Box Status
Print

I'm Having Trouble Using FTP with Box

Developer , User , Migration , SSO , FTP , FTPES , FTPS , two-step verification , Troubleshooting , webapp_swarm , webapp_swarm_kb , Article , Product Utilization , Box Web Application , Established

Box supports FTPS (file transfer protocol) for Business and Enterprise customers. It is not available for Personal accounts (Free or Pro) or trial accounts. The purpose of FTP is for bulk migration of data. FTP is designed to be used for initial bulk upload and occasional bulk download of files from your account -- we do not recommend FTP as your main access method.

FTPS, and FTPES are supported, but not unencrypted FTP or SFTP. When uploading a file with FTP, you will NOT receive email notifications. This is intentional. Please note that we support Passive mode FTPS, but not Active mode FTPS.

NOTE: Make sure you have FTP enabled for your account by going to the Admin console (ask the admin of the enterprise), then going to Integrations, and expand the Server section.  Make sure "Box FTP Server" is enabled.

To Connect to Box with FTP Client

To Connect to Box with Finder (Advanced users on Mac)

FTP (Mac):

  1. On a Mac, open Finder and select Go > Connect to Server. In the Window that appears, type the FTP address in the address box:

    ftps://ftp.box.com
    Then enter your Box username and password.

  2. Click "Connect"

  3. You will then be connected to the  server in your finder window

  4. Click on any folders that appear in the text box, and download whichever files you would like by dragging them to your computer.

  5. Use the Finder "Eject" option to close the connection.

FTP with Windows Command Line:

Windows built-in FTP command line utility cannot support passive mode (even though "quote pasv" returns without any error). For customers that need command line FTP utility on Windows, please search for the "MOVEit Freely Free Command-line Client". Note: MOVEit Freely by default launches in active mode. You will need to use the -a argument when launching MOVEit Freely to start it in passive mode or use the passive command after the session is established to toggle passive mode.

FTPS with curl:

Open a terminal session

  • To connect to Box via FTPS over Port 990:
shell> curl -1 --disable-epsv --ftp-skip-pasv-ip -u username@example.com --ssl-reqd ftps://ftp.box.com:990

To upload a file (example using FTPS):

Open a terminal session:

shell> curl -1 --disable-epsv --ftp-skip-pasv-ip -u username@example.com --ssl-reqd --upload-file filename ftps://ftp.box.com/

Note: Without the trailing "/" in the dir name: "ftp://ftp.box.com/dir/", a "551 Box: Not Found" error will be generated.

To download a file (example using FTPS):

Open a terminal session:

shell> curl -u username@example.com ftps://ftp.box.com/apple.png -o ~/Downloads/apple.png

Note: Curl doesn't stay connected like a typical connect command. For further help, type either command in your terminal: man curl or curl --help

 

FTPS is FTP with support for Transport Layer Security (TLSv1.2).

FTPS has two modes of operation:

  • Implicit: Port 990 is implicit. No handshake.
  • Explicit: Port 21. Also known as FTPES.

Firewall incompatibilities

Because FTP utilizes a dynamic secondary port (for data channels), many firewalls were designed to snoop FTP protocol control messages to determine which secondary data connections they need to allow. However, if the FTP control connection is encrypted using TLS/SSL, the firewall cannot determine the TCP port number of a data connection negotiated between the client and FTP server. Therefore, in many firewalled networks, an FTPS deployment will fail when an unencrypted FTP deployment works. FTP relies on two channels to transfer data: the command channel and the data channel. If FTP is not working on your network, it could be because your firewall is blocking access to the data channel ports.

  • This problem can be resolved with the use of a limited range of ports for the data channel. 
  • Configure your firewall to allow ports 10,000 - 29,999 for the data channel.

SSO (Single Sign On)

FTP as a transfer protocol does not support single sign-on. If SSO is enabled for your account, you must create a Box-specific password to supplement your SSO login. To do this, use a browser to log in to your Box account and go to Account Settings > Account. Then scroll down (if necessary) to the Authentication section:

  • Because you are using Single Sign On (SSO), you will need to create a unique password to use with external applications that do not support SSO. If you have forgotten your current password, you may reset it.

