SSH Tectia

Defining FTP-SFTP Conversion Rules (SSH Tectia Client with EFT Expansion Pack)

On the FTP-SFTP Conversion page, you can define the filter rules used for FTP-SFTP conversion.

Figure 4.35. Defining an FTP-SFTP conversion rule

Type the name of your FTP application in the Application to capture field or click Browse... to locate an application.

Click the Add... button to define a new filter rule in the Filter Rule dialog box. Click Edit... to modify and Delete to remove.

Figure 4.36. Defining a filter rule

  • Any host or IP address: The rule is used for all addresses.

  • Hostname: The rule is used for connections to the defined DNS address(es). The engine will resolve the IP address using a DNS query. This value can be a regular expression. See Appendix B.

  • IP address: The rule is used for connections to the defined IP address(es). This value can be a regular expression. See Appendix B.

  • Ports: Select a single port or a port range and define port numbers for the captured connections. If this is undefined, the rule will be used for all ports.

  • Action: Select one of the following:


    The connection is made directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.


    The connection is blocked. Applications usually inform the user that the connection is refused.


    The FTP-SFTP connection is made to the Secure Shell server specified in the profile.

  • Select a server profile for the FTP-SFTP connection from the second drop-down list.

    To allow the FTP client application to specify the SFTP server to be connected, you can create a profile with * (an asterisk) as the hostname and select that profile here. See Defining Connection Settings.

  • Fall back to DIRECT if secure connection cannot be established: If creating the SFTP connection fails, the Connection Broker will normally return a "host not reachable" error. However, when this check box is selected, a direct (unsecured) FTP connection is used instead.

  • Use pseudo IP: When this check box is selected and the FTP application attempts connection using a hostname, the Connection Broker assigns a pseudo IP address for the host instead of doing a DNS query. When the check box is not selected, a normal DNS query is made.

    Pseudo IPs cannot be used if the connection profile does not specify the SFTP server (it has * as the hostname).

    Do not enable the fallback and pseudo IP options at the same time. If both are enabled and the secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

When an application connects to a host, filters are used to determine the correct action to apply to the connection. The filter list is scanned through to find a filter that matches the connection. The first filter that matches the DNS or IP address of the connection is used. Filters are evaluated from top down. Use the arrow buttons to organize the list.
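The top-down, first-match evaluation and the option restrictions described above, modelled in Python as an added example (this is not SSH Tectia code). The `Rule` class, the `BLOCK` and `CONVERT` action labels, the sample rules, and the use of Python's `re` in place of the regular expression syntax of Appendix B are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:  # hypothetical model of one Filter Rule dialog entry
    name: str
    action: str  # "DIRECT" is from the page; "BLOCK" and "CONVERT" are assumed labels
    hostname: Optional[str] = None  # regex; hostname and ip both None = any host or IP
    ip: Optional[str] = None  # regex
    ports: Optional[tuple] = None  # inclusive (low, high); None = all ports
    profile_host: str = ""  # hostname in the selected server profile
    fallback: bool = False  # "Fall back to DIRECT ..."
    pseudo_ip: bool = False  # "Use pseudo IP"

    def matches(self, host, ip, port):
        if self.ports and not self.ports[0] <= port <= self.ports[1]:
            return False
        if self.hostname is not None:
            return host is not None and re.fullmatch(self.hostname, host) is not None
        if self.ip is not None:
            return ip is not None and re.fullmatch(self.ip, ip) is not None
        return True

def first_match(rules, host, ip, port):
    """Top-down scan: the first rule that matches decides the action."""
    return next((r for r in rules if r.matches(host, ip, port)), None)

def lint(rules):
    """Flag the option conflicts the page describes, plus unreachable rules."""
    findings, catch_all = [], None
    for r in rules:
        if catch_all:
            findings.append(f"{r.name}: never reached, shadowed by {catch_all}")
        if r.fallback and r.pseudo_ip:
            findings.append(f"{r.name}: fallback and pseudo IP both enabled")
        if r.pseudo_ip and r.profile_host == "*":
            findings.append(f"{r.name}: pseudo IP used with a '*' profile")
        if r.fallback:
            findings.append(f"{r.name}: can fall back to unsecured FTP")
        if r.hostname is None and r.ip is None and r.ports is None:
            catch_all = catch_all or r.name
    return findings

RULES = [  # constructed sample rule list, in top-down order
    Rule("internal", "CONVERT", hostname=r".*\.corp\.example",
         profile_host="sftp.corp.example", fallback=True, pseudo_ip=True),
    Rule("legacy", "DIRECT", ip=r"10\.1\.2\.\d+", ports=(21, 21)),
    Rule("default", "BLOCK"),
    Rule("late", "CONVERT", hostname=r"ftp\.example\.org", profile_host="*", pseudo_ip=True),
]
```

In the sample list, the catch-all `default` rule sits above `late`, so a connection to `ftp.example.org` is decided by `default` and the later rule is never applied.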

