How to Configure Cerberus FTP Server for SFTP and FTPS on Windows

Troubleshooting Common Cerberus FTP Server Issues: Step‑by‑Step FixesCerberus FTP Server is a powerful Windows-based file transfer solution supporting FTP, FTPS, SFTP, and HTTP/S. Even with a mature product, administrators may encounter connectivity, authentication, transfer, or performance issues. This guide walks through common problems, how to diagnose them, and concrete step-by-step fixes.

---

1. Connection failures — clients can’t reach the server

Symptoms: Clients fail to connect, time out, or report “connection refused.”

Causes to check:

• Server not running.
• Incorrect listening ports or IP bindings.
• Firewall or NAT blocking ports.
• DNS or hostname resolution errors.
• TLS/SSL misconfiguration (for FTPS/HTTPS).

Step‑by‑step fixes:

1. Verify service status:
   • Open Services (services.msc) and ensure “Cerberus FTP Server” is Running, or open Cerberus Admin and confirm the server shows Online.
2. Confirm listening ports:
   • In Cerberus Admin, go to Server > Listeners and check which ports are enabled (default FTP 21, SFTP 22, FTPS often 990 or explicit on 21, HTTP/S ⁄₄₄₃).
   • Use netstat: netstat -ano | findstr :21 to see if the process is listening.
3. Check IP bindings:
   • Ensure Cerberus is bound to the correct network interface or set to “All IPs” if appropriate.
4. Test local connectivity:
   • From the server, run telnet localhost 21 (or Test-NetConnection -ComputerName localhost -Port 21 in PowerShell) to verify local listening.
5. Review firewall rules:
   • On the server, open Windows Defender Firewall > Inbound Rules and allow the Cerberus executable and required ports. If using a network firewall or cloud provider, open the same ports there.
6. NAT/Port forwarding:
   • If clients connect from the internet through NAT, ensure router forwards external port 21 (and data ports for passive FTP) to the server’s internal IP. Configure Cerberus with the external IP or use NAT helper settings.
7. DNS and hostname:
   • Test resolution: nslookup your.ftp.domain from a remote client. If it fails, fix DNS A records.
8. TLS/SSL issues (FTPS/HTTPS):
   • If connections fail only for secure protocols, temporarily enable insecure/plain FTP to confirm basic connectivity, then re-check certificate bindings (see TLS section below).

---

2. Passive mode data transfer failures

Symptoms: Control connection succeeds but directory listings or file transfers hang or fail.

Causes to check:

• Passive port range not configured/open.
• Server behind NAT without correct external IP configuration.
• Firewall blocking data ports.

Step‑by‑step fixes:

1. Configure passive port range:
   • In Cerberus Admin, Server > FTP > Passive mode, set a narrow range (e.g., 50000–50100).
2. Open ports in firewall:
   • Allow the passive range plus port 21 (or explicit FTPS port) in Windows Firewall and any external firewalls.
3. NAT/External IP:
   • In Passive mode settings, set the external IP address or enable “Use server external IP from STUN” if available — ensure Cerberus knows the public IP to send in PASV responses.
4. Test from remote client:
   • Use an FTP client in passive mode and capture logs to confirm the server’s PASV response contains the public IP and ports are reachable.
5. Verify with port check tools:
   • From outside the LAN, attempt to connect directly to the passive port shown in PASV to verify reachability.

---

3. Authentication failures — users can’t log in

Symptoms: Valid credentials rejected; anonymous login issues.

Causes to check:

• Incorrect username/password.
• Domain authentication or LDAP issues.
• Account locked/expired or home directory misconfigured.
• Permissions on filesystem.

Step‑by‑step fixes:

1. Verify credentials:
   • Try logging in via Cerberus Admin or local test client. Reset password if needed.
2. Check account settings:
   • In Users & Groups, ensure the user is enabled, not expired, and assigned the correct authentication method (Local, Active Directory, LDAP).
3. Active Directory / LDAP:
   • Confirm server can reach domain controllers/LDAP servers and that bind credentials are correct. Test using Cerberus’s Directory services test tool or using ldp.exe / PowerShell LDAP queries.
4. Home directory and permissions:
   • Ensure the user’s home folder exists and Cerberus service account has NTFS permissions. If Cerberus runs as a local/System account, confirm it has access or run the service under a domain/service account with rights.
5. Account lockout/policy:
   • Check domain account lockout/policy if using AD. Unlock or adjust as needed.
6. Anonymous login:
   • If anonymous logins fail, ensure the Anonymous user is enabled and points to a valid directory with proper permissions.

---

4. TLS/SSL certificate problems (FTPS/HTTPS)

Symptoms: Clients warn about invalid certificates, connections fail, or SFTP (which uses SSH keys) is confused with FTPS.

Causes to check:

• Expired or mismatched certificate.
• Private key not installed/bound correctly.
• Intermediate CA missing.
• Using the wrong protocol: FTPS vs SFTP.

