Microsoft Ftp Service Commands



Overview

MOVEit Freely (a.k.a. 'ftps.exe') is a secure command-line FTP client for Windows. It accepts syntax similar to Microsoft's built-in 'ftp.exe' FTP client to make migrations to secure FTP easy.

Designed with professional system administrators in mind, MOVEit Freely duplicates Microsoft client syntax from commands to error messages. In addition to embracing Microsoft FTP, MOVEit Freely extends the functionality of command-line FTP with the addition of secure channel communication, passive mode transfers and resumption of transfers.

MOVEit Freely runs on Microsoft Windows 10 (32-bit and 64-bit), Windows 8.1 (32-bit and 64-bit), Windows 8 (32-bit and 64-bit), or Windows 7 (32-bit and 64-bit) and can take the place of the Microsoft command-line FTP client in all scripts. Simply replace 'ftp' in your existing scripts with 'ftps'.

MOVEit Freely also implements a 'file integrity' mode. This is a transfer mode that compresses files on-the-fly, and checks a file checksum to ensure that the file was transferred successfully. This mode is selected automatically when transferring to/from a MOVEit Transfer FTP server; it is not available with other types of servers.

MOVEit Freely features:

  • FTP and FTP/S (FTP over SSL) file transfers
  • Explicit (RFC-conforming) and implicit FTP/S connection modes
  • Active and passive file transfer modes
  • Client certificate support
  • Ability to halt script execution on first error
  • Client-side NAT support for legacy FTP servers
  • On-the-fly data transmission compression to conserve bandwidth and speed transfers (where available)
  • Resuming of partial transfers (where available)
  • Cryptographic-quality file integrity checks to guard against truncation or corruption during transit (MOVEit Transfer transfers only)
  • USB-Friendly 'Portable' deployment

Like other command-line utilities, MOVEit Freely can be driven by an automated script such as a Windows batch file. In turn, these scripts can be scheduled by Windows Scheduled Tasks.

Requirements

MOVEit Freely is a standalone executable that does not require any other software, assuming the operating system is Microsoft Windows 10 (32-bit and 64-bit), Windows 8.1 (32-bit and 64-bit), Windows 8 (32-bit and 64-bit), or Windows 7 (32-bit and 64-bit).

Installation

To install MOVEit Freely, run the MOVEit Freely installation package. This package will ask into which folder and which 'Start menu' program group you would like to install the application. It will change your 'PATH' variable to allow you to run MOVEit Freely from any command prompt. (You may be prompted to log off after the installation to allow this to occur.) The installation will also install a 'Start Menu' link to this documentation.

If Windows Firewall is running--which is the default under Windows Vista and Windows Server 2008--then 'active mode' FTP transfers will be blocked until you create an 'exception' for MOVEit Freely in the firewall. (This is the case with any FTP client.) To create an exception, use Control Panel | Windows Firewall | Allow a program through Windows Firewall.

Command Line

MOVEit Freely must be executed from a shell ('command prompt'). MOVEit Freely is a 32-bit program, not a 'legacy' DOS program.

(If you plan on using MOVEit Freely with MOVEit Transfer servers only, Ipswitch also provides, at no cost, a similar command-line client called 'MOVEit Xfer' that securely transfers files over firewall/proxy-friendly HTTPS instead of FTPS.)

Use the following command syntax to run MOVEit Freely:

...where args is zero or more of:

  • -a starts the program in passive mode. By default, the program is in active mode. This can be changed during a session with the passive command.
  • -c:connect_timeout_secs to set the connect timeout in seconds. This is the amount of time that the program will wait for a successful connection to the server. The default is 30 seconds.
  • -csn:store to set the name of an alternate Microsoft Certificate Store from which an optional SSL client certificate (with private key) will be selected. This defaults to 'MY' (a.k.a. 'Personal'), which is the name of the store in which Windows keeps certificates for the currently-logged-in user. This option is very rarely used, because when client certificates are used, they are usually in the default location.
  • -ccn:common_name to specify the Common Name (CN) of an optional SSL client certificate; for example, 'Thawte Freemail Member'. This must be specified in order to enable client certificates, and the named certificate must already be present in the current user's Windows Certificate Store. (This is typically configured via Internet Explorer's Tools / Internet Options / Content / Certificates.) The default is to not support client certificates. Use this option only if the remote FTP server requires client certificates. Because Common Names usually contain spaces, you will usually need to use double quotes: "-ccn:Thawte Freemail Member". Some SSL hardware tokens, such as Aladdin's eToken, may also be used with MOVEit Freely to provide credentials, provided that the SSL hardware certificate store is accessible through the Windows certificate store interface. See also the -pfxfile:filename option.
  • -d to display commands sent to the server. Passwords, however, are still masked when this mode is in use.
  • -e:sslmode to select the SSL encryption mode. sslmode must be one of:

    sslmode: meaning

    off: no SSL encryption (default)

    tls-p or on: encrypts both control and data with the AUTH TLS and PROT P commands. ('explicit')

    on-ccc: the same as 'on', except that after signon, the CCC command is sent to switch the control connection to unencrypted mode. Data connections will be encrypted. With this option, the username and password are encrypted, but other FTP commands are in cleartext.

        This option is used when a firewall between the client and the server is using Network Address Translation to change the client's view of the FTP server's IP address. This option allows the firewall to inspect and rewrite PORT commands and PASV responses, to account for this IP address mapping. Without this feature, if you are using encrypted sessions with certain firewalls, you might have to use the -natpasv or -natact:ip command-line options instead.

        The 'on-ccc' option is not frequently used, because many FTP servers do not support the CCC command.

    tls-c: encrypts only the control connection with the AUTH TLS command. Encryption of the data connection can be changed during the session with the prot command.

        prot p sets data connections to be protected (encrypted);
        prot c sets data connections to be cleartext (unencrypted).

    tls-c-ccc: like 'tls-c', except that after signon, the CCC command is sent to switch the control connection to unencrypted mode. Data connections will not be encrypted. See the above discussion of 'on-ccc'.

    implicit: encrypts both connections without the use of an AUTH command; usually to port 990.

    implicit-ccc: the same as 'implicit', except that after signon, the CCC command is sent to switch the control connection to unencrypted mode. Data connections will be encrypted. See the above discussion of 'on-ccc'.

  • -n to not prompt for username and password at startup.
  • -natact:ip to use ip as our IP address in 'Client NAT' mode in active (as opposed to passive) FTP mode. See Client NAT.
  • -natpasv to ignore the IP address in the PASV reply in 'Client NAT' mode when in passive FTP mode. Instead, use the address of the control connection. See Client NAT.
  • -password:pw is the default password. If this is not specified, the program will prompt for a password upon initial connect.
  • -pfxfile:filename specifies a file from which a client certificate is to be read. The first private certificate in the file will be used. This is an alternative to the -ccn parameter, for when the client certificate is not installed in a Windows store. The filename must be in .PFX format (also known as .P12 format). If the file is protected by a password, use the -pfxpw parameter.
  • -pfxpw:password specifies the password to be used with -pfxfile. See also -pfxpwfile.
  • -pfxpwfile:filename specifies the name of a file that contains the password to the file given by -pfxfile. Do not use both -pfxpw and -pfxpwfile.
  • -ports:low-high specifies the port range to use on the client side of TCP data connections. For example, you might specify -ports:8000-8009. MOVEit Freely will restrict the port numbers it uses to be greater than or equal to low, and less than or equal to high. For active mode, this restricts the port numbers sent by the PORT command. For passive mode, this controls the port number of the originating end of the connection. This very rarely used option exists to accommodate highly restrictive firewall rules. Without this option, MOVEit Freely will allow the operating system to choose port numbers.
  • -quiterror to quit on any error. This will exit a script file without reading any more commands.
  • -resume to attempt to resume transfers if the destination files exist.
  • -s:filename to read commands from a script file (do not use redirection). The default is to read commands from the console.
  • -t:data_timeout_secs to set the data socket timeout in seconds. This applies to both the amount of time to wait for the server to connect back (on a non-passive data port), and the amount of time to wait without data before declaring a data socket dead. The default is 120 seconds.
  • -user:username is the default username. If this is not specified, the program will prompt for a username upon initial connect.
  • -z to not warn about problems with FTP server certificates, instead accepting any certificate. By default, if there is a problem with a certificate, MOVEit Freely will display a dialog, asking whether you want to accept the certificate. The most common problem is that a certificate was issued by a non-trusted certification authority, as happens with test certificates.

hostname is the domain name or numeric IP address of an FTP server.

port is the numeric TCP port number to use. The default is 21, unless -e:implicit has been specified, in which case the default is 990.

If no hostname is given on the command line, MOVEit Freely starts without making a connection. In this case, you must issue an open command to connect to an FTP server.

Here are some examples of this syntax in use:

  • FTPS ftp.ipswitch.com
    (Open an INSECURE, INTERACTIVE connection to 'ftp.ipswitch.com')
  • FTPS -e:on ftps.ipswitch.com
    (Open a SECURE, INTERACTIVE connection to 'ftps.ipswitch.com')
  • FTPS -e:on -s:mybatch.txt ftps.ipswitch.com
    (Open a SECURE, BATCH connection to 'ftps.ipswitch.com')
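The options above differ in what they leave unprotected, so scheduled-job command lines are worth checking against them. The following Python audit is an added example, not part of the MOVEit Freely documentation; the function names and sample command lines are constructed, and it relies only on the option meanings given on this page.

```python
import shlex

# What each -e:sslmode value on this page leaves unencrypted (None = nothing).
SSL_MODE_GAPS = {
    "off": "control and data connections are cleartext",
    "on": None,
    "tls-p": None,
    "implicit": None,
    "on-ccc": "FTP commands after signon are cleartext (CCC)",
    "implicit-ccc": "FTP commands after signon are cleartext (CCC)",
    "tls-c": "data connections are cleartext unless the script sends 'prot p'",
    "tls-c-ccc": "data connections and FTP commands after signon are cleartext",
}


def parse_options(command_line):
    """Split an ftps command line into {option: value}; outer quotes are stripped."""
    # posix=False keeps backslashes in Windows paths intact.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    options = {}
    for token in tokens[1:]:               # tokens[0] is the program name
        if token.startswith("-"):
            name, _, value = token[1:].partition(":")
            options[name] = value
    return options


def last_prot_level(script_lines):
    """Return 'p' or 'c' from the last 'prot' command in a script, else None."""
    level = None
    for line in script_lines:
        words = line.split()
        if len(words) == 2 and words[0].lower() == "prot":
            level = words[1].lower()
    return level


def audit_ftps_command(command_line, script_lines=()):
    """Return a list of (option, finding) pairs for one ftps invocation."""
    options = parse_options(command_line)
    findings = []

    mode = options.get("e", "off")         # the page gives 'off' as the default
    if mode not in SSL_MODE_GAPS:
        findings.append(("e", "unknown sslmode %r" % mode))
    else:
        gap = SSL_MODE_GAPS[mode]
        # tls-c is acceptable only if the script ends up in 'prot p'.
        if mode == "tls-c" and last_prot_level(script_lines) == "p":
            gap = None
        if gap:
            findings.append(("e", gap))

    if "z" in options:
        findings.append(("z", "any server certificate is accepted without warning"))
    if "password" in options:
        findings.append(("password", "login password is stored in the command line"))
    if "pfxpw" in options:
        findings.append(("pfxpw", "PFX password is in the command line; "
                                  "-pfxpwfile reads it from a file instead"))
    if "s" in options and "quiterror" not in options:
        findings.append(("quiterror", "script keeps running after a failed command"))
    return findings


# Constructed sample invocations using host names that appear on this page.
SAMPLES = [
    ("ftps -s:GetRpt.in ftp.bigcorp.com", []),
    ("ftps -e:on -z -user:reports -password:EXAMPLE-ONLY -s:mybatch.txt "
     "ftps.ipswitch.com", []),
    ("ftps -e:tls-c -quiterror -s:mybatch.txt ftps.ipswitch.com",
     ["prompt", "prot p", "mget *.rpt", "quit"]),
    ("ftps -e:on -quiterror -s:mybatch.txt ftps.ipswitch.com", []),
]

if __name__ == "__main__":
    for command, script in SAMPLES:
        print(command)
        for option, finding in audit_ftps_command(command, script) or [("ok", "no findings")]:
            print("   -%s: %s" % (option, finding))
```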

Compatibility with MOVEit Xfer and Microsoft's 'ftp.exe' Client

MOVEit Xfer is a free, command-line application also written and distributed by Ipswitch to communicate with MOVEit Transfer servers using the firewall-friendly HTTPS protocol. (MOVEit Freely communicates with MOVEit Transfer server using the FTPS protocol.) The command-line syntax for MOVEit Xfer was based on existing MOVEit Freely command-line syntax. This uniformity allows people to convert most MOVEit Freely scripts to MOVEit Xfer scripts simply by replacing 'ftps' with 'xfer'.

MOVEit Freely command-line syntax was itself based on the command-line syntax of the Microsoft non-secure ftp.exe client. This uniformity allows people to convert many scripts based on 'ftp.exe' to MOVEit Freely scripts simply by replacing 'ftp' with 'ftps'.

Program Exit Values

MOVEit Freely will return an exit value of zero (0) if no errors occurred during the processing of a file transfer session. See the example below for a batch file that checks the return code for errors. Several different exit codes are returned by MOVEit Freely.

    1 is returned for syntax errors in the command line parameters.
    2 is returned if the -s: parameter points to a file or directory that does not exist.
    3 is returned if any command during the session caused an error, either a 4xx or 5xx response from the server or a syntax or file error detected by MOVEit Freely itself.
    13 is returned if the -s: parameter points to a file whose sharing mode does not allow read access, or if the path is a directory, not a file.

If the -quiterror parameter is specified, MOVEit Freely will exit immediately with an exit code of 3 as soon as an error occurs without reading any more commands from the script file or console.

Resuming Transfers

The -resume parameter can be used to cause MOVEit Freely to attempt to resume a transfer that may have been interrupted in a previous execution. Specifying -resume will change the way that get and put (also mget/mput) work. Resuming transfers requires support on the corresponding FTP server, but not all server implementations have that support. Here is how the -resume parameter works:

When a get operation is performed, MOVEit Freely will first check to see if there is already a local file present. If so, a 'REST xxxxx' command is sent to the server with 'xxxxx' being the size in bytes of the local copy of the file. Then, when the file is transferred, the first 'xxxxx' bytes are skipped by the server and MOVEit Freely will write the data sent to the end of the local file.

When a put operation is performed, MOVEit Freely will first send a 'SIZE (filename)' command to the server to ask for the number of bytes in the file. Next, MOVEit Freely will send a 'REST xxxxx' command to the server with 'xxxxx' being the number of bytes to skip when the transfer takes place. The server is responsible for writing the data to the end of the file.

It is important to note that use of the -resume parameter will cancel the ability of MOVEit Freely to overwrite a file if it already exists. A destination file, if it exists, is assumed to be a partially transferred version of the source file. If you often transfer different versions of a file with the same name with overwrite, do not use -resume.

When MOVEit Freely 'file integrity mode' is used with MOVEit Transfer, a partial transfer that is completed with the -resume parameter is verified by checksum to confirm that the entire destination file matches the source file.

When using -resume for put operations with MOVEit Transfer, only files that have been detected by MOVEit Transfer as previously incomplete transfers can be resumed. That is, a file which was completely received by MOVEit Transfer cannot be extended using the -resume feature.

Commands

Once MOVEit Freely is started, it prompts for and reads single-line commands. The commands are read from the console, or from the script filename if the -s parameter has been specified on the command line. If the -quiterror parameter has been used and an error is encountered, (either a 4xx or 5xx response from the server or a syntax or file error detected by MOVEit Freely itself), MOVEit Freely will exit without reading any more commands from the console or script file.

If a command that has required parameters is entered without the parameters, MOVEit Freely will prompt for the parameters, using the same prompts as Windows 2000's FTP.EXE.

For many commands, to enter a parameter containing spaces, you must enclose the parameter in double quotes. For instance, to retrieve a file named My Document.txt, you should say get "My Document.txt". The only exceptions to this rule are the dir, lcd, ls, and quote commands, which do not require double quotes.

Legal FTP commands are listed below. Optional parameters are enclosed in brackets ([]).

![cmd]

Executes a shell command on the local machine. If cmd is not specified, a copy of the command interpreter is launched. You can type as many Windows commands as you like. When you are finished, type exit to return control to MOVEit Freely. If cmd is specified, that command is executed, then control is returned to MOVEit Freely, with no need to type exit.

?

Displays a list of the available MOVEit Freely commands.

about

Displays a brief description of MOVEit Freely, the current version, and a link to the vendor's website.

append localfilename [remotefilename]

Appends a local file to an existing file on the server. If remotefilename is not specified, the name of the file on the remote system will be the same as localfilename. You may put " around the filenames in order to include spaces in the names. If the remote file does not exist, many FTP servers will create a new one, treating the command as if it were a put.

ascii

Tells the FTP server to switch to ASCII transfer mode.

bell

Toggles the flag that indicates whether to sound a bell after the completion of certain commands. These commands are the commands that cause data to be transferred: dir, ls, get, put, mget, mput.

binary

Tells the FTP server to switch to binary transfer mode.

cd directory

Changes the working directory on the server.

close

Closes the connection to the server without exiting the program.

debug

Toggles the flag that indicates whether commands sent to the FTP server are echoed to the console.

delete filename

Deletes a filename on the FTP server.

dir [filemask] [outputfile]

Gets a directory listing from the FTP server. If outputfile is specified, the output goes to that file instead of to the console.

get remotefilename [localfilename]

Retrieves a file. If localfilename is not specified, the file will be saved to the local system as remotefilename. You may put " around the filenames in order to include spaces in the names.

hash

Toggles the flag that says whether to print a '#' for every 2048 bytes transferred.

help

Displays the list of commands accepted by MOVEit Freely.

lcd

Changes the local directory.

ls [filemask] [outputfile]

Displays a list of files on the remote system, with file names only. If outputfile is specified, the output goes to that file instead of to the console.

mdelete remotefilemask

Deletes multiple files from the remote system. MOVEit Freely implements this by executing the equivalent of an 'ls' command, then doing a delete for each filename returned. If prompting is on, MOVEit Freely prompts for whether to actually delete the file. The responses are: 'y' or just <Enter> to fetch that file, q to quit, or anything else to not delete the file.

mget remotefilemask

Retrieves multiple files from the remote system. MOVEit Freely implements this by executing the equivalent of an 'ls' command, then doing a get for each filename returned. If prompting is on, MOVEit Freely prompts for whether to actually get the file. The responses are: 'y' or just <Enter> to fetch that file, q to quit, or anything else to not transfer the file.

Examples of remotefilemask:

  • *.* (Get all files - however, some remote systems omit files without 'extensions')
  • * (Get all files - however, some remote systems omit files with 'extensions')
  • *.txt (Get all files with an extension of 'txt')

mkdir remotedirectory

Makes a directory on the remote system.

mput localfilemask

Sends multiple files to the remote system. MOVEit Freely implements this by getting a list of local files matching the mask, then doing a put for each filename returned. If prompting is on, MOVEit Freely prompts for whether to actually put the file. The responses are: 'y' or just <Enter> to send that file, or anything else to not transfer the file.

open hostname [port]

Connects to an FTP server. If port is not specified, MOVEit Freely will attempt to connect on port 21.

passive

Toggles the flag that says whether to use passive mode. In passive mode, the remote FTP server accepts data connections from MOVEit Freely for each data transfer. In the more traditional non-passive mode, MOVEit Freely accepts data connections from the remote FTP server.

(Passive mode is often required by firewalls and proxy servers.)

prompt

Toggles the flag that says whether to prompt for transfers during an mget or mput.

put localfilename [remotefilename]

Sends a file to a remote FTP server. If remotefilename is not specified, the name of the file on the remote system will be the same as localfilename. You may put " around the filenames in order to include spaces in the names.

pwd

Displays the working directory on the FTP server.

quit

Closes the connection, if any, and exits the program.

quote remotecommand

Sends an arbitrary command to the remote system.

remotehelp

Displays a list of commands available on the remote FTP server.

rename oldfilename newfilename

Renames a file on the remote system.

rmdir directory

Removes a directory on the remote system.

status

Displays the status of various flags.

user

Prompts for username and password. Used when you are connected to an FTP server, but not necessarily logged in.

type [ascii | binary]

Displays the current transfer type. If ascii or binary are specified, first tells the FTP server to switch to that type.

verbose

Toggles the flag that indicates whether responses from the FTP server are displayed on the console. There is rarely a reason to turn this mode off.

Examples

Simple Script Example

The following script and command line retrieve all files named *.rpt from the Incoming directory of an FTP server. Passive mode is used.

The command line is:

ftps -s:GetRpt.in ftp.bigcorp.com

The contents of GetRpt.in are:

Note that the lines in the script are simply the lines of text that would be entered by the user if the transfer were done interactively rather than via a script. The 'prompt' command is necessary to turn off prompting for use inside a script.

Batch File to Upload a Single File

The following batch file lets a user upload a single file using a single command. If you save the following snippet as 'uploadit.bat', usage would be: 'uploadit (hostname) (username) (password) (file_to_transfer)'

Batch File that Checks for Errors

This batch file checks the exit code from MOVEit Freely to see if any errors occurred. The -quiterror parameter will make the program exit as soon as there is an error without reading any more commands from the script file.

Secure FTP Host to Insecure FTP Host

Included with this documentation is a longer script example ('samplecopy.bat') which retrieves all the files from a folder on a secure FTP server and places them into a folder of an insecure FTP server.

This batch file invokes MOVEit Freely twice (once for each of the two hosts). Immediately before invoking the client, the batch file builds up a temporary command file. These command files (as well as a temporary work folder) are deleted before the batch file exits.

Piping Directory Lists and Other Output to a File

People who write scripts around MOVEit Freely often find it useful to be able to write directory listings and other FTP output to a file. The standard Windows executable-level pipe makes this easy.

Here is a one-line command which signs onto a secure FTP server, runs a script ('myscript.txt') and pipes all output to a file ('xxx.txt').

The 'myscript.txt' script file contains the following commands.

The 'xxx.txt' output file will contain output similar to the following. The directory list begins after the '150' response. Alternately, a 'dir' command could be used in place of 'ls' if the intent was to view a 'column-view' directory listing.

FTP Protocol 101

Unlike most other Internet protocols, FTP requires not one but TWO TCP/IP connections to function properly. The first connection is called the 'control channel' and is initiated by an FTP client to an FTP server. (Nothing unusual so far.) FTP commands such as 'USER' and 'PWD' and simple responses are sent and received across the control channel.

The second connection is called the 'data channel'. Actual file data - including DIRECTORY LISTINGS - is sent across the data channel. Unlike the control channel, the data channel does NOT remain connected throughout an FTP session, but is only connected and available when needed.

Most FTP servers 'listen' for control channel connections on TCP port 21. (Or port 990 when FTP over SSL implicit mode is used.) Data channels are not as predictable, however.

In 'ACTIVE' mode the CLIENT tells the SERVER which remote port to use and a data connection is opened by the SERVER from port 20 back to the CLIENT on a random 'high port'. (A 'high port' is a TCP port numbered 1024-65535).

'Active Mode' FTP

In 'PASSIVE' mode the SERVER tells the CLIENT which remote port to use and a data connection is opened by the CLIENT from a random high port back to the SERVER on a random 'high port'.

'Passive Mode' or 'Firewall-Friendly' FTP

Over the years, firewalls became increasingly involved in site-to-site file transfers, and most firewalls learned enough about the FTP protocol that, by actually reading FTP control channels, they could DYNAMICALLY open up high ports for FTP data transfer without requiring additional configuration. In other words, a firewall technician dealing with regular FTP would typically only need to define a single 'FTP' rule on his firewall and would not need to define additional rules to cover the data ports.

FTP over SSL

With the introduction of FTP over SSL, however, FTP-aware firewalls lost the ability to dynamically open data ports because the firewalls could no longer read the control channels. This meant that firewall technicians needed to start defining ranges of ports for FTP sessions to use. The rules required to get FTP over SSL to work properly were often alarming to security people for good reason. For example, a basic FTP over SSL 'ACTIVE DATA PORT' rule might allow OUTBOUND connections from the FTP server to ANY high port ANYWHERE on the Internet. A basic FTP over SSL 'PASSIVE DATA PORT' rule might allow INBOUND connections from ANYWHERE on the Internet to ANY high port on the FTP server. Obviously, some improvements needed to be made.

At this point we can safely discard the idea of using FTP over SSL in ACTIVE mode, however, because any FTP client which supports FTP over SSL also supports PASSIVE mode. (FTP over SSL in ACTIVE mode also requires a great many holes to be poked in CLIENT firewalls, so it is good we do not need to deal with it.) This leaves only FTP over SSL in PASSIVE mode to worry about.

The knock against the FTP over SSL PASSIVE data port rule defined above is that it allows traffic from ANY Internet address to ANY high port on the FTP server. It's easy to begin defining rules which restrict the ANY Internet addresses to SPECIFIC Internet addresses, but an address spoofer would still have access to ANY high port on the FTP server. (This is also really only an option for organizations which have a finite number of users and do not have restrictions on immediate firewall changes.) However, if you have a decent FTP server (e.g. MOVEit DMZ), it is relatively easy to tell the FTP server itself to confine its passive data ports to a finite range (e.g. 15000-15020). Now, your passive data port rule can have a finite range of ports too, and because the SERVER is in charge of port assignments during PASSIVE transfers, you never need to do anything to your FTP CLIENTS but tell them to use PASSIVE mode. (Some CLIENT firewalls will need this range of ports configured in them too, but it's still less work than dealing with ACTIVE mode over SSL.)

MOVEit Freely complies with RFC 959 (regarding the FTP protocol) and uses SSL to encrypt both the control and data channels. (In particular, MOVEit Freely does not implement the single channel, usually port 22 'secure FTP over SSH' mode.)

Client NAT

MOVEit Freely provides a client Network Address Translation ('client NAT') capability to help overcome problems with poorly-configured FTP servers and firewalls. These problems can prevent you from performing transfers over data ports, even if you can connect and login on the control port. These problems occur in two similar circumstances:

  • In active mode, the FTP server may be unable to connect to the client's IP address due to an intervening network firewall.
  • In passive mode, you may not be able to connect to the FTP server because the address it has told the client to connect to is not reachable by the client.

These problems are particularly likely to occur in secure mode. In non-secure mode, many firewalls will automatically make adjustments to the PORT and PASV transactions on-the-fly to compensate for the client and server being on different networks. This is not possible with secure connections, because the firewall is unable to decrypt and rewrite the transactions.

Although these problems are best addressed by reconfiguring the FTP server and/or firewall, users of MOVEit Freely do not always have administrative access to do so. MOVEit Freely thus provides two command-line parameters that allow the user to work around these problems on the client end.

  • The -natact:ipaddr parameter tells MOVEit Freely to tell the FTP server, in active mode, to connect to MOVEit Freely on IP address 'ipaddr' rather than the client's actual IP address. In order to use this parameter, you must know an address by which the server can access your PC. Note: You cannot use this feature with the MOVEit Transfer FTP server in active mode, because of a security feature in MOVEit Transfer that prevents the 'hijacking' of a data port. Use passive mode instead.
  • The -natpasv parameter tells MOVEit Freely to ignore the IP address specified by the FTP server when the FTP server tells Freely to make a data connection in passive mode. Instead, when this parameter is specified, MOVEit Freely will connect to the IP address that it used to make the control connection.

Basic Troubleshooting

Ipswitch rarely deals with 'control channel' problems encountered through MOVEit Freely because these problems provide such instant feedback to the user. For example, a user who cannot connect or sign on to an FTP server will usually contact the technician in charge of the particular FTP server rather than the client software vendor.

The problems Ipswitch does hear about are typically 'data channel' problems instead. Specifically, these involve the inability to start a data transfer or perform a directory listing. (Many people do not know that FTP directory listings are technically data transfers too.)

To troubleshoot these problems, run MOVEit Freely in DEBUG mode (so you can capture a log), try to replicate the problem, and see whether it matches one of the situations described below.

'Six Octet' PORT Syntax

Before proceeding, however, you need to know how to read the 'six octet' PORT syntax you will see with many clients and servers.

In this format, the first four octets are the IP address the remote machine is telling the client to connect to (e.g., '192.168.3.15'). The two remaining octets describe the port the remote machine is telling the client to connect to, but this calculation requires a calculator. Take the fifth octet, multiply by 256 and add the sixth octet to get the complete port number (e.g., 15 x 256 + 180 = '4020').

Blocked ACTIVE Data Channel

In this situation, the FTP client asks the FTP server to connect to a specific port on the FTP client, but access to that port is blocked by a client firewall or a server firewall. Note the 'PORT' command being issued by the client.

Solution:

  • If you are using FTP over SSL, consider using PASSIVE mode transfers instead.
  • If you are not using FTP over SSL, consider switching to an 'FTP-aware' firewall or use explicit firewall rules to un-block the data channel ports.

Blocked PASSIVE Data Channel

In this situation, the FTP server asks the FTP client to connect to a specific port on the FTP server, but access to that port is blocked by a client firewall or a server firewall. Note that there is no 'PORT' command being issued by the client. Instead, the server sends its IP address to the client.

Solution:

  • If you are using FTP over SSL, use explicit rules to un-block the data channel ports.
  • If you have control over the FTP server, consider limiting the PASSIVE data channel ports to a specific range to avoid a confrontation with your security team.
  • If you are not using FTP over SSL, consider switching to an 'FTP-aware' firewall or use explicit firewall rules to un-block the data channel ports.

Incorrect Server Address using PASSIVE mode with FTP over SSL

In this situation, the FTP server returns an IP address (usually an internal IP address) to be used for passive data transfer that is different from the IP address to which the client connected. (In the example below, '192.168.3.15' != '33.44.55.66'.) This is another situation that used to be taken care of automatically by 'FTP aware' firewalls before FTP over SSL existed.

Solution:

  • If you have control over the FTP server, configure the correct external NAT address on the server itself to avoid the need to deploy this fix to all your clients. (Major commercial FTP over SSL servers, including MOVEit DMZ, have the built-in ability to send the correct IP address to clients in a NAT environment.)
  • Use MOVEit Freely's Client NAT capability.
  • See Ipswitch Secure FTP v. NAT White Paper for more information.
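
The 'six octet' arithmetic and the passive-mode address mismatch described above can be checked mechanically against a DEBUG log. The following is an added example, not part of MOVEit Freely or its documentation; the function names and the sample log lines are constructed for illustration, using the addresses from the text.

```python
import ipaddress
import re

# Six comma-separated octets, as found in a PORT command or a 227 PASV reply.
SIX_OCTET = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_six_octet(line):
    """Return (ip, port) from a PORT/PASV log line, or raise ValueError."""
    m = SIX_OCTET.search(line)
    if not m:
        raise ValueError("no six-octet address in: %r" % line)
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % line)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # fifth octet x 256 + sixth octet
    return ip, port

def check_pasv(control_ip, pasv_line):
    """Compare the address in a PASV reply with the control-connection address."""
    ip, port = parse_six_octet(pasv_line)
    mismatch = ip != control_ip
    private_behind_nat = (
        mismatch
        and ipaddress.ip_address(ip).is_private
        and not ipaddress.ip_address(control_ip).is_private
    )
    return {
        "data_ip": ip,
        "data_port": port,
        "mismatch": mismatch,
        # Internal address returned for a public control address: server-side NAT.
        "private_behind_nat": private_behind_nat,
        # Where a client connects when it ignores the server-supplied address
        # and reuses the control-connection address (the -natpasv behaviour).
        "connect_to": (control_ip, port),
    }

# Constructed sample log lines (not captured from a real session).
SAMPLE_PORT = "PORT 192,168,3,15,15,180"
SAMPLE_PASV = "227 Entering Passive Mode (192,168,3,15,15,180)"

if __name__ == "__main__":
    print(parse_six_octet(SAMPLE_PORT))
    print(check_pasv("33.44.55.66", SAMPLE_PASV))
```

A result with "private_behind_nat" set corresponds to the situation in this section: fix the external address on the server where possible, otherwise use the client NAT parameters.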

Distribution

The standard MOVEit Freely installation packages will automatically set the 'PATH' variable to include the folder into which MOVEit Freely was installed. This allows users to invoke the MOVEit Freely client from any command line prompt. Use the standard MOVEit Freely installation packages for distribution if your clients will write their own scripts OR are replacing existing FTP client scripts.

USB-Friendly 'Portable' Deployment

'A portable app is a computer program that you can carry around with you on a portable device and use on any Windows computer. When your USB thumbdrive, portable hard drive, iPod or other portable device is plugged in, you have access to your software and personal data just as you would on your own PC. And when you unplug, none of your personal data is left behind.' (Rare Ideas, LLC, 2005)

MOVEit Freely can be deployed/installed as a USB-Friendly 'Portable' application. Simply copy the contents of a MOVEit Freely archive file (e.g., 'MOVEitFreely.zip') into a folder on your USB drive or other portable device.

With command line applications, MOVEit Freely included, your personal information is generally confined to what you have written in batch files or piped out into log files. Please remember to keep any such batch or log files on the portable drive too.

You may wish to add the portable directory in which you installed MOVEit Freely to your PATH if you want to be able to invoke MOVEit Freely from any folder without specifying a full path to the executable. If you often find yourself running command-line applications in a portable environment, you will also probably want to create a portable 'Launch Command Line' shortcut and/or batch file on your portable device so your favorite utilities are always available in command-line sessions.

Custom Distribution

If you elect to roll your own distribution of MOVEit Freely, you MUST include:

  • THIS DOCUMENT, AND...
  • MOVEitOverview.pdf, AND...
  • ftps.exe

You will probably also wish to include the supporting images required by this document, all of which are found in the 'images_MoveITFreely' folder.

You will also probably want to include any custom batch files, script input files and/or documentation in your own distribution. Usually all these files are placed into a single 'archive' file (e.g., a 'zip' file), but they may be bundled in other distributions as permitted by the license found in this document.

Other MOVEit Products

Need MISSION-CRITICAL automation?

If you run more than 10 automated MOVEit Freely transfers or need mission-critical automated file-transfer, please consider using MOVEit Central instead of MOVEit Freely. MOVEit Central is a fully-automated, schedule and event driven file transfer engine. It can move files between FTP servers, SSH servers, Windows file shares, email servers and comes with enterprise features such as remote control, task configuration/execution delegation, and automatic retry/resume of failed transfers.

Need your own secure file transfer server?

The first Windows-based secure file transfer server to support all three modes of FTP over SSL, the first to add SSH support, and the first one to support both protocols plus browser-based (HTTPS) transfers was MOVEit DMZ. In addition to three secure IN TRANSIT protocols, MOVEit DMZ features integrated FIPS-140-validated AT REST encryption to protect files while they are stored on the server. Request an evaluation and join the banks, governments, hospitals and others who have stepped up to MOVEit secure file transfer today!

MOVEit Freely LICENSE

MOVEit ® Freely is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. MOVEit Freely is licensed, not sold.

1. GRANT OF LICENSE. This license agreement grants you the following rights:

Installation and Use. You may install and use MOVEit Freely for your personal or company use. There is no charge for such use. You may also make copies of MOVEit Freely for backup and archival purposes.

Distribution. You may make unlimited copies of and may distribute to any party the original MOVEit Freely installation package as long as such distribution is performed without charge. You may reproduce or distribute components of the product (e.g., just 'ftps.exe') as long as all MOVEit Freely documentation (including 'MOVEitOverview.pdf') accompanies the software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble MOVEit Freely, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Software Transfer. You may not transfer your rights under this license agreement.

Termination. Without prejudice to any other rights, Ipswitch, Inc. may terminate this license agreement if you fail to comply with the terms and conditions of this license agreement. In such event, you must destroy all copies of MOVEit Freely and all of its component parts.

Rental. You may not sell, rent, or lease MOVEit Freely.

3. COPYRIGHT. All title and copyrights in and to MOVEit Freely, the accompanying printed materials, and any copies of MOVEit Freely are owned by Ipswitch, Inc. MOVEit Freely is protected by copyright laws and international treaty provisions. Therefore, you must treat MOVEit Freely like any other copyrighted material.

WARRANTY AND LIMITATION OF LIABILITY

WARRANTY. MOVEit Freely is distributed on an 'as is' basis with no warranty, either expressed or implied.

OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IPSWITCH, INC. AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO MOVEit Freely, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.

LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL IPSWITCH, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE MOVEit Freely OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF IPSWITCH, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, IPSWITCH, INC.'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS EULA SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR MOVEit Freely OR U.S.$5.00; PROVIDED, HOWEVER, IF YOU HAVE ENTERED INTO A IPSWITCH, INC. SUPPORT SERVICES AGREEMENT, IPSWITCH, INC.'S ENTIRE LIABILITY REGARDING SUPPORT SERVICES SHALL BE GOVERNED BY THE TERMS OF THAT AGREEMENT. BECAUSE SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

TRADEMARKS. MOVEit is a registered trademark of Ipswitch, Inc. All names of products and companies used in this document, the software, or the enclosed documentation may be trademarks of their corresponding owners. Their use in this document is intended to be in compliance with the respective guidelines and licenses.

Contacting the Vendor

MOVEit Freely is FREEWARE. Support for MOVEit Freely is normally only available to existing MOVEit Transfer customers and MOVEit Transfer evaluators.

To contact Ipswitch Support, go to:

Information site: http://www.ipswitchft.com
Support site: http://www.ipswitchft.com/support