GlobalSCAPE FIPS Secure FTP Server User Guide
Secure FTP Server (FIPS) v3.3
User Guide
GlobalSCAPE, Inc. (GSB)
Corporate Headquarters
Address:
6000 Northwest Parkway, Suite 100
San Antonio, TX (USA) 78249
Sales: (210) 308-8267
Sales (Toll Free): (800) 290-5054
Technical Support: (210) 366-3993
Web Support: http://www.globalscape.com/support/
© 2004-2008 GlobalSCAPE, Inc. All Rights Reserved
Introduction to Secure FTP Server - FIPS
GlobalSCAPE ® Secure FTP Server - FIPS is a hardened file/data transfer server that provides secure data transactions over standard Internet protocols. Secure FTP Server - FIPS supports operation with the GlobalSCAPE Cryptographic Module (GSCM).
Secure FTP Server - FIPS extends beyond standard FTP servers by providing support for:
• Multiple protocols: FTP, FTP/S (SSL/TLS), optionally SFTP (SSH2) and HTTP/S (SSL)
• Post-transaction processing using highly configurable event rules
• Data reliability and integrity guarantees
• Automation of complex and time-consuming tasks
• Local and remote administration of multiple servers and/or sites
• Flexible authentication choices
• Highly configurable user, account, and site settings
Secure FTP Server - FIPS provides:
Data Protection and Encryption - GlobalSCAPE Secure FTP Server - FIPS protects intellectual property, trade secrets, and customer files transferred over the Internet using secure protocols including FTPS (SSL/TLS), and optionally SFTP (SSH2) and HTTP/S (SSL).
Guaranteed Delivery and Data Integrity - Secure FTP Server - FIPS extends the industry standard FTP with strong reliability features, including post-transmission integrity verification, mid-file recovery, and automatic restart.
Tracking and Auditing - Secure data delivery requires strong audit trails for tracking and non-repudiation. Secure FTP Server - FIPS provides industry standard logging (W3C, NCSA, Microsoft IIS Extended), email notification of completed transactions, and digital certificates for proof of identity.
Programmatic Interface - Secure FTP Server - FIPS can be controlled through its Windows Administrator Interface, or through its Component Object Model (COM) interface. The COM API is a programmatic interface that lets you control the server from your own custom applications using any COM-enabled programming language.
Accelerated Transfers - Secure FTP Server - FIPS supports multi-part (segmented) transfers for faster delivery of large files over large geographical distances. Multi-part transfers require the use of compatible clients such as CuteFTP Professional.
Life-Cycle Management - Secure FTP Server - FIPS lets you quickly and efficiently manage the removal of users, manage temporary accounts, and address the revocation and, if necessary, re-issuance of expired or compromised public keys or certificates.
Authentication and Authorization - Secure FTP Server - FIPS supports password, public-key, or one-time-password authentication. User profiles can be managed internally or externally through NTLM, Active Directory (AD), or ODBC data sources.
User and Group Management - Manage system resources including bandwidth, folder access, file types and more using granular or site-wide controls provided for user and group management. Visually manage folder permissions via Explorer-like Virtual File System view. Inherit or override permissions, grant administrative, guest, or anonymous permissions or deny access altogether.
FIPS 140-2 Certification
The Federal Information Processing Standard (FIPS) Publication 140-2 specifies the security requirements of cryptographic modules used to protect sensitive information. Secure FTP Server - FIPS supports operation with the FIPS 140-2 Validated GlobalSCAPE Cryptographic Module (GSCM). Secure FTP Server - FIPS is designed to operate only with the GSCM initialized into the FIPS-approved mode; you cannot operate the Secure FTP Server - FIPS application without the GSCM being initialized into the FIPS-approved mode.
When the Secure FTP Server - FIPS application is started, a series of startup tests, including Known Answer Tests (KAT) and library-integrity checks, determine whether the GSCM is initialized successfully. If the GSCM is not initialized successfully, encryption services are disabled, an error message appears, all Sites and protocols are disabled, and a Windows Event log is created.
If GSCM initialization fails, when you attempt to restart the Site, a message indicates that the Site cannot be restarted, because GSCM initialization failed. After you dismiss the message, the Secure FTP Server Administrator (client) closes. If restarting the Server service does not correct the issue, contact GlobalSCAPE Customer Support for assistance.
FIPS-Compliant Protocols and Ciphers
The Secure FTP Server - FIPS application supports all of the file transfer protocols currently supported by the non-FIPS version of Secure FTP Server (FTP, FTPS, SFTP, HTTP, and HTTPS). SSL protocols (FTPS or HTTPS) are FIPS-compliant protocols. The SSL library is loaded when the Server service is started, and a message box displays which protocols are in use and which of the protocols in use are FIPS compliant.
The FIPS-compliant protocols (HTTPS and FTPS) use the FIPS-approved algorithms provided by the FIPS 140-2 validated GlobalSCAPE Cryptographic Module (GSCM) for SSL/TLS and certificate generation. Imported certificates that were signed using non-FIPS compliant algorithms will be invalid. FIPS-approved cryptographic algorithms are listed in the table below.
The following cipher combinations are supported during SSL/TLS negotiation:
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC
Approved Cryptographic Algorithms
When operating in FIPS Mode, the GSCM provides the following FIPS-approved cryptographic algorithms:
• Triple-DES
• Advanced Encryption Standard (AES)
• Digital Signature Algorithm (DSA)
• Rivest, Shamir, Adleman (RSA) for Digital Signatures
• Secure Hashing Algorithm (SHA-1 and SHA-2)
• ANSI X9.31 Appendix A.2.4 pseudo-random number generation
The following table summarizes the set of FIPS approved cryptographic algorithms.
Algorithm Type | Algorithm | Standard | Algorithm Validation Certificate | Use
Symmetric Cipher | Triple-DES - CBC, CFB8, CFB64, ECB, OFB modes | SP800-67 | 586 | Encryption, Decryption
Symmetric Cipher | AES (128, 192, 256 bit keys) - CBC, CFB8, CFB128, ECB, OFB modes | FIPS 197 | 618 | Encryption, Decryption
Asymmetric Algorithm | RSA | ANSI X9.31 (Ref: 10), RSASSA-PKCS1_V1_5 (Ref: 11), RSASSA-PSS | 287 | Signature Generation, Signature Verification
Asymmetric Algorithm | DSA | FIPS 186-2 | 240 | Signature Generation, Signature Verification
Message Digest | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | FIPS 180-2 | 666 | Hashing
Message Authentication | HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | FIPS 198 | 320 | Integrity
Random Number Generation | ANSI X9.31 Appendix A.2.4 | ANSI X9.31 Appendix A.2.4 | 388 | Random Number Generation
Non-Approved Cryptographic Algorithms
When the GSCM is operating in FIPS-approved mode, a small subset of additional non-FIPS approved algorithms are allowed by the FIPS 140-2 standard and provided by the GSCM.
The following table summarizes the set of non-approved cryptographic algorithms allowed while in the FIPS-approved mode of operation.
Algorithm Type | Algorithm | Standard | Use
Asymmetric Algorithm | DH (provides 80 to 256 bits of equivalent encryption strength) | ANSI X9.42-2001 (Ref: 13) | Key Agreement
Asymmetric Algorithm | RSA (provides 80 to 150 bits of equivalent encryption strength) | PKCS #1 (Ref: 11) | Key Wrapping
Installing and Activating the Software
System Requirements
In order for the server to run effectively, you need to have:
• Windows 2000 or later
• 400 MHz Pentium II or higher
• 128 MB minimum (256MB+ suggested) of free memory
• Any Windows-compatible display system
• Internet Explorer 4.0 or higher
• A working Internet connection for product registration and for the product trial. An internet connection is not required to run a registered copy.
Activating the Software
You must register the software with either a serial number or a trial serial number before you can use it.
Registration must be performed through the Administrator on the server computer. You cannot register through a remote installation of the Administrator.
You can also email the manual registration information to GlobalSCAPE Technical Support. GlobalSCAPE will confirm your registration and send you a .reg file. You can send the email from any computer with Internet access; just remember to transfer the .reg file to the computer on which you are installing the software.
To register the Server
1. Start the Administrator.
2. Provide the user name and password to connect to the Server.
3. On the main menu, click Help, then click Enter Secure Server (FIPS) Serial Number.
5. On the Personal Details page, provide your name, email address, company, and address, then click Next. If the registration fails, choose from the following:
• Retry online registration
• Launch Web registration form. This takes you to the GlobalSCAPE Web site where you can register.
• Email a registration request to GlobalSCAPE Support. A support representative will contact you with your registration information.
6. If you are behind a proxy, click Configure HTTP Proxy to configure the proxy settings.
Note:
If a firewall or a proxy server is in use, your network administrator should ensure that port 80 is open during the registration process.
7. If activation is successful, a message confirming activation appears. Click OK.
Note:
The SFTP module is optional and requires purchase of an SFTP Module License.
Activating the Modules
If you are using one of the modules, you must activate them in the Administrator. On the main menu, the Help submenu provides options for entering the serial number of purchased modules.
To activate the Modules
1. On the main menu, click Help, then click one of the following:
• To activate SFTP, click Enter SFTP Module Serial Number.
• To activate HTTP/S, click Enter HTTP/S Serial Number.
• To activate ARM, click Enter ARM Serial Number.
The Registration Wizard appears.
2. Follow the instructions in the wizard to complete the activation process.
3. Refer to the applicable topics in the help file for configuring SFTP, HTTP/S, and ARM.
Upgrading the Software
• If you are upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS), see the procedure Upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS).
• If you are upgrading a non-FIPS version of Secure FTP Server to a newer non-FIPS version of Secure FTP Server, use the following procedure. The upgrade or update process does not reset or otherwise affect your server configuration or user settings.
Note:
If you have installed clients, you must run the installer on each remote computer.
To upgrade from a non-FIPS version to a newer non-FIPS version
1. Download the most recent release of Secure FTP Server from http://www.globalscape.com/support/reg.asp and save it to your desktop.
2. Document the administrator account user name and password for the existing FTP server.
4. Back up the existing Server installation folder. At a minimum, the following files should be saved:
• *.aud (User database)
• *.cfg (Site configuration and user permissions)
• *.bak (Backup of .cfg file from previous session)
• *.pvk (SSH key pair)
• *.crt (Certificate)
• *.key (Private keys)
• Any other third-party certificate or key files you may be using.
5. Execute the file that you downloaded (gsftps.exe), click Repair, then click Next and follow the instructions.
6. When the upgrade or update is finished,
.
Upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)
If you are upgrading from a non-FIPS version of Secure FTP Server (versions 3.0 to 3.3) to Secure FTP Server (FIPS), the installer determines whether an old version of Secure FTP Server exists on the system. The installer will not upgrade versions prior to 3.0.
If a prior version is detected you will be asked if you want to keep the current configuration. If you click Yes, then the following occurs:
• The old configuration file is copied to the new Secure FTP Server (FIPS) installation directory.
• The old Server service is stopped and disabled.
• You are not prompted for an initial administrator or database username or password.
If the migration is successful, the FIPS installation attempts to use the configuration and certificate files from the previous version of Secure FTP Server in their original location. The service or Sites will not start if the certificates do not meet FIPS requirements.
Note:
Do not move or delete any of the files in the prior version's installation folders. The new installation of Secure FTP Server (FIPS) will look for important files in the prior installation location. If you want to remove the old version, ensure that the new installation is working before uninstalling the prior version.
If an error occurs when copying over the previous configuration or if you selected not to copy the configuration over (e.g., you installed to a different computer) then follow the steps below to manually upgrade.
Remote Clients
A remote Secure FTP Server client (Administrator interface) cannot connect to a Secure FTP Server (FIPS) service. Once the configuration files are copied over to the new installation folder, your remote clients that previously connected to the Secure FTP Server service will attempt to connect to the Secure FTP Server (FIPS) service. You must configure the remote clients to use a different port to connect to the Server if you are not disabling or removing the non-FIPS Server service.
SSL Authentication Error on Connection to Secure FTP Server (FIPS)
After the installation has completed, if an SSL authentication error occurs when you connect to the Server, there may be a problem with your SSL certificates due to FIPS 140-2 hashing function requirements. If the certificates used by the Server are signed with MD5, not SHA-1, you will need to recreate or import certificates that are signed with SHA-1.
To correct the SSL authentication error
• Certificates created in Secure FTP Server and some 3rd-party generated certificates employ an MD5 hashing function. FIPS 140-2 requires the SHA-1 hashing function instead. Do one of the following:
o Create new certificates in the Server. Refer to Creating Certificates for details.
o Redirect SSL settings to the correct certificates. Refer to details.
o For 3rd-party certificates, you will need to repurchase or reacquire the certificate pair and request that the certificates use SHA-1 instead of MD5.
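Whether a certificate will trip the MD5 check above can be read from its signatureAlgorithm field before it is imported. The following is an added example, not code from GlobalSCAPE or from the product: a minimal DER walker that reports the signature hash and whether it is one this guide lists as FIPS-approved (SHA-1 or SHA-2). The function names are mine, the OID table holds the standard PKCS #1 and DSA signature identifiers, and the certificate-shaped DER used as sample input is constructed here and is not a real certificate.

```python
import base64
import re

# Signature-algorithm OIDs (PKCS #1 / DSA identifiers) mapped to their hash.
# The guide lists SHA-1 and SHA-2 as approved; MD5 is not.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.113549.1.1.14": "SHA-224",  # sha224WithRSAEncryption
    "1.2.840.10040.4.3": "SHA-1",        # dsaWithSHA1
}
FIPS_HASHES = {"SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_cert_bytes(data):
    """Accept PEM or DER input and return raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 layout:
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate, skipped
    tag, sig_alg, _ = _read_tlv(cert_body, pos)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)       # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)


def signature_hash(cert_data):
    """Hash name behind the signature, or 'UNKNOWN(<oid>)' if not in the table."""
    oid = signature_oid(load_cert_bytes(cert_data))
    return SIGNATURE_OIDS.get(oid, "UNKNOWN(%s)" % oid)


def is_fips_signature(cert_data):
    """True only when the certificate's signature hash is SHA-1 or SHA-2."""
    return signature_hash(cert_data) in FIPS_HASHES


# ---- Constructed sample input (certificate-shaped, NOT a real certificate) ----
def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_sample_cert(oid_der):
    """Outer SEQUENCE with a placeholder tbsCertificate and the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                     # placeholder body
    sig_alg = _der(0x30, _der(0x06, oid_der) + b"\x05\x00")   # OID + NULL params
    sig_val = _der(0x03, b"\x00" * 9)                         # dummy BIT STRING
    return _der(0x30, tbs + sig_alg + sig_val)


def to_pem(der):
    """Wrap DER bytes in PEM armor so load_cert_bytes() can be exercised."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


# Well-known DER encodings of three RSA signature OIDs from the table above
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")

if __name__ == "__main__":
    for name, oid in (("md5", MD5_RSA_OID), ("sha1", SHA1_RSA_OID), ("sha256", SHA256_RSA_OID)):
        cert = make_sample_cert(oid)
        print(name, signature_hash(cert), "FIPS-usable:", is_fips_signature(cert))
```

On a real .crt file the same answer is visible in the Signature Algorithm line of `openssl x509 -in server.crt -noout -text`.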
To manually upgrade from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)
1. Stop the prior version's Server service. If the service is configured to start automatically when Windows starts, in the Windows Services dialog box, change its properties to disabled. (If you want to keep it running in parallel, make sure the IP ports are unique for the protocols in use so that it does not cause a port conflict.)
a. In the Windows Services dialog box, right-click the service, then click Properties.
2. Run the Secure FTP Server (FIPS) installer (gsftps_fips.exe).
3. Leave the non-FIPS Secure FTP Server installation as is, but copy (not move) the configuration file (FTP.cfg) to the Secure FTP Server (FIPS) installation location.
Do not copy any user- or application-created files (.aud, .bak, .crt, .key, .pvk), because FTP.cfg references the prior Secure FTP Server installation directory for those files. If the Server cannot locate the files, it will recreate them, and you will lose any prior configuration, user accounts, certificates, etc.
4.
and open the Administrator interface.
5. In the Administrator, edit the various Server and Site settings to point to the new paths in the FIPS installation folder for the .aud, and other user/server-created files. (You also need to do this on each client computer after you run the installer to upgrade the Administrator.)
6. Copy the old files over to new installation folder.
7. Confirm that they are read in. Stop the service, rename the prior installation folder, then start the FIPS service, with no errors.
8. You can now delete the files from the prior installation or uninstall the prior version; however, it is not necessary. Just make sure everything is working (users, groups, VFS, settings) as you want them before you delete or uninstall anything.
If you need additional information or help, visit the Support Center.
Setting Windows System Services
Windows NT Permission Rules
In order to secure your system, you should create a user account for the Server and grant restrictive permissions to that user account. When you are assigning permissions to individual folders or directories in Windows NT, you may want to reference the following rules. These rules differ somewhat from the VFS rules that govern Server permissions.
The rules below determine the permissions that are ultimately granted to a user in Windows NT:
1. Explicit denial: All users or groups assigned "No Access"
If the user or a group that the user is in has been assigned "No Access," that user is explicitly prohibited from using the file, folder, or drive. No other permissions will change this.
2. Cumulative permissions: Permissions are combined when a user is not explicitly denied access
If the user is not explicitly denied access, the user's permissions are combined. For example, if user Cal is given read and write permissions for Folder1, and Cal is also in a group that is given execute permissions for that folder, then Cal will be able to read, write, and execute files in Folder1.
3. Implicit denial: A user or group that has never been granted any access at all will not be given access
If the user or a group containing the user is not granted any permissions, that user or group will be denied access. Access must be specifically granted.
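The three rules above resolve to a small evaluation order: any "No Access" entry on the user or one of the user's groups wins, otherwise grants accumulate, and no grant at all means no access. The following is an added example, not from the guide or the product: a model of that resolution plus a least-privilege check of the kind you would apply to the Server's service account. Group membership, the ACL for Folder1 and the GSFTPServer entry are constructed sample data; the code does not call the Windows ACL APIs.

```python
# Model of the three Windows NT permission rules (added example, not from the guide).

NO_ACCESS = "No Access"                # the explicit-denial access level
ALL_PERMISSIONS = frozenset("RWXDPO")  # Read, Write, Execute, Delete, Edit permissions, Take ownership

# Constructed sample data: group membership and an ACL for Folder1.
# Each ACL entry is (principal, grant); grant is a set of permission letters
# or the string NO_ACCESS. Entry order does not affect the outcome.
GROUPS = {
    "Developers": {"Cal", "Dana"},
    "Contractors": {"Dana"},
}
FOLDER1_ACL = [
    ("Cal", {"R", "W"}),               # Cal: read and write (the guide's example)
    ("Developers", {"X"}),             # Cal's group: execute
    ("Contractors", NO_ACCESS),        # everyone in Contractors is explicitly denied
    ("GSFTPServer", {"R", "W", "D"}),  # a service account granted more than it needs
]


def principals_for(user, groups):
    """The user plus every group the user is a member of."""
    return {user} | {name for name, members in groups.items() if user in members}


def effective_permissions(user, acl, groups):
    """Resolve a user's effective permissions under rule 1 (explicit denial),
    rule 2 (cumulative grants) and rule 3 (implicit denial)."""
    principals = principals_for(user, groups)
    granted = set()
    for principal, grant in acl:
        if principal not in principals:
            continue
        if grant == NO_ACCESS:
            return set()           # rule 1: No Access on the user or any group wins outright
        granted |= set(grant)      # rule 2: user and group grants accumulate
    return granted                 # rule 3: empty when nothing was ever granted


def excess_permissions(user, acl, groups, allowed):
    """Least-privilege check: permissions the user holds beyond the allowed set.
    Run this for the Server's account against the minimum it needs to operate."""
    return effective_permissions(user, acl, groups) - set(allowed)


if __name__ == "__main__":
    for user in ("Cal", "Dana", "Eve", "GSFTPServer"):
        print(user, sorted(effective_permissions(user, FOLDER1_ACL, GROUPS)))
    print("GSFTPServer excess:", sorted(excess_permissions("GSFTPServer", FOLDER1_ACL, GROUPS, {"R"})))
```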
Creating a User Account for the Server
In order to run the Server securely as a service, you need to create a user account for it in Windows.
Note:
Setting up a user account increases security, but is not required to run the Server.
To create a user account in Windows XP Professional or Windows 2000
1. After you install the Server, open the Computer Management console. (e.g., on the Desktop, right-click My Computer, then click Manage.) the
User dialog box appears.
3. Create the user account (e.g., GSFTPServer), click Create, then click Close. appears.
7. In the right pane, in the Policy column, double-click Act as part of the operating system. The
Properties dialog box appears.
9. Select the new user you just added (GSFTPServer), click Add, then click OK.
13. If necessary, assign permissions for this user account in Windows.
14. Assign the server to the new user account and log the server on as a service.
To create a user account in Windows NT
1. After you install the server, open the User Manager (Control Panel > Administrative Tools > User Manager).
2. On the main menu, click File, then click New User to create a new user account for "GSFTPServer". The User Properties dialog box appears.
3. Provide the Server's information, as shown below, then click OK.
4. On the main menu bar, click Policies, then click User Rights. The User Rights Policy dialog box appears.
6. In
8. Make sure that the drop-down list at the top of this dialog has your own computer selected. Click the Show Users button and select GSFTPServer from the list
10. Click OK in both dialogs.
11.
for this user account in Windows.
12. After assigning permissions, you should assign the server to the new user account you have created and then log the server on as a service.
Setting Windows NT Permissions for the Server
After it is installed, the Server has access to local folders and files. To run it as a service with permissions to the network and mapped drives, however, you must create an NT account for the server, assign the server service to the account, and log the server on as a service.
Using the Windows NT permissions, set the permissions of this user for files or drives to be as restrictive as possible, while still allowing the Server to run. After carefully determining which files and network folders your users will need to access, gradually increase the permissions.
Note:
Using NT Authentication, the user's permissions override the Server's permissions. For example, if the server has read-only access to folder1, but user John Doe has read and write permissions to folder1, John Doe has those same permissions when he accesses folder1 through the Server.
Windows NT permissions can be edited through the Security tab in the Properties of an object. On the Security tab, select Permissions to display and edit the permissions for the object. The appearance of this window is slightly different for files and directories, but in both cases, the following permissions can be granted to users or groups:
• R (Read)
• W (Write)
• D (Delete)
• P (Edit permissions)
• O (Take ownership)
Keep in mind that you have the option to grant or withhold read and write permissions. Read-only permissions are the most secure, because they allow users to access a file, but not to change it. For example, most users will need limited read access to the Windows folders (C, WinNT); however, most FTP Servers will not need any access to these directories at all.
In addition to the individual permissions, Windows NT permissions also provide access levels that are simply pre-built sets of the existing permissions. Typically, you assign an access level to a user rather than granting individual permissions. One such access level is called "No Access," which does not contain any permissions.
To view and edit the permissions for a folder or file
1. In Windows Explorer, right-click the file or folder, then click Properties. the files and directories and for different versions of Windows (W2K, XP, etc.).
For more information about setting permissions to folders and files, refer to the Windows Help documentation for your specific operating system. (e.g., click Start, click Help and Support, then search on keyword permission.)
Logging the Server on as a Service
Note:
The logon as a service right is automatically granted in Windows XP Professional, 2003, and 2000.
Follow the instructions below based on your operating system, or refer to the Microsoft Help pages. (Click Start, then click Help and Support.)
Windows XP Professional, Windows 2003, and Windows 2000
appears.
2. In the left pane, expand the Local Policies node, then click User Rights Assignment. The Policy name and Security Setting appear in the right pane.
3. In the right pane, double-click Log on as a service. The Log on as a service Properties dialog box appears.
4. Click the user you want to add (e.g., GSFTPServer), then click OK.
Licenses, Registrations, and Trademarks
Registrations & Trademarks
© 2001 - 2008, GlobalSCAPE, Inc. All rights reserved.
GlobalSCAPE is a registered trademark of GlobalSCAPE, Inc.
The GlobalSCAPE and Secure FTP Server - FIPS logos are trademarks of GlobalSCAPE, Inc.
Zlib License Agreement
This program includes Info-Zip Software which was used by GlobalSCAPE pursuant to the following license. zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.1, November 17th, 2003
Copyright (C) 1995-2003 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly [email protected]
Mark Adler [email protected]
Release Notes
Release notes are available in the installation directory.
Version history is also available online at http://www.globalscape.com/gsftps/history.aspx.
Configuring Secure FTP Server
Starting and Stopping the Server
The Server starts automatically and runs as a Windows system service. If you close the Administrator, the Server continues to run in the background as a system service.
To start or stop the Server with the Administrator
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Edit, then click Service Applet Settings. The Transfer Engine Service Settings dialog box appears.
3. Click box.
To start or stop the server using the Services option in the Control Panel
2. In the Name column, click GlobalSCAPE Secure FTP Server (FIPS), then right-click and click Start (or Stop).
To start or stop the server from the command line
3. Click OK.
4. To start the Server, at the prompt type:
Net start "globalscape secure ftp server"
(Include the quotation marks.)
5. To stop the Server, at the prompt type:
Net stop "globalscape secure ftp server"
(Include the quotation marks.)
6. After the service is started or stopped, type Exit.
Note:
If Install service is the only button enabled in the Transfer Engine Service Settings dialog box, click it, then click Start service.
WARNING:
Any time you run a server, you expose your computer to outside users. There is the potential for exposing files and programs on your computer and network to malicious outside users, particularly if the Server is compromised.
Although you can set folder permissions from within the Server Administrator, you can add an extra level of protection by establishing a user account for the Server and then limiting folder access through the Server's user account permissions. This establishes a stopgap until server/system integrity can be restored if the Server is ever compromised.
To configure the server to run securely
1. Create a user account for the server
2. Assign permissions to this user account
3. Assign the server to the account
4. Log the server on as a service
5. If necessary, configure the server's user account to map a virtual folder to a network drive.
The Administrator
The Administrator is the graphical user interface to the Server. After you install one or more Servers, configure clustering services, if used, and configure the Server to run as a Windows service, you then configure the connection to the Server in the Administrator.
The Server is configured by default to run when the operating system starts. The Administrator is used to connect to the Server to create Server Groups, Servers, and Sites, manage user accounts and permissions, set security protocols, define commands, and configure Event Rules.
The Administrator connects to the Server on either a local or remote computer. You can install the Administrator on as many computers as you like, but the Server may only be installed on computers with valid Server software licenses.
The Server employs an inheritance hierarchy to manage its Server, Site, and User settings, and Group permissions. The settings on the Server are inherited at the Site level; the settings on the Site are inherited at the User Setting Level; the settings on the User Setting Level are inherited by the users assigned to that User Setting Level. The parent settings can be overridden at each level.
• The left pane of the Administrator provides a tree view of Server components, which include the
,
that are used to connect to and communicate with the Server.
• The right pane of the Administrator provides tabs that contain the configuration options for the item selected in the left pane. For example, when you select a Server in the left pane, the right pane contains the configuration options for the selected Server.
To open the Administrator
• Launch the Administrator by clicking the shortcut on the Start menu or the desktop (cftpsai.exe).
Server Groups and Servers
Server Groups are at the top of the Server's setting hierarchy and allow you to group multiple servers.
You can add as many Server Groups as you need.
Servers control the settings for one or more Servers, either locally or remotely. Servers consist of one or more physical file transfer servers (Secure FTP Server - FIPS) running on your local or remote system.
Creating, Deleting, and Renaming Server Groups
To create a new Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click File, then click Add New Group of Servers. The Create New Group dialog box appears. the tree and in reports and log files.
To rename a Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server Group you want to rename.
3. On the menu bar, click Configuration, then click Rename.
4. Next to the Server Group's icon, type a different name.
To delete a Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server Group you want to delete, then do one of the following:
• On the main menu, click File, then click Remove Group of Servers.
• Right-click, then click Remove Group of Servers.
Defining a Server
To define a Server
1. In the Administrator, click the Server tab.
2. On the main menu, click File, then click Add New Secure FTP Server. The Add New Server dialog box appears. the reports and log files.
4. Do one of the following:
• If the Server is on the computer on which you have opened the Administrator, click Local host.
• If the Server is on a different computer, click Remote host, then provide the Host IP address and Port of the Server computer. Leave the port at 1100 unless you want to use a different port to administer the Server remotely.
To remove a Server from the tree
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to remove, then do one of the following:
• On the main menu, click File, then click Remove Server.
• Right-click the Server, then click Remove Server.
A warning appears, reminding you that your login information will be lost.
WARNING:
When you delete a Server, you also delete all of your login information; you must manually recreate it.
Connecting to a Server
Ensure the Server service is running. The administrator username and password are created during installation. You can manage multiple Servers with a single Administrator.
To connect to a local server
1. Launch the Administrator.
2. In the left pane, click the Server you want to administer.
3. On the main menu, click File, then click Connect to FTP Server. The Connect to Secure FTP Server dialog box appears.
To connect to a remote server
Note:
1. Launch the Administrator.
2. In the left pane, click the Server to which you want to connect.
3. On the main menu, click File, then click Connect to FTP Server. The Connect to Secure FTP Server dialog box appears.
Remote Administration
To connect to the Server from a remote Administrator, you must first configure the Server locally on the Server computer and then configure the remote Administrator.
To configure remote administration using SSL, refer to Configuring Secure Remote Administration .
Note:
To reconnect, start, or stop the Server service from a remote location, the remote computer must
on the Server computer with the appropriate administrative privileges.
To configure the Server for remote administration
1. Launch the Administrator on the Server computer.
2. In the left pane,
to the Server you want to configure for remote administration.
3. In the right pane, click the Remote Administration tab.
• 1000 is the default port for Secure FTP Server (non-FIPS)
• 1221 is the default port for Secure FTP Server (FIPS)
over SSL for more secure administration.
Yes to configure secure administration, or No to administer the Server over a clear connection. connections.
To configure the remote Administrator
1. Launch the Administrator on the remote computer.
2. In the left pane, click the Server tab, then click the Server Group to which you will add the remote Server.
3. On the main menu, click File, then click Add New FTP Server. The Add New Server dialog box appears.
5. Type a name for the remote Server.
Configuring Secure Remote Administration
Create or acquire an SSL certificate, and then consider whether you need SSL.
Once engaged, SSL encrypts all of your remote administration sessions.
To enable SSL during remote administration
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server you want to configure.
3. In the right pane, click the Remote Administration tab. the certificate and key.
Note:
If you do not already have a certificate and you are administering a local server, you can create a certificate using the Certificate Creation Wizard located on the menu bar under Tools.
You cannot use the Certificate Creation Wizard to create a certificate for a remote server. If you need to create a certificate for a remote machine, you must open the Administrator and use the Certificate Creation Wizard locally on that machine.
If you set up secure administration over an SSL connection, you will not be able to use the COM interface from remote machines.
Starting and Stopping the Server Remotely
To start or stop the Server remotely
1. In the Administrator, click Edit, then click Service Applet Settings. The Transfer Engine Service Settings dialog box appears.
3. In the text box, type or paste the IP address of the server you want to administer.
Note:
The remote Administrator you are logged on to passes your user name and password to the Windows System Services on the computer running the Server. The account you log on with must have administrative rights on that server to make any changes to the Server service running on it.
5. Click box.
Importing and Exporting Configuration Files
You can import or export configuration files between Servers. This is useful for load balancing or for help with backing up configurations. You can also include user data, custom commands, and Event Rules you have configured.
To import configuration data
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, Import/Export. The Import/Export wizard appears.
4. Specify the path to the file you want to import, then click Finish.
To export configuration data
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, Import/Export. The Import/Export wizard appears.
4. Click one or more the following to export:
5. Specify the path to the folder to which you are saving the file, then click Finish.
Note:
Import/Export does not import or export SSL certificate data, SSH public keys, account passwords or
.
Copying a Server Configuration to Another Computer
There are many reasons for copying or migrating server configuration:
• Moving a Proof of Concept (PoC) in your staging environment without wanting to re-create all the settings, and configuration data.
• Creating a standard configuration for installation on multiple computers.
• Updating server software with a fresh install rather than patching.
Installation and Deployment Considerations
Check the following before moving a configuration from the source to the target system:
• Set the prototype site Administrator Home IP to All Incoming. It must not be bound to a specific IP address unless the system you are deploying to is bound to the same IP.
• Verify the target system’s installation paths are the same as the installation path on the source computer. For example, if you installed the server on drive C:, then install on drive C: on the target, too. If the drive letters are different, change the drive letter on the target before installing the software.
• Verify the Server root and location of the .aud file (if you are using GlobalSCAPE’s authentication manager). The drive letters on the target system must match those on the source in order for the Virtual File System (VFS) to find the Server root. (Otherwise, all permissions and groups will be lost.)
• Use the same administrator username and password when installing on the source and target systems.
Deploy Duplicate Configurations
To set up the deployment configuration
1. Install and register the product on the source system.
2. Configure as desired. This includes sites, users, groups, file and folder permissions, event rules, user settings, etc.
3. Exit the Administrator and stop the Server service in the Services dialog box (in the Windows Control Panel).
4. Copy the following files from the server installation directory over to the target machine:
• FTP.cfg
• [YourSite].aud
• All .bak and .update files
5. Create the same physical folder structure on the target system as the folder structure created by the configuration of the source machine. (Simply copy the FTP folder structure from the source to the target.)
6. Install and register the product on the target system.
7. Cancel the automatic site setup wizard that appears the first time you run the Administrator.
8. Exit the Administrator Interface and stop the Server service in the services dialog box.
9. Paste the files gathered from the source system into the server installation folder on the target system, overwriting existing files as necessary (which should only be the FTP.cfg file at this point).
10. Restart the server service and log in using the Administrator.
11. Double-check server and site configuration. The target system is now configured.
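As an added example (not GlobalSCAPE's own tooling), the two checks below pick out the files that step 4 names and verify the drive-letter and path assumptions from Installation and Deployment Considerations before anything is copied. The function names and the sample paths are constructed for the example.

```python
"""Added example, not part of Secure FTP Server: select the configuration
files to migrate and check the install-path assumptions the guide states."""
import fnmatch
from pathlib import PureWindowsPath

# File patterns named in step 4 of the procedure above.
CONFIG_PATTERNS = ("FTP.cfg", "*.aud", "*.bak", "*.update")


def select_config_files(names):
    """Return the directory entries that must be copied to the target system.

    Matching is case-insensitive so FTP.cfg is found however it is spelled.
    """
    return sorted(
        n for n in names
        if any(fnmatch.fnmatchcase(n.lower(), p.lower()) for p in CONFIG_PATTERNS)
    )


def check_install_paths(source_path, target_path):
    """Return a list of problems with the source/target installation paths.

    The guide requires the same drive letter and the same path on both systems.
    PureWindowsPath is used so the check runs on any platform.
    """
    src, dst = PureWindowsPath(source_path), PureWindowsPath(target_path)
    problems = []
    if src.drive.upper() != dst.drive.upper():
        problems.append(f"drive letter differs: {src.drive} vs {dst.drive}")
    if [p.lower() for p in src.parts[1:]] != [p.lower() for p in dst.parts[1:]]:
        problems.append("installation path differs between source and target")
    return problems


if __name__ == "__main__":
    # Constructed listing of a server installation directory.
    listing = ["FTP.cfg", "MySite.aud", "FTP.cfg.bak", "users.update",
               "cftpste.exe", "readme.txt"]
    print(select_config_files(listing))
    print(check_install_paths(r"C:\Apps\SFTP", r"D:\Apps\SFTP"))
```

Run the path check before step 9; a non-empty result means the target must be re-installed on the matching drive letter and path rather than patched afterwards.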
Changing the Global Administration Password or Exit Prompt
The Server Global Settings dialog box allows you to change the administrator password and exit prompts.
To change the administrator password or prompts
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Edit, then click Server Global Settings.
• If you want to enter your login information every time you connect the Administrator to the server, select the Prompt for administrator interface login and password check box.
If you are within a secure environment, you can clear this check box to be logged in automatically, with no prompt.
• If you want to change your administrator password, click Change Administrator Password. In the Administrator Account Settings dialog box, provide the new password, then click OK.
• If you want to be prompted when you exit the Administrator, select the Prompt on administrator exit check box. You can choose to either leave the Server running or stop the Server when you close the Administrator. Typically, you will leave the Server running so that it can continue to service FTP requests.
Updating the Server's User Information from the Authentication Database
You can set the Server to check the user authentication database automatically at regular intervals to ensure the Server's user information is correct and up-to-date. This feature updates the Server only. You must manually refresh user information in the Administrator in order to see changes on-screen.
To automatically update authentication information
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server that you want to configure.
3. In the right pane, click the Server Options tab.
Engine service to check for changes to the authentication database. If you do not want the service to check, click Never refresh user list automatically.
Note:
When you click Refresh in the Administrator, it only checks the Server service for updated user information. It does not check the authentication database.
Tweaking Logging with the Registry
You can adjust logging by changing values in the registry.
WARNING
These options are for advanced users only; it is recommended that you back up the registry before you make any changes to it.
Registry Location
HKey_Local_Machine\Software\GlobalSCAPE Inc.\GlobalSCAPE Secure FTP Server (FIPS) 3.3
Values
LogBufferSize - DWORD
• This value is the size of the [m_nBufferLen] member of CBaseLog.
• The default is 255.
QueueBufferSize - DWORD
• This is the value of the [m_nQueueBufferMaxLen] member of CBaseLog.
• The default is 32768.
LogFlushTimer - DWORD
• This is the value, in milliseconds, used by the QueueTimerProc to wait for flushing data to the disk.
• The default is 60000 (1 minute).
Note:
Do not set LogFlushTimer to 0. It will max out the server CPU. The lowest setting you should use is 1.
Note:
Be sure to stop and restart the Server service after making any changes to the registry.
Controlling Access by IP Address
By default, all IP addresses are granted access to the Server. Alternately, you can grant access to only one specific IP address or a range of IP addresses, or deny access to one specific address or a range of addresses.
To grant or deny access by IP address
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site, then click the IP Access tab.
The TCP/IP Access Restrictions area displays the IP addresses that are granted or denied access. By default, all IP addresses are granted access.
Note:
If the Ban IP address after excessive invalid commands check box is selected on the Site's
Advanced tab, and a user triggers this action, their IP address will appear in this list. If the invalid commands were not malicious and you do not want to ban the IP address, you can remove it from the list by clicking it, then clicking Remove.
4. Specify the IP address or range of IP addresses to deny or grant access to the Site. The Server allows wildcards to select ranges of IP addresses.
• If most IP addresses are allowed access, click Granted access, then list the exceptions to the rule.
• If most IP addresses are denied access, click Denied access, then list the exceptions to the rule.
6. Click Apply to save the changes on the Server.
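To make the grant/deny semantics of the IP Access tab concrete, here is an added example (not the product's code) that models the list as a default policy plus exceptions. The guide says the Server accepts wildcards for address ranges but does not give their exact syntax, so the example uses shell-style '*' matching; the class name and the sample addresses are constructed.

```python
"""Added example, not part of Secure FTP Server: evaluate an IP access list of
the kind configured on a Site's IP Access tab."""
import fnmatch


class IpAccessList:
    """Default policy ("Granted access" or "Denied access") plus exceptions."""

    def __init__(self, default_granted=True, exceptions=()):
        self.default_granted = default_granted
        # Exceptions to the default rule, e.g. "203.0.113.*" or "198.51.100.2".
        self.exceptions = list(exceptions)

    def add(self, pattern):
        """Add an exception; auto-banned addresses end up here too."""
        if pattern not in self.exceptions:
            self.exceptions.append(pattern)

    def remove(self, pattern):
        """Lift an entry, as with Remove on the tab for a mistaken ban."""
        self.exceptions.remove(pattern)

    def is_exception(self, ip):
        # '*' matches any run of characters, dots included, so write patterns
        # that end at an octet boundary ("10.0.0.*", not "10.0.0.1*").
        return any(fnmatch.fnmatchcase(ip, p) for p in self.exceptions)

    def is_granted(self, ip):
        """Exceptions invert the default: denies on a Granted list, allows on a Denied list."""
        return self.default_granted != self.is_exception(ip)


if __name__ == "__main__":
    # Constructed: most addresses allowed, one range blocked.
    acl = IpAccessList(default_granted=True, exceptions=["203.0.113.*"])
    for ip in ("203.0.113.9", "198.51.100.2"):
        print(ip, "granted" if acl.is_granted(ip) else "denied")
```

The inversion in is_granted is the point to remember when reading the tab: the same entry means "block" under Granted access and "allow" under Denied access, so switching the default policy changes the meaning of every listed address.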
Configuring SMTP Email Notification
address for an outgoing mail server, an email address for the administrator account, and other details.
To set up the server to send email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to configure.
3. In the right pane, click the SMTP Configuration tab. the send outgoing messages. the
The default is 25.
6. Do one of the following:
• If the Server can connect to the mail server without a log in, leave the Server requires authorization check box cleared.
• If the mail server requires a user name and password from the Server computer, select the Server requires authorization check box, then provide the Authorization information. the server. would like for the "From Name" field. the you would like for the "From Address" field.
server administrator, or any name you wish. the of the person that should be notified of server events.
Connection Problems
If you are having problems connecting, ensure that:
• Your username and password are correct. They are case sensitive.
• The host IP address and port are correct.
• The Server service is running.
Note:
If the service is not running, you might be able to
• The network connection is functioning.
Server Statistics
To monitor current statistics at the server, site and user level
1. In the Administrator, connect to the server, then click the Status tab.
2. In the left pane, select the Server, Site, or connected user to view the related statistics (described below).
Note:
After selecting a user in the left window, you can click Kick User in the right pane to disconnect a user from a site. This does not disable the user, but stops unacceptable activities while you
the user's access.
Server Statistics
• When the server was started
• The local time for the server
Site Statistics
Current statistics shown here include:
• Site Root Folder
• Site FTP Port Number
• When the server was started
• The local time for the server
User Connection Statistics
Current statistics shown here include:
• Login
• ID
• When the connection was made
• Total time connected
• The data type, such as ASCII
• The transfer mode, such as stream
• The data connection, if applicable.
• The last three transfers
• The current working directory
Server Security Considerations
Storing your username and password may be convenient, but it is not secure. The password is available to anyone who uses the Server machine.
Changing the administrator password and port is a good option if you do encounter a security breach.
Note:
It is so easy to configure the Server that many administrators do not give careful consideration to administrative password or port changes. If you do not remember your password and port, you will not be able to connect to the server.
You may encounter port conflicts while attempting to run two sites with implicit SSL encryption. Keep this in mind as you configure multiple Sites' encryption options.
Carefully consider inheritance as you begin to grant folder access to different VFS groups. Creating virtual folders gives users access to all subfolders.
Setting VFS access with patterns of inheritance derived from parent folders in a logical manner ensures that permission groups have predictable access to folders.
Creating and Configuring Sites
Authentication Types
The Server supports three database types for authenticating users: GlobalSCAPE Secure FTP Server (FIPS) Authentication, ODBC Authentication, and NT Authentication. Once a Site has been configured through the Create Site Wizard, you cannot change the authentication method.
• GlobalSCAPE Secure FTP Server (FIPS) Authentication does not rely on outside sources for user information (accounts protected from the OS). All information is contained within the .aud file located in the server engine (cftpste.exe) folder. All information is encrypted and can only be modified through the Administrator.
• ODBC Authentication allows all users in an external ODBC database to have access to the server. See the topics under ODBC book for more information on configuring ODBC authentication.
• NT (NTLM/AD) Authentication. Using this method, the Server assigns permissions to users from the NT User Database on the system that is running the server. The Server queries the Primary Domain Controller (PDC) for your domain and adds all domain users.
ODBC
Using an ODBC Data Source for User Authentication
The Server allows you to use any ODBC-compatible database as a source for user authentication. You may add and remove users and set certain permissions using your existing database utility or through the Administrator.
In order to use an external ODBC data source you must:
• Create tables in an ODBC data source
• Establish a System Data Source Name (DSN) in the ODBC Source administration tool
• Configure Secure FTP Server to use the System DSN
• Install Microsoft Data Access Components (MDAC) 2.6 or higher
If you are using the server on Windows XP, you do not need to install MDAC 2.6 or higher on your computer. For any other Windows operating system, you can download MDAC 2.6 or 2.7 from http://www.microsoft.com/data/download.htm
If you are using an Access database, you may also need to download a Jet driver. For information about
Jet drivers, see Article ID: 282010 on the Microsoft Support pages: http://support.microsoft.com/kb/282010/en-us.
For information about MDAC 2.6, see Article ID: 271908 on the Microsoft Support pages: http://support.microsoft.com/kb/271908/en-us .
Creating Tables for your ODBC Data Source
You must create two tables in the database for your data source:
The ftpserver_users table lists the user accounts and permissions groups in the site. A user account uses the information from all fields. A permissions group only uses the ID, Name, and Description fields and is used only for organizational purposes, not as a user login.
Field Name         Data Type    Field Size     Description
ID (Primary Key)   AutoNumber   Long Integer   User ID
Name               Text         50             Login name for this user
Password           Text         200            Password for this user
Description        Text         200            Description for this user
                   Number       Integer only   Regular vs. SKEY (OTP) password type. 0 = standard FTP password, 1 = MD4 OTP, 2 = MD5 OTP.
                                               OTP Seed to be used for MDX Passwords - used by OTP accounts only.
Anonymous                       Long Integer   0 = Normal Password, 1 = Any password required
Fullname           Text         200            User's full name
Phone              Text         200            User's phone number
Pager              Text         200            User's pager number
Fax                Text         200            User's fax number
                                200            comments
HomeDirectory      Text         512            Secure FTP Server use only
Note:
HomeDirectory must be created for ODBC authentication to work properly with the Server, but you cannot use it for user account directories.
The ftpserver_ids table organizes users into "groups" of permission levels. For each permissions group to which a user belongs there should be one entry in the table below.
Field Name   Data Type    Field Size     Description
ID           AutoNumber   Long Integer   Unique ID for the record (key field).
User_ID                   Integer        ftpserver_users table. A corresponding ftpserver_users record (where ftpserver_ids.User_ID = ftpserver_users.ID) must exist with Type = 1.
Group_ID                                 user record belongs to. A corresponding ftpserver_users record (where ftpserver_ids.Group_ID = ftpserver_users.ID) must exist with Type = 0.
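To show how the two tables fit together, here is an added example (not GlobalSCAPE's supplied database or code) that builds both tables in SQLite, standing in for the Access or MySQL data source, and resolves a login's permission groups through ftpserver_ids. The column names come from the tables above; the Type values (1 = user, 0 = group) come from the ftpserver_ids descriptions, and treating Type as a column of ftpserver_users, the sample rows, and the dangling_memberships integrity check are assumptions made for the example.

```python
"""Added example, not GlobalSCAPE's database: the ODBC authentication tables
in SQLite, a group lookup, and a check for memberships that violate the
Type = 1 user / Type = 0 group rule stated above."""
import sqlite3

# Column names follow the guide; SQLite types approximate the Access ones.
# Type is referenced by the ftpserver_ids descriptions; its placement in
# ftpserver_users is an assumption.
SCHEMA = """
CREATE TABLE ftpserver_users (
    ID            INTEGER PRIMARY KEY AUTOINCREMENT,
    Name          TEXT(50)  NOT NULL UNIQUE,
    Password      TEXT(200),
    Description   TEXT(200),
    Type          INTEGER NOT NULL CHECK (Type IN (0, 1)),  -- 1 = user, 0 = group
    Anonymous     INTEGER NOT NULL DEFAULT 0,
    Fullname      TEXT(200),
    Phone         TEXT(200),
    Pager         TEXT(200),
    Fax           TEXT(200),
    HomeDirectory TEXT(512)
);
CREATE TABLE ftpserver_ids (
    ID       INTEGER PRIMARY KEY AUTOINCREMENT,
    User_ID  INTEGER NOT NULL REFERENCES ftpserver_users(ID),
    Group_ID INTEGER NOT NULL REFERENCES ftpserver_users(ID)
);
"""


def build_sample_db():
    """Constructed sample data: two groups, two users, three memberships."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO ftpserver_users (Name, Password, Description, Type) VALUES (?, ?, ?, ?)",
        [("uploaders", None, "may write to Incoming", 0),      # ID 1, group
         ("auditors", None, "read-only reviewers", 0),         # ID 2, group
         ("alice", "example-only", "alice's account", 1),      # ID 3, user
         ("bob", "example-only", "bob's account", 1)])         # ID 4, user
    con.executemany("INSERT INTO ftpserver_ids (User_ID, Group_ID) VALUES (?, ?)",
                    [(3, 1), (3, 2), (4, 2)])
    return con


def groups_for(con, login):
    """Names of the permission groups a login belongs to, via ftpserver_ids."""
    rows = con.execute("""
        SELECT g.Name
        FROM ftpserver_users u
        JOIN ftpserver_ids m ON m.User_ID = u.ID
        JOIN ftpserver_users g ON g.ID = m.Group_ID
        WHERE u.Name = ? AND u.Type = 1 AND g.Type = 0
        ORDER BY g.Name""", (login,))
    return [r[0] for r in rows]


def dangling_memberships(con):
    """IDs of ftpserver_ids rows whose ends are not a Type = 1 user and a Type = 0 group."""
    rows = con.execute("""
        SELECT m.ID
        FROM ftpserver_ids m
        LEFT JOIN ftpserver_users u ON u.ID = m.User_ID AND u.Type = 1
        LEFT JOIN ftpserver_users g ON g.ID = m.Group_ID AND g.Type = 0
        WHERE u.ID IS NULL OR g.ID IS NULL""")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(groups_for(db, "alice"), dangling_memberships(db))
```

The integrity query is worth running against a real data source after edits made with an external database utility: a membership row that points at a user where a group is expected (or the reverse) satisfies the foreign keys but not the rule the guide states, and the Server's view of that user's permissions will not match what the administrator intended.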
Establishing a System Data Source Name (DSN)
After you have created your database, you must associate it to your system.
To establish a system DSN
4. Click the applicable driver.
Create Tables for your ODBC data source
or the supplied database.
Using a DSN-Less Connection with ODBC Authentication
You can create a Site with a DSN-less connection to your authentication database. If you have several simultaneous database connections, a DSN-less connection may be slightly faster than a DSN connection.
To create a site with a DSN-less connection
1. In Secure FTP Server Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, then click Create New Site.
3. Give the site a name, choose the IP address and Port.
6. Provide the connection string, then click OK.
You must know the correct driver to use with your database. Create a connection string using the examples below. The connection string includes the name of the driver you need for your database, the location of your database, the name of your database, and, if necessary, a user name and password to access the database.
For local databases the connection string must include:
• Database path and name, including the file extension [Dbq=]
• Username [Uid] and Password [Pwd] are required only if the database is password protected
For remote databases your connection string must include:
If you are pointing to an Access 2000 database named Example, located in the xyz sub-folder of your C drive on the local machine, the connection string is:
Provider=MSDASQL;Driver={Microsoft Access Driver (*.mdb)};Dbq=c:/xyz/Example.mdb;Uid=;Pwd=;
If you have a remote MySQL database named Example, your connection string is:
Provider=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=10.10.10.1;DATABASE=Example;UID=myusername;PWD=mypassword;
Note:
Do not put any line breaks in your connection strings.
You must have MDAC version 2.7 or higher to use a DSN-less connection.
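A DSN-less connection string is easy to get wrong by hand, so it helps to check it mechanically before it goes into the wizard. The following is an added example, not part of the product: it splits the Key=Value;... string, rejects line breaks (the note above), reports missing keys for the local (Dbq) and remote (DRIVER, SERVER, DATABASE) cases, and masks the PWD value so the string can be written to a log. The key lists, function names and checks are assumptions drawn from the two examples above.

```python
"""Added example, not part of Secure FTP Server: parse and sanity-check an
ODBC connection string before pasting it into the Create New Site wizard."""

# The two connection strings given in the guide (used as sample input here).
EXAMPLE_LOCAL = ("Provider=MSDASQL;Driver={Microsoft Access Driver (*.mdb)};"
                 "Dbq=c:/xyz/Example.mdb;Uid=;Pwd=;")
EXAMPLE_REMOTE = ("Provider=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=10.10.10.1;"
                  "DATABASE=Example;UID=myusername;PWD=mypassword;")

# Keys the guide's examples require for each case (assumed from those examples).
LOCAL_REQUIRED = ("Dbq",)
REMOTE_REQUIRED = ("DRIVER", "SERVER", "DATABASE")


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict keyed by lower-cased key names.

    Values containing ';' are not handled; the guide's examples have none.
    """
    if "\n" in conn or "\r" in conn:
        raise ValueError("connection string must not contain line breaks")
    pairs = {}
    for part in conn.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed fragment: {part!r}")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def check_connection_string(conn, remote):
    """Return a list of problems; an empty list means the required keys are present."""
    pairs = parse_connection_string(conn)
    required = REMOTE_REQUIRED if remote else LOCAL_REQUIRED
    problems = [f"missing {k}" for k in required if k.lower() not in pairs]
    if pairs.get("provider", "").upper() != "MSDASQL":
        problems.append("Provider is not MSDASQL as in the guide's examples")
    if remote and "uid" in pairs and not pairs.get("pwd"):
        problems.append("UID given without PWD")
    return problems


def redact(conn):
    """Copy of the string that is safe to log: the PWD value is masked."""
    out = []
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() == "pwd" and value:
            out.append(f"{key}=***")
        else:
            out.append(part)
    return ";".join(out)


if __name__ == "__main__":
    print(check_connection_string(EXAMPLE_LOCAL, remote=False))
    print(check_connection_string(EXAMPLE_REMOTE, remote=True))
    print(redact(EXAMPLE_REMOTE))
```

Note that the string holds the database credential in clear text; redact() is there so that whatever records the string (a deployment script, a ticket) does not keep the password along with it.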
Creating Sites
You can create and manage multiple Sites through a single Server. Each Site must connect to a separate IP address, port, or both. When you create a new Site, FTP access is automatically enabled. After you create the Site, you can configure the
To create a new Site
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server for which you are creating the Site.
3. On the main menu, click Configuration, then click Create New Site. The Create New Site window appears. the however, you can enter any value between 1 and 65,535. (If you are using the site for secure FTP connections, you can later turn off plain FTP access on the Connection Options tab.)
Note:
Assigning port numbers under 1024 may lead to conflicts with other programs running on your computer.
7. If you want the site to start immediately, select the Start site automatically after creation check box.
Authentication.
• If you need to use NT Authentication, see Creating a site that uses NT authentication.
• If you need to use ODBC authentication, see Creating a site that uses ODBC authentication.
10. Provide the path to store the user database. Leave the default path unless you want to store the authentication database in a new location.
11. In the User list refresh interval list, specify how often the Server should check the database for new users.
12. Click Next.
13. In the Default FTP Root Folder area, specify a path to the root folder for the site.
14. Select the Create standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders with appropriate permissions under the root folder. This is selected by default, but is only necessary if you are trying to mimic a typical default *nix Server setup.
15. Select the Enable anonymous access to the server check box to create an anonymous account that does not require a password. The account will have limited permissions.
16. Select the Auto assign home folders to site users check box to automatically create a user folder under \Site Root\Usr\ when a new user is added.
17. Click Finish. If the root folder has not already been created, you are prompted to do so: Click Yes. The folder is created and the Create New Site wizard closes.
Creating a Site that uses NT Authentication
Secure FTP Server can create sites using the NT user authentication database so users can connect to the site with their NT user name and password. Permissions are assigned to users from the NT User Database on the domain of the system that is running the Server. Secure FTP Server queries the Primary Domain Controller (PDC) for your domain and adds all domain users.
Users are listed as soon as you open the site you created using NT Authentication. You cannot add or change users from Secure FTP Server, but you can change their permissions, settings and status on the server.
Warning:
NT Authentication transmits passwords over the network without data encryption. To avoid exposing your passwords to possible theft, use SSL connections with NT Authentication.
To create a site
1. Follow the steps in Creating Sites up to specifying an authentication method.
Active Directory (AD) Authentication, or NTLM Authentication to match what is used on the server's domain. the from the machine's current domain, or Custom, and supply the domain name that has the authentication database you want to use. in the domain's database, or Custom and supply a group name for users that will have access to the Server.
7. If you specified Active Directory Authentication, in the Use this user attribute as logon name list, specify the attribute based on what your database uses. the authentication database for new users.
10. Specify the path to the root folder for the Site.
11. If you are trying to mimic a typical default *nix Secure FTP server setup, select the Create standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders with appropriate permissions under the root folder.
12. Select the Auto assign home folders to site users check box to automatically create a user folder under \Site Root\Usr\ when a new user is added.
13. Click Finish. If the root folder has not already been created, you are prompted to do so: Click Yes. The folder is created and the Create New Site wizard closes.
Creating a Site that uses ODBC Authentication
Secure FTP Server can create sites that use an ODBC database for authentication.
To create ODBC database authenticating site
1. Follow the steps in Creating Sites up to specifying an authentication method.
the
Authentication Options appear. database. the database for new users.
7. Specify a path to the root folder for the Site.
8. If you are trying to mimic a typical default *nix Secure FTP server setup, select the Create standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders with appropriate permissions under the root folder. the account that does not require a password. The account will have limited permissions.
10. Select the Auto assign home folders to site users check box to automatically create a user folder under \Site Root\Usr\ when a new user is added.
11. Click Finish. If the root folder has not already been created, you are prompted to do so: Click Yes. The folder is created and the Create New Site wizard closes.
Starting and Stopping Sites with the Server Running
To start Sites
1. In the Administrator, connect to the server, then click the Server tab.
2. On the toolbar, click Go. A submenu appears.
3. Click the Site you want to start. To start all of them, select All Sites.
To stop Sites
1. In the Administrator, connect to the server, then click the Server tab.
2. On the toolbar, click Stop. A submenu appears.
3. Click the Site you want to stop. To stop all of them, select All Sites.
Note:
If you stop a Site while users are connected, the users will be disconnected and file transfers may be interrupted.
Disconnecting Problem Users
The Server provides the following methods to disconnect problem users:
• Blocking anti-timeout schemes
• Disconnecting after a defined number of invalid commands
• Allowing or disallowing the NOOP command
• Disabling an account after a defined number of incorrect login attempts
• Setting a maximum idle time limit
To block anti-timeout schemes
Many FTP clients send random commands such as REST 0, PWD, TYPE A, LIST, etc., to an FTP server to keep the session alive while the client is idle. The Server can attempt to block these schemes.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
To disconnect users after a defined number of invalid commands
The server can automatically disconnect and even ban the IP addresses of users who send an excessive number of invalid commands to the server:
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
Disconnect user after <n> consecutive invalid commands and type the number of invalid commands allowed before you disconnect the user. You may permanently ban the user's IP address from the site by selecting the Ban IP address after excessive invalid commands check box. You may later remove the ban on the user by removing their IP address from the list in the site's IP Access tab.
To allow or disallow the NOOP command
Many FTP clients send a NOOP command to the server during idle times to keep the connection alive.
You can choose whether to allow the NOOP command. If you disallow the NOOP command, it will be considered an invalid command and treated according to your settings under Disconnect after [Number of] invalid commands.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Security tab.
NOOP command check box to treat the NOOP command as an invalid command.
Note:
If you are banning users who send excessive invalid commands and treating NOOP as an invalid command, then you will be banning users for sending the NOOP command. You may later remove the ban on the user by removing their IP address from the Site's list in the
check box in a user account indicates that the account is inheriting parameters from the User Setting
Level.
To disable an account after a defined number of incorrect login attempts
The server can automatically disable user accounts if users try to connect with the wrong password too many times.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Security tab.
Disable account after <n> incorrect password retries and enter the maximum number of password retries you want to allow in the corresponding box. A gray check box in a User account indicates that the account is inheriting parameters from the User Setting Level.
Enabling time out
You can automatically disconnect users after a specified period of inactivity.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Quota tab.
4. Select the Enable time out check box, then specify the maximum number of seconds of inactivity allowed before the user is disconnected.
Flooding and Denial of Service Prevention
You can configure the server to automatically ban IP addresses that may be associated with a DoS (Denial of Service) attack. The Server monitors connection patterns, tracks each user's activity density, and then bans IP addresses with unnaturally dense activity.
To activate Auto-ban
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the IP Access tab.
4. Specify a sensitivity level using the slider bar, and specify one of the following ban periods:
• Ban IPs for time period proportional to sensitivity (higher = longer)
If you select this option, IPs are banned temporarily. The server will restrict this IP's access to the server for a minute or two. The amount of time a user is banned from the site depends on the server security setting you selected using the slider bar. Choosing to ban users temporarily means that if the server makes a mistake and identifies an ordinary, but very active user as a threat, the user will soon be able to reconnect to the FTP site.
Banning an IP address temporarily protects the server from attacks. If the server is correct and a temporarily banned IP was the source of an attack, the server will not be harmed by the attempted attack. The server's resources will remain free or minimally burdened, instead of being completely bogged down by the attacking IP.
When you ban IP addresses temporarily, the level of security you set for the slider indicates both the number of seconds the user can attempt to occupy all of the server's resources before being banned and the number of seconds the user will be banned.
The higher the security, the shorter the amount of time before the user is banned and the longer the user will remain banned.
• Ban IPs permanently (Add to TCP/IP Access restrictions list)
If you elect to permanently ban the IP addresses of users whose activity fits the pattern of an attack, those users will be banned immediately as soon as they exceed the number of connections allowed for your security level. If the server has banned a user, you will need to modify the TCP/IP restrictions list to allow access.
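To make the two ban modes concrete, here is an added example (not GlobalSCAPE code, and not how the Server implements its slider) of a sliding-window connection-density tracker that either bans an address temporarily, for a period proportional to the sensitivity, or adds it to a permanent restriction set. The sensitivity scale of 1 to 10, the per-window connection allowance, and the ban length of 30 seconds times the sensitivity are assumptions chosen for illustration; the IP addresses used in the tests are constructed.

```python
import time
from collections import defaultdict, deque


class AutoBan:
    """Per-IP connection-density tracker with temporary or permanent bans (assumed model)."""

    def __init__(self, sensitivity, permanent=False, window_seconds=60):
        if not 1 <= sensitivity <= 10:
            raise ValueError("sensitivity must be between 1 and 10")
        self.sensitivity = sensitivity
        self.permanent = permanent
        self.window_seconds = window_seconds
        # Assumed mapping of the slider: sensitivity 1 tolerates 100 connections per
        # window, sensitivity 10 tolerates 10; a temporary ban lasts 30 s x sensitivity,
        # so a higher setting both trips sooner and bans longer, as the text describes.
        self.max_per_window = 110 - 10 * sensitivity
        self.ban_seconds = 30 * sensitivity
        self._events = defaultdict(deque)   # ip -> timestamps of recent connections
        self._temp_bans = {}                # ip -> time at which the ban expires
        self.restricted = set()             # the permanent "TCP/IP Access restrictions" list

    def ban_state(self, ip, now):
        """Return 'restricted', 'banned', or None for an IP at time `now`."""
        if ip in self.restricted:
            return "restricted"
        expires = self._temp_bans.get(ip)
        if expires is not None:
            if now < expires:
                return "banned"
            del self._temp_bans[ip]         # the temporary ban has lapsed
        return None

    def connect(self, ip, now=None):
        """Record a connection attempt; return 'accept', 'banned', or 'restricted'."""
        now = time.time() if now is None else now
        state = self.ban_state(ip, now)
        if state:
            return state
        recent = self._events[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window_seconds:
            recent.popleft()                # drop events that fell out of the window
        if len(recent) <= self.max_per_window:
            return "accept"
        recent.clear()                      # density exceeded: ban and reset the counter
        if self.permanent:
            self.restricted.add(ip)
            return "restricted"
        self._temp_bans[ip] = now + self.ban_seconds
        return "banned"
```

With the temporary mode, an address that trips the threshold is refused for `ban_seconds` and then admitted again, which is the behaviour the text relies on for recovering from a false positive; in the permanent mode the address stays in `restricted` until an administrator removes it.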
Modifying Messages
The Server can display messages to users in the following situations:
• Connection (when a user first connects, before logging on)
• Login
• Maximum connections reached
• Exit (when the client closes the session with QUIT)
Connection Message
The connection message appears when a user first connects, but before a user logs on.
To modify the Connection message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
Login Message
Login messages may be applied at the user or User Setting Level. Users automatically inherit the message applied to their User Setting Level. You can optionally display a message unique to a User.
To modify the login message for a User or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Main tab.
• Use Default. You cannot add an additional message when a user connects. The default message for a successful login is:
230-Login OK. Proceed.
• Add to Default. This option places the default message on one line, then adds the message you typed into Login message. For users, the message set at the User Setting Level is the default.
• Replace Default. The server does not display the default message, but displays the message you type into the Login message box. For users, the message set at the User Setting Level is the default.
• None. No messages appear when a user logs in.
Maximum Connections Message
You can configure a site to allow only a specified number of maximum simultaneous connections. If you choose this option, you can specify a message for users when the maximum simultaneous connections number is exceeded.
To modify the Maximum Connections message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
4. Type the message to display when the maximum simultaneous connections number is exceeded.
Exit Messages
The Server can send an exit message when the client closes the session gracefully by using the FTP QUIT command.
To modify the exit message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
Specifying a PASV IP or PASV Port Range
If the Server is behind a firewall or NAT device, you may need to specify the Server's IP address or the range of ports the Server chooses from when issuing IP:PORT information to clients.
To specify a PASV connection through a range of ports
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
Note:
This usually applies under SSL sessions when the NAT or firewall device cannot see, and therefore cannot properly map, the internal IP address of the Server, or when the NAT or firewall device is misconfigured. It is recommended that you first try connecting to the Server with this field left as is.
Note:
This is used primarily to limit the number of ports used for the data connection portion of the FTP session, especially when the firewall or NAT device was configured to only allow traffic on certain ports.
Note:
If you specify a PASV mode port range, you must open the same range of ports on your firewall.
Allowing HTTP Transfers
To enable HTTP transfers at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
By default, the port number is 80.
Note:
For a user to access the Server using HTTP, Allow access using HTTP protocol must be selected at the user or user setting level.
Multi-Part Transfers
The Server supports multi-part transfers and can accept multi-part uploads from advanced FTP clients such as CuteFTP Professional. The user must have appropriate privileges and be authorized to connect multiple times concurrently. The connecting client takes care of most details, including splitting the file apart, sending the multiple parts, and then requesting that the server join them again upon receipt. The COMB command joins the parts back together. The benefits of segmented (multi-part) and concurrent delivery for accelerated transfers include:
• Accelerated throughput and maximum use of the bandwidth available to the client, by allowing uploaded files to be split apart and transferred in multiple segments simultaneously.
• The COMB command can be toggled on or off.
The COMB command is a proprietary command and is not defined nor endorsed by any FTP-related RFC; however, the command can be integrated with other servers using the following syntax:
COMB <TF> <SF 1> ... <SF n>
where
<TF> is the path to the target file, which will contain the combined data from the source parts.
<SF #> are the source files (parts).
This means "combine n source files (SF 1...n) into one file (TF)."
• If the target file already exists, then the server appends the source files to it.
• The server will delete all the source files once they are combined successfully.
• All file names should be in quotation marks.
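As an added example (not GlobalSCAPE's implementation), the following Python handler applies the three rules above to a COMB line: quoted names are required, an existing target is appended to, and the parts are deleted only after every byte has been written. Confining every name to the user's root folder is an assumption added here rather than something the text states; a server that joins client-named files has to reject names that escape the user's folder, because every part name is user-controlled. The file contents and names in `demo()` are constructed.

```python
import os
import re
import tempfile


class CombError(Exception):
    """Raised with an FTP-style reply line when a COMB request must be refused."""


# Each argument must be a quoted file name ("All file names should be in quotation marks").
_QUOTED = re.compile(r'\s*"([^"]+)"')


def parse_comb(line):
    """Split 'COMB "target" "part1" ... "partN"' into (target, [parts])."""
    verb, _, rest = line.partition(" ")
    if verb.upper() != "COMB":
        raise CombError("500 Not a COMB command")
    rest = rest.strip()
    names, pos = [], 0
    while pos < len(rest):
        match = _QUOTED.match(rest, pos)
        if not match:
            raise CombError("501 All file names must be in quotation marks")
        names.append(match.group(1))
        pos = match.end()
    if len(names) < 2:
        raise CombError("501 COMB needs a target file and at least one source part")
    return names[0], names[1:]


def _resolve(root, name):
    """Map a client-supplied name onto the file system, refusing paths that leave root (assumed policy)."""
    full = os.path.realpath(os.path.join(root, name.lstrip("/\\")))
    if os.path.commonpath([root, full]) != root:
        raise CombError("550 %s: path is outside the user's root folder" % name)
    return full


def comb(root, line, chunk_size=64 * 1024):
    """Execute one COMB line against the user's root folder; returns the reply string."""
    root = os.path.realpath(root)
    target_name, part_names = parse_comb(line)
    target = _resolve(root, target_name)
    parts = [_resolve(root, p) for p in part_names]
    if target in parts:
        raise CombError("550 The target file cannot also be a source part")
    missing = [p for p in parts if not os.path.isfile(p)]
    if missing:
        raise CombError("550 Missing part: %s" % os.path.relpath(missing[0], root))
    # "ab" appends when the target already exists and creates it otherwise
    with open(target, "ab") as out:
        for part in parts:
            with open(part, "rb") as src:
                for buf in iter(lambda: src.read(chunk_size), b""):
                    out.write(buf)
    # sources are removed only after every part was written successfully
    for part in parts:
        os.remove(part)
    return "250 COMB completed: %d part(s) combined into %s" % (len(parts), target_name)


def demo():
    """Run the COMB rules against constructed files in a temporary user root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "home")
    os.makedirs(root)
    for i, data in enumerate([b"AAA", b"BBB", b"CCC"]):
        with open(os.path.join(root, "big.part%d" % i), "wb") as f:
            f.write(data)
    with open(os.path.join(base, "secret.txt"), "wb") as f:   # deliberately outside root
        f.write(b"not yours")
    results = {}
    results["reply"] = comb(root, 'COMB "big.bin" "big.part0" "big.part1" "big.part2"')
    with open(os.path.join(root, "big.bin"), "rb") as f:
        results["joined"] = f.read()
    results["parts_deleted"] = not any(
        os.path.exists(os.path.join(root, "big.part%d" % i)) for i in range(3))
    with open(os.path.join(root, "more.part"), "wb") as f:
        f.write(b"DDD")
    comb(root, 'COMB "big.bin" "more.part"')            # target exists, so it is appended to
    with open(os.path.join(root, "big.bin"), "rb") as f:
        results["appended"] = f.read()
    for bad in ('COMB big.bin big.part0', 'COMB "big.bin" "../secret.txt"'):
        try:
            comb(root, bad)
            results[bad] = "accepted"
        except CombError as err:
            results[bad] = str(err)[:3]                 # keep only the reply code
    results["secret_intact"] = os.path.exists(os.path.join(base, "secret.txt"))
    return results
```

The unquoted line is refused with a 501 before anything is touched, and the traversal attempt is refused with a 550 before the target is opened, so a rejected COMB never leaves a half-written target or a deleted part behind.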
Connection Protocols
Protocols and Security
The Server supports the following protocols: FTP, FTPS, SFTP, HTTP, and HTTPS. The protocols are configured and enabled/disabled at the Site level, at the User Setting Level, or per user.
FTP
The FTP protocol is an interactive file-transfer mechanism that enables file transfers between Internet sites, or, more specifically, between two systems. It was created for transferring files independently of the operating system used, for example between a Macintosh and a Windows PC. FTP's more notable features include handling for specific error situations and ensuring that a file sent from point A to point B will get there reliably.
The FTP protocol specification (RFC 959) was published many years ago when security was not a priority issue. As security became a concern, secure mechanisms such as SSL and TLS were adapted to help protect the FTP session from being intercepted or exploited. Secure FTP Server provides security with FTPS (using SSL/TLS).
HTTP
HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser or any other files required by an HTTP client application.
HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and server only for the immediate request, after which the connection is closed. Each time you need something from the Server, your client (browser) makes a connection, gets that file, and then the connection is closed. Since you do not connect and stay connected, the browser remembers your username and password for you, so it can send the authentication hash along with every new connection request.
For example, when you put http://www.globalscape.com/gsftps/https.asp in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to the Server running at the host name www.globalscape.com with the HTTP command "GET /gsftps/https.asp HTTP/1.1," and the Server replies with that file (the HTML that makes up the page). In that page, there are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.
How does HTTP support in Secure FTP Server differ from a typical Web Server?
Secure FTP Server is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages as a typical Web server does for connecting HTTP clients (such as your Web browser). However, there are provisions for transferring files over the HTTP protocol, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed, but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).
When the Server is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to the Server, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, they provide no interface for browsing to the user's local file system in order to select and upload (PUT) files onto the Server. A few dedicated clients (such as CuteFTP Professional) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to transfer files to the Server in both directions.
HTTP Limitations in Secure FTP Server
• The Server allows you to customize messages sent by the Server upon connection, login, maximum connections reached, and disconnect (for FTP sessions). Due to the nature of the HTTP protocol, custom login messages are not displayed for connecting HTTP clients.
• Another limitation of HTTP is that after a connection is established, the browser sees the Server's root folder instead of the user's home folder. A workaround is to set up a distinct Site for HTTP sessions.
• Microsoft Internet Explorer browsers on which the MS04-004 Cumulative Security Update for Internet Explorer (832894) is installed no longer support URLs that contain username info, even though they are properly formed URLs. This problem is unique to Internet Explorer, and does not affect the other major browsers. For more information, refer to http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp.
• If you create an Event Rule that sends a notification email for each successful login event, an email is sent every time a user connected through HTTP changes directories. This is a result of HTTP being a stateless protocol and can result in a large volume of notification emails even when performing typical directory browsing.
HTTPS
HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication are possible. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The default TCP/IP port of HTTPS is 443.
The session is then managed by a security protocol. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol, ensuring reasonable protection from eavesdroppers and man-in-the-middle attacks.
Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and the Server will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.
The following elements work together to establish a secure HTTPS connection:
• Client: The client must have SSL capabilities.
• Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by the Server's certificate in order to establish an SSL connection.
• Session Key: The client and the Server use the session key to encrypt data. It is created by the client via the Server's public key.
• Public Key: The client encrypts a session key with the Server's public key. It does not exist as a file, but is produced when a certificate and private key are created.
• Private Key: The server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.
• Certificate Signing Request: A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.
Note:
In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should connect using standard requests (i.e. https://domain_name). You can configure the Server to provide connecting clients with a certificate, and even require that the client provide a certificate upon connection (to validate the client's identity further).
FTPS, SSL, and TLS
FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure sockets. FTPS adds SSL security in both the protocol and data channels. FTPS is also known as FTP-SSL and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS. SSL has been merged with other protocols and authentication methods into a new protocol known as Transport Layer Security (TLS). The Server employs SSL/TLS to perform FTPS to keep your data secure.
Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and the Server will be able to decrypt the data.
The Server supports SSL for client and server authentication, message integrity, and confidentiality. You can configure the Server's security features to verify users' identities, to allow users to verify your identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the elements that take part in the process.
Elements that Work Together to Establish a Secure SSL Connection
• Client: The client needs to be an FTP client with SSL capabilities.
• Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by the Server's certificate in order to open an SSL connection.
• Session Key: The client and the Server use the session key to encrypt data. It is created by the client via the Server’s public key.
• Public Key: The client encrypts a session key with the Server’s public key. It does not exist as a file, but is produced when a certificate and private key are created.
• Private Key: The server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.
• Certificate Signing Request: A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.
SSL must first be enabled at the Site and Server level, and then can be enabled per User Setting Level and User. The Server provides administrators the ability to specify the symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. The Server validates inbound SSL sessions, and allows or denies connections based on specified or approved ciphers.
Secure FTP Server supports two levels of authentication with SSL:
• High - The server is configured so that it contains a certificate, but does not require a certificate from the FTP client.
• Highest - The server is configured so that it provides a certificate and requests a certificate from the client. The server compares the client certificate to a list contained in its Trusted Certificates database. The server either accepts or rejects the connection based upon a match.
SFTP (SSH)
Note:
The SFTP module is optional in Secure FTP Server (FIPS) and requires purchase of an SFTP Module License.
SFTP is an FTP-like protocol that uses the SSH1 and SSH2 protocols to provide security. When clients make an SFTP (SSH2) connection with Secure FTP Server there are two components or layers involved: the Transport and Authentication layers.
Transport Layer
When users first attempt to connect to your SFTP site, the user's client software and the server determine whether the transmission should be encrypted or clear, compressed or uncompressed, which Message Authentication Code (MAC) to use, and what kind of encryption (cipher) to use.
Once the encryption method is chosen:
1. The Server sends a public key to the client.
2. The client generates a session key, and encrypts it with the server’s public key.
3. The client then sends the encrypted session key back to the server.
4. The server then decrypts the session key with its private key and from that time all transmitted data is encrypted with the session key.
Authentication Layer
After the Transport Layer is established, the server attempts to authenticate the client.
There are two methods the Server can use for authentication.
• Public Key Authentication Method: publickey
To use this method, the client will need a private key and public key. The public key is passed to the Server. The Server encrypts a random number with the public key and sends it to the client.
1. The client asks the user for a passphrase to activate the private key.
2. The private key decrypts the number and sends it back to the server.
3. The server recognizes the number as correct and allows the connection.
• Password Authentication Method: password
Using this method, the client sends its password to the server. The client does not need to encrypt the password explicitly, because it will be automatically encrypted by the Transport Layer mentioned above. With this type of authentication, the connection will fail if the Transport Layer cannot encrypt the data.
After the encryption method is established, and authentication is complete, the two systems are ready to exchange secure data. The client sends a secured FTP connection along the encrypted data tunnel, the Server responds, and the user can then transfer files securely.
Explicit Versus Implicit SSL
Netscape originally developed Secure Socket Layer (SSL) for secure Web browsing. When both a client and server support the AUTH SSL command, security is accomplished through a sequence of commands passed between the two machines. The FTP protocol definition provides at least two distinct mechanisms by which this sequence is initiated: explicit (active) and implicit (passive) security.
Explicit Security: In order to establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used. This formal method is documented in RFC 2228.
Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client (990) to be used for secure connections.
Note:
Implicit SSL is discussed in various SSL drafts but is not formally adopted in an RFC. For strict compliance to standards, use the explicit method.
Because implicit SSL has a dedicated port strictly used for secure connections, implicit SSL connections require less overhead when you establish the session. A variety of FTP servers support this mode.
You can think of implicit security as "always on" and explicit security as "turn on." The following diagram contrasts implicit and explicit SSL connections.
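The sequence of commands that explicit security relies on can be modelled as a small state machine on the command channel. The following is an added example, not the Server's code: it enforces the RFC 2228 / RFC 4217 ordering (AUTH, then PBSZ, then PROT) with the reply codes those RFCs define, and treats an implicit session as one whose channel is already secured before the first command arrives. The two policy switches (require TLS before USER, require PROT P for the data channel) are assumed settings for the example, not documented options of the Server, and the user names are constructed.

```python
class FtpsCommandChannel:
    """Models the security state of one FTP command channel (assumed, simplified)."""

    def __init__(self, implicit=False, require_tls=True, require_prot_p=True):
        # Implicit mode (port 990 in the text above): TLS is negotiated before any
        # command is exchanged, so the channel starts out secured. Explicit mode
        # starts in the clear and is upgraded by the AUTH command.
        self.secured = implicit
        self.pbsz_done = False
        self.prot = "C"                        # data-channel protection: C = clear, P = private
        self.require_tls = require_tls         # assumed policy: no credentials over cleartext
        self.require_prot_p = require_prot_p   # assumed policy: data channel must be private
        self.transcript = []                   # (command, reply) pairs: both sides of the exchange

    def handle(self, line):
        """Dispatch one client command and record the server's reply."""
        verb, _, arg = line.strip().partition(" ")
        handler = getattr(self, "_cmd_" + verb.lower(), self._cmd_other)
        reply = handler(arg.strip())
        self.transcript.append((line, reply))
        return reply

    def _cmd_auth(self, arg):
        if arg.upper() not in ("TLS", "SSL"):
            return "504 Security mechanism not supported"
        if self.secured:
            return "503 Channel is already secured"
        self.secured = True   # the TLS handshake runs here, on the existing connection
        return "234 Proceed with negotiation"

    def _cmd_pbsz(self, arg):
        if not self.secured:
            return "503 Bad sequence of commands: send AUTH first"
        self.pbsz_done = True  # the command table notes the Server sets PBSZ to 0 regardless
        return "200 PBSZ=0"

    def _cmd_prot(self, arg):
        if not (self.secured and self.pbsz_done):
            return "503 Bad sequence of commands: send AUTH and PBSZ first"
        level = arg.upper()
        if level not in ("C", "P"):
            return "536 Requested PROT level not supported"
        if level == "C" and self.require_prot_p:
            return "534 Request denied for policy reasons: data channel must be protected"
        self.prot = level
        return "200 Protection level set to " + level

    def _cmd_ccc(self, arg):
        if not self.secured:
            return "533 Command channel is not protected"
        self.secured = False  # commands return to cleartext; the data-channel PROT is kept
        return "200 Command channel cleared"

    def _cmd_user(self, arg):
        if self.require_tls and not self.secured:
            return "530 Send AUTH TLS before sending credentials"
        return "331 Password required for " + arg

    def _cmd_other(self, arg):
        return "502 Command not implemented"


def explicit_demo():
    """A client that first tries commands out of order, then the correct sequence."""
    channel = FtpsCommandChannel()
    for cmd in ("USER alice", "PROT P", "AUTH TLS", "PBSZ 0",
                "PROT C", "PROT P", "USER alice"):
        channel.handle(cmd)
    return channel.transcript
```

The transcript from `explicit_demo()` shows why the explicit method needs the ordering rules: credentials and PROT are refused until AUTH has upgraded the channel, and PROT C is refused by policy, so a client cannot talk the server back down to a cleartext data channel.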
SSL Certificates
The key to understanding how SSL works is to understand the elements that take part in the process. A key element of SSL is the SSL certificate. A public-key certificate, usually just called a certificate, is a digitally signed document that ties the value of the public-key to the identity of the Server service that holds the corresponding private key.
Typically, a certificate contains the following information:
• The Server’s public key value, which the clients use to encrypt a session key. (The client and the server use the session key to encrypt data.) This public-key does not exist as a file, but rather is produced when a certificate and private key are created.
• The Server’s identifier information, such as the name, email address, common domain name, and other details.
• The validity period (the length of time that the certificate is considered valid)
• Issuer or signer identifier information
• The digital signature of the issuer, which attests to the validity of the binding between the server public key and the organization's identifier information.
There are many certificate types or standards, with the Server supporting the most common ones. The Server can import into its certificate store any client-provided certificate of type PKCS 7 or 12, and the X.509 DER encoded standard. For the certificate that the server itself provides (to the connecting client during the SSL handshake), it supports X.509 and PKCS #12 only. Note that PKCS #12 embeds both the certificate AND private key into a single file. The default type that is created by the Server is X.509 base-64 encoded DER.
Before a certificate can be used for securing connections, it must be created (generated) and signed (or vouched for). Certificates can be created directly from the Server, or by a trusted Certificate Authority (CA), which is an independent and trustworthy entity responsible for issuing and managing digital certificates, including revocation of certificates that are expired or are otherwise unauthorized. Once created, a certificate should be signed. By digitally "signing" a newly issued certificate, the signer guarantees the authenticity of the data held in the signee's certificate. The Server can sign its own certificates; however, it is recommended that the certificate be signed by a trusted 3rd-party CA.
When generating a new certificate, the Server creates a self-signed certificate and a certificate signing request (or CSR) file that you can send to a CA for signing and then import into the Server.
Files created by the Server:
• Private key file (.key) - The private key should never be distributed to anyone. It is used to decrypt the session that is encrypted by the public key.
• Certificate request file (.csr) - Each time you create a certificate using the Server, a certificate request file is also created. This file can be signed by the Server's Certificate Signing Utility or sent to an intermediate certificate authority such as GeoTrust, Verisign (www.verisign.com), or Thawte (www.thawte.com) for signing.
• Certificate file (.crt) - This is a self-signed certificate. To obtain a 3rd-party signed certificate, you must send the certificate signing request file to a Certificate Authority (CA) such as Verisign, GeoTrust, or Thawte. The CA in turn will send you a new .crt file with which you can replace your self-signed one.
SSL Certificate Chain-of-Trust
Trust in a certificate is established when you have a copy of the signing certificate in your certificate store (for example, the Server's store or Internet Explorer's Trusted Root Certification Authority for clients). The certificate does not necessarily have to be signed by a root CA; it can be signed by a subordinate (intermediate) CA, as long as there is a valid certification path from the signing certificate to a trusted root certificate, meaning that none of the certificates in the certification path has been revoked or has expired.
Note:
The Server supports one level of trust when requiring certificates from connected SSL clients. That is, if certificate A is trusted, then certificate B signed by certificate A is also trusted. However, if certificate C is signed by certificate B, then certificate C is not trusted.
FTP Commands Supported
Below is the list of FTP commands that the Server supports and will give a known response to, followed by a few commands that it recognizes, but for which it gives the error message "202 Command not implemented, superfluous at this site."
For more information about these FTP commands, see RFC 959 at http://faqs.org/rfcs/rfc959.html.
Command   Description
ABOR      Abort a file transfer
ALLO      Allocates sufficient storage space to receive a file. Syntax: ALLO size [R max-record-size]
APPE      Append data to the end of a file on the remote host. Syntax: APPE remote-filename
AUTH      Used to initiate an SSL encrypted session
CCC       Clear command channel (for FTPS transfers)
CDUP      Change working directory to the parent of the current directory
COMB      Combines file segments into a single file on the server
CWD       Change working directory. Syntax: CWD remote-directory
FEAT      List all FTP features that the server supports
HELP      Display a list of all available FTP commands
LIST      Send list of file names and details
MDTM      Display date/time file was modified, in the format YYYYMMDDhhmmss. YYYY is the four-digit year, MM is the month from 01 to 12, DD is the day of the month from 01 to 31, hh is the hours from 00 to 23, mm is the minutes from 00 to 59, and ss is the seconds from 00 to 59.
MKD       Create (make) a remote directory
MLSD      Display an abbreviated list of a remote directory's files and subdirectories
MLST      Display detailed file or directory information
MODE      Sets the mode in which data is to be transferred to one of the following: S - Stream, B - Block, C - Compressed. The default mode is Stream. (Only "S" or "Z" are supported.)
NLST      Send list of file names (no details)
NOOP      Do nothing; often used to keep the session alive
OPTS      Used to specify optional parameters for the command that follows the OPTS command, if that command supports such optional parameters. (The commands "MLST" and "MODE Z LEVEL X," where X = 1-9, are supported.)
PASS      Send the password for the user. Syntax: PASS <password>
PASV      Enter passive mode
PBSZ      If the Server receives this command, it sets it to 0
PORT      Specifies the host and port to which the server should connect for the next file transfer
PROT      Used to set the protection level to be used for data transfers. PROT P is used to secure the data channel; PROT C is used to clear the data channel
PWD       Display current directory (print working directory)
QUIT      Closes the connection and terminates the FTP session
REIN      Reinitializes the connection and cancels the current user/password/account information
REST      Sets the point at which a file transfer should start. Syntax: REST position
RETR      Begins transmission of a file from the remote host. Must be preceded by either a PORT command or a PASV command to indicate where the server should send data. Syntax: RETR remote-filename
RMD       Deletes the named directory on the remote host. Syntax: RMD remote-directory
RNFR      Rename from (followed by an RNTO command to specify the new name for the file). Syntax: RNFR from-filename
RNTO      Rename to (after sending an RNFR command to specify the file to rename, this command is used to specify the new name for the file). Syntax: RNTO to-filename
SITE      Send a site-specific command. Syntax: SITE site-specific-command
SIZE      Display size of a file. Syntax: SIZE remote-filename
SSCN      Extension for secure site-to-site transfers
STAT      Return server status or a file listing. Syntax: STAT [remote-filespec]
STOR      Begins transmission of a file to the remote site. Must be preceded by either a PORT command or a PASV command so the server knows where to accept data from. Syntax: STOR remote-filename
STOU      Begins transmission of a file to the remote site; the remote filename will be unique in the current directory
SYST      Displays a string of "215 UNIX Type: L8"
TYPE      Sets the type of file to be transferred. Syntax: TYPE type-character [second-type-character]. "type-character" can be A (ASCII text) or I (image, binary data). The second-type-character specifies how the text should be interpreted. It can be N (Nonprint; not destined for printing; this is the default if second-type-character is omitted), T (Telnet format control <CR>, <FF>, etc.), or C (ASA Carriage Control).
USER      Send the user name. Syntax: USER username
XCRC      Compute CRC32 checksum on specified file
XCUP      (same as CDUP)
XCWD      (same as CWD)
XMKD      (same as MKD)
XNOP      (same as NOOP)
XPWD      (same as PWD)
XRMD      (same as RMD)
The following commands are recognized, but not supported:
Command   Description
ACCT      (Account) Send account information
SMNT      (Structure mount) Mount a different file system data structure without altering login or accounting information
STRU      (File Structure) Set file transfer structure
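The Python script below is an added example and not part of the guide or of GlobalSCAPE's software. It replays a complete control-channel exchange using the commands in the table above against a constructed in-memory stand-in for the Server: it parses the PASV reply into a data-channel address, resumes a partial download with REST, and then checks the assembled file against the Server's SIZE and XCRC answers, which is the client-side half of the integrity verification the Server offers. The reply wording, the user name and password, the sample file, and the "250 <hex>" form of the XCRC reply are assumptions of the example.

```python
import re
import zlib

# Constructed sample file for the example; the name and contents are made up.
SAMPLE_FILES = {"report.bin": bytes(range(256)) * 4}


class FakeFtpServer:
    """In-memory stand-in for the Server's control and data channels. Reply
    wording and the '250 <CRC32 hex>' XCRC reply format are assumptions."""

    def __init__(self, files, corrupt_data=False):
        self.files = files
        self.offset = 0          # set by REST, consumed by the next RETR
        self.passive = False     # set by PASV, consumed by the next RETR
        self.pending = None      # bytes waiting on the data channel
        self.corrupt_data = corrupt_data

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return ["331 Password required for %s." % arg]
        if verb == "PASS":
            return ["230 Login OK."]
        if verb == "TYPE":
            return ["200 Type set to %s." % arg.upper()]
        if verb == "PASV":
            self.passive = True
            return ["227 Entering Passive Mode (192,0,2,10,195,80)."]
        if verb == "REST":
            self.offset = int(arg)
            return ["350 Restarting at %d." % self.offset]
        if verb in ("SIZE", "RETR", "XCRC") and arg not in self.files:
            return ["550 %s: No such file." % arg]
        if verb == "SIZE":
            return ["213 %d" % len(self.files[arg])]
        if verb == "XCRC":
            return ["250 %08X" % zlib.crc32(self.files[arg])]
        if verb == "RETR":
            if not self.passive:          # the table's 'must be preceded by PASV'
                return ["425 Use PORT or PASV first."]
            payload = bytearray(self.files[arg][self.offset:])
            if self.corrupt_data and payload:
                payload[-1] ^= 0xFF       # simulate a damaged transfer
            self.pending, self.offset, self.passive = bytes(payload), 0, False
            return ["150 Opening BINARY mode data connection.",
                    "226 Transfer complete."]
        if verb == "QUIT":
            return ["221 Goodbye."]
        return ["502 Command not implemented."]

    def read_data(self):
        data, self.pending = self.pending, None
        return data


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """227 reply -> (host, port); the port is p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("malformed 227 reply: " + reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def reply_code(lines):
    """Status of a reply: the three digits that open its last line."""
    return int(lines[-1][:3])


def exchange(server, transcript, cmd):
    """Send one command, record both sides' lines, return the reply lines."""
    transcript.append("C> " + cmd)
    lines = server.handle(cmd)
    transcript.extend("S> " + line for line in lines)
    return lines


def download_and_verify(server, name, already_have=b""):
    """Log in, restart a binary download after the bytes already held, then
    confirm the assembled file against the Server's SIZE and XCRC answers."""
    t = []
    exchange(server, t, "USER jsmith")
    if reply_code(exchange(server, t, "PASS s3cret")) != 230:
        raise RuntimeError("login failed")
    exchange(server, t, "TYPE I")
    size = int(exchange(server, t, "SIZE " + name)[-1].split()[1])
    host, port = parse_pasv(exchange(server, t, "PASV")[-1])
    t.append("-- data channel would connect to %s:%d" % (host, port))
    if already_have:
        exchange(server, t, "REST %d" % len(already_have))
    if reply_code(exchange(server, t, "RETR " + name)) != 226:
        raise RuntimeError("transfer failed")
    data = already_have + server.read_data()
    remote_crc = int(exchange(server, t, "XCRC " + name)[-1].split()[1], 16)
    exchange(server, t, "QUIT")
    return {"data": data, "size_ok": len(data) == size,
            "crc_ok": zlib.crc32(data) == remote_crc, "transcript": t}


if __name__ == "__main__":
    good = download_and_verify(FakeFtpServer(SAMPLE_FILES), "report.bin")
    print("\n".join(good["transcript"]))
    print("file intact:", good["size_ok"] and good["crc_ok"])
    bad = download_and_verify(FakeFtpServer(SAMPLE_FILES, corrupt_data=True), "report.bin")
    print("damaged transfer caught by XCRC:", not bad["crc_ok"])
```

A matching SIZE only proves the byte count; the XCRC comparison is what catches a transfer whose contents were altered or truncated and re-padded, which is why a client that resumes with REST should check the whole file, not just the resumed tail.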
SFTP
Enabling SFTP on the Site
To enable SFTP
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Next to the Site key pair box, click Create to create a site key pair. The Create SSH2 Public/Private Keypair dialog box appears. (To reuse a key pair you already have, enter or browse to its path instead.)
5. Type a name for the key pair and the location to store it, then click Finish. The Server generates and stores the key pair; it is the host key that identifies the Site to SFTP clients.
6. Select the ciphers the Site will allow for encrypting SFTP sessions and the MACs it will allow for message authentication (see SFTP Transport Layer Settings and SFTP Algorithms below).
7. Click Apply. A message appears telling you the site must be restarted for the changes to take effect. Click Yes.
If you want to change the SFTP port, click the Connection Options tab and specify the port number next to Enable SFTP (SSH2) access on port. (22 is the default port for the SFTP protocol.)
SFTP Transport Layer Settings
Message Authentication Codes (MAC) are algorithms used to confirm that data has not been altered between the client and server.
To select Message Authentication Codes (MAC)
1. In the Administrator, connect to the server, then click the Server tab. SFTP should be enabled.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Select the MACs the Site will accept, then click Apply. The available MACs are:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
Note:
hmac-md5 and hmac-md5-96 are built on MD5, which is not a FIPS-approved hash function; leave them cleared on a Site that must operate in FIPS mode and offer hmac-sha1 instead. The -96 variants truncate the authentication tag to 96 bits; check the cryptographic module's security policy before relying on hmac-sha1-96 in FIPS mode. The connecting client's preference order, not the Server's, decides which of the offered MACs a session uses, so every MAC you leave selected is one a client may end up with.
SFTP Algorithms
To specify encryption algorithms (ciphers)
1. In the Administrator, connect to the server, then click the Server tab. SFTP should be enabled.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Select the ciphers the Site will accept, then click Apply. The available ciphers are:
• aes128 - Advanced Encryption Standard (AES) block cipher using 128-bit keys. AES is the FIPS-approved choice.
• ARCFOUR - Arcfour is intended to be compatible with the RC4 stream cipher, a trademark of RSA Data Security. It uses a 128-bit key. RC4 has known statistical weaknesses and is not a FIPS-approved algorithm; leave it cleared unless a legacy client requires it.
• cbc - Cipher Block Chaining is not a cipher but the mode in which the block ciphers in this list are run: each plaintext block is combined with the previous ciphertext block before encryption, so every block has to be in the correct order to be decrypted properly.
• CAST128 - This cipher is the CAST block cipher using 128-bit keys.
• Triple DES (3DES) - This algorithm uses a 192-bit (24-byte) key made up of three 64-bit DES keys (56 effective bits each) and runs DES three times over each block. Triple DES is widely supported and is a FIPS-approved algorithm (NIST has since deprecated it), but it is slower than AES and provides only 112 bits of effective strength.
• Blowfish - The Blowfish algorithm is a public-domain block cipher using a 128-bit key. Blowfish was designed as a replacement for DES. It is not a FIPS-approved algorithm.
• Twofish - Twofish is a successor to Blowfish. Secure FTP Server recognizes Twofish encryption using 128- and 256-bit keys. It is not a FIPS-approved algorithm.
Note:
Of the ciphers listed, only AES and Triple DES are FIPS-approved. A session that negotiates a non-approved cipher or MAC is not using FIPS-approved cryptography, whatever module is installed. As with MACs, the connecting client's preference order decides which of the offered ciphers is used.
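SSH does not let the Server pick the algorithm: under RFC 4253 section 7.1 each side sends its list in KEXINIT and the winner is the first entry on the client's list that the server also offers. The Python below is an added example, not the product's code, that applies that rule to the cipher and MAC choices in the two sections above, once with every box selected and once after filtering the Site's lists down to FIPS-approved algorithms. The SSH wire names (aes128-cbc, hmac-md5, and so on), the FIPS sets, and the three client preference lists are assumptions of the example.

```python
# SSH wire names (RFC 4253, RFC 4344) for the options on the SFTP Settings tab.
# That the Server advertises its choices under exactly these names is an
# assumption of this example.
SITE_CIPHERS_ALL = ["aes128-cbc", "arcfour", "cast128-cbc", "3des-cbc",
                    "blowfish-cbc", "twofish128-cbc", "twofish256-cbc"]
SITE_MACS_ALL = ["hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"]

# FIPS 140-2 Annex A approved algorithms among those offered: AES and Triple
# DES for confidentiality, HMAC with SHA-1 for integrity. hmac-sha1-96 is a
# truncated HMAC; whether a validation covers it depends on the module's
# security policy, so this conservative list leaves it out.
FIPS_CIPHERS = {"aes128-cbc", "3des-cbc"}
FIPS_MACS = {"hmac-sha1"}


def negotiate(client_prefs, server_offers):
    """RFC 4253 section 7.1: take the first algorithm in the client's order
    that the server also supports; None means the connection fails."""
    offered = set(server_offers)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def harden(ciphers, macs):
    """Keep only FIPS-approved entries, preserving the Site's order."""
    return ([c for c in ciphers if c in FIPS_CIPHERS],
            [m for m in macs if m in FIPS_MACS])


# Constructed clients: a legacy one that prefers the weakest options, a
# modern one that prefers CTR modes the Site does not offer, and one that
# only speaks AEAD ciphers (which do not use a separate MAC at all).
CLIENTS = {
    "legacy": (["arcfour", "3des-cbc", "aes128-cbc"],
               ["hmac-md5", "hmac-sha1"]),
    "modern": (["aes256-ctr", "aes128-ctr", "aes128-cbc"],
               ["hmac-sha2-256", "hmac-sha1"]),
    "aead-only": (["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                  ["umac-128-etm@openssh.com"]),
}


def outcomes(site_ciphers, site_macs, clients=CLIENTS):
    """What each client would actually get from this Site configuration.
    A session needs both a cipher and a MAC; failing either fails the login."""
    result = {}
    for name, (cipher_prefs, mac_prefs) in clients.items():
        cipher = negotiate(cipher_prefs, site_ciphers)
        mac = negotiate(mac_prefs, site_macs)
        result[name] = (cipher, mac) if cipher and mac else None
    return result


if __name__ == "__main__":
    print("all boxes selected:", outcomes(SITE_CIPHERS_ALL, SITE_MACS_ALL))
    fips_ciphers, fips_macs = harden(SITE_CIPHERS_ALL, SITE_MACS_ALL)
    print("FIPS-approved only:", outcomes(fips_ciphers, fips_macs))
```

With every box selected the legacy client lands on arcfour with hmac-md5 even though the Site also offers AES; after hardening it drops to 3des-cbc rather than AES, because the Site can only trim the menu, not reorder the client's preferences. The AEAD-only client fails in both cases, which is the failure mode to expect when a Site's lists are restricted: clients that share nothing with the Site cannot connect at all.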
Assigning a Site's IP Address and Port
A Site's IP address is specified when it is created. You can define a listening port number and IP address for each Site. The default port for FTP Sites is 21. You can specify any value between 1 and 65,535. You can change the Site's IP address and port using the procedure below.
Warning:
Assigning a port number below 1024 may lead to conflicts with other programs running on your computer.
To change the listening (incoming) IP address and/or port
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
4. Change the listening IP address and/or port number, then click Apply.
Creating SSH2 Public/Private Keypairs
When a client attempts to create an SFTP connection with the Server, the Server presents its host public key so the client can verify the Server's identity. You can create the necessary key pair with the Server and use the same key pair for several Sites, or create separate key pairs for individual Sites. Clients remember the fingerprint of the host key they first saw and warn the user when it changes, so if you later replace a Site's key pair, distribute the new fingerprint to users before switching.
To create a key pair
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the main menu, click Tools, then click SSH2 Key Pair Generation Wizard.
• On the Site's SFTP tab, next to the Site Key Pair box, click Create.
The Create SSH2 Public/Private Keypair wizard appears.
3. Specify a key pair name and location to store it, then click Next. The password page of the wizard appears.
4. Provide and confirm the passphrase. The passphrase cannot contain more than 256 characters, cannot consist only of spaces and periods, and cannot contain the following characters:
• / (forward slash)
• \ (back slash)
• [ (left bracket)
• ] (right bracket)
• ; (semicolon)
• : (colon)
• | (pipe)
• = (equal sign)
• , (comma)
• + (plus sign)
• ? (question mark)
• < (left angle bracket)
• > (right angle bracket)
• { (left curly brace)
• } (right curly brace)
5. Click Finish. While the Server is creating the key, the Generating Key Pair message appears, then a confirmation message appears.
6. The confirmation message displays the location and file names of the key pair files. Click Yes to add the public key to the SSH Key Manager, or No if you do not want to add it.
7. If you click Yes, the Add key to storage dialog box appears.
8. Provide a descriptive name for the public key, then click OK. The new key now appears in the SSH Key Manager.
Note:
To use the key for other Sites, rather than click Create, enter or browse to the path where you stored the key in the Site key pair box of the SFTP Settings tab. The private key file and its passphrase are what identify the Site to clients: restrict access to the file to the Server's service account and its administrators.
Allowing Access Using SFTP Password Authentication
SFTP is configured and enabled at the Site level. You can also disable and enable SFTP access at the User Setting Level and user level.
To allow users to connect using SFTP
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Security tab.
4. Enable SFTP for the user or User Setting Level, then select how the user must authenticate:
• Specified in Settings Level - (Only an option for users.) Requires what is specified at the User Setting Level (the default).
• Password only - Require the user's password to authenticate the connection.
• Public key only - Require the client to authenticate with the SSH private key that matches a public key you have assigned to the account. If this is selected, you must also select the public key from the respective drop-down menu.
• Public key & Password - Require both the key and the password. If this is selected, you must also select the public key in the Select public key list that appears.
5. Click Apply.
Note:
If the check box is grayed out, the user is inheriting the permission or requirement from the User Setting Level. Public key authentication never sends the private key over the connection; the client proves possession of it, which is why the matching public key must be imported and assigned to the account beforehand (see Viewing, Importing, Renaming, and Deleting Client Keys).
Viewing, Importing, Renaming, and Deleting Client Keys
SFTP/SSH keys defined for a Site appear in the SSH Key Manager. The SSH Key Manager displays the key name, fingerprint, and the username(s) assigned.
To view, import, rename, or delete keys
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Open the SSH Key Manager. Each key is listed with:
• Name - displays the name of the key. When a key is imported, no assigned usernames are displayed.
• Fingerprint - displays the fingerprint of the key.
• Assigned - displays the username(s) assigned to the key. Multiple usernames are separated by commas.
5. Do one of the following:
• To sort keys, click the Name or the Fingerprint column.
• To import keys, click Import, then browse for and select the key. You can import any .pub file accessible from the computer on which the Administrator is installed. Before assigning an imported key to an account, confirm its fingerprint with the user through a channel other than the one the file arrived on; otherwise anyone who can place a .pub file on the Administrator's computer can have a key of their choosing accepted.
• To delete a key, click the key in the list, then click Delete.
• To rename a key, click the key in the list, then click Rename, or press F2.
SSL
Enabling FTPS and HTTPS (SSL) at the Site Level
The Server lets you configure SSL connections for all Sites (at the Server level), at the Site level, at the User Setting Level, or at the user level, or with a combination of these four levels. SSL must first be enabled at the Server and Site level; it can then be enabled per User Setting Level and user.
To enable SSL at the site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. To allow both standard FTP connections and SSL connections, select the Enable FTP access on port check box, and specify the port number. Clear the Enable FTP access on port check box to allow only SSL connections to the Site.
Note:
If you clear Enable FTP access, you must enable one or more of the other connection options or no one will be able to connect to the Site.
5. To allow SSL connections over HTTPS, select the Allow HTTPS transfers on port check box and specify the port number. (The default is 443.)
6. To allow implicit FTPS (SSL), select the Allow implicit FTPS (SSL) on port check box and specify the port number. With implicit FTPS the SSL handshake begins as soon as the client connects.
7. To allow explicit FTPS (SSL/TLS), select the Allow explicit FTPS (SSL/TLS) on default FTP port check box. Explicit FTPS shares the FTP port rather than using a separate one: the client connects in the clear and upgrades the session with the AUTH TLS (or AUTH SSL) command.
Note:
If the Allow implicit FTPS (SSL) on port check box is selected, you can change the implicit SSL port. The default port is 990, which is normally used by FTP clients that support implicit SSL.
8. Specify the Certificate and Private Key files. If you used the Create SSL Certificate Wizard and selected the Set up Server to use the generated certificate check box, the Certificate and Private Key file paths are already completed. Otherwise, choose the files using the associated folder icon.
9. In the Private Key Passphrase box, type the passphrase specified when the certificate was created. An incorrect passphrase generates errors when you click Apply.
10. Optionally, select Require certificates from connecting clients.
11. If Require certificates from connecting clients is not selected, clients that support SSL can connect to the Server without supplying a certificate. If it is selected, FTP clients requesting an SSL connection must present a certificate before the Server will allow them to connect. The client certificate must be in the Trusted Certificates database or signed by a certificate in the Trusted Certificates database. If the client presents a certificate that does not meet those conditions, the connection is denied; its certificate is, however, placed in the Pending Certificates database, where it can later be added to the Trusted Certificates database. If the client does not present a certificate, the connection is denied. Because anything a client presents lands in the Pending list, treat that list as untrusted input: confirm a certificate's fingerprint with its owner out of band before moving it to Trusted.
12. Click Apply to save the changes.
Disabling SSL Connections
You can disable SSL support for every user on the Server by disabling SSL support at the Site level, or you can disable SSL for a specific user or User Setting Level.
To disable SSL connections for a site on the Server
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. Clear BOTH the Allow explicit FTPS (SSL/TLS) and Allow implicit FTPS (SSL) check boxes, then click Apply.
Note:
If SSL connections are disabled at the Site level, they are also disabled for all User Setting Levels and users on the Site.
To disable SSL connections for a user or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Security tab.
4. In the protocol permissions, clear the SSL connection check boxes, then click Apply.
Creating Certificates
A self-signed certificate contains a public key, information about the owner of the certificate, and the owner's own signature over that information. It has an associated private key, but nothing vouches for the certificate's origin: no third-party certificate authority has verified it, so a client can trust it only by being given the certificate itself.
To achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively.
The Server must have a certificate and private key associated with it before it can accept SSL connections. When you are administering the Server on the local computer, you can create certificates using the Certificate Creation Wizard (Tools, then click Certificate Creation Wizard) or import your own. There are three types of files associated with an SSL certificate key pair:
• Private key file (.key) - The private key should never be distributed to anyone. During the SSL handshake it is what proves the Server is the owner of the certificate (and, with RSA key exchange, decrypts the session key the client encrypted with the certificate's public key).
• Certificate request file (.csr) - Each time you create a certificate using the Server, a certificate request file is also created. This file can be signed by the Server's Certificate Signing Utility or sent to a certificate authority, such as GeoTrust, for signing.
• Certificate file (.crt) - This is a signed certificate, whether self-signed or signed by a certificate authority.
For maximum compliance with security standards, you should use a certificate signed by a trusted authority. You can import certificates or use this wizard to create your own. The private key (.key) and certificate request (.csr) files are created at the same time. You cannot create certificates for the Server while remotely administering it, because the key files would then be generated on the administering computer rather than on the Server.
Any certificates you create remain on the computer on which you created them, unless you take special steps to deliver and associate these files with another computer.
To create an SSL certificate
1. In the Administrator, connect to the server
, then click the Server tab.
2. Do one of the following:
• On the main menu, click Tools, then click Certificate Creation Wizard.
• On the toolbar, click the New SSL Certificate icon.
The Create SSL Certificate wizard appears.
3. Specify a name for the certificate and the folder in which to save it, then click Next. The wizard saves the .key, .csr, and .crt files in this folder.
Note:
If you are purchasing a signed certificate from a certificate authority (CA), you usually need to forward the contents of the request to the CA. Locate the .csr and open it in a text editor, then copy and paste the contents into an email. The .csr contains only the public key and your identifying information; never send the .key file.
4. Provide and confirm a passphrase for the private key. The passphrase can be any combination of characters or spaces. Do not lose the passphrase; the certificate is useless without it.
5. Select the key length. Smaller keys are faster; larger keys are more secure. Click Next before continuing.
6. Provide the identifying information for the certificate. The information you provide is stored in the certificate.
7. In the State/Province box, provide the name of the state or province.
8. In the Organization box, provide the name of your organization, or any other designator.
9. In the Common Name box, provide the common name or fully qualified domain name, such as www.globalscape.com. (Typically, the name or domain name associated with the Site.) Clients compare this name with the host name they connected to, so it must match the name users type.
10. In the E-Mail box, provide your email address in the usual user@domain form.
11. In the Unit box, type any other information about your organization, such as a department name.
12. In the Country box, provide the 2-letter ISO country code using uppercase letters.
13. Click Next. The Certificate Options page appears.
14. If Use this certificate for server authentication is cleared, the wizard saves only the certificate files in the folder you previously specified. If it is selected, the wizard associates the certificate with the administration service or the Site(s) you specify.
Note:
Associating a new certificate with a Site requires a restart of the Site, and any active users will be disconnected, so it is recommended that you associate certificates when Sites are inactive or stopped.
15. If Add this certificate to the Trusted Certificate list is selected, the wizard adds the certificate to the Trusted Certificates database. Use this feature if you are creating certificates for user distribution. You can limit Server access to just the users that have the certificate. You can verify the addition to the Trusted Certificates database by clicking Tools, then Certificate Manager, or on the toolbar, click the Certificate Manager icon.
16. In the Apply certificate to list, specify the component of the Server affected.
17. Click Finish.
Selecting a Certificate
To assign a certificate you have created or obtained to a site
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. Select the Allow implicit FTPS (SSL) on port check box, the Allow explicit FTPS (SSL/TLS) on default FTP port check box, or both.
5. Select the certificate by clicking the browse button next to the Certificate file path.
6. Select the private key by clicking the browse button next to the Private Key file path.
7. In the Private Key Passphrase box, type the passphrase you specified when creating the certificate.
8. Click Apply.
Signing a Certificate
The Server can sign certificate requests created by other clients. Typically, the client certificate request is signed with the certificate created for the Server. If a certificate from the Server's Trusted Certificates database is used to sign client certificates, then all certificates you sign are automatically trusted. Signing a request therefore grants the requester access to every Site that trusts the signing certificate; confirm who sent the request, and that the name in it is theirs, before you sign.
To sign a certificate request
1. Obtain the Certificate Signing Request file (.csr). This can be done through email or any other file delivery method.
2. In the Administrator, connect to the server, then click the Server tab.
3. On the main menu, click Tools, then click Certificate Signing Utility, or click the Certificate Signing Utility icon. The Certificate Signing Utility dialog box appears.
4. Browse to the Certificate Signing Request (.csr) file you want to sign.
5. Complete the remaining options of the utility: the certificate and private key to sign with (if different from the Site's), the expiration date of the new certificate, and the folder in which to save it. The signing certificate must be in the Trusted Certificates database in order for clients submitting the signed certificate to connect to the Site.
6. Click OK. The new certificate is saved in the folder you specified.
7. Return the certificate file (.crt) to the user.
Trusted Certificates
If you require certificates from connecting clients, then a client's certificate must be in the Trusted Certificates database, or signed by a certificate in the Trusted Certificates database, before the client can connect.
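To see the rule in the paragraph above enforced end to end, the added Python example below (not code from the guide or from GlobalSCAPE) reproduces the workflow of Creating Certificates, Signing a Certificate and Require certificates from connecting clients with OpenSSL and the standard library: it generates a self-signed Site certificate, signs a client request with it, and then runs a TLS listener whose trust store holds only the Site certificate, so a client presenting the signed certificate is accepted while one with an untrusted self-signed certificate, or with none at all, is refused. The host name ftp.example.test, the user names and the "230" greeting are assumptions, and the openssl binary must be on the path.

```python
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HAVE_OPENSSL = shutil.which("openssl") is not None
HOST = "ftp.example.test"   # made-up Site host name, used as the certificate's SAN


def openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_materials(d):
    """What the Certificate Creation Wizard and the Certificate Signing Utility
    produce: a self-signed Site certificate, a client request signed by it,
    and an unrelated self-signed client certificate (the untrusted case)."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=" + HOST, "-addext", "subjectAltName=DNS:" + HOST,
            "-keyout", d + "/site.key", "-out", d + "/site.crt")
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=jsmith",
            "-keyout", d + "/jsmith.key", "-out", d + "/jsmith.csr")
    openssl("x509", "-req", "-days", "1", "-in", d + "/jsmith.csr",
            "-CA", d + "/site.crt", "-CAkey", d + "/site.key",
            "-CAcreateserial", "-out", d + "/jsmith.crt")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=mallory", "-keyout", d + "/mallory.key",
            "-out", d + "/mallory.crt")


def site_context(d, require_client_cert):
    """The Site's TLS settings. The trust store plays the part of the Trusted
    Certificates database and holds only the Site's own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(d + "/site.crt", d + "/site.key")
    if require_client_cert:       # 'Require certificates from connecting clients'
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(d + "/site.crt")
    return ctx


def serve(listener, ctx, count):
    """Accept `count` connections; greet the ones whose handshake passes."""
    for _ in range(count):
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(64)
                tls.sendall(b"230 Login OK.\r\n")
        except OSError:
            pass                  # handshake refused: no cert, or cert not trusted
        finally:
            conn.close()


def attempt(port, trust_file, cert=None, key=None):
    """Connect the way an FTPS client would; 'accepted' if the Site answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies Site cert and host name
    ctx.load_verify_locations(trust_file)
    if cert:
        ctx.load_cert_chain(cert, key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                tls.sendall(b"USER jsmith\r\n")
                return "accepted" if tls.recv(64).startswith(b"230") else "rejected"
    except OSError:
        return "rejected"


def run_demo(require_client_cert=True):
    """Outcome for each kind of client against one setting of the Site."""
    if not HAVE_OPENSSL:
        raise RuntimeError("openssl binary not found")
    d = tempfile.mkdtemp()
    try:
        make_materials(d)
        cases = {"signed_by_trusted": ("jsmith.crt", "jsmith.key"),
                 "untrusted_self_signed": ("mallory.crt", "mallory.key"),
                 "no_certificate": (None, None)}
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(len(cases))
        listener.settimeout(30)
        worker = threading.Thread(
            target=serve, args=(listener, site_context(d, require_client_cert), len(cases)))
        worker.start()
        port = listener.getsockname()[1]
        results = {}
        for label, (crt, key) in cases.items():
            results[label] = attempt(port, d + "/site.crt",
                                     crt and d + "/" + crt, key and d + "/" + key)
        worker.join()
        listener.close()
        return results
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print("require client certificates:", run_demo(True))
    print("certificates optional:", run_demo(False))
```

The first call is the Site with Require certificates from connecting clients selected; the second is the same Site with the box cleared, where every client is accepted. Unlike the Server, this listener keeps no Pending list: an untrusted certificate is simply refused, so the decision to trust it has to be made by an administrator importing the file, never by the act of connecting.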
The Certificate Manager is used to manage the SSL certificates for a Site.
To open the Certificate Manager
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Tools, then click Certificate Manager, or click the Certificate Manager icon on the toolbar. The Certificate Manager appears.
• To view all of the certificates for a Site, click the Site down arrow to select the Site. The certificates for the selected Site appear in the Trusted Certificates and Pending Certificates lists.
• To view the properties of a certificate, click the certificate in the list, then click Properties. The Certificate Contents dialog box appears, showing the Issuer and Subject information and the dates between which the certificate is valid.
• To import a certificate for a Site, see Importing a Certificate; to export one, see Exporting a Certificate.
• To remove a certificate from the Trusted Certificates or Pending Certificates list, click the certificate, then click Remove.
• To create a new certificate, see Creating Certificates.
Importing a Certificate
To import a certificate to a Site
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Tools, then click Certificate Manager. The Certificate Manager appears.
3. In either the Trusted Certificates or Pending Certificates list, click Import.
4. Browse to the folder that contains the client's certificate file and click the file.
Note:
The Server can import a digital certificate from the following formats: PEM, Base64 Encoded X509, DER Encoded X509, PKCS#7, PKCS#12.
The Private Key associated with the digital certificate must be in one of the following formats: PEM, DER, PKCS#8, PKCS#12.
If you cannot determine the format, or if the import fails, you can manually convert a digital certificate to one of the above formats and import it. Consult the distributor/vendor of your certificate for details on this process.
The certificate is added to the Trusted Certificates database. Clients submitting that certificate, or one signed by it, are now able to connect to the Server, so import only certificates whose owner you have verified.
Exporting a Certificate
To export a certificate from the database
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Tools, then click Certificate Manager. The Certificate Manager dialog box appears.
3. In either the Trusted Certificates or Pending Certificates list, click Export, and browse to the folder where you want to save the certificate file.
4. Type a name for the certificate file, then click Save.
Importing Certificates from Microsoft IIS 5
To use a certificate that you are using in IIS 5 you must:
1. Add a Certificates snap-in to your Microsoft Management Console.
2. Export the certificate from IIS 5.
3. Import the certificate into the Server.
To add the Certificates snap-in
1. On the computer containing the certificate you want, click Start, then Run, and then type mmc to open the Microsoft Management Console.
2. On the Console menu, click File, then click Add/Remove Snap-in.
4. Click Certificates, then click Add.
7. Close the Add Standalone Snap-in dialog box.
To export the certificate from IIS 5
7. Provide the password you used when you created the certificate, then click Next. This creates a .pfx file. The .pfx file contains the private key as well as the certificate; keep it protected and delete the copy once it has been imported into the Server.
To import the certificate into the Server
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. To allow implicit FTPS (SSL), select the Allow implicit FTPS (SSL) on port check box and specify the port number.
5. To allow explicit FTPS (SSL/TLS), select the Allow explicit FTPS (SSL/TLS) on default FTP port check box.
6. Next to the Certificate file path, click the browse button and click the .pfx file you created.
7. Next to the Private Key file path, click the browse button and click the same .pfx file; a PKCS#12 file holds both the certificate and its private key.
8. Type the password you used when you created your certificate in Private key Passphrase.
9. Click Apply.
Site-Level Transfer and Connection Settings
Setting Maximum Concurrent Logins
You can set the maximum number of connections to the Server at the Site level. With multiple Sites, this means that some Sites can allow more users than other Sites.
To restrict the number of user logins
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max concurrent logins check box, then specify the maximum number of simultaneous logins you want to allow to the Site. If the box is cleared, the Server does not restrict the number of logins.
5. Click Apply.
Setting Maximum Connections per User (Site Level)
Note:
The Site level sets the limit for all sub levels. For example, if the Site level Max connections per user is 5, and a user's Max connections per user is set to 10, the user can still only connect to the Server 5 times simultaneously.
To set maximum connections per user at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max connections per user check box, then specify the number. If the box is cleared, a user can create an unlimited number of concurrent connections to the Site (or according to the limits defined at the User or User Setting Level).
5. Click Apply.
Setting Maximum Connections per IP for a Site
You can set the maximum number of simultaneous connections emanating from the same IP address at the Site, User Setting Level, and per user.
Note:
The Site level sets the limits of the User and User Setting Levels. Clients behind a shared NAT gateway or proxy all present the same source address, so set the Site limit high enough for the largest such group you expect to serve.
To set maximum connections per IP address at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max connections per IP check box, then specify the number of simultaneous connections you want to allow from the same IP address.
5. Click Apply.
Banning Unwanted File Types
The Server can block the upload or download of certain files. You can specify which files to block using wildcards or exact file names.
For example, to block a file called virus.wav, you can type any of the following:
• virus.wav (blocks the specific file)
• *.wav (blocks all .wav files)
• *.wa? (blocks all files whose extension is "wa" followed by exactly one more character)
Note:
Take care when defining files to block with wildcards so that you do not block files that you want to allow. A ban list matches names only: it does not inspect file contents, and a file renamed to an unlisted extension is not blocked.
To ban files
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. In the Banned File Types area, select the Exclude the following files from the site check box, then type the filename or wildcard representation (*.mp3 or *.mp?) for the file(s) you want to exclude from the Site. Separate multiple entries with commas.
5. Click Apply.
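The added Python example below (not the product's matcher) shows what a comma-separated ban list actually catches when the patterns are applied with standard wildcard rules, including the cases the note warns about: a "?" matches exactly one character, so "*.wa?" also catches report.war; and because patterns are compared against the final name only, virus.wav.exe slips past "*.wav". Case-insensitive comparison and the stripping of folder names are assumptions about the Server's behaviour, chosen because it runs on Windows; the candidate file names other than virus.wav are constructed.

```python
import fnmatch


def parse_ban_list(text):
    """Split the comma-separated entry typed into the Banned File Types box."""
    return [p.strip() for p in text.split(",") if p.strip()]


def is_banned(filename, patterns, case_sensitive=False):
    """True if the file's name matches any ban pattern.

    Only the last path component is compared, and the comparison is
    case-insensitive by default: both are assumptions about the Server's
    matcher, chosen because it runs on Windows."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not case_sensitive:
        name, patterns = name.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def audit(ban_list, candidates):
    """Map each candidate name to whether the ban list blocks it."""
    patterns = parse_ban_list(ban_list)
    return {c: is_banned(c, patterns) for c in candidates}


# Constructed file names; only virus.wav comes from the guide.
CANDIDATES = ["virus.wav", "VIRUS.WAV", "uploads/virus.wav", "virus.wav.exe",
              "report.war", "stopwatch.watch", "setup.exe"]

if __name__ == "__main__":
    for entry in ("virus.wav", "*.wav", "*.wa?"):
        blocked = [c for c, hit in audit(entry, CANDIDATES).items() if hit]
        print("%-10s blocks %s" % (entry, blocked))
```

Run it to see that "*.wa?" is the entry that over-blocks (report.war goes with virus.wav) while every entry under-blocks virus.wav.exe; a ban list is a convenience filter, not a substitute for scanning what users upload.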
Creating and Configuring Users and User Setting Levels
How User Setting Levels Work
Every client account or user must be a member of a User Setting Level. User Setting Levels exist within a Site. User Setting Levels consist of a group of security and access-control settings used as a template.
Each new user is assigned to a User Setting Level whose settings determine how the Server resources may be used. One User Setting Level might be quite restrictive, while another might allow more access to resources. For example, power users would be assigned to a setting level allowing greater flexibility in using the Server resources, while guest users would be assigned to a more restrictive level where use of the Server resources is very limited. User Setting Levels allow an administrator to make changes at the User Setting Level that affect all users within the level. The basic profile of individual users can also be changed (overriding the template). Users can also be moved between User Setting Levels; users that are moved inherit the properties of the new User Setting Level, but retain any modifications (overrides) made by the administrator.
The Server installs with one User Setting Level named Default Settings. Additional User Setting Levels can be added to define access to the Server resources for various types of users. You cannot delete the Default Settings User Setting Level when it is the only User Setting Level.
Note:
User Setting Levels apply to the Server resources. Permissions assigned to Groups control access to folders on your system.
Creating User Setting Levels
You can create one or more User Setting Levels before or after creating users and subsequently assign users to the desired User Setting Level. This allows you to control the Server's resources while still giving your users the flexibility they need to transfer essential files.
To create a new User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, then click Create New User Setting Level. The Create New User Setting Level dialog box appears.
3. Optionally, type a Description for the User Setting Level.
4. Click the new User Setting Level, then click the Main tab.
5. The User Setting Level is enabled by default. To disable it, clear the Enable this settings level check box.
6. If this is to be the default settings level, click Set as default. Its name in the tree becomes bold.
7. In the Description box, type a description (optional).
8. See Specifying a User's Home Folder for details about specifying the home folder for all users in this User Setting Level.
9. In the Login message box, click the appropriate action from the drop-down menu above the text box, then, if necessary, edit the Login Message in the text box. The available actions include:
• Use default - Use the default login message (specified in the Default Settings node of the User Setting Levels).
• Add to default - Add the message in the text box to the default login message.
• Replace default - Replace the default login message with the message in the text box.
• None - Do not display a login message.
10. Select the Restrict IP Access check box if you want to use the TCP/IP Access Restrictions area to restrict access to the Server by IP address. See Controlling Access by IP Address for details of using this feature.
11. Click the Security tab. For information about the settings on this tab, see:
• Security Options
  o Allowing users to change their passwords
  o Allowing users to verify file integrity
  o Restricting User to a Single IP Address
• Protocol permissions
  o Enabling and Managing Connection Protocols
12. Select the Quota tab. For information about the settings on this tab, see:
• Transfer Limits
  o Setting maximum transfers per session
• Connection
  o Setting maximum transfer speeds
  o Setting maximum connections per IP
  o Setting maximum connections per User
• Disk Quota
  o Configure user disk quotas
13. Click Apply to save the changes.
Inheritance
A user initially shares the settings of the User Setting Level in which the account was created. When you view user properties, inherited settings are marked by gray check boxes. You can override inherited settings by clearing or selecting the check box.
The check boxes toggle through three settings:
• Inherited - A gray check box means no changes have been made by the administrator to the settings inherited from the User Setting Level. This is a neutral indicator and simply means the user's setting is the same as the User Setting Level for that option.
• Overridden, allowed - A black check mark indicates that the administrator has overridden this inherited setting. This setting is enabled for the user even if it is disabled in the User Setting Level.
• Overridden, not allowed - A blank check box means the administrator has overridden this inherited option. This setting does not apply to the user, even if it is enabled in the User Setting Level.
You can change a user’s User Setting Level by dragging and dropping the user into a different level. The account's inherited settings change to reflect the settings of its new User Setting Level; however, if an account contains modified (overridden) settings and is moved to a new User Setting Level, those modifications remain in effect at the new User Setting Level.
Adding Users to a Site
To add a new user to a site
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, then click Create New User. The New User Account Setup dialog box appears.
3. In the Site list, click the Site to which you want to add a user.
4. Provide the new user's First Name and Last Name. The Server creates a Username in the format [First_Initial_Last_Name]. You can overwrite this.
5. Provide and confirm the User password.
6. Select the password type:
• Standard - A plain text password is required. (Over plain FTP it also travels in plain text; require FTPS or SFTP for such accounts wherever you can.)
• Anonymous - Any password, including nothing, allows an anonymous connection.
• Anonymous (Force Email) - Any well-formed email address is accepted as the password.
• OTP S/KEY MD4 - Used for logging in to an OTP-enabled server.
• OTP S/KEY MD5 - Used for logging in to an OTP-enabled server.
7. (Optional) In the Description box, type descriptive details of the user (e.g., Paris Office).
8. Select the User Setting Level to which you want to assign the user.
9. Select both the Create user home folder and Grant FULL permissions check boxes to create a user folder located in the Site root folder and to give the user full permissions to that folder.
10. Click Next.
11. By default, all new Users are members of the All Users group. On the Setup user groups page, double-click the left- or right-facing arrows to add/remove the new user to/from Groups.
12. Click Finish to create the new user account.
Specifying a User's Home Folder
You can specify the user's login folder at User Setting Level or per user. This is typically set at the user level, but the User Setting Level can override the user setting.
When you create a Site and select the Auto assign home folders to newly created users check box, each user account that is created gets a home folder as a subfolder of the home folder of the User Setting Level to which the user is added. For example, if you add a user jsmith to the User Setting Level "Power Users," and that User Setting Level's home folder has the VFS path /Usr/Power Users/, then the new jsmith account is generated with a home folder of /Usr/Power Users/jsmith in the Server's VFS. This is the default behavior when creating a user within the Administrator; you can override it when the Site is created. If the user is created using the COM interface, or the user appears in the Server list because a real-time Active Directory, LDAP, or ODBC query of the user account list found a valid user that was not yet added to the Server, a home folder is likewise added as a subfolder of the home folder for the User Setting Level to which the user is added.
For Sites that use NTLM/AD authentication, if the user account has a Home Folder defined by the AD administrator, the Server's VFS does not create a physical folder for the new user. Instead, it creates a virtual folder that points to the home-folder path specified in Active Directory for that user. Therefore, if jsmith exists on the AD controller as a valid user with a home folder mapped to \\192.168.20.19\common_file_share\jsmith, then when jsmith becomes a new user on the Server (using the same User Setting Level as in the example above), jsmith is assigned the home folder /Usr/Power Users/jsmith, which is a virtual folder pointing to \\192.168.20.19\common_file_share\jsmith. Because the Server service, not the connecting user, opens that UNC path, the service account must have access to the share (see Mapping a Virtual Folder to a Network Drive).
To set a user's home folder
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user you want to configure.
3. In the right pane, click the Main tab.
Note:
If you want to ensure that the User Setting Level is not controlling the user's home folder, clear the Home folder check box at the User Setting Level.
4. Select the Home folder check box.
5. Click the folder icon next to the Home folder box. The Browse dialog box appears.
6. Click the folder in which you want the user's folder placed, then click OK.
Note:
If you type or paste a path in the Home folder box, the Server does not verify that the folder exists. Check the path yourself; a mistyped path is only noticed when the user logs in.
7. To make the home folder the user's root folder, select the Treat home folder as default root folder check box.
Note:
If you built the Site with the defaults, the user's home folder is /Usr/<username>. When the Treat home folder as default root folder check box is cleared, the user logs in to that folder under its full VFS path and can browse above it, subject to VFS permissions. When the check box is selected, the user cannot browse above the home folder. Selecting it is the simplest way to confine a user to their own folder; VFS permissions still apply inside it.
Enabling or Disabling a User Setting Level or User
When you disable a User Setting Level, you disable any users in that User Setting Level that are not enabled independently of the User Setting Level.
When you disable users, their accounts and user folders are not removed, allowing you to easily enable or disable the account as needed.
To enable or disable a User Setting Level or user
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to enable/disable.
3. In the right pane, click the Main tab.
4. Do one of the following:
• To disable the user account, clear the Enable this user account check box.
• To enable the user account, select the Enable this user account check box.
5. Click Apply. In the left pane, a red "X" appears over the User Setting Level or user icon that is disabled.
Expiring a User Account
You can specify a user account to expire on a specific date. Expired accounts are not removed from the Server; they can be re-enabled at any time. Set an expiration date on temporary or contractor accounts so that they do not stay open after they are no longer needed.
To disable a user on a specific date (account expiration)
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user account for which you want to set an expiration date.
3. In the right pane, click the Main tab.
4. Enable account expiration and enter the expiration date.
5. Click Apply to save the changes on the Server. On the specified date, a red "X" appears over the user icon in the left pane, and the user account is disabled.
To enable an expired account
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user account that you want to enable.
3. In the right pane, click the Main tab.
4. Select the Enable this user account check box.
5. Click Apply to save the changes on the Server. The red "X" over the user icon in the left pane disappears.
Enabling and Managing Connection Protocols
FTP, HTTP, SFTP, and SSL connections are configured at the Site level and can be enabled at the Site or User Setting Level, or per user. Enable only the protocols a user actually needs; plain FTP and HTTP send credentials and data in clear text.
To enable a connection protocol for a User Setting Level or a user
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to configure.
3. In the right pane, click the Security tab.
Note:
If the check box contains a gray check mark, the user or User Setting Level is inheriting the permission from the parent level.
4. Do one or more of the following:
• To allow/disable FTP access, select/clear the Enable FTP check box.
• To allow/disable HTTP access, select/clear the Enable HTTP check box.
• To allow/disable SSL access, select/clear the Enable SSL over FTP and HTTP protocols check box, then do the following:
a. Select the authentication method: Public key only or Password only.
b. If you chose Public key only, in the User Certificate list, click the certificate that identifies this user. The client must present that certificate when it connects.
• To allow/disable SFTP access, select/clear the Enable SFTP protocol check box, then do the following:
a. Select the authentication method: Password only, Public key only, or Public Key & Password.
b. If you chose Public key only or Public Key & Password, in the Authentication key list, click Edit List. The SFTP Public Key Select dialog box appears. The SFTP Public Keys that are defined for this Site appear in the dialog box. If no keys appear, see SFTP.
c. Select the key(s) that belong to this user, then click Add. The selected key(s) appear in the Keys valid for client list and, when you close the dialog box, in the Authentication key list. Confirm each key's fingerprint with the user out of band before adding it; any client holding the matching private key can log in as this user.
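Before a public key is added to the Keys valid for client list, it is worth checking that the text the user sent really is one well-formed key of the expected type and size, and noting its fingerprint so it can be confirmed with the user. The following is an added example, not part of the Secure FTP Server product or this guide: it parses an OpenSSH-format "ssh-rsa" public-key line, rejects malformed input (wrong type, type field that disagrees with the key blob, trailing bytes, truncated data), enforces a minimum modulus size, and prints the same SHA256 fingerprint form that ssh-keygen -lf shows. The sample keys are constructed numbers with the right bit lengths, not real key pairs.

```python
import base64
import hashlib
import struct
from typing import Tuple


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build an OpenSSH public-key line ('ssh-rsa AAAA...') from RSA numbers."""
    parts = [b"ssh-rsa", _mpint(e), _mpint(n)]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def parse_ssh_pubkey(line: str) -> dict:
    """Parse an OpenSSH 'ssh-rsa <base64> [comment]' line into its components.

    Raises ValueError for anything that is not exactly one well-formed ssh-rsa key.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode("ascii"):
        raise ValueError("key type field does not match the key blob")
    if key_type != "ssh-rsa":
        raise ValueError("unsupported key type: " + key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    n = int.from_bytes(n_bytes, "big")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "fingerprint": "SHA256:" + digest,   # same form that ssh-keygen -lf prints
        "comment": comment,
    }


def check_key_policy(line: str, min_bits: int = 2048) -> dict:
    """Parse the key and enforce a minimum RSA modulus size; returns the parsed key."""
    key = parse_ssh_pubkey(line)
    if key["bits"] < min_bits:
        raise ValueError("RSA modulus is %d bits; require at least %d" % (key["bits"], min_bits))
    return key


def key_is_acceptable(line: str, min_bits: int = 2048) -> bool:
    """True if the line would pass check_key_policy, False otherwise."""
    try:
        check_key_policy(line, min_bits)
        return True
    except ValueError:
        return False


# Constructed sample values (assumptions for this example, not real keys): a
# modulus that merely has 2048 bits, and a 1024-bit one that policy must reject.
SAMPLE_OK = encode_ssh_rsa(65537, (1 << 2047) | 0x10001) + " jsmith@example"
SAMPLE_SHORT = encode_ssh_rsa(65537, (1 << 1023) | 0x10001)
_ok_blob = base64.b64decode(SAMPLE_OK.split()[1])
SAMPLE_BAD = [
    "ssh-rsa AAAA",                                                # truncated blob
    "ssh-ed25519 " + SAMPLE_OK.split()[1],                         # type field disagrees with blob
    "ssh-rsa " + base64.b64encode(_ok_blob + b"\x00").decode("ascii"),  # trailing bytes
    SAMPLE_SHORT,                                                  # modulus too small
]

if __name__ == "__main__":
    info = check_key_policy(SAMPLE_OK)
    print(info["type"], info["bits"], info["fingerprint"], info["comment"])
```

Read the fingerprint back to the user over a channel other than the one the key arrived on; if it does not match what ssh-keygen -lf prints for their file, do not add the key.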
HTML Listing and Upload Form
The Server provides a built-in upload form, which uses the HTTP POST method and is displayed automatically in the browser when the user accesses a directory (folder) to which they have upload permission.
To upload a file, users click Browse to find the file on their computer, then click Upload. The file is placed in the folder they are currently browsing. Limitations of the upload form include:
• Inability to mass transfer files
• Inability to rename or delete files
• Inability to create folders
When HTTP transfers are enabled, a user has permission to upload using HTTP, and that user navigates with a browser to the specified address, the HTML Listing and Upload form appears. This form allows the user to upload files to and download files from the Server. Typically, the user is only given access to his or her home directory. Users can enter a direct path (UNC is supported if the user's operating system also supports it) or click Browse and locate the file with the browser's standard file dialog. Note that this upload form limits the user to uploading one file at a time. Uploads over plain HTTP travel in clear text; enable SSL for HTTP (see Enabling and Managing Connection Protocols) on any Site that accepts uploads from untrusted networks.
Note:
This feature is available if you have the HTTP/S module.
The look and feel of the HTML Listing and Upload Form can be customized by modifying the cascading style sheet (CSS) used to format the Web page. You can change options such as the background color (and/or image), the fonts used (including font sizes and styles), link colors and decoration, and more.
To customize the HTML Listing and Upload Form
1. On the Server computer, create a CSS file using your favorite text editor and name it "htmllisting.css".
Note:
You can copy and paste the example style sheet below into a text editor, then edit the formatting as needed. The BODY rule defines the background color, H1 defines the size and color of the URL (in this example, 127.0.0.1), and so on.
2. Save the file in a location where the browser can find it. If Treat home folder as default root folder is selected for the user accessing the upload form, the home folder is the user's root folder, and htmllisting.css should be placed in the folder designated as the home folder. A user with upload or delete permission to that folder can replace or remove the style sheet; if the listing must look the same for everyone, do not grant those permissions on the file's location.
The example style sheet script below changes the background and font style/color of the Upload Form.
BODY
{ background-color:#9bb2c9; background-image:url(logo.gif); background-repeat:no-repeat; background-position: 14px 10px;}
H1
{ font:18px arial; font-weight:bold; line-height:20px; color:#295d97; text-align: center;}
PRE
{ font: 14px arial; font-weight:normal; line-height:20px; color: #295d97;}
FORM
{ font:12px arial; font-weight:normal; line-height:20px; color:#295d97; text-align: center;}
EM
{ font:10px arial; font-weight:bold; line-height:20px; color:#295d97; text-align: center;}
A {color: #0a4966; text-decoration: none; }
A:HOVER {color : #ffffff; text-decoration: none;}
A:ACTIVE {color : #0066cc;}
Restricting Users to a Single IP Address
You can configure a User Setting Level or user so that it may connect only from a specific IP address. (Wildcards and ranges are not accepted.) Because many clients can share one address behind NAT, and a client's address can change, treat this as a supplementary control rather than an authentication factor.
To restrict users to a single IP address
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to configure.
3. In the right pane, click the Security tab.
4. Enter the single IP address from which the user or User Setting Level may connect, then click Apply.
Changing a User's Password
You can change a user's password from within the Administrator.
To change a user's password
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the account that you want to configure.
3. In the right pane, click the Main tab.
4. Select the password type:
• Standard - A plain text password is required.
• Anonymous - Any password, including nothing, allows an anonymous connection.
• Anonymous (Force Email) - Any well-formed email address is accepted as the password.
5. Enter and confirm the password, then click Apply.
Accelerating Transfers with Mode Z
Mode Z compression compresses files on the fly for file transfers, saving bandwidth and improving transfer times. The client must also support MODE Z to take advantage of this feature. If MODE Z is enabled, the Server listens for MODE Z requests and, when a client sends one, enables compression for that client's subsequent transfers. Compression is performed on the Server and costs CPU time; it gives little benefit for users who mainly transfer already-compressed data (archives, images, encrypted files), which does not shrink further.
To allow a client to use Mode Z compression
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Security tab.
4. Enable Mode Z for the selected user or User Setting Level, then click Apply.
Configuring User Information
The account-specific details associated with a particular user, such as phone number, pager, and email address, are configured on the Details tab of a selected user. Some of these fields (such as the email address) can be used in other areas (such as the Event Rules) to notify the user of a completed transaction.
To configure User information
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user you want to configure.
3. In the right pane, click the Details tab.
4. Complete each box as needed. All boxes are optional, and the Server does not check their formatting or characters, so verify an email address yourself before an Event Rule relies on it for notifications.
Allowing Users to Change their Passwords
You can allow users who connect to the Server to change their passwords. This can be configured at the User Setting Level or the user level.
To allow or prohibit a user from changing the password
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Security tab.
4. Do one of the following:
• To allow users to change their passwords, select the User can change password check box.
• To prohibit users from changing their passwords, clear the User can change password check box.
5. Click Apply.
Allowing Users to Verify File Integrity
Although TCP/IP checks that all packets are received, malformed packets or other mishaps can occur, leading the FTP client to believe that a transfer was successful when it was not.
The Server's file integrity command is XCRC. Once an XCRC-enabled client performs a transfer, it can ask the Server to compute a checksum on the file. If it matches the checksum the client computed locally, the transfer is deemed successful. Performing XCRC checksum calculations is processor intensive; enable or disable the feature accordingly.
XCRC is a proprietary command and is not defined or endorsed by any FTP-related RFC. Competing servers that want to implement this command may do so using the syntax described below.
XCRC <File Name>
XCRC <File Name>, <EP>
XCRC <File Name>, <SP>, <EP>
SP = Starting Point in bytes (from where to start CRC calculating)
EP = Ending Point in bytes (where to stop CRC calculating)
FTP Client Log Example
COMMAND:> XCRC "/Program Files/MSN Gaming Zone/Windows/chkrzm.exe" 0 42575
• SP and EP are optional parameters. If not specified, the CRC is calculated for the whole file. If only EP is specified, the CRC calculation runs from the beginning of the file to the EP. File names containing spaces are quoted, as in the log example, which also shows the arguments separated by spaces rather than commas.
• This command can be used for a single file at a time. It does not accept file lists as parameters.
• The standard CRC32 algorithm is used (for speed and efficiency). CRC32 detects accidental corruption only; it is not a cryptographic hash, and a file can be altered deliberately without changing its CRC. Use XCRC to confirm that a transfer completed intact, not as proof that a file has not been tampered with.
• A client can invoke this command for uploads, downloads, and single and multi-part transfers.
Server Reply - Indicates
250 <XCRC> - calculated CRC value
450 Requested file action not taken - file is busy
550 Requested action not taken - file is not found or has no read permission; or the SP or EP are not correct
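The exchange above, worked through on both sides as an added example that is not part of the Secure FTP Server product or this guide: the server side parses an XCRC command line (either the comma-separated form of the syntax listing or the quoted, space-separated form of the client log), applies SP/EP, and answers with the three reply codes listed above; the client side compares the reply with the CRC of its local copy. The in-memory "VFS" and its files are constructed for the example. Two assumptions are made that the page does not state: EP is treated as an exclusive byte offset (so 0 and the file size cover the whole file, which matches the log example), and a command whose arguments cannot be parsed is answered with 550, since the page lists no other error reply.

```python
import shlex
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class VfsFile:
    data: bytes
    readable: bool = True
    busy: bool = False


# Constructed stand-in for the Server's VFS (not the product's code). The
# chkrzm.exe entry only reproduces the size implied by the log example above.
SAMPLE_VFS: Dict[str, VfsFile] = {
    "/reports/q1.csv": VfsFile(b"123456789"),
    "/private/keys.txt": VfsFile(b"secret", readable=False),
    "/inbound/upload.tmp": VfsFile(b"partial", busy=True),
    "/Program Files/MSN Gaming Zone/Windows/chkrzm.exe": VfsFile(b"MZ" + bytes(42573)),
}


def crc32_range(data: bytes, sp: int = 0, ep: Optional[int] = None) -> int:
    """CRC32 of data[sp:ep]; EP is treated as an exclusive offset (assumption)."""
    if ep is None:
        ep = len(data)
    return zlib.crc32(data[sp:ep]) & 0xFFFFFFFF


def parse_xcrc(cmdline: str) -> Tuple[str, int, Optional[int]]:
    """Split 'XCRC <File Name> [SP] [EP]' into (path, sp, ep).

    Commas and spaces both separate arguments; a quoted file name may contain either.
    """
    verb, _, rest = cmdline.strip().partition(" ")
    if verb.upper() != "XCRC":
        raise ValueError("not an XCRC command")
    lexer = shlex.shlex(rest, posix=True)
    lexer.whitespace += ","          # commas act as separators outside quotes
    lexer.whitespace_split = True
    tokens = list(lexer)
    if not 1 <= len(tokens) <= 3:
        raise ValueError("XCRC takes a file name and at most two offsets")
    if not all(t.isdigit() for t in tokens[1:]):
        raise ValueError("SP and EP must be non-negative integers")
    offsets = [int(t) for t in tokens[1:]]
    if not offsets:
        return tokens[0], 0, None
    if len(offsets) == 1:            # only EP given: start at the beginning of the file
        return tokens[0], 0, offsets[0]
    return tokens[0], offsets[0], offsets[1]


def handle_xcrc(cmdline: str, vfs: Dict[str, VfsFile] = SAMPLE_VFS) -> str:
    """Server side: map one XCRC command line to a reply from the table above."""
    try:
        path, sp, ep = parse_xcrc(cmdline)
    except ValueError:
        return "550 Requested action not taken"
    entry = vfs.get(path)
    if entry is None or not entry.readable:
        return "550 Requested action not taken"   # missing or no read permission
    if entry.busy:
        return "450 Requested file action not taken"
    if ep is None:
        ep = len(entry.data)
    if sp > ep or ep > len(entry.data):
        return "550 Requested action not taken"   # SP or EP not correct
    return "250 %08X" % crc32_range(entry.data, sp, ep)


def client_verifies(local_data: bytes, reply: str,
                    sp: int = 0, ep: Optional[int] = None) -> bool:
    """Client side: accept the transfer only if the Server's CRC matches the local copy."""
    if not reply.startswith("250 "):
        return False
    return int(reply[4:], 16) == crc32_range(local_data, sp, ep)


if __name__ == "__main__":
    cmd = 'XCRC "/Program Files/MSN Gaming Zone/Windows/chkrzm.exe" 0 42575'
    reply = handle_xcrc(cmd)
    print(cmd, "->", reply, "verified:", client_verifies(SAMPLE_VFS[cmd.split('"')[1]].data, reply))
```

A client that cares about more than accidental corruption should compare a cryptographic hash computed out of band rather than rely on the CRC in the 250 reply.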
To enable file integrity (XCRC) checking
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Security tab.
4. Enable or disable XCRC for the selected user or User Setting Level, then click Apply.
User-Level Transfer and Connection Settings
Setting Maximum Transfers per Session for a User
You can set a limit on the number of file transfers allowed per login session at the User Setting Level or per user.
To set the maximum allowed transfers per session
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the number of transfers to be the maximum allowed during the user's session, then click Apply.
Setting Maximum Transfer Size for Users
The maximum transfer size limits the user to a specified number of upload or download kilobytes per session. FTP does not tell the Server in advance how many bytes a user is going to send, so a user can start a transfer of virtually any size; once the limit is reached, the Server stops and does not transfer the rest of the file.
To set the maximum upload size
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the maximum size (in kilobytes) the user may transfer during a session, then click Apply.
Setting Maximum Connections per IP
You can set the maximum number of simultaneous connections from the same IP address at the Site, User Setting Level, and user level.
Note:
The Site level sets the upper bound for the user and User Setting Levels.
To set maximum connections per IP address at the user and User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the maximum number of simultaneous connections to the Site from the same IP address, then click Apply. A gray check mark indicates the setting is inherited from the parent level (User Setting Level or Site).
Setting Maximum Connections per User
The maximum number of simultaneous connections for a user can be set at the Site, User Setting Level, and user level.
Note:
The Site level sets the upper bound for the user and User Setting Levels. For example, if the Site level Max connections per user is set to five, and a user's Max connections per user is set to ten, the user can have a maximum of five simultaneous connections.
To set maximum connections per user account at the user and User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the maximum number of simultaneous connections to the Site for this user, then click Apply. A gray check mark indicates the setting is inherited from the parent level (User Setting Level or Site).
Enabling Timeout
You can automatically disconnect users after a specified period of inactivity, set per user or at the User Setting Level. The idle timeout setting applies across all connection protocols supported by the Server. If a session has been idle for longer than the specified timeout, the user has to log back in. An idle session still counts toward the per-user and per-IP connection limits above, so a reasonably short timeout also keeps those limits effective.
To set a maximum idle limit for a user or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the period of inactivity allowed before the user is disconnected, then click Apply. (A gray check mark on a user account indicates the account is inheriting the setting from the User Setting Level or Site.)
Note:
Many popular FTP clients have keep-alive functionality that issues do-nothing commands such as NOOP to simulate user activity and prevent a time-out. If Block anti-timeout schemes is enabled for the Server, such do-nothing commands are ignored and do not reset the counter for the timeout limit.
Setting Maximum Transfer Speeds (User Level)
You can control a user's maximum transfer speeds at the Site, User Setting Level, or per user.
Note:
The Site level sets the upper bound for the user and User Setting Levels.
To configure maximum transfer speeds at the user and User Setting Levels
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Quota tab.
4. Enter the maximum transfer speed (per second) the user is allowed, then click Apply.
Monitoring User Connections
The Server can monitor user connections in real time and record the activity to a log.
To monitor a user connection
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user connection that you want to monitor.
3. In the right pane, on the bottom toolbar, click Monitor User.
• In the left pane, the icon next to the user changes from a head to an eye.
• In the right pane, the connection activities are displayed.
4. Toggle automatic scrolling on or off as needed.
5. To stop logging the user's activities, click Stop Monitor.
Creating and Configuring Groups
Permission Groups
Permission Groups set users' Virtual File System (VFS) permissions to files and folders. Just as User Setting Levels control access to Server resources, such as bandwidth allowances and connectivity privileges, permission Groups control access to files and folders. The Server creates the following default Groups for every Site: Administrative, All Users, and Guests. You can create new Groups and/or modify the settings for the default Groups. Consider your security and access needs, configure Groups according to those needs, then add users to the Groups based on the permissions that you want to allow. The Groups node appears in the left pane under the Site node. You cannot move Groups between Sites.
To view Group permissions
• In the Administrator, connect to the server, then click the VFS tab. The Permissions pane appears in the right pane.
Groups can provide the permissions shown below, as implied by their names (i.e., the Upload File permission allows users in the Group to upload files; the Delete Folder permission allows users in the Group to delete folders).
The Inherit permissions from parent folder check box is not available when the top-level folder is selected, because it has no parent.
By default, the Administrative Group has every permission, the All Users Group has the List file and Show in List folder permissions, and the Guests Group has the Download, List file, and Show in List folder permissions. Because every new user is a member of All Users, any permission you add to that Group is granted to every account on the Site.
Users' permissions are inherited from the Groups to which they belong and combined. For example, if user jsmith is a member of the Accounting, All Users, and HR Groups, their permissions are combined, giving jsmith Delete, Append, Show in List, List, and Create permission.
For details of how permissions work, see The Virtual File System (VFS).
Creating Groups
You can create a permission group and add any users from the Site to a group. You can then grant permission to folders by groups rather than granting permissions to each individual user.
To create a permission group
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the main menu, click Configuration, then click Create New Group.
• In the left pane, click Groups, then in the right pane click New.
The Create New Group dialog box appears.
3. Select the Site in which to create the Group.
4. Type a name for the Group in the Group Name box. For example, type Password Admins.
Deleting Groups
Deleting permission groups does not delete individual users.
To delete a group
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, right-click the Group you want to delete, then click Delete. A confirmation message appears.
3. Click Yes. The users in the deleted Group retain membership in any other of their assigned Groups and the All Users Group. Folder permissions that those users held only through the deleted Group are no longer available to them.
Adding or Removing Users in a Group
You can add any user on a Site to any Group on the same Site. You cannot add users from one Site to another Site.
Note:
If a user does not have individual permissions for a folder and is a member of more than one Group, the Server gives the user the combined (least-restrictive) access of all those Groups for the folder. You can individually modify a user's permissions, and those modified permissions outweigh all Group permissions. For example, if a user is a member of three Groups that all have upload permission to a particular folder, but you have denied that specific user permission to upload to the folder, then the user cannot upload to the folder. The reverse also holds: a user-level entry can grant access that none of the user's Groups allow, so review user-level entries as well as Group membership when auditing who can reach a folder.
To move users into or out of a group
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Group you want to configure. The Group Membership tab appears.
3. In the right pane, double-click the user or use the arrows to move the user into or out of the Group. (You can multi-select using SHIFT and CTRL.)
The Virtual File System
Modifying VFS Permission
Any time a new folder is created, it inherits permissions from its parent folder. Using permission inheritance, administrators can make global access changes by simply changing Group access in a parent folder.
You can modify a folder's permissions even while it is inheriting permissions from a parent folder.
To modify a permission
1. In the Administrator, connect to the server, then click the VFS tab.
2. Click a folder in the VFS structure.
3. Highlight an existing Group or user, or click Add to add a user or Group to the selected folder.
4. Click the user or Group for which you want to modify permissions.
5. Leave Inherit permissions from parent folder selected, then select any additional permissions.
Note:
Modifying a permission affects all sub-folders containing the user or Group for which the Inherit permissions from parent folder check box is selected.
Disabling Inheritance in the VFS
You can override a folder's inherited settings by clearing the Inherit permissions from parent folder check box. If you later decide you want the folder to inherit permissions again, simply select the Inherit permissions from parent folder check box.
The following procedure describes how to prevent a folder from inheriting its parent folder's permissions, or how to make a single modified folder inherit permissions again. To reset all subfolders of a particular parent folder to inherit permissions from that parent, see Resetting VFS Folder Permissions.
To stop or force a folder from inheriting permissions
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, click the folder you want to configure.
3. In the right pane, the Inherit permissions from parent folder check box is selected by default. Do one of the following:
• To force the folder to inherit permissions from its parent folder, leave the Inherit permissions from parent folder check box selected.
• To stop the folder from inheriting permissions from its parent folder, clear the Inherit permissions from parent folder check box. A message appears.
4. On the message that appears, click one of the following:
• Copy - duplicates the permissions of the parent level. You may later edit the permissions.
• Remove - deletes all inherited permissions. Only entries set directly on this folder remain.
• Cancel - aborts the changes and closes the message.
A folder that no longer inherits also stops receiving later changes made at the parent, including a user-level denial added there afterwards. Keep track of such folders so that global permission changes are applied to them as well.
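The rules stated in Permission Groups (Group permissions combine; the jsmith example), in the note under Adding or Removing Users in a Group (a user-level entry outweighs all Groups), and in Modifying VFS Permission and the procedure above (inheritance from the parent folder, Copy or Remove when inheritance is broken, Reset Subfolders), written out as a small model so the interactions can be tested. This is an added example, not the product's code or a description of its internals; the Site, Groups, folders and permission names below are constructed for the example, and the assumption is made that an entry set directly on a folder replaces the inherited entry for the same user or Group.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Constructed subset of the permission names the VFS tab shows.
ALL_PERMS = {"Upload", "Download", "Append", "Delete", "Create", "List", "Show in List"}


@dataclass
class Folder:
    path: str
    parent: Optional["Folder"] = None
    inherit: bool = True                                   # "Inherit permissions from parent folder"
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # entries set directly on this folder


class Vfs:
    """Minimal model of the VFS permission rules on this page (added example)."""

    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups                 # Group name -> member usernames
        self.folders: Dict[str, Folder] = {}

    def add_folder(self, path: str, parent: Optional[str] = None) -> Folder:
        folder = Folder(path, self.folders[parent] if parent else None)
        self.folders[path] = folder
        return folder

    def grant(self, path: str, principal: str, perms: Iterable[str]) -> None:
        """Set a user's or Group's permissions directly on a folder."""
        self.folders[path].acl[principal] = set(perms)

    def effective_acl(self, path: str) -> Dict[str, Set[str]]:
        """Entries in force on a folder: the parent's (if inheriting) overlaid by its own."""
        folder = self.folders[path]
        acl: Dict[str, Set[str]] = {}
        if folder.inherit and folder.parent is not None:
            acl = {p: set(v) for p, v in self.effective_acl(folder.parent.path).items()}
        for principal, perms in folder.acl.items():
            acl[principal] = set(perms)       # assumption: a direct entry replaces the inherited one
        return acl

    def effective_permissions(self, user: str, path: str) -> Set[str]:
        """A user-level entry outweighs all Groups; otherwise Group permissions are combined."""
        acl = self.effective_acl(path)
        if user in acl:
            return set(acl[user])
        perms: Set[str] = set()
        for group, members in self.groups.items():
            if user in members:
                perms |= acl.get(group, set())
        return perms

    def stop_inheriting(self, path: str, choice: str) -> None:
        """Clear the inherit check box: Copy keeps a snapshot of the parent's entries, Remove drops them."""
        folder = self.folders[path]
        if choice == "Copy":
            folder.acl = self.effective_acl(path)
        elif choice != "Remove":
            raise ValueError("choice must be 'Copy' or 'Remove'")
        folder.inherit = False

    def reset_subfolders(self, path: str) -> None:
        """Reset Subfolders: every descendant mirrors the parent's permissions again."""
        for folder in self.folders.values():
            node = folder.parent
            while node is not None:
                if node.path == path:
                    folder.inherit, folder.acl = True, {}
                    break
                node = node.parent


def build_demo() -> Vfs:
    """Constructed Site: the page's jsmith example plus a user-level denial on /Usr/finance."""
    vfs = Vfs({
        "Administrative": {"admin"},
        "All Users": {"admin", "jsmith", "guest"},   # every account belongs to All Users
        "Guests": {"guest"},
        "Accounting": {"jsmith"},
        "HR": {"jsmith"},
    })
    vfs.add_folder("/")
    vfs.grant("/", "Administrative", ALL_PERMS)
    vfs.grant("/", "All Users", {"List", "Show in List"})
    vfs.grant("/", "Guests", {"Download", "List", "Show in List"})
    vfs.add_folder("/Usr", "/")
    vfs.grant("/Usr", "Accounting", {"Delete", "Append"})
    vfs.grant("/Usr", "HR", {"Create"})
    vfs.add_folder("/Usr/finance", "/Usr")
    vfs.grant("/Usr/finance", "Accounting", {"Upload", "Delete", "Append"})
    vfs.grant("/Usr/finance", "jsmith", {"List", "Show in List"})   # user-level entry: no Upload
    vfs.add_folder("/Usr/finance/2024", "/Usr/finance")             # inherits from /Usr/finance
    return vfs


if __name__ == "__main__":
    demo = build_demo()
    for path in ("/Usr", "/Usr/finance", "/Usr/finance/2024"):
        print(path, sorted(demo.effective_permissions("jsmith", path)))
```

The part worth noticing is the subfolder: as long as /Usr/finance/2024 inherits, the user-level denial on jsmith follows it down; once inheritance is removed and a Group grant is added directly on the subfolder, jsmith regains Upload there until Reset Subfolders puts the folder back under its parent.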
Creating a New Physical Folder
You can create a physical folder in the Virtual File System (VFS).
To create a new physical folder
1. In the Administrator, connect to the server
, then click the VFS tab.
2. In the left pane, click the folder in which you want to create a subfolder, then do one of the following:
• Right-click the folder, then click New Physical Folder.
• On the toolbar, click the New Folder icon.
• On the main menu, click Configuration, then click New Physical Folder.
The Create Folder dialog box appears.
3. Type a name for the new folder, then click OK. The new folder appears in the tree.
Changing the Name of a Physical Folder
You can change the name of a physical folder on the Server, but you cannot change the name of a virtual folder.
To rename a physical folder
1. In the Administrator, connect to the server
, then click the VFS tab.
2. In the left pane, right-click the folder you want to configure, then click Rename Folder. The folder name becomes selectable.
3. Type the new name and press ENTER.
Deleting a Physical Folder
When you delete a physical folder from within the Server, the folder and its contents are deleted both from the Server's VFS and from the computer's hard drive. The Administrator offers no way to undo this, so make sure nothing else depends on the folder before deleting it.
To delete a physical folder
1. In the Administrator, connect to the server
, then click the VFS tab.
2. In the left pane, right-click the folder you want to delete, then click Delete Folder. A confirmation message appears.
3. Click Yes.
Creating a New Virtual Folder
Virtual folders reference currently existing folders on your computer's hard drive or, by UNC path, on a network share. A virtual folder name is only an alias for the real folder. When you create a virtual folder, you do not have to give it the same name as the folder it references. A virtual folder exposes everything inside the target folder, subject to VFS permissions, so point it at the most specific folder users actually need rather than at a drive or share root.
To create a virtual folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, click the folder in which you want to add a virtual subfolder, then do one of the following:
• Right-click the folder, then click New Virtual Folder.
• On the toolbar, click the New Virtual Folder icon.
• On the main menu, click Configuration, then click New Virtual Folder.
The New Virtual Folder dialog box appears.
3. Type a name for the virtual folder, then browse to the target folder.
4. Click OK. The new folder appears in the tree with the name you typed, plus "Virtual" and the full path of the target folder.
Deleting a Virtual Folder
When you delete a virtual folder, you merely delete a pointer, not the actual folder it references.
To delete a virtual folder
1. In the Administrator, connect to the server
, then click the VFS tab.
2. In the left pane, right-click the folder you want to delete, then click Delete Folder. A confirmation message appears.
3. Click Yes.
Resetting VFS Folder Permissions
Resetting VFS folder permissions on a parent folder forces its subfolders to exactly mirror those permissions. This simplifies the permissions status of these folders, making them more predictable. Any permissions that were set directly on the subfolders, including user-level denials, are lost, so review them before resetting.
Note:
Resetting folder permissions from a parent folder differs from manually changing the inheritance values of subfolders: in a subfolder you have the option either to mirror the parent folder's permissions exactly, or to keep permissions for any new users and Groups you have added while also mirroring the permissions for all Groups in the parent folder.
To reset folder permissions from a parent folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, right-click the parent folder you want to configure, then click Reset Subfolders.
3. Click OK.
Mapping a Virtual Folder to a Network Drive
To map a virtual folder to a network drive, you need a separate Windows account under which the GlobalSCAPE Secure FTP Server (FIPS) service runs, with full access to any folder you want to make available on the Server; your own account on the computer on which the Server is running must also have full access to those folders. The service account, not the connecting FTP user, is what the remote computer sees, so its rights on the share define the most that any FTP user can do there; VFS permissions can only narrow that.
To map to a network drive
1.  Create a Windows account for the service on the computer where the service is installed.
Note:
This should not be the default (system) account.
2. Assign restrictive file and folder permissions for this account: grant it access only to the folders that will be published through the Server.
3. If you are mapping to a network drive in a workgroup, create a matching account on the target remote computer. Make certain it uses the SAME user name and password. Restrict permissions for this account so that it can reach only the folders users need.
4. In the Administrator, connect to the server, then click the Server tab.
5. Create a virtual folder (see Creating a New Virtual Folder) that points to a folder on your networked drive. If you are remotely administering, or the drive is not mapped to your computer, make sure that you use a UNC path name.
6. Assign permissions for users by selecting the VFS tab within the Administrator, selecting the folder in question, and then selecting or clearing the appropriate permission boxes.
Note:
You need to have administrative rights on the system the service is running on in order to create accounts.
Automation Using Event Rules and Commands
The Server provides extensive automation functionality through Commands, Event Rules, and a programmatic interface using COM APIs.
Commands can be configured to execute any program that the Server can reach on its file system: you name a program and, optionally, a specific script or arguments for it to run. You can give users permission to execute the Command, or you can configure an Event Rule to trigger it. Because a Command runs on the Server computer under the account of the Server service, anyone who can trigger it can run that program with the service's rights; grant execute permission on Commands sparingly.
Event Rules enable task management automation. Event Rules allow the Server to carry out actions based on predetermined criteria; for example, you can schedule routine tasks after a transfer. Event Rules consist of an event trigger, optional Conditions, and Actions.
The Server's COM APIs allow you to program a unique or solution-specific interface and integrate it with the Server's functionality.
Custom Site Commands
Creating a Command
Commands allow connecting users to execute programs with command line arguments on the Server. The connecting user issues the command directly from their FTP client.
Note:
Alternately, you can create a Command using the Custom Command Wizard.
To create a command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands.
3. In the right pane, click New. The Commands appear under the Commands node.
The Commands List tab appears in the right pane.
On the Commands List tab, you can view and remove Commands, and add new Commands.
The Command name appears in the Event Rule pane and in the Custom Command dialog box (in the Select Command drop-down menu), so you should give the Command an intuitive name. For example, instead of Command 1, you might call it Run CScript. Specify the program to run: a program, a batch file, or a Windows scripting executable (cscript.exe or wscript.exe). You can also specify a log file in the Server installation folder that you can use to troubleshoot the command in case of failure. Redirect output to client is used in the extremely rare case in which the command will be launched by a connecting FTP client (if configured to do so).
8. Leave all fields in the Advanced tab as is if you will be running a command from the Server's Event Rule system (most common scenario). In the rare case this command will be launched from a connecting FTP client, type the parameters (if any) that will be passed to the command line. The variable format used is %N%. You may specify multiple variables or hardcoded values. (For example: -c %1% %2%).
9. If you want to force the FTP client to send a minimum number of parameters, select the Require parameters check box and specify the minimum number of parameters required. You can also write a message in the Invalid parameter count message text box that users will receive when the parameter number is not met.
10. If you want the Server to return an error if the launched process fails to respond, select the Enable process timeout check box and specify the number of seconds the Server should wait before terminating the command.
11. If you want a connecting FTP client to execute the command, click the Permissions tab and verify that the appropriate users have permissions to run the newly created command. If you only want to allow the Server to run the command (from the Event Rule system), leave the Permissions tab as is.
12. Click Apply.
The Custom Command Wizard
The Custom Command wizard steps you through the process of creating a Command to tell the Server to execute programs, scripts, or batch files.
The procedure below describes how to create a Command using the Custom Command Wizard. You can also create Commands manually and edit existing Commands using the instructions in Creating a Command.
To create a command with the Custom Command wizard
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the toolbar, click the New Command icon.
• On the main menu, click Configuration, then click Create New Command.
The Custom Command Wizard appears.
Type a name for the Command. The Command name appears in Event Rules, so you should give the Command an intuitive name. For example, instead of Command 1, you might call it Run CScript.
Specify the program to run. You can specify a program, a batch file, or a Windows scripting executable (e.g., cscript.exe or wscript.exe).
8. If you want to force the client to send a minimum number of parameters, select the Use parameters with this command check box and specify the minimum number of parameters required.
9. Specify the log in the Server installation folder that you can use to troubleshoot the command in case of failure. The Client check box is used in the extremely rare case in which the command will be launched by a connecting client (if configured to do so).
10. If you want the Server to return an error if the launched process fails to respond, select the Terminate process if it exceeds time limit check box and specify the number of seconds the Server should wait before terminating the command.
11. Click Next. The final step of the wizard appears.
12. If you want a connecting FTP client to execute the command, provide permissions to the applicable users. If you want to allow only the Server to run the command (from the Event Rule system), leave the Permit execution list blank.
13. Click Finish. The Command is added to the Commands node for the Site.
See Creating a Command for the procedure for editing the Command, including defining parameters to pass to the Command and an invalid parameter count message.
Viewing and Removing Commands
To view the Commands defined on a Site
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands.
• The Commands appear under the Commands node.
• The Commands List tab appears in the right pane. On the Commands List tab, you can view and remove Commands, and add new Commands.
To remove a command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands.
3. Do one of the following:
• Click the Command in the Commands List, then click Remove.
• In the left pane, click the Command, then press DELETE.
• In the left pane, right-click the Command, then click Delete.
Enabling and Disabling Commands
You can enable and disable Commands as needed, without deleting them.
To enable or disable a Command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node for the Site that you want to configure, click Commands, then click a Command in the tree.
3. When you create a new Command, the Enable this command check box is selected. To disable the Command, clear the Enable this command check box.
4. When the Command is disabled, an x within a red circle appears over the Command icon.
Using an Event Rule to Execute a Command (Run a Process)
You can configure the Server to run executables, batch files, and scripts automatically when specific events occur. When the Event Rule is triggered, the Server executes the specified custom Command with its attributes. First create the Command, then add the Command to an Event Rule, as described below.
To execute a Command from the Server’s Event Rule system
1. In the Administrator, connect to the server, then click the Server tab.
2. Follow the procedure in Creating Event Rules to create a new rule.
3. If you need to apply any conditional behavior, click it in the Conditions list.
4. In the Actions list, select Execute command. The Action is added to the Event in the Specify rule condition and action parameters pane.
5. In the Specify rule condition and action parameters pane, click the red link to select the command. The Custom Command dialog box appears.
6. (Optional) In the Specify command parameters box, include any parameters for the command.
For example, type the script name (argument 0) if running a script. You can also select the items in the Available Tags list to add them as parameters. For example: dosomethingwithfile.vbs -file %FS.FILE_NAME%
7. Specify the folder in which the script or custom command executable resides.
Event Rules
Introduction to Event Rules
Event Rules automate management tasks. Define an Event Rule to trigger an Action, or several Actions, when specified criteria are met. For example, event triggers (Conditions) can be used to initiate additional activities after a file has been uploaded/downloaded. You can synchronize content across systems, provide an automatic response, or you can trigger a custom command to run a custom application or script. Event Rules in the Server consist of Events, Conditions affecting the Event Rule, and the resulting Actions.
When multiple Actions are defined for a single Event Rule, the Server carries out the actions in the following order:
1. Execute Custom Command
2. Send Notification Email
3. Stop Processing Rules
Warning:
It is possible to configure Event Rules that create infinitely recursive cycles. Since all Event Rules operate synchronously, a file upload event cannot be completed until all corresponding event actions are finished. This could lead to unpredictable server behavior due to conflicts with shared access to the same files or deleting open files. Be careful not to create circumstances where such recursive cycles might occur. For file upload events, recursive cycles are not typical. It is recommended that you move files on the same server using the filesystem - not FTP.
Creating, Editing, and Disabling event rules
To create an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. Click Configuration > Create New Event Rule from the menu. The Create New Rule window appears.
4. Enter a name for the rule.
5. Select the event on which the rule is based.
6. Click OK. The Create New Rule window closes and the conditions and actions available for your rule are displayed in the right-hand pane.
7. Optionally select any Conditions for the event rule.
8. Select the Actions for the rule:
• Select Execute command to run any custom command you have created for the site.
• Select Send notification email to send an email message to the address you entered in the server SMTP Configuration tab, and optionally send a message to a user.
• If you want other rules for the event to be ignored if this rule is met, select Stop processing more rules.
9. In Specify rule condition and action parameters, select the blue and red text links to toggle behavior and select executables, email addresses or define file paths used in the definition of the event rule. The Server does not save the rule unless it is adequately defined.
10. Click Apply to enable the rule.
Note:
Red links in Specify rule condition and action parameters indicate parameters that have not yet been defined. They must be defined to save the rule.
To edit an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site display in the right-hand pane.
3. Click the Event Rule you want to change, then click Edit.
4. Make any desired changes to the Event Rule, then click Apply.
To disable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site display in the right-hand pane.
3. Clear the check box next to the event rule you want to disable.
To re-enable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site display in the right-hand pane.
3. Select the check box next to the Event Rule you want to re-enable.
To delete an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site display in the right-hand pane.
3. Click the Event Rule you want to delete, then click Delete. A confirmation message appears.
Using an Event Rule to Execute a Command (Run a Process)
You can configure the Server to run executables, batch files, and scripts automatically when specific events occur. When the Event Rule is triggered, the Server executes the specified custom Command with its attributes. First create the Command, then add the Command to an Event Rule, as described below.
To execute a Command from the Server’s Event Rule system
1. In the Administrator, connect to the server, then click the Server tab.
2. Follow the procedure in Creating Event Rules to create a new rule.
3. If you need to apply any conditional behavior, click it in the Conditions list.
4. In the Actions list, select Execute command. The Action is added to the Event in the Specify rule condition and action parameters pane.
5. In the Specify rule condition and action parameters pane, click the red link to select the command. The Custom Command dialog box appears.
7. (Optional) In the Specify command parameters box, include any parameters for the command.
For example, type the script name (argument 0) if running a script. You can also select the items in the Available Tags list to add them as parameters. For example: dosomethingwithfile.vbs -file %FS.FILE_NAME%
8. Specify the folder in which the script or custom command executable resides.
10. Click Apply to save the Event Rule.
Adding or Editing Email Notifications to Event Rules
You can configure Event Rules to send an email when a rule is triggered. The email is sent to the address defined on the SMTP Configuration tab of the Server.
To add (or edit) email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Event Rules.
3. Click the Event Rule to which you want to add (or edit) the email notification.
4. In the Specify rule actions pane, select the Send notification email check box. The Action is added to the rule.
5. In the Specify rule condition and action parameters pane, click the notification email link. The Edit Mail Template dialog box appears.
6. The template contains default text, which includes the event name (GlobalSCAPE Secure FTP Server Notification: %EVENT.NAME%).
7. Replace the default text with the text that you want to appear in the body of the email, or add context variables (Available Tags) as described in the next step. If you delete all of the HTML tags, the message is sent as a plain text message.
8. Text surrounded by percent signs (%text%) will be replaced by the Server with specific information about the event, the user, or the connection.
• If you just want the specific text in your email message, click the text surrounded by the percent sign in the right column of the Available Tags box.
• If you want the specific text and the explanatory text before it, click the text in the left column of the Available Tags box.
9. In order for the CC Mail Notification to user check box to be available, your rule must be based on a User Event. If you want to send a copy of the message to the involved user, select the CC Mail Notification to user check box. To base a rule on a User Event, create a new rule and select an option from the User Event list.
10. Click OK to save the email settings, then click Apply to save the Event Rule.
Configuring SMTP Email Notification
To send email notifications, the Server needs the address of an outgoing mail server, an email address for the administrator account, and other details.
To set up the server to send email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to configure.
3. In the right pane, click the SMTP Configuration tab.
4. Specify the mail server used to send outgoing messages.
5. Specify the port on the mail server. The default is 25.
6. Do one of the following:
• If the Server can connect to the mail server without a log in, leave the Server requires authorization check box cleared.
• If the mail server requires a user name and password from the Server computer, select the Server requires authorization check box, then provide the Authorization information for the mail server.
7. Specify the name you would like for the "From Name" field.
8. Specify the address you would like for the "From Address" field. This can be the server administrator, or any name you wish.
9. Specify the email address of the person that should be notified of server events.
Managing Event Rules
When you click the Event Rules node for a Site, the right pane provides controls for managing the Event
Rules defined for that Site. Using this interface, you can do the following:
- If an Event Rule is no longer needed and you are sure you will not need it again in the future, you can simply delete it.
- If you create more than one Rule for a single type of event, the Server prioritizes the rules in the order they appear on the Event Rules list. You can rearrange them using the Rule Priority buttons.
- If you want to disable a Rule temporarily without deleting it, you can disable it by clearing the Enable this rule check box.
To manage the Event Rules
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Event Rules. The list of configured Event Rules appears in the Event Rules node and in the right pane.
3. Click the Event Rule you want to change.
To edit an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Event Rules node, then click the rule.
3. To add a Condition to the Rule, select the check box for the Condition. The Condition appears in the rule pane.
4. To add an Action to a selected Condition, select its check box. The Action appears in the rule pane.
5. Configure the Condition or Action by clicking the underlined variables (red or blue underlined text).
To delete an Event Rule
Note:
You can disable a rule and keep its definition for later use.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. Right-click the Event Rule, then click Delete. A confirmation message appears.
4. Click Yes. The rule is deleted from the Site.
To change the priority of a Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, under Rule Priority, click Higher and Lower.
To disable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, clear the Enable this rule check box.
To re-enable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, click the Enable this rule check box.
Available Events
The following events can trigger actions:
Server Events
• Rotate Log - When the current activity log closes and opens a new one.
• Service Stop - When the Secure FTP Server service stops.
• Service Start - When the Secure FTP Server service starts.
Site events
• Site Start - When the site starts.
• Site Stop - When the site stops.
Connection Events
• User connect - When a user connects to the site (this occurs before log in).
• User connect failed - When a user attempts to connect and fails (this can occur before log in).
• User disconnect - When a user disconnects from the site (this can occur before log in).
User Events
• User account disable - If the user account is disabled by the administrator or by the server.
• User quota exceeded - If the user has taken too much disk space on the server.
• User logout - If the user closes a session gracefully.
• User login - If the user logs in to the server.
• User login failed - If the user attempts an incorrect username or password.
• User password change - If the user or administrator changes a user's password.
File System Events
• File delete - If a file is deleted from the site.
• File upload - If a file is uploaded to the site.
• File download - If a file is downloaded from the site.
• File rename - If a file on the site is renamed.
• Folder create - If a folder is created on the site.
• Folder delete - If a folder is deleted from the site.
• Upload Fail - If an upload does not occur.
• Download Fail - If a download does not occur.
• Folder change - If a user navigates to a new folder on the site.
• File move - If a file is transferred to another location.
Available Conditions
Conditions allow you to narrow the trigger definition of an event rule. Conditions are optional: you do not have to define a condition on an event rule to make it trigger an action, but they do allow fine control over when an action may take place.
Server Conditions
You can only apply these conditions to Server events.
• If service is running - The Server service is currently running.
• If log type - The log type is a specific type.
• If log location - The log location matches a specific path.
• If old log file path - The log file path matches a specific path.
• If new log file path - The log file path matches a specific path.
• If old log file name - The log file path matches a specific path.
• If new log file name - The log file path matches a specific path.
Site Conditions
You can only apply this condition to Site events.
• If site is running - The site has already started and is currently running.
Connection Conditions
You can apply these conditions to Connection events, User events, and
If Remote IP
• a connection is made from a remote IP address that matches a predefined IP address or IP mask.
• a connection is made from a remote IP address that does NOT match a predefined IP address or
IP mask.
If Local IP
• a connection is made to a local IP address that matches a predefined IP address or IP mask.
• a connection is made to a local IP address that does not match a predefined IP address or IP mask.
If Local Port
• a connection is made on a predefined port.
• a connection is made NOT on the predefined port.
• a connection is made on one of a predefined range of ports.
• a connection is made NOT on one of a predefined range of ports.
If Protocol
• an FTP/SSL/SFTP connection has been made or is being used.
• a connection has been made or is being used that is NOT an FTP/SSL/SFTP connection.
User Conditions
You can apply user conditions to
If User
• the user account belongs to a specific group or set of groups.
• the user account does not belong to a specific group or set of groups.
If Login
• a user name matches a specific word.
• a user name does not match a specific word.
• a user name contains a specific string of characters.
• a user name does not contain a specific string of characters.
If Account Enabled
• a user account is enabled.
• a user account is disabled.
If Settings Level
• the user belongs to a predefined Setting Level.
• the user does NOT belong to the predefined Settings Level.
If Full Name
• a user's name matches a predefined name.
• a user's full name does not match a predefined name.
• a user's full name contains a predefined string of characters.
• a user's full name does not contain a predefined string of characters.
If Description
• the user's description matches a predefined description.
• the user's description does NOT match a predefined description.
• the user's description contains a predefined string of characters.
• the user's description does NOT contain a predefined string of characters.
If Comment
• the user's comment matches a predefined comment.
• the user's comment does NOT match a predefined comment.
• the user's comment contains a predefined string of characters.
• the user's comment does NOT contain a predefined string of characters.
If Email Address
• the user's email address matches a predefined address.
• the user's email address does NOT match a predefined address.
• the user's email address contains a predefined string of characters.
• the user's email address does NOT contain a predefined string of characters.
If Phone Number
• the user's phone number matches a predefined phone number.
• the user's phone number does NOT match a predefined phone number.
• the user's phone number contains a predefined string of characters.
• the user's phone number does NOT contain a predefined string of characters.
If Pager Number
• the user's pager number matches a predefined number.
• the user's pager number does NOT match a predefined number.
• the user's pager number contains a predefined string of characters.
• the user's pager number does NOT contain a predefined string of characters.
If Fax Number
• the user's fax number matches a predefined number.
• the user's fax number does NOT match a predefined number.
• the user's fax number contains a predefined string of characters.
• the user's fax number does NOT contain a predefined string of characters.
If Home Folder
• the location of a user's home folder matches a predefined physical location.
• the location of a user's home folder does NOT match a predefined physical location.
If Home Folder is root
• the user's home folder is their root directory.
• the user's home folder is NOT their root directory.
If Quota Max
• the user's account has a size limit equal to a predefined size in Kilobytes.
• the user's account has a size limit less than or equal to a predefined size in Kilobytes.
• the user's account has a size limit less than a predefined size in Kilobytes.
• the user's account has a size limit NOT equal to a predefined size in Kilobytes.
• the user's account has a size limit NOT less than or equal to a predefined size in Kilobytes.
• the user's account has a size limit NOT less than a predefined size in Kilobytes.
If Quota Used
• the user has used a predefined amount (in kb) of allowed disk space.
• the user's filled disk space is less than or equal to a predefined amount (in kb) of allowed disk space.
• the user has used less than a predefined amount (in kb) of allowed disk space.
• the user has NOT used a predefined amount (in kb) of allowed disk space.
• the user's filled disk space is NOT less than or equal to a predefined amount (in kb) of allowed disk space.
• the user has NOT used less than a predefined amount (in kb) of allowed disk space.
If Invalid login attempts
• the user has attempted and failed to login a predefined number of times.
• the user's failed login attempts are less than or equal to a predefined number.
• the user's failed login attempts are less than a predefined number.
• the user has NOT attempted and failed to login a predefined number of times.
• the user's failed login attempts are NOT less than or equal to a predefined number.
• the user's failed login attempts are NOT less than a predefined number.
If User can change password
• the user has permission to change their own password.
• the user does not have permission to change their own password.
If Home IP
• the user's allowed IP address matches a predefined IP address or set of IP addresses.
• the user's allowed IP address does not match a predefined IP address or set of IP addresses.
If User can connect using SSL
• the user has SSL capability enabled.
• the user does not have SSL enabled.
If User can connect using FTP
• the user has configured a site and has an FTP account.
• the user does not have an FTP site with an account configured.
If User can connect using SFTP
• the user has SFTP capability enabled.
• the user does not have SFTP enabled.
File System Conditions
You can apply file system conditions only to File system events.
If Virtual Path
• the file or folder exists at a predefined virtual location.
• the file or folder does NOT exist at a predefined virtual location.
If Physical Path
• the file or folder exists at a predefined physical location (the full folder path including the file name).
• the file or folder does NOT exist at a predefined physical location (the full folder path including the file name).
If Physical Folder Name
• the file or folder exists in a predefined physical folder (the folder path without a file name).
• the file or folder does NOT exist in a predefined physical folder (the folder path without a file name).
If File Name
• the file name matches a predefined string of characters.
• the file name does not match a predefined string of characters.
Event Properties
You can apply particular properties to specific conditions for Upload Fail and Download Fail only in File system events, for User Login Failure and User Logout in User events, and for User Connect Failure in Connection events.
These special conditions are defined by using the specific reason parameters found in the drop-down menu in the Specify rule condition and action parameters section.
File System Events
If Upload Fail (or Download Fail)
• the upload/download was aborted by User.
• connection was closed.
• file was banned type.
• bandwidth quota was exceeded.
User Events
If User Login Failure
• the user account was disabled.
• an invalid password was used.
• the protocol used was not supported.
• the IP was restricted.
• there were too many connections per IP.
• there were too many connections per site.
• there were too many connections per user.
If User Logout
• the FTP session was closed due to error.
• the FTP session was closed by a timeout.
• the FTP session was closed by the user.
• the IP address was banned.
• the maximum number of incorrect logins was reached.
• the TCP/IP connection was closed by a peer.
• the User was kicked by the administrator.
Connection Event
If User Connect Failure
• the IP address was rejected.
• the IP address was rejected and banned.
• there were too many connections per IP.
• there were too many connections per site.
Available Actions
Actions are the results of event triggers. You can specify multiple actions to occur from a single trigger.
• Execute command - The custom command in a specific location is triggered.
• Send Notification Email - An email message is sent to the address specified.
• Stop processing more rules - No further rules are processed.
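The evaluation order the guide describes (Rule Priority, all Conditions must hold, fixed Action order, and Stop processing more rules skipping lower-priority rules) can be modelled in a few lines. The following is an added example, not GlobalSCAPE's code: the Event, Condition and Action names are the guide's, while the data model, the `evaluate` function and the context keys (`remote_ip`, `virtual_path`, `FS.FILE_NAME`) are assumptions made for the illustration.

```python
# Added example, not GlobalSCAPE's code: a small model of Event Rule
# evaluation as the guide describes it. Rules for an Event run in Rule
# Priority order, a rule fires only when all of its Conditions hold, its
# Actions run in the fixed order Execute Custom Command, Send Notification
# Email, Stop Processing Rules, and Stop Processing skips every
# lower-priority rule. Data model and context keys are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

Condition = Callable[[Dict[str, str]], bool]


@dataclass
class Rule:
    name: str
    event: str                                   # e.g. "File upload"
    conditions: List[Condition] = field(default_factory=list)
    command: Optional[str] = None                # Execute Custom Command
    email: bool = False                          # Send Notification Email
    stop: bool = False                           # Stop Processing Rules


# Three of the guide's "Available Conditions", written as predicates.
def if_file_name(pattern: str) -> Condition:
    return lambda ctx: fnmatch(ctx.get("FS.FILE_NAME", ""), pattern)


def if_virtual_path(prefix: str) -> Condition:
    return lambda ctx: ctx.get("virtual_path", "").startswith(prefix)


def if_remote_ip(mask: str) -> Condition:
    net = ip_network(mask, strict=False)
    return lambda ctx: ip_address(ctx["remote_ip"]) in net


def evaluate(rules: List[Rule], event: str,
             ctx: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (rule name, action, command) for each Action taken, in order."""
    taken = []
    for rule in rules:                           # list order is Rule Priority
        if rule.event != event:
            continue
        if not all(cond(ctx) for cond in rule.conditions):
            continue                             # a Condition failed: rule skipped
        if rule.command is not None:
            taken.append((rule.name, "Execute Custom Command", rule.command))
        if rule.email:
            taken.append((rule.name, "Send Notification Email", None))
        if rule.stop:
            taken.append((rule.name, "Stop Processing Rules", None))
            break                                # lower-priority rules are ignored
    return taken


# Constructed sample rules for one Site; "Run CScript" is the guide's example name.
RULES = [
    Rule("Quarantine executables", "File upload",
         [if_file_name("*.exe")], command="Run CScript", stop=True),
    Rule("Notify on partner uploads", "File upload",
         [if_virtual_path("/partners/"), if_remote_ip("10.20.0.0/16")], email=True),
    Rule("Log every upload", "File upload", [], command="Run CScript"),
]

if __name__ == "__main__":
    # Constructed event context: a CSV upload from inside the partner range.
    ctx = {"FS.FILE_NAME": "report.csv", "virtual_path": "/partners/report.csv",
           "remote_ip": "10.20.5.9"}
    for step in evaluate(RULES, "File upload", ctx):
        print(step)
```

With an .exe upload the first rule fires and its Stop action prevents the logging rule from running, which is the behaviour to keep in mind when a rule that should always run sits below a rule with Stop processing more rules.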
Actions available for each Event
Event                 Execute Command in Folder   Send Notice   Stop Processing More Rules
SERVER EVENTS
Service Start         X                           X             X
Rotate Log            X                           X             X
Service Stop          X                           X             X
Timer                 two of the three actions; the source layout does not show which
SITE EVENTS
Site Start            X                           X             X
Site Stop             X                           X             X
CONNECTION EVENTS
User Connect          X                           X             X
User Disconnect       X                           X             X
User Connect Fail     X                           X             X
USER EVENTS
Account Disabled      X                           X             X
Quota Exceeded        X                           X             X
Password Changed      X                           X             X
User Login            X                           X             X
User Logout           X                           X             X
User Login Failure    X                           X             X
FILE SYSTEM EVENTS
File Delete           X                           X             X
File Upload           X                           X             X
Before Download       X                           X             X
File Download         X                           X             X
File Rename           X                           X             X
Folder Create         X                           X             X
Folder Delete         X                           X             X
Folder Change         X                           X             X
File Move             X                           X             X
Upload Fail           X                           X             X
Download Fail         X                           X             X
COM
COM APIs
You can interact directly with the Server from your own custom applications using any COM-enabled programming language such as Visual Basic (VB), Java, or C++. You can create a script with the development IDE of your choice.
To create a new script file, you must be familiar with programming concepts and should have experience with COM-enabled programming languages.
For details of using the COM methods and properties, see GlobalSCAPE's COM API Reference.
The Auditing and Reporting Module (ARM)
Auditing and Reporting
The Auditing and Reporting Module (ARM) captures the transactions passing through the Server and provides an interface in the Administrator where you can use preconfigured or create your own custom reports to query, filter, and view transaction data. Data is stored in a fully relational database, and can be analyzed in real time.
The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The built-in reports were designed to respond to the most common data analysis requests.
If you have needs outside the included preconfigured reports, you can build your own with the report designer.
See the Descriptions of Preconfigured Reports for a list and description of preconfigured reports.
See
for a list of the information available in reports.
How the Server Handles SQL data
The Server truncates data values within each audited event SQL transaction to ensure the data value fits within the corresponding database field. The following table lists selected field length values:
Tablename              Fieldname            Datatype/Field-length
tbl_SocketConnections  SiteName             Varchar (50)
tbl_ProtocolCommands   VirtualFolderName    Varchar (500)
                       PhysicalFolderName   Varchar (500)
                       SiteName             Varchar (50)
tbl_CustomCommands     CommandParameters    Varchar (1000)
                       SiteName             Varchar (50)
tbl_ClientOperations   RemotePath           Varchar (500)
                       LocalPath            Varchar (500)
                       UserName             Varchar (50)
tbl_Actions            Parameters           Varchar (1000)
                       SiteName             Varchar (50)
tbl_EventRules         SiteName             Varchar (50)
                       EventName            Varchar (50)
tbl_Authentications    SiteName             Varchar (50)
                       UserName             Varchar (50)
Special Characters
The special characters (as defined by the SQL interpreter) within each data value of an audit SQL event are escaped to ensure the data value is stored and retrieved properly from the database. The following special characters are escaped by the Server during generation of SQL statements prior to submission to the database engine:
• Single quote - '
• Open square bracket - [
• Percent - %
• Underscore - _
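The following Python is an added illustration, not GlobalSCAPE code: it applies the two safeguards this section describes to an audit value before it is placed in an INSERT statement (truncation to the field length from the table above, then doubling of the single quote), and separately shows the bracket form in which [, % and _ lose their meaning inside a SQL Server LIKE pattern, which is what a report's "Contains" filter needs when user-entered text must match literally. The exact escape syntax the Server uses is not stated on this page and is assumed here.

```python
# Added example, not GlobalSCAPE code. Mirrors the two steps the guide
# describes for audited values (truncate to the field length, escape the
# SQL special characters). The bracket form for the LIKE metacharacters is
# an assumption about how the escaping is done.

# Field lengths from the guide's table: (table name, field name) -> chars.
FIELD_LENGTHS = {
    ("tbl_SocketConnections", "SiteName"): 50,
    ("tbl_ProtocolCommands", "VirtualFolderName"): 500,
    ("tbl_ProtocolCommands", "PhysicalFolderName"): 500,
    ("tbl_ProtocolCommands", "SiteName"): 50,
    ("tbl_CustomCommands", "CommandParameters"): 1000,
    ("tbl_CustomCommands", "SiteName"): 50,
    ("tbl_ClientOperations", "RemotePath"): 500,
    ("tbl_ClientOperations", "LocalPath"): 500,
    ("tbl_ClientOperations", "UserName"): 50,
    ("tbl_Actions", "Parameters"): 1000,
    ("tbl_Actions", "SiteName"): 50,
    ("tbl_EventRules", "SiteName"): 50,
    ("tbl_EventRules", "EventName"): 50,
    ("tbl_Authentications", "SiteName"): 50,
    ("tbl_Authentications", "UserName"): 50,
}


def truncate_for_field(table: str, field: str, value: str) -> str:
    """Cut value to the varchar length of table.field so the INSERT cannot
    fail with a string-truncation error."""
    return value[: FIELD_LENGTHS[(table, field)]]


def escape_literal(value: str) -> str:
    """Double every single quote, the one character that can terminate a
    T-SQL string literal. '' is stored as a single character, so the
    stored length is unchanged."""
    return value.replace("'", "''")


def audit_literal(table: str, field: str, value: str) -> str:
    """Quoted literal for one audited value: truncate first, then escape,
    so the value that reaches the column still fits it."""
    return "'" + escape_literal(truncate_for_field(table, field, value)) + "'"


def escape_like(value: str) -> str:
    """Neutralise the LIKE metacharacters [ , % and _ by wrapping each in
    brackets. '[' is handled first so that the brackets added for % and _
    are not escaped a second time."""
    value = value.replace("[", "[[]")
    value = value.replace("%", "[%]")
    return value.replace("_", "[_]")
```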
Configuring the Auditing and Reporting Module (ARM)
To use Auditing and Reporting with the Server, you have to enable the Auditing and Reporting Module (ARM), specify the Host/Instance Name, Database Name, and login information, then specify the action to take in case of a database error. The procedure below describes how to configure ARM.
To configure ARM:
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server you want to configure.
3. In the right pane, click the Server Options tab.
the DSN-less connection string. the you installed the module.)
9. Select an action for the Server to take if there is an error with the database.
• To stop recording data, select Stop auditing.
• To continue recording data to a file, select Audit to folder, and specify the location of the file.
10. In the Failure notification email address box, specify the email address to which the Server is to send connection error notifications. To provide more than one email address, separate the addresses with a comma or semicolon. The Server uses its global SMTP email settings to send the emails, so make sure that those settings are correct.
Database error emails contain the following information:
• The time the Server detected the database error
• Error code - an indicator of any specific connection error or database engine transaction error codes
• Error description - textual description provided by the database engine for the specific error
• The database instance name and database name
• Secure FTP Server IP address and/or DNS name
• The location of the text file if text file logging was selected
• Instructions for use of RECONNECT to reestablish database communications and instructions for insertion of the SQL transactions using osql
Note:
If you are using Windows 2000 for your server installation, you must update MDAC prior to install. You can find the latest update at: http://msdn.microsoft.com/data/ref/mdac/downloads/ This does not apply to Windows XP, Windows 2003, or later versions, because they come with a newer version of MDAC that is compliant.
Installing the Auditing and Reporting Module
Installation and configuration of the Auditing and Reporting module consists of installing the Server with ARM, selecting the default database or setting up another database and pointing the Server to it, and then enabling the Server to record data.
Refer to Installing the Software for the procedure for installing the Microsoft SQL Server 2000 Desktop Engine (MSDE) for ARM.
If you are using your own SQL database to capture the auditing data, see Using SQL Server as the Auditing Database.
Using SQL Server as the Auditing Database
Microsoft Desktop Engine (MSDE) is bundled with the Server as the default database for auditing transactions. MSDE has a built-in size limit of 2GB, limiting it to about a million transactions before the database fills up. MSDE is not supported on the Microsoft Vista operating system, performance throttling occurs when there are more than five (5) concurrent workload batches in progress, and MSDE does not offer OLAP / data warehousing capabilities. Choosing SQL Server over MSDE overcomes these limitations and provides centralization of data for federation, redundancy, and performance. The procedure below describes how to set up the ARM database in SQL 2005. The process is similar for earlier versions of SQL Server.
To use SQL Server as the auditing database
1. Install Secure FTP Server (FIPS) without the MSDE component, unless you want to perform auditing on the local system for testing purposes.
2. Point the Server to the SQL Server of your choice.
To configure SQL Server for use with the Server
1. On SQL Server, launch Microsoft SQL Server Management Studio or equivalent and provide your administrator login credentials when prompted.
2. In the left pane, expand the Security node, then click the Logins node.
4. Create a new user called gsftpuser and click SQL Server Authentication.
Note:
If SQL Server Authentication is not available as a choice, verify that SQL Server has been set up to support Mixed-mode authentication.
alphanumeric and symbol mix at least 8 characters long. click OK.
9. In the left pane, right-click the Databases node, then click New Database.
10. In the dialog box that appears, name the database gsftpdb.
11. In the Owner field, provide the login name you just created (gsftpuser).
12. In the Database files table, change the Initial size value to 10MB for the gsftpdb logical name (first row). Leave the gsftpdb_log row alone and click OK.
13. In the left pane under Databases, click the newly created gsftpdb database, then on the Query menu, click New Query. A blank screen appears in the right pane in which you can type in a SQL query.
below into the Query text box. Make sure the query begins with the words if exists and ends with a parenthesis. Include everything between the sections labeled begin SQL query and end SQL query.
15. To run the query you just entered, click Execute on the toolbar. A message appears indicating whether the query was able to complete successfully.
16. Expand Databases, then gsftpdb, then Tables. Verify that the database has populated correctly. (The tables defined in the script should have been created.)
Test your connection
1. Create a test connection with your FTP client to the Server and upload and download a few files.
2. Switch back to SQL Server and select the dbo.tbl_ProtocolCommands table under the gsftpdb database icon. It should return several rows with the commands issued by your FTP client from the test connection.
3. You can now pull reports directly from the Server against data audited to the SQL Server.
Note:
If you are running the Administrator, you must have an entry in the Administrator computer's DNS for the name of the SQL (or MSDE) server; otherwise the Administrator will not be able to connect to the SQL Server when attempting to pull reports.
SQL Script
****BEGIN SQL QUERY***
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ClientOperations') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_ClientOperations   -- child tables are dropped before the tables they reference; SQL Server refuses to drop a table that is still the target of a FOREIGN KEY
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_SocketConnections') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_SocketConnections
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ProtocolCommands') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_ProtocolCommands
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_CustomCommands') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_CustomCommands
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Groups') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_Groups             -- references tbl_Authentications, so it goes first
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Authentications') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_Authentications
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Actions') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_Actions            -- references tbl_EventRules, so it goes first
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_EventRules') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_EventRules
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ResultCodes') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_ResultCodes
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Transactions') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table dbo.tbl_Transactions       -- last: every other audit table references it
GO
-- tbl_Transactions is created first because every other table's TransactionID
-- references it; ON DELETE CASCADE removes the child rows when a transaction row
-- is deleted.
CREATE TABLE dbo.tbl_Transactions (
    TransactionID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Transactions PRIMARY KEY CLUSTERED,
    ParentTransactionID numeric(18, 0) NULL REFERENCES tbl_Transactions(TransactionID),
    TransactionObject varchar (50) NOT NULL
)
GO
CREATE TABLE dbo.tbl_EventRules (
    EventID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_EventRules PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    SiteName varchar (50) NULL,
    EventName varchar (50) NULL,
    EventType varchar (50) NULL,
    ConditionValues varchar (1000) NULL,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Actions (
    ActionID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Actions PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    SiteName varchar (50) NULL,
    EventName varchar (50) NULL,
    ActionType varchar (50) NULL,
    Parameters varchar (1000) NULL,
    IsFailedAction bit NULL,
    ResultID numeric(18, 0) NOT NULL,
    EventID numeric(18, 0) NOT NULL REFERENCES tbl_EventRules(EventID),
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Authentications (
    AuthenticationID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Authentications PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    RemoteIP varchar (15) NOT NULL,       -- 15 characters holds a dotted-quad IPv4 address only
    RemotePort numeric(18, 0) NULL,
    LocalIP varchar (15) NOT NULL,
    LocalPort numeric(18, 0) NULL,
    Protocol varchar (50) NULL,
    SiteName varchar (50) NULL,
    UserName varchar (50) NULL,
    PasswordHash varchar (500) NULL,
    SettingsLevels varchar (500) NULL,
    ResultID numeric(18, 0) NOT NULL,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Groups (
    GroupID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Groups PRIMARY KEY CLUSTERED,
    GroupName varchar (50) NULL,
    AuthenticationID numeric(18, 0) NOT NULL REFERENCES tbl_Authentications(AuthenticationID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_CustomCommands (
    CustomCommandID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_CustomCommands PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    SiteName varchar (50) NULL,
    Command varchar (50) NULL,
    CommandParameters varchar (1000) NULL,
    ExecutionTime numeric(18, 0) NULL,
    ResultID numeric(18, 0) NOT NULL,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ProtocolCommands (
    ProtocolCommandID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_ProtocolCommands PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    RemoteIP varchar (15) NULL,
    RemotePort numeric (18,0) NULL,
    LocalIP varchar (15) NULL,
    LocalPort numeric (18,0) NULL,
    Protocol varchar (50) NULL,
    SiteName varchar (50) NULL,
    Command varchar (10) NULL,
    CommandParameters varchar (1000) NULL,
    FileName varchar (500) NULL,
    VirtualFolderName varchar (500) NULL,
    PhysicalFolderName varchar (500) NULL,
    IsInternal numeric(18, 0) NULL,
    FileSize numeric(18, 0) NULL,
    TransferTime numeric(18, 0) NULL,
    BytesTransferred numeric(18, 0) NULL,
    ResultID numeric(18, 0) NOT NULL,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ResultCodes (
    ResultID numeric(18, 0) NOT NULL CONSTRAINT PK_tbl_ResultCodes PRIMARY KEY CLUSTERED,
    Description varchar (100) NULL,
    Category varchar (10) NULL
)
GO
CREATE TABLE dbo.tbl_SocketConnections (
    SocketID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_SocketConnections PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    RemoteIP varchar (15) NULL,
    RemotePort numeric (18,0) NULL,
    LocalIP varchar (15) NULL,
    LocalPort numeric(18, 0) NULL,
    SiteName varchar (50) NULL,
    ResultID numeric(18, 0) NOT NULL,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ClientOperations (
    ClientOperationID numeric (18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_ClientOperations PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL,
    Protocol varchar (50) NULL,
    RemoteAddress varchar (50) NULL,
    RemotePort numeric (18, 0) NULL,
    Username varchar (50) NULL,
    RemotePath varchar (500) NULL,
    LocalPath varchar (500) NULL,
    Operation varchar (50) NULL,
    BytesTransferred numeric (18, 0) NULL,
    TransferTime numeric (18, 0) NULL,
    ResultID numeric (18, 0) NOT NULL,
    TransactionID numeric (18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
****END SQL QUERY***
Alternative Method for Creating Database Tables on SQL Server
Administrators that prefer using command driven tools can use oSQL to create the necessary database and tables. A brief overview is provided below; detailed step-by-step instructions are outside the scope of this documentation.
Gather the following information prior to calling the oSQL command line tool:
1. The SQL Server Host Name or address.
2. The authentication scheme. You will need to know the authentication mechanism allowed on that SQL Server. It may be Windows Authentication only, or Windows Authentication or SQL Server Authentication.
3. The allowed connection protocols. This can be Named Pipes, which is required for Windows Authentication, or TCP/IP, which is used by SQL Server Authentication.
4. The PORT, if TCP/IP. If TCP/IP is the connection of choice, you need to know the PORT on which the SQL Server is listening for connections. The default PORT is 1433. SQL Server also supports a way for a client to dynamically determine the port, but this requires that the SQL Server have UDP port 1434 accessible by remote machines. If this port is blocked by a firewall, you will NOT be able to use the dynamically determined port feature. Typically, SQL Server installations use the default port 1433 (TCP) for connections.
Once you have acquired all of the above information, you can craft the proper command line for "oSQL" to connect to the database:
1. Open a command prompt. (Select Start, then click Run. Type cmd, then press ENTER.)
2. Type the following to run the SQL file ARM_DBScript_1_1.sql, which is located in the Reports folder under the Server's installation folder:
[path to oSQL]\oSQL.exe -S [server address] -U [username] -P [password] -i "[path to Reports folder]\ARM_DBScript_1_1.sql"
For example, type:
"C:\Program Files\Microsoft SQL Server\80\Tools\Binn\oSQL.exe" -S 192.169.19.17 -U jbond -P asd123!f$s1 -i "C:\Program Files\GlobalSCAPE\Secure FTP Server\Reports\ARM_DBScript_1_1.sql"
3. In the Administrator, click the Server tab. You should be
4. In the left pane, click the Server you want to configure.
5. In the right pane, click the Server Options tab.
9. To test the connection to the database, click Test Connection.
Note:
Both the auditing component and the reporting component of the Server's ARM use ADO to communicate with the data source. The connection string (automatically configured if MSDE is chosen during install) used to connect to that data source can be anything that ADO supports to open a connection. This can be a DSN, or a DSN-less connection string. For more information on
ADO connection strings, search the MSDN library at http://msdn2.microsoft.com/enus/library/default.aspx ; also see Microsoft support article 193332: http://support.microsoft.com/?kbid=193332 .
Auditing Database Errors and Logging
The Server detects errors that occur while trying to connect to the ARM database and can detect errors returned from the database while attempting to perform transactions, including SQL INSERT and UPDATE statements. If an error is detected while connecting to the database or when performing a transaction on the database (SQL INSERT, UPDATE, etc.), you can configure the Server to send a notification to a specified email address.
The Server also generates a Windows Event Log notification when there is an ARM database error. The log entry indicates whether auditing stopped or if the auditing data is being stored to a log file.
Once the database access is lost, either due to a connection error or transaction (INSERT or UPDATE) error, resumption of auditing to the database requires a restart of the Server or a RECONNECT request by the administrator. If the Server is configured to stop auditing, the administrator must repair the database, and then restart Secure FTP Server or use RECONNECT to resume auditing to the database.
Logging to a Text File
If the Server has been configured to log the SQL statements to a text file, the Server continues to use the text file until either the Server is restarted or until a RECONNECT request is made by the administrator.
The administrator is notified by email that the logging has been switched to the text file. The Secure FTP Server administrator can then repair the database, resume auditing to the database, and load the recorded text file SQL statements into the database. To ensure the completeness of the audit data, the SQL statements in the text file must be loaded into the database before executing reports over the period during which SQL transactions were logged to the text file.
If you click Reconnect to resume auditing to the database while the Server is recording auditing information to the text file, the Server continues to log file transfers and/or user sessions that are in progress to that text file. New file transfers and new user sessions are logged in the database, but any in-progress transfers/user sessions are logged to the text file to ensure they can be inserted and linked appropriately in the database.
Auditing Database Recovery
Note:
The SQL statements logged in the text file must be loaded into the database before any reports are run.
If the Server is disconnected from the SQL database and is configured to save auditing information to the log file, do the following:
1. Solve the connection problem.
2. Repair the database, and insert the data from the text file into the SQL database. Be sure to insert the data only once, otherwise the auditing data will be corrupted.
3. In the Administrator, connect to the server, then click the Server tab.
4. In the left pane, click the Server you want to configure.
5. In the right pane, click the Server Options tab.
Database Audit Settings, click Test Connection to test the status of the database connection. (You must click Apply to apply any changes first.)
7. To reconnect to the database, click Reconnect.
Auditing and Reporting Result Codes
The ARM captures the following transaction information from the Server, which appears in the ARM database and reports:
Actions
ResultID   Description                                            Result Const
0          If the event action is successfully executed           EAR_SUCCESS
1          If the event action fails                              EAR_FAIL
2          If STOP processing this rule is selected as action     EAR_STOP_RULE
4          If STOP processing more rules is selected as action    EAR_STOP_ALL
Note:
Stop processing this rule and Stop processing more rules can be combined, in which case the value is the sum of the two individual values, that is, 6.
SocketConnection
ResultID   Description                                    Result Const
0          When socket successfully created               ER_NONE
8          Per Site socket connection limit exceeded      ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_SITE
9          Max connections per IP limit exceeded          ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_IP
10         The IP is restricted in the IP access list     ER_CONNECT_FAILED_RESTRICTED_IP
11         The IP is banned                               ER_CONNECT_FAILED_BANNED_IP
Authentications
ResultID   Description                                    Result Const
0          Authentication successful                      LR_OK
1          Incorrect password                             LR_PASSWORD_NOT_ACCEPTED
2          If User account is disabled                    LR_ACCOUNT_DISABLED
3          Max connections per Site limit exceeded        LR_TOO_MANY_CONNECTIONS_PER_SITE
4          Max connections per user limit exceeded        LR_TOO_MANY_CONNECTIONS_PER_USER
5          User level per IP connection limit exceeded    LR_TOO_MANY_CONNECTIONS_PER_IP
6          If given protocol is not supported             LR_PROTOCOL_NOT_SUPPORTED
7          Connection on restricted IP                    LR_RESTRICTED_IP
8          If service is unavailable                      LR_SERVICE_UNAVAILABLE
ClientOperations
ResultID   Description                                    Result Const
1          If copy/move/download operation is successful  TRUE
0          If copy/move/download operation fails          FALSE
CustomCommands
ResultID   Description                                         Result Const
0          Command executed successfully                       CER_OK
1          Command executed with socket output                 CER_SYNC
2          Access is denied                                    CER_ACCESS_DENIED
3          Command is not found                                CER_COMMAND_NOT_FOUND
4          Could not launch the selected process               CER_PROCESS_FAILED
5          Command is disabled                                 CER_COMMAND_DISABLED
6          Errors in parameters passed to the custom command   CER_ERROR_IN_PARAMS
ProtocolCommands
ProtocolCommands are the same as FTP result codes. Below is a short summary.
ResultID   Description
1xx        Expected another reply before proceeding with a new command
2xx        Requested action completed successfully
3xx        On hold pending receipt of further information
4xx        Temporary failure
5xx        Permanent failure
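As an added example that is not GlobalSCAPE code, the following Python puts the tbl_Authentications columns from the SQL script above together with the Authentications and Actions result codes: it loads a few constructed audit rows into an in-memory SQLite copy of the schema (SQLite stands in for SQL Server here, so IDENTITY becomes AUTOINCREMENT and datetime is stored as ISO text; the TransactionObject label is assumed) and runs the kind of failed-login query an administrator would use to spot a brute-force or password-spraying source.

```python
# Added example, not GlobalSCAPE code. Runs a failed-login detection query
# over the ARM tbl_Authentications columns from the guide's script, using an
# in-memory SQLite copy of the schema (assumption: SQLite stands in for
# SQL Server, so IDENTITY becomes AUTOINCREMENT and datetime is ISO text).
import sqlite3

# Authentication result codes from the guide's Authentications table.
LR_OK = 0
LR_PASSWORD_NOT_ACCEPTED = 1
LR_ACCOUNT_DISABLED = 2

# Event-action result codes from the Actions table; the two STOP values
# are flags and may be summed (2 + 4 = 6).
EAR_SUCCESS, EAR_FAIL, EAR_STOP_RULE, EAR_STOP_ALL = 0, 1, 2, 4

SCHEMA = """
CREATE TABLE tbl_Transactions (
    TransactionID INTEGER PRIMARY KEY AUTOINCREMENT,
    ParentTransactionID INTEGER NULL REFERENCES tbl_Transactions(TransactionID),
    TransactionObject VARCHAR(50) NOT NULL
);
CREATE TABLE tbl_Authentications (
    AuthenticationID INTEGER PRIMARY KEY AUTOINCREMENT,
    Time_stamp TEXT NOT NULL,
    RemoteIP VARCHAR(15) NOT NULL,
    RemotePort INTEGER NULL,
    LocalIP VARCHAR(15) NOT NULL,
    LocalPort INTEGER NULL,
    Protocol VARCHAR(50) NULL,
    SiteName VARCHAR(50) NULL,
    UserName VARCHAR(50) NULL,
    PasswordHash VARCHAR(500) NULL,
    SettingsLevels VARCHAR(500) NULL,
    ResultID INTEGER NOT NULL,
    TransactionID INTEGER NOT NULL
        REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
);
"""

# Constructed sample audit rows: (Time_stamp, RemoteIP, UserName, ResultID).
# One source tries six different account names in ten seconds; another
# mistypes a password once and then logs in normally.
SAMPLE_ROWS = [
    ("2008-05-01 09:00:01", "203.0.113.7", "admin", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:00:03", "203.0.113.7", "root", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:00:05", "203.0.113.7", "test", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:00:07", "203.0.113.7", "ftp", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:00:09", "203.0.113.7", "guest", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:00:11", "203.0.113.7", "backup", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:15:00", "198.51.100.4", "alice", LR_PASSWORD_NOT_ACCEPTED),
    ("2008-05-01 09:15:20", "198.51.100.4", "alice", LR_OK),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the two tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cur = conn.cursor()
    for ts, ip, user, result in SAMPLE_ROWS:
        # Every audited event hangs off a tbl_Transactions row (the
        # TransactionObject label used here is assumed).
        cur.execute("INSERT INTO tbl_Transactions (TransactionObject) "
                    "VALUES ('Authentication')")
        cur.execute(
            "INSERT INTO tbl_Authentications (Time_stamp, RemoteIP, LocalIP, "
            "Protocol, SiteName, UserName, ResultID, TransactionID) "
            "VALUES (?, ?, '192.0.2.10', 'FTP', 'Site1', ?, ?, ?)",
            (ts, ip, user, result, cur.lastrowid),
        )
    conn.commit()
    return conn


FAILED_LOGIN_SOURCES_SQL = """
SELECT RemoteIP, COUNT(*) AS failures, COUNT(DISTINCT UserName) AS distinct_users
FROM tbl_Authentications
WHERE ResultID = ? AND Time_stamp >= ? AND Time_stamp < ?
GROUP BY RemoteIP
HAVING COUNT(*) >= ?
ORDER BY failures DESC, RemoteIP
"""


def failed_login_sources(conn, start, end, threshold=5):
    """Remote IPs with at least `threshold` LR_PASSWORD_NOT_ACCEPTED results
    in [start, end). Many failures spread over many distinct names is the
    password-spraying shape; many failures on one name is brute force."""
    params = (LR_PASSWORD_NOT_ACCEPTED, start, end, threshold)
    return conn.execute(FAILED_LOGIN_SOURCES_SQL, params).fetchall()


def decode_action_result(result_id: int) -> list:
    """Name an Actions ResultID: 0 and 1 are plain values, 2 and 4 are
    flags, so 6 decodes to both STOP constants."""
    if result_id == EAR_SUCCESS:
        return ["EAR_SUCCESS"]
    if result_id == EAR_FAIL:
        return ["EAR_FAIL"]
    flags = ((EAR_STOP_RULE, "EAR_STOP_RULE"), (EAR_STOP_ALL, "EAR_STOP_ALL"))
    names = [name for flag, name in flags if result_id & flag]
    if not names or result_id & ~(EAR_STOP_RULE | EAR_STOP_ALL):
        raise ValueError(f"unknown Actions ResultID {result_id}")
    return names
```

Against the real ARM database the same SELECT can be issued through osql or Management Studio; only the sample-loading part is SQLite-specific.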
Transaction Information
The ARM captures the following transaction information:
Socket Connections
• Timestamp
• Result
Authentication Operations
• Timestamp
• Protocol
• Settings Level Membership
• Result
Protocol Operations
• Timestamp
• Protocol
• Command / Operation
• Result
• Virtual Folder Name
• Physical Folder Name
Custom Command
• Timestamp
• Command Parameters (delimited in a single field)
• Result
Event Trigger
• Timestamp
• Event Type (file upload, monitor folder, etc.)
• Matching Condition values, if there is a condition on the event. For example, the filename that matches a virtual path mask condition, or the folder that triggers a MONITOR FOLDER event.
• Result
• Transaction ID (unique)
Event Actions
• Timestamp
• Action Types such as move, copy, OpenPGP, and send email.
• Action Parameters - these are runtime values passed to the action, not the replacement variables.
• Failed Action Flag - This is captured if this action is the result of a FAILURE sequence on a prior action.
• Action Result Code
• Result
Preconfigured Reports
The Auditing and Reporting Module comes with a number of preconfigured reports that allow you to start analyzing data right away.
The preconfigured reports described below have been selected by users as the most often needed.
Activity-All Groups(Detailed) - This is a parameterized report that searches for all deletes, creates, uploads and downloads (sent, created, mkd, rmd, dele values of the Command column in tbl_ProtocolCommands) for all users grouped by "user group" for the specified date range.
Activity-ByGroups(Detailed) - A parameterized report that searches for all deletes, creates, uploads and downloads (sent, created, mkd, rmd, dele values of the Command column in tbl_ProtocolCommands) for all users belonging to a user-specified group for the specified date range.
Activity-AllUser(Summary) - A parameterized report of the sum total of uploads and downloads for all users for the specified date range.
Activity-AllUsers(Detailed) - Comprehensive report that displays all user activity grouped by user for the specified date range. This report may take a long time to generate.
Activity-ByFile - A parameterized report that searches for a particular filename (or all matching filenames if a mask is provided) transferred during the specified date range. Grouped by distinct filename (in case there are multiple matches), with all transfers (upload/download) for that particular file listed in reverse chronological order.
Activity-ByGroup(Detailed) - This report displays the folder and file create and delete activity during a specified period for a specific group, grouped by group name, and sorted by date in reverse chronological order. The report displays the remote IP, protocol action, time stamp, file name, folder, bytes transferred, and result. When you click Show Report, the Report Parameters dialog box appears asking for the group name.
Activity-ByUser(Detailed) Group by Action - A parameterized report that searches for all file or folder deletes, folder creates, uploads and downloads for a particular user for the specified date range. Subgrouped by the "action" performed.
Activity-ByUser(Detailed) - A parameterized report that searches for all file or folder deletes, folder creates, uploads and downloads for a particular user for the specified date range.
Activity-ByUser(Summary) - A parameterized report for sum total of uploads and downloads for a specified user for the specified date range.
EventRulesAction(Summary) - A report summarizing all event rules with their corresponding actions.
Event Rules - Activity (Summary) - This report summarizes the event rule activity by user-defined event name, grouped by Site name, sub-grouped by the event type, sorted by date in reverse chronological order.
Event Rules - Inbound-Outbound By Date - This report details all offload and download actions, grouped by Site subgrouped by action, sorted by date in reverse chronological order.
Event Rules - Inbound-Outbound By User - This report details all offload and download actions, grouped by Site name, then by remote host IP address, then by username, sorted in reverse chronological order.
Executive Summary Report - A report that summarizes the following for the date period specified:
b. Total number of downloads, uploads
c. Total bytes transferred (inbound/outbound)
d. Top 5 users (by # of connections)
e. Top 5 users (by bytes transferred)
f. Most concurrent users at any given time
Security-FailedLogins - A report of socket connections WITHOUT a corresponding authentication attempt.
Traffic-Datewise-IPwiseBytesTransferred - Shows the sum of bytes transferred per IP over the specified date range.
Traffic-IPWise Connections - A report detailing bytes transferred and unique connections per IP address per site by day for the given date range.
Traffic-Most Active IP Connections - Shows sum of connections and bytes transferred per IP for the provided date range sorted by connections in descending order.
Traffic-Most Active IP Data Transferred - Shows the sum of connections and bytes transferred per IP for the provided date range sorted by bytes in descending order.
Traffic-Most Active Users Connections - Shows the list of users with amount of connections and bytes transferred for the provided date range sorted by connections in descending order.
Traffic-Most Active Users Data Transferred - Shows the list of users with amount of connections and bytes transferred for the provided date range sorted by bytes in descending order.
Traffic - Average Transfer Rates By User - A report detailing average KB/s transfer rates by user for the specified period of time.
Traffic - Connections Summary - This report is similar to the Protocolwise Connections report except that it is not broken down by protocol. Instead, this report details bytes transferred and unique connections per site by day for the specified date range.
Traffic - Datewise-hourly Bytes Transferred - KB transferred each hour for the specified date range.
Traffic - Monthwise-IPWise Bytes Transferred - KB transferred by month.
Traffic - Most Active IPs - Data Transferred - KB transferred per IP sorted in descending order
Traffic - Protocolwise Connections - Bytes transferred and unique connections per protocol by date for the specified date range.
Traffic - SiteWise Hourly by User - KB transferred hourly for the specified date range.
Troubleshooting - Connection Errors - A report detailing all failed socket connections or authentication attempts from IPs other than the local IP.
Troubleshooting - IP Address Activity (Detailed) - A parameterized report for troubleshooting by remote IP. It prompts for an IP address, then produces a report showing all socket, authentication, and protocol activity for that address.
Troubleshooting - Operation Errors - A report detailing all failed operations (except for list, cwd, and size) for all protocols by site for a particular date range.
Generating a Report
The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The built-in reports were designed to respond to the most common data analysis requests. See Reports for a list of available reports.
To generate a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected to the reports database.
2. In the left pane, click the desired report.
3. In the right pane, specify any filters.
4. Specify the date range from which you want to pull data.
5. Type the appropriate parameters/wildcards for the search if the following reports are used:
• Activity By File - Type the file name.
• Activity By Group - Type the group name.
• Troubleshooting IP address Activity - Type the IP address.
6. Click Show Report. The ARM connects to the auditing database and displays the data in the report window.
Note:
The ARM displays the first page of the report as soon as the data is ready, then continues to load additional pages. You can monitor the progress of loading by watching the current page/total pages indicator on the report filter bar.
If you want to stop a report from loading, click another report in the left-hand navigation tree. This will cancel the loading of the displayed report.
Filtering a Report
You can filter the fields in a report based on various conditions to display only the data that meet the filtering criteria.
The Report Filters area contains two sets of combo boxes, operands (AND, OR), and a text box.
Use the second set of filters to further define the report using AND or OR.
For example, suppose you want to filter an action report so that it shows each of the files that were created by those actions. Specify the filter as follows.
1. In the first combo box, click Action.
2. In the second combo box, click = or Contains.
Editing Reports
You can use the report designer to edit reports, change a layout, or redefine the data criteria.
To edit a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected to the reports database.
2. In the left pane, click a report.
3. In the right pane, on the bottom toolbar, click Edit Report.
displays. Edit and build the report as desired, then save it and return to the Administrator.
5. Query, filter, and run the report as before. Verify that your changes appear as desired.
Managing Reports
Saving a Report
You can save reports to a file and export them in the following formats: plain HTML (.html), Report File (.vp), Portable Document Format (.pdf), or plain text (.txt).
To export a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected to the reports database.
2. With the report displayed in the right pane, click Save As on the bottom toolbar.
Exporting Reports in XML Format
You can save reports to your computer in XML format and send them to anyone who needs to see them.
To export the report
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. In the left pane, click the desired report.
3. On the main menu, click Reports, then click Export Report, or right-click the report and click Export Report. The Save As dialog box appears.
4. Specify a name and a location to save the report, then click Save.
Exporting and Publishing Reports in the Report Designer
Instead of printing the report, you may want to export it into a file and distribute it electronically to your clients or co-workers. VSReport Designer supports the following export formats:
• Paged HTML - Creates one HTML file for each page in the report. The HTML pages contain links that let the user navigate the report.
• Drill-Down HTML - Creates a single HTML file with sections that can be collapsed and expanded by the user by clicking on them.
• Plain HTML - Creates a single, plain HTML file.
• PDF - Creates a PDF file that can be viewed on any computer equipped with Adobe's Acrobat viewer or browser plug-ins.
• VSPrinter - Creates a file using the VSPrinter control's native format. The file can be loaded, viewed, and printed from a VSPrinter control within an application or Web page.
• Text - Creates a plain text file.
To create an export file
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. In the left pane, click the desired report.
3. In the right pane, click Edit Report. The report opens in the Report Designer.
4. In the left pane of the Report Designer, click the report that you want to export. want to create, its name, and location.
Importing Reports
You can add reports to the Server by importing the XML reports from the local drive to the Server.
To import reports
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. On the main menu, click Report, then click Import, or right-click the Reports node and click Import from the shortcut menu. The Open dialog box appears.
3. Click the XML file you want to import, then click Open.
4. The report is added in the left pane under Reports.
Importing Microsoft Access Reports
One of the most powerful features of the VSReport Designer is the ability to import reports created with Microsoft Access. This feature requires Access to be installed on the computer. Once the report is imported into the designer, Access is no longer required.
To import reports from an Access file, click the Import button or in the File menu, select Import. A dialog box will prompt you for the name of an Access file (MDB). After you select the file, the Designer automatically scans it and converts all the reports into a new report definition file.
The import process works well and handles most elements of the source reports, with a few exceptions listed below. These limitations affect a relatively small number of reports, but you should preview all reports after importing them, to make sure they still work correctly.
• Event handler code - Access reports can use VBA, macros and forms to format the report dynamically. VSReport Designer can do the same things, but it only uses VBScript. Because of this, all report code needs to be translated manually.
• Form-oriented field types - Access reports may include certain fields that are not handled by the Designer's import procedure. The field types not supported are Chart, CommandButton, ToggleButton, OptionButton, OptionGroup, ComboBox, ListBox, TabCtl, and CustomControl.
• Reports that use VBScript reserved words - Because Access does not use VBScript, you may have designed reports that use VBScript reserved words as identifiers for report objects or recordset field names. This causes problems when the VBScript engine tries to evaluate the expression, and will prevent the report from rendering correctly. Reserved words you should not use as identifiers include Date, Day, Hour, Length, Minute, Month, Second, Time, TimeValue, Value, Weekday, and Year. For a complete list, please refer to a VBScript reference.
• Reports that sort dates by quarter (or weekday, month of the year, etc.) - VSReport Designer uses the ADO recordset Sort property to sort groups. This property sorts recordsets according to field values only, and does not take expressions. (Note that you can group according to an arbitrary expression, but you cannot sort.) An Access report that sorts groups by quarter will sort them by date after it is imported. To fix this, you have two options. Either create a field that contains the value for the expression you want to sort on, or change the SQL statement that creates the recordset and perform the sorting that way.
Deleting a Report
You can delete any reports that you no longer use. Once deleted, a report cannot be recovered unless you previously saved it.
To delete reports
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. In the left pane, click the report, then do one of the following:
• On the main menu, click Reports, then click Delete Report.
• Right-click the report and click Delete Report.
A confirmation message appears.
Saving Report Outputs
Report output can be saved in HTML, PDF, and XML format.
To save reports in different formats
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. In the left pane, click the report, then do one of the following:
• On the main menu, click Reports, then click Save Report Output As.
• Right-click the report, then click Save Report Output As.
The Save As dialog box appears.
3. Navigate to the folder in which you want to save the report.
Renaming a Report
You can rename the preconfigured reports and your custom reports.
To rename a report
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
3. In the left pane, click the report name to make it editable, type your changes, then press ENTER or click away from the edit box.
4. On the toolbar, click the Save icon, then close the Report Designer.
Note:
The new name does not immediately update in the Reports tree of the Administrator. If you double-click the report in the tree, the name will update.
Custom Reports
Ad hoc querying, sorting, filtering, and reporting can be accomplished by editing one of the existing reports or creating a new report in the provided report editor. This tool can be launched from the Windows Start menu or from within the Administrator.
The report editor tool bundled with ARM is a robust report designer licensed from Component One.
During the Server evaluation period, VSReport Designer is available for use as a fully functional 30-day trial. A license for VSReport Designer is included with each purchase of ARM. After the 30-day trial, ARM must be activated along with the Server in order to continue using VSReport Designer. Most of the main functions of the report designer are described in this help file; however, the VSReport Designer has its own Help file, accessed by clicking help on the main menu, or opening vsrpt8.chm in the Server installation folder.
The VSReport Designer lets you work on existing report templates, change field locations and properties, add various levels of grouping, sorting, etc. You can also create new reports and select ARM's database tables from which to retrieve data fields, or paste in SQL code for advanced queries of the data source, giving customers complete freedom in designing their report. Styles (colors, fonts, background logo images, etc.) can also be manipulated from within the designer. You can also import report definitions from Microsoft Access files (MDB).
Note:
Translation of Access reports requires that Microsoft Access is installed. Once the report is imported into the Designer, Access is no longer required.
The main Designer window includes the following:
• Report list - The left pane of the Report Designer lists all reports contained in the current report definition file. You can double-click a report name to preview or edit the report. You can also right-click in the list to rename, copy, and delete reports.
• Preview/Design pane - The right pane is the main working area of VSReport Designer. In preview mode, it displays the current report. In design mode, it shows the report's sections and fields and allows you to change the report definition.
• Main Menu - The main menu is used to access submenus, load and save report definition files, import report definitions, and print reports.
• Shortcut toolbar - Shortcuts are used to access the most common menu functions: new file, open, import, save, print, undo/redo, cut/copy/paste, create/delete report, and help.
• View toolbar - The View toolbar allows you to easily switch between preview and design modes, activate the design grid, and display the property and grouping windows.
• Toolbox - The Toolbox provides tools for creating report fields. This toolbar is enabled only in design mode.
• Formatting toolbar - The Formatting toolbar provides shortcuts to tools for aligning, sizing, and spacing report fields. This toolbar is enabled only in design mode.
• Status bar - The Status bar at the bottom of the Report Designer displays information about what VSReport Designer is working on (e.g., loading, saving, printing, rendering, importing, etc).
Opening VSReport Designer
When you create a new report, you can create it manually or use the Report Wizard. Both ways are accomplished in the VSReport Designer, as described below.
To open VSReport Designer
1. Do one of the following:
• On the toolbar, click the New Report icon.
• On the main menu, click Reports, then click New Report, or click New Report on the bottom toolbar.
The New Report dialog box appears.
2. Type a title for the new report, then click Create. The Report Designer appears.
3. Do one of the following to create a report:
• Manually define the report: Click the Design icon, then continue with the instructions in Changing Field, Section, and Report Properties, Adding, Editing, and Deleting Fields in the Report, and the topics that follow them.
• Use the Report Wizard: Click File, then click New Report, or click the New Report icon on the toolbar.
Creating a Report with the Report Wizard
The easiest way to start a new report is to use the Report Wizard. The Report Wizard will help you create a basic report, specify the data source, fields to include in the report, layout of the report, and styles or labels to use in the report.
To use the Report Wizard
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to the reports database.
2. Do one of the following:
• On the toolbar, click the New Report icon.
• On the main menu, click Reports, then click New Report, or click New Report on the bottom toolbar.
The New Report dialog box appears.
3. Type a title for the new report, then click Create. The Report Designer appears.
4. On the toolbar, click the wizard icon. The New Report Wizard opens.
5. Do one of the following:
• Click to define the connection string. The Data Link Properties dialog box appears.
a. Click the provider used to connect to the SQL server database, then click Next.
b. Under Select or enter a server name, click the arrow to select a name or type the name of the Server.
c. Under Enter information to log on to the Server, click an authentication option:
• Use Windows NT Integrated security - Your computer automatically picks up the credentials from your computer and connects you to the database.
• Use a specific user name and password - Specify the user name and the password to be used to log on to the Server. Select the Allow saving password check box to save the password in the connection string.
Note:
Select the Blank password check box if the Server requires a blank password to log on to the database server. Even if you do not type any password when you create a user account on a database server, you can select the Allow saving password check box. In this case, the Server takes a dummy password value and saves that value in the connection string. Selecting the Blank password check box disables the password field.
d. Click one of the following:
• Select the database on the Server, and then click a database in the list.
• Attach a database file as a database name - Click the ellipsis icon to browse for the SQL server database file (*.mdf). The Select SQL Server Database File dialog box appears. Select a file, then click Open. The path to the file appears in the Using the filename box.
7. Click one of the following:
• Table to select a database table, such as tbl_EventRules.
• SQL Statement to write SQL queries, that is, SELECT statements. For example, SELECT * FROM tbl_actions.
8. The available fields are those of the table or query that you selected in the previous step. For example, if you selected tbl_EventRules, the fields for Event Rules appear.
9. Double-click a field, or click it and use the arrows, to move it to the Groups list. You can move more than one field to the Groups list. Group fields define how the data is sorted and summarized. The information in the Detail list is grouped according to the group name. The Detail list displays the details for each group. Detail fields define the information you want to appear in the report. For example, if you move SiteName to the Groups list and Time_stamp, EventName, and so on to the Detail list, then the report displays the time stamp and events under the respective Sites, treating different Sites as different groups.
Note:
You can also drag and drop the available fields into the Groups or Detail section.
10. Click Next. The layout options appear.
11. Click a layout for the report. When you select a layout, a thumbnail preview appears on the left to give you an idea of how the layout will appear on the page. There are two groups of layouts. The first is for the reports with no groups defined and other is for the reports with group fields defined.
• If you did not define a Group field, the following options are available:
o Columnar
o Tabular
o Justified
o Labels - Labels come in a variety of sizes, blank or preprinted. If you select this option, the next page offers options for the type of label for your report.
• If you defined a Group field, the following options are available:
o Stepped
o Outline
o Aligned
12. If you selected any option other than Labels, click the report orientation from the following options. If you select the Labels option, the Orientation options are disabled.
• Portrait
• Landscape
13. Select the Adjust fields to fit page check box to adjust fields in a way that they fit the page.
14. Click Next.
15. Do one of the following:
• If you specified Labels, click a type of label in the Labels list, then specify the Units (Metric or English) and the paper type (Sheet Feed (single sheet) or Continuous (continuous paper)).
• If you specified anything other than Labels, specify a style for the report title.
16. Click Next.
17. Type a title for the report.
18. Do one of the following:
• To view the report, click Preview the report.
• To modify the report in Design view, click Modify the report's design.
19. Click Finish. Your new report name appears in the left pane of the Report Designer. The right pane displays a preview of the report or the design view, depending on your selection in the previous step.
20. Click Save to save the report.
21. Click File, then click Close to close VSReport Designer. The report appears on the Reports tab.
22. Edit the report in Design mode to add/remove fields, resize fields, add graphics, and so on.
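The Data Link Properties step above offers two authentication choices, and the Allow saving password check box writes the password into the connection string that the report definition carries. The following is an added example, not GlobalSCAPE or ComponentOne code: a small audit routine that classifies an ADO/OLE DB connection string as integrated or password-based, reports whether a non-blank password is saved in it, and produces a masked copy that is safe to log. It assumes the usual "Key=Value;Key=Value" layout that the dialog produces; the three sample strings, and the server and database names in them, are constructed.

```python
"""Audit the authentication mode of an ADO/OLE DB connection string.

Added example, not GlobalSCAPE or ComponentOne code. It assumes the
Data Link Properties dialog produces the usual "Key=Value;Key=Value"
connection string and that a report definition stores it verbatim.
The sample strings below are constructed (server/database names are
placeholders).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values the OLE DB providers accept as "on" for boolean-style keys;
# SQLOLEDB spells Windows integrated authentication as "SSPI".
TRUE_VALUES = {"true", "yes", "1", "sspi"}
SECRET_KEYS = {"password", "pwd"}

# Constructed samples: integrated security, a saved password, and a blank password.
INTEGRATED_SAMPLE = ("Provider=SQLOLEDB.1;Integrated Security=SSPI;"
                     "Persist Security Info=False;Initial Catalog=ARM;Data Source=DBSERVER")
SAVED_PASSWORD_SAMPLE = ('Provider=SQLOLEDB.1;Password="s3;cret";Persist Security Info=True;'
                         "User ID=armreader;Initial Catalog=ARM;Data Source=DBSERVER")
BLANK_PASSWORD_SAMPLE = ("Provider=SQLOLEDB.1;Password=;User ID=armreader;"
                         "Initial Catalog=ARM;Data Source=DBSERVER")


@dataclass
class ConnStringAudit:
    integrated_security: bool     # "Use Windows NT Integrated security"
    user_id: Optional[str]        # "Use a specific user name and password"
    password_embedded: bool       # a non-blank password is saved in the string
    persist_security_info: bool   # provider keeps the credential after connecting
    redacted: str                 # copy of the string with the password masked


def split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, but not inside '...' or "..." quoted values."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_connection_string(cs: str) -> List[Tuple[str, str]]:
    """Return ordered (key, value) pairs; quotes around values are stripped."""
    pairs = []
    for part in split_outside_quotes(cs, ";"):
        if "=" not in part:
            continue  # empty segment or stray separator
        key, _, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs.append((key.strip(), value))
    return pairs


def audit_connection_string(cs: str) -> ConnStringAudit:
    """Classify how the string authenticates and mask any saved password."""
    pairs = parse_connection_string(cs)
    kv = {k.lower(): v for k, v in pairs}
    integrated = kv.get("integrated security", "").lower() in TRUE_VALUES
    user_id = kv.get("user id") or kv.get("uid") or None
    # A blank password (the dialog's Blank password check box) is not a stored secret.
    password_embedded = any(kv.get(k, "") != "" for k in SECRET_KEYS)
    persist = kv.get("persist security info", "false").lower() in TRUE_VALUES
    redacted = ";".join(
        f"{k}={'***' if k.lower() in SECRET_KEYS and v != '' else v}" for k, v in pairs
    )
    return ConnStringAudit(integrated, user_id, password_embedded, persist, redacted)


def findings(cs: str) -> List[str]:
    """Review findings a report definition with this connection string would raise."""
    a = audit_connection_string(cs)
    out = []
    if a.password_embedded:
        out.append("password is saved in the connection string")
    if a.persist_security_info and not a.integrated_security:
        out.append("Persist Security Info=True keeps the credential after connecting")
    return out


if __name__ == "__main__":
    for sample in (INTEGRATED_SAMPLE, SAVED_PASSWORD_SAMPLE, BLANK_PASSWORD_SAMPLE):
        print(audit_connection_string(sample).redacted, findings(sample))
```

Run the module directly to see the masked form of each sample and its findings; in practice you would feed it the connection strings pulled from your exported report definitions and treat any string with a saved password as a credential to rotate or replace with integrated security.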
Creating a Report in Design Mode
The Report Wizard is used to specify a data source and basic framework for the report. To get exactly the report you want, you can adjust and enhance the data fields and layout. The Report Designer provides the options to modify the report to fit your needs.
To use the Report Designer design mode
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected to the reports database.
2. Do one of the following:
• Click the report that you want to modify, then click Edit Report.
• Create a new report. (See Creating a Report with the Report Wizard for instructions.)
The report appears in the Report Designer.
3. The left pane of the Report Designer lists all reports contained in the current report definition file. Click the report that you want to modify, then click the Design icon on the View toolbar, or on the main menu, click View, then click Design. The right pane switches from Preview mode to Design mode, and displays the controls and fields that make up the report.
The Report Sections
The report is divided into sections labeled Header, Page Header, Detail, and Page Footer that contain fields that hold the labels, variables, and expressions that you want in the generated report. The sections determine the appearance of the beginning and end of the report, and each page and group. The table below describes where each section appears in the report and the sort of data that typically appears in each section.
Section, where it appears, and what it typically contains:
• Report Header - Appears once per report. Typically contains the report title and summary information for the whole report.
• Page Header - Appears once per page. Typically contains labels that describe detail fields and/or page numbers.
• Group Header - Appears once per group. Typically contains fields that identify the current group and possibly aggregate values for the group (e.g., total, percentage of the grand total).
• Detail - Appears once per record. Contains fields holding data from the source recordset.
• Group Footer - Appears once per group. Typically contains aggregate values for the group.
• Page Footer - Appears once per page. Typically contains the page number, page count, date printed, and report name.
• Report Footer - Appears once per report. Typically contains summary information for the entire report.
You cannot directly add and delete sections; the number of groups in a report determines the number of sections. Every report has exactly five fixed sections (Report Header/Footer, Page Header/Footer, and Detail) plus two sections per group (a Header and a Footer).
To hide sections that you do not want to display
1. Right-click the field, then click Properties. The Field Properties dialog box appears.
2. Change the property of Visible to False.
To resize a section
• Click and hold the border of the section and drag it to the position where you want it.
The rulers on the left and on top of the design window show the size of each section (excluding the page margins). You cannot make the section smaller than the height and width required to contain the fields in it. To reduce the size of a section beyond that, move or resize the fields in the section first, then resize the section.
• Press and hold SHIFT, then click fields to toggle their selection status.
• Press and hold CTRL, then drag the cursor to copy a selection.
• Click on the corners of a field to resize it.
• Press TAB to move the selection to the next field (which is handy when fields are close together).
• Press the arrow keys to move selected fields.
• Press DELETE to remove selected fields.
Note:
If you make any mistakes while moving or editing the fields, click the Undo and Redo icons.
When multiple fields are selected, you can use the buttons on the Format toolbar to align, resize, and space them.
You can control the design grid using the Show Grid and Snap To Grid icons.
Changing Field, Section, and Report Properties
You can view and edit the properties of the objects inserted in a report.
When one or more fields are selected, the Field Properties dialog box displays only the properties and values that all selected fields have in common, and leaves the other properties blank.
If no fields are selected and you click a section (or on the bar above a section), the selected section's properties are displayed.
If you click the gray area in the background, the Report properties are displayed.
To view and edit an object's properties
• Double-click the object, or select the object, then do one of the following:
o Right-click, then click Properties.
The Field Properties dialog box appears.
In the example below, the label in the Header section, Activity - All Group (Detailed), is selected. The Field Properties dialog box displays the properties of the selected field.
In the Field Properties dialog box, you can change a property by changing the value of the property. For example, you change the text color by changing the ForeColor property. You can change the field's position and dimensions by typing new values for the Left, Top, Width, and Height properties.
The property window expresses all measurements in twips (the native unit used by the ComponentOne report designer), but you can type in values in other units and they will be automatically converted into twips. For example, if you set the field's Height property to "0.5in", the property window will convert it into 720 twips.
Changing the Data Source
The data source is defined by the ConnectionString, RecordSource, and Filter properties. These regular report properties are set in the Property Window by clicking on the background area where there are no sections. The data source is defined when you use the New Report Wizard to create the report.
To change the data source for a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected to the reports database.
2. Do one of the following:
• Click the report that you want to modify, then click Edit Report.
• Create a new report. (See Creating a Report with the Report Wizard for instructions.)
The report appears in the Report Designer.
3. View the report in Design mode.
4. Click
Adding, Editing, and Deleting Fields in the Report
VSReport Designer has only one type of field object; the icons in the Toolbox simply set the properties of the field to make it look and act in a certain way.
Use the Toolbox to add fields to your report. Each icon creates a field and initializes the field's properties as follows:
• Label field - Creates a field that displays static text.
• Bound field - Creates a field that is bound to the source recordset. When you click this button, a menu appears and you can select the recordset field. Bound Fields are not limited to displaying raw data from the database. You can edit their Text property and use any VBScript expression.
• Expression field - Creates a calculated field. When you click this button, the code editor dialog will appear so you can enter the VBScript expression whose value you want to display.
• Checkbox field - Creates a bound field that displays a Boolean value as a check box. By default, the checkbox displays a regular checkmark. You can change it into a radio button or crossmark by changing the value of the field's Checkbox property after it has been created.
• Unbound Picture field - Creates a field that displays a static picture, such as a logo. When you click this button, a dialog box will appear to prompt you for a picture file to insert in the report. A copy will be made of the picture you select and placed in the same directory as the report file. You must distribute this file with the application unless you embed the report file in the application. When you embed a report file in your application, any unbound picture files are embedded too.
• Bound Picture field - Creates a field that displays a picture (or object) stored in the recordset. When you click this button, a menu appears so you can select a picture field in the source recordset (if there is one; not all recordsets contain this type of field).
• Line field - Creates a line. Lines are often used as separators.
• Rectangle field - Creates a rectangle. Rectangles are often used to highlight groups of fields or to create tables and grids.
• Subreport field - Creates a field that displays another report. When you click this button, a menu appears and you can select other reports that are contained in the same report definition file.
• Page Break field - Creates a field that inserts a page break.
After you click any of these icons, drag the mouse over the report and the cursor will change into a crosshair. Click and drag to define a space that the new field will occupy, and then release the button to create the new field. If you change your mind, press ESC or click the arrow button to cancel the operation.
You can also add fields by copying and pasting existing fields, or by holding down the control key and dragging a field or group of fields to a new position to create a copy.
To add, edit, or delete fields in a report
1. In the Report Designer, click View, then click Design, or click the Design icon on the toolbar. The report opens in design mode.
2. Follow the procedures below depending on the fields that you want to add, edit, or delete.
To draw a line
• Click the Line field icon, then drag the cursor where you want to draw a line.
To draw a rectangle
• Click the Rectangle field icon, then drag the cursor where you want to draw a rectangle.
To add or edit text
1. Insert a rectangle, or double-click or right-click an existing rectangle, then click Properties. The Field Properties dialog box appears.
To add labels
• Click the Label field icon, then drag the pointer to draw a box in the report at the place you want to add a label. Name the label, then specify its font, color, and other properties. You can click and drag the label to adjust its placement in the report.
To add data fields
• Click the Bound field icon, then draw a box on the report. Change the properties of the data field by right-clicking it, then clicking Properties.
To create a VBScript expression
1. Click the Expression field icon on the toolbar. The VBScript Editor appears.
2. Type the VBScript expression. For example, type:
=count (Transaction ID)
4. Drag the pointer and place it under the respective field where you want the result to display.
To insert images
1. Click the Unbound Picture field icon. The Open dialog box appears.
2. Click an image, then click Open.
3. Drag the cursor to draw a box where you want the image to appear.
To delete fields
• Click the field, then press DELETE.
Grouping and Sorting Data
After designing the basic layout, you may decide that grouping the records by certain fields or other criteria would make the report easier to read. Grouping allows you to separate groups of records visually and display introductory and summary data for each group. The group break is based on a grouping expression. This expression is usually based on one or more recordset fields, but it can be as complex as you like.
Groups are also used for sorting the data, even if you do not plan to show the Group Header and Footer sections.
The bar across the top of each section contains some useful tools and information about the section:
The indented box with a minus sign or a plus sign to the left of the section is used to collapse and expand the section. This feature is useful when you are designing the report to allow you to see a group's header and footer on the same screen without scrolling. Collapsing or expanding a section has no effect on how it is rendered in the report.
In the picture above, to the left of Group Header, an indented circle indicates that the section currently has zero height. You can drag the divider line down to increase the section's Height property.
The triangle to the left of Group Header indicates the group's sorting order. You can click this icon to open the Sorting and Grouping dialog box. The labels to the right of the icons are the section name and, for group headers, the value of the group's GroupBy property (in this example, Country).
To add, edit, reorder, or delete groups in the report
1. Click the triangle to the left of the group header. The Sorting and Grouping dialog box appears.
2. Use this dialog box to create, edit, reorder, and delete groups.
To create a new grouping condition
1. Type the grouping expression instead of a simple field name. For example, you could use "Country" to group by country or "Left(Country, 1)" to group by country initial.
2. Specify the sort order for grouping the data (Ascending, Descending, or None).
3. Specify the visible Header and Footer sections, and whether the group should be rendered together (No, With first detail, or Whole Group) on a page.
Note:
You cannot use memo or binary (object) fields for grouping and sorting. This is a limitation imposed by OLEDB.
4. After you enter some data for the first group, a new blank row is appended to the list, so you can keep creating new groups. If you add more groups, you can change their order by clicking on the leftmost gray cell in the row and dragging the row to a new position. This will automatically adjust the position of the Group Header and Footer sections in the report.
5. To delete a field in the group, select it, then press DELETE.
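The Report Wizard's SQL Statement option and the grouping expressions above are two ways to shape a recordset, and the Access import notes earlier point out that grouping by a computed value such as a quarter has to be done in the SQL statement rather than in the ADO Sort property. The following is an added example, not GlobalSCAPE or ComponentOne code, showing that approach: it builds a tiny constructed copy of the guide's tbl_EventRules (SiteName, EventName, Time_stamp columns) in an in-memory SQLite database, which stands in for the ARM SQL Server database so the example runs offline, and runs a query that groups events per site and calendar quarter. On SQL Server the quarter column would be written DATEPART(quarter, Time_stamp) instead of the strftime arithmetic used here; the rows, event names and timestamps are constructed.

```python
"""Group and sort ARM audit rows by site and calendar quarter in SQL.

Added example, not GlobalSCAPE or ComponentOne code. SQLite stands in for
the ARM SQL Server database so this runs offline; the table and column
names come from the guide (tbl_EventRules, SiteName, EventName,
Time_stamp), the rows are constructed. On SQL Server, replace the
strftime arithmetic with DATEPART(quarter, Time_stamp).
"""
import sqlite3
from typing import List, Optional, Tuple

# Constructed audit rows: (SiteName, EventName, Time_stamp).
SAMPLE_ROWS = [
    ("SiteA", "FileUploaded",    "2008-01-15 10:00:00"),
    ("SiteA", "FileDownloaded",  "2008-02-03 11:30:00"),
    ("SiteA", "UserLoginFailed", "2008-05-20 09:15:00"),
    ("SiteB", "FileUploaded",    "2008-04-02 08:00:00"),
    ("SiteB", "FileUploaded",    "2008-11-11 16:45:00"),
    ("SiteB", "UserLoginFailed", "2008-11-12 16:50:00"),
]

# Month 1-3 -> quarter 1, 4-6 -> 2, and so on (integer division).
QUARTER_EXPR = "(CAST(strftime('%m', Time_stamp) AS INTEGER) + 2) / 3"

# Sorting by a computed column is done here, in the statement that creates
# the recordset, because the designer's Sort property only takes field names.
QUARTER_SQL = f"""
SELECT SiteName,
       {QUARTER_EXPR} AS Qtr,
       EventName,
       COUNT(*) AS EventCount
FROM tbl_EventRules
GROUP BY SiteName, {QUARTER_EXPR}, EventName
ORDER BY SiteName, {QUARTER_EXPR}, EventName
"""

# The Detail section of a site-grouped report: one row per source record.
DETAIL_SQL = """
SELECT SiteName, Time_stamp, EventName
FROM tbl_EventRules
ORDER BY SiteName, Time_stamp
"""


def load_sample_db() -> sqlite3.Connection:
    """Create the constructed tbl_EventRules table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_EventRules (SiteName TEXT, EventName TEXT, Time_stamp TEXT)"
    )
    conn.executemany("INSERT INTO tbl_EventRules VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def events_by_site_and_quarter(
    conn: Optional[sqlite3.Connection] = None,
) -> List[Tuple[str, int, str, int]]:
    """Rows of (SiteName, Qtr, EventName, EventCount), sorted by site and quarter."""
    conn = conn or load_sample_db()
    return conn.execute(QUARTER_SQL).fetchall()


def detail_rows(conn: Optional[sqlite3.Connection] = None) -> List[Tuple[str, str, str]]:
    """Rows of (SiteName, Time_stamp, EventName) as the Detail section would list them."""
    conn = conn or load_sample_db()
    return conn.execute(DETAIL_SQL).fetchall()


if __name__ == "__main__":
    for row in events_by_site_and_quarter():
        print(row)
```

Pasting the SQL Server form of QUARTER_SQL into the wizard's SQL Statement option gives a recordset that already carries the quarter as a field, so the designer can group on Qtr directly and the sort order survives an Access import.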
Getting Help
GlobalSCAPE® Support Center
For fast answers to most questions, please visit the GlobalSCAPE Help Center. Our Customer Service team can answer your questions about software activation and registration or help with order problems. If you need technical assistance with your software, please submit your question to the Technical Support team.
GlobalSCAPE is a great place to find information or seek help from the global community of GlobalSCAPE customers and product experts.
The GlobalSCAPE Knowledge Base (KB) is a dynamic compendium of information on our products.
• Subscribe to the RSS feed to keep abreast of the latest KB articles. Copy and paste this URL http://kb.globalscape.com/rssfeed.aspx into your RSS feed reader. (See below for examples.)
• Subscribe to GlobalSCAPE Email Announcements - Sign up for the GlobalSCAPE Newsletter, press releases, product announcements, and other GlobalSCAPE news.
• Recover a Lost Serial Number - If you know the email address you used when you activated the software, we can send it to you at your new address.
• Contact Customer Service by phone or email.
• Contact Sales by calling 1-800-290-5054 or 1-210-308-8267, or use the online submission form. Sales representatives are available 8:00 a.m. to 6:00 p.m. (US Central Time) Monday through Friday, excluding major US holidays.
• Order Status - Complete the online email form to request information about your order.
• Support pages provide downloads, documentation, activation instructions, and the latest news regarding GlobalSCAPE products.
To add the GlobalSCAPE Knowledge Base RSS feed to your Google home page
Note: The procedures below are provided as an example; see your feed reader's online help for specific instructions.
1. Sign in to your Google home page, then, in the upper right area of the page, click Add Stuff.
2. At the top center of the page, to the right of Search Homepage Content, click Add by URL. The Add by URL form appears.
3. In the text box, provide the URL of the RSS feed, http://kb.globalscape.com/rssfeed.aspx, then click Add.
4. In the upper left corner, click Back to Homepage. The GlobalSCAPE RSS feed appears on your home page.
To add the RSS feed to Microsoft Outlook 2007
the http://kb.globalscape.com/rssfeed.aspx.
Note: Microsoft Office Online provides a tutorial on RSS feeds.
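The feed readers above are interactive. A practitioner who wants to watch the KB feed for, say, security-related articles from a script can consume the same URL programmatically. The following is an added example and is not GlobalSCAPE's code; it assumes the feed is plain RSS 2.0 (title, link, pubDate per item), which the page does not state, and it parses a constructed sample document inline so it runs offline. Because the feed is fetched from a remote site, the parser refuses documents that carry a DOCTYPE (an RSS feed never needs one, and entity declarations are the vector for entity-expansion attacks against XML parsers) and caps the input size before parsing.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample in RSS 2.0 shape. The real KB feed's layout is an
# assumption; these items, links and dates are invented for the example.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>Example KB feed</title>
    <item>
      <title>HOWTO: Configure SFTP algorithms</title>
      <link>http://kb.globalscape.com/example/1</link>
      <pubDate>Mon, 05 May 2008 14:00:00 GMT</pubDate>
    </item>
    <item>
      <title>INFO: Security update for SSL handling</title>
      <link>http://kb.globalscape.com/example/2</link>
      <pubDate>Tue, 06 May 2008 09:30:00 GMT</pubDate>
    </item>
    <item>
      <title>FAQ: Recovering a lost serial number</title>
      <link>http://kb.globalscape.com/example/3</link>
      <pubDate>Wed, 07 May 2008 16:45:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""

MAX_FEED_BYTES = 1_000_000  # refuse oversized documents before parsing


def parse_rss_items(xml_text):
    """Return a list of (title, link, published) tuples, one per <item>.

    `published` is a timezone-aware datetime parsed from the RFC 2822
    pubDate, or None when the item has no pubDate.
    """
    if len(xml_text.encode("utf-8")) > MAX_FEED_BYTES:
        raise ValueError("feed too large")
    # A DOCTYPE is the only place entities can be declared; a feed never
    # needs one, so reject it outright instead of trusting the parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("feed contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        pub = item.findtext("pubDate")
        published = parsedate_to_datetime(pub.strip()) if pub else None
        items.append((title, link, published))
    return items


def filter_items(items, keywords, since_rfc2822=None):
    """Keep items whose title contains any keyword (case-insensitive).

    When `since_rfc2822` is given (an RFC 2822 date string), items without
    a pubDate or published before that date are dropped as well.
    """
    wanted = [k.lower() for k in keywords]
    since = parsedate_to_datetime(since_rfc2822) if since_rfc2822 else None
    out = []
    for title, link, published in items:
        lowered = title.lower()
        if not any(k in lowered for k in wanted):
            continue
        if since is not None and (published is None or published < since):
            continue
        out.append((title, link, published))
    return out


if __name__ == "__main__":
    # To watch the real feed, replace SAMPLE_FEED with the body fetched from
    # http://kb.globalscape.com/rssfeed.aspx over a verified TLS connection.
    for title, link, published in filter_items(
        parse_rss_items(SAMPLE_FEED), ["security", "ssl", "sftp"]
    ):
        print(published.isoformat() if published else "-", title, link)
```

Titles are matched as plain substrings, so "ssl" also matches the article about SSL handling; widen or narrow the keyword list to taste. The DOCTYPE refusal is deliberately blunt: a feed producer that emits one is either broken or hostile, and failing closed costs nothing.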
Finding Information in the Help
You can find information in the Help in several ways:
• Hyperlinks - Clickable text that opens another topic or a Web page
• Related Topics - Listed at the bottom of many topics, lists other topics relevant to the current topic
• Expanding text - When you click an expanding hotspot, more information is displayed immediately to the right of the hotspot (like this). To hide the text, click the hotspot again.
Note: Expanding glossary hotspots are Dynamic HTML effects and require Internet Explorer 5.0 or later. Dynamic HTML effects are not supported by Netscape Navigator.
The Help window has four tabs:
• Contents - View the table of contents. Click a main heading (represented by a book icon) to display pages that link to topics, and click each sub heading (represented by a page icon) to display the corresponding topic in the right pane.
• Search - Locate words or phrases within the content of the topics. Type the word or phrase in the text box, press ENTER, then click the topic you want from the list of topics.
• Index - View an alphabetical listing of every topic in the help file.
• Favorites - Add a frequently viewed topic to the Favorites tab in the application's help. (This option is only available in the application's help, not online help.) Click Add to add the topic you are viewing to the Favorites tab. To remove a topic, click the topic, then click Remove. To display a topic, double-click it, or click the topic, then click Display.
To print a Help topic:
1. Do one of the following:
• On the toolbar, click the Printer icon.
• Right-click in the topic (in the right pane), then click Print.
The Print dialog box for your operating system appears.
Using the Knowledge Base
GlobalSCAPE's Knowledge Base, http://kb.globalscape.com, provides information in HOW TOs, FAQs, and other types of articles. Many of the articles are created as a result of assisting customers with configuration and troubleshooting.
Search Tips:
• For the most comprehensive search for articles specific to Secure Server, type secure server, then click Go.
• To narrow your search, in the Within drop-down menu, click Secure FTP Server.
• To find only certain types of articles (FAQ, HOWTO, INFO, etc.), in the Type drop-down menu, click an article type.
• Article IDs are numbers, so searching for text such as secure ftp server with Article ID selected returns no results. To search for article ID 10070, for example, type 10070 in the For solutions containing box, click Article ID, then click Go.
• To search for your keyword only in article titles, click Article Title Only.
• To search only for articles going back a certain length of time (e.g., 3 days ago, last year), click the Maximum Age drop-down menu, then click the interval.
• After your search results display, at the bottom left of the page, you can click a drop-down menu to choose to display from 10 to 100 results per page, then click Update.
Server License Information
When you contact GlobalSCAPE Customer Support for assistance, you might be asked to provide your Server License Information. The Server License Information is available in the About dialog box:
• On the main menu, click Help, then click About GlobalSCAPE Secure FTP Server (FIPS). The About dialog box appears.
To copy the license information to the clipboard, click anywhere within the Server License Information box, then click Copy. You can then paste that information into a text document or email to send to support.
Table of contents
- 9 Introduction to Secure FTP Server - FIPS
- 11 FIPS 140-2 Certification
- 11 FIPS-Compliant Protocols and Ciphers
- 12 Approved Cryptographic Algorithms
- 13 Non-Approved Cryptographic Algorithms
- 15 Installing and Activating the Software
- 15 System Requirements
- 15 Activating the Software
- 16 Activating the Modules
- 16 Upgrading the Software
- 17 Upgrading from a non-FIPS version of Secure FTP Server to Se
- 17 Remote Clients
- 17 SSL Authentication Error on Connection to Secure FTP Server
- 18 Setting Windows System Services
- 18 Windows NT Permission Rules
- 19 Creating a User Account for the Server
- 21 Setting Windows NT Permissions for the Server
- 21 Logging the Server on as a Service
- 22 Licenses, Registrations, and Trademarks
- 22 Registrations & Trademarks
- 22 Zlib License Agreement
- 23 Release Notes
- 25 Configuring Secure FTP Server
- 25 Starting and Stopping the Server
- 26 The Administrator
- 26 Server Groups and Servers
- 26 Creating, Deleting, and Renaming Server Groups
- 27 Defining a Server
- 28 Connecting to a Server
- 28 Remote Administration
- 29 Configuring Secure Remote Administration
- 30 Starting and Stopping the Server Remotely
- 30 Importing and Exporting Configuration Files
- 31 Copying a Server Configuration to Another Computer
- 31 Installation and Deployment Considerations
- 31 Deploy Duplicate Configurations
- 32 Changing the Global Administration Password or Exit Prompt
- 32 Updating the Server's User Information from the Authenticati
- 33 Tweaking Logging with the Registry
- 33 Controlling Access by IP Address
- 34 Configuring SMTP Email Notification
- 35 Connection Problems
- 35 Server Statistics
- 36 Server Security Considerations
- 37 Creating and Configuring Sites
- 37 Authentication Types
- 37 ODBC
- 37 Using an ODBC Data Source for User Authentication
- 38 Creating Tables for your ODBC Data Source
- 39 Establishing a System Data Source Name (DSN)
- 39 Using a DSN-Less Connection with ODBC Authentication
- 40 Creating Sites
- 41 Creating a Site that uses NT Authentication
- 42 Creating a Site that uses ODBC Authentication
- 42 Starting and Stopping Sites with the Server Running
- 43 Disconnecting Problem Users
- 44 Flooding and Denial of Service Prevention
- 45 Modifying Messages
- 45 Connection Message
- 46 Login Message
- 46 Maximum Connections Message
- 46 Exit Messages
- 47 Specifying a PASV IP or PASV Port Range
- 47 Allowing HTTP Transfers
- 47 Multi-Part Transfers
- 48 Connection Protocols
- 48 Protocols and Security
- 48 FTP
- 48 HTTP
- 49 HTTPS
- 50 FTPS, SSL, and TLS
- 51 SFTP (SSH)
- 52 Explicit Versus Implicit SSL
- 52 SSL Certificates
- 53 SSL Certificate Chain-of-Trust
- 54 FTP Commands Supported
- 56 SFTP
- 56 Enabling SFTP on the Site
- 56 SFTP Transport Layer Settings
- 57 SFTP Algorithms
- 57 Assigning a Site's IP Address and Port
- 57 Creating SSH2 Public/Private Keypairs
- 58 Allowing Access Using SFTP Password Authentication
- 59 Viewing, Importing, Renaming, and Deleting Client Keys
- 59 SSL
- 59 Enabling FTPS and HTTPS (SSL) at the Site Level
- 60 Disabling SSL Connections
- 61 Creating Certificates
- 62 Selecting a Certificate
- 63 Signing a Certificate
- 63 Trusted Certificates
- 64 Importing a Certificate
- 65 Exporting a Certificate
- 65 Importing Certificates from Microsoft IIS 5
- 66 Site-Level Transfer and Connection Settings
- 66 Setting Maximum Concurrent Logins
- 66 Setting Maximum Connections per User (Site Level)
- 67 Setting Maximum Connections per IP for a Site
- 67 Banning Unwanted File Types
- 69 Creating and Configuring Users and User Setting Levels
- 69 How User Setting Levels Work
- 69 Creating User Setting Levels
- 70 Inheritance
- 71 Adding Users to a Site
- 72 Specifying a User's Home Folder
- 73 Enabling or Disabling a User Setting Level or User
- 73 Expiring a User Account
- 73 Enabling and Managing Connection Protocols
- 74 HTML Listing and Upload Form
- 76 Restricting Users to a Single IP Address
- 76 Changing a User's Password
- 77 Accelerating Transfers with Mode Z
- 77 Configuring User Information
- 77 Allowing Users to Change their Passwords
- 78 Allowing Users to Verify File Integrity
- 79 User-Level Transfer and Connection Settings
- 79 Setting Maximum Transfers per Session for a User
- 79 Setting Maximum Transfer Size for Users
- 79 Setting Maximum Connections per IP
- 80 Setting Maximum Connections per User
- 80 Enabling Timeout
- 80 Setting Maximum Transfer Speeds (User Level)
- 81 Monitoring User Connections
- 83 Creating and Configuring Groups
- 83 Permission Groups
- 84 Creating Groups
- 84 Deleting Groups
- 85 Adding or Removing Users in a Group
- 87 The Virtual File System
- 87 Modifying VFS Permission
- 87 Disabling Inheritance in the VFS
- 87 Creating a New Physical Folder
- 88 Changing the Name of a Physical Folder
- 88 Deleting a Physical Folder
- 88 Creating a New Virtual Folder
- 89 Deleting a Virtual Folder
- 89 Resetting VFS Folder Permissions
- 90 Mapping a Virtual Folder to a Network Drive
- 91 Automation Using Event Rules and Commands
- 91 Custom Site Commands
- 91 Event Rules
- 91 COM
- 91 Custom Site Commands
- 91 Creating a Command
- 92 The Custom Command Wizard
- 93 Viewing and Removing Commands
- 94 Enabling and Disabling Commands
- 94 Using an Event Rule to Execute a Command (Run a Process)
- 95 Event Rules
- 95 Introduction to Event Rules
- 95 Creating, Editing, and Disabling event rules
- 96 Using an Event Rule to Execute a Command (Run a Process)
- 97 Adding or Editing Email Notifications to Event Rules
- 97 Configuring SMTP Email Notification
- 98 Managing Event Rules
- 99 Available Events
- 99 Server Events
- 99 Site events
- 100 Connection Events
- 100 User Events
- 100 File System Events
- 100 Available Conditions
- 100 Server Conditions
- 100 Site Conditions
- 101 Connection Conditions
- 101 User Conditions
- 104 File System Conditions
- 104 Event Properties
- 105 Available Actions
- 107 COM
- 107 COM APIs
- 109 The Auditing and Reporting Module (ARM)
- 109 Auditing and Reporting
- 109 How the Server Handles SQL data
- 110 Configuring the Auditing and Reporting Module (ARM)
- 111 Installing the Auditing and Reporting Module
- 111 Using SQL Server as the Auditing Database
- 114 SQL Script
- 118 Alternative Method for Creating Database Tables on SQL Serve
- 119 Auditing Database Errors and Logging
- 119 Logging to a Text File
- 119 Auditing Database Recovery
- 120 Auditing and Reporting Result Codes
- 121 Transaction Information
- 123 Preconfigured Reports
- 125 Generating a Report
- 126 Filtering a Report
- 127 Editing Reports
- 127 Managing Reports
- 127 Saving a Report
- 127 Exporting Reports in XML Format
- 128 Exporting and Publishing Reports in the Report Designer
- 128 Importing Reports
- 128 Importing Microsoft Access Reports
- 129 Deleting a Report
- 129 Saving Report Outputs
- 130 Renaming a Report
- 130 Custom Reports
- 131 Opening VSReport Designer
- 132 Creating a Report with the Report Wizard
- 140 Creating a Report in Design Mode
- 142 Changing Field, Section, and Report Properties
- 143 Changing the Data Source
- 144 Adding, Editing, and Deleting Fields in the Report
- 147 Grouping and Sorting Data
- 151 Getting Help
- 151 GlobalSCAPE® Support Center
- 152 Finding Information in the Help
- 153 Using the Knowledge Base
- 153 Server License Information