Secure FTP Server (FIPS) User Guide, v3.3

Secure FTP Server (FIPS)
v3.3
User Guide
GlobalSCAPE, Inc. (GSB)
Corporate Headquarters
Address:
6000 Northwest Parkway, Suite 100
San Antonio, TX (USA) 78249
Sales: (210) 308-8267
Sales (Toll Free): (800) 290-5054
Technical Support: (210) 366-3993
Web Support: http://www.globalscape.com/support/
© 2004-2008 GlobalSCAPE, Inc. All Rights Reserved
Contents
Introduction to Secure FTP Server - FIPS ................................................................... 9
FIPS 140-2 Certification .............................................................................................. 11
FIPS-Compliant Protocols and Ciphers................................................................................................11
Approved Cryptographic Algorithms ..............................................................................................12
Non-Approved Cryptographic Algorithms ......................................................................................13
Installing and Activating the Software ...................................................................... 15
System Requirements ..........................................................................................................................15
Activating the Software.........................................................................................................................15
Activating the Modules .........................................................................................................................16
Upgrading the Software........................................................................................................................16
Upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)...........17
Remote Clients ........................................................................................................................17
SSL Authentication Error on Connection to Secure FTP Server (FIPS) .................................17
Setting Windows System Services .......................................................................................................18
Windows NT Permission Rules......................................................................................................18
Creating a User Account for the Server .........................................................................................19
Setting Windows NT Permissions for the Server...........................................................................21
Logging the Server on as a Service...............................................................................................21
Licenses, Registrations, and Trademarks ............................................................................................22
Registrations & Trademarks ..........................................................................................................22
Zlib License Agreement .................................................................................................................22
Release Notes ......................................................................................................................................23
Configuring Secure FTP Server ................................................................................. 25
Starting and Stopping the Server .........................................................................................................25
The Administrator .................................................................................................................................26
Server Groups and Servers..................................................................................................................26
Creating, Deleting, and Renaming Server Groups...............................................................................26
Defining a Server ..................................................................................................................................27
Connecting to a Server.........................................................................................................................28
Remote Administration .........................................................................................................................28
Configuring Secure Remote Administration .........................................................................................29
Starting and Stopping the Server Remotely .........................................................................................30
Importing and Exporting Configuration Files ........................................................................................30
Copying a Server Configuration to Another Computer.........................................................................31
Contents y iii
User Guide
Installation and Deployment Considerations .................................................................................31
Deploy Duplicate Configurations....................................................................................................31
Changing the Global Administration Password or Exit Prompt ............................................................32
Updating the Server's User Information from the Authentication Database.........................................32
Tweaking Logging with the Registry.....................................................................................................33
Controlling Access by IP Address ........................................................................................................33
Configuring SMTP Email Notification ...................................................................................................34
Connection Problems ...........................................................................................................................35
Server Statistics....................................................................................................................................35
Server Security Considerations ............................................................................................................36
Creating and Configuring Sites.................................................................................. 37
Authentication Types ............................................................................................................................37
ODBC ...................................................................................................................................................37
Using an ODBC Data Source for User Authentication...................................................................37
Creating Tables for your ODBC Data Source ................................................................................38
Establishing a System Data Source Name (DSN) .........................................................................39
Using a DSN-Less Connection with ODBC Authentication ...........................................................39
Creating Sites .......................................................................................................................................40
Creating a Site that uses NT Authentication ........................................................................................41
Creating a Site that uses ODBC Authentication...................................................................................42
Starting and Stopping Sites with the Server Running ..........................................................................42
Disconnecting Problem Users ..............................................................................................................43
Flooding and Denial of Service Prevention ..........................................................................................44
Modifying Messages.............................................................................................................................45
Connection Message .....................................................................................................................45
Login Message...............................................................................................................................46
Maximum Connections Message...................................................................................................46
Exit Messages................................................................................................................................46
Specifying a PASV IP or PASV Port Range.........................................................................................47
Allowing HTTP Transfers......................................................................................................................47
Multi-Part Transfers ..............................................................................................................................47
Connection Protocols ...........................................................................................................................48
Protocols and Security ...................................................................................................................48
FTP ..........................................................................................................................................48
HTTP .......................................................................................................................................48
HTTPS .....................................................................................................................................49
FTPS, SSL, and TLS ...............................................................................................................50
SFTP (SSH).............................................................................................................................51
Explicit Versus Implicit SSL ...........................................................................................................52
SSL Certificates .............................................................................................................................52
SSL Certificate Chain-of-Trust.................................................................................................53
FTP Commands Supported ...........................................................................................................54
SFTP ..............................................................................................................................................56
Enabling SFTP on the Site ......................................................................................................56
SFTP Transport Layer Settings ...............................................................................................56
SFTP Algorithms .....................................................................................................................57
Assigning a Site's IP Address and Port ...................................................................................57
Creating SSH2 Public/Private Keypairs ..................................................................................57
Allowing Access Using SFTP Password Authentication .........................................................58
Viewing, Importing, Renaming, and Deleting Client Keys .......................................................59
SSL.................................................................................................................................................59
Enabling FTPS and HTTPS (SSL) at the Site Level ...............................................................59
Disabling SSL Connections .....................................................................................................60
Creating Certificates ................................................................................................................61
Selecting a Certificate..............................................................................................................62
Signing a Certificate ................................................................................................................63
Trusted Certificates .................................................................................................................63
Importing a Certificate .............................................................................................................64
Exporting a Certificate .............................................................................................................65
Importing Certificates from Microsoft IIS 5 ..............................................................................65
Site-Level Transfer and Connection Settings.......................................................................................66
Setting Maximum Concurrent Logins.............................................................................................66
Setting Maximum Connections per User (Site Level) ....................................................................66
Setting Maximum Connections per IP for a Site ............................................................................67
Banning Unwanted File Types .......................................................................................................67
Creating and Configuring Users and User Setting Levels....................................... 69
How User Setting Levels Work.............................................................................................................69
Creating User Setting Levels................................................................................................................69
Inheritance ............................................................................................................................................70
Adding Users to a Site ..........................................................................................................................71
Specifying a User's Home Folder .........................................................................................................72
Enabling or Disabling a User Setting Level or User .............................................................................73
Expiring a User Account .......................................................................................................................73
Enabling and Managing Connection Protocols ....................................................................................73
HTML Listing and Upload Form............................................................................................................74
Restricting Users to a Single IP Address .............................................................................................76
Changing a User's Password ...............................................................................................................76
Accelerating Transfers with Mode Z .....................................................................................................77
Configuring User Information................................................................................................................77
Allowing Users to Change their Passwords .........................................................................................77
Allowing Users to Verify File Integrity ...................................................................................................78
User-Level Transfer and Connection Settings .....................................................................................79
Setting Maximum Transfers per Session for a User ......................................................................79
Setting Maximum Transfer Size for Users .....................................................................................79
Setting Maximum Connections per IP............................................................................................79
Setting Maximum Connections per User .......................................................................................80
Enabling Timeout ...........................................................................................................................80
Setting Maximum Transfer Speeds (User Level)...........................................................................80
Monitoring User Connections ...............................................................................................................81
Creating and Configuring Groups ............................................................................. 83
Permission Groups ...............................................................................................................................83
Creating Groups ...................................................................................................................................84
Deleting Groups....................................................................................................................................84
Adding or Removing Users in a Group.................................................................................................85
The Virtual File System............................................................................................... 87
Modifying VFS Permission ...................................................................................................................87
Disabling Inheritance in the VFS ..........................................................................................................87
Creating a New Physical Folder ...........................................................................................................87
Changing the Name of a Physical Folder .............................................................................................88
Deleting a Physical Folder....................................................................................................................88
Creating a New Virtual Folder ..............................................................................................................88
Deleting a Virtual Folder .......................................................................................................................89
Resetting VFS Folder Permissions.......................................................................................................89
Mapping a Virtual Folder to a Network Drive........................................................................................90
Automation Using Event Rules and Commands ...................................................... 91
Custom Site Commands.......................................................................................................................91
Event Rules ..........................................................................................................................................91
COM .....................................................................................................................................................91
Custom Site Commands.......................................................................................................................91
Creating a Command .....................................................................................................................91
The Custom Command Wizard......................................................................................................92
Viewing and Removing Commands...............................................................................................93
Enabling and Disabling Commands...............................................................................................94
Using an Event Rule to Execute a Command (Run a Process) ....................................................94
Event Rules ..........................................................................................................................................95
Introduction to Event Rules ............................................................................................................95
Creating, Editing, and Disabling event rules ..................................................................................95
Using an Event Rule to Execute a Command (Run a Process) ....................................................96
Adding or Editing Email Notifications to Event Rules ....................................................................97
Configuring SMTP Email Notification.............................................................................................97
Managing Event Rules ...................................................................................................................98
Available Events.............................................................................................................................99
Server Events ..........................................................................................................................99
Site events ...............................................................................................................................99
Connection Events ................................................................................................................100
User Events ...........................................................................................................................100
File System Events................................................................................................................100
Available Conditions.....................................................................................................................100
Server Conditions ..................................................................................................................100
Site Conditions ......................................................................................................................100
Connection Conditions ..........................................................................................................101
User Conditions .....................................................................................................................101
File System Conditions..........................................................................................................104
Event Properties ....................................................................................................................104
Available Actions..........................................................................................................................105
COM ...................................................................................................................................................107
COM APIs ....................................................................................................................................107
The Auditing and Reporting Module (ARM) ............................................................ 109
Auditing and Reporting .......................................................................................................................109
How the Server Handles SQL data ....................................................................................................109
Configuring the Auditing and Reporting Module (ARM) .....................................................................110
Installing the Auditing and Reporting Module.....................................................................................111
Using SQL Server as the Auditing Database .....................................................................................111
SQL Script....................................................................................................................................114
Alternative Method for Creating Database Tables on SQL Server ....................................................118
Auditing Database Errors and Logging ..............................................................................................119
Logging to a Text File...................................................................................................................119
Auditing Database Recovery ..............................................................................................................119
Auditing and Reporting Result Codes ................................................................................................120
Transaction Information......................................................................................................................121
Preconfigured Reports........................................................................................................................123
Generating a Report ...........................................................................................................................125
Filtering a Report ................................................................................................................................126
Editing Reports ...................................................................................................................................127
Managing Reports ..............................................................................................................................127
Saving a Report ...........................................................................................................................127
Exporting Reports in XML Format................................................................................................127
Exporting and Publishing Reports in the Report Designer ..........................................................128
Importing Reports.........................................................................................................................128
Importing Microsoft Access Reports ............................................................................................128
Deleting a Report .........................................................................................................................129
Saving Report Outputs.................................................................................................................129
Renaming a Report ......................................................................................................................130
Custom Reports..................................................................................................................................130
Opening VSReport Designer .......................................................................................................131
Creating a Report with the Report Wizard ...................................................................................132
Creating a Report in Design Mode...............................................................................................140
Changing Field, Section, and Report Properties .........................................................................142
Changing the Data Source...........................................................................................................143
Adding, Editing, and Deleting Fields in the Report ......................................................................144
Grouping and Sorting Data ..........................................................................................................147
Getting Help............................................................................................................... 151
GlobalSCAPE® Support Center ..........................................................................................................151
Finding Information in the Help...........................................................................................................152
Using the Knowledge Base ................................................................................................................153
Server License Information.................................................................................................................153
Introduction to Secure FTP Server - FIPS
GlobalSCAPE® Secure FTP Server - FIPS is a hardened file/data transfer server that provides secure
data transactions over standard Internet protocols. Secure FTP Server - FIPS supports operation with the
GlobalSCAPE Cryptographic Module (GSCM).
Secure FTP Server - FIPS extends beyond standard FTP servers by providing support for:
• Multiple protocols: FTP, FTP/S (SSL/TLS), optionally SFTP (SSH2) and HTTP/S (SSL)
• Post-transaction processing using highly configurable event rules
• Data reliability and integrity guarantees
• Automation of complex and time-consuming tasks
• Local and remote administration of multiple servers and/or sites
• Flexible authentication choices
• Highly configurable user, account, and site settings
Secure FTP Server - FIPS provides:
Data Protection and Encryption - GlobalSCAPE Secure FTP Server - FIPS protects intellectual
property, trade secrets, and customer files transferred over the Internet using secure protocols including
FTPS (SSL/TLS), and optionally SFTP (SSH2) and HTTP/S (SSL).
Guaranteed Delivery and Data Integrity - Secure FTP Server - FIPS extends the industry standard FTP
with strong reliability features, including post-transmission integrity verification, mid-file recovery, and
automatic restart.
Tracking and Auditing - Secure data delivery requires strong audit trails for tracking and
non-repudiation. Secure FTP Server - FIPS provides industry standard logging (W3C, NCSA, Microsoft IIS
Extended), email notification of completed transactions, and digital certificates for proof of identity.
Programmatic Interface - Secure FTP Server - FIPS can be controlled through its Windows
Administrator Interface, or through its Component Object Model (COM) interface. The COM API is a
programmatic interface that lets you control the server from your own custom applications using any
COM-enabled programming language.
Accelerated Transfers - Secure FTP Server - FIPS supports multi-part (segmented) transfers for faster
delivery of large files over large geographical distances. Multi-part transfers require the use of compatible
clients such as CuteFTP Professional.
Life-Cycle Management - Secure FTP Server - FIPS lets you quickly and efficiently manage the removal
of users, manage temporary accounts, and address the revocation and, if necessary, re-issuance of expired or
compromised public keys or certificates.
Authentication and Authorization - Secure FTP Server - FIPS supports password, public-key, or
one-time-password authentication. User profiles can be managed internally or externally through NTLM,
Active Directory (AD), or ODBC data sources.
User and Group Management - Manage system resources including bandwidth, folder access, file types
and more using granular or site-wide controls provided for user and group management. Visually manage
folder permissions via an Explorer-like Virtual File System view. Inherit or override permissions, grant
administrative, guest, or anonymous permissions, or deny access altogether.
FIPS 140-2 Certification
The Federal Information Processing Standard (FIPS) Publication 140-2 specifies the security
requirements of cryptographic modules used to protect sensitive information. Secure FTP Server - FIPS
supports operation with the FIPS 140-2 Validated GlobalSCAPE Cryptographic Module (GSCM). Secure
FTP Server - FIPS is designed to operate only with the GSCM initialized into the FIPS-approved mode;
you cannot operate the Secure FTP Server - FIPS application without the GSCM being initialized into the
FIPS-approved mode.
When the Secure FTP Server - FIPS application is started, a series of startup tests, including Known
Answer Tests (KAT) and library-integrity checks, determine whether the GSCM is initialized successfully.
If the GSCM is not initialized successfully, encryption services are disabled, an error message appears, all Sites and protocols are disabled, and an entry is written to the Windows Event Log.
If GSCM initialization fails, when you attempt to restart the Site, a message indicates that the Site cannot
be restarted, because GSCM initialization failed. After you dismiss the message, the Secure FTP Server
Administrator (client) closes. If restarting the Server service does not correct the issue, contact
GlobalSCAPE Customer Support for assistance.
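The startup self-check described above, reduced to hash and HMAC known-answer tests in Python. This is an added example, not GlobalSCAPE or GSCM code; the AES, 3DES and RSA tests a real module also runs are omitted, and the expected values are the public FIPS 180-2 and RFC 4231 test vectors.

```python
"""Startup known-answer tests (KATs) of the kind the guide describes for the
GSCM. Added example, not GlobalSCAPE code: each test recomputes a publicly
documented answer, and the module refuses to start if any answer is wrong."""
import hashlib
import hmac

# Known answers (public test vectors): SHA-1 and SHA-256 of "abc" from
# FIPS 180-2, and HMAC-SHA-256 test case 2 from RFC 4231 (key "Jefe").
KNOWN_ANSWERS = {
    "SHA-1": {
        "hash": "sha1",
        "message": b"abc",
        "digest": "a9993e364706816aba3e25717850c26c9cd0d89d",
    },
    "SHA-256": {
        "hash": "sha256",
        "message": b"abc",
        "digest": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "HMAC-SHA-256": {
        "hash": "sha256",
        "key": b"Jefe",
        "message": b"what do ya want for nothing?",
        "digest": "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
    },
}


class CryptoModuleUnavailable(RuntimeError):
    """Raised when a KAT fails; callers must treat every crypto service as disabled."""


def run_known_answer_tests(answers=KNOWN_ANSWERS):
    """Recompute each known answer and return {test_name: passed}."""
    results = {}
    for name, vec in answers.items():
        if "key" in vec:  # keyed test -> HMAC (FIPS 198)
            computed = hmac.new(vec["key"], vec["message"], vec["hash"]).hexdigest()
        else:             # plain digest (FIPS 180-2)
            computed = hashlib.new(vec["hash"], vec["message"]).hexdigest()
        results[name] = hmac.compare_digest(computed, vec["digest"])
    return results


def initialize_module(answers=KNOWN_ANSWERS):
    """Mirror the documented startup rule: all KATs pass or no crypto is offered.

    Returns True on success; raises CryptoModuleUnavailable naming the failed
    tests otherwise (the point at which the product disables Sites and
    protocols and writes its Event Log entry)."""
    results = run_known_answer_tests(answers)
    failed = sorted(name for name, ok in results.items() if not ok)
    if failed:
        raise CryptoModuleUnavailable("KAT failed: " + ", ".join(failed))
    return True


if __name__ == "__main__":
    print(run_known_answer_tests())
    print("module initialized:", initialize_module())
```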
FIPS-Compliant Protocols and Ciphers
The Secure FTP Server - FIPS application supports all of the file transfer protocols currently supported by
the non-FIPS version of Secure FTP Server (FTP, FTPS, SFTP, HTTP, and HTTPS). SSL protocols
(FTPS or HTTPS) are FIPS-compliant protocols. The SSL library is loaded when the Server service is
started, and a message box displays which protocols are in use and which of the protocols in use are
FIPS compliant.
The FIPS-compliant protocols (HTTPS and FTPS) use the FIPS-approved algorithms provided by the
FIPS 140-2 validated GlobalSCAPE Cryptographic Module (GSCM) for SSL/TLS and certificate
generation. Imported certificates that were signed using non-FIPS compliant algorithms will be invalid.
FIPS-approved cryptographic algorithms are listed in the table below.
The following cipher combinations are supported during SSL/TLS negotiation:
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC
• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC
Approved Cryptographic Algorithms
When operating in FIPS Mode, the GSCM provides the following FIPS-approved cryptographic
algorithms:
• Triple-DES
• Advanced Encryption Standard (AES)
• Digital Signature Algorithm (DSA)
• Rivest, Shamir, Adleman (RSA) for Digital Signatures
• Secure Hashing Algorithm (SHA-1 and SHA-2)
• Keyed-Hash Message Authentication Code (HMAC)
• ANSI X9.31 Appendix A.2.4 pseudo-random number generation
The following table summarizes the set of FIPS-approved cryptographic algorithms.
Algorithm Type | Algorithm | Algorithm Standard | Algorithm Validation Certificate | Use
Symmetric Cipher | Triple-DES - CBC, CFB8, CFB64, ECB, OFB modes | SP800-67 | 586 | Encryption, Decryption
Symmetric Cipher | AES (128, 192, 256 bit keys) - CBC, CFB8, CFB128, ECB, OFB modes | FIPS 197 | 618 | Encryption, Decryption
Asymmetric Algorithm | RSA | ANSI X9.31 (Ref: 10), RSASSA-PKCS1_V1_5 (Ref: 11), RSASSA-PSS | 287 | Signature Generation, Signature Verification
Asymmetric Algorithm | DSA | FIPS 186-2 | 240 | Signature Generation, Signature Verification
Message Digest | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | FIPS 180-2 | 666 | Hashing
Message Authentication | HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | FIPS 198 | 320 | Integrity
Random Number Generation | ANSI X9.31 Appendix A.2.4 | ANSI X9.31 Appendix A.2.4 | 388 | Random Number Generation
Non-Approved Cryptographic Algorithms
When the GSCM is operating in FIPS-approved mode, a small subset of additional non-FIPS-approved algorithms is allowed by the FIPS 140-2 standard and provided by the GSCM.
The following table summarizes the set of non-approved cryptographic algorithms allowed while in the FIPS-approved mode of operation.
Algorithm Type | Algorithm | Standard | Use
Asymmetric Algorithm | DH (provides 80 to 256 bits of equivalent encryption strength) | ANSI X9.42-2001 (Ref: 13) | Key Agreement
Asymmetric Algorithm | RSA (provides 80 to 150 bits of equivalent encryption strength) | PKCS #1 (Ref: 11) | Key Wrapping
Installing and Activating the Software
System Requirements
In order for the server to run effectively, you need to have:
• Windows 2000 or later
• 400 MHz Pentium II or higher
• 128 MB minimum (256 MB+ suggested) of free memory
• Any Windows-compatible display system
• Internet Explorer 4.0 or higher
• A working Internet connection for product registration and for the product trial. An Internet connection is not required to run a registered copy.
Activating the Software
You must register the software with either a serial number or a trial serial number before you can use it.
Registration must be performed through the Administrator on the server computer. You cannot register
through a remote installation of the Administrator.
You can also email the manual registration information to GlobalSCAPE Technical Support.
GlobalSCAPE will confirm your registration and send you a .reg file. You can send the email from any
computer with Internet access; just remember to transfer the .reg file to the computer on which you are
installing the software.
To register the Server
1. Start the Administrator.
2. Provide the user name and password to connect to the Server.
3. On the main menu, click Help, then click Enter Secure Server (FIPS) Serial Number.
4. In the Serial Number box, type or copy and paste your serial number, then click Next.
5. On the Personal Details page, provide your name, email address, company, and address, then
click Next. If the registration fails, choose from the following:
• Retry online registration
• Launch Web registration form. This takes you to the GlobalSCAPE Web site where you can register.
• Email a registration request to GlobalSCAPE Support. A support representative will contact you with your registration information.
6. If you are behind a proxy, click Configure HTTP Proxy to configure the proxy settings.
Note:
If a firewall or a proxy server is in use, your network administrator should ensure that port 80 is
open during the registration process.
7. If activation is successful, a message confirming activation appears. Click OK.
Note:
The SFTP module is optional and requires purchase of an SFTP Module License.
Activating the Modules
If you are using one of the modules, you must activate them in the Administrator. On the main menu, the
Help submenu provides options for entering the serial number of purchased modules.
To activate the Modules
1. On the main menu, click Help, then click one of the following:
• To activate SFTP, click Enter SFTP Module Serial Number.
• To activate HTTP/S, click Enter HTTP/S Serial Number.
• To activate ARM, click Enter ARM Serial Number.
The Registration Wizard appears.
2. Follow the instructions in the wizard to complete the activation process.
3. Refer to the applicable topics in the help file for configuring SFTP, HTTP/S, and ARM.
Upgrading the Software
• If you are upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS), see the procedure below.
• If you are upgrading a non-FIPS version of Secure FTP Server to a newer non-FIPS version of Secure FTP Server, use the following procedure. The upgrade or update process does not reset or otherwise affect your server configuration or user settings.
Note:
If you have installed remote Administrator clients, you must run the installer on each remote
computer.
To upgrade from a non-FIPS version to a newer non-FIPS version
1. Download the most recent release of Secure FTP Server from
http://www.globalscape.com/support/reg.asp and save it to your desktop.
2. Document the administrator account user name and password for the existing FTP server.
3. Stop the Server service.
4. Back up the existing Server installation folder. At a minimum, the following files should be saved:
• *.aud (User database)
• *.cfg (Site configuration and user permissions)
• *.bak (Backup of .cfg file from previous session)
• *.pvk (SSH key pair)
• *.crt (Certificate)
• *.key (Private keys)
• Any other third-party certificate or key files you may be using.
5. Execute the file that you downloaded (gsftps.exe), click Repair, then click Next and follow the
instructions.
6. When the upgrade or update is finished, start the Server service.
Upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)
If you are upgrading from a non-FIPS version of Secure FTP Server (versions 3.0 to 3.3) to Secure FTP
Server (FIPS), the installer determines whether an old version of Secure FTP Server exists on the
system. The installer will not upgrade versions prior to 3.0.
If a prior version is detected you will be asked if you want to keep the current configuration. If you click
Yes, then the following occurs:
• The old configuration file is copied to the new Secure FTP Server (FIPS) installation directory.
• The old Server service is stopped and disabled.
• You are not prompted for an initial administrator or database username or password.
If the migration is successful, the FIPS installation attempts to use the configuration and certificate files
from the previous version of Secure FTP Server in their original location. The service or Sites will not
start if the certificates do not meet FIPS requirements.
Note:
Do not move or delete any of the files in the prior version's installation folders. The new installation of
Secure FTP Server (FIPS) will look for important files in the prior installation location. If you want to
remove the old version, ensure that the new installation is working before uninstalling the prior
version.
If an error occurs when copying over the previous configuration or if you selected not to copy the
configuration over (e.g., you installed to a different computer) then follow the steps below to manually
upgrade.
Remote Clients
A remote Secure FTP Server client (Administrator interface) cannot connect to a Secure FTP Server
(FIPS) service. Once the configuration files are copied over to the new installation folder, your remote
clients that previously connected to the Secure FTP Server service will attempt to connect to the Secure
FTP Server (FIPS) service. You must configure the remote clients to use a different port to connect to the
Server if you are not disabling or removing the non-FIPS Server service.
SSL Authentication Error on Connection to Secure FTP Server (FIPS)
After the installation has completed, if an SSL authentication error occurs when you connect to the Server, there may be a problem with your SSL certificates due to FIPS 140-2 hashing function requirements. If the certificates used by the Server are signed with MD5 rather than SHA-1, you will need to recreate or import certificates that are signed with SHA-1.
To correct the SSL authentication error
• Certificates created in Secure FTP Server and some 3rd-party generated certificates employ an MD5 hashing function. FIPS 140-2 requires the SHA-1 hashing function instead. Do one of the following:
  o Create new certificates in the Server. Refer to Creating Certificates for details.
  o Redirect SSL settings to the correct certificates. Refer to Selecting a Certificate for details.
  o For 3rd-party certificates, you will need to repurchase or reacquire the certificate pair and request that the certificates use SHA-1 instead of MD5.
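A check for the MD5 problem described above: read the signatureAlgorithm of a DER or PEM certificate and report whether it is one of the SHA-based algorithms in the approved list, so a certificate can be vetted before the FIPS Server tries to load it. This is an added example, not GlobalSCAPE code; the sample certificates it builds are constructed DER skeletons with an empty tbsCertificate, not real certificates.

```python
"""Report the hashing function a certificate was signed with.
Added example, not GlobalSCAPE code: a minimal DER walk that reads the outer
signatureAlgorithm OID of an X.509 Certificate without third-party libraries."""
import base64

# OIDs of the RSA signature algorithms relevant to the MD5 / SHA-1 question.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# SHA-1 and SHA-2 are on the guide's approved list; MD5 is not.
FIPS_ALLOWED_SIGNATURES = {
    "sha1WithRSAEncryption", "sha256WithRSAEncryption",
    "sha384WithRSAEncryption", "sha512WithRSAEncryption",
}


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:            # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode an OBJECT IDENTIFIER body (base-128 arcs) to dotted notation."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def pem_to_der(text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert):
    """Return the dotted OID of Certificate.signatureAlgorithm (DER bytes or PEM str)."""
    if isinstance(cert, str):
        cert = pem_to_der(cert)
    tag, body, _ = _read_tlv(cert, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)            # tbsCertificate, skipped
    tag, algid, _ = _read_tlv(body, pos)      # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier lacks an OID")
    return _decode_oid(oid)


def check_fips_signature(cert):
    """Return (algorithm_name, allowed_in_fips_mode) for a certificate."""
    name = SIGNATURE_OIDS.get(signature_algorithm(cert), "unknown")
    return name, name in FIPS_ALLOWED_SIGNATURES


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, body):
    """Encode one DER element; lengths up to 65535 are enough for the samples."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")   # 1.2.840.113549.1.1.4
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5


def constructed_certificate(sig_oid):
    """Certificate-shaped skeleton: empty tbsCertificate, AlgorithmIdentifier
    {oid, NULL}, and a zeroed placeholder BIT STRING for the signature."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (MD5_RSA_OID, SHA1_RSA_OID):
        print(check_fips_signature(constructed_certificate(oid)))
```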
To manually upgrade from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)
1. Stop the prior version's Server service. If the service is configured to start automatically when
Windows starts, in the Windows Services dialog box, change its properties to disabled. (If you
want to keep it running in parallel, make sure the IP ports are unique for the protocols in use so
that it does not cause a port conflict.)
a. In the Windows Services dialog box, right-click the service, then click Properties.
b. In the Properties dialog box, in the Startup type box, click Disabled.
c. Click OK to save the changes.
2. Run the Secure FTP Server (FIPS) installer (gsftps_fips.exe).
3. Leave the non-FIPS Secure FTP Server installation as is, but copy (not move) the configuration
file (FTP.cfg) to the Secure FTP Server (FIPS) installation location.
Do not copy any user- or application-created files (.aud, .bak, .crt, .key, .pvk), because FTP.cfg references the prior Secure FTP Server installation directory for those files. If the Server cannot locate the files, it will recreate them, and you will lose any prior configuration, user accounts, certificates, etc.
4. Start the new Server service and open the Administrator interface.
5. In the Administrator, edit the various Server and Site settings to point to the new paths in the
FIPS installation folder for the .aud, and other user/server-created files. (You also need to do this
on each remote client computer after you run the installer to upgrade the Administrator.)
6. Copy the old files over to new installation folder.
7. Confirm that the files are read in: stop the service, rename the prior installation folder, then start the FIPS service and verify that it starts with no errors.
8. You can now delete the files from the prior installation or uninstall the prior version; however, it is
not necessary. Just make sure everything is working (users, groups, VFS, settings) as you want
them before you delete or uninstall anything.
If you need additional information or help, visit the Support Center.
Setting Windows System Services
Windows NT Permission Rules
In order to secure your system, you should create a user account for the Server and grant restrictive
permissions to that user account. When you are assigning permissions to individual folders or directories
in Windows NT, you may want to reference the following rules. These rules differ somewhat from the VFS
rules that govern Server permissions.
The rules below determine the permissions that are ultimately granted to a user in Windows NT:
1. Explicit denial: All users or groups assigned "No Access"
If the user or a group that the user is in has been assigned "No Access," that user is explicitly
prohibited from using the file, folder, or drive. No other permissions will change this.
2. Cumulative permissions: Permissions are combined when a user is not explicitly denied
access
If the user is not explicitly denied access, the user's permissions are combined. For example, if
user Cal is given read and write permissions for Folder1, and Cal is also in a group that is given
execute permissions for that folder, then Cal will be able to read, write, and execute files in
Folder1.
3. Implicit denial: A user or group that has never been granted any access at all will not be
given access
If the user or a group containing the user is not granted any permissions, that user or group will
be denied access. Access must be specifically granted.
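The three rules above as a function, plus a small audit helper for the Server's own account, as an added example (not GlobalSCAPE code). The group name "Developers", the account and folder names, and the ACLs are constructed; execute is written as X alongside the R, W, D, P and O letters the guide uses.

```python
"""Effective Windows NT permissions under the three rules in the guide.
Added example, not GlobalSCAPE code. An ACL maps a principal (user or group
name) either to the NO_ACCESS marker or to a set of permission letters."""

NO_ACCESS = "No Access"   # explicit denial ACE


def effective_permissions(user, groups_of_user, acl):
    """Return the frozenset of permissions the user ends up with on one object.

    Rule 1 (explicit denial): No Access on the user or any of the user's groups
    wins and nothing else changes it.
    Rule 2 (cumulative): otherwise, grants to the user and to all groups are
    combined.
    Rule 3 (implicit denial): no grant anywhere means no access at all."""
    principals = [user, *groups_of_user]
    if any(acl.get(p) == NO_ACCESS for p in principals):
        return frozenset()
    granted = frozenset()
    for p in principals:
        entry = acl.get(p)
        if entry and entry != NO_ACCESS:
            granted |= frozenset(entry)
    return granted   # empty when never granted


def audit_service_account(account, groups_of_account, acls_by_folder, sensitive_folders):
    """List (folder, permissions) where the Server's account has any access to a
    folder it should normally not touch (the guide: most FTP Servers need no
    access to the Windows directories). Returns [] when the account is clean."""
    findings = []
    for folder in sensitive_folders:
        perms = effective_permissions(account, groups_of_account, acls_by_folder.get(folder, {}))
        if perms:
            findings.append((folder, "".join(sorted(perms))))
    return findings


# Constructed sample: the guide's Cal/Folder1 case, and a service account that
# inherits read access to a Windows folder through "Everyone".
FOLDER1_ACL = {"Cal": {"R", "W"}, "Developers": {"X"}}          # Cal -> R, W, X
FOLDER2_ACL = {"Cal": {"R", "W"}, "Contractors": NO_ACCESS}    # Cal -> nothing
SYSTEM_ACLS = {"C:\\WinNT": {"Everyone": {"R"}}, "C:\\": {}}

if __name__ == "__main__":
    print(sorted(effective_permissions("Cal", ["Developers"], FOLDER1_ACL)))
    print(sorted(effective_permissions("Cal", ["Contractors"], FOLDER2_ACL)))
    print(audit_service_account("GSFTPServer", ["Everyone"], SYSTEM_ACLS, ["C:\\WinNT", "C:\\"]))
```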
Creating a User Account for the Server
In order to run the Server securely as a service, you need to create a user account for it in Windows.
Note:
Setting up a user account increases security, but is not required to run the Server.
To create a user account in Windows XP Professional or Windows 2000
1. After you install the Server, open the Computer Management console. (e.g., on the Desktop,
right-click My Computer, then click Manage.)
2. Expand the Local users and groups node, right-click Users, then click New User. The New
User dialog box appears.
3. Create the user account (e.g., GSFTPServer), click Create, then click Close.
4. Close the Computer Management console.
5. In Administrative Tools, click Local Security Policy. The Local Security Settings dialog box
appears.
6. Expand the Local Policies node, then click User Rights Assignment.
7. In the right pane, in the Policy column, double-click Act as part of the operating system. The
Properties dialog box appears.
8. Click Add user or Group. The Select Users or Groups dialog box appears.
9. Select the new user you just added (GSFTPServer), click Add, then click OK.
13. If necessary, assign permissions for this user account in Windows.
14. Assign the server to the new user account and log the server on as a service.
To create a user account in Windows NT
1. After you install the server, open the User Manager (Control Panel > Administrative Tools >
User Manager).
2. On the main menu, click File, then click New User to create a new user account for "GSFTPServer". The User Properties dialog box appears.
3. Provide the Server's information, as shown below, then click OK.
4. On the main menu bar, click Policies, then click User Rights. The User Rights Policy dialog
box appears.
5. Select the Show Advanced User Rights check box.
6. In the Right list, click Act as part of the operating system.
7. Click Add. The Add Users and Groups dialog box appears.
8. Make sure that the drop-down list at the top of this dialog has your own computer selected. Click the Show Users button and select GSFTPServer from the list.
9. Click Add.
10. Click OK in both dialogs.
11. Assign permissions for this user account in Windows.
12. After assigning permissions, you should assign the server to the new user account you have
created and then log the server on as a service.
Setting Windows NT Permissions for the Server
After it is installed, the Server has access to local folders and files. To run it as a service with permissions to the network and mapped drives, however, you must create an NT account for the server, assign the server service to the account, and log the server on as a service.
Using the Windows NT permissions, set the permissions of this user for files or drives to be as restrictive
as possible, while still allowing the Server to run. After carefully determining which files and network
folders your users will need to access, gradually increase the permissions.
Note:
Using NT Authentication, users' permissions override the Server's permissions. For example, if the server has read-only access to folder1, but user John Doe has read and write permissions to folder1, John Doe has those same permissions when he accesses folder1 through the Server.
Windows NT permissions can be edited through the Security tab in the Properties of an object. On the
Security tab, select Permissions to display and edit the permissions for the object. The appearance of
this window is slightly different for files and directories, but in both cases, the following permissions can
be granted to users or groups:
• R (Read)
• W (Write)
• D (Delete)
• P (Edit permissions)
• O (Take ownership)
Keep in mind that you have the option to grant or withhold read and write permissions. Read-only
permissions are the most secure, because they allow users to access a file, but not to change it. For
example, most users will need limited read access to the Windows folders (C, WinNT); however, most
FTP Servers will not need any access to these directories at all.
In addition to the individual permissions, Windows NT permissions also provide access levels that are
simply pre-built sets of the existing permissions. Typically, you assign an access level to a user rather
than granting individual permissions. One such access level is called "No Access," which does not
contain any permissions.
To view and edit the permissions for a folder or file
1. In Windows Explorer, right-click the file or folder, then click Properties.
2. On the Security tab, click Permissions. The appearance of this window is slightly different for
files and directories and for different versions of Windows (W2K, XP, etc.).
For more information about setting permissions to folders and files, refer to the Windows Help
documentation for your specific operating system. (e.g., click Start, click Help and Support, then search
on keyword permission.)
Logging the Server on as a Service
Note:
The logon as a service right is automatically granted in Windows XP Professional, 2003, and 2000.
Follow the instructions below based on your operating system, or refer to the Microsoft Help pages. (Click
Start, then click Help and Support.)
Windows XP Professional, Windows 2003, and Windows 2000
1. In Administrative Tools, click Local Security Policy. The Local Security Settings dialog box
appears.
2. In the left pane, expand the Local Policies node, then click User Rights Assignment. The
Policy name and Security Setting appear in the right pane.
3. In the right pane, double-click Log on as a service. The Log on as a service Properties dialog
box appears.
4. Click the user you want to add (e.g., GSFTPServer), then click OK.
Licenses, Registrations, and Trademarks
Registrations & Trademarks
© 2001 - 2008, GlobalSCAPE, Inc. All rights reserved.
GlobalSCAPE is a registered trademark of GlobalSCAPE, Inc.
The GlobalSCAPE and Secure FTP Server - FIPS logos are trademarks of GlobalSCAPE, Inc.
Zlib License Agreement
This program includes Info-Zip Software which was used by GlobalSCAPE pursuant to the following
license.
zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.1, November 17th, 2003
Copyright (C) 1995-2003 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be
held liable for any damages arising from the use of this software. Permission is granted to anyone to use
this software for any purpose, including commercial applications, and to alter it and redistribute it freely,
subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original
software. If you use this software in a product, an acknowledgment in the product documentation would
be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the
original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
Release Notes
Release notes are available in the installation directory.
Version history is also available online at http://www.globalscape.com/gsftps/history.aspx.
Configuring Secure FTP Server
Starting and Stopping the Server
The Server starts automatically and runs as a Windows system service. If you close the Administrator, the
Server continues to run in the background as a system service.
To start or stop the Server with the Administrator
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Edit, then click Service Applet Settings. The Transfer Engine Service
Settings dialog box appears.
3. Click Start service (or Stop service) and close the Transfer Engine Service Settings dialog
box.
To start or stop the server using the Services option in the Control Panel
1. Open the Windows Services dialog box.
2. In the Name column, click GlobalSCAPE Secure FTP Server (FIPS), then right-click and click
Start (or Stop).
To start or stop the server from the command line
1. Click Start, then click Run.
2. Enter cmd or command.
3. Click OK.
4. To start the Server, at the prompt type:
Net start "globalscape secure ftp server"
(Include the quotation marks.)
5. To stop the Server, at the prompt type:
Net stop "globalscape secure ftp server"
(Include the quotation marks.)
6. After the service is started or stopped, type Exit.
Note:
If Install service is the only button enabled in the Transfer Engine Service Settings dialog box,
click it, then click Start service.
WARNING:
Any time you run a server, you expose your computer to outside users. There is the potential for
exposing files and programs on your computer and network to malicious outside users, particularly if
the Server is compromised.
Although you can set folder permissions from within the Server Administrator, you can add an extra
level of protection by establishing a user account for the Server and then limiting folder access
through the Server's user account permissions. This establishes a stopgap until server/system
integrity can be restored if the Server is ever compromised.
To configure the server to run securely
1. Create a user account for the server
2. Assign permissions to this user account
3. Assign the server to the account
4. Log the server on as a service
5. If necessary, configure the server's user account to map a virtual folder to a network drive.
The Administrator
The Administrator is the graphical user interface to the Server. After you install one or more Servers,
configure clustering services, if used, and configure the Server to run as a Windows service, you then
configure the connection to the Server in the Administrator.
The Server is configured by default to run when the operating system starts. The Administrator is used to
connect to the Server to create Server Groups, Servers, and Sites, manage user accounts and
permissions, set security protocols, define commands, and configure Event Rules.
The Administrator connects to the Server on either a local or remote computer. You can install the
Administrator on as many computers as you like, but the Server may only be installed on computers with
valid Server software licenses.
The Server employs an inheritance hierarchy to manage its Server, Site, and User settings, and Group
permissions. The settings on the Server are inherited at the Site level; the settings on the Site are
inherited at the User Setting Level; the settings on the User Setting Level are inherited by the users
assigned to that User Setting Level. The parent settings can be overridden at each level.
• The left pane of the Administrator provides a tree view of Server components, which include the Server Groups, Servers, Sites, User Setting Levels, Users, Groups, Commands, and Event Rules that are used to connect to and communicate with the Server.
• The right pane of the Administrator provides tabs that contain the configuration options for the item selected in the left pane. For example, when you select a Server in the left pane, the right pane contains the configuration options for the selected Server.
To open the Administrator
• Launch the Administrator by clicking the shortcut on the Start menu or the desktop (cftpsai.exe).
Server Groups and Servers
Server Groups are at the top of the Server's setting hierarchy and allow you to group multiple servers.
You can add as many Server Groups as you need.
Servers control the settings for one or more Servers, either locally or remotely. Servers consist of one or
more physical file transfer servers (Secure FTP Server - FIPS) running on your local or remote system.
Creating, Deleting, and Renaming Server Groups
To create a new Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click File, then click Add New Group of Servers. The Create New Group dialog box appears.
3. In the Group Name box, type a descriptive name for the Server Group. The name will appear in
the tree and in reports and log files.
4. Click OK.
To rename a Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server Group you want to rename.
3. On the menu bar, click Configuration, then click Rename.
4. Next to the Server Group's icon, type a different name.
5. Press ENTER.
To delete a Server Group
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server Group you want to delete, then do one of the following:
• On the main menu, click File, then click Remove Group of Servers.
• Right-click, then click Remove Group of Servers.
Defining a Server
To define a Server
1. In the Administrator, click the Server tab.
2. On the main menu, click File, then click Add New Secure FTP Server. The Add New Server
dialog box appears.
3. In the Name box, type a descriptive name for the Server. The name will appear in the tree and in
reports and log files.
4. Do one of the following:
• If the Server is on the computer on which you have opened the Administrator, click Local host.
• If the Server is on a different computer, click Remote host, then provide the Host IP address and Port of the Server computer. Leave the port at 1100 unless you want to use a different port to administer the Server remotely.
5. Click Save.
To remove a Server from the tree
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to remove, then do one of the following:
• On the main menu, click File, then click Remove Server.
• Right-click the Server, then click Remove Server.
• Press DELETE.
A warning appears, reminding you that your login information will be lost.
3. Click Yes.
WARNING:
When you delete a Server, you also delete all of your login information; you must manually
recreate it.
Connecting to a Server
Ensure the Server service is running. The administrator username and password are created during
installation. You can manage multiple Servers with a single Administrator.
To connect to a local server
1. Launch the Administrator.
2. In the left pane, click the Server you want to administer.
3. On the main menu, click File, then click Connect to FTP Server. The Connect to Secure FTP
Server dialog box appears.
4. Provide your administrator Username and Password.
5. Click Local Host.
6. Click Connect.
To connect to a remote server
Note:
Before you can connect to a remote Server, make sure the Server is configured for remote
administration.
1. Launch the Administrator.
2. In the left pane, click the Server to which you want to connect.
3. On the main menu, click File, then click Connect to FTP Server. The Connect to Secure FTP Server dialog box appears.
4. Provide your administrator Username and Password.
5. Click Remote Host.
6. In Host, provide the IP address of the remote server.
7. In Port, provide the port number of the remote server.
8. Click Connect.
Remote Administration
To connect to the Server from a remote Administrator, you must first configure the Server locally on the
Server computer and then configure the remote Administrator.
To configure remote administration using SSL, refer to Configuring Secure Remote Administration.
Note:
To reconnect, start, or stop the Server service from a remote location, the remote computer must
have a user account on the Server computer with the appropriate administrative privileges.
To configure the Server for remote administration
1. Launch the Administrator on the Server computer.
2. In the left pane, connect to the Server you want to configure for remote administration.
3. In the right pane, click the Remote Administration tab.
4. In the Administrator home IP list, click the IP address or All Incoming IP addresses.
5. In the Administrator port box, specify the administrator port used for incoming connections.
• 1000 is the default port for Secure FTP Server (non-FIPS)
• 1221 is the default port for Secure FTP Server (FIPS)
28 y Configuring Secure FTP Server
Configuring Secure FTP Server
6. Select the Allow remote administration check box. A warning appears advising you to connect
over SSL for more secure administration.
7. Click Yes to configure secure administration, or No to administer the Server over a clear
connection.
8. Click Apply. If you chose to use SSL, you must create or designate an SSL certificate to use for
administration connections.
To configure the remote Administrator
1. Launch the Administrator on the remote computer.
2. In the left pane, click the Server tab, then click the Server Group to which you will add the remote
Server.
3. On the main menu, click File, then click Add New FTP Server. The Add New Server dialog box
appears.
4. Type a name for the remote Server.
5. Click Remote host.
6. In the Host box, type the IP address of the remote Server.
7. In the Port box, type the port number of the remote Server.
8. Click Save. The Server appears in the tree under the Server Group.
Configuring Secure Remote Administration
To configure secure remote administration, first configure the server to allow remote administration.
Create or acquire an SSL certificate, and then consider whether you need implicit or explicit SSL.
Once engaged, SSL encrypts all of your remote administration sessions.
To enable SSL during remote administration
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server you want to configure.
3. In the right pane, click the Remote Administration tab.
4. Select the Use SSL for remote administration check box.
5. In the Certificate file path and the Private key file path area, click the folder icon to choose the
certificate and key.
6. Type the Private key passphrase.
7. Click Apply.
Note:
If you do not already have a certificate and you are administering a local server, you can create a
certificate using the Certificate Creation Wizard located on the menu bar under Tools.
You cannot use the Certificate Creation Wizard to create a certificate for a remote server. If you
need to create a certificate for a remote machine, you must open the Administrator and use the
Certificate Creation Wizard locally on that machine.
If you set up secure administration over an SSL connection, you will not be able to use the COM
interface from remote machines.
Starting and Stopping the Server Remotely
To start or stop the Server remotely
1. In the Administrator, click Edit, then click Service Applet Settings. The Transfer Engine
Service Settings dialog box appears.
2. In the Connection area, select Administer remote machine.
3. In the text box, type or paste the IP address of the server you want to administer.
4. Click Connect to Service Manager.
Note:
The remote Administrator you are logged on to passes your user name and password to the
Windows System Services on the computer running the Server. The account you log on with must
have administrative rights on that server to make any changes to the Server service running on it.
5. Click Start service (or Stop service) and close the Transfer Engine Service Settings dialog
box.
Importing and Exporting Configuration Files
You can import or export configuration files between Servers. This is useful for load balancing or for help
with backing up configurations. You can also include user data, custom commands, and Event Rules you
have configured.
To import configuration data
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, Import/Export. The Import/Export wizard appears.
3. Click Import and then click Next.
4. Specify the path to the file you want to import, then click Finish.
To export configuration data
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, Import/Export. The Import/Export wizard appears.
3. Click Export and then select Next.
4. Click one or more of the following to export:
• Configuration Data
• User Data
• Custom Commands
• Event Rules
5. Specify the path to the folder to which you are saving the file, then click Finish.
Note:
Import/Export does not import or export SSL certificate data, SSH public keys, account passwords or
Virtual File System (VFS) data. If you need to replicate a server for disaster recovery, see Copying
server configurations.
Copying a Server Configuration to Another Computer
There are many reasons for copying or migrating server configuration:
• Moving a proof of concept (PoC) out of your staging environment without re-creating all of the
settings and configuration data.
• Creating a standard configuration for installation on multiple computers.
• Updating server software with a fresh install rather than patching.
Installation and Deployment Considerations
Check the following before moving a configuration from the source to the target system:
• Set the prototype site Administrator Home IP to All Incoming. It must not be bound to a specific
IP address unless the system you are deploying to is bound to the same IP.
• Verify the target system's installation paths are the same as the installation path on the source
computer. For example, if you installed the server on drive C:, then install on drive C: on the
target, too. If the drive letters are different, change the drive letter on the target before installing
the software.
• Verify the Server root and location of the .aud file (if you are using GlobalSCAPE's authentication
manager). The drive letters on the target system must match those on the source in order for the
Virtual File System (VFS) to find the Server root. (Otherwise, all permissions and groups will be
lost.)
• Use the same administrator username and password when installing on the source and target
systems.
Deploy Duplicate Configurations
To set up the deployment configuration
1. Install and register the product on the source system.
2. Configure as desired. This includes sites, users, groups, file and folder permissions, event rules,
user settings, etc.
3. Exit the Administrator and stop the Server service in the Services dialog box (in the Windows
Control Panel).
4. Copy the following files from the server installation directory over to the target machine:
• FTP.cfg
• [YourSite].aud
• All .bak and .update files
• All certificates/keys/PGPkeys
5. Create the same physical folder structure on the target system as the folder structure created by
the configuration of the source machine. (Simply copy the FTP folder structure from the source to
the target.)
6. Install and register the product on the target system.
7. Cancel the automatic site setup wizard that appears the first time you run the Administrator.
8. Exit the Administrator Interface and stop the Server service in the services dialog box.
9. Paste the files gathered from the source system into the server installation folder on the target
system, overwriting existing files as necessary (which should only be the FTP.cfg file at this
point).
10. Restart the server service and log in using the Administrator.
11. Double-check server and site configuration. The target system is now configured.
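The following PowerShell script is an added example and is not part of the GlobalSCAPE guide. It performs steps 3 and 4 above on the source system, then adds two things a practitioner wants when private keys and the .aud file leave a machine: a SHA-256 manifest so the paste onto the target can be verified before the service is restarted, and an ACL on the staging folder so only administrators can read it. The service name, the installation directory and the file extensions used for certificate and key material are assumptions; take the real values from services.msc and your installation.

```powershell
# Added example (not from the guide): bundle the deployment artifacts from the source system.
# $ServiceName, $InstallDir and the key/certificate extensions are ASSUMED placeholders.
$ServiceName = 'GlobalSCAPE Secure FTP Server'                    # assumed; check services.msc
$InstallDir  = 'C:\Program Files\GlobalSCAPE\Secure FTP Server'   # assumed; use your install path
$Bundle      = 'D:\gsftp-deploy'                                  # staging folder carried to the target

# Step 3: the engine must be stopped so FTP.cfg and the .aud file are not written mid-copy.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

New-Item -ItemType Directory -Path $Bundle -Force | Out-Null

# Step 4: the file classes the guide lists. Certificate/key extensions are assumed.
$patterns = 'FTP.cfg', '*.aud', '*.bak', '*.update', '*.crt', '*.pem', '*.key', '*.pgp'
$files = Get-ChildItem -Path $InstallDir -Recurse -File -Include $patterns

foreach ($f in $files) {
    # Keep the relative folder structure so the paste lands in the same place on the target.
    $rel  = $f.FullName.Substring($InstallDir.Length).TrimStart('\')
    $dest = Join-Path $Bundle $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path $f.FullName -Destination $dest
}

# Manifest of "<sha256>  <relative path>" lines, written from the source copies.
$files | ForEach-Object {
    '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash,
                  $_.FullName.Substring($InstallDir.Length).TrimStart('\')
} | Set-Content -Path (Join-Path $Bundle 'manifest.sha256')

# The bundle now holds private keys and the encrypted account database: restrict it.
icacls $Bundle /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# On the target (after step 9, before step 10): verify every pasted file against the manifest.
function Test-DeployManifest {
    param([string]$ManifestPath, [string]$Root)
    $bad = 0
    foreach ($line in Get-Content $ManifestPath) {
        $expected, $rel = $line -split '  ', 2
        $actual = (Get-FileHash -Path (Join-Path $Root $rel) -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "Hash mismatch or missing file: $rel"; $bad++ }
    }
    return ($bad -eq 0)
}
# Example call on the target: Test-DeployManifest -ManifestPath 'D:\gsftp-deploy\manifest.sha256' -Root $InstallDir
```

Only restart the service (step 10) when Test-DeployManifest returns True; a mismatch on the .aud file or FTP.cfg means the target will start with a different configuration than the one you validated on the source.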
Changing the Global Administration Password or Exit Prompt
The Server Global Settings dialog box allows you to change the administrator password and exit
prompts.
To change the administrator password or prompts
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Edit, then click Server Global Settings.
• If you want to enter your login information every time you connect the Administrator to the
server, select the Prompt for administrator interface login and password check box.
If you are within a secure environment, you can clear this check box to be logged in
automatically, with no prompt.
• If you want to change your administrator password, click Change Administrator
Password. In the Administrator Account Settings dialog box, provide the new
password, then click OK.
• If you want to be prompted when you exit the Administrator, select the Prompt on
administrator exit check box. You can choose to either leave the Server running or stop
the Server when you close the Administrator. Typically, you will leave the Server running
so that it can continue to service FTP requests.
Updating the Server's User Information from the Authentication Database
You can set the Server to check the user authentication database automatically at regular intervals to
ensure the Server's user information is correct and up-to-date. This feature updates the Server only. You
must manually refresh user information in the Administrator in order to see changes on-screen.
To automatically update authentication information
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server that you want to configure.
3. In the right pane, click the Server Options tab.
4. In the Default User Database Refresh Interval list, specify how often you want the Server
Engine service to check for changes to the authentication database. If you do not want the
service to check, click Never refresh user list automatically.
Note:
When you click Refresh in the Administrator, it only checks the Server service for updated user
information. It does not check the authentication database.
Tweaking Logging with the Registry
You can adjust logging by changing values in the registry.
WARNING
These options are for advanced users only; it is recommended that you back up the registry before
you make any changes to it.
Registry Location
HKey_Local_Machine\Software\GlobalSCAPE Inc.\GlobalSCAPE Secure FTP Server (FIPS) 3.3
Values
LogBufferSize - DWORD
• This value is the size of the [m_nBufferLen] member of CBaseLog.
• The default is 255.
QueueBufferSize - DWORD
• This is the value of the [m_nQueueBufferMaxLen] member of CBaseLog.
• The default is 32768.
LogFlushTimer - DWORD
• This is the value, in milliseconds, used by the QueueTimerProc to wait for flushing data to the
disk.
• The default is 60000 (1 minute).
Note:
Do not set LogFlushTimer to 0. It will max out the server CPU. The lowest setting you should use is
1.
Note:
Be sure to stop and restart the Server service after making any changes to the registry.
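The following PowerShell script is an added example, not part of the GlobalSCAPE guide. It applies the three values above the way the warning and notes ask: it exports the key to a .reg backup first, refuses a LogFlushTimer of 0, writes each value as a DWORD and restarts the service so the engine re-reads them. The service name is an assumption; the registry path is the one given above.

```powershell
# Added example (not from the guide): tune the logging values with a backup and a sanity check.
# $ServiceName is an ASSUMED placeholder; the key path is the one documented for v3.3 (FIPS).
$KeyPath     = 'HKLM:\Software\GlobalSCAPE Inc.\GlobalSCAPE Secure FTP Server (FIPS) 3.3'
$ServiceName = 'GlobalSCAPE Secure FTP Server'   # assumed; check services.msc
$BackupFile  = Join-Path $env:TEMP 'gsftp-logging-backup.reg'

# Desired values. Defaults from the guide are 255 / 32768 / 60000; here the flush timer is
# shortened to 30 s so log lines reach disk sooner after an incident.
$Desired = @{ LogBufferSize = 255; QueueBufferSize = 32768; LogFlushTimer = 30000 }

# The guide's note: 0 pins the server CPU. Refuse anything below 1 ms.
if ($Desired.LogFlushTimer -lt 1) { throw 'LogFlushTimer must be at least 1 ms.' }

# A 32-bit build on 64-bit Windows is redirected to HKLM:\Software\Wow6432Node\...; look there if this fails.
if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

# 1. Back up the key before changing it. reg.exe wants HKLM\..., not the HKLM:\ PSDrive form.
$RegExePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $RegExePath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

# 2. Write every value as a DWORD, creating it if it does not exist yet.
foreach ($name in $Desired.Keys) {
    New-ItemProperty -Path $KeyPath -Name $name -Value ([int]$Desired[$name]) `
                     -PropertyType DWord -Force | Out-Null
}

# 3. The engine reads these values only at start-up.
Restart-Service -Name $ServiceName -Force

# 4. Read back what the engine will now use.
Get-ItemProperty -Path $KeyPath | Select-Object LogBufferSize, QueueBufferSize, LogFlushTimer
```

To roll back, double-click the .reg file written to %TEMP% (or run reg.exe import on it) and restart the service again.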
Controlling Access by IP Address
By default, all IP addresses are granted access to the Server. Alternately, you can grant access to only
one specific IP address or a range of IP addresses, or deny access to one specific address or a range of
addresses.
To grant or deny access by IP address
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site, then click the IP Access tab.
The TCP/IP Access Restrictions area displays the IP addresses that are granted or denied
access. By default, all IP addresses are granted access.
Note:
If the Ban IP address after excessive invalid commands check box is selected on the Site's
Advanced tab, and a user triggers this action, their IP address will appear in this list. If the
invalid commands were not malicious and you do not want to ban the IP address, you can
remove it from the list by clicking it, then clicking Remove.
3. Click Granted access or Denied access, then click Add. The IP Mask dialog box appears.
4. Specify the IP address or range of IP addresses to deny or grant access to the Site. The Server
allows wildcards to select ranges of IP addresses.
• If most IP addresses are allowed access, click Granted access, then list the exceptions
to the rule.
• If most IP addresses are denied access, click Denied access, then list the exceptions to
the rule.
5. Click OK to close the IP Mask dialog box. The IP address/mask appears in the exceptions list.
6. Click Apply to save the changes on the Server.
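The functions below are an added example and are not part of the GlobalSCAPE guide; they model the decision the IP Access tab makes so you can test a rule set before applying it. The guide only says that wildcards select ranges, so the mask syntax here is an assumption: a dotted quad in which "*" matches a whole octet (for example 10.20.*.*). The evaluation rule is the one described above: with Granted access as the default, the list holds the addresses to refuse; with Denied access as the default, the list holds the addresses to admit.

```powershell
# Added example (not from the guide). Mask syntax ('*' = any value for that octet) is ASSUMED.
function Test-IpMask {
    param([string]$Ip, [string]$Mask)
    $ipOctets   = $Ip.Split('.')
    $maskOctets = $Mask.Split('.')
    if ($ipOctets.Count -ne 4 -or $maskOctets.Count -ne 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        # Each octet must be either the wildcard or an exact textual match.
        if ($maskOctets[$i] -ne '*' -and $maskOctets[$i] -ne $ipOctets[$i]) { return $false }
    }
    return $true
}

function Test-SiteAccess {
    param(
        [string]$Ip,
        [ValidateSet('Granted', 'Denied')][string]$DefaultPolicy,
        [string[]]$Exceptions
    )
    $matched = $false
    foreach ($mask in $Exceptions) {
        if (Test-IpMask -Ip $Ip -Mask $mask) { $matched = $true; break }
    }
    # Granted default: the list is a deny list. Denied default: the list is an allow list.
    if ($DefaultPolicy -eq 'Granted') { return (-not $matched) } else { return $matched }
}

# Constructed sample: a deny-by-default site that admits the office range and one partner host.
$exceptions = @('10.20.*.*', '203.0.113.7')
foreach ($ip in '10.20.5.9', '203.0.113.7', '203.0.113.8', '198.51.100.1') {
    $allowed = Test-SiteAccess -Ip $ip -DefaultPolicy Denied -Exceptions $exceptions
    '{0,-15} {1}' -f $ip, $(if ($allowed) { 'allowed' } else { 'refused' })
}
# Expected: 10.20.5.9 and 203.0.113.7 allowed; 203.0.113.8 and 198.51.100.1 refused.
```

Because addresses banned for excessive invalid commands are added to the same list, the Granted default with a deny list is the mode in which automatic bans take effect; with a Denied default, a banned address that also matches an allow mask would still be admitted, so review the list after a ban rather than assuming it took hold.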
Configuring SMTP Email Notification
You can configure the Server to send email alerts whenever certain events occur. You must provide the
address for an outgoing mail server, an email address for the administrator account, and other details.
To set up the server to send email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to configure.
3. In the right pane, click the SMTP Configuration tab.
4. In the SMTP Server Address box, provide the IP address of the mail server the Server will use to
send outgoing messages.
5. In the SMTP Server Port box, provide the port number where the mail server accepts messages.
The default is 25.
6. Do one of the following:
• If the Server can connect to the mail server without a log in, leave the Server requires
authorization check box cleared.
• If the mail server requires a user name and password from the Server computer, select
the Server requires authorization check box, then provide the Authorization
information.
a. In the Login box, provide the user name needed to connect to the mail server.
b. In the Password box, provide the password needed to connect to the mail
server.
c. In the Name box of the Send Messages FROM area, provide any name you
would like for the "From Name" field.
d. In the Address box of the Send Messages FROM group, provide any address
you would like for the "From Address" field.
e. In the Name box of the Send Messages TO group, provide the name of the
server administrator, or any name you wish.
f. In the Address box of the Send Messages TO group, provide the email address
of the person that should be notified of server events.
7. Click Apply.
Connection Problems
If you are having problems connecting, ensure that:
• Your username and password are correct. They are case sensitive.
• The host IP address and port are correct.
• The Server service is running.
Note:
If the service is not running, you might be able to start the service remotely.
• The network connection is functioning.
Server Statistics
To monitor current statistics at the server, site and user level
1. In the Administrator, connect to the server, then click the Status tab.
2. In the left pane, select the Server, Site, or connected user to view the related statistics (described
below).
Note:
After selecting a user in the left window, you can click Kick User in the right pane to disconnect a
user from a site. This does not disable the user, but stops unacceptable activities while you
reconfigure the user's access.
Server Statistics
• Server State
• Users Connected
• Active Downloads
• Active Uploads
• Download Speed
• Upload Speed
• Total Speed
• When the server was started
• The local time for the server
• Last Updated
Site Statistics
Current statistics shown here include:
• Site Name
• Authentication Method
• Site Root Folder
• Site IP
• Site FTP Port Number
• SSL Enabled
• Site State
• Users Connected
• Active Downloads
• Active Uploads
• Download Speed
• Upload Speed
• Total Speed
• When the server was started
• The local time for the server
• Last Updated
User Connection Statistics
Current statistics shown here include:
• Login
• ID
• Connection Type
• When the connection was made
• Total time connected
• The IP
• The data type, such as ASCII
• The structure
• The transfer mode, such as stream
• The data connection, if applicable.
• The last three transfers
• The current working directory
Server Security Considerations
Storing your administrator username and password in the Administrator may be convenient, but it is not
secure. The stored password is available to anyone who can log on to the Server machine.
Changing the administrator password and port is a good option if you do encounter a security breach.
Note:
It is so easy to configure the Server that many administrators do not give careful consideration to
administrative password or port changes. If you do not remember your password and port, you will
not be able to connect to the server.
You may encounter port conflicts while attempting to run two sites with implicit SSL encryption. Keep this
in mind as you configure multiple Sites' encryption options.
Carefully consider inheritance as you begin to grant folder access to different VFS groups. Creating
virtual folders gives users access to all subfolders.
Setting VFS access with patterns of inheritance derived from parent folders in a logical manner ensures
that permission groups have predictable access to folders.
Creating and Configuring Sites
Authentication Types
The Server supports three database types for authenticating users: GlobalSCAPE Secure FTP Server
(FIPS) Authentication, NT Authentication, and ODBC Authentication. Once a Site has been configured
through the Create Site Wizard, you cannot change the authentication method.
• GlobalSCAPE Secure FTP Server (FIPS) Authentication does not rely on outside sources for
user information (accounts are independent of the operating system). All information is contained
within the .aud file located in the server engine (cftpste.exe) folder. All information is encrypted
and can only be modified through the Administrator.
• ODBC Authentication allows all users in an external ODBC database to have access to the
server. See the topics under the ODBC book for more information on configuring ODBC
authentication.
• NT (NTLM/AD) Authentication. Using this method, the Server assigns permissions to users from
the NT User Database on the system that is running the server. The Server queries the Primary
Domain Controller (PDC) for your domain and adds all domain users.
ODBC
Using an ODBC Data Source for User Authentication
The Server allows you to use any ODBC-compatible database as a source for user authentication. You
may add and remove users and set certain permissions using your existing database utility or through the
Administrator.
In order to use an external ODBC data source you must:
• Create tables in an ODBC data source
• Establish a System Data Source Name (DSN) in the ODBC Source administration tool
• Configure Secure FTP Server to use the System DSN
• Install Microsoft Data Access Components (MDAC) 2.6 or higher
If you are using the server on Windows XP, you do not need to install MDAC 2.6 or higher on your
computer. For any other Windows operating system, you can download MDAC 2.6 or 2.7 from
http://www.microsoft.com/data/download.htm
If you are using an Access database, you may also need to download a Jet driver. For information about
Jet drivers, see Article ID: 282010 on the Microsoft Support pages:
http://support.microsoft.com/kb/282010/en-us.
For information about MDAC 2.6, see Article ID: 271908 on the Microsoft Support pages:
http://support.microsoft.com/kb/271908/en-us.
Creating Tables for your ODBC Data Source
You must create two tables in the database for your data source:
The ftpserver_users table lists the user accounts and permissions groups in the site. A user account
uses the information from all fields. A permissions group only uses the ID, Name, and Description fields
and is used only for organizational purposes, not as a user login.
Field Name        | Data Type  | Field Size   | Description
------------------|------------|--------------|------------------------------------------------
ID (Primary Key)  | AutoNumber | Long Integer | User ID
Name              | Text       | 50           | Login name for this user
Password          | Text       | 200          | Password for this user
Description       | Text       | 200          | Description for this user
Type              | Number     | Integer      | 0=Group, 1=User
Password_Type     | Number     | Integer      | Standard, OTP_MD4 or OTP_MD5: differentiates a regular
                  |            |              | password from an S/KEY (OTP) password. 0=standard FTP
                  |            |              | password, 1=MD4 OTP, 2=MD5 OTP
MD_Iter           | Number     | Long Integer | Current MDx iteration; used by OTP accounts only
OTP_Seed          | Text       | 16           | OTP seed used for MDx passwords; used by OTP accounts only
Anonymous         | Number     | Long Integer | 0=Normal password, 1=Any password
Anonymous_Email   | Number     | Long Integer | 0=Any anonymous password, 1=Email password required
Fullname          | Text       | 200          | User's full name
Email             | Text       | 200          | User's email address
Phone             | Text       | 200          | User's phone number
Pager             | Text       | 200          | User's pager number
Fax               | Text       | 200          | User's fax number
Comments          | Text       | 200          | User comments
Enabled           | Number     | Integer      | 0=Account disabled, 1=Account enabled
HomeDirectory     | Text       | 512          | Secure FTP Server use only
Note:
HomeDirectory must be created for ODBC authentication to work properly with the Server, but you
cannot use it for user account directories.
The ftpserver_ids table organizes users into "groups" of permission levels. For each permissions group
to which a user belongs, there must be one row in this table.
Field Name | Data Type  | Field Size   | Description
-----------|------------|--------------|------------------------------------------------------------
ID         | AutoNumber | Long Integer | Unique ID for the record (key field).
User_ID    | Number     | Long Integer | Refers to a user record in the ftpserver_users table. A corresponding
           |            |              | ftpserver_users record (where ftpserver_ids.User_ID = ftpserver_users.ID)
           |            |              | must exist with Type = 1.
Group_ID   | Number     | Long Integer | Refers to the user setting level (group) to which the User_ID record
           |            |              | belongs. A corresponding ftpserver_users record (where
           |            |              | ftpserver_ids.Group_ID = ftpserver_users.ID) must exist with Type = 0.
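The following PowerShell script is an added example and is not part of the GlobalSCAPE guide. It creates the two tables through the default DSN named later in this chapter ("GSFTP Server"), inserts one permissions group, one user and the ftpserver_ids row linking them, and then runs the join that expresses the rule in the two tables above (User_ID must point at a Type = 1 record, Group_ID at a Type = 0 record). The DDL uses Access/Jet type names (COUNTER, TEXT(n), SHORT, LONG, MEMO), which is an assumption about your database engine; adjust them for another ODBC source. Jet SQL accepts no comments, so the column meanings are noted in the script rather than in the DDL.

```powershell
# Added example (not from the guide): build and check the ODBC authentication schema.
# Assumes a System DSN named "GSFTP Server" that points at an Access database you created.
$ConnectionString = 'DSN=GSFTP Server;'

# ftpserver_users. Type: 0 = group, 1 = user. Password_Type: 0 = standard, 1 = MD4 OTP, 2 = MD5 OTP.
# Anonymous: 0 = normal password, 1 = any password. Anonymous_Email: 1 = e-mail address required.
# Enabled: 0 = disabled, 1 = enabled. HomeDirectory is listed as Text 512, but Jet TEXT stops at
# 255 characters, so MEMO is used here (the server does not use the column for home folders).
$UsersDdl = @'
CREATE TABLE ftpserver_users (
  ID              COUNTER CONSTRAINT pk_users PRIMARY KEY,
  Name            TEXT(50)  NOT NULL,
  Password        TEXT(200),
  Description     TEXT(200),
  Type            SHORT     NOT NULL,
  Password_Type   SHORT,
  MD_Iter         LONG,
  OTP_Seed        TEXT(16),
  Anonymous       LONG,
  Anonymous_Email LONG,
  Fullname        TEXT(200),
  Email           TEXT(200),
  Phone           TEXT(200),
  Pager           TEXT(200),
  Fax             TEXT(200),
  Comments        TEXT(200),
  Enabled         SHORT     NOT NULL,
  HomeDirectory   MEMO
)
'@

# ftpserver_ids: one row per (user, group) membership.
$IdsDdl = @'
CREATE TABLE ftpserver_ids (
  ID       COUNTER CONSTRAINT pk_ids PRIMARY KEY,
  User_ID  LONG NOT NULL,
  Group_ID LONG NOT NULL
)
'@

# Constructed sample rows: group 1 (Type 0), user 2 (Type 1, created disabled with no password so
# that the password is set through the Administrator in the form the site is configured for).
$Statements = @(
    $UsersDdl,
    $IdsDdl,
    "INSERT INTO ftpserver_users (ID, Name, Description, Type, Enabled) VALUES (1, 'partners', 'Partner uploads', 0, 1)",
    "INSERT INTO ftpserver_users (ID, Name, Type, Password_Type, Anonymous, Anonymous_Email, Enabled, HomeDirectory) VALUES (2, 'acme', 1, 0, 0, 0, 0, '')",
    "INSERT INTO ftpserver_ids (User_ID, Group_ID) VALUES (2, 1)"
)

# The membership rule as a query: rows whose User_ID is not a user or whose Group_ID is not a
# group simply do not appear, which is how to spot a bad row before the server ignores it.
$MembershipQuery = @'
SELECT u.Name AS UserName, g.Name AS GroupName
FROM (ftpserver_ids AS i INNER JOIN ftpserver_users AS u ON i.User_ID = u.ID)
INNER JOIN ftpserver_users AS g ON i.Group_ID = g.ID
WHERE u.Type = 1 AND g.Type = 0
'@

Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.Odbc.OdbcConnection $ConnectionString
$conn.Open()
try {
    foreach ($sql in $Statements) {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql; [void]$cmd.ExecuteNonQuery()
    }
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $MembershipQuery
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { '{0} is in group {1}' -f $reader['UserName'], $reader['GroupName'] }
    $reader.Close()
}
finally { $conn.Close() }
# Expected output: acme is in group partners
```

The Password column holds whatever the site writes into it; unless the Encrypt passwords option is selected when the site is created, that is the password as typed. Treat the database file (or the database account) with the same care as the .aud file: restrict it to the service account and administrators, and give the ODBC login used by the server rights on these two tables only.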
Establishing a System Data Source Name (DSN)
After you have created your database, you must associate it to your system.
To establish a system DSN
1. In Windows Control Panel, open the Data Sources (ODBC) administrative tool.
2. Click the System DSN tab.
3. Click Add.
4. Click the applicable driver.
5. Click Finish.
6. Provide the Data Source Name and Description. The default DSN is GSFTP Server.
7. Click Select, then click the database file you created when following the steps described in
Create Tables for your ODBC data source or the supplied database.
8. Click OK.
Using a DSN-Less Connection with ODBC Authentication
You can create a Site with a DSN-less connection to your authentication database. If you have several
simultaneous database connections, a DSN-less connection may be slightly faster than a DSN
connection.
To create a site with a DSN-less connection
1. In Secure FTP Server Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, then click Create New Site.
3. Give the site a name, choose the IP address and Port.
4. In the Authentication method list, choose ODBC Authentication.
5. Click Advanced. The Authentication Provider Options appear.
6. Provide the connection string, then click OK.
You must know the correct driver to use with your database. Create a connection string using the
examples below. The connection string includes the name of the driver you need for your
database, the location of your database, the name of your database, and, if necessary, a user
name and password to access the database.
7. Click Next to continue with your Site creation.
For local databases the connection string must include:
• Provider [Provider=]
• Driver [DRIVER=]
• Database path and name, including the file extension [Dbq=]
• Username [Uid] and Password [Pwd] are required only if the database is password protected
For remote databases your connection string must include:
• Driver [DRIVER=]
• Server [SERVER]
• Database [DATABASE]
• Username [UID]
• Password [PWD]
If you are pointing to an Access 2000 database on the local machine named Example that is in the xyz
sub-folder of your C drive, the connection string is:
Provider=MSDASQL;Driver={Microsoft Access Driver (*.mdb)};Dbq=c:/xyz/Example.mdb;Uid=;Pwd=;
If you have a remote MySQL database named Example, your connection string is:
Provider=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=10.10.10.1;DATABASE=Example;UID=myusername;PWD=mypassword;
Note:
Do not put any line breaks in your connection strings.
You must have MDAC version 2.7 or higher to use a DSN-less connection.
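The function below is an added example and is not part of the GlobalSCAPE guide. It assembles the two kinds of DSN-less string shown above from their parts, so that a missing semicolon between the driver and Dbq elements, a stray line break or a semicolon inside a value is caught before the Create New Site wizard is given a string that fails to connect. The parameter names and the function name are this example's own; the element names (Provider, Driver, Dbq, Uid, Pwd, SERVER, DATABASE, UID, PWD) and the two driver names are the ones the guide uses.

```powershell
# Added example (not from the guide): build a DSN-less ODBC connection string from its parts.
function New-GsftpOdbcConnectionString {
    [CmdletBinding(DefaultParameterSetName = 'Local')]
    param(
        [Parameter(ParameterSetName = 'Local', Mandatory)][string]$AccessFile,
        [Parameter(ParameterSetName = 'Remote', Mandatory)][string]$Server,
        [Parameter(ParameterSetName = 'Remote', Mandatory)][string]$Database,
        [string]$User = '',
        [string]$Password = '',
        [string]$Driver            # optional override of the driver name
    )
    # Element order matters only for readability; the dictionary keeps it stable.
    $parts = [ordered]@{ Provider = 'MSDASQL' }
    if ($PSCmdlet.ParameterSetName -eq 'Local') {
        if (-not $Driver) { $Driver = 'Microsoft Access Driver (*.mdb)' }
        $parts.Driver = "{$Driver}"
        $parts.Dbq    = $AccessFile
        $parts.Uid    = $User
        $parts.Pwd    = $Password
    }
    else {
        if (-not $Driver) { $Driver = 'MySQL ODBC 3.51 Driver' }
        $parts.DRIVER   = "{$Driver}"
        $parts.SERVER   = $Server
        $parts.DATABASE = $Database
        $parts.UID      = $User
        $parts.PWD      = $Password
    }
    # The guide's two rules: no line breaks, and every element terminated by ';'. A ';' inside a
    # value would be read as a separator, so refuse it rather than emit an ambiguous string.
    foreach ($v in $parts.Values) {
        if ($v -match '[\r\n]') { throw 'Connection string values must not contain line breaks.' }
        if ($v -match ';')      { throw "Value '$v' contains ';', which would split the string." }
    }
    $joined = ($parts.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ';'
    return "$joined;"
}

# Local Access database, as in the guide's first example:
New-GsftpOdbcConnectionString -AccessFile 'c:/xyz/Example.mdb'
# Remote MySQL database; the password is prompted for rather than left in a script file.
New-GsftpOdbcConnectionString -Server 10.10.10.1 -Database Example -User myusername `
                              -Password (Read-Host 'Database password')
```

The first call returns Provider=MSDASQL;Driver={Microsoft Access Driver (*.mdb)};Dbq=c:/xyz/Example.mdb;Uid=;Pwd=; exactly as the wizard expects it. Whatever you paste into the wizard is kept with the site configuration, password included, so the database login you give the server should be one that can read and update the two authentication tables and nothing else.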
Creating Sites
You can create and manage multiple Sites through a single Server. Each Site must listen on a distinct
IP address, port, or combination of the two. When you create a new Site, FTP access is automatically
enabled. After you create the Site, you can configure the protocols the Site is to use.
To create a new Site
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server for which you are creating the Site.
3. On the main menu, click Configuration, then click Create New Site. The Create New Site
window appears.
4. Type a Name for the Site. This name will appear in the Server tree.
5. In the Listening IP list, specify the address for the site or click All incoming.
6. In the Port box, type or select the port number. The default port used for FTP connections is 21,
however, you can enter any value between 1 and 65,535. (If you are using the site for secure
FTP connections, you can later turn off plain FTP access on the Connection Options tab.)
Note:
Assigning port numbers under 1024 may lead to conflicts with other programs running on your
computer.
7. If you want the site to start immediately, select the Start site automatically after creation check
box.
8. Specify the Authentication method. The default method is GlobalSCAPE Secure FTP Server
Authentication.
• If you need to use NT Authentication, see Creating a site that uses NT authentication.
• If you need to use ODBC authentication, see Creating a site that uses ODBC
authentication.
9. Click Next.
10. Provide the path to store the user database. Leave the default path unless you want to store the
authentication database in a new location.
11. In the User list refresh interval list, specify how often the Server should check the database for
new users.
12. Click Next.
13. In the Default FTP Root Folder area, specify a path to the root folder for the site.
14. Select the Create standard subfolders check box to automatically create Bin, Pub, Usr and
Incoming folders with appropriate permissions under the root folder. This is selected by default,
but is only necessary if you are trying to mimic a typical default *nix Server setup.
15. Select the Enable anonymous access to the server check box to create an anonymous
account that does not require a password. The account will have limited permissions.
16. Select the Auto assign home folders to site users check box to automatically create a user
folder under \Site Root\Usr\ when a new user is added.
17. Click Finish. If the root folder has not already been created, you are prompted to do so: Click
Yes. The folder is created and the Create New Site wizard closes.
Creating a Site that uses NT Authentication
Secure FTP Server can create sites using the NT user authentication database so users can connect to
the site with their NT user name and password. Permissions are assigned to users from the NT User
Database on the domain of the system that is running the Server. Secure FTP Server queries the Primary
Domain Controller (PDC) for your domain and adds all domain users.
Users are listed as soon as you open the site you created using NT Authentication. You cannot add or
change users from Secure FTP Server, but you can change their permissions, settings and status on the
server.
Warning:
NT Authentication transmits passwords over the network without data encryption. To avoid exposing
your passwords to possible theft, use SSL connections with NT Authentication.
To create a site
1. Follow the steps in Creating Sites up to specifying an authentication method.
2. In the Authentication method list, click Windows NT Authentication, then click Next.
3. Click Yes. The Authentication Options appear.
4. Specify Active Directory (AD) Authentication, or NTLM Authentication to match what is used
on the server's domain.
5. In the Domain Context area, click Use default if you want to use the authentication database
from the machine's current domain, or Custom, and supply the domain name that has the
authentication database you want to use.
6. In the Allow access to the following group area, click Everyone to allow access to every user
in the domain's database, or Custom and supply a group name for users that will have access to
the Server.
7. If you specified Active Directory Authentication, in the Use this user attribute as logon name
list, specify the attribute based on what your database uses.
8. In the User list refresh interval list, specify how often Secure FTP Server is to check the
authentication database for new users.
9. Click Next.
10. Specify the path to the root folder for the Site.
11. If you are trying to mimic a typical default *nix Secure FTP server setup, select the Create
standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders
with appropriate permissions under the root folder.
12. Select the Auto assign home folders to site users check box to automatically create a user
folder under \Site Root\Usr\ when a new user is added.
13. Click Finish. If the root folder has not already been created, you are prompted to do so: Click
Yes. The folder is created and the Create New Site wizard closes.
Creating a Site that uses ODBC Authentication
Secure FTP Server can create sites that use an ODBC database for authentication.
To create ODBC database authenticating site
1. Follow the steps in Creating Sites up to specifying an authentication method.
2. In the Authentication method list, choose ODBC Authentication, then click Next. The
Authentication Options appear.
3. In the Please specify user database data source box, type a connection string for the ODBC
database.
4. Select the Encrypt passwords check box to encrypt passwords stored in the database.
5. In the User list refresh interval list, specify how often Secure FTP Server is to check the
database for new users.
6. Click Next.
7. Specify a path to the root folder for the Site.
8. If you are trying to mimic a typical default *nix Secure FTP server setup, select the Create
standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders
with appropriate permissions under the root folder.
9. Select the Enable anonymous access to the server check box to create an anonymous
account that does not require a password. The account will have limited permissions.
10. Select the Auto assign home folders to site users check box to automatically create a user
folder under \Site Root\Usr\ when a new user is added.
11. Click Finish. If the root folder has not already been created, you are prompted to do so: Click
Yes. The folder is created and the Create New Site wizard closes.
Starting and Stopping Sites with the Server Running
To start Sites
1. In the Administrator, connect to the server, then click the Server tab.
2. On the toolbar, click Go. A submenu appears.
3. Click the Site you want to start. To start all of them, select All Sites.
To stop Sites
1. In the Administrator, connect to the server, then click the Server tab.
2. On the toolbar, click Stop. A submenu appears.
3. Click the Site you want to stop. To stop all of them, select All Sites.
Note:
If you stop a Site while users are connected, the users will be disconnected and file transfers may be
interrupted.
Disconnecting Problem Users
The Server provides the following methods to disconnect problem users:
• Blocking anti-timeout schemes
• Disconnecting after a defined number of invalid commands
• Disallowing the NOOP command
• Disabling an account after a defined number of incorrect login attempts
• Setting a maximum idle time limit
To block anti-timeout schemes
Many FTP clients send random commands such as REST 0, PWD, TYPE A, LIST, etc., to an FTP server
to keep the session alive while the client is idle. The Server can attempt to block these schemes.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
4. Select the Block anti-timeout schemes check box.
5. Click Apply.
To disconnect users after a defined number of invalid commands
The server can automatically disconnect and even ban the IP addresses of users who send an excessive
number of invalid commands to the server:
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select Disconnect user after <n> consecutive invalid commands and type the number of
invalid commands allowed before you disconnect the user. You may permanently ban the user's
IP address from the site by selecting the Ban IP address after excessive invalid commands
check box. You may later remove the ban on the user by removing their IP address from the list
in the site's IP Access tab.
5. Click Apply.
To allow or disallow the NOOP command
Many FTP clients send a NOOP command to the server during idle times to keep the connection alive.
You can choose whether to allow the NOOP command. If you disallow the NOOP command, it will be
considered an invalid command and treated according to your settings under Disconnect after [Number
of] invalid commands.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Security tab.
4. Select the Allow NOOP command check box to allow the NOOP command or clear the Allow
NOOP command check box to treat the NOOP command as an invalid command.
Note:
If you are banning users who send excessive invalid commands and treating NOOP as an invalid
command, then you will be banning users for sending the NOOP command. You may later remove
the ban on the user by removing their IP address from the Site's list in the IP Access tab. A gray
check box in a user account indicates that the account is inheriting parameters from the User Setting
Level.
5. Click Apply.
To disable an account after a defined number of incorrect login attempts
The server can automatically disable user accounts if users try to connect with the wrong password too
many times.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Security tab.
4. Select Disable account after <n> incorrect password retries and enter the maximum number
of password retries you want to allow in the corresponding box. A gray check box in a User
account indicates that the account is inheriting parameters from the User Setting Level.
5. Click Apply.
Enabling time out
You can automatically disconnect users after a specified time of inactivity.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, select the Quota tab.
4. Select the Enable time out check box, then specify the maximum number of seconds of
inactivity allowed before the user is disconnected.
5. Click Apply.
Flooding and Denial of Service Prevention
You can configure the server to ban IP addresses automatically that may potentially be associated with a
DoS (Denial of Service) attack. The Server monitors connection patterns, tracks each user's activity
density, and then bans IP addresses with unnaturally dense activity.
To activate Auto-ban
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the IP Access tab.
4. Specify a sensitivity level using the slider bar, and specify one of the following ban periods:
• Ban IPs for time period proportional to sensitivity (higher = longer)
If you select this option, IPs are banned temporarily: the server restricts that IP's access
for a short period whose length depends on the security setting you selected with the slider
bar. Banning temporarily means that if the server mistakes an ordinary but very active user
for a threat, that user will soon be able to reconnect to the FTP site.
A temporary ban still protects the server from attacks. If the server is correct and a
temporarily banned IP was the source of an attack, the server's resources remain free or only
minimally burdened instead of being consumed by the attacking IP.
When you ban IP addresses temporarily, the slider setting determines both how many seconds a
user can attempt to occupy all of the server's resources before being banned and how many
seconds the ban lasts. The higher the security level, the sooner the user is banned and the
longer the ban remains in effect.
• Ban IPs permanently (Add to TCP/IP Access restrictions list)
If you elect to ban permanently the IP addresses of users whose activity fits the pattern of an
attack, those users are banned as soon as they exceed the number of connections allowed for
your security level. To restore access for a user the server has banned, you must edit the
TCP/IP Access restrictions list on the site's IP Access tab.
5. Click Apply.
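The controls in the two sections above (disconnecting and banning after consecutive invalid commands, treating NOOP as invalid, locking an account after too many wrong passwords, the idle time-out, and the activity-density auto-ban with a sensitivity-proportional or permanent IP ban) can be modelled as one small policy engine. The following Python is an added example for this guide, not code from Secure FTP Server or GlobalSCAPE: the thresholds, the mapping of the slider value to a connection count and a ban length, the reply strings, the command list and the user table are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed subset of the RFC 959 verbs the Server would accept as valid.
KNOWN_COMMANDS = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "STOR",
                  "TYPE", "REST", "QUIT", "NOOP"}


class SitePolicy:
    """Site-level settings plus the ban and lockout state they produce."""

    def __init__(self, users, *, max_invalid=3, ban_on_invalid=True,
                 allow_noop=False, max_password_retries=3, idle_timeout=60.0,
                 sensitivity=5, permanent_ban=False, window=10.0):
        self.users = users                    # user -> password (constructed)
        self.max_invalid = max_invalid
        self.ban_on_invalid = ban_on_invalid
        self.allow_noop = allow_noop
        self.max_password_retries = max_password_retries
        self.idle_timeout = idle_timeout
        self.sensitivity = sensitivity        # slider: 1 (lax) .. 10 (strict)
        self.permanent_ban = permanent_ban
        self.window = window                  # seconds of connection history per IP
        self.banned = {}                      # ip -> expiry time (inf = permanent)
        self.disabled = set()                 # locked-out user accounts
        self.failed = defaultdict(int)        # user -> wrong-password count
        self.recent = defaultdict(deque)      # ip -> connection timestamps

    # Assumed mapping of the slider: stricter means fewer connections are
    # tolerated per window and a temporary ban lasts longer.
    def allowed_in_window(self):
        return max(1, 50 // self.sensitivity)

    def ban_seconds(self):
        return 30 * self.sensitivity

    def ban(self, ip, now):
        self.banned[ip] = float("inf") if self.permanent_ban else now + self.ban_seconds()

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                     # temporary ban has lapsed
            del self.banned[ip]
            return False
        return True

    def connect(self, ip, now):
        """Admit a new control connection, or return None if ip is refused."""
        if self.is_banned(ip, now):
            return None
        stamps = self.recent[ip]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.allowed_in_window():   # unnaturally dense activity
            self.ban(ip, now)
            return None
        return Session(self, ip, now)


class Session:
    """One control connection; every reply is a constructed FTP-style string."""

    def __init__(self, policy, ip, now):
        self.policy, self.ip = policy, ip
        self.consecutive_invalid = 0
        self.last_activity = now

    def login(self, user, password, now):
        self.last_activity = now
        if user in self.policy.disabled:
            return "530 account disabled"
        if self.policy.users.get(user) != password:
            self.policy.failed[user] += 1
            if self.policy.failed[user] >= self.policy.max_password_retries:
                self.policy.disabled.add(user)
                return "530 account disabled"
            return "530 login incorrect"
        self.policy.failed[user] = 0
        return "230 login ok"

    def command(self, verb, now):
        """Apply the idle limit, the NOOP setting and the invalid-command counter."""
        if now - self.last_activity > self.policy.idle_timeout:
            return "421 idle timeout, disconnecting"
        self.last_activity = now
        verb = verb.upper()
        valid = verb in KNOWN_COMMANDS and (verb != "NOOP" or self.policy.allow_noop)
        if valid:
            self.consecutive_invalid = 0      # only consecutive misses count
            return "200 ok"
        self.consecutive_invalid += 1
        if self.consecutive_invalid >= self.policy.max_invalid:
            if self.policy.ban_on_invalid:
                self.policy.ban(self.ip, now)
            return "421 too many invalid commands, disconnecting"
        return "500 invalid command"


if __name__ == "__main__":
    policy = SitePolicy({"alice": "s3cret"})
    session = policy.connect("203.0.113.7", 0.0)
    print([session.command(v, t) for t, v in enumerate(["PWD", "NOOP", "NOOP", "NOOP"], 1)])
    print("banned:", policy.is_banned("203.0.113.7", 5.0))
```

One caveat the model makes visible: the password-retry lockout disables the account, not the source IP, so anyone who knows a user name can lock that user out from any address by guessing wrong a few times; the ban on invalid commands and the temporary auto-ban slow this down but do not prevent it. That is the trade-off behind preferring the temporary ban unless the site sees very little legitimate traffic, and behind expecting to re-enable accounts by hand.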
Modifying Messages
The Server can display messages to users in the following situations:
• Successful connection
• Login (under User settings)
• Maximum connections exceeded
• Exit
Connection Message
The connection message appears when a user first connects, but before a user logs on.
To modify the Connection message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
4. In the Connect message box, type the text that you want to appear when a user connects.
5. Click Apply.
Login Message
Login messages may be applied at the user or User Setting Level. Users automatically inherit the
message applied to their User Setting Level. You can optionally display a message unique to a User.
To modify the login message for a User or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Main tab.
4. In the Login message list, click an option:
• Use Default. No additional message is added when a user logs in. The default message for a
successful login is:
230-Login OK. Proceed.
• Add to Default. This option places the default message on one line, then adds the message you
typed in the Login message box. For users, the message set at the User Setting Level is the
default.
• Replace Default. The server does not display the default message, but displays the message
you type in the Login message box. For users, the default is the message set at the User
Setting Level.
• None. No message appears when a user logs in.
5. Click Apply.
Maximum Connections Message
You can configure a site to allow only a specified number of maximum simultaneous connections. If you
choose this option, you can specify a message for users when the maximum simultaneous connections
number is exceeded.
To modify the Maximum Connections message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
4. In User limit message, type or paste the message to display if the maximum simultaneous
connections number is exceeded.
5. Click Apply.
Exit Messages
The Server can send an exit message when the client closes the session gracefully by using the FTP
QUIT command.
To modify the exit message
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Messages tab.
4. In the Exit message box, type or paste the exit message you want to display on exit.
5. Click Apply.
Specifying a PASV IP or PASV Port Range
If the Server is behind a firewall or NAT device, you may need to specify the Server's external IP
address or the range of ports the Server chooses from when issuing IP:PORT information to clients
in PASV replies.
To specify a PASV connection through a range of ports
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
4. Select the Assign PASV mode IP Address check box.
5. In the IP box, specify the Server's IP address as it should be seen by clients outside your network.
Note:
This usually applies to SSL sessions: the PASV reply travels inside the encrypted control channel,
so a NAT or firewall device cannot see and rewrite the Server's internal IP address. It also applies
when the NAT or firewall device is misconfigured. It is recommended that you first try connecting
to the Server with this field left as is.
6. In the Port Range boxes, specify the range of ports the Server uses for PASV connections.
Note:
This is used primarily to limit the number of ports used for the data connection portion of the FTP
session, especially when the firewall or NAT device has been configured to allow traffic only on
certain ports.
7. Click Apply.
Note:
If you specify a PASV mode port range, you must open the same range of ports on your firewall.
Allowing HTTP Transfers
To enable HTTP transfers at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. Select the Allow HTTP Transfers on Port check box, then provide the port number. The default
port number is 80.
5. Click Apply.
Note:
For a user to access the Server using HTTP, Allow access using HTTP protocol must be selected at
the user or user setting level.
Multi-Part Transfers
The Server supports multi-part transfers and can accept multi-part uploads from advanced FTP clients
such as CuteFTP Professional. The user must have appropriate privileges and be authorized to connect
multiple times concurrently. The connecting client takes care of most details, including splitting the file
apart, sending the multiple parts, and then requesting that the server to join them again upon receipt. The
COMB command joins the parts back together. The benefits of segmented (multi-part) and concurrent
delivery for accelerated transfers include:
•
Accelerate throughput and maximize available bandwidth available to the client by allowing
uploaded files to be split apart and transferred in multiple segments simultaneously.
•
Command can be toggled on or off.
The COMB command is a proprietary command and is neither defined nor endorsed by any FTP-related
RFC; however, the command can be integrated with other servers using the following syntax:
COMB <TF> <SF 1> … <SF n>
where
<TF> is the path to the target file, which will contain the combined data from the source parts.
<SF #> are the source files (parts).
That is, "combine n source files (SF 1...n) into one file (TF)."
• If the target file already exists, the server appends the source files to it.
• The server deletes all the source files once they have been combined successfully.
• All file names should be in quotation marks.
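As an added example (not the Server's own implementation), the following Python shows the server side of the COMB semantics listed above: quoted file names, appending when the target already exists, and deleting the parts only after a successful combine. It also includes the check any file-transfer server needs on every client-supplied path, that the resolved name stays under the site root, since a part name such as ../../x would otherwise let a user read and delete files outside the site. The site root, the part files and the CombError class are constructed for the example.

```python
import os
import re
import shutil
import tempfile

# A file name is either a double-quoted string or a run of non-blank characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


class CombError(Exception):
    """Raised for a malformed COMB line or an unsafe file name."""


def tokenize(line):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(line)]


def parse_comb(line):
    """COMB "<TF>" "<SF 1>" ... "<SF n>"  ->  (target, [parts])."""
    tokens = tokenize(line)
    if len(tokens) < 3 or tokens[0].upper() != "COMB":
        raise CombError("syntax: COMB <TF> <SF 1> ... <SF n>")
    return tokens[1], tokens[2:]


def resolve_inside(root, name):
    """Map a client-supplied name onto the site root and refuse anything that
    resolves outside it (the check a file server must make on every path)."""
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name.lstrip("/\\")))
    if os.path.commonpath([root, path]) != root:
        raise CombError(f"path escapes site root: {name}")
    return path


def handle_comb(root, line):
    """Append the parts to the target (creating it if absent), then delete the
    parts. Returns the target's final size in bytes."""
    target_name, part_names = parse_comb(line)
    target = resolve_inside(root, target_name)
    parts = [resolve_inside(root, p) for p in part_names]
    if target in parts:
        raise CombError("target cannot also be a source part")
    missing = [p for p in parts if not os.path.isfile(p)]
    if missing:
        raise CombError(f"missing part(s): {missing}")
    with open(target, "ab") as out:             # append if it already exists
        for part in parts:
            with open(part, "rb") as src:
                shutil.copyfileobj(src, out)
    for part in parts:                          # only after every part was copied
        os.remove(part)
    return os.path.getsize(target)


def demo():
    """Build a throwaway site root with three constructed parts, combine them,
    and confirm that a traversal attempt is refused."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Incoming"))
    for i, data in enumerate([b"abc", b"def", b"g"]):
        with open(os.path.join(root, "Incoming", f"big.bin.part{i}"), "wb") as f:
            f.write(data)
    size = handle_comb(root, 'COMB "/Incoming/big.bin" "/Incoming/big.bin.part0" '
                             '"/Incoming/big.bin.part1" "/Incoming/big.bin.part2"')
    with open(os.path.join(root, "Incoming", "big.bin"), "rb") as f:
        combined = f.read()
    parts_left = [n for n in os.listdir(os.path.join(root, "Incoming")) if ".part" in n]
    try:
        handle_comb(root, 'COMB "/Incoming/big.bin" "../../etc/passwd"')
        escaped = True
    except CombError:
        escaped = False
    shutil.rmtree(root)
    return size, combined, parts_left, escaped


if __name__ == "__main__":
    print(demo())
```

Two design points: the parts are only removed after the last byte has been copied, so a failure mid-way leaves the client able to retry; and the target is opened in append mode rather than rewritten, which matches the documented "append if it exists" rule but means a client that retries a whole COMB after a timeout can double the file, so a client should verify the final size.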
Connection Protocols
Protocols and Security
The Server supports the following protocols: FTP, FTPS, SFTP, HTTP, and HTTPS. The protocols are
configured and enabled/disabled at the Site level, at the User Setting Level, or per user.
FTP
The FTP protocol is an interactive file-transfer mechanism that enables file transfers between Internet
sites, or, more specifically, between two systems. It was created for transferring files independently of the
operating system used, for example between a Macintosh and Windows PC. FTP’s more notable features
include handling for specific error situations and ensuring that a file sent from point A to point B will get
there reliably.
The FTP protocol specification (RFC 959) was published many years ago when security was not a priority
issue. As security became a concern, secure mechanisms such as SSL and TLS were adapted to help
protect the FTP session from being intercepted or exploited. Secure FTP Server provides security with
FTPS (using SSL/TLS).
HTTP
HTTP is the communication protocol for establishing a connection with a Web server and transmitting
HTML pages to the client browser or any other files required by an HTTP client application.
HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and
server only for the immediate request, after which the connection is closed. Each time you need
something from the Server, your client (browser) makes a connection, gets that file, and then the
connection is closed. Since you do not connect and stay connected, the browser remembers your
username and password for you and resends the credentials with every new request. (With HTTP Basic
authentication those credentials are only base64-encoded, not encrypted, which is one reason to use
HTTPS.)
For example, when you put http://www.globalscape.com/gsftps/https.asp in your browser's address bar
and press ENTER, your browser uses HTTP as specified in the URL to send a command to the Server
running at the host name www.globalscape.com with the HTTP command "GET /gsftps/https.asp
HTTP/1.1," and the Server replies with that file (the HTML that makes up the page). In that page, there
are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a
separate connection to get each one of those resources.
How does HTTP support in Secure FTP Server differ from a typical Web Server?
Secure FTP Server is primarily a file transfer server, not a Web server. This means it is not meant to
"serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web
browser). However, there are provisions for transferring files in the HTTP protocol, which is a
convenience when a connecting partner, customer, or employee does not have an FTP client installed,
but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX
control or Java applet).
When the Server is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload)
or GET (download) files to the Server, provided the client supports both of these HTTP commands. Most
Web browsers only support the GET command or, if they support the PUT command, they provide no
interface for browsing to the user's local file system in order to select and upload (PUT) files onto the
Server. A few dedicated clients (such as CuteFTP Professional) and various thin clients (based on
ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to
transfer files to the Server in both directions.
HTTP Limitations in Secure FTP Server
• The Server allows you to customize messages sent by the Server upon connection, login,
maximum connections reached, and disconnect (for FTP sessions). Due to the nature of the
HTTP protocol, custom login messages are not displayed for connecting HTTP clients.
• Another limitation of HTTP is that after a connection is established, the browser sees the Server's
root folder instead of the user's home folder. A workaround is to set up a distinct Site for HTTP
sessions.
• Microsoft Internet Explorer browsers that have installed MS04-004 Cumulative Security Update
for Internet Explorer (832894) no longer support URLs that contain user name information
(http://user:password@host/), even though they are properly formed URLs. This problem is unique
to Internet Explorer, and does not affect the other major browsers. For more information, refer to
http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp.
• If you create an Event Rule that sends a notification email for each successful login event, an
email is sent every time a user connected through HTTP changes directories. This is a result of
HTTP being a stateless protocol (the credentials are resent and re-validated on every request) and
can result in a large volume of notification emails even when performing typical directory browsing.
HTTPS
HTTPS is the protocol for accessing a secure Web server when authentication and encrypted
communication are possible. Using https in the URL instead of http directs the request to a secure
port number rather than the default Web port number of 80; the default TCP/IP port for HTTPS is 443.
The session is then managed by a security protocol: HTTPS encrypts the session data using the SSL
(Secure Socket Layer) protocol, giving reasonable protection from eavesdroppers and man-in-the-middle
attacks, provided the client verifies the Server's certificate.
Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection
from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate
and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be
established. All data passing from one side to the other will be encrypted. Only the client and the Server
will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.
The following elements work together to establish a secure HTTPS connection:
Client: The client must have SSL capabilities.
Certificate: Certificates are digital identification documents that allow both servers and clients to
authenticate each other. A certificate file has a .crt extension. Server certificates contain information
about your company and the organization that issued the certificate (such as Verisign or Thawte) while
client certificates contain information about the user and the organization that signed the certificate. You
can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by
the Server's certificate in order to establish an SSL connection.
Session Key: The client and the Server use the session key to encrypt data. It is created by the client
and sent to the Server encrypted with the Server's public key.
Public Key: The client encrypts the session key with the Server's public key. It does not exist as a
separate file, but is embedded in the certificate when a certificate and private key are created.
Private Key: The Server's private key decrypts the session key sent by the client. The private key has a
.key extension and is the other half of the public-private key pair.
Certificate Signing Request: A certificate signing request is generated each time a certificate is created.
A certificate signing request has a .csr extension. This file is used when you need to have your certificate
signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to
replace the unsigned certificate.
Note:
In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should
connect using standard requests (i.e. https://domain_name). You can configure the Server to provide
connecting clients with a certificate, and even require that the client provide a certificate upon
connection (to validate the client's identity further).
FTPS, SSL, and TLS
FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure
sockets. FTPS adds SSL security to both the command and data channels. FTPS is also known as FTP-SSL
and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS: SSL was standardized
by the IETF as Transport Layer Security (TLS), its successor, and the two names are often used
interchangeably. The Server employs SSL/TLS to perform FTPS to keep your data secure.
Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection
from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate
and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be
established. All data passing from one side to the other will be encrypted. Only the client and the Server
will be able to decrypt the data.
The Server supports SSL for client and server authentication, message integrity, and confidentiality. You
can configure the Server's security features to verify users' identities, to allow users to verify your
identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the
elements that take part in the process.
Elements that Work Together to Establish a Secure SSL Connection
• Client: The client needs to be an FTP client with SSL capabilities.
• Certificate: Certificates are digital identification documents that allow both servers and clients to
authenticate each other. A certificate file has a .crt extension. Server certificates contain
information about your company and the organization that issued the certificate (such as Verisign
or Thawte) while client certificates contain information about the user and the organization that
signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the
client's certificate must be signed by the Server's certificate in order to open an SSL connection.
• Session Key: The client and the Server use the session key to encrypt data. It is created by the
client and sent to the Server encrypted with the Server's public key.
• Public Key: The client encrypts the session key with the Server's public key. It does not exist as a
separate file, but is embedded in the certificate when a certificate and private key are created.
• Private Key: The Server's private key decrypts the session key sent by the client. The private key
has a .key extension and is the other half of the public-private key pair.
• Certificate Signing Request: A certificate signing request is generated each time a certificate is
created. A certificate signing request has a .csr extension. This file is used when you need to
have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate
is made and can be used to replace the unsigned certificate.
SSL must first be enabled at the Site and Server level, and then can be enabled per User Setting Level
and User. The Server provides administrators the ability to specify the symmetric key cipher(s) and the
ordering of those ciphers for establishing SSL sessions. The Server validates inbound SSL sessions, and
allows or denies connections based on specified or approved ciphers.
Secure FTP Server supports two levels of authentication with SSL:
• High - The server is configured so that it contains a certificate, but does not require a certificate
from the FTP client.
• Highest - The server is configured so that it provides a certificate and requests a certificate from
the client. The server compares the client certificate to a list contained in its Trusted Certificates
database. The server either accepts or rejects the connection based upon a match.
SFTP (SSH)
Note:
The SFTP module is optional in Secure FTP Server (FIPS) and requires purchase of an SFTP
Module License.
SFTP is an FTP-like protocol that runs over the SSH protocol (SSH1 and SSH2) for its security. When a
client makes an SFTP (SSH2) connection to Secure FTP Server, two components or layers are involved:
the Transport layer and the Authentication layer.
Transport Layer
When a user first attempts to connect to your SFTP site, the user's client software and the server
negotiate which key-exchange method, which Message Authentication Code (MAC), and which encryption
algorithm (cipher) to use, and whether the transmission is to be compressed.
Once the algorithms are chosen:
1. The Server sends its host public key to the client, which checks it against the host keys it already
trusts (its known-hosts list).
2. The client and the Server run a Diffie-Hellman key exchange (RFC 4253) and each derives the
session key from it; the session key itself is never transmitted.
3. The Server signs the exchange hash with its host private key and the client verifies that signature
with the host public key, which proves the Server's identity.
4. From that point, all transmitted data is encrypted with the session key and integrity-protected with
the negotiated MAC.
Authentication Layer
After the Transport Layer is established, the server attempts to authenticate the client.
There are two methods the Server can use for authentication.
• Public Key Authentication Method: publickey
To use this method, the client needs a private key and a public key, and the Server must already hold
a copy of the user's public key.
1. The client asks the user for a passphrase to unlock the private key.
2. The client sends the public key to the Server, which checks it against the keys registered for that
user.
3. In SSH2 (RFC 4252) the client proves possession of the private key by signing the session
identifier and the authentication request; the Server verifies the signature with the public key and
allows the connection. (SSH1 instead encrypts a random challenge with the public key and expects
the client to decrypt it and send it back.)
• Password Authentication Method: password
Using this method, the client sends its password to the Server. The client does not need to encrypt
the password explicitly, because the Transport Layer described above already encrypts everything it
carries. With this type of authentication, the connection fails if the Transport Layer cannot encrypt
the data.
After the encryption method is established and authentication is complete, the two systems are ready
to exchange secure data. The client opens the SFTP subsystem over the encrypted channel, the Server
responds, and the user can then transfer files securely.
Explicit Versus Implicit SSL
Netscape originally developed Secure Socket Layer (SSL) for secure Web browsing. When both a client
and server support the AUTH SSL command security is accomplished through a sequence of commands
passed between the two machines. The FTP protocol definition provides at least two distinct mechanisms
by which this sequence is initiated: explicit (active) and implicit (passive) security.
Explicit Security: In order to establish the SSL link, explicit security requires that the FTP client issue a
specific command to the FTP server after establishing a connection. The default FTP server port is used.
This formal method is documented in RFC 2228.
Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP
client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client
(990) to be used for secure connections.
Note:
Implicit SSL is discussed in various SSL drafts but is not formally adopted in an RFC. For strict
compliance to standards, use the explicit method.
Because implicit SSL has a dedicated port strictly used for secure connections, implicit SSL connections
require less overhead when you establish the session. A variety of FTP servers support this mode.
You can think of implicit security as "always on" and explicit security as "turn on." The following diagram
contrasts implicit and explicit SSL connections.
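The explicit sequence (AUTH TLS, then PBSZ 0, then PROT P before any data transfer) and the implicit variant (TLS is up before the first command) can be expressed as a small state machine over the control channel. The following Python is an added example, not Secure FTP Server code: the reply codes follow RFC 2228 and RFC 4217, the command set is a constructed subset, and the site setting that refuses clear-text data connections with a 521 reply is an assumption for illustration.

```python
class FtpsControlChannel:
    """Security state of one FTP control connection.

    Explicit mode (port 21) starts in clear text and the client must issue
    AUTH TLS; implicit mode (port 990) is secured before the first command.
    In both modes PBSZ must precede PROT, and the data channel protection
    level defaults to C (clear) until the client sends PROT P."""

    DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

    def __init__(self, implicit=False, require_protected_data=True):
        self.tls = implicit            # control channel currently under TLS
        self.pbsz_set = False          # PBSZ accepted since AUTH
        self.prot = "C"                # data channel: P (private) or C (clear)
        self.require_protected_data = require_protected_data

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH":
            if self.tls:
                return "534 control channel is already secured"
            if arg not in ("TLS", "SSL"):
                return "504 security mechanism not supported"
            self.tls = True            # TLS handshake happens right after 234
            return "234 AUTH command OK, proceed with negotiation"
        if verb == "PBSZ":
            if not self.tls:
                return "503 issue AUTH first"
            self.pbsz_set = True       # TLS is a stream: buffer size is always 0
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.tls:
                return "503 control channel is not protected"
            if not self.pbsz_set:
                return "503 issue PBSZ first"
            if arg not in ("C", "P"):
                return "536 requested PROT level not supported"
            self.prot = arg
            return f"200 protection level set to {arg}"
        if verb == "CCC":
            if not self.tls:
                return "533 control channel is not protected"
            self.tls = False           # back to clear text; PROT for data is kept
            return "200 command channel cleared"
        if verb in self.DATA_COMMANDS:
            if self.require_protected_data and self.prot != "P":
                return "521 data connection cannot be opened with this PROT setting"
            return "150 opening data connection"
        return "200 ok"


def run_script(lines, **kwargs):
    """Feed a constructed client script through one channel; return the replies."""
    channel = FtpsControlChannel(**kwargs)
    return [channel.handle(line) for line in lines]


if __name__ == "__main__":
    explicit = ["PBSZ 0", "AUTH TLS", "PROT P", "PBSZ 0", "LIST", "PROT P", "LIST"]
    for cmd, reply in zip(explicit, run_script(explicit)):
        print(f"{cmd:<8} -> {reply}")
```

The check worth noting is the 521 reply: a client that negotiates AUTH TLS but never issues PROT P gets an encrypted command channel and a clear-text data channel, so file contents still cross the network unprotected. CCC, conversely, returns the command channel to clear text (which lets a NAT device rewrite PASV replies again) while the data protection level stays where PROT left it.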
SSL Certificates
The key to understanding how SSL works is to understand the elements that take part in the process. A
key element of SSL is the SSL certificate. A public-key certificate, usually just called a certificate, is a
digitally signed document that ties the value of the public-key to the identity of the Server service that
holds the corresponding private key.
Typically, a certificate contains the following information:
• The Server's public key value, which the clients use to encrypt a session key. (The client and the
server use the session key to encrypt data.) This public key does not exist as a separate file, but
is embedded in the certificate when a certificate and private key are created.
• The Server's identifier information, such as the name, email address, common (domain) name, and
other details.
• The validity period (the length of time that the certificate is considered valid).
• Issuer or signer identifier information.
• The digital signature of the issuer, which attests to the validity of the binding between the server
public key and the organization's identifier information.
There are many certificate types or standards, with the Server supporting the most common ones. The
Server can import into its certificate store any client-provided certificate of type PKCS #7 or PKCS #12,
or an X.509 certificate in DER encoding. For the certificate that the Server itself provides (to the
connecting client during the SSL handshake), it supports X.509 and PKCS #12 only. Note that PKCS #12
embeds both the certificate AND the private key into a single file, so a PKCS #12 file must be protected
like a private key. The default type created by the Server is an X.509 DER certificate, base64-encoded
(PEM format).
Before a certificate can be used for securing connections, it must be created (generated) and signed (or
vouched for). Certificates can be created directly from the Server, or by a trusted Certificate Authority
(CA), which is an independent and trustworthy entity responsible for issuing and managing digital
certificates, including revocation of certificates that are expired or are otherwise unauthorized. Once
created, a certificate should be signed. By digitally "signing" a newly issued certificate, the signer
guarantees the authenticity of the data held in the signee’s certificate. The Server can sign its own
certificates; however, it is recommended that the certificate be signed by a trusted 3rd-party CA.
When generating a new certificate, the Server creates a self-signed certificate and a certificate signing
request (or CSR) file that you can send to a CA for signing and then import into the Server.
Files created by the Server:
• Private key file (.key) - The private key should never be distributed to anyone. It is used to
decrypt the session key that the client encrypted with the public key.
• Certificate request file (.csr) - Each time you create a certificate using the Server, a certificate
request file is also created. This file can be signed by the Server's Certificate Signing Utility or
sent to a commercial certificate authority such as GeoTrust, Verisign (www.verisign.com), or
Thawte (www.thawte.com) for signing.
• Certificate file (.crt) - This is a self-signed certificate. To obtain a 3rd-party signed certificate, you
must send the certificate signing request file to a Certificate Authority (CA) such as Verisign,
GeoTrust, or Thawte. The CA in turn will send you a new .crt file with which you can replace your
self-signed one.
SSL Certificate Chain-of-Trust
Trust in a certificate is established when you have a copy of the signing certificate in your certificate store
(for example, the Server's store, or Internet Explorer's Trusted Root Certification Authorities store for
clients). The certificate does not necessarily have to be signed by a root CA; it can be signed by a
subordinate (intermediate) CA, as long as there is a valid certification path from the signing certificate
to a trusted root certificate, meaning that none of the certificates in the certification path has been
revoked or has expired.
Note:
The Server supports one level of trust when requiring certificates from connected SSL clients. That
is, if certificate A is trusted, then certificate B signed by certificate A is also trusted. However, if
certificate C is signed by certificate B, then certificate C is not trusted.
FTP Commands Supported
Below is the list of FTP commands that the Server supports and will give a known response to, followed
by a few commands that it recognizes but answers with the error message "202 Command not
implemented, superfluous at this site."
For more information about these FTP commands, see RFC 959 at http://faqs.org/rfcs/rfc959.html.
Command   Description
ABOR      Abort a file transfer.
ALLO      Allocate sufficient storage space to receive a file.
          Syntax: ALLO size [R max-record-size]
APPE      Append data to the end of a file on the remote host.
          Syntax: APPE remote-filename
AUTH      Initiate an SSL/TLS-encrypted session (explicit FTPS, RFC 4217), for example AUTH TLS.
CCC       Clear Command Channel: after the control channel has been protected by AUTH, revert it to
          plaintext (RFC 4217). The data-channel protection level set with PROT is not affected, but
          every later command, including the addresses in PORT and PASV replies, is visible on the
          network. Use it only where a NAT device or firewall must read the control channel.
CDUP      Change working directory to the parent of the current directory.
COMB      Combine file segments into a single file on the server.
CWD       Change working directory.
          Syntax: CWD remote-directory
DELE      Delete a remote file.
FEAT      List the FTP extensions that the server supports (RFC 2389).
HELP      Display a list of all available FTP commands.
LIST      Send a list of file names and details.
MDTM      Display the date/time the file was last modified, in the format YYYYMMDDhhmmss: YYYY is the
          four-digit year, MM the month (01-12), DD the day of the month (01-31), hh the hours (00-23),
          mm the minutes (00-59), and ss the seconds (00-59).
MKD       Create (make) a remote directory.
MLSD      Display a machine-readable list of a remote directory's files and subdirectories.
MLST      Display detailed, machine-readable information about a file or directory.
MODE      Set the mode in which data is transferred: S (Stream), B (Block), or C (Compressed). The
          default mode is Stream. Only S and Z ("MODE Z", deflate compression) are supported.
NLST      Send a list of file names only (no details).
NOOP      Do nothing; often used to keep the session alive.
OPTS      Specify optional parameters for a command that supports them. "OPTS MLST ..." and
          "OPTS MODE Z LEVEL x" (x = 1-9) are supported.
PASS      Send the password.
          Syntax: PASS password
PASV      Enter passive mode.
PBSZ      Protection Buffer Size (RFC 4217). For TLS the only meaningful value is 0; whatever value the
          Server receives, it sets the buffer size to 0. PBSZ must follow AUTH and precede PROT.
PORT      Specify the host and port to which the server should connect for the next data transfer.
PROT      Set the protection level for data transfers (RFC 4217). PROT P encrypts the data channel;
          PROT C sends data in the clear. Without PROT P, file contents travel unencrypted even though
          the login itself was encrypted.
PWD       Display the current directory (print working directory).
QUIT      Close the connection and terminate the FTP session.
REIN      Reinitialize the connection, discarding the current user/password/account information.
REST      Set the offset at which a file transfer should start.
          Syntax: REST position
RETR      Begin transmission of a file from the server. Must be preceded by either a PORT command or a
          PASV command to indicate where the server should send the data.
          Syntax: RETR remote-filename
RMD       Delete the named directory on the server.
          Syntax: RMD remote-directory
RNFR      Rename from (followed by an RNTO command that gives the new name).
          Syntax: RNFR from-filename
RNTO      Rename to (after an RNFR command has named the file to rename, this command gives the
          new name).
          Syntax: RNTO to-filename
SITE      Site-specific commands.
          Syntax: SITE site-specific-command
SIZE      Display the size of a file.
          Syntax: SIZE remote-filename
SSCN      Extension for secure site-to-site transfers.
STAT      Display server status.
          Syntax: STAT [remote-filespec]
STOR      Begin transmission of a file to the server. Must be preceded by either a PORT command or a
          PASV command so the server knows where to accept the data.
          Syntax: STOR remote-filename
STOU      Begin transmission of a file to the server; the server stores it under a name that is unique in
          the current directory.
SYST      Reply with the string "215 UNIX Type: L8".
TYPE      Set the type of file to be transferred.
          Syntax: TYPE type-character [second-type-character]
          type-character is A (ASCII text) or I (image, binary data). The optional second character
          specifies how text is interpreted: N (Nonprint, not destined for printing; the default if omitted),
          T (Telnet format controls <CR>, <FF>, etc.), or C (ASA carriage control).
USER      Send the user name.
          Syntax: USER username
XCUP      Same as CDUP.
XCWD      Same as CWD.
XMKD      Same as MKD.
XNOP      Same as NOOP.
XPWD      Same as PWD.
XRMD      Same as RMD.
XCRC      Compute the CRC32 checksum of the specified file.
The following commands are recognized, but not supported:
Command   Description
ACCT      (Account) Send account information.
SMNT      (Structure mount) Mount a different file system data structure without altering login or
          accounting information.
STRU      (File Structure) Set the file transfer structure.
SFTP
Enabling SFTP on the Site
To enable SFTP
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Select the Enable SFTP (SSH2) access check box.
5. Click Create to create a site key pair. The Create SSH2 Public/Private Keypair dialog box
appears.
6. Type a name for the key pair, the location to store it, then click Finish. The Server generates and
stores the key pair.
7. In the Use encryption algorithms list, select the check boxes for the algorithms you want to
allow for encrypting SFTP sessions.
8. In the Use MAC algorithms list, select the check boxes for the algorithms to use for message
authentication.
9. Click Apply. A message appears telling you the site must be restarted for the changes to take
effect. Click Yes.
If you want to change the SFTP port, click the Connection Options tab and specify the port number next
to Enable SFTP (SSH2) access on port. (22 is the default port for the SFTP protocol.)
SFTP Transport Layer Settings
Message Authentication Codes (MACs) are keyed hash algorithms used to confirm that each SSH packet has
not been altered between the client and server.
To select Message Authentication Codes (MAC)
1. In the Administrator, connect to the server, then click the Server tab. SFTP should be enabled.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. In the Use MAC algorithms list, choose any or all of the four options:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
The -96 variants truncate the authentication tag to 96 bits. HMAC-MD5 is not a FIPS 140-2 approved
algorithm; for a FIPS-compliant configuration enable only the hmac-sha1 variants.
5. Click OK. Per RFC 4253, the MAC used for a session is the first algorithm in the client's preference list
that is also enabled on the Server; the Server's own ordering of the list does not influence the choice. If
the two lists have nothing in common, the connection fails.
SFTP Algorithms
To specify encryption algorithms (ciphers)
1. In the Administrator, connect to the server, then click the Server tab. SFTP should be enabled.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. In the Use encryption algorithms list, select any or all encryption methods:
• aes128 - Advanced Encryption Standard (AES) block cipher (FIPS 197) using 128-bit keys. FIPS
140-2 approved.
• ARCFOUR - Arcfour is a stream cipher intended to be compatible with RC4, a cipher trademarked
by RSA Security. It uses a 128-bit key. Well-known keystream biases make it the weakest choice in
this list; it is not FIPS-approved.
• cbc - Cipher Block Chaining, the mode in which the block ciphers in this list are used: each
plaintext block is combined with the previous ciphertext block before encryption, so blocks must
be decrypted in the correct order and a damaged block corrupts the one that follows it.
• CAST128 - The CAST-128 block cipher (RFC 2144) using 128-bit keys. Not FIPS-approved.
• Triple DES (3DES) - Applies DES three times with three independent 56-bit keys (168 key bits,
carried in 24 bytes including parity), giving roughly 112 bits of effective security. 3DES is
FIPS-approved, but it is the slowest cipher in this list and has a 64-bit block, so prefer AES
where clients support it.
• Blowfish - A public-domain block cipher designed by Bruce Schneier as a DES replacement; the
SSH variant uses a 128-bit key. It provides good security but is not FIPS-approved.
• Twofish - Schneier's successor to Blowfish and an AES finalist; the Server recognizes Twofish
with 128- and 256-bit keys. It is comparable in strength to AES but is not FIPS-approved.
For a FIPS-compliant configuration, enable only aes128 and Triple DES.
5. Click OK. As with MACs, the cipher used is the first algorithm in the client's preference list that the
Server has enabled, so a permissive list lets a legacy client negotiate a weak cipher even when AES
is also available.
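Step 5 of both procedures above describes the Server trying each selected algorithm until one is agreed; what actually decides the outcome is the RFC 4253 negotiation rule. The following Python example is added here and is not product code: it implements that rule for the cipher and MAC lists, with a helper that trims an enabled-algorithm list to its FIPS-approved members. The SSH wire names used for the options in the SFTP Settings tab (aes128-cbc, arcfour, cast128-cbc, 3des-cbc, blowfish-cbc, twofish128-cbc, twofish256-cbc and the four MAC names) and the client preference lists are assumptions I constructed for the illustration.

```python
"""SSH transport negotiation (RFC 4253 section 7.1) against the SFTP Settings lists.

Added illustration, not Secure FTP Server code. The wire names below are my
mapping of the options in the SFTP Settings tab (CBC mode for each block
cipher), and FIPS_APPROVED is my reading of FIPS 140-2: AES, Triple DES and
HMAC-SHA-1 are approved; arcfour, CAST, Blowfish, Twofish and HMAC-MD5 are not.
"""

SERVER_CIPHERS_ALL = ["aes128-cbc", "arcfour", "cast128-cbc", "3des-cbc",
                      "blowfish-cbc", "twofish128-cbc", "twofish256-cbc"]
SERVER_MACS_ALL = ["hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"]

FIPS_APPROVED = {"aes128-cbc", "3des-cbc", "hmac-sha1", "hmac-sha1-96"}


def fips_only(algorithms):
    """Trim an enabled-algorithm list to its FIPS-approved members, keeping order."""
    return [a for a in algorithms if a in FIPS_APPROVED]


def negotiate(client_prefs, server_enabled):
    """RFC 4253: the chosen algorithm is the first name in the CLIENT's list
    that the server also lists. The server's ordering carries no weight."""
    enabled = set(server_enabled)
    for name in client_prefs:
        if name in enabled:
            return name
    return None   # nothing in common: the SSH connection is torn down


def negotiate_session(client_kexinit, server_ciphers, server_macs):
    """Choose cipher and MAC for a session; None if either negotiation fails."""
    cipher = negotiate(client_kexinit["ciphers"], server_ciphers)
    mac = negotiate(client_kexinit["macs"], server_macs)
    if cipher is None or mac is None:
        return None
    return {"cipher": cipher, "mac": mac}


# Constructed KEXINIT preference lists of an older client that prefers speed.
LEGACY_CLIENT = {"ciphers": ["arcfour", "blowfish-cbc", "aes128-cbc"],
                 "macs": ["hmac-md5", "hmac-sha1"]}


if __name__ == "__main__":
    print("all enabled:", negotiate_session(LEGACY_CLIENT, SERVER_CIPHERS_ALL, SERVER_MACS_ALL))
    print("FIPS only  :", negotiate_session(LEGACY_CLIENT, fips_only(SERVER_CIPHERS_ALL),
                                            fips_only(SERVER_MACS_ALL)))
```

With every box ticked, the legacy client ends up on arcfour with hmac-md5 even though aes128 is enabled; with the FIPS-only lists it lands on aes128-cbc and hmac-sha1. Real SSH negotiates the client-to-server and server-to-client directions separately, but the same rule applies to each.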
Assigning a Site's IP Address and Port
A Site's IP address is specified when it is created. You can define a listening port number and IP address
for each Site. The default for FTP Sites is 21. You can specify any value between 1 and 65,535. You can
change the Site's IP address and port using the procedure below.
Warning:
Assigning a port number below 1024 may lead to conflicts with other programs running on your
computer.
To change the listening (incoming) IP address and/or port
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Site Options tab.
4. In the Home IP list, click the IP address for the site.
5. Click Apply.
6. Click the Connection Options tab.
7. In the FTP box, specify the port number.
8. Click Apply.
Creating SSH2 Public/Private Keypairs
When a client opens an SFTP connection, the Server sends its public host key, and the client compares the
key's fingerprint with the one it has recorded to verify that it is talking to the genuine Server. You can
create the necessary key pair with the Server and use the same key pair for several Sites, or create
separate key pairs for individual Sites. Publish the public key's fingerprint to your users over a separate
channel so that they can verify it on first connection.
To create a key pair
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the main menu, click Tools, then click SSH2 Key Pair Generation Wizard.
• On the Site's SFTP tab, next to the Site Key Pair box, click Create.
The Create SSH2 Public/Private Keypair wizard appears.
3. Specify a key pair name and location to store it, then click Next. The password page of the wizard
appears.
4. Provide and confirm the passphrase. The passphrase cannot contain more than 256 characters,
cannot consist only of spaces and periods, and cannot contain the following characters:
• / (forward slash)
• \ (back slash)
• [ (left bracket)
• ] (right bracket)
• ; (semicolon)
• : (colon)
• | (pipe)
• = (equal sign)
• , (comma)
• + (plus sign)
• ? (question mark)
• < (left angle bracket)
• > (right angle bracket)
• { (left curly brace)
• } (right curly brace)
5. Click Finish. While the Server is creating the key, the Generating Key Pair message appears,
then a confirmation message appears.
6. The confirmation message displays the location and file names of the key pair files. Click Yes, to
continue or No if you do not want to add the public key to the SFTP key manager.
7. If you click Yes, the Add key to storage dialog box appears.
8. Provide a descriptive name for the public key, then click OK. The new key will now appear in the
SSH Key Manager.
Note:
To use the key for other sites, rather than click Create, in the Site key pair box of the SFTP
Settings tab enter or browse to the path where you stored the key.
Allowing Access Using SFTP Password Authentication
SFTP is configured and enabled at the Site level. You can also disable and enable SFTP access at User
Setting Level and user level.
To allow users to connect using SFTP
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Security tab.
4. In the SFTP Settings area, click one of the following authentication methods:
• Specified in Settings Level - (Only an option for users.) Use whatever is specified at the User
Settings Level (the default).
• Password only - Require the user to authenticate with a password.
• Public key only - Require the user to prove possession of the private key that matches a public
key registered for that user; no password is used. If this is selected, you must also select the
user's public key from the respective drop-down list (keys are registered in the SSH Key Manager).
• Public key & Password - Require both the key-based proof and the password. If this is selected,
you must also select the public key in the Select public key list that appears.
5. Click Apply.
Note:
If the check box is grayed out, the user is inheriting the permission or requirement from the User
Settings Level.
Viewing, Importing, Renaming, and Deleting Client Keys
SFTP/SSH Keys defined for a Site appear in the SSH Key Manager. The SSH Key Manager displays
the key name, fingerprint, and username assigned.
To view, import, rename, or delete keys
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the SFTP Settings tab.
4. Click Key Manager. The SSH Key Manager appears.
• Name - displays the name of the key. When a key is imported, no assigned usernames are
displayed.
• Fingerprint - displays the fingerprint of the key, a hash of the public key that you can compare
against the value the key's owner reports.
• Assigned - displays the username(s) assigned to the key. Multiple usernames are separated by
commas.
5. Do one of the following:
• To sort keys, click the Name or the Fingerprint column.
• To import keys, click Import, then browse for and select the key. You can import any .pub file
accessible from the computer on which the Administrator is installed. Confirm the fingerprint with
the key's owner over a separate channel before assigning the key to an account.
• To delete a key, click the key in the list, then click Delete.
• To rename a key, click the key in the list, then click Rename, or press F2.
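Both the key-pair procedure above (the Server presents its host key, which clients identify by fingerprint) and the Key Manager's Fingerprint column rely on the same value: a hash over the public-key blob stored in the .pub file. The following Python script is an added example, not code from Secure FTP Server. It parses an OpenSSH single-line .pub entry (the format is an assumption; an RFC 4716 file would need its base64 body extracted first), computes the MD5 colon-hex and SHA256 fingerprints the way OpenSSH does, and reads the RSA modulus size so that an import can reject weak keys. The embedded key is a constructed toy RSA key with a 512-bit modulus, built inline so the script runs offline; it is not a real key and must not be used as one.

```python
"""SSH public-key fingerprints for .pub files like those the SSH Key Manager imports.

Added illustration, not product code. The key material below is constructed:
a toy modulus, not a product of two primes, used only so the script runs offline.
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """RFC 4251 'mpint' for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_pub_line(e, n, comment="toy@example"):
    """Encode (e, n) as an OpenSSH 'ssh-rsa AAAA... comment' line (RFC 4253 6.6)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pub_line(line):
    """Return (key_type, blob) from a .pub line; raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():   # blob must repeat the declared type
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_md5(blob):
    """Legacy OpenSSH/PuTTY style: 16 colon-separated hex bytes of MD5(blob)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Modern OpenSSH style: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_modulus_bits(blob):
    """Bit length of the RSA modulus, so imports can refuse keys below a policy minimum."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) < 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big").bit_length()


def acceptable(blob, minimum_bits=2048):
    """Policy check a Key Manager import could apply before assigning the key."""
    return rsa_modulus_bits(blob) >= minimum_bits


# Constructed toy key: 512-bit modulus, far below any sensible minimum.
TOY_PUB = build_rsa_pub_line(65537, (1 << 511) + 12345)


if __name__ == "__main__":
    kind, blob = parse_pub_line(TOY_PUB)
    print(kind, rsa_modulus_bits(blob), "bits; acceptable:", acceptable(blob))
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
```

The fingerprint that a user should read back to you (from ssh-keygen -l or their client's key dialog) is the hash of exactly this blob, so a mismatch means a different key, not a formatting difference; the size check is the part the GUI import does not do for you.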
SSL
Enabling FTPS and HTTPS (SSL) at the Site Level
The Server lets you configure SSL at four levels: on all Sites, on a single Site, at the User Setting Level,
and per user, or with any combination of these. SSL must first be enabled at the Site and Server level; it
can then be allowed or denied per User Settings Level and per user.
To enable SSL at the site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. To allow both standard FTP connections and SSL connections, select the Enable FTP access
on port check box, and specify the port number. Clear the Enable FTP access on port check
box to allow only SSL connections to the Site.
Note:
If you clear Enable FTP access, you must enable one or more of the other connection options
or no one will be able to connect to the site.
5. To allow SSL connections over HTTPS, select the Allow HTTPS transfers on port check box
and specify the port number. (The default is 443.)
6. To allow FTPS (SSL), select the Allow implicit FTPS (SSL) on port check box and specify the
port number.
7. To allow FTPS (SSL/TLS), select the Allow explicit FTPS (SSL/TLS) on default FTP port
check box and specify the port number.
Note:
If the Allow implicit FTPS (SSL) on port check box is selected, you can change the implicit SSL
port. The default port is 990, which is the port FTP clients that support implicit SSL normally use.
8. In the SSL Certificate Options area, specify the Certificate file path and Private Key file path.
If you used the Create SSL Certificate Wizard and selected the Set up Server to use the
generated certificate check box, then the Certificate and Private Key file paths will already be
completed. Otherwise, choose the files using the associated folder icon.
9. Specify the Private Key Passphrase. The passphrase was defined when the certificate was
created. An incorrect passphrase generates errors when you select Apply.
10. Select or clear Require certificates from connecting clients:
• If it is cleared, clients that support SSL can connect to the Server without supplying a
certificate; the Server authenticates itself to the client, but the client is authenticated only by
its user name and password.
• If it is selected, FTP clients requesting an SSL connection must present a certificate before the
Server will allow them to connect. The client certificate must be in the Trusted Certificates
database or signed directly by a certificate in the Trusted Certificates database (the Server
checks only one level, as described under SSL Certificate Chain-of-Trust). A client presenting a
certificate that does not meet those conditions is denied, but its certificate is placed in the
Pending Certificates database, from which you can later add it to the Trusted Certificates
database. A client that presents no certificate is denied.
11. Click Apply to save the changes.
Disabling SSL Connections
You can disable SSL support for every user on the Server by disabling SSL support at the Site level, or
you can disable SSL for a specific user or User Setting Level.
To disable SSL connections for a site on the Server
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. Select Enable FTP access and specify the port to use, if different from the default. Be aware that
this leaves only cleartext FTP on the Site: user names, passwords, and file contents are then sent
unencrypted.
5. Clear BOTH the Allow explicit FTPS (SSL) and Allow implicit FTPS (SSL) check boxes.
6. Click Apply.
Note:
If SSL connections are disabled at the Site level, they are also disabled for all User Setting Levels
and users on the Site.
To disable SSL connections for a user or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right-hand pane, click the Security tab.
4. If you also want to block SFTP for the user, clear the Allow access using SFTP protocol check
box. (SFTP runs over SSH, not SSL, so this step is independent of the SSL settings.)
5. Clear the Allow access using SSL over FTP protocol check box.
6. Click Apply.
Creating Certificates
A self-signed certificate contains a public key, information about the owner of the certificate, and the
owner's signature. It has an associated private key, but it does not verify the origin of the certificate
through a third-party certificate authority.
To achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively.
A certificate on the client must be associated with the Server in order to initiate an SSL connection. When
you are administering the Server on the local computer, you can create certificates using the Certificate
Creation Wizard (Tools, then click Certificate Creation Wizard) or import your own. There are three
types of files associated with an SSL certificate key pair:
• Private key file (.key) - The private key must never be distributed to anyone. The Server uses it in
the SSL handshake to prove that it holds the key matching the certificate (with RSA key exchange,
by decrypting the pre-master secret the client encrypted with the public key). Anyone holding the
.key file and its passphrase can impersonate the Server.
• Certificate request file (.csr) - Each time you create a certificate using the Server, a Certificate
request file is also created. It contains the public key and the subject information, not the private
key, so it can be sent to a certificate authority without special protection. This file can be signed
by the Server's Certificate Signing Utility or sent to an intermediate certificate authority, such as
GeoTrust, for signing.
• Certificate file (.crt) - A signed certificate, whether self-signed or signed by a certificate authority.
For maximum compliance with security standards, you should use a trusted authority-signed SSL
certificate. You can import certificates or use this wizard to create your own. The private key (.key) and
certificate request (.csr) files are created at the same time. You are prohibited from creating certificates
for the Server while remotely administering the Server because this action can create a security breach.
Any certificates you create remain on the computer on which you created them, unless you take special
steps to deliver and associate these files with another computer.
To create an SSL certificate
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the main menu, click Tools, then click Certificate Creation Wizard.
• On the toolbar, click the New SSL Certificate icon.
The Create SSL Certificate wizard appears.
3. In the Certificate name box, specify the name of the certificate that will be generated.
4. In the Output Location box, specify the path to the folder in which the certificate is to be saved.
The wizard saves the .key, .csr, and .crt files in this folder.
Note:
If you are purchasing a signed certificate from a certificate authority (CA), you usually need to
send the CA the contents of the request. Locate the .csr file, open it in a text editor, then copy and
paste the contents into the CA's submission form or an email. Send only the .csr; never send the
.key file.
5. In the Expiration Date box, specify how long the certificate is to remain valid.
6. In the Passphrase and Confirm passphrase boxes, type the passphrase used to encrypt the
private key. The passphrase can be any combination of characters or spaces. Do not lose the
passphrase; the certificate is useless without it.
7. In the Key Length (in bits) box, specify the key length: 512, 1024, 2048, or 4096 bits. Smaller
keys are faster, larger keys are more secure. Use at least 2048 bits: 512-bit RSA keys can be
factored with modest resources, and NIST SP 800-131A disallows 1024-bit RSA for digital
signatures, so a 512- or 1024-bit key undermines the FIPS posture of the Server.
8. Click Next. The Certificate Information page appears. Each of the boxes must be completed
before continuing. The information you provide is stored in the certificate.
9. In the City/Town box, provide the name of your city, town, or other locality.
10. In the State/Province box, provide the name of the state or province.
11. In Organization box, provide the name of your organization, or any other designator.
12. In the Common Name box, provide the common name or fully qualified domain name, such as
www.globalscape.com. (Typically, the name or domain name associated with the Site.)
13. In the E-Mail box, provide your email address in the format username@domain.com.
14. In the Unit box, type any other information about your organization, such as department name.
15. In the Country box, provide the 2-letter ISO country code using uppercase letters.
16. Click Next. The Certificate Options page appears.
17. If Use this certificate for server authentication is cleared, the wizard saves only the certificate
files in the folder you previously specified. If selected, the wizard associates the certificate to the
administration service or a site(s) you specify.
Note:
Associating a new certificate with a site requires a restart of the site, and any active users will
be disconnected, so it is recommended that you associate certificates when Sites are inactive
or stopped.
18. If Add this certificate to the Trusted Certificate list is selected, the wizard adds the certificate
to the Trusted Certificates database. Use this feature if you are creating certificates for user
distribution. You can limit Server access to just the users that have the certificate. You can verify
the addition to the Trusted Certificate database by clicking Tools, then Certificate Manager, or
on the toolbar, click the Certificate Manager icon
19. In the Apply certificate to list, specify the component of the Server affected.
20. Click Finish.
Selecting a Certificate
To assign a certificate you have created or obtained to a site
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. Select the Enable explicit SSL connection check box or the Enable implicit SSL connection
check box or both.
5. In the Certificate file path box, specify the certificate file to use.
6. Select the private key by clicking the browse button next to the Private Key file path.
7. Enter the Private Key Passphrase. The passphrase must match the passphrase that was used
when creating the certificate.
8. Click Apply.
Signing a Certificate
The Server can sign certificate requests created by other clients. Typically, the client certificate request is
signed with the certificate created for the server. If a certificate from the Server's Trusted Certificates
database is used to sign client certificates, then all certificates you sign are automatically trusted.
To sign a certificate request
1. Obtain the Certificate Signing Request file (.csr). This can be done through email or any other file
delivery method.
2. In the Administrator, connect to the server, then click the Server tab.
3. On the main menu, click Tools, then click Certificate Signing Utility, or click the Certificate
Signing Utility icon. The Certificate Signing Utility dialog box appears.
4. In the Client certificate request box, click the folder icon to browse for and click the Certificate
Signing Request (.csr) file you want to sign.
5. In the Output path box, specify a folder in which to save the signed certificate (.crt) file, if
different.
6. In the Resulting certificate expiration date box, click the down arrow to specify an expiration
date.
7. In the Signing certificate box, specify the certificate. This certificate must be in your trusted
certificate database in order for clients submitting the signed certificate to connect to the Site.
8. In the Private key box, specify the private key file (.key) associated with the Server certificate.
9. In the Passphrase box, provide the passphrase associated with the Server certificate.
10. Click OK. The new certificate is saved in the folder you specified.
11. Return the certificate file (.crt) to the user.
Trusted Certificates
If you require certificates from connecting clients before they can connect, then their certificate must be in
the Trusted Certificates Database or signed by a certificate in the Trusted Certificate Database.
The Certificate Manager is used to manage the SSL certificates for a Site.
To open the Certificate Manager
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Tools, then click Certificate Manager, or click the Certificate Manager
icon on the toolbar. The Certificate Manager appears.
• To view all of the certificates for a Site, click the Site down arrow to select the Site. The
certificates for the selected Site appear in the Trusted Certificates and Pending Certificates lists.
• To view the properties of a certificate, click the certificate in the list, then click Properties. The
Certificate Contents dialog box appears, showing the Issuer and Subject information and the
dates the certificate is valid.
• To import certificates for a Site, see Importing a Certificate.
• To export certificates from a Site, see Exporting a Certificate.
• To remove a certificate from the Trusted Certificates or Pending Certificates list, click Remove.
• To create a new certificate, see Creating Certificates.
Importing a Certificate
To import a certificate to a Site
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Tools, then click Certificate Manager. The Certificate Manager
appears.
3. In either the Trusted Certificates or Pending Certificates list, click Import.
4. Browse to the folder that contains the client's certificate file and click the file.
Note:
The Server can import a digital certificate from the following formats: PEM, Base64 Encoded
X509, DER Encoded X509, PKCS#7, PKCS#12.
The Private Key associated with the digital certificate must be in one of the following formats:
PEM, DER, PKCS#8, PKCS#12.
5. Click Open. The Server automatically detects the certificate format. If the Server is unable to
determine the format, or if the import fails, you can manually convert a digital certificate to one of
the above formats and import it. Consult the distributor/vendor of your certificate for details on this
process.
The certificate is added to the Trusted Certificates database. Clients submitting that certificate are now
able to connect to the Server.
Exporting a Certificate
To export a certificate from the database
1. In the Administrator, connect to the server, then click the Server tab.
2. Click Tools, then click Certificate Manager from the menu. The Certificate Manager dialog box
appears.
3. In either the Trusted Certificates or Pending Certificates list, click Export, and browse to the
folder where you want to save the certificate file.
4. Type a name for the certificate file, then click Save.
Importing Certificates from Microsoft IIS 5
To use a certificate that you are using in IIS 5 you must:
1. Add a Certificate Snap-in to your Microsoft Management Console.
2. Export the certificate from IIS 5.
3. Import the certificate into the Server.
To add the certificate "Snap-in"
1. On the computer containing the certificate you want, select Start, then Run, and then type mmc
to open the Microsoft Management Console.
2. On the Console menu, click File, then click Add/Remove Snap-in.
3. Click Add. The Add Standalone Snap-in dialog box appears.
4. Click Certificates, then click Add.
5. Click Computer account, then Next.
6. Click Local computer, then Finish.
7. Close the Add Standalone Snap-in dialog.
8. Click OK on the Add/Remove Snap-in dialog.
To export the certificate from IIS 5
1. Under the Tree tab in the Microsoft Management Console, expand the Certificates node.
2. Click the Personal folder and then the certificate you want to export.
3. On the Action menu click All Tasks>Export.
4. Click Next.
5. Click Yes, export the private key, then click Next.
6. Click Personal Information Exchange - PKCS #12 (.PFX) and then click Next.
7. Type and confirm a password to protect the exported private key, then click Next. The wizard
creates a .pfx file; you will need this password when importing the file into the Server.
To import the certificate into the Server
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Connection Options tab.
4. To allow FTPS (SSL), select the Allow implicit FTPS (SSL) on port check box and specify the
port number.
5. To allow FTPS (SSL/TLS), select the Allow explicit FTPS (SSL/TLS) on default FTP port
check box and specify the port number.
6. In the Certificate file path box, click the folder icon to browse to and click the .pfx file you
created.
7. In the Private key file path box, click the folder icon to browse to and click the same .pfx file
(a PKCS#12 file carries both the certificate and the private key).
8. In Private key Passphrase, type the password you set when exporting the .pfx file.
9. Click Apply. A message appears prompting a Site restart.
Site-Level Transfer and Connection Settings
Setting Maximum Concurrent Logins
You can set the maximum number of connections to the Server at the Site level. With multiple Sites, this
means that some Sites can allow more users than other Sites.
To restrict the number of user logins
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max concurrent logins check box, then specify the maximum number of simultaneous
logins the Site accepts across all users. If the box is cleared, the Server does not restrict the
number of logins.
5. Click Apply.
Setting Maximum Connections per User (Site Level)
You can set the maximum number of simultaneous connections for a user at the Site, User Setting Level,
or per user.
Note:
The Site level sets the limit for all sub levels. For example, if the Site level Max connections per
user is 5, and a user's Max connections per user is set to 10, the user can still only connect to the
Server 5 times simultaneously.
To set maximum connections per user at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max connections per user check box, then type or use the arrows to select a
number. If the box is cleared, a user can create an unlimited number of concurrent connections to
the Site (or according to the limits defined at the User or User Setting Level).
5. Click Apply.
Setting Maximum Connections per IP for a Site
You can set the maximum number of simultaneous connections emanating from the same IP address at
the Site, User Setting Level, and per user.
Note:
The Site level sets the limits of the User and User Setting Levels.
To set maximum connections from the same IP address at the Site level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. Select the Max connections from same IP check box and type the maximum number of
simultaneous connections you want to allow from the same IP address.
5. Click Apply.
Banning Unwanted File Types
The Server can block the upload or download of certain files. You can specify which files to block using
wildcards or exact file names.
For example, to block a file called virus.wav, you can type any of the following:
virus.wav (blocks only that specific file)
*.wav (blocks all .wav files)
*.wa? (blocks all files whose extension is "wa" followed by exactly one more character, such as .wav or .war)
Note:
Take care when defining files to block with wildcards so that you do not block files that you want to allow. A pattern matches only the name as written: *.exe, for example, does not match a file named setup.exe.txt.
To ban files
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. In the right pane, click the Advanced tab.
4. In the Banned File Types area, select the Exclude the following files from the site check box,
then type the filename or wildcard representation (*.mp3 or *.mp?) for the file(s) you want to
exclude from the Site. Separate multiple entries with commas.
5. Click Apply.
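Because a wildcard list is easy to get wrong in both directions, it is worth dry-running it before clicking Apply. The following is an added example written for this guide, not GlobalSCAPE code, and not a statement of how the Server matches names internally: it applies ordinary glob semantics (* and ?) to a comma-separated list exactly as it would be typed into the Banned File Types box, and reports names you meant to allow that would be blocked and names you meant to block that slip through. Case-insensitive matching is an assumption (the Server runs on Windows); the sample file names are constructed.

```python
import fnmatch
from typing import List, Optional


def parse_banned_list(spec: str) -> List[str]:
    """Split the comma-separated text typed into the Banned File Types box."""
    return [p.strip() for p in spec.split(",") if p.strip()]


def is_banned(filename: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern that blocks filename, or None.

    Matching is case-insensitive here; that the Server also ignores case is
    an assumption, not documented behaviour.
    """
    name = filename.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None


def audit_patterns(spec: str, must_allow: List[str], must_block: List[str]) -> List[str]:
    """Dry-run a banned list against names you intend to allow and names you
    intend to block; return a line describing every mismatch."""
    patterns = parse_banned_list(spec)
    problems = []
    for name in must_allow:
        hit = is_banned(name, patterns)
        if hit is not None:
            problems.append("%r would be blocked by %r" % (name, hit))
    for name in must_block:
        if is_banned(name, patterns) is None:
            problems.append("%r is not matched by any pattern" % name)
    return problems


if __name__ == "__main__":
    # Constructed sample: the *.wa? pattern from the text plus *.exe.
    spec = "*.wa?, *.exe"
    allow = ["archive.war", "notes.txt"]                              # .war is caught by *.wa?
    block = ["virus.wav", "song.WAV", "setup.exe", "setup.exe.txt"]   # double extension slips past *.exe
    for line in audit_patterns(spec, allow, block):
        print(line)
```

Run it against the list you are about to apply; an empty result means every name in both lists behaves as you intended.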
Creating and Configuring Users and User Setting Levels
How User Setting Levels Work
Every client account or user must be a member of a User Setting Level. User Setting Levels exist within
a Site. A User Setting Level consists of a group of security and access-control settings used as a template.
Each new user is assigned to a User Setting Level whose settings determine how the Server resources
may be used. One User Setting Level might be quite restrictive, while another might allow more access to
resources. For example, power users would be assigned to a setting level allowing greater flexibility in
using the Server resources while guest users would be assigned to a more restrictive level where use of
the Server resources is very limited. User Setting Levels allow an administrator to make changes at the
User Setting Level that affect all users within the level. The basic profile of individual users can also be
changed (overriding the template). Users can also be moved between User Setting Levels; users that are
moved inherit the properties of the new User Setting Level, but retain any modifications (overrides) made
by the administrator.
The Server installs with one User Setting Level named Default Settings. Additional User Setting Levels
can be added to define access to the Server resources for various types of users. You cannot delete the
Default Settings User Setting Level when it is the only User Setting Level.
Note:
User Setting levels apply to the Server resources. Permissions assigned to Groups control access to
folders on your system.
Creating User Setting Levels
You can create one or more user setting levels before or after creating users and subsequently assign
users to the desired user setting level. This allows you to control the server’s resources while still giving
your users the flexibility they need to transfer essential files.
To create a new User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu click Configuration, then click Create New User Setting Level. The Create
New User Setting Level dialog box appears.
3. In the Site box, click the down arrow to select a Site.
4. In the User setting level box, type a name for the new User Setting Level.
5. Optionally, type a Description for the User Setting Level.
6. Click OK. The new User Setting Level appears under the User Setting Levels node.
7. Click the new User Setting Level, then click the Main tab.
8. The User Setting Level is enabled by default. To disable it, clear the Enable this settings level
check box.
9. If this is to be the default settings level, click Set as default. The Site name in the tree becomes
bolded.
10. In the Description box, type a description (optional).
11. See Specifying a User's Home Folder for details about specifying the home folder for all users in
this User Setting Level.
12. In the Login message box, click the appropriate action from the drop-down menu above the text
box, then, if necessary, edit the Login Message in the text box. The available actions include:
• Use default - Use the default login message (specified in the Default Settings node of the User Setting Levels).
• Add to default - Add the message in the text box to the default login message.
• Replace default - Replace the default login message with the message in the text box.
• None - Do not display a login message.
13. Select the Restrict IP Access check box if you want to use the TCP/IP Access Restrictions
area to restrict access to the Server by IP address. See Controlling Access by IP Address for
details of using this feature.
14. Click the Security tab. For information about the settings on this tab, see:
• Security Options
  o Disconnecting problem users
  o Allowing users to change their passwords
  o Allowing users to verify file integrity
  o Restricting User to a Single IP Address
• Protocol permissions:
  o Enabling and Managing Connection Protocols
15. Select the Quota tab. For information about the settings on this tab, see:
• Transfer Limits:
  o Setting maximum transfers per session
  o Setting maximum transfer size
• Connection:
  o Enable Time Out
  o Setting maximum transfer speeds
  o Setting maximum connections per IP
  o Setting maximum connections per User
• Disks Quota:
  o Configure user disk quotas
16. Click Apply to save the changes.
Inheritance
A user initially shares the settings of the User Setting Level in which the account was created. When you
view user properties, inherited settings are marked by gray check boxes. You can override inherited
settings by clearing or selecting the check box.
The check boxes toggle through three settings:
• Inherited - A gray check box means no changes have been made by the administrator to the setting
inherited from the User Setting Level. This is a neutral indicator and simply means the user's setting
is the same as the User Setting Level's for that option.
• Overridden, allowed - A black check mark indicates that the administrator has overridden this
inherited setting. This setting is enabled for the user even if it is disabled in the User Setting Level.
• Overridden, not allowed - A blank check box means the administrator has overridden this inherited
option. This setting does not apply to the user, even if it is enabled in the User Setting Level.
You can change a user’s User Setting Level by dragging and dropping the user into a different level. The
account's inherited settings change to reflect the settings of its new User Setting Level; however, if an
account contains modified (overridden) settings and is moved to a new User Setting Level, those
modifications remain in effect at the new User Setting Level.
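The three check-box states, the Site cap on numeric limits described under Setting Maximum Connections per User, and what survives when a user is dragged into another User Setting Level can all be expressed as one small resolver. The code below is an added example for this guide, not GlobalSCAPE code and not the Server's implementation: it models a level as two dictionaries (tri-state flags and optional numeric limits), resolves an option by walking user, then User Setting Level, then Site, and caps limits with the Site value. The fallback when no level sets a flag, and the option names, are assumptions; the sample hierarchy is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

INHERIT = None  # the gray check box: no override at this level


@dataclass
class Level:
    """One node in the chain Site -> User Setting Level -> user.

    flags  : security check boxes. True/False are administrator overrides,
             INHERIT means "same as the parent level".
    limits : quota spin boxes. An int is an explicit value, None means the
             box is cleared at this level.
    """
    name: str
    flags: Dict[str, Optional[bool]] = field(default_factory=dict)
    limits: Dict[str, Optional[int]] = field(default_factory=dict)


def check_box_state(level: Level, option: str) -> str:
    """What the Administrator shows for one option at one level."""
    v = level.flags.get(option, INHERIT)
    return "gray" if v is INHERIT else ("checked" if v else "blank")


def effective_flag(option: str, site: Level, usl: Level, user: Level,
                   default: bool = False) -> bool:
    """Walk user -> User Setting Level -> Site; the most specific override wins.
    If no level sets the option, fall back to `default` (an assumption)."""
    for level in (user, usl, site):
        v = level.flags.get(option, INHERIT)
        if v is not INHERIT:
            return v
    return default


def effective_limit(option: str, site: Level, usl: Level, user: Level) -> Optional[int]:
    """The user's (else the User Setting Level's) value applies, but the Site
    value caps it: Site 5 and user 10 gives 5. None means unlimited."""
    chosen = None
    for level in (user, usl):
        if level.limits.get(option) is not None:
            chosen = level.limits[option]
            break
    site_cap = site.limits.get(option)
    if chosen is None:
        return site_cap
    if site_cap is None:
        return chosen
    return min(chosen, site_cap)


if __name__ == "__main__":
    # Constructed sample hierarchy.
    site = Level("Site", limits={"max_connections_per_user": 5})
    power = Level("Power Users", flags={"enable_sftp": True, "allow_xcrc": True},
                  limits={"max_connections_per_user": 10})
    guests = Level("Guests", flags={"enable_sftp": False})
    jsmith = Level("jsmith", flags={"allow_xcrc": False})  # overridden, not allowed
    print(check_box_state(jsmith, "enable_sftp"), effective_flag("enable_sftp", site, power, jsmith))
    print(effective_limit("max_connections_per_user", site, power, jsmith))
    # Drag jsmith into Guests: inherited values change, the override stays.
    print(effective_flag("enable_sftp", site, guests, jsmith),
          effective_flag("allow_xcrc", site, guests, jsmith))
```

The point to take from the move case is that an override recorded on the user is sticky: if jsmith was individually denied XCRC in Power Users, moving the account into a level that allows it does not re-enable it, and the only way to see that is the blank (not gray) check box on the user.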
Adding Users to a Site
To add a new user to a site
1. In the Administrator, connect to the server, then click the Server tab.
2. On the main menu, click Configuration, then click Create New User. The New User Account
Setup dialog box appears.
3. In the Site list, click the Site to which you want to add a user.
4. Provide the new user's First Name and Last Name. The Server creates a Username in the
format of [First_Initial_Last_Name]. You can overwrite this.
5. Provide and confirm the User password.
6. In the Password Type drop-down list, click one of the following:
• Standard - A plain text password is required.
• Anonymous - Any password, including nothing, allows an anonymous connection.
• Anonymous (Force Email) - Any well-formed email address is the password.
• OTP S/KEY MD4 - Used for logging in to an OTP-enabled server.
• OTP S/KEY MD5 - Used for logging in to an OTP-enabled server.
7. (Optional) In the Description box, type descriptive details of the user (e.g., Paris Office).
8. Click Next.
9. In the Place user in the following User Setting Level list, specify which User Setting Level to
assign the user.
10. Select both Create user home folder and Grant FULL permissions check boxes to create a
user folder located in the Site root folder and to give the user full permissions to that folder.
11. Click Next.
12. By default, all new Users are members of the All Users group. On the Setup user groups page,
double-click the left- or right-facing arrows to add/remove the new user to/from Groups.
13. Click Finish to create the new user account.
Specifying a User's Home Folder
You can specify the user's login folder at User Setting Level or per user. This is typically set at the user
level, but the User Setting Level can override the user setting.
When you create a Site and select the Auto assign home folders to newly created users check box,
each user account that is created will have a home folder added as a subfolder of the home folder for the
User Setting Level to which the user is added. So, for example, if you add a user jsmith to the User
Setting Level "Power Users," and that User Setting Level's home folder has a path of /Usr/Power Users/
in the VFS, then this new jsmith account will be generated with a home folder in the Server's VFS of
/Usr/Power Users/jsmith. This is the default behavior when creating a user within the Administrator,
This is the default behavior when creating a user within the Administrator; you can change it when the
Site is created. The same applies when a user is created through the COM interface, or when the Server
queries Active Directory, LDAP, or ODBC in real time, finds that an account is a valid user but not yet on
the Server, and adds it: a home folder is created as a subfolder of the home folder for the User Setting
Level to which the user is added.
For Sites that use NTLM/AD authentication, if the user account has a Home Folder defined by the AD
administrator, then the Server's VFS will not create a physical folder for the new user, but instead creates
a virtual folder that points to the path specified in Active Directory for the home folder for that user
(sometimes called a roaming profile). Therefore, if jsmith exists on the AD controller as a valid user with a
home folder mapped to \\192.168.20.19\common_file_share\jsmith, then when jsmith becomes a new
user on the Server (using the same path/User Setting Level from the above example), then jsmith will be
assigned the home folder /usr/Power Users/jsmith which is a virtual folder pointing to
\\192.168.20.19\common_file_share\jsmith.
To set a user's home folder
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user you want to configure.
3. In the right pane, click the Main tab.
4. Select the Home folder check box. The Home folder box becomes editable.
Note:
If you want to ensure that the User Setting Level is not controlling the user's home folder, clear
the Home folder check box at the User Setting Level.
5. Click the folder icon next to the Home folder box. The Browse dialog box appears.
6. Click the folder in which you want the user's folder placed, then click OK.
Note:
If you type or paste a path in the Home folder box, the Server does not verify that the folder
exists.
7. To make the home folder the user's root folder, click the Treat home folder as default root
folder check box.
Note:
When the Treat home folder as default root folder check box is cleared, if you built the Site
with the defaults, the user's root folder is /Usr/<username>. If the check box is selected, the
user cannot browse above their home directory.
8. Click Apply to save the changes on the Server.
Enabling or Disabling a User Setting Level or User
When you disable a User Setting Level, you disable any users in that User Setting Level that are not
enabled independently of the User Setting Level.
When you disable users, their accounts and user folders are not removed, allowing you to easily enable
or disable the account as needed.
To enable or disable a User Setting Level or user
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to enable/disable.
3. In the right pane, select the Main tab.
4. Do one of the following:
• To disable the User Setting Level or user, clear the Enable this settings level (for a User Setting Level) or Enable this user account (for a user) check box.
• To enable the User Setting Level or user, select that check box.
5. Click Apply. In the left pane, a red "X" appears over the User Setting Level or user icon that is
disabled.
Expiring a User Account
You can specify a user account to expire on a specific date. Expired accounts are not removed from the
Server; they can be enabled at any time.
To disable a user on a specific date (account expiration)
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User account for which you want to set an expiration date.
3. In the right pane, click the Main tab.
4. Select the Expire this account after check box, then click the down arrow to select an expiration
date.
5. Click Apply to save the changes on the Server. On the specified date, a red "X" appears over the
user icon in the left pane, and the User account is disabled.
To enable an expired account
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user account that you want to enable.
3. In the right pane, click the Main tab.
4. Clear the Expire this account after check box and select the Enable this user account check
box.
5. Click Apply to save the changes on the Server. The red "X" disappears over the user icon in the
left pane.
Enabling and Managing Connection Protocols
FTP, HTTP, SFTP, and SSL connections are configured at the Site level and can be enabled at the Site
or User Setting Level, or per user.
To enable a connection protocol for a User Setting Level or a user
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to configure.
3. In the right pane, click the Security tab.
Note:
If the check box contains a gray check mark, the user or User Setting Level is inheriting permission
from the parent level.
4. Do one or more of the following:
• To allow/disable FTP access, select/clear the Enable FTP check box.
• To allow/disable HTTP access, select/clear the Enable HTTP check box.
• To allow/disable SSL access, select/clear the Enable SSL over FTP and HTTP protocols check box, then do the following:
  a. In the Authentication mode list, specify whether users are to connect using Public key only or Password only.
  b. If you chose Public key only, in the User Certificate list, click the certificate.
• To allow/disable SFTP access, select/clear the Enable SFTP protocol check box, then do the following:
  a. In the Authentication mode list, specify whether users are to connect using Password only, Public key only, or Public Key & Password.
  b. If you chose Public key only or Public Key & Password, in the Authentication key list, click Edit List. The SFTP Public Key Select dialog box appears. The SFTP Public Keys that are defined for this Site appear in the dialog box. If no keys appear, see SFTP.
  c. In the List of keys box, double-click the key(s) to use, or click each key, then click Add. The selected key(s) appear in the Keys valid for client list.
  d. Click OK to close the SFTP Public Key Select dialog box. The selected key(s) appear in the Authentication key list.
5. Click Apply to save the changes.
HTML Listing and Upload Form
The Server provides a built-in upload form, which uses the POST method, that automatically displays in
the browser when the user accesses a directory (folder) to which they have upload permission.
To upload a file, users click Browse to find the file on their computer, then click Upload. The file is placed
in the folder they are currently browsing. Limitations of the upload form include:
• Inability to mass transfer files
• Inability to rename or delete files
• Inability to create folders
• Minimal customization
When HTTP transfers are enabled, a user has permissions to upload using HTTP, and that user
navigates with a browser to the specified address, the HTML Listing and Upload form appears. This form
allows the user to upload and download files from the Server. Typically, the user is only given access to
his or her home directory. Users can enter a direct path (UNC is supported if the operating system the
user is using also supports it) or they can select Browse and locate the file with the browser's standard
file dialog. Note that this upload form limits the user to uploading one file at a time.
Note:
This feature is available if you have the HTTP/S module.
The look and feel of the HTML Listing and Upload Form can be customized by modifying the cascading
style sheet (CSS) used to format the Web page. You can change options such as the background color
(and/or image), fonts used (including specifying font sizes and styles, etc), link colors and decoration, and
more.
To customize the HTML Listing and Upload Form
1. On the Server computer, create a CSS file using your favorite text editor and name it
"htmllisting.css."
Note:
You can copy and paste the example script below into a text editor, then edit the formatting as
needed. The BODY tag defines the background color, H1 defines the size and color of the URL (in
this example, 127.0.0.1), and so on.
2. Save the file in a location where the browser can find it. If Treat home folder as default root folder is
selected for the user accessing the upload form, the home folder is that user's root folder, and
htmllisting.css must be placed in the folder designated as the home folder.
The example style sheet script below changes the background and font style/color of the Upload Form.
BODY
{ background-color:#9bb2c9;
background-image:url(logo.gif);
background-repeat:no-repeat;
background-position: 14px 10px;}
H1
{ font:18px arial;
font-weight:bold;
line-height:20px;
color:#295d97;
text-align: center;}
PRE
{ font: 14px arial;
font-weight:normal;
line-height:20px;
color: #295d97;}
FORM
{ font:12px arial;
font-weight:normal;
line-height:20px;
color:#295d97;
text-align: center;}
EM
{ font:10px arial;
font-weight:bold;
line-height:20px;
color:#295d97;
text-align: center;}
A {color: #0a4966; text-decoration: none; }
A:HOVER {color : #ffffff; text-decoration: none;}
A:ACTIVE {color : #0066cc;}
Restricting Users to a Single IP Address
You can configure a User Setting Level or user to allow connection to a specific IP address. (Wildcards
and ranges are not accepted.)
To restrict users to a single IP address
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User Setting Level or user that you want to configure.
3. In the right pane, click the Security tab.
4. Select the Restrict to this IP check box and enter the IP address.
5. Click Apply.
Changing a User's Password
You can change a user's password from within the Administrator.
To change a user's password
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the account that you want to configure.
3. In the right pane, click the Main tab.
4. Click Change Password. The Change User Password dialog appears.
5. Enter and confirm the password.
6. In the Password Type list, click one of the following:
• Standard - A plain text password is required.
• Anonymous - Any password, including nothing, allows an anonymous connection.
• Anonymous (Force Email) - Any well-formed email address is the password.
7. Click OK.
8. Click Apply to save the changes on the Server.
Accelerating Transfers with Mode Z
Mode Z compression compresses files on the fly for file transfers, saving bandwidth and improving
transfer times. The client must also support MODE Z to take advantage of this feature. If MODE Z is
enabled, the server will listen for MODE Z requests, then enable it for subsequent transfers from the client
that requested it.
To allow a client to use Mode Z compression
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Security tab.
4. Select the Allow MODE Z Compression check box.
5. Click Apply.
Configuring User Information
The account-specific details associated with a particular user, such as phone number, pager, and email
address, are configured on the Details tab of a selected user. Some of these fields (such as the email
address) can be used in other areas (such as the Event Rules) to notify the user of a completed
transaction.
To configure User information
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user you want to configure.
3. In the right pane, click the Details tab.
4. Complete each box as needed. (All boxes are optional, and there are no checks for formatting or
characters.)
5. Click Apply.
Allowing Users to Change their Passwords
You can allow users who connect to the Server to change their passwords. This can be configured at the
User Setting Level or the User level.
To allow or prohibit a user to change the password
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Security tab.
4. Do one of the following:
• To allow users to change their passwords, select the User can change password check box.
• To prohibit users from changing their passwords, clear the User can change password check box.
5. Click Apply.
Allowing Users to Verify File Integrity
Although TCP/IP checks that all packets are received, malformed packets or other mishaps can occur,
leading the FTP client to believe that a transfer was successful when it was not.
The Server's file integrity command is defined as XCRC. Once an XCRC enabled client performs a
transfer, it can request the server to do a checksum calculation on the file. If it matches the checksum on
the client, then the transfer is deemed successful. Performing XCRC checksum calculations is processor
intensive; enable or disable the feature accordingly.
XCRC is a proprietary command and is not defined or endorsed by any FTP-related RFC. Other servers that
want to implement this command can do so using the syntax described below.
XCRC <File Name>
XCRC <File Name>, <EP>
XCRC <File Name>, <SP>, <EP>
SP = Starting Point in bytes (from where to start CRC calculating)
EP = Ending Point in bytes (where to stop CRC calculating)
FTP Client Log Example
COMMAND:> XCRC "/Program Files/MSN Gaming Zone/Windows/chkrzm.exe" 0 42575
• SP and EP are optional parameters. If neither is specified, the CRC is calculated for the whole file. If only EP is specified, the CRC calculation runs from the beginning of the file to the EP.
• This command can be used for a single file at a time. It does not allow file lists as parameters.
• The standard CRC32 algorithm is used (for speed and efficiency).
• A client can invoke this command for uploads, downloads, and single and Multi-Part Transfers.
Server Reply                             Indicates
250 <XCRC>                               calculated CRC value
450 Requested file action not taken      file is busy
550 Requested action not taken           file is not found or has no read permission; or the SP or EP are not correct
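The syntax and reply table above are enough to write an interoperable handler and the matching client-side check. The code below is an added example for this guide, not GlobalSCAPE's implementation: the server side parses the three argument forms (accepting the comma separators from the syntax and the space separators seen in the client log), computes CRC32 over the requested byte range, and emits the 250/450/550 replies; the client side compares the reply with a local CRC. Two details the page leaves open are assumptions here: EP is treated as exclusive (the range is bytes SP up to but not including EP), and the CRC in the 250 reply is formatted as eight uppercase hexadecimal digits. The file contents and the "busy" set are constructed.

```python
import shlex
import zlib
from typing import Dict, FrozenSet, Optional, Tuple

REPLY_OK = "250 %08X"                           # CRC format is an assumption
REPLY_BUSY = "450 Requested file action not taken"
REPLY_FAIL = "550 Requested action not taken"


def crc32_range(data: bytes, sp: int = 0, ep: Optional[int] = None) -> int:
    """Standard CRC32 over data[sp:ep]; EP exclusive, defaults to end of file."""
    if ep is None:
        ep = len(data)
    return zlib.crc32(data[sp:ep]) & 0xFFFFFFFF


def parse_xcrc(command_line: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (filename, SP, EP) for the three documented forms; None when omitted.
    Raises ValueError on anything else (caller maps that to 550)."""
    body = command_line.strip()
    if body[:4].upper() != "XCRC":
        raise ValueError("not an XCRC command")
    # Comma or space separated; quoted names may contain spaces (see the log
    # example). File names containing commas are not supported by this parser.
    args = shlex.split(body[4:].replace(",", " "))
    if len(args) == 1:
        return args[0], None, None
    if len(args) == 2:
        return args[0], None, int(args[1])
    if len(args) == 3:
        return args[0], int(args[1]), int(args[2])
    raise ValueError("bad argument count")


def handle_xcrc(command_line: str, files: Dict[str, bytes],
                busy: FrozenSet[str] = frozenset()) -> str:
    """Server side: map one XCRC command line to its reply line."""
    try:
        name, sp, ep = parse_xcrc(command_line)
    except ValueError:
        return REPLY_FAIL
    if name not in files:               # not found / not readable
        return REPLY_FAIL
    if name in busy:
        return REPLY_BUSY
    data = files[name]
    sp = 0 if sp is None else sp
    ep = len(data) if ep is None else ep
    if not (0 <= sp <= ep <= len(data)):  # SP or EP not correct
        return REPLY_FAIL
    return REPLY_OK % crc32_range(data, sp, ep)


def client_verify(local_file: bytes, reply: str) -> bool:
    """Client side: the transfer is deemed successful only on a 250 whose CRC
    matches the CRC of the local copy."""
    if not reply.startswith("250 "):
        return False
    try:
        return int(reply[4:].strip(), 16) == crc32_range(local_file)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed server-side file set.
    FILES = {"/Usr/jsmith/report.bin": b"hello world"}
    reply = handle_xcrc('XCRC "/Usr/jsmith/report.bin"', FILES)
    print(reply, client_verify(b"hello world", reply))      # matching upload
    print(reply, client_verify(b"hello worlx", reply))      # one byte corrupted
    print(handle_xcrc('XCRC "/Usr/jsmith/report.bin", 0, 5', FILES))
    print(handle_xcrc('XCRC "/Usr/jsmith/report.bin" 20 5', FILES))
```

Note what XCRC does and does not give you: CRC32 detects the truncation and bit-flip cases the text describes, but it is not a cryptographic checksum, so it says nothing about deliberate tampering in transit; that protection comes from SSL or SFTP, not from XCRC.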
To enable file integrity (XCRC) checking
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Security tab.
4. Select the Allow XCRC command check box to enable XCRC file integrity checking.
5. Click Apply.
User-Level Transfer and Connection Settings
Setting Maximum Transfers per Session for a User
You can set a limit on the number of file transfers allowed per login session at the User Setting Level or
per user.
To set the maximum allowed transfers per session
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Uploads or Downloads per session check box and type a number. This number will
be the maximum allowed during the user's session.
5. Click Apply.
Setting Maximum Transfer Size for Users
The maximum transfer size limits the user to a specified number of upload or download kilobytes per
session. FTP does not send information to the Server regarding the number of bytes that a user sends.
A user can start a transfer of virtually any size; however, once the limit is reached, the Server will not
transfer the rest of the file.
To set the maximum upload size
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Max Upload/Download Size check box and specify the maximum amount of data (in
kilobytes) the user may transfer during a session.
5. Click Apply.
Setting Maximum Connections per IP
You can set the maximum number of simultaneous connections emanating from the same IP address at the
Site, User Setting Level, and User level.
Note:
The Site level sets the limits of the user and User Setting Levels.
To set maximum connections per IP at the user and User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the User or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Max connections from same IP check box, then specify the maximum number of
simultaneous connections to the Site from the same IP address. A gray check mark indicates the
selection is enabled at the parent level (User Setting Level or Site).
5. Click Apply.
Setting Maximum Connections per User
The maximum number of simultaneous connections for a User can be set at the Site, User Setting Level,
and User level.
Note:
The Site level sets the limits of the User and User Setting Levels. For example, if the Site level Max
connections per user is set to five, and a user's User level Max connections per user is set to
ten, the user can have a maximum of five simultaneous connections.
To set maximum connections per user account at the user and User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Max connections per user check box, then specify the maximum number of
simultaneous connections to the Site for this user. A gray check mark indicates the selection is
enabled at the parent level (User Setting Level or Site).
5. Click Apply.
Enabling Timeout
You can automatically disconnect users after a specified time of inactivity, set per user or at the User
Setting Level. The idle timeout setting applies across all connection protocols supported by the Server. If
a session has been idle for more than the specified timeout, the user has to log back in.
To set a maximum idle limit for a user or User Setting Level
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the User or User Setting Level you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Enable time out check box, then type or select the maximum allowable seconds of
inactivity allowed before the user is disconnected. (A gray check on a User account indicates the
account is inheriting parameters from the User Setting or Site level.)
5. Click Apply.
Note:
Many popular FTP clients have keep-alive functionality that attempts to issue do-nothing commands
such as NOOP in order to simulate user activity and prevent a time-out. If Block anti-timeout
schemes is enabled for the Server, such do-nothing commands are ignored and will not reset the
counter for the timeout limit.
Setting Maximum Transfer Speeds (User Level)
You can control a user's maximum transfer speeds at the Site, User Setting Level, or per user.
Note:
The Site level sets the limits of the User and User Setting Levels.
To configure maximum transfer speeds at the User and User Setting levels
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the user or User Setting Level that you want to configure.
3. In the right pane, click the Quota tab.
4. Select the Max transfer speed check box, then specify the maximum transfer speed (in Kilobytes
per second) the user is allowed.
5. Click Apply.
Monitoring User Connections
The Server can monitor user connections in real time, and record activity to a log.
To monitor a user connection
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the user connection that you want to monitor.
3. In the right pane, on the bottom toolbar, click Monitor User.
• In the left pane, the icon next to the user changes from a head to an eye.
• In the right pane, the connection activities are displayed.
4. Click Log Scrollback (lines) to specify the number of lines the log records; click Auto Scroll to
toggle automatic scrolling on or off.
5. To stop logging the user's activities, click Stop Monitor.
Creating and Configuring Groups
Permission Groups
Permission Groups set users' Virtual File System (VFS) permissions to files and folders. Just as User
Setting Levels control access to Server resources, such as bandwidth allowances and connectivity
privileges, the permission Groups control access to files and folders. The Server creates the following
default Groups for every Site: Administrative, All Users, and Guests. You can create new Groups
and/or modify the settings for the default Groups. Consider your security and access needs, configure
Groups according to those needs, then add users to the Groups based on the permissions that you want
to allow. The Groups node appears in the left pane under the Site node. You cannot move Groups
between Sites.
To view Group permissions
• In the Administrator, connect to the server, then click the VFS tab. The Permissions pane appears in the right pane.
Groups can provide the permissions shown below as implied by their name (i.e., the Upload File
permission allows users in the Group to upload files; the Delete Folder permission allows users in the
Group to delete folders).
The Inherit permissions from parent folder check box is not available when the parent folder is selected.
By default, the Administrative Group has every permission, the All Users Group has List file permission
and Show in List folder permission, and the Guests Group has Download and List file permission, and
Show in List folder permission.
Users' permissions are inherited from the Groups to which they belong. For example, if user jsmith is a
member of the Accounting, All Users, and HR Groups, their permissions are combined, giving jsmith
Delete, Append, Show in List, List, and Create permission.
For details of how permissions work, see The Virtual File System (VFS).
Creating Groups
You can create a permission group and add any users from the Site to a group. You can then grant
permission to folders by groups rather than granting permissions to each individual user.
To create a permission group
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the main menu, click Configuration, then click Create New Group.
• In the left pane, click Groups, then, in the right pane, click New.
The Create New Group dialog box appears.
3. In the Site box, click the down arrow to select the Site for which you want to create the new
Group.
4. Type a name for the Group in the Group Name box. For example, type Password Admins.
5. Click OK. The new group appears under the specified Site in the Groups node.
Deleting Groups
Deleting permission groups does not delete individual users.
To delete a group
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, right-click the Group you want to delete, then click Delete. A confirmation
message appears.
3. Click Yes. The users in the deleted Group retain membership in any other of their assigned
Groups and in the All Users Group.
Adding or Removing Users in a Group
You can add any user on a Site to any Group on the same Site. You cannot add users from one Site to
another Site.
Note:
If a user has no individual permissions for a folder and is a member of more than one Group, the
Server grants the union of those Groups' permissions, that is, the least-restrictive access to the folder.
Permissions set for the user individually outweigh all Group permissions. For example, if a user is a
member of three Groups that all have upload permission to a particular folder, but you have denied
that specific user permission to upload to the folder, then the user cannot upload to the folder. When
you audit who can write to a folder, check individual user entries as well as Group membership.
To move users into or out of a group
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Group you want to configure. The Group Membership tab appears.
3. In the right pane, double-click the user or use the arrows to move the user into or out of the
Group. (You can multi-select using SHIFT and CTRL.)
4. Click Apply.
The Virtual File System
Modifying VFS Permission
Any time a new folder is created, it inherits permissions from its parent folder. Using permission
inheritance, administrators can make global access changes by simply changing group access in a parent
folder.
You can modify a folder's permissions even while it is inheriting permissions from a parent folder.
To modify a permission
1. In the Administrator, connect to the server, then click the VFS tab.
2. Click a folder in the VFS structure.
3. Click an existing user or Group in the permissions list, or click Add to add a user or Group to the
selected folder.
4. With that user or Group selected, leave Inherit permissions from parent folder selected, then
select any additional permissions you want to grant.
Note:
Modifying a permission on a folder also changes that permission in every sub-folder for which the
Inherit permissions from parent folder check box is selected.
Disabling Inheritance in the VFS
You can override a folder's inherited settings by clearing the Inherit permissions from parent folder
check box. If you later decide you want the folder to inherit permissions again, simply select the Inherit
permissions from parent folder check box.
The following procedure describes how to stop a folder from inheriting its parent folder's permissions,
or how to make a single modified folder resume inheriting them.
To reset all subfolders of a particular parent folder to inherit permissions from that parent, see Resetting
VFS Folder Permissions.
To stop or force a folder from inheriting permissions
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, click the folder you want to configure.
3. In the right pane, the Inherit permissions from parent folder check box is selected by default.
Do one of the following:
• To force the folder to inherit permissions from its parent folder, leave (or select) the Inherit
permissions from parent folder check box.
• To stop the folder from inheriting permissions from its parent folder, clear the Inherit
permissions from parent folder check box. A message appears.
4. On the message that appears, click one of the following:
• Copy - duplicates the inherited permissions as the folder's own entries. You may later edit them;
until you do, the folder grants exactly what it granted before, so review the copied entries if the
goal was to tighten access.
• Remove - deletes all inherited permissions.
• Cancel - aborts the change and closes the message.
Creating a New Physical Folder
You can create a physical folder in the Virtual File System (VFS).
To create a new physical folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, click the folder in which you want to create a subfolder, then do one of the
following:
• Right-click the folder, then click New Physical Folder.
• On the toolbar, click the New Folder icon.
• On the main menu, click Configuration, then click New Physical Folder.
The Create Folder dialog box appears.
3. Type a name for the new folder, then click OK. The new folder appears in the tree.
Changing the Name of a Physical Folder
You can change the name of a physical folder on the Server but you cannot change the name of a virtual
folder.
To rename a physical folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, right-click the folder you want to configure, then click Rename Folder. The folder
name becomes selectable.
3. Type the new name and press ENTER.
Deleting a Physical Folder
When you delete a physical folder from within the Administrator, the folder and its contents are deleted
from the disk of the computer running the Server, not merely removed from the VFS.
To delete a physical folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, right-click the folder you want to delete, then click Delete Folder. A confirmation
message appears.
3. Click Yes.
Creating a New Virtual Folder
Virtual folders reference folders that already exist on the Server computer's hard drive. A virtual folder
name is only an alias for the real folder. When you create a virtual folder, you do not have to give it the
same name as the folder it references. Because a virtual folder exposes everything beneath its target,
point it at the narrowest folder that contains what users need.
To create a virtual folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, click the folder in which you want to add a virtual subfolder, then do one of the
following:
• Right-click the folder, then click New Virtual Folder.
• On the toolbar, click the New Virtual Folder icon.
• On the main menu, click Configuration, then click New Virtual Folder.
The New Virtual Folder dialog box appears.
3. In the Alias box, type a name for the folder.
4. In the Target box, specify the target folder by typing the path, or click the folder icon and
browse to the target folder.
5. Click OK. The new virtual folder appears in the tree with the name that you typed in the Alias
box, plus "Virtual" and the full path.
Deleting a Virtual Folder
When you delete a virtual folder, you merely delete a pointer, not the actual folder it references.
To delete a virtual folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, right-click the folder you want to delete, then click Delete Folder. A confirmation
message appears.
3. Click Yes.
Resetting VFS Folder Permissions
Resetting VFS folder permissions on a parent folder forces its subfolders to exactly mirror those
permissions. This simplifies the permissions status of these folders, making them more predictable.
Note:
Resetting from the parent differs from manually changing the inheritance setting of each subfolder: a
reset makes the subfolders mirror the parent exactly, whereas when you change a subfolder's
inheritance yourself you can choose either to mirror the parent folder's permissions or to keep the
permissions for any new Users and Groups you added to the subfolder while still mirroring the
permissions for all Groups in the parent folder.
To reset folder permissions from a parent folder
1. In the Administrator, connect to the server, then click the VFS tab.
2. In the left pane, right-click the parent folder you want to configure, then click Reset Subfolders.
3. Click OK.
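The permission rules in this chapter are easier to reason about as one model than as separate procedures: the union of Group permissions and the individual-user override described in the Note under Adding or Removing Users in a Group, inheritance into sub-folders under Modifying VFS Permission, the Copy and Remove choices under Disabling Inheritance in the VFS, and Reset Subfolders above. The following Python is an added example written for this edit, not GlobalSCAPE code. The permission names, the Site layout and the users are constructed, and it assumes that an individual user entry replaces the user's Group permissions outright on that folder, which is how the guide's denied-upload example behaves.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Perms = FrozenSet[str]
Acl = Dict[str, Perms]

# VFS permission names; the set is an assumption built from the names the guide uses.
ALL_PERMS: Perms = frozenset({"Download", "Upload", "Append", "Delete", "List",
                              "Create", "DeleteFolder", "ShowInList"})


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    inherit: bool = True                               # "Inherit permissions from parent folder"
    groups: Acl = field(default_factory=dict)          # this folder's own Group entries
    users: Acl = field(default_factory=dict)           # this folder's own individual user entries
    children: List["Folder"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)


def effective_acl(folder: Folder) -> Tuple[Acl, Acl]:
    """Entries in force on a folder: while inheriting, the parent's effective entries,
    overlaid by the folder's own entries for the same Group or user."""
    groups: Acl = {}
    users: Acl = {}
    if folder.inherit and folder.parent is not None:
        parent_groups, parent_users = effective_acl(folder.parent)
        groups.update(parent_groups)
        users.update(parent_users)
    groups.update(folder.groups)
    users.update(folder.users)
    return groups, users


def effective_permissions(folder: Folder, user: str, memberships: FrozenSet[str]) -> Perms:
    """Resolve one user's access. An individual entry for the user is authoritative
    (assumption: it replaces the Group permissions outright); otherwise the user gets
    the union, i.e. the least-restrictive combination, of every Group entry."""
    groups, users = effective_acl(folder)
    if user in users:
        return users[user]
    granted: Perms = frozenset()
    for group in memberships:
        granted |= groups.get(group, frozenset())
    return granted


def disable_inheritance(folder: Folder, choice: str) -> None:
    """Clear the inherit check box. 'Copy' keeps the inherited entries as editable local
    entries; 'Remove' drops them, leaving only what was set on this folder directly."""
    if choice == "Copy":
        groups, users = effective_acl(folder)
        folder.groups, folder.users = dict(groups), dict(users)
    elif choice != "Remove":
        raise ValueError("choice must be 'Copy' or 'Remove'")
    folder.inherit = False


def reset_subfolders(folder: Folder) -> None:
    """'Reset Subfolders': every descendant mirrors the parent exactly, so local entries
    are discarded and inheritance is switched back on all the way down."""
    for child in folder.children:
        child.groups.clear()
        child.users.clear()
        child.inherit = True
        reset_subfolders(child)


def build_site() -> Tuple[Folder, Folder, Folder]:
    """Constructed Site: the guide's default Groups on the root, an Accounting Group
    granted on /incoming, and an /incoming/archive sub-folder that inherits."""
    root = Folder("/")
    root.groups = {
        "Administrative": ALL_PERMS,
        "All Users": frozenset({"List", "ShowInList"}),
        "Guests": frozenset({"Download", "List", "ShowInList"}),
    }
    incoming = Folder("/incoming", root)
    incoming.groups = {"Accounting": frozenset({"Upload", "Append", "List", "ShowInList"})}
    archive = Folder("/incoming/archive", incoming)
    return root, incoming, archive


if __name__ == "__main__":
    root, incoming, archive = build_site()
    jsmith = frozenset({"All Users", "Accounting"})
    print(sorted(effective_permissions(archive, "jsmith", jsmith)))   # union of both Groups
    incoming.users["jsmith"] = frozenset({"List", "ShowInList"})     # explicit per-user entry
    print(sorted(effective_permissions(archive, "jsmith", jsmith)))   # Upload gone, inherited down
    disable_inheritance(archive, "Remove")
    print(sorted(effective_permissions(archive, "jsmith", jsmith)))   # nothing left on archive
    reset_subfolders(incoming)
    print(archive.inherit, sorted(effective_permissions(archive, "jsmith", jsmith)))
```

The point the model makes visible is that an individual entry on /incoming is inherited by /incoming/archive just like a Group entry, and that Remove on a sub-folder takes away the inherited individual entry as well, so a deny you set on a parent can silently disappear below a folder whose inheritance was cleared.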
Mapping a Virtual Folder to a Network Drive
To make a folder on a network drive available through a virtual folder, run the GlobalSCAPE Secure FTP
Server (FIPS) service under a dedicated Windows account that has access to every folder you want to
make available on the Server, and make sure that your own account on the computer on which the Server
is running also has access to those folders.
To map to a network drive
1. Create a dedicated Windows account on the computer where the service is installed, then, in the
Windows Services control panel, configure the Secure FTP Server service to log on as that account.
Note:
This should not be the default (Local System) account.
2. Assign restrictive file and folder permissions to this account: grant it access only to the folders the
Server must expose, not to the rest of the computer.
3. If you are mapping to a network drive in a workgroup, create a matching account on the target
remote computer. Make certain it uses the SAME user name and password. Restrict this account's
permissions so that it can reach only the folders that users need.
4. In the Administrator, connect to the server, then click the VFS tab.
5. Create a virtual folder for a folder on your networked drive. Drive letters are mapped per logon
session and are not visible to a service, so use a UNC path (for example \\fileserver\share\folder)
rather than a mapped drive letter; this is essential if you are remotely administering or if the drive is
not mapped on your computer.
6. Assign permissions for users by selecting the VFS tab within the Administrator, selecting the
folder in question, and then selecting or clearing the appropriate permission boxes.
Note:
You need administrative rights on the computer on which the service is running in order to create
accounts.
Automation Using Event Rules and Commands
The Server provides extensive automation functionality through commands, Event Rules, and a
programmatic interface using COM APIs.
Custom Site Commands
A Command runs any program that the Server can reach on its file system, such as an executable, a
batch file, or a scripting host given a script to run. You can give users permission to execute a Command
from their FTP client, or you can configure an Event Rule to trigger a Command.
Event Rules
Event Rules enable task management automation. Event Rules allow the Server to carry out actions
based on predetermined criteria. You can schedule routine tasks after a transfer. Event rules consist of
an event trigger, optional Conditions, and Actions.
COM
The Server's COM APIs allow you to program a unique or solution-specific interface and integrate it with
the Server's functionality.
Custom Site Commands
Creating a Command
Commands allow connecting users to execute programs, with command line arguments, on the Server;
the connecting user issues the command directly from their FTP client. Because the program runs on the
Server with the privileges of the service account, grant the permission to run a Command only to the
users who need it, and prefer Commands triggered by Event Rules where no client needs to run them.
Note:
Alternately, you can create a Command using the Custom Command wizard.
To create a command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands. The
Commands List tab appears in the right pane; on it you can view and remove Commands, and add
new Commands.
3. On the Commands List tab, click New. The new Command appears under the Commands node.
4. In the Command Name box, type the name of the command. You will reference the Command
Name in the Event Rule pane and in the Custom Command dialog box (in the Select Command
drop-down menu), so you should give the Command an intuitive name. For example, instead of
Command 1, you might call it Run CScript.
5. Type a Description that will help you identify the command.
6. In the Executable box, browse to or type the path to the executable. For example, you can
specify a program, a batch file, or a Windows scripting executable (cscript.exe or wscript.exe).
7. Select the Redirect output to system log check box. This creates a log in the Server installation
folder that you can use to troubleshoot the command in case of failure. Redirect output to client
is used in the extremely rare case in which the command will be launched by a connecting FTP
client (if configured to do so).
8. Leave all fields in the Advanced tab as is if you will be running the command from the
Server's Event Rule system (the most common scenario). In the rare case that this command will be
launched from a connecting FTP client, type the parameters (if any) that will be passed on the
command line. The variable format is %N%, where N is the position of the parameter the client
supplies; you may specify multiple variables or hard-coded values (for example: -c %1% %2%).
Treat every client-supplied parameter as untrusted input: it is passed to the program you named in
step 6, so that program must not hand it to a shell or interpret it as a path or script without validation.
9. If you want to force the FTP client to send a minimum number of parameters, select the Require
parameters check box and specify the minimum number of parameters required. You can also
write a message in the Invalid parameter count message text box that users will receive when
the parameter number is not met.
10. If you want the Server to return an error if the launched process fails to respond, select the
Enable process timeout check box and specify the number of seconds the Server should wait
before terminating the command.
11. If you want a connecting FTP client to execute the command, click the Permissions tab and
verify that the appropriate users have permissions to run the newly created command. If you only
want to allow the Server to run the command (from the Event Rule system), leave the
Permission tab as is.
12. Click Apply.
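Steps 8 to 10 define how a client-launched Command is assembled: a parameter template in %N% form, a minimum parameter count with an invalid-count message, and a process timeout. The Python below is an added example written for this edit, not part of the product, that models that expansion. It assumes the launcher passes each client parameter as a single argument-vector element (the guide does not say how the Server quotes parameters, so treat that as an assumption); the template, the parameters and the executable are constructed, and the local Python interpreter stands in for cscript.exe so the example runs on any platform.

```python
import re
import subprocess
import sys
from typing import List, Optional, Tuple

PLACEHOLDER = re.compile(r"%(\d+)%")          # the %N% variable format, e.g. "-c %1% %2%"


class CommandError(Exception):
    """Raised when the client's parameters do not satisfy the Command's definition."""


def build_argv(executable: str, template: str, client_params: List[str],
               require_params: int = 0,
               invalid_count_message: str = "Invalid parameter count") -> List[str]:
    """Expand a Command's parameter template with the parameters the FTP client sent.

    Each template token becomes exactly one argv element, and a %N% placeholder is
    replaced by the N-th client parameter verbatim, so a value such as
    "x; echo owned" stays one argument instead of turning into extra arguments.
    """
    if len(client_params) < require_params:          # the 'Require parameters' check
        raise CommandError(invalid_count_message)

    def lookup(match: "re.Match[str]") -> str:
        index = int(match.group(1))
        if index < 1 or index > len(client_params):
            raise CommandError(f"template references %{index}% but only "
                               f"{len(client_params)} parameter(s) were supplied")
        return client_params[index - 1]

    return [executable] + [PLACEHOLDER.sub(lookup, token) for token in template.split()]


def run_command(argv: List[str], timeout_seconds: Optional[float]) -> Optional[Tuple[int, str]]:
    """Run the expanded Command. Returns (exit code, stdout), or None when the
    'Enable process timeout' limit is exceeded and the process is terminated."""
    try:
        completed = subprocess.run(argv, capture_output=True, text=True,
                                   timeout=timeout_seconds)
    except subprocess.TimeoutExpired:
        return None
    return completed.returncode, completed.stdout


def demo() -> Optional[Tuple[int, str]]:
    """Constructed 'Run CScript' style Command, with the Python interpreter in place of
    cscript.exe. The second client parameter carries shell metacharacters on purpose."""
    template = "-c %1% %2%"                                   # what the Advanced tab would hold
    client_params = ["import sys; print(sys.argv[1])", "x; echo owned"]   # sent by the client
    argv = build_argv(sys.executable, template, client_params, require_params=2)
    return run_command(argv, timeout_seconds=10)


def timeout_demo(limit_seconds: float = 0.5) -> Optional[Tuple[int, str]]:
    """A process that outruns its limit is terminated and reported as None."""
    return run_command([sys.executable, "-c", "import time; time.sleep(5)"], limit_seconds)


if __name__ == "__main__":
    print(demo())
    print(timeout_demo())
```

If the launched program is a batch file or a script that concatenates its arguments into another command line, the argv boundary shown here no longer protects you: the metacharacters in %2% are then interpreted one level down. That is why the executable behind a client-runnable Command should validate its arguments itself.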
The Custom Command Wizard
The Custom Command wizard steps you through the process of creating a Command to tell the Server
to execute programs, scripts, or batch files.
The procedure below describes how to create a Command using the Custom Command Wizard. You
can also create Commands manually and edit existing Commands using the instructions in Creating a
Command.
To create a command with the Custom Command wizard
1. In the Administrator, connect to the server, then click the Server tab.
2. Do one of the following:
• On the toolbar, click the New Command icon.
• On the main menu, click Configuration, then click Create New Command.
The Custom Command Wizard appears.
3. In the Site box, specify to which Site the Command applies.
4. In the Command name box, type a descriptive name for the command. You will reference the
Command name in Event Rules, so you should give the Command an intuitive name. For
example, instead of Command 1, you might call it Run CScript.
5. Type a Description that will help you identify the command.
6. In the Path to executable box, browse to or type the path to the executable. For example, you
can specify a program, a batch file, or a Windows scripting executable (e.g., cscript.exe or
wscript.exe).
7. Click Next. Step 2 of the wizard appears.
8. If you want to force the client to send a minimum number of parameters, select the Use
parameters with this command check box and specify the minimum number of parameters
required.
9. Select the Send command output to check box. Select the System Log check box to create a
log in the Server installation folder that you can use to troubleshoot the command in case of
failure. The Client check box is used in the extremely rare case in which the command will be
launched by a connecting client (if configured to do so).
10. If you want the Server to return an error if the launched process fails to respond, select the
Terminate process if it exceeds time limit check box and specify the number of seconds the
Server should wait before terminating the command.
11. Click Next. The final step of the wizard appears.
12. If you want a connecting FTP client to execute the command, provide permissions to the
applicable users. If you want to allow only the Server to run the command (from the Event Rule
system), leave the Permit execution list blank.
13. Click Finish. The Command is added to the Commands node for the Site.
See Creating a Command for the procedure for editing the Command, including defining
parameters to pass to the Command and an invalid parameter count message.
Viewing and Removing Commands
To view the Commands defined on a Site
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands.
• The Commands appear under the Commands node.
• The Commands List tab appears in the right pane. On the Commands List tab, you can view and
remove Commands, and add new Commands.
To remove a command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Commands.
3. Do one of the following:
• Click the Command in the Commands List, then click Remove.
• In the left pane, click the Command, then press DELETE.
• In the left pane, right-click the Command, then click Delete.
Enabling and Disabling Commands
You can enable and disable Commands as needed, without deleting them.
To enable or disable a Command
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node for the Site that you want to configure, click Commands,
then click a Command in the tree.
3. When you create a new Command, the Enable this command check box is selected. To disable
the Command, clear the Enable this command check box.
4. Click Apply. While the Command is disabled, an x within a red circle appears over the Command
icon in the tree.
Event Rules
Introduction to Event Rules
Event Rules automate management tasks. Define an Event Rule to trigger an Action, or several Actions,
when specified criteria are met. For example, an Event such as a file upload or download can initiate
additional activities: you can synchronize content across systems, provide an automatic response, or
trigger a custom command to run a custom application or script. An Event Rule consists of an Event (the
trigger), any optional Conditions that restrict when the rule applies, and the resulting Actions that are
carried out.
When multiple Actions are defined for a single Event Rule, the Server carries out the actions in the
following order:
1. Execute Custom Command
2. Email Notification
3. Stop Processing Rules
Warning:
It is possible to configure Event Rules that create infinitely recursive cycles. All Event Rules run
synchronously, so a file upload event is not complete until every corresponding Action has finished;
an Action that itself uploads, downloads, or deletes files through the Server raises new events and
can loop back into the same rule. This can lead to unpredictable server behavior due to conflicts over
shared access to the same files or deletion of open files. Be careful not to create circumstances in
which such recursive cycles might occur. For plain file upload events recursive cycles are not typical,
but if a rule must move files on the same server, do it through the file system, not through FTP, so
that no new transfer event is raised.
Creating, Editing, and Disabling event rules
To create an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Site you want to configure.
3. Select Configuration > Create New Event Rule from the menu. The Create New Rule window
appears.
4. Enter a name for the rule.
5. In Should be applied when, select the event you want as a trigger.
6. Select OK. The Create New Rule window closes and the conditions and actions available for
your rule are displayed in the right-hand pane.
7. Optionally select any conditions for the event rule.
8. Specify the action(s) the event rule triggers.
• Choose Execute command in folder to run any custom command you have created for the
site.
• Choose Send email notification to send an email message to the address you entered on the
server's SMTP Configuration tab, and optionally send a message to a user.
• If you want other rules for the event to be ignored when this rule is met, select Stop
processing more rules.
9. In Specify rule condition and action parameters, select the blue and red text links to toggle
behavior and select executables, email addresses or define file paths used in definition of the
event rule. The Server does not save the rule unless it is adequately defined.
10. Click Apply to enable the rule.
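The ordering rules in this section (rules are evaluated in the Rule Priority order described under Managing Event Rules, the three Actions run in the fixed order command, email, stop processing, and a rule that stops processing hides later rules for the same event) and the warning that synchronous rules can recurse are easiest to see in a small model. The Python below is an added example for this edit, not GlobalSCAPE code. The rules, events and file names are constructed, the command and email Actions are simulated by writing to a log, and the recursion guard (refusing to process an event that is already being processed further up the same call stack) is an assumption about how one might defend against the cycle the guide warns about, not something the Server is documented to do.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Context = Dict[str, str]


@dataclass
class Rule:
    name: str
    event: str                                              # e.g. "File upload"
    condition: Optional[Callable[[Context], bool]] = None   # optional Condition
    command: Optional[Callable[["RuleEngine", Context], None]] = None  # "Execute command in folder"
    email: bool = False                                     # "Send email notification"
    stop_processing: bool = False                           # "Stop processing more rules"
    enabled: bool = True                                    # the "Enable this rule" check box


class RuleEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)            # list order is the Rule Priority order
        self.log: List[str] = []            # what ran, in order; stands in for the Server log
        self._in_progress: List[str] = []   # events on the current synchronous call stack

    def move_rule(self, name: str, direction: str) -> None:
        """The Rule Priority 'Higher' / 'Lower' buttons: swap with the neighbour."""
        i = next(k for k, r in enumerate(self.rules) if r.name == name)
        j = i - 1 if direction == "Higher" else i + 1
        if 0 <= j < len(self.rules):
            self.rules[i], self.rules[j] = self.rules[j], self.rules[i]

    def fire(self, event: str, ctx: Context) -> None:
        if event in self._in_progress:
            # Rules run synchronously, so an Action that raises the same event again
            # would never return. Refuse re-entry instead (assumed guard, not Server behaviour).
            self.log.append(f"BLOCKED recursive {event} for {ctx['file']}")
            return
        self._in_progress.append(event)
        try:
            for rule in self.rules:
                if not rule.enabled or rule.event != event:
                    continue
                if rule.condition is not None and not rule.condition(ctx):
                    continue
                # Actions always run in the fixed order: command, email, stop.
                if rule.command is not None:
                    self.log.append(f"COMMAND {rule.name} {ctx['file']}")
                    rule.command(self, ctx)
                if rule.email:
                    self.log.append(f"EMAIL {rule.name} {ctx['file']}")
                if rule.stop_processing:
                    self.log.append(f"STOP {rule.name}")
                    break
        finally:
            self._in_progress.pop()


def archive_by_ftp(engine: RuleEngine, ctx: Context) -> None:
    """Simulated script that re-uploads the file through FTP, which raises a new
    File upload event: the cycle the guide warns about."""
    engine.fire("File upload", {"file": "/archive/" + ctx["file"].rsplit("/", 1)[-1]})


def archive_by_filesystem(engine: RuleEngine, ctx: Context) -> None:
    """Simulated script that moves the file on the Server's file system instead,
    which the guide recommends because it raises no FTP event."""
    engine.log.append(f"MOVED {ctx['file']} -> /archive/")


def build_engine(use_ftp: bool) -> RuleEngine:
    """Constructed rule set for the File upload event."""
    archive = archive_by_ftp if use_ftp else archive_by_filesystem
    return RuleEngine([
        Rule("Archive CSV", "File upload", condition=lambda c: c["file"].endswith(".csv"),
             command=archive, email=True, stop_processing=True),
        Rule("Audit all uploads", "File upload", email=True),
    ])


def run(use_ftp: bool, filename: str) -> List[str]:
    engine = build_engine(use_ftp)
    engine.fire("File upload", {"file": "/incoming/" + filename})
    return engine.log


if __name__ == "__main__":
    for line in run(use_ftp=True, filename="report.csv"):
        print(line)
```

Two things to check against your own rule set with this model in mind: a rule with Stop processing more rules placed above an audit or notification rule silently suppresses the audit for every event it matches, and any Command that writes back through FTP rather than the file system re-enters the rule engine.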
Note:
Red links in Specify rule condition and action parameters indicate parameters that have not yet
been defined. They must be defined to save the rule.
To edit an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site
display in the right-hand pane.
3. Click the Event Rule you want to change, then click Edit.
4. Make any desired changes to the Event Rule, then click Apply.
To disable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site
display in the right-hand pane.
3. Clear the check box next to the event rule you want to disable.
4. Click Apply.
To re-enable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site
display in the right-hand pane.
3. Select the check box next to the Event Rule you want to re-enable.
4. Click Apply.
To delete an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Site node, then click Event Rules. The Event Rules for that Site
display in the right-hand pane.
3. Click the Event Rule you want to delete, then click Delete. A confirmation message appears.
4. Click Yes. The Rule is deleted from the Site.
Using an Event Rule to Execute a Command (Run a Process)
You can configure the Server to run executables, batch files, and scripts automatically when specific
events occur. When the Event Rule is triggered, the Server executes the specified custom Command and
attributes.
First create the command, then add the command to an Event Rule, as described below.
To execute a Command from the Server’s Event Rule system
1. In the Administrator, connect to the server, then click the Server tab.
2. Follow the procedure in Creating Event Rules to create a new rule.
3. If you need to apply any conditional behavior, click it in the Conditions list.
4. In the Specify rule actions box, select the Execute command in folder pane. The Action is
added to the Event in the Specify rule condition and action parameters pane.
5. In the Specify rule condition and action parameters pane, click 'select'. The Custom
Command dialog box appears.
6. In the Select command list, click the down arrow and click the command.
7. (Optional) In the Specify command parameters box, include any parameters for the command.
For example, type the script name (argument 0) if running a script. You can also select the items
in the Available Tags list to add them as parameters. For example:
dosomethingwithfile.vbs -file %FS.FILE_NAME%
8. In Specify command working folder, type the path or click the folder icon to specify the
folder in which the script or custom command executable resides.
9. Click OK to save the command.
10. Click Apply to save the Event Rule.
Adding or Editing Email Notifications to Event Rules
You can configure Event Rules to send an email when a rule is triggered. The email is sent to the address
defined on the SMTP Configuration tab of the Server.
To add (or edit) email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Event Rules.
3. Click the Event Rule to which you want to add (or edit) the email notification.
4. In the Specify rule actions pane, select the Send notification email check box.
The Action is added to the rule.
5. In the Specify rule condition and action parameters pane, click notification email. The Edit
Mail Template dialog box appears.
6. In the Subject box, type the text you want to appear in the Subject line of the email, or keep the
default text, which contains the event name (GlobalSCAPE Secure FTP Server
Notification: %EVENT.NAME%).
7. In the Body box, the default HTML code appears for the selected event. You can replace the
default text with the text that you want to appear in the body of the email, or add context variables
(Available Tags) as described in the next step. If you delete all of the HTML tags the message is
sent as a plain text message.
8. In the Available Tags box, click any property you want to insert in the email message. The text
surrounded by per cent signs (%text%) will be replaced by the Server with specific information
about the event, the user, or the connection.
• If you just want the specific value in your email message, click the text surrounded by
percent signs in the right column of the Available Tags box.
• If you want the value and the explanatory text before it, click the text in the left column
of the Available Tags box.
9. The CC Mail Notification to user check box is available only when the rule is based on a User
Event. If you want to send a copy of the message to the user involved, select the CC Mail
Notification to user check box. To base a rule on a User Event, create a new rule and select an
option from the User Event list.
10. Click OK to save the email settings, then click Apply to save the Event Rule.
Configuring SMTP Email Notification
You can configure the Server to send email alerts whenever certain events occur. You must provide the
address for an outgoing mail server, an email address for the administrator account, and other details.
To set up the server to send email notifications
1. In the Administrator, connect to the server, then click the Server tab.
2. Click the Server you want to configure.
3. In the right pane, click the SMTP Configuration tab.
4. In the SMTP Server Address box, provide the host name or IP address of the mail server the
Server will use to send outgoing messages.
5. In the SMTP Server Port box, provide the port number where the mail server accepts messages.
The default is 25.
6. Do one of the following:
• If the Server can connect to the mail server without logging in, leave the Server requires
authorization check box cleared.
• If the mail server requires a user name and password from the Server computer, select
the Server requires authorization check box, then provide the Authorization
information:
a. In the Login box, provide the user name needed to connect to the mail server.
b. In the Password box, provide the password needed to connect to the mail server.
7. In the Name box of the Send Messages FROM area, provide any name you would like for the
"From Name" field.
8. In the Address box of the Send Messages FROM area, provide any address you would like for
the "From Address" field.
9. In the Name box of the Send Messages TO area, provide the name of the server administrator,
or any name you wish.
10. In the Address box of the Send Messages TO area, provide the email address of the person
who should be notified of server events.
11. Click Apply.
Managing Event Rules
When you click the Event Rules node for a Site, the right pane provides controls for managing the Event
Rules defined for that Site. Using this interface, you can do the following:
Edit - You can fine tune your Rules by adding, editing, deleting, and rearranging Conditions and Actions.
Delete - If an Event Rule is no longer needed and you are sure you will not need it again in the future, you
can delete it. However, you can also disable the Rule so that, if you do need the Rule again, you can
simply enable it.
Prioritize - If you create more than one Rule for a single type of event, the Server prioritizes the rules in
the order they appear on the Event Rules list. You can rearrange them using the Rule Priority buttons.
Disable - If you want to disable a Rule temporarily without deleting it, you can disable it by clearing the
Enable this rule check box.
To manage the Event Rules
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the node of the Site you want to configure, then click Event Rules. The
list of configured Event Rules appears in the Event Rules node and in the right pane.
3. Click the Event Rule you want to change.
To edit an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, expand the Event Rules node, then click the rule.
3. To add a Condition to the Rule, select the check box for the Condition. The Condition appears in
the rule pane.
4. To add an Action to a selected Condition, select its check box. The Action appears in the rule
pane.
5. Configure the Condition or Action by clicking the underlined variables (red or blue underlined text).
6. Click Apply to save the changes on the Server.
To delete an Event Rule
Note:
You can disable a rule and keep its definition for later use.
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. Right-click the Event Rule, then click Delete. A confirmation message appears.
4. Click Yes. The rule is deleted from the Site.
To change the priority of a Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, under Rule Priority, click Higher and Lower.
To disable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, clear the Enable this rule check box.
4. Click Apply to save the changes on the Server.
To re-enable an Event Rule
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Event Rules node, then click the rule.
3. In the right pane, click the Enable this rule check box.
4. Click Apply to save the changes on the Server.
Available Events
The following events can trigger actions:
Server Events
• Rotate Log - When the current activity log closes and opens a new one.
• Service Stop - When the Secure FTP Server service stops.
• Service Start - When the Secure FTP Server service starts.
Site Events
• Site Start - When the site starts.
• Site Stop - When the site stops.
Connection Events
• User connect - When a user connects to the site (this occurs before log in).
• User connect failed - When a user attempts to connect and fails (this can occur before log in).
• User disconnect - When a user disconnects from the site (this can occur before log in).
User Events
• User account disable - If the user account is disabled by the administrator or by the server.
• User quota exceeded - If the user has taken too much disk space on the server.
• User logout - If the user closes a session gracefully.
• User login - If the user logs in to the server.
• User login failed - If the user attempts an incorrect username or password.
• User password change - If the user or administrator changes a user's password.
File System Events
• File delete - If a file is deleted from the site.
• File upload - If a file is uploaded to the site.
• File download - If a file is downloaded from the site.
• File rename - If a file on the site is renamed.
• Folder create - If a folder is created on the site.
• Folder delete - If a folder is deleted from the site.
• Upload Fail - If an upload does not occur.
• Download Fail - If a download does not occur.
• Folder change - If a user navigates to a new folder on the site.
• File move - If a file is transferred to another location.
Available Conditions
Conditions allow you to narrow the trigger definition of an event rule. Conditions are optional: you do not
have to define a condition on an event rule to make it trigger an action, but they do allow fine control over
when an action may take place.
Server Conditions
You can only apply these conditions to Server events.
• If service is running - The Server service is currently running.
• If log type - The log type is a specific type.
• If log location - The log location matches a specific path.
• If old log file path - The old log file path matches a specific path.
• If new log file path - The new log file path matches a specific path.
• If old log file name - The old log file name matches a specific name.
• If new log file name - The new log file name matches a specific name.
Site Conditions
You can only apply this condition to Site events.
• If site is running - The site has already started and is currently running.
Connection Conditions
You can apply these conditions to Connection events, User events, and File system events.
If Remote IP
• a connection is made from a remote IP address that matches a predefined IP address or IP mask.
• a connection is made from a remote IP address that does NOT match a predefined IP address or IP mask.
If Local IP
• a connection is made to a local IP address that matches a predefined IP address or IP mask.
• a connection is made to a local IP address that does not match a predefined IP address or IP mask.
If Local Port
• a connection is made on a predefined port.
• a connection is made NOT on the predefined port.
• a connection is made on one of a predefined range of ports.
• a connection is made NOT on one of a predefined range of ports.
If Protocol
• an FTP/SSL/SFTP connection has been made or is being used.
• a connection has been made or is being used that is NOT an FTP/SSL/SFTP connection.
User Conditions
You can apply user conditions to User events and File system events.
If User
• the user account belongs to a specific group or set of groups.
• the user account does not belong to a specific group or set of groups.
If Login
• a user name matches a specific word.
• a user name does not match a specific word.
• a user name contains a specific string of characters.
• a user name does not contain a specific string of characters.
If Account Enabled
• a user account is enabled.
• a user account is disabled.
If Settings Level
• the user belongs to a predefined Settings Level.
• the user does NOT belong to the predefined Settings Level.
If Full Name
• a user's full name matches a predefined name.
• a user's full name does not match a predefined name.
• a user's full name contains a predefined string of characters.
• a user's full name does not contain a predefined string of characters.
If Description
• the user's description matches a predefined description.
• the user's description does NOT match a predefined description.
• the user's description contains a predefined string of characters.
• the user's description does NOT contain a predefined string of characters.
If Comment
• the user's comment matches a predefined comment.
• the user's comment does NOT match a predefined comment.
• the user's comment contains a predefined string of characters.
• the user's comment does NOT contain a predefined string of characters.
If Email Address
• the user's email address matches a predefined address.
• the user's email address does NOT match a predefined address.
• the user's email address contains a predefined string of characters.
• the user's email address does NOT contain a predefined string of characters.
If Phone Number
• the user's phone number matches a predefined phone number.
• the user's phone number does NOT match a predefined phone number.
• the user's phone number contains a predefined string of characters.
• the user's phone number does NOT contain a predefined string of characters.
If Pager Number
• the user's pager number matches a predefined number.
• the user's pager number does NOT match a predefined number.
• the user's pager number contains a predefined string of characters.
• the user's pager number does NOT contain a predefined string of characters.
If Fax Number
• the user's fax number matches a predefined number.
• the user's fax number does NOT match a predefined number.
• the user's fax number contains a predefined string of characters.
• the user's fax number does NOT contain a predefined string of characters.
If Home Folder
• the location of a user's home folder matches a predefined physical location.
• the location of a user's home folder does NOT match a predefined physical location.
If Home Folder is root
• the user's home folder is their root directory.
• the user's home folder is NOT their root directory.
If Quota Max
• the user's account has a size limit equal to a predefined size in Kilobytes.
• the user's account has a size limit less than or equal to a predefined size in Kilobytes.
• the user's account has a size limit less than a predefined size in Kilobytes.
• the user's account has a size limit NOT equal to a predefined size in Kilobytes.
• the user's account has a size limit NOT less than or equal to a predefined size in Kilobytes.
• the user's account has a size limit NOT less than a predefined size in Kilobytes.
If Quota Used
• the user has used a predefined amount (in kb) of allowed disk space.
• the user's filled disk space is less than or equal to a predefined amount (in kb) of allowed disk space.
• the user has used less than a predefined amount (in kb) of allowed disk space.
• the user has NOT used a predefined amount (in kb) of allowed disk space.
• the user's filled disk space is NOT less than or equal to a predefined amount (in kb) of allowed disk space.
• the user has NOT used less than a predefined amount (in kb) of allowed disk space.
If Invalid login attempts
• the user has attempted and failed to login a predefined number of times.
• the user's failed login attempts are less than or equal to a predefined number.
• the user's failed login attempts are less than a predefined number.
• the user has NOT attempted and failed to login a predefined number of times.
• the user's failed login attempts are NOT less than or equal to a predefined number.
• the user's failed login attempts are NOT less than a predefined number.
If User can change password
• the user has permission to change their own password.
• the user does not have permission to change their own password.
If Home IP
• the user's allowed IP address matches a predefined IP address or set of IP addresses.
• the user's allowed IP address does not match a predefined IP address or set of IP addresses.
If User can connect using SSL
• the user has SSL capability enabled.
• the user does not have SSL enabled.
If User can connect using FTP
• the user has configured a site and has an FTP account.
• the user does not have an FTP site with an account configured.
If User can connect using SFTP
• the user has SFTP capability enabled.
• the user does not have SFTP enabled.
File System Conditions
You can apply file system conditions only to File system events.
If Virtual Path
• the file or folder exists at a predefined virtual location.
• the file or folder does NOT exist at a predefined virtual location.
If Physical Path
• the file or folder exists at a predefined physical location (the full folder path including the file name).
• the file or folder does NOT exist at a predefined physical location (the full folder path including the file name).
If Physical Folder Name
• the file or folder exists in a predefined physical folder (the folder path without a file name).
• the file or folder does NOT exist in a predefined physical folder (the folder path without a file name).
If File Name
• the file name matches a predefined string of characters.
• the file name does not match a predefined string of characters.
Event Properties
You can apply particular properties to specific conditions only for Upload Fail and Download Fail in File
system events, for User Login Failure and User Logout in User events, and for User Connect Failure
in Connection events.
These special conditions are defined by using the specific reason parameters found in the drop-down
menu in the specify rule condition and action parameters section.
File System Events
If Upload Fail (or Download Fail)
• the upload/download was aborted by User.
• access was denied.
• connection was closed.
• file was banned type.
• bandwidth quota was exceeded.
User Events
If User Login Failure
• the user account was disabled.
• an invalid password was used.
• the protocol used was not supported.
• the IP was restricted.
• there were too many connections per IP.
• there were too many connections per site.
• there were too many connections per user.
If User Logout
• the FTP session was closed due to error.
• the FTP session was closed by a timeout.
• the FTP session was closed by the user.
• the IP address was banned.
• the maximum number of incorrect logins was reached.
• the TCP/IP connection was closed by a peer.
• the User was kicked by the administrator.
Connection Event
If User Connect Failure
• the IP address was rejected.
• the IP address was rejected and banned.
• there were too many connections per IP.
• there were too many connections per site.
Available Actions
Actions are the results of event triggers. You can specify multiple actions to occur from a single trigger.
• Execute command - The custom command in a specific location is triggered.
• Send Notification Email - An email message is sent to the address specified.
• Stop processing more rules - No further rules are processed.
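The following is an added example, not GlobalSCAPE's own code, that models how the rule mechanics described above fit together: rules are evaluated in Event Rules list (priority) order, a disabled rule is skipped, optional Conditions must all hold, and the Stop processing more rules Action prevents lower-priority rules from running. The rule names, sample events, groups and IP masks are constructed for illustration.

```python
"""Added example (not GlobalSCAPE code): a small model of Event Rule evaluation.
Rules are checked in priority order; a "Stop processing more rules" action ends
the run. Rule names, sample users, groups and IP masks are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]          # e.g. {"event": "User login failed", "remote_ip": "203.0.113.9"}
Condition = Callable[[Event], bool]

EXECUTE = "Execute command"
EMAIL = "Send Notification Email"
STOP = "Stop processing more rules"


@dataclass
class Rule:
    name: str
    event: str                                                  # the event the rule is attached to
    conditions: List[Condition] = field(default_factory=list)   # all must hold; may be empty
    actions: List[str] = field(default_factory=list)
    enabled: bool = True                                        # the "Enable this rule" check box


# Condition builders modelled on the guide's "If Remote IP", "If User" and
# "If Invalid login attempts" conditions.
def if_remote_ip(mask: str, match: bool = True) -> Condition:
    """Remote IP does (match=True) or does NOT (match=False) fall within an IP address or mask."""
    net = ipaddress.ip_network(mask, strict=False)
    return lambda ev: (ipaddress.ip_address(ev["remote_ip"]) in net) == match


def if_user_in_group(*groups: str, match: bool = True) -> Condition:
    """User account belongs (or does not belong) to any of the given groups."""
    wanted = set(groups)
    return lambda ev: bool(wanted & set(ev.get("groups", ()))) == match


def if_invalid_logins_not_less_than(n: int) -> Condition:
    """Failed login attempts are NOT less than a predefined number."""
    return lambda ev: ev.get("invalid_logins", 0) >= n


def run_rules(rules: List[Rule], ev: Event) -> List[str]:
    """Evaluate the rules top to bottom for one event; return the actions fired as 'rule:action'."""
    fired: List[str] = []
    for rule in rules:                                        # list order is priority order
        if not rule.enabled or rule.event != ev["event"]:
            continue
        if not all(cond(ev) for cond in rule.conditions):     # no conditions -> always triggers
            continue
        for action in rule.actions:
            fired.append(f"{rule.name}:{action}")
            if action == STOP:                                # lower-priority rules never run
                return fired
    return fired


# Constructed rule set; higher in the list means higher priority.
RULES = [
    Rule("Brute force alert", "User login failed",
         [if_remote_ip("10.0.0.0/8", match=False), if_invalid_logins_not_less_than(5)],
         [EMAIL, STOP]),
    Rule("Log all failed logins", "User login failed", [], [EXECUTE]),
    Rule("Admin login notice", "User login", [if_user_in_group("Administrators")], [EMAIL]),
    Rule("Old rule kept for later", "User login", [], [EMAIL], enabled=False),
]

if __name__ == "__main__":
    for sample in (
        {"event": "User login failed", "remote_ip": "203.0.113.9", "invalid_logins": 7},
        {"event": "User login failed", "remote_ip": "10.1.2.3", "invalid_logins": 7},
        {"event": "User login", "remote_ip": "10.1.2.3", "groups": ["Administrators"]},
    ):
        print(sample["event"], sample["remote_ip"], "->", run_rules(RULES, sample))
```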
The following table shows which Actions are available for each Event (X = available):

Event                      Execute command   Send notice   Stop processing
                           in folder         email         more files
Server events
  Service Start                  X                X               X
  Service Stop                   X                X               X
  Timer                          X                X               X
  Rotate Log                     X                X               X
Site events
  Site Start                     X                X               X
  Site Stop                      X                X               X
Connection events
  User Connect                   X                X               X
  User Disconnect                X                X               X
  User Connect Fail              X                X               X
User events
  Account Disabled               X                X               X
  Quota Exceeded                 X                X               X
  Password Changed               X                X               X
  User Login                     X                X               X
  User Logout                    X                X               X
  User Login Failure             X                X               X
File system events
  File Delete                    X                X               X
  File Upload                    X                X               X
  Before Download                X                X               X
  File Download                  X                X               X
  File Rename                    X                X               X
  Folder Create                  X                X               X
  Folder Delete                  X                X               X
  Folder Change                  X                X               X
  File Move                      X                X               X
  Upload Fail                    X                X               X
  Download Fail                  X                X               X
COM
COM APIs
You can interact directly with the Server from your own custom applications using any COM-enabled
programming language such as Visual Basic (VB), Java, or C++. You can create a script with the
development IDE of your choice.
To create a new script file, you must be familiar with programming concepts and should have experience
with COM-enabled programming languages.
For details of using the COM methods and properties, see GlobalSCAPE's COM API Reference.
The Auditing and Reporting Module (ARM)
Auditing and Reporting
The Auditing and Reporting Module (ARM) captures the transactions passing through the Server and
provides an interface in the Administrator where you can use preconfigured reports or create your own
custom reports to query, filter, and view transaction data. Data is stored in a fully relational database, and
can be analyzed in real time.
The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The
built-in reports were designed to respond to the most common data analysis requests.
If you have needs outside the included preconfigured reports, you can build your own with the report
designer.
See the Descriptions of Preconfigured Reports for a list and description of preconfigured reports.
See Auditing for a list of the information available in reports.
How the Server Handles SQL data
The Server truncates data values within each audited event SQL transaction to ensure the data value fits
within the corresponding database field. The following table lists selected field length values:
Tablename               Fieldname            Datatype/Field-length
tbl_socketconnections   SiteName             Varchar (50)
tbl_protocolcommands    VirtualFolderName    Varchar (500)
                        PhysicalFolderName   Varchar (500)
                        SiteName             Varchar (50)
tbl_customCommands      CommandParameters    Varchar (1000)
                        SiteName             Varchar (50)
tbl_ClientOperations    RemotePath           Varchar (500)
                        LocalPath            Varchar (500)
                        UserName             Varchar (50)
tbl_Actions             Parameters           Varchar (1000)
                        SiteName             Varchar (50)
tbl_EventRules          SiteName             Varchar (50)
                        EventName            Varchar (50)
tbl_Authentications     SiteName             Varchar (50)
                        UserName             Varchar (50)
Special Characters
The special characters (as defined by the SQL interpreter) within each data value of an audit SQL event
are escaped to ensure the data value is stored and retrieved properly from the database. The following
special characters are escaped by the Server during generation of SQL statements prior to submission to
the database engine:
• Single quote - '
• Open bracket - [
• Percent - %
• Underscore - _
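The following added example (not GlobalSCAPE's own code) shows the two preparation steps the guide describes for one audit value: truncation to the field length from the table above, and escaping of the four listed characters before the INSERT text is assembled. The guide names only the characters, so the escape forms used here (doubling the quote, bracketing the LIKE wildcards) and the sample values are this example's own assumptions; the ordering check it demonstrates (truncate first, then escape) is the point a practitioner should take away.

```python
"""Added example (not GlobalSCAPE code): truncate an audit value to its ARM
field length and escape the SQL special characters before building the INSERT.
Field lengths follow the guide's table; the escape forms are assumed."""
from typing import Dict, Tuple

# Selected (table, field) -> varchar length, taken from the guide's field-length table.
FIELD_LENGTHS: Dict[Tuple[str, str], int] = {
    ("tbl_SocketConnections", "SiteName"): 50,
    ("tbl_ProtocolCommands", "VirtualFolderName"): 500,
    ("tbl_ProtocolCommands", "PhysicalFolderName"): 500,
    ("tbl_ProtocolCommands", "SiteName"): 50,
    ("tbl_CustomCommands", "CommandParameters"): 1000,
    ("tbl_ClientOperations", "RemotePath"): 500,
    ("tbl_ClientOperations", "LocalPath"): 500,
    ("tbl_ClientOperations", "UserName"): 50,
    ("tbl_Actions", "Parameters"): 1000,
    ("tbl_EventRules", "EventName"): 50,
    ("tbl_Authentications", "UserName"): 50,
}

# The characters the guide says are escaped. Doubling the quote is the T-SQL string
# literal escape; the bracket forms for [, % and _ are the LIKE-pattern escapes and
# are an assumption of this example.
ESCAPES = {"'": "''", "[": "[[]", "%": "[%]", "_": "[_]"}


def truncate(table: str, field: str, value: str) -> str:
    """Cut the raw value down to the column's varchar length."""
    return value[: FIELD_LENGTHS[(table, field)]]


def escape(value: str) -> str:
    """Replace every special character with its escape sequence."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def prepare(table: str, field: str, value: str) -> str:
    """Truncate FIRST, then escape, so the raw value meets the column length and no
    escape sequence is ever cut in half (a split '' would leave an unbalanced quote)."""
    return escape(truncate(table, field, value))


def escape_then_truncate(table: str, field: str, value: str) -> str:
    """The wrong order, kept only to show the failure mode: cutting after escaping
    can leave a lone quote that breaks the INSERT or changes its meaning."""
    return truncate(table, field, escape(value))


def build_insert(table: str, values: Dict[str, str]) -> str:
    """Assemble the INSERT text from prepared values (dict order = column order).
    A parameterized INSERT would avoid hand escaping altogether; string building
    is shown because that is how the guide describes the Server's behaviour."""
    cols = ", ".join(values)
    vals = ", ".join("'" + prepare(table, col, val) + "'" for col, val in values.items())
    return f"INSERT INTO dbo.{table} ({cols}) VALUES ({vals})"


if __name__ == "__main__":
    # Constructed sample: a folder name carrying every character from the guide's list.
    print(build_insert("tbl_ProtocolCommands",
                       {"SiteName": "Main", "VirtualFolderName": "/O'Brien/100%_done/[drafts]"}))
    awkward = "a" * 49 + "'"   # exactly 50 characters, ending in a quote
    print(repr(prepare("tbl_Authentications", "UserName", awkward)))            # balanced
    print(repr(escape_then_truncate("tbl_Authentications", "UserName", awkward)))  # lone quote
```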
Configuring the Auditing and Reporting Module (ARM)
To use Auditing and Reporting with the Server, you have to enable the Auditing and Reporting Module
(ARM), specify the Host/Instance Name, Database Name, and login information, then specify the action
to take in case of database error. The procedure below describes how to configure ARM.
To configure ARM:
1. In the Administrator, connect to the server, then click the Server tab.
2. In the left pane, click the Server you want to configure.
3. In the right pane, click the Server Options tab.
4. In the Database Audit Settings area, select the Enable Auditing and Reporting check box.
5. In the Host(\Instance Name) box, specify the Server name or IP address, or provide a DSN or
DSN-less connection string.
6. Provide the Username and Password for connecting to the database. (You provided these when
you installed the module.)
7. Provide the Database Name.
8. Optionally, click Test Connection to verify that you can connect to the database.
9. Select an action for the Server to take if there is an error with the database.
• To stop recording data, select Stop auditing.
• To continue recording data to a file, select Audit to folder, and specify the location of the file.
10. In the Failure notification email address box, specify the email address to which the Server is
to send connection error notification. To provide more than one email address, separate the
addresses with a comma or semicolon. The Server uses its global SMTP email settings for SMTP
Configuration to send the emails, so make sure that those settings are correct.
Database error emails contain the following information:
• The time the Server detected the database error
• Error code - an indicator of any specific connection error or database engine transaction error codes
• Error description - textual description provided by the database engine for the specific error
• The database instance name and database name
• Secure FTP Server IP address and/or DNS name
• The location of the text file if text file logging was selected
• Instructions for use of RECONNECT to reestablish database communications and instructions for
insertion of the SQL transactions using osql
Note:
If you are using Windows 2000 for your server installation, you must update MDAC prior to install.
You can find the latest update at: http://msdn.microsoft.com/data/ref/mdac/downloads/ This does not
apply to Windows XP, Windows 2003, or later versions, because they come with a newer version of
MDAC that is compliant.
Installing the Auditing and Reporting Module
Installation and configuration of the Auditing and Reporting module consists of installing the Server with
ARM, selecting the default database, or setting up another database and pointing the Server to it, and
then enabling the Server to record data.
Refer to Installing the Software for the procedure for installing the Microsoft SQL Server 2000 Desktop
Engine (MSDE) for ARM.
If you are using your own SQL database to capture the auditing data, see Using SQL Server as the
Auditing Database.
Using SQL Server as the Auditing Database
Microsoft SQL Server Desktop Engine (MSDE) is bundled with the Server as a default database for auditing
transactions. MSDE has a built-in size limit of 2GB, limiting it to about a million transactions before the
database fills up. MSDE is not supported on the Microsoft Vista operating system, performance throttling
occurs when there are more than five (5) concurrent workload batches in progress, and MSDE does not
offer OLAP / data warehousing capabilities. Choosing SQL Server over MSDE overcomes these
limitations, and provides centralization of data for federation, redundancy, and performance. The
procedure below describes how to set up the ARM database in SQL Server 2005. The process is similar for
earlier versions of SQL Server.
To use SQL Server as the auditing database
1. Install Secure FTP Server (FIPS) without the MSDE component, unless you want to perform
auditing on the local system for testing purposes.
2. Point the Server to the SQL Server of your choice.
To configure SQL Server for use with the Server
1. On SQL Server, launch Microsoft SQL Server Management Studio or equivalent and provide
your administrator login credentials when prompted.
2. In the left pane, expand the Security node, then click the Logins node.
3. Right-click the Logins node, then click New Login. The New Login dialog box appears.
4. Create a new user called gsftpuser and click SQL Server Authentication.
Note:
If SQL Server Authentication is not available as a choice, verify that SQL Server has been set
up to support Mixed-mode.
5. In the Password and Confirm password boxes, provide a complex password consisting of an
alphanumeric and symbol mix at least 8 characters long.
6. Select the Enforce Password Policy check box.
7. Leave the Default database as master.
8. In Default language, click the down arrow to select your language, if other than English, then
click OK.
9. In the left pane, right-click the Databases node, then click New Database.
10. In the dialog box that appears, name the database gsftpdb.
11. In the Owner field, provide the login name you just created (gsftpuser).
12. In the Database files table, change the Initial size value to 10MB for the gsftpdb logical name
(first row). Leave the gsftpdb_log row alone and click OK.
13. In the left pane under Databases, click the newly created gsftpdb database, then on the Query
menu, click New Query. A blank screen appears in the right pane in which you can type in a SQL
query.
14. Paste the SQL Script below into the Query text box. Make sure the query begins with the words if
exists and ends with a parenthesis. Include everything between the sections labeled begin SQL
query and end SQL query.
15. To run the query you just entered, click Execute on the toolbar. A message appears indicating
whether the query was able to complete successfully.
16. Expand Databases, then gsftpdb, then Tables. Verify that the database has populated
correctly. (The tables defined in the script should have been created.)
Test your connection
1. Create a test connection with your FTP client to the Server and upload and download a few files.
2. Switch back to SQL Server and select the dbo.tbl_ProtocolCommands table under the gsftpdb
database icon. It should return several rows with the commands issued by your FTP client from
the test connection.
3. You can now pull reports directly from the Server against data audited to the SQL Server.
Note:
If you are running the Administrator you must have an entry in the Administrator computer's DNS for
the name of the SQL (or MSDE) server, otherwise the Administrator will not be able to connect to the
SQL Server when attempting to pull reports.
SQL Script
****BEGIN SQL QUERY***
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Actions') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_Actions
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Authentications') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_Authentications
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Groups') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_Groups
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_CustomCommands') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_CustomCommands
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_EventRules') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_EventRules
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ProtocolCommands') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_ProtocolCommands
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ResultCodes') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_ResultCodes
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_SocketConnections') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_SocketConnections
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_Transactions') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_Transactions
GO
if exists (select * from dbo.sysobjects where id = object_id(N'dbo.tbl_ClientOperations') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table dbo.tbl_ClientOperations
GO
CREATE TABLE dbo.tbl_Transactions (
    TransactionID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Transactions PRIMARY KEY CLUSTERED ,
    ParentTransactionID numeric(18, 0) NULL REFERENCES tbl_Transactions(TransactionID),
    TransactionObject varchar (50) NOT NULL
)
GO
CREATE TABLE dbo.tbl_EventRules (
    EventID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_EventRules PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    SiteName varchar (50) NULL ,
    EventName varchar (50) NULL ,
    EventType varchar (50) NULL ,
    ConditionValues varchar (1000) NULL ,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Actions (
    ActionID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Actions PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    SiteName varchar (50) NULL ,
    EventName varchar (50) NULL ,
    ActionType varchar (50) NULL ,
    Parameters varchar (1000) NULL ,
    IsFailedAction bit NULL ,
    ResultID numeric(18, 0) NOT NULL ,
    EventID numeric(18, 0) NOT NULL REFERENCES tbl_EventRules(EventID),
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Authentications (
    AuthenticationID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Authentications PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    RemoteIP varchar (15) NOT NULL ,
    RemotePort numeric(18, 0) NULL ,
    LocalIP varchar (15) NOT NULL ,
    LocalPort numeric(18, 0) NULL ,
    Protocol varchar (50) NULL ,
    SiteName varchar (50) NULL ,
    UserName varchar (50) NULL ,
    PasswordHash varchar (500) NULL ,
    SettingsLevels varchar (500) NULL ,
    ResultID numeric(18, 0) NOT NULL ,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_Groups (
    GroupID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_Groups PRIMARY KEY CLUSTERED,
    GroupName varchar (50) NULL ,
    AuthenticationID numeric(18, 0) NOT NULL REFERENCES tbl_Authentications(AuthenticationID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_CustomCommands (
    CustomCommandID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_CustomCommands PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    SiteName varchar (50) NULL ,
    Command varchar (50) NULL ,
    CommandParameters varchar (1000) NULL ,
    ExecutionTime numeric(18, 0) NULL ,
    ResultID numeric(18, 0) NOT NULL ,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ProtocolCommands (
    ProtocolCommandID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_ProtocolCommands PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    RemoteIP varchar (15) NULL ,
    RemotePort numeric (18,0) NULL ,
    LocalIP varchar (15) NULL ,
    LocalPort numeric (18,0) NULL ,
    Protocol varchar (50) NULL ,
    SiteName varchar (50) NULL ,
    Command varchar (10) NULL ,
    CommandParameters varchar (1000) NULL ,
    FileName varchar (500) NULL ,
    VirtualFolderName varchar (500) NULL ,
    PhysicalFolderName varchar (500) NULL ,
    IsInternal numeric(18, 0) NULL ,
    FileSize numeric(18, 0) NULL ,
    TransferTime numeric(18, 0) NULL,
    BytesTransferred numeric(18, 0) NULL ,
    ResultID numeric(18, 0) NOT NULL ,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ResultCodes (
    ResultID numeric(18, 0) NOT NULL CONSTRAINT PK_tbl_ResultCodes PRIMARY KEY CLUSTERED,
    Description varchar (100) NULL ,
    Category varchar (10) NULL
)
GO
CREATE TABLE dbo.tbl_SocketConnections (
    SocketID numeric(18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_SocketConnections PRIMARY KEY CLUSTERED,
    Time_stamp datetime NOT NULL ,
    RemoteIP varchar (15) NULL ,
    RemotePort numeric (18,0) NULL ,
    LocalIP varchar (15) NULL ,
    LocalPort numeric(18, 0) NULL ,
    SiteName varchar (50) NULL ,
    ResultID numeric(18, 0) NOT NULL ,
    TransactionID numeric(18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
GO
CREATE TABLE dbo.tbl_ClientOperations (
    ClientOperationID numeric (18, 0) IDENTITY (1, 1) NOT NULL CONSTRAINT PK_tbl_ClientOperations PRIMARY KEY CLUSTERED ,
    Time_stamp datetime NOT NULL ,
    Protocol varchar (50) NULL ,
    RemoteAddress varchar (50) NULL ,
    RemotePort numeric (18, 0) NULL ,
    Username varchar (50) NULL ,
    RemotePath varchar (500) NULL ,
    LocalPath varchar (500) NULL ,
    Operation varchar (50) NULL ,
    BytesTransferred numeric (18, 0) NULL ,
    TransferTime numeric (18, 0) NULL ,
    ResultID numeric (18, 0) NOT NULL ,
    TransactionID numeric (18, 0) NOT NULL REFERENCES tbl_Transactions(TransactionID) ON DELETE CASCADE
)
****END SQL QUERY***
Alternative Method for Creating Database Tables on SQL Server
Administrators that prefer using command driven tools can use oSQL to create the necessary database
and tables. A brief overview is provided below; detailed step-by-step instructions are outside the scope of
this documentation.
Gather the following information prior to calling the oSQL command line tool:
1. The SQL Server Host Name or address.
2. The authentication scheme. You will need to know the authentication mechanism allowed on
that SQL Server. It may be Windows Authentication only, or Windows Authentication or SQL
Server Authentication.
3. The allowed connection protocols. This can be Named Pipes, which is required for Windows
Authentication, or TCP/IP, which is used by the SQL Server Authentication.
4. The PORT, if TCP/IP. If TCP/IP is the connection of choice, you need to know the PORT on
which the SQL Server is listening for connections. The default PORT is 1433. It also supports a
way that a client can dynamically determine the port, but this requires that the SQL Server have
UDP port 1434 accessible by remote machines. If this port is blocked by a firewall, you will NOT
be able to use the dynamically determine port feature. Typically, SQL Server installations use the
default port 1433 (TCP) for connections.
Once you have acquired all of the above information, then you can craft the proper command line
for "oSQL" to connect to the database:
1. Open a command prompt. (Select Start, then click Run. Type cmd, then press ENTER.)
2. Type the following, where ARM_DBScript_1_1.sql is the SQL file located in the Reports folder under
the Server's installation folder:
[path to oSQL]\oSQL.exe -S [server address] -U [username] -P [password] -i "[path to Reports folder]\ARM_DBScript_1_1.sql"
For example, type:
"C:\Program Files\Microsoft SQL Server\80\Tools\Binn\oSQL.exe" -S 192.169.19.17 -U jbond -P asd123!f$s1 -i "C:\Program Files\GlobalSCAPE\Secure FTP Server\Reports\ARM_DBScript_1_1.sql"
3. In the Administrator, click the Server tab. You should be connected to the server.
4. In the left pane, click the Server you want to configure.
5. In the right pane, click the Server Options tab.
6. Under Database Audit Settings, select the Enable Auditing and Reporting check box.
7. In the Host(\Instance Name) box, type the Server name or IP address.
8. Type the Database Name, a valid user name, and a password.
9. To test the connection to the database, click Test Connection.
Note:
Both the auditing component and the reporting component of the Server's ARM use ADO to
communicate with the data source. The connection string (automatically configured if MSDE is
chosen during install) used to connect to that data source can be anything that ADO supports to
open a connection. This can be a DSN, or a DSN-less connection string. For more information on
ADO connection strings, search the MSDN library at http://msdn2.microsoft.com/en-us/library/default.aspx;
also see Microsoft support article 193332: http://support.microsoft.com/?kbid=193332.
Auditing Database Errors and Logging
The Server detects errors that occur while trying to connect to the ARM database and can detect errors
returned from the database while attempting to perform transactions, including SQL INSERT and
UPDATE statements. If an error is detected while connecting to the database or when performing a
transaction on the database (SQL INSERT, UPDATE, etc.) you can configure the Server to send a
notification to a specified email address.
The Server also generates a Windows Event Log notification when there is an ARM database error. The
log entry indicates whether auditing stopped or if the auditing data is being stored to a log file.
Once the database access is lost, either due to a connection error or transaction (INSERT or UPDATE)
error, resumption of auditing to the database requires a restart of the Server or a RECONNECT request
by the administrator. If the Server is configured to stop auditing, the administrator must repair the
database, and then restart Secure FTP Server or use RECONNECT to resume auditing to the database.
Logging to a Text File
If the Server has been configured to log the SQL statements to a text file, the Server continues to use the
text file until either the Server is restarted or until a RECONNECT request is made by the administrator.
The administrator is notified by email that the logging has been switched to the text file. The Secure FTP
Server administrator can then repair the database, resume auditing to the database, and load the
recorded text file SQL statements into the database. To ensure the completeness of the audit data, the
SQL statements in the text file must be loaded into the database before executing reports over the period
SQL transactions were logged to the text file.
If you click Reconnect to resume auditing to the database while the Server is recording auditing
information to the text file, the Server continues to log file transfers and/or user sessions that are in
progress to that text file. New file transfers and new user sessions are logged in the
database, but any in-progress transfers/user sessions are logged to the text file to ensure they can be
inserted and linked appropriately in the database.
Auditing Database Recovery
Note:
The SQL statements logged in the text file must be loaded into the database before any reports are
run.
If the Server is disconnected from the SQL database and is configured to save auditing
information to the log file, do the following:
1. Solve the connection problem.
2. Repair the database, and insert the data from the text file into the SQL database. Be sure to
insert the data only once, otherwise the auditing data will be corrupted.
3. In the Administrator, connect to the server, then click the Server tab.
4. In the left pane, click the Server you want to configure.
5. In the right pane, click the Server Options tab.
6. Under Database Audit Settings, click Test Connection to test the status of the database
connection. (You must click Apply to apply any changes first.)
7. To reconnect to the database, click Reconnect.
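As an added example (not GlobalSCAPE code), the following script loads the text-file SQL statements into the database exactly once, refusing a repeat load of the same file instead of duplicating audit rows, and rolling the whole load back if any statement fails. It uses SQLite as an offline stand-in for the ARM SQL Server database; the one-statement-per-line file layout, the ledger table name and the stand-in tbl_ProtocolCommands columns are assumptions, since the guide does not document the text file's format.

```python
"""Load the ARM text-file SQL statements into the database exactly once.

Added example, not GlobalSCAPE code. SQLite stands in for the ARM SQL Server
database, the text file is assumed to hold one statement per line (assumption:
the guide does not document the format), and the ledger table name and the
stand-in tbl_ProtocolCommands columns are constructed for the demo.
"""
import hashlib
import sqlite3

LEDGER_TABLE = "arm_textfile_loads"  # constructed name, not part of ARM


class AlreadyLoaded(Exception):
    """Raised when a file with identical content was loaded earlier."""


def ensure_ledger(conn):
    """Create the ledger that remembers which files were already loaded."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS %s ("
        "sha256 TEXT PRIMARY KEY, source TEXT, statements INTEGER)"
        % LEDGER_TABLE)


def load_logged_sql(conn, sql_text, source):
    """Execute every statement in sql_text inside one transaction and record
    the file's SHA-256 in the ledger. Returns the number of statements run.
    A second call with the same content raises AlreadyLoaded, and any
    database error rolls the whole load back so no half-loaded file exists."""
    ensure_ledger(conn)
    digest = hashlib.sha256(sql_text.encode("utf-8")).hexdigest()
    row = conn.execute("SELECT source FROM %s WHERE sha256 = ?" % LEDGER_TABLE,
                       (digest,)).fetchone()
    if row:
        raise AlreadyLoaded("%s was already loaded as %s" % (source, row[0]))
    # Skip blank lines and "--" comment lines; drop the trailing semicolon.
    statements = [line.strip().rstrip(";") for line in sql_text.splitlines()
                  if line.strip() and not line.lstrip().startswith("--")]
    try:
        for stmt in statements:
            conn.execute(stmt)
        conn.execute("INSERT INTO %s VALUES (?, ?, ?)" % LEDGER_TABLE,
                     (digest, source, len(statements)))
        conn.commit()
    except sqlite3.Error:
        conn.rollback()  # a partial load would corrupt the audit trail
        raise
    return len(statements)


# Constructed sample: two logged INSERTs such as the Server might have written
# while the database was unreachable (column names are stand-ins).
SAMPLE_LOG = """-- ARM statements logged while the database was down
INSERT INTO tbl_ProtocolCommands (Command, FileName) VALUES ('sent', '/in/a.txt');
INSERT INTO tbl_ProtocolCommands (Command, FileName) VALUES ('dele', '/in/b.txt');
"""

# Constructed sample whose second statement fails, to show the rollback.
BAD_LOG = """INSERT INTO tbl_ProtocolCommands (Command, FileName) VALUES ('mkd', '/in/c');
INSERT INTO no_such_table VALUES (1);
"""


def demo():
    """Load SAMPLE_LOG twice and BAD_LOG once; returns (statements run on the
    first load, rows after it, second load refused, rows after BAD_LOG)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_ProtocolCommands (Command TEXT, FileName TEXT)")
    first = load_logged_sql(conn, SAMPLE_LOG, "arm_log_1.sql")
    try:
        load_logged_sql(conn, SAMPLE_LOG, "arm_log_1.sql")
        refused = False
    except AlreadyLoaded:
        refused = True
    rows = conn.execute("SELECT COUNT(*) FROM tbl_ProtocolCommands").fetchone()[0]
    try:
        load_logged_sql(conn, BAD_LOG, "arm_log_2.sql")
    except sqlite3.Error:
        pass  # the 'mkd' row from BAD_LOG must have been rolled back
    rows_after_bad = conn.execute(
        "SELECT COUNT(*) FROM tbl_ProtocolCommands").fetchone()[0]
    return first, rows, refused, rows_after_bad


if __name__ == "__main__":
    print(demo())
```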
Auditing and Reporting Result Codes
The ARM captures the following transaction information from the Server, which appears in the ARM
database and reports:
Actions
ResultID  Description                                           Result Const
0         If the event action is successfully executed          EAR_SUCCESS
1         If the event action fails                             EAR_FAIL
2         If STOP Processing this rule is selected as action    EAR_STOP_RULE
4         If STOP processing more rules is selected as action   EAR_STOP_ALL
Note:
Stop processing this rule and Stop processing more rules can be combined, in which case the
value is the sum of the two individual values, that is, 6.
SocketConnection
ResultID  Description                                   Result Const
0         When socket successfully created              ER_NONE
8         Per Site socket connection limit exceeded     ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_SITE
9         Max connections per IP limit exceeded         ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_IP
10        The IP is restricted in the IP access list    ER_CONNECT_FAILED_RESTRICTED_IP
11        The IP is banned                              ER_CONNECT_FAILED_BANNED_IP
Authentications
ResultID  Description                                    Result Const
0         Authentication successful                      LR_OK
1         Incorrect password                             LR_PASSWORD_NOT_ACCEPTED
2         If User account is disabled                    LR_ACCOUNT_DISABLED
3         Max connections per Site limit exceeded        LR_TOO_MANY_CONNECTIONS_PER_SITE
4         Max connections per user limit exceeded        LR_TOO_MANY_CONNECTIONS_PER_USER
5         User level per IP connection limit exceeded    LR_TOO_MANY_CONNECTIONS_PER_IP
6         If given protocol is not supported             LR_PROTOCOL_NOT_SUPPORTED
7         Connection on restricted IP                    LR_RESTRICTED_IP
8         If service is unavailable                      LR_SERVICE_UNAVAILABLE
ClientOperations
ResultID  Description                                      Result Const
1         If copy/move/download operation is successful    TRUE
0         If copy/move/download operation fails            FALSE
CustomCommands
ResultID  Description                                          Result Const
0         Command executed successfully                        CER_OK
1         Command executed with socket output                  CER_SYNC
2         Access is denied                                     CER_ACCESS_DENIED
3         Command is not found                                 CER_COMMAND_NOT_FOUND
4         Could not launch the selected process                CER_PROCESS_FAILED
5         Command is disabled                                  CER_COMMAND_DISABLED
6         Errors in parameters passed to the custom command    CER_ERROR_IN_PARAMS
ProtocolCommands
ProtocolCommands are the same as FTP result codes. Below is a short summary.
ResultID  Description
1xx       Expected another reply before proceeding with a new command
2xx       Requested action completed successfully
3xx       On hold pending receipt of further information
4xx       Temporary failure
5xx       Permanent failure
Transaction Information
The ARM captures the following transaction information:
Socket Connections
• Timestamp
• Remote IP
• Remote Port
• Local IP
• Local Port
• Site Name
• Result
Authentication Operations
• Timestamp
• Remote IP
• Remote Port
• Local IP
• Local Port
• Protocol
• Site Name
• User name
• Password Hash
• Settings Level Membership
• Group Membership
• Result
Protocol Operations
• Timestamp
• Remote IP
• Remote Port
• Local IP
• Local Port
• Protocol
• Site Name
• Command / Operation
• Result
• File Name
• Virtual Folder Name
• Physical Folder Name
• Bytes Transferred
Custom Command
• Timestamp
• Site Name
• Command Name
• Command Parameters (delimited in a single field)
• Execution time
• Result
Event Trigger
• Timestamp
• Site Name
• Event Name
• Event Type (file upload, monitor folder, etc.)
• Matching Condition values, if there is a condition on the event. For example, the filename that
matches a virtual path mask condition, or the folder that triggers a MONITOR FOLDER event.
• Result
• Transaction ID (unique)
Event Actions
• Timestamp
• Site Name
• Event Name
• Action Types such as move, copy, OpenPGP, and send email.
• Action Parameters - these are runtime values passed to the action, not the replacement
variables.
• Failed Action Flag - This is captured if this action is the result of a FAILURE sequence on a prior
action.
• Action Result Code
• Result
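As an added example (not GlobalSCAPE code), the script below decodes the Actions result codes, including the summed STOP values, and scans constructed Authentication Operations and Socket Connections rows for repeated failed logins per Remote IP and for socket connections with no matching authentication attempt, the condition behind the Security-FailedLogins report. The result constants are the ones in the tables above; the row dictionaries, their key names, the time window and the threshold are assumptions, and the real ARM table and column names are not used.

```python
"""Decode ARM result codes and scan constructed audit rows.

Added example, not code from the GlobalSCAPE product. The result constants
come from the Auditing and Reporting Result Codes tables; the row dicts below
are constructed sample data whose keys mirror the Transaction Information
fields. The real ARM table and column names are not assumed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Authentications result codes (ResultID -> Result Const).
LOGIN_RESULTS = {
    0: "LR_OK",
    1: "LR_PASSWORD_NOT_ACCEPTED",
    2: "LR_ACCOUNT_DISABLED",
    3: "LR_TOO_MANY_CONNECTIONS_PER_SITE",
    4: "LR_TOO_MANY_CONNECTIONS_PER_USER",
    5: "LR_TOO_MANY_CONNECTIONS_PER_IP",
    6: "LR_PROTOCOL_NOT_SUPPORTED",
    7: "LR_RESTRICTED_IP",
    8: "LR_SERVICE_UNAVAILABLE",
}

# Actions result codes. Only the two STOP values combine (by summation), so
# a ResultID of 6 means both EAR_STOP_RULE and EAR_STOP_ALL were selected.
EAR_SUCCESS, EAR_FAIL, EAR_STOP_RULE, EAR_STOP_ALL = 0, 1, 2, 4


def decode_action_result(result_id):
    """Return the Result Const names encoded in an Actions ResultID."""
    if result_id == EAR_SUCCESS:
        return ["EAR_SUCCESS"]
    if result_id == EAR_FAIL:
        return ["EAR_FAIL"]
    names, remaining = [], result_id
    for value, name in ((EAR_STOP_RULE, "EAR_STOP_RULE"),
                        (EAR_STOP_ALL, "EAR_STOP_ALL")):
        if remaining & value:
            names.append(name)
            remaining -= value
    if remaining or not names:
        raise ValueError("unknown Actions ResultID %r" % result_id)
    return names


def ips_with_repeated_failures(auth_rows, window=timedelta(minutes=10),
                               threshold=3):
    """Return {Remote IP: peak count} for IPs with at least `threshold`
    non-LR_OK authentication results inside any `window` of time."""
    failures = defaultdict(list)
    for row in auth_rows:
        if LOGIN_RESULTS[row["Result"]] != "LR_OK":
            failures[row["Remote IP"]].append(row["Timestamp"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:  # slide the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def connections_without_auth(socket_rows, auth_rows):
    """Mirror the Security-FailedLogins report: socket connections with no
    authentication attempt from the same Remote IP and Remote Port."""
    seen = {(r["Remote IP"], r["Remote Port"]) for r in auth_rows}
    return [r for r in socket_rows
            if (r["Remote IP"], r["Remote Port"]) not in seen]


# Constructed sample rows (not real audit data). Result holds the ResultID.
T0 = datetime(2008, 5, 1, 9, 0, 0)
AUTH_ROWS = [
    {"Timestamp": T0, "Remote IP": "192.0.2.10",
     "Remote Port": 51000, "User name": "jbond", "Result": 0},
    {"Timestamp": T0 + timedelta(minutes=1), "Remote IP": "198.51.100.7",
     "Remote Port": 40001, "User name": "admin", "Result": 1},
    {"Timestamp": T0 + timedelta(minutes=2), "Remote IP": "198.51.100.7",
     "Remote Port": 40002, "User name": "root", "Result": 1},
    {"Timestamp": T0 + timedelta(minutes=4), "Remote IP": "198.51.100.7",
     "Remote Port": 40003, "User name": "test", "Result": 2},
    {"Timestamp": T0 + timedelta(hours=2), "Remote IP": "198.51.100.7",
     "Remote Port": 40004, "User name": "admin", "Result": 1},
]
SOCKET_ROWS = [
    {"Timestamp": T0, "Remote IP": "192.0.2.10", "Remote Port": 51000},
    {"Timestamp": T0 + timedelta(minutes=1), "Remote IP": "198.51.100.7",
     "Remote Port": 40001},
    {"Timestamp": T0 + timedelta(minutes=5), "Remote IP": "203.0.113.9",
     "Remote Port": 33333},
]

if __name__ == "__main__":
    print(decode_action_result(6))
    print(ips_with_repeated_failures(AUTH_ROWS))
    print(connections_without_auth(SOCKET_ROWS, AUTH_ROWS))
```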
Preconfigured Reports
The Auditing and Reporting Module comes with a number of preconfigured reports that allow you to start
analyzing data right away.
The preconfigured reports described below have been selected by users as the most often needed.
Activity-All Groups(Detailed) - This is a parameterized report that searches for all deletes, creates,
uploads and downloads (sent, created, mkd, rmd, dele values of the Command column in
tbl_ProtocolCommands) for all users grouped by "user group" for the specified date range.
Activity-ByGroups(Detailed) - A parameterized report that searches for all deletes, creates, uploads and
downloads (sent, created, mkd, rmd, dele values of the Command column in tbl_ProtocolCommands) for
all users belonging to a user-specified group for the specified date range.
Activity-AllUser(Summary) - A parameterized report for the sum total of uploads and downloads for all
users for the specified date range.
Activity-AllUsers(Detailed) - Comprehensive report that displays all user activity grouped by user for
the specified date range. This report may take a long time to generate.
Activity-ByFile - A parameterized report that searches for a particular filename (or all matching filenames
if a mask provided) transferred for the specified date range. Grouped by distinct filename (in case there
are multiple matches), with all transfers (upload/download) for that particular file listed in reverse
chronological order.
Activity-ByGroup(Detailed) - This report displays the folder and file create and delete activity during a
specified period for a specific group, grouped by group name, and sorted by date in reverse chronological
order. The report displays the remote IP, protocol action, time stamp, file name, folder, bytes transferred,
and result. When you click Show Report, the Report Parameters dialog box appears asking for the group
name.
Activity-ByUser(Detailed) Group by Action - A parameterized report that searches for all file or folder
deletes, folder creates, uploads and downloads for a particular user for the specified date range. Subgrouped by the "action" performed.
Activity-ByUser(Detailed) - A parameterized report that searches for all file or folder deletes, folder
creates, uploads and downloads for a particular user for the specified date range.
Activity-ByUser(Summary) - A parameterized report for sum total of uploads and downloads for a
specified user for the specified date range.
EventRulesAction(Summary) - A report summarizing all event rules with their corresponding actions
Event Rules - Activity (Summary) - This report summarizes the event rule activity by user-defined event
name, grouped by Site name, sub-grouped by the event type, sorted by date in reverse chronological
order.
Event Rules - Inbound-Outbound By Date - This report details all offload and download actions,
grouped by Site subgrouped by action, sorted by date in reverse chronological order.
Event Rules - Inbound-Outbound By User - This report details all offload and download actions,
grouped by Site name, then by remote host IP address, then by username, sorted in reverse
chronological order.
Executive Summary Report - A report that summarizes the following for the date period specified:
a. Average transfer speed
b. Total number of downloads, uploads
c. Total bytes transferred (inbound/outbound)
d. Top 5 users (by # of connections)
e. Top 5 users (by bytes transferred)
f. Most concurrent users at any given time
Security-FailedLogins - A report of socket connections WITHOUT a corresponding authentication
attempt.
Traffic-Datewise-IPwiseBytesTransferred - Shows the sum of bytes transferred per IP over the
specified date range.
Traffic-IPWise Connections - A report detailing bytes transferred and unique connections per IP
address per site by day for the given date range.
Traffic-Most Active IP Connections - Shows sum of connections and bytes transferred per IP for the
provided date range sorted by connections in descending order.
Traffic-Most Active IP Data Transferred - Shows the sum of connections and bytes transferred per IP
for the provided date range sorted by bytes in descending order.
Traffic-Most Active Users Connections - Shows the list of users with amount of connections and bytes
transferred for the provided date range sorted by connections in descending order.
Traffic-Most Active Users Data Transferred - Shows the list of users with amount of connections and
bytes transferred for the provided date range sorted by bytes in descending order.
Traffic - Average Transfer Rates By User - A report detailing average KB/s transfer rates by user for the
specified period of time.
Traffic - Connections Summary - This report is similar to the Protocolwise Connections report except that it
is not broken down by protocol. Instead this report details bytes transferred and unique connections per
site by day for the specified date range.
Traffic - Datewise-hourly Bytes Transferred - KB transferred each hour for the specified date range.
Traffic - Monthwise-IPWise Bytes Transferred - KB transferred by month.
Traffic - Most Active IPs - Data Transferred - KB transferred per IP sorted in descending order
Traffic - Protocolwise Connections - Bytes transferred and unique connections per protocol by date for
the specified date range.
Traffic - SiteWise Hourly by User - KB transferred hourly for the specified date range.
Troubleshooting - Connection Errors - A report detailing all failed socket connections or authentication
attempts from IPs other than the local IP.
Troubleshooting - IP Address Activity (Detailed) - A parameterized report for troubleshooting by
remote IP. It prompts for an IP address and then produces a report showing all socket, authentication, and
protocol activity for that address.
Troubleshooting - Operation Errors - A report detailing all failed operations (except for list, cwd, and
size) for all protocols by site for a particular date range.
Generating a Report
The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The
built-in reports were designed to respond to the most common data analysis requests. See Preconfigured
Reports for a list of available reports.
To generate a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected
to the reports database.
2. In the left pane, click the desired report.
3. In the right pane, specify any filters.
4. Specify the date range from which you want to pull data.
5. Type the appropriate parameters/wildcards for the search if the following reports are used:
• Activity By File - Type the file name.
• Activity By Group - Type the group name.
• Troubleshooting IP address Activity - Type the IP address.
6. Click Show Report. The ARM connects to the auditing database and displays the data in the
report window.
Note:
The ARM displays the first page of the report as soon as the data is ready, then continues to load
additional pages. You can monitor the progress of loading by watching the current page/total pages
indicator on the report filter bar.
If you want to stop a report from loading, click another report in the left-hand navigation tree. This will
cancel the loading of the displayed report.
Filtering a Report
You can filter the fields in a report based on various conditions to display only the data that meet the
filtering criteria.
The Report Filters area contains two sets of combo boxes, operands (AND, OR), and a text box.
Use the second set of filters to further define the report using AND or OR.
For example, suppose you want to filter an action report so that it shows each of the files that were created by
these actions. Specify the filter as follows.
1. In the first combo box, click Action.
2. In the second combo box, click = or Contains.
3. Type created in the value text box.
4. Click Show Report.
Editing Reports
You can use the report designer to edit reports, change a layout, or redefine the data criteria.
To edit a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected
to the reports database.
2. In the left pane, click a report.
3. In the right pane, on the bottom toolbar, click Edit Report.
4. The ComponentOne custom report designer displays. Edit and build the report as desired, then
save it and return to the Administrator.
5. Query, filter, and run the report as before. Verify that your changes appear as desired.
Managing Reports
Saving a Report
You can save reports to a file and export them in the following formats: plain HTML (.html), Report File
(.vp), Portable Document Format (.pdf), or plain text (.txt).
To export a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected
to the reports database.
2. With the report displayed in the right pane, click Save As on the bottom toolbar.
3. In the Save as dialog box, specify the format and location to save the report.
Exporting Reports in XML Format
You can save the reports on your computer in the XML format and can send reports to anybody who
wants to see the report.
To export the report
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. In the left pane, click the desired report.
3. On the main menu, click Reports, then click Export Report or right-click the report and click
Export Report. The Save As dialog box appears.
4. Specify a name and a location to save the report, then click Save.
Exporting and Publishing Reports in the Report Designer
Instead of printing the report, you may want to export it into a file and distribute it electronically to your
clients or co-workers. VSReport Designer supports several export formats, listed below:
Format           Description
Paged HTML       Creates one HTML file for each page in the report. The HTML pages contain links that let
                 the user navigate the report.
Drill-Down HTML  Creates a single HTML file with sections that can be collapsed and expanded by the user by
                 clicking on them.
Plain HTML       Creates a single, plain HTML file.
PDF              Creates a PDF file that can be viewed on any computer equipped with Adobe's Acrobat
                 viewer or browser plug-ins.
VSPrinter        Creates a file using the VSPrinter control's native format. The file can be loaded, viewed,
                 and printed from a VSPrinter control within an application or Web page.
Text             Creates a plain text file.
To create an export file
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. In the left pane, click the desired report.
3. In the right pane, click Edit Report. The report opens in the Report Designer.
4. In the left pane of the Report Designer, click the report that you want to export.
5. On the File menu, click Export and use the File Save dialog box to select the type of file you
want to create, its name, and location.
Importing Reports
You can add reports to the Server by importing the XML reports from the local drive to the Server.
To import reports
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. On the main menu, click Report, then click Import or right-click the Reports node and click
Import from the shortcut menu. The Open dialog box appears.
3. Click the XML file you want to import, then click Open.
4. The report is added in the left pane under Reports.
Importing Microsoft Access Reports
One of the most powerful features of the VSReport Designer is the ability to import reports created with
Microsoft Access. This feature requires Access to be installed on the computer. Once the report is
imported into the designer, Access is no longer required.
To import reports from an Access file, click the Import button or in the File menu, select Import. A dialog
box will prompt you for the name of an Access file (MDB). After you select the file, the Designer
automatically scans it and converts all the reports into a new report definition file.
The import process works well and handles most elements of the source reports, with a few exceptions
listed below. These limitations affect a relatively small number of reports, but you should preview all
reports after importing them, to make sure they still work correctly.
• Event handler code - Access reports can use VBA, macros and forms to format the report
dynamically. VSReport Designer can do the same things, but it only uses VBScript. Because of this,
all report code needs to be translated manually.
• Form-oriented field types - Access reports may include certain fields that are not handled by the
Designer's import procedure. The field types not supported are Chart, CommandButton, ToggleButton,
OptionButton, OptionGroup, ComboBox, ListBox, TabCtl, and CustomControl.
• Reports that use VBScript reserved words - Because Access does not use VBScript, you may have
designed reports that use VBScript reserved words as identifiers for report objects or recordset field names.
This causes problems when the VBScript engine tries to evaluate the expression, and will prevent the
report from rendering correctly. Reserved words you should not use as identifiers include Date, Day,
Hour, Length, Minute, Month, Second, Time, TimeValue, Value, Weekday, and Year. For a complete
list, please refer to a VBScript reference.
• Reports that sort dates by quarter (or weekday, month of the year, etc.) - VSReport Designer
uses the ADO recordset Sort property to sort groups. This property sorts recordsets according to field
values only, and does not take expressions. (Note that you can group according to an arbitrary
expression, but you cannot sort.) An Access report that sorts groups by quarter will sort them by date
after it is imported. To fix this, you have two options. Either create a field that contains the value for
the expression you want to sort on, or change the SQL statement that creates the recordset and
perform the sorting that way.
Deleting a Report
You can delete any reports that you no longer use. Once deleted, you cannot recover the report unless
you previously exported and saved it.
To delete reports
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. In the left pane, click the report, then do one of the following:
• On the main menu, click Reports, then click Delete Report.
• Right-click the report and click Delete Report.
• Click Remove.
A confirmation message appears.
3. Click Yes to delete the report. The selected report is deleted.
Saving Report Outputs
The report can be saved as HTML, PDF, or XML.
To save reports in different formats
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. In the left pane, click the report, then do one of the following:
• On the main menu, click Reports, then click Save Report Output As.
• Right-click the report, then click Save Report Output As.
The Save As dialog box appears.
3. Navigate to the folder in which you want to save the report.
4. In the File name box, type a name for the report.
5. In the Save as type box, click the down arrow to select a format, then click Save.
Renaming a Report
You can rename the preconfigured reports and your custom reports.
To rename a report
1. In the Administrator, connect to the server, then click the Server tab. You should be connected
to the reports database.
2. Click Edit Report from the bottom toolbar. The report designer appears.
3. In the left pane, click the report name to make it editable, type your changes, then press
ENTER or click away from the edit box.
4. On the toolbar, click the Save icon, then close the Report Designer.
Note:
The new name does not immediately update in the Reports tree of the Administrator. If you double-click the report in the tree, the name will update.
Custom Reports
Ad hoc querying, sorting, filtering, and reporting can be accomplished by editing one of the existing
reports or creating a new report in the provided report editor. This tool can be launched from the Windows
Start menu or from within the Administrator.
The report editor tool bundled with ARM is a robust report designer licensed from Component One.
During the Server evaluation period, VSReport Designer is available for use as a fully functional 30-day
trial. A license for VSReport Designer is included with each purchase of ARM. After the 30-day trial, ARM
must be activated along with the Server in order to continue using VSReport Designer. Most of the main
functions of the report designer are described in this help file; however, the VSReport Designer has its
own Help file, accessed by clicking help on the main menu, or opening vsrpt8.chm in the Server
installation folder.
The VSReport Designer lets you work on existing report templates, change field locations and properties,
add various levels of grouping, sorting, etc. You can also create new reports and select ARM’s database
tables from which to retrieve data fields or paste in SQL code for advanced queries of the data source,
giving customers complete freedom in designing their report. Also styles (colors, fonts, background logo
images, etc.) can all be manipulated from within the designer. You can also import report definitions from
Microsoft Access files (MDB).
Note:
Translation of Access reports requires that Microsoft Access is installed. Once the report is imported
into the Designer, Access is no longer required.
The main Designer window includes the following:
• Report list - The left pane of the Report Designer lists all reports contained in the current report
definition file. You can double-click a report name to preview or edit the report. You can also right-click in the list to rename, copy, and delete reports.
• Preview/Design pane - The right pane is the main working area of VSReport Designer. In
preview mode, it displays the current report. In design mode, it shows the report's sections and
fields and allows you to change the report definition.
• Main Menu - The main menu is used to access submenus, load and save report definition files,
import report definitions, and print reports.
• Shortcut toolbar - Shortcuts are used to access the most common menu functions: new file,
open, import, save, print, undo/redo, cut/copy/paste, create/delete report, and help.
• View toolbar - The View toolbar allows you to easily switch between preview and design modes,
activate the design grid, and display the property and grouping windows.
• Toolbox - The Toolbox provides tools for creating report fields. This toolbar is enabled only in
design mode.
• Formatting toolbar - The Formatting toolbar provides shortcuts to tools for aligning, sizing, and
spacing report fields. This toolbar is enabled only in design mode.
• Status bar - The Status bar at the bottom of the Report Designer displays information about
what VSReport Designer is working on (e.g., loading, saving, printing, rendering, importing, etc).
Opening VSReport Designer
When you create a new report, you create it manually or use the Report Wizard. Both ways are
accomplished in the VSReport Designer, as described below.
To open VSReport Designer
1. In the Administrator, connect to the Server, click the Reports tab, then do one of the following:
• On the toolbar, click the New Reports icon.
• On the main menu, click Reports, then click New Report.
• Click the Reports tab, then click the New Reports icon on the bottom toolbar.
The New Report dialog box appears.
2. Type a title for the new report, then click Create. The Report Designer appears.
3. Do one of the following to create a report:
• Manually define the report: click the Design icon, then continue with the
instructions in Using Design Mode, Changing Field, Section, and Report Properties,
Changing the Data Source, Adding, Editing, and Deleting Fields in the Report, and
Grouping and Sorting Data.
• Use the Report Wizard: Click File, then click New Report, or click the New Report
icon on the toolbar.
Creating a Report with the Report Wizard
The easiest way to start a new report is to use the Report Wizard. The Report Wizard will help you create
a basic report, specify the data source, fields to include in the report, layout of the report, and styles or
labels to use in the report.
To use the Report Wizard
1. In the Administrator, connect to the server, then click the Server tab. You should be connected to
the reports database.
2. Do one of the following:
• On the toolbar, click the New Reports icon.
• On the main menu, click Reports, then click New Report.
• Click the Reports tab, then click the New Reports icon on the bottom toolbar.
The New Report dialog box appears.
3. Type a title for the new report, then click Create. The Report Designer appears.
4. Click File, then click New Report, or click the New Report icon on the toolbar. The New
Report Wizard opens.
5. Do one of the following:
• In the ConnectionString box, type the string used to connect to the data source.
• Click the icon next to the ConnectionString box to define the connection string. The Data Link
Properties dialog box appears.
a. On the Provider tab, click Microsoft OLE DB Provider for SQL Server as the
provider to connect to the SQL server database, then click Next.
b. In Select or enter a server name, click the arrow to select a name or type the
name of the Server.
c. In Enter information to log on to the Server, click an authentication option to
log on to the Server:
• Use Windows NT Integrated security - Your computer automatically picks
up the credentials from your computer and connects you to the database.
• Use a specific user name and password - Specify the user name and the
password to be used to log on to the Server. Select the Allow saving
password check box to save the password in the connection string.
Note:
Select the Blank password check box if the Server requires a blank password to log on the
database server. Even if you do not type any password when you create a user account on a
database server, you can select the Allow saving password check box. In this case, the Server
takes a dummy password value and saves that value in the connection string. Selecting the Blank
password check box disables the password field.
d. Click one of the following:
• Select the database on the Server, and then click a database in the list.
• Attach a database file as a database name - Click the ellipsis icon to
browse for the SQL server database file (*.mdf). The Select SQL Server
Database File dialog box appears. Select a file, then click Open. The path
to the file appears in the Using the filename box.
6. Click OK in the Data Link Properties dialog box to return to the New Report Wizard.
7. Click one of the following:
• Table to select a database table, such as tbl_EventRules.
• SQL Statement to write SQL queries, that is, SELECT Statements. For example,
SELECT * FROM tbl_actions.
8. Click Next. The fields that appear in the Available fields list depend on your selection in the
previous step. For example, if you selected tbl_EventRules, the fields for Event Rules appear.
9. Double-click a field or click it and use the arrows to move it to the Groups list. You can move
more than one field to the Groups list. Group fields define how the data is sorted and
summarized. The information in the Detail list is grouped according to the group name. The
Detail list displays the details for each group. Detail fields define the information you want to
appear in the report. For example, if you move SiteName to the Groups list and Time_stamp,
EventName, and so on to the Detail list, then the report displays the time stamp and events
under the respective Sites, considering different Sites as different groups.
Note:
You can also drag and drop the available fields into the Groups or Detail section.
10. Click Next. The layout options appear.
11. Click a layout for the report. When you select a layout, a thumbnail preview appears on the left to
give you an idea of how the layout will appear on the page. There are two groups of layouts: one
for reports with no groups defined and one for reports with group fields defined.
• If you did not define a Group field, the following options are available:
  o Columnar
  o Tabular
  o Justified
  o Labels. The Labels layout option is used to print Avery-style labels, available in a
    variety of sizes, blank or preprinted. If you select this option, the next page offers
    options for the type of label for your report.
• If you defined a Group field, the following options are available:
  o Stepped
  o Outline
  o Aligned
12. If you selected any option other than Labels, click a report orientation: Portrait or Landscape.
If you selected the Labels option, the Orientation options are disabled.
13. Select the Adjust fields to fit page check box to adjust fields in a way that they fit the page.
14. Click Next.
15. Do one of the following:
• If you specified Labels, click a type of label in the Labels list, then specify the Units
  (Metric or English) and the paper type (Sheet Feed for single sheets, or Continuous for
  continuous paper).
• If you specified anything other than Labels, specify a style for the report title.
16. Click Next.
17. Type a title for the report.
18. Do one of the following:
•
To view the report, click the Preview the report.
•
To modify the report in Design view, click the Modify the report's design.
19. Click Finish. Your new report name appears in the left pane of the Report Designer. The right
pane displays a preview of the report or the design view, depending on your selection in the
previous step.
20. Click Save to save the report.
21. Click File, then click Close to close VSReport Designer. The report appears on the Reports tab.
22. Use Design mode to add/remove fields, resize fields, add graphics, and so on.
Creating a Report in Design Mode
The New Report Wizard is used to specify a data source and basic framework for the report. To get
exactly the report you want, you can adjust and enhance the data fields and layout. The Report Designer
provides the options to modify the report to fit your needs.
To use the Report Designer design mode
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected
to the reports database.
2. Do one of the following:
• Click the report that you want to modify, then click Edit Report.
• Create a new report. (See Creating a Report with the Report Wizard for instructions.)
The report appears in the Report Designer.
3. The left pane of the Report Designer lists all reports contained in the current report definition file.
Click the report that you want to modify, then click the Design icon on the View toolbar, or on
the main menu, click View, then click Design. The right pane switches from Preview mode to
Design mode, and displays the controls and fields that make up the report.
The Report Sections
The report is divided into sections (Report Header, Page Header, Group Header, Detail, Group Footer,
Page Footer, and Report Footer) that contain the fields holding the labels, variables, and expressions
that you want in the generated report. The sections determine the appearance of the beginning and
end of the report, of each page, and of each group. The table below describes where each section
appears in the report and the sort of data that typically appears in it.

Section        Appears          Typically contains
Report Header  Once per report  The report title and summary information for the whole report
Page Header    Once per page    Labels that describe detail fields and/or page numbers
Group Header   Once per group   Fields that identify the current group and possibly aggregate
                                values for the group (e.g., total, percentage of the grand total)
Detail         Once per record  Fields containing data from the source record set
Group Footer   Once per group   Aggregate values for the group
Page Footer    Once per page    Page number, page count, date printed, report name
Report Footer  Once per report  Summary information for the entire report

You cannot directly add or delete sections: the number of groups in a report determines the number
of sections. Every report has exactly five fixed sections (Report Header/Footer, Page Header/Footer,
and Detail) plus two sections per group (a Group Header and a Group Footer).
To hide a section that you do not want to display
1. Right-click the section (or the bar above it), then click Properties. The Field Properties dialog box appears.
2. Set the Visible property to False.
To resize a section
• Click and hold the border of the section and drag it to the position where you want it.
  The rulers on the left and on top of the design window show the size of each section (excluding
  the page margins). You cannot make the section smaller than the height and width required to
  contain the fields in it. To reduce the size of a section beyond that, move or resize the fields in the
  section first, then resize the section.
To select, move, copy, and delete fields
• Press and hold SHIFT, then click fields to toggle their selection status.
• Press and hold CTRL, then drag the cursor to copy a selection.
• Click on the corners of a field to resize it.
• Press TAB to move the selection to the next field (which is handy when fields are close together).
• Press the arrow keys to move selected fields.
• Press DELETE to remove selected fields.
Note:
If you make any mistakes while moving or editing the fields, click the Undo and Redo icons.
When multiple fields are selected, you can use the buttons on the Format toolbar to align, resize, and
space them.
You can control the design grid using the Show Grid and Snap To Grid icons.
Changing Field, Section, and Report Properties
You can view and edit the properties of the objects inserted in a report.
When one or more fields are selected, the Field Properties dialog box displays only the properties and
values that all selected fields have in common, and leaves the other properties blank.
If no fields are selected and you click a section (or on the bar above a section), the selected section's
properties are displayed.
If you click the gray area in the background, the Report properties are displayed.
To view and edit an object's properties
• Double-click the object, or select the object and then do one of the following:
  o Click Property Window.
  o Press F4.
  o Right-click, then click Properties.
The Field Properties dialog box appears.
In the example below, the label in the Header section, Activity - All Group (Detailed), is selected. The
Field Properties dialog box displays the properties of the selected field.
In the Field Properties dialog box, you can change a property by changing the value of the property. For
example, you change the text color by changing the ForeColor property. You can change the field's
position and dimensions by typing new values for the Left, Top, Width, and Height properties.
The property window expresses all measurements in twips (the native unit used by the ComponentOne
report designer), but you can type in values in other units and they will be automatically converted into
twips. For example, if you set the field's Height property to "0.5in", the property window will convert it into
720 twips.
Changing the Data Source
The data source is defined by the ConnectionString, RecordSource, and Filter properties. These
regular report properties are set in the Property Window by clicking on the background area where there
are no sections. The data source is defined when you use the New Report Wizard to create the report.
To change the data source for a report
1. In the Administrator, connect to the server, then click the Reports tab. You should be connected
to the reports database.
2. Do one of the following:
• Click the report that you want to modify, then click Edit Report.
• Create a new report. (See Creating a Report with the Report Wizard for instructions.)
The report appears in the Report Designer.
3. View the report in Design mode.
4. Click the DataSource icon. The Data Source tab of the New Report dialog box appears.
5. Specify the ConnectionString and RecordSource properties, then click OK.
Adding, Editing, and Deleting Fields in the Report
VSReport Designer only has one type of field object; the icons in the Toolbox simply set the properties of
the field to make it look and act in a certain way.
Use the Toolbox to add fields to your report. Each icon creates a field and initializes the field's
properties as follows:
Name - Description
Label field - Creates a field that displays static text.
Bound field - Creates a field that is bound to the source recordset. When you click this button, a
menu appears and you can select the recordset field. Bound fields are not limited to displaying raw
data from the database. You can edit their Text property and use any VBScript expression.
Expression field - Creates a calculated field. When you click this button, the code editor dialog box
appears so you can enter the VBScript expression whose value you want to display.
Checkbox field - Creates a bound field that displays a Boolean value as a check box. By default, the
check box displays a regular check mark. You can change it into a radio button or cross mark by
changing the value of the field's Checkbox property after it has been created.
Unbound Picture field - Creates a field that displays a static picture, such as a logo. When you click
this button, a dialog box appears to prompt you for a picture file to insert in the report. A copy of
the picture you select is placed in the same directory as the report file. You must distribute this file
with the application unless you embed the report file in the application. When you embed a report
file in your application, any unbound picture files are embedded too.
Bound Picture field - Creates a field that displays a picture (or object) stored in the recordset. When
you click this button, a menu appears so you can select a picture field in the source recordset (if
there is one; not all recordsets contain this type of field).
Line field - Creates a line. Lines are often used as separators.
Rectangle field - Creates a rectangle. Rectangles are often used to highlight groups of fields or to
create tables and grids.
Subreport field - Creates a field that displays another report. When you click this button, a menu
appears and you can select other reports that are contained in the same report definition file.
Page Break field - Creates a field that inserts a page break.
Note:
Bound and expression fields evaluate VBScript when the report is rendered, so a report definition
file is executable content. Only load report definitions from sources you trust, and restrict who can
edit the report definition file used by the Server.
After you click any of these icons, drag the mouse over the report and the cursor will change into a
crosshair. Click and drag to define a space that the new field will occupy, and then release the button to
create the new field. If you change your mind, press ESC or click the arrow button to cancel the
operation.
You can also add fields by copying and pasting existing fields, or by holding down the control key and
dragging a field or group of fields to a new position to create a copy.
To add, edit, or delete fields in a report
1. In the Report Designer, click View, then click Design, or click the Design icon on the toolbar. The
report opens in Design mode.
2. Follow the procedures below depending on the fields that you want to add, edit, or delete.
To draw a line
• Click Line, then drag the cursor where you want to draw a line.
To draw a rectangle
• Click Rectangle, then drag the cursor where you want to draw a rectangle.
To add or edit text
1. Insert a rectangle, or double-click or right-click an existing rectangle, then click Properties. The
Field Properties dialog box appears.
2. Scroll to Text in the Property column, click the Value column, then type the text; press ENTER.
To add labels
• Click Label, then drag the pointer to draw a box in the report at the place where you want to add a
  label. Name the label, then specify its font, color, and other properties. You can click and drag the
  label to adjust its placement in the report.
To add data fields
• Click Data field, then draw a box on the report. Change the properties of the data field by
  right-clicking it, then clicking Properties.
To create a VBScript expression
1. Click Calculated field on the toolbar. The VBScript Editor appears.
2. Type the VBScript expression. For example, type:
=count (Transaction ID)
3. Click OK.
4. Drag the pointer and place it under the respective field where you want the result to display.
5. Click the Preview icon on the toolbar to view the result.
To insert images
1. Click Picture. The Open dialog box appears.
2. Click an image, then click Open.
3. Drag the cursor to draw a box where you want the image to appear.
To delete fields
•
Click the field, then press DELETE.
Grouping and Sorting Data
After designing the basic layout, you may decide that grouping the records by certain fields or other
criteria would make the report easier to read. Grouping allows you to separate groups of records visually
and display introductory and summary data for each group. The group break is based on a grouping
expression. This expression is usually based on one or more recordset fields, but it can be as complex as
you like.
Groups are also used for sorting the data, even if you do not plan to show the Group Header and Footer
sections.
The bar across the top of each section contains some useful tools and information about the section:
The indented box with a minus sign or a plus sign to the left of the section is used to collapse and
expand the section. This feature is useful when you are designing the report, because it lets you see a
group's header and footer on the same screen without scrolling. Collapsing or expanding a section has
no effect on how it is rendered in the report.
In the picture above, to the left of Group Header, an indented circle indicates that the section
currently has zero height. You can drag the divider line down to increase the section's Height property.
The triangle to the left of Group Header indicates the group's sorting order. You can click this icon to
open the Sorting and Grouping dialog box. The labels to the right of the icons are the section name and,
for group headers, the value of the group's GroupBy property (in this example, Country).
To add, edit, reorder, or delete groups in the report
1. Click the Sorting and Grouping icon, or click View, then click Grouping Window, or click the
triangle to the left of the group header. The Sorting and Grouping dialog box appears.
2. Use this dialog box to create, edit, reorder, and delete groups.
To create a new grouping condition
1. In the Group On column, click an empty row and type a name. For complex grouping, type an
expression instead of a simple field name. For example, you could use "Country" to group by
country or "Left(Country, 1)" to group by country initial.
2. In the Sort column, click the drop-down arrow to select the sort order you want to use for
grouping the data (Ascending, Descending, or None).
3. In the Header, Footer, and Keep Together columns, specify whether the new group will have
visible Header and Footer sections, and whether the group should be rendered together (No,
With first detail, or Whole Group) on a page.
Note:
You cannot use memo or binary (object) fields for grouping and sorting. This is a limitation imposed
by OLEDB.
4. After you enter some data for the first group, a new blank row is appended to the list, so you can
keep creating new groups. If you add more groups, you can change their order by clicking on the
leftmost gray cell in the row and dragging the row to a new position. This will automatically adjust
the position of the Group Header and Footer sections in the report.
5. To delete a group, click its row, then press DELETE.
6. Click OK. The changes appear in the Designer.
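The following Python is an added example, not code from Secure FTP Server (FIPS) or the ComponentOne report designer. It renders a small constructed recordset through the section structure described above (Report Header, Group Header, Detail, Group Footer, Report Footer) using grouping rows like those in the Sorting and Grouping dialog box: a grouping expression (a plain field or a derived value such as Left(Country, 1)), a sort order, and a visible or hidden Header and Footer. The field names SiteName, Country and EventName, the sample rows, and the treatment of a sort order of None as "groups in order of first appearance" are assumptions made for the example.

```python
"""Toy report renderer: grouping expressions, sort order and the
Group Header / Detail / Group Footer sections working together.

Added example; not code from Secure FTP Server (FIPS) or the ComponentOne
report designer. Field names and sample rows are constructed.
"""
from typing import Any, Callable, Dict, List, Tuple

Record = Dict[str, str]
Section = Tuple[str, Any]  # (section name, payload)

# Constructed sample recordset (assumed field names, not real ARM data).
RECORDS: List[Record] = [
    {"SiteName": "West", "Country": "US", "EventName": "Login"},
    {"SiteName": "East", "Country": "UK", "EventName": "Upload"},
    {"SiteName": "West", "Country": "CA", "EventName": "Download"},
    {"SiteName": "East", "Country": "US", "EventName": "Logout"},
    {"SiteName": "West", "Country": "UK", "EventName": "Delete"},
]


def left(value: str, n: int) -> str:
    """Equivalent of the VBScript Left() used in grouping expressions."""
    return value[:n]


class Group:
    """One row of the Sorting and Grouping dialog box.

    key    - grouping expression evaluated per record (field or derived value)
    sort   - "Ascending", "Descending" or "None"
             ("None" keeps groups in order of first appearance; an assumption)
    header - whether the group has a visible Group Header section
    footer - whether the group has a visible Group Footer section
    """

    def __init__(self, name: str, key: Callable[[Record], Any],
                 sort: str = "Ascending", header: bool = True,
                 footer: bool = True) -> None:
        if sort not in ("Ascending", "Descending", "None"):
            raise ValueError("sort must be Ascending, Descending or None")
        self.name, self.key = name, key
        self.sort, self.header, self.footer = sort, header, footer


def _group_keys(records: List[Record], group: Group) -> List[Any]:
    """Distinct group values in the order they should be rendered."""
    keys: List[Any] = []
    for r in records:
        k = group.key(r)
        if k not in keys:
            keys.append(k)
    if group.sort == "Ascending":
        keys.sort()
    elif group.sort == "Descending":
        keys.sort(reverse=True)
    return keys


def _render_groups(records: List[Record], groups: List[Group]) -> List[Section]:
    """Emit Group Header, then nested groups or Detail rows, then Group Footer."""
    if not groups:
        return [("Detail", r) for r in records]
    group, rest = groups[0], groups[1:]
    out: List[Section] = []
    for k in _group_keys(records, group):
        members = [r for r in records if group.key(r) == k]
        if group.header:
            out.append(("GroupHeader", (group.name, k)))
        out.extend(_render_groups(members, rest))
        if group.footer:
            # Group footers carry aggregates; here the record count.
            out.append(("GroupFooter", (group.name, k, len(members))))
    return out


def render_report(records: List[Record], groups: List[Group],
                  title: str = "Activity") -> List[Section]:
    """Wrap the grouped body in the fixed Report Header and Report Footer.

    Page Header/Footer are omitted because this example does not paginate.
    """
    body = _render_groups(records, groups)
    return [("ReportHeader", title)] + body + [("ReportFooter", len(records))]


def detail_events(sections: List[Section]) -> List[str]:
    """EventName of every Detail row, in rendered order."""
    return [p["EventName"] for name, p in sections if name == "Detail"]


if __name__ == "__main__":
    groups = [
        Group("SiteName", lambda r: r["SiteName"]),
        Group("CountryInitial", lambda r: left(r["Country"], 1)),
    ]
    for section in render_report(RECORDS, groups):
        print(section)
```

Rendering with the Group Header and Footer hidden still changes the order of the Detail rows, which is the point made above: groups sort the data even when their sections are not displayed.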
Getting Help
GlobalSCAPE® Support Center
For fast answers to most questions, please visit the GlobalSCAPE Help Center. Our Customer Service
team can answer your questions about software activation and registration or help with order problems. If
you need technical assistance with your software, please submit your question to the Technical Support
team.
•
The GlobalSCAPE User Forum is a great place to find information or seek help from the global
community of GlobalSCAPE customers and product experts.
•
The GlobalSCAPE Knowledge Base (KB) is a dynamic compendium of information on our
products.
•
Subscribe to the RSS feed to keep abreast of the latest KB articles. Copy and paste this URL
http://kb.globalscape.com/rssfeed.aspx into your RSS feed reader. (See below for examples.)
•
Subscribe to GlobalSCAPE Email Announcements Sign up for the GlobalSCAPE Newsletter,
press releases, product announcements, and other GlobalSCAPE news.
•
Recover a Lost Serial Number - If you know the email address you used when you activated the
software, we can send it to you at your new address.
•
Contact Customer Service by phone or email.
•
Contact Sales by calling 1-800-290-5054 or 1-210-308-8267, or use the online submission form.
Sales representatives are available 8:00 a.m. to 6:00 p.m. (US Central Time) Monday through
Friday, excluding major US holidays.
•
Order Status - Complete the online email form to request information about your order.
•
Support pages provide downloads, documentation, activation instructions, and the latest news
regarding GlobalSCAPE products.
To add the GlobalSCAPE Knowledge Base RSS feed to your Google home page
Note:
The procedures below are provided as an example; see your feed reader's online help for specific
instructions.
1. Sign in to your Google home page, then, in the upper right area of the page, click Add Stuff.
2. At the top center of the page, to the right of Search Homepage Content, click Add by URL. The
Add by URL form appears.
3. In the text box, provide the URL of the RSS feed, http://kb.globalscape.com/rssfeed.aspx, then
click Add.
4. In the upper left corner, click Back to Homepage. The GlobalSCAPE RSS feed appears on your
home page.
To add the RSS feed to Microsoft Outlook 2007
1. On the Tools menu, click Account Settings.
2. On the RSS Feeds tab, click New.
3. In the New RSS Feed dialog box, type or paste the URL of the RSS Feed. For example,
http://kb.globalscape.com/rssfeed.aspx.
4. Click Add.
5. Click OK.
Note:
Microsoft Office Online provides a tutorial on RSS feeds.
Finding Information in the Help
You can find information in the Help in several ways:
•
Hyperlinks - Clickable text that opens another topic or a Web page
•
Related Topics - Listed at the bottom of many topics, lists other topics relevant to the current
topic
•
Expanding text - When you click an expanding hotspot, more information is displayed
immediately to the right of the hotspot (like this). To hide the text, click the hotspot again.
Note:
Expanding glossary hotspots are Dynamic HTML effects and require Internet Explorer 5.0 or later.
Dynamic HTML effects are not supported by Netscape Navigator.
•
Using the Contents, Search, Index, or Favorites tabs:
Contents - View the table of contents; click a main heading (represented by a book icon) to
display pages that link to topics, and click each sub heading (represented by a page icon) to
display the corresponding topic in the right pane.
Search - Locate words or phrases within the content of the topics. Type the word or phrase in
the text box, press ENTER, then click the topic you want from the list of topics.
Index - View an alphabetical listing of every topic in the help file.
Favorites - Add a frequently viewed topic to the Favorites tab in the application's help. (This
option is only available in the application's help, not online help.) Click Add to add the
topic you are viewing to the Favorites tab. To remove a topic, click the topic, then click
Remove. To display a topic, double-click it, or click the topic, then click Display.
To print a Help topic:
1. Do one of the following:
•
On the toolbar, click the Printer icon.
•
Right-click in the topic (in the right pane), then click Print.
The Print dialog box for your operating system appears.
2. Click Print. The topic is printed to the specified printer.
Using the Knowledge Base
GlobalSCAPE's Knowledge Base, http://kb.globalscape.com, provides information in HOW TOs, FAQs,
and other types of articles. Many of the articles are created as a result of assisting customers with
configuration and troubleshooting.
Search Tips:
•
For the most comprehensive search for articles specific to Secure Server, type secure server,
then click Go.
•
To narrow your search, in the Within drop-down menu, click Secure FTP Server.
•
To only find certain types of articles (FAQ, HOWTO, INFO, etc.), in the Type drop-down menu,
click an article type.
•
In the Search area, the options apply to where it searches, not the display of results. That is, if
you search for secure ftp server and then click Article ID, no results are returned, since
Article IDs are numbers. So, if you wanted to search for an article ID 10070, in the For solutions
containing box type 10070, click Article ID, then click Go.
•
To search for your keyword only in article titles, click Article Title Only.
•
To search only for articles going back a certain length of time (e.g., 3 days ago, last year), click
the Maximum Age drop-down menu, then click the interval.
•
After your search results display, at the bottom left of the page, you can click a drop-down menu
to choose to display from 10 to 100 results per page, then click Update.
Server License Information
When you contact GlobalSCAPE Customer Support for assistance, you might be asked to provide your
Server License Information. The Server License Information is available in the About dialog box:
•
On the main menu, click Help, then click About GlobalSCAPE Secure FTP Server (FIPS). The
About dialog box appears.
To copy the license information to the clipboard, click anywhere within the Server License Information
box, then click Copy. You can then paste that information into a text document or email to send to
support.