Port forwarding feature added

From version 7.4.0, CompleteFTP (Professional and Enterprise Editions only) supports local SSH port forwarding (often known as SSH tunneling). This means SSH tunnels can be established between a client machine and CompleteFTP that other protocols can use.

Why would you use SSH port forwarding (also called SSH tunneling)? There are two reasons - firewalls and security.

Consider the scenario where an employee using a laptop outside the corporate network wants to give a demonstration to a customer using a machine within the corporate network. Perhaps they want to use RDP (the Remote Desktop Protocol) and it has not been set up in secure mode. In this scenario a CompleteFTP server is also within the corporate firewall.


By default, RDP uses port 3389, but say for security reasons the corporate firewall does not permit external connections to this port number. If SSH port forwarding is used, all RDP traffic is transmitted over port 22 (the standard SSH port). There is no need to open the RDP port in the firewall.


What's more, the RDP protocol is transmitted securely over the SSH tunnel. So unsecure protocols can be safely used via SSH tunnels. The only unsecure portion of the route is between CompleteFTP and the destination machine (the RDP machine), and both of these machines are inside the corporate firewall.

Setting up tunneling

How is port forwarding set up? For security reasons, it is disabled by default in CompleteFTP. It must be enabled both for the site and individual users. To enable port forwarding for the site, the Site tab in the CompleteFTP manager must be opened, and SSH Port Forwarding flag enabled, which is under the SFTP/SSH settings section. The users who require port forwarding must also have this option enabled, which is done in the User panel by selecting the user.

On the client side, the tunnel must be set up by an SSH utility such as PuTTY. When PuTTY sets up a local port forward, it listens on the client for connections on the local port specified. When a connection on the client is made to this local port on the local machine, the SSH tunnel is established with CompleteFTP. All the data on this local connection is sent through the tunnel to CompleteFTP, which forwards it to the ultimate destination (set by PuTTY).

Posted by John Faulds in