the
User Manager​ in the Cerberus GUI, or through the Account Requests administrator web page.
Accounts can be approved or denied through either method by selecting an account and using the
Approve ​or ​Delete​ button.

Approved accounts are automatically created and activated in the ​Users​ page of the ​User Manager
and can be further customized there.

78
The Cerberus FTP Server Account Request Page of the User Manager

79
19.0 S​ECURITY​ S​ETTINGS  

19.1 C​ONFIGURING​ S​ECURITY​ S​ETTINGS 

The security settings page allows the administrator to configure all aspects of Cerberus FTP Server
SSL/TLS and SSH security. To enable TLS/SSL connections between FTP and HTTP clients and the
server, you need a server certificate and a private key.

19.1.1 D​IGITAL​ C​ERTIFICATE​ S​UPPORT 

Cerberus FTP Server supports RSA, DSA and Elliptical Curve (EC) keys. Support for elliptical curve
ciphers with FTPS and HTTPS is available with Cerberus FTP Server 6.0 and higher.

There are generally two options for obtaining a digital certificate (with private key):

1. You can generate your own self-signed certificate using the Cerberus ​Create Cert​ button.

2. You can obtain a certificate from a recognized certificate authority (CA)

Which is more appropriate really depends upon your goals. If you just want to make sure that client and
server connections are securely encrypted then a self-signed certificate is all you need. It has the benefit
of being easily created through Cerberus and completely free.

If your goal is to make sure that your clients can verify that the server they are connecting to is legitimate
and ensure they don’t see any warning messages about being “unable to verify the server” then using a
certificate signed by a trusted certificate authority is required. You will have to contact one of the
recognized Certificate Authorities such as Comodo, Thawte, Verisign or one of the many other recognized
Certificate Authorities and request a server certificate (for a price).

A note about secure connections​: Cerberus supports FTPS, FTPES, SFTP, and HTTPS encryption.
To establish a secure connection you must connect to the server with a client that supports one of those
secure methods. For secure FTPES, FTPS, or SFTP, this will require a dedicated FTP client, not a web
browser. ​No​ web browsers natively support any type of secure FTP.

19.1.2 A​BOUT​ C​ERTIFICATE​ A​UTHORITIES 

You only need to worry about setting up and validating against a certificate authority if you (the server)
want to authenticate the certificates coming from your FTPS and HTTPS clients. If you are not
concerned with verifying your FTPS and HTTPS clients using certificates, then you can safely ignore all
of the certificate authority configuration information. Just select the ​No verification​ setting (the
default). ​Note: ​Client certificate verification is completely separate from SSH SFTP public key
authentication. ​SSH SFTP public key authentication​ is configured on a per user basis.

80
19.3 TLS/SSL S​ECURITY  

Cerberus uses the settings here for all secure connections.

Security settings page of the Server Manager

19.3.1 G​ENERAL 

These are basic TLS/SSL settings applicable to secure client FTPS, HTTPS, and SSH connections and
encrypted HTTPS SOAP messages.

Enable Explicit This must be enabled to allow secure access to the server. NOTE: A
TLS/SSL certificate and private key must be available before TLS/SSL encryption
will be available.

Enable FIPS 140-2

Enable the ​FIPS 140-2 certified​ encryption module for Cerberus FTP
Mode
Server. Selecting this option enables encryption using only FIPS 140-2

81
 certified algorithms. ​Only available in the Professional and Enterprise
edition​.

Certificate Path The full path to your public certificate. The public certificate is exchanged
with the client during TLS/SSL encryption and is examined by the client
to verify the server. Supported key types include RSA, DSA, and Elliptical
Curve keys.

Private Key Path This is the server's private key. The private key is used to encrypt
messages to the client. The client can use the server's public key to
decrypt messages encrypted with the server's private key. The private
key is not sent to the client. If your public and private key are in the same
file then set this path to be the same as the Public Certificate.
NOTE​: The public and private key can be in the same file. If your public
and private key are in the same file then set this path to the same path as
your Public Certificate path. Cerberus understands both DER and PEM
encoded certificate formats.

Needs Key Password Check this option if the digital certificate is encrypted.

Password The key password used to decrypt your digital certificate.

CA Certificate Path A file containing a PEM-encoded list of Certificate Authorities with which
to verify client certificates against. Cerberus FTP Server will also use this
file to load and send the entire certificate chain for the server certificate
when a client connects. Many CAs call this a CA bundle file.

Create Cert Cerberus will generate a Self-Signed Certificate that will allow encrypted
connections.

Verify Cerberus will attempt to verify that the certificate at the Public and Private
key path is recognized and readable with the given password.

82
19.3.2 ​AD
​ VANCED​ TLS O​PTIONS 

Security Profiles These are common security settings. Selecting a security profile from the
dropdown list will immediately modify the server’s security settings to
match that profile.

Server Cipher During SSL/TLS session negotiation, the connecting client sends an
Preference ordered list of cipher suites to the server. The first suite in the list is the
one most preferred by the client. Normally, the server honors the client
preference by selecting the suite most preferred by the client among the
list of suites that both the client and server support.

If this option is selected, the server selects the suite that the server itself
most prefers among those that both the client and server support. This
can be used to, for example, enforce that the strongest cipher that both
the server and client support be used for the connection.

Verify Client
Certificate Common Cerberus can be configured to provide additional post-verification client
Name certificate checking. Specifically, you can require the certificate common

83
 name to match the FTP username. This option can be accessed by
pressing the ​Advanced​ button.

Check the option to enable certificate common name to FTP username

checking.

SSL Cipher String The ciphers that Cerberus uses during secure connection negotiation for
TLS/SSL can be controlled through a text string. This option can be
accessed by pressing the ​Advanced​ button.

An example string:

ALL:!LOW:!EXP:!ADH:@STRENGTH

The string follows the same cipher string format as the ​OpenSSL ciphers
string​.

Allow SSLv3, TLS1.0, These 4 settings allow you to enable or disable support for SSLv3.0,
TLS1.1, TLS1.2 TLSv1.0, TLSv.1.1, and TLSv1.2 respectively.

19.3.3 DUO 2FA 

Keep your accounts safe with two-factor authentication by Duo.

Duo combines modern two-factor authentication with advanced endpoint security solutions to protect
users from account takeovers and data breaches.

Two-factor authentication is one of the best ways to protect against remote attacks such as phishing,
credential exploitation and other attempts to take over your accounts. Without your physical device,
remote attackers cannot pretend to be you in order to gain unauthorized access to corporate networks,
cloud storage, financial information, etc.

After successful primary authentication, users simply approve a secondary authentication request pushed
to the Duo Mobile smartphone app. Users may also authenticate by answering a phone call or by entering
a one-time passcode generated by the Duo Mobile app, a compatible hardware token, or received via
SMS (Short Message Service).

Before starting

1. Sign up for a​ DUO Account​.

84
2. Log in to the ​Duo Admin Panel​ and navigate to ​Applications​.

3. Click ​Protect an Application​ and locate ​Auth API or Web SDK​ in the applications list. Click ​Protect
this Application​ to get your ​integration key​, ​secret key​, and ​API hostname​.

Setting up DUO in Cerberus

In the ​Server Manager​, Open ​Security, ​Click on​ “DUO 2FA”, ​ and Check "​Enable DUO 2FA
Integration​"

Enter the details of your Duo account. (​Hostname, Integration Key, Secret Key​) and select ​Update​.

DUO is now enabled and will replace the default HOTP implementation.

85
19.3.4 C​LIENT​ V​ERIFICATION 

Cerberus FTP Server can be configured to require FTPS and HTTPS clients to verify themselves using
digital certificates. When given a CA file, Cerberus will verify that the client certificate is signed and valid
for the given certificate authorities. Cerberus will also make sure the certificate hasn't been revoked if a
CRL is specified. ​This feature is only available in Cerberus FTP Server Professional and
Enterprise edition and currently only applies to FTPS, FTPES, and HTTPS connections.

No Verification This is the default option. Cerberus will not require nor will it verify digital
certificates

Verify Certificate
Cerberus will attempt to verify that the certificate presented by the client
is signed and valid. It will compare the certificate against the certificate
authorities present in the CA Certificates File. Any FTPS or HTTPS
connection attempts without a valid certificate will be denied when this
option is selected.

CRL File A file containing a PEM or DER-encoded list of key serial numbers that
have been revoked. Note, the CRL must have been signed by the CA
certificate.

86
19.5 DSA C​ERTIFICATES​ A
​ ND​ E​PHEMERAL​ D​IFFIE​-H​ELLMAN​ K​EYS 

Cerberus FTP Server includes support for ​DSA certificates​. Unlike RSA certificates, DSA certificates
cannot be used for key exchange (a necessary part of establishing an SSL or SSH connection), and
additional pieces of information, known as Diffie-Hellman (DH) parameters, are required to allow key
exchange using DSA.

DH parameters are computationally very expensive to generate, and it isn’t feasible (or necessary) to
generate those parameters in real-time. Cerberus FTP Server includes DH parameters for 512, 1024,
2048, and 4096 bit keys. The parameters were pre-generated using strong sources of pseudo-random
entropy, and are used during DH key exchange to generate new, temporary keys for each SSL session.

Cerberus looks for the DH parameter files in the ​C:\ProgramData\Cerberus LLC\Cerberus FTP
Server\certificates ​directory. You can freely replace the included parameter files with your own,
pre-generated versions if you desire. If the existing files are deleted, Cerberus will attempt to re-create
the missing files during startup by generating new ones. This can take a ​very​ long time, and Cerberus
will appear to hang during startup while the files are generated. Deleting the existing DH parameter files
is ​not recommended​.

19.6 E​LLIPTIC​ C​URVE​ SSH S​UPPORT 

Cerberus FTP Server 4.0.9 and higher support Elliptic Curve Diffie-Hellman (ECDH) key agreement,
Elliptic Curve Digital Signature Algorithm (ECDSA), and elliptic curve public keys for SSH SFTP as
specified in RFC 5656. Only the required NIST curves at 256, 384, and 521 bits with uncompressed
points are currently supported. Please see this page for more information on ​elliptic curve cryptography
support.

87
20.0 R​EMOTE​ S​ETTINGS  

20.1 C​ONFIGURING​ R​EMOTE​ S​ETTINGS  

The remote settings page allows the administrator to configure web administration access and remote
Application Programming Interface (API) access to Cerberus FTP Server. Cerberus allows remote
access to the server administrator via a web browser-based interface and via the normal Cerberus FTP
Server Graphical User Interface (GUI) when running in Windows Service mode.

For software developers, Cerberus exposes several APIs for controlling all aspects of the server using
the SOAP web services.

Remote settings page of the Server Manager

88
20.1.1 G​ENERAL​ SOAP S​ETTINGS 

The remote access settings control HTTP and HTTPS web administration, as well as SOAP API access
to Cerberus FTP Server.

When Cerberus is running as a Windows Service, the GUI connects to and communicates with the
Cerberus Windows Service through a remote access API called SOAP. The Cerberus Windows Service
listens for SOAP connections on the Port specified under the Remote Settings page. That port must be
available for Cerberus to listen on, or the GUI will be unable to connect to the service.

HTTP Port The port that the SOAP service and web administration pages will be
served from.

Use Secure HTTP Select this option to allow only secure HTTPS connections for the web
(HTTPS) administration and SOAP access. A restart of the underlying Cerberus
FTP Server Windows Service is required after changing this parameter.

Allow Remote SOAP Enable SOAP-based remote access. SOAP is an API for connecting
Access programmatically to the server. When this setting is enabled, applications
can make SOAP calls to the server from outside the local machine
(subject to authentication).

NOTE:​ Local SOAP access is always enabled. The Cerberus UI requires

SOAP access to enable communication between the UI and the
underlying Cerberus Windows Service.

89
20.1.2 SOAP TLS S​ETTINGS 

You can control what SSL protocols are supported, as well as what ciphers to allow for SOAP-based
SSL connections. Changes to these settings require a service restart.

20.1.3 A​DMINISTRATOR​ A​CCOUNTS 

There is always a primary admin account, with full permissions to all server functions. The primary
admin account is highlighted in green lettering in the administrator list.

Primary Admin The username used to access the web administration page. This
Username username is also used for basic authentication when using the SOAP
web services API to access the server.

Primary Admin The password used to access the web administration page. This
Password password is also used for basic authentication when using the SOAP
web services API to access the server.

90
 NOTE:​ This is also the username and password used when accessing
Cerberus as a Windows Service from the Cerberus GUI. Normally,
administrators won't be prompted for this password and the GUI will
automatically connect to the service whenever it is started.

The administrator can also control the server through web administration. The web administration
feature has nearly the same capabilities as the desktop user interface. Most server functions can be
controlled through web administration.

20.1.4 S​ECONDARY​ W​EB​ A​DMINISTRATION​ A​CCOUNTS 

You can assign additional web administration users, and limit their access to different aspects of the
server like user management, reporting, etc.

Secondary web administration users can be managed on the Remote page.

Note: ​Secondary web administration users cannot access the SOAP API. Only the primary admin user
can use the SOAP API at this time.

91
21.0 S​ETTING​ U
​ P​ A
​ ​ D​ATABASE​ F​ OR​ S​TATISTICS 
Cerberus FTP Server supports collecting and reporting detailed session and file access statistics using
an ODBC-compliant database. A database connection must be configured in Cerberus before the
server will begin collecting statistics. The reporting database connection will also be used by the
Reporting Manager for generating reports.

The following databases are currently supported (others may work with appropriate ODBC driver
installed):

● Microsoft SQL Server 2012 and 2014 LocalDB

● Microsoft SQL Server 2017 and 2017 ODBC
● Microsoft SQL Server 2012 and 2014 Enterprise
● Microsoft Azure SQL Server
● MySQL Server 5.2 and higher

Database Configuration page for Statistics Collection

92
21.1 I​NSTALLING​ M​ICROSOFT​ SQL S​ERVER​ 2012 L​OCAL​DB 

The quickest and easiest database option is Microsoft Server 2012 LocalDB. LocalDB is a light-weight,
embedded database option from Microsoft that is suitable for local, low-utilization database traffic. It has
a relatively small footprint, and installs quickly. You will also need the Microsoft SQL Server 2012 Native
Client ODBC driver for connecting to LocalDB. Links to both products are below.

To download and install LocalDB:

If you are running the 64-bit version of Cerberus FTP Server, make sure you download and install the
x64 version of SQL LocalDB and the corresponding x64 SQL Server 2012 Native Client driver.

21.1.1 F​OR​ ​THE​ 64-​BIT​ V

​ ERSION​ O
​ F​ C​ERBERUS​ FTP S​ERVER​: 

Microsoft SQL Server 2012 LocalDB x64 (for 64-bit Windows)

SQL Server 2012 Native Client (64-bit)

21.1.2 F​OR​ ​THE​ 32-​BIT​ ​VERSION​ ​OF​ C​ERBERUS​ FTP S​ERVER​: 

Microsoft SQL Server 2012 LocalDB x86 (for 32-bit Windows)

SQL Server 2012 Native Client (32-bit)

After installing SQL Server 2012 LocalDB and the SQL Server 2012 Native Client, you can go to the
Server Manager's Reporting page and select the ​SQL Server Native Client 11.0​ driver.

21.2 S​ELECTING​ A
​ ​ D​ATABASE 

If you are setting up a new database connection for the first time you will need to enable statistics
collection and select a database ODBC driver. You can accomplish these tasks using the steps below:

1. Open the​ ​Server Manager​ ​and go to the​ ​Reporting​ ​page.

2. Open the Drivers select box and select the ODBC database driver appropriate for your database
type (i.e. ODBC Driver 13.1 for SQL Server for a remote connection to Microsoft SQL Server).

For Microsoft SQL Server installations other than LocalDB, we recommend downloading and installing
the ​Microsoft ODBC Driver 13.1 for SQL Server​. Some reporting features may not work
with the default SQL Server ODBC driver installed on most machines.

3. The connection parameters available for your driver type will now appear and must be filled in.
4. After filling in the ODBC driver connection parameters, press the Connect button to test your
connection.
5. If there are no errors after pressing the​ ​Connect​ ​button, press the​ ​Create Tables​ ​button to create
the necessary database tables for Cerberus to write to the database.
6. If​ ​Create Tables​ ​was successful then you are finished setting up your connection.
7. Check the "​Enable Statistics Collection​" checkbox.

93
The ​Connect​ button will test that Cerberus can establish a connection to the database, and run a quick
search for the necessary Cerberus statistics tables. If this is the first time connecting to the database,
and the tables do not exist, click the ​Create Tables ​button to allow Cerberus to try to create the
necessary tables on the database.

If you are using a database that requires a username and password, the user account must have
permission to create a database, and tables in the database. Statistics collection and reporting will not
work if the user account does not have create database and create table permissions.

Once you have verified a working database connection, and that the database and tables exist, select
the ​Enable Statistics Collection​ checkbox to enable statistics collection.

21.3 D​ATABASE​ B​ACKUP​ A

​ ND​ R​ESTORE 

The Backup and Restore buttons are currently only supported when connecting to Microsoft SQL Server
databases. The buttons will be disabled when any other database type is selected. The buttons allow
downloading a copy of a local database, and later restoring it. Note, the database will be saved to the
local machine where the database is running. If you click the Backup button for a remote database, the
database will be saved to the selected path ​on the remote server running the database​. The same goes
for restoring a database. The database must be on the local machine.

Non-SQL Server databases should be backed up using whatever backup system is native to that
database.

94
22.0 A​DVANCED​ S​ETTINGS  

22.1 C​ONFIGURING​ A​DVANCED​ S​ETTINGS 

The advanced settings page contains options for passive mode, running as a Windows Service, network
buffers, and power management.

Advanced page of the Server Manager

22.1.1 S​END​ A
​ ND​ R​ECEIVE​ B​UFFERS 

These settings control the size of the buffers used for data transfers. Cerberus will read and write
packets of this size for send and receive operations.

Socket Send Specifies the total per-socket buffer space reserved for sends. This value
is in bytes.

Socket Receive Specifies the total per-socket buffer space reserved for receives. This
value is in bytes.

95
FTP Send The size of the send buffer used for reading file data and writing data to
the network for unencrypted FTP transfers, in bytes

FTP Receive The size of the receive buffer for reading network data and writing data to
files for unencrypted FTP transfers, in bytes.

22.1.2 I​NTERFACE​ A​DVANCED​ S​ETTINGS 

These are advanced settings for Interfaces.

Undetected IP If Cerberus fails to detect an IP Address, you can input the undetected IP
Address address here. A service restart is required after adding the IP.

22.1.3 A​DVANCED​ W​INDOWS​ S​ETTINGS 

These settings are only available on Windows NT and higher.

Respond to power If enabled, Cerberus will attempt to gracefully shutdown and startup in
management events response to power suspend and resume events. May allow more graceful
recovery from suspending and resuming the system.

Shutdown Server
Detects operating system shutdown or restarts and tries to gracefully
when Windows is
terminate all connections and ensure all server settings are saved.
shutting down

Try Alternative Active Uses an older method of checking an AD Active Directory user's group
Directory Group information. This fallback method may work in some situations when
Check Cerberus cannot reliably detect all of the groups an AD user is a direct
member of.

96
23.0 T​HE​ IP M​ANAGER  

23.1 G​ENERAL​ S​ETTINGS 

The Cerberus FTP Server IP Manager allows an administrator to selectively allow or deny access to the
FTP server based upon IP address. The IP manager functions in one of two policy modes, either
denying any IP addresses listed from logging into Cerberus FTP Server (functioning as a Deny list), or
only allowing IP addresses listed to log in (an Allow list). The policy mode is controlled by a radio button
at the bottom of the ​General​ tab page.

