On Unix, the connection capture component performing the transparent FTP tunneling is installed from a separate installation package, ssh-tectia-capture. For installation instructions, see Chapter 2.
Activating transparent FTP tunneling requires defining the filter rules for transparent FTP tunneling in the Connection Broker configuration file ssh-broker-config.xml and then running the ssh-capture command.
The following example shows the minimum settings required in the ssh-broker-config.xml file:

<filter-engine>
  <rule ip-address=".*"
        ports=".*"
        action="FTP-TUNNEL"
        hostname-from-app="YES"
        username-from-app="YES"
        fallback-to-plain="NO" />
</filter-engine>
With this configuration, all connections will be tunneled to the destination Secure Shell servers using transparent FTP tunneling. The host name and the user name received from the originating FTP application are used. Falling back to plaintext mode is not done, so if the secure connection fails, the connection is closed.
You can also use a connection profile to define the target Secure Shell server, and then refer to the profile in the filter rule settings, as in the following example:

<profiles>
  <profile name="paper"
           id="id1"
           host="sshserver.example.com"
           port="22"
           user="">
  </profile>
</profiles>

<filter-engine>
  <rule ports=".*"
        action="FTP-TUNNEL"
        profile-id="id1"
        username-from-app="YES"
        fallback-to-plain="NO" />
</filter-engine>
Notice that when the rule setting username-from-app="YES" is used, no specific user name must be defined in the connection profile settings (user=""). The user name received from the application overrides the user names given in the connection profile.
After the Connection Broker configuration enables transparent FTP tunneling, you can start a tunneled FTP session, for example to ftp.example.org, by running the following command:

$ ssh-capture ftp ftp.example.org
Tectia ConnectSecure has an option for falling back to plaintext FTP if the secure tunnel cannot be created. You can enable fallback to plaintext FTP in the configuration file with the rule setting fallback-to-plain="yes" and then by adding the option -F (alias for --fallback) to the command:

$ ssh-capture -F ftp ftp.example.org
The -F option is effective if ssh-capture cannot connect to the Connection Broker and the value of fallback-to-plain in the configuration file therefore cannot be checked.
When allowing fallback to plaintext with the setting fallback-to-plain="yes", always specify the port unambiguously in the configuration. Otherwise, the connection to a plaintext FTP server may fail in passive mode file transfer.
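The two configuration rules above (an empty user="" in a profile referenced by a username-from-app="YES" rule, and an unambiguous port whenever fallback-to-plain="yes") are easy to get wrong by hand. The following script is an added example, not part of Tectia ConnectSecure or its documentation: it parses a Connection Broker fragment and reports rules that violate either guideline. It assumes a constructed <broker-config> wrapper element (not the file's real root) and treats a bare port number as the only unambiguous ports value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's "paper" profile and rule, plus a second,
# deliberately misconfigured profile/rule pair for contrast. The wrapper
# element name is an assumption made so that the fragment parses.
SAMPLE_CONFIG = """
<broker-config>
  <profiles>
    <profile name="paper" id="id1" host="sshserver.example.com" port="22" user=""/>
    <profile name="bad" id="id2" host="sshserver.example.com" port="22" user="alice"/>
  </profiles>
  <filter-engine>
    <rule ports=".*" action="FTP-TUNNEL" profile-id="id1"
          username-from-app="YES" fallback-to-plain="NO"/>
    <rule ports=".*" action="FTP-TUNNEL" profile-id="id2"
          username-from-app="YES" fallback-to-plain="yes"/>
  </filter-engine>
</broker-config>
"""

def check_ftp_tunnel_rules(xml_text):
    """Return a list of findings for FTP-TUNNEL rules in a Connection Broker config."""
    root = ET.fromstring(xml_text)
    profiles = {p.get("id"): p for p in root.iter("profile")}
    findings = []
    for n, rule in enumerate(root.iter("rule"), start=1):
        if rule.get("action") != "FTP-TUNNEL":
            continue
        fallback = (rule.get("fallback-to-plain") or "NO").upper() == "YES"
        ports = rule.get("ports", "")
        # Assumption: only a bare port number is "unambiguous"; ".*" or a regex is not.
        if fallback and not ports.isdigit():
            findings.append(f"rule {n}: fallback-to-plain enabled with ports={ports!r}; "
                            "passive-mode transfers to a plaintext FTP server may fail")
        profile_id = rule.get("profile-id")
        if profile_id is not None:
            profile = profiles.get(profile_id)
            if profile is None:
                findings.append(f"rule {n}: profile-id {profile_id!r} matches no profile")
            elif rule.get("username-from-app", "").upper() == "YES" and profile.get("user"):
                findings.append(f"rule {n}: username-from-app=YES but profile {profile_id!r} "
                                f"sets user={profile.get('user')!r}; it should be empty")
    return findings

if __name__ == "__main__":
    for finding in check_ftp_tunnel_rules(SAMPLE_CONFIG):
        print(finding)
```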