Set Up SFTP/Application Server On Azure VM behind Firewall

[Figure: SFTP client connecting to SFTP server over a single SSH session on TCP port 22; the control and data channel is totally encrypted]

Scenario:

Set Up SFTP Server On Azure VM behind FortiGate Firewall.

1. Business request

Set up a file transfer server with public internet access.

2. Security concern

The common ways are FTP, FTPS, or SFTP:

Feature                                    | FTP     | FTPS                           | SFTP
-------------------------------------------+---------+--------------------------------+-----------------------
Port                                       | TCP 21  | Typically TCP 21 or 990        | TCP 22
Separate connections for command and data  | Yes     | Yes                            | No (one SSH session)
Encrypted command and file data connection | No      | Yes                            | Yes
Key-based authentication                   | No      | not shown                      | Yes
Host identity verification                 | No      | Through third-party certificate| Yes (server host key)

FTPS requires a certificate to be applied to the FTP service, so I decided to go with SFTP.
SolarWinds SFTP & SCP Server is a free SFTP server application.


3. Deployment

3.1 Set up SFTP on VM

Download the software to the server and install it

https://www.solarwinds.com/free-tools/free-sftp-server

Redirect the Root Directory

[Screenshot: SolarWinds SFTP/SCP Server Settings, Root Directory changed from the default to a dedicated folder for the SFTP service]

Create user to login

[Screenshot: SolarWinds SFTP/SCP Server Settings, Users tab: configuring the login user for the SFTP/SCP server]

Verify the SFTP service is running on localhost (Command Prompt: sftp 127.0.0.1):

Microsoft Windows [Version 10.0.17763.1697]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\[user]>sftp 127.0.0.1
127.0.0.1's password:

3.2 Configure the host firewall and Azure NSG to allow the SFTP service

Add TCP port 22 to the host firewall

Add TCP port 22 to the Azure NSG

[Screenshot: Azure NSG inbound security rule: destination IP address 10.11.4.4, destination port range 22, protocol TCP, action Allow, with a priority assigned]

Verify the SFTP service is reachable for an internal user

[Screenshot: ipconfig on the internal client shows a Wi-Fi adapter on the 192.168.10.0/24 network (subnet mask 255.255.255.0, default gateway 192.168.10.1); the client then runs sftp against the server at 10.11.4.4]

The authenticity of host '10.11.4.4 (10.11.4.4)' can't be established.
[key type] key fingerprint is SHA256:[fingerprint as shown in the screenshot].
Are you sure you want to continue connecting (yes/no)?
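The two checks above (sftp against localhost, then from an internal client) each rely on typing "yes" at the host-key prompt. The following is an added example, not code from the post or from SolarWinds, that does both checks without trusting the prompt blindly: it reads the SSH identification banner to confirm that whatever is listening on port 22 really is an SSH/SFTP service, and it computes the SHA256 fingerprint from the server's own public key line (exported from the server, or captured with ssh-keyscan on the server itself) so it can be compared with the fingerprint the client shows. The host key embedded here is a constructed sample with the same shape as a known_hosts line, not the real key of the server in the post.

```python
import base64
import hashlib
import socket
import struct
import sys


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key for the server 10.11.4.4 from the post. The 32 key bytes are a
# made-up pattern, not a real key; the line has the shape of ssh-keyscan / known_hosts output.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "10.11.4.4 ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode("ascii")


def parse_ssh_banner(banner: bytes) -> dict:
    """Parse the server identification string (RFC 4253 section 4.2).

    The server may send informational lines first; the real banner is the first line that
    starts with 'SSH-'. Anything else (for example an FTP '220' greeting) means the port is
    open but not speaking SSH, so the SFTP service is not what is listening.
    """
    for raw in banner.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", "replace")
        if line.startswith("SSH-"):
            ident, _, comment = line.partition(" ")
            parts = ident.split("-", 2)  # ['SSH', '2.0', 'OpenSSH_for_Windows_8.1']
            return {
                "protocol": parts[1],
                "software": parts[2] if len(parts) > 2 else "",
                "comment": comment,
            }
    raise ValueError(f"not an SSH server banner: {banner!r}")


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Open a TCP connection and read the banner; the server sends it before the client speaks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512)


def host_key_fingerprint(pubkey_line: str):
    """Return (key_type, 'SHA256:...') computed the way the sftp client prints it.

    The fingerprint is base64(SHA-256(key blob)) with '=' padding removed, where the key blob
    is the base64 field of the public key line.
    """
    fields = pubkey_line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no '<key-type> <base64>' pair in the public key line")
    key_type, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64)
    # Sanity check: the first wire-format string inside the blob repeats the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key blob does not match the declared key type")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(pubkey_line: str, shown: str) -> bool:
    """True when the fingerprint in the client prompt equals the one from the server's own key."""
    return host_key_fingerprint(pubkey_line)[1] == shown.strip()


if __name__ == "__main__":
    # Usage: python sftp_check.py 10.11.4.4   (defaults to 127.0.0.1, as in the localhost test)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    info = parse_ssh_banner(fetch_ssh_banner(target))
    print(f"{target}:22 speaks SSH {info['protocol']} ({info['software']})")
    print("fingerprint of the sample key:", host_key_fingerprint(SAMPLE_PUBKEY_LINE)[1])
```

Run the banner check from the internal client before and after each firewall change; a connection refused or timeout tells you which layer (host firewall, NSG, FortiGate) is still blocking. Answer "yes" to the prompt only when the fingerprint it shows equals the one computed from the key exported on the server, otherwise the client is caching the identity of whatever answered on port 22.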

3.3 Configure the FortiGate firewall to allow external access

Firewall port forwarding (Virtual IP)

[Screenshot: FortiGate Policy & Objects > Virtual IPs > Edit Virtual IP. Name SFTP_22, type Static NAT, external IP address/range on the outside interface, mapped IP address/range 10.11.4.4, port forwarding enabled for TCP port 22]

Firewall policy rule with whitelist control

[Screenshot: FortiGate Policy & Objects > Firewall Policy, rule "SFTP To Internet": incoming interface External_port (port1), outgoing interface Internal_Port (port2), source SFTP_WhiteList address object, destination SFTP_22 (the virtual IP), schedule always, service SSH, action ACCEPT, inspection mode flow-based, SSL inspection profile certificate-inspection]

Test SFTP connection from approved external IP
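The whitelist on the FortiGate policy is the only control that keeps the internet at large away from port 22, so the test from an approved external IP should be paired with a check that no unapproved source ever reaches the server. The following is an added example, not part of the post or of any FortiGate or SolarWinds tooling, that reads the SFTP server's connection log and flags every source address outside the whitelist; the log lines and the CIDR ranges are constructed here (in the style of an OpenSSH auth log, since the post does not show the SolarWinds log format), and the object name SFTP_WhiteList is taken from the policy screenshot only as a label.

```python
import ipaddress
import re

# Constructed stand-in for the SFTP_WhiteList address object on the FortiGate policy.
# These are documentation ranges (RFC 5737), not the post's real approved addresses.
SFTP_WHITELIST = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed sample connection log in OpenSSH auth-log style; the real server's format will differ.
SAMPLE_LOG = """\
2021-01-20 09:12:01 Accepted publickey for transfer01 from 203.0.113.25 port 51422
2021-01-20 09:15:44 Failed password for invalid user admin from 192.0.2.77 port 40110
2021-01-20 09:16:03 Accepted password for transfer02 from 198.51.100.7 port 50311
2021-01-20 09:20:19 Connection closed by 192.0.2.77 port 40111
"""

# Source address and port as written by sshd-style logs ("from X port N" or "by X port N").
SOURCE_RE = re.compile(r"\b(?:from|by) (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)")


def load_whitelist(cidrs):
    """Parse CIDR strings into network objects; strict=False tolerates host bits in a /24 entry."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip: str, networks) -> bool:
    """True when the address falls inside any whitelisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_violations(log_text: str, cidrs):
    """Return (line_number, source_ip) for every logged connection from outside the whitelist.

    Any hit means traffic reached the SFTP service by a path other than the whitelisted
    FortiGate policy (for example an NSG rule open to the internet, or a second route into
    the VNet), which is exactly the gap this deployment is meant to close.
    """
    networks = load_whitelist(cidrs)
    violations = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = SOURCE_RE.search(line)
        if match is None:
            continue  # not a connection line (service start, config reload, ...)
        source = match.group(1)
        if not is_allowed(source, networks):
            violations.append((number, source))
    return violations


def offending_sources(log_text: str, cidrs):
    """Distinct unapproved source addresses, sorted, for a quick summary or a blocklist review."""
    return sorted({ip for _, ip in find_violations(log_text, cidrs)}, key=ipaddress.ip_address)


if __name__ == "__main__":
    for number, source in find_violations(SAMPLE_LOG, SFTP_WHITELIST):
        print(f"line {number}: connection from non-whitelisted source {source}")
    print("unapproved sources:", offending_sources(SAMPLE_LOG, SFTP_WHITELIST))
```

This check only works when the inbound FortiGate policy does not source-NAT the connection; if NAT is enabled on that policy every session appears to come from the firewall's internal address, and the same comparison has to be run against the FortiGate traffic log instead of the server log. Run it against the server log after the test from the approved external IP: the approved address should appear as an accepted login and the violations list should be empty.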


Contributed by Trevor Shi.

 

Disclaimer

This blog is not intended to be advice on how to manage your environment. These accounts are based on experiences in my own lab. Always approach information you find outside official documentation with skepticism and follow the golden rule: never test in production.