General page of the IP Manager

The IP list shows the IP address or IP address range and how long that address or address range is
blocked for. Possible options for block time are "Forever" (Deny mode), "Never" (Allow mode), or a
date/time value.

If a date/time value is present, the IP address or IP address range is blocked from connecting until that
date/time has elapsed (Deny or Allow mode). You can change how long an IP address entry is blocked
for by right-clicking on that IP entry and selecting "Change Time" from the menu that appears.

97
23.1.1 A​DDING​ A
​ ​ ​SINGLE​ IP A
​ DDRESS​ ​TO​ ​THE​ IP M
​ ANAGER​ ​POLICY 

IP addresses can be managed individually, or whole ranges of addresses can be affected by the current
policy. To add a single address to the current policy, make sure the "Assign a range of addresses"
checkbox is unselected. Then, enter the IP address you wish to add to the first IP address box. Finally,
click the "Add" button immediately below the IP address box.

23.1.2 A​DDING​ A
​ ​R
​ ANGE​ ​OF​ IP A
​ DDRESSES​ ​TO​ ​THE​ IP M
​ ANAGER​ ​POLICY 

To add a range of addresses, first ensure the "Assign a range of addresses" checkbox is selected.
Then, enter the beginning IP address in the "IP From" box and the ending IP address in the "IP To" box.
The range will be interpreted as a contiguous range of addresses to block or allow. Finally, click the
Add​ button immediately below the IP address box.

23.1.2.1 CIDR S​UPPORT

You can also enter a range of IP addresses in CIDR notation using the CIDR edit box. You can enter
one CIDR range or multiple CIDR ranges. To enter multiple CIDR ranges, separate each CIDR range
with a space or comma. The CIDR address will be converted to a contiguous range and added to the IP
Manager list.

23.1.3 D​ELETING​ A
​ N​ IP A
​ DDRESSES​ ​FROM​ ​THE​ C
​ URRENT​ ​POLICY 

To delete either an IP address or range of IP addresses from the current policy, select the item from the
"IP Addresses" list view box. Once selected, press the Delete button. You can also select and delete
multiple items at once from the IP manager by ctrl or shift-clicking multiple items in the list box. NOTE:
You can also delete an IP address or a range of IP addresses by right-clicking on the selected IP and
selecting "Delete" from the menu that appears.

23.1.4 S​EARCHING​ F​ OR​ A

​ N​ IP A​DDRESS 

You can use the "Find" button at the top of the IP list box to search for an IP address in the list box. The
"Find" button will select the first IP address or range of IP addresses containing the IP address you are
searching for.

23.2 T​HE​ "A​UTO​-B​LOCKING​" P

​ AGE 

The other use for the IP manager is the ability to configure an auto-blocking policy for the FTP server.
Administrators can use the auto-blocking policy to help prevent DoS (Denial of Service) and brute force
password guessing. If the auto-blocking policy is enabled, a user that continually fails to log into the
server will be blocked from trying after a certain number of failed attempts. The number of failed
attempts and the length of time the IP address will be blocked from attempting to log in can be
configured from the "Auto-Blocking" page.

When ​Enable Auto-Blocking​ is enabled a failed attempt is logged whenever a user enters an incorrect
password or tries to login with an invalid username. If ​Enable DoS Protection​ is selected then any
attempt to connect to the server will be counted towards auto-blocking, even if the connection doesn't
attempt to authenticate. This can help prevent DoS attacks that try to tie up connections and

98
overwhelm the server. DoS Protection can also be useful for services continuously probing the server
with garbage data attempting to find security vulnerabilities. However, a successful login from an IP
address resets the "Failed login attempts" counter to zero for the IP address.

The number of failed login attempts can be configured from the ​Pre-Blocked Settings​ frame. The ​Time
before login counter reset​ edit control can be used to set the amount of time that must elapse before
the ​Failed login attempt​ counter is reset.

The length of time an address is blocked can be configured using the ​Auto-Block Timeout​ setting.
Select the Forever radio button to block a flagged IP address indefinitely, or select the "Block for X
minutes" radio button to set the length of time the address is blocked. Once an address is blocked, the
timeout period must elapse before the address is allowed to log in again.

IP addresses that have recently failed logins, but have not yet exceeded the ​Failed login attempt
threshold, are displayed in the ​IP Addresses being "watched"​ list view. You can freely delete an
address from the list view. Deleting the address has the effect of resetting the ​Failed Login attempt
counter for that address to zero.

Auto-blocking page of the IP Manager

99
23.2.1 I​MMEDIATELY​ B​AN​ ​THESE​ U​SERS 

Certain usernames are often tried by automated bots. You can configure Cerberus to automatically
block the IP of any connection that attempts to login using one of these banned usernames.

23.2.2 D​IFFERENCES​ I​ N​ A​UTO​-B

​ LOCKING​ B
​ ETWEEN​ A​LLOW​ ​AND​ D​ENY​ M
​ ODE 

How auto-blocking works differs depending upon whether the IP manager is functioning in Deny or
Allow mode. If the IP manager is functioning in Deny mode (denying addresses listed in the IP
manager), then whenever a connection exceeds the failed login attempt threshold, that connection's IP
address is added to the deny list.

Auto-blocking works differently for Allow mode (allowing only addresses listed to login to the server). In
Allow mode, whenever a failed login attempt exceeds the failed login threshold, the IP address is either
removed from the IP manager's list of allowed IP addresses (if auto-blocking is set to block failed logins
forever) or blocked for the Auto-Block Timeout period. The exception is if the IP address is part of a
range of IP addresses. If an IP address is part of a range of allowed IP addresses, that range is not
deleted.

100
24.0 T​HE​ E​VENT​ M​ANAGER 

24.1 A​BOUT​ E​VENT​ R​ULES 

Available in​ Cerberus FTP Server Enterprise edition​, the Event Manager allows an administrator to
configure email notification, perform file operation or batch file actions, and carry out certain server
operations based off of server events.

Event rules are based on the simple premise that an event occurs that triggers an action. There are
several different rule types, and for each rule type there is a corresponding event that can trigger that
rule.

You can further restrict a rule by specifying additional conditions on the event that must exist before the
rule's actions are taken.

For example, suppose you have a folder into which customers can upload files. You can set up an event
rule that monitors that folder, and when someone uploads a file into that folder, the rule moves the file to
another folder, and then sends an email to an administrator informing them that a file has been moved.

You can also set up a rule that only moves particular files. For example, you can configure the rule to
move only the files that end in .zip, or you can route particular files to different folders.

An event rule consists of a triggering event (e.g. a File Transfer), any optional conditions affecting that
event (e.g. uploaded by a specific user), and the resulting actions that are carried out (e.g. moving the
file, or sending an email to an administrator). You can modify your rules any time in the event manager.

24.2 T​HE​ E​VENT​ T​ARGETS​ ​PAGE 

The Event Targets page allows an administrator to add email servers, executable files, and HTTP
endpoints as event targets. Many of the actions you can invoke as part of an event rule, or scheduled
task, require an event target. For example, the "Email someone" action requires an email server, and
the "Launch an executable" action requires the file path to the executable file. Those event targets can
be defined here.

There are also certain server actions that can require an SMTP server, like public file sharing, or
password expiration notification. You will first need to add at least one SMTP server here before the
server can carry out those operations.

101
24.2.1 A​VAILABLE​ T​ARGET​ T​YPES 

There are three different types of event targets you can add for use in event rules and scheduled tasks.

24.2.1.1 SMTP S​ERVER​ T​ARGETS

You can add SMTP servers using the SMTP Server Target box. Cerberus currently supports the SMTP
protocol, including SMTP with SSL encryption and STARTTLS. If your server requires it, SMTP server
credentials can be configured by selecting the ​SMTP Authentication​ checkbox.

24.2.1.2 E​XECUTABLE​ T​ARGETS

Cerberus can be configured to launch an .exe, .bat, or .com file as an action for any event. Just select a
file path and press the "​Update​" button to make an executable target available for selection when
adding and editing rules. Command line options for the executable are specified on a per action basis
from the rule editing page.

102
24.2.1.3 HTTP P​OST​ T​ARGETS

This option allows you to specify a URL that will receive an HTTP or HTTPS POST containing all of the
rule's variables. Variables are included in a POST request using ​application/x-www-form-urlencoded
encoding.

24.2.2 A​DDING​ A
​ ​ N​EW​ E​VENT​ T​ARGET 

Press the ​New​ button at the top of the Event Targets page. A dialog will prompt you for the type of
target you wish to add.

24.2.3 M​ODIFYING​ ​AN​ E​ XISTING​ ​EVENT​ ​TARGET​. 

Select the event target in the Targets list. An edit section for that target will appear below the event
targets list. Press the ​Update​ button after making your changes to save those settings to the server.

24.3 T​HE​ R​ULES​ ​PAGE 

The Rules page provides an overview of all of the rules you have added. From this page you can Add,
Delete, Clone, or Enable and Disable a rule.

You can enable or disable a rule from this page. Whenever a rule is disabled, that rule is no longer
checked whenever the system generates an event that would normally trigger the rule.

Selecting a rule from the Event Rules table will open up a summary of the rule for editing.

103
24.4 E​DITING​ A
​ ​ R​ULE 

Select a rule from the rules list to open it for editing.

Rule Editing in the Event Manager

24.4.1 A​VAILABLE​ E​VENT​ R​ULE​ T​YPES 

A rule is defined by the type of event that triggers it. Each rule has a single event type associated with it.
When that event occurs, any rules associated with that event type are triggered. The following rule
event types are available:

This event is triggered whenever a user uploads a

File Transfer Event file to the server, or downloads a file from the
server through an authenticated Cerberus
account. This event is not generated for public
share file downloads. There is a separate event
for public file downloads.

This event is triggered whenever the server

IP Blocked Event adds an IP address to the block list.

104
 This event is triggered whenever a user account
User Account Blocked Event is locked out because of a policy violation (too
many failed login attempts).

This event is triggered whenever a user account

User Disable Date Elapsed is disabled because the disable date for the
account has elapsed, or because the account
has exceeded the last login time threshold.

This event is triggered when an account

Account Password Expiring Event password is set to expire. The number of days
before expiration that this event is sent is based
upon the password expiration policy settings.

This event is triggered when a new account

New Account Request Event request is submitted through the HTTP/S web
client.

This event is triggered whenever a user

Login Event attempts to login to the server.

This event is triggered whenever a user

Logoff Event attempts to login to the server.

This event is triggered whenever a user creates

Directory Created Event a directory on the server.

This event is triggered whenever a user deletes

File Deleted Event a file or folder on the server.

This event is triggered when a file or directory is

File Move/Copy Event moved or copied by a user.

This event is triggered whenever the server

Upgrade Available Event detects that a new version of Cerberus FTP
Server is available.

This event is triggered whenever a public file

Public File Share Event share link is generated for a file by a user. A
public file share link is generated whenever a
user uses the Share or Email button in the
HTTPS web client to generate a new public link.

This event is triggered whenever a publicly

Public File Download Event shared file is downloaded from the server. This
event will not be generated for a file download
by an authenticated (logged in) Cerberus user.

This event is triggered after the server attempts

Backup Server Synchronized to synchronize settings to a backup server.

105
24.4.2 A​DDING​ A
​ ​ N​EW​ R​ULE​ ​OR​ E​DITING​ ​AN​ E​XISTING​ R​ULE 

24.4.2.1 T​O​ ​ADD​ ​A​ ​NEW​ ​RULE​:

1. Go to the​ Event Rules​ page of the Event Manager

2. Click the ​New​ button. The ​Add a New Rule​ dialog will appear.
3. Select the ​Rule Type​ for your new rule option. The rule type will determine what server event
triggers this rule.
4. Enter a name for your rule in the ​Rule Name​ edit box.
5. Press the​ Add New Rule ​button on the Add A New Rule dialog to save and add the new Event
Rule. The event rule will be selected and ready for editing on the Event Rules page.

24.4.2.2 T​O​ ​EDIT​ ​AN​ ​EXISTING​ ​RULE​:

1. Go to the​ Event Rules​ page of the Event Manager

2. Select the name of the existing rule you wish to edit from the event rules table. The event rule
should appear and be ready for editing.

24.4.3 C​HANGING​ T​ HE​ N​AME​ O

​ F​ A
​ ​ R​ULE 

You can change the name of an existing rule by selecting it in the rules table. You can then modify the
Rule Name under the Rule Summary section. After entering the new Rule Name, press the Update
button attached to the Rule Name text field.

24.5 A​DDING​ R​ULE​ C​ONDITIONS 

You can add a new condition to an event rule by pressing the Create button in the Event Conditions
header. The new condition section will appear below the header.

A rule's actions are carried out whenever that rule's event trigger happens. For example, a Login Event
rule will be triggered whenever a user logs into the server. Conditions (also called filters) can be placed
on rules to further modify if an event matches a rule. For example, a Login Event rule can have a filter
placed on it that requires the username of the user logging in to match a specific name, or be in a list of
names, before the rule's actions are invoked. There are three modes that influence how conditions or
filters are applied.

24.5.1 R​ULE​ M​ATCHING​ M​ODES 

The three rule matching modes are:

Match All Events This rule will always be triggered whenever the rule's event occurs.

Match If Any Filters This rule will be triggered whenever the rule's event occurs and if ​any​ of
Match the conditions listed are fulfilled

106
Match If All Filters This rule will only be triggered whenever the rule's event occurs and
Match if ​all​ of the conditions listed are fulfilled

24.5.2 R​ULE​ V​ARIABLES 

Each event type has specific variables that can be used as part of a condition or action. A rule condition
consists of a variable, a comparison operation to perform on that variable, and a set of values to
compare the variable to. For example, an IP Blocked event has an ​{{IP}}​ variable associated with it that
contains the IP address that was blocked. You can use the variable in a condition to help decide if the
event should trigger the rule.

You can determine what rule variables are available for each event type by looking in the ​Rule
Variables​ combo box.

24.5.2 C​OMPARISON​ O​PERATIONS 

A condition is basically a comparison operation of an event variable to a set of values. The comparison
operations you can perform are detailed below:

● > (Greater than or Equal To)

● ≥ (Greater than)
● < (Less than)
● ≤ (Less than or Equal To)
● = (Equal To)
● != (Not Equal To)
● Contains
● Does Not Contain
● Starts with
● Ends with
● Regular Express match

Once a comparison operation is selected, you can enter the ​values​ to compare to. There is a text field
labeled “​Values”​ below the comparisons select control that you use to enter values to compare the rule
variable to. Multiple values can be entered by separating the values with a comma. Each value is
checked, and if any are a match then the condition is considered fulfilled (or true).

Press the ​plus (+) button​ next to the Values text box to add the new rule condition to the event rule.

The new event condition will appear at the bottom of the Event Conditions section.

24.5.3 D​ELETING​ ​AN​ E​VENT​ C​ONDITION 

You can delete an existing event condition by pressing the red ​X​ button next to the event condition.

107
24.6 R​ULE​ A​CTIONS 

Rule actions are the operations the administrator wishes the server to carry out in response to server
events that match their rule conditions. Event actions can be of two types:

1. Normal top-level actions that get executed sequentially, or

2. Failure actions that get executed whenever the event action they are associated with fails

Actions are normally executed one after the other, in a sequential order. Failure actions are always
associated with a top-level action, and only get executed if the action they are associated with fails. The
failure action is executed right after the action it is associated with.

Each top-level action has a “​Stop on Failure​” option. If the “Stop on Failure” option is checked, no
further actions will be executed for the event rule if the action fails (other than any failure action
associated with the top-level action).

24.6.1 A​DDING​ R​ULE​ A​CTIONS 

When an event matches all of the conditions of a rule then the rule actions are carried out. The current
rule actions allow an administrator to:

● Send an email message detailing the event that occurred

● Send an email session report of all user activity when a user logs off
● Launch an external process
● Perform a file copy, move, delete or directory create or delete operation
● Perform a user or group delete or disable
● Add a configurable delay before the next action is invoked
● Create a backup file of the server configuration

Each action can have optional parameters such as the email name and address to send a message to,
or the ‘path from’ and ‘path to’ for a file move or copy operation. In addition, rule variables can be
specified as parameters for the external processes command line or file operation parameters. You can
use a rule variable as a parameter and when the rule is actually triggered, the variable's value will be
substituted for the variable. You specify variables by enclosing the variable in double brackets,
i.e. ​{{U}}​.

24.6.2 T​O​ ​ADD​ A

​ ​N
​ EW​ A​CTION​ ​TO​ ​A​ R​ULE​: 

These instructions assume you have selected a rule for editing from the rules tables.

1. Go to the ​ACTIONS​ header section of the event rule.

2. Press the ​Create​ button in the ACTIONS header. The new action section will appear below the
ACTIONs header.
3. Select an action from the Action drop-down list (i.e., Email someone)
4. Select any secondary actions associated with that action (i.e, an email server for emailing
someone)
5. New fields will appear below the Actions drop-down lists based on the action and secondary
action selected

108
 6. Fill in the details for that action (i.e., an email address)
7. If you for the rule action list to stop executing if this action fails then select the “​Stop on Failure​”
option for the action.
8. Press the ​plus (+) button​ to add the new action to the rule

The new event action will be added to the bottom of the Actions section. New actions will be added to
the bottom of the list, and will be executed in the order they appear in the list.

24.6.3 E​DITING​ ​AN​ E​XISTING​ R​ULE​ A​CTION 

You can edit an existing rule action by selecting the ​Action​ button to the left of the event action. Selecting the
Action button will bring up a menu of available operations you can perform on the event action.

Select the Edit Action button from the menu that appears to have the action selected in the Actions
section.

24.6.4 D​ELETING​ A
​ N​ E​XISTING​ R​ULE​ A​CTION 

You can delete an existing rule action by selecting the ​Action​ button to the left of the event action.

Select the ​Delete​ button from the menu that appears to have the action deleted from the event rule.

24.6.5 C​HANGING​ T​ HE​ O

​ RDER​ ​AN​ A
​ CTION​ ​IS​ ​EXECUTED 

You change the existing execution order of event actions by selecting the ​Action​ button of the event
action you wish to change.

Select the ​Move Action Up​ or ​Move Action Down​ to swap positions with the action above or below the
selected action.

109
24.6.6 C​REATING​ A
​ ​ F​AILURE​ A​CTION 

Each action can have a failure action associated with it. Failure actions are additional actions that only
get executed whenever the action they are associated with fails. For example, you can add an “Email
Someone” failure action to an action to email the administrator whenever the top-level action the failure
actions is associated with fails. Or, you can try the action a second time as your failure action.

The same action options are available as failure actions as are available for top-level actions.

To create a failure action, create a new action as you normally would for a top-level action. Use the
Move Up or Move Down action options to place the new failure action below the top-level action you
wish it to be associated with.

Once the action you wish to associate as failure action is below the top-level action, select the “Assign
as Failure Action” option from the Actions button next to the failure action. You will now see the action
become indented under the top-level action, and the text “if fail then” appear in front of the failure action.

24.6.6.1 R​EMOVING​ ​A​ ​FAILURE​ ​ACTION

Removing a failure action just requires pressing the Action button associated with the failure action’s top-level
action, and then selecting the “​Detach Failure Action​” option from the menu that appears.

Detaching a failure option from a top-level action will make the failure action a normal top-level action again.
You can then move it around, re-assign it as a failure action of another top-level action, or delete it.

24.7 E​VENT​ T​ASKS 

Event tasks are similar to event rules. However, rather than being triggered whenever an event like a
file upload or directory creation occurs, event tasks are time-based, and occur on an admin-defined
schedule.

Administrators can configure event tasks to occur once, or to repeat every minute, hour, day, week,
weekday, month, or year.

You can create and edit event tasks on the Event Tasks page of the Event Manager.