Two-Step Verification

If you have Two-step verification turned on for your account, the workflow for logging in is as follows:

  • Try and login normally with your Box specific password
  • You will receive a text message with a six-character alphanumeric confirmation code separated by a space
  • Login again with that six-character code as your FTP password

Certificate Updating

If your FTP client does not automatically accept certificates from ftp.box.com you can manually collect them using these steps:

On Mac/Linux run the following command:

  1. openssl s_client -showcerts -verify 5 -connect ftp.box.com:21 -starttls ftp
  2. Type "Quit" after you see "220 Service ready for new user."
  3. Save the first certificate returned. Copy all including:
    1. -----BEGIN CERTIFICATE-----
    2. -----END CERTIFICATE-----
  4. Save to a file (i.e. ftp.box.com.pem) using one of the following extensions:
    1. .pem (common for certificates and keys)
    2. .crt (used for certificates)
    3. .cer (sometimes used for certificates)
  5. Import into your FTP client.

Windows has built-in PowerShell commands that can retrieve SSL certificates.

  1. Open PowerShell as Administrator and run the following command to fetch the certificate:

  2. $tcpClient = New-Object System.Net.Sockets.TcpClient("ftp.box.com",990)
    $stream = $tcpClient.GetStream()
    $sslStream = New-Object System.Net.Security.SslStream($stream,$false)
    $sslStream.AuthenticateAsClient("ftp.box.com")
    $cert = $sslStream.RemoteCertificate
    $cert | Format-List *
    $certData = $cert.GetRawCertData()
    $base64Cert = [System.Convert]::ToBase64String($certData, 'InsertLineBreaks')
    $pemCert = "-----BEGIN CERTIFICATE-----`n$base64Cert`n-----END CERTIFICATE-----"
    $pemCert | Set-Content -Path $env:USERPROFILE\Desktop\ftp.box.com.pem"
    Write-Output "Certificate saved to: "$env:USERPROFILE\Desktop\ftp.box.com.pem"
  3. Iimport into your FTP client.

Notes and Troubleshooting:

  • To access Box's FTP server, you must set Box FTP Server to available. To do this, from your Admin Console, in the left navigation click Integrations > Server. This option should be set to available by default. If Box FTP Server is disabled, Box displays an Authentication Failed message when you attempt to log in from the FTP client.
  • FTP as a transfer protocol does not support multi-factor authentication (MFA) as a part of single sign-on (SSO). If SSO is enabled for your account, you must create a Box-specific password to supplement your SSO login. To do this, use a browser to log in to your Box account and go to Account Settings > Account. Then scroll down (if necessary) to the Create External Password section.
  • The FTP protocol uses separate channels for authentication and data. Ensure all required ports are allowlisted.
    • Box supports FTPS implicit (port 990), and FTPES explicit (port 21), over passive FTP. Box does not support active FTP or SFTP.
    • For the data channel, Box uses ports 10,000 - 29,999. Verify that your firewall has these ports open.
  • The maximum file size that can be uploaded to or downloaded from Box via FTPS is 32GB. For other options to upload and download content, see Migrate Content.
  • Box does not display directories containing more than 20,000 items.
  • Error: Connection timed out after 20 seconds of inactivity: Increase your timeout setting. In Filezilla, go to Preferences > Connection > Timeout to do this. Setting this to 120 seconds can be helpful for folders containing large numbers of files.
  • Resuming an upload/download: Box does not support either the REST (restart) or the APPE (append) commands. This means we do not support resumable uploads/downloads on Box for FTP. You must retry any failed upload or download. In this case FTP client log displays 551 Box: Partial-file uploads are not supported.
  • Box FTP does not support TLS session resumption on the data connection.
  • 530 Box: CAPTCHA is required. You have triggered Captcha on your account. To clear Captcha, use your Web browser and Box credentials (or External Password, if you're using SSO) to log in to app.box.com.
  • 530 Box: Login rejected: Limit of 40 logins per user already reached.  Your Box account has more than 40 active concurrent FTP connections.
  • Error on output file. You may have folder names that include trailing space characters. These are not allowed. Rename any folders to remove the extra space.
  • Request rate limit exceeded, please try again later. Reduce the number of simultaneous connections from your FTP client.

If you contact Box Support, please be sure to include a detailed/verbose copy of your FTP client log.

webapp_swarm_kb

Related articles