Become a Box Certified: AI Professional — and score an exclusive t-shirt reserved for the first 100 people who pass. Click here

Box Status
Print

I'm Having Trouble Using FTP with Box

Developer , User , Migration , SSO , FTP , FTPES , FTPS , two-step verification , Troubleshooting , webapp_swarm , webapp_swarm_kb , Article , Product Utilization , Box Web Application , Established

Box supports FTPS (file transfer protocol) and SFTP (SSH File Transfer Protocol, also known as Secure File Transfer Protocol) for Business and Enterprise customers. It is not available for Personal accounts (Free or Pro) or trial accounts. The purpose of FTP is for bulk migration of data. FTP is designed to be used for initial bulk upload and occasional bulk download of files from your account -- we do not recommend FTP as your main access method.

FTPS, and FTPES are supported, but not unencrypted FTP. When uploading a file with FTP, you will NOT receive email notifications. This is intentional. Please note that we support Passive mode FTPS, but not Active mode FTPS.

SFTP is also supported as a more secure option. See Using Box with SFTP

NOTE: Make sure you have FTP enabled for your account by going to the Admin Console (ask the admin of the enterprise), then going to Enterprise Settings > Box Clients > Server.  Make sure "Box FTP Server" is enabled as shown below: 

Box FTP Server enablement

To enable SFTP for your account. Ask the administrator of your enterprise to go to Admin Console > Integrations > Box SFTP Server and enable it as shown below: 

Box SFTP Server enablement

To Connect to Box with FTP Client

To Connect to Box with Finder (Advanced users on Mac)
 

FTP (Mac):

  1. On a Mac, open Finder and select Go > Connect to Server. In the Window that appears, type the FTP address in the address box:

    ftps://ftp.box.com
    Then enter your Box username and password.

  2. Click "Connect"

  3. You will then be connected to the  server in your finder window

  4. Click on any folders that appear in the text box, and download whichever files you would like by dragging them to your computer.

  5. Use the Finder "Eject" option to close the connection.

FTP with Windows Command Line:

Windows built-in FTP command line utility cannot support passive mode (even though "quote pasv" returns without any error). For customers that need command line FTP utility on Windows, please search for the "MOVEit Freely Free Command-line Client". Note: MOVEit Freely by default launches in active mode. You will need to use the -a argument when launching MOVEit Freely to start it in passive mode or use the passive command after the session is established to toggle passive mode.

FTPS with curl:

Open a terminal session

  • To connect to Box via FTPS over Port 990:
shell> curl -1 --disable-epsv --ftp-skip-pasv-ip -u username@example.com --ssl-reqd ftps://ftp.box.com:990

To upload a file (example using FTPS):

Open a terminal session:

shell> curl -1 --disable-epsv --ftp-skip-pasv-ip -u username@example.com --ssl-reqd --upload-file filename ftps://ftp.box.com/

Note: Without the trailing "/" in the dir name: "ftp://ftp.box.com/dir/", a "551 Box: Not Found" error will be generated.

To download a file (example using FTPS):

Open a terminal session:

shell> curl -u username@example.com ftps://ftp.box.com/apple.png -o ~/Downloads/apple.png

Note: Curl doesn't stay connected like a typical connect command. For further help, type either command in your terminal: man curl or curl --help

 

FTPS is FTP with support for Transport Layer Security (TLSv1.2).

FTPS has two modes of operation:

  • Implicit: Port 990 is implicit. No handshake.
  • Explicit: Port 21. Also known as FTPES.

Firewall incompatibilities

Because FTP utilizes a dynamic secondary port (for data channels), many firewalls were designed to snoop FTP protocol control messages to determine which secondary data connections they need to allow. However, if the FTP control connection is encrypted using TLS/SSL, the firewall cannot determine the TCP port number of a data connection negotiated between the client and FTP server. Therefore, in many firewalled networks, an FTPS deployment will fail when an unencrypted FTP deployment works. FTP relies on two channels to transfer data: the command channel and the data channel. If FTP is not working on your network, it could be because your firewall is blocking access to the data channel ports.

  • This problem can be resolved with the use of a limited range of ports for the data channel. 
  • Configure your firewall to allow ports 10,000 - 29,999 for the data channel.
  • If using SFTP, configure your firewall to also allow port 22.

SSO (Single Sign On)

FTP as a transfer protocol does not support single sign-on. If SSO is enabled for your account, you must create a Box-specific password to supplement your SSO login. To do this, use a browser to log in to your Box account and go to Account Settings > Account. Then scroll down (if necessary) to the Authentication section:

  • Because you are using Single Sign On (SSO), you will need to create a unique password to use with external applications that do not support SSO. If you have forgotten your current password, you may reset it.

Two-Step Verification

If you have Two-step verification turned on for your account, the workflow for logging in is as follows:

  • Try and login normally with your Box specific password
  • You will receive a text message with a six-character alphanumeric confirmation code separated by a space
  • Login again with that six-character code as your FTP password

Note: FTP is not accessible when using Authenticator App based 2-Step Verification. Please login to Box via a browser and change to SMS-based 2-Step Verification.

