Connect an SFTP client to Bastionhost to transfer files between your local machine and managed assets, with all operations automatically audited. This topic covers two SFTP clients: SecureFX and FileZilla.
Prerequisites
Before you begin, ensure that you have:
Assets and users added to Bastionhost, with users authorized to access the assets. See Create a host, Manage users, and Authorize assets and asset accounts.
The O&M address of your Bastionhost instance. Find it on the Overview page in the Bastion Host Information area. See Bastionhost page overview for details.
Bastionhost assigns a fixed O&M address in domain name format and uses dynamic IP addresses to ensure security against attacks. Always use the domain name — not the resolved IP address — to avoid connection failures caused by IP changes.

SecureFX or FileZilla installed on your macOS machine
How it works
Both SecureFX and FileZilla route Secure File Transfer Protocol (SFTP) traffic through Bastionhost to your managed assets, so all file transfer activity is logged and auditable.
SecureFX connects directly to Bastionhost over SSH on port 60022. After authenticating, you browse assets from within the client.
FileZilla does not support SSH proxies natively. Instead, open a local SOCKS5 tunnel via the command line — connecting to Bastionhost on port 60022 — then point FileZilla through that tunnel directly to the asset's IP address on port 22.
Use SecureFX
Start SecureFX.
In the upper-left corner, click Connect. In the dialog box, click the icon.
In the dialog box, enter the O&M address of the bastion host in the Hostname field, set the port to 60022, enter your Bastionhost username, and click OK. The default SSH port is 60022. To change the port, see Configure the bastion host port number.

Select the bastion host entry and click Connect.

In the Enter Secure Shell Password dialog box, enter the username and password of your Bastionhost account and click OK.

If two-factor authentication (2FA) is enabled for your Bastionhost user, enter the verification code and click OK. To configure 2FA, see Enable two-factor authentication.

After logging on, browse to the asset management page. Double-click a transcoding directory (ignore any error message that appears), then right-click the blank area and select Refresh to transcode the host directory name.
If the asset directory is not accessible, try the following:
Verify that the host account credentials are stored in Bastionhost. If not, add them. See Manage a host account.
Clear the SecureFX cache.
If the issue persists, join DingTalk group 33797269 for technical support.
For more troubleshooting guidance, see FAQ about SFTP-based file transmission.

(Optional) Log on to the Bastionhost console to review the audit records for file upload and download operations. See Log on to the console of a bastion host and Search for and view sessions.
Use FileZilla
FileZilla does not support SSH proxy configuration natively. The setup has two stages: open a SOCKS5 tunnel through Bastionhost, then connect FileZilla through that tunnel to the target asset.
Stage 1: Open a SOCKS5 tunnel
Open a terminal.
Run the following command to establish a SOCKS5 tunnel through Bastionhost:
ssh -T -N -D 127.0.0.1:1080 -oport=60022 <bastionhost-username>@<bastionhost-om-address>
Replace the placeholders:
Placeholder                 Description
<bastionhost-username>      Your Bastionhost account username
<bastionhost-om-address>    The O&M address of your Bastionhost instance (domain name format)
The default SSH port is 60022. To change it, see Configure the bastion host port number.

Enter your Bastionhost account password and press Enter. Keep the terminal window open — closing it terminates the tunnel.
If two-factor authentication (2FA) is enabled for your Bastionhost user, enter the verification code. To configure 2FA, see Enable two-factor authentication.
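An added example, not part of the Bastionhost documentation: a shell wrapper for the Stage 1 command that refuses an IP literal in place of the O&M domain name and rejects arguments that ssh could read as options. The function names, exit codes and validation rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Bastionhost documentation. Function names,
# exit codes and validation rules are assumptions of this sketch.

SOCKS_BIND="127.0.0.1:1080"   # loopback only, same as the command above

# Returns 0 if $1 is an IP literal rather than a domain name.
is_ip_literal() {
    case "$1" in
        '')        return 1 ;;
        *:*)       return 0 ;;   # contains ':'            -> IPv6 literal
        *[!0-9.]*) return 1 ;;   # has a letter or hyphen  -> a name
        *)         return 0 ;;   # digits and dots only    -> IPv4 literal
    esac
}

# Prints the tunnel command for user $1, O&M address $2, port $3 (default 60022).
# Returns 2 for a malformed argument, 3 for an IP literal as the address.
tunnel_cmd() {
    user=$1 host=$2 port=${3:-60022}
    # A leading '-' would let ssh parse the value as an option.
    case "$user" in ''|-*|*' '*|*@*) echo "bad username" >&2; return 2 ;; esac
    case "$host" in ''|-*)           echo "bad address" >&2;  return 2 ;; esac
    if is_ip_literal "$host"; then
        echo "use the O&M domain name, not a resolved IP" >&2; return 3
    fi
    case "$host" in *[!A-Za-z0-9.-]*) echo "bad address" >&2; return 2 ;; esac
    case "$port" in ''|*[!0-9]*|??????*) echo "bad port" >&2; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port" >&2; return 2
    fi
    printf 'ssh -T -N -D %s -oport=%s %s@%s\n' "$SOCKS_BIND" "$port" "$user" "$host"
}

# Validates the arguments, then runs ssh with each value quoted.
open_tunnel() {
    tunnel_cmd "$@" >/dev/null || return
    ssh -T -N -D "$SOCKS_BIND" -oport="${3:-60022}" "$1@$2"
}

# Usage: open_tunnel <bastionhost-username> <bastionhost-om-address>
```

Source the file and call open_tunnel in the terminal you keep open for the session; tunnel_cmd alone prints the command without running it.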
Stage 2: Connect FileZilla through the tunnel
Start FileZilla and go to Settings. Under Generic proxy, select SOCKS5, enter 127.0.0.1 in the Proxy host field, enter 1080 in the Proxy port field, and click OK.
Open Site Manager and click New site. Fill in the following fields and click Connect:
Field         Value
Host          IP address of the target asset
Port          22
Logon Type    Normal
Username      Host account username on the asset
Password      Host account password on the asset
In the confirmation dialog box, click OK.
After the connection is established, transfer files between your local machine and the asset. All operations are audited through Bastionhost.
(Optional) Log on to the Bastionhost console to review the audit records for file upload and download operations. See Log on to the console of a bastion host and Search for and view sessions.
What's next
Review common issues and solutions for SFTP file transfer in FAQ about SFTP-based file transmission.