Step‑by‑step fixes:

1. Confirm protocol:
   • FTPS uses TLS/SSL; SFTP uses SSH. Ensure client and server are set to the same protocol.
2. Check certificate validity:
   • In Cerberus Admin, Server > TLS, view the bound certificate and confirm expiration and CN/SAN match the hostname clients use.
3. Install full certificate chain:
   • Import intermediate CA certificates into the server’s certificate store and bind the full chain in Cerberus.
4. Private key and permissions:
   • Ensure private key is accessible to the Cerberus process. If using PFX, import into Personal store and bind to Cerberus.
5. Test with openssl:
   • From a remote machine: openssl s_client -connect your.ftp.domain:990 -showcerts to inspect the chain and cert details.
6. Update clients:
   • Some clients may require explicit trust or SNI — ensure client supports the server’s TLS settings (TLS 1.⁄₁.3) and ciphers.
7. Renew or replace expired cert:
   • Use a CA (or Let’s Encrypt via a reverse proxy) to obtain a new certificate and bind it.

---

5. File transfer performance or timeouts

Symptoms: Slow uploads/downloads, frequent timeouts, or inconsistent transfer speeds.

Causes to check:

• Network bandwidth limits.
• Disk performance on server.
• Antivirus or real‑time scanning intercepting files.
• Encryption overhead with FTPS/SFTP.
• TCP windowing or MTU issues.

Step‑by‑step fixes:

1. Measure baseline:
   • Use iperf between client and server to check raw network throughput. Measure disk I/O separately (e.g., Diskspd or Windows Performance Monitor).
2. Adjust Cerberus transfer settings:
   • Check concurrent transfer limits and bandwidth throttling in Cerberus Admin; increase limits if safe.
3. Check antivirus:
   • Temporarily disable or create exclusions for Cerberus directories and the Cerberus executable to see if speed improves.
4. Test with plain FTP:
   • Compare encrypted vs plain transfers to isolate encryption overhead.
5. TCP tuning:
   • Ensure NIC drivers are updated and offloading features are correctly set; review MTU and window scaling on network devices.
6. Monitor logs:
   • Check Cerberus logs for repeated retries or errors that may indicate transient network issues.

---

6. Permission and filesystem errors

Symptoms: Users see “permission denied,” can’t create files/directories, or file listings are incomplete.

Causes to check:

• NTFS permissions mismatch.
• Virtual root or chroot settings misconfigured.
• Disk quotas or full filesystem.

Step‑by‑step fixes:

1. Verify NTFS permissions:
   • On the server, open folder Properties → Security and ensure the Cerberus service account (or user impersonation account) has necessary rights (Read/Write/Modify as needed).
2. Check Cerberus virtual paths:
   • In user profile, confirm virtual root mappings and that paths point to existing folders.
3. Disk space and quotas:
   • Check free space and any configured quotas that might prevent writes.
4. Impersonation settings:
   • If using per-user impersonation, ensure credentials are correct and those accounts can access the filesystem.

---

7. Logs and diagnostics — where to look

Quick places to inspect:

• Cerberus logs (Server > Logs in Admin): connection logs, transfer logs, and event logs.
• Windows Event Viewer for service-level errors.
• Network captures (WireShark) for protocol-level debugging.
• Client logs — many FTP clients provide detailed session logs.

Practical steps:

1. Increase log verbosity temporarily in Cerberus Admin to capture error details.
2. Reproduce issue while logging to get correlated timestamps.
3. Use Wireshark to capture a failing session (filter by IP and ports) to see handshake/PASV responses.
4. For AD/LDAP: capture LDAP traffic or use built-in test tools to verify binds and searches.

---

8. Backup, upgrade, and configuration restore

Symptoms: After upgrades or config changes, behavior changes or service stops.

Step‑by‑step fixes:

1. Backup configuration:
   • Export Cerberus configuration before major changes (Server > Backup/Restore).
2. Test upgrades in staging:
   • Apply updates in a test environment before production.
3. Roll back if needed:
   • Use the previously exported config or Windows system restore if an upgrade breaks functionality.
4. Keep binaries updated:
   • Use the vendor’s recommended upgrade path and read release notes for breaking changes.

---

9. SFTP (SSH) specific issues

Symptoms: SFTP connections fail while FTP/FTPS work fine.

Causes to check:

• SSH host key missing or mismatched.
• Port or listeners for SFTP not enabled.
• User shell/permissions issues for SFTP.

Step‑by‑step fixes:

1. Enable SFTP listener:
   • In Cerberus Admin, confirm SFTP listener is enabled and set to the correct port (default 22).
2. Verify host keys:
   • Regenerate or reimport SSH host key(s) if clients report mismatch. Ensure key permissions allow Cerberus access.
3. Authentication method:
   • If using public key auth, confirm user’s public key is correctly stored in their profile and that key format is supported.
4. Test with sftp/scp client:
   • Use an SFTP client (e.g., OpenSSH sftp) with verbose mode: sftp -vvv user@host to see handshake details.

---

10. Common quick fixes checklist

• Restart Cerberus service after config changes.
• Verify Windows updates/patches haven’t impacted network services.
• Ensure time synchronization (Kerberos/AD depends on clock skew).
• Check for port conflicts with other services.
• Recreate problematic user accounts if configuration seems corrupt.

---

Example troubleshooting scenario (brief)

Problem: Remote users can connect but cannot list directories; transfers hang.

1. Confirm control connection OK (telnet to port 21).
2. Capture PASV response — server returns internal IP 192.168.x.x.
3. Fix: In Cerberus passive mode settings, set external IP (or enable STUN), open passive range in firewall, and restart service.
4. Verify: Remote client now lists directories and transfers complete.

---

If you want, I can produce a printable checklist, a shorter quick‑reference guide, or step-by-step commands tailored to your server’s Windows version and network setup.