How to enable FTP/FTPS
Buru SFTP Server (2.15.0+) supports the FTP and FTPS protocols in addition to the standard SSH-based SFTP and SCP. This allows you to provide file access to clients that require traditional FTP/S connections. Setting up FTPS is slightly more involved than SFTP because it relies on X.509 certificates rather than SSH keys.
FTP vs. FTPS modes
Buru SFTP Server supports four distinct FTP modes that determine how security and encryption are handled.
| Mode | Description | Typical Port | Encryption |
|---|---|---|---|
| explicitPlain | Plain FTP without encryption. | 21 | No |
| explicitTls | FTP that requires an explicit TLS upgrade to encrypt the session. | 21 | Yes |
| explicit | FTP with an optional TLS upgrade; actual encryption depends on client support. | 21 | Optional |
| implicit | FTP with implicit TLS where the session is encrypted from the very beginning. | 990 | Yes |
Avoid using explicit and explicitPlain modes in untrusted networks, as data may be transmitted unencrypted.
About X.509 certificates
An X.509 certificate contains the server's public key and identity information, signed by a trusted Certificate Authority (CA) or self-signed. The server holds a corresponding private key separately. During the TLS handshake, the client uses the certificate to verify the server's identity and the two sides negotiate an encrypted channel.
Certificates are required for all encrypted modes (implicit, explicitTls, and explicit). If you are only using explicitPlain, no certificate is needed — skip straight to configuring endpoints.
Using a CA-signed certificate
For production use, obtain a certificate from a trusted CA such as Let's Encrypt, DigiCert, or GoDaddy. This typically involves generating a Certificate Signing Request (CSR) on your server and submitting it to the CA for identity or domain verification. The exact process varies by CA and is beyond the scope of this article.
Using a self-signed certificate
Certificate groups
A certificate group bundles one or more certificate files and is referenced by FTP endpoints to secure connections. You can define multiple groups, each distinguished by name. A group with no name is the default group. Certificates can be referenced as files or from the Windows certificate store using a certificate path.
Each endpoint for an encrypted mode must reference a certificate group, and that group must contain at least one valid certificate.
Passive mode settings
When clients use passive mode (PASV), the server tells the client which IP and port to use for the data connection. The external address controls the IPv4 address or hostname sent to the client (hostnames are resolved at startup). The data port range restricts which ports are used for passive data transfers (defaults to 49152–65535).
Configure via the Web Admin
All FTP settings are managed on the Server configuration ⇒ FTP settings page.
1. Set up certificate groups
In the FTP certificate groups section, a default (unnamed) group is pre-created. To add named groups, click Add certificate group.
To add a certificate to a group:
- Existing certificate: Click Add existing certificate and specify the certificate path.
- New self-signed certificate: Click Add new self-signed certificate, enter the subject (e.g., CN=my-domain.com), and click Create. The file is saved to the ftp/certificates subdirectory in the configuration directory.
2. Configure endpoints
In the FTP endpoint configuration section, when no endpoints are defined, you can click Add default endpoints to create standard endpoints for port 21 (explicit) and port 990 (implicit). Otherwise, add or modify endpoints manually.
3. Enable FTP for users
FTP is disabled for all users by default. Use the FTP enabled for users by default selector to enable it globally, or leave it disabled and enable it for individual users in step 5.
4. Save and restart
Click Save and restart to apply the changes.
5. Enable FTP for individual users (optional)
To enable FTP on a per-user basis instead, navigate to Users ⇒ select the user ⇒ FTP / SFTP path mappings and enable the FTP protocol for that user.
Configure manually
1. Generate a self-signed certificate (optional)
If you don't have a CA-signed certificate, generate a self-signed one using the burusftp certgen command:
mkdir C:\ProgramData\Rebex\BuruSftp\ftp\certificates
burusftp certgen -s "CN=my-domain.com" C:\ProgramData\Rebex\BuruSftp\ftp\certificates\my-domain-certificate
See also: Generate Self-signed X.509 Certificates (CLI).
2. Set up certificate groups
Add your certificates to the ftp.certificateGroups section in config.yaml:
ftp:
  certificateGroups:
    - certificates:
        - 'C:\ProgramData\Rebex\BuruSftp\ftp\certificates\my-domain-certificate.pfx'
See also: certificate path format.
3. Configure endpoints
Endpoints are defined in the ftp.bindings section of config.yaml. Each encrypted endpoint must reference a certificate group. If omitted, the default (unnamed) group is used.
ftp:
  certificateGroups:
    - certificates:
        - 'C:\ProgramData\Rebex\BuruSftp\ftp\certificates\my-domain-certificate.pfx'
  bindings:
    # Explicit FTP/FTPS on all IPv4 addresses (uses default certificate group)
    - port: 21
      ipAddress: 0.0.0.0
      mode: explicit
    # Implicit FTPS on all IPv4 addresses (uses default certificate group)
    - port: 990
      ipAddress: 0.0.0.0
      mode: implicit
4. Enable FTP for users
FTP is disabled for all users by default. Enable for a specific user using burusftp user update:
burusftp user update <user> --ftp enabled
Enable for all users globally via ftp.enabledForUsersByDefault:
ftp:
  enabledForUsersByDefault: true
5. Restart the service
Restart the Buru SFTP service for the changes to take effect:
- Open services.msc, find Rebex Buru SFTP Server, right-click and select Restart.
- burusftp svc restart
- net stop RebexBuruSftp && net start RebexBuruSftp
- Restart-Service RebexBuruSftp
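Before restarting after a manual edit, the ftp section can be checked against the two rules stated earlier: explicit and explicitPlain may leave data unencrypted, and every encrypted endpoint needs a certificate group with at least one certificate. The following is an added example, not part of Buru SFTP Server or its documentation. It assumes config.yaml has already been loaded into a dict by a YAML parser, and the key names `name` (on a group) and `certificateGroup` (on a binding) are assumptions, since the page does not show them; ports 2121 and 2100 and the group "partners" are constructed sample values.

```python
# Added example: audit the ftp section of a parsed config.yaml (dict form).
# Assumed key names, not shown on the page: "name" (certificate group) and
# "certificateGroup" (binding -> group reference).
ENCRYPTED_MODES = {"implicit", "explicitTls", "explicit"}  # a certificate is required
MAY_BE_UNENCRYPTED = {"explicit", "explicitPlain"}         # TLS optional or absent
KNOWN_MODES = ENCRYPTED_MODES | MAY_BE_UNENCRYPTED


def audit_ftp(config):
    """Return a list of (port, severity, message) findings for ftp.bindings."""
    ftp = config.get("ftp") or {}
    # Map group name -> certificate list; the unnamed group (key None) is the default.
    groups = {g.get("name"): g.get("certificates") or []
              for g in ftp.get("certificateGroups") or []}
    findings = []
    for b in ftp.get("bindings") or []:
        port, mode = b.get("port"), b.get("mode")
        if mode not in KNOWN_MODES:
            findings.append((port, "error", f"unknown mode {mode!r}"))
            continue
        if mode in MAY_BE_UNENCRYPTED:
            findings.append((port, "warn", f"mode {mode}: data may be transmitted unencrypted"))
        if mode in ENCRYPTED_MODES:
            ref = b.get("certificateGroup")  # assumed key; None selects the default group
            label = ref or "default (unnamed)"
            if ref not in groups:
                findings.append((port, "error", f"certificate group {label} is not defined"))
            elif not groups[ref]:
                # Only presence is checked here, not certificate validity or expiry.
                findings.append((port, "error", f"certificate group {label} has no certificates"))
    return findings


# Constructed sample: the page's two bindings plus two deliberately problematic ones.
SAMPLE = {"ftp": {
    "certificateGroups": [
        {"certificates": [r"C:\ProgramData\Rebex\BuruSftp\ftp\certificates\my-domain-certificate.pfx"]},
        {"name": "partners", "certificates": []},
    ],
    "bindings": [
        {"port": 21, "ipAddress": "0.0.0.0", "mode": "explicit"},
        {"port": 990, "ipAddress": "0.0.0.0", "mode": "implicit"},
        {"port": 2121, "ipAddress": "0.0.0.0", "mode": "explicitTls", "certificateGroup": "partners"},
        {"port": 2100, "ipAddress": "0.0.0.0", "mode": "explicitPlain"},
    ],
}}

if __name__ == "__main__":
    for port, severity, message in audit_ftp(SAMPLE):
        print(f"{severity.upper():5} port {port}: {message}")
```

With the page's own two bindings, the only finding is the warning on port 21, because explicit mode leaves the TLS upgrade up to the client.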