Enabling FTP Services on a NetWare 4.11 Server
01 Apr 1999
Editor's Note: "Technically Speaking" answers your technical questions, focusing on network management issues. To submit a question for a future column, send an e-mail message to nwc-editors@nwconnection.com, or send a fax to 1-801-228-4576.
By installing Novell's FTP Service on a NetWare 4.11 server, you can publish both entire volumes and individual directories on your company's network or intranet to the Internet. Users can then upload and download files by using any TCP/IP-enabled workstation with a LAN or an Internet connection and FTP client software. Because users can transfer files without logging in to the NetWare 4.11 server that is running Novell's FTP Service, you do not need to provide a NetWare license for FTP connections. To provide security, Novell's FTP Service uses Novell Directory Services (NDS) to authenticate non-anonymous user connections.
Novell's FTP Service was included in two products: intraNetWare, which consists of NetWare 4.11 and several Internet and intranet components, and Novell's UNIX File and Print Services for NetWare 4.11. This article explains how to install and configure Novell's FTP Service on a NetWare 4.11 server. (This article assumes that you are using the intraNetWare CD-ROMs.)
INSTALLING NOVELL'S FTP SERVICE ON A NETWARE 4.11 SERVER
Before installing Novell's FTP Service, you must ensure that TCP/IP is enabled on the server. You must also configure each workstation that requires access to Novell's FTP Service. You can enable these workstations to use TCP/IP directly or to use Novell's IP Gateway, which allows IPX-based devices and services to access IP-based devices and services. (Like Novell's FTP Service, the IP Gateway is one of the Internet and intranet components included with intraNetWare. The IP Gateway is also included in Novell's BorderManager product.)
You install Novell's FTP Service from the UNIX Services for intraNetWare CD-ROM. After you have inserted this CD-ROM into the server's CD-ROM drive, you need to mount the CD-ROM by entering the following command at the server console:
CD MOUNT ALL
The CD-ROM is mounted as the NWUXPS volume. After you have mounted the CD-ROM, run the INSTALL utility by entering the following command at the server console:
LOAD INSTALL
The INSTALL utility's main screen appears. From the main screen you select Product Options, and you then select the Install a Product Not Listed option. When the INSTALL utility prompts you to specify an installation path, you press the F3 key and enter the following installation path:
NWUXPS:NWUXPS
After Novell's FTP Service has been installed, the UNICON utility runs automatically, enabling you to configure the services you want to load when you start NetWare 4.11. When the UNICON utility's main menu appears, you select the Start/Stop Services option, and you then select the FTP Server option. At this point, Novell's FTP Service should be running.
In addition, Novell's FTP Service is automatically added to the UNISTART.NCF file, which starts this service each time you reboot the NetWare 4.11 server.
You should keep in mind that Novell's FTP Service is an on-demand service. In other words, the FTP NetWare Loadable Modules (NLMs) are not loaded on the server unless a workstation initiates an FTP request. When an FTP request is initiated, the NetWare 4.11 server automatically loads the FTP NLMs. After an amount of idle time that you define, the NetWare 4.11 server unloads the FTP NLMs. (The next section explains how you can change parameters for Novell's FTP Service, including the parameter for the amount of idle time that must pass before the NetWare 4.11 server unloads the FTP NLMs.)
CONFIGURING NOVELL'S FTP SERVICE ON A NETWARE 4.11 SERVER
When you install Novell's FTP Service, an anonymous user account is automatically created on the FTP server. This anonymous user account, which requires no password, allows all users to access the public files stored on your company's FTP server.
If you do not want to provide this type of access to your company's FTP server, you can disable the anonymous user account by configuring Novell's FTP Service to deny anonymous logins. Users must then enter their fully distinguished username and password to log in to the FTP server. (A user's fully distinguished name includes the complete path from the User object to the [Root] object in the NDS tree.) Novell's FTP Service uses the username and password to authenticate users to NDS before granting users access to the FTP server. (Unlike a workstation login to a NetWare 4.11 server, all usernames and passwords are case sensitive with Novell's FTP Service.)
When a user enters his or her username and password, Novell's FTP Service authenticates the user to NDS and determines the default server and home directory that are defined for this user in NDS. If the user is authenticated, Novell's FTP Service grants this user access to the FTP server and to the other network resources for which this user has rights, beginning with the user's default server and home directory.
You can use the UNICON utility to change parameters for Novell's FTP Service, including the parameter that allows you to enable or disable anonymous logins. To change parameters for Novell's FTP Service, you select the Manage Services option from the UNICON utility's main screen. When the Manage Services menu appears, you select the FTP Server option, and you then select the Set Parameters option. From the Set Parameters screen, you can enable or disable anonymous logins, and you can change other parameters for Novell's FTP Service.
You can also use the UNICON utility to change the maximum number of concurrent FTP sessions and the maximum length of each FTP session. (The default setting for the maximum number of concurrent FTP sessions is nine. The default setting for the maximum length of each FTP session is unlimited.) You can adjust these settings to prevent the FTP server from becoming overburdened by file transfers.
In addition, you can use the UNICON utility to change the amount of idle time that must pass before the NetWare 4.11 server unloads the FTP NLMs and stops the FTP server. (The default setting is no log out after idle time. If you keep the default setting, the FTP Server will unload the active NLMs after the specified time as long as there are no active connections.) You can decrease the amount of idle time if you want to recover server resources faster. You can increase the amount of idle time if you want to maintain the FTP server longer, depending on how users access this server.
For example, if users transfer files infrequently, you can enter a low setting so the NetWare 4.11 server unloads the FTP NLMs as quickly as possible. The system resources are then available to other services. On the other hand, if users transfer files on a regular basis, you can enter a high setting to maintain the FTP NLMs for subsequent users.
You can also use the UNICON utility to define the volumes that users can access through the FTP server. You can define volumes that both anonymous and authenticated users can access. By default, anonymous users and authenticated users can access the SYS volume, but you can specify a directory if you do not want to grant anonymous users access to the entire SYS volume.
You can even use the UNICON utility to define the default name space used by the FTP server. The available options are DOS, which supports only file names that conform to the 8.3 specification, and Network File System (NFS), which supports long file names.
If you want to enable the NFS name space as the FTP server's default name space, you must complete two simple steps before you change the parameter. First, you load the NFS name space by entering the following command at the server console:
LOAD NFS.NAM
Second, you add the NFS name space to the necessary volumes by entering the following command at the server console:
ADD NAME SPACE TO <volume_name>
(Replace <volume_name> with the actual name of a volume on the server.) This command prompts the NetWare 4.11 server to automatically load the name space support NLM whenever the server is restarted. After you have entered both commands, you can use the UNICON utility to change the default name space to NFS. (The default setting is DOS.)
In addition, you can use the UNICON utility to enable intruder detection, which prevents unauthorized users from accessing the FTP server. If you enable intruder detection, you can also track the number of times unauthorized users tried to access the FTP server within a period of time that you specify.
You can even use the UNICON utility to specify what information is recorded in a log file on the FTP server. You can select one of the following options to set up a log file:
None. If you choose this option, Novell's FTP Service records no information.
Statistics. If you choose this option, Novell's FTP Service records the number of files copied to and from the FTP server during each FTP session.
Logins. If you choose this option, Novell's FTP Service records login information for all users who connect to the FTP server, including each user's username and IP address.
File. If you choose this option, Novell's FTP Service records file information for all FTP sessions, including the file name, the file size, and the transfer time for each file copied to and from the FTP server.
RESTRICTING ACCESS VIA THE RESTRICT.FTP FILE
Using the UNICON utility to change parameters for Novell's FTP Service is only one way of restricting access to the FTP server. You can also restrict access to the FTP server by directly editing the RESTRICT.FTP file, which is automatically created in the SYS:ETC directory when you install Novell's FTP Service. You can edit the RESTRICT.FTP file to prevent certain users from accessing the FTP server or to prevent users from certain IP addresses or domains from accessing the FTP server. (To view the default RESTRICT.FTP file, see "FTP Server Access Control File.")
USING NDS TO MANAGE ACCESS TO THE FTP SERVER
Because Novell's FTP Service is integrated with NDS, you can also manage access to the FTP server through NDS. For example, you can configure the FTP server to act as a border device between your company's network and the Internet or between LANs on your company's WAN. In this capacity, the FTP server allows users to connect to volumes on servers that are located on an IPX network or behind a firewall.
For example, suppose that Novell's FTP Service is running on server A, which is connected to the Internet via a LAN interface board to a router or via a WAN interface board using TCP/IP. Further suppose that server A is also connected to your company's network through another LAN interface board using only IPX. Authenticated users can transfer files through Novell's FTP Service on server A. These users can also access files stored in their home directory on server B, which is an IPX-based server located on your company's network. Authenticated users can access their home directories in this way because Novell's FTP Service determines each user's default server and home directory upon authentication to NDS.
Because Novell's FTP Service is integrated with NDS, you can also provide an additional layer of security when using authenticated logins: If you want to make particular volumes on the FTP server available only to authenticated users, you can physically remove these volumes from the FTP server and migrate them to the server on your company's network that stores each user's home directory. Authenticated users can then access these volumes, while anonymous users--who can access only volumes on the FTP server--cannot.
CONCLUSION
Novell's FTP Service is an efficient FTP solution that is easy to install, configure, and manage. By installing Novell's FTP Service on a NetWare 4.11 server, you can set up an FTP server that anonymous users can access, or you can set up an FTP server that uses the power of NDS to authenticate users through your company's network or the Internet.
For more information about managing Novell's FTP Service, you may want to check out Novell's online documentation at http://doc1.provo.novell.com/web/iamg.nfs21.english/adminenu/@Generic__BookTextView/12950. This documentation covers several topics, such as managing user accounts, tuning FTP parameters, and detecting unauthorized access.
Mickey Applebaum has worked with NetWare for more than 14 years. Mickey provides technical support on the Internet for The Forums (http://theforums.com) and operates Proactive Team Solutions, a consulting firm located in Salt Lake City, Utah.
FTP Server Access Control File
This file determines who can access files through the FTP server. The username must be specified to gain access. The default configuration allows all users access.
Syntax: <username> [ACCESS=DENY,GUEST,NOREMOTE,READONLY] [ADDRESS=<hostname>,<hostgroup>]

<username>
    All users. e.g. "*"
    All users from an NDS context. e.g. "*.OU=sales.O=acme"
    NDS user relative to the default context. e.g. "bill"
    Complete Canonicalized NDS name. e.g. ".CN=Admin.O=acme"
    <username> is required and must be the first field in the line.

ACCESS=
    This option limits user access to the server. This option is case sensitive and is not required.
    DENY      Denies access to the server. This parameter overrides a previously declared global access.
    GUEST     Restricts the user to the home directory on the server running the FTP server.
    NOREMOTE  Restricts the user to the local server. User cannot access any remote servers.
    READONLY  Restricts the user from storing any files on the server.

ADDRESS=
    This option restricts access for users from a specific host or set of hosts (hostgroup). This option is case sensitive and is not required.
Examples:
The following example specifies that all users have access to the local server but cannot access remote NetWare servers.
* ACCESS=NOREMOTE
The following example specifies that all users from the OU called SALES have full access, but must connect from the host hostname.
*.OU=SALES.O=ACME ADDRESS=hostname
The following example specifies the user ADMIN cannot access the FTP server.
.ADMIN.O=ACME ACCESS=DENY
The following default entry of "*" allows all users access to the FTP server.
*
Originally published in Novell Connection Magazine
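To make the RESTRICT.FTP semantics above concrete, here is a small evaluator written for this article as an added example; it is not Novell's code and does not reproduce the FTP server's real parser. It assumes a default NDS context of O=ACME, compares NDS names case-insensitively with the CN=/OU=/O= type prefixes stripped, treats hostgroup entries as plain host names, denies a user who matches a rule carrying ADDRESS= but connects from another host, lets a matching DENY override every other matching rule, and otherwise accumulates the restrictions of all matching rules.

```python
import re
# Constructed sample: this page's three example lines plus a relative-name line.
SAMPLE_RESTRICT_FTP = """\
* ACCESS=NOREMOTE
*.OU=SALES.O=ACME ADDRESS=hostname
.ADMIN.O=ACME ACCESS=DENY
bill ACCESS=READONLY
"""
DEFAULT_CONTEXT = "O=ACME"  # assumed default NDS context for relative names

def _norm(name):
    """Strip NDS attribute types and case: '.CN=Admin.O=acme' -> 'ADMIN.ACME'."""
    return ".".join(re.sub(r"^(CN|OU|O)=", "", p, flags=re.I).upper()
                    for p in name.strip(".").split(".") if p)

def parse_restrict(text):
    """Parse RESTRICT.FTP lines into rule dicts; the first field is the user."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rule = {"user": fields[0], "access": set(), "address": set()}
        for field in fields[1:]:
            key, _, val = field.partition("=")
            if key == "ACCESS":            # keywords are case sensitive
                rule["access"] = set(val.split(","))
            elif key == "ADDRESS":         # hostgroups treated as plain names
                rule["address"] = {v.lower() for v in val.split(",")}
        rules.append(rule)
    return rules

def _user_matches(pattern, dn):
    if pattern == "*":                     # all users
        return True
    if pattern.startswith("*."):           # all users directly in one context
        return dn.partition(".")[2] == _norm(pattern[2:])
    if not pattern.startswith("."):        # name relative to default context
        pattern = pattern + "." + DEFAULT_CONTEXT
    return _norm(pattern) == dn

def evaluate(rules, user_dn, host):
    """Return (allowed, restrictions) for the fully distinguished user_dn."""
    dn, host, restrictions = _norm(user_dn), host.lower(), set()
    for r in rules:
        if not _user_matches(r["user"], dn):
            continue
        if "DENY" in r["access"] or (r["address"] and host not in r["address"]):
            return False, {"DENY"}         # DENY or a wrong host wins outright
        restrictions |= r["access"]        # otherwise restrictions accumulate
    return True, restrictions
```

Running evaluate against the sample shows how the global NOREMOTE line combines with a per-user READONLY line, and how the ADMIN entry and the SALES host restriction each refuse a login.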