24.8 A​DDING​ A
​ ​ S​ CHEDULE​ T​ O​ A
​ N​ E​VENT​ T​ASK 

Schedules can be added to event tasks in a similar way that event conditions are added to event rules.

1. Specify a Start Date for the scheduled task. If you do not specify a Start Date then the task will
be executed immediately.
2. Select how often you want the task to repeat. You can select a period and frequency. For
example, every 5 hours.
3. Press the ​plus (+) button​ to add the schedule to the task.

110
25.0 A​DDING​ A
​ ND​ E​ DITING​ E​VENT​ T​ASK​ A​CTIONS 
Please see the section on ​adding and editing actions​ in the​ Event Rules help​ section. The process
is identical for scheduled tasks.

26.0 F​OLDER​ M​ONITORS 

The Folder Monitor page allows you to configure the server to monitor a top level folder and subfolders
for setting up a file retention policy.

You can configure a directory and subdirectories to be monitored for files older than a specified time
period. The directory will be checked at an administrator-defined interval, and files older than the
specified age will be deleted.

Folder Monitor for configuring file retention policies

111
26.1 O​THER​ E​VENT​ S​ETTINGS 

The event settings page allows the administrator to configure settings like the email template logo,
whether to include server information in event emails, and other global event settings.

Default Email Event The email heading title at the top of each event notification email.
Title

Custom Email Icon Allows the administrator to include their own icon logo with event
Path notification emails, instead of the default logo icon.

Include Icon in Emails Determines whether or not the default or customer email icon path is
included with each event notification email.

Include Server Origin Determines whether or not the server version and machine name are
in Emails included with each event notification email.

Include Event Determines whether or not the basic event description is included with
Description in Emails each event notification email.

112
27.0 T​HE​ R​EPORT​ M​ANAGER 
Administrators can use the statistics and reporting feature to generate detailed reports of client activity
based on user names, dates ranges, and file access.

The Report Manager Overview Page

27.1 G​ENERATING​ A
​ ​ R​EPORT 

Administrators can use the statistics and reporting features in Cerberus FTP Server Enterprise edition to
generate detailed reports of client activity based on user names, dates ranges, and file access. In
addition to client activity, the administrator can also generate native account reports indicating account
creation and last login dates.

NOTE:​ Using the Report Manager requires that a ​report database​ be configured.

113
 Cerberus FTP Server Report Manager

An administrator can generate three types of reports:

● Login Sessions
● File Access
● User Account Status

27.1.1 F​ILE​ A​CCESS​ R​EPORTS 

File access reporting can by filtered by file name, date and time, and user name. The file reports contain
important information about a file transfer, including:

● The full local path of the file

● The type of file operation performed on the file (upload, download, rename, delete, copy)
● The user that accessed the file
● The IP address the user accessed the file from
● The date and time the access occurred
● The protocol used to access the file (FTP, FTPS, SSH SFTP, HTTP, or HTTPS)
● The type of encryption used, if any, to perform the file operation

114
The administrator can also use the Include feature to decide what type of file activity to include in the
report (downloads, uploads, file renames/moves, public file shares, etc.).

115
28.0 L​OCALIZATION   
The ability to translate languages directly from Web Administration is very useful if you want to quickly
change any text from the web client (i.e. the name of a menu item, button or description).

In order to edit a translation of a language, find the language in the ​Locale Name​ list. Now, you will see
the language tags, default translation and the translation for these languages tags in the language that
you’re editing. ​(For a language that we don't have a translation for you will see the default English
values.)​ Use the filter option at the top of the page to help find a specific language tag.

29.0 LDAP A​UTHENTICATION  

Cerberus FTP Server Professional is able to authenticate users against LDAP directory services. The
Lightweight Directory Access Protocol​, or ​LDAP​, is an application protocol for querying and
modifying ​directory services​ running over TCP/IP.

Administrators can easily integrate Cerberus and LDAP or LDAPS (LDAP over SSL). All you need are a
few parameters describing the LDAP service.

What do I need to use LDAP Authentication?

116
An LDAP service and some information about the server hosting the LDAP service:

Server This parameter is the ​FQDN​ or IP address of the LDAP server to search.

Port The network port of the LDAP server.

Enable SSL This checkbox determines whether the connection to the LDAP server is
encrypted. The LDAP server must support encryption for this to work. Port
389 is the default port for unencrypted LDAP and port 636 is the default
LDAPS port.

Label A label you can use to help identify the configuration you are setting up

Base DN The distinguished name to use as the search base.

Search Scope Base, One Level, Subtree

Username attribute The name of the uid attribute for a user in the directory.

Search Filter LDAP filter used to limit results when searching the directory for
users.This filter can be used to limit authentication to only certain object
types or to members of certain groups.

Search Filter Examples

(objectClass=User)

The above filter will include only search entities that have the object class
User​.
(memberof:1.2.840.113556.1.4.1941:=cn=FTPUsers,CN=Users,
dc=corp,dc=cerberusllc,DC=local)

The above filter will include all users that are members of the group
FTPUsers​.

Do not​ add a filter including the ​Username Attribute​ here, as this attribute
is handled by Cerberus.

I.e., if the ​Username Attribute​ is ​sAMAccountName​, Cerberus will

automatically create a string like
(&(objectClass=User)(sAMAccountName=ftpUser))

117
 where ​ftpUser​ is the name of the user that attempted login.

User DN The FDN of an account with read privileges to the LDAP server.

Password The password for the User DN account. This password is encrypted when
saved.

By default, all LDAP users are assigned the same virtual directories and permissions. These defaults
are configured under the ​Default Virtual Directory Mapping Mode​ section of the LDAP Users page.
However, if you wish to customize the directory and permission mappings for individual LDAP users
then you can do so using the ​User Custom Mappings​ tab.

The ​User Customer Mappings​ section allows you to override the default settings for a user by
mapping individual LDAP users to Cerberus groups. The mapped LDAP users will receive the settings
and virtual directories from the mapped group, instead of the defaults.

28.1 D​EFAULT​ V​IRTUAL​ D​IRECTORY​ M​APPING​ ​FOR​ LDAP U​SERS 

The​ Default Virtual Directory Mapping​ modes work as follows:

Global Home Every LDAP account will use the directory specified under the "Global Home"
edit box as the FTP root. This is the simplest option, and every LDAP user is
assigned this one directory as their root folder.

The Cerberus permissions on this folder can be restricted through the

Permissions​ button to the right of the Global Home edit box.

118
Global Every LDAP account will use a subdirectory off of the "Global Home"
Home\%USER% directory that is the same as the account's name. This directory will be
created automatically, if it doesn't exist, when the user logs in.

The Cerberus permissions on this folder can be restricted through the

Permissions​ button to the right of the Global Home edit box.

LDAP User Every LDAP account will use the directory attribute defined here to determine
Attribute what virtual directories to add to their account.

This attribute can have multiple values, and each value will be added as a
separate virtual directory.

The default value will be a valid Windows directory path. By default, the last
directory of the file path will be used for the virtual directory name, and the
user will have full permissions to the directory path.

The value can be customized into 3 semicolon separate components to

customize the added virtual directory path into a full directory path, a virtual
directory name, and a permissions set for the virtual directory.

For example, the value for the attribute could be:

C:\ftproot\user\andrew;home;2047

The first part is the directory path, the second is the directory name, and the
third is a bit mask indicating the permissions the user has for that virtual
directory.

The directory permissions field for a virtual directory is a simple bit mask.
Permissions have the following values:

Permission Value

DOWNLOAD 1

UPLOAD 2

RENAME 4

DELETE 8

CREATEDIR 16

LIST DIRECTORIES 32

119
 LIST FILES 64

DISPLAY HIDDEN FILES 128

ZIP 256

UNZIP 512

SHARE 1024
Just add the values up to achieve the desired permissions. e.g.,
Download, Upload, Rename, and Delete permissions would be (1 + 2 + 4
+ 8) = ​15​.

Granting all permissions would be ​2047​.

Cerberus Default The specified Cerberus Group will be used to determine what directories and
Group Directories what settings to apply to the LDAP user when they login, including any
and Permissions security requirements associated with the group.

29.1 S​ETTING​ ​UP​ A​CTIVE​ D​IRECTORY​ A​UTHENTICATION​ ​USING​ LDAP 

The following steps detail the procedure for enabling LDAP Authentication to verify credentials against
Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or
ApacheDS.

​ erver​ and ​Port​ attribute

1. Ensure you are on the ‘​Server Overview​’ tab. Change the LDAP Port S
in the LDAP Users page to the host name and port number of the Active Directory:

● e.g., Server: hostname.domain.com ​or​ an IP address:192.168.0.100

● Port: 389 is the default for unencrypted LDAP connections. Port 636 is the default for
LDAPS encrypted connections.

2. Enter a ​Label​ to help you identify this configuration, for example: ‘HQ Domain”

3. Change the ​Base DN​ to the proper base for the Active Directory.

Simply specifying the base suffix will not work in this attribute. For Active Directory, it would
usually be the cn=Users plus base suffix. e.g.: for domain ​corp.cerberusllc.com​ :

CN=Users,DC=corp,DC=cerberusllc,DC=com

or for local domain ​corp.cerberusllc.local​ :

CN=Users,DC=corp,DC=cerberusllc,DC=local

4. Select the ​Search Scope​ (Base, One Level, Two-Levels)

120
 This setting controls how deep into the directory to search for users. This setting combined with
the Base DN and Search Filter determines which users are matched for authentication. ​One
Level​ is usually the best setting for typical Active Directory configurations.

5. Change the ​Username Attribute​.

This attribute is the one that the LDAP module will search for in Active Directory and attempt to
match against the supplied FTP username. It is often the UID attribute on many LDAP servers.
For example, if users login using their Common Name, the value of this attribute would be ​cn​.
For Active Directory, the login name is usually mapped to ​sAMAccountName​ as it is the
attribute in Active Directory most like UID. For Active Directory, it is usually best to
specify ​sAMAccountName​.

6. Change the ​Search Filter​.

This string is an LDAP search string used to locate and filter the account in Active Directory.
This filter can be used to make sure only certain types of objects are checked for authentication.
(objectClass=User)

The above filter will include only search entities that have the object class ​User​.

(memberof:1.2.840.113556.1.4.1941:=cn=FTPUsers,CN=Users,dc=corp,dc=cerberusllc,DC=loc
al)

The above filter will include all users that are member of the group ​FTPUsers​. D
​ o not​ attempt
to add the uid search attribute here. Cerberus will automatically append an attribute filter to
select the correct account based on the User DN Attribute, e.g., if the User DN Attribute is
sAMAccountName​, Cerberus will automatically create a string like

(&(objectClass=User)(sAMAccountName=​ftpUser​))

where ​ftpUser​ is the name of the user that attempted login.

7. Select a ​Cerberus Default Directory​.

The specified Cerberus Group will be used to determine what directories and what settings to
apply to the LDAP user when they login, including any security requirements associated with
the group.

8. Click on the ‘​Bind Options​’ tab. Change the DN for the ​User DN​ bind attribute to a user with
the right to read the Active Directory.

Anonymous access to Active Directory is not allowed, so a bind account is needed. This is
simply an account for Active Directory that has read ability on the attribute to which the user will
authenticate. An example might be

121
 cn=administrator,CN=Users,DC=corp,DC=cerberusllc,DC=local​. Enter the password for the
user account. Note: This password will be encrypted in memory and before being saved to disk.

9. Enter the ​User DN Password​. This is the password for the user with the right to read the Active
Directory.

10. Once done, be sure to click ‘Save’ (The diskette icon)

11. Verify that the settings are correct by clicking the ​Connect​ button. You should see the user DNs
from Active Directory that are able to log in to Cerberus FTP Server. Note: Unless "Use FQDN"
is checked, only the value of the ​User DN Attribute​ will be displayed in the LDAP user list. It is
this value that will be compared against the FTP username to determine an account match.

12. Select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP
users. Note that the "isAnonymous" setting on the group is ignored. The group cannot be
anonymous.

Cerberus FTP Server is now configured for authentication against an LDAP server (Active Directory, in
this case).

Other, optional LDAP settings are available in the ‘User MFA Settings’ and ‘User Custom Mappings’
sections. See the relevant sections of this document for details.

29.2 LDAP U​SER​ T​ O​ C​ERBERUS​ G​ROUP​ M​APPING 

You can customize the directory and permission mappings for individual LDAP users through the ​LDAP
Directory Mapping​ tab. Customizing an LDAP account is accomplished by mapping an LDAP user
account to a Cerberus group account. This mapping will override the default Cerberus Group and
directory mapping, specified on the LDAP Users page, for the mapped LDAP account.

29.2.1 C​REATING​ ​AN​ LDAP U​SER​ ​TO​ C​ERBERUS​ G​ROUP​ M​APPING 

Mappings between an LDAP User and a Cerberus Group can be achieved by first selecting an LDAP
user. Then, select an LDAP user (or simply typing the name of the LDAP user in the edit box) and then
select a Cerberus Group. Select the ​Assign​ button and a mapping entry will be placed in the mapping
list box to indicate the LDAP user will now have the same constraints and virtual directory mappings as
the selected Cerberus Group.

122
 Configuration page for LDAP User to Cerberus Group Mapping

29.2.2 R​EMOVING​ ​AN​ LDAP M

​ APPING 

To remove a mapping, simply select the mapped entry and press the ​Remove​ button.

29.3 LDAP U​SER​ T​WO​ F​ACTOR​ A​UTHENTICATION​ C​ONTROL 

If you wish to disable two factor authentication (2FA) for an LDAP user that has 2FA enabled, you can
select an LDAP user from the selection box in this section to view and optionally disable 2FA on their
account. The user can then log into the web client without having to do the additional 2FA authentication
step. They can re-enable 2FA if they wish by logging in and viewing their account settings.

30.0 A​CTIVE​ D​IRECTORY​ A​UTHENTICATION  

30.1 A​BOUT​ A​CTIVE​ D​IRECTORY​ I​NTEGRATION  

Cerberus FTP Server Professional and Enterprise editions are able to ​authenticate users on a Windows
domain​ (or the local NT account database), even if the computer Cerberus FTP Server is installed on is
not the domain controller. The domain may be a pre-Windows 2000 domain (NT4), a domain configured
to use Active Directory, or the local system account database (use "." as the domain for authenticating

123
against local machine accounts). However, the machine Cerberus FTP Server is running on must be a
member of the domain you wish to authenticate users against.

Configuring Cerberus to use Active Directory authentication simply requires enabling Active Directory
authentication and telling the server the name of the domain to authenticate against. The rest of the
configuration is automatic. Users are able to FTP into the server using the same username and
password they use to log into their workstations on the domain. For the purpose of access to files and
folders, the FTP user has the same access as the Active Directory user with the same name. All
operations on the server by the user are carried out while impersonating the Active Directory user.

Important Security Consideration:​ There is an exception to impersonation for Active Directory

authentication when using SFTP and ​Public Key only​ SSH authentication. The Active Directory user can
still be authenticated with Public Key only authentication, but the Active Directory user cannot be
impersonated. Only ​Password ​or ​Public Key and Password​ SSH authentication methods support AD
user impersonation.

To allow Active Directory authentication, you will need to check the ​Enable Windows Authentication
for this Domain​ checkbox under the User Manager's ​AD Users​ tab. Once checked, Cerberus will
attempt to authenticate users from the domain listed in the ​Domain​ edit box.

Active Directory Authentication page

124
30.2 D​EFAULT​ V​IRTUAL​ D​IRECTORY​ M​APPING​ ​FOR​ AD U​SERS 

Active Directory accounts are always configured for simple directory mode (See ​Adding a New User​ for
more information about simple mode) if any mode other than ​Cerberus Group​ is selected for
the ​Default Virtual Directory Mapping​ mode.

The​ Default Virtual Directory Mapping​ modes work as follows:

Global Home Every AD account will use the directory specified under the "Global Home"
edit box as the FTP root. This is the simplest option, and every AD user is
assigned this one directory as their root folder.

The Cerberus permissions on this folder can be restricted through the

Permissions​ button to the right of the Global Home edit box. NTFS
permissions for the AD user still apply.

Global Every AD account will use a subdirectory off of the "Global Home" directory
Home\%USER% that is the same as the account's name. This directory will be created
automatically, if it doesn't exist, when the user logs in.

The Cerberus permissions on this folder can be restricted through the

Permissions​ button to the right of the Global Home edit box. NTFS
permissions for the AD user still apply.

AD User Home Every AD account will use that account's home directory as the FTP root.
Directory
The Cerberus ​permissions​ on this folder can be restricted through the
Permissions button to the right of the Global Home edit box. NTFS
permissions for the AD user still apply.

AD Directory Every AD account will use the directory attribute defined here to determine
Attribute what virtual directories to add to their account.

This attribute can have multiple values, and each value will be added as a
separate virtual directory.

The default value will be a valid Windows directory path. By default, the last
directory of the file path will be used for the virtual directory name, and the
user will have full permissions to the directory path.

The value can be customized into 3 semicolon separate components to

customize the added virtual directory path into a full directory path, a virtual
directory name, and a permissions set for the virtual directory.

125
 For example, the value for the attribute could be:

C:\ftproot\user\andrew;home;2047

The first part is the directory path, the second is the directory name, and the
third is a bit mask indicating the permissions the user has for that virtual
directory.

The directory permissions field for a virtual directory is a simple bit mask.
Permissions have the following values:

Permission Value

DOWNLOAD 1

UPLOAD 2

RENAME 4

DELETE 8

CREATEDIR 16

LIST DIRECTORIES 32

LIST FILES 64

DISPLAY HIDDEN FILES 128

ZIP 256

UNZIP 512

SHARE 1024

Just add the values up to achieve the desired permissions. e.g., Download,
Upload, Rename, and Delete permissions would be (1 + 2 + 4 + 8) = ​15​.

Granting all permissions would be ​2047​.

Use Default Group The specified Cerberus Group will be used to determine what directories and
Directories and what settings to apply to the AD user when they login, including any security
Permissions requirements associated with the group.

126
30.2.1 A​CTIVE​ D​IRECTORY​ FTP S​ECURITY​ G​ROUP 

Optionally, you can also configure a Security Group for FTP users. This will cause Cerberus FTP Server
to check that the Active Directory user is a member of the listed Active Directory Global security group
before allowing login. If selected, only members of the security group will be allowed to login.

30.3 A​UTHENTICATING​ A​GAINST​ ​MORE​ ​THAN​ O

​ NE​ A​CTIVE​ D​IRECTORY​ D​OMAIN 

Cerberus FTP Server can be configured to authenticate against multiple domains. Select the ​AD
Users​ page on the main menu and click the ‘​Domains​’ drop down menu in the top right corner. Enter
the domain name in the ​Add A New Domains​ form and click ​Add​.This will add a new domain tab to the
AD User ​Domains ​drop down. This new domain can now be configured.

30.4 U​NDERSTANDING​ W​INDOWS​ A​UTHENTICATION 

Active Directory user authentication is intended for experienced system administrators that understand
the NT security model. Novice users, or users wishing to avoid the details of Windows security, should
leave Windows Authentication disabled and stick with native Cerberus FTP Server users.

30.4.1 T​HE​ "G​UEST​" A​CCOUNT 

In Windows, the ​Guest​ account lets people log on to a computer when they don't have a personal
account defined on the computer, in the computer's domain, or in any of the domains that the
computer's domain trusts. Like the Administrator account, the ​Guest​ account is a built-in account with a
fixed SID; although you can rename the account, it can't, by default, be deleted. Unlike the Administrator
account, the ​Guest​ account doesn't require a password for logon, which is why it's disabled by default.
A ​Guest​ account re-enabled by mistake would pose a significant security hole.

To help guard against this potential security hole, an administrator cannot enable Cerberus FTP
Server's Windows authentication integration if the ​Guest​ account is enabled.

