How to Connect Legacy Implementations via FTP
Legacy implementations can access the staging server through an FTP client or the command line. For the best performance, we recommend FileZilla.
If you are experiencing issues uploading large files, increase the FTP client timeout setting to 180 seconds.
Client Settings
Use the following settings with an FTP client:
- Protocol: FTP (File Transfer Protocol)
- Encryption: Require explicit FTP over TLS (FTPS).
  - This is a security requirement. You cannot connect to the server without this setting.
  - Your network infrastructure must support FTPS traffic.
- Port: This is usually not necessary and will default to Port 21.
- Host: vlt-{POD_ID}-ftp.veevavault.com. For example, if your Vault is on POD VV1-42, your POD_ID is 42. This value will change if your Vault is migrated to a different POD.
  - Some Vaults may be able to use the host: {vaultDNS}.veevavault.com. For example, veepharm is the domain in veepharm.veevavault.com. This does not work in all configurations.
- Timeout: 180 seconds if uploading large files.
- User: {vaultDNS}.veevavault.com+{username}
  - For example, verteo.veevavault.com+johndoe@verteo.com
  - This is the same username used for your standard login.
- Password: Your login password for this Vault.
  - This is the same password used for your standard login.
  - You can also use a valid session ID.
- Login Type: Normal
- Transfer File Type: Transfer files as binary
- Transfer Mode: Passive. Active mode is not supported.
- TLS Session Reuse: If your client has this setting enabled, disable it.
The staging server does not support SAML SSO authentication.
If you have remote verification enabled on a proxy or a firewall, FTP traffic from computers on your network to Veeva file staging servers might be refused. If possible, work with your IT department to disable remote verification. If it cannot be disabled, contact Veeva Support.
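The client settings above, applied in a script with Python's standard ftplib. This is an added example, not Veeva's code; the function names are illustrative, and it assumes the POD_ID is the part of the POD name after the hyphen, as in the VV1-42 example.

```python
import ftplib
import ssl

TIMEOUT_SECONDS = 180  # the page's timeout value for large uploads


def staging_host(pod: str) -> str:
    """'VV1-42' -> 'vlt-42-ftp.veevavault.com' (assumption: POD_ID follows the hyphen)."""
    pod_id = pod.rpartition("-")[2].strip()
    if not pod_id.isalnum():
        raise ValueError(f"cannot derive POD_ID from {pod!r}")
    return f"vlt-{pod_id}-ftp.veevavault.com"


def staging_user(vault_dns: str, username: str) -> str:
    """Login name in the form {vaultDNS}.veevavault.com+{username}."""
    if not vault_dns or not username:
        raise ValueError("vault_dns and username are both required")
    return f"{vault_dns}.veevavault.com+{username}"


def upload(pod, vault_dns, username, password, local_path, remote_name):
    """Upload one file: explicit FTPS, passive mode, binary transfer."""
    # Default context verifies the certificate chain and the host name.
    ctx = ssl.create_default_context()
    with ftplib.FTP_TLS(context=ctx, timeout=TIMEOUT_SECONDS) as ftps:
        ftps.connect(staging_host(pod), 21)
        ftps.auth()          # AUTH TLS first, so credentials never travel in clear text
        ftps.login(staging_user(vault_dns, username), password)
        ftps.prot_p()        # encrypt the data channel as well as the control channel
        ftps.set_pasv(True)  # passive mode; active mode is not supported
        # ftplib performs a fresh TLS handshake for each data connection,
        # which matches the "TLS Session Reuse: disabled" setting.
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)  # binary transfer
```

Read the password from a prompt or a secret store at run time rather than writing it into the script.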
Network & Firewall Settings
In addition to your FTP client settings, your network environment may require some modification. Before trying to connect to the File Staging Server via FTP, ensure your network and firewall are configured as follows.
Outbound firewall filters must permit TCP traffic on these ports to the Host:
- 21
- 56000-56100
- If you are using the Vault Domain in the Host setting:
  - port 21 needs to be open to the Host IP address
  - 56000-56100 need to be open to the vlt-{POD_ID}-ftp.veevavault.com IP address.
  - If you have multiple Vaults on multiple PODs, please contact support for an address range that encompasses all of them.
Firewall filters should be configured by IP address, not DNS name. Your network team can retrieve the address from DNS. Some firewalls will use the DNS name for reverse lookups, which will fail. Others will scan the TLS handshake to get the connection domain name value and fail the data connections as they do not look like normal web traffic.
If the client is behind a Network Address Translation (NAT) device, the NAT device must ensure that all connections generated by the FTP session are translated to the same source IP address. NAT devices with IP address pools without “stickiness” are incompatible with the FTP service. This limitation also impacts Active-Active firewalls with separate NAT addresses but without “stickiness” for the TCP connections.