How to lose $1,000 in 30 seconds.

A little over a month ago I was asked to set up a SFTP server so that our clients could transfer files securely. SFTP is a bit of a misnomer, you would expect it to be a subset of FTP, but it's not. SFTP is actually its own protocol designed as an extension to SSH. The further confuse the issue, SFTP is not the same as FTPS - a little used SSL version of FTP.

I knew that SFTP was more on the Linux side of things, so I decided at first to use linux for this. Even though I'm primarily a Windows shop, I firmly believe in the right tool for the job. I even got a bit of budget to buy RHEL for it. Unfortunately, as I came to find out after trying to set it up, there is a limitation that had me running to another solution. The limitation was part of a requirement handed to me - I couldn't allow our clients to traverse directories and get a list of our other clients. The way openssh implements chroot allows for this to happen and there's no way around it. Your SFTP users will end up in their own directory, but a simple "cd ../ls" will show them a list of your clients (or root directory). I later read that proftpd may not do that, but by then I had opted for a Windows solution.

There are a number of products out there that will do SFTP on Windows - some free, some not. Because this would be something I would be running in a production environment that is client facing, the solution had to include a support option. This narrowed my choices to Serv-U and WS_FTP. I've used both in the past and I always had a pretty decent impression of Serv-U so I installed a demo and started to run it through its paces.

Part of my requirements was that it had to play nice with my large prosumer NAS that I use for cheap disk space. Serv-U was working beautifully up to that point, but from what I could tell it wouldn't do impersonation and it relied upon the service credentials to work properly. This wouldn't normally be an issue if the space was located on a Windows server that was on my domain, but the NAS device has never played nicely with active directory and user credentials. So I decided to give Serv-U support a call to see if they had a quick answer.

I placed the call, and in short order was connected to customer service (funny enough, I was talking to the same guy that did the phone tree!). I informed him that I had a quick 30 second presales question and I was ready to purchase his product immediately if I could get a quick answer.

I was shocked when the gentleman told me that they wouldn't take my question because they didn't do presales support via phone and I had to send in an email and would get a response within a couple of days. When I told him (politely, seriously) that I had my credit card in hand and was ready to purchase the product if I could get an answer to my question he balked and told me again that I could only send an email. He actually managed to sound annoyed that I had even called to begin with.

I know, some of you readers may be asking, "Why not just send in an email? He gave you an option! Stop being so unreasonable" Well, a few reasons - for one, I had to get a solution in that day. The second reason, and something more important to me personally - the guy was just plain rude about it. Here I am, a potential customer ready to purchase his product for $1000 - no small sum - and he was annoyed I was calling for a presales question!

Serv-U being out of the running, I installed the WS_FTP demo and it worked beautifully and I purchased it later that day. It was more expensive - in fact, almost $500 more, but I was willing to pay for it if it worked.

And that my friends, is how you lose $1,000 in 30 seconds.