30.5 A​CTIVE​ D​IRECTORY​ U​SER​ ​TO​ C​ERBERUS​ G​ROUP​ M​APPING 

By default, all AD users are assigned the same virtual directories and permissions. These defaults are
configured on the Domain tab of the AD Users page. However, if you wish to customize the directory
and permission mappings for individual AD users then you can do so using the ​User & Group Custom
Mappings​ button. You can select individual AD accounts and map them to Cerberus group accounts,
or, you can map AD group accounts to Cerberus group accounts. Configuring an AD user to group
mapping will override the default Cerberus Group and directory mapping specified for all AD users.

127
 Configuration page for AD User to Cerberus Group Mapping

30.5.1 C​REATING​ ​AN​ AD U​SER​ T​ O​ C​ERBERUS​ G​ROUP​ M​APPING 

Mappings between an AD User and a Cerberus Group can be achieved by clicking on ​AD Users​ on the
main menu. Select an AD domain using the ‘domain’ drop down. Then, click the ‘​New​’ button in the
‘​Active Directory User to Cerberus Group Mapping​’ section. Select an AD user from the AD Users
list box (or simply type the name of the AD user in the edit box) and then select a Cerberus Group. Click
the ​Add Mapping​ button and a mapping entry will be placed in the ‘​Active Directory User to Cerberus
Group Mapping​’ section to indicate the AD user will now have the same constraints and virtual
directory mappings as the Cerberus Group they are listed under.

30.5.2 C​REATING​ A
​ N​ AD G​ROUP​ ​TO​ C​ERBERUS​ G​ROUP​ M​APPING 

Customizing each individual AD User to a Cerberus group can be a time-consuming task if you have
many users, especially if you can divide up large groups of users into just a few groups.

To make maintaining large numbers of users easier, you can use the AD group to Cerberus group
mapping capability. On the ​AD Users​ page, you can map AD groups to Cerberus groups.

128
When an AD user logs into Cerberus, the server will check the ​direct​ AD group memberships for that
AD user and see if there are any AD group to Cerberus group mappings. If a mapping is founds, the
virtual directories for that Cerberus group will added to the virtual root for the AD user. Only the virtual
directories from the Cerberus groups are added to the AD user. No other constraints are transferred.

Click on ​AD Users​ on the main menu. Select an AD domain using the ‘domain’ drop down. Then, click
the ‘​New​’ button in the ‘​Active Directory Group to Cerberus Group Mapping​’ section. Select an AD
group from the AD Groups list box (or simply type the name of the AD group in the edit box) and then
select a Cerberus Group. Click the ​Add Mapping​ button and a mapping entry will be placed in the
‘​Active Directory Group to Cerberus Group Mapping​’ section to indicate the AD group will now have
the same virtual directory mappings as the Cerberus Group they are listed under.

Note:​ The Default Group and Default Virtual Directory mappings are still applied to the user when AD
group to Cerberus group mappings are present, unlike AD user to Cerberus user mappings.

30.5.3 R​EMOVING​ ​AN​ AD M

​ APPING 

To remove a mapping, simply select the mapped entry by clicking the box at left, select the drop down
menu next to ‘​New​’ and select ​Delete Mapping​.

30.6 D​OMAIN​ C​ONTROLLER​ B​IND​ O​PTIONS 

By default, Cerberus makes queries and binds to objects in the domain using the credentials of the
account running the Cerberus FTP Server Windows Service.You can provide alternative credentials and
options here to customize how Cerberus authenticates when binding to objects in the domain.

129
In the ​AD Users​ page, select the ‘​Binding Options​’ tab. Enter the Username and Password of the
alternate account you wish to have Cerberus authenticate with when binding to the domain. There are
also two other options:

● Use Sealing:​ If this option is selected, Cerberus encrypts data using Kerberos.​ Alternate
binding credentials cannot be specified when using Kerberos sealing.​ Select the Use
SSL/TLS option to encrypt data and use alternative credentials.
● Use SSL/TLS​: If this option is selected, the channel is encrypted using SSL/TLS encryption.
Active Directory requires that the Certificate Server be installed to support SSL/TLS.

If any changes are made to the settings on this page, ensure you click the diskette icon to save your
changes.

30.7 AD U​SER​ T​WO​ F​ACTOR​ A​UTHENTICATION​ C​ONTROL 

If you wish to disable two factor authentication (2FA) for an AD user that has 2FA enabled, you can
select an Active Directory user from the selection box in this section to view and optionally disable 2FA
on their account. The user can then log into the web client without having to do the additional 2FA
authentication step. They can re-enable 2FA if they wish by logging in and viewing their account
settings.

130
31.0 E​NTERING​ A
​ ​ L​ ICENSE​ F​ OR​ C​ERBERUS​ FTP S​ERVER  

31.1 T​HE​ R​EGISTRATION​ D

​ IALOG​ ​BOX 

Using Cerberus FTP Server for commercial use past the 25 day evaluation period requires a license
key. Once you have purchased and received a license key, you need to enter the license key details in
the registration dialog box.

To open the registration dialog box, go to the ​Licensing​ menu item.

131
Click the ​Register License​ button.

132
Open your license email and copy everything starting at and including "-----BEGIN REGISTRATION-----"
all the way until and including "-----END REGISTRATION-----". Paste the copied text into the
Registration Code​ box.

Press the ​Save​ button. Another dialog box will appear, after you press enter, to inform you of correct or
incorrect registration information. Please note that a service restart is required after entering a new
license key. Cerberus will prompt you to restart after successfully entering a new license key.

Once you have successfully registered Cerberus FTP Server, the "About" page in ​‘Licensing’​ will
display the registration contact name, company name, purchase date, and for how long the license
entitles the user to free upgrades.

32.0 T​HE​ S​YNCHRONIZATION​ M​ANAGER 

Cerberus FTP Server Professional and Enterprise editions support automatically replicating users and
settings from a primary or master server to other running Cerberus FTP Server machines. This
capability allows administrators to maintain active backups of a main server in case of failure, or to
ensure a cluster of servers contain identical configurations while only having to manage one machine.

The Synchronization Manager is used from the machine you want to use as the primary server. The
Manager allows an administrator to designate one or more running Cerberus instances for syncing. With
the exception of machine-specific configuration information, the other servers become exact copies of
the primary server. Each server that is being synced to will have its users and settings replaced by the
users and settings on the primary server.

The replication process can be configured to occur at regular intervals to ensure that all of your synced
servers are kept current with the primary server.

The server instances must all be running the same version, and have unique license keys.

133
 Cerberus Synchronization Manager

32.1 B​ACKUP​ S​ERVER​ R​EQUIREMENTS 

To add a backup server to the synchronization list, that backup server must be running the same
version of Cerberus FTP Server as the primary server and have a valid, unique license key. All users,
groups, and other settings will be synchronized to the backup servers, ​except​:

● License keys
● SOAP and remote/web administration settings
● Server certificate, private key, CA, and CRL security settings
● Client SSH public key files

134
32.2 A​VAILABLE​ S​ETTINGS 

32.2.1 B​ACKUP​ S​ERVER 

Server The hostname or IP address of a backup server

Port The remote administration port of the backup server to connect to.

Secure Connection Instructs this server to connect using TLS/SSL security to the backup
server. This setting must always be enabled.

Username The remote administration account username on the remote server.

Password The remote administration account password on the remote server. This
value will be encrypted before being saved to disk.

32.2.2 S​YNCHRONIZATION​ S​ETTINGS 

These are basic server synchronization settings. You can enable and set server synchronization
intervals using these settings.

Enable Server Checking this setting will enable automatically replicating this server's
Synchronization users and settings to the added backup servers. This replication will
occur at the sync interval, in minutes.

Sync Interval How often, in minutes, to synchronize this server's setting to the backup
servers.

135
33.0 S​ERVER​ C​ERTIFICATES 

33.1 W​HAT​ ​IS​ ​A​ S​ERVER​ C​ERTIFICATE​? 

The most common use of a digital certificate is to verify that a user (or server) sending a message is
who he or she claims to be, and to provide the receiver with the means to encode a reply.

There are generally two options for obtaining a digital certificate (and the accompanying private key).

1. You can generate your own self-signed certificate using the Cerberus FTP Server Getting
Started Wizard.

2. You can obtain a certificate from a recognized Certificate Authority

Which is more appropriate really depends upon your goals. If you just want to make sure that client and
server connections are securely encrypted then a self-signed certificate is all you need. It has the
benefit of being easily created through Cerberus and completely free.

If your goal is to make sure that your clients can verify that the server they are connecting to is
legitimate and to ensure they don't see any warning messages about being "unable to verify the server"
then using a certificate signed by a trusted certificate authority is required. You will have to contact one
of the recognized Certificate Authorities such as Comodo, Thawte, Verisign or one of the many other
recognized Certificate Authorities and request a server certificate (for a price).

33.2 C​AN​ I ​JUST​ ​USE​ A

​ ​ S​ELF​-S​IGNED​ C​ERTIFICATE​? 

Yes, but your users will not be able to easily verify your server's identity. If you are using Cerberus FTP
Server exclusively on your own private network, or are just looking to test Cerberus FTP Server out
before deploying it on the Internet, a self-signed certificate is more than adequate. You can always
change your certificate later to one signed by a recognized Certificate Authority.

33.3 M​ORE​ I​NFORMATION 

● Creating a Certificate Signing Request

● Creating a Self-Signed Certificate

● Importing a 3rd Party Certificate

● Exporting a certificate from the Windows Certificate Store for use by Cerberus FTP Server

136
34.0 C​ERTIFICATE​ S​IGNING​ R​EQUEST 

34.1 C​REATING​ A
​ ​ C​ERTIFICATE​ S​IGNING​ R​EQUEST 

The first step in requesting a certificate from a Certificate Authority (CA) is usually creating what is
called a Certificate Signing Request (CSR).

Certificate Signing Request Wizard

Access the CSR form by going to ‘Tools’, ‘Generate a CSR’. Fill in all of the required fields for the CSR
and then press the ​Generate​ button. After you select the Generate button a directory selection dialog
will appear to allow you to specify a directory to save the private key and certificate signing request.

Make sure you save both the private key file, and the CSR file. You will need both of these files.

137
34.2 S​UBMITTING​ Y​ OUR​ CSR ​TO​ ​A​ C​ERTIFICATE​ A​UTHORITY 

You will submit the CSR file to your CA and keep the private key file. Once your CA has approved your
CSR they will issue you a signed public certificate file. This signed public certificate file from your CA
and the private key file, created during your certificate signing request, together represent your server
public and private key pair.

The CA will usually provide several different format options for the signed public certificate. The
preferred format is a PEM-formatted certificate (the same format Apache web server uses). PEM is also
called a Base64 encoded DER certificate. You can tell if a certificate is in this format by opening it in a
text editor, and looking for the beginning and ending lines "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----".

34.3 A​SSIGNING​ Y​ OUR​ C​ERTIFICATE​ ​AND​ P​RIVATE​ K​EY​ ​IN​ C​ERBERUS​ FTP S​ERVER 

The final step involves assigning the signed public certificate and private key files as your public key
pair in the Security page of the Server Manager.

1. Open the Server Manager by selecting the ​Server Manager​ item from the main menu.

2. Select the ​Security​ tab.

3. Under the Server Key Pair group, Click the file selection button next to
the ​Certificate​ edit control.

4. A file & directory browser window will appear that will allow you to select the public certificate
provided from your certificate authority.

5. Under the Server Key Pair group, Click the file selection button next to the ​Private
Key​ edit control.

6. A file & directory browser window will appear that will allow you to select the server's private
key. This file was generated when you first created your CSR.

7. Most CAs provide a CA bundle file that contains all of the intermediate CA certificates leading
up to your signed certificate. If your CA provides a CA bundle file, download and assign that file
to the ​CA File​ field.

138
35.0 I​NSTALLING​ A
​ ​ D​IGITAL​ C​ERTIFICATE 

35.1 D​IGITAL​ C​ERTIFICATE​ S​UPPORT 

There are generally two options for obtaining a digital certificate (and a private key).

1. You can generate your own certificate using the Cerberus ​Create Cert​ button.

2. You can obtain a certificate from a recognized Certificate Authority

Which option is more appropriate really depends upon your goals. If you just want to make sure that
client and server connections are securely encrypted then a self-signed certificate is all you need. It has
the benefit of being easily created through Cerberus and completely free.

35.2 C​REATING​ A
​ ​ S​ELF​-S​IGNED​ C​ERTIFICATE 

If you just want to be sure that connections are security encrypted then a self-signed certificate is
sufficient for your organization.

35.2.1 S​TEPS​ ​TO​ C​REATE​ A

​ ​ S​ELF​-S​IGNED​ C​ERTIFICATE​: 

1. Open the Server Manager by selecting the ​Server Manager​ item from the main menu.

2. Select the ​Security​ tab.

Security settings page of the Server Manager

3. Click the ​Create Self Signed Cert​ button

139
4. A ”​Create a Self-Signed Certificate”​ dialog will appear that asks for certificate details. The
organization details that you use will be displayed to the FTP client user when they securely
connect to your server. The Key Type should normally be RSA for maximum client compatibility.
They Key Length value controls how strong the generated keys are and should normally be set
to 2048. The default validity period for the certificate is 1095 days (3 years). Press
the ​Generate​ button to create the certificate.

Create a Self-Signed Certificate dialog

5. A self-signed certificate will be created and Cerberus will be automatically configured to use it.

6. Click ​Ok​ to close the Server Manager. If no certificate was previously being used then Cerberus
will configure itself immediately to use the new certificate. You may need to restart the FTP
server service if you were overwriting a previous certificate.

140
35.3 U​SING​ ​A​ C​ERTIFICATE​ C
​ REATED​ B
​ Y​ A
​ ​ 3​RD​ P​ARTY​ C​ERTIFICATE​ A​UTHORITY 

If your goal is to make sure that your clients can verify that the server they are connecting to is
legitimate, and to ensure users don't see any warning messages about being "unable to verify the
server", then you must use a certificate signed by a trusted certificate authority. You will have to contact
one of the recognized Certificate Authorities such as Comodo, Thawte, Verisign or one of the many
other recognized Certificate Authorities and request a server certificate (for a price).

35.3.1 S​TEPS​ T​ O​ I​MPORT​ A

​ ​ 3​RD​ P​ARTY​ C​ERTIFICATE​: 

1. Ensure that you have a digital certificate and private key in a format that Cerberus FTP Server
understands. First, you will need to generate a new certificate (either by purchasing one from a
public Certificate Authority, or you can install a Certificate Authority in your domain). You need
to have a public certificate and a private key along with the passphrase for the private key.

2. Open the Server Manager by selecting the ​Server Manager​ item from the main menu.

3. Select the ​Security​ tab.

4. Under the Server Key Pair group, Click the ​Certificate​ ​...​ button.

5. A file open dialog will appear that will allow you to select the public certificate provided from
your certificate authority.

6. Under the Server Key Pair group, Click the ​Private Key...​ button.

7. A file open dialog will appear that will allow you to select the server's private key. If your public
and private key are in the same file then set this path to be the same as the Certificate file path.
NOTE​: Cerberus understands both DER and PEM encoded certificate formats.

8. Needs Key Password​ - Check this option if the digital certificate is encrypted.

9. Password​ - If the digital certificate is encrypted then this is the password used to decrypt your
digital certificate. The password is the same password you used to create the certificate request
with your 3rd party certificate authority.

10. Click the ​Verify​ button to verify that Cerberus FTP Server can read the certificate and private
key. If there are no errors then the certificate is valid and can be used by Cerberus.

11. Click ​Ok​ to close the Server Manager. If no certificate was previously being used or the
certificate file path changed then Cerberus will configure itself immediately to use the new
certificate.

141
36.0 C​LUSTERING 

36.1 F​AILOVER​ C​LUSTERING​ A

​ ND​ L​OAD​ B​ALANCING 

Cerberus FTP Server does not natively support clustering. However, using Active Directory or LDAP
authentication, and a hardware or software load balancer (such as Microsoft NLB), you can achieve
simple load balancing and failover with Active Directory or LDAP authenticated accounts.

To achieve Active Directory or LDAP-based load balancing, each Cerberus FTP Server machine is
configured to point to the same AD or LDAP database, and requests can be load balanced to any of the
available servers in that fashion. Many of our customers use such an arrangement for achieving simple
failover and load balancing support.

Cerberus FTP Server Professional and Enterprise editions can now be configured to automatically
synchronize all user accounts and settings to one or more other Cerberus servers. This new capability
allows native Cerberus accounts, as well as customizations to Active Directory and LDAP
authentication, to be easily synchronized across several Cerberus instances. Combining the new
synchronization manager​ with shared storage between Cerberus FTP Server machines allows for
multiple active backup and failover servers.

36.2 L​OAD​ B​ALANCING​ E​XCEPTIONS 

HTTP/S web client traffic cannot be load balanced using a simple connection balancer. The HTTP/S
session database is local to each Cerberus machine, and any load balancer will have to ensure that all
of the connections coming from a single IP are routed to the same Cerberus machine. We are working
on a solution that will bring full clustering support to Cerberus FTP Server in the near future.

142
37.0 W​EB​ S​ERVICES​ API S​UPPORT 
The Cerberus FTP Server Graphical User Interface (GUI) and underlying Windows Service use a
distributed remote protocol called SOAP for communication. The primary function of the SOAP API is to
allow communication between these two services. However, we've made the API available so that
anyone can use it to programmatically control the server.

Please note:​ The SOAP API can change between releases. We do try to maintain backwards
compatibility, but sometimes we have to make breaking changes in the interests of improving the API.
Always refer to the actual WSDL included with the Cerberus distribution you are using for the latest
definitions.

37.1 W​HAT​ I​ S​ SOAP A

​ ND​ H​OW​ D​OES​ C​ERBERUS​ U​SE​ I​T​? 

37.1.1 W​HAT​ ​IS​ SOAP? 

SOAP is an acronym for Simple Object Access Protocol. SOAP is a method of describing operations
that can be performed by a service. Many programming languages have tools that support SOAP,
allowing developers to easily write programs and scripts to utilize services exposed through SOAP.

37.1.2 H​OW​ C​ERBERUS​ U

​ SES​ SOAP   

Cerberus uses SOAP to define commands that can be issued to Cerberus FTP Server. Nearly
everything that can be done from the Cerberus Administration GUI is described in Cerberus’ SOAP API:
adding, removing, and modifying users, groups, and interfaces, retrieving server statistics and
managing public shares, to name a few.

The complete API is described by two files, Cerberus.wsdl and ns1.xsd, both of which can be
downloaded from your Cerberus FTP Server on the HTTPS Admin listener port. By default, the URLs
are https://localhost:8443/wsdl/Cerberus.wsdl and https://localhost:8443/wsdl/ns1.xsd.

Together, these files define 87 operations and 65 object types. The list of supported operations (as of
version 10.0.10.0) are listed at the bottom of the Understanding Cerberus SOAP API guide.

37.1.3 W​HAT​ Y​ OU​ C

​ AN​ D
​ O​ W
​ ITH​ SOAP 

Cerberus SOAP API allows you to integrate Cerberus into your existing IT solutions. Using the API,
Cerberus FTP Server can exchange data and events with the rest of the applications serving your
users.

With the API you might:

● Write specialized tools for administering Cerberus FTP Server

● Perform mass changes to Cerberus users and groups
● Synchronize users and groups between Cerberus and other stores (e.g. Active Directory)

143
37.2 A​VAILABLE​ F​EATURES 

Programmers can now access most of Cerberus FTP Server's common functions through a new Web
Services interface. These services use SOAP 1.2 over HTTP or HTTPS and do not require a separate
HTTP server. Cerberus FTP Server's implementation of Web Services includes a built-in, lightweight
HTTP stack.

