Tectia

Principle of Transparent FTP Tunneling

Figure 5.5. Transparent FTP tunneling

The following steps happen in transparent FTP tunneling:

  1. An application, a script, or a user triggers a file transfer.

  2. The FTP client on the File Transfer Client machine starts a file transfer to the FTP server on the File Transfer Server machine.

  3. The Tectia connection capture module captures the connection before it leaves the client side. Tectia ConnectSecure checks and applies the filter rules that specify which connections to capture. The filter rules are defined in the Connection Broker configuration. Connections can be captured based on the FTP application used and the destination address and/or port.

  4. Tectia ConnectSecure can extract the user name, password, and destination host name from the secured FTP application, and use them for authentication and connection setup with the Secure Shell server.

    The Connection Broker module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user can be authenticated with the FTP username and password, or with public keys. The Secure Shell server can be the FTP server specified in the original FTP request, or another server can be configured in the filter rules.

  5. The secure tunnel is terminated at the Secure Shell server.

  6. The Secure Shell server forwards the connection to the FTP server, and the FTP server can continue with post-processing of the transferred files. If the FTP server is located on a third host, the connection from the Secure Shell server to the FTP server is unsecured. For this reason it is recommended to have at least one Secure Shell server in each physically secured area, for instance in a machine room.
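The capture decision in steps 3, 4 and 6 can be modelled to audit a rule set: which connections are captured, which Secure Shell server terminates the tunnel, and whether the final hop to the FTP server stays in plaintext. The code below is an added illustrative model, not Tectia's Connection Broker code or its configuration syntax; the rule fields, first-match ordering, the sample addresses and the assumption that destinations are IP literals are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FilterRule:
    """One capture rule; None in a field means 'match anything'."""
    application: Optional[str] = None  # FTP client program name
    dest_net: Optional[str] = None     # destination address range, CIDR
    dest_port: Optional[int] = None    # destination port
    ssh_server: Optional[str] = None   # None: tunnel to the FTP host itself


@dataclass(frozen=True)
class Connection:
    application: str
    dest_host: str  # IP literal (assumption made for this model)
    dest_port: int


@dataclass(frozen=True)
class Decision:
    captured: bool
    ssh_server: Optional[str] = None
    last_hop_plaintext: bool = False  # SSH server -> FTP server on a third host


def matches(rule: FilterRule, conn: Connection) -> bool:
    if rule.application is not None and rule.application != conn.application:
        return False
    if rule.dest_port is not None and rule.dest_port != conn.dest_port:
        return False
    if rule.dest_net is not None and ip_address(conn.dest_host) not in ip_network(rule.dest_net):
        return False
    return True


def decide(rules: list, conn: Connection) -> Decision:
    """First matching rule wins (ordering is an assumption of this model)."""
    for rule in rules:
        if matches(rule, conn):
            ssh = rule.ssh_server or conn.dest_host
            return Decision(True, ssh, ssh != conn.dest_host)
    return Decision(False)  # not captured: plain FTP leaves the client


# Constructed sample rule set: tunnel ftp.exe straight to FTP hosts in 10.1/16,
# and send any FTP to 10.2/16 through the machine-room gateway 10.2.0.1.
RULES = [
    FilterRule(application="ftp.exe", dest_net="10.1.0.0/16", dest_port=21),
    FilterRule(dest_net="10.2.0.0/16", dest_port=21, ssh_server="10.2.0.1"),
]
```

A connection that ends with `last_hop_plaintext=True` is exactly the third-host case of step 6, which is what the recommendation about a Secure Shell server per secured area is meant to eliminate.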