SSH Tectia

Defining FTP-SFTP Conversion Rules (SSH Tectia Client with EFT Expansion Pack)

On the FTP-SFTP Conversion page, you can define the filter rules used for FTP-SFTP conversion.

Figure 4.38. Defining an FTP-SFTP conversion rule

Type the name of your FTP application in the Application to capture field or click Browse... to locate an application.

Click the Add... button to define a new filter rule in the Filter Rule dialog box. Click Edit... to modify an existing rule and Delete to remove one.

Figure 4.39. Defining a filter rule

  • Any host or IP address: The rule is used for all addresses.

  • Hostname: The rule is used for connections to the defined DNS address(es). The engine will resolve the IP address using a DNS query. This value can be a regular expression. See Appendix B.

  • IP address: The rule is used for connections to the defined IP address(es). This value can be a regular expression. See Appendix B.

  • Ports: Select a single port or a port range and define port numbers for the captured connections. If this is undefined, the rule will be used for all ports.

  • Action: Select one of the following:


    The connection is made directly to the host without tunneling, using the host's IP address if it can be resolved. If it cannot be resolved, the connection fails.


    The connection is blocked. Applications usually inform the user that the connection is refused.


    The FTP-SFTP connection is made to the Secure Shell server specified in the profile.

  • Select a server profile for the FTP-SFTP connection from the second drop-down list.

    To allow the FTP client application to specify the SFTP server to be connected, you can create a profile with * (an asterisk) as the hostname and select that profile here. See Defining Connection Settings.

  • Fall back to DIRECT if secure connection cannot be established: If creating the SFTP connection fails, the Connection Broker will normally return a "host not reachable" error. However, when this check box is selected a direct (unsecured) FTP connection is used instead.


    Make sure the application uses passive mode for file transfer connections. When SSH Tectia Client is connected to a plaintext FTP server in fallback mode, file transfers in active mode are not supported.

  • Use pseudo IP: When this check box is selected and the FTP application attempts connection using a hostname, the Connection Broker assigns a pseudo IP address for the host instead of doing a DNS query. When the check box is not selected, a normal DNS query is made.

    Pseudo IPs cannot be used if the connection profile does not specify the SFTP server (it has * as the hostname).

    Do not enable the fallback and pseudo IP options at the same time. If both are enabled and the secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

When an application connects to a host, the filters determine which action is applied to the connection. The filter list is evaluated from the top down, and the first filter that matches the DNS or IP address of the connection is used. Use the arrow buttons to organize the list.
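The first-match ordering and the option constraints described above can be checked before a rule list is deployed. The following is an added example, not SSH Tectia code or its configuration format: it models a rule list, picks the rule a connection would hit, and flags rules that allow plaintext fallback, combine fallback with pseudo IP, use pseudo IP with a `*` profile, or sit below a match-all rule. The `Rule` fields, the action labels `direct`/`block`/`convert`, the finding codes and the sample hosts are constructed, and Python's `re` stands in for the regular expression syntax of Appendix B.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:  # constructed model of one Filter Rule entry, not a Tectia format
    host: Optional[str]       # regex for hostname or IP; None = any host or IP
    ports: Optional[range]    # None = all ports
    action: str               # "direct", "block" or "convert" (constructed labels)
    profile_host: str = ""    # hostname in the selected profile; "*" = client picks
    fallback: bool = False    # fall back to direct FTP if SFTP fails
    pseudo_ip: bool = False   # assign a pseudo IP instead of a DNS query

def matches(rule, host, port):
    if rule.host is not None and not re.fullmatch(rule.host, host):
        return False
    return rule.ports is None or port in rule.ports

def select(rules, host, port):
    """Top-down scan: the first matching rule wins. None if nothing matches."""
    return next((r for r in rules if matches(r, host, port)), None)

def lint(rules):
    """Return (rule index, finding code) pairs for risky or broken rules."""
    findings, catch_all = [], None
    for i, r in enumerate(rules):
        if catch_all is not None:
            findings.append((i, "UNREACHABLE"))  # shadowed by an earlier match-all
        elif r.host is None and r.ports is None:
            catch_all = i
        if r.action != "convert":
            continue
        if r.fallback and r.pseudo_ip:
            findings.append((i, "FALLBACK_WITH_PSEUDO_IP"))
        if r.pseudo_ip and r.profile_host == "*":
            findings.append((i, "PSEUDO_IP_WITH_WILDCARD_PROFILE"))
        if r.fallback:
            findings.append((i, "PLAINTEXT_FALLBACK"))  # unsecured FTP on failure
    return findings

# Constructed sample rule list, in evaluation order.
RULES = [
    Rule(r"ftp\.example\.com", range(21, 22), "convert", "sftp.example.com",
         fallback=True, pseudo_ip=True),
    Rule(None, None, "block"),
    Rule(r"10\.0\.0\.\d+", None, "convert", "*", pseudo_ip=True),
]

if __name__ == "__main__":
    for index, code in lint(RULES):
        print(f"rule {index}: {code}")
    print(select(RULES, "10.0.0.5", 21).action)
```

In the sample list the third rule never applies, because the match-all block rule above it takes every connection first; moving it above the block rule changes which connections are converted.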