The following functionality is available through the Web Services API:

● Listing the current Cerberus FTP Server user and group accounts

● Adding new users or groups and modifying existing users and groups

● Deleting users or groups

● Retrieving user or group information

● Adding new virtual directories or modifying existing directories for a given user or group

● Deleting a virtual directory for a given user or group

● Getting the server's current started or stopped status

● Stopping or Starting the server

● Retrieving server statistics

● Retrieving and modifying interface details

● List, terminating, and blocking active connections

● Retrieving and saving configuration information

Refer to the included ​Cerberus.wsdl​ file for specifics on the Web Services interface to these functions.
You can view an ​example Cerberus.wsdl online here​.

37.3 E​XAMPLE​ SOAP A

​ PPLICATIONS 

We have two example applications available that use the SOAP API. There is an example .NET project
available here:

.NET SOAP Example Application

A newer, simpler WCF-based client application is available for download here:

WCF SOAP Client Example

144
37.4 A​CCESS​ URL 

Make sure you enable SOAP access from the ​Remote​ settings page on the Server Manager. You can
access the SOAP service WSDL on your local machine at the
URL ​http://localhost:10001/wsdl/Cerberus.wsdl​.

Make sure you have ​Enable Web Administration​ selected to view the actual WSDL. If Web
Administration is not enabled you will still be able to use the WSDL to develop SOAP services but you
won't be able to use the built-in web server to view the WSDL using the URL link. The WSDL is located
in the installation directory where Cerberus is installed.

37.5 S​ECURITY​ C​ONSIDERATIONS 

By default, Cerberus FTP Server's Web Services access is turned off. Before allowing Web Services
access to Cerberus FTP Server, you should be well aware of the security implication that this entails.
While it is the user's responsibility to be knowledgeable of Web Services and the risks associated with
using them, here are some reminders:

● Make sure the port you are running the Web service on is properly locked down. If you are only
using Web Services to communicate between programs on the same machine, the port
Cerberus is running the Web Services on shouldn't be accessible from outside of the local
machine.

● When using Web Services, remember that anyone with access to the port that the Web
Services is running on can send service requests to Cerberus FTP Server. This can represent a
serious security risk. Make sure you set a strong Remote access password.

● HTTP, the backbone of Cerberus FTP Server's Web Services, transmits information as
unencrypted text. Anything you send over HTTP has the potential to be intercepted and read.
Cerberus also has the option of using SSL/TLS support for Web Services over HTTPS. Using
HTTPS instead of HTTP significantly increased the security of any data transmitted.

Cerberus FTP Server uses the gSOAP toolkit to implement Web Services. You can find out more about
gSOAP at the ​gSOAP home page​.

37.6 C​ALLING​ C​ERBERUS​ SOAP API ​FROM​ P​OWER​SH

​ ELL 

37.6.1 I​NTRODUCTION 

In this example, we use PowerShell to demonstrate calling Cerberus SOAP API. PowerShell’s inclusion
in Windows and relatively simple syntax make it a natural starting point for experimentation and
prototyping.

145
PowerShell expertise isn’t required to follow this guide. Nor is any experience with SOAP or XML.
However, previous experience writing script in some shell language is recommended. Review
Microsoft’s PowerShell documentation or a beginner’s guide if necessary.

Note:​ The example code has been tested with PowerShell version 5.1 and it may not run correctly on
older versions.

37.6.2 Q​UICK​ S​TART​ - H​ELLO​CE​ RBERUS​.P

​ S​1 

The example script ​HelloCerberus.ps1​ calls ​ServerInformation​, which requests basic information
from Cerberus FTP Server. While the results are very simple, the code and concepts introduced are
relevant to all Cerberus SOAP API operations.

To begin:

1. Open a PowerShell console on the same system hosting Cerberus FTP Server
2. Copy HelloCerberus.ps1 to the local hard drive of the same system
3. Paste the command below into the PowerShell console, hit Enter, and confirm by typing ‘Y’ and
hitting Enter.

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

See ​Execution Policy​ below for more information on this command

4. Type the ampersand character (&) into the console, then drag and drop HelloCerberus.ps1 from
File Explorer the PowerShell console.
5. Hit Enter in the PowerShell console to execute the script.
6. Provide the username and password of the Cerberus primary administrator account when
requested.

If successful, the console will contain basic information about the running Cerberus FTP Server.
Hostname, status, and version information will be displayed:

PS C:\> Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Execution Policy Change

The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic
at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the
execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default
is "N"): Y

PS C:\> &C:\Cerberus\Scripts\HelloCerberus.ps1

version : CerberusFtp.Version
hostname : DESKTOP-QFAOC1H
isStarted : True

146
 isSuccess : True
isSuccessSpecified : True
message :

maj : 10
min : 0
maint : 10
build : 0

37.6.3 S​TEPPING​ T​HROUGH​ ​THE​ C​ODE 

What took place in HelloCerberus.ps1 can be summarized in five parts. Let’s take the most important
lines of code from and examine them in detail.

1: Get Credentials

Every Cerberus SOAP operation requires credentials to authenticate the request. Since it is bad
practice to store credentials directly within a script, HelloCerberus.ps1 either takes the credentials from
the command-line or requests them interactively from the user.

The lines above check if credentials were provided on the command-line. If not, the ​Get-Credential
command is called to request them from the user. Depending on the shell environment, the user may be
presented with a pop-up window or a text input prompt. The result is stored in a variable named
$CerberusCredentials​ to be used authenticate later requests to Cerberus FTP Server.

PowerShell offers many options for ​storing credentials securely​ when authentication is required but user
interaction is not possible. More complicated automation scenarios will need to use some of these
techniques.

2: Create a SOAP Proxy

New-WebServiceProxy​ is used to read the SOAP API definition provided by Cerberus. It returns an
object used by the script to make subsequent requests of Cerberus FTP Server.

147
This seemingly simple command triggers a cascade of activity. The Cerberus SOAP API definition is
retrieved from your Cerberus FTP Server. The definition is translated into dependent types which are
placed in the CerberusFtp namespace of the current shell environment.

The ​$CerberusSvc​ variable stores a newly-created object with methods representing every API
operation supported by Cerberus FTP Server. ​$CerberusSvc​ object is later used to issue requests to
your running Cerberus FTP Server.

3: Prepare the Request

All Cerberus SOAP API operations follow the same pattern: a ​request​ object is sent to the server and a
response​ object is received in reply. All operations require credentials, so all ​request​ objects will contain
at least a username and password.

Most operations require additional information, like the name of a user or group when retrieving such
objects, or a complete user or group object when making modifications.

The lines above prepare a request object to call ​ServerInformation​. Technically, this syntax creates a
hash table​. Because the hash table’s names and values are consistent with a
ServerInformationRequest​ object, the conversion is made automatically when we call
ServerInformation​.

The inner hash table, named credentials, is populated with the primary administrator account username
and password. At this time, only the primary administrator account is allowed to make SOAP requests.

4: Send the Request

The ​$CerberusSvc​ object contains every operation available in Cerberus SOAP API, so making
requests of Cerberus FTP Server is just a matter of calling methods on the object.

In the above line, we call ​ServerInformation​, passing the ​$request​ object to the method. We store the
result in a variable named ​$infoResponse.​

148
5: Interpret the Response

Response objects vary from one operation to another, but generally, they contain a “result” value
indicating success or failure of the operation and a “message” value containing details of the success or
failure. If successful, additional data will be contained in the response.

In these lines, PowerShell emits the content our response object’s “result” member and the “version”
information contained within the result.

The main logic of the script is complete. In relatively few lines of code, we’ve opened a connection to,
authenticated with, and retrieved information from Cerberus FTP Server. The bulk of the work was
handled by the .NET SOAP tools. See ​Understanding Cerberus SOAP API​ below for greater detail on
how SOAP definitions relate to PowerShell code.

37.6.4 S​ECURITY​ C​ONSIDERATIONS 

A shrewd reader will note that many lines in HelloCerberus.ps1 were not detailed in the previous
section. This code is used to ensure a successful experience when running this script against a new
Cerberus FTP Server installation. This section and the comments throughout HelloCerberus.ps1 outline
the reasons for this code.

PowerShell Execution Policy

Execution Policy is a Windows security feature that restricts PowerShell code based on its origin. The
default settings restrict all script execution, so a change must be made before HelloCerberus.ps1 is
allowed to run. The Quickstart instructions achieved this by running this line before executing the script:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

This command disables execution policy checking for the duration of the PowerShell process, but
leaves existing local machine and user policies unmodified. See Microsoft’s ​Set-ExecutionPolicy
documentation for greater detail.

NOTE:​ In Windows Domain environments, Execution Policy may be controlled by system administrators
via Group Policy. Consult with your domain administrators if Set-ExecutionPolicy is ineffective.

Securing Code

Ensuring the integrity of executable code is critical to system security. Scripted code is no different.
Administrative scripts may run with elevated privileges, utilize sensitive credentials, and access critical

149
resources. If the content of a script is compromised, then any credentials and resources used by the
script are also compromised.

Bare minimum​, use NTFS permissions to restrict write-access to scripts. Write-access should be as
restricted as possible in production.

Ideally​, a system to cryptographically sign scripts should be employed, but this is a significant
undertaking. This may require coordination with your IT department to issue, deploy, and trust
code-signing certificates. Implementing such a system is outside the scope of this guide.

Self-Signed Certificate

PowerShell’s default settings reject self-signed, expired, or otherwise misconfigured certificates when
establishing an HTTPS connection. HelloCerberus.ps1 includes a function
Disable-CertificateValidation​ to work-around this restriction.

In production, however, this must not be used. Cerberus FTP Server should be configured with a
legitimate certificate issued by a trusted certificate authority. Once in place, default certificate validation
will succeed, eliminating the need for the workaround.

37.6.5 S​ECURING​ C​ERBERUS​ SOAP API S​ERVICE​ E​NDPOINT 

Cerberus FTP Server configuration may be used to restrict or relax access to the SOAP service
endpoint, according to needs. The configuration options are found under Configure, Remote tab, SOAP
Administration Settings.

150
Use Secure HTTPS

Determines whether SOAP requests are accepted on HTTP or HTTPS.

Recommended​: HTTPS should be used whenever possible.

Allow Remote SOAP Access

When unchecked, SOAP requests must originate from the localhost (thus PowerShell requests must be
run locally); Remote connections are refused.

Recommended:​ Unchecked unless remote SOAP clients are a business requirement.

SOAP TLS Protocols

TLS 1.2 is the most secure option. Others are provided for compatibility with SOAP clients incapable of
1.2.

Recommended:​ TLS v1.2 enabled, others disabled.

37.6.6 C​ONCLUSION 

151
The Cerberus SOAP API offers great potential for automating Cerberus FTP Server administration to
those who need it. In the next installment, we’ll perform operations more interesting than
ServerInformation. Look forward to example code that adds, removes, and modifies Cerberus users.

37.7 U​NDERSTANDING​ C​ERBERUS​ SOAP API 

37.7.1 I​NTRODUCTION 

In ​Cerberus SOAP API with PowerShell​ above, we used a small script to issue a simple command to
Cerberus FTP Server. It is not necessary to completely understand SOAP to make use of Cerberus
SOAP API. However, being casually aware of the infrastructure behind your code is a good idea. This
document pulls back the curtain a bit, providing insight into how SOAP bridges the gap between
PowerShell and your Cerberus FTP Server.

From WSDL to PowerShell

Cerberus.wsdl​ and ​ns1.xsd​ are in two XML formats, ​Web Service Definition​ Language and ​Xml Schema
Definition​. Generally, you will not need to read these files directly to know how to call SOAP APIs; The
.NET toolchain automatically creates PowerShell object types according to the definitions in these files.
As an exercise, however, we will trace the definitions for the ​ServerInformation​ operation used by
HelloCerberus.ps1.

Here is the excerpt from ​Cerberus.wsdl​ which first defines the ​ServerInformation​ operation:

<operation name="ServerInformation">
<documentation>
Service definition of function tns__ServerInformation
</documentation>
<input message="tns:ServerInformationRequestMessage" />
<output message="tns:ServerInformationResponseMessage" />
</operation>

The above fragment describes an operation named ​ServerInformation​ supported by Cerberus FTP
Server. The operation takes a ​ServerInformationRequestMessage​ object and replies with a
ServerInformationResponseMessage​. To see what these message objects contain, the references
must be followed within ​Cerberus.wsdl:​

<message name="ServerInformationRequestMessage">
<part name="in" element="tns:ServerInformationRequest" />
</message>
<message name="ServerInformationResponseMessage">
<part name="out" element="tns:ServerInformationResponse" />
</message>

The messages are composed of ​ServerInformationRequest​ and​ ServerInformationResponse​ parts,

respectively. These are further defined within ​Cerberus.wsdl:​

152
 <!-- operation request xsd:element -->
<xsd:element name="ServerInformationRequest">
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="ns1:AuthenticatedRequest">
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>

<!-- operation response xsd:element -->

<xsd:element name="ServerInformationResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="result" type="ns1:ServerInformation" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>

These lines describe the request and response objects as complex types, defined in the ​ns1
namespace. The ​ns1​ namespace is defined near the top of ​Cerberus.wsdl​:

<xsd:schema
targetNamespace="http://cerberusllc.com/service/cerberusftpservice"
xmlns:ns1="http://cerberusllc.com/common"
attributeFormDefault="qualified"
elementFormDefault="qualified">
<xsd:import
namespace="http://cerberusllc.com/common"
schemaLocation="./ns1.xsd" />

This fragment says further schema definitions can be found in external file, ​ns1.xsd​. Within ​ns1.xsd​,
the definitions of the ​AuthenticatedRequest​ and ​ServerInformation​ types can be found:

<xsd:complexType name="Credentials">
<xsd:sequence>
<xsd:element name="user" type="xsd:string" />
<xsd:element name="password" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>

<xsd:complexType name="AuthenticatedRequest">
<xsd:sequence>
<xsd:element name="credentials" type="ns1:Credentials" />
</xsd:sequence>
</xsd:complexType>

153
 <xsd:complexType name="ServerInformation">
<xsd:sequence>
<xsd:element name="version" type="ns1:Version" />
<xsd:element name="hostname" type="xsd:string" />
<xsd:element name="isStarted" type="xsd:boolean" />
</xsd:sequence>
<xsd:attribute name="isSuccess" type="xsd:boolean" use="optional" />
<xsd:attribute name="message" type="xsd:string" use="optional" />
</xsd:complexType>

<xsd:complexType name="Version">
<xsd:sequence>
</xsd:sequence>
<xsd:attribute name="maj" type="xsd:int" use="required" />
<xsd:attribute name="min" type="xsd:int" use="required" />
<xsd:attribute name="maint" type="xsd:int" use="required" />
<xsd:attribute name="build" type="xsd:int" use="required" />
</xsd:complexType>

With the fragment above, the definition is complete. The​ AuthenticatedRequest​ and
ServerInformation​ types contain nested objects of ​Credentials​ and ​Version types​, respectively.

When ​New-WebServiceProxy​ consumes the WSDL and XSD files, it generates corresponding .NET
types, usable to PowerShell. You can run the ​New-WebServiceProxy​ command interactively to examine
these types.

Here is an example:

PS C:\> $CerberusFtpSvc = New-WebServiceProxy -Uri

"https://localhost:8443/wsdl/cerberus.wsdl" -Namespace CerberusFtp -Class
CerberusFtp

PS C:\> [CerberusFtp.AuthenticatedRequest].DeclaredProperties | Select-Object

Name,PropertyType

Name PropertyType
---- ------------
credentials CerberusFtp.Credentials

PS C:\> [CerberusFtp.ServerInformation].DeclaredProperties | Select-Object

Name,PropertyType

Name PropertyType
---- ------------
version CerberusFtp.Version
hostname System.String
isStarted System.Boolean
isSuccess System.Boolean

154
 isSuccessSpecified System.Boolean
message System.String

The above console transcript first creates a new web service proxy object using ​New-WebServiceProxy.​
Passing the​ -Namespace​ parameter instructs the command to create necessary types within the
“CerberusFtp” namespace.

The bracket syntax allows us to view and query type information of any type visible to PowerShell.
Above, we examine declared properties of ​AuthenticatedRequest​ and ​ServerInformation​.
ServerInformation​ is nearly identical to its corresponding XML in ns1.xsd.

37.7.2 W​HERE​ T​ O​ G​O​ F​ROM​ H​ERE 

Once ​New-WebServiceProxy​ is finished processing the WSDL file, everything you need to make SOAP
requests is available within PowerShell. The ​$CerberusFtpSvc​ object can be examined using the built-in
PowerShell command ​Get-Member​.

Here is an example that yields the 87 basic Cerberus API operations on the proxy object:

PS C:\>$CerberusFtpSvc |Get-Member -Type Method |Where-Object {$_.definition

-like "CerberusFtp*" -and $_.name -notlike "Begin*" -and $_.name -notlike
"End*"}

Pick and interesting one and start examining its associated request and response objects:

PS C:\>$CerberusFtpSvc |Get-Member -Type Method -Name AddUser |fl *

TypeName : CerberusFtp.CerberusFTPService

Name : AddUser

MemberType : Method

Definition : CerberusFtp.AddUserResponse AddUser(CerberusFtp.AddUserRequest

AddUserRequest)

Here, for instance, we have the ​AddUser​ method, which returns a C

​ erberusFtp.AddUserResponse
object and takes a ​CerberusFtp.AddUserRequest ​object. We can drill-down on these types to get an
idea of what the ​AddUser​ will do and how to correctly call it:

PS C:\> [CerberusFtp.AddUserRequest].DeclaredProperties |Select-Object

Name,PropertyType

Name PropertyType
---- ------------
User CerberusFtp.User
saveToDisk System.Nullable`1[System.Boolean]
saveToDiskSpecified System.Boolean
createNonExistentDirectories System.Nullable`1[System.Boolean]
createNonExistentDirectoriesSpecified System.Boolean

155
We see that AddUser requires a CerberusFtp.User object, so we can repeat the above to get insight
into what kind of information a User object contains:

PS C:\> [CerberusFtp.User].DeclaredProperties |Select-Object Name,PropertyType

Name PropertyType
---- ------------
password CerberusFtp.Password
isAllowPasswordChange CerberusFtp.UserPropertyBool
isAnonymous CerberusFtp.UserPropertyBool
isSimpleDirectoryMode CerberusFtp.UserPropertyBool
isDisabled CerberusFtp.UserPropertyBool
maxLoginsAllowed CerberusFtp.UserPropertyInt
requireSecureControl CerberusFtp.UserPropertyBool
requireSecureData CerberusFtp.UserPropertyBool
disableAfterTime CerberusFtp.UserPropertyDateTime
authMethod CerberusFtp.UserPropertyAuthentication
protocols CerberusFtp.ProtocolsAllowed
maxUploadFilesize CerberusFtp.UserPropertyULong
ipAllowedList CerberusFtp.UserPropertyString
groupList CerberusFtp.groupMember[]
rootList CerberusFtp.VirtualDirectory[]
lastLogin System.DateTime
lastLoginSpecified System.Boolean
createDate System.DateTime
createDateSpecified System.Boolean
notifiedExpiringPassword System.Boolean
notifiedExpiringPasswordSpecified System.Boolean
requirePasswordChange System.Boolean
requirePasswordChangeSpecified System.Boolean
email System.String
tel System.String
mobile System.String
desc System.String
fname System.String
sname System.String
name System.String

37.7.3 C​ONCLUSION 

We've covered how the WSDL and XSD files describe Cerberus FTP Server's SOAP API, traced from
those definitions to live .NET objects and types, and demonstrated how they are self-describing using
PowerShell's ​Get-Member​ command. We've only scratched the surface on the ​AddUser​ method, as
there will be other code examples and tutorials demonstrating its use.

