FTP Adapter Security Recommendations


With the FTP adapter, BizTalk Server can receive files from a File Transfer Protocol (FTP) server and send files to an FTP server for other applications. BizTalk Server does not act as an FTP server.

FTP is, by nature, not secure: The user name, password, and other credentials traverse the network in clear text. Likewise, files uploaded or downloaded move across in clear text and can be easily viewed or tampered with along the way. Moreover, an attacker could spoof the FTP server itself, known as a rogue server attack. In this case you cannot tell if a particular FTP server is indeed the computer that you intended to communicate with.

To overcome these problems, the enhanced FTP adapter in BizTalk Server 2013 R2 supports the SSL/TLS protocol that ensures data confidentiality through encryption.

For general security considerations when you use the FTP protocol, see the Internet FAQ Archives Web site (http://go.microsoft.com/fwlink/?LinkId=24779). For general security recommendations when you use the FTP protocol and firewalls, see the ISAserver.org Web site (http://go.microsoft.com/fwlink/?LinkId=25225). For more information about the FTP adapter, see FTP Adapter.

We recommend that you use the following guidelines for securing and deploying the FTP adapter in your environment:

  • By default, BizTalk Server does not configure the FTP. For more information about how to configure the FTP adapter, see Configuring the FTP Adapter.

  • To achieve secure file transfer, you must configure the SSL -specific properties provided by the FTP adapter. For more information, see Enhancements to the FTP Adapter.

  • The FTP adapter supports FTP Request for Comments (RFC) 959. For more information about FTP RFC 959, see the World Wide Web Consortium (W3C) (http://go.microsoft.com/fwlink/?LinkId=24781)Web site. The FTP adapter does not support the Secure FTP (SFTP) protocol.

  • You can use the FTP adapter across firewalls. Depending on the type of firewall you use, you may have to configure one or more of the following firewall properties: username, password, computer, port, firewall type (none, socks 4, socks 5), and mode.

  • We recommend you place the remote FTP server in a secure location. You must ensure the physical and network security of this server to minimize rogue server attacks.

  • The FTP adapter supports the use of Enterprise Single Sign-On (SSO). For more information, see Implementing Enterprise Single Sign-On.

  • By default, the FTP receive adapter must have write permissions in the FTP server because the adapter deletes the file from the server after download. However, in BizTalk Server 2013 R2, the FTP adapter supports downloading of files from read-only locations. For more information, see Enhancements to the FTP Adapter.

Community Additions