Certificate Updating

If your FTP client does not automatically accept certificates from ftp.box.com you can manually collect them using these steps:

On Mac/Linux run the following command:

  1. openssl s_client -showcerts -verify 5 -connect ftp.box.com:21 -starttls ftp
  2. Type "Quit" after you see "220 Service ready for new user."
  3. Save the first certificate returned. Copy all including:
    1. -----BEGIN CERTIFICATE-----
    2. -----END CERTIFICATE-----
  4. Save to a file (i.e. ftp.box.com.pem) using one of the following extensions:
    1. .pem (common for certificates and keys)
    2. .crt (used for certificates)
    3. .cer (sometimes used for certificates)
  5. Import into your FTP client.

Windows has built-in PowerShell commands that can retrieve SSL certificates.

  1. Open PowerShell as Administrator and run the following command to fetch the certificate:
  2. $tcpClient = New-Object System.Net.Sockets.TcpClient("ftp.box.com",990)
    $stream = $tcpClient.GetStream()
    $sslStream = New-Object System.Net.Security.SslStream($stream,$false)
    $sslStream.AuthenticateAsClient("ftp.box.com")
    $cert = $sslStream.RemoteCertificate
    $cert | Format-List *
    $certData = $cert.GetRawCertData()
    $base64Cert = [System.Convert]::ToBase64String($certData, 'InsertLineBreaks')
    $pemCert = "-----BEGIN CERTIFICATE-----`n$base64Cert`n-----END CERTIFICATE-----"
    $pemCert | Set-Content -Path $env:USERPROFILE\Desktop\ftp.box.com.pem"
    Write-Output "Certificate saved to: "$env:USERPROFILE\Desktop\ftp.box.com.pem"
  3. Import into your FTP client.

Notes and Troubleshooting:

  • To access Box's FTP server, you must set Box FTP Server to available. To do this, from your Admin Console, in the left navigation click Enterprise Settings > Box Clients > Server. This option should be enabled by default. If Box FTP Server is disabled, Box displays an Authentication Failed message when you attempt to log in from the FTP client.
  • To access Box's SFTP server see steps at Using Box with SFTP. If SFTP is not enabled, you will see an error when you try to authenticate: 
    • FATAL ERROR: No supported authentication methods available (server sent: Authentication failed. The API returned an error code [403] service_blocked - The application is blocked by your administrator.)
  • FTP as a transfer protocol does not support multi-factor authentication (MFA) as a part of single sign-on (SSO). If SSO is enabled for your account, you must create a Box-specific password to supplement your SSO login. To do this, use a browser to log in to your Box account and go to Account Settings > Account. Then scroll down (if necessary) to the Create External Password section.
  • FTP is not accessible when using Authenticator App based 2-Step Verification. Please login to Box via a browser and change to SMS-based 2-Step Verification.
  • The FTP protocol uses separate channels for authentication and data. Ensure all required ports are allowlisted.
    • Box supports FTPS implicit (port 990), and FTPES explicit (port 21), over passive FTP. Box does not support active FTP.
    • For the data channel, Box uses ports 10,000 - 29,999. Verify that your firewall has these ports open.
    • If using SFTP, port 22 is used. Also see: Using Box with SFTP
  • The maximum file size that can be uploaded to or downloaded from Box via FTPS is 32GB. For other options to upload and download content, see Migrate Content.
  • Box FTP does not display directories containing more than 20,000 items
    Note: Switch to SFTP to view directories containing up to 100,000 items. See: Using Box with SFTP 
  • Error: Connection timed out after 20 seconds of inactivity: Increase your timeout setting. In FileZilla, go to Preferences > Connection > Timeout to do this. Setting this to 120 seconds can be helpful for folders containing large numbers of files.
  • Resuming an upload/download: Box does not support either the REST (restart) or the APPE (append) commands. This means we do not support resumable uploads/downloads on Box for FTP. You must retry any failed upload or download. In this case FTP client log displays 551 Box: Partial-file uploads are not supported.
  • Box FTP does not support TLS session resumption on the data connection.
  • 530 Box: CAPTCHA is required. You have triggered Captcha on your account. To clear Captcha, use your Web browser and Box credentials (or External Password, if you're using SSO) to log in to app.box.com. Make sure to complete the login from the same IP address where the CAPTCHA error occurred.
  • 530 Box: Login rejected: Limit of 40 logins per user already reached.  Your Box account has more than 40 active concurrent FTP connections.
  • Request rate limit exceeded, please try again later. This message indicates that you have reached the maximum number of allowed requests within a certain time frame. To resolve this issue, please reduce the number of simultaneous connections made by your FTP client. If you continue to experience this problem, consider waiting for a few minutes before trying again, or adjust your FTP client's settings to decrease the connection rate.
  • Error on output file. You may have folder names that include trailing space characters. These are not allowed. Rename any folders to remove the extra space.
  • To increase security, we deprecated many old ciphers:
    https://support.box.com/hc/en-us/articles/38411457258387-Legacy-SSL-CBC-mode-Cipher-for-FTPS-End-of-Life-EOL-Notice
  • Upgrade your FTPS/SFTP clients to use stronger encryption ciphers and TLSv1.2 (TLSv1.0 and TLS 1.1 are no longer supported). Your client must use one of these allowed encryption ciphers:
    • chacha20-poly1305@openssh.com
    • aes128-ctr, aes192-ctr, aes256-ctr
    • aes128-gcm@openssh.com, aes256-gcm@openssh.com

If you contact Box Support, please be sure to include a detailed/verbose copy of your FTP client log. If using SFTP, see steps for enabling verbose logging in the troubleshooting section of Using Box with SFTP.

webapp_swarm_kb

Related articles