156
In closing, here is the complete list of Cerberus SOAP API's 87 operations, current as of 10.0.10:

Cerberus SOAP API Operations (as of version 10.x)

Name Definition
---- ----------
AddDirectoryToGroup CerberusFtp.AddDirectoryToGroupResponse
AddDirectoryToGroup(CerberusFtp.AddDirectoryToGroupRequest
AddDirectoryToGroupRequest)
AddDirectoryToUser CerberusFtp.AddDirectoryToUserResponse
AddDirectoryToUser(CerberusFtp.AddDirectoryToUserRequest AddDirectoryToUserRequest)
AddGroup CerberusFtp.AddGroupResponse
AddGroup(CerberusFtp.AddGroupRequest AddGroupRequest)
AddIp CerberusFtp.AddIpResponse
AddIp(CerberusFtp.AddIpRequest AddIpRequest)
AddUser CerberusFtp.AddUserResponse
AddUser(CerberusFtp.AddUserRequest AddUserRequest)
BackupServerConfiguration CerberusFtp.BackupServerConfigurationResponse
BackupServerConfiguration(CerberusFtp.BackupServerConfigurationRequest
BackupServerConfigurationRequest)
BackupStatisticsDatabase CerberusFtp.BackupStatisticsDatabaseResponse
BackupStatisticsDatabase(CerberusFtp.BackupStatisticsDatabaseRequest
BackupStatisticsDatabaseRequest)
BlockAddress CerberusFtp.BlockAddressResponse
BlockAddress(CerberusFtp.BlockAddressRequest BlockAddressRequest)
ChangePassword CerberusFtp.ChangePasswordResponse
ChangePassword(CerberusFtp.ChangePasswordRequest ChangePasswordRequest)
CommitSettings CerberusFtp.CommitSettingsResponse
CommitSettings(CerberusFtp.CommitSettingsRequest CommitSettingsRequest)
CreateDirectory CerberusFtp.CreateDirectoryResponse
CreateDirectory(CerberusFtp.CreateDirectoryRequest CreateDirectoryRequest)
CreateStatisticsDatabase CerberusFtp.CreateStatisticsDatabaseResponse
CreateStatisticsDatabase(CerberusFtp.CreateStatisticsDatabaseRequest
CreateStatisticsDatabaseRequest)
CurrentStatus CerberusFtp.CurrentStatusResponse
CurrentStatus(CerberusFtp.CurrentStatusRequest CurrentStatusRequest)
DeleteDirectory CerberusFtp.DeleteDirectoryResponse
DeleteDirectory(CerberusFtp.DeleteDirectoryRequest DeleteDirectoryRequest)
DeleteDirectoryFromGroup CerberusFtp.DeleteDirectoryFromGroupResponse
DeleteDirectoryFromGroup(CerberusFtp.DeleteDirectoryFromGroupRequest
DeleteDirectoryFromGroupRequest)
DeleteDirectoryFromUser CerberusFtp.DeleteDirectoryFromUserResponse
DeleteDirectoryFromUser(CerberusFtp.DeleteDirectoryFromUserRequest
DeleteDirectoryFromUserRequest)
DeleteGroup CerberusFtp.DeleteGroupResponse
DeleteGroup(CerberusFtp.DeleteGroupRequest DeleteGroupRequest)
DeleteIp CerberusFtp.DeleteIpResponse
DeleteIp(CerberusFtp.DeleteIpRequest DeleteIpRequest)
DeletePublicShares CerberusFtp.DeletePublicSharesResponse
DeletePublicShares(CerberusFtp.DeletePublicSharesRequest DeletePublicSharesRequest)

157
DeleteRequestedAccounts CerberusFtp.DeleteRequestedAccountsResponse
DeleteRequestedAccounts(CerberusFtp.DeleteRequestedAccountsRequest
DeleteRequestedAccountsRequest)
DeleteUser CerberusFtp.DeleteUserResponse
DeleteUser(CerberusFtp.DeleteUserRequest DeleteUserRequest)
DropStatisticsDatabase CerberusFtp.DropStatisticsDatabaseResponse
DropStatisticsDatabase(CerberusFtp.DropStatisticsDatabaseRequest
DropStatisticsDatabaseRequest)
GenerateStatistics CerberusFtp.GenerateStatisticsResponse
GenerateStatistics(CerberusFtp.GenerateStatisticsRequest GenerateStatisticsRequest)
GetAdminAccounts CerberusFtp.GetAdminAccountsResponse
GetAdminAccounts(CerberusFtp.GetAdminAccountsRequest GetAdminAccountsRequest)
GetAllCurrentConnectionCount CerberusFtp.GetAllCurrentConnectionCountResponse
GetAllCurrentConnectionCount(CerberusFtp.GetAllCurrentConnectionCountRequest
GetAllCurrentConnectionCountRequest)
GetAppPaths CerberusFtp.GetAppPathsResponse
GetAppPaths(CerberusFtp.GetAppPathsRequest GetAppPathsRequest)
GetAuthenticationList CerberusFtp.GetAuthenticationListResponse
GetAuthenticationList(CerberusFtp.GetAuthenticationListRequest
GetAuthenticationListRequest)
GetAutoBlockList CerberusFtp.GetAutoBlockListResponse
GetAutoBlockList(CerberusFtp.GetAutoBlockListRequest GetAutoBlockListRequest)
GetBackupServers CerberusFtp.GetBackupServersResponse
GetBackupServers(CerberusFtp.GetBackupServersRequest GetBackupServersRequest)
GetConfiguration CerberusFtp.GetConfigurationResponse
GetConfiguration(CerberusFtp.GetConfigurationRequest GetConfigurationRequest)
GetConnectedUserList CerberusFtp.GetConnectedUserListResponse
GetConnectedUserList(CerberusFtp.GetConnectedUserListRequest
GetConnectedUserListRequest)
GetCurrentBandwidth CerberusFtp.GetCurrentBandwidthResponse
GetCurrentBandwidth(CerberusFtp.GetCurrentBandwidthRequest
GetCurrentBandwidthRequest)
GetCurrentConnectionCount CerberusFtp.GetCurrentConnectionCountResponse
GetCurrentConnectionCount(CerberusFtp.GetCurrentConnectionCountRequest
GetCurrentConnectionCountRequest)
GetEventRules CerberusFtp.GetEventRulesResponse
GetEventRules(CerberusFtp.GetEventRulesRequest GetEventRulesRequest)
GetFeatures CerberusFtp.GetFeaturesResponse
GetFeatures(CerberusFtp.GetFeaturesRequest GetFeaturesRequest)
GetFileTransfers CerberusFtp.GetFileTransfersResponse
GetFileTransfers(CerberusFtp.GetFileTransfersRequest GetFileTransfersRequest)
GetFolderMonitors CerberusFtp.GetFolderMonitorsResponse
GetFolderMonitors(CerberusFtp.GetFolderMonitorsRequest GetFolderMonitorsRequest)
GetGroupInformation CerberusFtp.GetGroupInformationResponse
GetGroupInformation(CerberusFtp.GetGroupInformationRequest
GetGroupInformationRequest)
GetGroupList CerberusFtp.GetGroupListResponse
GetGroupList(CerberusFtp.GetGroupListRequest GetGroupListRequest)
GetGroups CerberusFtp.GetGroupsResponse
GetGroups(CerberusFtp.GetGroupsRequest GetGroupsRequest)

158
GetHostname CerberusFtp.GetHostnameResponse
GetHostname(CerberusFtp.GetHostnameRequest GetHostnameRequest)
GetInterfaceByID CerberusFtp.GetInterfaceResponse
GetInterfaceByID(CerberusFtp.GetInterfaceByIDRequest GetInterfaceByIDRequest)
GetInterfaceList CerberusFtp.GetInterfaceListResponse
GetInterfaceList(CerberusFtp.GetInterfaceListRequest GetInterfaceListRequest)
GetInterfaces CerberusFtp.GetInterfacesResponse
GetInterfaces(CerberusFtp.GetInterfacesRequest GetInterfacesRequest)
GetIPBlockList CerberusFtp.GetIPBlockListResponse
GetIPBlockList(CerberusFtp.GetIPBlockListRequest GetIPBlockListRequest)
GetLicenseInfo CerberusFtp.GetLicenseInfoResponse
GetLicenseInfo(CerberusFtp.GetLicenseInfoRequest GetLicenseInfoRequest)
GetLogMessages CerberusFtp.GetLogMessagesResponse
GetLogMessages(CerberusFtp.GetLogMessagesRequest GetLogMessagesRequest)
GetMimeMappings CerberusFtp.GetMimeMappingsResponse
GetMimeMappings(CerberusFtp.GetMimeMappingsRequest GetMimeMappingsRequest)
GetProfiles CerberusFtp.GetProfilesResponse
GetProfiles(CerberusFtp.GetProfilesRequest GetProfilesRequest)
GetPublicShares CerberusFtp.GetPublicSharesResponse
GetPublicShares(CerberusFtp.GetPublicSharesRequest GetPublicSharesRequest)
GetRequestedAccounts CerberusFtp.GetRequestedAccountsResponse
GetRequestedAccounts(CerberusFtp.GetRequestedAccountsRequest
GetRequestedAccountsRequest)
GetStatistics CerberusFtp.GetStatisticsResponse
GetStatistics(CerberusFtp.GetStatisticsRequest GetStatisticsRequest)
GetUserCustomSettings CerberusFtp.GetUserCustomSettingsResponse
GetUserCustomSettings(CerberusFtp.GetUserCustomSettingsRequest
GetUserCustomSettingsRequest)
GetUserInformation CerberusFtp.GetUserInformationResponse
GetUserInformation(CerberusFtp.GetUserInformationRequest GetUserInformationRequest)
GetUserList CerberusFtp.GetUserListResponse
GetUserList(CerberusFtp.GetUserListRequest GetUserListRequest)
InitializeInterface CerberusFtp.InitializeInterfaceResponse
InitializeInterface(CerberusFtp.InitializeInterfaceRequest
InitializeInterfaceRequest)
InitializeServer CerberusFtp.InitializeServerResponse
InitializeServer(CerberusFtp.InitializeServerRequest InitializeServerRequest)
ModifyInterface CerberusFtp.ModifyInterfaceResponse
ModifyInterface(CerberusFtp.ModifyInterfaceRequest ModifyInterfaceRequest)
RenameGroup CerberusFtp.RenameGroupResponse
RenameGroup(CerberusFtp.RenameGroupRequest RenameGroupRequest)
RenameUser CerberusFtp.RenameUserResponse
RenameUser(CerberusFtp.RenameUserRequest RenameUserRequest)
RestoreServerConfiguration CerberusFtp.RestoreServerConfigurationResponse
RestoreServerConfiguration(CerberusFtp.RestoreServerConfigurationRequest
RestoreServerConfigurationRequest)
RestoreStatisticsDatabase CerberusFtp.RestoreStatisticsDatabaseResponse
RestoreStatisticsDatabase(CerberusFtp.RestoreStatisticsDatabaseRequest
RestoreStatisticsDatabaseRequest)

159
SaveBackupServers CerberusFtp.SaveBackupServersResponse
SaveBackupServers(CerberusFtp.SaveBackupServersRequest SaveBackupServersRequest)
SaveBlockList CerberusFtp.SaveBlockListResponse
SaveBlockList(CerberusFtp.SaveBlockListRequest SaveBlockListRequest)
SaveConfiguration CerberusFtp.SaveConfigurationResponse
SaveConfiguration(CerberusFtp.SaveConfigurationRequest SaveConfigurationRequest)
SaveMimeMappings CerberusFtp.SaveMimeMappingsResponse
SaveMimeMappings(CerberusFtp.SaveMimeMappingsRequest SaveMimeMappingsRequest)
SaveProfiles CerberusFtp.SaveProfilesResponse
SaveProfiles(CerberusFtp.SaveProfilesRequest SaveProfilesRequest)
ServerInformation CerberusFtp.ServerInformationResponse
ServerInformation(CerberusFtp.ServerInformationRequest ServerInformationRequest)
ServerStarted CerberusFtp.ServerStartedResponse
ServerStarted(CerberusFtp.ServerStartedRequest ServerStartedRequest)
ServerSummaryStatus CerberusFtp.ServerSummaryStatusResponse
ServerSummaryStatus(CerberusFtp.ServerSummaryStatusRequest
ServerSummaryStatusRequest)
SetAdminAccounts CerberusFtp.SetAdminAccountsResponse
SetAdminAccounts(CerberusFtp.SetAdminAccountsRequest SetAdminAccountsRequest)
SetAuthenticationList CerberusFtp.SetAuthenticationListResponse
SetAuthenticationList(CerberusFtp.SetAuthenticationListRequest
SetAuthenticationListRequest)
SetEventRules CerberusFtp.SetEventRulesResponse
SetEventRules(CerberusFtp.SetEventRulesRequest SetEventRulesRequest)
SetFolderMonitors CerberusFtp.SetFolderMonitorsResponse
SetFolderMonitors(CerberusFtp.SetFolderMonitorsRequest SetFolderMonitorsRequest)
SetPublicShares CerberusFtp.SetPublicSharesResponse
SetPublicShares(CerberusFtp.SetPublicSharesRequest SetPublicSharesRequest)
SetRequestedAccounts CerberusFtp.SetRequestedAccountsResponse
SetRequestedAccounts(CerberusFtp.SetRequestedAccountsRequest
SetRequestedAccountsRequest)
SetUserCustomSettings CerberusFtp.SetUserCustomSettingsResponse
SetUserCustomSettings(CerberusFtp.SetUserCustomSettingsRequest
SetUserCustomSettingsRequest)
SetWANIP CerberusFtp.SetWANIPResponse
SetWANIP(CerberusFtp.SetWANIPRequest SetWANIPRequest)
SharePublicFile CerberusFtp.SharePublicFileResponse
SharePublicFile(CerberusFtp.SharePublicFileRequest SharePublicFileRequest)
ShutdownConnectionsOnInterface CerberusFtp.ShutdownConnectionsOnInterfaceResponse
ShutdownConnectionsOnInterface(CerberusFtp.ShutdownConnectionsOnInterfaceRequest
ShutdownConnectionsOnInterfaceRequest)
ShutdownInterface CerberusFtp.ShutdownInterfaceResponse
ShutdownInterface(CerberusFtp.ShutdownInterfaceRequest ShutdownInterfaceRequest)
ShutdownServer CerberusFtp.ShutdownServerResponse
ShutdownServer(CerberusFtp.ShutdownServerRequest ShutdownServerRequest)
StartServer CerberusFtp.StartServerResponse
StartServer(CerberusFtp.StartServerRequest StartServerRequest)
StopServer CerberusFtp.StopServerResponse
StopServer(CerberusFtp.StopServerRequest StopServerRequest)

160
TerminateConnection CerberusFtp.TerminateConnectionResponse
TerminateConnection(CerberusFtp.TerminateConnectionRequest
TerminateConnectionRequest)
TestAndVerifyDatabase CerberusFtp.TestAndVerifyDatabaseResponse
TestAndVerifyDatabase(CerberusFtp.TestAndVerifyDatabaseRequest
TestAndVerifyDatabaseRequest)
VerifyLicense CerberusFtp.VerifyLicenseResponse
VerifyLicense(CerberusFtp.VerifyLicenseRequest VerifyLicenseRequest)

37.8 C​ERBERUS​ U​SER​ M​ODIFICATIONS​ ​WITH​ P​OWER​SH

​ ELL 

37.8.1 I​NTRODUCTION 

So far, we've demonstrated how to connect to Cerberus FTP Server and make SOAP API calls using
PowerShell. We've also explored how PowerShell interfaces with the SOAP API via WSDL.

Now we demonstrate making modifications to Cerberus' native user repository.

Example-UserManipulation.ps1 creates a user, lists all Cerberus users, changes our user's email
address and password, adds a virtual directory to our user, and finally delete them.

We assume you've reviewed previous guides in this series and have successfully run
HelloCerberus.ps1. You should already know how to run PowerShell scripts and know when to change
PS execution policy. You'll once again need the URL to ​Cerberus.wsdl​, served by your Cerberus FTP
Server.

As before, we'll start by running the script, then step through the most significant parts of the script.

37.8.2 R​UNNING​ E​XAMPLE​-U​SER​M​ANIPULATION​.P

​ S​1 

Since our example script makes modifications to the Cerberus User store, it is best not to run it against
your production Cerberus environment; we ​strongly​ recommend that you use a separate instance of
Cerberus for testing.

1. Download the ​script

2. Open a PowerShell console to the downloaded location
3. Run the script

PS C:\> & .\Example-UserManipulation.ps1 -EnableTls12 -DisableCertValidation

If all went well, you'll see something like this in the PowerShell console:

PS C:\> & .\Example-UserManipulation.ps1 -EnableTls12 -DisableCertValidation

Windows PowerShell credential request.
Provide master admin credentials for Cerberus FTP Server
User: Admin
Password for user Admin: *****************
Successfully created user PsSOAPTestUser
Successfully retrieved list of users

161
 PsSOAPTestUser
PsSOAPTestUser exists in the list of users
Successfully updated email address of PsSOAPTestUser
Successfully changed password for PsSOAPTestUser
Successfully added NewRoot to PsSOAPTestUser
Successfully deleted PsSOAPTestUser

Code Walk-Through

Let's review each section of this script.

Note that the style of this script differs from HelloCerberus.ps1. Objects are explicitly created and their
storage variables are type-constrained with the bracket syntax. This results more verbose expressions
like:

[CerberusFtp.User] $newUser = New-Object -TypeName CerberusFtp.User

We've found, though, that this syntax seems to work better with PowerShell's code-completion features.
Hopefully this makes it easier to integrate snippets of this code into your own scripts.

37.8.3 S​ETUP​ SOAP C​ONNECTION 

This is the same code used in HelloCerberus.ps1. Cerberus credentials are requested if not provided.
TLS 1.2 and certificate validation are enabled or disabled according to parameters passed to the script.
The Web Service Proxy object is created. The only significant difference is the addition of the
$EnableTls12​ and ​$DisableCertValidation​ switches:

# Collect credentials if not provided in parameters

if (-not $PSBoundParameters.containsKey('CerberusCredentials')) {
$CerberusCredentials = Get-Credential -Message "Provide master admin
credentials for Cerberus FTP Server"
}

if ($EnableTls12) {
[Net.ServicePointManager]::SecurityProtocol =
[Net.SecurityProtocolType]::Tls12
}

if ($DisableCertValidation) {
if (-not("dummy" -as [type])) {
add-type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class Dummy {

public static bool ReturnTrue(object sender,
X509Certificate certificate,

162
 X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; }

public static RemoteCertificateValidationCallback GetDelegate() {

return new RemoteCertificateValidationCallback(Dummy.ReturnTrue);
}
}
"@
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback =
[dummy]::GetDelegate()
}

# Create Web Service Proxy object and CerberusFtp data-types

$CerberusSvc = New-WebServiceProxy -Uri $WSDLUrl -Class CerberusFtp -Namespace
CerberusFtp

# Override default SOAP endpoint if provided in parameters

if ($PSBoundParameters.ContainsKey('CerberusServiceUrl')){
$CerberusSvc.Url = $CerberusServiceUrl
}

37.8.4 C​REATE​ A
​ ​ N​EW​ T​EST​ U​SER 

To create a user, invoke the ​AddUser​ operation passing a ​CerberusFtp.AddUserRequest o ​ bject

containing a ​CerberusFtp.User​ object. The User object must be populated with all of the properties
you'd like for the user entry.

