Customize Directory Access for File Transfers
Use the SFTP Directories pane to customize directory access for file transfer. By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured Login directory (the Windows user profile folder by default). You can configure SFTP directories to:
- Provide users with access to additional local or network resources using their own credentials.
- Provide users with access to network resources based on the rights associated with an alternate user.
- Provide users with access to resources on a remote SFTP server.
Note
- Customized directory settings affect all SFTP and SCP2 connections.
- By default, customized directories do not affect SCP1 connections. This means that users executing scp transfers from older OpenSSH clients have access to all files and folders allowed to them by the operating system, regardless of the current SFTP Directories settings. To apply customized directory settings to SCP1 transfers, go to the Permissions tab and select Use SFTP accessible directory settings for SCP1.
To customize directory access
- Start the server console, and then click Configuration.
- Click SFTP Directories.
- Click Add. The Accessible Directory Settings dialog box opens.
- Specify virtual and physical directory values:
  Virtual directory: Enter the directory name that you want your users to see.
  Local or UNC directory: Enter the actual directory path; for example, C:\Users\Downloads. UNC paths must include a server name and share; for example, \\server\share\public. Mapped drives are not supported. The following options are available for specifying user directories:
  - %D The user's User profile folder.
  - %H The user's Home folder.
  - %u The user's login name.
  - %U The user's domain name and login in the format domain.username.
  Note
  Do not use %u or %U to point to a location within a user's Windows profile folder. Neither of these options works correctly for this purpose. Use these options to create your own user-specific locations in some other location, for example on a shared network file server. For details, see Pattern Strings in Directory Paths.
- (Optional) Modify the options under Permissions. You can use this feature to limit user file access to one or more of the following: browse, download, upload, delete, and rename.
- (Optional) By default, Use the client user account to connect to this directory is selected. With this default option, the drive you specify is available to the client user only if he or she has access rights to that network location. To grant access rights based on the rights associated with an alternate user, select Use a specified account to connect to this directory. (This option is available only if Local or UNC directory specifies a UNC path.) The user you select must be joined to the same domain as the server or to a domain that is trusted by the server's domain.
  Caution
  Be careful when configuring access with any credential other than the client user's own credential. When you configure an alternate credential to provide access to any folder on a server, Windows will allow access to other folders on the same server that are accessible to the alternate credential. For more information about this risk and how to handle it securely, see Best Practices for Using Cached Credentials.
- Click OK.
- Save your settings.
Configure access to directories on a remote server
You can configure Reflection Gateway to access files on a remote SFTP server, so that users logging in to the Reflection Gateway server can upload or download files to and from the remote server.
You can map multiple accessible directories on one or more remote servers in addition to (or instead of) providing access to directories on the Reflection Gateway server. For example, you might use the default configuration to provide access to the user's home directory (/Home) on the Reflection Gateway server, and configure access to a second directory (/guest/uploads in the example below) and call the virtual directory Uploads.
In this example, the Home directory is on the Reflection Gateway server. Access is provided by the user's credentials on the server. Access to the Uploads directory is provided by an account called adminuser on a remote server called Host2.
With the configuration above, if you set the user's login directory equal to /, the user will see two directories, Home and Uploads. Here's a sample command line session from a client user (Joe) connecting to a Reflection Gateway server (rsithost) with this configuration:
>sftp Joe@rsithost
Password Authentication
Joe's password:
/>ls
Home
Uploads
/>
To configure access to a directory on a remote SFTP server
- From the SFTP Directories pane, click Add.
- For Virtual directory, specify the directory name that you want your users to see; for example, Uploads.
- Select Remote SFTP server. This opens the Remote SFTP Server Connection dialog box.
- For Host, specify the name or IP address of the remote server. The port for the connection to this server is set to 22 by default. Edit this if your server uses a different port.
- Under Host key, click Retrieve. If Reflection for Secure IT can connect to this server, it retrieves its public key and displays a confirmation box. Click OK to accept this key. Reflection for Secure IT uses this key to confirm the remote server host identity when it connects to this host.
- Under Authentication, for Remote SFTP username, specify a user account on the remote server. You can configure either password or public key authentication for this user.
  For password authentication: Specify the remote user's password in the Password box. This password is saved securely in the Reflection for Secure IT database and used to authenticate to the remote server.
  For public key authentication: Select Public key authentication. Click Import private key and browse to the user's private key. To use public key authentication, you must first have a public/private key pair for the user you specified for Remote SFTP username, and configure the remote server to authenticate this user using the public key. The private key is saved securely in the Reflection for Secure IT database and used to authenticate to the remote server.
- Under Remote base directory, click Browse. This opens a browse dialog box showing directories on this server. Browse to select a directory to make available to client users. The directory must be one that is available to the user you specified in the Username field. The directory you select is entered in the Path field.
  Note
  You can also specify paths using %u and %U. For details, see Pattern Strings in Directory Paths. The user directories must exist; they are not created automatically.
- Click Test Connection to test these settings. You can use the Details button on the Test Connection dialog box if you need to troubleshoot problems.
- Click OK to close the open dialog boxes.
- Save your settings.
Control Upload and Download Access
By default, users have full access to the directories configured on the SFTP Directories pane. You can use directory permissions to limit what kinds of actions users can perform.
To configure accessible directory permissions
Note
This change affects both SCP2 and SFTP transfers.
- Start the server console, and then click Configuration.
- Click Permissions and select Use SFTP Accessible Directory settings for SCP1.
- Click SFTP Directories.
- Select a directory and click Edit.
- Under Permissions, configure the access you want to allow. For example, to allow users to view and download files, but disallow any changes to the server files, leave Browse and Download checked, and clear Upload, Delete, and Rename.
- Click OK.
- Save your settings.
Caution
Client users may have a number of ways to access server files and directories. Factors to consider when configuring your server include session access, tunneling access, and file and directory permissions configured on the system.
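The pattern strings from the directory table earlier on this page (%D, %H, %u, %U) and the per-directory Browse/Download/Upload/Delete/Rename permissions from this procedure, modelled as a small path resolver. This is an added example, not Reflection for Secure IT's own code: the two classes, the "/" login directory, the profile-folder check, and the sample user and paths are assumptions used for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class AccessibleDirectory:
    """One SFTP Directories entry (constructed model, not the product's own code)."""
    virtual: str              # name the client user sees, e.g. "Uploads"
    physical: str             # local or UNC path; may contain %D, %H, %u, %U
    perms: frozenset = frozenset({"browse", "download", "upload", "delete", "rename"})

@dataclass
class ClientUser:
    domain: str
    login: str
    profile_dir: str          # substituted for %D
    home_dir: str             # substituted for %H

def expand_pattern(pattern: str, user: ClientUser) -> str:
    """Expand the pattern strings; %U becomes domain.username. Rejects %u/%U inside the profile."""
    table = {"%D": user.profile_dir, "%H": user.home_dir,
             "%u": user.login, "%U": f"{user.domain}.{user.login}"}
    expanded = re.sub(r"%[DHuU]", lambda m: table[m.group(0)], pattern)
    profile_prefix = user.profile_dir.lower().rstrip("\\") + "\\"
    if re.search(r"%[uU]", pattern) and expanded.lower().startswith(profile_prefix):
        raise ValueError("%u/%U must not point inside the user's profile folder")
    return expanded

def validate_physical_path(path: str) -> None:
    """A UNC path needs both a server name and a share; otherwise expect a drive path."""
    if path.startswith("\\\\"):
        if len([p for p in path[2:].split("\\") if p]) < 2:
            raise ValueError("UNC path must include a server name and a share")
    elif not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("expected a local drive path or a UNC path")

def resolve(dirs, user, virtual_path: str, operation: str) -> str:
    """Map a client path (login directory assumed '/') to its physical path, refusing traversal."""
    parts = [p for p in virtual_path.split("/") if p]
    if not parts or any(p in (".", "..") or "\\" in p or ":" in p for p in parts):
        raise PermissionError("path escapes the configured directories")
    for d in dirs:
        if d.virtual == parts[0]:
            if operation not in d.perms:
                raise PermissionError(f"{operation} is not permitted in /{d.virtual}")
            base = expand_pattern(d.physical, user)
            validate_physical_path(base)
            return ntpath.join(base, *parts[1:])
    raise PermissionError(f"no accessible directory named /{parts[0]}")
```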