As always, create a request object corresponding to the operation we're about to invoke:

# Create new AddUserRequest object

[CerberusFtp.AddUserRequest] $addUserRequest = New-Object -TypeName
CerberusFtp.AddUserRequest

Every request needs credentials to authenticate:

# Populate request object with Cerberus Admin credentials

$addUserRequest.credentials = New-Object -TypeName CerberusFtp.Credentials
$addUserRequest.credentials.user = $CerberusCredentials.UserName
$addUserRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

The last bit of information the ​AddUser​ operation requires is a user. Create an object of type
CerberusFtp.User​ and populate relevant properties:

# Create new User object

[CerberusFtp.User] $newUser = New-Object -TypeName CerberusFtp.User

# Populate user object with user details

$newUser.name = $newTestUserName

163
 $newUser.password = New-Object -TypeName CerberusFtp.Password
$newUser.password.value = "TestPasswordChangeImmediately1234!@#$"
$newUser.requirePasswordChange = $true
$newUser.fname = "NewUserFrom"
$newUser.sname = "PowerShell"
$newUser.email = "[email protected]"
$newUser.desc = "This user was created from PowerShell using SOAP"

# Test account not allowed to change its own password

$newUser.isAllowPasswordChange = New-Object -TypeName
CerberusFtp.UserPropertyBool

CerberusFtp.UserPropertyBool​ belongs to a family of types that deal with how user properties interact
with the group membership. We'll cover this in more detail when demonstrating group operations. For
now, just set the ​.value​ to ​$false​ and .​ valueSpecified​ properties to ​$true​:

$newUser.isAllowPasswordChange.value = $false
$newUser.isAllowPasswordChange.valueSpecified = $true

Repeat with the ​.isDisabled​ attribute to ensure no one may login to our new test account:

# Test account disabled

$newUser.isDisabled = New-Object -TypeName CerberusFtp.UserPropertyBool
$newUser.isDisabled.value = $true
$newUser.isDisabled.valueSpecified = $true

Now that the user object is created, we copy it to the request object and invoke the AddUser operation:

# Populate request object with new user object

$addUserRequest.User = $newUser

# Issue the AddUser request

[CerberusFtp.AddUserResponse] $addUserResponse =
$CerberusSvc.AddUser($addUserRequest)

Finally, we test the result of the operation and display feedback accordingly:

# Check response for success or failure

if (-not $addUserResponse.result){
Write-Error "Failed to create user: $($addUserResponse.message)"
} else {
Write-Host "Successfully created user $newTestUserName"
}

37.8.5 G​ET​ ​A​ ​LIST​ ​OF​ A​LL​ C​ERBERUS​ U​SERS 

Now that we've created a new user, we can request a list of users from Cerberus FTP Server and
confirm that our new user exists in the list.

164
Once again, every operation must have a corresponding request object populated with admin
credentials. Going forward, we'll skip details for concepts we've already covered.

# Create new GetUserListRequest object

[CerberusFtp.GetUserListRequest] $getUserListRequest = New-Object
CerberusFtp.GetUserListRequest

# Populate request object with Cerberus Admin credentials

$getUserListRequest.credentials = New-Object -TypeName CerberusFtp.Credentials
$getUserListRequest.credentials.user = $CerberusCredentials.UserName
$getUserListRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

The list of usernames is sent in the ​$getUserListResponse.UserList​ property. In PowerShell, it appears

as an array of strings. We can use the ​-contains​ operator to test the contents of the array for the name
of our new user:

[CerberusFtp.GetUserListResponse] $getUserListResponse =
$CerberusSvc.GetUserList($getUserListRequest)

# Check response for success or failure

if (-not $getUserListResponse.result){
Write-Error "Failed to retrieve user list: $($getUserListResponse.message)"
} else {
Write-Host "Successfully created retrieved list of users"
Write-Host $getUserListResponse.UserList
if ($getUserListResponse.UserList -contains $newTestUserName){
Write-Host "$newTestUsername exists in the list of users"
} else {
Write-Error "$newTestUsername was not found in the list of users"
}
}

37.8.6 M​ODIFY​ E​MAIL​ A​DDRESS​ ​OF​ ​A​ U​SER 

Modifying a user is a compound operation.

1. Retrieve the user with ​getUserInformation

2. Modify the local copy of the user
3. Invoke ​AddUser​ to overwrite the user

# Create new GetUserInformationRequest object

[CerberusFtp.GetUserInformationRequest] $getUserInformationRequest =
New-Object CerberusFtp.GetUserInformationRequest

# Populate request object with Cerberus Admin credentials

$getUserInformationRequest.credentials = New-Object -TypeName
CerberusFtp.Credentials
$getUserInformationRequest.credentials.user = $CerberusCredentials.UserName

165
 $getUserInformationRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

# Populate request object with the username to retrieve

$getUserInformationRequest.userName = $newTestUserName

# Issue the getUserInformation request

[CerberusFtp.GetUserInformationResponse] $getUserInformationResponse =
$CerberusSvc.getUserInformation($getUserInformationRequest)

We check the result of the response to make sure we found an existing user account:

# Check response for success or failure

if (-not $getUserInformationResponse.result){
Write-Error "Failed to retrieve user:
$($getUserInformationResponse.message)"
} else {

Then we change the email address for this user object:

[CerberusFtp.User] $userToModify = $getUserInformationResponse.UserInformation

$userToModify.email = "[email protected]"

We use ​AddUser​ and its corresponding request type ​AddUserRequest​ to both create users and modify
existing users. If the userName matches that of an existing user, the existing user is overwritten. We've
named the request object​ $modifyUserRequest​ to express our intentions clearly:

# Populate request with modified user object

[CerberusFtp.AddUserRequest] $modifyUserRequest = New-Object
CerberusFtp.AddUserRequest

# Populate an AddUserRequest object with the modified user object

$modifyUserRequest.credentials = New-Object CerberusFtp.Credentials
$modifyUserRequest.credentials.user = $CerberusCredentials.UserName
$modifyUserRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

# Copy the newly-modified user object to the $modifyUserRequest object

$modifyUserRequest.User = $userToModify

# Issue AddUser request to modify existing user

[CerberusFtp.AddUserResponse] $modifyUserResponse =
$CerberusSvc.AddUser($modifyUserRequest)

# Check response for success or failure

if (-not $modifyUserResponse.result){
Write-Error "Failed to update user: $($modifyUserResponse.message)"
} else {
Write-Host "Successfully updated email address of $($userToModify.name)"
}
}

166
37.8.7 C​HANGE​ P​ASSWORD​ O
​ F​ A
​ ​ U​SER 

The password is just another property of the ​User​ object. You could modify it in the same fashion we
modified the​ .email ​property. However, password resets are frequent enough that a dedicated operation
is provided. This reduces complexity of copying the whole user object from server to client and back
again.

Use the ​ChangePassword​ operation along with ​ChangePasswordRequest​:

# Create new ChangePasswordRequest object

[CerberusFtp.ChangePasswordRequest] $changePasswordRequest = New-Object
CerberusFtp.ChangePasswordRequest

# Populate request object with Cerberus Admin credentials

$changePasswordRequest.credentials = New-Object CerberusFtp.Credentials
$changePasswordRequest.credentials.user = $CerberusCredentials.UserName
$changePasswordRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

# Populate with the user whose password we wish to change

$changePasswordRequest.userName = $newTestUserName

# Setting adminPasswordReset to true allows us to change the password without

knowing the existing password
$changePasswordRequest.adminPasswordReset = $true
$changePasswordRequest.adminPasswordResetSpecified = $true

# Populate request with the desired password

$changePasswordRequest.newPassword = "ThisIsANewPassword1234!@#$"

Note that the password is sent in plain-text. It is for this reason that we always recommend using
HTTPS for SOAP communication.

Note also that Cerberus FTP Server never stores passwords in plain-text. As soon as the plain-text is
received, Cerberus salts and hashes the value before saving it to the user.

# Issue the ChangePassword request

[CerberusFtp.ChangePasswordResponse] $changePasswordResponse =
$CerberusSvc.ChangePassword($changePasswordRequest)

# Check response for success or failure

if (-not $changePasswordResponse.result){
Write-Error "Failed to change password: $($changePasswordResponse.message)"
} else {
Write-Host "Successfully changed password for $newTestUserName"
}

167
37.8.8 A​DD​ V​IRTUAL​ D​IRECTORY​ T​ O​ A
​ ​ U​SER 

As with to password reset, dedicated APIs are provided for adding and removing virtual directories.
Provide the ​userName​ whose directories will be modified and a ​CerberusFtp.VirtualDirectory​ object. If
the ​name​ of the virtual directory matches an existing one, the existing one is overwritten:

# Create a new AddDirectoryToUserRequest object

[CerberusFtp.AddDirectoryToUserRequest] $addDirectoryRequest = New-Object
-TypeName CerberusFtp.AddDirectoryToUserRequest

# Populate request object with Cerberus Admin credentials

$addDirectoryRequest.credentials = New-Object -TypeName
CerberusFtp.Credentials
$addDirectoryRequest.credentials.user = $CerberusCredentials.UserName
$addDirectoryRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

# Populate request object with the target username

$addDirectoryRequest.userName = $newTestUserName

# Create new VirtualDirectory object

$addDirectoryRequest.directory = New-Object -TypeName
CerberusFtp.VirtualDirectory

# Populate virtual directory object with name, path, and permissions

$addDirectoryRequest.directory.name = "NewRoot"
$addDirectoryRequest.directory.path = "c:\testroot"

With twelve defined permissions, this section can be a little verbose:

$addDirectoryRequest.directory.permissions = New-Object -TypeName

CerberusFtp.DirectoryPermissions

# Grant download, upload, list files, list directories, rename, create, and
delete
$addDirectoryRequest.directory.permissions.allowDownload = $true
$addDirectoryRequest.directory.permissions.allowUpload = $true
$addDirectoryRequest.directory.permissions.allowListDir = $true
$addDirectoryRequest.directory.permissions.allowListFile = $true
$addDirectoryRequest.directory.permissions.allowRename = $true
$addDirectoryRequest.directory.permissions.allowDirectoryCreation = $true
$addDirectoryRequest.directory.permissions.allowDelete = $true

# Issue the AddDirectoryToUser request

[CerberusFtp.AddDirectoryToUserResponse] $addDirectoryResponse =
$CerberusSvc.AddDirectoryToUser($addDirectoryRequest)

# Check response for success or failure

if (-not $addDirectoryResponse.result){

168
 Write-Error "Failed to add virtual directory to user:
$($addDirectoryResponse.message)"
} else {
Write-Host "Successfully added $($addDirectoryRequest.directory.name) to
$newTestUserName"
}

37.8.9 D​ELETE​ A
​ ​ U​SER 

The last operation we demonstrate is perhaps the simplest. Provide a valid username and Cerberus
FTP Server will delete the user.

# Create a new DeleteUserRequest object

[CerberusFtp.DeleteUserRequest] $deleteUserRequest = New-Object -TypeName
CerberusFtp.DeleteUserRequest

# Populate request object with Cerberus Admin credentials

$deleteUserRequest.credentials = New-Object CerberusFtp.Credentials
$deleteUserRequest.credentials.user = $CerberusCredentials.UserName
$deleteUserRequest.credentials.password =
$CerberusCredentials.GetNetworkCredential().Password

# Populate request object with username to be deleted

$deleteUserRequest.name = $newTestUserName

# Issue the DeleteUser request

[CerberusFtp.DeleteUserResponse] $deleteUserResponse =
$CerberusSvc.DeleteUser($deleteUserRequest)

# Check response for success or failure

if (-not $deleteUserResponse.result){
Write-Error "Failed to delete user $newTestUserName :
$($deleteUserResponse.message)"
} else {
Write-Host "Successfully deleted $newTestUserName"
}

37.8.10 C​ONCLUSION 

That covers some of the most common operations involving Cerberus native users. In the next guide
we'll cover group manipulation. Adding, modifying, and removing groups as well as adding members to
groups. We'll also revisit the UserPropertyBool type and how constraints get applied to users.

37.9 C​ERBERUS​ G​ROUP​ M​ODIFICATIONS​ ​WITH​ P​OWER​SH

​ ELL 

37.9.1 I​NTRODUCTION 

169
In the last article we made real modifications to Cerberus with the SOAP API. It may not seem like much
to create a single user, but it was an important step in the path to understanding the API.

This time we'll make modifications to Cerberus Group objects. We will create a group, modify its
members, and modify the virtual directories it grants to members. We also explain interactions between
groups and users that determine a user's effective constraints.

Running Example-GroupManipulation.ps1

Once again, we've provided sample code to demonstrate the changes we'll be making. If you've
followed the previous guides closely, you'll recognize similar patterns and even some duplicate code.

We ​strongly ​recommend running this script in a test environment, ​not ​on a production Cerberus
instance.

● Download Example-GroupManipulation.ps1
● Open a PowerShell console and change directory to the script location
● Invoke Unblock-File and/or modify execution policy
● Run the script

Use ​-EnableTls12​ and​ -DisableCertValidation​ flags, if necessary

Supply ​-WSDLUrl​ parameter if Cerberus is on a different host
Supply ​-CerberusServiceUrl ​if running Cerberus 10.0.9 or earlier

For example:

& .\Example-GroupManipulation.ps1 -EnableTls12 -DisableCertValidation

● Provide Cerberus primary admin credentials when prompted

If successful, something like this will appear in the console:

PS C:> & .\Example-GroupManipulation.ps1 -EnableTls12 -DisableCertValidation

Windows PowerShell credential request.
Provide master admin credentials for Cerberus FTP Server
User: Admin
Password for user Admin: *****************
Successfully created group PsSOAPTestGroup
Successfully added groupRoot to PsSOAPTestGroup
Retrieved PsSOAPTestGroup
Successfully modified PsSOAPTestGroup
Successfully retrieved list of groups
PsSOAPTestGroup
PsSOAPTestGroup exists in the list of groups
Successfully created user PsSOAPTestUser
Successfully found PsSOAPTestUser
Successfully made PsSOAPTestUser a member of PsSOAPTestGroup

170
Successfully retrieved PsSOAPTestUser
Group-allowed protocols now overridden by user-allowed protocols
Successfully retrieved PsSOAPTestUser
Successfully removed PsSOAPTestUser from PsSOAPTestGroup
Successfully deleted PsSOAPTestUser
Successfully deleted PsSOAPTestGroup

As you can see, this script creates a group, user, modifies a few of their properties, shuffles the user in
and out of the group, and deletes them both.

37.9.2 C​ODE​ W​ALK​-T​HROUGH 

Group manipulation looks similar to User manipulation since, after all, Groups and Users share many of
the same properties (allowed protocols, permissible IPs, virtual directory lists, for example). ​AddGroup
is invoked for creating and updating groups and ​AddDirectoryToGroup i​ s invoked for modifying virtual
directories on groups.

This script uses a few PowerShell idioms to reduce verbosity in areas we've already covered. We'll call
these out during the walk-through.

Setup SOAP Connection

This section should look quite familiar by now; it is quite similar to the sections in HelloCerberus.ps1 and
Example-UserManipulation.ps1.

The one change is the creation of a hash table containing Cerberus credentials. We'll reuse this object
to initialize request objects later in the script. We make thirteen requests to the Cerberus SOAP API, so
individually initializing the credentials on every request begins to add up.

# Hashtable containing credentials for later request object population

$requestWithCreds = @{
credentials = @{
user = $CerberusCredentials.UserName
password = $CerberusCredentials.GetNetworkCredential().Password
}
}

Create a New Group

Similar to dealing with users, we create a new object, populate the relevant properties and invoke an
Add operation to create it within Cerberus FTP Server.

# The name of the test group

$newTestGroupName = "PsSOAPTestGroup"

# Create new Group object

[CerberusFtp.Group] $newGroup = New-Object -TypeName CerberusFtp.Group
$newGroup.name = $newTestGroupName

171
 $newGroup.desc = "New Test Cerberus Native Group from PowerShell"

We set ​isSimpleDirectoryMode​ and ​protocols​ to allow only​ https.​ Later we'll demonstrate how to
override these on a per-user basis.

$newGroup.isSimpleDirectoryMode = $true
$newGroup.isSimpleDirectoryModeSpecified = $true
$newGroup.protocols = New-Object -TypeName CerberusFtp.ProtocolsAllowed
$newGroup.protocols.https = $true

Finally, create the ​addGroupRequest​ object, invoke the ​AddGroup​ operation and check the result. This
time, when we create the ​CerberusFtp.AddGroupRequest​ object, we initialize its credentials with the
$requestWithCreds​ variable we declared earlier:

# Create addGroupRequest object

[CerberusFtp.AddGroupRequest] $addGroupRequest = New-Object -TypeName
CerberusFtp.AddGroupRequest
$addGroupRequest = $requestWithCreds
$addGroupRequest.Group = $newGroup

# Issue the AddGroup request

[CerberusFtp.AddGroupResponse] $addGroupResponse =
$CerberusSvc.AddGroup($addGroupRequest)

# Check response for success or failure

if (-not $addGroupResponse.result){
Write-Error "Failed to create group: $($addGroupResponse.message)"
} else {
Write-Host "Successfully created group $newTestGroupName"
}

​Add Virtual Directory to a Group

Again, similar to adding virtual directories to users, but a different operation is provided for groups:

# Create a new AddDirectoryToGroupRequest object

[CerberusFtp.AddDirectoryToGroupRequest] $addDirectoryRequest =
$requestWithCreds
$addDirectoryRequest.groupName = $newTestGroupName
$addDirectoryRequest.directory = New-Object -TypeName
CerberusFtp.VirtualDirectory

# Populate virtual directory object with name, path, and permissions

$addDirectoryRequest.directory.name = "groupRoot"
$addDirectoryRequest.directory.path = "c:\groupRoot"
$addDirectoryRequest.directory.permissions = New-Object -TypeName
CerberusFtp.DirectoryPermissions

172
 # Grant download, upload, list files, list directories, rename, create, and
delete
$addDirectoryRequest.directory.permissions.allowDownload = $true
$addDirectoryRequest.directory.permissions.allowUpload = $true
$addDirectoryRequest.directory.permissions.allowListDir = $true
$addDirectoryRequest.directory.permissions.allowListFile = $true
$addDirectoryRequest.directory.permissions.allowRename = $true
$addDirectoryRequest.directory.permissions.allowDirectoryCreation= $true
$addDirectoryRequest.directory.permissions.allowDelete= $true

# Issue the AddDirectoryToGroup request

[CerberusFtp.AddDirectoryToGroupResponse] $addDirectoryResponse =
$CerberusSvc.AddDirectoryToGroup($addDirectoryRequest)

# Check response for success or failure

if (-not $addDirectoryResponse.result){
Write-Error "Failed to add virtual directory to group:
$($addDirectoryResponse.message)"
} else {
Write-Host "Successfully added $($addDirectoryRequest.directory.name) to
$newTestGroupName"
}

​Modify Group Description

Modifying a Group object is a compound operation. Retrieve the existing group object with
GetGroupInformation,​ make modifications, then overwrite the existing group with ​AddGroup​:

[CerberusFtp.GetGroupInformationRequest] $getGroupRequest = $requestWithCreds

$getGroupRequest.name = $newTestGroupName

[CerberusFtp.GetGroupInformationResponse] $getGroupResponse =
$CerberusSvc.GetGroupInformation($getGroupRequest)

if (-not $getGroupResponse.result) {
Write-Error "Failed to retrieve group: $($getGroupResponse.message)"
} else {
Write-Host "Retrieved $newTestGroupName"

$existingGroup = $getGroupResponse.group
$existingGroup.desc = "This group was created for demonstration purposes in
PowerShell"

[CerberusFtp.AddGroupRequest] $modifyGroupRequest = $requestWithCreds

$modifyGroupRequest.Group = $existingGroup

[CerberusFtp.AddGroupResponse] $modifyGroupResponse =
$CerberusSvc.AddGroup($modifyGroupRequest)
if(-not $modifyGroupResponse.result){
Write-Error "Failed to modify group: $($modifyGroupResponse.message)"

173
 } else {
Write-Host "Successfully modified $($existingGroup.name)"
}
}

List Current Groups

A list of all current group names can be retrieved with ​GetGroupList​.

Because the​ GetGroupListRequest​ object contains only credentials and no other request data, we can
get away with passing the ​$requestWithCreds​ hash table as a short-cut. PowerShell manages the
conversion of the hash table to a ​GetGroupListRequest​ object transparently.

[CerberusFtp.GetGroupListResponse] $getGroupListResponse =
$CerberusSvc.GetGroupList($requestWithCreds)

if (-not $getGroupListResponse.result){
Write-Error "Failed to retrieve group list:
$($getGroupListResponse.message)"
} else {
Write-Host "Successfully retrieved list of groups"
Write-Output $getGroupListResponse.GroupList
if ($getGroupListResponse.GroupList -contains $newTestGroupName){
Write-Host "$newTestGroupName exists in the list of groups"
} else {
Write-Host "$newTestGroupName was not found in the list of groups"
}
}

Create New User

This time we create the User object with a nested hash table. This does exactly what you'd expect;
names and values in the hash table populate the ​CerberusFtp.User​ object. PowerShell will emit an error
message if required properties are missing and if unexpected properties are found.

$newTestUserName = "PsSOAPTestUser"

[CerberusFtp.User] $newUser = @{
name = $newTestUserName
password = @{value = "TestPasswordChangeImmediately1234!@#$"}
desc = "This user is for testing group membership modifications"
isDisabled = @{value = $true; valueSpecified = $true}
}

[CerberusFtp.AddUserRequest] $addUserRequest = $requestWithCreds

$addUserRequest.User = $newUser

[CerberusFtp.AddUserResponse] $addUserResponse =
$CerberusSvc.AddUser($addUserRequest)

174
 if (-not $addUserResponse.result){
Write-Error "Failed to create user: $($addUserResponse.message)"
} else {
Write-Host "Successfully created user $newTestUserName"
}

​Add User to Group

There are some surprises in Cerberus' model of the group-user relationship:

Cerberus Users carry a reference to the Group they're a member of.

This is a departure from typical identity systems, where group objects contain references to their
members.

Cerberus does not currently support multi-group membership for native users.

The user property named named "groupList" stores the single group reference.

It is an array, accepting many group names, but only the first is evaluated for user constraints and
virtual directories.

When using SOAP API to add users to groups, group properties are not automatically inherited by the
user.

The GUI Admin tools perform this step for you, whereas in SOAP API, your script must perform this
step, if desired.

As we add the user to the group, we'll demonstrate how all of the above surprises affect our script.

Since we are modifying an existing user, we first retrieve the current user object:

[CerberusFtp.GetUserInformationRequest] $userInfoRequest = $requestWithCreds

$userInfoRequest.userName = $newTestUserName

[CerberusFtp.GetUserInformationResponse] $existingUserResponse =
$CerberusSvc.GetUserInformation($userInfoRequest)

if (-not $existingUserResponse.result){
Write-Error "Failed to find user $newTestUserName :
$($existingUserResponse.message)"
} else {
Write-Host "Successfully found $newTestUserName"

$existingUser = $existingUserResponse.UserInformation

175
 In PowerShell, @() signifies an array and @{} signifies a hash table. So the next line creates an array
containing a single hash table containing a '​name​' property, whose value is the group name:

$existingUser.groupList = @(@{name=$newTestGroupName})

There are twelve user properties that may be inherited through group membership. This bit of code sets
them all to defer to the group's value. We'll cover the details of this "priority" attribute in the next section.

foreach ($propName in @( "authMethod"

"disableAfterTime"
"ipAllowedList"
"isAllowPasswordChange"
"isAnonymous"
"isDisabled"
"isSimpleDirectoryMode"
"maxLoginsAllowed"
"maxUploadFilesize"
"protocols"
"requireSecureControl"
"requireSecureData")
) {
$existingUser.$propName = @{priority = "group"; prioritySpecified = $true}
}

The rest is a typical user update with an invocation of AddUser:

[CerberusFtp.AddUserRequest] $modifyUserRequest = $requestWithCreds

$modifyUserRequest.User = $existingUser

[CerberusFtp.AddUserResponse] $modifyUserResponse =
$CerberusSvc.AddUser($modifyUserRequest)

if (-not $modifyUserResponse.result){
Write-Error "Failed to update exiting user:
$($modifyUserResposne.message)"
} else {
Write-Host "Successfully made $newTestUserName a member of
$newTestGroupName"
}
}

Override Allowed Protocols for Group Member

In the last section, we added the test user to a group and set their properties to "​group​" priority. We'll
explain a little more about what this means and then walk through the code that changes the priority of a
user property to override the group value.

Our existing Group Documentation briefly explains this feature of Cerberus FTP Server.

176
Essentially, Cerberus tags some user properties as ​group-inherited​ or ​user-overridden​ values. The
switch is is expressed intuitively in the User Manager GUI with a toggle button and symbols for each
state:

In SOAP API, this is expressed as a ​priority​ attribute on each property, which may be set to "​group"​ or
"​user"​ accordingly. The attribute defaults to "​user​" for newly created users.

For instance, the ​CerberusFtp.ProtocolsAllowed​ type appears like this in PowerShell. Note the various
protocols which may be allowed, plus the a priority attribute:

PS C:\> CerberusFtp.ProtocolsAllowed].declaredProperties |Select-Object name,

propertyType

Name PropertyType
---- ------------
priority CerberusFtp.UserPropertyPriority
prioritySpecified System.Boolean
ftp System.Boolean

177
 ftps System.Boolean
sftp System.Boolean
http System.Boolean
https System.Boolean

The override takes place on the ​User​ object, so we first retrieve our user from Cerberus FTP Server:

[CerberusFtp.GetUserInformationRequest] $getUserRequest = $requestWithCreds

$getUserRequest.userName = $newTestUserName

[CerberusFtp.GetUserInformationResponse] $getUserResponse =
$CerberusSvc.GetUserInformation($getUserRequest)

if (-not $getUserResponse.result){
Write-Error "Unable to retrieve user: $($getUserResponse.message)"
} else {
Write-Host "Successfully retrieved $($getUserResponse.UserInformation.name)"

We want this user to have both FTPS and HTTPS access, regardless of the constraints set by their
group. We allow these protocols by setting them to ​$true​ on the user ​protocols​ property, then enable the
override by setting priority to "​user"​ and ​prioritySpecified​ to ​$true​:

$existingUser = $getUserResponse.UserInformation
$existingUser.protocols.ftps = $true
$existingUser.protocols.https = $true
$existingUser.protocols.priority = "user"
$existingUser.protocols.prioritySpecified = $true

And now we push the modified user object with ​AddUser:​

[CerberusFtp.AddUserRequest] $modifyUserRequest = $requestWithCreds

$modifyUserRequest.User = $existingUser

[CerberusFtp.AddUserResponse] $modifyUserResponse =
$CerberusSvc.AddUser($modifyUserRequest )

if (-not $modifyUserResponse.result){
Write-Error "Unable to update user: $($modifyUserResponse.message)"
} else {
Write-Host "Group-allowed protocols now overridden by user-allowed
protocols"
}
}

Remove User from Group

As previously mentioned, group membership is stored with the ​User​ object, so removing a user from
their group means making a change to their ​groupList​ property.

[CerberusFtp.GetUserInformationRequest] $getUserRequest = $requestWithCreds

$getUserRequest.userName = $newTestUserName

178
 [CerberusFtp.GetUserInformationResponse] $getUserResponse =
$CerberusSvc.GetUserInformation($getUserRequest)

if (-not $getUserResponse.result){
Write-Error "Failed to retrieve user: $(getUserResponse.message)"
} else {
Write-Host "Successfully retrieved $($getUserResponse.UserInformation.name)"

$existingUser = $getUserResponse.UserInformation

if ($existingUser.groupList.Count -lt 1){

Write-Error "Cannot remove user from group; user is not a member of any
group"
} else {

We empty the groupList property by assigning it an empty array:

$previousMembership = $existingUser.groupList
$existingUser.groupList = @()

This bit of code sets all of the twelve user properties that may be inherited through group membership to
defer to the user's value.

foreach ($propName in @( "authMethod"

"disableAfterTime"
"ipAllowedList"
"isAllowPasswordChange"
"isAnonymous"
"isDisabled"
"isSimpleDirectoryMode"
"maxLoginsAllowed"
"maxUploadFilesize"
"protocols"
"requireSecureControl"
"requireSecureData")
) {
$existingUser.$propName = @{priority = "user"; prioritySpecified = $true}
}

Then we push the modified user with ​AddUser​ and display feedback to the host console:

[CerberusFtp.AddUserRequest] $modifyUserRequest = $requestWithCreds

$modifyUserRequest.User = $existingUser

[CerberusFtp.AddUserResponse] $modifyUserResponse =
$CerberusSvc.AddUser($modifyUserRequest)

if (-not $modifyUserResponse.result){
Write-Error "Failed to update exiting user:
$($modifyUserResponse.message)"

179
 } else {
Write-Host "Successfully removed $newTestUserName from
$($previousMembership.name -join ', ')"
}
}
}

Delete User

Clean up our test user before we're done.

[CerberusFtp.DeleteUserRequest] $deleteUserRequest = $requestWithCreds

$deleteUserRequest.user = $newTestUserName

[CerberusFtp.DeleteUserResponse] $deleteUserResponse =
$CerberusSvc.DeleteUser($deleteUserRequest)

if (-not $deleteUserResponse.result){
Write-Error "Failed to delete user: $($deleteUserResponse.message)"
} else {
Write-Host "Successfully deleted $newTestUserName"
}

Delete Group

Finally, we delete the group.

[CerberusFtp.DeleteGroupRequest] $deleteGroupRequest = $requestWithCreds

$deleteGroupRequest.name = $NewTestGroupName

[CerberusFtp.DeleteGroupResponse] $deleteGroupResponse =
$CerberusSvc.DeleteGroup($deleteGroupRequest)

if (-not $deleteGroupResponse.result){
Write-Error "Failed to delete group: $($deleteUserResponse.message)"
} else {
Write-Host "Successfully deleted $NewTestGroupName"
}

A group cannot be deleted if it still has members. You'll receive an error message like this one if you
try:

result message
------ -------
False The following accounts are still members of this group: PsSOAPTestUser

​Conclusion

180
There are many more Cerberus API operations available beyond user and group management. They
deal with server configuration, listener management, and backup/restore, to name a few. At this point,
you should have all the tools and techniques necessary to explore these operations on your own.

To round out this introduction, the last article will provide an overview of entire Cerberus SOAP API
grouped by functional domain. We'll also identify operations we recommend avoiding, as they're
primarily for internal use.

37.10 C​ERBERUS​ SOAP API R​EFERENCE 

Below is a list of all operations supported by the Cerberus SOAP API as of 10.0.10, grouped by
functional domain, along with a short description of the operation.

Internal Operations​, colored in ​red​, should not be used. They are used internally by the Cerberus GUI.
Misuse may result in server instability and loss of data.

Advanced Operations​, colored in ​orange​ , are low-level operations whose use is discouraged. They are
difficult to use correctly, as they exchange blocks of XML, rather than well-defined objects. Sending
malformed XML to these APIs may result in loss of data and services. Safer alternatives are noted
where available.

Index

● User Management
● Group Management
● Virtual Directory Management
● Interface/Listener Management
● Event Management
● IP Manager
● Folder Monitor
● Reporting Database
● Public Shares
● Account Requests
● Server Information and Status
● Server Configuration
● Backup and Sync
● Startup/Shutdown

User Management
Operations to manage Cerberus native users.

AddUser
Add a user to Cerberus. If the user already exists, it is overwritten.

ChangePassword

181
Change the password of an existing user.

DeleteUser
Remove a user account.

GetUserInformation
Get all properties of a specified user.

GetUserList
Retrieves the list of all native Cerberus user-names.

RenameUser
Renames an existing user.

GetUserCustomSettings
Retrieves a complete XML representation of users’ custom settings. This includes multi-factor
authentication settings and security questions.

SetUserCustomSettings
Sets users’ custom settings given an XML representation of all settings.

Group Management
Operations to manage Cerberus native groups.​

AddGroup
Add new group. If the group name already exists, it is overwritten.

DeleteGroup
Remove group.

GetGroupList
Returns the list of all group names.

GetGroupInformation
Get all properties of a specified group.

GetGroups
Returns an XML representation of all group information. Safer alternative is GetGroupList coupled with
GetGroupInformation.

RenameGroup
Change the name of an existing group.

Virtual Directory Management

Operations to manage virtual directories on both users and groups.

182
AddDirectoryToGroup
Add virtual directory to a group.

AddDirectoryToUser
Add a virtual directory to user account.

DeleteDirectoryFromGroup
Remove a virtual directory from a group.

DeleteDirectoryFromUser
Remove a virtual directory from user account.

Interface/Listener Management
Operations to manage interfaces and connections.

GetInterfaceByID
Retrieve the interface definition for the given interface ID.

GetInterfaceList
Retrieve all interface definitions.

GetConnectedUserList
Retrieve list of currently connected users. Results contain both connection ID and interface ID.

GetCurrentConnectionCount
Retrieve count of current connections to given interface ID.

GetInterfaces
Retrieve XML block representing all listeners. Safer alternatives are GetInterfaceList and
GetInterfacesByID.

InitializeInterface
Start an interface. Returns 'false' if the interface is already started and listening for connections.

ModifyInterface
Modify properties of a given interface.

ShutdownConnectionsOnInterface
Shutdown all connections to the given interface ID.

ShutdownInterface
Shutdown interface. Existing connections are closed.

TerminateConnection
Terminate the given connection ID.

183
Event Management
Advanced operations to manage event rules.

GetEventRules
Retrieve XML block representing configured Event rules.

SetEventRules
Set event rules with properly structured XML block.

IP Manager
Operations to manage IP allow/deny functionality.

GetAutoBlockList
Retrieves XML block representing auto-blocking settings.

SaveBlockList
Set the IP Manager list with XML block.

AddIp
Add an IP or IP range to the IP Manager.

BlockAddress
Block the given address. Removes from IP manager if in white-list mode, adds if in black-list mode.

DeleteIp
Remove an IP address/range from the IP Manager.

GetIPBlockList
Retrieves the current list of tracked IP addresses/ranges from IP Manager.

Folder Monitor
Advanced operations for managing folder monitoring functionality.

GetFolderMonitors
Retrieves an XML block of all currentently-monitored folders.

SetFolderMonitors
Overwrites current list of monitored folders with supplied XML block.

Reporting Database
Operations related to reporting and the Cerberus statistics database.

BackupStatisticsDatabase
Backup reporting database.

CreateStatisticsDatabase

184
Create tables on currently-configured statistics database.

DropStatisticsDatabase
Drop tables from configured reporting database.

GenerateStatistics
Generate statistics report. Returns path to report on Cerberus' host.

RestoreStatisticsDatabase
Restore reporting database from backup.

TestAndVerifyDatabase
Connect and verify configured reporting database.

Public Shares
Advanced operations for managing publicly-shared files.

DeletePublicShares
Removes public shares from the server, represented by a list of GUID strings.

GetPublicShares
Retrieves an XML block of all current public shares.

SetPublicShares
Overwrites public shares with supplied XML block.

SharePublicFile
Create a new public-shared file. Requires login and password of a standard user who has access to the
file/folder.

Account Requests
Operations for managing the list of requested accounts.

DeleteRequestedAccounts
Delete the specified account requests, identified by list of GUID strings.

GetRequestedAccounts
Retrieve XML block of current account requests.

SetRequestedAccounts
Set XML block of account requests.

Server Information and Status

These operations provide information about server configuration and retrieve current statistics on the
server's run-time state.

185
CurrentStatus
Retrieve basic status of Cerberus FTP Server including bandwidth, connections, and start date.

GetAllCurrentConnectionCount
Retrieve current number of active connections.

GetAppPaths
Retrieve Cerberus FTP Server’s working directories.

GetCurrentBandwidth
Retrieve current bandwidth utilization.

GetFeatures
Retrieves list of enabled features and allowed connections.

GetFileTransfers
Retrieve list of files currently in transit.

GetHostname
Get the hostname of the server running Cerberus FTP Server.

GetLicenseInfo
Retrieve detailed license information.

GetLogMessages
Retrieve log messages from the logging queue.

GetStatistics
Retrieve file and connection counts since the last restart. Includes number of files
uploaded/downloaded, total/current connections, and failed up/downloads.

ServerInformation
Retrieve basic information about Cerberus FTP Server.

ServerSummaryStatus
Retrieve overview of Cerberus FTP Server status and configuration. Includes all information from
Cerberus' "Server Configuration and Status Summary" page displayed in the main GUI.

VerifyLicense
Validates a given license string.

Server Configuration
Low-level operations for configuration

186
CommitSettings
Commit changes to configuration.

CreateDirectory
Create a directory on the Cerberus server filesystem.

DeleteDirectory
Delete a directory from the Cerberus server filesystem.

GetConfiguration
Retrieve XML block of all server configuration settings.

GetProfiles
Retrieves a complete XML block of all user profiles. GetUserInformation is a safer alternative.

SaveConfiguration
Save server configuration settings in XML format.

SaveProfiles
Write an XML block of all user profiles. AddUser is a safer alternative.

GetAdminAccounts
Retrieve the list of administrator accounts.

GetMimeMappings
Retrieve the file extension to mime-type map.

SaveMimeMappings
Set the file extension to mime-type map.

SetAdminAccounts
Set the list of administrator accounts.

SetWANIP
Set the publicly available IP address.

GetAuthenticationList
Retrieve XML block of authentication providers in order of priority.

SetAuthenticationList
Set the list of authentication providers in XML format.

Backup and Sync

Operation of Cerberus FTP Server's backup and restore facilities.

GetBackupServers

187
Retrieve XML block representing Cerberus' configured Sync servers.

SaveBackupServers
Set XML block of Cerberus' Sync servers.

BackupServerConfiguration
Creates a backup of the Cerberus FTP Server configuration at the specified location.

RestoreServerConfiguration
Restores Cerberus configuration from backup.

Startup and Shutdown

These operations are for internal use. Do not use these operations. Incorrect use may cause server
instability and loss of service. Use operating system facilities to start and stop the Cerberus service.

InitializeServer
Initializes the server.

ShutdownServer
Shuts down the Cerberus service.

StartServer
Starts Cerberus listeners.

StopServer
Stops Cerberus listeners.

ServerStarted
Checks whether the Cerberus Server has started.

38.0 C​OMMAND​ S​UPPORT  

38.1 FTP C​OMMANDS​ S​UPPORTED 

The following FTP commands are supported by Cerberus FTP Server:

● ABOR ● CLNT ● HELP

● ACCT ● CSID ● LANG
● ADAT ● CWD ● LIST
● ALLO ● DELE ● MDTM
● APPE ● EPSV ● MFMT
● AUTH ● EPRT
● CCC ● FEAT
● CDUP ● HASH

188
● MFCT ● RMDA
● MKD ● RNFR
● MODE ● RNFT
● MLSD ● SITE
● MLST ● SIZE
● MLSD ● STOR
● NLST ● STOU
● NOOP ● STRU
● OPTS ● SYST
● P@SV ● TYPE
● PASS ● USER
● PASV ● XCRC
● PBSZ ● XCUP
● PWD ● XPWD
● PORT ● XMD5
● PROT ● XMKD
● QUIT ● XSHA1
● REIN ● XSHA256
● RETR ● XSHA512
● REST ● XRMD
● RMD

189