EFT v7.2 INSTALLATION, ADMINISTRATION



ENHANCED FILE TRANSFER™ v7.2

INSTALLATION, ADMINISTRATION, & USER GUIDE

GlobalSCAPE, Inc. (GSB)

Corporate Headquarters

Address: 4500 Lockhill-Selma Road, Suite 150, San Antonio, TX (USA) 78249

Sales: (210) 308-8267

Sales (Toll Free): (800) 290-5054

Technical Support: (210) 366-3993

Web Support: http://www.globalscape.com/support/

© 2008-2015 GlobalSCAPE, Inc. All Rights Reserved

December 21, 2015

Table of Contents

Introduction to EFT™ Managed File Transfer ............................................................................................. 23

What's New? ......................................................................................................................................... 25

EFT™ SMB and Enterprise Feature Comparison ................................................................................ 27

System Requirements and Specifications ............................................................................................ 32

Getting Started with EFT™ Administration ........................................................................................... 32

Getting Help ................................................................................................................................................ 33

Finding Information in the Help ............................................................................................................. 33

Searching the Help File or globalscape.com ................................................................................. 34

Printing a Help Topic ...................................................................................................................... 34

Sharing Topic Links ........................................................................................................................ 35

Using the Knowledgebase .................................................................................................................... 36

Server License Information ................................................................................................................... 36

Installing, Upgrading, and Activating ........................................................................................................... 39

EFT Deployment Scenarios .................................................................................................................. 39

EFT HA (Active-Active) Deployment ............................................................................................

Consider the facts below when creating an HA cluster ...........................................................

Non-High Availability mode vs. High Availability mode EFT ....................................................

System Requirements .......................................................................................................................... 44

EFT (Server Service) Requirements .............................................................................................. 44

EFT Administration Interface Requirements .................................................................................. 44

Auditing and Reporting Module (ARM) Requirements ................................................................... 45

AS2 Module Requirements ............................................................................................................ 45

DMZ Gateway Requirements ......................................................................................................... 45

Web Transfer Client (WTC) Requirements .................................................................................... 45

Mobile Transfer Client (MTC) System Requirements .................................................................... 45

Mail Express Requirements ........................................................................................................... 46

EFT Specifications ................................................................................................................................ 46

Maximum Capacity for EFT ........................................................................................................... 47

Configuration and Security Best Practices ........................................................................................... 47

Development Lab Environment ...................................................................................................... 47

Configuration Checklist .................................................................................................................. 48

Security Best Practices Checklist .................................................................................................. 49

Prescriptive Guidance for Maintenance ......................................................................................... 51

Procedure for Cold Standby Setup ................................................................................................ 52

iii

EFT v7.2 User Guide

Installing EFT, Administration Interface, and Modules ......................................................................... 53

Installing the Administration Interface Remotely .................................................................................. 67

File Locations ........................................................................................................................................ 75

Activating the Software (EFT and Add-On Modules) ........................................................................... 75

Activating DMZ Gateway® in EFT™ ........................................................................................................ 77

DMZ Gateway and EFT Trial and Activation Interaction ................................................................ 78

Release Notes/Version History ............................................................................................................. 78

Modifying or Repairing the Installation ................................................................................................. 78

Uninstalling the Software ...................................................................................................................... 80

Windows Account for the EFT Service ................................................................................................. 81

Creating a Windows User Account for EFT ................................................................................... 81

Set Windows NT Permissions for EFT ........................................................................................... 82

Assigning the Service to a Windows User Account ....................................................................... 83

Registry Settings................................................................................................................................... 83

Running EFT and Microsoft IIS on the Same Computer ...................................................................... 84

"Unexpected Error 0x8ffe2740 Occurred" Message When You Try to Start EFT ......................... 85

Running a Microsoft .NET Web Application in 32-bit Mode in IIS 6.0 on a 64-bit Server .................... 85

Error in ASP.NET Registration ............................................................................................................. 85

Extending the Trial ................................................................................................................................ 86

Silent Command-Line Installation ......................................................................................................... 87

Installation Logging ............................................................................................................................... 88

Debug Logging ............................................................................................................................... 88

EFT Administration Interface (AI) ................................................................................................................ 89

Introduction to the Administration Interface .......................................................................................... 89

Main Menu and Toolbar ........................................................................................................................ 90

Server Tab ............................................................................................................................................ 95

Server Tab of the Administration Interface ...................................................................................... 95

General Tab of a Server................................................................................................................. 98

Administration Tab of a Server ...................................................................................................... 99

Security Tab of the Server ........................................................................................................... 100

Logs Tab of a Server .................................................................................................................... 101

SMTP Tab of a Server ................................................................................................................. 102

High Availability Tab of a Server .................................................................................................. 103

DMZ Gateway Tab ....................................................................................................................... 104

Content Integrity Control Tab of a Server .................................................................................... 105


Report Tab of the Administration Interface ......................................................................................... 107

VFS Tab of the Administration Interface ............................................................................................ 108

Status Tab of the Administration Interface ......................................................................................... 109

Site Tabs ............................................................................................................................................. 111

General Tab of a Site ................................................................................................................... 111

Connections Tab of a Site ............................................................................................................ 113

Security Tab of a Site ................................................................................................................... 114

Workspaces Tab of a Site ............................................................................................................ 115

Settings Templates Tabs .................................................................................................................... 115

General Tab of the Settings Template ......................................................................................... 116

Connections Tab of the Settings Template .................................................................................. 117

Security Tab of the Settings Template ......................................................................................... 118

User Tabs ........................................................................................................................................... 118

General Tab of a User Node ........................................................................................................ 118

Connections Tab (User Node) ..................................................................................................... 120

Security Tab (User) ...................................................................................................................... 121

User Icons .................................................................................................................................... 122

Status Bar ........................................................................................................................................... 122

Keyboard Shortcuts ............................................................................................................................ 122

Administration Interface Session Timeout .......................................................................................... 122

Closing the Administration Interface ................................................................................................... 123

Server Configuration and Administration .................................................................................................. 125

Configuring Server Administrators ...................................................................................................... 125

Delegated Administration ............................................................................................................. 125

Administrator Permission Matrix .................................................................................................. 128

Active Directory-Based Administration ......................................................................................... 131

Local Computer Administrators Group ......................................................................................... 131

Adding Server Administrators ...................................................................................................... 132

Enforcing Complex Passwords for Administrator Accounts ......................................................... 134

Changing an Administrator Password .......................................................................................... 136

Administrator Account's Access Rights ....................................................................................... 137

Enforcing Password History for Administrators ........................................................................... 137

Enforcing Password Reset for Administrator Accounts ............................................................... 138

Expiring Administrator Passwords ............................................................................................... 139

Locking Out an Administrator Account ......................................................................................... 139

Removing Inactive Administrator Accounts ................................................................................. 140

Resetting the EFT Administrator Password ................................................................................. 141


Erasing EFT Configuration ........................................................................................................... 142

Account Security Settings Dialog Box .......................................................................................... 142

Configuring EFT.................................................................................................................................. 143

Configure the First EFT Connection ............................................................................................ 144

New (Remote) Connection ........................................................................................................... 153

Listening IP Address and Port ............................................................................................................ 163

IP Access for Remote Administration ................................................................................................. 165

Remote Administration ....................................................................................................................... 167

Remote Administration FAQ ........................................................................................................ 172

Specifying a New Local or Remote Server ......................................................................................... 173

Creating, Renaming, and Deleting Server Groups ............................................................................. 174

Backing Up or Restoring Server Configuration .................................................................................. 175

Logging In to Administer EFT ............................................................................................................. 181

Command Line Login ......................................................................................................................... 182

Logging Out of EFT in the Administration Interface ........................................................................... 183

Starting and Stopping EFT Remotely ................................................................................................. 183

Starting and Stopping EFT ................................................................................................................. 184

Administering the EFT Service ........................................................................................................... 185

Connection Problems ......................................................................................................................... 186

Server Statistics .................................................................................................................................. 186

Renaming, Deleting, and Moving a Server ......................................................................................... 188

Copying an EFT Configuration to Several Computers ....................................................................... 189

EFT Messages .................................................................................................................................... 191

Default Paths ...................................................................................................................................... 193

Monitoring Connections to EFT .......................................................................................................... 194

Audit Database Settings ..................................................................................................................... 195

Configuring SMTP Server Settings..................................................................................................... 196

Default Time Stamp ............................................................................................................................ 197

IPv6 Support in EFT ........................................................................................................................... 198

IDN Support in EFT ............................................................................................................................ 201

Unicode Exceptions ............................................................................................................................ 202

High Availability Message Queuing .................................................................................................... 208

EFT Logging and Visibility......................................................................................................................... 209

Client Log ............................................................................................................................................ 209

EFT.log File ........................................................................................................................................ 211

Logger Hierarchy .......................................................................................................................... 211

Log Levels .................................................................................................................................... 213


Appenders .................................................................................................................................... 213

High Availability Logging .............................................................................................................. 214

Log Format, Type, and Location......................................................................................................... 214

EFT in the Windows Event Viewer ..................................................................................................... 219

Authentication ........................................................................................................................................... 219

EFT Authentication Database (.AUD) .......................................................................................... 220

Automatically Updating the User Authentication Database ................................................................ 220

Globalscape EFT™ Authentication .................................................................................................... 221

Changing the Path to the .aud File .............................................................................................. 221

Specifying the Client Home Folder .............................................................................................. 222

Changing Windows Authentication Options ..............................................................................................

Local Security Policy Setting when Using Active Directory Authentication ........................................ 225

Support for Foreign Groups ................................................................................................................ 227

Removing Domain from the User Folder Name ................................................................................. 228

Understanding LDAP Authentication .................................................................................................. 233

Advanced LDAP Filtering ................................................................................................................... 233

Connecting to an LDAP Server .......................................................................................................... 235

Changing and Testing LDAP Authentication Options......................................................................... 236

User Home Folders on an LDAP-Authenticated Site ......................................................................... 239

Common Access Card (CAC) Authentication ..................................................................................... 239

Configuring CAC on an Existing LDAP Site ....................................................................................... 240

Using an ODBC Data Source for User Authentication ....................................................................... 241

Using a DSN-Less Connection with ODBC Authentication ................................................................ 243

Changing ODBC Authentication Options ........................................................................................... 245

User Home Folders on an ODBC-Authenticated Site ........................................................................ 245

Creating Tables for Your ODBC Data Source .................................................................................... 246

Script for Creating Necessary ODBC Tables ..................................................................................... 247

RADIUS and RSA Authentication ....................................................................................................... 249

RADIUS for User Authentication .................................................................................................. 249

How does RADIUS work with EFT Enterprise? ........................................................................... 250

How do I configure RADIUS in EFT Enterprise? ......................................................................... 250

Configuring RADIUS or RSA SecurID in EFT Enterprise ............................................................ 250

Supported Protocols ..................................................................................................................... 252

RSA SecurID Supported Features ............................................................................................... 252

Configuring RSA SecurID or RADIUS Support on an Existing Site ............................................. 252

Enabling or Disabling RSA Authentication via RADIUS .............................................................. 253


SMS PASSCODE® Integration with the EFT™ Platform ................................................................... 253

Installing and Configuring SMS PASSCODE® .................................................................................. 254

Site Configuration ...................................................................................................................................... 255

Creating a Site ............................................................................................................................. 256


Changing a Site's Root Folder ............................................................................................................ 265

Changing a Site's IP Address or Port ................................................................................................. 266

Changing the User Database Refresh Rate ....................................................................................... 268

Starting or Stopping a Site .................................................................................................................. 269

Viewing Site Statistics ........................................................................................................................ 270

Viewing Connections to a Site ............................................................................................................ 271

Viewing Transfers To and From a Site ............................................................................................... 272

Searching a Site ................................................................................................................................. 275

Deleting a Site .................................................................................................................................... 276

Enable and Configure EFT Workspaces ............................................................................................ 277

Settings Template Configuration ............................................................................................................... 279

Creating or Deleting Settings Templates ............................................................................................ 279

Inheritance .......................................................................................................................................... 281

Settings Template Home Folder ......................................................................................................... 281

Enabling or Disabling a Settings Template ........................................................................................ 281

User (Client) Account Configuration ......................................................................................................... 283

Creating a User Account .................................................................................................................... 283

Anonymous User Accounts ................................................................................................................ 288

Enabling or Disabling a User Account ................................................................................................ 288

Deleting a User Account ..................................................................................................................... 288

Expiring a User Account ..................................................................................................................... 289

Configuring User Account Details....................................................................................................... 289

Updating a User Account's E-Mail Address ........................................................................................ 290

Moving a User to a Different Settings Template ................................................................................. 291

Specifying a User's Home Folder ....................................................................................................... 291

Viewing a User's Home Folder ........................................................................................................... 292

Setting the Home Folder for AD-Authenticated Users........................................................................ 293

Users are Unable to Upload/Download in Home Directory ................................................................ 294

Setting a User Disk Quota .................................................................................................................. 295

Viewing User Statistics ....................................................................................................................... 295

Forcibly Logging a User Off of EFT (Kick User) ................................................................................. 296

Managing Multiple User Accounts ...................................................................................................... 297

Unlocking a User Account .................................................................................................................. 297

Specifying a User's Permission Group ............................................................................................... 298

Username Resend Message .............................................................................................................. 299

User Login Credentials Message ....................................................................................................... 300

Password Reset Messages ................................................................................................................ 301


Listener (Protocol) Settings ....................................................................................................................... 305

FTP ..................................................................................................................................................... 307

Configuring FTP/S ........................................................................................................................ 307

Encoding for FTP Transfers ......................................................................................................... 308

Specifying a PASV IP or PASV Port Range ................................................................................ 309

Allowing Site-to-Site Transfers (FXP) .......................................................................................... 309

Allowing Client Anti-Timeout Schemes (NOOP) .......................................................................... 310

Allowing Multipart Transfers (COMB Command) ......................................................................... 310

File Integrity Checking (XCRC) .................................................................................................... 312

Allowing the Mode Z Command ................................................................................................... 314

Connection Banner Message ....................................................................................................... 314

User Limit Reached Message ...................................................................................................... 315

Quit Session Message ................................................................................................................. 315

FTP Commands Supported by EFT ............................................................................................. 315

Value Returned by the FTP SYST Command ............................................................................. 318

EFT Support for EBCDIC ............................................................................................................. 319

SSL ..................................................................................................................................................... 319

SSL Overview .............................................................................................................................. 319

SSL Certificates ........................................................................................................................... 320

Explicit Versus Implicit SSL ......................................................................................................... 322

SSL Certificate-Based Login ........................................................................................................ 323

SSL Certificate Compatibility ....................................................................................................... 325

Creating SSL Certificates ............................................................................................................. 326

Enabling SSL on the Server ......................................................................................................... 329

Assigning a Certificate ................................................................................................................. 330

Using Ciphers for Inbound SSL Connections .............................................................................. 331

Signing a Certificate ..................................................................................................................... 332

Certificate Manager ...................................................................................................................... 334

Certificate Chaining ...................................................................................................................... 334

Importing a Certificate .................................................................................................................. 335

Exporting a Certificate .................................................................................................................. 336

Enabling FTPS and HTTPS (SSL) on the Site ............................................................................ 337

Configuring SSL for a Settings Template or User Account.......................................................... 338

Disabling SSL Connections ......................................................................................................... 339

Exporting a Certificate from PFX to PEM..................................................................................... 340

Using OpenSSL to Generate/Convert Keys and Certificates ...................................................... 341

SFTP (SSH) ........................................................................................................................................ 342

SFTP Key Support ....................................................................................................................... 342

SSH Key Formats ........................................................................................................................ 344

Configuring SFTP for a Site ......................................................................................................... 346

Configuring SFTP Authentication Options for a Settings Template or User Account .................. 347

Creating an SSH Key Pair............................................................................................................ 349

Specifying SFTP Algorithms ........................................................................................................ 351

Viewing or Modifying Message Authentication Codes (MAC) Settings ....................................... 351

Viewing, Importing, Renaming, and Deleting Client Keys ........................................................... 352

Modifying the SFTP Identification String (Optional) ..................................................................... 352

Extracting the Public SFTP Key ................................................................................................... 353

Using SFTP (SSH) with Radius/RSA SecurID ............................................................................. 353

Encoding for SFTP Transfers ...................................................................................................... 354

HTTP and HTTPS............................................................................................................................... 355

HTTP and HTTPS Overview ........................................................................................................ 355

Configuring HTTP or HTTPS Transfers ....................................................................................... 356

Redirecting HTTP to HTTPS ........................................................................................................ 357

Customizable HTTP Error Messages .......................................................................................... 359

Using WebDAV in EFT................................................................................................................. 359

Enabling the Account-Management Page .......................................................................................... 361

Enabling User Access to the Web Transfer Client ............................................................................. 362

Enabling and Using Web Service ....................................................................................................... 363

FIPS (Federal Information Processing Standard) .............................................................................. 366

FIPS-Certified Libraries ................................................................................................................ 366

Enabling FIPS Mode for SSL (HTTPS and FTPS) Connections ................................................. 367

Enabling FIPS Mode for SSH (SFTP) Connections ..................................................................... 368

FIPS Mode Event Messages ....................................................................................................... 368

Network Usage, Security Settings, Limits ................................................................................................. 373

Connection Limits Dialog Box ............................................................................................................. 373

Setting Maximum Transfer Speeds .................................................................................................... 373

Setting Maximum Concurrent Socket Connections ............................................................................ 374

Setting Maximum Concurrent Logins ................................................................................................. 375

Setting Maximum Connections per User ............................................................................................ 375

Setting Maximum Connections per IP Address .................................................................................. 376

Disconnecting Users on Timeout........................................................................................................ 377

Setting Maximum Transfers per Session ........................................................................................... 377

Setting Maximum Transfer Size ......................................................................................................... 378

Controlling Access to the Site by IP Address ..................................................................................... 378

Disconnecting Users after a Defined Number of Invalid Commands ................................................. 381

Flooding and Denial of Service Prevention ........................................................................................ 382

EFT's Auto-Ban System ............................................................................................................... 382

Password Security Settings ...................................................................................................................... 387

Allowing or Forcing Password Reset .................................................................................................. 387

Enforcing Complex Passwords ........................................................................................................... 388

Reminding Users when Password is About to Expire ........................................................................ 390

Banning an IP Address that Uses an Invalid Account ........................................................................ 391

Prohibiting Password Reuse .............................................................................................................. 392

Password Reuse Warnings .......................................................................................................... 392

Changing a User’s Password ............................................................................................................. 393

E-mailing Users' Login Credentials .................................................................................................... 394

Expiring Passwords for the User ........................................................................................................ 395

Changing an AD Password via the Java-Enabled Web Transfer Client ............................................ 396

AD Password Expiration ..................................................................................................................... 396

Generating a List of Expired User Accounts and Expiration Dates .................................................... 397

Determining the Expiration Date for a User Account (GetExpirationDate) .................................. 397

Example Script ............................................................................................................................. 398

Disabling or Locking Out an Account ................................................................................................. 399

Encrypting Passwords ........................................................................................................................ 400

Using Login Credentials in Event Rules ....................................................................................... 400

Account Security Settings ......................................................................................................................... 401

Automatically Creating a Home Folder for New Users (Site) ............................................................. 401

Deleting or Disabling Inactive User Accounts .................................................................................... 401

Data Security Settings ............................................................................................................................... 402

Banning Unwanted File Types ............................................................................................................ 402

Setting OpenPGP Security for the Site .............................................................................................. 403

Specifying File Deletion Options ......................................................................................................... 404

Permission Groups .................................................................................................................................... 407

Introduction to Permission Groups ..................................................................................................... 407

Lost Users in Permission Group .................................................................................................. 409

Creating Permission Groups .............................................................................................................. 409

Deleting Groups .................................................................................................................................. 409

Viewing Group Membership ............................................................................................................... 410

Adding or Removing Users to or from a Group .................................................................................. 410

Renaming a Group ............................................................................................................................. 411

Adding a User or Group to VFS Permissions ..................................................................................... 411

Virtual File System .................................................................................................................................... 413

Introduction to the Virtual File System (VFS) ..................................................................................... 413

How VFS Permissions Work .............................................................................................................. 414

Disabling Inheritance in the VFS ........................................................................................................ 416

Creating a New Physical Folder ......................................................................................................... 416

Renaming a Physical Folder ............................................................................................................... 417

Deleting a Physical Folder .................................................................................................................. 417

Creating a New Virtual Folder ............................................................................................................ 417

Renaming a Virtual Folder .................................................................................................................. 418

Deleting a Virtual Folder ..................................................................................................................... 418

Setting VFS Permissions .................................................................................................................... 419

Resetting VFS Folder Permissions..................................................................................................... 420

Mapping a Virtual Folder to a Network Drive ...................................................................................... 420

Streaming Repository Encryption ....................................................................................................... 421

Enable EFS Folder Icons ............................................................................................................. 422

Virtual Folders for Secure Ad Hoc Transfer Users ............................................................................. 423

Folder Locations for WTC Users ........................................................................................................ 423

Workspaces............................................................................................................................................... 425

Workspaces Overview ........................................................................................................................ 425

Licensing Workspaces ........................................................................................................................ 426

Enable and Configure EFT Workspaces ............................................................................................ 426

Workspaces Invitations ....................................................................................................................... 427

Workspaces Permissions ................................................................................................................... 428

Specify Custom Default Workspaces Sharing Permissions ........................................................ 429

Workspaces Notifications ................................................................................................................... 430

Managing Workspaces in the VFS ..................................................................................................... 432

Sharing Folders .................................................................................................................................. 433

Descriptions of Preconfigured Reports ........................................................................................ 437

Commands ................................................................................................................................................ 441

Introduction to Commands ................................................................................................................. 441

Creating a Command with the Custom Command Wizard ................................................................ 441

Editing a Command ............................................................................................................................ 445

Custom Command Example ............................................................................................................... 447

Creating the Command ................................................................................................................ 447

Executing the Command .............................................................................................................. 447

Viewing and Deleting Commands ...................................................................................................... 449

Enabling and Disabling Commands ................................................................................................... 450

Execute a Command (Run a Process) ........................................................................................ 450

Command Permissions ...................................................................................................................... 452

Connection Profiles ................................................................................................................................... 453

Introduction to Connection Profiles..................................................................................................... 453

Event Rules (Automation) ......................................................................................................................... 461

Introduction to Event Rules ................................................................................................................ 461

Event Rule Order of Execution ........................................................................................................... 463

Event Rule Sequence for Matching Event Rules ......................................................................... 464

Event Rule Sequence for Matching Timer or Folder Monitor Rules ............................................ 464

Event Rule Sequence for Matching Folder Monitor Rules ........................................................... 465

Order in which Actions are Executed ........................................................................................... 465

Example: Command Action Followed by OpenPGP Action ......................................................... 466

Defining Event Rules .......................................................................................................................... 467

Managing Event Rules ....................................................................................................................... 470

Event Rule Permissions ..................................................................................................................... 472

Event Rule Folders ............................................................................................................................. 474

Event Rules Change Log .................................................................................................................... 475

Exporting and Importing Event Rules ................................................................................................. 477

Variables ............................................................................................................................................. 479

How to Use the Variables............................................................................................................. 479

Connection Variables ................................................................................................................... 481

Event Variables ............................................................................................................................ 481

File System Variables .................................................................................................................. 482

Scheduler (Timer) Rule Variables ................................................................................................ 484

Server Variables ........................................................................................................................... 484

Site Variables ............................................................................................................................... 485

User Variables .............................................................................................................................. 485

AS2 Variables .............................................................................................................................. 487

Workspaces-Related Variables .................................................................................................... 487

Events (Triggers) and Examples ........................................................................................................ 488

Event Triggers .................................................................................................................................... 488

Operating System Events (available only in EFT Enterprise) ...................................................... 488

File System Events ...................................................................................................................... 488

Workspaces Events ..................................................................................................................... 489

Server Events ............................................................................................................................... 489

Site Events ................................................................................................................................... 489

User Events .................................................................................................................................. 489

Connection Events ....................................................................................................................... 490

AS2 Events (available only in EFT Enterprise) ............................................................................ 490

Scheduler (Timer) Event .............................................................................................................. 490

Folder Monitor Event .................................................................................................................... 493

File Uploaded Event ..................................................................................................................... 498

IP Added to Ban List Event .......................................................................................................... 499

Execute a Command (Run a Process) ........................................................................................ 500

Creating Workflows for Use in Event Rules ................................................................................. 501

Backing Up AWE Workflows ........................................................................................................ 504

Using a Command in an Event Rule to Copy Files ...................................................................... 504

Copying or Moving a File Triggered on Monitor Folder Event and Renamed ............................. 505

Copying Folder Structure When Offloading Files ........................................................................ 506

Routing Outbound Traffic through a Proxy .................................................................................. 506

Using a SOCKS Proxy Server ..................................................................................................... 507

Too Many Connections per Site ................................................................................................... 507

Moving an Uploaded File Based on Filename ............................................................................. 508

Applying a Rule to a Specific User or Group ............................................................................... 510

Generate Report Action ............................................................................................................... 511

AS2 Events .................................................................................................................................. 513

Workspaces Events ..................................................................................................................... 513

Conditions ........................................................................................................................................... 513

Using Conditions .......................................................................................................................... 513

Condition Placement .................................................................................................................... 514

Changing Condition Placement ................................................................................................... 515

Condition Evaluation .................................................................................................................... 516

Else Clauses ................................................................................................................................ 516

Logical Operators ......................................................................................................................... 517

Evaluating Expressions in Event Rules ....................................................................................... 518

Compound Conditional Statement ............................................................................................... 518

List of Conditions .......................................................................................................................... 519

Actions ................................................................................................................................................ 539

Adding an Action to an Event Rule .............................................................................................. 545

Execute a Command (Run a Process) ........................................................................................ 545

Execute Advanced Workflow Action ............................................................................................ 547

Send Notification E-Mail Action .................................................................................................... 547

Creating an E-mail Notification Template .................................................................................... 549

Transferring Files with Event Rules ............................................................................................. 550

Copy/Move (Push) File to Host Action ......................................................................................... 550

Download (Pull) File from Host Action ......................................................................................... 560

Smart Overwrite ........................................................................................................................... 567

Cleanup in Folder Action .............................................................................................................. 569

Sending Files to an AS2 Partner via Event Rules ....................................................................... 570

Backup Server Configuration Action ............................................................................................ 574

Stop Processing ........................................................................................................................... 575

OpenPGP Event Rule Action ....................................................................................................... 576

Using Wildcards with Event Rule Actions .................................................................................... 578

Using Login Credentials in Event Rules ....................................................................................... 579

Write to Windows Event Log (WEL) ............................................................................................. 580

Content Integrity Control Action ................................................................................................... 581

De/Compress Action ........................................................................................................................... 584

Invoke Web Service from URL Action ................................................................................................ 585

Perform Folder Operation Action ........................................................................................................ 592

Perform File Operation Action ................................................................................................................... 593

Client Log ............................................................................................................................................ 593

EFT Web Service ....................................................................................................................................

How EFT Supports Web Service .....................................................................................................

Web Service Timeout .......................................................................................................................

Executing Event Rules Using Web Service .....................................................................................

Using Web Services .........................................................................................................................

Changing the Number of Concurrent Threads Used by Event Rules ................................................ 600

SAT Event Rules ................................................................................................................................ 600

AdHocRunCommand Custom Command .................................................................................... 601

Using Ciphers for Outbound (Event Rule) SSL Connections ............................................................. 602

Event Rule Load Balancing ................................................................................................................ 603

Sending Files to an Antivirus or DLP Server ...................................................................................... 605

Transferring Files To and From EFT ......................................................................................................... 607

File-Naming Conventions ................................................................................................................... 608

End-User (Client) Login to EFT .......................................................................................................... 609

Form-Based Authentication versus Basic Authentication ............................................................ 610

Single-Click Authentication .......................................................................................................... 610

Integrated Windows Authentication for Single Sign On (SSO) .................................................... 610

Unicode File Transfers ....................................................................................................................... 612

Unicode FAQs .............................................................................................................................. 612

Configuring the Web Transfer Client in EFT ............................................................................................. 615

Enabling User Access to the Web Transfer Client ............................................................................. 615

WTC Versions ..................................................................................................................................... 615

Web Transfer Client Licensing ........................................................................................................... 617

Rebranding (Customizing) the Web Transfer Client ........................................................................... 617

Customizing the WTC (HTML5 version) ...................................................................................... 619


Session Status .................................................................................................................................... 621

Session Timeout ................................................................................................................................. 622

Editing the Number of Files Displayed ............................................................................................... 622

Changing an AD Password via the Java-Enabled Web Transfer Client ............................................ 622

"CRC failed - file locked" Status When Transferring a File with the Web Transfer Client .................. 623

Unsigned JAR Files ............................................................................................................................ 623

Terms and Conditions ........................................................................................................................ 623

Upgrading the Web Transfer Client (HTML5 version) ........................................................................ 624

Disabling "Update Your Browser" Prompts ........................................................................................ 625

Disable CRC ....................................................................................................................................... 626

Localization (Language) Settings ....................................................................................................... 626

Web Transfer Client (non-Java version) ................................................................................................... 629

Overview of the Web Transfer Client.................................................................................................. 629

Web Transfer Client Advanced vs. Basic ........................................................................................... 629

System Requirements for the Web Transfer Client ............................................................................ 630

Enabling JavaScript in the Browser .................................................................................................... 631

Checking Java Runtime Versions ................................................................................................ 631

Logging In to the WTC ........................................................................................................................ 632

Logging Out of the WTC ..................................................................................................................... 633

Automatic Log Out ....................................................................................................................... 633

WTC Logging ...................................................................................................................................... 633

Uploading Files and Folders ............................................................................................................... 635

Downloading Files .............................................................................................................................. 636

Canceling a Transfer .......................................................................................................................... 637

Clearing the Transfers pane ............................................................................................................... 637

Resuming Transfers ........................................................................................................................... 638

Filtering and Sorting the File Name Pane .......................................................................................... 638

Searching for Files .............................................................................................................................. 639

Error Messages and File Names ........................................................................................................ 640

WTC File-Naming Conventions ................................................................................................... 640


Creating Folders ................................................................................................................................. 640

Moving Files Between Folders ........................................................................................................... 641

Sharing Folders .................................................................................................................................. 641

Renaming a File.................................................................................................................................. 644

Changing Your Password ................................................................................................................... 645

Web Transfer Client Limitations ......................................................................................................... 645

Mobile Transfer Client (MTC) .................................................................................................................... 647

Mobile Transfer Client Introduction..................................................................................................... 647

Mobile Transfer Client Features ................................................................................................... 647

MTC System Requirements ............................................................................................................... 648

Mobile Transfer Client Licensing ........................................................................................................ 648

Enabling the Mobile Transfer Client ................................................................................................... 648

Configuring MTC Security .................................................................................................................. 649

Onboarding Mobile Transfer Client Users .......................................................................................... 651

Decommissioning Mobile Transfer Client Users ................................................................................ 651

Custom Branding of the Mobile Transfer Client Profile ...................................................................... 652

Obtaining the Mobile Transfer Client Apps ......................................................................................... 653

Mobile Transfer Client FAQ ................................................................................................................ 653

AS2 Module ............................................................................................................................................... 657

How EFT Supports AS2 ..................................................................................................................... 657

Installing and Activating the AS2 Module ........................................................................................... 659

Prerequisites for Using the AS2 Module ...................................................................................... 659

AS2 Authentication ............................................................................................................................. 659

Permutations of Valid Authentication Factors .............................................................................. 661

Configuring the AS2 Module ............................................................................................................... 662

Enabling the AS2 Inbound Listener Service ................................................................................ 662

AS2 Certificates ........................................................................................................................... 665

Configuring AS2 Partners ............................................................................................................ 666

Configuring AS2 Outbound Partners Using the Wizard ............................................................... 666

Configuring AS2 Inbound Partners Using the Wizard .................................................................. 677

AS2 Inbound Parameters ............................................................................................................. 686

AS2 Outbound (Sender) Parameters ........................................................................................... 689

Configuring an AS2 Outbound Proxy ........................................................................................... 693

Initiating AS2 Outbound Transactions ......................................................................................... 693

Moving Files Received from AS2 Partners .................................................................................. 694

Renaming Files Received from AS2 Partners ............................................................................. 694

AS2 Account Information Web Page ........................................................................................... 695


Specifying a Temporary Folder for AS2 Transfers ...................................................................... 696

Allowing AS2 Connections to a Site ............................................................................................. 696

Allowing AS2 Connections in the Settings Template or User Account ........................................ 697

AS2 Events, Conditions, Actions, and Variables ................................................................................ 697

Introduction to AS2 Events, Conditions, Actions, and Variables ................................................. 697

Sending Files to an AS2 Partner via Event Rules ....................................................................... 697

AS2 Transaction Auditing and Monitoring .......................................................................................... 702

Introduction to AS2 Transaction Auditing and Monitoring ............................................................ 702

AS2 Information in the Database ................................................................................................. 702

AS2 Transaction Reports ............................................................................................................. 703

Transfers - AS2 Status Viewer ..................................................................................................... 704

Resubmitting AS2 Transmissions ....................................................................................................... 706

AS2 Transaction Success and Failure Notification ...................................................................... 707

Testing the AS2 Outbound Connection .............................................................................................. 707

Troubleshooting AS2 Issues ............................................................................................................... 708

AS2 and the Auditing and Reporting Module ............................................................................... 709

AS2 Error Warnings and Prompts ...................................................................................................... 710

AS2 Configuration Errors ............................................................................................................. 710

AS2 Transfer Errors ..................................................................................................................... 710

Auditing and Reporting Module (ARM) ..................................................................................................... 713

Auditing and Reporting Module Interface ........................................................................................... 713

Installing and Configuring the Auditing and Reporting Module .......................................................... 714

EFT Database Utility .................................................................................................................... 716

DBUtility Command Line Parameters .......................................................................................... 717

Database User Account Privileges .............................................................................................. 721

Activating the Auditing and Reporting Module ............................................................................. 722

Upgrading the EFT Database ...................................................................................................... 722

Upgrading Large Databases ........................................................................................................ 727

Manually Creating the ARM Database in SQL Server ................................................................. 728

Manually Creating the ARM Database in Oracle ......................................................................... 733

ARM Schema ............................................................................................................................... 738

Auditing ............................................................................................................................................... 739

Audit Database Settings............................................................................................................... 739

Auditing Database Recovery ....................................................................................................... 740

How EFT Handles SQL Data ....................................................................................................... 740

Auditing Advanced Workflow Engine (AWE) Actions .................................................................. 741

Auditing Administrator Changes to the ARM Database ............................................................... 741


Purging Data from the Database ................................................................................................. 743

Result IDs ..................................................................................................................................... 745

Auditing Database Errors and Logging ........................................................................................ 747

Reporting ............................................................................................................................................ 747

Descriptions of Preconfigured Reports ........................................................................................ 747

Generating a Report ..................................................................................................................... 751

Using Report Filters ..................................................................................................................... 752

Defining Custom Reports ............................................................................................................. 754

Managing Reports ........................................................................................................................ 776

High Security Module (HSM)..................................................................................................................... 781

Features of the High Security Module .......................................................................................... 781

Payment Card Industry (PCI) Data Security Standard (DSS) ............................................................ 782

How EFT Addresses PCI DSS Requirements .................................................................................... 782

Compensating Controls................................................................................................................ 782

PCI DSS Requirements Addressed ............................................................................................. 783

Creating a High Security-Enabled Site ............................................................................................... 789

Warnings for PCI DSS Violations ....................................................................................................... 802

Security Auditing ................................................................................................................................. 803

Automating the PCI DSS Compliance Report ............................................................................. 804

PCI DSS Possible Compliance Report Outcomes ....................................................................... 804

Using the HSM with the Secure Ad Hoc Transfer (SAT) Module ....................................................... 805

Activating the HSM ............................................................................................................................. 805

OpenPGP Module ..................................................................................................................................... 807

Creating Key Pairs for OpenPGP ....................................................................................................... 808

The OpenPGP Keyring Manager ........................................................................................................ 811

Deleting Key Pairs for OpenPGP ....................................................................................................... 812

Importing and Exporting Key Pairs ..................................................................................................... 812

Viewing and Changing Key Pair Path Settings .................................................................................. 813

OpenPGP in Event Rules............................................................................................................. 814

API Reference ........................................................................................................................................... 815

Advanced Workflows ................................................................................................................................. 815

DMZ Gateway Module (DMZ), v3 ............................................................................................................. 815

Mail Express Module ................................................................................................................................. 815

Index .......................................................................................................................................................... 817


Introduction to EFT™ Managed File Transfer

More than just a managed file transfer (MFT) solution, Globalscape's Enhanced File Transfer™ (EFT™) goes beyond standard MFT: it lets you connect with any industry-standard file-transfer client through a robust security architecture that meets business and regulatory requirements, ensures that encrypted transactions occur only with the appropriate entities, and preserves data confidentiality and integrity during transport and storage. EFT's modular form makes it affordable by allowing you to purchase just the functionality you need; you can add advanced features as your business needs change.

EFT is offered in a small-to-medium business (SMB) edition and an Enterprise edition. EFT SMB edition is built on the same code as EFT Enterprise edition, with Enterprise-specific features disabled but still visible, so that you can see the features you might want to add later. During the trial period, all module features are available in both the SMB and Enterprise editions. Module features that require licensing and activation separate from the SMB edition are identified in the user interface and in this user guide.

EFT™ SMB and EFT Enterprise™ each provide the following features:

Data Protection and Encryption - EFT protects intellectual property, trade secrets, and customer files transferred over the Internet using secure protocols including FTPS (SSL/TLS), SFTP (SSH2), and HTTP/S (SSL).

Guaranteed Delivery and Data Integrity - EFT extends the industry-standard FTP protocol with strong reliability features, including post-transmission integrity verification, mid-file recovery, and automatic restart.

Tracking and Auditing - Secure data delivery requires strong audit trails for tracking and nonrepudiation. EFT provides industry-standard logging (W3C, NCSA, Microsoft IIS Extended), email notification of completed transactions, and digital certificates for proof of identity.

Programmatic Interface - EFT can be controlled through its administration interface or through its Component Object Model (COM) interface. The COM API is a programmatic interface that lets you control EFT from your own custom applications using any COM-enabled programming language.

Accelerated Transfers - EFT supports multi-part (segmented) transfers for faster delivery of large files over large geographical distances. Multi-part transfers require the use of compatible clients such as CuteFTP.

Life-Cycle Management - EFT helps you quickly and efficiently manage users, temporary accounts, and expired or compromised public-keys or certificates.

Authentication and Authorization - EFT supports password, public-key, or one-time-password authentication. User profiles can be managed internally or externally through NTLM, Active Directory (AD), or ODBC data sources.

User and Group Management - Manage system resources including bandwidth, folder access, file types, and more using granular or Site-wide controls provided for user and group management. Visually manage folder permissions via the Windows Explorer-like Virtual File System (VFS). Inherit or override permissions, grant administrative, guest, or anonymous permissions, or deny access altogether. Manage client connections with real-time monitoring and on-the-spot disconnection of users. Administrators can force users to reset their passwords upon initial login, require complex passwords, and automatically remove or disable inactive accounts.

Specify SSL ciphers and version levels - EFT provides administrators the ability to specify symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. EFT validates inbound SSL sessions and allows or denies connections based on specified or approved ciphers.


EFT Enterprise™ provides each of the features of EFT™ SMB, plus:

SFTP (SSH) and HTTPS modules are included

LDAP authentication functionality

SSL certificate-only authentication

Delegated administration for user-only, Site-only, or Server-only management

Auditing and Reporting Module support for Oracle database (with optional ARM module)

DMZ Gateway multi-site configuration (with optional DMZ Gateway)

The available modules include:

HTTPS (Included in the Enterprise edition) - The HTTPS add-on module allows you to set up a secure connection to anyone in minutes using any Web browser. The HTTPS module adds the HTTPS protocol to EFT, enabling you to support secure browser-based transfers without having to install a Web server. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol, which provides protection from eavesdroppers and man-in-the-middle attacks.

SFTP (Included in the Enterprise edition) - SFTP is a subset of the popular SSH protocol and is a platform-independent, secure transfer protocol. SFTP provides a single connection port for easy firewall navigation, password and public key authentication, and strong data encryption, to prevent login, data, and session information from being intercepted and/or modified in transit. The SFTP module enables EFT to authenticate and transfer data securely with SFTP-ready FTP clients, such as CuteFTP Professional.

AS2 (Available in EFT Enterprise only) - The AS2 (Applicability Statement 2) specification supports the exchange of structured business data securely on top of the HTTP or HTTP/S protocol.

Content Integrity Control - The Content Integrity Control module is integrated with EFT's Event Rule system to send files automatically to an antivirus or data loss prevention (DLP) server for processing. The Content Integrity Control Action uses profiles that contain the antivirus or DLP server connection information.

OpenPGP - EFT employs industry-standard OpenPGP (based on the open source implementation of Pretty Good Privacy) technology to safeguard data at rest. The OpenPGP data encryption or decryption process is directed by Event Rules that specify how data files are treated in a particular context. EFT uses OpenPGP to encrypt uploaded data and the off-load capabilities of EFT to move the file to another location.

High Security Module (HSM) - The High Security module (HSM) achieves or exceeds security practices mandated by PCI DSS, HIPAA, and Sarbanes-Oxley for data transfer, access, and storage. The HSM protects data in transit by enforcing the use of secure protocols, strong ciphers and encryption keys, and maintaining strict password policies. For a list of features in the HSM, refer to Features of the High Security Module.

Auditing and Reporting Module (ARM) - The Auditing and Reporting module captures all of the transactions passing through EFT. You can query the data and create/view reports from within EFT's administration interface. A new database is created when upgrading to version 6. (The SMB edition does not offer support for Oracle databases.)

Web Transfer Client (WTC) - The Web Transfer Client (WTC) can deploy automatically upon client connection to EFT and can be used by any trading partner using virtually any Web browser. (Limited to 5 concurrent users in the SMB edition.)

Mobile Transfer Client (MTC) - The Mobile Transfer Client (MTC) mobile application (app) provides a way for your iOS and Android phone and tablet users to securely connect to EFT and upload and download files while providing a number of centrally managed security controls for safeguarding your corporate data.


Advanced Workflow Engine (Available in EFT Enterprise only) - Similar to EFT's Commands, EFT's Advanced Workflows add additional automation capabilities, allowing you to add scripting and variables to Workflow Tasks, then add these reusable Workflows to Event Rules. A Workflow is a series of steps that can perform file transfers, batch data processing, application testing, and so on, and is defined to run automatically when started by some event.

DMZ Gateway - DMZ Gateway is used in combination with EFT to create a multi-tier security solution for data storage and retrieval. The DMZ Gateway resides at the edge of the network, brokering data between EFT residing behind your corporate firewall and your clients in the outside world. (Multiple-Site configuration is only available in Enterprise edition.)

Mail Express module - Mail Express allows you to send large email file attachments to recipients inside or outside of your organization quickly, reliably, and securely, while reducing the load on your mail server.

COM API - Using the COM API, you can interact directly with EFT from your own custom applications using any COM-enabled programming language such as Visual Basic (VB), Java, or C++. You can create a script with the development IDE of your choice.

Workspaces - Workspaces™ allows you to share folders and their files with internal and external users.

What's New?

Release notes (version history) for all versions of EFT are available in the installation folder and online at http://www.globalscape.com/support/eft-enterprise .

EFT Enterprise v7.2 includes the following changes.

• New Event Rule Actions:

  o Perform folder operation

  o Perform file operation

  o De/Compress file to/from target file

  o Invoke Web Service from URL

  o The Copy/Move (offload) Action now provides for pre- and post-commands.

• New Variables in Event Rules:

  o HTTP Query String

  o HTTP Headers List

  o Compressed File Physical Path

  o Compressed File Name

  o Compressed File Base Name

• New Context Variable Condition allows you to add context variables to Event Rules as Conditions.

• A builder for Connection Profiles that can be used in Event Rules

• The ability to export/import Event Rules

• The ability to organize Event Rules in Folders

• A new Event Rule Change Log to view a history of changes to Event Rules.

• A new "Event Rule Admin" administrator role with granular permissions

• Backup/Restore Wizard now provides cluster-shared and node-specific data restore options.

The Web Transfer Client (non-Java version) was updated with the following changes:

• Complete user interface redesign to enhance usability and aesthetics.

• All file and folder operations are now displayed in the new toolbar.

• Renamed the Joined Workspaces folder tree to Shared with Me to facilitate easier user recognition.

• Added support for navigating directories via the browser’s back and forward buttons.

• Added the ability to navigate directly to a specific directory via a link.

• Added support for viewing Workspace invitation status in the Edit Workspace Participants dialog.

• Added the ability to resend pending Workspace invitations from the Edit Workspace Participants dialog.

• Added an animation to the sharing banner upon initial Workspace creation to focus the user’s attention on the folder’s shared status.

• Added text in the Edit Workspace Participants dialog to convey the fact that no users are collaborating in the Workspace for shared folders in which all collaborators have been removed.

• Extra spaces included at the end of a username when copying and pasting the username into the login page username field are automatically removed to avoid login errors.

• Added German and Dutch translations.

• Added localization mechanisms to facilitate the custom addition of additional languages (including a drop-down language selector when multiple languages are specified).

• Added support for Web Content Accessibility Guidelines (WCAG) v1.1: "Provide text alternatives for any non-text content so that it can be changed into other forms people need, such as large print, braille, speech, symbols, or simpler language."

• Added a configuration file variable to disable CRC in the event that upload verifications are not required.

• Added configuration file variables to specify custom default Workspace sharing permissions for user-initiated folder sharing.

EFT™ SMB and Enterprise Feature Comparison

Globalscape EFT™ is available in a small-to-medium business Standard Edition and an Enterprise Edition. Each edition is built on the same foundation and offers similar core functionality to enable organizations to receive files from business partners or end users over a variety of Internet standard protocols, such as FTP/S, SFTP, and HTTP/S. Add-on modules are available to both products that extend auditing from simple flat-file logging to database-driven auditing and customizable reports; provide advanced security controls typically needed by organizations that must comply with security standards such as PCI DSS, HIPAA, or SOX; facilitate ad hoc provisioning of users; and provide a richer experience when transferring data over a web browser.

During the evaluation period, all functionality is enabled and visible in the EFT administration interface.

After the trial expires, the functions and modules that are enabled and visible depend on the license purchased. (EFT's Web Services interface, Oracle support, AWE, and AS2 are available only in the Enterprise edition.)

The tables below compare the features available in each edition. Certain features require the activation of one or more of the following modules, as indicated by one or more superscript numbers after "Optional."

For example, "Optional, 6,7" indicates that the feature requires the High Security module (6) and the Auditing and Reporting module (7).

1. SFTP module (included in EFT Enterprise)

2. HTTP/S module (included in EFT Enterprise)

3. OpenPGP Encryption/Decryption module

4. Mail Express ad hoc transfer

5. Web Transfer Client (requires HTTP/S module; the basic edition is limited to a maximum of 5 concurrent users)

6. High Security module (requires ARM to run PCI DSS reports)

7. Auditing and Reporting (ARM) (Oracle support available in EFT Enterprise only)

8. DMZ Gateway (outbound proxy support in EFT Enterprise only)

9. AS2 Module (available in EFT Enterprise only; requires ARM module)

10. Advanced Workflow Engine (AWE module) (available in EFT Enterprise only)

11. Business Activity Monitoring (BAM) dashboard

12. Mobile Transfer Client (MTC) module

13. Content Integrity Control (CIC) (available in EFT Enterprise only)

14. Workspaces

| Feature | SMB | Enterprise |
|---|---|---|
| Protocols (Inbound Listeners) | | |
| FTP/S (File Transfer Protocol / Secure) - still used for communications with legacy systems | Included | Included |
| SSL/TLS - secure FTP communications | Included | Included |
| SSL key manager - manage, import, export, and create SSL certificates | Included | Included |
| SSL Config - specify ciphers and versions allowed (SSL v2, v3, and TLS v1) | Included | Included |
| Checkpoint restart - resume interrupted transfers | Included | Included |
| Compression - inline compression of ASCII files | Included | Included |
| Acceleration - reduce transfer time over poor connections by allowing uploaded files to be split apart and transferred in multiple segments simultaneously | Included | Included |
| Verification - guarantee integrity by comparing checksums | Included | Included |
| Command blocking - prevent unwanted behavior | Included | Included |
| S-key OTP - one-time-password scheme for plain-text FTP | Included | Included |
| PASV port range - facilitate FTP connections behind network firewalls | Included | Included |
| EBCDIC - used for communicating with legacy systems | Included | Included |
| UTF-8 - transfer Unicode filenames over FTP | Included | Included |
| Session tools - real-time session monitoring | Included | Included |
| Customizable - modify various FTP banners to suit your specific needs | Included | Included |
| FIPS - FIPS 140-2 certified SSH cryptographic module | Optional, 6 | Included |
| SFTP (SSH2) - the secure alternative to FTP, especially for system-to-system transfers | Optional, 1 | Included |
| Key manager - manage, import, export, and create SSH key pairs | Optional, 1 | Included |
| Key types - OpenSSH and SSH.COM (SECSH format) supported | Optional, 1 | Included |
| Authentication - any combination of password and/or public key | Optional, 1 | Included |
| Strong ciphers - 256-bit Twofish, 256-bit AES CBC, and 256-bit AES CTR mode | Optional, 1 | Included |
| Configurable SSH-protoversion-softwareversion - lower attack footprint | Optional, 1 | Included |
| FIPS - FIPS 140-2 certified SSH cryptographic module | Optional, 1, 6 | Included |
| HTTP/S (Hyper Text Transfer Protocol / Secure) - ideal for interactive person-to-system transfers | Optional, 2 | Included |
| Customizable landing portal - login page can be branded | Optional, 2 | Included |
| Form-based auth - sessions are managed securely by the server | Optional, 2 | Included |
| Basic-auth - standard browser authentication (fallback auth mechanism) | Optional, 2 | Included |
| Session management in accordance with OWASP guidelines | Optional, 2 | Included |
| Password reset in accordance with OWASP guidelines | Optional, 2 | Included |
| Lost username retrieval in accordance with OWASP guidelines | Optional, 2 | Included |
| SSO - using Integrated Windows Authentication (IWA) | Optional, 2 | Included |
| HTTP->HTTPS auto-redirect - increased security through implicit redirection of non-secure connections | Optional, 2, 6 | Optional, 6 |
| Web client - optional Java applet adds a rich set of features compared to script-driven HTTP/S transfers | Optional, 2, 5 | Optional, 5 |
| Mobile client - provides secure, remote access to your EFT files through HTTPS | Optional, 2, 12 | Optional, 12 |
| AS2 (Applicability Statement 2) - used for transmission of EDI documents | N/A | Optional, 9 |
| Multi-directional - service inbound and initiate outbound AS2 transactions | N/A | Optional, 9 |
| Drummond certified - 3rd-party certified equals superior interoperability | N/A | Optional, 9 |
| Message Level Security (MLS) - certificate-based authentication | N/A | Optional, 9 |
| Reliability Profile - AS2 extension that increases interoperability | N/A | Optional, 9 |
| Multiple Attachments (MA) Profile - AS2 extension that facilitates multiple concurrent transactions | N/A | Optional, 9 |
| Authentication (Access Controls) | | |
| Native - (proprietary) authentication (EFT-managed authentication) | Included | Included |
| Active Directory (AD) authentication | Included | Included |
| ODBC - leverage any ODBC data source for user authentication | Included | Included |
| NTLM - authenticate local system accounts (choose "Windows AD Authentication" when creating the Site) | Included | Included |
| LDAP - authenticate against LDAP sources, including AD | N/A | Included |
| RADIUS - often used as a two-factor authentication source | N/A | Included |
| SMS authentication - two-factor authentication using a mobile device to receive a login code (must have SMS software such as SMS PASSCODE®) | N/A | Requires SMSPasscode® |
| RSA SecurID® - 3rd-party access manager that provides two-factor authentication | N/A | Requires RSA SecurID® |
| CAC - Common Access Card authentication | N/A | Optional, 6 |
| Authorization (Resource Controls) | | |
| AD Impersonation - leverage Active Directory ACLs | Included | Included |
| Permissions - set folder level permissions or inherit from parent | Included | Included |
| Permission groups - assign users to permission groups or templates | Included | Included |
| Virtual folders - map virtual to physical folders including network shares | Included | Included |
| Home folders - designate a home folder and optionally make it the user's root folder | Included | Included |
| Set limits - number of logins, connections, file sizes, transfer speeds, disk quotas | Included | Included |
| Security | | |
| Invalid passwords - controls to auto-lockout, disable, or ban IP | Included | Included |
| Invalid account names - controls to auto-ban offender IP | Included | Included |
| DoS detection - controls to temporarily or permanently ban suspect IPs | Included | Included |
| IP access rules - full featured IP access rule manager | Included | Included |
| Banned file types - prevent upload of unwanted file types | Included | Included |
| Monitor and kick offending users from the server | Included | Included |
| Password complexity - configure a large number of complexity options | Included | Included |
| Password reset - user-initiated or on initial login | Included | Included |
| Password reuse - disallow historical (previously used) passwords | Included | Included |
| Expire accounts - disable account on a given date | Included | Included |
| Expire inactive accounts - disable or remove account after N days of inactivity | Optional, 6 | Included |
| Expire passwords - expire passwords after N days | Optional, 6 | Optional, 6 |
| Expiration reminder - email user reminder to change their password | Optional, 6 | Optional, 6 |
| Data sanitization - securely clean deleted data using military grade wiping | Optional, 6 | Optional, 6 |
| EFS - encrypt data at rest using Windows' Streaming repository encryption (EFS) | Optional, 6 | Optional, 6 |
| PGP - use OpenPGP to encrypt, sign, and decrypt data | Optional, 3 | Optional, 3 |
| PCI DSS monitor - actively monitor and alert on violations | Optional, 6,7 | Optional, 6,7 |
| PCI DSS report - generate a compliance report with a single mouse click | Optional, 6,7 | Optional, 6,7 |
| PCI DSS compensating controls (CCs) - capture and report admin-provided CCs | Optional, 6,7 | Optional, 6,7 |
| PCI DSS setup wizard - walkthrough configuration with PCI DSS in mind | Optional, 6,7 | Optional, 6,7 |
| DMZ Gateway - securely proxy transfers through the DMZ | Optional, 8 | Optional, 8 |
| Administration | | |
| Silent installation - unattended setup | Included | Included |
| Administrator GUI - Windows based Graphical User Interface (GUI) | Included | Included |
| Remote administration - administer from other systems in the network | Included | Included |
| Secure remote administration - SSL encrypted administration communications | Included | Included |
| Multiple administrators - allow concurrent administration | Included | Included |
| Secure administration - same password complexity options available for admins | Included | Included |
| Flexible authentication - leverage native, NTLM, or AD to authenticate administrators | Optional, 6 | Optional, 6 |
| COM API - programmatic administration | Limited | Included |
| Delegated administration - role based administrator accounts with granular permissions | Server and Site admin only | Included |
| Backup and Restore - one-click backup and easy restore of entire configuration | N/A | Included |
| Batch account management - perform actions to multiple accounts simultaneously | N/A | Included |
| Forensics - audit and report on all administrator activity and changes | Optional, 6,7 | Optional, 6,7 |
| Auditing and Visibility | | |
| Logging - flat file log in W3C and other formats | Included | Included |
| Monitor inbound transfers in real time | Optional, 7 | Included |
| Audit to SQL - audit transactions to a SQL database | Optional, 7 | Optional, 7 |
| View reports - choose from pre-built or build your own | Optional, 7 | Optional, 7 |
| Audit to Oracle - audit transactions to an Oracle database | N/A | Optional, 7 |
| Monitor outbound transfers in real time | N/A | Included |
| Business Activity Monitoring (BAM) - real-time visibility, dashboarding, and analytics | N/A | Optional, 11 |
| Automation (Integration with Back End Systems) | | |
| React to stimuli - trigger workflows based on file uploads and other server events | Included | Included |
| Send email to users or administrators as part of a workflow | Included | Included |
| Execute a process including scripts as part of a workflow | Included | Included |
| Context variables - use transaction values inside of workflows | Included | Included |
| Hot folders - trigger workflows when files arrive in a monitored folder | N/A | Included |
| Scheduled events - trigger workflows on a recurring basis | N/A | Included |
| Web Services - trigger workflows using WS calls; Invoke Web Service from URL | N/A | Included |
| Conditional logic - build fine-grained business logic into workflows | N/A | Included |
| Clean up - securely clean target folders from within a workflow | N/A | Included |
| Offload and download - push or pull files to remote servers as part of a workflow | N/A | Included |
| Send pre- and post- commands to mainframe during copy/move actions | N/A | Included |
| Perform folder and file operations | N/A | Included |
| Integration with antivirus and DLP (Data Loss Prevention) tools to permit or prevent transfers based on policies | N/A | Optional, 13 |
| Compress/Decompress files | N/A | Included |
| Advanced workflows - tap into the Advanced Workflow Engine to build sophisticated workflows | N/A | Optional, 10 |
| Ad Hoc (person-to-person file transfer) | | |
| Ad hoc file transfer - secure file transfer available either via Outlook Add-in or web interface | Optional, 4 | Optional, 4 |
| Two-way file sharing - recipients provided with multiple methods to send files back | Optional, 4 | Optional, 4 |
| Receipt notification - email notification when files are picked up by the recipient | Optional, 4 | Optional, 4 |
| Pick-up authentication - recipients can be required to verify their identity before downloading files | Optional, 4 | Optional, 4 |
| Full file tracking - users and administrators can view complete history of files sent and received | Optional, 4 | Optional, 4 |
| Centralized policy controls - administrator can enforce varying levels of required usage policies | Optional, 4 | Optional, 4 |
| Active Directory authentication - authenticate internal users using AD | Optional, 4 | Optional, 4 |
| Integration with EFT - monitor all Mail Express file transfer activity from EFT | Optional, 4 | Optional, 4 |
| Complete customization - easily customize all Mail Express web interface | Optional, 4 | Optional, 4 |
| Share folders/files with others; invite others to share folders | Optional, 14 | Optional, 14 |
| Architecture | | |
| IPv6 - full dual stack (IPv4/6 mixed) support | Included | Included |
| Virtual - run on virtual machines, e.g. VMware and Hyper-V | Included | Included |
| Unicode - UTF-8 encoding of filenames and other fields where applicable | Included | Included |
| IDN - Internationalized domain name support | Included | Included |
| I/O Completion Ports - technology that allows for tremendous performance on Windows systems | Included | Included |
| Active-passive clustering - failover for high availability | N/A | Included |
| SaaS - managed and hosted versions available | N/A | Included |
| Logo certified - Windows Server 2008 and 2012 Logo Certified | N/A | Included |

System Requirements and Specifications

EFT's System Requirements and Specifications can be found in the Installing, Upgrading, and Activating section of this help documentation.

See also:

• Getting Started with EFT Administration for details of how this help documentation is organized

• Configuration and Security Best Practices for a printable configuration checklist and security best practices

Getting Started with EFT™ Administration

When you first install EFT, wizards step you through creating a Server object, creating a Site (the connection to EFT), and creating your first user.

Refer to the following topics to get started:

• For details of how to use this help file and the self-help resources available online, refer to Getting Help.

• For a detailed description of EFT, refer to Introduction to EFT.

• For details of what is new in this version of EFT, refer to What's New?

• For a detailed comparison of EFT SMB and EFT Enterprise, refer to EFT Feature Comparison.

To become familiar with EFT and its add-on modules, read each of the topics in this user guide, then follow the procedures in Installing, Upgrading, and Activating.

After release of the product, the online help may be updated as errors and omissions are identified.

To get help:

1. Search EFT's help file in the application first. Refer to Finding Information in the Help for tips on how to use the help file.

2. Use the Search box in the online help file, not at globalscape.com. When you search globalscape.com, you are searching across all Globalscape products, not just EFT.

3. Search the knowledgebase, http://kb.globalscape.com.

4. Search the user forum, http://forums.globalscape.com/tt.aspx?forumid=6.

5. If you still cannot find the answer to your question, contact Globalscape Technical Support. (Personal assistance is available to licensed users that have an existing, unexpired maintenance and support plan. To purchase or renew a Priority Support plan, call our support team at 1-210-366-3993.)

Getting Help

Refer to these topics for details of getting help in the application and online.

Where to Get Help

Finding Information in the Help

Using the Knowledgebase

Server License Information

For the most up-to-date information regarding this version of EFT and its modules; to view version history, updates, and activation instructions; and for other self-help resources, visit the Support Center .

After release of the product, the online help is updated as errors and omissions are identified; therefore, you should visit the Support Center when the help file in the application does not answer your question.

Finding Information in the Help

You can find information in the online/application Help in several ways. (This PDF is also searchable and contains working hyperlinks.)

• Hyperlinks

• Related Topics

• Using Contents, Index, Search, Favorites, Glossary, and Print:

Contents - Displays a logical organization of the help topics, similar to chapters in a book. Click a main heading (represented by a book icon) to display pages that link to topics, and click each sub heading (represented by a page icon) to display the corresponding topic in the right pane.

Index - Displays an alphabetical listing of all of the topics as well as numerous keywords.

Search - Allows you to locate words or phrases within the content of the topics. Type the word or phrase in the text box, press ENTER, then click the topic you want from the list of topics that appears. In the application's help, you can search using Boolean (OR, AND, and NOT) and wildcard expressions (*, ?). Wildcard searches are not available in Web Help. You can sort the search results by Rank, Title, or the Location column. The Location column displays the name of the helpset.

Favorites - (This option is only available in the application's help, not WebHelp.) Allows you to save a frequently viewed topic to the Favorites tab in the application's help. Click Add to add the topic you are viewing to the Favorites tab. To remove a topic, click the topic then click Remove.

To display a topic, double-click it or click the topic, and then click Display.

Glossary - Displays a list of words, short phrases, and their definitions. When you select a term from the Term list, its corresponding definition is displayed in Definition.

Print - Opens your computer's Print dialog box from which you can specify a printer to print the topic that is displayed in the right pane. In the application help, you have the option of printing the topic only, or the main heading topic and all subtopics in that heading. (Alternatively, see the procedure below.)

The following conventions are used in this user guide:

• boldface text: Boldface type in text refers to interface buttons, hyperlinks, and filenames/paths. Boldface type also serves as emphasis to set apart main ideas.

• italicized text: Italicized text applies to new terms introduced for the first time. Italicized text can also serve as emphasis for key concepts.

• monospaced text: Monospaced text denotes exact code, literal commands, and user input.

• Notes are "asides," tips, shortcuts, or alternative methods.

• Warnings highlight information that should not be ignored.

Searching the Help File or globalscape.com

When searching, try several different words for the same concept. For example, if you want help with using a script in an Event Rule, search for command, script, vb, batch, and so on. Also, we have attempted to provide intuitive names for the topic titles. The Contents and the Index contain the topic titles of every topic in the user guide. So, in this example, if you are looking for a procedure on how to create a command, look for the topic "Creating a Command."

Printing a Help Topic

To print a Help topic

1. Click Print Topic in the Navigation pane, or right-click in the topic (in the right pane), and then click Print. The Print dialog box for your operating system appears.

2. In the Print dialog box, click Print. The topic is printed to the specified printer.

Sharing Topic Links

In the online (HTML) help, the address bar displays the IP address (URL) of the help file, not the URL of the specific topic. If you right-click in the topic, and then click Properties, you can copy the URL of the topic. The URL displays only the topic, without the table of contents, which might be sufficient. The procedure below describes how to send a topic's URL with the table of contents displayed.

To copy a topic URL that includes the table of contents (Internet Explorer only)

1. Open the topic, then do one of the following:

• In Firefox, right-click in the frame, and then click This Frame > Open Frame in New Tab.

• In Safari, right-click in the frame, and then click Open Frame in New Tab.

• In Internet Explorer:

a. Right-click within the topic (the right frame), then click Properties to open the Properties dialog box.

b. Highlight the URL for the topic, right-click the selection, click Copy, and then close the Properties dialog box.

c. Right-click in the address bar of your browser, click Paste, and then press ENTER.

The topic displays, but not the table of contents (TOC).

2. To display the Contents pane, click Show. The URL will update in the address bar and the Contents pane will appear to the left of the topic.

3. Copy the URL from the address bar to paste into an e-mail or document.

Using the Knowledgebase

Globalscape's Knowledgebase (KB) provides various types of articles, such as HOW TO, FAQ, ERRMSG, FIX, and so on. Many articles are created after assisting customers with their specific configuration and troubleshooting issues.

• The Resources link provides links to online help and PDFs.

• The Search link opens a search utility.

• The Tags link lists all tags defined on all articles in the KB. You can click a tag to view articles that have been tagged with that keyword. (If there is a keyword that you think should be added to the tags, let us know in the comments of the articles!)

To search the KB

1. Open a web browser and go to http://kb.globalscape.com/

2. On the left side in the middle of the page, click Knowledgebase. A navigation tree and the latest articles list appear.

3. To view the latest articles just for EFT, click the EFT node.

The articles are sorted by Last Modified date. You can sort the list by Title or Last Modified date by clicking the column header. (With more than 300 articles in the EFT category, searching by title is not usually very efficient. Using the search feature would be more expedient.)

4. To search the KB, click the Search link at the top of the page or use the search box at the bottom of the page. When searching, try several different words for the same concept. For example, if you want help with using a script in an Event Rule, search for command, script, vb, batch, and so on.

If the keyword you are using for your search does not find the article you want, but you do eventually find the correct article, please add a comment to let us know that we should add that tag to the article to improve future searches.

Server License Information

When you contact Globalscape Customer Support for assistance, you might be asked to provide your license information. EFT License Information is displayed in the About dialog box. To avoid errors, you can copy and paste the license information into the e-mail that you send to Support. (Personal assistance is available to licensed users that have an existing, unexpired maintenance and support plan.)

You have to be logged in to the server to view or copy the license information.

To copy the license information to the clipboard

1. On the main menu, click Help > About Globalscape EFT. The About dialog box appears.

2. Click anywhere within the Server License Information box to select the text, and then click Copy. A message appears, stating that the registration information was copied to the clipboard.

3. Click OK. You can then paste that information into a text document or e-mail to send to support.

Installing, Upgrading, and Activating

These topics provide information regarding installing and activating EFT, and configuring EFT on your network.

Before you run the installer, review the Deployment Scenarios, System Requirements, EFT Specifications, and Configuration and Best Practices.

EFT Deployment Scenarios

You have several options for how you configure EFT in your network architecture. Some common (but not all) deployment scenarios are described below.

Traditional File Transfer Server Deployment

This is the least expensive deployment option but also the least secure. This scenario requires inbound ports to backend databases and directories for account authentication. Files deposited into the DMZ will reside there until picked up by back-end systems, resulting in delayed processing. Pushing (rather than polling for) files to back-end systems is also an option, but presents even more security problems.

Secure File Transfer Server Deployment

This scenario has a higher upfront cost, but vastly improves security. No inbound holes are required in the trusted zone firewall, because connections are only initiated by EFT Server to the DMZ Gateway proxy. The DMZ Gateway proxy effectively terminates inbound client connections at the gateway, transmitting only the payload of the connection over an independently established connection made by EFT to the gateway. This architecture is fully compliant with security mandates such as those imposed by the PCI DSS regarding where data is stored, since the tier where the FTP server resides is not physically accessible from external sources (because no inbound holes are required in the firewall in front of EFT Server). This architecture can also be used in reverse for transfers initiated by EFT Server, with all outgoing transactions brokered by the gateway over the same single outbound port used for EFT and DMZ Gateway communications. (Refer to the DMZ Gateway documentation for information.)

Advanced Deployment Scenario

Some organizations require further separation of roles between network zones. One way to accomplish this is to place EFT Server in its own subnet outside of the trusted zone. However, this creates the problem of where to write files and how to access data sources. A common solution is to open ports to each of those services in the next zone or, to reduce the number of ports and increase security, deploy an IPsec VPN tunnel into the next zone (as shown), or even into the trusted zone (not shown).

If none of these scenarios exactly meets your needs, Globalscape's Professional Services team can work with you to design a custom architecture.

EFT HA (Active-Active) Deployment

EFT Enterprise can be configured in an active-active cluster configuration, known as EFT High Availability (HA). In an HA deployment, two or more EFT boxes can be configured in an active-active cluster with a shared configuration. EFT acts as its own cluster manager and requires a network load balancer (NLB) to distribute incoming protocol traffic. EFT HA nodes process file transfers at the network level as the NLB directs traffic to them, and can process Folder Monitor and Timer Event Rules in a round-robin fashion (i.e., executing the event actions on the first node, then the second, and so on until it comes back to the first node in the list).

For true business continuity, you should have a minimum of three nodes, which allows you to bring down one node for maintenance without losing fault tolerance. The other two nodes can continue to process files while the inactive node is updated/repaired.

Consider the following facts when creating an HA cluster configuration:

• HA can only be installed as a new installation; upgrades from 6.4.x and 6.5.x to an HA installation are not allowed. A stand-alone server cannot be converted to an HA node.

• During backup/restore, you cannot back up in standby and restore in HA or vice versa. You can run restore on any node in the HA cluster. You can restore shared data, node-specific data (listening IP address, DMZ Gateway settings, registration), or both. When the restore process begins, other nodes stop with a -1 error. This triggers them to be restarted by Windows Service Manager, at which point those other nodes will wait for the restore operation to complete. Once the restore has completed on one of the nodes, the other nodes that had been waiting will proceed with loading the configuration. After the restore completes, the node that did the restore also restarts in the same way. Thus, all nodes in the cluster have restarted with the restored configuration up and running.

• The FTP.cfg file for the clustered EFT nodes and users' files must be stored on a network share (e.g., Samba, SAN). HA shared storage was tested with Samba v1.2.63 and Windows File Share (Windows 2008, 2012).

• The shared configuration file PATH cannot be changed unless you uninstall and then reinstall the node.

• HA nodes must listen on all IP addresses, rather than each listening on a specific IP address. Do not change the Listening IP address for an HA node. A registry setting can be defined to have a different IP address for each node. Refer to Knowledgebase article #11225 for details.

• Usr folders on an HA clustered Site are stored in the shared configuration path (e.g., \\x.x.x.x\inetpub\EFTRoot\mySite\Usr\username).

• On HA installations, the EFT server service is configured to restart upon failure on the Recovery tab of the service's properties. (Non-HA installations are configured to “take no action” upon failure.)

• Nodes should be brought online one at a time to avoid getting the nodes out of sync. A node can get out of sync 1) on administrator login, if the configuration in memory does not match the configuration file on the shared drive; or 2) when the node fails to receive a configuration change message. In either case, the EFT server service will restart and load the latest configuration.

• Only Globalscape authentication is allowed on EFT HA nodes in version 7.0.0. (Version 7.0.2 and later also allows AD and LDAP authentication.) However, you can configure Sites on non-HA nodes with other authentication to cooperate with the HA clustered Sites. For example, you could use an AD-authenticated Site on a non-HA node for domain user uploads and downloads, but use the Globalscape-authenticated Sites in the HA cluster for load balancing Event Rules that take place on the files transferred. The non-clustered AD Site would transfer files using the HA shared configuration path (e.g., \\x.x.x.x\inetpub\EFTRoot\mySite\Usr\username) as the site root folder, or using virtual folders; the Event Rule Actions would take place on the files on the Globalscape-authenticated Site. If you attempt to create a new Site on an HA node, in the User Authentication Provider Settings page of the Site Setup Wizard, Globalscape EFT Server Authentication is selected and no other options are available.

• To make an HA node a stand-alone server, you must uninstall EFT and then reinstall as a standalone server. Please contact Sales, Support, or Professional Services for assistance in migrating any existing non-HA deployments to a corresponding HA configuration.

• The ARM reports identify nodes based on computer name. If the node's computer name changes, ARM will see it as a new node and not associate it with the old computer name. ARM now installs an additional set of reports in a "High Availability" folder. These reports are a duplicate of the existing reports, except they report based on Node name.

• If you are using DMZ Gateway, each EFT must have its own DMZ Gateway; the DMZ Gateway cannot be shared among nodes.

• When configuring RSA in an HA environment, be sure to have the sdconf.rec file stored locally for each node. Each node MUST have its own copy of sdconf.rec.

EFT v7.2 User Guide

MSMQ:

To support the High Availability mode of operation, EFT depends upon the Microsoft Message Queuing (MSMQ) service. HA mode uses MSMQ to distribute messages among nodes in the cluster. Proper communication among nodes requires:

o Network adapters on all HA nodes that enable the Reliable Multicast Protocol (for the adapters that provide the route between EFT HA nodes).

o All nodes must be able to send and receive multicast messages, which requires that they be on the same LAN subnet.

o The L2 switch between the physical computers that host an EFT HA node (physically or virtually) must enable multicast traffic on the LAN segment between HA nodes. Typically, this means enabling IGMP snooping and an IGMP querier; however, complex deployments (including VPN or MPLS networks between nodes) might require packet encapsulation, such as GRE, to allow multicast packets to operate properly between nodes.

o Firewalls between HA nodes, and on the machines hosting EFT, must allow the MSMQ traffic (both multicast and unicast) to pass in and out of the computers. (Windows Firewall automatically enables the proper ports when the MSMQ feature is enabled.) For physical switches, be sure there are no packet filtering rules that prevent packets of IP protocol type 113 (PGM) from flowing between nodes.

The HA mode of operation for EFT v7 supports IPv6 addressing for inbound and outbound connections. Message queue addressing of nodes within the cluster is not supported on IPv6 addresses. Message queue addressing uses NetBIOS names, not IP addresses, and could be tied to IPv4 on the local LAN subnet that all nodes share.

When configuration changes are made to SSH, trusted SSL certificates, OpenPGP key materials, and AML files (Advanced Workflow Engine workflows), those files are cached locally and then synchronized safely to the network share via MSMQ. The other nodes then update their local cache from the central location. Thus, the central share always contains the current version of those files.
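The MSMQ prerequisites listed above can be verified on each node before it is joined to the cluster. The script below is an added example, not Globalscape code; it assumes Windows Server 2012 or later (for the Get-Net* cmdlets), an elevated prompt, and a placeholder EFT service name that you must replace with the real one.

```powershell
# Added example, not Globalscape code: pre-flight checks for the MSMQ/multicast
# prerequisites an EFT HA node needs (see the MSMQ facts above).
# Assumptions: Windows Server 2012 or later (Get-Net* cmdlets), elevated prompt,
# and a PLACEHOLDER EFT service name that you must replace with the real one.

$EftServiceName = 'EFT Server'    # placeholder, not taken from the manual

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. MSMQ server and multicast support must be installed on every node.
foreach ($f in (Get-WindowsFeature -Name 'MSMQ-Server', 'MSMQ-Multicasting')) {
    Add-Check "Windows feature $($f.Name)" $f.Installed "InstallState=$($f.InstallState)"
}

# 2. Reliable Multicast Protocol (PGM; binding component ms_rmcast) must be
#    enabled on the adapters that carry the route between HA nodes.
$rmcast = @(Get-NetAdapterBinding -ComponentID 'ms_rmcast' | Where-Object Enabled)
Add-Check 'Reliable Multicast Protocol bound to an adapter' ($rmcast.Count -gt 0) `
    (($rmcast | ForEach-Object Name) -join ', ')

# 3. Windows Firewall must allow PGM (IP protocol 113) between nodes. Enabling the
#    MSMQ feature normally creates these rules; verify rather than assume.
$pgmRules = @(Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -in @('113', 'PGM') })
Add-Check 'Firewall allow rule(s) for protocol 113 (PGM)' ($pgmRules.Count -gt 0) `
    (($pgmRules | ForEach-Object DisplayName | Sort-Object -Unique) -join '; ')

# 4. The Message Queuing service itself must be running.
$msmqSvc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
Add-Check 'MSMQ service running' ($null -ne $msmqSvc -and $msmqSvc.Status -eq 'Running') `
    "Status=$(if ($msmqSvc) { $msmqSvc.Status } else { 'not installed' })"

# 5. The manual says HA installs set the EFT service to restart on failure
#    (Recovery tab); sc.exe qfailure prints the configured failure actions.
$failure = (sc.exe qfailure "$EftServiceName" 2>&1 | Out-String)
Add-Check 'EFT service restarts on failure' ($failure -match 'RESTART') `
    (($failure -replace '\s+', ' ').Trim())

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A non-zero exit code means at least one prerequisite failed; the Detail column shows what was found so the node can be fixed before it is brought online.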

Event Rules:

Folder Sweep and archive should be enabled on load balanced Folder Monitor rules to clean up and notify on any events that occur when the primary Event Rule monitor goes down. It is possible to lose some events between when the primary goes down and the next node takes over.

The "Run On One of" feature in Event Rules currently only supports computer (NetBIOS) names.

Refer to Event Rule Load Balancing for more information about the "Run On One of" feature.

Do not start or provision a new node immediately after making changes to the Event Rule configuration. Give the system at least 30 seconds to process and synchronize the configuration changes.

When operating in HA mode, Timer and Folder Monitor Event Rules will execute on all of the nodes of the cluster unless you specify at least one High Availability node on which to operate.

In every HA cluster there will be a "Master" node that performs the Event Rule load balancing assignments.

o Any node may be master; if a master node goes offline, another node will take over as master. Whichever node declares master first becomes master. A node doesn't take over as master until at least one load-balanced Event Rule exists on the system. Prior to a load-balanced Event Rule's existence, all nodes will claim to be master. A master can go down if, for example, MSMQ is stopped, the network can no longer communicate with the master, or the EFT service goes down for some reason.

o Every 10 seconds each node broadcasts a heartbeat using the MSMQ system to communicate that it is alive and online. This serves two purposes: 1) it notifies the cluster that the master node is up; if the master goes down, another node resumes master responsibilities and broadcasts that it is now master; 2) it notifies the cluster that the node is online and should be included to handle load-balanced Event Rules.

COM API:

• The API was updated to include HA-specific calls.

• Only one node at a time is allowed to use the administration interface or COM connection. That is, you cannot administer more than one node at a time. (However, more than one administrator can administer the SAME node at the same time, just as in non-HA configurations.) Attempts to administer more than one HA node at a time will prompt an error on nodes other than the first.

General:

• For visibility into node status, enable cluster logging. Logging.cfg has new logging options specifically for HA.

Non-High Availability mode vs. High Availability mode EFT

Startup
  Non-HA mode: Searches for FTP.CFG's in different folders, tries FTP.BAK's to handle a broken configuration, etc. Always creates a "clean" configuration if no FTP.CFG/FTP.BAK is loaded.
  HA mode: Loads only <PATH>\FTP.CFG. Creates a "clean" configuration only if no FTP.CFG is present in the <PATH> folder. Fails to start if it cannot load the existing <PATH>\FTP.CFG.

Shutdown
  Non-HA mode: Updates FTP.CFG with the latest settings.
  HA mode: Does not update FTP.CFG.

Authentication managers
  Non-HA mode: GS, NTAD, ODBC, LDAP
  HA mode: Globalscape, NTAD, and LDAP

User database refresh
  Non-HA mode: Allowed
  HA mode: Not allowed

PCI cleanup (administrator/user remove/disable for inactivity and send Password Expiration Notifications)
  Non-HA mode: Nightly timer + every time the server deals with a user/administrator (user/administrator connection, exposing the user/administrator to GUI/COM, etc.)
  HA mode: Nightly timer

Client Expiration
  Non-HA mode: Every time the server deals with a user (user connection, exposing the user to GUI/COM, etc.)
  HA mode: Nightly timer

Turning off Autosave and using ApplyChanges via COM
  Non-HA mode: Allowed
  HA mode: Not allowed

GUI/COM connection
  Non-HA mode: Always allowed
  HA mode: Only one node at a time is allowed to serve a GUI/COM connection

Saving changes made by administrator to FTP.CFG
  Non-HA mode: Background task accumulating changes and saving settings
  HA mode: Always synchronously

Server restore from backup
  Non-HA mode: Allowed
  HA mode: Not allowed

Trial state
  Non-HA mode: FTP.CFG + registry (duplicated)
  HA mode: Registry

OTP passwords for clients
  Non-HA mode: Allowed
  HA mode: Not allowed

Legacy password hashes
  Non-HA mode: Allowed
  HA mode: Not allowed

User lock state
  Non-HA mode: Continues after service restart
  HA mode: Breaks after service restart

Invalid login history
  Non-HA mode: Continues after service restart
  HA mode: Resets on service restart


System Requirements

The Globalscape Quality Assurance (QA) team tested EFT SMB and EFT Enterprise with a variety of operating systems, software, and hardware. It is possible for EFT to function with other software and hardware than those listed below, but Globalscape only offers support for EFT with the software/hardware listed below.

EFT (Server Service) Requirements

• Operating systems:

• Windows Server 2012 R2, all editions

• Windows Server 2012

• Windows Server 2008 R2, all editions

• RAM:

Minimum: 2 GB free RAM

Recommended: 4 GB free RAM

High Performance: 4 GB free RAM + 4 GB (if AWE is extensively used)

• More RAM could be required for large file transfers over the AS2 protocol. AS2 transfers can use up to 40% of the Server's RAM.

• CPU:

Minimum: Dual-core CPU of at least 2.5GHz (for minimal processing/automation)

Recommended: Quad-core, at least 2.5 GHz (for moderate processing/automation)

High Performance: 8+ cores, at 2.5 GHz (for high amount of processing/automation)

• Microsoft .NET Framework 4.0 (all components, including AWE and AS2)

• Microsoft Windows Installer 4.5

• For HA (active-active) installations, Microsoft Message Queuing (MSMQ) must be installed (for multicasting).

• If accessing or monitoring Samba network shares, version 3.0.25 or later of Samba

• The EFT service must have full administrative rights to the folder in which you install EFT.

EFT Administration Interface Requirements

The administration interface must be installed on the same computer as EFT, but can also be installed on other computers for remote administration. (Refer to the ARM, AWE, and AS2 requirements below if you plan to use those modules remotely.)

• Windows 7, Windows 8.1, Windows Server 2008 R2 (Standard, Enterprise, and Datacenter editions), and Windows 2012 (requires GUI component).

• 1 GB of free RAM

• 1024x768 resolution or higher display

• Microsoft Windows Installer 4.5

• Microsoft .NET Framework 4.0


Auditing and Reporting Module (ARM) Requirements

• Microsoft® ActiveX Data Objects (ADO)

• Microsoft SQL Server 2008 R2 Native Client is installed automatically, regardless of whether SQL Server will be used (so that ADO will work with IPv6).

• 3 GB minimum hard drive space for the initial database size. Space requirements for transactions depend on estimated Event Rule activity, number of connections, and types of transactions. A general estimate is 3 MB to 5 MB per 1000 files uploaded.

• PDF-viewing software (such as Adobe Reader) to view PDF reports.

• Access to a SQL Server or an Oracle database.

• The installer includes SQL Server 2008 R2 Express for both 32- and 64-bit operating systems (intended for evaluation purposes only). For SQL Server system requirements, refer to http://www.microsoft.com/sqlserver/en/us/learning-center/resources.aspx. EFT is supported with the following SQL Server versions:

• SQL Server 2008 R2 Express

• SQL Server 2008 R2

• SQL Server 2012 (11.0.2100.60)

• SQL Server 2014 (12.0.2000.8)

• Oracle requires EFT Enterprise; refer to Oracle's documentation regarding Oracle system requirements. Be sure to reboot after you install the Oracle Data Access Components (ODAC). You need to use the 32-bit ODAC, even if EFT Enterprise is installed on a 64-bit operating system. EFT Enterprise is supported with the following Oracle versions:

• Oracle Database 12c Release 1: 12.1.0.2.0

• A good database maintenance plan is important to keeping space requirements to a minimum (aging/archiving/warehousing/truncating old data).

• For better database performance, follow the standard SQL/Oracle tuning guidelines in their user documentation. See also Purging Data from the Database.

• If you are using SQL Server 2008 Developer and Enterprise editions for your EFT database, refer to the MSDN article Creating Compressed Tables and Indexes .

• For ARM upgrades, Microsoft .NET Framework 4.0

AS2 Module Requirements

• More RAM could be required for large, non-EDI file transfers. AS2 transfers can use up to 40% of the Server's RAM for file transfers.

• Refer to Installing and Activating the AS2 Module for detailed prerequisites.

DMZ Gateway Requirements

Refer to the System Requirements in the DMZ Gateway documentation.

Web Transfer Client (WTC) Requirements

For information regarding system requirements for the Web Transfer Client, refer to Web Transfer Client .

Mobile Transfer Client (MTC) System Requirements

For information regarding system requirements for the Mobile Transfer Client, refer to MTC System Requirements.


Mail Express Requirements

The EFT installer is bundled with a compatible version of Mail Express. For example, EFT version 7.0 is compatible with Mail Express version 4.0.4; Mail Express version 4.0.4 is not compatible with previous versions of EFT. Compatibility depends on the COM API version in EFT. Mail Express must be using the same DLL. Please refer to the Mail Express system requirements for more information.

EFT Specifications

This topic is intended as a quick reference of EFT specifications. The information is provided in detail in the applicable procedures.

Item / Description

Server's Windows user account
  The EFT service runs under a user account, which must have full administrative rights to the folder in which you install EFT. With administrative rights, the service can save all of your settings. If the service does not have administrative rights, you will lose settings and user accounts whenever you restart the EFT service, and you will need to reset permissions on the computer on which the EFT service is running. If you are using Active Directory, there are other considerations regarding permissions.

Protocols allowed
  FTP/S (SSL/TLS), SFTP (SSH2), HTTP/S, and AS2 (certain protocols require optional modules and/or EFT Enterprise).

Authentication types
  Globalscape, AD/NTLM, LDAP, ODBC

Log formats
  W3C, Microsoft IIS, and NCSA

SSL Certificate Key lengths supported
  1024, 2048, 3072, and 4096 bits

Server-created SSL certificates
  X.509, base-64 standard DER encoded

Allowed OpenSSL ciphers for inbound transfers (HTTPS and FTPS)
  Refer to Using Ciphers for Inbound SSL Connections for details.

Allowed SSL versions
  EFT version 7.1.1 uses OpenSSL 1.0.2a; FIPS SSL is based on OpenSSL 1.0.2a-fips.
  EFT version 7.0.3 uses OpenSSL 0.9.8zc; FIPS SSL is based on OpenSSL 0.9.7m.

SFTP hashing algorithms supported
  MD2, MD4, MD5, Haval, RIPE-MD, SHA-1, SHA-Double, Tiger

OpenPGP version
  OpenPGP is a standard and has no version. EFT adheres to the OpenPGP standard and is RFC 2440 compliant.

FIPS
  EFT supports public key lengths for RSA in FIPS SSL from 1024 to 4096 bits. The FIPS library used by EFT is certified with DSA (1024 bits only) or RSA (1024, 2048, and 4096) keys.

PCI DSS
  EFT facilitates compliance with PCI DSS 2.0.

SFTP
  EFT supports SFTP versions 2, 3, 4, and 6. The outbound client defaults to version 4, and it is not configurable through the GUI, but can be configured in the registry. The EFT outbound client negotiates the SFTP version with the receiving server during session establishment. That is, if the receiving server only supports version 2, EFT Server will negotiate down and operate at version 2.

AS2 module
  EFT uses /n software's IP*Works EDI Engine, in compliance with RFC 4130. The maximum file size for AS2 transfers is 20 GB.


Maximum Capacity for EFT

Listed below are several EFT object types and the maximum number of each type (both theoretical maximum and tested maximum) that can be defined in EFT. Keep in mind that an excessive number of total objects displayed in the administration interface can affect the responsiveness of the interface.

EFT Object                                       Theoretical Maximum   Tested Maximum
Maximum number of Server Groups                  32,768                maximum not tested
Maximum number of Servers (EFTs)                 32,768                10
Maximum number of Sites                          2,147,483,647         40
Maximum number of Settings Templates             2,147,483,647         maximum not tested
Maximum number of users per Server               2,147,483,647         maximum is set per Site
Maximum number of users per Site                 2,147,483,647         150,000
Maximum number of users per Settings Template    2,147,483,647         maximum is set per Site
Maximum number of users per Permission Group     2,147,483,647         maximum is set per Site
Maximum number of administration accounts        2,147,483,647         1,000
Maximum number of Permissions (on VFS tab)       2,147,483,647         maximum not tested
Maximum number of VFS entries                    2,147,483,647         150,000
Maximum number of Permission Groups              2,147,483,647         maximum not tested
Maximum number of Folders                        2,147,483,647         See VFS entries maximum
Maximum number of Event Rules                    65,536                4,000 Folder Monitor Event Rules
Maximum number of Commands                       65,536                maximum not tested
Maximum number of AWE tasks                      65,536                maximum not tested
Maximum number of Custom Reports                 65,536                maximum not tested
Maximum number of pages in a report              2,500                 2,000
Maximum number of simultaneous connections       65,536                1,000

Note: Object type distribution for baseline and testing purposes was roughly 80% users, 10% Folder Monitor Event Rules, 5% other Event Rules, 2.5% AWE tasks, 2.5% other.

Configuration and Security Best Practices

Below is a collection of suggestions and guidelines for installing, configuring, and deploying EFT in a production environment, including best practices for security.

Development Lab Environment

As with any mission-critical software or hardware, it is recommended that a testing, validation, development, or usability lab be established to provide a "sandbox" into which EFT and DMZ Gateway Server software can be deployed. This initial deployment allows for validation of the interoperability with other dependent components as well as the validation of expected usage scenarios.

The lab environment should emulate (if not duplicate) the production environment at a network topography and application level. To do this, a clear vision of the production network and the proposed deployment of EFT and DMZ Gateway must exist. Typical deployments of EFT and DMZ Gateway consist of many other components from the enterprise, including Active Directory Server, SQL Server, SMTP Server, and a storage system such as a SAN. For DMZ Gateway, a firewall such as Microsoft ISA might be applicable. Finally, some deployments also include Clustering, in which case various components are replicated to provide clustered resources.

For increased business continuity and risk mitigation, you should use the development lab environment as the starting point for any configuration changes in the system. That is, make the change in development and validate it prior to making the change in production. A good testing tool is CuteFTP.


Configuration Checklist

The installation and configuration of EFT in either a lab or a production environment should be validated by EFT administrators/operators to ensure that the functions are working as expected. Use the checklist below to validate key items for an EFT and DMZ Gateway deployment. Print this topic to check off items as you test. Also refer to the section below this table for Security Best Practices.

Service

Make sure that the EFT Server service is started on the computer.

Make sure that the service is listening on the expected IP:PORT socket addresses on EFT. (To view the listening sockets, use "netstat -ona" from a command line or an application such as PrcView or TcpView.)

Check the Event Viewer log to ensure that there are no errors in the Application log related to EFT or DMZ Gateway.

Confirm that the administration interface shows the status of the system when it is launched and connected to EFT.
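The Service checks above (service state, listening sockets, Application log errors) can be scripted so they run identically in the lab and in production. This is an added example, not Globalscape code; it assumes Windows Server 2012 or later, and the service name and expected sockets are placeholders you must replace. The event sources it filters on ('EFT', 'EFT Enterprise', 'Globalscape') are the ones named under Event Log Alerting later in this topic; the DMZ Gateway event source is not given in the manual, so it is not covered.

```powershell
# Added example, not Globalscape code: automates the "Service" checklist items
# above (service running, expected listeners open, no EFT errors in the
# Application log). The event sources 'EFT', 'EFT Enterprise' and 'Globalscape'
# are those named in the Event Log Alerting guidance later in this topic.
# Assumptions: Windows Server 2012 or later; the service name and expected
# sockets below are PLACEHOLDERS to replace with your own values.

$EftServiceName   = 'EFT Server'                                  # placeholder
$ExpectedSockets  = @('0.0.0.0:21', '0.0.0.0:22', '0.0.0.0:443')  # constructed sample
$DefaultAdminPort = 1100      # the default the security checklist says not to use
$LookbackHours    = 24

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service state
$svc = Get-Service -Name $EftServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings.Add("Service '$EftServiceName' not found")
} elseif ($svc.Status -ne 'Running') {
    $findings.Add("Service '$EftServiceName' is $($svc.Status)")
}

# 2. Listening sockets (the PowerShell equivalent of 'netstat -ona' filtered to LISTENING)
$listeners = Get-NetTCPConnection -State Listen |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
foreach ($s in $ExpectedSockets) {
    if ($listeners -notcontains $s) { $findings.Add("Expected listener $s is not open") }
}
if ($listeners | Where-Object { $_ -like "*:$DefaultAdminPort" }) {
    $findings.Add("A listener is open on default administration port $DefaultAdminPort")
}

# 3. Error events from EFT in the Application log (Level 2 = Error)
$errors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = @('EFT', 'EFT Enterprise', 'Globalscape')
    Level        = 2
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue
foreach ($e in $errors) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings.Add(("[{0}] {1}: {2}" -f $e.TimeCreated, $e.ProviderName, $firstLine))
}

if ($findings.Count -eq 0) {
    'All Service checklist items passed.'
} else {
    $findings
    exit 1
}
```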

Server User Management

For each Site on EFT, ensure that the expected user accounts exist.

To ensure that authentication is working as expected, attempt to log in to EFT as a user account on the system (using any protocol).

To confirm that permissions for the user account are working as expected, attempt a file transfer.

Protocol/Network

For each protocol enabled on EFT, attempt a connection directly to EFT using a client that supports that protocol.

For each protocol enabled through DMZ Gateway, attempt a connection to the appropriate DMZ Gateway IP:PORT and confirm that this route works as expected.

Auditing/Logging

View the audit traces generated by the validation steps above.

Confirm that the Auditing and Reporting module database has been populated with appropriate data (using either the EFT Reporting interface or direct access to the SQL Server being used).

Confirm that the text log files generated by EFT have been populated with the appropriate data.

Event Rules/Workflow

Each customer has a unique set of Event Rule/workflow requirements, but these are the general validation steps.

Confirm the following are working as expected:

E-mail notifications. Test e-mail notifications by triggering an Event Rule that has an e-mail notification Action to confirm that Event Rules fire and that the SMTP configuration is correct.

PGP operations. Confirm that OpenPGP keys are configured properly.

Move/Copy/Download actions. Initiate Event Rules that perform remote file uploads, copies, or downloads to confirm that connectivity originating from EFT to a remote system is properly configured. In this step, also confirm that a log file is generated that audits outbound connection information (a "cl*.log" file in the designated Server Log File location).

Custom Commands. EFT is responsible for triggering those external commands, so that is what should be validated with respect to EFT. Any actions carried out by those external tools should be validated independently. Confirm that a "CMDOUT.LOG" file is generated as the result of an invoked Custom Command.

Folder Monitor Rules. Ensure that the Event Rules are properly enabled and responsive to files added to the folder being monitored.


Failover Testing

For failover cluster deployments, the failover and failback operations of the cluster should be confirmed. After a failover/failback, confirm that the newly active server behaves properly; that is, the failover is transparent and the configuration/operation is as expected. This can be summarized by the prior set of tests operating against the newly active node in the cluster.

Load Testing

If you expect high volumes of traffic or back-end processing within EFT, you should verify that the resource utilization levels on the Server are within acceptable tolerances. There are numerous load-testing tools available, ranging from simple batch files running command-line FTP to highly complex synthetic transaction generators. Globalscape's Quality Assurance team performs load testing of our servers as part of our standard validation process for releasing software.

Numerous other features can be validated within EFT. The above set represents the key elements that are most often used and are the most critical to successful operation in a production environment.

Security Best Practices Checklist

The following settings are recommended for increased security.

Administration Security

Create a specific AD account on which EFT’s service is to run with the minimum necessary permissions.

Create an Event Rule to back up the entire Server configuration to a separate drive at least daily.

Do not use any default administrator names (e.g., "admin").

Do not use the default administration port (1100).

Only turn on remote administration if necessary. If remote administration is needed, then ban all IPs except those trusted IPs necessary to access the server for administration.

Turn on SSL if using remote administration.

Create sub-administrator accounts with the least amount of privileges necessary for help desk or operational administrators.

Do not give sub-administrators access to COM or the ARM (report) module unless absolutely necessary.

If giving ARM (report) access to a sub-administrator, use the ReportsConnectionString registry override to define an alternate (least privileged) database connection string for database queries.

Set administrator passwords to expire every 90 days (or according to internal best practices/policies).

Set a complex security scheme for administrator passwords .

Lock out administrators for an extended period after multiple failed login attempts.

Run a PCI DSS report to detect any lax security configuration settings (either manually or on a schedule with an Event Rule).

Periodically check the Globalscape support site for the latest version and upgrade accordingly. One or more high-priority bug fixes or fixes for security vulnerabilities are often included.

User/Password Security

Expire accounts that are non-active for a specified period.

Set user passwords to expire every 60 or 90 days.

Define complex password security scheme for users.

Prohibit password reuse/history.


When using HTTP/S and/or SFTP protocols, require that the user reset their password upon initial use (requires KIA support by the SFTP client; the FTP/S protocol does not support password reset upon initial login).

Briefly lock out users after repeated failed logins.

Automatically ban IP addresses with repeated failed username attempts.

E-mail user login credentials separately, or only send the username and communicate the password via phone or other means (i.e., out-of-band delivery).

File System Security

Segregate users' folders. (Do not share folders/resources across users when possible.)

Restrict users to their home folders and set the home folder as ROOT for that user.

Use Settings Templates to inherit user permissions rather than modifying them for each user.

Use Groups to simplify control over user access to resources.

Limit resource permissions to the minimum necessary.

Specify a maximum disk space (quota) for each user (or Settings Template).

Auditing Security

Enable verbose logging (Log Type).

Rotate logs daily and encrypt+sign using an Event Rule.

Always use extended auditing (ARM).

Examine audit logs at least weekly for anomalous behavior.

Data Security

Encrypt data at rest using EFS encryption, OpenPGP, or 3rd-party encryption.

Keep data separate (DAS/SAN/NAS).

Define data recovery procedures in case of data corruption/loss/theft.

Scan uploaded files for viruses (3rd-party tool required).

Never store data in the DMZ, even temporarily. (Use DMZ Gateway instead.)

Create a legacy data clean-up rule according to your company policy.

Enable data wiping for sanitizing deleted data.

Add a banned file type rule and disallow all extensions except those required by the business.


Protocols Security

Be extremely selective when choosing which IPv4 or IPv6 addresses to bind to for a specific Site (listener).

Only bind to IPv6 addresses if your organization is aware of and mitigating against IPv6-specific attacks at the edge of your network.

If possible, allow only secure protocols (SSL, SSH, HTTPS, AS2).

Disable all unused services or features that may adversely affect security, including Web Services, any unused protocol listeners, and the use of username and password credentials in Event Rule context variables, if not needed by any Event Rule.

Always choose the strongest ciphers, hashes, and key lengths; however, to mitigate the BEAST exploit, move RC4 (a lesser-strength but non-CBC cipher) to the top of the SSL cipher priority list, followed by AES 256, then AES 128, etc.

Allow only TLS 1.0 if possible, and SSL 3 only if necessary, for Server-wide SSL Security settings. Do not enable Clear Command Channel (CCC) or unprotected data channel (PROT C).

Disallow site-to-site (FXP) support for FTP/S protocol listeners, and block client anti-timeout attempts.

Have your server's SSL certificate signed by a Certificate Authority (CA).

If possible, require that connecting clients provide a certificate proving their identity in addition to their authentication credentials.

Mask the server's identity by using generic banner messages .

Specify a maximum limit for connections and transfers for each user/template.

Enable EFT's Denial of Service settings, disconnecting and banning users that issue an excessive number of invalid commands (weighted over a given period) and permanently banning IP addresses that exceed the server's Flood/hammer value. Non-HTTP/S setups should set the Flood/hammer slider to Very High, rather than the default Medium setting.

Specify allowed IP address ranges for user/partner connections when possible, denying connections from all other IP addresses.

Prescriptive Guidance for Maintenance

The following are guidelines for maintaining the good health of an EFT and DMZ Gateway deployment, and reducing long-term costs of maintenance and operation.

Configuration Backup - For disaster recovery and business continuity, it is important to keep backups of the Server and DMZ Gateway configuration. Backing up the configuration can be accomplished with a variety of tools such as Symantec Backup Exec, Ghost / VMWare to make images of the system, Globalscape Continuous Data Protection (CDP), or even a simple script file.
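The "simple script file" option mentioned above, written out as an added example (not Globalscape code). It copies the folder holding FTP.CFG to a separate drive under a timestamped name, verifies each copy by SHA-256, keeps a hash manifest for later restore checks, and prunes old backups. Both paths are placeholders; it assumes PowerShell 4.0 or later for Get-FileHash, and it should run when no administrator is saving changes, because EFT itself rewrites FTP.CFG.

```powershell
# Added example, not Globalscape code: the "simple script file" variant of
# Configuration Backup described above. Copies the EFT configuration folder
# (FTP.CFG and whatever sits beside it) to a separate drive with a timestamp,
# verifies every copy by SHA-256, writes a hash manifest, and prunes old backups.
# Assumptions: PowerShell 4.0+ (Get-FileHash); both paths are PLACEHOLDERS;
# run it when administrators are not saving configuration changes, since EFT
# rewrites FTP.CFG itself.

param(
    [string]$ConfigPath    = 'C:\EFT\Config',    # placeholder: the folder holding FTP.CFG
    [string]$BackupRoot    = 'E:\EFTBackups',    # placeholder: a separate drive
    [int]   $RetentionDays = 30
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath (Join-Path $ConfigPath 'FTP.CFG'))) {
    throw "No FTP.CFG under '$ConfigPath'; check the configuration path."
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot "eft-config-$stamp"
New-Item -ItemType Directory -Path $target | Out-Null

# Copy the whole configuration folder tree.
Copy-Item -Path (Join-Path $ConfigPath '*') -Destination $target -Recurse -Force

# Verify: every source file must exist in the backup with an identical SHA-256.
$srcRoot    = (Get-Item -LiteralPath $ConfigPath).FullName.TrimEnd('\')
$mismatches = New-Object System.Collections.Generic.List[string]
foreach ($file in Get-ChildItem -LiteralPath $srcRoot -Recurse -File) {
    $rel  = $file.FullName.Substring($srcRoot.Length).TrimStart('\')
    $copy = Join-Path $target $rel
    if (-not (Test-Path -LiteralPath $copy)) { $mismatches.Add("$rel (missing)"); continue }
    $srcHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
    $dstHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $copy).Hash
    if ($srcHash -ne $dstHash) { $mismatches.Add("$rel (hash differs)") }
}
if ($mismatches.Count -gt 0) {
    throw ("Backup verification failed:`n" + ($mismatches -join "`n"))
}

# Keep a manifest beside the backup so a restore can be verified the same way.
Get-ChildItem -LiteralPath $target -Recurse -File |
    ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName } |
    Select-Object Hash, Path |
    Export-Csv -LiteralPath (Join-Path $BackupRoot "eft-config-$stamp.sha256.csv") -NoTypeInformation

# Prune backups (and manifests) older than the retention window.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem -LiteralPath $BackupRoot -Filter 'eft-config-*' |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Recurse -Force

"Backup written and verified: $target"
```

Schedule it at least daily, as the Security Best Practices Checklist recommends, and verify a restore from the backup folder in the lab before relying on it.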

Database Backup and Truncation - If you are using the Auditing and Reporting module (ARM), the database in which the audit records are stored should include the EFT ARM tables as part of the typical database maintenance plan. This includes proper monitoring of the tables and transaction logs, backing up the data, and having a retention policy to archive (or purge) old data.

Data Archival and Retention - You should put in place and enforce a policy by which old data is periodically archived and/or purged, because no disk is limitless and performance can degrade as more files are added to EFT. Therefore, a storage management policy should include regular inspection of available hard disk space and health (error count, fragmentation, etc.) as well as archiving and/or purging user data and Server Log Files (CMDOUT.log, found in the application folder, and all other logs found in the Log folder specified on the Server).


Restarting Services - Given the facility of the Microsoft Cluster in failing over and failing back while providing high resource availability, it is recommended that you design a maintenance schedule in which the EFT service is cycled at least once per quarter to once per month. Failing over to the backup node, restarting the service, then failing back and restarting the other node would suffice in re-establishing a baseline state of the EFT service to ensure optimal health.

Event Log Alerting - EFT will log error conditions to the standard Windows Event Viewer. It is recommended that the operations team for an enterprise include EFT error checks in their monitoring techniques, looking for an ERROR event generated with a source of "EFT," "EFT Enterprise," or "Globalscape."
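The event log check recommended above can be automated with Get-WinEvent. The script below is an added example, not part of the EFT product: it queries the Application log for events from the three sources named above at Error level (and, with a switch, Warning level too, which is the level at which module-expiry notices such as the DMZ Gateway one later in this chapter are written), appends each hit to an alert file, and exits non-zero so a scheduler or monitoring agent can treat the run as an alert. The log name, polling window and the file sink are assumptions; replace the sink with whatever forwards to your monitoring system.

```powershell
<#
  Added example (not part of the EFT product): poll the Windows event log for EFT errors.
  Assumptions: EFT writes to the Application log; the poll interval matches $LookbackMin;
  $AlertFile stands in for your NMS/SIEM forwarder.
#>
param(
    [string[]]$Providers   = @('EFT', 'EFT Enterprise', 'Globalscape'),  # sources named in the guidance
    [int]     $LookbackMin = 15,                                          # assumed polling interval
    [switch]  $IncludeWarnings,                                           # also collect Warning events
    [string]  $AlertFile   = 'C:\Monitoring\eft-alerts.log'               # assumed alert sink
)

$levels = @(2)                          # 2 = Error
if ($IncludeWarnings) { $levels += 3 }  # 3 = Warning

$filter = @{
    LogName      = 'Application'
    ProviderName = $Providers
    Level        = $levels
    StartTime    = (Get-Date).AddMinutes(-$LookbackMin)
}

# Get-WinEvent reports "No events were found" as an error when nothing matches; suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No EFT error events in the last $LookbackMin minutes."
    exit 0
}

$null = New-Item -ItemType Directory -Path (Split-Path $AlertFile) -Force
foreach ($e in ($events | Sort-Object TimeCreated)) {
    # One line per event: timestamp, level, source, event id, message collapsed to a single line.
    $line = '{0:u} {1,-8} {2,-15} id={3} {4}' -f $e.TimeCreated, $e.LevelDisplayName,
            $e.ProviderName, $e.Id, ($e.Message -replace '\s+', ' ')
    Add-Content -Path $AlertFile -Value $line
    Write-Host $line
}

# Non-zero exit code: the scheduler or monitoring agent treats this run as "alert raised".
exit 1
```

Schedule it at the same interval as the lookback window so consecutive runs cover the log without gaps or double-reporting.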

Procedure for Cold Standby Setup

Below are a few recommendations for achieving a backup server image that is ready to be turned on quickly and accept "real" traffic.

In all situations, if you are copying a configuration file from one system to another, care must be taken with hardware-specific resources, such as IP addresses, physical paths/partitions, and so on. If possible, it is recommended that the EFT configuration use the generic "All Incoming" IP Address for incoming socket connections so that differences in computer IP addresses do not prevent proper operation of the system if the Cold Standby comes online.

Furthermore, you must take care with the connections and IP-access restriction lists between EFT and DMZ Gateway. If DMZ Gateway is configured to allow only one EFT IP address to connect to it, then the Cold Standby server must have the same IP address to connect; alternately, the DMZ Gateway IP access list must include all possible IP addresses (possibly a Class C subnet) so that multiple servers from the approved network segment may connect.

Virtualization Software - A great solution from a cost- and resource-saving standpoint, virtualization software is also quite easy to manage due to the "software" nature of the solution.

The approach would be to create an image within a virtual system (using a tool such as VMWare or Microsoft Virtual PC) by installing and activating the EFT or DMZ Gateway software. Once this is done, the steps required to bring the system online include first copying the configuration files (which were backed up using a process described above), then bringing the virtual image online and starting the service.

System Backup Software - Another quick and easy option is to create a disk or system image of a configured EFT or DMZ Gateway (using a product such as Norton Ghost); when a Cold standby needs to be "stood up" and made hot, the image can be installed on a computer, backup configuration copied, and the service started.

Periodic Backup to Cold Standby Machine - If resources permit, the quickest way to get a "Cold" computer to become "Hot" is to have a computer dedicated to this function. It should have EFT and/or DMZ Gateway installed and activated, but the service should be stopped. A process to copy the configuration periodically from the "Hot" server to the "Cold" server would keep the two in synch, and if the "Hot" system goes down, the "Cold" system can simply start the service.

Server Configuration and Administration

Installing EFT, Administration Interface, and Modules

The EFT installer is used to install EFT and its modules: Auditing and Reporting Module (ARM), Advanced Workflow Engine, AS2 module, High Security module, OpenPGP module, and the Web Transfer Client, and each is available during the 30-day trial.

Important Pre-Installation Information:

Before installing the software, refer to System Requirements, and read the entire installation procedure below.

• If you are upgrading from a previous version of EFT, refer to Upgrading the Software.

• Install EFT before installing the Secure Ad Hoc Transfer (SAT) module. The SAT module setup references the EFT name/IP address, port, and username/password. EFT must have remote administration enabled if the SAT module is installed on a separate computer.

• After you have installed the system on a test computer and are now ready to move it to a production environment, refer to Backing Up or Restoring Server Configuration (Enterprise) or Copying Server Configuration to Several Computers if you want to keep the test environment's Server, Site, and user configuration settings. Otherwise, install as usual on the production system.

• If you are installing in a cluster configuration, refer to Installing or Upgrading the Server in a Cluster.

• If you are connecting to an existing database, ensure the database is installed and configured before starting the EFT installer. The installer will attempt to connect to the database. Or you can skip ARM installation and rerun the installer later in Modify mode. If you are using an Oracle database, ensure the ODAC client suitable for your database version is installed. For details of installing SQL Server 2008 R2, refer to the SQL Server Install pages on technet.microsoft.com.

• The installer does not support Unicode characters. Refer to Unicode Exceptions for details.

• The EFT installer includes the ARM database installation/upgrade. If you want to install/upgrade the database later, refer to Installing and Configuring the Auditing and Reporting Module, Upgrading the EFT Database, Upgrading Large Databases, and EFT Database Utility.

EFT has four different installers; each of them installs as a 32-bit application, even on a 64-bit OS. Silent installation is also available.

• eftserver.exe—EFT SMB with a SQL Express installer bundled

• eftserver-nodb.exe—EFT SMB without bundled database installer

• eftserver-ent.exe—EFT Enterprise with a SQL Express installer bundled

• eftserver-ent-nodb.exe—EFT Enterprise without bundled database installer

The EFT installer also provides the 32-bit Mail Express installer. Mail Express integration with EFT only works with the 32-bit version of Mail Express.

The installer verifies the following items before continuing:

• OS compatibility

• Is the user an admin?

• DMZ Gateway is not installed?

• .NET 4.0 Full installed?

• MSI 4.5 installed?

• MSMQ installed? (HA installations only)


To install EFT, administration interface, and all modules except for Mail Express, DMZ Gateway, and Secure Ad Hoc Transfer

1. Close all unnecessary applications so that the installer can update system files without rebooting the computer.

2. Start the installer, and then click Next. The Choose an installer page appears. (Illustrations below show EFT Enterprise installation; the procedure is the same for EFT (SMB) edition.)

3. Click the list and then, depending on which edition of EFT you downloaded, click Globalscape EFT or Globalscape EFT Enterprise.

4. Click Next. The installer will verify the prerequisites.

• If the prerequisites are not installed, you are asked to cancel so that you can install the prerequisites. For example, if you are missing the correct version of .NET Framework and have Internet access, you are redirected to the .NET download page after you click Cancel.

5. Click Next. After installation components are loaded, the Welcome page appears.


6. Read the Welcome page, and then click Next. The License Agreement page appears.

7. Read the license agreement, and then click I agree to accept it. The license agreement is also saved in the EFT installation folder as "license.txt" if you want to read or print it later. Clicking Cancel aborts the installation.

o If you are upgrading or reinstalling, the version detected page appears. Refer to Upgrading the Software for the procedure.

The Choose Components page appears.


When you install EFT, the EFT Admin Interface check box must also be selected. After you have installed EFT and the administration interface on one computer, you can install the administration interface on other computers for remote administration. (To install the administration interface on a remote computer, refer to Installing the Administration Interface Remotely.)

8. Click Next. The Installation type page appears.


9. Specify the installation type, and then click Next.

• Single server is the default installation type.

• To install EFT as part of a failover cluster, review the cluster documentation, and then click Part of a failover cluster. A message appears cautioning that it is important to read and understand the cluster documentation if you are installing EFT in a cluster. Refer to Installing or Upgrading the Server in a Cluster for the procedure for installing EFT in a cluster setup.

• To install EFT as part of a high availability cluster, refer to Installing or Upgrading the Server in a Cluster.

The Choose Install Location page appears.


10. The default installation location appears in the Destination Folder box. Leave the default or click Browse to specify a different folder, and then click Next. The Configuration File Location page appears. (The installer does not support Unicode characters in the path. Refer to Unicode Exceptions for details.)

11. Specify where you want to save EFT's configuration settings. For example, if you are installing in a cluster, you should specify a shared resource drive to synchronize settings across nodes. The EFT service must have permission to access the specified path. The default location is %systemroot%\ProgramData. (The installer does not support Unicode characters in the path. Refer to Unicode Exceptions for details.)

12. Click Next. The Choose Start Menu Folder page appears.


13. Keep the default shortcuts, specify an existing folder, or type a name for a new folder.

14. Click Next. The Administrator Account Configuration page appears.


15. Create a user name and password for the administrator account for connecting to EFT from the administration interface. Both the username and password are case sensitive. The installer does not support Unicode characters in the username or password.

The administrator account password cannot be blank, can be up to 99 characters, and cannot be any of the following keywords: password, admin, administrator, sa, or sysadmin. The administrator account password must also comply with the computer's Windows account password policy (local or domain policy) "Minimum password length" and "Password must meet complexity requirements" items. To view the policy, click Start > Run, then type secpol.msc. The Local Security Policy snap-in appears. Under Security Settings, expand Account Policies, and then click Password Policy. Right-click the policy, and then click Properties to view the details and to enable, edit, or disable the policy.
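Because the installer rejects a password that fails any of the rules above only after you have reached this page, it is convenient to check a candidate password beforehand. The PowerShell below is an added example, not part of the EFT installer: it reads "Minimum password length" and "Password must meet complexity requirements" from the local security policy with secedit (which needs an elevated prompt) and applies the installer's own rules (non-blank, at most 99 characters, not one of the listed keywords, no Unicode) plus the Windows complexity test (three of four character classes, and not containing the user name). On a domain member the effective policy can come from the domain rather than the local database, so compare the values it reports against secpol.msc; the user name passed in the usage line is a placeholder.

```powershell
<#
  Added example (not part of the EFT installer): pre-check an EFT administrator password.
  Assumptions: secedit /export reflects the policy that applies to this computer (confirm in
  secpol.msc on domain members); the keyword check is case-insensitive, which is the
  conservative reading of the installer's rule.
#>
function Get-LocalPasswordPolicy {
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    try {
        # The [System Access] section of the exported template carries both values.
        $null = secedit /export /cfg $inf /areas SECURITYPOLICY
        $text = Get-Content -Path $inf -Raw
        [pscustomobject]@{
            MinimumLength = [int]([regex]::Match($text, 'MinimumPasswordLength\s*=\s*(\d+)').Groups[1].Value)
            Complexity    = ([regex]::Match($text, 'PasswordComplexity\s*=\s*(\d+)').Groups[1].Value -eq '1')
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-EftAdminPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [int]   $MinimumLength = 0,
        [bool]  $Complexity = $false
    )
    $problems = @()
    $blocked  = 'password', 'admin', 'administrator', 'sa', 'sysadmin'   # keywords the installer rejects

    if ([string]::IsNullOrEmpty($Password))     { $problems += 'password is blank' }
    if ($Password.Length -gt 99)                { $problems += 'longer than 99 characters' }
    if ($blocked -contains $Password.ToLower()) { $problems += 'is a rejected keyword' }
    if ($Password -match '[^\x20-\x7E]')        { $problems += 'contains non-ASCII characters (installer does not support Unicode)' }
    if ($Password.Length -lt $MinimumLength)    { $problems += "shorter than the policy minimum ($MinimumLength)" }

    if ($Complexity) {
        # Windows complexity: at least three of the four character classes, and the
        # password must not contain the account name.
        $classCount = @('[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]') |
            Where-Object { $Password -cmatch $_ } |
            Measure-Object | Select-Object -ExpandProperty Count
        if ($classCount -lt 3) { $problems += 'fewer than 3 of 4 character classes (upper, lower, digit, symbol)' }
        if ($UserName -and $Password.ToLower().Contains($UserName.ToLower())) {
            $problems += 'contains the user name'
        }
    }

    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: read the candidate without echoing it, then test it against the live policy.
$policy = Get-LocalPasswordPolicy
$secure = Read-Host -AsSecureString 'Candidate EFT administrator password'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Test-EftAdminPassword -Password $plain -UserName 'eftadmin' -MinimumLength $policy.MinimumLength -Complexity $policy.Complexity
```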

16. Click Next. The ARM selection page appears.


• If you want to configure auditing and reporting, click Next.

• If you do not want to configure auditing and reporting, click Skip auditing and reporting configuration, and then click Next to skip the database configuration pages. You can still configure the database later, if you want. (Skip to step 18.)

• If you want to manually create the database later, click Skip auditing and reporting configuration, and then refer to Manually Creating the ARM Database in SQL Server or Manually Creating the ARM Database in Oracle when you're ready to create the database. (Skip to step 18.)

17. Specify the type of database to which EFT is to connect.

• If you click Use existing SQL Server, the upgrade or create new page appears.

a. Click Create a new EFT ARM database. The configuration page appears.

b. Specify Windows or SQL Authentication. (Windows mode allows you to connect through a Microsoft Windows NT or Windows 2000 user account. SQL allows you to connect using either Windows Authentication or SQL Server Authentication.)

c. Specify the host address or instance name.

d. Specify the database server SA or privileged user account name.

e. Specify the database server SA or privileged user account password.

f. (Optional) Click Next or Test to test the connection to the database. If the test fails, click Yes to verify database connection details or No to continue without configuring the database.


• If you click Use existing Oracle database (available in EFT Enterprise), the upgrade or create new page appears.

a. Click Create a new schema. The configuration page appears.

b. Specify the database host address and the EFT-specific schema name and database administrator credentials, and then click Test or Next to test the connection to the database. (If you have installed Oracle Database Express Edition (XE) for testing/demo purposes, the instance name is XE and the User Name is SYSTEM.)

o If the test fails, click Back to verify the configuration or click Next and then Next again to open the Oracle Technology Network download page and download the "Oracle Data Access Components for Windows" driver, if necessary.

c. After the test is successful, click Next. The ARM schema owner credentials page appears.

d. Specify/create the ARM schema owner credentials, then click Next.

• Click Install SQL Server 2008 R2 Express if you are installing on a test/demo system.

When you click Next, a message appears explaining that the EFT administrator account will be used as the SQL Server "sa" account. You will use these credentials for database diagnostics and maintenance. These credentials are required if you use the trial database with the Mail Express module. After you click OK, the database is installed.

18. After you've defined the database, the installer installs the options that you've selected, then the Installation Complete page appears.


19. Click Next. A page appears allowing you to start EFT, create a shortcut to the administration interface on the desktop, open the administration interface, and/or view the EFT version history.


Start the administration interface - If you do not want to open the interface, clear the check box. You can also open the interface from the Start menu.

Create a desktop shortcut - An administration interface shortcut is created on the desktop by default. If you do not want to create a shortcut, clear the check box.

Show version history - If you want to read the release notes, select the Show Version History check box. If you want to read it later, the file, notes.txt, is stored in the EFT installation directory.

Show installation log - If you want to review the installation log now, select the check box. If you want to review it later, it is stored in a temporary folder, C:\Program Files\GlobalSCAPE\EFT Enterprise (or EFT Server)\Installer.log.

Start the EFT Server Enterprise Service - Clear the check box if you do not want to start the Service yet. Select the check box if you want to start the service when you click Finish. The service is configured to start automatically when the computer starts. If you do not want the service to start automatically, you will have to configure it in Windows to start manually. The EFT service Log On Account is set to "Local System account."

20. Click Finish. If the administration interface check box was selected and the EFT service was started, the Login Wizard appears.


21. With This computer selected, click Next. (You must create a local connection first. Then later you can create remote connections, if you want.) The EFT Server Administrator Login page appears.


22. Click in the Authentication box and specify the type of authentication to use for this login. Future connections will default to the authentication type that you specify during this initial login, but you can choose a different type. Authentication types include:

EFT Authentication - Choose this option to log in with an EFT-specified administrator account, such as the one you created during installation.

Integrated Windows Authentication - Choose this option to log in with an Active Directory or local Windows account.

Windows NET logon - Choose this option to log in with a local Windows account.

23. In the Username and Password boxes, provide the login credentials that you created during installation, and then click Connect. The Welcome page appears. Since you have not yet activated the software, the "Free Trial" reminders appear. After you activate, you will not see the reminder prompt.

Next Steps:

• If you are evaluating the software or just do not want to activate yet, click Start Trial, then follow the prompts to Configure EFT.

• If you want to restore EFT configuration from a backup, refer to Backing Up or Restoring Server Configuration.

• If you want to install the Secure Ad Hoc Transfer (SAT) module, in the EFT administration interface, you should configure the Server, define at least one Site, and enable remote administration before installing the SAT module.

• If you have purchased a license, click Activate Now, then follow the procedures for activating the software.


DMZ Gateway, Mail Express, and the Secure Ad Hoc Transfer module are installed separately and also have a 30-day trial period. Refer to their documentation for details.

• Set Windows System Services (You do not have to activate the software before you do this. All features and modules are available during the 30-day trial.)

The EFT service runs under a user account, which must have full administrative rights to the folder in which you install EFT. With administrative rights, the EFT service can save all of your settings.

If the service does not have administrative rights, you will lose settings and user accounts whenever you restart the EFT service and you will need to reset permissions on the computer on which the EFT service is running.
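The permission requirement above is easy to break later, for example when a hardening pass changes the service's Log On account or tightens the ACL on the installation folder. The PowerShell below is an added example, not a Globalscape tool: it reads the account the EFT service logs on as, maps it to the identity that appears in folder ACLs (the built-in "Local System account" shows up as NT AUTHORITY\SYSTEM; a named account that belongs to the local Administrators group also inherits that group's rights), and reports whether Full Control is granted on the installation folder and the configuration data path. The service name and both paths are assumptions; take the name from services.msc and the paths from the choices made during installation.

```powershell
<#
  Added example (not a Globalscape tool): verify the EFT service account's folder rights.
  Assumptions: the service display name and the two default paths below; Get-LocalGroupMember
  is available (Windows 10 / Server 2016 and later).
#>
function Test-EftServicePermissions {
    param(
        [string]  $ServiceName = 'EFT Server Enterprise',   # assumed; verify in services.msc
        [string[]]$Paths = @(
            'C:\Program Files\Globalscape\EFT Server Enterprise',   # installation folder
            'C:\ProgramData\Globalscape\EFT Enterprise'             # configuration data path
        )
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName' OR DisplayName='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    # StartName is e.g. LocalSystem, NT AUTHORITY\NetworkService, DOMAIN\svc_eft or .\svc_eft;
    # normalise the ".\" form to COMPUTERNAME\ so it matches ACL entries and group membership.
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

    $identities = @($account)
    if ($account -eq 'LocalSystem') {
        $identities = @('NT AUTHORITY\SYSTEM')
    } elseif (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -eq $account }) {
        $identities += 'BUILTIN\Administrators'   # rights granted to the group apply to the member
    }

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            [pscustomobject]@{ Path = $p; LogOnAs = $account; FullControl = $false; Note = 'path not found' }
            continue
        }
        # Keep only Allow entries for one of our identities whose rights include every bit of FullControl.
        $grant = (Get-Acl -Path $p).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $identities -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        [pscustomobject]@{
            Path        = $p
            LogOnAs     = $account
            FullControl = [bool]$grant
            Note        = if ($grant) { 'granted to ' + (($grant.IdentityReference.Value | Select-Object -Unique) -join ', ') } else { 'no Full Control entry' }
        }
    }
}

Test-EftServicePermissions | Format-Table -AutoSize
```

A row with FullControl = False is the condition the paragraph above warns about: fix the ACL (or the Log On account) before restarting the service, because settings written while the account lacks rights are the ones that get lost.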

If you are using Microsoft IIS on the same computer as EFT, refer to Running EFT and Microsoft IIS on the Same Computer.


Installing the Administration Interface Remotely

When you install EFT, you also install the administration interface. After you have installed EFT and the administration interface on one computer, you can also install the administration interface on remote desktops. You do not need a separate license for each installation of the administration interface.

• The necessary DLL files are also installed and registered when you install the interface remotely, in case you plan to use the COM API remotely. Refer to Can you remotely administer EFT without the administration interface? for details.

• If you do NOT want to install the administration interface, but want to use the COM API remotely, refer to Can you remotely administer EFT without the administration interface? for details.

This procedure is for installing only the administration interface on a computer that is remote from EFT. To install EFT and the administration interface on the same computer, refer to Installing the Server, Interface, and Modules.

To install the administration interface remotely

1. Close all unnecessary applications so that the installer can update system files without rebooting the computer.

2. Start the installer, and then click Next. If this is a fresh installation, the Choose an installer page appears. (Illustrations below show EFT Enterprise installation; the procedure is the same for EFT SMB.)

3. Click the list and then click EFT SMB or EFT Enterprise.

4. Click Next. After installation components are loaded, the Welcome page appears.


5. Read the Welcome page, and then click Next. The License Agreement page appears.


6. Read the license agreement, and then click I agree to accept it. (Clicking Cancel aborts the installation.) The Choose Components page appears.


7. To install only the administration interface, clear the EFT Server check box, and then click Next. The Choose Install Location page appears.

8. The default installation location appears in the Destination Folder box. Leave the default or click Browse to specify a different folder, and then click Next. The Configuration data path page appears.


9. Leave the default or click Browse to specify a different folder, and then click Next. The Choose Start Menu Folder page appears.


10. Keep the default shortcuts, specify an existing folder, or type a name for a new folder, and then click Next. The administration interface installs.


11. When installation is complete, click Next.

• Leave the Start the administration interface check box selected so that you can configure a connection to the remote EFT next.

• If you want to create a desktop shortcut for the administration interface, leave the Create a desktop shortcut check box selected.

• If you want to review the version history in your default text editor, select the Show version history check box.

• If you want to display the installation log, select the Show installation log check box.

12. Click Finish. The administration interface appears and the EFT Server Administrator Login wizard appears.


13. Click A remote computer, then ensure the remote EFT's IP address appears in the drop-down list. If the remote EFT's IP address does not appear in the list, ensure you can connect to it from this computer and that remote administration is allowed on EFT. Otherwise, click New and configure the remote connection.


• In the Label box, provide a name for the EFT to which you want to connect. You can call it anything you want; it has nothing to do with EFT's computer name. This name will appear in logs and reports.

• In the Host address box, type the IP address of the EFT computer.

• In the Port box, type the port number used by EFT for remote connections.

14. Click Next. The EFT Administrator Login page appears.


15. Click the Authentication box and specify the type of authentication to use for this login. Future connections will default to the authentication type that you specify during this initial login, but you can choose a different type. Authentication types include:

EFT Authentication - Choose this option to log in with an EFT-specified administrator account.

Integrated Windows Authentication - Choose this option to log in with an Active Directory or local Windows account.

Windows NET logon - Choose this option to log in with a local Windows account.

16. In the Username and Password boxes, provide the login credentials that you created during installation, and then click Connect. The Welcome page appears.

• If connection was not successful, verify the IP address and port on which EFT listens for connections, that remote administration is enabled on the server, and that SSL is properly configured, if used, on EFT.

• If connection was successful, the remote Server appears in the tree.
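The three things to verify when the connection fails (address and port, remote administration enabled, SSL configured correctly) can be checked from the remote workstation before opening the administration interface. The function below is an added example, not part of the administration interface: it attempts a TCP connection to the EFT computer's remote administration port with a timeout, and, when SSL is enabled for remote administration, performs a TLS handshake as a client with normal certificate validation and reports the subject and expiry of the certificate EFT presented. The host address and port in the usage line are placeholders; use the values configured on the EFT computer.

```powershell
<#
  Added example (not part of the EFT administration interface): connectivity and TLS check
  for EFT remote administration. Host and port are placeholders supplied by the caller.
#>
function Test-EftAdminEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostAddress,   # the EFT computer's IP address or name
        [Parameter(Mandatory)][int]   $Port,          # EFT's remote administration port
        [switch]$Ssl,                                 # set when SSL is enabled for remote administration
        [int]   $TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostAddress; Port = $Port; TcpOpen = $false
        TlsOk = $null; Subject = $null; Expires = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a firewall that silently drops packets does not hang the check.
        $async = $client.BeginConnect($HostAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "connect timed out after $TimeoutMs ms (port closed, filtered, or remote administration not listening)"
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        if ($Ssl) {
            # Full validation: chain to a trusted root and name match, exactly as a careful client would.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostAddress)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsOk   = $true
            $result.Subject = $cert.Subject
            $result.Expires = $cert.NotAfter
            $ssl.Dispose()
        }
    } catch {
        $result.Error = $_.Exception.Message
        if ($Ssl -and $result.TcpOpen) { $result.TlsOk = $false }
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Usage with placeholder values: replace with the address and port configured on EFT.
Test-EftAdminEndpoint -HostAddress '192.0.2.10' -Port 1100 -Ssl | Format-List
```

TcpOpen = False points at the address, port, a firewall, or remote administration being disabled on the server. TcpOpen = True with TlsOk = False means the listener is up but the handshake failed; the Error text says whether the certificate chain, the name in the certificate, or the protocol was the problem, which is the setting to correct on the EFT side rather than something to bypass on the client.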


File Locations

EFT installs/stores its files in the following locations:

• Main program files are installed in:

o C:\Program Files\Globalscape\EFT Server or

o C:\Program Files\Globalscape\EFT Server Enterprise

• Application data. EFT stores its data in a hidden folder named %systemroot%\ProgramData. (To show it in Windows Explorer, click Tools > Folder Options > View tab, click Show hidden files and folders, and then click Apply.)

o C:\ProgramData\Globalscape\EFT or

o C:\ProgramData\Globalscape\EFT Enterprise

• EFT web files are stored in the following locations:

o Resource files used to create the Web pages are stored in \contrib\EFTClient

o Everything necessary for the Web site that is not contained in the resource folder is stored in \public\EFTClient

o Files used by Web Services are stored in \public\EFTClient\WebServices.

o When upgrading, previous files are backed up to web/backup/EFTClient

o Custom files are stored in \custom\EFTClient (empty by default). The EFTClient folder in this directory contains customizations that apply to all Sites on a server. To customize files for the Site, create a directory structure in the form [SiteName]/EFTClient/ in this folder. The Site folder should hold just those files that contain customizations for that Site.

The best practice is to have only customized files in this folder and to leave the original files as they were when installed in the \web\public\EFTClient folder. WTC and PTC files can be modified independently.

• The WTC user folders and files are stored:

o On non-HA installations, on the EFT computer (e.g., C:\InetPub\EFTRoot\MyGSSite\Usr\).

o On HA installations, in the shared HA configuration location (e.g., <NAS_drive>\<HA config folder>\InetPub\EFTRoot\MyGSSite\Usr\).

Activating the Software (EFT and Add-On Modules)

When the trial period has expired, all remote connections are disallowed. The Continue Trial button changes to Developer Mode and remains in this state until EFT is activated or uninstalled. To allow you to continue evaluating EFT functionality after trial expiration, EFT blocks all incoming client IP addresses other than the localhost from connecting to EFT, either as an administrator or as a client (using FTP/S, SFTP, or HTTP/S protocols). All outgoing (offload/download) requests from EFT's Event Rules are also blocked to any IP address other than localhost. Therefore, when the trial period is over, no external IP addresses can connect to EFT, nor can EFT connect to any external IP addresses.

You must activate the software with a serial number. Each module is available during the EFT trial and must be activated separately.


When the trial period ends for modules for which you did not purchase a license, an informational error appears in the Windows Event Log to indicate that the module has expired. If the 30-day trial is not sufficient, you may be eligible to extend your trial. Contact your Globalscape account representative for more information.

To activate online, you must be connected to the Internet, and activation must be performed through the administration interface on the EFT computer. You cannot activate through a remote installation of the administration interface.

You can also e-mail the manual activation information to Globalscape Technical Support. Globalscape will confirm your activation and send you a .reg file. You can send the e-mail from any computer with Internet access, and then transfer the .reg file to the computer on which you are installing the software.

• If you are moving an EFT from one computer to another, contact the Globalscape customer service team or your account manager so that we can adjust your account on our activation server. Activation on the new computer will not be possible until the adjustment is made.

• If you are upgrading EFT residing in a clustered environment, refer to Installing EFT in a Cluster and contact Globalscape technical support for assistance, if necessary.

• If EFT is installed on Windows 2003, log in to EFT as a user with an account having administrator privileges instead of "Local System" privileges to write the .reg file to the registry.

To activate EFT and/or add-on modules via the Internet

1. Start the administration interface and provide your EFT administrator credentials (created at installation). The Welcome message appears.

2. Click Enter Serial Number. The Registration Wizard appears.

3. On the main menu click Help, and then click the product you want to activate.

Activate EFT (or EFT Enterprise)

Activate Web Transfer Client

Activate HTTP/S Module (Necessary in EFT SMB only)

Activate Mobile Transfer Client

Activate High Security Module

Activate Content Integrity Control Module (Available in EFT Enterprise only)

Activate AWE Module (Available in EFT Enterprise only)

Activate Auditing & Reporting Module

Activate SFTP Module (Necessary in EFT SMB only)

Activate OpenPGP Module

Activate AS2 Module (Available in EFT Enterprise only)

Activate DMZ Gateway Module (For information regarding DMZ Gateway activation, refer to Activating DMZ Gateway.)

Activate Workspaces Module

After you activate a product, the "Activate" text for that product on the Help menu is dimmed/unavailable, with the exception of the Web Transfer Client (WTC). Leaving Activate Web Transfer Client available allows you to enter a new serial number if you first activate the WTC with a 5-seat license, then later purchase a license for more seats.

The Registration Wizard appears. (A portion of the wizard for EFT Enterprise is shown below, but the process is the same for each of the modules.)


4. In the Serial Number box, provide your serial number, and then click Next. The Personal details page appears.

5. In the Name box, provide your name and/or your company name, and then click Next. Only the Name box of personal details is required; all others are optional. Your information is used for account verification for support, upgrades, and so on, so the more information you provide here, the easier it is to locate your account.

If a firewall or a proxy server is in use, your network administrator should ensure that outbound port 80 is open during the registration process.

6. You should receive a message confirming online activation. Click OK. Activation is complete. (If registration fails, try entering your serial number again or you might need to configure an HTTP proxy.)

If you have problems with online registration, visit Globalscape Customer Support, at http://www.globalscape.com/support/customerservice.aspx.

Activating DMZ Gateway® in EFT™

After the 30-day trial has expired, you must activate DMZ Gateway by activating the serial number in EFT.

To activate online, you must be connected to the Internet, and registration must be performed through the EFT administration interface on the EFT computer. You cannot activate through a remote installation.

Refer to Activating EFT and Modules for details.


DMZ Gateway and EFT Trial and Activation Interaction

• When both EFT and DMZ Gateway are in trial mode, all DMZ Gateway features are enabled.

• If the EFT trial period expires (has not been activated) and the DMZ Gateway module has not been activated, EFT will:

o Halt all outbound Peer Notification Channel (PNC) communication to the DMZ Gateway.

o Disable all controls on EFT's DMZ Gateway configuration pages.

o Disable the Use EFT Server's DMZ Gateway as the proxy check box in the Event Rule Copy/Move or Download Action wizards' Proxy Settings dialog box, which will cause any Event Rule to fail that uses DMZ Gateway as an outbound proxy.

o Hide the Perimeter Network Security page of the Site Setup wizard in EFT.

o Write a warning to the Windows Event Log: "EFT Server's DMZ Gateway module evaluation period has expired."

• If EFT is activated, but DMZ Gateway is in trial mode, the DMZ Gateway is fully functional until the DMZ Gateway trial expires. Once DMZ Gateway expires, all functionality and controls in EFT are disabled (unless you activate DMZ Gateway).

• If DMZ Gateway is activated using a single-Site serial number:

o EFT allows only one DMZ Gateway site to be enabled.

o If more than one DMZ Gateway node was enabled prior to activation, all but one node will be disabled, the PNC of each of the disabled Sites is disconnected, and an error is written to the Windows Event Log: "EFT - One or more DMZ Gateway connections were disabled due to licensing restrictions. Make sure your DMZ Gateway module license matches the number of DMZ Gateway 'Sites' enabled. Contact your Globalscape account representative for further assistance."

o EFT's COM engine will return an error if you attempt to start a DMZ Gateway when one is already enabled.

• If DMZ Gateway is activated using a multiple-Site serial number:

o EFT allows up to 15 DMZ Gateways to be enabled (one per EFT Site).

Release Notes/Version History

Release notes/version history for EFT are available in the installation directory (by default, C:\Program Files\Globalscape\EFT\notes.txt).

• Version history for EFT is available online at http://www.globalscape.com/eft/history.aspx

. (The

notes.txt file is available in the installation directory.)

• Version history for Secure FTP Server is available online at http://www.globalscape.com/gsftps/history.aspx

.

Please visit our Knowledge Base for updates and self-help support: http://kb.globalscape.com

.

Modifying or Repairing the Installation

After you have installed EFT, you might later want to install other features, such as the administration interface or the Auditing and Reporting module. Or, if you accidentally deleted or edited necessary program files, you can repair the installation.


Server Configuration and Administration

To modify or repair the software

1. Launch the installer. The installer will detect an existing installation.

2. Do one of the following:

• To upgrade the existing installation, click Repair. (Repair overwrites changed files and reinstalls missing files.)

• To install or uninstall specific components, click Modify. (Modify installs selected components; removes unselected components.)

• To install a fresh installation, including a new configuration file, click New Install.

3. Click Next and follow the instructions in the wizard. Refer to Installing EFT, Administrator, and Modules, if necessary.

4. If you chose Modify in step 2, on the Components page, select the check boxes of components you want to install and clear the check boxes of components you want to remove. If you clear the check box of an installed component, it will be uninstalled!


EFT v7.2 User Guide

5. When the wizard is finished, restart the Server services.

The EFT service Log On as account will be set to Local System account by default. You can edit this in the service's Properties dialog box, on the Log on tab. (Start > Run > services.msc.)

Repair/modify activities are logged in the installer log file (e.g., C:\Program Files\GlobalSCAPE\EFT Enterprise). If you need additional information or help, visit Globalscape's Support Center at http://www.globalscape.com/support.

Uninstalling the Software

Uninstalling EFT removes everything installed in the Program Files/Globalscape folder. It does not uninstall configuration files, Oracle or SQL Server tables, Reports, or Backup files in C:\ProgramData\Globalscape\EFT Enterprise.

When you are upgrading from EFT 5 to EFT 6 or from Secure FTP Server 3 to EFT 6, uninstalling is not necessary.

To remove EFT

1. Click Start > Programs > Globalscape > EFT (or EFT Server Enterprise) > Uninstall EFT (or EFT Enterprise). The Uninstall wizard appears.

2. Click Uninstall. The uninstalling progress page appears.

3. After the program files are removed, the Uninstallation Complete page appears. Your license information remains in the Windows Registry, in case you decide to reinstall. Click Close.

Windows Account for the EFT Service

The EFT service must have full administrative rights to the folder in which you install EFT and to the location in which the users' home folders are stored. The EFT service must also have administrative rights to map a virtual folder to a network drive. With administrative rights, the service can save all of your settings. If the service does not have administrative rights, you will lose settings and user accounts whenever you restart the EFT service, and you will need to reset permissions on the computer on which the EFT service is running. After it is installed, EFT has access to local folders and files. To run EFT as a service with permissions to the network and mapped drives, you must create an NT account, assign the EFT service to the account, and log EFT on as a service. Security policies should allow user accounts to log in locally.

Refer to Local Security Policy Setting when Using Active Directory Authentication for more information about configuring EFT on an AD network. Consult with your AD network administrator for assistance, if necessary.

After you have installed EFT, created a Windows account for EFT, and assigned permissions to the account, you should edit the service itself so that it will not run as a "System Account" (the default account choice). Running the service as System Account poses the potential hazard of giving users complete access to your system.

Creating a Windows User Account for EFT

To create a user account in Windows

1. After you install EFT, open the Computer Management console.

2. Expand the Local users and Groups node, right-click Users, then click New User. The New User dialog box appears.

3. Create a user account for EFT (e.g., EFTUser), clear the User must change password at next logon check box, and then click Create, and then click Close.

4. Close the Computer Management console.

5. In Administrative Tools, click Local Security Policy. The Local Security Policy dialog box appears.

6. Expand the Local Policies node, and then click User Rights Assignment.

7. In the right pane, in the Policy column, double-click Act as part of the operating system. The Properties dialog box appears.

8. Click Add user or Group. The Select Users or Groups dialog box appears.

9. Select the new user you just added (e.g., EFTServer), click Add, then click OK.

10. If necessary, assign permissions for this user account in Windows.

11. Assign EFT to the new user account and log EFT on as a service.

Set Windows NT Permissions for EFT

After you have created a new Windows user account for EFT, use Windows' permissions to set the permissions for folders, files, or drives for the account. Permissions should be as restrictive as possible while still allowing EFT enough permission to run.

Using Windows NT's permissions, set the permissions for files or drives of this user to be as restrictive as possible, while still allowing EFT to run. After carefully determining which files and network folders your users will need to access, gradually increase the permissions.

Make sure that full permissions are granted to the EFT service domain user account for the following locations:

• Installation folder

• Application data folder

• Windows Temp folder

• Any shared drive paths required by EFT

• Any output directories that EFT may need to read/write files to

If you run into permissions issues, run Process Monitor or similar tools and isolate non-success results caused by cftpsai.exe, cftpstes.exe, gsawe.exe, and any other EFT-related processes.

Using NT Authentication, user permissions override EFT's permissions. For example, if EFT has read-only access to folder1, but user John Doe has read and write permission to folder1, John Doe has the same permission when he accesses folder1 through EFT.

Windows NT permissions can be edited through the Security tab in the Properties of a file or folder. On the Security tab, select Permissions to display and edit the permissions for the object. The appearance of this dialog box is slightly different for files and directories, but in both cases, the following permissions can be granted to users or groups:

• R (Read)

• W (Write)

• D (Delete)

• P (Edit permissions)

• O (Take ownership)

Keep in mind that you have the option to grant or withhold read and write permissions. Read-only permissions are the most secure, because they allow users to access a file, but not to change it. For example, most users will need limited read access to the Windows folders (C, WinNT); however, most FTP Servers will not need any access to these directories at all.

In addition to the individual permissions, Windows NT permissions also provide access levels that are simply pre-built sets of the existing permissions. Typically, you assign an access level to a user rather than granting individual permissions. One such access level is called "No Access," which does not contain any permissions.

To view and edit the permissions for a folder or file

1. In Windows Explorer, right-click the file or folder, then click Properties.

2. On the Security tab, click Permissions. The appearance of this dialog box is slightly different for files and directories and for different versions of Windows (W2K, XP, etc.).

For more information about setting permissions to folders and files, refer to the Windows Help documentation for your specific operating system. (e.g., click Start > Help and Support, then search on keyword permission.)

Assigning the Service to a Windows User Account

To assign the service to a Windows user account

1. Click Start > Run, type services.msc, then press ENTER.

2. Right-click EFT or EFT Enterprise, and then click Properties.

3. Follow the Windows Operating System procedures for selecting an account under which the service will run.
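The three procedures above (creating the account, setting its folder permissions, and assigning the service to it) can be scripted on a single host. The following is an added example written for this page, not a script shipped with EFT: it uses the standard Windows tools for each step (New-LocalUser, secedit for User Rights Assignment, icacls for folder ACLs, and sc.exe for the service logon account) and finishes by confirming the service no longer runs as Local System. The account name EFTUser, the folder paths in $eftPaths, and the service display name "EFT Enterprise" are placeholders to adjust for your installation; it assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not part of the EFT guide): scripts the "Windows Account for the EFT
# Service" procedures above on one host. Placeholders to adjust: the account name,
# the folder paths, and the service display name ('EFT' for the SMB edition).
# Requires an elevated Windows PowerShell 5.1 session (Get-LocalUser/New-LocalUser).

$accountName        = 'EFTUser'          # placeholder, as in step 3 above
$serviceDisplayName = 'EFT Enterprise'   # placeholder; 'EFT' for the SMB edition
$eftPaths = @(                           # locations listed under "Set Windows NT Permissions for EFT"
    'C:\Program Files\Globalscape\EFT Enterprise',  # installation folder (placeholder)
    'C:\ProgramData\Globalscape\EFT Enterprise',    # application data folder
    (Join-Path $env:windir 'Temp')                  # Windows Temp folder
    # add the shared drive paths and output directories EFT must reach
)

# 1. Create the local account. The password is typed by the operator, never stored here.
$password = Read-Host -AsSecureString -Prompt "Password for $accountName"
if (-not (Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $accountName -Password $password `
        -Description 'Windows account for the EFT service' | Out-Null
}
$sid = (Get-LocalUser -Name $accountName).SID.Value

# 2. Grant "Act as part of the operating system" (SeTcbPrivilege, steps 5-9 above).
#    User Rights Assignment is scripted with secedit: export, edit the SID list, import.
$cfg = Join-Path $env:TEMP 'eft-user-rights.inf'
$db  = Join-Path $env:TEMP 'eft-user-rights.sdb'
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content -Path $cfg)
$tcb = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^SeTcbPrivilege\s*=') { $tcb = $i }
}
if ($tcb -ge 0) {
    # Right already granted to someone: append this SID unless it is listed already.
    if ($lines[$tcb] -notmatch [regex]::Escape($sid)) { $lines[$tcb] += ",*$sid" }
} else {
    # Right granted to nobody yet: add the line inside the [Privilege Rights] section.
    $section = [array]::IndexOf($lines, '[Privilege Rights]')
    if ($section -lt 0) { throw 'secedit export has no [Privilege Rights] section' }
    $lines = $lines[0..$section] + "SeTcbPrivilege = *$sid" + $lines[($section + 1)..($lines.Count - 1)]
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. Full control on the EFT folders only. Widen later, path by path, for anything
#    Process Monitor shows the EFT processes failing to reach.
foreach ($path in $eftPaths) {
    if (Test-Path $path) {
        icacls $path /grant "${accountName}:(OI)(CI)F" /T /Q | Out-Null
    } else {
        Write-Warning "Skipping missing path: $path"
    }
}

# 4. Run the service as the new account instead of Local System.
$svc   = Get-Service -DisplayName $serviceDisplayName
$plain = [System.Net.NetworkCredential]::new('', $password).Password
sc.exe config $svc.Name obj= ".\$accountName" password= $plain | Out-Null
$plain = $null

# 5. Restart and confirm the service no longer runs as Local System.
Restart-Service -Name $svc.Name
$startName = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
if ($startName -eq 'LocalSystem') {
    Write-Warning "$serviceDisplayName still runs as Local System; check the sc.exe output."
} else {
    Write-Output "$serviceDisplayName now runs as $startName"
}
```

The ACL step deliberately grants the account nothing beyond the listed folders, matching the "as restrictive as possible, then gradually increase" guidance above; the final check is the one worth keeping in a post-install checklist, since a service left on Local System is exactly the hazard the section warns about.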

Registry Settings

EFT stores some of its configuration information in the Windows Registry. EFT modifies the system registry as needed, and continually references this information during operation.

Refer to the topics listed below for details of these commonly configured registry settings. To view details of other registry settings, please see the Globalscape Knowledge Base article http://kb.globalscape.com/article.aspx?id=10411.

In many of the older registry entries, a version of EFT is listed in the path. DO NOT change the version number, regardless of which version of EFT you are using. For example, HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 3.0\UseMD5PasswordHash should be created exactly like that (on 32-bit systems).

Upgrading the Software — If a Site uses the LDAP Authentication Manager, and if the users are allowed to change their passwords, LDAP calls are used to make the password changes. In v6.2, Active Directory calls were used to make the password changes. With the switch to LDAP in v6.3 and later, LDAP over SSL should be used to protect the password changes. LDAP over SSL can be difficult to configure, so setting the ChangePassByAD DWORD value to 1 allows you to continue using the Active Directory API for the password changes, which also provides security for the communication path.

Allowing Multipart Transfers (COMB Command) — Enable client offload/download multipart transfers over FTP/FTPS with the DWORDs MultipartValue and EnableMultipart.

Changing the Number of Concurrent Threads Used by Event Rules:

  o Override the initial worker thread count in Folder Monitor rules with the DWORD FolderMonitorWorkerThreadCount.

  o Specify the global maximum number of connections for EFT's transfer engine (the default is 100) with the DWORD MaxNumberConnections.

Accessing EFT Through a Proxy — The default HTTP client for the WTC is based on the Apache library, but if the proxy you are trying to connect through requires NTLM v2 authentication, the WTC will need to use an alternate HTTP client based on the JSE 6 application library. You can force the WTC to use the JSE HTTP client by configuring the DWORD use_JSE_HTTP_Client. For CAC-enabled Sites the JSE client is automatically used regardless of the registry setting.

AD Password Expiration — On NTAD/LDAP Sites, you can configure EFT to send an e-mail notifying users that their password is about to expire in <n> days by setting the DWORD PasswordChg_EmailInterval.

Changing an AD Password via the WTC — The WTC NTAD/LDAP change password capability can be turned on/off through the DWORD PasswordChg_NTADLDAP. On AD/LDAP Sites, if you have enabled the "User must change password at next logon" feature in AD, you must enable (set to "on") the registry setting. If you have enabled the "User cannot change password" feature in AD, users will not be able to change their passwords.

Allow Server to Accept ODBC Database Passwords that are MD5 Hashed — When you create user accounts within EFT, the ODBC database is populated with the username and a SHA-256 hash of the account password. The DWORD UseMD5PasswordHash will cause ODBC to use MD5 instead.

Session Timeout — The DWORD WTCTimeout specifies the number of minutes that you want the WTC session to be active, but idle, before the session is released.

Specifying the Value Returned by the FTP SYST Command — If your server requires a particular response, EFT provides a registry setting with which you can specify the value returned by the FTP SYST command (DWORD FTPSYSTResponse).

Integrated Windows Authentication for Single Sign On (SSO) — Enabled for AD users using Internet Explorer with the DWORDs use_registry and enable_iwa.

The Client Log (Event Rule Logging) — A tenth column can be added to the CL log by defining a registry entry, DWORD Enable10ColumnInClientLog.

The EFT.log File — EFT can be instructed to log specific or all HTTP request headers when DWORD log_request is set to 1.

EFT Server Web Services — The Web Services timeout is set to 60 seconds. You can change the timeout value in DWORD WebServiceTimeout.
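Because several of these DWORDs weaken or widen what EFT does (MD5 instead of SHA-256 for ODBC passwords, request headers written to EFT.log), it is worth being able to list their current state on a server without opening Registry Editor. The script below is an added example for this page, not a Globalscape tool. It reads only; it never writes. Its one assumption is the key path: the guide gives the full path only for UseMD5PasswordHash (HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 3.0, on 32-bit systems), so the script looks for all the named values under that key and, on 64-bit Windows, under its WOW6432Node mirror; confirm the key for each value against the Knowledge Base article linked above before acting on a result.

```powershell
# Added example (not from the EFT guide): lists the registry DWORDs named above and
# marks the ones a defender should review. Read-only. ASSUMPTION: all values are looked
# up under the "EFT Server 3.0" key the guide shows for UseMD5PasswordHash (and its
# WOW6432Node mirror on 64-bit Windows); verify each value's real key in KB article 10411.

$candidateKeys = @(
    'HKLM:\SOFTWARE\GlobalSCAPE Inc.\EFT Server 3.0',             # path given in the guide
    'HKLM:\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 3.0'  # 64-bit mirror (assumption)
)

# Value name, the setting that warrants review when equal to Review ($null = informational), and why.
$checks = @(
    @{ Name = 'UseMD5PasswordHash';   Review = 1;     Note = 'ODBC account passwords hashed with MD5 instead of SHA-256' },
    @{ Name = 'log_request';          Review = 1;     Note = 'HTTP request headers (may carry cookies or credentials) written to EFT.log' },
    @{ Name = 'ChangePassByAD';       Review = $null; Note = 'password changes use the AD API instead of LDAP over SSL' },
    @{ Name = 'enable_iwa';           Review = $null; Note = 'Integrated Windows Authentication for SSO' },
    @{ Name = 'PasswordChg_NTADLDAP'; Review = $null; Note = 'WTC AD/LDAP change-password capability' },
    @{ Name = 'WTCTimeout';           Review = $null; Note = 'idle WTC session timeout, minutes' },
    @{ Name = 'WebServiceTimeout';    Review = $null; Note = 'Web Services timeout, seconds (default 60)' },
    @{ Name = 'MaxNumberConnections'; Review = $null; Note = 'transfer engine connection limit (default 100)' },
    @{ Name = 'FTPSYSTResponse';      Review = $null; Note = 'custom reply to the FTP SYST command' }
)

function Get-EftRegistryReport {
    foreach ($key in $candidateKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($c in $checks) {
            $prop  = $props.PSObject.Properties[$c.Name]      # $null when the value is absent
            $value = if ($prop) { $prop.Value } else { $null }
            $status = 'set'
            if ($null -eq $value) { $status = 'not set (EFT default)' }
            elseif ($null -ne $c.Review -and $value -eq $c.Review) { $status = 'REVIEW' }
            [pscustomobject]@{
                Key    = $key
                Name   = $c.Name
                Value  = $value
                Status = $status
                Note   = $c.Note
            }
        }
    }
}

$report = Get-EftRegistryReport
if (-not $report) {
    Write-Warning 'No EFT registry key found under the candidate paths; check KB article 10411 for the key your version uses.'
} else {
    $report | Format-Table -Property Key, Name, Value, Status, Note -AutoSize -Wrap
}
```

A value reported as "not set" means EFT is using its built-in default (SHA-256 for ODBC passwords, no header logging, the 60-second Web Services timeout), so the rows marked REVIEW are the deviations to justify or remove.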

Running EFT and Microsoft IIS on the Same Computer

By default, the FTP server in Microsoft IIS binds to port 21 on all IP addresses. If you are running IIS FTP server and EFT on the same computer, you must disable socket pooling for the IIS FTP server.

To disable socket pooling in IIS FTP server

In Microsoft IIS, stop the FTP site as described below:

1. Open a command prompt.

2. Change directory to C:\InetPub\Adminscripts: cd C:\InetPub\Adminscripts

3. Type:

CSCRIPT ADSUTIL.VBS SET MSFTPSVC/DisableSocketPooling TRUE

4. Then press ENTER. You should get the following response: disablesocketpooling : (BOOLEAN) True

5. Exit the command prompt and restart the FTP site. This should prevent IIS from binding to all IP addresses on port 21, freeing up an IP address on port 21 (the default FTP port).


For more information on Microsoft IIS socket pooling, refer to the following articles:

http://support.microsoft.com/default.aspx?scid=kb;en-us;259349

http://support.microsoft.com/default.aspx?scid=kb;EN-US;238131

The articles linked above discuss the IIS Web server, but the same information applies to the IIS FTP server.

"Unexpected Error 0x8ffe2740 Occurred" Message When You Try to Start EFT

Microsoft IIS uses port 80 for HTTP communication. If you are running the IIS FTP server and EFT on the same computer, you can do either of the following:

• In IIS Manager, change the port bindings for the website to a port other than port 80.

• Stop the application that is using port 80, and then start the website from IIS Manager.

For more information, refer to the Microsoft Knowledge Base article #816944. http://support.microsoft.com/kb/816944/en-us
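Both problems above (IIS FTP bound to port 21 on every address through socket pooling, and the 0x8ffe2740 start-up error when something else holds port 80) are the same condition seen from EFT's side: another process already owns the listener. The script below, an added example for this page rather than anything from Globalscape or Microsoft, shows which process owns each of the two ports and whether it is bound to all addresses (0.0.0.0 or ::) or to a single IP, which is the check to run before starting EFT beside IIS. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated session so process owners resolve.

```powershell
# Added example (not from the EFT guide): report the owners of the FTP (21) and HTTP (80)
# listeners and flag wildcard bindings, the symptom of the IIS conflicts described above.
# IIS HTTP listens through http.sys, so port 80 normally appears as the System process (PID 4).
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated session.

function Get-PortListeners {
    param([int[]]$Ports = @(21, 80))   # the two ports the sections above concern

    foreach ($port in $Ports) {
        $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $listeners) {
            [pscustomobject]@{ Port = $port; Address = '(no listener)'; Process = '-'; AllAddresses = $false }
            continue
        }
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port         = $port
                Address      = $l.LocalAddress
                Process      = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id))" } else { "PID $($l.OwningProcess)" }
                AllAddresses = ($l.LocalAddress -in @('0.0.0.0', '::'))   # bound on every address?
            }
        }
    }
}

$report = Get-PortListeners
$report | Format-Table -AutoSize

# A wildcard binding must be removed (socket pooling disabled, or the IIS site moved to
# another port or address) before EFT's own listener on that port will start.
foreach ($r in ($report | Where-Object AllAddresses)) {
    Write-Warning ("Port {0} is bound on all addresses by {1}; EFT cannot open its own listener on that port until this changes." -f $r.Port, $r.Process)
}
```

After running the adsutil command above, re-run the script: the port 21 row should now show the IIS FTP listener on one specific address rather than 0.0.0.0, leaving the remaining addresses free for EFT's FTP Site.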

Running a Microsoft .NET Web Application in 32-bit Mode in IIS 6.0 on a 64-bit Server

First, you need to configure IIS to run 32-bit Web applications on 64-bit Windows, then you need to register the ASP.NET application, then restart the Web publishing service.

1. Enable IIS 6.0 to run 32-bit Web applications on 64-bit Windows:

   a. Open a command prompt and navigate to the \Inetpub\AdminScripts directory.

   b. Type the following: cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 "true"

   c. Press ENTER.

2. Register the ASP.NET application:

   a. Open a command prompt and navigate to the directory that contains the ASP.NET executable. For example, type cd WINDOWS\Microsoft.NET\Framework\v2.0.50727

   b. Type the following, then press ENTER: aspnet_regiis.exe -i

   For more information about the ASP.NET IIS Registration Tool (aspnet_regiis.exe), refer to http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx

3. Start the World Wide Web Publishing Service:

   a. Click Start > Run, type services.msc, then press ENTER.

   b. In the list of services, right-click World Wide Web Publishing Service, and then click Start (or Restart).

Error in ASP.NET Registration

Microsoft .NET Framework is required for the AS2 module, Advanced Workflows Engine, and for the Secure Ad Hoc Transfer (SAT) module.

• If you do NOT have the .NET framework installed on your system, you can download and install it from the Microsoft Developer Network.

• If you have the framework installed, but IIS still does not show any .NET-related information (such as the ASP.NET tab), run the ASP.NET IIS Registration Tool, found in the .NET installation folder (e.g., C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727). The file is called aspnet_regiis.exe and you must pass in the "-i" parameter.

To run the ASP.NET Registration Tool

1. At a command prompt, change to the directory that contains the executable. For example, type cd WINDOWS\Microsoft.NET\Framework\v2.0.50727

2. Type the following, then press ENTER: aspnet_regiis.exe -i

ASP.NET is installed and registered.

For more information about the ASP.NET IIS Registration Tool (aspnet_regiis.exe), refer to http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx.

Extending the Trial

After the 30-day trial has expired, EFT switches to "Developer Mode" during which you can continue evaluating EFT functionality. After trial expiration, EFT blocks all incoming client IP addresses other than the localhost from connecting to EFT, either as an administrator or as a client (using FTP/S, SFTP, or HTTP/S protocols). All outgoing (offload/download) requests from EFT's Event Rules are also blocked to any IP address other than localhost. Therefore, when the trial period is over, no external IP addresses can connect to EFT, nor can EFT connect to any external IP addresses.

EFT and EFT Enterprise have many complex features that you will want to take time to evaluate thoroughly. Therefore, 30 days might not be enough time for busy IT professionals to make a buying decision. For this reason, you can request a trial extension that, if approved, provides an additional 30 days of full functionality, including add-on modules.

To request a trial extension

1. Open the administration interface.

2. On the main menu, click Help > Request Trial Extension. The Trial Extension Request dialog box appears.


3. Provide your Name, Company, Email address, and Phone. This information is used to find your account in our database.

   a. If you would like to review the request before sending it, click Preview Request. The Trial Extension Request Details dialog box appears.

   b. Click Close to close the dialog box and return to the request.

4. Click Send. Your request is sent to the Globalscape server, which will forward your request to an account executive. If your computer does not have access to the Internet, copy the trial extension request to a computer that has internet access and e-mail the request to your account representative, or if you don't have one, use the Contact Sales form online at http://www.globalscape.com/support/sales.aspx. After your request is processed, an account executive will send you an e-mail with a response string.

• If you do not have Internet access, an error message appears. You can copy the contents of the Trial Extension Request to the clipboard and then e-mail it to Globalscape Sales using the form at http://www.globalscape.com/support/sales.aspx.

To provide the Trial Extension Response

1. Log in to the administration interface. (You must be logged in to EFT on the computer from which the trial request originated.)

2. On the main menu, click Help > Enter Trial Extension Response. The Trial Extension Response dialog box appears. Copy the string from the e-mail and then paste it into the Trial Extension Response dialog box.

• If the string is not valid, an error message appears. Verify this is the same computer from which the trial extension request originated and that you have copied the exact response from the approval message.

• If the string is validated, click OK.

3. If the string is accepted, the trial is extended.

Silent Command-Line Installation

Let's suppose you have several computers around the world on which you want to install EFT. You can provide to each of the remote sites an installation file with a batch file, then ask a local administrator to execute the batch file, which will install EFT. The script silently installs/upgrades EFT without any interaction on the part of the administrator. The installer logging functionality can be used to verify the outcome and diagnose potential issues. You can also upgrade silently from the command line and install the administration interface from a command line.

Refer to the attached PDF for details.


Installation Logging

The installation log file is intended for debugging purposes and contains messages that may help resolve issues that arise during installation.

• During installation and maintenance, the installer creates an Installer.log file in the %TEMP%\<Product Name> directory. For example:

  o C:\Users\Administrator\AppData\Local\Temp\EFT Server\Installer.log

  o C:\Users\Administrator\AppData\Local\Temp\EFT Server Enterprise\Installer.log

• At the completion of the installation, either due to success or failure, the installer copies the final log to the <InstallDir>\logs directory, if it exists. If the installer fails during an initial clean installation, the <InstallDir>\logs directory may not exist. In this case, the final log file remains in the %TEMP%\<Product Name> directory.

• The installer attempts to append to the existing log file on subsequent runs of the installer (e.g., if the user performs a Reinstall). It does this by copying any existing Installer.log file from the installation directory into the Temp directory, writing to it during installation, and then copying it back to the <InstallDir>\logs directory when the installation is finished.

• You can write out the same log messages to another log file of your choosing using the /logfile=<Log file> command line switch to the installer.

Debug Logging

The installer is capable of writing the same messages that go to the Main Installer Log using the Windows debug logging infrastructure. These messages may be viewed using a utility such as Sysinternals' DebugView application. To enable this logging, the installer must be run from the command line with the /debug switch.

EFT Administration Interface (AI)

EFT's administrator login dialog allows you to log in as an administrator using preconfigured accounts created in EFT's internal authentication database, Windows local administrator accounts, or Active Directory-based accounts. A drop-down list is provided from which you can choose EFT Authentication, Currently Logged On User, or Windows Authentication. (The use of Active Directory accounts for administrator login is available with the High Security module only.) The last-used authentication scheme selected is saved locally and recalled the next time the administrator logs in.

After EFT is configured, you can open the administration interface and log in automatically using the EFT computer's local administrator credentials from a command line or a Windows shortcut, using the EFT administrator listening IP address and port.

• EFT allows you to specify Active Directory accounts and local computer administrators as EFT administrators.

• For more information about EFT administrators, refer to Configuring Server Administrators.

• For more information about Active Directory authentication in EFT, refer to Windows Active Directory Authentication.

• Changing an administrator password, locking out an administrator account, removing an administrator account, enforcing complex passwords, password history, password reset on an administrator account, and expiring passwords on administrator accounts apply to EFT-managed accounts only.

• For details of monitoring EFT, refer to Viewing Server Statistics, Monitoring User Connections to EFT, and Auditing and Reporting Module (ARM).

Introduction to the Administration Interface

The graphical user interface to EFT is used to configure one or more physical servers. Each physical server can have one or more virtual hosts called "Sites" listening on one or more IP addresses. User accounts are attached to a Site, along with settings that can be configured via the administration interface. After you install EFT and you launch the administration interface, you are prompted to connect to EFT on either a local or a remote computer. You can install the interface on as many computers as you like, but the server service may only be installed on a computer with a valid EFT software license.

To open the administration interface

• Click the EFT shortcut on the Start menu or desktop (cftpsai.exe).

• The left pane of the administration interface displays the Server tab by default. This tab provides a tree view of the administration interface components that are used to connect to and communicate with EFT (Server Groups, Servers, Sites, Settings Templates, Users, Permission Groups, Commands, Event Rules, and Gateway). The Report tab, Status tab, and VFS tab provide other views. Click the tabs in the illustration above or the links in Related Topics, below, for more information about each tab. Items within each sub node of the Site are sorted alphabetically. That is, the User Settings Templates are sorted alphabetically, the user accounts in each Settings Template are sorted alphabetically, the Groups are sorted alphabetically, and so on.

• The right pane provides the tabs that contain the configuration options for the item selected in the left pane. For example, when you select a Server in the tree on the Server tab, the right pane contains the configuration options for that Server.

• When any node under the Server Group is selected, the Title bar displays the IP address and the connected username.


• Unless otherwise indicated, the standard Windows keyboard shortcuts apply.

• For details of each tab, the main menu, and the toolbar, refer to the topics below.

Main Menu and Toolbar

The main menu and toolbar of the administration interface provide options for configuring and managing Sites, Settings Templates, Groups, Commands, Folders, Certificates, and Reports.

Below is a description of each of the main menu options and toolbar icons. (Certain options are available only in EFT Enterprise.)

Menu | Option | Shortcut | Description
File | Connect to EFT | ALT+F+C | Opens the Connect to EFT dialog box in which you can log in to the selected Server.
File | Disconnect from Server | ALT+F+D | Disconnects from EFT, but leaves the administration interface open.
File | Start Server Service | ALT+F+I | Starts the EFT service.
File | Stop Server Service | ALT+F+P | Stops the EFT service.
File | Backup Server Configuration (available only in EFT Enterprise) | - | Opens a Save As dialog box in which you can specify a location to save a *.bak file of the current configuration.
File | Restore Server Configuration (available only in EFT Enterprise) | ALT+F+F | Opens the EFT Migration Wizard in which you specify the *.bak file to restore the EFT configuration.
File | Start All Sites | ALT+F+A | Starts all Sites on the selected EFT. Only available if one or more Sites are stopped.
File | Stop All Sites | ALT+F+L | Stops all Sites on the selected EFT. Only available if one or more Sites are running.
File | Start Site | ALT+F+T | Starts the selected Site. Only available if the Site is stopped.
File | Stop Site | ALT+F+O | Stops the selected Site. Only available if the Site is running.
File | New User | CTRL+U | Opens the New User Creation wizard in which you can define a new user.
File | New Site | CTRL+N | Opens the Site Setup wizard in which you can define a new Site. The first page of the wizard provides the option of creating a standard Site or a Site created using the "strict security settings" option.
File | New Server | ALT+F+S | Opens the New Administrator Connection wizard in which you can create a new Server.
File | New Server Group | ALT+F+G | Opens the Create New Group dialog box in which you can define a new Server Group.
File | Kick Selected User | ALT+F+K | Forcibly logs off the selected user.
File | Remove User | ALT+F+U | Deletes the selected user.
File | Remove Site | ALT+F+R | Opens a confirmation dialog box asking if you want to remove the selected Site. Also available when right-clicking a Site.
File | Remove Server | ALT+F+V | Opens a confirmation dialog box asking if you want to remove the selected EFT. Also available when right-clicking the object in the tree.
File | Remove Server Group | ALT+F+M | Removes the selected Server Group; only available if you have more than one Server Group defined. (WARNING: No confirmation message appears!) Also available when right-clicking a Server.
File | Exit Administrator | ALT+F+E | Closes the administration interface. (No confirmation appears.)
Edit | Cut | ALT+E+T | Deletes selected text and copies it to the Clipboard.
Edit | Copy | ALT+E+C | Copies selected text to the Clipboard.
Edit | Paste | ALT+E+P | Pastes text from the Clipboard to a selected editable text area in the EFT administration interface.
Edit | Server Service Settings | ALT+E+S | Opens the Server Service Settings dialog box, in which you can view the status of, start, and stop the EFT service or connect to a remote Server service.
Edit | Global Settings | ALT+E+G or ALT+F7 | Opens the Server Global Settings dialog box in which you can specify prompts and change your administrator password.
View | Toolbar | ALT+V+T | Displays or hides the toolbar.
View | Status Bar | ALT+V+S | Displays or hides the Status bar at the bottom of the administration interface.
View | Refresh User Database | ALT+V+D | Connects to the user database and updates EFT. For more details, refer to Configuring EFT to Automatically Update the Authentication Database and Changing the User Database Refresh Rate for a Site. The user list is not refreshed automatically when a Site is stopped for Server startup; user database synchronization timer; or administrator changes related to the user database.
View | Refresh Configuration | ALT+V+H (or F5) | Refreshes the display to the last saved state.
(ALT+C) | New User | ALT+C+U (or CTRL+U) | Opens the New User Creation wizard in which you can define a new user.
(ALT+C) | New Site | ALT+C+I (or CTRL+N) | Opens the Site Setup wizard in which you can define a new Site. The first page of the wizard provides the option of creating a standard Site or a Site created using the "strict security settings" option.
(ALT+C) | New Server | ALT+C+S | Opens the New Administrator Connection wizard in which you can create a new Server.
(ALT+C) | New Settings Template | ALT+C+L (or CTRL+L) | Opens the Create New Settings Template dialog box in which you can define a new Settings Template.
(ALT+C) | New Permissions Group | ALT+C+G (or CTRL+G) | Opens the Create New Group dialog box in which you can define a new Permission Group.
(ALT+C) | New Server Group | ALT+C+O | Opens the Create New Group dialog box in which you can define a new Server Group.
(ALT+C) | New Command | ALT+C+C (or CTRL+M) | Opens the Custom Command wizard in which you can create a custom Command for use in Event Rules.
(ALT+C) | New Workflow (available only in EFT Enterprise) | ALT+C+A | Opens the Create a Workflow dialog box.
(ALT+C) | New Connection Profile | - | Opens the New Connection Profile dialog box.
(ALT+C) | New Event Rule Folder | - | Opens the New Event Rule Folder dialog box.
(ALT+C) | New Event Rule | ALT+C+R | Opens the Create New Event Rule dialog box in which you can select an Event trigger.
(ALT+C) | New Virtual Folder | ALT+C+V | Opens the New Virtual Folder dialog box in which you can provide a name for and create a new virtual folder.
(ALT+C) | New Physical Folder | ALT+C+W | Opens the Create Folder dialog box in which you can provide a name for and create a new physical folder.
(ALT+C) | Reset Subfolders | ALT+C+S | Available only on the VFS tab; used to reset all subfolders of a particular parent folder to inherit permissions from that parent.
(ALT+C) | Rename Selected | ALT+C+M (or F2) | Enables a selected object for renaming.
(ALT+C) | Delete Selected | ALT+C+D (or Delete) | A confirmation message appears asking if you want to delete the selected object.
(ALT+C) | Set Settings Template | ALT+C+T | Assigns the selected user to a Settings Template.
(ALT+C) | Apply Changes | ALT+C+A (or F9 or F5) | Updates EFT with any changes. (Same as clicking Apply.)
(ALT+C) | Undo Changes | ALT+C+U | Reverts to the last applied change.
Tools | Create SSL Certificate | ALT+T+C | Opens the Create SSL Certificate wizard in which you can create a self-signed certificate, private key, and certificate request file (.csr).
Tools | Run PCI DSS Compliance Report | | 
(ALT+W) | Report | | 
(ALT+W) | Status | | 
(ALT+W) | VFS | | 
(ALT+W) | Server | ALT+W+E (or ALT+4) | Opens the Server tab.
Help | Help Contents | ALT+H+C | Opens this Help file.
Help | Online Knowledge Base | ALT+H+K | Opens the Globalscape Knowledge Base, http://kb.globalscape.com/.
Help | Online Support | ALT+H+S | Opens the Globalscape Help Center Web page, http://www.globalscape.com/company/contact.aspx.
Help | Provide Feedback | ALT+H+P | Opens the Globalscape Customer Support Contact Us page, http://www.globalscape.com/company/contact.aspx.
Help | Activate EFT (or Activate EFT Enterprise); Activate HTTP/S Module (add-on in EFT SMB; included in EFT Enterprise); Activate Web Transfer Client; Activate Mobile Transfer Client; Activate High Security Module; Activate Content Integrity Control Module; Activate AWE Module (available only in EFT Enterprise); Activate Auditing and Reporting Module; Activate SFTP Module (add-on in EFT SMB; included in EFT Enterprise) | ALT+H+S, ALT+H+I, ALT+H+W, ALT+H+I, ALT+H+M, ALT+H+D, ALT+H+F | Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

Opens the EFT Registration Wizard.

94

Server Configuration and Administration

Menu Option Sub Menu

Option

Activate

OpenPGP

Module

Activate AS2

Module

Activate DMZ

Gateway

Module

Request Trial

Extension

Enter Trial

Extension

Response

About

Globalscape

EFT

Toolbar Shortcut

- ALT+H+O

-

-

-

-

-

ALT+H+M

Opens the EFT Registration Wizard.

ALT+H+D+D

Opens the EFT Registration Wizard.

ALT+H+R

ALT+H+E

ALT+H+A

Description

Opens the EFT Registration Wizard.

Opens the Trial Extension Request dialog box.

Opens the Trial Extension Response dialog box.

Opens the About dialog box.

Server Tab

The topics below describe the Server tab of the EFT administration interface.

Server Tab of the Administration Interface

EFT employs an inheritance hierarchy to manage the Server, Site, and user settings, and Group permissions. The administration interface displays this hierarchy as a navigation tree in the left pane on the Server tab.

The tree displays each of the EFT components that you configure in the administration interface. When you click an item in the tree, the available tabs in the right pane change based on your selection. For example, when you click a Server (e.g., Local Server) on the Server tab, the tabs appear in the right pane for configuring that Server. When you click a user on the Server tab, the tabs appear in the right pane for configuring that user.

You can create new items and manage items in the tree by right-clicking the tree, or clicking Configuration on the main menu. The illustration below shows the nodes expanded and labeled. Descriptions are below the illustration.


The Server Group node is the topmost level and is an organizational function for multiple groups of Servers; you can add additional Server Groups. (Do not confuse with Permission Groups, below.)

The Server node represents one or more physical EFT services running on the local computer or a remote system. Refer to Server Setup Wizard for more information.

The Site node is similar to a virtual host bound to one or more IP addresses. Multiple Sites (or hosts) are allowed within each Server. Configuration of Site-wide settings can be inherited at lower levels (in the Settings Template or per user). Each Site contains its own Settings Templates, Users, Groups, Commands, Advanced Workflows, Event Rules, Gateway node, Activity node, and Search node. Refer to Defining Connections (Sites) for more information.


The User Settings Templates node allows you to apply a setting configuration to an entire group of users. Similar to templates or profiles, Settings Templates are a powerful way of organizing users into groupings with predefined settings. The Settings Template specified as the default appears in the tree with bold text.

Users are individual accounts or partners assigned to a Settings Template. Each user can be configured to inherit settings from the Settings Template or have specific settings defined for that particular user. When a user account is disabled, the user icon displays a red circle with an X on it. A user account without a defined e-mail address has a blue circle with an i on it.

The Groups node allows you to define user access permissions to files and folders. Groups are assigned on the Site. Users' access to folders and files is defined by their assigned Group's permissions.

The Commands node allows you to configure Commands that launch external executables, batch files, or scripts. Once configured, these Commands can be called from within an Event Rule.

The Advanced Workflows node allows you to design programmatic workflows visually, without prior programming experience. You can "drag-and-drop" from a list of hundreds of predefined actions to create sequenced workflows according to your business logic. Once configured, these workflows can be called as individual actions from within an Event Rule.

The Event Rules node consists of triggering Events, optional Conditions affecting the Event Rule, and the resulting Actions that are carried out. For details, refer to Introduction to Event Rules.

The Gateway node allows you to configure the IP address, port, and protocols used to communicate with DMZ Gateway.

The Activity node allows you to view transfer activity to and from the Site.

The Search node allows you to search the selected Site for a specific user, Event Rule, Command, etc.


General Tab of a Server

The General tab of the Server node displays EFT statistics and is used to specify defaults that are inherited by all Sites, Settings Templates, and users, such as the default path for configuration settings, default directory listing date stamp setting (local server time or UTC/GMT time), e-mail template, password expiration message, and user database refresh interval. You can also stop the EFT service on this tab.

Refer to the topics below for details of this tab.

Stopping the EFT service

Viewing Server Statistics

Specifying Default Paths

Specifying the Default Time Stamp

Editing the Password Reset Messages

Editing the User Login Credentials Message

Automatically Updating the User Authentication Database

Workspaces Messages


Administration Tab of a Server

The Administration tab of the Server node is used to configure remote connections to EFT, including the administration interface's IP address and port, SSL certificates, and granting/denying access by IP address, and to add, modify, and remove Server administrator accounts.

• To view the properties of an administrator account, in the Administrator account names area, click the account.

• To create a new administrator account , click Add.

• To delete an administrator account manually, click the account, and then click Remove.

• To remove inactive accounts automatically, refer to Removing Inactive Administrator Accounts.

• For details of the Event Rule Change Log, refer to Event Rules Change Log.

For EFT-managed administrator accounts only ("EFT only"):

• To change the password of an administrator account, click the account, then click Change Password.

• To change the account security settings, click Account Policy and refer to Lockout an Administrator Account.

• To change the password settings, click Password Policy and refer to Enforcing Complex Passwords for Administrator Accounts, Enforcing Password Reset for Administrator Accounts, and Expiring Administrator Passwords.

Refer to the topics below for details of this tab.

Server Administration Connectivity

Configuring Server Administrators


Security Tab of the Server

The Security tab of the Server node is used to specify SSL versions and allowed ciphers for EFT's Sites, to enable FTPS protocol specific settings, and to enable FIPS for SSL and/or SSH.

Refer to the topics below for details.

Creating Certificates

SSL Certificates

Explicit Versus Implicit SSL

Using Ciphers for SSL Connections with EFT

SSL Compatibility (Enabling SSL on the Server; includes FTPS Protocol Specific settings)

Certificate Chaining

Connection Problems

FIPS-Certified Libraries


Logs Tab of a Server

The Logs tab of the Server node is used to configure the type and location for the Server logs and Auditing and Reporting settings.

Refer to the topics below for details.

Log Settings

Audit Database Settings

Auditing Database Errors and Logging


SMTP Tab of a Server

The SMTP tab of the Server node is used to specify the SMTP settings that EFT is to use to send e-mail notifications. When you create EFT in the Server Setup Wizard, the SMTP Server settings on this tab are automatically populated.

If you add names and e-mail addresses to the address book, they are automatically added to e-mail notifications in Event Rules. The name and address in the first row appear in the To box of the Edit Mail Template dialog box; names and addresses in the other rows are added to the CC box of the Edit Mail Template dialog box.

Refer to the topics below for details.

Configuring SMTP Server Settings

Send Notification Email Action


High Availability Tab of a Server

The High Availability tab of the Server is a read-only tab that displays the configuration for high availability (active-active) clustering of EFT. The tab contains the multicast address, port, and listening queues.

Multicast Address—The address for the group of nodes in the cluster.

Multicast Port—The port used by the multicast address.

Coherence Queue—Repository for the message queuing (MSMQ) cache that broadcasts messages across the HA cluster to keep all nodes in synch.

Event Queue—Repository where events are held prior to processing.

Config Path—Path at which the cluster's shared configuration is stored.

Default Event Rule Load Balancing Nodes—Here you can click Edit to specify the default node(s) to run load balanced Event Rules. You can also specify nodes in the Event Rule to run specific rules. When you click Edit, the Run on Node dialog box appears. Specify the node, click Add, then click OK.

If HA is disabled, instead of the fields displayed above, a message appears explaining that HA is disabled.


DMZ Gateway Tab

If you have installed the DMZ Gateway module , you must configure EFT's connection to DMZ Gateway.

You can enable DMZ Gateway when you create the Site or enable it later in the EFT administration interface. In the Site Setup wizard for both standard and high security-enabled Sites, EFT displays the Perimeter Security configuration page that asks whether you will be using DMZ Gateway, and allows you to enter the DMZ Gateway IP address and port number. If Connect this site to EFT's DMZ Gateway is selected when you are creating a Site in the Site Setup wizard, EFT attempts to establish a socket connection to DMZ Gateway when you click Next.

• If the socket connection fails, a message appears in which you are allowed to provide the DMZ Gateway information again or disable DMZ Gateway and continue without it. (You can attempt to configure it again later.)

• If the socket connection is successful, EFT applies the settings and continues with Site setup.

To enable DMZ Gateway in EFT

1. In the administration interface, connect to EFT and click the Server tab.

2. Click the node of the Site you want to connect with the DMZ Gateway, and then click the Gateway node.

3. In the right pane, the DMZ Gateway tab appears.

4. Select the Enable the DMZ Gateway as a proxy check box.

5. Specify the IP address and the port number of the DMZ Gateway to which you are connecting. The default port is 44500. (The connection will be refused if the port is being used by another DMZ Gateway/Site or if the IP address is on the IP address ban list.)

6. In the Protocols area, select the check boxes for the protocols and the ports that DMZ Gateway will use. This is a separate configuration from the ports that EFT uses. For example, you could use port 21 for FTP traffic for EFT, but port 14421 for FTP traffic through the DMZ Gateway.

7. If you are using DMZ Gateway with a PASV mode IP address, click PASV settings. The Firewall/NAT Routing dialog box appears.

a. Select the Assign PASV mode IP address check box, then specify the IP address and port range.

b. Click OK.

8. Click Apply to save the changes on EFT.

9. Establish a new connection with EFT by stopping and restarting connected Sites.

a. On the Server tab, click the Site node.

b. In the right pane, click the General tab.

c. Click Stop. The Site Status area displays "Stopped" with a red ball icon.

d. Click Start. The Site Status area displays "Running" with a green ball icon.

Content Integrity Control Tab of a Server

(Available in EFT Enterprise) The Content Integrity Control Action is used to send a file to an antivirus scanner or data loss prevention solution for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for processing. When the file passes, other Actions can occur, such as moving the file to another location. If the file fails, processing can stop, or other Actions can occur, such as sending an email notification.

To create a profile to be used in the Content Integrity Control Action

1. Click Add. The tab becomes editable.

2. Profile name - Provide a descriptive name for the profile.


3. Host, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.

• The Host field cannot be blank.

• By default, the port is set to 1344.

4. Mode - Specify one of the following:

Request modification (REQMOD) - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server’s implementation.

Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.

5. Test Connection - After you specify the connection to the ICAP server, test the connection. If connection fails, verify these settings match the settings defined in the antivirus or DLP solution.

6. Limit scans to first - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first X bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the size you've specified, the entire file will be transferred for processing.

7. Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.

8. Text in ICAP body - (Optional) Specify text to search for in the ICAP response body text.

9. Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.

10. Always audit these ICAP response "X-" headers - (Optional) Specify “X-“ headers for auditing using ARM. If this option is enabled and no “X-“ headers are specified, all “X-“ headers will be audited. Use semicolons between multiple items. Note this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.

11. Click Apply to save the new profile. The new profile name appears in the Profiles list and is now available in the Content Integrity Control dialog box in Content Integrity Control Action .
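The REQMOD exchange from step 4 and the response checks from steps 6 through 10, modelled in Python as an added example (not GlobalSCAPE's code): the CicProfile fields, the host name and the EICAR-style scanner replies are constructed for illustration, and the ICAP framing follows RFC 3507.

```python
"""Model of the ICAP exchange behind EFT's Content Integrity Control profile.

Added example, not GlobalSCAPE's code. It builds the REQMOD request described
in step 4 (file contents embedded in an HTTP PUT inside an ICAP request),
honours the "Limit scans to first N bytes" option from step 6, and applies the
response checks from steps 7-10 to a constructed ICAP reply. CicProfile is a
hypothetical in-memory form of the tab's settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


@dataclass
class CicProfile:
    host: str
    port: int = 1344                        # default port shown in step 3
    path: str = "avscan"                    # service path on the ICAP server (assumed)
    limit_scan_bytes: Optional[int] = None  # step 6: None sends the whole file
    header_text: str = ""                   # step 7: text searched for in ICAP headers
    body_text: str = ""                     # step 8: text searched for in the body
    non_blocking: bool = False              # step 9: audit and continue
    audit_x_headers: str = ""               # step 10: "X-A;X-B"; empty = all X- headers


def build_reqmod_request(profile: CicProfile, filename: str, data: bytes) -> bytes:
    """Wrap the file (or its first N bytes) in an HTTP PUT carried by ICAP REQMOD."""
    payload = data if profile.limit_scan_bytes is None else data[: profile.limit_scan_bytes]
    http_hdr = (
        f"PUT /{filename} HTTP/1.1\r\nHost: {profile.host}\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    ).encode()
    # ICAP encapsulated bodies are chunked (RFC 3507, section 4.4.4)
    chunked = f"{len(payload):x}".encode() + CRLF + payload + CRLF + b"0" + CRLF + CRLF
    icap_hdr = (
        f"REQMOD icap://{profile.host}:{profile.port}/{profile.path} ICAP/1.0\r\n"
        f"Host: {profile.host}\r\n"
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_hdr + chunked


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an ICAP reply into status code, headers (names lower-cased) and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


@dataclass
class ScanResult:
    passed: bool                  # no violation text matched
    stop_processing: bool         # violation found and the profile is blocking
    audited_headers: Dict[str, str] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)


def evaluate_response(profile: CicProfile, raw: bytes) -> ScanResult:
    """Apply the profile's header/body text checks and X- header audit to a reply."""
    status, headers, body = parse_icap_response(raw)
    reasons: List[str] = []
    # A 204 reply carries no encapsulated content, so neither text check can
    # match and the file passes; any other reply is checked against the profile.
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items()).lower()
    if profile.header_text and profile.header_text.lower() in header_blob:
        reasons.append(f"ICAP {status}: header text {profile.header_text!r} found")
    if profile.body_text and profile.body_text.encode().lower() in body.lower():
        reasons.append(f"ICAP {status}: body text {profile.body_text!r} found")
    violation = bool(reasons)
    wanted = {h.strip().lower() for h in profile.audit_x_headers.split(";") if h.strip()}
    audited = {k: v for k, v in headers.items()
               if k.startswith("x-") and (not wanted or k in wanted)}
    return ScanResult(passed=not violation,
                      stop_processing=violation and not profile.non_blocking,
                      audited_headers=audited, reasons=reasons)


# Constructed sample replies (not captured from a real scanner).
CLEAN_RESPONSE = b'ICAP/1.0 204 No Content\r\nISTag: "sample-1"\r\n\r\n'
INFECTED_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "sample-1"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"X-Violations-Found: 1\r\n"
    b"Encapsulated: res-hdr=0, res-body=72\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
    b"16\r\nVirus found in upload.\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    profile = CicProfile(host="icap.example.test", limit_scan_bytes=4096,
                         header_text="X-Infection-Found", body_text="Virus found",
                         audit_x_headers="X-Infection-Found;X-Violations-Found")
    print(build_reqmod_request(profile, "report.pdf", b"%PDF-1.7 constructed").decode())
    for raw in (CLEAN_RESPONSE, INFECTED_RESPONSE):
        r = evaluate_response(profile, raw)
        print(f"passed={r.passed} stop={r.stop_processing} audited={r.audited_headers} {r.reasons}")
```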

To remove a profile

• To remove a profile, select its name in the list, and then click Remove.

Related Topics

Content Integrity Control Action


Report Tab of the Administration Interface

The Report tab is the interface to the Auditing and Reporting module (ARM). The Reports tree in the left pane lists the predefined Globalscape Reports and your custom reports. When you select a report in the left pane, the right pane updates for you to specify filters and a date range and generate the report.

Refer to the topics below for details of using reports.

Descriptions of Preconfigured Reports

Generating a Report

Filtering a Report

Custom Reports

Managing Reports


VFS Tab of the Administration Interface

The VFS tab is the interface to EFT's Virtual File System (VFS), used to grant access to files and folders on your system.

• The left pane displays the physical folders for the Site and any virtual folders that you have defined.

• In the folder tree in the left pane, a right-click menu provides VFS-specific options:

Explore - Opens Windows Explorer to view the contents of the selected folder.

New Physical Folder - Creates a new physical folder.

New Virtual Folder - Creates a new virtual folder.

Rename Folder - Allows you to edit the selected folder name.

Delete Folder - Deletes the selected folder.

Reset Subfolders - Resets permissions on the subfolders of the selected folder.

Encrypt Contents - Encrypts the contents of the selected folder (and allows you to specify whether to also encrypt subfolders).


• In the right pane, you add and remove users and permissions groups and set their permissions. (The default groups are displayed automatically.)

• The bottom toolbar provides options to create a new virtual or physical folder, and to remove a selected folder.

For details of using the Virtual File System, see the topics below.

The Virtual File System

Introduction to the Virtual File System (VFS)

Modifying VFS Permission

Permission Groups

Setting VFS Folder Permissions

Resetting VFS Folder Permissions

Streaming Repository Encryption

Status Tab of the Administration Interface

The Status tab contains nodes for each Server Group, Server, Site, AS2 transactions, and each logged-in user. If you expand the Site node, you can view the connection status for the Site, users, and for AS2 transactions. You can also view transfers to and from an EFT Site. Refer to Viewing Transfers To and From the Site for details.

• The Server node on the Status tab of the administration interface is used to view the status of the selected server, and the status of the node.


• The Site node on the Status tab of the administration interface is used to view the status of the Site and logged-in users, including transfers, when EFT was started, number of users connected, and so on. You can also forcibly disconnect FTP/SFTP users from the Site on this tab.


• The Transfers - AS2 node is used to view the status of attempted AS2 transactions. For details of viewing AS2 transaction history, refer to AS2 Transaction Auditing and Monitoring.


• The Transfers - as Server and Transfers - as Client nodes are used to view transfers on the Site. (Client transfers available on Enterprise only.)

Related Topics

Server Statistics

Monitoring User Connections

Forcibly Logging a User Off of EFT

AS2 Transaction Auditing and Monitoring

Resubmitting AS2 Transmissions

Viewing Transfers To and From the Site

Site Tabs

When you click a Site node on the Server tab, tabs appear in the right pane on which you can configure connections to the Sites.

General Tab of a Site

The General tab is used to change the Site's user authentication settings, view Site statistics, and stop/start the Site.


Refer to the topics below for details.

Changing a Site's Root Folder

Changing the User Database Refresh Rate for a Site

Configuring Windows NT Authentication Options

Changing and Testing LDAP Authentication Options

Configuring ODBC Authentication Options

Configuring RSA SecurID or RADIUS Support on an Existing Site

RADIUS for User Authentication (Available in EFT Enterprise only)

CAC for User Authentication

Starting and Stopping a Site

Viewing Site Statistics


Connections Tab of a Site

The Connections tab of a Site is used to specify listener settings, transport protocols, the SSL certificate for the Site, connection limits, the IP address access/ban list, Denial of Service (DoS) settings, and for enabling Web Services and/or the account management page.

Refer to the topics below for more information.

Listener Settings

Network Usage Settings

Configuring FTP Transfers on the Site

Site-Level Blocking and Timeout Settings

Modifying Site Messages

Multi-Part Transfers

SFTP

Configuring HTTP or HTTPS Transfers on the Site

Redirecting HTTP to HTTPS

SSL

Configuring the AS2 Module

Network Usage and Security Settings


Enabling the Mobile Transfer Client

Enabling and Using Web Services

Enabling User Access to the Web Transfer Client

Security Tab of a Site

The Security tab of the Site node is used to specify password security, account security, and data security settings.

Refer to the topics below for details.

Disabling or Locking out an Account after Invalid Password Use

Banning an IP Address that Uses an Invalid Account

E-mailing Users' Login Credentials

Account Security Settings

Data Security Settings

Using Login Credentials in Event Rules


Workspaces Tab of a Site

The Workspaces tab of a Site is used to enable and configure the Workspaces in EFT.

Workspaces does not support third-party invites on AD/LDAP sites. For AD-authenticated Sites, the "allow sharing with existing users only" option is unavailable.

Related Topics

Workspaces in the VFS

Sharing Folders

Workspaces

Workspaces Activity Report

Settings Templates Tabs

The Settings Template tabs are used to specify connection settings that apply to all user accounts in the Settings Template. Settings on these tabs are inherited by the user accounts; however, you can override these settings in the user account.


General Tab of the Settings Template

The General tab of a Settings Template node is used to enable the Settings Template, set the Settings Template as the default, specify the home folder and home folder options, and set a disk quota for each user's home folder. The settings apply to all users assigned to the Settings Template. To apply settings to a specific user, refer to General Tab of a User Node.

Refer to the topics below for details of this tab.

Enabling or Disabling a Settings Template or User

Specifying a User's Home Folder

Configuring User Disk Quotas


Connections Tab of the Settings Template

The Connections tab of a Settings Template is used to enable the users in the Settings Template to connect over certain protocols, including using the Web Transfer Client for HTTP/S connections. These settings apply to all user accounts assigned to the selected Settings Template. To apply these settings to a specific user, refer to Connections Tab of a User Node.

Refer to the topics below for details of this tab.

Listener (Protocol) Settings

Enabling User Access to the Web Transfer Client

File Integrity Checking (XCRC)

Accelerating Transfers with MODE Z

Allowing or Disallowing the NOOP Command

Configuring the FTP Connection Banner

Configuring SFTP Authentication Options for Settings Templates and Users

SSL Certificate-Based Login

Configuring AS2 Partners

Setting Maximum Transfers per Session

Setting Maximum Transfer Size

Disconnecting Users on Timeout

Setting Maximum Transfer Speeds

Setting Maximum Connections

Setting Maximum Connections per IP

Configuring User Disk Quotas


Security Tab of the Settings Template

The Security tab is used to specify password and account security settings for all users assigned to the Settings Template. The "link" icons next to the check boxes indicate that the setting is inherited from the Site.

Refer to the topics below for details of this tab.

Disabling or Locking out an Account after Invalid Password Use

Enforcing Strong (Complex) Passwords

Expiring Passwords for a User

Expiring a User Account

Forcing Password Reset

Reminding Users when Password is About to Expire

Password Reuse (History)

Deleting or Disabling Inactive User Accounts

Enabling or Disabling a Settings Template

User Tabs

The tabs for a user account are used to specify connection settings that apply only to the selected user account. Settings on these tabs are inherited from the Settings Template, which inherits its settings from the Site; however, you can override these settings on the user tabs.

General Tab of a User Node

The General tab of a user node is used to enable the user account, expire the account on a specific date, specify the home folder and home folder options, set a disk quota for the user's home folder, and view the user's statistics. The "link" icons next to the check boxes indicate that the setting is inherited from the Settings Template. The settings apply only to the selected user. To apply the settings to multiple users, refer to General Tab of a Settings Template.


Related Topics

Enabling or Disabling a User Account

Expiring a User Account

Specifying a User's Home Folder

Configuring User Account Details

Changing a User's Password

Setting the Home Folder for AD-Authenticated Users

Configuring User Disk Quotas

Viewing Statistics of a User Account

Forcibly Logging a User Off EFT

If Users are Unable to Upload or Download to Home Directory


Connections Tab (User Node)

The Connections tab of a user node is used to override the settings in the Settings Template, to connect over certain protocols, including using the Web Transfer Client for HTTP/S connections. You can also configure the user's settings for an AS2 partner account. You can configure the partner manually on this tab or using the AS2 Configuration Wizard.

These settings apply to the selected user. The "link" icons next to the check boxes indicate that the setting is inherited from its Settings Template. The grayed/dimmed settings indicate that the setting is disabled in the Settings Template or Site.

Refer to the topics below for details of this tab.

Listener (Protocol) Settings

Enabling User Access to the Web Transfer Client

File Integrity Checking (XCRC)

Accelerating Transfers with MODE Z

Allowing or Disallowing the NOOP Command

Connection Banner Message

Configuring SFTP Authentication Options for Settings Templates and Users

SSL Certificate-Based Login

Configuring AS2 Partners

Setting Maximum Transfers per Session

Setting Maximum Transfer Size

Disconnecting Users on Timeout

Setting Maximum Transfer Speeds

Setting Maximum Connections

Setting Maximum Connections per IP


Configuring User Disk Quotas

Configuring AS2 Inbound Parameters

Configuring AS2 Outbound Parameters

Security Tab (User)

The Security tab for a user account is used to specify password and account security settings and specify the user's Group memberships. These settings apply only to the selected user account. To apply these settings to all users in a Settings Template, refer to Security Tab of a Settings Template. The "link" icons next to the check boxes indicate that the setting is inherited from the Settings Template. The grayed/dimmed settings indicate that the setting is disabled in the Settings Template or Site.

Refer to the topics below for details of this tab.

Disabling or Locking out an Account after Invalid Password Use

Enforcing Complex Passwords

Allowing or Forcing Password Reset

Expiring Passwords for a User

Deleting or Disabling Inactive User Accounts

Password Reuse (History)

Removing or Disabling Inactive User Accounts


User Icons

The user accounts defined on a Site are displayed in the Server pane > Site tree > Settings Template node, under the assigned Settings Template. The icon displayed for each account provides some indication of the status of the account, as described in the table below.

Icon Description

Settings Template without RSA SecurID or RADIUS

Settings Template with RSA SecurID or RADIUS (small gold key next to blue wheel)

Enabled user account without RSA SecurID or RADIUS, e-mail address defined

Enabled user account with RSA SecurID or RADIUS (small gold key next to user icon)

Enabled user account without RSA SecurID or RADIUS, but missing an e-mail address (blue circle with white letter i on top of the user icon)

Disabled user account with RSA SecurID or RADIUS (small red circle with white x on top of user icon and gray key next to user icon)

Disabled user account without RSA SecurID or RADIUS (small red circle with white x on top of user icon)

(RADIUS/RSA available in EFT Enterprise only.)

Status Bar

The Status bar is displayed across the bottom of the administration interface to indicate whether you are connected to EFT, the date and time EFT started, and how many clients (users) are connected to EFT via FTP.

"Ready" appears in the lower left area of the Status bar when the application is idle (i.e., no Windows messages are being processed at the time). If the interface is busy processing information, the "Ready" area of the Status bar can be blank.

Keyboard Shortcuts

You can use the common Windows keyboard shortcuts in the EFT administration interface (e.g., CTRL+C to copy, CTRL+V to paste, ALT+underlined letter in menu to open the submenu). Microsoft Knowledge Base article #126449, http://support.microsoft.com/kb/126449, describes each of the keyboard shortcuts that are available in Windows. As in any Windows-compatible application, a button or menu text with an underlined letter has a shortcut key associated with that letter. In addition to the standard Windows keyboard shortcuts, there are several keyboard shortcuts available in the administration interface. Refer to Main Menu and Toolbar for a table of shortcuts.

Administration Interface Session Timeout

EFT incorporates an internal 15-minute timeout for administration interface connections to high security-enabled Sites. On Sites defined using "strict security settings," if no activity (such as OnMouseClick) occurs after 10 minutes of inactivity, a warning message and countdown timer appear; after 15 minutes, the administrator account is disconnected from EFT. The timer resets if you click Continue; if no activity occurs, the timer expires, and the administration interface disconnects from EFT. Any non-committed changes are discarded.

The timer resets if you click Cancel; otherwise, if no activity occurs, the timer expires, and the interface disconnects from EFT. Any non-committed changes are discarded.

This is different from the Enable Timeout value set for the user and Settings Template.


Server Configuration and Administration

To change the timeout

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure, and then click the Administration tab.

3. Click an EFT-managed administrator account, and then click Account Policy. The Account Security Settings dialog box appears.

4. Select the Disconnect admin accounts after check box, then specify the minutes of inactivity you need. The timeout is off by default for non-high security enabled Sites. Changing the timeout to more than 15 minutes violates PCI DSS, so you will need to document the reason/compensating control if you have a high-security-enabled Site.

Closing the Administration Interface

The administration interface will automatically close your connection after 15 minutes of inactivity, but the EFT service continues to run in the background. A warning message and countdown timer appear 5 minutes before the connection times out.

When you manually close the administration interface, you can configure an Exit Administrator confirmation prompt. You can turn this prompt off for future exits from within the prompt or in the Server Global Settings dialog box.


EFT v7.2 User Guide

To close the administration interface

1. Do one of the following:

• In the upper right corner of the administration interface, click the X.

• On the main menu, click File > Exit Administrator.

The Exit Administrator dialog box appears.

2. If you do not want the Exit Administrator dialog box to appear when you close the interface, select the Don't show this prompt again check box; otherwise, leave it selected.

3. Click OK. The administration interface closes.

4. To turn the prompt back on, refer to the procedure below.

Configuring Exit Prompts

In the Server Global Settings dialog box, you can specify whether you are prompted when you close the administration interface.

To configure login or exit prompts

1. On the main menu, click Edit > Global Settings. The Server Global Settings dialog box appears.

2. The Prompt on administrator exit check box is cleared by default. If you want a message to appear when you close the interface explaining that the EFT service does not stop after the administration interface is closed, select the Prompt on administrator exit check box.

3. Click OK.


Server Configuration and Administration

The topics below describe creating Server Groups, configuring the Server, preparing the Server for connections, creating administrators, and administering the server.

Configuring Server Administrators

These topics provide information regarding creating and managing EFT administrators in the administration interface.

Delegated Administration

EFT allows you to assign sub-administrator accounts that have a very specific subset of permissions for managing EFT, COM, Site(s), Settings Templates, user accounts, user passwords, and reports.

Permissions are assigned to sub-administrators via a series of controls on the server's Administration tab. For example, suppose you want to give your help-desk people the ability to create user accounts on EFT, but you are worried that the help desk might accidentally make changes to EFT in the process of creating these accounts. Furthermore, you do not want the help-desk people to manage user accounts that belong to the engineering and marketing groups. Delegated administration allows you to create one or more sub-administrator accounts that have access ONLY to user account management. Using templates to house marketing, engineering, and other department accounts, you can further limit the sub-administrators to only those accounts for departments that they are authorized to manage. Also, each of the sub-accounts can be allowed or denied access to COM and/or Auditing and Reporting.


The available sub-administrator account types include:

• Server Admin - Can create, modify, or remove administrator accounts, and can manage Sites, Settings Templates, and user accounts.

• Site Admin - Can manage everything for a specific Site and the Settings Templates on the Site, and can change user passwords, but does not have control over EFT. The Site administrator cannot click the Server node nor access any of the node's tabs; stop/start the Globalscape Server service from within the administration interface; create, remove, or rename Sites, Servers, or Server Groups; access or modify EFT global or applet settings; close the Server engine; or stop/start any Site other than those assigned to the Site administrator.

• Event Rule Admin - (EFT Enterprise only) Similar to Site Admin, but more restrictive. Cannot manage Groups, Settings Templates, Transfer Activity, or the Gateway tab. The Event Rule Admin can view and manipulate within Event Rules the VFS, HA nodes for load balancing, address book, OpenPGP keys, Report names, users, Settings Template names, Group names, Backup, Content Integrity profile names, AS2 profile names, calendar names, Email Actions, and context variables. The Event Rule admin must be given explicit permission to manage Event Rules and Connection Profiles; the default is all permissions.

• Template Settings Admin - (EFT Enterprise only) Has full control over the accounts assigned to that Settings Template, including the ability to view, add, remove, and modify user accounts and group assignment; can change all Settings Template settings, except for the VFS root path for assigned Settings Templates; can see the entire VFS tree, but can only modify the parts of the VFS that belong to root folders that belong to the Settings Template to which the account is assigned; can access the General tab on EFT to view statistics; can kick and monitor users. They cannot access the Reports tab unless specifically allowed; cannot select the Site, Server, or Server Group nodes, nor view the corresponding tabs; cannot access Server settings, nor any Settings Template not assigned to their account. They can access the OpenPGP, SFTP, and SSL key manager, and create, import, export, and add keys and certificates. They cannot delete keys or certificates.

  o A Template Settings administrator is not permitted to change the Settings Template home (root) folder that was assigned by the Site or Server administrator.

  o A Template Settings administrator is not permitted to change the value of the "Treat home folder as user's default root folder" setting.

  o When creating or modifying users, the Template Settings administrator cannot browse or manually designate paths relative to the Settings Template root folder.

  o A Template Settings administrator can delete users and, consequently, the user's home and sub-folders, as long as the user belongs to a template assigned to that administrator, and that user's root folder is subordinate to the Settings Template root folder.

• User Admin - (EFT Enterprise only) Has all the privileges of the Change Password administrator, but can also create new users. The User administrator is not allowed to see or edit users' settings or Template settings, and is limited to changing passwords, disabling users, or creating more users. User Admins can unlock user accounts.

• Change Passwords Admin - (EFT Enterprise only) Can enable/disable users and change passwords for users in their specified Settings Template(s), but cannot add nor remove users, manage other Settings Template(s), manage Sites, nor control EFT. When a Change User Password administrator logs in to EFT, only the view below is available.

All administrator accounts are treated equally with respect to password expiration, reset, and removal of inactive accounts.
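The last Template Settings Admin rule above (a user may be deleted only if the user belongs to an assigned Settings Template and the user's root folder is subordinate to that template's root folder) is the kind of check that goes wrong when paths are compared as strings. The following is an added example, not GlobalSCAPE code, that models that rule; the class names, the help-desk administrator and the sample accounts are constructed for the illustration. Windows path semantics are used because EFT runs on Windows, so `..` segments are collapsed before the comparison and drive letters and case are handled the way NTFS does.

```python
"""Added example, not GlobalSCAPE code: an authorization check modelling the
Template Settings administrator deletion rule. A user may be deleted only if
the user belongs to a Settings Template assigned to the administrator AND the
user's root folder lies beneath that Settings Template's root folder. Names
and sample data are constructed for this illustration."""
import ntpath  # Windows path rules on any host; EFT runs on Windows
from dataclasses import dataclass, field


@dataclass
class SettingsTemplate:
    name: str
    root_folder: str


@dataclass
class User:
    name: str
    template: str          # Settings Template the user belongs to
    root_folder: str


@dataclass
class Administrator:
    name: str
    role: str              # "Server Admin", "Site Admin", "Template Settings Admin", ...
    assigned_templates: set = field(default_factory=set)


def is_subordinate(child: str, parent: str) -> bool:
    """True if child is parent or lies beneath it. '..' segments are collapsed
    first, so a path that climbs out of the template root is rejected, and the
    comparison is case-insensitive, as on an NTFS volume."""
    child_n = ntpath.normpath(child)
    parent_n = ntpath.normpath(parent)
    try:
        common = ntpath.commonpath([child_n, parent_n])
    except ValueError:     # different drives, or absolute mixed with relative
        return False
    return ntpath.normcase(common) == ntpath.normcase(parent_n)


def can_delete_user(admin: Administrator, user: User, templates: dict) -> bool:
    """Server and Site admins manage users Site-wide (Site scoping is not
    modelled here); any other role is denied unless the Template Settings
    rule is satisfied."""
    if admin.role in ("Server Admin", "Site Admin"):
        return True
    if admin.role != "Template Settings Admin":
        return False
    if user.template not in admin.assigned_templates:
        return False
    template = templates.get(user.template)
    return template is not None and is_subordinate(user.root_folder, template.root_folder)


# Constructed sample data for the scenario in the text: a help-desk
# administrator who may manage only the Engineering accounts.
TEMPLATES = {
    "Engineering": SettingsTemplate("Engineering", r"C:\EFT\Site1\Usr\Engineering"),
    "Marketing": SettingsTemplate("Marketing", r"C:\EFT\Site1\Usr\Marketing"),
}
HELPDESK = Administrator("eng-helpdesk", "Template Settings Admin", {"Engineering"})
ALICE = User("alice", "Engineering", r"C:\EFT\Site1\Usr\Engineering\alice")
BOB = User("bob", "Marketing", r"C:\EFT\Site1\Usr\Marketing\bob")
# Belongs to Engineering, but the root folder escapes the template root via '..'
MALLORY = User("mallory", "Engineering", r"C:\EFT\Site1\Usr\Engineering\..\Marketing\mallory")


def demo() -> dict:
    """Which of the sample users the help-desk administrator may delete."""
    return {u.name: can_delete_user(HELPDESK, u, TEMPLATES) for u in (ALICE, BOB, MALLORY)}


if __name__ == "__main__":
    print(demo())
```

The `..` case is the one worth noting: a naive `startswith` check on the raw string would accept `mallory`, because the string does begin with the template root, while the normalized path lands in Marketing.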

127

EFT v7.2 User Guide

Administrator Permission Matrix

The table below provides details of available permissions for each delegated administrator account. The Reports and COM check boxes are selected by default. Clear the check boxes if you do not want to allow that access to an account. Server Admin, Site Admin, and Event Rules Admin are available in EFT and EFT Enterprise; Template Settings Admin, User Admin, and Change Passwords Admin are available in EFT Enterprise only.

Feature | Server Admin | Site Admin | Event Rules Admin | Template Settings Admin | User Admin | Change Passwords Admin

View/create/import reports and view Reports tab | Yes, if Reports check box is selected | Yes, if Reports check box is selected | Yes, if Reports check box is selected | Yes, if Reports check box is selected | Yes, if Reports check box is selected | Yes, if Reports check box is selected

Programmatic access via COM API | Yes, if COM check box is selected | Yes, if COM check box is selected | Yes, if COM check box is selected | Yes, if COM check box is selected | Yes, if COM check box is selected | Yes, if COM check box is selected

Add/delete/edit Server Groups | Yes | No | No | No | No | No

View Server node | Yes | No | No | No | No | No

Add/delete/edit Servers | Yes | No | No | No | No | No

Stop/start/modify Server service | Yes | No | No | No | No | No

View Server statistics (General tab) | Yes | No | No | No | No | No

Access the PGP, SFTP, and SSL key manager, and create, import, export, and add keys and certificates | Yes | Yes | Yes, within Event Rules | Yes | No | No

Delete keys or certificates | Yes | No | Yes, within Event Rules | No | No | No

View Status tab | Yes | Yes | Yes | Yes | No | No

Add/Delete/Edit Sites | Yes | No | No | No | No | No

View Site node | Yes | Yes | Yes | No | No | No

Stop/Start Sites | Yes | Yes, for the assigned Site(s) | No | No | No | No

Add/delete/edit administrator accounts (including change passwords) | Yes | No | No | No | No | No

Add/delete/edit Settings Templates | Yes | Yes | No | No | No | No

View Settings Templates node | Yes | Yes | Yes | No, just the assigned Settings Template | No | No

Enable/Disable users | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | Yes | Yes

Unlock a user account that was locked from too many incorrect login attempts | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | Yes | Yes

Change user passwords | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | Yes | Yes

Add users | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | Yes | No

Delete users | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | No | No

View/change users' settings | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | No | No

Kick and monitor users | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | No | No

View VFS tab | Yes | Yes | (not recoverable from this copy of the table) | Yes | No | No

Modify VFS tree | Yes | Yes, for the assigned Site(s) | No | Yes, for the assigned Settings Template(s) | No | No

Change VFS root path for assigned Settings Templates | Yes | Yes, for the assigned Site(s) | No | No | No | No

View Groups node | Yes | Yes | No | No | No | No

View/modify Group assignments | Yes | Yes, for the assigned Site(s) | Yes | Yes, for the assigned Settings Template(s) | No | No

View Commands node | Yes | Yes, for the assigned Site(s) | Yes | No | No | No

View Advanced Workflows node | Yes | Yes, for the assigned Site(s) | Yes | No | No | No

View Event Rules node | Yes | Yes, for the assigned Site(s) | Yes | No | No | No

View Gateway node | Yes | Yes, for the assigned Site(s) | Yes | No | No | No


Active Directory-Based Administration

(Requires the High Security Module.) In addition to, or instead of, EFT-managed administrator accounts, administrator users can authenticate via Active Directory (AD). For remote connections, the connecting account must have access to the computer on which EFT is installed.

Password complexity, expiration, and so on for AD accounts are managed by the AD server rather than by EFT.

You can add Active Directory users and groups as administrator accounts and the user or group appears in the Admin account names list on the Server's Administration tab. If a user account is added to EFT only as a part of a group, the user assumes the permissions of its group. If the user is a member of multiple defined groups, the permission (role) and assignment(s) allocated to the group that provides the most privileges are assigned to that user.

Once you have registered the High Security Module, you are allowed to delete EFT-managed administrator accounts and use AD-provisioned administrator accounts exclusively, if desired.

• Refer to Local Computer Administrators Group for more information about accessing EFT using the administrator credentials for the local computer.

• Refer to Adding Server Administrators for details of creating an EFT administrator account that uses AD-based authentication.

Local Computer Administrators Group

For new installations (not upgrades), EFT (both editions) queries the computer's local administrators group, adds that group to EFT's administrator account name list as one local administrator group object, and assigns the administrator group object Server-level permissions. The Local computer\Administrators group object allows you to log in to EFT using the administrator credentials for the local computer. You cannot change the group's permissions when you are logged in as a user in that group.


• Refer to Active Directory-Based Administration for more information about accessing EFT using Active Directory accounts.

• Refer to Adding Server Administrators for details of creating an EFT administrator account that uses AD-based authentication.

Adding Server Administrators

The main EFT administrator account is created when you install EFT. That account can log in and create other administrators with varying permissions. (Refer to Delegated Administration for details of the varying permissions.) You can give other users and groups access to the administrative functions of EFT by creating an administration account for them in the EFT administration interface. For security and for compliance with the PCI DSS, you should not create more than one administrator with full control over EFT. (You cannot edit the settings for your own account.)

To create an administrator account

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node to which you want to add an administrator account.

3. In the right pane, click the Administration tab.

4. In the Administrator Access and Permissions area, click Add. The Create Administrator Account dialog box appears.


5. Specify either Windows Authentication or EFT Authentication. (Windows Authentication is available in EFT Enterprise.)

• If you choose EFT Authentication, specify the account details:

a. Define a user name for the account.

b. Define and confirm a password for the account or click Generate to generate a strong password. Passwords are case-sensitive; the username and password fields each cannot exceed 1024 characters. If the Password and Confirm boxes do not match, the OK button is disabled. Retype the passwords.

6. If you choose Windows Authentication, click Browse to specify the User or group. The Select User or Group dialog box appears.

a. To expand the dialog box, click Advanced.

b. To specify the type of object to search for (User or Group), click Object Types. The Object Types dialog box appears.

c. By default, both groups and users are searched. To search only groups, clear the Users check box; to search only users, clear the Group check box, and then click OK.

d. Click Locations to specify a network address to search. The Locations dialog box appears with available locations displayed. Click a location, and then click OK.

e. In the Select User or Group dialog box, use the Common Queries area to search for a specific user or group.

f. After you have specified your search criteria, click Find Now. The search results appear.

g. Click the user or group that you want to use for this account, and then click OK. The user or group appears in the Create Administrator Account dialog box.

h. Click OK.

AD accounts that are part of the local computer's Administrators group will not appear when browsing the "local computer" because these accounts are AD accounts, not local. AD accounts will appear when browsing the "AD" scope.

You can select AD accounts when performing remote administration as long as the administration interface and EFT are in the same domain or working across trusted domains.

The new user appears in the Admin account names box.

7. Click the Selected account permissions policy box, then specify the functions this account can control. (Refer to Delegated Administration for details of each type.)

8. If you specified that the account is a Site Admin, Template Settings Admin, Change Password Admin, or User Admin, the assignment dialog box appears.


9. Specify one or more items in the Available box, then double-click the selection or click Add, then click OK. The assignment appears in the Assigned to list.

Password Policy and Account Policy options apply to all EFT-managed administrator accounts defined on this Server. The Selected account permissions policy (Site Admin, User Admin, etc.) and Optional permissions (Reports and COM) apply only to the account selected.

10. Click Apply to save the changes on the Server.

Enforcing Complex Passwords for Administrator Accounts

When you create or edit EFT-managed administrator accounts, you can specify that all administrator accounts be required to adhere to certain password complexity rules.

To set complexity settings for administrator accounts

1. Refer to Adding EFT Administrators or Changing an Administrator Password or Access Rights for the procedures for creating or changing an administrator account.

2. In the administration interface, connect to EFT and click the Server tab.

3. On the Server tab, click the Server node to which you want to add an administrator account.

4. In the right pane, click the Administration tab.

5. Click an EFT-managed administrator account, then click Password Policy. The Password Security Settings dialog box appears.


6. Select the Enforce strong (complex) passwords check box to ensure that when any administrator creates or changes a password for any administrator account, password complexity is enforced.


7. To specify password complexity settings, click Advanced. The Password Complexity Settings dialog box appears.

Field | Default | Min/Max Values

Minimum password length - Specify the minimum number of characters that must be in the password | 8 | 6 - 99

Character categories - The password must contain characters from at least N of the following categories: Uppercase; Lowercase; Numeric (0-9); Non alpha-numeric (e.g., !, #, $, %); Unicode (UTF-8) | 3 | 2 categories, up to the maximum number of categories

Must not contain N or more characters from the user name | 3 | 2 characters, up to maximum password length

Must not contain N or more repeating characters | 3 | 2 characters, up to maximum password length

Must not consist solely of a word in the following Dictionary file (Click the ellipsis icon to select a file.) | on | n/a

Must not be a dictionary word backwards | off | n/a

9. In the Minimum password length box, specify the minimum number of characters the password must contain. The default is 8 characters.

10. In the Must contain at least box, specify the number of characters from the following categories: Uppercase, Lowercase, Numeric (0-9), Non-alphanumeric (e.g., !, #, $, %), and Unicode.

Select the check boxes for the applicable characters. (Certain non-alphanumeric characters might not be available when using a mix of English and non-English language settings and keyboards.)

11. In the Must not contain boxes, select the check boxes and specify the number of characters from the user name and/or number of repeating characters the password must not contain.


12. In the Dictionary area, select the Must not solely consist of a word in the following dictionary check box, then specify the dictionary file. A default dictionary file is provided in the EFT installation directory.

13. Select the Must not be dictionary word backwards check box to ensure the password is not a word in the dictionary file spelled backward.

14. Click OK to close the Password Complexity Settings dialog box.

15. Click OK to close the Password Security Settings dialog box.

16. Click Apply to save the changes on EFT.

If anyone tries to change a strong administrator password to a password that does not meet the specifications in the Password Complexity Settings dialog box, an error message appears.

Changing an Administrator Password

Anyone with Server Admin rights can modify administrator accounts.

If you have only one server administrator account and you have forgotten the password, refer to Resetting the EFT Administrator Password.

To modify an administrator account

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node on which the administrator account is defined.

3. In the right pane, click the Administration tab.

4. In the Admin Account Names list, click the account that you want to change.

5. Click Change Password. The Change Administrator Password Account dialog box appears.

6. Define and confirm a password for the account or click Generate to generate a strong password. (If you click Generate, the password is visible in this dialog box.)


Passwords are case-sensitive and can contain up to 1024 characters.

7. Click Apply to save the changes on EFT.

• To change the delegate options, refer to Adding Server Administrators.

• To change password security settings, refer to Enforcing Complex Passwords for Administrator Accounts, Enforcing Password Reset for Administrator Accounts, and Expiring Administrator Passwords.

• To change account security settings, refer to Removing Inactive Administrator Accounts and Locking Out an Administrator Account.


Administrator Account's Access Rights

Anyone with Server Admin rights can modify other administrator accounts.

If you have only one server administrator account and you have forgotten the password, refer to Resetting the EFT Administrator Password.

To modify an administrator account

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node on which the administrator account is defined.

3. In the right pane, click the Administration tab.

4. In the Admin Account Names list, click the account that you want to change.

• To change the delegate options, refer to Adding Server Administrators.

• To change account security settings, refer to Deleting Inactive Administrator Accounts and Locking Out an Administrator Account.

5. Click Apply to save the changes on EFT.

Enforcing Password History for Administrators

You can enable EFT to remember the previous passwords of administrator accounts so that administrators must create unique passwords.

To configure administrator accounts to enforce password history

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the Administration tab.

4. Click an EFT-managed administrator account, and then click Password Policy. The Password Security Settings dialog box appears.

5. Select the Enforce password history check box, then specify the number of passwords to remember. The default is 4.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.
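The Password Complexity Settings described under Enforcing Complex Passwords for Administrator Accounts and the Enforce password history setting above are easier to reason about as one validation routine. The following is an added example, not GlobalSCAPE code: a policy class whose defaults follow the tables in the text (8 characters, 3 of 5 character categories, 3 user-name characters, 3 repeating characters, 4 remembered passwords). The dictionary words and sample passwords are constructed; how EFT stores its own password history is not documented on this page, so salted PBKDF2-SHA256 digests are used as a stand-in.

```python
"""Added example, not GlobalSCAPE code: a checker modelling the administrator
password rules on this page (minimum length, character categories, user-name
fragments, repeated characters, dictionary words forwards and backwards,
and password history). Defaults follow the text; sample data is constructed."""
import hashlib
import os
import re
from dataclasses import dataclass


def _categories(pw: str) -> set:
    """The five categories listed in the text: Uppercase, Lowercase,
    Numeric, Non alpha-numeric, Unicode (non-ASCII)."""
    found = set()
    for c in pw:
        if ord(c) > 127:
            found.add("unicode")
        elif c.isupper():
            found.add("upper")
        elif c.islower():
            found.add("lower")
        elif c.isdigit():
            found.add("numeric")
        else:
            found.add("symbol")
    return found


def hash_password(pw: str, salt: bytes = None) -> str:
    """'salt:digest' in hex; a fresh 16-byte salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def matches(pw: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":", 1)
    return hash_password(pw, bytes.fromhex(salt_hex)) == stored


@dataclass
class PasswordPolicy:
    min_length: int = 8                   # allowed range 6 - 99
    categories_required: int = 3          # 2 up to all 5 categories
    username_run: int = 3                 # N or more consecutive user-name characters
    repeat_run: int = 3                   # N or more identical characters in a row
    dictionary: frozenset = frozenset()   # stand-in for the dictionary file
    reject_reversed: bool = False         # "Must not be a dictionary word backwards"
    history_size: int = 4                 # Enforce password history default

    def violations(self, username: str, pw: str, history: list) -> list:
        """Names of the rules the candidate breaks; an empty list means accepted."""
        problems = []
        if len(pw) < self.min_length:
            problems.append("min_length")
        if len(_categories(pw)) < self.categories_required:
            problems.append("categories")
        low_pw, low_user = pw.lower(), username.lower()
        n = self.username_run
        if any(low_user[i:i + n] in low_pw for i in range(len(low_user) - n + 1)):
            problems.append("username")
        if re.search(r"(.)\1{%d,}" % (self.repeat_run - 1), pw):
            problems.append("repeat")
        if low_pw in self.dictionary:
            problems.append("dictionary")
        if self.reject_reversed and low_pw[::-1] in self.dictionary:
            problems.append("dictionary_reversed")
        if any(matches(pw, h) for h in history[-self.history_size:]):
            problems.append("history")
        return problems

    def accept(self, username: str, pw: str, history: list) -> list:
        """Validate, then record the new digest, keeping only history_size entries."""
        if self.violations(username, pw, history):
            raise ValueError("password rejected")
        history.append(hash_password(pw))
        del history[:-self.history_size]
        return history


if __name__ == "__main__":
    policy = PasswordPolicy(dictionary=frozenset({"password", "welcome"}), reject_reversed=True)
    print(policy.violations("admin", "Admin!!!2024", []))   # user-name fragment and a repeat run
```

Two details matter in practice: the user-name check is case-insensitive (otherwise "ADMin" slips past a rule meant to catch "admin"), and history is checked against salted digests rather than plaintext, so the history store itself is not a list of old administrator passwords.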


Enforcing Password Reset for Administrator Accounts

EFT provides the option to force administrators to change their password on log in. On Sites defined using the "strict security settings," users are forced to change their passwords on first use.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the reset page.

After the user creates a new password, they are returned to the index page.

To configure administrator accounts to enforce password reset

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the Administration tab.

4. Click an EFT-managed administrator account, then click Password Policy. The Password Security Settings dialog box appears.

5. Select the Admin must reset their password after first login check box. Administrators are prompted to change their password when they log in to the Site.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. The administrator is not allowed to proceed with the session until a password is created and accepted by the system. If the password is not accepted by the system:

• In HTTPS and SFTP, the authentication request will be denied.

• In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.

For high security-enabled (strict security) Sites:

• PCI DSS requirements state that you should set first-time passwords to a unique value for each user and force users to change their password immediately after the first use.

• A warning appears if you clear the Admin must reset their password after first login check box. If an administrator logs in using a temporary password, a warning appears to prompt the administrator to supply a new password.

EFT cannot ask FTP users to change their password prior to logging in and identifying themselves. EFT allows them to log in (authenticate), but then prevents any further interaction until they change their password.

Refer to Using the High Security Module with the Secure Ad Hoc Transfer Module if you are using a high security-enabled Site.


Expiring Administrator Passwords

The HSM allows you to expire administrator passwords. If you do not activate the module, this feature is disabled after the 30-day trial expires.

If Expire Passwords is enabled and a user logs in with an administrator account with a temporary password, EFT prompts the user to supply a new password. Each day it also checks whether passwords are <n> days from expiration, and those passwords are flagged for reminders, if reminders are enabled.

All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.

To expire administrator account passwords

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the Administration tab.

4. Click an EFT-managed administrator account, then click Password Policy. The Password Security Settings dialog box appears.

5. To specify the number of days after which to disable or remove administrator accounts, select the Expire passwords check box, then type or use the arrows to specify the number of days. The default is 90 days.

If you make any changes to the password settings, when you click Apply to push the changes to EFT, the counter is reset. For example, if you set it for 90 days, then go back 89 days later and specify a different dictionary file, when you click OK then Apply, the administrator accounts will not expire for 90 days.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Locking Out an Administrator Account

EFT can automatically lock out an administrator account after a specified number of incorrect login attempts over a specified time.

On a high security-enabled Site, if you clear the Lockout check box, increase the number of incorrect login attempts to more than 6 or set the attempt period to more than 5 minutes, a warning message appears.

Instruct administrators regarding the timeout setting, after which they can try to log in again. If they are unable to wait for the lockout to time out, use the procedure below to enable the account.


To disable or remove an account after a defined number of incorrect login attempts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure, and then click the Administration tab.

3. Click an EFT-managed administrator account, then click Account Policy. The Account Security Settings dialog box appears.

4. Select the Lockout admin accounts check box, then specify the length of time the account is to be locked out, the number of incorrect login attempts to count, and the period during which to count the attempts.

5. Click OK to close the dialog box.

6. Click Apply to save the changes on EFT.
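The three values set in step 4 (lockout duration, number of incorrect attempts, and the period over which to count them) interact in a way that is easy to get wrong, in particular the sliding attempt window and the fact that a correct password does not end a lockout. The following is an added example, not GlobalSCAPE code, that models that behaviour. The 6-attempt / 5-minute defaults are the high-security thresholds mentioned above; the 15-minute lockout duration and the account names are this example's own assumptions. Timestamps are passed in so the logic can be exercised without waiting.

```python
"""Added example, not GlobalSCAPE code: an account-lockout tracker modelling
the Account Security Settings on this page. An account is locked for
lockout_minutes once max_attempts failures occur inside a sliding
attempt_window_minutes period; unlock() mirrors clearing the Lockout check box.
Defaults other than 6 attempts in 5 minutes are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class LockoutTracker:
    def __init__(self, max_attempts=6, attempt_window_minutes=5, lockout_minutes=15):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=attempt_window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> datetime the lockout ends

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[account]       # lockout has expired; start fresh
        self._failures[account].clear()
        return False

    def record_failure(self, account: str, now: datetime) -> bool:
        """Register a failed login; True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        recent = self._failures[account]
        recent.append(now)
        cutoff = now - self.window
        while recent and recent[0] < cutoff:  # forget attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account: str, now: datetime) -> bool:
        """A correct password does not end a lockout; otherwise it clears the count."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True

    def unlock(self, account: str) -> None:
        """Administrator override, equivalent to the Lockout check box procedure."""
        self._locked_until.pop(account, None)
        self._failures[account].clear()


if __name__ == "__main__":
    t0 = datetime(2015, 12, 21, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    tracker = LockoutTracker()
    for i in range(6):
        locked = tracker.record_failure("admin", t0 + timedelta(seconds=10 * i))
    print("locked after 6 failures:", locked)
```

Because the count is per account and failures are timestamped, an attacker spacing attempts just outside the window is not locked out by this setting alone; the audit trail (Auditing and Reporting) is what reveals that pattern, which is why the text pairs lockout with the login-failure warnings described under Removing Inactive Administrator Accounts.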

To enable an account that has been locked out

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure, and then click the Administration tab.

3. Click the EFT-managed administrator account that is locked, and then click Account Policy. The Administrator Account Security dialog box appears.

4. Clear the Lockout check box.

5. Click OK to close the dialog box.

6. Click Apply to save the changes and enable the locked out account.

7. To resume account security, click Account Policy. The Administrator Account Security dialog box appears.

8. Select the Lockout check box.

9. Click OK to close the dialog box.

10. Click Apply to save the changes.

Removing Inactive Administrator Accounts

The HSM allows you to disable or remove user accounts; however, administrator accounts can only be removed, not disabled. If you do not activate the HSM, this feature is disabled after the 30-day trial period expires.

EFT executes cleanup procedures every day at 00:00:00 UTC and at service startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.


For Sites defined using the "strict security settings," EFT enables the option to disable or remove inactive accounts automatically, and warns if you attempt to disable that setting. The option to remove administrator accounts is enabled by default, unless during the setup process you choose not to enable this option. EFT prompts administrators when they log in, advising them of the potential removal of their account if their login failed due to an unknown login name. The removal of accounts is captured in the Auditing and Reporting database for reporting.

If a user attempts to log in remotely to EFT with an administrator username that does not exist or an incorrect password, a warning message appears in the administration interface.

To specify automatic deletion of inactive administrator accounts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure, and then click the Administration tab.

3. Click an EFT-managed administrator account, then click Account Policy. The Account Security Settings dialog box appears.

4. Select the Remove admin accounts after check box, then specify the number of days of inactivity after which to delete the account.

5. Click OK to close the dialog box.

6. Click Apply to save the changes on EFT.

A change in any date-sensitive value resets the calculations. For example, if this feature was configured for 60 days, and you change it to 90 days, the count resets to zero, so that any inactive account that has been inactive for 59 days and was set to be deleted tomorrow will now not be considered inactive until 90 days from today.

Resetting the EFT Administrator Password

If you have multiple EFT administrator accounts and need to reset one of them, refer to Changing an Administrator Password instead of the procedure below.

You can define multiple EFT administrator accounts in EFT, and any server administrator account can edit another. What do you do if you have only one server administrator account and you forget the password? You can reset it using the procedure below. However, you will lose all user- and group-specific settings. The user accounts and their folder structures will remain, but permissions and settings will be lost.

Be sure to back up any other files in the EFT installation folder that you will need, such as certificates. In EFT Enterprise, refer to Backing Up or Restoring Server Configuration. In EFT SMB, refer to Copying Server Configuration to Several Computers to back up EFT configuration manually.


EFT v7.2 User Guide

To reset the administrator username and password (if there are no other admin accounts from which to access EFT)

1. Stop the EFT service.

2. Navigate to the EFT installation folder (e.g., C:\ProgramData\Globalscape\EFT Enterprise).

3. The user accounts and folder structures are stored in one or more files with an .aud extension (e.g., MySite.aud). Copy these configuration files to a safe place for backup.

4. Using the Windows Add/Remove Programs utility, uninstall EFT.

5. Reinstall EFT.

6. Create a new administrator username and password.

7. Open the administration interface and log in with your new username and password.

8. Recreate your Site(s) with the EXACT same name(s) as you previously used. The Site name must match character for character.

9. Stop the EFT service.

10. Copy the .aud files that you saved in step 3 and paste them into the folder where you have installed EFT. Click Yes when asked if you want to overwrite the existing .aud files.

11. Restart the EFT service and log in. The individual groups and user accounts should be preserved; however, you must reassign permissions and settings.

Erasing EFT Configuration

If you want to completely remove EFT configuration (Servers, Sites, Settings Templates, and users), you can do so with the procedure below.

To erase EFT configuration

1. Stop the Server service.

2. Delete ftp.cfg and any ftp.bak files in the EFT installation directory (e.g., C:\ProgramData\Globalscape\EFT Enterprise).

3. Start the Server service.

4. Launch the administration interface and log in with the username and password used during installation of EFT.

5. Recreate your Sites, Settings Templates, and users (all are removed when you delete the ftp.cfg files).

Account Security Settings Dialog Box

The Account Security Settings dialog box is used to lock out an administrator account, unlock an administrator account, delete an inactive administrator account automatically (requires the HSM), and change the administration interface session timeout for a specific administrator account.

To open the Account Security Settings dialog box

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure, then click the Administration tab.

3. Click the administrator account name (except Local computer\Administrators), and then click Account Policy. The Account Security Settings dialog box appears.


4. Do one of the following:

• To lock out an account, select the Lockout admin accounts check box, then specify the length of time the account is to be locked out, the number of incorrect login attempts to count, and the period during which to count the attempts. To enable an account that has been locked out, clear the Lockout check box.

• To remove an inactive account automatically, select the Remove admin accounts after check box, then specify the number of days of inactivity after which to delete the account. (Requires the HSM.)

• To change the default administration interface session timeout for this administrator, select the Disconnect admin accounts after check box, then specify the minutes of inactivity that you need.

5. Click OK to close the dialog box.

6. Click Apply to save the changes on EFT.

A change in any date-sensitive value resets the calculations. For example, if this feature was configured for 60 days, and you change it to 90 days, the count resets to zero, so that any inactive account that has been inactive for 59 days and was set to be deleted tomorrow will now not be considered inactive until 90 days from today.
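The lockout and inactivity rules set in this dialog box, modelled as an added example that is not Globalscape code and does not describe how EFT implements them internally. The class and function names are my own; the inactivity model assumes the count runs from the later of the account's last login and the most recent policy change, which is the behaviour the 60-to-90-day note above describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed reference instant for the constructed scenarios below.
T0 = datetime(2015, 12, 1, tzinfo=timezone.utc)


def shift(days: int = 0, minutes: int = 0) -> datetime:
    """T0 plus an offset; keeps the scenarios readable."""
    return T0 + timedelta(days=days, minutes=minutes)


@dataclass
class LockoutPolicy:
    lockout_minutes: int   # length of time the account is locked out
    max_attempts: int      # incorrect login attempts to count
    window_minutes: int    # period during which the attempts are counted


@dataclass
class AdminAccount:
    name: str
    failed_logins: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


def record_failed_login(acct: AdminAccount, policy: LockoutPolicy, now: datetime) -> bool:
    """Count a failed login inside the window; lock the account when the
    threshold is reached. Returns True if the account is locked afterwards."""
    window_start = now - timedelta(minutes=policy.window_minutes)
    acct.failed_logins = [t for t in acct.failed_logins if t >= window_start]
    acct.failed_logins.append(now)
    if len(acct.failed_logins) >= policy.max_attempts:
        acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        acct.failed_logins.clear()
        return True
    return False


def is_locked(acct: AdminAccount, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def unlock(acct: AdminAccount) -> None:
    """The manual path above: clear the Lockout check box, then Apply."""
    acct.locked_until = None
    acct.failed_logins.clear()


class InactivityPolicy:
    """Remove admin accounts after `days` of inactivity. Changing `days`
    resets the count (assumption: inactivity is measured from the later of
    the account's last login and the moment of the most recent change)."""

    def __init__(self, days: int, now: datetime) -> None:
        self.days = days
        self.changed_at = now

    def set_days(self, days: int, now: datetime) -> None:
        self.days = days
        self.changed_at = now   # any date-sensitive change resets the count

    def days_inactive(self, acct: AdminAccount, now: datetime) -> int:
        if acct.last_login is None:
            start = self.changed_at
        else:
            start = max(acct.last_login, self.changed_at)
        return (now - start).days

    def is_removable(self, acct: AdminAccount, now: datetime) -> bool:
        return self.days_inactive(acct, now) >= self.days


def daily_cleanup(accounts: List[AdminAccount], policy: InactivityPolicy,
                  now: datetime) -> List[str]:
    """Names of the accounts the 00:00:00 UTC cleanup would remove at `now`."""
    return [a.name for a in accounts if policy.is_removable(a, now)]


if __name__ == "__main__":
    # Constructed scenario from the note above: 60 days, changed to 90 on day 59.
    ops = AdminAccount("ops", last_login=T0)
    policy = InactivityPolicy(60, T0)
    print("day 59, 60-day policy :", daily_cleanup([ops], policy, shift(days=59)))
    policy.set_days(90, shift(days=59))
    print("day 60 after change   :", daily_cleanup([ops], policy, shift(days=60)))
    print("day 59 + 90           :", daily_cleanup([ops], policy, shift(days=149)))
```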

Configuring EFT

After you follow the procedures in Installing the Server, Interface, and Modules, the next step is to log in to EFT via the Server interface, called the administration interface or AI, and configure the client connections to EFT.

You must configure EFT for the first time on the computer on which the EFT service is installed.

After you have created the local connection and enabled remote connections, you can connect to and administer EFT remotely.

Even if you plan to restore the Server from a backup, you must still create the initial Server object in the administration interface.

Anytime you connect to the EFT Server service, if no Servers have been defined, the Server Setup wizard Welcome page appears. The Server Setup wizard guides you through EFT configuration or allows you to restore from backup. The wizard helps you configure Server-specific options such as allowing remote administration. After the brief Server Setup wizard is completed, you have the option to run the Site Setup wizard to configure a Site, and then the User Setup wizard to provision a user. (You have to create at least one site for users to be able to connect to EFT.)

You may cancel out of the Server Setup wizard anytime by clicking Cancel or the X in the upper right corner. However, any settings made through the wizard are discarded, except for keys/certificates added to the key manager (by creating or importing).


You will need the following information to create and configure EFT:

• If you are allowing remote administration of EFT and you are using SSL, you need to know the SSL settings and have access to the SSL keys and certificates.

• If you are restricting remote administration to specific IP addresses, you need to know the IP addresses and ports.

• If you are using DMZ Gateway, install and configure DMZ Gateway (on a different computer) before creating Servers and Sites. The installation and configuration of DMZ Gateway is not required before creating Servers and Sites, but the Site Setup wizard asks for the DMZ Gateway information. Alternatively, you can configure DMZ Gateway after Site setup is complete, and then provide the DMZ Gateway connection information in EFT's administration interface.

If you are configuring your first EFT Server connection, refer to Configure the First EFT Connection, below. If you are configuring a new, remote EFT connection, jump to New (Remote) Connection.

Configure the First EFT Connection

You must first configure the local connection before you can configure a remote location.

To configure EFT on the local computer

1. After installation is complete, the New Administrator Connection wizard appears. (If you have already defined a connection and want to create another one, refer to New (Remote) Connection.)


2. Leave This computer selected, then specify the Label for the local connection. By default, the label is LocalHost. Because LocalHost is a very common label, it is a good idea to change the label to something that is easily identifiable in error logs, reports, and remote connections. For example, GS_EFTS. You can label EFT anything you want; the EFT name is not dependent upon the computer name.

3. The EFT Administrator Login page appears.


4. Click the Authentication box and specify the type of authentication to use for this login. Future connections will default to the authentication type that you specify during this initial login, but you can choose a different type. Authentication types include:

• EFT Authentication - Choose this option to log in with an EFT-specified administrator account, such as the one you created during installation.

• Integrated Windows Authentication - Choose this option to log in as the currently logged on user (Integrated Windows Authentication). Requires the High Security Module (HSM).

• Windows Authentication - Choose this option to log in using a specific Windows account. Requires the High Security Module (HSM).

5. If you specified EFT Server Authentication or Windows Authentication, in the Username and Password boxes, provide the login credentials that you created during installation. The Welcome page appears. Because you have not yet activated the software, the "Free Trial" reminders appear. After you activate, you will not see this prompt.

6. Do one of the following:

• If you are evaluating the software or just do not want to activate yet, click Start Trial, then follow the procedures in Configuring EFT .

• If you want to install Mail Express or Secure Ad Hoc Transfer, you should configure the Server, define at least one Site, and enable remote administration before installing the module.

• If you have purchased a license, click Activate Now, then follow the procedures for activating the software.


7. Click Next. The Server Setup wizard Welcome page appears.

• If you are not restoring from a backup (EFT Enterprise only), click Next.

• If you are restoring from a backup, click Restore from Backup, then refer to Backing Up or Restoring Server Configuration for the procedure.


8. Click Next. The FIPS Options page appears. (FIPS requires the HSM. On EFT SMB edition, SFTP requires the SFTP module.)

When you enable FIPS mode, the ciphers, keys, and hash lengths and types that are not FIPS approved are not available. If a FIPS-approved state cannot be achieved when FIPS is enabled, the EFT service is stopped and an error is written to the Windows Event Log.

• To use FIPS for SFTP (SSH2), select the Enable FIPS for SFTP check box.

• To use FIPS for SSL, select the Enable FIPS for SSL check box.

• A confirmation prompt appears when you select either check box. When you enable FIPS, the EFT service must be restarted. Click OK to continue with FIPS enabled or click Cancel if you do not want to use FIPS and restart the EFT service.

9. Click Next. The Remote Administration page appears.


• If you do not want to allow remote administration , clear the Allow remote administration check box.

• If you want to allow remote administration:

a. Select the Allow remote administration check box and specify the Listening IPs.

b. Click Configure to specify one or more IP addresses. The Listening IP Settings dialog box appears.

c. All Incoming (IPv4) is selected by default. Select the check boxes for addresses that you want to allow; clear the check boxes for the addresses that you do not want to allow, then click OK.

• Specify the Listening port. (For security best practices and compliance with the PCI DSS, specify a port other than the default of 1100.)

10. Click Next. If you chose remote administration, the Secure Remote Administration page appears.

11. Administrator account credentials are transmitted in plaintext unless SSL is enabled. Organizations complying with the PCI DSS are required to use SSL for remote administration. To enable secure remote administration, select the Use SSL for secure remote administration check box, and then click Next. The SSL Certificate Options page appears.


12. Do one of the following:

• In the Certificate and Private Key boxes, click the folder icon to browse for the private key pair files.

• Click Create certificate to create one. Refer to SSL Certificate-Based Login, Creating Certificates, and Importing a Certificate into the Trusted Certificate Database for information regarding certificates.

13. Click Next. The Auditing and Reporting page appears.


14. If you are using Auditing and Reporting, select the Enable auditing check box, then provide the information required to connect to the ARM database as described below. If you are not using Auditing and Reporting, skip to the next step. (Auditing and reporting is a requirement of the PCI DSS.)

a. In the Database type area, specify whether you are using SQL Server or Oracle for the auditing database. (Oracle available in EFT Enterprise only.)

b. In the Host[\Instance Name] box, type EFT name or IP address.

If you are using SQL Server as the Auditing Database, \InstanceName corresponds to SQL Server's notion of named instances, a feature that allows a given computer to run multiple instances of the SQL Server Database Service. For more information, refer to http://msdn2.microsoft.com/en-us/library/ms165614.aspx

c. In the Authentication box, specify the type of authentication used by the database, either Windows Authentication or SQL Server Authentication.

• If you choose SQL Server Authentication, you must also specify the "sa" username and password. In the Username and Password boxes, type the username and password used to connect to the database (not the EFT credentials).

d. In the Database Name box, type the name of the database.

e. In the In case of audit database error area, specify an Action for EFT to take if there is an error with the database. To stop recording data, select Stop auditing. To continue recording data to a file, select Audit to folder, and specify the location for the log file.


UNC paths are supported. The Globalscape Server service must run on a computer that has access to the network share, and the full UNC path must be used, that is: \\xcvd.forest.intranet.xc\Common_Files, not G:\Common. IPv6 literals must use the Microsoft-specific IPv6 address form that uses "ipv6-literal.net" for use in a UNC path. (Refer to the Wiki article about IPv6 for more information about IPv6 literals in UNC paths.)

15. To try to recover from a database error automatically, select the Attempt to reconnect every check box and specify the frequency in seconds.

16. In the E-mail notification area, select the Notify on disconnect check box and/or the Notify on reconnect check box, and then specify the e-mail address(es) to which EFT is to send database connection error notifications. You can add as many e-mail addresses as needed; separate the addresses with a comma or semicolon. EFT uses its global SMTP e-mail settings from the SMTP Configuration to send the e-mails. You will configure those settings on the next page.

17. Click Next. The Specify SMTP Server Settings page appears.


18. In the From e-mail address box, specify the e-mail address for e-mail notifications (such as those triggered by Event Rules). This is the address that appears in the From box of e-mails sent by EFT. For example, type [email protected].

• The e-mail address syntax is validated when you click OK. If the e-mail address contains invalid characters or does not contain @, an error message appears. Click OK to dismiss the error message, then correct the address.

19. In the SMTP host address boxes, specify the SMTP server host address and port.

20. If the SMTP server requires authorization, select the check box and provide the Username and Password.

21. Click Next. Server Setup is complete.


You are offered the option of continuing to the Site Setup wizard, or quitting the wizard, saving EFT settings, and configuring the Site(s) later. You must configure at least one Site (a virtual host) to service inbound connections to EFT.

22. Click an option, then click Finish. If you chose FIPS mode for SSL and/or SSH, prompts appear explaining that EFT has entered FIPS mode. Click OK to dismiss the prompts.

23. If you chose Run the Site Setup wizard now, the Site Setup wizard Welcome page appears.

24. Refer to Defining Connections to EFT for the procedure for configuring the Site. The procedure differs depending on the user authentication type you choose.

New (Remote) Connection

After you have configured a local connection to EFT, you can create a remote connection.

To create a new (remote) EFT administrator connection

1. On the main menu click File > New Server. The New Administrator Connection page appears.


2. Be sure that the remote Server service is running, and that it allows remote administration. Then:

a. Click A remote computer.

b. In the Label box, provide a name for the remote Server.

c. In the Host address box, provide the IP address at which the remote Server allows connections.

d. In the Port box, provide the port through which the remote Server allows connections.

3. Click Next. The Login page appears.


4. Click the Authentication box and specify the type of authentication to use for this login. Future connections will default to the authentication type that you specify during this initial login, but you can choose a different type. Authentication types include:

• EFT Authentication - Choose this option to log in with an EFT-specified administrator account, such as the one you created during installation.

• Integrated Windows Authentication - Choose this option to log in as the currently logged on user (Integrated Windows Authentication). Requires the High Security Module (HSM).

• Windows Authentication - Choose this option to log in using a specific Windows account. Requires the High Security Module (HSM).

5. If you specified EFT Server Authentication or Windows Authentication, in the Username and Password boxes, provide the login credentials that you created during installation. The Welcome page appears. Because you have not yet activated the software, the "Free Trial" reminders appear. After you activate, you will not see this prompt.

6. Do one of the following:

• If you are evaluating the software or just do not want to activate yet, click Start Trial, then follow the procedures in Configuring EFT .

• If you want to install the Secure Ad Hoc Transfer module, you should configure the Server, define at least one Site, and enable remote administration before installing the module.

• If you have purchased a license, click Activate Now, then follow the procedures for activating the software.

7. Click Next. The Server Setup wizard Welcome page appears.


8. If you are restoring from a backup, click Restore from Backup, then refer to Backing Up or Restoring Server Configuration for the procedure. Otherwise, continue to the next step.

9. If you are not restoring from a backup (EFT Enterprise only), click Next. The FIPS Options page appears.


When you enable FIPS mode, the ciphers, keys, and hash lengths and types that are not FIPS approved are not available. If a FIPS-approved state cannot be achieved when FIPS is enabled, the EFT service is stopped and an error is written to the Windows Event Log.

• To use FIPS for SFTP (SSH2), select the Enable FIPS for SFTP check box.

• To use FIPS for SSL, select the Enable FIPS for SSL check box.

• A confirmation prompt appears when you select either check box. When you enable FIPS, the EFT service must be restarted. Click OK to continue with FIPS enabled or click Cancel if you do not want to use FIPS and restart the EFT service.

10. Click Next. The Remote Administration page appears.


11. Because you are configuring a remote administrator connection, ensure that the Allow remote administration check box is selected.

12. Specify the Listening IPs.

a. Click Configure to specify one or more IP addresses. The Listening IP Settings dialog box appears.

b. All Incoming (IPv4) is selected by default. Select the check boxes for addresses that you want to allow; clear the check boxes for the addresses that you do not want to allow, and then click OK.

13. Specify the Listening port. (For security best practices and compliance with the PCI DSS, specify a port other than the default of 1100.)


14. Click Next. The Secure Remote Administration page appears.

15. Administrator account credentials are transmitted in plaintext unless SSL is enabled. Organizations complying with the PCI DSS are required to use SSL for remote administration. To enable secure remote administration, select the Use SSL for secure remote administration check box, and then click Next. The SSL Certificate Options page appears.


16. Do one of the following:

• In the Certificate and Private Key boxes, click the folder icon to browse for the private key pair files.

• Click Create certificate to create one. Refer to SSL Certificate-Based Login, Creating Certificates, and Importing a Certificate into the Trusted Certificate Database for information regarding certificates.

17. Click Next. The Auditing and Reporting page appears.


18. If you are using Auditing and Reporting, select the Enable auditing check box, then provide the information required to connect to the ARM database as described below. If you are not using Auditing and Reporting, skip to the next step. (Auditing and reporting is a requirement of the PCI DSS.)

a. In the Database type area, specify whether you are using SQL Server or Oracle for the auditing database. (Oracle available in EFT Enterprise only.)

b. In the Host[\Instance Name] box, type EFT name or IP address.

If you are using SQL Server as the Auditing Database, \InstanceName corresponds to SQL Server's notion of named instances, a feature that allows a given computer to run multiple instances of the SQL Server Database Service. For more information, refer to http://msdn2.microsoft.com/en-us/library/ms165614.aspx

c. In the Authentication box, specify the type of authentication used by the database, either Windows Authentication or SQL Server Authentication.

• If you choose SQL Server Authentication, you must also specify the "sa" username and password. In the Username and Password boxes, type the username and password used to connect to the database (not the EFT credentials).

d. In the Database Name box, type the name of the database.

e. In the Audit failure notification e-mail address box, type the e-mail address to which EFT is to send database connection error notifications. You can add as many e-mail addresses as needed; separate the addresses with a comma or semicolon. EFT uses its global SMTP e-mail settings from the SMTP Configuration to send the e-mails. You will configure those settings on the next page.

f. In the In case of audit database error area, specify an Action for EFT to take if there is an error with the database. To stop recording data, select Stop auditing. To continue recording data to a file, select Audit to folder, and specify the location for the log file.

UNC paths are supported. The Globalscape Server service must run on a computer that has access to the network share, and the full UNC path must be used, that is: \\xcvd.forest.intranet.xc\Common_Files, not G:\Common.

19. Click Next. The Specify SMTP Server Settings page appears.


20. In the From e-mail address box, specify the e-mail address for e-mail notifications (such as those triggered by Event Rules). This is the address that appears in the From box of e-mails sent by EFT. For example, type [email protected].

• The e-mail address is validated when you click OK. If the e-mail address contains invalid characters or does not contain the @, an error message appears. Click OK to dismiss the error message, then correct the address.

21. In the SMTP host address boxes, specify the SMTP server host address and port.

22. If the SMTP server requires authorization, select the check box and provide the Username and Password.

23. Click Next. Server Setup is complete.


You are offered the option of continuing to the Site Setup wizard, or quitting the wizard, saving EFT settings, and configuring the Site(s) later. You must configure at least one Site to service inbound connections to EFT.

24. Click an option, then click Finish. If you chose FIPS mode for SSL and/or SSH, prompts appear explaining that EFT has entered FIPS mode. Click OK to dismiss the prompts.

25. If you chose Run the Site Setup wizard now, the Site Setup wizard Welcome page appears.

26. Refer to Defining Connections to EFT for the procedure for configuring the Site. The procedure differs depending on the user authentication type you choose.
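The UNC path rule from the Audit to folder steps of both procedures above (a full \\host\share path, no mapped drive letter, and IPv6 hosts written in the ipv6-literal.net form), as an added checker that is neither part of this guide nor of EFT. The function names are my own; the conversion follows Microsoft's documented literal form, in which ':' becomes '-' and a '%' zone separator becomes 's'.

```python
import ipaddress
import re
from typing import Optional, Tuple

LITERAL_SUFFIX = ".ipv6-literal.net"
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:[\\/]")   # G:\Common, a mapped drive


def ipv6_to_unc_literal(addr: str) -> str:
    """Rewrite an IPv6 address (optionally with a %zone suffix) into the form
    Windows accepts as a UNC host: ':' -> '-', '%' -> 's', then the suffix."""
    addr_part, _, zone = addr.partition("%")
    ipaddress.IPv6Address(addr_part)   # ValueError if not a valid IPv6 address
    literal = addr_part.replace(":", "-")
    if zone:
        literal += "s" + zone
    return literal + LITERAL_SUFFIX


def unc_literal_to_ipv6(host: str) -> Optional[str]:
    """Inverse of ipv6_to_unc_literal; None if host is not a literal host."""
    if not host.lower().endswith(LITERAL_SUFFIX):
        return None
    body = host[: -len(LITERAL_SUFFIX)]
    body, _, zone = body.partition("s")   # hex digits never contain 's'
    addr = body.replace("-", ":")
    ipaddress.IPv6Address(addr)           # ValueError if the literal is malformed
    return addr + ("%" + zone if zone else "")


def check_audit_folder(path: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed Audit to folder location."""
    if _DRIVE_LETTER.match(path):
        return False, "mapped drive letter; the service needs the full UNC path"
    if not path.startswith("\\\\"):
        return False, "not a UNC path"
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return False, "UNC path must name both a host and a share"
    host = parts[0]
    if ":" in host:
        return False, "raw IPv6 literal; use the ipv6-literal.net form"
    if host.lower().endswith(LITERAL_SUFFIX):
        try:
            unc_literal_to_ipv6(host)
        except ValueError:
            return False, "malformed ipv6-literal.net host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample paths, including the two from the note above.
    for candidate in (r"\\xcvd.forest.intranet.xc\Common_Files", r"G:\Common",
                      r"\\2001:db8::1\audit", r"\\" + ipv6_to_unc_literal("2001:db8::1") + r"\audit"):
        print(candidate, "->", check_audit_folder(candidate))
```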

Listening IP Address and Port

EFT's administration listening IP address and port are configured in the EFT Server Setup wizard. You can change the IP address and/or port later, if necessary. For example, you might have initially configured EFT to listen on All incoming IP addresses and want to change it to a specific IP address, or maybe you need to add IPv6 addresses.

IPv6 addresses are not supported by MSMQ; however, a server and/or site can bind to IPv6, if there is also an IPv4 address (e.g., another adapter) that can route between HA nodes.

To change EFT's listening IP address and port

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node that you want to manage.

3. In the right pane, click the Administration tab.


4. You cannot type an address in the Server administrator listening IP box. Click Configure. The Listening IP Settings dialog box appears.


The dialog box displays the IP addresses that are available on the computer, in addition to All Incoming (IPv4) and All Incoming (IPv6).

IPv6 is not enabled by default for security reasons; IPv4 is enabled by default.

The "All" options are exclusive. That is, you can't select All Incoming (IPv4) and then one or more specific IP addresses. However, you can select multiple individual addresses if none of the "All" options is selected.


• "Link local" appears next to certain IPv6 addresses. Routers do not forward packets with link-local addresses. In IPv6, link-local addresses are always assigned, automatically or by configuration, and are required for the internal functioning of various protocol components. IPv6 requires operating systems to assign link-local addresses to network interfaces even when routable addresses are also assigned. A link-local unicast address has the prefix fe80::/10 in standard IPv6 CIDR notation.

5. Select one or more check boxes for the IP address(es) on which the Server is to listen for connections, and then click OK. The selected address(es) appear in the Listening IP addresses box.

• You can copy the addresses in the Server administrator listening IP box: Right-click in the box, click Select All, then right-click again and click Copy or use CTRL+V. (Unicode-related items on the right-click menu are a Windows feature and do not apply to EFT.)

6. In the Port box, type the new port number.

7. Click Apply to save the changes on EFT.
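An added check for a Listening IP Settings selection, written to illustrate the rules above (the "All" entries are exclusive, IPv6 is off by default, and fe80::/10 addresses are not forwarded by routers). It is not Globalscape code; the entry labels and function names are my own, and a Windows zone ID such as %12 is dropped before parsing.

```python
import ipaddress
from typing import List, Tuple

ALL_IPV4 = "All Incoming (IPv4)"
ALL_IPV6 = "All Incoming (IPv6)"
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def default_selection() -> List[str]:
    """What the dialog box starts with: IPv4 enabled, IPv6 not."""
    return [ALL_IPV4]


def validate_listening_selection(selected: List[str]) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, problems, warnings) for the entries ticked in the dialog box.
    Problems make the selection invalid; warnings flag addresses that will not
    be reachable from another subnet for remote administration."""
    problems: List[str] = []
    warnings: List[str] = []
    all_entries = [s for s in selected if s in (ALL_IPV4, ALL_IPV6)]
    specific = [s for s in selected if s not in (ALL_IPV4, ALL_IPV6)]
    if not selected:
        problems.append("no listening address selected")
    if all_entries and specific:
        problems.append("an 'All Incoming' entry cannot be combined with individual addresses")
    for entry in specific:
        try:
            ip = ipaddress.ip_address(entry.split("%", 1)[0])   # drop a zone ID
        except ValueError:
            problems.append(f"{entry}: not an IP address")
            continue
        if ip.version == 6 and ip in LINK_LOCAL_V6:
            warnings.append(f"{entry}: link-local (fe80::/10); routers will not forward to it")
    return not problems, problems, warnings


if __name__ == "__main__":
    # Constructed selections, as they might be ticked in the dialog box.
    for selection in ([ALL_IPV4], [ALL_IPV4, "10.0.0.5"], ["10.0.0.5", "fe80::1%12"]):
        print(selection, "->", validate_listening_selection(selection))
```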

IP Access for Remote Administration

By default, all IP addresses are granted remote access to EFT. EFT allows you to grant remote administration access to only one specific IP address or a range of IP addresses, or deny access to one specific address or a range of addresses. Refer to Controlling Access to the Site by IP Address for details of banning IP addresses.

To grant/deny access by IP address

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node that you want to configure.

3. In the right pane, click the Administration tab.

4. Select the Allow remote administration check box.

5. Next to IP ban/access list for remote administration, click Configure.

The IP Access Rules dialog box appears. The default configuration is to deny access to automatically banned IP addresses. By default, if no rule matches an IP address, then the IP is allowed.

    o Click Deny if you want to exclude all IP addresses that are not explicitly defined in the Rules list.

To add an IP address to the rules, click Add. The Add IP to Access Control List dialog box appears.

    o Specify the IP address or mask, click whether to Allow or Deny the address, and then click OK. CIDR notation is supported for IPv4 addresses (e.g., 192.168.29.0/24) and literal IPv6 addresses (e.g., 001:cdba:9abc:5678::/64).

To remove a rule, click it in the list, and then click Remove. A confirmation prompt appears. Click Yes. (You cannot remove the default rule.)

To edit a rule, click it in the list, and then click Edit. The Add IP to Access Control List dialog box appears for you to edit the address. Click OK to save your edits.

To test whether an IP address is banned or allowed, click Test IP. The Test IP Connection dialog box appears.

    o Provide an IP address to test, and then click Test. The Result (Allowed or Denied) and the Reason the IP is allowed or denied appear in the dialog box. Click OK to close the dialog box.


To view the list of banned IP addresses, click Autoban List. The IP Auto-ban dialog box appears.

    o The IP Address column lists the banned IP addresses.

    o The Date Added column displays the date and time the IP address was automatically banned, in MM/DD/YYYY hh:mm:ss AM/PM format.

    o The Reason column displays the reason the IP address was automatically banned (e.g., DoS/Flood prevention temporary ban, DoS/Flood prevention permanent ban, Invalid password attempts exceeded, Invalid username attempts exceeded, Too many consecutive invalid commands).

    o To find an IP address in the auto-ban list, type it in the Search box.

    o To sort the auto-ban list, click a column header.

    o To remove an IP address from the auto-ban list, click it, and then click Remove Selected.

6. Click OK to close the dialog boxes.

7. Click Apply to save the changes on EFT.
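The rule evaluation that the Test IP button reports (a Result and a Reason), as an added example that is not Globalscape code. Rule order (first match wins) and the precedence of the auto-ban list over explicit Allow rules are my assumptions, since the page does not state them; the reason strings are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    """One entry in the Rules list: a single address or a CIDR block."""
    network: str   # e.g. "192.168.29.0/24", "203.0.113.9", "2001:db8::/64"
    allow: bool    # True = Allow, False = Deny

    def __post_init__(self) -> None:
        # strict=False lets a host address such as 10.0.0.5 stand as a /32
        self.net = ipaddress.ip_network(self.network, strict=False)

    def matches(self, ip) -> bool:
        return ip.version == self.net.version and ip in self.net


@dataclass
class RemoteAdminAccessList:
    rules: List[Rule] = field(default_factory=list)
    autoban: Dict[str, str] = field(default_factory=dict)   # address -> Reason column text
    default_allow: bool = True   # page default; the Deny button turns this off

    def add(self, network: str, allow: bool) -> None:
        self.rules.append(Rule(network, allow))

    def ban(self, address: str, reason: str) -> None:
        """Record an automatic ban (normalised, so 2001:db8:0::1 == 2001:db8::1)."""
        self.autoban[str(ipaddress.ip_address(address))] = reason

    def unban(self, address: str) -> None:
        """The Remove Selected action in the IP Auto-ban dialog box."""
        self.autoban.pop(str(ipaddress.ip_address(address)), None)

    def test_ip(self, address: str) -> Tuple[str, str]:
        """Return (Result, Reason) as the Test IP Connection dialog box does."""
        ip = ipaddress.ip_address(address)
        # Assumption: the non-removable default rule (deny auto-banned
        # addresses) is checked before the explicit Allow/Deny rules.
        reason = self.autoban.get(str(ip))
        if reason is not None:
            return "Denied", f"auto-banned: {reason}"
        # Assumption: rules are evaluated top to bottom, first match wins.
        for rule in self.rules:
            if rule.matches(ip):
                verdict = "Allowed" if rule.allow else "Denied"
                return verdict, f"matched rule {rule.network}"
        if self.default_allow:
            return "Allowed", "no rule matched; default is Allow"
        return "Denied", "no rule matched; default is Deny"


if __name__ == "__main__":
    # Constructed sample configuration.
    acl = RemoteAdminAccessList()
    acl.add("192.168.29.7", allow=False)
    acl.add("192.168.29.0/24", allow=True)
    acl.ban("203.0.113.9", "Invalid password attempts exceeded")
    for probe in ("192.168.29.7", "192.168.29.20", "203.0.113.9", "10.1.2.3"):
        print(probe, *acl.test_ip(probe))
```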

Remote Administration

You can remotely administer EFT from any computer on which the administration interface is installed (with network access). If you are using SSL, you must create and/or assign an SSL certificate to use for connections. When you connect from a remote administration interface, an SSL Certificate dialog box appears in which you must accept the certificate to continue. If you reject the certificate, the User Connect Failed Event is triggered with the Event Reason of "Client SSL Certificate was rejected."

If you are not installing the administrative interface and plan to use the COM API for remote administration, refer to Remotely Administering EFT Using the COM API in the COM API reference.

Refer to FAQs About Remote Administration for several facts and caveats to consider regarding remote administration.

Remote administration is not allowed after the trial expires if you do not activate the software.

If you are using SQL Express as your database, you may not be able to generate a report remotely, unless the connecting account is a trusted SQL Server connection (e.g., if SQL Server and the remote computer are in the same domain, or if SQL Server is configured to allow "mixed authentication").


EFT v7.2 User Guide

What you can't do remotely:

• File browse operations are disabled. However, you can type a path that is relevant to the EFT computer (not the remote interface). For example, when you create a Command or a Monitor Folder Event Rule remotely, you can't click the folder icon and browse to the path of the file that you want to execute or the folder that you want to monitor on the EFT computer, but you can type the path. (No verification is done on the path that you type.)

• SSL certificates cannot be created or managed remotely.

Before you can connect from the remote administration interface, you must:

1. Configure the Server. You must do this locally, on the EFT computer.

2. Configure remote administration, as described below.

If you have configured remote administration, but are unable to connect, one or more of the following could be preventing the connection:

• The IP address of the computer on which you are attempting to connect to EFT is listed in the Remote Administration Ban IP list.

• Your SSL certificate is expired or invalid.

• The Allow remote administration check box has been cleared.

• The remote administration port value has changed.

• EFT’s IP address has changed since the last login.

• The firewall settings of the computer on which EFT is installed are blocking the connection.

• There is a version mismatch between your administration interface and the EFT service that you are trying to administer.

• The account with which you are attempting the remote connection does not have access permission to EFT.

• Network errors
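Several items on the list above (service not running, port changed, firewall blocking, network errors) can be told apart from the remote computer before any credential is sent. The following probe is an added example written for this guide, not part of EFT: it resolves the host, attempts a TCP connection to the administrator port, and maps the outcome back onto the checklist. It cannot see a ban-list entry, a version mismatch or a permission problem, because those only surface after the connection is accepted. The loopback listener and ports used in the demo are constructed stand-ins for an EFT computer.

```python
"""Pre-flight reachability probe for an EFT remote-administration endpoint.

Added example; it is not part of EFT. It covers the items on the
checklist above that can be verified from the remote computer before a
credential is ever sent: name resolution, whether anything is listening
on the administrator port, and firewall or network timeouts. The host
names and ports used in the demo are constructed.
"""
import socket
from typing import Tuple

DEFAULT_ADMIN_PORT = 1100   # the default administrator port named on the page


def probe_admin_endpoint(host: str, port: int = DEFAULT_ADMIN_PORT,
                         timeout: float = 5.0) -> Tuple[bool, str]:
    """Return (reachable, reason); the reason maps onto the checklist above."""
    try:
        candidates = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"name resolution failed for {host!r}: {exc}"
    reason = f"no usable address for {host!r}"
    for family, socktype, proto, _, sockaddr in candidates:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
            except ConnectionRefusedError:
                reason = (f"{sockaddr[0]}:{port} refused the connection: nothing is listening; "
                          "check that the EFT service is running, that Allow remote "
                          "administration is selected, and that the port value has not changed")
                continue
            except socket.timeout:
                reason = (f"{sockaddr[0]}:{port} timed out after {timeout:g}s: a firewall on the "
                          "EFT computer or a network error is probably blocking the connection")
                continue
            except OSError as exc:
                reason = f"{sockaddr[0]}:{port}: {exc}"
                continue
        return True, f"TCP connection to {sockaddr[0]}:{port} succeeded"
    return False, reason


def open_local_listener() -> socket.socket:
    """Demo helper: a throwaway listener on a free loopback port (stands in for EFT)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    return server


if __name__ == "__main__":
    listener = open_local_listener()
    port = listener.getsockname()[1]
    print(probe_admin_endpoint("127.0.0.1", port, timeout=2.0))   # reachable
    listener.close()
    print(probe_admin_endpoint("127.0.0.1", port, timeout=2.0))   # refused
```

A refused connection and a timeout point at different owners: the first means the EFT computer answered and nothing is bound to that port (service, setting or port number), the second means the packets never got an answer (host firewall, network path, or a changed EFT IP address).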

The following topics describe:

How to configure EFT for remote administration

How to configure the remote administration interface

FAQs About Remote Administration

To configure EFT for remote administration

1. Launch the administration interface on the EFT computer and connect to the EFT that you want to configure for remote administration. (You cannot set up remote administration remotely.)

2. In the right pane, click the Administration tab.

3. In the Server administrator listening IP box, specify the IP address that is allowed to connect remotely. You can select a specific IP address that is defined on the computer on which EFT is installed or All Incoming IP addresses. (For command-line login, the EFT administrator listening IP address must be set to a specific IP address, not All Incoming.)

4. In the Port box, specify the port on which EFT listens for connections. The default port is 1100. For security, you should use a port other than the default.

5. Select the Allow remote administration check box. A warning message appears advising you to connect over SSL for more secure administration.


If you attempt to allow remote administration on a high security-enabled Site, a message appears to warn you that this setting violates PCI DSS, and allows you to continue with reason or disable the feature.

6. Click Yes to set up secure administration or No to administer the server over a clear (not secure) connection.

7. To require SSL for remote connections, click the Require SSL for remote administration check box, and then click Configure. The SSL Certificate Settings dialog box appears.

8. Do one of the following:

• To create a certificate, click Create and follow the prompts in the wizard. (Refer to Creating Certificates for details, if necessary.)

• To use an existing certificate:

a. In the Certificate box, type the path to the .crt file or click the folder icon to find and select it.

b. In the Private key box, type the path to the .key file or click the folder icon to find and select it.

c. In the Passphrase box, type the passphrase for the certificate pair.

9. Click OK to close the dialog box.

10. Click Apply to save the changes on EFT.

11. Close the administration interface. Make sure that the EFT service is still running, then configure the remote administration interface using the procedure below.

To configure the remote administration interface

1. Launch the administration interface on the remote computer.

2. Click the Server tab.

3. Specify the EFT Group to which you want to add the remote server.

4. On the File menu, click Add New Server. The Login wizard New Administrator Connection page appears.


5. Click A remote computer.

6. In the Label box, type the name of EFT to which you want to connect. You can call it anything you want; it has nothing to do with EFT's computer name.

7. In the Host address box, type the IP address of the EFT computer.

8. In the Port box, type the port number used by EFT.

9. Click Next. The EFT Administrator Login page appears.


10. Click A remote computer, then click its name (the label you gave EFT in step 6) in the box.

11. In the EFT Server administrator credentials area, provide your Username and Password, and then click Connect.

If SSL is required for remote administration, a Server Certificate dialog box appears.


12. Accept or reject the SSL certificate from the remote EFT by clicking Trust Once (just for this session), Trust Always (for this and future connections, provided the SSL certificate does not change), or Reject (do not accept the certificate and do not connect to the server). (To undo a trust-always certificate, delete the appropriate trusted certificate file(s), stored in the %AppData% directory as Cert_for_<ip>.crt.)

• If connection was successful, the remote Server appears in the tree.

• If connection was not successful, verify the IP address and port on which EFT listens for connections, and ensure that SSL is properly configured on EFT, if used.
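The Trust Once / Trust Always / Reject prompt in step 12 is a trust-on-first-use decision: Trust Always is only as good as the first certificate you accepted, and the useful property is that a later connection presenting a different certificate is refused rather than waved through. The following is an added example written for this guide, not EFT's own code, showing that logic. It uses the page's file name pattern (Cert_for_<ip>.crt) but takes the store directory as a parameter instead of %AppData%, compares certificates by SHA-256 fingerprint (this example's choice), and uses constructed byte strings in place of real DER certificates.

```python
"""Trust-on-first-use handling of a remote EFT server certificate.

Added example; it is not EFT's own code. It models the Trust Once /
Trust Always / Reject choice: "Trust Always" stores the presented
certificate under the page's file name pattern, Cert_for_<ip>.crt, and
any later connection that presents a different certificate is refused
rather than silently accepted, so a changed certificate has to be
re-verified. The store directory is a parameter, the certificate bytes
used by callers are constructed stand-ins for DER data, and comparing
by SHA-256 fingerprint is this example's choice.
"""
import hashlib
from pathlib import Path
from typing import Optional, Tuple

TRUST_ONCE, TRUST_ALWAYS, REJECT = "Trust Once", "Trust Always", "Reject"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateTrustStore:
    def __init__(self, directory: str) -> None:
        # In the real interface this would be %AppData%; here it is caller-chosen.
        self.directory = Path(directory)
        self.directory.mkdir(parents=True, exist_ok=True)

    def _path(self, host: str) -> Path:
        return self.directory / f"Cert_for_{host}.crt"

    def pinned_fingerprint(self, host: str) -> Optional[str]:
        path = self._path(host)
        return fingerprint(path.read_bytes()) if path.exists() else None

    def forget(self, host: str) -> None:
        """Undo a Trust Always decision by deleting the stored certificate file."""
        self._path(host).unlink(missing_ok=True)

    def evaluate(self, host: str, cert_der: bytes,
                 decision: Optional[str] = None) -> Tuple[bool, str]:
        """Return (connect, reason) for the certificate a server presented.

        `decision` is the user's answer to the certificate prompt; it is
        only consulted when no certificate is stored for `host`.
        """
        pinned = self.pinned_fingerprint(host)
        if pinned is not None:
            if pinned == fingerprint(cert_der):
                return True, "certificate matches the stored Trust Always certificate"
            return False, ("certificate differs from the stored one; delete the stored "
                           "file only after verifying the new certificate out of band")
        if decision == REJECT:
            # The page names this text as the User Connect Failed event reason.
            return False, "Client SSL Certificate was rejected"
        if decision == TRUST_ALWAYS:
            self._path(host).write_bytes(cert_der)
            return True, "certificate stored; future connections must present the same one"
        if decision == TRUST_ONCE:
            return True, "certificate accepted for this session only"
        raise ValueError(f"a decision is required for an unknown certificate: {decision!r}")
```

When a certificate legitimately changes (renewal, new key pair), the operator deletes the stored file, as the page describes, and is prompted again; a changed certificate that nobody expected is the case the refusal exists for.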

Remote Administration FAQ

EFT allows you to administer it remotely from any computer with network access. You can administer EFT with the administration interface (AI) or using the COM API. Below are several facts and caveats to consider regarding remote administration.

• You do not need a separate license for each installation of the AI.

• When you install the AI remotely, SSL.DLL and SFTPCOMInterface.DLL are installed in C:\Program Files (x86)\Common Files\Globalscape\SFTPCOMInterface on the remote computer.

• SSL certificates cannot be created or managed remotely. You are prohibited from creating certificates for EFT while remotely administering EFT because this action can create a security breach. Any certificates you create remain on the computer on which you created them, unless you take steps to deliver and associate these files with another computer. When you remotely connect to EFT Server, you will be prompted to Trust or Reject the server certificate.

• Organizations complying with the PCI DSS are required to use SSL for remote administration. If you attempt to allow remote administration on a high security-enabled Site without SSL, a message warns you that this setting violates PCI DSS, and allows you to continue with reason or disable the feature.

• EFT must have remote administration enabled if the SAT module is installed on a separate computer.

• File browse operations are disabled for remote administration. However, you can type a path that is relevant to the EFT computer (not the remote interface). You are able to browse for a Settings Template folder, because you are browsing the VFS, not the physical folders.

• OpenPGP keys cannot be created or managed remotely.

• When the trial period has expired, all remote connections are disallowed.

• You cannot activate the server or modules through a remote installation of the AI.

• You cannot configure remote administration remotely.

• You must configure the local connection before you can configure a remote connection.

• When you are upgrading, remember to upgrade any remote installations of the AI to the same version.

• For remote Active Directory connections, the connecting account must have access to the computer on which EFT is installed.

• You can select AD accounts when performing remote administration as long as the administration interface and EFT are in the same domain or working across trusted domains.

• You can log in using the EFT computer's local administrator credentials from a command line or a Windows shortcut, using the EFT listening IP address and port.

• You should restrict remote administration to one or more known static IP addresses.


• By default, all IP addresses are granted remote access to EFT. EFT allows you to grant access to only one specific IP address or a range of IP addresses, or deny access to one specific address or a range of addresses.

• For command-line login, the EFT listening IP address must be set to a specific IP address, not All Incoming. Remote administration must be configured and EFT must be in the same domain as the computer from which you are attempting to log in.

• Before attempting to connect to a remote EFT, first be sure that the remote EFT service is running, and that it allows remote administration.

• If you are logged in to EFT remotely, your username and password are passed to the Windows System Services on the computer running EFT. The account that you log on with must have administrative rights to make any changes to the Globalscape EFT service running on that computer.

• If you are using SQL Express as your database, you may not be able to generate a report remotely, unless the connecting account is a trusted SQL Server connection (e.g., if SQL Server and the remote computer are in the same domain, or if SQL Server is configured to allow "mixed authentication.")

• When objects are created, added, removed, modified, enabled, disabled, started, or stopped remotely, the action is logged to the database and reported in the Administrator Actions Log.

(Administrator actions logging requires the HSM and ARM.)

• The EFT variable for remote EFT connections is %CONNECTION.REMOTE_IP%.

• If you are unable to connect to a remote server, verify that the remote server is configured to allow remote administration, and that you have provided the correct IP address, port, and login information.

Specifying a New Local or Remote Server

After you have configured the local connection to EFT (that is, a connection on the same computer on which EFT is installed), you might want to create a remote connection to remotely administer EFT. Or if you have added a new Server, you need to configure the new local host.

To specify a new local or remote host

1. Do one of the following to open the New Administrator Connection wizard:

• In the Administrator Login dialog box that appears when you open the administration interface, click A remote computer, and then click New.

• If you are already logged in and want to create a new Server, right-click anywhere on the Server tab, and then click New Server.


2. Click one of the following:

• This computer

• A remote computer

3. In the Label box, type the name of EFT to which you want to connect.

4. In the Host address box, type the IP address of the EFT computer.

5. In the Port box, type the port number used by EFT.

6. Click Next.

If you close the wizard before the new connection process is complete, none of your settings are saved.

7. After the new host is created, the Login dialog box appears. Type your username and password, and then click Connect.

If you are unable to connect to a remote Server, verify that the remote Server is configured to allow remote administration, and that you have provided the correct IP address, port, and login information.

Creating, Renaming, and Deleting Server Groups

Server Groups are used to organize Servers in the administration interface. They have no effect on the functioning of EFT. The Default Server Group is created when you install EFT. You can rename Server Groups, create new Server Groups, and delete Server Groups.

To create a new Server Group

1. In the administration interface, connect to EFT and click the Server tab.

2. Click File > New Server Group. The Create New Group dialog box appears.


3. In the Group Name box, type a descriptive name for the Server Group. The name will appear in the tree and in reports and log files.

4. Click OK.

To rename a Server Group

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server Group you want to rename.

3. On the menu bar, click Configuration > Rename Selected (or press F2).

4. Next to the Server Group's icon, type a different name.

5. Press ENTER.

To delete a Server Group

You can only delete a Server Group if more than one is defined.

1. In the administration interface, connect to EFT and click the Server tab.

2. Click the Server Group that you want to delete.

3. Do one of the following:

• On the main menu, click File > Remove Server Group.

• Right-click the Server Group, and then click Remove Server Group.

Backing Up or Restoring Server Configuration

When migrating from a development, staging, or test computer to another computer, you cannot simply copy over EFT's configuration files to the new host. In EFT Enterprise edition, you can use the Migration wizard to gather each of the necessary files, then package them into one easy-to-transport file. The Migration wizard can recreate the entire folder structure and settings automatically or you can run it in manual mode and verify every setting as you step through the wizard. (Physical folders under the VFS are not recreated when the configuration is restored. However, if those physical folders are present at the time of restoration, then any VFS permissions assigned to the folders are retained.)

The Migration wizard is not available in EFT SMB edition. Refer to Copying Server Configuration to Several Computers to back up the EFT configuration manually.

The Migration wizard is an interactive tool designed to assist you in the following situations:

Performing Disaster Recovery. If the production Site is corrupted and configuration is lost, damaged, or destroyed, the wizard can assist you with restoring EFT to a prior working state.


Migrating from staging to production or to new hardware. If you want to move EFT from a staging or development box to a production server or have set up a Server with one or more Sites on one computer and want to move it to another computer or a different network location, the wizard can assist you with gathering all the necessary files for a successful move.

If you are migrating from a test environment to a production environment and do not need to keep the test environment's Server, Site, and user configuration settings, you do not need to use the Migration wizard. You can just start from scratch, and run the Server, Site, and New User wizards on the new system.

Backing up for disaster mitigation (routine backups, or backup prior to major changes). If you need a backup to be readily available and require an automatic backup at least once a day, the wizard can back up all of your settings. The Migration wizard can also help if a major change is about to be made, such as a new version installation or new hardware changes to the EFT computer, and you need a mechanism to manually back up the current configuration. The Migration wizard can take a snapshot immediately before the major change takes place, in addition to the automatic daily backups.

The migration fails if there is a mismatch/discrepancy in listening IP addresses, VFS root or structure, Authentication Manager settings, DMZ Gateway settings, or database connectivity.

The Migration wizard backs up the entire EFT configuration in an archive file at a path that is accessible to the EFT service.

The following items are backed up:

• The configuration files

• All certificates and keys that are pointed to from the configuration file

• Any custom reports

• All registry overrides (for special settings)

• The \web folder (to capture any customizations)

• Entire VFS structure (physical folders recreated only under the Site root, not those pointed to by virtual folders)

• Any Advanced Workflows created

The wizard can be initiated manually in the EFT administration interface from the File menu or automatically in Event Rules. In EFT Enterprise, when you create your first Site, a Timer Rule is created that runs the Backup Server Configuration Action once a day at midnight, using all defaults for naming and backup location (\backup\Server Configuration Backup [Month] [Day] [Year].bak). The Rule includes a Cleanup Action to delete backup files (*.bak) older than 30 days in that same folder. This Backup and Cleanup Rule is enabled by default, but you can disable it and edit it as necessary.


It is a good idea to save the backup on a drive other than the one on which EFT is installed. If EFT's hard drive fails, you will want to use the backup to restore the configuration. Refer to Backup Server Configuration Action for details of editing the Backup and Cleanup Rule.
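The default Backup and Cleanup Rule described above keeps 30 days of *.bak files in the backup folder, and the note above adds the operational caveat that the folder should not sit on the drive that holds EFT itself. The following is an added example written for this guide, not EFT's own code: it expresses the retention policy as a pure function over a constructed directory listing (name and last-modified time), restricted to the *.bak mask so that unrelated files in the folder are never candidates, and adds the separate-drive check. The file names, dates and drive letters in the demo are constructed; only the name pattern and the 30-day window come from the page.

```python
"""Retention and placement checks for EFT configuration backups.

Added example; it is not EFT's own code. It reproduces the default
Backup and Cleanup Rule's policy (delete *.bak files older than 30 days
in the backup folder) as a pure function over a constructed listing,
and adds the check the page recommends: that the backup folder is not
on the drive that holds the EFT installation. File names, dates, paths
and drive letters in the demo are constructed.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Dict, List

RETENTION_DAYS = 30        # the default Cleanup Action's age threshold
BACKUP_PATTERN = "*.bak"   # the default Cleanup Action's file mask


def expired_backups(listing: Dict[str, datetime], now: datetime,
                    retention_days: int = RETENTION_DAYS,
                    pattern: str = BACKUP_PATTERN) -> List[str]:
    """Names in `listing` (name -> last-modified time) that fall outside the window.

    Only names matching `pattern` are candidates, so a stray file in the
    backup folder is never selected for deletion by the cleanup.
    """
    cutoff = now - timedelta(days=retention_days)
    return sorted(name for name, mtime in listing.items()
                  if fnmatchcase(name, pattern) and mtime < cutoff)


def backup_on_separate_drive(backup_path: str, install_path: str) -> bool:
    """True when the backup location is on a different drive (or a UNC share) than EFT."""
    backup_drive = PureWindowsPath(backup_path).drive.upper()
    install_drive = PureWindowsPath(install_path).drive.upper()
    return backup_drive != install_drive


if __name__ == "__main__":
    # Constructed listing of a backup folder as of 21 Dec 2015.
    now = datetime(2015, 12, 21)
    listing = {
        "Server Configuration Backup Nov 10 2015.bak": datetime(2015, 11, 10),
        "Server Configuration Backup Dec 20 2015.bak": datetime(2015, 12, 20),
        "notes.txt": datetime(2015, 1, 1),   # not a backup; must be left alone
    }
    print("would delete:", expired_backups(listing, now))
    install = r"C:\Program Files\Globalscape\EFT Server Enterprise"
    print("D:\\backup separate from install:",
          backup_on_separate_drive(r"D:\backup", install))
    print("default \\backup separate from install:",
          backup_on_separate_drive(install + r"\backup", install))
```

Note that the default location (\backup under the installation) fails the separate-drive check by construction; the cleanup window only helps if the surviving backups are somewhere a failed system drive cannot take with it.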

To manually back up Server configuration

1. On the main menu, click File > Backup Server Configuration. The standard Save As dialog box for your operating system appears.

2. Specify the location in which to save the backup, then click Open. Save the backup on a drive other than the one on which EFT is installed. The configuration is saved and is named Server Configuration Backup [Month] [Day] [Year] with a .bak extension.

3. One of the following occurs:

• If a "backup successful" message appears, click OK to dismiss the message.

• If a failure message appears, restart the EFT service, then run the backup again.

Any configuration changes made since the backup are, obviously, not included in the restore. For example, if you have deleted or added users since the last backup, those users will have to be deleted or added again after you restore.

Backups from IPv4-only EFT versions will listen only on IPv4 addresses; if all listeners selected for administrative connections are unavailable, then switch to listening on localhost.

To restore Server configuration

1. Install and activate the product on the target system, if restoring to a different computer.

2. After installation is complete, the New Administrator Connection wizard appears. You must configure the local connection (i.e., create the LocalHost Server object in the tree) before you can restore from backup.

3. In the Connection wizard, leave This computer selected, and specify the Label for the local connection. By default, the label is LocalHost. Because LocalHost is a very common label, it is a good idea to change the label to something that is easily identifiable in error logs, reports, and remote connections. For example, GS_EFTS. You can label EFT anything you want; the EFT name is not dependent upon the computer name.

4. After you are logged in to EFT, do one of the following:

• In the Server Setup wizard, click Restore from Backup.

• On the main menu, click File > Restore Server Configuration.

The Migration Wizard appears.


5. Next to the Backup file location box, click the folder icon to specify the .bak file to use.

6. Click Next. The EFT Server Migration Wizard dialog box appears.

7. Provide the administrator login credentials for the configuration being restored, and then click OK.

(You can use the EFT administrator credentials, Windows Authentication, or the currently logged on user's credentials.)

8. After you click OK, the path to the backup file appears in the Backup file location box. The Selected Archive Details area displays the date the backup was made and the username that created the backup, if it was a manual backup, or "Automatic Recurring Backup" if it was an Event Rule-created backup. Click Next. The Restore Options page appears.


9. Select the Restore node-specific data check box to restore data that is specific to that node (i.e., listening IP address, DMZ Gateway settings, registration).

10. Select the Restore cluster-shared data check box to restore data that is shared amongst the cluster. When this check box is selected, the Recreate the entire folder structure check box is also selected. Clear that check box if you do not want to recreate the folder structure.

When the restore process begins, the other nodes stop with a -1 error. This triggers them to be restarted by the Windows Service Manager, at which point those other nodes wait for the restore operation to complete. Once the restore has completed on one of the nodes, the other nodes that had been waiting proceed with loading the configuration. After the restore completes, the node that did the restore also restarts in the same way. Thus, all nodes in the cluster have restarted with the restored configuration up and running.

11. Click either Automatic Restore or Manual Restore:

Automatic Restore—Automatic Restore prompts only when the wizard encounters discrepancies or problems with restoring. Automatic Restore is the default setting. In automatic mode, you are not prompted to verify settings or allowed to change them.

a. Click Automatic Restore. The Recreate the entire folder structure check box is selected by default. Clear this check box if you do not want to recreate the VFS folder structure.

If your EFT folder structure includes user folders (e.g., C:\Inetpub\EFTRoot\MySite\Usr\<username>) and you clear the Recreate the entire folder structure check box without recreating these folders manually, the users will not be able to access their folders.

b. Click Next. The Ready to Restore page appears. Read the information on the page, and then click Restore.

c. After the Server is restored, restart EFT and log in to the administration interface. A log appears describing the restore process, including file names and paths, and contains any errors encountered during restore.


Manual Restore—Manual Restore allows you to verify and make changes to settings, as needed.

a. Click Manual Restore, and then click Next. The Sites to Restore page appears.

b. Select the check boxes of the Site(s) whose settings you want to import and clear the check boxes of the Site(s) whose settings you do not want to import, and then click Next. The Site Listening IP Address Assignment page appears.

c. Review the IP address for each Site. If you are restoring a Site to a different IP address, click to edit the IP address in the New IP Address Assignment list. The Listening IP Address Assignment dialog box appears.

d. In the New IP Configuration box (right pane), select the check box of one or more of the IP addresses to use, and then click OK.

e. Click Next. The Site Authentication Manager Settings page appears.

f. The authentication database for each Site to be restored appears in the list. In the Settings column, click View/Modify if you want to view or change the path where EFT will store the user database. (You cannot change the type of authentication.)

o If EFT cannot connect to the Site's authentication provider, an error message appears. Click OK to continue as is or click Cancel to modify the authentication provider settings.

g. Click Next. The Site Root Folder page appears.

h. Review the root folder location for each Site that you are restoring. If necessary, click the folder icon to specify a different location, and then click Next.

i. If the DMZ Gateway is defined and configured in the EFT that you are restoring, the DMZ Gateway page appears. If not, skip this step.

i. Review the IP address(es) and port(s) for the DMZ Gateway. Click to edit the IP address or port, if different.

ii. Click Next. EFT will test the DMZ Gateway connection and, if successful, the wizard proceeds to the next page. If a failure occurs, the wizard displays a warning prompt indicating failure to connect to the DMZ Gateway and allowing you to either fix the problem (go back to the previous page to verify the IP address and port) or proceed anyway (if the IP address and port are correct, but the DMZ is not communicating).

j. If the Auditing and Reporting module is defined and configured in the EFT that you are restoring, the Auditing Database Connectivity page appears. If not, skip this step.

• Click Test to verify connectivity to the Auditing and Reporting Module queue and, if successful, send an asynchronous test message to the database. If a connection to the database cannot be made within 5 seconds, a warning prompt appears. (Verify that the database is available.)

k. Click Next. Database connectivity is again verified and the Ready to Restore page appears.

l. Read the information on the page, and then click Restore.

m. After the restore is complete, restart the EFT service. After you restart the Server service and log back in via the administration interface, the restore log appears in the default text editor.

n. Review the log in case errors were encountered during restore.


Logging In to Administer EFT

You can log in to EFT locally or remotely (if configured) via the EFT administration interface, via the COM API, at a command line, or using a Windows shortcut. This topic discusses logging in via the administration interface. These instructions assume that EFT has been configured and the EFT service is running. For instructions for installing a remote administration interface, refer to Installing the Administration Interface Remotely.

To log in to EFT

1. Do one of the following:

o Open the administration interface. The EFT Server Administrator Login dialog box appears.

a. If you are logging in to the local computer, leave This computer selected.

b. If you are logging in to a remote computer, click A remote computer, then specify the remote host.

o If the administration interface is already open, click the Server object in the tree or the Connect icon. The Connect to EFT dialog box appears. The Host box displays the EFT name.

2. Click the Authentication box and specify the type of authentication to use for this login. Future connections will default to the authentication type that you specify during this initial login, but you can choose a different type. Authentication types include:

EFT Authentication - Choose this option to log in with an EFT-specified administrator account.

Currently Logged On User - Choose this option to log in as the currently logged on user (Integrated Windows Authentication). Requires the High Security Module (HSM).

Windows Authentication - Choose this option to log in with a specific Windows account. (Requires the High Security Module (HSM).)

3. When logging in with EFT Server Authentication or Windows Authentication, in the Username and Password boxes, provide the login credentials that you created during installation, and then click Connect.

• If you have not activated your serial number and you are in the 30-day trial period, click Continue on the Welcome page.

• If you have not activated your serial number and the 30-day trial has ended, click Developer Mode on the Welcome page.

If your login fails, make sure you've selected the correct authentication type.


Command Line Login

After EFT is configured, you can open the administration interface and log in automatically using the EFT computer's local administrator credentials from a command line or a Windows shortcut, using the EFT administrator listening IP address and port.

The EFT administrator listening IP address must be set to a specific IP address, not All Incoming. To log in remotely, remote administration must be configured and EFT must be in the same domain as the computer from which you are attempting to log in.

To open the EFT administration interface and log in automatically at a command line

1. Open a command prompt (Start > Run > cmd).

2. Change to the directory in which EFT is installed (e.g., cd C:\Program Files\Globalscape\EFT Server Enterprise).

3. Type the name of the administration interface executable (cftpsai.exe), followed by the administrator listening IP address and port, then press ENTER. The IP address and port must be separated by a colon. For example, type: cftpsai.exe 192.168.174.142:1100

The administration interface appears and logs in using the EFT computer's login credentials.

To open the EFT administration interface and log in automatically using a shortcut

1. Right-click the EFT administration interface shortcut created when you installed EFT (or create one), then click Properties. The Properties dialog box appears.


2. In the Target box, after the closing quotation mark, add the administrator listening IP address and port. For example, the Target box would contain:

"C:\Program Files\Globalscape\EFT Enterprise\cftpsai.exe" 192.168.174.142:1100


3. Click OK to save the changes.

4. Double-click the shortcut to test it. The EFT administration interface opens and logs in using the EFT computer's local administrator credentials.

Logging Out of EFT in the Administration Interface

EFT incorporates an internal timeout that applies to connections to EFT via the administration interface. A warning message and countdown timer appear after 10 minutes of inactivity. To change this timeout, refer to Administration Interface Session Timeout.

To log out manually, click the Server, and then click the Disconnect icon, or simply close the administration interface. (No confirmation message appears.)

If you click File > Stop Server Service, you will stop the EFT service and no clients will be able to connect to EFT.

Starting and Stopping EFT Remotely

If you are logged in to EFT remotely, your username and password are passed on to the Windows System Services on the computer running EFT. The account you log on with must have administrative rights to make any changes to the Globalscape EFT service running on that computer.

When you stop the service, EFT breaks all existing connections and waits until all socket threads die. The service can terminate when Timer Event processing is still in progress. The triggering of Monitor Folder and Timer Event Rules occurs almost simultaneously and is controlled by the operating system, not by EFT. Refer to Event Rule Order of Execution for more information.

To start or stop EFT remotely

1. In the administration interface, click Edit > Server Service Settings. The Server Service Settings dialog box appears.

2. In the Connection area, select Administer remote computer.

3. In the text box, type or paste the IP address of the server you want to administer.

4. Click Connect to Service Manager.

5. Click Start service (or Stop service) and close the Server Service Settings dialog box.


Starting and Stopping EFT

EFT starts automatically and runs as a Windows system service. If you close the administration interface, EFT continues to run in the background as a system service.

On the Recovery tab of the service's properties:

• On non-HA installations, the service is configured to "Take no action" on failure.

• On HA installations, the service is configured to "Restart the Service" on failure.

For the procedure for a remote EFT connection, refer to Starting and Stopping EFT Remotely.

When you stop the service, EFT breaks all existing connections and waits until all socket threads die. The service can terminate when Timer Event processing is still in progress. The triggering of Monitor Folder and Timer Event Rules occurs almost simultaneously and is controlled by the operating system, not by EFT. Refer to Event Rule Order of Execution for more information.

To stop EFT in the administration interface

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server that you want to start/stop.

3. In the right pane, click the General tab.

4. Click Stop service, then click Apply. The EFT status indicator turns from green to red.

To start or stop EFT using Windows Services

1. Click Start > Run. The Run dialog box appears.

2. In the Open box, type services.msc, and then press ENTER.

3. Right-click the EFT Server service and click Start (or Stop).


Server Configuration and Administration

To start or stop EFT from the command line

1. Click Start > Run. The Run dialog box appears.

2. In the Open box, type cmd or command, and then press ENTER. The Windows Command Prompt window appears.

3. To start EFT, at the prompt type the following command (include the quotation marks):

Net start "globalscape EFT"

4. To stop EFT, at the prompt type the following command (include the quotation marks):

Net stop "globalscape EFT"

5. After the service is started or stopped, type Exit (or close the Command Prompt).

Any time you run a service, you expose your computer to outside users. The potential exists for exposing files and programs on your computer and network to malicious outside users, particularly if EFT is compromised. Although you can set folder permissions from within the EFT administration interface, you can add an extra level of protection by establishing a dedicated user account for EFT and then limiting folder access through that account's permissions. This establishes a stopgap until server/system integrity can be restored if EFT is ever compromised.

To configure EFT to run securely, you should:

1. Create a user account for EFT.

2. Assign permissions to EFT's user account and assign EFT to the account.

3. Log EFT on as a service.

4. If necessary, configure EFT's user account to map a virtual folder to a network drive.

Administering the EFT Service

The Server Service Settings dialog box is used to administer the Server service, either locally or remotely. Using this dialog box, you can uninstall/install the service and stop/start the service.

To administer the EFT service

1. In the administration interface, connect to EFT and click the Server tab.

2. On the main menu, click Edit > Server Service Settings. The Server Service Settings dialog box appears.



• To stop the service, click Stop service. (You can also stop the service on EFT's General tab.)

• To start the service, click Start service.

• To remove the service, click Uninstall service. (The application is not removed from the computer, it's just not accessible in Windows.)

• To reinstall the service and make it accessible from Windows, click Install service.

• To administer a remote computer:

a. Click Disconnect from Service Manager to make the Connection area available.

b. Click Administer remote computer, then type the IP address of the remote computer, including the port if different from the default. For example, type 192.168.20.47:1101.

• To administer the local computer (if remote was previously selected):

a. Click Disconnect from Service Manager to make the Connection area available.

b. Click Administer local computer, and then click Close.

Connection Problems

If you are having problems connecting to EFT, verify the following information:

• Your username and password are correct. Each is case sensitive.

• The Host (the IP address) and port are correct. Refer to Remote Administration.

• The IP address from which you are trying to connect is allowed to access EFT.

• The EFT service is running. Refer to Starting and Stopping EFT.

• The network connection is functioning.

If the EFT service is not running, you may be able to start the service remotely.

When files are being transferred with Event Rules (copy, move, or download) and there are connection problems (e.g., the network is unavailable), EFT will attempt to establish a connection the number of times specified in the Event Rule. When EFT is able to re-establish the connection, it continues to transfer the file from where it stopped, even if there are multiple interruptions. There are no retry attempts after a login failure.

If the network is lost while the Web Transfer Client is transferring files, it waits for a timeout period (30 seconds) and then shows a red X for the transfer. The Status in the queue pane indicates that the transfer failed. If you want to attempt to transfer the file again, you must log in again when the network is available. After the Web Transfer Client reconnects, it resumes the transfer from where it stopped.

Server Statistics

In the administration interface, you can view the status of EFT in real time, such as number of users connected, average speed, and so on.



To monitor current statistics on EFT

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the General tab. EFT's statistics appear in the right pane.

Server status: Displays "Service is started" or "Service is stopped." You can also stop and start the EFT service on this tab.

Start date/time: Displays the date and time that the EFT service was last started.

Uptime: Displays the length of time that the EFT service has been running since it was last started.

Last modified time: Displays the date and time that EFT was last modified.

Last modified by: Displays the username of the user who last modified EFT.

Users connected: Displays the number of users who are currently logged in to EFT.

Active uploads: Displays the number of uploads in progress.

Active downloads: Displays the number of downloads in progress.

Average speed: Displays the average transfer speed.



Renaming, Deleting, and Moving a Server

In the administration interface, you can rename and delete a Server, and move a Server to a different Server Group. When you delete a Server or Server Group, you remove all of its login and configuration information. You can no longer connect to EFT if you delete it or its Server Group.

To rename a Server

1. In the administration interface, connect to EFT and click the Server tab.

2. In the left pane, click the Server node you want to rename.

3. On the menu bar, click Configuration > Rename Selected (or press F2).

4. Next to the Server's icon, type a different name.

5. Press ENTER.

To delete a Server

When you delete a Server, you also delete all of its login information. You cannot undo this action.

1. In the administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• Right-click the Server node you want to delete, then click Remove Server.

• Click the Server you want to delete, then on the main menu, click File > Remove Server.

3. A warning message appears. In the Password box, type the EFT administrator password, and then click Delete.

To move a Server to a different Server Group

1. In the administration interface, click the Server tab.

2. Right-click the Server node you want to move, then click Change Server Group. The Change Server Group dialog box appears.


3. Do one of the following:

• If the Server Group is defined, click the Select Group drop-down menu to select the Group.

• If the Server Group is not defined:

a. Click New Group. The Create New Group dialog box appears.

b. Type a name for the new group, and then click OK. The Change Server Group dialog box reappears.

4. Click OK.

Copying an EFT Configuration to Several Computers

It is very important that you read all of the information below before you begin. Not following the instructions, including the "Installation and Deployment Considerations" below, could cause you to lose your configuration, users, and permissions. If you do not have a complex configuration or do not have users and permissions configured, you do not need to use this procedure. Simply install EFT on the new computer and ask Globalscape Customer Support to move your serial number to the new computer on the registration server.

Copying or migrating EFT configuration might be necessary for several reasons, such as:

• Moving a Proof of Concept (PoC) out of your staging environment without having to recreate all the settings and configuration data.

• Creating a standard configuration for installation on multiple computers.

• Updating EFT software with a fresh install rather than patching.

In the EFT Enterprise edition, you can use the Migration wizard to back up and restore configuration (from EFT Enterprise to EFT Enterprise). Refer to Backing Up or Restoring Server Configuration for details. If you are not using EFT Enterprise, you must use the manual procedure below.

Installation and Deployment Considerations

Consider the following before moving a configuration from the source to the target system:

• Set the source Site's Home IP to All Incoming. It must not be bound to a specific IP address unless the system you are deploying to is bound to the same IP address.

• Copy the entire folder structure from the old computer (source) to the new computer (target). If the same folder structure does not exist on the target computer, an error appears that says "Failed to get permission settings." Make sure the target system's installation paths are the same as the installation path on the source computer. For example, if you installed EFT on drive C, then install it on drive C on the target, too. If the drive letters are different, change the drive letter on the target before installing the software. Make sure EFT root and the location of the .aud file on the target system are the same as on the source computer. The path to the .aud file on the target system must match the one on the source system for the Virtual File System (VFS) to be able to find EFT root (if they do not match, all permissions and groups will be lost).

• EFT version 6 and later looks for ftp.cfg in three locations: registry, app data, and installation folder. So, even if you put ftp.cfg in the installation folder, EFT will save it in app data (or the folder specified in the registry, if it is set). Because ftp.cfg contains the full path to the Sites' .aud files, you should save the .aud files in the same folder as on the source computer, or save them in the same folder as ftp.cfg and then correct the path to the .aud file on the General tab of the Site when you first open the administration interface.

• Use the same administrator username and password when installing on the source and target systems.



• If you have made changes to the registry for EFT, be sure to make them on the new computer also. (For example, you can export the entire HKEY_LOCAL_MACHINE\GlobalSCAPE, Inc.\ node, or just the nodes that you've customized. Importing it as a .reg file on the new computer will overwrite existing settings.)

To copy configuration

1. This procedure assumes you have installed and activated the product on the source system, and configured the Sites, Users, Groups, file and folder permissions, Event Rules, and so on.

2. Exit the administration interface.

3. Stop the Server service (Start > Run, type services.msc).

4. Copy the following files to the target computer at the same path as they were on the source computer. (Refer to the note above and File Location Changes for details about file locations.)

• FTP.cfg

• [Site].aud

• All .bak and .update files

• All OpenPGP key files (*.skr, *.pkr)

• All SSL certificate files (*.cer, *.crt)

• All SSH key files (*.pvk, *.pub)

• Any scripts or .bat files that are started as part of a custom command

• Any custom reports

• All registry overrides (for special settings)

• Web Transfer Client folders (to capture any customization)

• PCI folder (PCI DSS Compliance report)

• Ad Hoc folder (to capture any customization)

5. If you are copying from a production system, you can now restart the EFT service and continue to manage file transfers. After the new system is configured, you can switch over to the new system and uninstall EFT from the old system.

6. On the target system, create the same physical folder structure as the folder structure on the source computer.

The easiest way to duplicate the physical folder structure is to copy the folder structure from the source to the target, which avoids introducing typos in folder names.

7. Install and activate the product on the target system.

8. Cancel the automatic setup wizard that appears the first time you run the administration interface.

9. Close the administration interface and stop the Server service in the Services dialog box (in the Windows control panel).

10. Paste the files gathered from the source system into the EFT installation folder on the target system.

Only the FTP.cfg is overwritten, because you have not yet created any Sites, etc. on the target system.

11. Create the necessary account(s) for the EFT service and assign the appropriate permissions.



12. Restart the Server service and log in using the administration interface. You will be prompted to activate your serial number. Be sure to contact the Globalscape customer service team or your account manager so that we can adjust your account on our activation and registration server; otherwise, the registration server will think that the serial number is being used by the other computer.

13. Double-check Server and Site configuration. The target system setup is now complete.

EFT Messages

EFT generates several different types of messages during operation. Some messages can be edited within the administration interface, others must be edited within a text file that you create, and others are hard coded and not editable. The various messages and their uses are described below. (Note that items linked in the Message column are described elsewhere in this user guide. Click the links for more information.)

Message: Audit failure notification email
Description: Sent when database connection errors occur.
Where edited: System message; not editable.

Message: Password reset reminder message
Description: Notifies users of their pending password expiration up to 30 days prior to the password expiration date. Applies to all users on the Server, but you can create Site-specific versions, as described at the link.
Where edited: Administration interface, Server node > General tab. EFT looks for the file PasswordResetReminderMsg.html in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise).

Message: Password reset required message
Description: Notifies users that their password has expired. Applies to all users on the Server, but you can create Site-specific versions, as described at the link.
Where edited: Administration interface, Server node > General tab. EFT looks for the file PasswordResetMsg.html in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise).

Message: Password Reset Confirmation Message
Description: Sent when a user requests a password reset. Applies to all users on the Server, but you can create Site-specific versions, as described at the link.
Where edited: EFT looks for the file PasswordResetConfirm.html in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise). If the file does not exist, the following text is used (or you can create the file):

<html>
<body>
<p>%USER.FULL_NAME%,</p>
<p>A password change request for %USER.LOGIN% was requested from %REMOTE_IP%.</p>
<p>Click the following link to confirm your request and create a new password:</p>
<p><a href="%LINK%">Click to reset your password.</a></p>
<p>Please note that this link will expire 24 hours from the time it was sent.</p>
<p>If you did not request a password reset then please ignore this message.</p>
</body>
</html>

Message: User login credentials message
Description: E-mail that contains the login credentials for connecting to EFT. Applies to all users on the Server, but you can create Site-specific versions, as described at the link.
Where edited: Administration interface, Server node > General tab. EFT looks for the file CredentialsTemplate.txt in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise).

Message: Username resend message
Description: Sent when a user requests the account username.
Where edited: EFT looks for the file UsernameResend.txt in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise). If the file does not exist, you can create the file:

%USER.FULL_NAME%
Your login name is: %USER.LOGIN%
This is an automated message. Please do not reply directly.

Message: Connection Banner Message
Description: When a client first connects to the Site via FTP, but before the user logs on, the connection banner appears.
Where edited: Administration interface, Site > Connections tab > FTP/S Config > FTP Settings dialog box.

Message: User Limit Reached Message
Description: Message that appears to the user when the maximum simultaneous connections limit is exceeded.
Where edited: Administration interface, Site > Connections tab > FTP/S Config > FTP Settings dialog box.

Message: Quit Session Messages
Description: Message that appears when the client closes the session gracefully by using the FTP QUIT command.
Where edited: Administration interface, Site > Connections tab > FTP/S Config > FTP Settings dialog box.

Message: E-mail Notification Message
Description: E-mail sent with the Send Mail Action when an Event Rule is triggered.
Where edited: Administration interface, Server node > Event Rules node > Event Rule.

Message: AD password expiration email
Description: Notifies users that their password is about to expire.
Where edited: Enabled in the Windows Registry; then create the file PasswordChg_PwdWillExpire.txt and save it in the \web\public\EFTClient subdirectory.

Message: WTC change AD password error
Description and where edited (one file per error condition):

• Current password is entered incorrectly: create the file PasswordChg_PasswordWrong.txt and save it in the \web\public\EFTClient subdirectory.

• Network connection error: create the file PasswordChg_NetworkProblem.txt and save it in the \web\public\EFTClient subdirectory.

• User does not have permission from AD to change the password: create the file PasswordChg_Permission.txt and save it in the \web\public\EFTClient subdirectory.

• New password does not meet the AD complexity requirements: create the file PasswordChg_PasswordComplexity.txt and save it in the \web\public\EFTClient subdirectory.

Message: WTC/PTC login error message
Description: When a user provides the wrong username and/or password, the message "Not logged in" appears. The message is purposefully vague for security.
Where edited: Hard-coded and not customizable. (Forgot username and Forgot password links allow the user to request assistance.)

Message: Invalid parameter count message
Description: Sent when the number of parameters provided to execute a Custom command is not the correct number of parameters.
Where edited: Administration interface, Command Settings tab of a selected Command, in the FTP Custom Command Specific dialog box.



Default Paths

EFT allows you to change the default location of some of its configuration files.

• You can specify the default location for EFT's configuration files. Any changes to the file path take effect the next time the EFT service is started. You should ensure the configuration file exists in the new location prior to restarting the service.

• The default paths for all user- and Server-generated files rely on Windows-recommended paths.

If your existing data path is set to the same path as your EFT installation directory, then do NOT follow these steps. Instead, contact support for assistance.

To specify the file path for configuration files

1. On the computer on which EFT is installed, as a precaution, back up EFT's configuration, and make note of the backup location:

• In EFT SMB, refer to Copying Server Configuration to Several Computers.

• In EFT Enterprise, use the Backup Configuration wizard in the administration interface.

2. Open the administration interface and connect to EFT.

3. On the Server tab, click the Server whose configuration settings you want to change.

4. In the right pane, click the General tab.

5. Under Server configuration settings, make note of the current path (for example, copy and paste it into a text file). If an error occurs, you will need to change it back to the original path.

6. In the Server configuration settings box, provide the new path at which you want to store EFT's configuration files.



7. Click Apply to save the changes. A message appears indicating that you need to restart the EFT service for the changes to take effect.

8. Click OK to dismiss the message, then STOP the EFT service (NOT restart).

9. In Windows Explorer, copy (do NOT move) the entire contents (files and folders) from the original path to the new path.

10. After you have copied the server configuration to the new location, start the EFT service.

11. Open the administration interface and connect to EFT.

12. Each of the Sites and other customizations should be visible. Verify that the path in Server configuration settings is the new path.

If the Server Setup wizard or Site Setup wizard appears, that means there was an error connecting to the new configuration path or you missed a step in this procedure.

To correct this, do one of the following:

• Change the data path back to its original location and restart the EFT service.

- OR -

• In EFT Enterprise, use the Migration Wizard to restore the previous configuration with the .BAK file you created in step 1, selecting Automatic Restore when prompted.

Once you've verified everything is back to the original configuration (after logging in), retry each of the steps above, making sure to carefully follow each step.

Monitoring Connections to EFT

EFT can monitor users' FTP/SFTP connections in real time, display the information in the administration interface, and record the activity to a log.

To monitor a user connection

1. In the administration interface, connect to EFT, and click the Status tab.

2. In the left pane, click the server node.


3. The right pane shows the number of users connected to the Server, information about transfers, and server connection time.


Audit Database Settings

When you run the Server Setup wizard, you are offered the opportunity to enable auditing and reporting and configure the connection information. If you chose to do that later or if you want to edit the database information, you can do so on the Logs tab in the Audit Database Settings area.

To enable and configure auditing and reporting

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the Logs tab.

4. In the Audit Database Settings area, select the Enable Auditing and Reporting check box to enable communication with the database; clear the check box to disable auditing and reporting.

5. In the Database type area, select SQL Server or Oracle. (Oracle is available in EFT Enterprise only.)

6. In the Database host address[\Instance Name] box, specify the host or database instance name of the database to which you want EFT to connect, or provide a DSN or DSN-less connection string. Refer to Establishing a System Data Source Name (DSN) or Using a DSN-Less Connection with ODBC Authentication, if you are using ODBC Authentication for your Site.

7. In the Database Name box, provide the name of the database or leave the box empty if you provided a connection string in the Database host address[\Instance Name] box.

8. For SQL Server databases, in the Authentication box, specify whether the database is to use Windows Authentication or SQL Server Authentication.

9. In the Database username and Password boxes, provide the username and password needed to connect to the database, or leave the boxes empty if you provided a connection string in the Database host address[\Instance Name] box or if you are using Windows Authentication.

10. In the When a database error occurs area, specify whether you want to audit database errors to a folder:

• If you do not want to audit errors, or want to stop auditing them temporarily, click Stop auditing.

• To Audit to folder, click the option, then specify the path to the folder in the box.

11. To automatically try to reconnect after an error occurs, select the Attempt to reconnect every check box and specify the frequency in seconds, from once every 7 seconds to once every 86,400 seconds (once per day).

12. In the E-mail notification area, select the On disconnect check box and/or the On reconnect check box, and then in Recipient list specify one or more e-mail addresses that you want to receive error notifications in case of database failure. Multiple e-mail addresses must be separated by semicolons (;). When auditing is enabled, this e-mail is sent any time that EFT cannot reach the database.

13. If you make any changes to the database audit settings, click Apply to save the changes on EFT.

14. To verify the connection information, click Test Connection. The status of the database connection appears above the Reconnect button. If the database is not connected, click Reconnect to reconnect to the database.

Test Connection - EFT attempts a connection using the supplied parameters without applying the changes.

Reconnect - EFT applies the settings (a prompt appears if you made changes and did not click Apply) and attempts to connect to ARM with the new settings.



Configuring SMTP Server Settings

The SMTP Server Settings on EFT's SMTP tab are completed automatically when you define them in the Server Setup Wizard. You must configure the SMTP server settings for the Server to send e-mail notifications when Events occur, including the address for the outgoing mail server, an address for the Administrator, and other details described below. SMTP does not support Unicode characters. Refer to Unicode Exceptions for details.

To configure EFT to send e-mail notifications

1. Click the Server tab in the administration interface and select the Server that you want to configure.

2. In the right pane, click the SMTP tab.


3. In the SMTP host address box, specify the address of the mail server EFT will use to send outgoing messages.

4. In the Port box, specify the port number at which the mail server accepts messages. The standard is 25.

5. In the From e-mail address box, type the "From" e-mail address that will appear in e-mail notifications sent by EFT. An error message appears if the e-mail address is not properly formatted.

6. In the From name box, type the "From" name that will appear in e-mail notifications sent by EFT. "EFT" appears by default.

7. Do one of the following:

• If EFT can connect to the mail server without a login, clear the SMTP server requires authorization check box.

• If the mail server requires a user name and password, select the SMTP server requires authorization check box, then provide the Username and Password needed to connect to the mail server.


8. In the Address Book area, click Add to add names and e-mail addresses of recipients of EFT Event notifications. Add only the addresses that you want to receive e-mail notifications. The e-mail addresses will be added automatically to the To box in the Send notification email Action in Event Rules.

• To edit a name or address, click once to select the box, and then click again to activate the box.

9. Click Apply to save the settings on EFT.

• The e-mail addresses added to the Address Book are validated when you click OK. If the e-mail address contains invalid characters or does not contain @, an error message appears. Click OK to dismiss the error message, then correct the address.

Default Time Stamp

You can specify the default time stamp for directory listings to be the local Server time or UTC (Coordinated Universal Time)/GMT (Greenwich Mean Time) for FTP/S and HTTP/S.

SFTP listings and file dates always use UTC/GMT, even when the server is configured to use local server time.

If the time zone of the EFT computer is changed, you must restart the EFT service.

To specify the default time stamp

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server that you want to manage.

3. In the right pane, click the General tab.



4. In the Directory listing date stamp settings area, click one of the following:

• Use local server time

• Use UTC/GMT time

5. Click Apply to save the changes on EFT.

This option is ignored when returning the "creation time" and "modification time" SFTP file attributes. SFTP file attribute messages always use UTC/GMT per the RFC, http://tools.ietf.org/id/draft-ietf-secsh-filexfer-13.txt. The FTP MDTM command always returns its results in UTC/GMT, independent of EFT's "Directory listing date stamp setting," per the associated RFC.

IPv6 Support in EFT

EFT v6.4 and later support IPv6 connections. You can continue to use IPv4 addresses, use only IPv6 addresses, or use both IPv4 and IPv6. All IP address fields accept IPv4 addresses, IPv6 addresses, and host names transparently; you are not required to understand what an IPv4 or IPv6 address is to use it. Outbound connections are handled transparently based on the IP address or host entered into any host field. EFT determines whether the connection requires IPv4 or IPv6 without requiring you to specify.

IPv6 is not supported in EFT HA environments.

The following areas of EFT support IPv6 addresses:

• Configuring EFT - The Server's listening IP address and the IP address used for remote administration each support IPv6 addresses.

• Defining Connections (Sites) - The Site's listening IP address supports IPv6 addresses.

• IP ban/access rules - The IP address ban/access rules support IPv6 addresses. (Refer to Controlling IP Access for Remote Administration and Controlling Access to the Site by IP Address for information about banning IP addresses.)

• Event Rules - The Copy/Move Action and the Download Action support IPv6 addresses. When you create an Event Rule using one of these actions, you can specify an IPv4 or IPv6 address or let EFT choose the best available address to use.

• Various COM API objects have been modified to allow the use of IPv6 addresses, and new methods were added to support multiple listening IP addresses.

• DMZ Gateway was updated to allow both IPv4 and IPv6 addresses.

• The Auditing and Reporting module schema has been modified to allow IPv6 addresses.

• The AS2 module supports both IPv4 and IPv6 addresses.

• The High Security module supports both IPv4 and IPv6 addresses.

• Using IPv6 Addresses with the Java-enabled version of the Web Transfer Client - IPv6 addresses can be used with the Web Transfer Client; however, because of limitations in the current Java API, you must add the IPv6 address that the WTC uses to the Java Control Panel on the users' computers. (Refer to the topic link for details.) IPv6 literal addresses (RFC 2732) are not supported when using the Web Transfer Client (WTC).



IPv6 addresses use colons, but a colon is not a valid character in a UNC path. To address this, Microsoft created the ipv6-literal.net domain: an IPv6 literal name is the IPv6 address with each colon (:) replaced by a dash (-), followed by the string ".ipv6-literal.net". For example, the IPv6 address

2001:4898:9:3:c069:aa97:fe76:2449

is written in a UNC path as

\\2001-4898-9-3-c069-aa97-fe76-2449.ipv6-literal.net\share

For more information about the ipv6-literal.net domain, refer to the MSDN article at http://msdn.microsoft.com/en-us/library/aa385353.aspx.

CIDR notation is supported for both IPv4 and IPv6 addresses, for example 2001:cdba:9abc:5678::/64 to block an IPv6 LAN or 192.168.29.0/24 for an IPv4 network.
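The conversion above, as an added Python example (not part of the EFT documentation or product): it validates the address with the standard ipaddress module, applies the colon-to-dash rule and Microsoft's "s" substitution for a zone index (fe80::1%4 becomes fe80--1s4), converts back again, and builds the UNC path. The function names and the sample addresses are this example's own.

```python
"""Convert between IPv6 text addresses and Microsoft's ipv6-literal.net names.

Added example, not EFT's own code. The suffix, the ':'->'-' rule and the
'%'->'s' zone-index rule are Microsoft's; the function names and sample
addresses are assumptions made for this example.
"""
import ipaddress

SUFFIX = ".ipv6-literal.net"


def to_ipv6_literal(addr: str) -> str:
    """Return the ipv6-literal.net host name for an IPv6 address.

    The address is validated and canonicalised with the ipaddress module
    first, so "2001:0db8::1" and "2001:db8:0:0:0:0:0:1" map to the same name.
    A zone index ("%4") becomes "s4".
    """
    text, zone = (addr.split("%", 1) + [None])[:2]
    canon = ipaddress.IPv6Address(text).compressed  # raises ValueError on junk
    name = canon.replace(":", "-")
    if zone is not None:
        name += "s" + zone
    return name + SUFFIX


def from_ipv6_literal(name: str) -> str:
    """Inverse of to_ipv6_literal; raises ValueError if name is not one."""
    low = name.lower()
    if not low.endswith(SUFFIX):
        raise ValueError("not an ipv6-literal.net name: " + name)
    body = low[: -len(SUFFIX)]
    # Hex digits and '-' never contain 's', so 's' can only be the zone marker.
    body, marker, zone = body.partition("s")
    text = str(ipaddress.IPv6Address(body.replace("-", ":")))
    return text + ("%" + zone if marker else "")


def unc_path(addr: str, share: str, *subdirs: str) -> str:
    r"""Build \\host\share\... for an IPv6 host (colons are illegal in UNC)."""
    host = to_ipv6_literal(addr)
    return "\\\\" + "\\".join((host, share) + subdirs)
```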

IPv6 FAQ

Q. What is IPv6?

A. IPv6 is the successor to IPv4. One of the benefits of IPv6 is a much larger address space: 128-bit addresses versus IPv4's 32-bit addresses. Search online to learn more about IPv6, the benefits it provides, and the challenges it presents.

Q. When will IPv6 replace IPv4?

A. This is the subject of much debate. Many have claimed for years that we are in imminent danger of running out of IPv4 addresses; however, NAT (including ISP carrier-grade NAT) and other workarounds have surfaced that will delay the inevitable exhaustion of IPv4 addresses for at least a few more years.

Q. If the need for IPv6 is not imminent, then why was it incorporated into EFT?

A. Large enterprises are leading the way in converting to IPv6 (at least internally) and EFT is often a critical piece of the edge architecture for many of these companies. Also, our government customers are actively transitioning to IPv6 based on internal mandates and have requested support for IPv6.

Q. Is IPv6 support limited to EFT, or does it include DMZ Gateway as well?

A. EFT and DMZ Gateway both fully support IPv6. DMZ Gateway requires Windows Server 2008 or later for IPv6 (on Windows Server 2003, IPv6 is not supported for DMZ Gateway).

Q. Will EFT operate with a mix of IPv4 and IPv6 addresses?

A. EFT supports the three scenarios (abstract network topologies) described in RFC 4057, in addition to the current IPv4-only scenario. The scenarios include 1) dual-stack, which is the wide-scale deployment of hosts that support both IPv4 and IPv6 running simultaneously; 2) sparse dual stack, in which only some applications in the infrastructure support IPv6 (mainly during the transition to full dual stack or IPv6 only); and 3) IPv6 only, in which all nodes in the infrastructure operate exclusively on IPv6.

Q. How is dual stack possible, given that earlier versions of EFT supported only "all incoming" or a single listener IP address?

A. EFT 6.4 and later and DMZ Gateway v3.2 and later are more flexible than prior versions. You can choose a single listener IP address, all incoming IPv4 addresses, all incoming IPv6 addresses, all incoming IPv4 and IPv6 addresses, or multiple specific IPv4 and/or IPv6 addresses for the Site and/or administration listeners.


EFT v7.2 User Guide

Q. If EFT and DMZ Gateway are working in a pure IPv6 environment, how will they communicate with the outside world, parts of which still use IPv4?

A. DMZ Gateway's IPv6 support was implemented so that it can act as a 4to6 or 6to4 translator. For example, DMZ Gateway can listen on IPv4 addresses for incoming connections and then route those connections to IPv6 listeners in EFT. Likewise, it can broker IPv6-initiated connections from EFT to external hosts located on IPv4 networks.

Q. Is EFT backward compatible with prior versions of the DMZ Gateway?

A. Yes. EFT 6.4 is compatible with DMZ Gateway v3.1 for IPv4-only support; for IPv6 support, you will need to upgrade to DMZ Gateway v3.2 or later.

Q. Is IPv6 support available by default when newly installed?

A. Yes, IPv6 support is available by default. However, on dual-stack systems, IPv6 listener IPs are not selected by default. To comply with Department of Defense requirement 5.3.5.4, 1.2 (all nodes and interfaces that are IPv6 capable must be carefully configured and verified prior to enabling/using IPv6), it is up to the administrator to configure which IPv6 addresses to use as listeners, rather than the default "All incoming IPv4" selection, if IPv6 support is required.

Q. How does EFT support IPv6 for FTP connections, given the need for separate control and data channels?

A. EFT (as both server and client) complies with RFC 2428 for client-initiated negotiation of the extended port (EPRT) and extended passive (EPSV) data connection modes. EFT also implements draft-ietf-ftpext2-ftp64-00, which addresses the scenario in which an IPv6-only client connects to an IPv4 server through a 6to4 translator and receives an error in response to the EPSV command (which the IPv4 server does not support). In that case, EFT falls back to sending the PASV command to obtain the port number, but then opens the data connection to the host's IPv6 address (the address of the control connection), ignoring the IPv4 address returned in the PASV reply.
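The fallback described in that answer, as an added Python example (not EFT's code): it parses a 229 EPSV reply and a 227 PASV reply, and when EPSV is rejected it takes only the port from PASV and keeps the control connection's peer address for the data connection. The reply strings are constructed for the example; the 229 and 227 formats are those of RFC 2428 and RFC 959, and the function names are assumptions.

```python
"""Choosing the FTP data-connection endpoint over IPv6 (RFC 2428 EPSV with a
PASV fallback, as described in the text).

Added example, not EFT's code. Reply strings used in tests are constructed;
the function names are assumptions made here.
"""
import re
from typing import Optional, Tuple

_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
_PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_epsv(reply: str) -> Optional[int]:
    """Return the port from a 229 EPSV reply, or None if the server rejected
    EPSV (for example 500/502/522 from an IPv4-only server)."""
    if not reply.startswith("229"):
        return None
    m = _EPSV_RE.match(reply)
    if not m:
        raise ValueError("malformed EPSV reply: " + reply)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("EPSV port out of range: " + reply)
    return port


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (advertised IPv4 address, port) from a 227 PASV reply."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: " + reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range: " + reply)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(control_peer: str, epsv_reply: str,
                  pasv_reply: Optional[str] = None) -> Tuple[str, int]:
    """Decide where to open the data connection.

    control_peer is the address the control connection is actually talking
    to. If EPSV succeeded, use its port with control_peer (RFC 2428: the data
    connection goes to the control connection's address). If EPSV failed and
    a PASV reply was obtained instead, still connect to control_peer and use
    only the port from the 227 reply: the IPv4 address inside it is useless to
    an IPv6-only client behind a translator, and not following an address a
    server hands back also avoids being redirected to a third host.
    """
    port = parse_epsv(epsv_reply)
    if port is not None:
        return control_peer, port
    if pasv_reply is None:
        raise RuntimeError("EPSV rejected and no PASV reply available")
    _advertised, port = parse_pasv(pasv_reply)
    return control_peer, port
```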

Q. Can EFT audit or log IPv6 addresses?

A. Yes. EFT can both audit and report IPv6 addresses, including in the file transfer status viewer and anywhere else IP addresses are displayed or saved in the program. Note that IPv6 addresses are displayed in the administration interface, status viewer, and reports in compressed form (runs of zero groups replaced by "::") to conserve space. The exception is DMZ Gateway, which uses the full preferred form. Both text forms are defined in section 2.2 of RFC 4291.

Q. Can EFT connect to my SMTP server, LDAP, or AD for the authentication provider, or the ARM SQL Server, if they are on an IPv6 network?

A. As long as the remote system or component is addressable via IPv6, you can specify an IPv6 address and EFT will connect to the IPv6 host.

Q. How does IPv6 affect upgrades or backup-and-restore functions?

A. The current Site/Admin listeners will be respected and warnings will occur if their IP addresses are no longer present; this is no different than when upgrading prior to v6.4. Existing COM scripts will not be affected. When restoring from a backed up configuration, the specified listener IP addresses are conserved; however, you will be given the option to specify new listeners, including IPv6 addresses (if present), or a mix of IPv4 and IPv6 addresses.

Q. Does EFT's ban list work with IPv6 addresses?

A. DoS and flood protection, along with all controls related to managing IP ban lists, work regardless of IP version. EFT also supports Classless Inter-Domain Routing (CIDR) notation for banned IPv4 and IPv6 addresses, so you can specify masks such as 208.130.29.0/24 or 2001:cdba:9abc:5678::/64 instead of wildcard masks; wildcards are still supported for IPv4 masks for legacy users.
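A ban-list matcher that accepts both rule styles, as an added Python example (not EFT's code): CIDR for IPv4 and IPv6, plus the legacy IPv4 wildcard masks, with IPv4-mapped IPv6 peers unwrapped so an IPv4 rule still catches them on a dual-stack listener. The rule strings are constructed here; how EFT itself stores, orders, or evaluates its rules is not described on the page, so the BanList class is this example's own design.

```python
"""IP ban/access rules with CIDR for IPv4 and IPv6, plus the legacy IPv4
wildcard masks the text says EFT still accepts.

Added example, not EFT's code. Rule syntax follows the text (CIDR, a single
address, or an IPv4 mask with '*' per octet); BanList's behaviour beyond
that is an assumption made for this example.
"""
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
_WILDCARD_RE = re.compile(
    r"^(\d{1,3}|\*)\.(\d{1,3}|\*)\.(\d{1,3}|\*)\.(\d{1,3}|\*)$")


def parse_rule(rule: str) -> Network:
    """Turn one rule into a network object.

    Accepted: CIDR ("192.168.29.0/24", "2001:cdba:9abc:5678::/64"), a single
    address, or an IPv4 wildcard mask ("192.168.*.*"). strict=False lets a
    rule with host bits set ("192.168.29.7/24") still mean the whole /24.
    """
    rule = rule.strip()
    m = _WILDCARD_RE.match(rule)
    if m and "*" in rule:
        octets = m.groups()
        first_star = octets.index("*")
        # Only trailing wildcards map onto a prefix; "192.*.29.*" has no CIDR form.
        if any(o != "*" for o in octets[first_star:]):
            raise ValueError("wildcards must be trailing: " + rule)
        base = ".".join(list(octets[:first_star]) + ["0"] * (4 - first_star))
        return ipaddress.ip_network(f"{base}/{8 * first_star}")
    return ipaddress.ip_network(rule, strict=False)


class BanList:
    """A list of banned networks; a peer is banned if any rule contains it."""

    def __init__(self, rules: List[str]):
        self.networks = [parse_rule(r) for r in rules]

    def is_banned(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        # A dual-stack listener may report an IPv4 peer as an IPv4-mapped IPv6
        # address (::ffff:192.168.29.5); unwrap it so IPv4 rules still apply.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return any(ip in net for net in self.networks if net.version == ip.version)
```

Note that a wildcard mask such as 192.168.*.* is exactly 192.168.0.0/16, so migrating legacy rules to CIDR loses nothing; a mask with a wildcard in the middle has no single CIDR equivalent and is rejected here rather than silently widened.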


Q. How does EFT know whether the host address supplied for a remote connection is IPv4 or IPv6?

A. In accordance with RFC 3484, EFT will use address look-up to determine the family and correct connection type without asking the administrator for more information. Address look-up will result in a list of addresses ordered by most preferred. EFT will then attempt to connect to each address in order until a successful connection occurs or that list is exhausted, and will log the result in the EFT debug log. Keep in mind that you can enter an IPv4, IPv6, or host address anywhere an address can be entered. The only exceptions are fields that cannot take host addresses, such as the Site listener IP.

Q. When specifying multiple IP addresses, which source IP address is used for binding when making an outbound connection as part of an Event Rule sequence?

A. EFT can automatically choose the IP address (it selects from the top of adaptor order using whatever internal mechanisms Windows uses) or the administrator can specify the source IP address.

Q. What if I’m not using or don’t care about IPv6? Will I notice any change?

A. We have made IPv6 support as unobtrusive as possible. Pure IPv4 customers will not be affected and will not see any UI or other changes. A difference will only be noticed once/if IPv6 adaptors are physically enabled on the system.

Q. What about COM support for IPv6?

A. New methods have been created to fully support IPv6, while legacy methods have been retained for backward compatibility. (Refer to the COM API reference for details.)

IDN Support in EFT

Each label in a Domain Name System (DNS) name is limited to 63 ASCII characters. An internationalized domain name (IDN) is an Internet domain name that contains at least one label (for example, www, globalscape, and com are each labels) that is displayed in a language-specific script or alphabet, such as Chinese, Russian, or Latin-alphabet characters with diacritics, as in French. These writing systems are encoded in multi-byte Unicode. Internationalized domain names are stored in the DNS as ASCII strings using Punycode transcription. (Punycode is defined in RFC 3492, Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA).)

The table below describes IDN support in EFT.

Product | Field | GUI Accepts | GUI Displays | Usage | Stored as
EFT and SAT | All domain (host) fields | Unicode or ASCII | Unicode | Punycode | Unicode
EFT and SAT | All email fields (e.g., [email protected]) | ASCII only (7-bit) | ASCII | ASCII | Unicode
EFT | Email usernames (e.g., Ima User) | Unicode | Unicode | Unicode | Unicode
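The host-field and e-mail-field rules in the table, as an added Python example (not EFT's code): Unicode host names are converted to Punycode for use on the wire with Python's built-in idna codec (an IDNA 2003 implementation, which also enforces the 63-octet label limit), Punycode is converted back for display, and an e-mail field accepts only a 7-bit ASCII local part while allowing a Unicode or Punycode domain. The sample names are constructed and the function names are assumptions.

```python
"""IDN handling as the table describes it: Unicode in the GUI and in storage,
Punycode (RFC 3492, via IDNA) on the wire, 7-bit ASCII only for the local
part of e-mail fields.

Added example, not EFT's code. Uses Python's built-in "idna" codec
(IDNA 2003). Sample names are constructed; function names are assumptions.
"""
from typing import Tuple


def host_for_use(host: str) -> str:
    """Convert a stored Unicode host name to its ASCII (Punycode) form.

    Labels are converted one at a time so the error names the offending
    label. The codec rejects a label longer than 63 octets with UnicodeError,
    which is re-raised as ValueError.
    """
    out = []
    for label in host.rstrip(".").split("."):
        try:
            out.append(label.encode("idna").decode("ascii"))
        except UnicodeError as exc:
            raise ValueError(f"label {label!r} cannot be encoded: {exc}") from exc
    return ".".join(out)


def host_for_display(host: str) -> str:
    """Inverse: an ASCII/Punycode host name back to Unicode for the GUI."""
    return host.encode("ascii").decode("idna")


def email_for_use(address: str) -> Tuple[str, str]:
    """Split an e-mail address into (local part, ASCII domain).

    Per the table, e-mail fields take 7-bit ASCII only; the escape hatch is
    a Punycode domain. So the local part must be ASCII, while the domain may
    be ASCII (including Punycode) or Unicode, which is converted here.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: " + address)
    if not local.isascii():
        raise ValueError("local part must be 7-bit ASCII: " + local)
    return local, host_for_use(domain)
```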


Unicode Exceptions

Most of the EFT interface supports Unicode characters. (Refer to Unicode File Transfers for details.) The tables below list the exceptions to Unicode support in EFT. In each table, Storage is the internal representation on disk, GUI is what is allowed and displayed, and Usage is the encoding when EFT or SAT uses the value.

Area: General

Item | Storage | GUI | Usage | Remarks
All domain (host) fields (SAT and EFT) | Unicode (stored in Punycode in SAT) | Unicode | 7-bit ASCII | IDN support by converting Unicode to Punycode upon use. From a user (presentation) perspective and in EFT's internal representation, the value is Unicode.
All e-mail address fields (SAT and EFT) | Unicode | 7-bit ASCII | 7-bit ASCII | Converted to Unicode for storage, but downgraded on usage. No risk of loss of fidelity, as all characters are limited to ASCII (<128). You can paste Punycode ASCII characters directly for the domain portion if you must have Unicode domains in e-mail addresses.
SMTP settings (username + password) | Unicode | 7-bit ASCII | 7-bit ASCII | Converted to Unicode for storage, but downgraded on usage. No risk of loss of fidelity, as all characters are limited in the GUI and in usage to ASCII (<128).
Installer | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | See Installer – ASCII ONLY below for potential problems.


Area: Keys and OpenPGP

Item | Storage | GUI | Usage | Remarks
SSL CN field | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | The RFC allows Unicode, but OpenSSL handles the value as ASCII.
SSL private key passphrase | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | Passwords are stored as an octet sequence using the same encoding as the UI (ASCII).
SSH private key passphrase | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | Passwords are stored as an octet sequence using the same encoding as the UI (ASCII).
PGP private key passphrase | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | Veridis limitation. Passwords are stored as an octet sequence, 8-bit ASCII.
PGP filenames and pathnames | n/a | n/a | 8-bit ASCII | Unicode filenames are supported, but they are temporarily converted to ASCII.
PGP key name | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | The PGP module does not support Unicode.
PGP public and private key ring paths | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | The PGP module does not support Unicode.

Area: RSA

Item | Storage | GUI | Usage | Remarks
RSA Conf.reg path | 8-bit ASCII | 8-bit ASCII | 8-bit ASCII | The RSA DLL only takes ASCII path values.
RSA usernames and passwords | Unicode | Unicode | 8-bit ASCII | RSA does not support Unicode; EFT downgrades to ASCII on usage. Potential loss of fidelity, resulting in failed authentication attempts.


Area: ARM

Item | Storage | GUI | Usage | Remarks
ARM report content | Unicode (audited) | 8-bit ASCII (reported) | 8-bit ASCII (reported) | Loss of fidelity for UTF-8 characters that do not match the local code page for extended ASCII. The VSReport Designer does not support Unicode.

Area: AS2

Item | Storage | GUI | Usage | Remarks
AS2 outbound | n/a | 8-bit ASCII | 8-bit ASCII | AS2 does not support Unicode-encoded filenames. EFT cannot downgrade to ASCII without violating Drummond (AS2 interoperability) requirements, so it disallows the transfer and logs an error.
AS2 inbound | n/a | n/a | n/a | AS2 does not support Unicode-encoded filenames. Unlike offloads, EFT inbound cannot detect whether the incoming filename is Unicode-encoded, so it always hands the file off to the AS2 component, with potential for mixed results. The outcome will be a) an ASCII-encoded filename, b) a failed transaction, or c) an ASCII-encoded unique filename. Refer to the AS2 Inbound Operations Use Case Cheat Sheet below for additional guidance.


Area: RADIUS

Item | Storage | GUI | Usage | Remarks
RADIUS NAS ID | Unicode | 8-bit ASCII | 8-bit ASCII | EFT 6.4 used 8-bit ASCII. EFT 6.5 and later represent the value as a Unicode string internally and then downgrade to 8-bit ASCII on use. Also limited to ASCII in the UI.

RADIUS special cases:

Item | Storage | GUI | Usage | Remarks
RADIUS shared secret | Unicode | Unicode | UTF-8 | The RFC says nothing about the encoding of the RADIUS password. EFT 6.4 used 8-bit ASCII; EFT 6.5 uses UTF-8. This difference between earlier versions and 6.5, and the resulting potential loss of fidelity, is why this item is on this list (even though it is UTF-8).
RADIUS usernames | Unicode | Unicode | UTF-8 | RADIUS usernames and the shared secret can be UTF-8 strings.

Area: HTTP

Item | Storage | GUI | Usage | Remarks
EFT client action HTTP/S credentials | Unicode | n/a | Base64 encoding of the UTF-8 string |
EFT client action HTTP/S proxy | Unicode | n/a | Base64 encoding of the UTF-8 string |

AS2 Inbound Operations Use Case Cheat Sheet

AS2 client compliance with RFC 2184 | File encoding of source file on disk | Resulting change to file encoding in transit | EFT treatment (resulting encoding and/or loss of fidelity)
Standard AS2 client; does not comply with RFC 2184 and relies on filename=<text encoded in ASCII>. (NOTE: the majority of known AS2 clients.) | ASCII | ASCII (no change) | Filename integrity is maintained. No loss of encoding fidelity. This is the normal use case: 7- and 8-bit ASCII transfers with standard ASCII-only AS2 clients work perfectly.
Standard AS2 client (as above) | Unicode | ASCII – down-converted to "??????" or nonsense characters | The /n component fails to process the file because "????" is an invalid filename, so the transfer fails to write to disk. EFT logs this as an error in EFT.log.
AS2 client compliant with RFC 2184; that is, it uses filename*=utf-8''<text encoded in UTF-8> | ASCII | ASCII (no change) | Filename integrity is NOT maintained: the /n component processes the file but converts the filename to a unique 8-bit ASCII filename. There is no loss of encoding fidelity. EFT logs a warning that the filename was changed.
AS2 client compliant with RFC 2184 (as above) | Unicode | Unicode (no change) | Filename integrity is NOT maintained: the /n component processes the file but converts the filename to a unique 8-bit ASCII filename, and there is a loss of encoding fidelity because it is down-converted to ASCII. EFT logs a warning that the filename was changed.
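The four rows of the cheat sheet, as an added Python example (not EFT's code): a parser for the Content-Disposition filename parameter that prefers an RFC 2184/2231 filename*=utf-8''... value over a plain filename= value, rejects a name that arrived mangled to "?", renames any name received through the extended parameter to a unique ASCII name, and strips path separators so the sender cannot choose the directory. The header strings are constructed; the renaming scheme (ASCII-only characters plus a short hash of the original name) is this example's own, not EFT's.

```python
"""Content-Disposition filename handling on AS2 inbound, following the cheat
sheet: an RFC 2184/2231 "filename*=utf-8''..." parameter versus a plain
"filename=" parameter, with non-ASCII names forced down to a unique ASCII
name and mangled names rejected.

Added example, not EFT's code. Headers are constructed; the renaming scheme
in ascii_safe_name is an assumption made for this example.
"""
import hashlib
import re
import urllib.parse
from typing import Optional, Tuple

_EXT_RE = re.compile(r"filename\*=\s*([\w-]+)'[\w-]*'([^;]+)", re.I)
_PLAIN_RE = re.compile(r'filename=\s*(?:"([^"]*)"|([^;]+))', re.I)


def parse_disposition_filename(header: str) -> Tuple[str, bool]:
    """Return (filename, came_from_extended_parameter). filename* wins when
    both are present, as RFC 2231 section 4.2 requires."""
    m = _EXT_RE.search(header)
    if m:
        charset, value = m.group(1), m.group(2).strip()
        return urllib.parse.unquote(value, encoding=charset, errors="strict"), True
    m = _PLAIN_RE.search(header)
    if not m:
        raise ValueError("no filename parameter: " + header)
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip(), False


def ascii_safe_name(name: str) -> str:
    """Unique ASCII name: keep the safe ASCII characters and tag the result
    with a hash of the original so two different Unicode names cannot
    collide on disk."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    tag = hashlib.sha256(name.encode("utf-8")).hexdigest()[:8]
    return f"{base}-{tag}"


def inbound_filename(header: str) -> Tuple[Optional[str], str]:
    """Decide the on-disk name for an inbound AS2 file.

    Returns (name or None, log message), mirroring the table:
      plain filename=, ASCII            -> kept as is
      plain filename=, mangled to "?"   -> rejected, error
      filename*= (RFC 2184), any name   -> renamed to unique ASCII, warning
    Path components are discarded so the sender cannot pick the directory.
    """
    name, extended = parse_disposition_filename(header)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in (".", ".."):
        return None, f"ERROR rejected filename {name!r}"
    if not extended:
        if "?" in name or not name.isascii():
            return None, f"ERROR filename {name!r} lost in transit; not written"
        return name, f"INFO filename {name!r} unchanged"
    safe = ascii_safe_name(name)
    if name.isascii():
        return safe, f"WARN filename {name!r} renamed to {safe!r} (no fidelity loss)"
    return safe, f"WARN filename {name!r} renamed to {safe!r}; non-ASCII characters lost"
```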

AS2 Other/Miscellaneous Limitations

AS2 ID (identifier): ASCII only.
If the source path is Unicode: n/a (source paths are ASCII only).
If the extract path is Unicode: EFT displays a message indicating that Unicode is not allowed.

Q: Why is there no AS2 outbound cheat sheet?

A: EFT controls outbound transfers and disallows UTF-8-encoded filenames from being transferred (see the main exceptions above). EFT is more lenient on the inbound side, depending on the use cases described above.

PGP SDA Exceptions

If source filename is: | Resulting SDA name: | Result
Unicode | n/a | Will fail to generate the SDA
ASCII | ASCII | Works perfectly; everything preserved

Extraction: Unicode | ASCII | ASCII | ASCII | ASCII | Unicode
Result: Will fail to extract Unicode | ASCII


Installer – ASCII ONLY

EFT's installer is not Unicode compliant. You cannot enter Unicode values in the installer for the application data path, admin name, and so on. The values can be changed in EFT afterwards, but with serious ramifications.

Below is a list of ramifications and mitigation strategies if you install EFT, change certain values in EFT to Unicode, and then run the SAT installer or a future EFT installer (upgrade).

Value | EFT Installer | SAT Installer | Customer support mitigation strategy
Admin credentials | No effect if changed, as subsequent installs or upgrades do not query or use this value. | If you install EFT, then change the admin name to Unicode, then attempt to install SAT, you will NOT be able to connect to EFT using the Unicode admin credentials. | Change the admin credentials back to non-Unicode, or create a separate admin account with COM privileges and use that admin from the SAT installer.
Site name | No impact; the EFT installer does not use it. | The SAT installer will not be able to display the Site name. | Create a separate Site in EFT using ASCII only, then use that Site from the SAT installer. If necessary, modify the SAT config XML to reflect the original Unicode Site name, but don't forget to move all scripts and similar items from the second (ASCII) Site over to the primary (Unicode) Site, or SAT won't work properly.
ARM config | Can affect future upgrades of EFT; you cannot enter Unicode values in the installer fields during an upgrade. | No effect; SAT uses COM to communicate auditable changes to EFT. | Do not use Unicode for ARM values. If you do, future upgrades of EFT will not work (until the installer supports Unicode). Change ARM values back to ASCII before performing an upgrade.
SMTP settings | No effect. | SAT uses these values and will fail to write them to its config properly. | Use only ASCII in the EFT interface for SMTP values, or use placeholder values during SAT installation and then modify config.xml to reflect the Unicode values after installation is complete and SAT is working.
App data path (configurable value in EFT) | Future EFT upgrades will fail; the installer cannot retrieve the app data path if it is in Unicode. | No effect; not used. | Do not use Unicode characters in the app data path. If necessary, change it back to an ASCII path (don't forget to move all files over), then run the EFT installer/upgrader.


High Availability Message Queuing

EFT's High Availability (HA) installations for active-active clustering use Microsoft Message Queuing (MSMQ) to share configuration and other data among nodes. All MSMQ messages are Twofish-encrypted.

MSMQ broadcasting is used to communicate that a change has been made to the cluster. When an administrator makes a change to FTP.cfg (adds or disables a user, creates an Event Rule, and so on), the node broadcasts a message to all nodes in the cluster that the FTP.cfg file has been modified and that they should read in the changes. The broadcasting system is also used to notify other nodes when AML, SSL, SSH, and OpenPGP files are created or modified.

Almost all EFT data and operations are synced between all of the nodes, except for the following node-specific data/operations:

• Trial state

• DMZ Gateway settings

• Pending certificates

• Site Start/Stop

• Temporary user lockout

• Invalid login attempts history (when the limit is reached, the user is disabled cluster-wide)

• Temporary IP ban (a permanent ban is cluster-wide)

• File Lock (hiding files that are being uploaded from other connections)

When EFT is installed for active-active clustering, the installer determines whether MSMQ is enabled and enables it if it is not. EFT HA relies on the MSMQ service for two important functions:

• Synchronizing changes made to the cluster configuration (eftcoherencequeue)

• Load balancing Event Rules (efteventqueue)

The Event queue and the Coherence queue are created at service start and destroyed when the service is stopped. They appear in the Computer Management console, under Services and Applications > Message Queuing.

To view Message Queuing

1. In Windows 2012, right-click the Start icon, then click Run.

2. In the Run dialog box, type compmgmt.msc, then press ENTER.

3. Expand the Services and Applications node.

4. Expand the Message Queuing node.


EFT Logging and Visibility

As the EFT log file subsystem writes out the date for the log, it compares the current computer date/time to the log rotation period (hourly/daily/weekly/monthly/yearly) specified on the Logs tab of the Server. When a write-to-log operation is calculated to cross a period (that is, the prior write was within a former period, but the current date/time at write is in a new period), EFT rotates the log file name and then writes to the new log.

EFT activities can be logged in various places:

• The main EFT activity log is saved in the Logs subdirectory of the installation directory (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise\Logs). The file name depends on the log file format (ex, in, nc) and the date/time it was created. For example, a log file in the Microsoft IIS format created on August 22, 2007 is named in070822.log.

• When EFT's Download and Copy/Move Actions offload or download files to or from other servers, the session is recorded to a client log file: cl[yymmdd].log, e.g., cl060312.log.

• HTTP request headers, Authentication Manager activity, and configuration load activity can be saved to the EFT.log file using Log4Cplus logging.

• EFT service startup and failure events appear in the Windows Event Viewer Application log.

• Auditing and Reporting module (ARM) errors can be logged to a text file and viewed in the Windows Event Viewer.

• AS2 information is logged to the ARM database.

For more on logging and viewing status, refer to:

Log Settings

The Client Log

The EFT.log

EFT in the Windows Event Viewer

Server Statistics

Viewing Site Statistics

Viewing Connections to a Site

Viewing Transfers To and From the Site

Viewing User Statistics

Client Log

When EFT's Download and Copy/Move Actions offload or download files, the outbound session is recorded to a log file named cl[yymmdd].log (e.g., cl060312.log) and saved in the Logs subdirectory of the EFT installation folder (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise\Logs). The log file is formatted as follows:

Time; Protocol; Host Name:Port; User Name; Local Path; Remote Path; Operation; GetLastCode

For example:

2006-03-06 10:11:03; ftp; 192.168.20.171:21; ClientA; C:\test1.txt; /test1.txt; download; 226;


A tenth column can be added to the CL log by defining a registry entry. The tenth column indicates the status of the Event: Success (0) or Failure (1). To enable the tenth column, create the DWORD value Enable10ColumnInClientLog at the following path:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape Inc.\EFT 4.0

64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0

Value:

0 or not present = disabled

1 = enabled

With the tenth column enabled, the CL log columns are:

TIME; PROT; HOST:PORT; USER; LOCAL_PATH; REMOTE_PATH; OPERATION; LAST_RESULT_CODE; ACTION_RESULT

When ACTION_RESULT = 1, the transfer failed and the "IF FAILED" Action in the Event Rule is executed.

When ACTION_RESULT = 0, the transfer succeeded and the "IF FAILED" Action in the Event Rule is not executed.

The log can be used for troubleshooting connection and transfer errors. The "GetLastCode" value holds the protocol success or error code, or the socket error. For example, trying to connect to a host that does not exist results in socket error 10060 (connection timed out); if the remote host actively refuses the connection, the code is 10061 (connection refused).

If you are using FTP to make the connection and upload/download a file, you will also see FTP status and error codes. Refer to "Windows Sockets Error Codes" in the Microsoft Developer Network for a complete list of common socket error codes.

In addition to the standard socket error codes, EFT defines the socket error codes described below.

Code | Description
0 | Success (connected OK)
1 | General SOCKS failure
2 | Socket connection not allowed by ruleset
3 | The network is unreachable
4 | The host is unreachable
5 | The remote server actively refused the connection
6 | The Time To Live (TTL) expired. This could indicate a network problem.
7 | The command was not supported by the remote host. Also a catch-all error code.
8 | The address type or format is not supported
10 | Illegal SOCKS name
11 | SOCKS5 authentication failure (username/password incorrect)
12 | Can't connect to the SOCKS server
2000 | Internal timeout error code (multiple reasons, such as a firewall blocking the connection)

FTP and FTP over SSL only return protocol-level success and error codes. For example, a successful transfer would return 226 or a bad login password would return 530. Refer to RFC 959 for a complete list of FTP/S return codes.


Authentication

SFTP (SSH2) returns the following success and error codes:

Code | Description
-1 | Undefined or unknown error (not enough information to determine exactly why it failed). When an OpenSSH client disconnects from EFT, it reports an exit status of -1. The default return code is -1 unless an optional message is returned from the server; EFT does not return the optional message, so the exit status is always -1.
0 | The operation completed successfully
1 | The operation failed because of an attempt to read at end of file
2 | The requested file does not exist
3 | Insufficient privileges to perform the operation
4 | The requested operation failed for some other reason
5 | A badly formatted message was received. This indicates an error or incompatibility in the protocol implementation.
6 | Connection has not been established (yet) and a timeout occurred
7 | Connection to the server was lost, and the operation could not be performed
8 | A timeout occurred
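A parser for the client log that applies these code tables, as an added Python example (not EFT's code). It reads both the original layout and the layout with the tenth ACTION_RESULT column, and it picks the right table from the protocol field, which matters because the small integers collide: a 5 is "connection refused" in the socket table above but "badly formatted message" in the SFTP table. The sample lines are constructed in the format the text gives; the function and class names are assumptions.

```python
"""Parse EFT client-log (cl[yymmdd].log) lines and explain the result code.

Added example, not EFT's code. SAMPLE_LINES are constructed in the format
the text gives, with and without the tenth ACTION_RESULT column. The code
tables are the ones printed on the page: Winsock errors, EFT's SOCKS-style
socket codes, FTP reply codes and the SFTP codes.
"""
from dataclasses import dataclass
from typing import List, Optional

SOCKS_CODES = {
    0: "success (connected OK)", 1: "general socks failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "remote server refused the connection",
    6: "TTL expired", 7: "command not supported (or catch-all)",
    8: "address type or format not supported", 10: "illegal socks name",
    11: "socks5 authentication failure", 12: "cannot connect to socks server",
    2000: "internal timeout (e.g. firewall blocking the connection)",
}
SFTP_CODES = {
    -1: "undefined or unknown error", 0: "completed successfully",
    1: "read at end of file", 2: "requested file does not exist",
    3: "insufficient privileges", 4: "failed for some other reason",
    5: "badly formatted message received", 6: "not connected and timed out",
    7: "connection to the server was lost", 8: "timeout",
}
WINSOCK_CODES = {10060: "WSAETIMEDOUT (connection timed out)",
                 10061: "WSAECONNREFUSED (connection refused)"}

# Constructed sample lines, not real log data: the first without the tenth
# column, the rest with it.
SAMPLE_LINES = [
    r"2006-03-06 10:11:03; ftp; 192.168.20.171:21; ClientA; C:\test1.txt; /test1.txt; download; 226;",
    r"2006-03-06 10:12:41; sftp; [2001:db8::10]:22; ClientB; C:\out\r.csv; /in/r.csv; upload; 3; 1",
    r"2006-03-06 10:13:02; ftp; 192.168.20.200:21; ClientA; C:\out\r.csv; /r.csv; upload; 10061; 1",
    r"2006-03-06 10:14:15; ftps; 192.168.20.171:21; ClientA; C:\out\r.csv; /r.csv; upload; 530; 1",
]


@dataclass
class ClientLogEntry:
    time: str
    protocol: str
    host: str
    port: int
    user: str
    local_path: str
    remote_path: str
    operation: str
    last_code: int
    action_result: Optional[int]  # None when the tenth column is off

    @property
    def failed(self) -> bool:
        """Prefer the explicit ACTION_RESULT; otherwise infer from the code."""
        if self.action_result is not None:
            return self.action_result == 1
        if self.protocol in ("ftp", "ftps"):
            return not 200 <= self.last_code < 300
        return self.last_code != 0

    def explain(self) -> str:
        """Human-readable meaning of last_code, chosen by protocol."""
        code = self.last_code
        if self.protocol == "sftp":
            return SFTP_CODES.get(code, f"unknown SFTP code {code}")
        if self.protocol in ("ftp", "ftps") and 100 <= code <= 599:
            note = {226: " (transfer complete)", 530: " (login failed)"}.get(code, "")
            return f"FTP reply {code}{note}"
        if code >= 10000:
            return WINSOCK_CODES.get(code, f"Winsock error {code}")
        return SOCKS_CODES.get(code, f"unknown socket code {code}")


def parse_line(line: str) -> ClientLogEntry:
    """Split one semicolon-delimited line; a trailing ';' is tolerated."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) not in (8, 9):
        raise ValueError(f"expected 8 or 9 fields, got {len(fields)}: {line!r}")
    host, _, port = fields[2].rpartition(":")  # works for [ipv6]:port too
    return ClientLogEntry(
        time=fields[0], protocol=fields[1].lower(), host=host.strip("[]"),
        port=int(port), user=fields[3], local_path=fields[4],
        remote_path=fields[5], operation=fields[6], last_code=int(fields[7]),
        action_result=int(fields[8]) if len(fields) == 9 else None)


def failed_transfers(lines: List[str]) -> List[ClientLogEntry]:
    return [e for e in (parse_line(l) for l in lines if l.strip()) if e.failed]
```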

EFT.log File

EFT can be instructed to log specific or all HTTP request headers. When the following registry value is set to 1, all HTTP request headers are logged:

[HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape Inc.\EFT 4.0\EFTClient]
"log_request"=dword:1

1 = enable "all request header" logging

0 = disable "all request header" logging [default]

For this registry value to take effect, the file logging.cfg in the EFT installation folder (e.g., C:\ProgramData\Globalscape\EFT Enterprise\logging.cfg) must be configured to log at the DEBUG level. With this logging file, EFT logs requests that require authentication and those that cause session-checking failures. Note that full request-header logging also captures credentials and session tokens carried in Authorization and Cookie headers, so enable it only while troubleshooting and protect the resulting EFT.log accordingly.

The information is logged to a file named EFT.log in the EFT installation folder. If you want to save EFT.log to a different location, change the reference at the bottom of the logging.cfg file from

log4cplus.appender.R.File= ${AppDataPath}\EFT.log

to the location you prefer.

• For details of logging HA activities, refer to High Availability Logging, below.

• For information regarding error codes in the EFT.log, refer to the MSDN article at http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx. For example, error code "5 (0x5)" indicates that access is denied.

Logger Hierarchy

All loggers inherit from the root logger; that is, this is the default level that applies to all loggers:

log4cplus.rootLogger=WARN, R

Each logger's level can be set independently. Children inherit their parent's setting unless set explicitly. For example, you can set Events and its children to a different level than the others:

log4cplus.logger.Events=TRACE

To enable trace-level folder monitor logging for the Site "My Site", the logger entry would be:

log4cplus.logger.Events.FolderMonitor.My_Site=TRACE

To turn on logging for a specific Event Rule, append the Event Rule name (spaces replaced with underscores) after the Site name. The logger name has this format:

log4cplus.logger.Events.[optional event sub logger].[site name].[event rule name]

For example, to enable trace-level logging for the folder monitor rule "My Folder Monitor" for the Site "My Site", the logger entry would be:

log4cplus.logger.Events.FolderMonitor.My_Site.My_Folder_Monitor=TRACE

Notes:

• Because logger names are case sensitive, the case of Site and rule names used as loggers must match their use in EFT.

• If Site or Event Rule names contain spaces, they must be replaced with underscores in the logger entry.

• Not all event-logging entries support Site- or Event Rule-level logging.

The logger hierarchy in EFT includes the following events:

#log4cplus.logger.Administrator=TRACE

#log4cplus.logger.AdminSupport=TRACE

#log4cplus.logger.AdvancedProperties=TRACE

#log4cplus.logger.ARM=TRACE

#log4cplus.logger.ARM.Queue=TRACE

#log4cplus.logger.AS2=TRACE

#log4cplus.logger.AUD.Read=TRACE

#log4cplus.logger.AUD.Write=TRACE

#log4cplus.logger.AuthManager=TRACE

#log4cplus.logger.AuthManager.RADIUS=TRACE

#log4cplus.logger.AuthManager.RADIUS.Packet=TRACE

#log4cplus.logger.AuthManager.RSA=TRACE

#log4cplus.logger.AWE=TRACE

#log4cplus.logger.Backup=TRACE

#log4cplus.logger.CFG.Read=TRACE

#log4cplus.logger.CFG.Write=TRACE

#log4cplus.logger.ClientManager=TRACE

#log4cplus.logger.ClientTransfers=TRACE

#log4cplus.logger.CmdAccess=TRACE

#log4cplus.logger.Common=TRACE

#log4cplus.logger.DMZSupport=TRACE

#log4cplus.logger.Events=TRACE

#log4cplus.logger.Events.AS2=TRACE

#log4cplus.logger.Events.Client=TRACE

#log4cplus.logger.Events.Conn=TRACE

#log4cplus.logger.Events.FolderMonitor=TRACE

#log4cplus.logger.Events.FS=TRACE

#log4cplus.logger.Events.Server=TRACE

#log4cplus.logger.Events.Site=TRACE

#log4cplus.logger.Events.Clustered=TRACE

#log4cplus.logger.Events.ContentIntegrityControl=TRACE

#log4cplus.logger.Events.Workspaces=TRACE

#log4cplus.logger.Events.FolderActions=TRACE

#log4cplus.logger.Events.FileActions=TRACE

#log4cplus.logger.Events.CompressDecompressActions=TRACE

#log4cplus.logger.Events.CompressDecompressServer=TRACE

#log4cplus.logger.Events.WebServices=TRACE

#log4cplus.logger.FileSystem=TRACE

#log4cplus.logger.FTP=TRACE

#log4cplus.logger.HTTP=TRACE


#log4cplus.logger.HTTP.Handler=TRACE

#log4cplus.logger.HTTP.SessionManager=TRACE

#log4cplus.logger.IPAccess=TRACE

#log4cplus.logger.PathManager=TRACE

#log4cplus.logger.PGP.Adapter=TRACE

#log4cplus.logger.Registration=TRACE

#log4cplus.logger.Reporting=TRACE

#log4cplus.logger.Reports=TRACE

#log4cplus.logger.Server.Startup=TRACE

#log4cplus.logger.Server.Stop=TRACE

#log4cplus.logger.Service=TRACE

#log4cplus.logger.SFTP=TRACE

#log4cplus.logger.SMTP=TRACE

#log4cplus.logger.SSL=TRACE

#log4cplus.logger.Status Viewer=TRACE

#log4cplus.logger.Timer=TRACE

#log4cplus.logger.Cluster=TRACE

#log4cplus.logger.Cluster.SharedFiles=TRACE

#log4cplus.logger.Cluster.ChangeQueue=TRACE

#log4cplus.logger.Workspaces=TRACE

#log4cplus.logger.Workspaces.Invite=TRACE

To enable other loggers, type log4cplus.logger.<name_of_event_to_log>=<log_level>.

For example: log4cplus.logger.Server.Startup=TRACE

Log Levels

EFT.log organizes logging levels as a hierarchy: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF.

When you specify a logging level, every more severe level in that hierarchy is also included. That is, if you specify DEBUG level, you also get INFO, WARN, ERROR, and FATAL logs. However, if you specify INFO, you will not log DEBUG or TRACE level activities.

The log reference to "Timeout" is not actually a problem; it is by design in our software. Our auditing mechanism periodically disconnects and reconnects to the database server to avoid the complications of long-running open connections; in particular, drivers in Oracle 11g and earlier are notorious for slow memory leaks that caused problems over time. Thus, our system has a timeout value (defaulting to 180 seconds) after which it disconnects and reconnects to ensure clean processing. The 180 seconds is currently hardcoded into our system.

For example, these log entries are fully expected and do NOT indicate any error:

06-10-15 11:36:29,997 [1848] INFO ARM <SQL Queue Reader> - Timeout: closing the database connection [timeout = 180 seconds]
06-10-15 11:36:32,774 [1848] INFO ARM <SQL Queue Reader> - Database connection closed. Reconnecting...
06-10-15 11:36:32,852 [1848] INFO ARM <SQL Queue Reader> - Reconnection successful
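As an added example (not code from EFT or this guide), the following Python script parses EFT.log lines in the TTCCLayout shown above, applies the level hierarchy described under Log Levels, suppresses the expected ARM reconnect cycle, and flags a cycle that never reports "Reconnection successful". The two trailing sample lines (a failed reconnection and a connection warning) are constructed for the demonstration and are not from the guide.

```python
"""Triage EFT.log lines written by log4cplus' TTCCLayout.

Added example, not part of EFT or its documentation. It parses the layout shown
in the guide (date time,ms [thread] LEVEL logger <NDC> - message), applies the
level hierarchy TRACE < DEBUG < INFO < WARN < ERROR < FATAL, suppresses the ARM
"Timeout ... Reconnection successful" cycle the guide describes as expected, and
flags a cycle that never reaches "Reconnection successful" (audit records are at
risk while ARM has no database connection).
"""
import re
from typing import Dict, List, Optional

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# TTCC line as printed in the guide; the <NDC> part is optional in log4cplus.
TTCC_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>\d+)\] (?P<level>[A-Z]+) (?P<logger>\S+) "
    r"(?:<(?P<ndc>[^>]*)> )?- (?P<message>.*)$"
)

ARM_TIMEOUT = "Timeout: closing the database connection"
ARM_CLOSED = "Database connection closed. Reconnecting..."
ARM_OK = "Reconnection successful"
EXPECTED_ARM = (ARM_TIMEOUT, ARM_CLOSED, ARM_OK)

# Constructed sample: the three lines from the guide, then a second cycle that
# fails and an unrelated warning (the last three lines are invented for the demo).
SAMPLE_LOG = """\
06-10-15 11:36:29,997 [1848] INFO ARM <SQL Queue Reader> - Timeout: closing the database connection [timeout = 180 seconds]
06-10-15 11:36:32,774 [1848] INFO ARM <SQL Queue Reader> - Database connection closed. Reconnecting...
06-10-15 11:36:32,852 [1848] INFO ARM <SQL Queue Reader> - Reconnection successful
06-10-15 11:39:33,001 [1848] INFO ARM <SQL Queue Reader> - Timeout: closing the database connection [timeout = 180 seconds]
06-10-15 11:39:35,120 [1848] INFO ARM <SQL Queue Reader> - Database connection closed. Reconnecting...
06-10-15 11:39:40,500 [1848] ERROR ARM <SQL Queue Reader> - Reconnection failed (constructed sample line)
06-10-15 11:40:01,003 [2210] WARN Events.Conn - Too many connections from 192.0.2.10 (constructed sample line)
not a log line at all
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the TTCC fields of one EFT.log line, or None if it does not match."""
    m = TTCC_RE.match(line.strip())
    return m.groupdict() if m else None


def is_expected_arm_cycle(rec: Dict[str, str]) -> bool:
    """True for the INFO-level ARM reconnect messages the guide says are by design."""
    return (rec["logger"] == "ARM" and rec["level"] == "INFO"
            and rec["message"].startswith(EXPECTED_ARM))


def triage(lines: List[str], threshold: str = "INFO") -> List[Dict[str, str]]:
    """Records at or above `threshold` (same inclusion rule as a logger level), minus the expected ARM cycle."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_expected_arm_cycle(rec):
            continue
        if RANK.get(rec["level"], -1) >= RANK[threshold]:
            out.append(rec)
    return out


def arm_reconnect_health(lines: List[str]) -> Dict[str, int]:
    """Count ARM reconnect cycles that completed and those that never reported success."""
    completed = incomplete = 0
    cycle_open = False
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["logger"] != "ARM":
            continue
        if rec["message"].startswith(ARM_TIMEOUT):
            if cycle_open:          # previous cycle never reported success
                incomplete += 1
            cycle_open = True
        elif rec["message"].startswith(ARM_OK) and cycle_open:
            completed += 1
            cycle_open = False
    if cycle_open:
        incomplete += 1
    return {"completed": completed, "incomplete": incomplete}


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["level"], rec["logger"], rec["message"])
    print(arm_reconnect_health(SAMPLE_LOG))
```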

Appenders

Appenders determine where the output of the logging goes. Each logger can have more than one appender and inherits appenders from parents by default. Appenders have an associated layout that determines the content of the log lines. EFT uses a RollingFileAppender with the TTCCLayout. With this layout, the log contains the name of the logger, date/time, thread id, the log line itself, and other things.

The file logging.cfg in the EFT installation folder provides details of how EFT uses Log4Cplus. For more information about Log4Cplus, refer to http://log4cplus.sourceforge.net/docs/html/classlog4cplus_1_1PropertyConfigurator.html#21e8e6b1440cc7a8a47b8fd14c54b239

The following appenders are enabled by default:

log4cplus.appender.RootFileAppender=log4cplus::RollingFileAppender
log4cplus.appender.RootFileAppender.File=${AppDataPath}\EFT.log
# Each log file will grow up to 20MB in size
log4cplus.appender.RootFileAppender.MaxFileSize=20MB
# Once a log file reaches the maximum file size it will be renamed to a backup
# file. Up to 5 backup files will be kept.
log4cplus.appender.RootFileAppender.MaxBackupIndex=5
# The TTCCLayout outputs time, thread, logger, nested diagnostic context, and log line
log4cplus.appender.RootFileAppender.layout=log4cplus::TTCCLayout

High Availability Logging

This section of the logging.cfg is disabled (commented out) by default. Log HA activities to a separate file for debug diagnostics by enabling the following section of the file (at the bottom of the file):

#log4cplus.appender.HAAppender=log4cplus::RollingFileAppender
#log4cplus.appender.HAAppender.File=${AppDataPath}\EFT-HA.log
#log4cplus.appender.HAAppender.MaxFileSize=20MB
#log4cplus.appender.HAAppender.MaxBackupIndex=5
#log4cplus.appender.HAAppender.layout=log4cplus::TTCCLayout
#log4cplus.logger.Cluster=TRACE, HAAppender
#log4cplus.logger.Events.Clustered=TRACE, HAAppender

Log Format, Type, and Location

To monitor EFT activity, you can reference EFT’s log files. EFT supports W3C, Microsoft IIS, and NCSA log file formats. Server events are logged to a file named [log file format]yymmdd.log, where YY, MM, and DD indicate the numeric year, month, and day respectively. Depending on the log file format selected, a 2-letter abbreviation is prepended to the filename, as described in the table below. For example, a log file in the Microsoft IIS format created on August 22, 2007 is named in070822.log.

By default, log files are saved in the EFT data directory in the Log folder (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise\Logs). Outbound connection information is audited in that same folder in a log named cl<date>.log.

To specify log settings

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the Logs tab.


4. In the Log File Settings area, in the Folder in which to save log files box, type the path to the directory in which to save this Server's log files. To browse for a path, click the folder icon.

5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging.

Changing the log file format disconnects all active users. It is recommended to stop all Sites or wait until all users are inactive before changing the log file format.

The W3C format records all times in GMT (Greenwich Mean Time).

6. The Encode logs in UTF-8 check box is selected by default. If you do not want to encode logs in UTF-8 format, clear the check box. When the check box is cleared, the ex*.log file is named u_ex*.log.

From Microsoft TechNet:

When using the UTF-8 logging feature, note the following:

• A log file logged in UTF-8 does not contain a Byte Order Mark (BOM). File editors use this mark to identify text as UTF-8 text. Therefore, if you attempt to open a log file that is logged in UTF-8 in Notepad by double-clicking the file or by using the Open With option, the file might not display correctly. To open the file in a way that displays it correctly, use the Open command on the File menu and then select UTF-8 in the Encoding box.

• UTF-8 is a double-byte character-set standard. ASCII is a single-byte character-set standard. Because of this disparity, logging UTF-8 information to an ASCII file causes a ? to be logged for the characters that cannot be converted to the code page of the server.

7. In the Log type list, click Standard or Verbose. (Verbose provides more details, but makes larger files.)

8. In the Rotate Log File area, specify Never, Daily, Weekly, or Monthly.

9. Click Apply to save the changes on EFT.

10. Stop and restart EFT.

For information about the Audit Database Settings, refer to Auditing Database Errors and Logging.

Log File Format    Abbreviation
W3C                ex
NCSA               nc
Microsoft IIS      in

Log Example

Below is an example of an ex-formatted log:

#Version: 1.0
#Software: CuteLogger
#Date: 2010-04-08 20:07:50
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port
2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22
2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22
2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22
2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22
2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22
2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990
2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990
2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990
2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990

The log can be read as described below. Each field in the log has either a value (e.g., date) or a dash (-) if no value was sent for that field.

Field          Description                                                   Example
date           Date log was recorded                                         2010-04-08
time           Time log was recorded                                         20:07:16
c-ip           Client IP address                                             192.168.241.1
c-port         Client port                                                   21
cs-username    Username                                                      test
cs-method      Method (Command Sent). One of the following:

               ABOR            Abort an active file transfer
               ACCT            Account information
               ALLO            Allocate sufficient disk space to receive a file
               APPE            Append
               AUTH            Authentication/Security Mechanism
               CCC             Clear Command Channel
               CDUP            Change to Parent Directory
               CHANGEPASSWORD  Change the password
               CLIENTCERT      Client SSL certificate was rejected (reason is provided in the log entry).
               COMB            Combines file segments into a single file on EFT.
               CREATED         File was created (uploaded).
               CWD             Change working directory
               DELE            Delete file
               EPRT            Specifies an extended address and port to which the server should connect
               EPSV            Enter extended passive mode
               FEAT            Get the feature list implemented by the server
               HELP            Display a list of all available FTP commands
               KICK            Client connection was closed by administrator.
               LIST            Returns information of a file or directory if specified, else information of the current working directory is returned
               MDTM            Return the last-modified time of a specified file
               MKD             Make directory
               MLSD            Lists the contents of a directory if a directory is named
               MLST            Provides data about exactly the object named on its command line, and no others
               MODE            Sets the transfer mode (Stream, Block, or Compressed)
               NLIST           Returns a list of file names in a specified directory
               NOOP            No operation (dummy packet; used mostly on keepalives)
               OPTS            Select options for a feature
               PASS            Authentication password
               PASV            Enter passive mode
               PBSZ            Protection Buffer Size
               PORT            Specifies the port to which the server should connect
               PROT            Data Channel Protection Level
               PWD             Print working directory; returns the current directory of the host
               QUIT            Disconnect
               REIN            Reinitializes the connection
               REST            Restart transfer from the specified point
               RETR            Transfer a copy of the file
               RMD             Remove a directory
               RNFR            Rename from
               RNTO            Rename to
               SENT            File was sent (downloaded).
               SITE            Sends site specific commands to remote server
               SIZE            Return the size of a file
               SMNT            Mount file structure
               SSCN            Set secured client negotiation
               SSH_DISCONNECT  SFTP (SSH) client connection was closed (reason is provided in the log entry).
               STAT            Returns the status
               STOR            Accept the data and store the data as a file at the server site
               STOU            Store file uniquely
               STRU            Set file transfer structure
               SYST            Return system type
               TYPE            Sets the transfer mode
               USER            Authentication username
               WEBSERVICE      Web Service was invoked.
               XCRC            Compute CRC32 checksum on specified file

cs-uri-stem    Stem portion of URI                                           /Test+File+1.txt
cs-uri-query   Query portion of URI                                          -
sc-status      Status code                                                   226 (Closing data connection. Requested file action successful.)
sc-bytes       The number of bytes that the server sent to the client.       541
cs-bytes       The number of bytes that the client sent to the server.       54
s-name                                                                       -
s-port         Server port                                                   22

For information about log file formatting, refer to http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/be22e074-72f8-46da-bb7ee27877c85bca.mspx?mfr=true.
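As an added example (not code from EFT or this guide), the following Python script parses an ex-formatted log using its #Fields header, splits EFT's "[n]command" cs-method into session number and command, and reconstructs each uploaded file's history from the field table above. The embedded sample is the log printed above; it assumes the data lines are space-delimited with a dash for an empty field, and that the header names the ninth field sc-status, as the field table does.

```python
"""Parse EFT's W3C Extended (ex*.log) server log and follow each uploaded file.

Added example; not part of EFT or its documentation. It reads the #Fields
directive, maps every data line to a dict (a dash means "no value"), splits
EFT's "[n]command" cs-method into session number and command, decodes the
'+'-encoded cs-uri-stem, and rebuilds each uploaded file's history (renames,
downloads, deletion) within its session, which is what an incident responder
needs when asking "which upload was later downloaded or removed?".
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The guide's sample log, with the field header written as sc-status.
SAMPLE_EX_LOG = """\
#Version: 1.0
#Software: CuteLogger
#Date: 2010-04-08 20:07:50
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes s-name s-port
2010-04-08 20:07:07 192.168.241.1 - test [1]user test - 331 - - - 22
2010-04-08 20:07:07 192.168.241.1 - test [1]pass ******* - 230 - - - 22
2010-04-08 20:07:16 192.168.241.1 - test [1]created /Test+File+1.txt - 226 - 54 - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnfr /Test+File+1.txt - 350 - - - 22
2010-04-08 20:08:23 192.168.241.1 - test [1]rnto /Test+File+2.txt - 250 - - - 22
2010-04-08 20:08:26 192.168.241.1 - test [1]sent /Test+File+2.txt - 226 - 54 - 22
2010-04-08 20:10:02 192.168.241.1 - test [1]dele /Test+File+2.txt - 250 - - - 22
2010-04-08 20:10:08 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:10:09 192.168.241.1 - test [1]ssh_disconnect timeout - 421 - - - 22
2010-04-08 20:11:57 192.168.241.1 - test [2]user test - 331 - - - 990
2010-04-08 20:11:57 192.168.241.1 - test [2]pass ****** - 230 - - - 990
2010-04-08 20:12:04 192.168.241.1 - test [2]created /Test+File+1.txt - 226 - 54 - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnfr /Test+File+1.txt - 350 - - - 990
2010-04-08 20:12:16 192.168.241.1 - test [2]rnto /Test+File+2.txt - 250 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnfr /Test+File+2.txt - 350 - - - 990
2010-04-08 20:12:28 192.168.241.1 - test [2]rnto /Test+File+3.txt - 250 - - - 990
2010-04-08 20:12:31 192.168.241.1 - test [2]sent /Test+File+3.txt - 226 122 - - 990
"""

FIELDS_PREFIX = "#Fields: "
METHOD_RE = re.compile(r"^\[(\d+)\](\S+)$")   # EFT prefixes the command with the session number

Record = Dict[str, Optional[str]]


def parse_w3c(text: str) -> List[Record]:
    """Map each data line to {field: value}; '-' becomes None. Adds session, command and path keys."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                       # directive lines
            if line.startswith(FIELDS_PREFIX):
                fields = line[len(FIELDS_PREFIX):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec: Record = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        m = METHOD_RE.match(rec.get("cs-method") or "")
        rec["session"] = m.group(1) if m else None
        rec["command"] = (m.group(2) if m else (rec.get("cs-method") or "")).lower()
        stem = rec.get("cs-uri-stem")
        rec["path"] = unquote_plus(stem) if stem else None
        records.append(rec)
    return records


def file_lifecycles(records: List[Record]) -> List[dict]:
    """Follow each successful upload (created/226) through RNFR/RNTO renames, SENT downloads and DELE."""
    lifecycles: List[dict] = []
    live: Dict[tuple, dict] = {}                        # (session, current path) -> lifecycle
    pending: Dict[Optional[str], Optional[str]] = {}    # session -> RNFR source awaiting RNTO
    for r in records:
        key = (r["session"], r["path"])
        cmd, status = r["command"], r.get("sc-status")
        if cmd == "created" and status == "226":
            lc = {"session": r["session"], "user": r.get("cs-username"), "names": [r["path"]],
                  "bytes_in": int(r.get("cs-bytes") or 0), "downloads": 0, "deleted": False}
            lifecycles.append(lc)
            live[key] = lc
        elif cmd == "rnfr" and status == "350":
            pending[r["session"]] = r["path"]
        elif cmd == "rnto" and status == "250":
            lc = live.pop((r["session"], pending.pop(r["session"], None)), None)
            if lc:
                lc["names"].append(r["path"])
                live[key] = lc
        elif cmd == "sent" and status == "226" and key in live:
            live[key]["downloads"] += 1
        elif cmd == "dele" and status == "250" and key in live:
            live.pop(key)["deleted"] = True
    return lifecycles


if __name__ == "__main__":
    for lc in file_lifecycles(parse_w3c(SAMPLE_EX_LOG)):
        print(lc)
```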


EFT in the Windows Event Viewer

Certain EFT events, such as service startup and failure, appear in the Application log of the Windows Event Viewer.

• Click the Source column header to group the EFT logs together.

• The Category column displays the component, if applicable, that caused the log to be written. In the example above, ARM appears in the Category column. (ARM did not start because it was unable to connect to the database.)

When the trial period ends for modules for which you did not purchase a license, an information error appears in the Event Log to indicate that the module has expired.

You can add a "Write to Windows Event Log" Action to Event Rules.

Authentication

EFT supports the following database types for authenticating users:

• Globalscape Authentication does not rely on outside sources for user information. All information in the database is:

  o Protected from the operating system

  o Contained within the .aud file located in the EFT installation folder (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise). The path to the .aud file is defined in ftp.cfg. If you change the path to either of those files, you must redefine the path to the .aud file on the Site's General tab User auth manager configuration.

  o Encrypted and can only be modified through the administration interface.

• Windows Active Directory (NTLM/AD) Authentication. Using this method, EFT assigns permissions to users from the NT user database on the system that is running EFT. EFT queries the Primary Domain Controller (PDC) for your domain and adds all domain users to the Settings Template tree.

• LDAP (Lightweight Directory Access Protocol) is a protocol for accessing information directories on an LDAP Server.

  o SMS authentication is available on LDAP sites.

• ODBC Authentication allows all users in an external ODBC database to have access to EFT.

Once a Site has been created, you cannot change the authentication method.

When the High Security module is activated, RADIUS is supported on each Globalscape, LDAP, or ODBC-authentication Site. (RADIUS is available in EFT Enterprise only.)

EFT Authentication Database (.AUD)

When you create a Site, EFT creates a file called FTP.cfg. FTP.cfg contains a list of all of the users defined on a Site, as well as all of the users' personal information, such as AS2 settings, enabled protocols, e-mail address, home folder, etc. The user lists are organized in the file by Site, so you can have multiple Sites with the same account name. Depending on the type of authentication chosen, EFT also creates an .aud file for the Site (e.g., MySite.aud). The .aud file is an authentication database that contains information that is not supported by the chosen authentication method, but is used by EFT. For example, LDAP authentication does not use groups, so the .aud file for LDAP contains the list of groups and the distribution of users between these groups that are used in EFT. Active Directory authentication uses the methods and properties provided by the AD server; therefore, EFT does not need an .aud file for AD-authenticated Sites.

Automatically Updating the User Authentication Database

EFT can automatically check the user authentication database at regular intervals to make sure the user information is correct and current. This feature updates EFT only. You can also override EFT's refresh rate for each Site individually.

Database refresh should be disabled on EFT nodes used in HA configurations. (Set to Never refresh user list automatically.)

Depending on the refresh settings, a user account might not immediately appear in the administration interface when you create the account. When a user account that has not yet appeared in the list attempts to log on, the Server will query the user authentication manager to determine if the user account is authorized to connect to EFT. Once the account has been verified, it will appear in the list. You can also manually refresh to see any changes (View > Refresh User Database).

In the COM API, use ICISite::ForceSynchronizeUserDatabase.

To automatically update authentication information

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the General tab.

4. In the Default user database refresh interval list, select how often you want the EFT service to check for changes to the authentication database. If you do not want the service to check, click Never refresh user list automatically.

When you click Refresh in the administration interface, it only checks the EFT service for updated user information. It does not check the authentication database.

Globalscape EFT™ Authentication

Globalscape EFT Authentication does not rely on outside sources for user information. All information in the authentication database is protected from the operating system, contained within the .aud file located in EFT data folder (e.g., C:\ProgramData\Globalscape\EFT Enterprise). The data is encrypted and can only be modified through the administration interface.

Refer to Defining Connections to the Server for details of creating a Site that uses Globalscape EFT authentication.

Changing the Path to the .aud File

You cannot change the authentication method after you have created a Site; however, if you need to change the authentication options, you can do so on the General tab of the Site. After you change the options, you must manually refresh the administration interface.

To edit the AD authentication options for a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the General tab.

4. Next to the User auth manager box, click Configure. The Authentication Provider Options dialog box appears.

5. In this dialog box, you can specify whether the user list in the interface is refreshed automatically and, if so, how often it is refreshed. The path to the .aud file for the Site is displayed in the text box. If you move or upgrade the Server, ensure the correct path to the .aud file is displayed in this box.

The user list is not refreshed automatically when a Site is stopped for Server startup; user database synchronization timer; or administrator changes related to the user database. You can manually refresh the user database by clicking View > Refresh User Database on the main menu.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT. You might need to click Refresh to see any changes.

Specifying the Client Home Folder

During Site Setup, you can specify whether EFT should create users' home folders for newly created users. In Globalscape authentication, the user's home folder name/location is determined by the configuration in the Settings Template on the General tab:

As you can see in the table below:

• If the Settings Template folder is not defined, then the user (client) folder (e.g., JDoe) appears in the root of the Site (e.g., /Usr/JDoe)

• If the Settings Template folder is defined (e.g., /Usr/MyUsers), the user (client) folder appears in the Settings Template folder (/Usr/MyUsers/JDoe).

Settings Template home folder    Client home folder
Not Defined                      /Usr/JDoe
/Usr/MyUsers                     /Usr/MyUsers/JDoe

For details of the Virtual File System (VFS), refer to Virtual File System.


Changing Windows Authentication Options

You cannot change the authentication method after you have created a Site; however, if you need to change the authentication options, you can do so on the General tab of the Site. After you change the options, you must manually refresh the administration interface. Any users logged on to the Site will be disconnected if you change the AD configuration and click OK, because the Site will stop and then restart. If you remove a logged-on user account from AD, the account is not removed from the interface until after they log off and you refresh the interface.

Regardless of the logon name chosen, EFT will accept the provided logon name type, whether UPN, NT4 account name, common name, or display name, and if a match exists, the user will be authenticated and the chosen logon name type will be displayed in the administration interface.

Logon name type               Allowed login form
NT4 Account Name (NT4)        NT4/UPN
Display Name (DN)             DN/NT4/UPN
User Principal Name (UPN)     UPN/NT4
Common Name (CN)              CN/NT4/UPN

To edit the AD authentication options for a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the AD Site you want to configure.

3. In the right pane, click the General tab.

4. Next to the User auth manager box, click Configure. The Windows Authentication Options dialog box appears.

5. To specify that the user list is to be updated automatically, select the Refresh user list automatically every check box, then specify how often you want EFT to check the authentication database for new users. Clear the check box if you do not want the Site's user list to refresh automatically.

6. When you created the Site, you specified either Active Directory or Local System Accounts. If you need to change this, click the appropriate option to match the authentication method used on EFT's domain. Authentication is done with the LogonUser() function. The operating system determines which method to use for authentication, such as Kerberos, NTLM2, etc.

• Active Directory - EFT queries the domain controller for a list of users and groups.

• NTLM Authentication - EFT queries the local system to get the list of users and groups.

7. In the Domain area, do one of the following:

• Click Default if you want to use the authentication database from the computer's current domain.

• Click Specify, then in the box, provide the domain name that contains the authentication database.

8. In the Group area, do one of the following:

• To allow access to every user in the domain's database, click Everyone.

• To allow access to only a specific AD Group, click Specify, then in the box, type the AD Group name for users that will have access to the Server.

9. In the Use this user attribute as the logon name box, click the list to specify the attribute to use (only available when AD authentication is selected):

• NT 4 Account Name - Domain name (e.g., "globalscape\bsmith" or "bsmith")

• Display Name - (DN) When a new user is created in Active Directory, the Full name field is always generated in FirstName LastName format (but can be changed manually). This field sets the Display Name field upon account creation.

• User Principal Name - (UPN) Login name in e-mail format. For example, [email protected]

• Common Name - (CN) Dynamic name. Usually the same as Display Name. However, if Display Name is blank, then it will be the NT4 account name.

10. In the When creating home folders for newly added users area, specify whether you want the Site to Create a virtual folder pointing to the user's home folder as defined by AD or Create a physical folder under the site root folder using the user's login name.

(These options are not available if the Automatically create home folder for new users check box is cleared on the Security tab of the Site. This setting affects all users on this Site, including existing user accounts.)

11. The Use [account] rather than [domain].[account] for folder naming format check box is selected by default when you are using the NT4 Account Name as a logon attribute and if Create a physical folder under the site root folder is selected. Without the check box selected, the user's folder in the VFS is named with the domain and the user account (domain.username). Selecting the check box removes the domain from the folder name. Refer to Removing Domain from the User Folder Name for more information.

12. To verify your settings, click Test. The Authentication Manager Test Results dialog box appears and EFT attempts to connect to the domain controller to get the user list. If it is successful, the list of registered users appears in the tree under the Settings Template. To close the dialog box, click Close or press ESC.

13. Click OK to save the settings. Any users who were logged in to the Site will be disconnected, because the Site will stop and then restart.

14. Click Apply to save the changes on EFT.

Local Security Policy Setting when Using Active Directory Authentication

To use AD authentication, Globalscape Customer Support recommends creating an AD account for the EFT service "Log on as" account with adequate privileges to all of the resources (AD domain query, network shares) required for the Site. There is no set formula for the type of account needed, because network configurations vary. Some EFT customers might need to pull users across multiple domains or might want to restrict that kind of access. Consult with your AD network administrator for assistance, if necessary.

If you are using a Domain User account (an AD account that is a member of the Domain Users group and nothing more), make sure that full permissions are granted to the EFT service domain user account in the following locations:

• Installation folder

• Application data folder

• Windows temp folder (varies by system)

• Any shared drive paths required by EFT

• Any output directories to which EFT may need to read/write files

In Component Services, provide the appropriate permissions:

1. Click Start > Run, type dcomcnfg.exe, then press ENTER. Component Services appears.

2. Expand Component Services > Computers.

3. Right-click the My Computer node, and then click Properties. The My Computer Properties dialog box appears.


4. Click the COM Security tab.

5. Under Launch and Activation Permissions group, click Edit Default.

6. Add the domain user and then select the Allow check box for Local Launch and Local Activation.

7. Click OK, then OK again, then close Component Services.

If you run into issues, run Process Monitor or a similar tool and isolate the non-success results caused by cftpsai.exe, cftpstes.exe, gsawe.exe, and other EFT processes.

Refer to Support for Foreign Groups for more information.

Support for Foreign Groups

EFT allows you to specify only one domain and one group. However, that group can contain groups and users from foreign domains, as long as a trust relationship exists between the domains, so users from remote domains can authenticate to EFT. The domain in which EFT resides will need to have a group that contains the foreign domain users.

The main point is that EFT only talks to one AD/forest/controller. If the AD/forest/controller is properly configured to get information from the other domain/forest, then EFT will authenticate those users. This also applies to the Secure Ad Hoc Transfer (SAT) authentication module when AD authentication is used.

When your forest contains domain trees with many child domains and you observe noticeable user authentication delays between the child domains, you can optimize the user authentication process between the child domains by creating shortcut trusts to mid-level domains in the domain tree hierarchy. For more information, refer to When to create a shortcut trust on Microsoft's website. For details of controlling access to shared resources across domains, refer to the Microsoft TechNet article, Accessing resources across domains.

In the Windows Authentication page of the Site Setup wizard, you can specify any combination Domain and Group names, as long as the EFT service is running under an account that has rights to list users in that Domain and/or Group.


Login Requirements for Active Directory and Windows Local Account Permissions

Removing Domain from the User Folder Name

The Use [account] rather than [domain].[account] for folder naming format check box in the Windows Authentication Options configuration (in the Site wizard and on the Site's General tab) is selected by default when you are using the NT4 Account Name as a logon attribute and if Create a physical folder under the site root folder is selected. Without the check box selected, the user's folder in the VFS is named with the domain and the user account (domain.username). Selecting the check box removes the domain from the folder name.

The relevant settings are indicated in the screen shots below. The table below the screen shots describes what the user's home folder would be in the VFS with various configuration.


In the examples in the table:

• AD domain name is "win2k3_2.com"

• Domain controller has configuration for user "JDoe"

• Local path: "C:\InetPub\"

• Display Name: "DNJDoe"


Automatically create home folder check box in Site Setup wizard: Selected

Settings Template home folder (General tab of Settings Template) | Logon Name | Home folder type | Use [account] rather than [domain].[account] | Client home folder after first login (before logging in, no client home folder is defined) | Actual home folder
Not Defined | NT4 Account Name | Virtual | Selected | /Usr/JDoe | C:\InetPub
Not Defined | NT4 Account Name | Virtual | Cleared | /Usr/WIN2K3_2.1 | C:\InetPub
Not Defined | NT4 Account Name | Physical | Selected | /Usr/JDoe | /Usr/JDoe
Not Defined | NT4 Account Name | Physical | Cleared | /Usr/win2k3_2.1 | /Usr/win2k3_2.1
Not Defined | Display Name | Virtual | Not available | /Usr/DisplayNameJDoe | C:\InetPub
Not Defined | Display Name | Physical | Not available | /Usr/DisplayNameJDoe | /Usr/DisplayNameJDoe
Not Defined | User Principal Name | Virtual | Not available | /Usr/JDoe@win2k3_2.com | C:\InetPub
Not Defined | User Principal Name | Physical | Not available | /Usr/JDoe@win2k3_2.com | /Usr/JDoe@win2k3_2.com
Not Defined | Common Name | Virtual | Not available | /Usr/JDoe | C:\InetPub
Not Defined | Common Name | Physical | Not available | /Usr/JDoe | /Usr/JDoe
/Usr/MyUsers | NT4 Account Name | Virtual | Selected | /Usr/MyUsers/JDoe | C:\InetPub
/Usr/MyUsers | NT4 Account Name | Virtual | Cleared | /Usr/MyUsers/win2k3_2.1 | C:\InetPub
/Usr/MyUsers | NT4 Account Name | Physical | Selected | /Usr/MyUsers/JDoe | /Usr/MyUsers/JDoe
/Usr/MyUsers | NT4 Account Name | Physical | Cleared | /Usr/MyUsers/win2k3_2.1 | /Usr/MyUsers/win2k3_2.1
/Usr/MyUsers | Display Name | Virtual | Not available | /Usr/MyUsers/DisplayNameJDoe | C:\InetPub
/Usr/MyUsers | Display Name | Physical | Not available | /Usr/MyUsers/DisplayNameJDoe | /Usr/MyUsers/DisplayNameJDoe
/Usr/MyUsers | User Principal Name | Virtual | Not available | /Usr/MyUsers/JDoe@win2k3_2.com | C:\InetPub
/Usr/MyUsers | User Principal Name | Physical | Not available | /Usr/MyUsers/JDoe@win2k3_2.com | /Usr/MyUsers/JDoe@win2k3_2.com
/Usr/MyUsers | Common Name | Virtual | Not available | /Usr/MyUsers/JDoe | C:\InetPub
/Usr/MyUsers | Common Name | Physical | Not available | /Usr/MyUsers/JDoe | /Usr/MyUsers/JDoe

Automatically create home folder check box in Site Setup wizard: Cleared

Settings Template home folder (General tab of Settings Template) | Logon Name | Home folder type | Use [account] rather than [domain].[account] | Client home folder | Actual home folder
Not Defined | NT4 Account Name | Not available | Not available | Undefined | Site root
Not Defined | Display Name | Not available | Not available | Undefined | Site root
Not Defined | User Principal Name | Not available | Not available | Undefined | Site root
Not Defined | Common Name | Not available | Not available | Undefined | Site root
/Usr/MyUsers | NT4 Account Name | Not available | Not available | Undefined | Settings Template folder
/Usr/MyUsers | Display Name | Not available | Not available | Undefined | Settings Template folder
/Usr/MyUsers | User Principal Name | Not available | Not available | Undefined | Settings Template folder
/Usr/MyUsers | Common Name | Not available | Not available | Undefined | Settings Template folder

For details of the Virtual File System (VFS), refer to Virtual File System.

Understanding LDAP Authentication

EFT Enterprise supports using an LDAP (Lightweight Directory Access Protocol) database for authenticating users. LDAP is a protocol used for accessing information directories on an LDAP Server. A typical LDAP server is a simple network-accessible database in which user account lists are stored and includes information about those users and the privileges assigned to each user. LDAP support on EFT allows you to authenticate users through connection to LDAP servers such as Novell eDirectory server, OpenLDAP, Sun ONE Server, Microsoft’s Active Directory server, and Tivoli Access Manager.

This help file is not intended as an LDAP tutorial. For information about LDAP, download the Microsoft white paper "Understanding LDAP" at http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc.

Advanced LDAP Filtering

(Available in EFT Enterprise)

EFT's LDAP authentication manager allows you to create complex filters for retrieving sub-sets of users across your LDAP directory, similar to retrieving users only in a specific group in Active Directory. The Server follows the filtering conventions outlined in http://www.faqs.org/rfcs/rfc2254.html.

LDAP filtering is a complex task that requires an advanced understanding of LDAP. For detailed information, please refer to RFC 2252 - Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions, RFC 2251 - Lightweight Directory Access Protocol (v3), and RFC 2254 - The String Representation of LDAP Search Filters. The operators used in the search filter (&, |, =, ~=, etc.) are defined in RFC 2254.

When you Create a Site that Uses LDAP Authentication, you must specify the User Filter on the LDAP Authentications page of the wizard. You can also specify or edit the user filter in the LDAP Authentication Options dialog box.

The default User Filter is (objectClass=person). This means that every entry whose objectClass attribute includes the value person is returned in the search result, which may be highly inefficient if you want to authenticate only the users in your marketing department.

Each entry in an LDAP tree consists of one or more attributes that define that entry. Each attribute has a name (attribute type) and is assigned one or more values. The entry itself is defined using a unique identifier, such as its Distinguished Name (dn), that is constructed from selected attributes in the entry followed by the parent’s dn, such as: cn=john smith,dc=example,dc=com.

Below is a sample entry, with its attributes and values:

dn: cn=Jane Smith,dc=example,dc=com
cn: Jane Smith
givenName: Jane
sn: Smith
telephoneNumber: 555 1234
telephoneNumber: 555 5678
mail: [email protected]
manager: cn=Alma Mia,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

The User Filter field appends a filter to the LDAP search query so that only the entries that match the filter are retrieved. A default filter is provided that verifies the ObjectClass attribute of a particular entry is of type person. There can be many other types, such as printer.


EFT v7.2 User Guide

Suppose you only want to pull users from an Organization Unit (ou) container (similar to a group under AD) that is a couple of levels removed from the root Organization (o) container. In this case, simply applying a filter where (objectClass=person) pulls users from the entire organization, instead of just the desired OU. Pulling users from the desired OU is accomplished by defining a more complex filter, as described below.

Below is an example of an LDAP directory with multiple ous under an o:

[-] o=Globalscape
    [-] ou=ResearchAndDevelopment
        cn=jbond
        cn=jsmith
    [-] ou=HumanResources
        cn=jdoe
    [+] ou=Marketing
    [+] ou=PM

Below are the entry properties for ResearchAndDevelopment and for one of the entries contained within that ou.

For ResearchAndDevelopment:

DN: ou=ResearchAndDevelopment,o=MyOrganization

ObjectClass: Top

ObjectClass: OrganizationalUnit

ObjectClass: ndsLoginProperties

ObjectClass: ndsContainerLoginProperties

Ou: ResearchAndDevelopment

And for jbond:

DN: cn=jbond,ou=ResearchAndDevelopment,o=MyOrganization

ObjectClass: Person

ObjectClass: ndsLoginProperties

ObjectClass: Top

GroupMembership: cn=TestGroup,o=MyOrganization

sn: bond

cn: jbond

Suppose you want to pull all users of ObjectType = Person from the R&D and HR ous, but not any users from Marketing and PM. The filter would be:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))

The filter above is called an extensible match search because it specifies, through the :dn: option after the attribute name ou, that the attributes making up the entry's DN should be considered as part of the entry.

If you had used ou:= rather than ou:dn:=, no results would have been returned, because the ResearchAndDevelopment entry does not match the objectClass=person criteria, and jbond (which does have an objectClass=person) does not match the ou=ResearchAndDevelopment criteria EXCEPT for the fact that it does have ou=ResearchAndDevelopment as part of that entry's Distinguished Name (dn). Therefore ou:dn:=ResearchAndDevelopment DOES return jbond as one of the users in the search result.

Below is a similar query, except that Mr. Bond is excluded using a negation filter, while everyone else under R&D and HR is included.

(&(&(!(cn:dn:=jbond))(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))(objectclass=Person))

Here is an example of pulling all users from all ous except those in the R&D and HR containers:

(&(!(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))(objectClass=person))


Authentication

The filter above returns all entries that have an objectClass attribute equal to person, but does not return any entry whose dn contains ResearchAndDevelopment or HumanResources as an ou attribute.

Here is one last example that retrieves a user with an objectClass=person attribute and a groupMembership attribute equal to cn=TestGroup,o=MyOrganization.

(&(objectclass=Person)(groupMembership=cn=TestGroup,o=MyOrganization))

The use of value=value=value in the above example can be confusing. In this case the entire string that follows the first equal sign after groupMembership must match cn=TestGroup,o=MyOrganization, which is the case for the jbond entry.

Once you have defined a filter, click Test to verify the results, before continuing with creating the Site or editing the LDAP authentication options .

More examples:

Search filter | Description
(objectClass=*) | All objects
(&(objectCategory=person)(objectClass=user)(!(cn=andy))) | All user objects but "andy"
(sn=sm*) | All objects with a surname that starts with "sm"
(&(objectCategory=person)(objectClass=contact)(|(sn=Smith)(sn=Johnson))) | All contacts with a surname equal to "Smith" or "Johnson"
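To make the ou:dn:= versus ou:= distinction concrete, here is a small RFC 2254 filter evaluator written as an added example for this guide; it is not EFT code and does not query a live server. It models the directory tree above in memory (using o=MyOrganization, as in the DN examples, plus an assumed Marketing user cn=mjones) and runs this section's filters and the table's examples against it.

```python
import re

# Constructed in-memory directory modelled on the tree above (o=MyOrganization as in
# the DN examples). Attribute types are stored lowercase. cn=mjones under ou=Marketing
# is an assumed entry so the "everyone except R&D and HR" filter has something to return.
DIRECTORY = {
    "ou=ResearchAndDevelopment,o=MyOrganization": {
        "objectclass": ["Top", "OrganizationalUnit", "ndsLoginProperties",
                        "ndsContainerLoginProperties"], "ou": ["ResearchAndDevelopment"]},
    "ou=HumanResources,o=MyOrganization": {
        "objectclass": ["Top", "OrganizationalUnit"], "ou": ["HumanResources"]},
    "cn=jbond,ou=ResearchAndDevelopment,o=MyOrganization": {
        "objectclass": ["Person", "ndsLoginProperties", "Top"], "sn": ["bond"],
        "cn": ["jbond"], "groupmembership": ["cn=TestGroup,o=MyOrganization"]},
    "cn=jsmith,ou=ResearchAndDevelopment,o=MyOrganization": {
        "objectclass": ["Person", "Top"], "sn": ["Smith"], "cn": ["jsmith"]},
    "cn=jdoe,ou=HumanResources,o=MyOrganization": {
        "objectclass": ["Person", "Top"], "sn": ["Doe"], "cn": ["jdoe"]},
    "cn=mjones,ou=Marketing,o=MyOrganization": {  # assumed entry, not in the text
        "objectclass": ["Person", "Top"], "sn": ["Jones"], "cn": ["mjones"]},
}

# attr=value, attr:=value (extensible match, equality here) or attr:dn:=value
ITEM = re.compile(r"([A-Za-z][\w-]*)(:dn)?:?=(.*)", re.S)


def dn_components(dn):
    """'cn=jbond,ou=R,o=Org' -> [('cn', 'jbond'), ('ou', 'R'), ('o', 'Org')]."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def parse(text, i=0):
    """Recursive-descent parser for the RFC 2254 subset used in this section.
    Returns (node, index after node); nodes are ("and"|"or", [children]),
    ("not", child) or ("item", attr, match_dn, pattern)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {text!r}")
    op = text[i + 1]
    if op in "&|":
        i += 2
        children = []
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i} in {text!r}")
        return ("and" if op == "&" else "or", children), i + 1
    if op == "!":
        child, i = parse(text, i + 2)   # NOT must wrap a parenthesised filter
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i} in {text!r}")
        return ("not", child), i + 1
    end = text.index(")", i)
    m = ITEM.fullmatch(text[i + 1:end])
    if not m:
        raise ValueError(f"bad filter item {text[i + 1:end]!r}")
    attr, dn_flag, pattern = m.groups()
    return ("item", attr.lower(), dn_flag is not None, pattern), end + 1


def value_matches(pattern, value):
    """caseIgnore equality; '*' is a wildcard, so (sn=sm*) is a prefix match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, dn, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(child, dn, entry) for child in node[1])
    if kind == "or":
        return any(matches(child, dn, entry) for child in node[1])
    if kind == "not":
        return not matches(node[1], dn, entry)
    _, attr, match_dn, pattern = node
    values = list(entry.get(attr, []))
    if match_dn:
        # ':dn:' also considers the RDN attributes of the entry's own DN, which is why
        # ou:dn:=ResearchAndDevelopment matches jbond although jbond has no ou attribute
        values += [v for t, v in dn_components(dn) if t == attr]
    return any(value_matches(pattern, v) for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the sorted DNs of the entries the filter selects."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, entry in directory.items() if matches(node, dn, entry))


if __name__ == "__main__":
    for f in ("(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))",
              "(&(objectClass=person)(|(ou:=ResearchAndDevelopment)(ou:=HumanResources)))"):
        print(f, "->", search(f))
```

The second filter in the usage block is the ou:= variant from the text and returns nothing, for exactly the reason the paragraph above gives.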

Connecting to an LDAP Server

In EFT Enterprise, you can create an LDAP-authenticated Site and connect to an LDAP server. To enable LDAP SSL, you need to have a certificate that includes Server Authentication on the LDAP server you are connecting to. If you install Certificate Services on the domain on which EFT is installed, you can request the certificate on the LDAP server. For more information, refer to the Microsoft Support article "How to enable LDAP over SSL with a third-party certification authority."

When you create a Site that uses LDAP authentication, you will need to provide the following information:

• IP address/Domain Name of the LDAP server

• Port of the LDAP server. The default is port 389; port 636 for SSL connections.

• Base DN, the base distinguished name that specifies the necessary domain components of the LDAP server. Some LDAP systems, such as Sun ONE Server and Microsoft's Active Directory server, require the organizational unit ("ou") that houses the users on that LDAP server to be included in the BaseDN to allow users to authenticate successfully. The organizational unit is the parent object that contains the user objects. EFT allows you to browse a list of LDAP base DNs from the LDAP server on the domain specified or the default domain. Click List DNs to select from the list or type it in the Base DN box.

  For example, if the objectClass that holds user accounts is person, the hierarchical parent node/container could be the organizational unit people. If the organizational unit is required by your LDAP server, prepend it to the distinguished name. For example:

  o With Organizational Unit: ou=people,dc=forest,dc=tree,dc=branch

  o Without Organizational Unit: dc=forest,dc=tree,dc=branch


• User Filter that EFT uses to query the LDAP server for a list of users. The default setting is: objectClass=person

  This finds the LDAP entries that are part of the objectClass person; that is, it retrieves the users on the LDAP server that belong to the person ObjectClass.

• Attribute that denotes user names in the LDAP database. This allows you to specify the attribute from the queried list of users that denotes user names. Commonly used attributes are cn or uid.

• User Information defines how the client is authenticated. When you configure an LDAP Site, you are asked to choose one of the following binding methods:

  o Anonymous

  o Simple requires a username and password. Note that the username must follow the syntax for the LDAP server that includes the Common Name and the Domain Components of your LDAP server's distinguished name. For example, the username might be the following: cn=Manager,dc=forest,dc=tree,dc=branch

• Advanced Options - You can specify SSL encryption and the frequency with which the user list is refreshed.

When you use LDAP as the authentication method, EFT pulls the user account list and the authentication from the LDAP Server. Group lists, Group membership, VFS Groups, and VFS User permissions are handled by EFT and stored in the local AUD and CFG files. These permissions must be configured and maintained in the administration interface or through the COM API .

Changing and Testing LDAP Authentication Options

(Available in EFT Enterprise)

The LDAP Authentication Options dialog box is used to edit and test EFT's connection to the LDAP server after you have configured LDAP Authentication.

To edit or test LDAP authentication settings

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the LDAP Site that you want to configure.

3. In the right pane, click the General tab.

4. Next to the User auth manager box, click Configure. The LDAP Authentication Options dialog box appears.


5. To specify that the user list is to be updated automatically, select the Enable Automatic Refresh every check box, then specify how often you want EFT to check the authentication database for new users. Clear the check box if you do not want the Site's user list to refresh automatically.

(This setting is inherited from the Server's General Settings on the Server's General tab. Never refresh user list automatically is specified by default.)

The user list is not refreshed automatically while a Site is stopped, whether the refresh would be triggered by Server startup, by the user database synchronization timer, or by administrator changes related to the user database. You can manually refresh the user database by clicking View > Refresh User Database on the main menu.

6. In the Server box, type the Server name or IP address.

7. In the Port box, keep the default port 389 or specify a different port.

8. In the Base DN box, type the base distinguished name for the LDAP user database, in the format option=value (e.g.: dc=forest,dc=tree,dc=branch), or click List DNs to complete the box automatically or select from a list.

9. In the User Filter box, type the search filter information. Refer to Advanced LDAP Filtering for a detailed explanation of LDAP filtering.

10. In the Attribute box, type a comma-separated list of attributes to retrieve. For example, type: userPrincipalName,mail,e-mail,name,cn

(Add userprincipalname to the attributes so that the userprincipalname is used for the account name in queries.)


11. In the User Information area, click one of the following binding methods to define how the client is authenticated:

  o Anonymous

  o Simple requires a username and password. Note that the username must follow the syntax for the LDAP server that includes the Common Name and the Domain Components of your LDAP server's distinguished name. For example, the username might be the following: cn=Manager,dc=forest,dc=tree,dc=branch

For details of creating complex LDAP filters, refer to Advanced LDAP Filtering .

12. If you are using SSL , select the Use SSL check box.

You need to have a certificate that includes Server Authentication on the LDAP server you are connecting to. If you install Certificate Services on the domain on which EFT is installed, you can request the certificate on the LDAP server. For more information, refer to the Microsoft Support article " How to enable LDAP over SSL with a third-party certification authority ."

The LDAP bind password is encrypted in the FTP.cfg file.

13. To change the advanced options (SSL, timeout, scope, etc.), click Advanced and specify advanced options based on your requirements.


• Set timeout - Specify the connection/query timeout (in seconds). This option coupled with paging can help you avoid timeouts when querying against large directories.

• Set search scope - This specifies the depth of the level to search for under BaseDN.

  o BASE - Only the requested object specified in BaseDN is searched.

  o OneLevel - All of the objects just below this object are searched.

  o Subtree - Searches for all the objects within the specified BaseDN object recursively.

• Turn on referral chasing - If you have referral chasing on, the query returns information for objects that exist in the LDAP structure but do not actually reside on the LDAP server to which EFT is connected. The query displays bookmarks to entries that exist elsewhere in the network that the server knows about.

• Set LDAP Version - LDAP 2 is widely supported and adds anonymous binding and some filtering. LDAP 3 extends the features of LDAP 2 by adding paging (server side) and more complex filtering.


• Use LDAP server-side page control - Asks EFT to limit result sets (or pages) to 1000 at a time, or to the value specified under Override search page size, if checked. If Use server page control is not selected, client-side paging is used to mitigate timeouts when retrieving large directory listings.

  If you are connecting to a SUN Directory LDAP server, turn off page control. See more information at Using Sun Directory LDAP Server.

• Override search page size - Overrides the default page size (1000) for client or server-side page limits. Making the value too large can cause timeouts. Setting the page size too small reduces the overall efficiency.

• Select attributes - Returns only the specified attributes for the user objects found as part of the search query. Specifying only necessary attributes will greatly increase the efficiency of your query (since the filtering occurs on the EFT side). Add userprincipalname to the LDAP query so that the userprincipalname is used for the account name in queries.

14. To test your settings, click Test. The query returns information about your LDAP connection.

15. To close the dialog box, click the X in the upper right corner or press ESC.

16. Click OK to close the LDAP Authentication Options dialog box.

17. Click Apply to save the changes on EFT.

User Home Folders on an LDAP-Authenticated Site

The user's home folder location and name depend on the Automatically create home folder check box in the Site Setup wizard and the Settings Template home folder defined on the General tab of the Settings Template. The table below describes what the user's home folder name and location would be, based on these settings.

"Automatically create home folder" check box in Site Setup wizard | Settings Template home folder | Client home folder before login | Client home folder after first login | Actual home folder
Selected | Not Defined | Undefined | /Usr/JDoe | /Usr/JDoe
Selected | /Usr/MyUsers | Undefined | /Usr/MyUsers/JDoe | /Usr/MyUsers/JDoe
Cleared | Not Defined | Undefined | Undefined | Site root
Cleared | /Usr/MyUsers | Undefined | Undefined | Settings Template folder

For details of the Virtual File System (VFS), refer to Virtual File System .

Common Access Card (CAC) Authentication

(Available in EFT Enterprise with the HSM) Common Access Card (CAC) Authentication is available in EFT Enterprise for LDAP Sites with SSL (HTTPS or FTPS) enabled. When CAC is enabled on EFT, clients are required to provide a certificate when connecting. Once the user's certificate is validated, EFT uses the User Principal Name (UPN) taken from the Subject Alternative Name (SAN) field of the Signature Certificate to search for the user in LDAP and allow or deny access based on the information found. The certificate provisioned via the web browser must have an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT maps the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, if a certificate is assigned to that user, and if the certificate exactly matches the one provided by the client, the user is allowed access.


When CAC is enabled and an HTTPS connection is made, the Logout and Change Password buttons on the Java-enabled Web Transfer Client (WTC) are hidden. To log out, you must close the browser and remove your CAC card. WTC sessions time out immediately when the browser is closed. If a user navigates away from the WTC instead of closing the browser, and then goes back to the WTC page, the previous session is expired and a new session ID is generated. This prevents the WTC licenses from being locked when no one is using them.

The account management page is not available when CAC is enabled. There is no concept of logging out or changing passwords when using CAC.

When CAC is enabled on a Site:

• The WTC uses the JSE instead of the Apache client. The JSE HTTP client provides NTLM v2 proxy authentication support.

• Any attempt to access any of the account management pages causes a "page not found" error.

• When HTTP and HTTPS are both enabled, the Redirect HTTP to HTTPS check box is selected and disabled, forcing redirection of HTTP traffic to HTTPS.

• When FTPS is enabled, the username and password provided are ignored; the authentication is provided by the certificate.

• The method EnableCAC() can be used to enable CAC via the COM API.

• The following major events are logged:

  o Could not find proper SAN field in certificate

  o The value received from the SAN field

  o If user had no certificates in LDAP

  o If certificates were present but no certificate matched

  o More than one user was retrieved when LDAP was queried (authentication is only attempted against the first one)

• CAC is incompatible with RADIUS, RSA, PCI DSS, ODBC, NT authentication, AD authentication, and Globalscape authentication. PCI DSS Compliance reports do not report on CAC-enabled Sites.

Refer to Defining Connections (Sites) for details of creating an LDAP-authenticated Site that uses CAC.

Configuring CAC on an Existing LDAP Site

(Available in EFT Enterprise with the HSM) EFT can be configured for Common Access Card (CAC) authentication. To configure CAC on a new Site, refer to Defining Connections (Sites). For more information before configuring, refer to Common Access Card (CAC) Authentication.

To configure EFT Enterprise to use CAC Authentication

1. Log in to the EFT administration interface and click the LDAP Site node for which you want to enable CAC.

2. On the General tab, in the Advanced Authentication Options area, click Common Access Card (CAC).

3. Click Apply to save your settings.

4. Click Yes to restart the Site.


Using an ODBC Data Source for User Authentication

EFT allows you to use any ODBC-compatible database as a source for user authentication. You may add and remove users and set certain permissions using your existing database utility or in the administration interface. EFT uses ADO to communicate with the authentication databases using "generic" SQL statements.

You do NOT have to use a DSN for ODBC authentication. Refer to Using a DSN-Less Connection with ODBC Authentication for details.

If you are configuring a DSN on a 64-bit Windows system, you need to run the 32-bit version of the Windows "ODBC Data Source Administrator" application. EFT cannot see DSNs created using the 64-bit version, which is the one that is launched from the Windows Control Panel on 64-bit Windows operating systems. When configuring a DSN on a 64-bit Windows system, run the 32-bit version, usually C:\Windows\SysWOW64\odbcad32.exe.

To use an external ODBC data source you must:

• Create tables in an ODBC data source

• Establish a System Data Source Name (DSN) in the ODBC Source administration tool

• Configure EFT to use the System DSN

• Install Microsoft Data Access Components (MDAC) 2.6 or higher

• (SQL Server only) The DSNs must be configured to use SQL Server authentication if EFT is running as Local System

• (SQL Server only) SQL Server Native Client Driver must be used for IPv6 connectivity.

Establishing a System Data Source Name (DSN)

After you have created your database, you must associate it with your system by establishing a Data Source Name (DSN). A DSN is a data structure that contains the information about a database that an Open Database Connectivity (ODBC) driver needs to connect to it, such as the name, directory, and driver of the database, and the ID and password of the user.

To use a DSN-less connection with ODBC authentication, refer to Using a DSN-Less Connection with ODBC Authentication.

To establish a system DSN

1. In Windows, click Control Panel, Administrative Tools > Data Sources (ODBC). The ODBC Data Source Administrator appears.


2. Click the System DSN tab.


3. Click Add. The Create New Data Source dialog box appears.


4. Click the database driver that corresponds with the database type to which you are connecting, and then click Finish.

5. In the dialog box that appears (differs depending on driver selected), type the Data Source Name and Description. The default DSN is EFT.

6. Click Select to specify the database file to use, and then click OK.

7. Click OK to close all of the dialog boxes and save the changes.

Using a DSN-Less Connection with ODBC Authentication

You can use a DSN-less connection to create an ODBC connection between EFT and the database, using a connection string. Connections made in this way are called DSN-less, because they do not require the system administrator to create an ODBC DSN. Rather than relying on information stored in a file or in the system registry, DSN-less connections specify the driver name and all driver-specific information in the connection string. The connection strings described below combine all the information EFT needs to connect to the database. If you have several simultaneous database connections, a DSN-less connection may be slightly faster than a DSN connection; however, a DSN-less connection is hard-coded to use a certain driver, user identity, and network location, and needs to be updated when the database parameters change.

MDAC version 2.7 or higher must be installed to use a DSN-less connection.

To create a Site with a DSN-less connection

1. Follow the procedure in Configuring ODBC Authentication Options .

2. In the Authentication Provider Options dialog box, type the connection string per the guidelines below.


To create the string for a DSN-less connection

1. On a remote SQL Server, create an ODBC database, login, etc.

2. Create a (system) DSN for the server, and verify that it works.

3. In EFT configure the ODBC pre-populated string with the correct information.

You must know the correct driver to use with your database. Create a connection string as described below and type it into the Authentication Provider Options dialog box. The connection string includes the name of the driver you need for your database, the location of your database, the name of your database, and, if necessary, a user name and password to access the database. Connection strings are lists of keywords and associated values; each keyword identifies a particular connection attribute.

For local databases, the connection string must include:

• Provider [Provider=]

• Driver [DRIVER=]

• Database path and name, including the file extension [Dbq=]

• Username [Uid] and Password [Pwd] are required only if the database is password protected

For remote databases, your connection string must include:

• Driver [DRIVER=]

• Server [SERVER]

• Database [DATABASE]

• Username [UID]

• Password [PWD]

Examples:

DRIVER={SQL Server};Provider=MSDASQL;SERVER=192.168.100.242;DATABASE=dsh_odbc;UID=sa;PWD=canada

DRIVER={SQL Server};Provider=MSDASQL;server=eft1;database=eftdb;trusted_connection=yes

• If you are pointing to an Access 2000 database on a local computer named Example that is in the xyz sub-folder of your c drive, the connection string is:

Provider=MSDASQL;Driver={Microsoft Access Driver (*.mdb)};Dbq=c:/xyz/Example.mdb;Uid=;Pwd=

• If you have a remote MYSQL database named Example your connection string is:

Provider=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=10.10.10.1;DATABASE=Example;UID=myusername;PWD=mypassword

If you are connecting to a database server through ODBC, the server's configuration determines whether it is case-sensitive. Check with your database server administrator to determine whether or not your server is configured as case-sensitive. If your database is case-sensitive, you will have to edit the tables accordingly.

Do not put any line breaks in your connection strings.

With some installations, you may need to add a pointer to a Microsoft Access workgroup file as well as the username and password. A default installation of Access does not require this.


Changing ODBC Authentication Options

When you create a Site, you specify the user database authentication method. You cannot change the authentication method after you have created a Site; however, if you need to change the authentication options, you can do so from the Site Options tab. The options available in the Authentication Provider Options dialog box change depending on which authentication method the Site uses.

To edit the authentication options for a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the General tab.

4. Next to the User auth manager box, click Configure. The Authentication Provider Options dialog box appears.

5. To specify that the user list is to be updated automatically, select the Enable Automatic Refresh every check box, then specify how often you want EFT to check the authentication database for new users. Clear the check box if you do not want the Site's user list to refresh automatically.

The user database is not refreshed automatically while a Site is stopped, whether the refresh would be triggered by Server startup, by the user database synchronization timer, or by administrator changes related to the user database. You can manually refresh the user database by clicking View > Refresh User Database on the main menu.

6. In the text box, edit the connection string, as needed. Refer to Using a DSN-Less Connection with ODBC Authentication for details of how to create a connection string depending on the type of database to which you are connecting.

7. Click OK to close the dialog box.

8. Click Apply to save the changes on EFT.

User Home Folders on an ODBC-Authenticated Site

The user's home folder location and name depend on the Automatically create home folder check box in the Site Setup wizard and the Settings Template home folder definition on the General tab of the Site. The table below describes what the user's home folder name and location would be, based on these settings.

Settings Template home folder | Client home folder before login | Client home folder after first login | Actual home folder
Not Defined | /Usr/JDoe | /Usr/JDoe | /Usr/JDoe
/Usr/MyUsers | /Usr/MyUsers/JDoe | /Usr/MyUsers/JDoe | /Usr/MyUsers/JDoe

For details of the Virtual File System (VFS), refer to Virtual File System .


Creating Tables for Your ODBC Data Source

You must create two tables in the database for your data source. Scripts are provided that will create the necessary tables.

If users receive an error saying they are not logged in, make sure the "anonymous" column in the "ftpserver_users" table is set to "0" or "1"; it cannot be set to "Null".

The ftpserver_users table lists the user accounts and permissions groups in the Site. A user account uses the information from all fields. A permission group uses only the ID, Name, and Description fields and is used only for organizational purposes, not as a user login.

Field Name | Data Type | Field Size | Description
ID (Primary Key) | AutoNumber | Long Integer | User ID
NAME | Text | 50 | Login name for this user
PASSWORD | Text | 200 | Password for this user (stored in clear text; SHA-256 hashed, if enabled; or optionally, using MD5)
DESCRIPTION | Text | 200 | Description for this user
TYPE | Number | Integer | 0=Group, 1=User
PASSWORD_TYPE | Number | Integer | Standard, OTP_MD4, OTP_MD5: differentiates regular vs. SKEY (OTP) password type. 0 = Standard Password, 1 = MD4 OTP, 2 = MD5 OTP
MD_ITER | Number | Long Integer | Current MDX iteration; used by OTP accounts only
OTP_SEED | Text | 16 | OTP seed to be used for MDX passwords; used by OTP accounts only
ANONYMOUS | Number | Long Integer | 0=Normal Password, 1=Any password
ANONYMOUS_EMAIL | Number | Long Integer | 0=Any anonymous password, 1=email password required
FULLNAME | Text | 200 | User's full name
EMAIL | Text | 200 | User's email address
PHONE | Text | 200 | User's phone number
PAGER | Text | 200 | User's pager number
FAX | Text | 200 | User's fax number
COMMENTS | Text | 200 | User comments
ENABLED | Number | Integer | 0 = Account disabled, 1 = Account enabled, -2 = Inherited
HOMEDIRECTORY | Text | 512 | Legacy field no longer used, but must be present in the database
SETTINGSLEVEL | Text | 200 | Name of user's Settings Template

The ftpserver_ids table organizes users into "groups" of permission levels. For each permission Group to which a user belongs, there should be one entry in the table below.


Field Name | Data Type | Field Size | Description
ID | AutoNumber | Long Integer | Unique ID for the record (key field).
USER_ID | Number | Long Integer | This value refers to a user record in the ftpserver_users table. A corresponding ftpserver_users record (where ftpserver_ids.User_ID = ftpserver_users.ID) must exist with Type = 1.
Group_ID | Number | Long Integer | This value refers to the Settings Template to which the User_ID user record belongs. A corresponding ftpserver_users record (where ftpserver_ids.Group_ID = ftpserver_users.ID) must exist with Type = 0.
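A consistency check an administrator can run over a database built from the two tables above, written here as an added example rather than one of EFT's own scripts: it renders the tables in SQLite, loads constructed rows, and queries for the conditions this section warns about (a NULL ANONYMOUS value on a user row, a TYPE outside 0/1, and ftpserver_ids rows whose User_ID or Group_ID points at a row of the wrong Type). The SELECT statements are plain SQL and can be pointed at a SQL Server or Oracle copy of the tables.

```python
import sqlite3

# SQLite rendering of the two tables described above, written as an added example
# (not one of EFT's own scripts). Column names follow the tables; the types are
# SQLite equivalents of the Access / SQL Server ones.
SCHEMA = """
CREATE TABLE ftpserver_users (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    NAME TEXT, PASSWORD TEXT, DESCRIPTION TEXT,
    TYPE INTEGER, PASSWORD_TYPE INTEGER, MD_ITER INTEGER, OTP_SEED TEXT,
    ANONYMOUS INTEGER, ANONYMOUS_EMAIL INTEGER,
    FULLNAME TEXT, EMAIL TEXT, PHONE TEXT, PAGER TEXT, FAX TEXT, COMMENTS TEXT,
    ENABLED INTEGER, HOMEDIRECTORY TEXT, SETTINGSLEVEL TEXT
);
CREATE TABLE ftpserver_ids (USER_ID INTEGER, GROUP_ID INTEGER);
"""

# Each query lists the rows that break one of the rules stated in the text.
CHECKS = {
    # ANONYMOUS must be 0 or 1 on user rows (TYPE=1); NULL produces "not logged in" errors.
    # Group rows use only ID, NAME and DESCRIPTION, so they are not checked here.
    "anonymous_null": "SELECT NAME FROM ftpserver_users WHERE TYPE = 1 AND ANONYMOUS IS NULL",
    # TYPE must be 0 (group) or 1 (user).
    "bad_type": "SELECT NAME FROM ftpserver_users WHERE TYPE IS NULL OR TYPE NOT IN (0, 1)",
    # ftpserver_ids.USER_ID must reference an ftpserver_users row with TYPE = 1.
    "user_id_not_user": """SELECT i.USER_ID FROM ftpserver_ids i
                           LEFT JOIN ftpserver_users u ON u.ID = i.USER_ID
                           WHERE u.ID IS NULL OR u.TYPE <> 1""",
    # ftpserver_ids.GROUP_ID must reference an ftpserver_users row with TYPE = 0.
    "group_id_not_group": """SELECT i.GROUP_ID FROM ftpserver_ids i
                             LEFT JOIN ftpserver_users u ON u.ID = i.GROUP_ID
                             WHERE u.ID IS NULL OR u.TYPE <> 0""",
}


def run_checks(conn):
    """Return {check name: [offending NAME or ID values]}; all lists empty means clean."""
    return {name: [row[0] for row in conn.execute(sql)] for name, sql in CHECKS.items()}


def build_sample_db():
    """In-memory database with constructed rows: one group (ID 1), a valid user (ID 2),
    a user whose ANONYMOUS column was left NULL (ID 3), and one reversed mapping."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO ftpserver_users (NAME, DESCRIPTION, TYPE, PASSWORD_TYPE, ANONYMOUS,"
        " ANONYMOUS_EMAIL, ENABLED, SETTINGSLEVEL) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [("Partners", "Permission group", 0, None, None, None, None, None),
         ("jdoe", "Jane Doe", 1, 0, 0, 0, 1, "Partners"),
         ("bsmith", "Bob Smith", 1, 0, None, 0, 1, "Partners")])
    conn.executemany("INSERT INTO ftpserver_ids (USER_ID, GROUP_ID) VALUES (?, ?)",
                     [(2, 1),   # jdoe -> Partners: correct
                      (3, 1),   # bsmith -> Partners: correct
                      (1, 2)])  # group and user swapped: flagged by two checks
    conn.commit()
    return conn


if __name__ == "__main__":
    for check, offenders in run_checks(build_sample_db()).items():
        print(f"{check}: {offenders or 'ok'}")
```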

Script for Creating Necessary ODBC Tables

The scripts used to create the SQL or Oracle tables needed for ODBC authentication in EFT can be found in the SQL Server or Oracle subdirectory of the EFT Data directory:

• On Windows Server 2008, data files for all users are in a hidden folder named ProgramData (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise (or \EFT Server) \Oracle and \SQL Server).

• On Windows Server 2003, the scripts are installed by default in C:\Documents and Settings\All Users\Application Data\Globalscape\EFT Enterprise (or \EFT Server) \SQL Server and \Oracle.


There is no need to create the scripts; they are copied below for information only.

SQL

The following SQL script creates the tables necessary to run on the Server.

if exists (select * from sysobjects where id = object_id(N'[dbo].[ftpserver_ids]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [dbo].[ftpserver_ids]

GO

if exists (select * from sysobjects where id = object_id(N'[dbo].[ftpserver_users]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [dbo].[ftpserver_users]

GO

CREATE TABLE [DBO].[FTPSERVER_IDS] (

[USER_ID] [INT] NULL,

[GROUP_ID] [INT] NULL

) ON [PRIMARY]

GO

CREATE TABLE [DBO].[FTPSERVER_USERS] (

[ID] [INT] IDENTITY (1, 1) NOT NULL,

[NAME] [NVARCHAR] (50) NULL,

[PASSWORD] [NVARCHAR] (200) NULL,

[DESCRIPTION] [NVARCHAR] (200) NULL,

[TYPE] [INT] NULL,

[PASSWORD_TYPE] [INT] NULL,

[MD_ITER] [INT] NULL,

[OTP_SEED] [NVARCHAR] (16) NULL,

[ANONYMOUS] [INT] NULL,

[ANONYMOUS_EMAIL] [INT] NULL,

[FULLNAME] [NVARCHAR] (200) NULL,

[EMAIL] [NVARCHAR] (200) NULL,

[PHONE] [NVARCHAR] (200) NULL,

[PAGER] [NVARCHAR] (200) NULL,

[FAX] [NVARCHAR] (200) NULL,

[COMMENTS] [NVARCHAR] (200) NULL,

[ENABLED] [INT] NULL,

[HOMEDIRECTORY] [NVARCHAR] (512) NULL,

[SETTINGSLEVEL] [NVARCHAR] (200) NULL

) ON [PRIMARY]

GO


Authentication

Oracle

The following schema is required for ODBC authentication in Oracle.

CREATE TABLE "FTPSERVER_IDS"

(

"USER_ID" NUMBER(18,0),

"GROUP_ID" NUMBER(18,0)

)

/

CREATE TABLE "FTPSERVER_USERS"

(

"ID" NUMBER(18,0) NOT NULL ENABLE,

"NAME" NVARCHAR2(50),

"PASSWORD" NVARCHAR2(200),

"DESCRIPTION" NVARCHAR2(200),

"TYPE" NUMBER(18,0),

"PASSWORD_TYPE" NUMBER(18,0),

"MD_ITER" NUMBER(18,0),

"OTP_SEED" NVARCHAR2(16),

"ANONYMOUS" NUMBER(18,0),

"ANONYMOUS_EMAIL" NUMBER(18,0),

"FULLNAME" NVARCHAR2(200),

"EMAIL" NVARCHAR2(200),

"PHONE" NVARCHAR2(200),

"PAGER" NVARCHAR2(200),

"FAX" NVARCHAR2(200),

"COMMENTS" NVARCHAR2(200),

"ENABLED" NUMBER(18,0),

"HOMEDIRECTORY" NVARCHAR2(512),

"SETTINGSLEVEL" NVARCHAR2(200),

CONSTRAINT "FTPSERVER_USERS_PK" PRIMARY KEY ("ID") ENABLE

)

/

CREATE SEQUENCE "FTPSERVER_USERS_SEQ" MINVALUE 1 MAXVALUE 999999999999999999999999999 INCREMENT BY 1 START WITH 2 CACHE 20 NOORDER NOCYCLE

/

CREATE OR REPLACE TRIGGER "BI_FTPSERVER_USERS"

BEFORE INSERT ON "FTPSERVER_USERS"

FOR EACH ROW

BEGIN

SELECT "FTPSERVER_USERS_SEQ".NEXTVAL INTO :NEW.ID FROM DUAL;

END;

/

ALTER TRIGGER "BI_FTPSERVER_USERS" ENABLE

/
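As an added illustration (not part of the EFT guide and not GlobalSCAPE's scripts), the following Python/SQLite model shows the relationship the two tables encode: a Settings Template row with Type = 0, a user row with Type = 1, and the ftpserver_ids row that ties them together, plus a query that finds links violating the rule stated above. The table definitions use a column subset, the IDs and sample names are constructed, and SQLite stands in for SQL Server or Oracle.

```python
import sqlite3

# Values of ftpserver_users.Type as the guide describes them:
# 0 = Settings Template (group) record, 1 = user record.
TYPE_SETTINGS_TEMPLATE = 0
TYPE_USER = 1

# Constructed SQLite rendering of the two EFT tables (a column subset of the
# SQL Server and Oracle scripts above; SQLite has no IDENTITY or sequences).
SCHEMA = """
CREATE TABLE ftpserver_ids (
    User_ID  INTEGER,
    Group_ID INTEGER
);
CREATE TABLE ftpserver_users (
    ID            INTEGER PRIMARY KEY AUTOINCREMENT,
    Name          TEXT,
    Password      TEXT,
    Type          INTEGER,
    Enabled       INTEGER,
    HomeDirectory TEXT,
    SettingsLevel TEXT
);
"""

# Rows of ftpserver_ids that break the rule the guide states: User_ID must
# point at a Type = 1 (user) row and Group_ID at a Type = 0 (template) row.
LINK_CHECK = """
SELECT i.User_ID, i.Group_ID,
       CASE
           WHEN u.ID IS NULL THEN 'User_ID has no ftpserver_users row'
           WHEN u.Type <> 1  THEN 'User_ID row is not Type = 1'
           WHEN g.ID IS NULL THEN 'Group_ID has no ftpserver_users row'
           ELSE                   'Group_ID row is not Type = 0'
       END AS problem
FROM ftpserver_ids i
LEFT JOIN ftpserver_users u ON u.ID = i.User_ID
LEFT JOIN ftpserver_users g ON g.ID = i.Group_ID
WHERE u.ID IS NULL OR u.Type <> 1 OR g.ID IS NULL OR g.Type <> 0
ORDER BY i.User_ID, i.Group_ID
"""

def open_db():
    """Create an in-memory database holding the two EFT authentication tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_settings_template(conn, name):
    """Insert a Settings Template record (Type = 0) and return its ID."""
    cur = conn.execute(
        "INSERT INTO ftpserver_users (Name, Type, Enabled) VALUES (?, ?, 1)",
        (name, TYPE_SETTINGS_TEMPLATE))
    return cur.lastrowid

def add_user(conn, name, template_id, home_directory):
    """Insert a user record (Type = 1) and the ftpserver_ids row that ties it to
    its Settings Template; return the new user's ID."""
    cur = conn.execute(
        "INSERT INTO ftpserver_users (Name, Type, Enabled, HomeDirectory) "
        "VALUES (?, ?, 1, ?)", (name, TYPE_USER, home_directory))
    user_id = cur.lastrowid
    conn.execute("INSERT INTO ftpserver_ids (User_ID, Group_ID) VALUES (?, ?)",
                 (user_id, template_id))
    return user_id

def find_broken_links(conn):
    """Return (User_ID, Group_ID, problem) for every inconsistent ftpserver_ids row."""
    return conn.execute(LINK_CHECK).fetchall()

def users_in_template(conn, template_id):
    """Names of the enabled users that belong to the given Settings Template."""
    rows = conn.execute(
        "SELECT u.Name FROM ftpserver_ids i "
        "JOIN ftpserver_users u ON u.ID = i.User_ID "
        "WHERE i.Group_ID = ? AND u.Type = 1 AND u.Enabled = 1 ORDER BY u.Name",
        (template_id,)).fetchall()
    return [name for (name,) in rows]

if __name__ == "__main__":
    db = open_db()
    partners = add_settings_template(db, "Partners")                          # ID 1, Type 0
    add_user(db, "jbite", partners, r"C:\InetPub\EFTRoot\MySite\Usr\jbite")   # ID 2, Type 1
    print(users_in_template(db, partners), find_broken_links(db))
    # A mis-entered link whose Group_ID names the user row instead of a template:
    db.execute("INSERT INTO ftpserver_ids (User_ID, Group_ID) VALUES (2, 2)")
    print(find_broken_links(db))
```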

RADIUS and RSA Authentication

RADIUS for User Authentication

(Available in EFT Enterprise) Remote Authentication Dial In User Service (RADIUS) is a networking client/server protocol that runs in the application layer, using UDP as transport, and provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. In EFT Enterprise, the server has been extended with RADIUS support for RSA SecurID® two-factor authentication, so that it can send and receive RADIUS packets to and from a RADIUS server for user authentication. RADIUS authentication can be added to Globalscape, LDAP, and ODBC-authenticated Sites in EFT Enterprise's administration interface. The RADIUS settings allow you to configure EFT Enterprise as a Network Access Server (NAS).


RADIUS and SecurID cannot run together on the same Site and are not available for Active Directory-authenticated Sites. EFT does not support password reset and aging policies for RADIUS or RSA-enabled Sites.

How does RADIUS work with EFT Enterprise?

The user or device sends a request to EFT Enterprise to gain access to a particular network resource, then EFT Enterprise sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The request may contain username, password, security certificate, network address, and IP/Port used to connect to EFT Enterprise. RADIUS servers vary, but most can look up client information in text files, LDAP servers, or databases. The RADIUS server can respond with an Access Reject, Access Challenge, or Access Accept. If the RADIUS server responds with an Access Challenge, additional information is requested from the user or device, such as a secondary password.

The diagram below provides a general overview of EFT Enterprise configured in a network with RADIUS.

How do I configure RADIUS in EFT Enterprise?

You configure RADIUS in EFT Enterprise's administration interface. EFT Enterprise's Authentication Manager, Settings Templates, User Settings, New Site wizard, and New User Wizard each allow RADIUS configuration.

In Globalscape, LDAP, and ODBC-authenticated Sites, the RADIUS Authenticated Settings dialog box, accessed from the New Site wizard and/or the Site's General tab, allows you to enable RADIUS or RSA SecurID authentication and to configure the RADIUS/RSA server's IP address, port, NAS Identifier, shared secret, connection retries, and timeout. On the Settings Template and user account General tabs, and in the New User wizard, a simple enable check box is provided for those instances where you might want the Site to have RADIUS enabled, but want to disable it for a Settings Template or specific user.

Configuring RADIUS or RSA SecurID in EFT Enterprise

The RADIUS Authentication Settings dialog box is available from each Globalscape, LDAP, or ODBC-authenticated Site. The dialog box allows you to enable and configure the connection to the RADIUS server.


Enable RADIUS authentication—The check box is disabled by default.

RADIUS Server—Specifies the name of the RADIUS Server (host name or IP address).

RADIUS Server Port—Specifies the port the RADIUS Server is bound to. The default port is 1812.

NAS Identifier—Specifies EFT's NAS identifier for the RADIUS Server.

Shared secret—Specifies the shared secret used to encrypt and sign packets between EFT and the RADIUS Server.

Connection Retries—Specifies the number of times a RADIUS packet will be submitted to the server before giving up. The packet is resubmitted if there is no response from the server. (RADIUS runs over UDP, so packets may be dropped or ignored by the server.) The default is 3 retries.

Timeout—Specifies how long to wait for a server response, in seconds. The default is 3 seconds.
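An added model (not code from the EFT guide or from GlobalSCAPE) of the exchange described under "How does RADIUS work with EFT Enterprise?" and of what the shared secret in the settings above does, following RFC 2865: EFT's side builds an Access-Request carrying User-Name, NAS-Identifier and a User-Password hidden under the shared secret; the server recovers the password and answers Access-Accept or Access-Reject; EFT's side checks the Response Authenticator before trusting the answer. The account table, secret, NAS identifier and user names are constructed, and the server function is a stand-in, not any particular RADIUS product.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865) named in the guide, and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32

def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _parse_attrs(data):
    """Decode TLV attributes into {type: value}, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs

def _password_blocks(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator and later
    ones are the hidden (ciphertext) blocks, on both sides of the exchange."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block
    return out

def hide_password(password, secret, request_auth):
    """NAS side: pad to a multiple of 16 bytes, then hide under the shared secret."""
    raw = password.encode("utf-8")
    if not 1 <= len(raw) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    raw += b"\x00" * (-len(raw) % 16)
    return _password_blocks(raw, secret, request_auth, hiding=True)

def unhide_password(hidden, secret, request_auth):
    """Server side: reverse of hide_password, with the zero padding stripped."""
    raw = _password_blocks(hidden, secret, request_auth, hiding=False)
    return raw.rstrip(b"\x00").decode("utf-8")

def build_access_request(ident, username, password, nas_id, secret, request_auth=None):
    """Access-Request as sent by the NAS (EFT). Returns (packet, request_auth);
    the Request Authenticator must be fresh and unpredictable for every request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode("utf-8"))
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id.encode("utf-8")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, ident, request_auth, secret):
    """NAS side: the reply's code if its Response Authenticator is valid for our
    request and secret, else None (the NAS then treats it as no response)."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4]) != (packet[0], ident, len(packet)):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None

def radius_server(packet, secret, accounts):
    """Minimal server decision: Access-Accept when the recovered password matches
    the constructed account table, otherwise Access-Reject with a Reply-Message."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    try:
        password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    except (KeyError, UnicodeDecodeError):  # a wrong secret yields garbage bytes
        password = None
    expected = accounts.get(user, "").encode("utf-8")
    if password and hmac.compare_digest(expected, password.encode("utf-8")):
        return build_response(ACCESS_ACCEPT, ident, request_auth, b"", secret)
    reply = _attr(REPLY_MESSAGE, b"Authentication failed")
    return build_response(ACCESS_REJECT, ident, request_auth, reply, secret)

def authenticate(username, password, nas_id, secret, accounts, server_secret=None):
    """One round trip as EFT would make it, verifying the reply before trusting it.
    server_secret (if different) shows what a shared-secret mismatch looks like."""
    request, request_auth = build_access_request(7, username, password, nas_id, secret)
    reply = radius_server(request, server_secret or secret, accounts)
    return verify_response(reply, 7, request_auth, secret)
```

A reply signed with a different secret fails verification and is discarded, which on a real deployment surfaces as the retries and timeout configured above rather than as a rejection.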

The RSA SecurID Authentication Settings dialog box is available from each Globalscape, LDAP, or ODBC-authenticated Site. The dialog box allows you to specify the location of the RSA Server configuration file.

• Click the folder icon to specify the location of the RSA Server configuration file (sdconf.rec), then click OK.

RSA SecurID uses a "sdconf.rec" file to configure itself as an authentication agent. Upon initial connection to the SecurID server (the first authentication attempt), a "shared secret" is established between the Authentication Agent (EFT) and the RSA SecurID server. EFT saves this secret in the same path as the Site's "sdconf.rec" file. If you clear the node secret in RSA SecurID, you will need to clear the secret on EFT, or it will be unable to establish a new one with the server. While the service is stopped, delete the "sdstatus.12" and "securid" files that EFT created. When you restart the service, a new secret is established.

When configuring RSA in an HA environment, be sure to have the sdconf.rec file stored locally for each node. Each node MUST have its own copy of sdconf.rec.


Supported Protocols

EFT Enterprise supports RADIUS and RSA SecurID authentication for FTP, FTPS, SFTP, HTTP, and HTTPS.

• AS2 does not support interactive authentication.

• EFT does not perform inline checking for PCI DSS compliance for various password controls. In PCI DSS reports, a Status value labeled "Compensating Control" and the following Compensating Control text appears: "Compensating Control: User authentication and password controls for %WHO% are being managed by a remote system, such as RSA SecurID®." (The %WHO% variable contains the name of the Site, Settings Template, or user account.)

RSA SecurID Supported Features

EFT can be configured to communicate with RSA Authentication Manager via native SecurID protocol or RADIUS protocol.

Feature                                                       Supported?
RSA SecurID Authentication via Native RSA SecurID Protocol    Yes
RSA SecurID Authentication via RADIUS Protocol                Yes
On-Demand Authentication via Native SecurID Protocol          Yes
On-Demand Authentication via RADIUS Protocol                  Yes
On-Demand Authentication via API                              No
RSA Authentication Manager Replica Support                    Yes
Secondary RADIUS Server Support                               No
RSA SecurID Software Token Automation                         No
RSA SecurID SD800 Token Automation                            No
RSA SecurID Protection of Administrative Interface            No

Related Topics

Using SFTP/SSH with Radius/RSA Servers

Configuring RADIUS on an Existing Site

• For details of configuring RADIUS on a new Site, refer to Defining Connections (Sites).

• For details of enabling or disabling RADIUS, refer to Enabling RADIUS.

• For details of COM API methods for RADIUS, refer to "Creating a User" (CreateUser and CreateUserEx) in the COM API Reference.

Configuring RSA SecurID or RADIUS Support on an Existing Site

(Available in EFT Enterprise) EFT can be configured for RSA SecurID authentication via either the native SecurID protocol or RADIUS. To configure RADIUS on a new Site, refer to Defining Connections (Sites). For more information before configuring, refer to RADIUS for User Authentication.

To configure EFT Enterprise for RSA SecurID or RADIUS

1. If you are using the RSA Native SecurID protocol, use the RSA Security Console to generate the sdconf.rec configuration file, then copy the file to a location on EFT (typically %windir%\system32). It is not needed when using RADIUS.

2. Log in to the EFT administration interface and click the Site node for which you want to enable RADIUS or RSA SecurID.


3. Do one of the following:

• Click RSA SecurID and then click Configure. The RSA SecurID Authentication Settings dialog box appears.

o Specify the location of the RSA Server configuration file (sdconf.rec), and then click OK. (Note that SecurID files will reside in this location. Node secret and sdstatus.12 files will be generated at this location.)

• Click RADIUS and then click Configure. The RADIUS Authentication Settings dialog box appears.

o Specify the RADIUS authentication settings, and then click OK.

4. Click Apply to save your settings.

5. Click Yes to restart the Site.

RSA SecurID uses a "sdconf.rec" file to configure itself as an authentication agent. Upon initial connection to the SecurID server (the first authentication attempt), a "shared secret" is established between the Authentication Agent (EFT) and the RSA SecurID server. EFT saves this secret in the same path as the Site's "sdconf.rec" file. If you clear the node secret in RSA SecurID, you will need to clear the secret on EFT, or it will be unable to establish a new one with the server. While the service is stopped, delete the "sdstatus.12" and "securid" files that EFT created. When you restart the service, a new secret is established.

Enabling or Disabling RSA Authentication via RADIUS

(Available in EFT Enterprise) If RADIUS is enabled on a Site and a Settings Template, you can enable or disable the use of RADIUS for individual user accounts. (The username must correspond to a username in the RSA Authentication Manager server's database.) For example, you may have some users who will use RADIUS to authenticate on the Site, but other users who do not use RADIUS. (You cannot enable RADIUS authentication for a user account on a Settings Template or a Site that does not have RADIUS authentication enabled or defined.)

To enable or disable RADIUS for a user account

1. On the Server tab, in the tree of a Site that has RADIUS enabled, expand the Settings Template of users for whom you want to enable or disable RADIUS.

2. In the right pane, on the General tab, clear the Use RADIUS authentication check box to disable RADIUS; select the check box to enable RADIUS.

• You can also enable or disable RADIUS in the New User wizard when you create the user account.

3. Click Apply to save the setting.

On user accounts that have RADIUS enabled, it is possible for users to lock themselves out of the RADIUS server (e.g., due to multiple invalid logins). The user in this case will not be able to log in to EFT, but will not appear to be locked out of EFT in the administration interface. EFT will log only that a login was denied at the protocol level (on INFO in HTTP). You must unlock the account on the RADIUS server for the user to be able to log in to EFT. (For information about unlocking accounts on the RADIUS server, refer to that server's user guide.)

SMS PASSCODE® Integration with the EFT™ Platform

(EFT Enterprise only) The EFT platform can connect to SMS PASSCODE for SMS authentication to the server. EFT v6.5.16 and later use the Remote Authentication Dial-In User Service (RADIUS) implementation already built in to EFT, and the Microsoft Network Policy Server (NPS) built in to Windows 2008 and 2012, to connect to the SMS PASSCODE server for authentication. The RADIUS configuration in EFT will use the same shared secret as NPS. SMS PASSCODE uses a web dispatcher service to deliver messages to mobile phones. (RADIUS is supported on Globalscape, LDAP, and ODBC-authenticated Sites in EFT Enterprise; SMS PASSCODE is currently supported only on LDAP-authenticated Sites.)


SMS PASSCODE can be installed on the same computer as EFT or remotely. SMS PASSCODE requires an Active Directory (AD) domain for user accounts, and can be installed and configured using basic policies, and connected to an AD group named "SMS PASSCODE Users." AD users must have the "mobile number" value configured in AD.

In EFT, after configuring and testing the RADIUS configuration on the Site, the users on the Site must have the Enable RADIUS check box selected to connect with SMS PASSCODE authentication over HTTP, HTTPS, or SFTP. If it isn't practical to enable/disable each user account individually, you can create a User Settings Template just for SMS PASSCODE users, then select the Use RADIUS password management check box on the User Settings Template, which will be inherited by each user in that template.

• FTP and FTPS are not supported for SMS PASSCODE authentication.

• On HTTP and HTTPS, EFT uses a session cookie to allow multiple subsequent operations without further login prompts (up to an idle timeout value, or explicitly logging out).

• In version 7.0 and 7.0.1, EFT will not relay the connecting client's IP address to SMS PASSCODE, so the GEO-IP security feature of SMS PASSCODE will not be enabled. Future versions of EFT will support this.

• SMS PASSCODE authentication will not work for Event Rules and Custom Commands.

• Some connecting clients, such as CuteFTP, attempt to log in multiple times to perform multiple concurrent transfers. To improve the user experience, on the CuteFTP site that is connecting to EFT, on the Options tab, reduce Site max concurrent transfers to 1.

Installing and Configuring SMS PASSCODE®

Follow the instructions provided by SMS PASSCODE for installation and configuration. Below are important items to consider:

1. We recommend installing the SMS PASSCODE server on Windows Server 2012 R2.

2. Be sure to configure the SMS PASSCODE server to deliver SMS messages via GSM modems, SMS Gateways, or however your infrastructure will support SMS delivery.

3. To manage the interaction between EFT and SMS PASSCODE, add the "Network Policy and Access Services" role to your server, with the "Network Policy Server" (NPS) Role Service enabled.

4. In the NPS administrator, create a RADIUS client that EFT will be configured to use for delegating authentication requests. (You will need the shared secret and NAS identifier to configure RADIUS in EFT.)

5. Confirm proper interoperation with EFT by setting up RADIUS authentication within EFT, as described below, using the same shared secret you supplied in step #4, above.

To configure EFT Enterprise for SMS PASSCODE authentication

1. Log in to the EFT administration interface and click the Site node for which you want to enable SMS PASSCODE.

2. Click RADIUS and then click Configure. The RADIUS Authentication Settings dialog box appears.

3. Specify the SMS PASSCODE authentication settings, and then click OK.

4. Click Apply to save your settings.

5. Click Yes to restart the Site.


Site Configuration

A Site is similar to a virtual FTP server bound to one or more IP addresses. In EFT hierarchy, a Server consists of one or more physical hardware devices (servers) running the EFT executable as a system service. Server Groups are at the top of EFT's setting hierarchy and allow you to group multiple Servers from a management or administrative perspective. Each EFT service, running as a single service on a single hardware device, can support multiple Sites.

You cannot run multiple Sites on the same IP address and port. Each Site requires an IP address and port combination that is not already claimed by another process or Site. To avoid conflicts when the same protocol is used, each Site requires either a distinct IP address (with the same port) or the same IP address with a different port. For example, use port 8080 for HTTP instead of 80, or 2121 for FTP instead of 21. You cannot have two Sites trying to use port 21 on the same IP address. The two Sites will conflict; the Site that starts first claims the contested port.

The hardware in EFT's computer does not limit the number of Sites you can set up, at least regarding how many NICs (Network Interface Cards) you have. In Windows, you can assign any number of IP addresses to a single NIC.

In the above example, your internal users could connect to site 1A using the Site's internal IP address (192.168.20.134:21), while external users can access site 1C using the host address you designate, such as partners.globalscape.com, which resolves to a different IP address on the same port.

Sites can each have a unique authentication provider type, the same authentication provider type, or even share the same authentication provider database. For example, Site 1A could use Globalscape Authentication, Site 1B could use Active Directory (AD), and Site 1C could share the AD database.

The EFT service runs under a user account, which must have full administrative rights to the folder in which you installed EFT. With administrative rights, the EFT service can save all your settings. If the EFT service does not have administrative rights, you lose settings and user accounts whenever you restart the EFT service, and you need to reset permissions on the computer where the EFT service is running.

You will need the following information to create and configure a Site:

• Site name, listening IP address, and administrator port

• Root folder path

• DMZ Gateway IP address and port, if used

• SSL/SFTP keys/certificate/ciphers/version information


Creating a Site

To create a Site

1. The Site Setup wizard appears automatically after you complete the Server Setup wizard; otherwise, do one of the following:

o In the administration interface, click Configuration > Create New Site.

o Right-click anywhere in EFT's tree, then click Create New Site.

The EFT Site Setup Wizard appears.


2. You are asked to choose the default security level for the Site. If PCI DSS compliance is not a requirement, you can use the default security settings and then manually configure advanced security options individually, as needed. Do one of the following:

o To create a Site that complies with PCI DSS, refer to Creating a High Security-Enabled Site.

o To create a standard Site, click Default security settings.

3. Click Next. The Site Label and Listening IP page appears.

4. In the Site label box, type a distinguishing name for the Site. MySite appears by default, but you can change this to anything you want.

The Site name cannot have a period at the end of the name or use any characters that are not allowed in Windows file naming. When you create a Site, EFT creates a file named site_name.aud in the installation directory (e.g., C:\ProgramData\Globalscape\EFT Enterprise\MySite.aud). The Site label is also used in the Virtual File System (e.g., C:\Inetpub\EFTRoot\MySite\Usr) and in logs and reports.

5. Next to the Listening IPs box, click Configure. The Listening IP Settings dialog box appears.

o The dialog box displays the IP addresses that are available on the computer, in addition to All Incoming (IPv4) and All Incoming (IPv6).

o You cannot type in an address.

o IPv6 is not enabled by default for security reasons; IPv4 is enabled by default.

o The "All" options are exclusive. That is, you can't select All Incoming (IPv4) and then one or more specific IP addresses. However, you can select multiple individual addresses if none of the "All" options are selected.

o "Link local" appears next to certain IPv6 addresses. Routers do not forward packets with link-local addresses. In IPv6, link-local addresses are always assigned, automatically or by configuration, and are required for the internal functioning of various protocol components. IPv6 requires operating systems to assign link-local addresses to network interfaces even when routable addresses are also assigned. A link-local unicast address has the prefix fe80::/10 in standard IPv6 CIDR notation.

6. Select one or more check boxes for the IP address(es) on which the Site is to listen for connections, and then click OK. The selected address(es) appear in the Listening IPs box.

o You can copy the addresses in the Listening IPs box: Right-click in the box, click Select All, then right-click again and click Copy or use CTRL+V. (Unicode-related items on the right-click menu are a Windows feature and do not apply to EFT.)

7. Click Next. The Site Root Folder page appears.

8. In the Site root box, click Browse to specify the root folder or keep the default displayed in the box. If you type a folder name that does not exist, it will be created.

9. In the Additional folder options area, select the check boxes as needed:

o Select the Automatically create UNIX-style subfolders check box to create Usr, Pub, Bin, and Incoming folders with appropriate permissions under the Site's root folder. This is only necessary if you are trying to mimic a typical default *nix EFT setup. It is selected by default.

o Select the Automatically create and assign home folders to newly created users check box to automatically create a user folder under \Site Root\Usr\ when a new user is added. The folder name is the same as the username. For example, username jbite would have the folder C:\InetPub\EFTRoot\MySite\Usr\jbite.

On an AD-authenticated Site, if Automatically create and assign home folders to newly created users is enabled, EFT creates a virtual folder under the Site's physical root that points to the user's home folders assigned in AD. If Automatically create and assign home folders to newly created users is disabled, the functions for creating virtual or physical folders for AD users are disabled.

10. Click Next. The User Authentication Provider page appears.


11. (Skip this step if you are creating an AD-authenticated Site or not using RADIUS or RSA; RADIUS/RSA available in EFT Enterprise only.) If EFT is connecting to a server using RADIUS or RSA SecurID, select Enable RADIUS support or Enable RSA SecurID support, then click Configure. The applicable Settings dialog box appears:

o For RADIUS:

a. In the RADIUS Server box, provide the name of the RADIUS Server (host name or IP address).

b. In the RADIUS Server Port box, provide the port the RADIUS Server is bound to. The default port is 1812.

c. In the NAS Identifier box, provide EFT's NAS identifier for the RADIUS Server.

d. In the Shared secret box, provide the shared secret used to encrypt and sign packets between EFT and the RADIUS Server.

e. In the Connection Retries box, specify the number of times a RADIUS packet will be submitted to the server before giving up. The packet is resubmitted if there is no response from the server. (RADIUS runs over UDP, so packets may be dropped or ignored by the server.) The default is 3 retries.

f. In the Timeout box, specify how long to wait for a server response, in seconds. The default is 3 seconds.

o For RSA SecurID, click the folder icon to specify the location of the RSA Server configuration file (SDConf.rec), and then click OK.

12. In the Authentication provider list, specify the type of user authentication this Site is to use. (Click a link below to skip to that section.)

o Globalscape EFT Authentication - Does not rely on outside sources for user information. All information in the authentication database is protected from the operating system, contained within the encrypted .aud file located in the EFT directory (e.g., C:\ProgramData\Globalscape\EFT Enterprise), and can only be modified through the administration interface.

o Windows Active Directory (AD) Authentication - Connects to an AD server for user information.

o LDAP Authentication - Connects to an LDAP server for user information.

o ODBC Authentication - Connects to an ODBC database for user information.


For Globalscape EFT Authentication

a. Verify that Globalscape EFT Authentication is specified, and then click Next. The EFT Server Authentication page appears.

b. The default path to store the user database appears in the box. If you want to store the user database in a different location, type the path in the box or click the folder icon to find and select or create a folder.

c. Skip to configuring Perimeter Network Security.

For Windows Active Directory Authentication

a. EFT is installed by default under the "local system" account, which cannot log in to AD. EFT must be running under an account that has permission to access the domain controller (i.e., create a domain account for EFT). Each Site can connect to only one domain. To connect to multiple domains, you must create multiple AD Sites.

b. In the Authentication type list, click Windows Active Directory Authentication.

c. Click Next. A prompt appears to remind you that you need to specify a different "Log on as" user for EFT.

d. Click OK. The AD Authentication page appears.

e. In the Type area, click Active Directory or NTLM/Local System Accounts to match the authentication method used on EFT's domain. Authentication is done with Microsoft's LogonUser() function in Windows. The operating system then determines which method to use for authentication, such as Kerberos, NTLM2, etc.

o Active Directory - EFT queries the domain controller for the list of users and groups.

o NTLM Authentication/Local System Accounts - EFT queries the local system to get the list of users and groups.

f. In the Domain area, do one of the following:

o Click Default if you want to use the authentication database on the computer's current domain.

o Click Specify, then in the box, provide the domain name that contains the authentication database.

g. In the Group area, do one of the following:

o To allow access to every user in the domain's database, click Everyone.

o To allow access to only a specific AD Group, click Specify, then in the box, type the AD group name for users that will have access to EFT.

For information about support for foreign groups, refer to Support for Foreign Groups.

h. To verify your settings, click Test.

i. To close the Test dialog box, press ESC.

j. In the Use this user attribute as the logon name box, click the list to specify the attribute to use (only available when AD authentication is selected):

o NT 4 Account Name - Username

o Display Name - (DN) When a new user is created in Active Directory, the Full name field is always generated in FirstName LastName format. This field sets the Display Name field on creation, and you end up with a FirstName LastName formatted global address list.

o User Principal Name - (UPN) For example, [email protected]

o Common Name - (CN) fully qualified domain name, computer name (netbios), localhost

Regardless of the logon name chosen, EFT will accept the provided logon name type, whether UPN, NT4 account name, common name, or display name, and if a match exists, the user will be authenticated and the chosen logon name type will be displayed in the administration interface.

Logon name type              Allowed login form
NT4 Account Name (NT4)       NT4/UPN
Display Name (DN)            DN/NT4/UPN
User Principal Name (UPN)    UPN/NT4
Common Name (CN)             CN/NT4/UPN

k. In the User list refresh interval box, click the list to select how often you want EFT to check the authentication database for new users (server specified, never, or from 5 minutes to 1 day).

l. Under When creating home folders for newly created users, click Create a virtual folder or Create a physical folder. If you click Create a virtual folder, the virtual folder will point to the user's home folder as defined in his/her AD profile. (Disabled if Automatically create and assign home folders to newly created users is disabled on the Site Root Folder page of the wizard, step 6.)

m. If NT4 Account Name was selected as the logon attribute and Create a physical folder under the site root folder was selected, you can choose not to include the domain in the folder name by selecting the Don't include domain attribute in folder name, e.g., /jsmith, rather than /domain.jsmith check box.

n. Skip to configuring Perimeter Network Security.

For LDAP Authentication

a. If you are using Common Access Card (CAC) authentication, click Common Access Card (CAC) authentication. (The Configure button applies only to RADIUS and RSA.)

b. In the Authentication type list, click LDAP Authentication, then click Next. The LDAP Authentication page appears.

c. In the Server box, type the Server name or IP address.

d. In the Port box, keep the default port 389 or specify a different port used by your LDAP server.

e. In the Base DN box, type the base domain name for the LDAP user database, in the format option=value (e.g.: dc=forest,dc=tree,dc=branch), or click List DNs to complete the box automatically or select from a list.

f. In the User Filter box, type the search filter information. Refer to Advanced LDAP Filtering for a detailed explanation of LDAP filtering.

g. In the Login Attribute box, type a comma-separated list of attributes to retrieve. Add userprincipalname to the LDAP query so that the userprincipalname is used for the account name in queries. For example, type: userprincipalname,mail,e-mail,name,cn


h. In the Authentication mode area, click one of the following binding methods to define how the client is authenticated:

o Anonymous

o Simple requires a username and password. If Active Directory is acting as the LDAP provider, then providing credentials in the DOMAIN\username style is sufficient. The credentials provided are typically those of the service account, and the user does not need to have any elevated privileges on the AD domain, only a Domain User. Otherwise, the username must follow the syntax for the LDAP server that includes the Common Name and the Domain Components of your LDAP server's distinguished name. For example, the username might be the following: cn=Manager,dc=forest,dc=tree,dc=branch

The LDAP bind password is encrypted in the FTP.cfg file.

i. If you want to encrypt LDAP communications, select the Bind Using SSL check box. If Microsoft's Active Directory is the LDAPS provider, Certificate Services must be enabled on the domain before domain controllers will be able to receive encrypted LDAP connections.

j. Click Advanced. The LDAP Authentication Advanced Options dialog box appears.

k. Specify advanced options based on your requirements:

o Set timeout - Specify the connection/query timeout (in seconds). This option coupled with paging can help you avoid timeouts when querying against large directories.

o Set search scope - This specifies the depth of the level to search for under BaseDN.

BASE - Only the requested object specified in BaseDN is searched.

OneLevel - All of the objects just below this object are searched.

Subtree - Searches for all the objects within the specified BaseDN object recursively.

o Turn on referral chasing - If you have referral chasing on, the query returns information for objects that exist in the LDAP structure, but do not actually exist on the LDAP server to which EFT is connected. The query displays bookmarks to entries that exist elsewhere in the network that EFT knows about.

o Set LDAP Version - LDAP 2 is widely supported and adds anonymous binding and some filtering. LDAP 3 extends the features of LDAP 2 by adding paging (server side) and more complex filtering.

o Use LDAP server-side page control - Asks EFT to limit result sets (or pages) to 1000 at a time or the value specified under Override search page size, if checked. If Use server page control is not selected, client-side paging is used to mitigate timeouts when retrieving large directory listings. If you are connecting to a SUN Directory LDAP server, turn off page control.

o Override search page size - Overrides the default page size (1000) for client or server-side page limits. Making the value too large can cause timeouts. Setting the page size too small reduces the overall efficiency.


Select attributes - Returns only the specified attributes for the user objects found by the search query. Specifying only the necessary attributes greatly increases the efficiency of the query, because the filtering occurs on the LDAP server. Add userprincipalname to the LDAP query so that the userprincipalname is used for the account name in queries. For example, type: userprincipalname,mail,e-mail,name,cn

l. Click OK to close the LDAP Authentication Advanced Options dialog box.

m. To test your settings, click Test. The Authentication Manager Test Results appear. For details of the LDAP test, refer to Testing LDAP Authentication Settings.

n. Click the X in the upper right corner to close the dialog box.

o. Specify the path at which EFT will store additional user settings, if different from the default shown in the wizard.

p. In the User list refresh interval box, specify the frequency at which EFT's user list should be refreshed. By default, the Server is configured not to refresh automatically.

q. Skip to configuring Perimeter Network Security.
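Before committing the bind account, base DN, search scope, paging and attribute list in the wizard, it is useful to exercise exactly those settings from the EFT host with a tool that reports errors in more detail. The following PowerShell function is an added example, not part of EFT or its documentation: it performs the same LDAP simple bind and paged search that the options above describe, using the .NET System.DirectoryServices.Protocols classes. The server name dc01.corp.example, the account CORP\svc_eft and the DNs are placeholders; the default filter is Active Directory style and should be adjusted for other directories.

```powershell
# Added example, not part of EFT: dry-run the wizard's LDAP settings with .NET's
# System.DirectoryServices.Protocols before saving them in EFT.
# Host names, account names and DNs used here are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EftLdapSettings {
    param(
        [Parameter(Mandatory)][string]$Server,                 # e.g. 'dc01.corp.example' (assumed)
        [int]$Port = 389,                                       # switched to 636 when -UseSsl is given and the port is left at 389
        [Parameter(Mandatory)][string]$BindUser,                # 'CORP\svc_eft' for AD, or a DN such as 'cn=Manager,dc=forest,dc=tree,dc=branch'
        [Parameter(Mandatory)][securestring]$BindPassword,
        [Parameter(Mandatory)][string]$BaseDn,                  # e.g. 'ou=Partners,dc=corp,dc=example' (assumed)
        [string]$Filter = '(&(objectClass=user)(objectCategory=person))',   # AD-style filter; adjust for other directories
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$Scope = 'Subtree',
        [string[]]$Attributes = @('userPrincipalName', 'mail', 'name', 'cn'),
        [int]$PageSize = 1000,
        [int]$TimeoutSeconds = 30,
        [switch]$UseSsl,
        [switch]$ChaseReferrals
    )
    if ($UseSsl -and $Port -eq 389) { $Port = 636 }
    if (-not $UseSsl) {
        Write-Warning 'Simple bind over plain LDAP sends the service-account password in cleartext.'
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $credential = New-Object System.Net.NetworkCredential($BindUser, $BindPassword)
    # AuthType.Basic is an LDAP simple bind, the same operation as EFT's "Simple" option.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3                     # server-side paging (RFC 2696) requires LDAPv3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl        # LDAPS; the DC certificate must chain to a CA this host trusts
    $referrals = if ($ChaseReferrals) { 'All' } else { 'None' }
    $conn.SessionOptions.ReferralChasing = $referrals
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.Bind()   # throws an LdapException for a malformed DN/username or a wrong password

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]$Scope, $Attributes)
    $request.TimeLimit = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($pageControl)

    $found = 0; $pages = 0; $missingUpn = 0
    do {
        $response = $conn.SendRequest($request)
        $pages++
        foreach ($entry in $response.Entries) {
            $found++
            # When userPrincipalName is in the attribute list EFT uses it as the account name,
            # so entries without one would not be usable as logins.
            if (-not $entry.Attributes.Contains('userPrincipalName')) { $missingUpn++ }
        }
        $pageResponse = $response.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        if ($pageResponse) { $pageControl.Cookie = $pageResponse.Cookie }   # empty cookie means this was the last page
    } while ($pageResponse -and $pageResponse.Cookie.Length -gt 0)          # $null when the server ignores paging (e.g. SUN Directory)
    $conn.Dispose()

    [pscustomobject]@{ BoundAs = $BindUser; Scope = $Scope; Entries = $found; Pages = $pages; MissingUpn = $missingUpn }
}

# Usage (values are placeholders):
#   $pw = Read-Host -AsSecureString 'Bind password'
#   Test-EftLdapSettings -Server dc01.corp.example -BindUser 'CORP\svc_eft' -BindPassword $pw `
#       -BaseDn 'ou=Partners,dc=corp,dc=example' -Scope Subtree -UseSsl
```

A bind failure here points at the credential or DN syntax rather than at EFT; a search that returns one page with the expected number of entries confirms the BaseDN and scope; and a non-zero MissingUpn count tells you in advance which accounts will not appear under the name you expect once userprincipalname is the key attribute.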

For ODBC Authentication

a. Click Next. The ODBC Authentication page appears.

b. In the Specify the data source box, type a connection string for the ODBC database. Refer to Using a DSN-Less Connection with ODBC Authentication for details of creating the connection string, if necessary.

c. Select the Encrypt user passwords check box to store hashed rather than plaintext passwords in the database. When this check box is selected and you create user accounts within EFT, the ODBC database is populated with the username and a SHA-256 hash of the account password. Alternatively, you can set a value in the registry to store MD5 hashes instead; MD5 is cryptographically broken and should be used only where a legacy database requires it.

d. In the User list refresh interval list, specify how often you want EFT to check the database for new users.

You can change the refresh interval later in the Authentication Options dialog box.

13. Click Next. The Perimeter Network Security page appears.

14. Specify whether to connect the Site to DMZ Gateway.

o If you choose to connect to DMZ Gateway, specify its IP address and port, and then click Test Connection. If the DMZ Gateway is properly configured, the test is successful. If the test is not successful, click I'm not using the DMZ Gateway - or I'll configure it later.

o If you have not yet installed or configured DMZ Gateway Server, click I'm not using the DMZ Gateway - or I'll configure it later.

15. Click Next. The Connection Protocols page appears.

16. Select one or more check boxes for the protocol(s) that this Site will use to connect to EFT and specify the port number for each protocol. The default ports appear in the boxes.

By default, the FTP server in Microsoft IIS binds to port 21 on all IP addresses. If you want to run both the IIS FTP server and EFT, you need to disable socket pooling for the IIS FTP server.

17. If you selected FTPS, HTTP, or AS2, define the allowed SSL versions and ciphers. Click SSL options, or skip this step and leave the defaults.

a. In the Allowed SSL versions list, keep the default of TLS 1.0 and SSL 3.0, or click Auto Negotiable. SSL 3.0 and TLS 1.0 are deprecated protocols with known weaknesses; unless a legacy partner requires them, allow only TLS 1.1 and 1.2.

b. In the Allowed ciphers list, select the ciphers in the list or click Manually specify ciphers and provide the ciphers in the Command box. (Manually defining ciphers should only be done by advanced users.)

Refer to Using Ciphers for SSL Connections with EFT for a detailed explanation of SSL versions and ciphers. If EFT is in FIPS mode, only FIPS-approved ciphers are available.

18. If you selected FTPS, HTTP, or AS2, specify the SSL certificate to use for this Site. Click SSL certs. The SSL Certificate Options page appears.

o To create a certificate, click Create certificate and follow the prompts in the wizard. (Refer to Creating Certificates for details, if necessary.)

o To use an existing certificate:

i. In the Certificate box, type the path to the .crt file or click the folder icon to find and select it.

ii. In the Private key box, type the path to the .key file or click the folder icon to find and select it.

iii. In the Certificate passphrase and Confirm passphrase boxes, type and confirm the passphrase for the certificate pair.

If you do not enable SSL, you will not be able to connect to EFT from a remote administration interface. Refer to SSL Certificate-Based Login, Creating Certificates, and Importing a Certificate into the Trusted Certificate Database for information regarding certificates. If you are using Secure Ad Hoc Transfer, you need to configure remote access to EFT.

19. Click Next to return to the Protocols page.

20. Click SSL Options. The SSL Options page appears. o

TLS 1, 1.1, and 1.2 are selected by default. If you're unsure what to select, leave it at the defaults, then click Next.

21. If you chose SFTP, click SFTP options, and specify the algorithms this Site will use for SFTP. If FIPS mode is enabled on EFT for SFTP, only the FIPS-approved algorithms are available (i.e., fewer options appear in the lists of algorithms).

• Click Next to return to the Protocols page, and then click SFTP keys to configure an SFTP key pair. The Create SSH2 Public/Private Keypair wizard appears.

a. Specify a name, location, format, and bit length of the key pair, and then click Next.

b. Specify and confirm the passphrase to encrypt the private key, and then click Next.

c. Specify whether to use this key as the default host key and whether to copy the public key to the SSH key manager, and then click Finish.

d. After the key is generated, click Finish. You are returned to the Site Setup wizard.

22. Click Next to return to the Protocols page.

23. If you chose AS2 over HTTP/S, click Configure. The AS2 Setup Wizard appears.

a. Click Next.

b. Specify Your AS2 identifier. There is no standard for the AS2 identifier. You can use your name, your company's name, or some other unique name. EFT validates the AS2 identifier to determine whether it is unique (not used by another partner on this EFT). If you type an ID that is not unique, the field resets to blank.

c. Click Next.

d. Specify the AS2 certificate path for signing/encryption, populated by default with the SSL certificate paths (if present) for EFT SSL communications. Click the folder icons to specify a certificate pair or click the blue create link to open the SSL certificate wizard to create a new certificate pair. (You can use the same SSL certificate that you are using for the Site.)

e. Click Next, then click Finish.

24. Click Next. The Site Setup Completed page appears.

25. If you specified Globalscape authentication, you are offered the option of running the user creation wizard or quitting the Site Setup wizard and creating users later. Click an option, then click Finish.

o If you chose Run New User Creation wizard, the User Creation wizard Welcome page appears. Continue to Creating User Accounts for the procedure.

You can run the Site Setup wizard again at any time to create additional Sites.

You can view and modify individual Site settings in the administration interface.
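Once the wizard has finished, confirm from outside EFT that the listeners behave as configured: that no other service (such as the IIS FTP server mentioned in step 16) already owns the ports, and that the SSL versions you restricted in steps 17 and 20 are actually refused. The two PowerShell functions below are an added example, not part of EFT or its documentation. They rely on Windows' Get-NetTCPConnection cmdlet (Windows Server 2012 / Windows 8 or later) and .NET's SslStream; the port list and the host name eft.example.internal are assumptions.

```powershell
# Added example, not part of EFT: post-setup checks for a Site's listeners.
# Requires Windows Server 2012 / Windows 8 or later for Get-NetTCPConnection.

function Get-ListenerOwner {
    # Reports which process, if any, is already listening on each port you intend to give EFT.
    # The default list assumes the usual FTP/SFTP/HTTP/HTTPS ports; pass the Site's actual ports.
    param([int[]]$Ports = @(21, 22, 80, 443))
    foreach ($port in $Ports) {
        $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $listeners) {
            [pscustomobject]@{ Port = $port; LocalAddress = $null; Process = '(free)' }
            continue
        }
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "PID $($l.OwningProcess)" }
            # A 0.0.0.0 / :: entry means the owner bound all addresses (IIS FTP socket pooling looks like this).
            [pscustomobject]@{ Port = $port; LocalAddress = $l.LocalAddress; Process = $name }
        }
    }
}

function Test-TlsVersions {
    # Attempts a handshake with each protocol version on its own; Accepted = $true means the
    # listener still negotiates that version. Suitable for HTTPS and implicit FTPS listeners;
    # explicit FTPS (AUTH TLS) needs the FTP command exchange first and is not covered here.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ComputerName, $Port)
            # Accept any server certificate: this probe tests protocol support, not trust.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{ Protocol = $name; Accepted = $true; Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)" }
        } catch {
            [pscustomobject]@{ Protocol = $name; Accepted = $false; Cipher = $null }
        } finally {
            $client.Close()
        }
    }
}

# Usage (host name and ports are placeholders):
#   Get-ListenerOwner -Ports 21, 22, 443
#   Test-TlsVersions -ComputerName eft.example.internal -Port 443
```

Run Get-ListenerOwner before step 16 to see whether port 21 is already held by the IIS FTP service, and Test-TlsVersions after applying the SSL options; a correctly hardened Site shows Accepted = False for Ssl3 and Tls. Note that a False for Ssl3 can also mean the probing machine's own .NET Framework has SSL 3.0 disabled, so confirm with a second tool if you need to prove the server side refuses it.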

Changing a Site's Root Folder

The Site root folder is specified when you create a new Site; however, you can later change a Site’s root folder.

If you change a Site's root folder, all previously configured user and Group folder permissions related to that Site are deleted. You will have to redefine the permissions.

To change the Site root folder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the General tab.

4. Next to the Site root folder box, click the folder icon to specify a new Site root folder. (The path must be a physical folder, not a virtual folder; using the folder icon to browse for a path is recommended over typing the path.)

5. Click Apply to save the changes on EFT.

Because of a limitation of the HTTP protocol, when a connection is established using HTTP, the client (e.g., a Web browser) shows the root folder, not the user's home folder.

Changing a Site's IP Address or Port

A Site's IP address and port are specified when the Site is created . You can change the IP address and ports using the procedure below.

To change the listening (incoming) IP address and/or port

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Connections tab.


4. Next to the Listening IP addresses box, click Configure. The Listening IP Settings dialog box appears.

• The dialog box displays the IP addresses that are available on the computer, in addition to All Incoming (IPv4) and All Incoming (IPv6).

• You cannot type in an address.

IPv6 is not enabled by default, for security reasons; IPv4 is enabled by default.

• The "All" options are exclusive. That is, you can't select All Incoming (IPv4) and then one or more specific IP addresses. However, you can select multiple individual addresses if none of the All options are selected.


• "Link local" appears next to certain IPv6 addresses. Routers do not forward packets with link-local addresses. In IPv6, link-local addresses are always assigned, automatically or by configuration, and are required for the internal functioning of various protocol components. IPv6 requires operating systems to assign link-local addresses to network interfaces even when routable addresses are also assigned. A link-local unicast address has the prefix fe80::/10 in standard IPv6 CIDR notation.

5. Select one or more check boxes for the IP address(es) on which the Site is to listen for connections, and then click OK. The selected address(es) appear in the Listening IP addresses box.

• You can copy the addresses in the Listening IP addresses box: Right-click in the box, click Select All, then right-click again and click Copy, or press CTRL+C. (Unicode-related items on the right-click menu are a Windows feature and do not apply to EFT.)

6. Specify the port number for each of the enabled protocols.

7. Click Apply to save the changes.

8. A confirmation prompt appears. Click Yes to apply the changes and restart the Site or click No if you do not want to restart the Site. (Changes will be applied at the next restart.) Cancel returns you to the tab where you can click Refresh to remove your changes.

Changing the User Database Refresh Rate

When you define EFT, you specify the refresh rate for all Sites that connect to that Server. However, you can override this refresh rate for the Site. You can also manually refresh to see any user account changes (View > Refresh User Database).

Database refresh should be disabled on EFT nodes used in HA configurations.

To change the refresh rate

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the General tab.


4. Next to the User auth manager box, click Configure. The dialog box that appears depends on the type of user authentication the Site is using, but each of them has the Enable Automatic Refresh every check box.

5. Select the Enable Automatic Refresh every check box and specify the frequency with which to refresh the user list from the authentication database; clear the check box if you do not want the Site's user list to refresh automatically. A grayed check box indicates that the setting is inherited from the Server.

The user list is refreshed automatically on Server startup, when the user database synchronization timer fires, and when an administrator makes changes related to the user database; it is not refreshed while the Site is stopped. You can manually refresh the user database by clicking View > Refresh User Database on the main menu.

6. Click OK, and then click Apply to save the changes on EFT.

Starting or Stopping a Site

You might occasionally need to stop and restart a Site, such as when you create and assign a certificate to a Site or configure the DMZ Gateway to connect to a Site.

To start or stop a Site

When you stop the Site, EFT breaks all existing connections and waits until all socket threads die. The service can terminate while Timer Event processing is still in progress. The triggering of Monitor Folder and Timer Event Rules occurs almost simultaneously and is controlled by the operating system, not by EFT. Refer to Event Rule Order of Execution for more information.

1. In the administration interface, connect to EFT , and then click the Server tab.

2. On the Server tab, click the Site that you want to start or stop.

3. In the right pane, click the General tab.


4. Do one of the following:

• Click Stop. The Site status changes to Stopped.

• Click Start. The Site Status changes to Started.

Viewing Site Statistics

In the administration interface, you can view the status of the Site in real time, such as number of users connected, average speed, the number of active Web Transfer Clients sessions, and so on.

To monitor current statistics on the Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to monitor.

3. In the right pane, click the General tab.


The Site's information appears in the Statistics area.

Site status: Displays "Running" or "Stopped"; you can also stop and start the Site from here.

Start date/time: Displays the date and time that the Site was last started.

Last modified time: Displays the date and time that the Site was last modified.

Last modified by: Displays the username of the user who last modified the Site.

Active sessions: Displays the number of users who are currently logged in to the Site.

Users defined: Displays the number of user accounts defined on the Site.

Web Client Sessions: Displays the number of sessions in use/available.

Active uploads: Displays the number of uploads in progress.

Active downloads: Displays the number of downloads in progress.

Average speed: Displays the average transfer speed.

You can view details of transfers to and from EFT on the Status tab. Refer to Viewing Transfers To and From a Site for details.

Viewing Connections to a Site

On the Status tab, expand the Site node to view connection status for the Site, AS2 transactions, and each connected user account.

For example, if a user is connected to EFT via SFTP, the Site tree displays an ID number, the username, the remote IP address of the connection, and "SFTP": for example, 4: jbite (192.168.174.235) - SFTP. The right pane displays the Login (username), ID, Connection Type, date and time connected, IP address, Average Upload Speed, and Average Download Speed. The bottom of the right pane displays the connection log.

You can forcibly disconnect a user by selecting the user in the tree, and then clicking Kick User in the right pane.


You can see more details of the user's activity by selecting the user in the tree and then clicking Monitor User in the right pane.

Viewing Transfers To and From a Site

You can view details of transfers to and from EFT on the Status tab. On the Server tab, a node in the tree labeled Activity has two branches: Transfers - as Server and Transfers - as Client. Click one of the branches to open the Status tab to that view.

Or just click the Status tab, then click the applicable branch.


You can:

• Sort data by a column by clicking the column header.

• Filter results by typing characters in the Filter box. For example, display only transfers by a particular user or from a specific Remote IP address.

• Display or hide successful, failed, or in-progress transfers by selecting or clearing the Show successes, Show failures, and Show in progress check boxes.

• Retrieve historical transactions by specifying the number of minutes (from 1 to 9999) in history that you want to retrieve, then clicking Retrieve. The maximum number of records that can be displayed is 10,000.

• Specify which columns to display or hide by right-clicking on the column header, and then clicking the column name to display or hide.

• Click the linked text (Success or Failure) to view the details of the transfer.

• Stop an in-progress transfer by clicking Stop Transfer. Stopping the transfer can free up bandwidth when large transfers are occurring and a higher-priority transfer needs to get through. You can also select multiple transfers to stop them all at the same time.

o The Admin Actions report includes transfers stopped by the administrator, as do the other relevant file transfer activity reports.

o Stopped client transfers will not retry automatically. Other connections from the user are unaffected.

o Stopped outbound transfers are audited to CL.log; stopped inbound transfers are audited to EX.log.

o When you click Stop Transfer, a prompt appears in which you can choose to disable the user account that initiated the transfer to prevent retries. If disabled, the account must be re-enabled by an administrator. (You will have to refresh the interface to see that the user is disabled.)

o For client offload Event Rule Actions (i.e., Copy/Move File Actions), a prompt appears in which you can choose whether to consider the stopped transfer a failed transfer. If you do not want any "If Action Failed" Actions to occur when the transfer is stopped, clear the check box, and then click Stop Transfer.

The available columns are listed in the table below. Which columns appear depends on whether you are viewing Transfers as Server or Transfers as Client.

Column | Description
Date/Time | Date and time of transfer in the format MM/DD HH:MM:SS AM/PM
Status | Success or Failed
Direction | Whether sending or receiving the file
Username | Username of account initiating the transfer
File Name | Filename of file being transferred
Remote IP | IP address of remote computer
Local IP | Server's IP address
Local Port | Server's port on which the file is transferred
Remote Port | Port of remote computer used for transfer
Protocol | Protocol over which the file is transferred
Path | Path on EFT to which file is transferred
Remote Path | Remote path of file being transferred
Local Path | Local path of file being transferred
Transferred | Size of file being transferred
% Complete | Percentage of transfer completed; see the table below for the protocols and directions that can display it
Rate | Rate, in kilobits per second (kbps), at which the file is transferred
Elapsed | Time in HH:MM:SS that it took to transfer the file

Whether % Complete can be displayed depends on the protocol and the direction of the transfer:

Role and direction | HTTP | HTTPS | FTP | FTPS | SFTP
EFT as server, inbound (client push to server) | % | % | n/a | n/a | n/a
EFT as server, outbound (client pull from server) | % | % | % | % | n/a
EFT as client (Event Rules), outbound (EFT pushing to remote host) | % | % | % | % | %
EFT as client (Event Rules), inbound (EFT pulling from remote host) | % | % | % | % | %

Searching a Site

You can use EFT's search feature to find and open an item on a Site, such as a user account, a workflow, or Event Rule. The table below indicates which objects are searched and which details within the objects can be found.

Object Type | Name Search | Details Search
Settings Template | name | name
User | name | name, account details (e.g., e-mail address), home folder
Group | name | name
Command | name | name, description, path, parameters
Advanced Workflows | name | name, description
Event Rule | name | name, paths, download/offload usernames and host names, Send E-mail Action e-mail addresses and names

For example, you can search for an e-mail address, and not only find the user to whom the e-mail address belongs, but also any Event Rules that reference that e-mail address.

To find an object on a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to search.

3. Press CTRL+F or click the Search node in the Site tree.

The Search dialog box appears.


4. At the bottom of the Search box, click Search names to find only the names of objects, or click Search names and details to search within objects for things like e-mail addresses or paths. (Refer to the table above to see which objects contain searchable details.)

5. In the text box at the bottom, type the text to find. EFT will automatically search as you type and display the results in the top box. For example, suppose you have a user named jimbob and a user named jimbo. As you type, both jimbob and jimbo appear in the results. When you type the final b, only jimbob appears in the results.

If you enter a character that is not found in any strings, the "<<NO MATCHES FOUND!>>" message appears.

6. Click an item in the tree to open the item and close the Search dialog box. For example, if you click a username, that user's General tab appears.

• You can click the Search node again to reopen the Search dialog box with the latest search results displayed. The latest search results are also updated as you create new items. For example, suppose you have user1, user2, and user3 and you searched for "user." The Search dialog box will show user1, user2, and user3, and any Group, Command, Event Rule, or Workflow on that Site that contains the word "user." If you click a search result, close the Search dialog box, and then create user4, the next time you open the Search dialog box, user4 will appear in the search results (until you clear "user" from the search field).

7. Click the X in the upper right corner to close the Search dialog box.

Deleting a Site

If you want to delete a Site that you no longer use, you can do so in the administration interface. When you delete a Site, the Site and the objects under it are deleted from the administration interface, but the folders in C:\Inetpub\EFTRoot, which includes Site and user folders, are not deleted. That is, if you were to create a new Site with the exact same name, it would be created with the same users.

If the Site folder (e.g., C:\Inetpub\EFTRoot\MySite) is deleted, a warning message appears in the administration interface.

To delete a Site

1. In the administration interface, connect to EFT and click the Server tab.


2. On the Server tab, click the Site that you want to delete, right-click it, and then click Delete.

3. A password prompt appears. In the Password box, type your EFT administrator password, and then click Delete.

Enable and Configure EFT Workspaces

The Workspaces feature of EFT allows end users to share their folders with other users. The user account that is sharing the folder maintains control of permissions to the shared folder, and can revoke sharing privileges at any time.

Workspaces provides the ability to easily share and collaborate on information that is securely managed by EFT, including existing authentication, access control, auditing, governance, and Event Rule workflow capabilities available in EFT.

To enable Workspaces

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Workspaces tab.

4. Select the Enable Workspaces check box.

5. Under Workspaces Configuration, specify whether to allow EFT users to send invitations to users who are not in the EFT user authentication database:

• Allow invitations to new EFT users for Workspaces

• Allow Workspaces shared with existing EFT users only


Settings Template Configuration

Settings Templates exist within a Site and consist of a group of security and access-control settings used as a template. Every client account or user must be a member of a Settings Template. Each new user is assigned to a Settings Template whose settings determine how EFT resources may be used. One Settings Template might be quite restrictive, while another might allow more access to resources. For example, power users would be assigned to a Settings Template allowing greater flexibility in using EFT resources, while guest users would be assigned to a more restrictive template where use of EFT resources is very limited. Settings Templates allow an administrator to make changes to the Settings Template that affect all users assigned to that template. The basic profile of individual users can also be changed, overriding the template. Users can also be moved between Settings Templates; users that are moved inherit the properties of the new Settings Template, but retain any modifications (overrides) made by the administrator.

EFT installs with one Settings Template named Default Settings. Additional Settings Templates can be added to define access to EFT resources for various types of users. You cannot delete the Default Settings Template when it is the only Settings Template.

Settings Templates apply to the Server resources. Use permissions assigned to Groups to control access to folders on your system.

Creating or Deleting Settings Templates

Settings Templates allow you to control EFT’s resources while still giving users the flexibility they need to transfer essential files. You can create one or more Settings Templates before or after creating users and assign users to the desired Settings Template. The Settings Template inherits the settings from the Site, but you can override the settings.

To create a new Settings Template

1. In the administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• Click a Site or any node below the Site, then on the main menu, click Configuration > New Settings Template.

• Click the Settings Templates node, then, in the right pane, click New.

• Right-click a Site or any node below the Site, and then click New Settings Template.

• Click a Site or any node below the Site, then press CTRL+L.

The Create New Settings Template dialog box appears.

3. In the Site box, click the list to select a Site.


4. In the User Settings Template box, type a name for the new Settings Template. For example, type WTC Users. The name can contain up to 255 characters.

5. Optionally, type a Description for the Settings Template. For example, type: Web Transfer Client users.

6. Click OK. The new Settings Template appears under the User Settings Templates node.

7. Click the new Settings Template, and then click the General tab.

8. The Settings Template is enabled by default. To disable it, clear the Settings Template enabled check box.

9. If this is to be the default Settings Template, click Set as default. (The Set as default button only appears on the Settings Template's General tab if the template is not the default.) The Settings Template name in the tree will become bold.

10. In the Description box, the description you typed in the Create New Settings Template dialog box appears. If you did not type a description, you can type one here, but it is optional.

11. If you want to ensure that the Settings Template is not controlling the user's home folder, clear the ST Home folder check box. Refer to Specifying a User's Home Folder for details about specifying the home folder. This setting affects all users assigned to this Settings Template.

12. If you want to set a disk quota for the users' home folders, select the Set a disk quota for each user's home folder check box, then type the limit (in MB) in the Max disk space box.

13. Click the Connections tab. For information about the settings on this tab, refer to the following topics:

Listener (Protocol) Settings

Enable User Access to Web Transfer Client

Network Usage, Security Settings, Limits

14. Click the Security tab. For information about the settings on this tab, refer to the following topics:

Specifying Invalid Login Options

Enforcing Complex Passwords

Allowing or Forcing Password Reset

Expiring Passwords

Password Reuse (History)

Removing or Disabling Inactive User Accounts

15. Click Apply to save the changes on EFT.

To delete a Settings Template

1. Click the template in the list, and then click Remove.

2. A confirmation prompt appears. Click Yes to remove the Settings Template or No to cancel.


Inheritance

The Settings Template inherits settings from the Site, and a user initially shares the settings of the Settings Template in which the account was created. You can override inherited settings by clearing or selecting the check box. The link icon to the left of the check box indicates whether the setting is inherited from the parent.

Value | Display
Enabled | Check box selected
Disabled | Check box cleared
Inherit from parent; parent enabled | Check box selected with inherit icon
Inherit from parent; parent disabled | Check box cleared with inherit icon
Non-editable, value is enabled | Check box selected but disabled
Non-editable, value is disabled | Check box cleared but disabled

You can change a user's Settings Template by dragging and dropping the user into a different Settings Template, or by using the procedure in Moving a User to a Different Settings Template. The account's inherited settings change to reflect the settings of its new Settings Template; however, if a user account contains modified (overridden) settings and is moved to a new Settings Template, those modifications remain in effect in the new Settings Template.

Settings Template Home Folder

You can specify a home folder for the Settings Template, treat the Settings Template's home folder as the user's default root folder, and set a disk quota for each user's home folder in the Settings Template home folder.

To specify the Settings Template home folder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template that you want to configure.

3. In the right pane, click the General tab.

4. Select the ST home folder check box, then type the path to the home folder or click the folder icon and browse to the folder.

5. If you want the user's root to be the Settings Template home folder, select the Treat home folder as the user's default root folder check box.

6. If you want to specify a disk quota for each user home folder in the Settings Template home folder, select the Set a disk quota for each user's home folder check box, then specify a value in MB in the Max disk space box.

7. Click Apply to save the changes on EFT.

Enabling or Disabling a Settings Template

When you disable a Settings Template, you disable any users in that Settings Template that are not enabled independently of the Settings Template.

To enable or disable a Settings Template

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template that you want to enable/disable.

3. In the right pane, click the General tab.


4. Do one of the following:

• To disable the Settings Template, clear the Settings template enabled check box.

• To enable the Settings Template, select the Settings template enabled check box.

5. Click Apply to save the changes on EFT. When a template is disabled, a red "X" appears over the template icon.


User (Client) Account Configuration

This section provides the procedures for creating, editing, and managing user (client) connections. See

Password Security Settings for password-related settings that are configured on the Site's Security tab

for all users.

Creating a User Account

This procedure provides instructions for creating a user account on Sites that use Globalscape Authentication. For the procedure for creating an EFT administrator account, refer to Configuring Server Administrators.

For information about creating anonymous accounts, refer to Anonymous User Accounts.

To create a user account

1. After you have completed the Site Setup wizard, you can continue directly to the New User Creation wizard. Otherwise, in the EFT administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• On the main menu, click Configuration, then click New User.

• Right-click the Server node or any node within it, and then click New User.

• On the toolbar, click the New user icon.

(On Active Directory Sites, if an invalid domain was created, the New User option is disabled.)

The New User Creation wizard appears.


3. In the Username box, provide the logon name. The following characters are NOT supported:

{ } | [ ] \ < > / : ; " ' * + =

Username length is limited to 149 characters. (If the path to the user's home folder happens to exceed the maximum number of characters allowed by the Windows operating system, the VFS home folder name will be truncated. The default path is in the Site root /Usr/%USER.LOGIN%.)

4. (Optional) Click Details. The New User Account Details dialog box appears.

a. Provide the user account Name, Description, Phone, Fax, E-mail, and/or Pager information. In the Custom 1, Custom 2, Custom 3, and Comments boxes, you can provide other phone numbers, office numbers, mail box number, location, and so on. The E-mail address box cannot contain more than 255 characters. You can specify multiple e-mail addresses, separated by semicolons.

b. Click OK to return to the wizard. (The e-mail address format is validated when you click OK. If the e-mail address contains invalid characters or does not contain the @ symbol, an error message appears. Click OK to dismiss the error message, then correct the address.)

5. In the Password and Confirm password boxes, provide the account password or click

Generate to generate a complex password. If you click Generate, the password appears in the box so that you can provide it to the user. (If the passwords do not match, an error message appears when you click Next.)

6. In the Password Type drop-down list, click one of the following:

Standard - A plain text password is required.

Anonymous - Any password, including nothing, allows an anonymous connection. (See note below, and Anonymous User Accounts for more information about anonymous passwords.)

Anonymous (Force e-mail) - Any well-formed e-mail address is the password. (See note below, and Anonymous User Accounts for more information about anonymous passwords.)

OTP S/KEY MD4 - Used for logging in to an OTP-enabled server.

OTP S/KEY MD5 - Used for logging in to an OTP-enabled server.


7. If RADIUS is enabled on the Site, the Enable RADIUS check box appears under the Generate button. The check box is set to inherit the Settings Template/Site setting by default. If the check box is selected, the Password, Confirm password, Generate, Password type, and the E-mail check box are disabled. If you do not want to enable RADIUS for this account, clear the check box. When the user is created, the account is assigned an auto-generated password based on the password complexity Rules for the assigned Settings Template. Doing so avoids the possibility of a user account with a blank password if RADIUS is disabled. (RADIUS is available in

EFT Enterprise only.)

8. (Optional) In the E-mail address box, provide the user's e-mail address. If you do not provide an e-mail address for the user, the user icon is identified as such in the tree, and the account will not be available for multi-user editing. You can specify multiple e-mail addresses, separated by semicolons. The E-mail address box cannot contain more than 255 characters. (If you provided an e-mail address in the New User Account Details dialog box in step 4 above, the address is copied to this E-mail address box.)

9. (Optional) Select the E-mail login credentials to this user check box. The username and password are sent to the e-mail address provided. Refer to E-mailing Users' Login Credentials for details, if necessary.

PCI DSS requires that you communicate password procedures and policies to all users who have access. You can edit the default text of the e-mail that is sent when you create a new user (CredentialsTemplate.txt) to include your organization's password policies and procedures. This file is stored in EFT's Application Data folder (by default, C:\ProgramData\Globalscape\EFT Server Enterprise).

10. Click Next.

PCI DSS requires that you not use group, shared, or generic accounts and passwords. To address this requirement, EFT hides the Anonymous password types for Sites defined using the "strict security settings" anywhere that the password type is selectable.


11. In the Site drop-down list, click the list to select the Site to which you want to add the user. If only one Site is defined, or if you clicked in a Site tree before clicking New User, the Site's name is displayed in the list box.

12. Click the Settings Template list and click the Settings Template to apply to the new user. All new users are automatically members of the Default Settings Template. You can move the user to a different template later if you have not yet defined a custom Settings Template.

13. In the Home folder box, type or click the folder icon to browse for and select a path (from the relative Site root) to the user's home folder. The default path is in the Site root /Usr/%USER.LOGIN%. You can also add the variables %USER.FULL_NAME% and %USER.EMAIL% to the path.

You cannot navigate above the Site root folder. Also, no verification is performed to determine whether the path is valid.

If you use /Usr/ as the account's home folder (and remove the default %USER.LOGIN%) and clear the Grant FULL permissions to user in this folder check box, the account will inherit the permissions of the /Usr/ folder, which are Show this folder in parent list and Show files and folder in list. The account will not have permission to upload, download, and so on. Refer to Setting VFS Folder Permissions for details of setting permissions on individual accounts.

• The Make the home folder the default root folder for this user check box setting is inherited from the User Settings Template/Site, but you can override the setting. If you do not want the user to have a home folder, clear this check box. Select the check box to make the home folder the user's default root folder. Template Settings Admins cannot change this setting when creating a new user. The user inherits the setting from the Settings Template.

• Select the Grant the user full permissions in their home folder check box if you want the user to have full permissions to their home folder.


If you do not grant users full permissions to their home folders, they will inherit their Group's permissions.

14. Next to Assign group membership, click Groups. The Group Membership dialog box appears.

15. Permission Groups are used in the Virtual Folder system to assign permissions to users. Each user is assigned to the All Users group. To assign the user to one or more other Groups, double-click the Group or click the Group and use the arrows to move the Group between the Member of and Not a member of boxes, and then click OK.

16. Click Next. The protocols page appears.

17. Select one or more check boxes next to the protocols on which the user is allowed to connect to EFT. (At least one check box must be selected.) Icons next to the check boxes indicate inherited settings from the Settings Template and Site. Clear the check boxes next to the protocols on which the user is not allowed to connect to EFT. If the text next to the protocol is also grayed out, the protocol has not been enabled for the Site and is not available.

• If you selected any SSL protocol check boxes, click SSL Auth to configure SSL authentication options for this user, if different from the Site/Settings Template.

• If you selected the SFTP check box, click SFTP Auth to configure SFTP authentication options for this user, if different from the Site/Settings Template. After specifying an SSH key for a user, new user accounts will have the same SSH key preselected.

• You can configure inbound only or outbound only AS2 partners/accounts.

18. Click Finished.

• If you selected the AS2 check boxes, a prompt appears regarding configuring this partner's AS2 settings. Click OK.


19. The user account appears in the tree and is selected. To create more users, repeat the procedure above starting with step 2.
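The wizard steps above state the rules EFT applies to the Username box (unsupported characters, 149-character limit), the E-mail address box (255 characters, semicolon-separated, must contain @), and the Home folder box (/Usr/%USER.LOGIN% by default, %USER.FULL_NAME% and %USER.EMAIL% allowed, no navigation above the Site root, and no validation of the typed path). The following is an added example, not EFT's own code or API, showing how a provisioning script could apply the same checks before creating accounts through any automated channel. The "exactly one @ with non-empty parts and no whitespace" e-mail rule, the Site-root sentinel, and the user record keys (login, full_name, email) are assumptions made for this example.

```python
"""Pre-flight checks for New User Creation wizard inputs (constructed example, not EFT code)."""
import posixpath
import re
from typing import Dict, List, Optional

# Characters the guide lists as NOT supported in a username.
FORBIDDEN_USERNAME_CHARS = frozenset('{}|[]\\<>/:;"\'*+=')
MAX_USERNAME_LEN = 149          # username length limit stated in the guide
MAX_EMAIL_FIELD_LEN = 255       # limit for the whole E-mail address box
DEFAULT_HOME_TEMPLATE = "/Usr/%USER.LOGIN%"
# Variables the guide allows in the home folder path, mapped to keys of a user record (assumed keys).
HOME_FOLDER_VARIABLES = {
    "%USER.LOGIN%": "login",
    "%USER.FULL_NAME%": "full_name",
    "%USER.EMAIL%": "email",
}


def validate_username(username: str) -> List[str]:
    """Return the rule violations for a logon name; an empty list means it is acceptable."""
    problems = []
    if not username:
        problems.append("username is empty")
    if len(username) > MAX_USERNAME_LEN:
        problems.append(f"username longer than {MAX_USERNAME_LEN} characters")
    bad = sorted(set(username) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        problems.append("unsupported characters: " + " ".join(bad))
    return problems


def validate_email_field(field: str) -> List[str]:
    """Check the E-mail address box: at most 255 characters, entries separated by ';',
    each containing '@'. Only the '@' and length rules come from the guide; requiring
    exactly one '@', non-empty parts and no whitespace is an assumption of this example."""
    problems = []
    if len(field) > MAX_EMAIL_FIELD_LEN:
        problems.append(f"field longer than {MAX_EMAIL_FIELD_LEN} characters")
    for entry in field.split(";"):
        addr = entry.strip()
        if not addr:
            continue  # the box is optional and a trailing ';' is harmless
        local, sep, domain = addr.partition("@")
        if not sep or "@" in domain or not local or not domain or re.search(r"\s", addr):
            problems.append(f"malformed address: {addr!r}")
    return problems


def expand_home_folder(template: str, user: Dict[str, str]) -> str:
    """Substitute the %USER.*% variables the guide lists; unknown variables are left as written."""
    path = template
    for var, key in HOME_FOLDER_VARIABLES.items():
        path = path.replace(var, user.get(key, ""))
    return path


def resolve_under_site_root(vfs_path: str) -> Optional[str]:
    """Normalise a VFS path and return it, or None if it would climb above the Site root.
    EFT does not verify the typed path, so a script that builds paths from user-supplied
    values such as %USER.FULL_NAME% should make this check itself (assumed sentinel root)."""
    sentinel = "/site-root"  # stands in for the Site root; anything normalising outside it escapes
    candidate = posixpath.normpath(sentinel + "/" + vfs_path.replace("\\", "/").lstrip("/"))
    if candidate != sentinel and not candidate.startswith(sentinel + "/"):
        return None
    return candidate[len(sentinel):] or "/"


def check_new_user(user: Dict[str, str], home_template: str = DEFAULT_HOME_TEMPLATE) -> Dict[str, object]:
    """Run all checks for one user record and report the expanded home folder (None if rejected)."""
    problems = validate_username(user.get("login", ""))
    problems += validate_email_field(user.get("email", ""))
    home = resolve_under_site_root(expand_home_folder(home_template, user))
    if home is None:
        problems.append("home folder resolves above the Site root")
    return {"ok": not problems, "problems": problems, "home_folder": home}


if __name__ == "__main__":
    # Constructed sample records: one valid, one with an unsupported character, one escaping the root.
    for record, template in [
        ({"login": "jsmith", "email": "jsmith@example.com"}, DEFAULT_HOME_TEMPLATE),
        ({"login": "j<smith>", "email": "jsmith"}, DEFAULT_HOME_TEMPLATE),
        ({"login": "jsmith", "full_name": "../../escape"}, "/Usr/%USER.FULL_NAME%"),
    ]:
        print(record.get("login"), check_new_user(record, template))
```

The home-folder check matters most when the path template uses %USER.FULL_NAME% or %USER.EMAIL%, because those values are not constrained by the username character list; the function rejects any expansion that normalises outside the Site root rather than relying on EFT to catch it later.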

Anonymous User Accounts

If you are enforcing strong passwords (defined on the Site or Settings Template Security tab), the Anonymous options are not available in the New User Creation wizard. The option to enforce strong passwords is defined for the Site or Settings Template, and is then inherited by any Settings Templates in the Site, and then inherited by any users in that Settings Template. Therefore, on a Site with strong passwords enforced and any/all existing Settings Templates inheriting that setting, you would need to either create a new Template (perhaps called "Anonymous Users") with the option disabled, or otherwise create the new user with a temporary password, and then explicitly disable that user's "Enforce strong passwords" option on the user's Security tab. With the strong password enforcement disabled for that user, you can click Change Password and assign anything you want, including Anonymous or Anonymous (Force E-mail).

Enabling or Disabling a User Account

When you disable a user account, the account and user folder are not deleted, allowing you to easily enable or disable the account as needed. (Enabling an account is different from unlocking an account.)

When a disabled user is re-enabled in AD, the account is also re-enabled on the AD Site defined in EFT.

To enable or disable a user account

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user account that you want to enable/disable.

3. In the right pane, click the General tab.

4. Do one of the following:

• To disable the user account, clear the Account enabled check box.

• To enable the user account, select the Account enabled check box.

5. Click Apply to save the changes on EFT. When an account is disabled, a red "X" appears over the user icon in the left pane.

Deleting a User Account

You can temporarily disable a user account, but if the account is no longer needed, you can delete it.

If you remove a logged-on user account from AD, the account is not removed from the interface until after the user logs off and you refresh the interface.

To delete a user account on Sites that use Globalscape authentication

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, under the Settings Template tree, click or right-click the user account, then click Delete on the submenu, toolbar, status bar, or keyboard.

3. A confirmation prompt appears asking if you want to delete the selected user(s) and the associated home folder(s). Click one of the following:

Just Users - Deletes the user account, but keeps the user home folder

Users and Home Folders - Deletes the account and associated folders. Another prompt appears displaying the path to the home folder for verification. If you want to delete the account and the folder, click OK.


Cancel - Neither the user account nor the home folder is deleted.

Expiring a User Account

You can specify a user account to expire on a specific date. Expired accounts are not deleted from EFT; they can be enabled at any time. An expired user account triggers the "User Disabled" Event Rule.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

To disable a user on a specific date (account expiration)

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user account for which you want to set an expiration date.

3. In the right pane, click the General tab.

4. Select the Expire this account on check box, and then click the list to select an expiration date.

5. Click Apply to save the changes on EFT. On the specified date, a red "X" appears over the user icon on the Server tab, and the user account is disabled.

To enable an expired account

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user account that you want to enable.

3. In the right pane, click the General tab.

4. Clear the Expire this account on check box and select the Enable this user account check box.

5. Click Apply to save the changes on EFT. The red "X" disappears over the user icon in the left pane.

Configuring User Account Details

The account-specific details associated with a particular user, such as phone number, pager, and e-mail address, are configured on the Details tab of a selected user. Some of these fields (such as the e-mail address) can be used in other areas (such as the Event Rules) to notify the user of a completed transaction.


To configure user information

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user you want to configure.

3. In the right pane, click the General tab.

4. Add or change the user's e-mail address in the E-mail box on the General tab. You can specify multiple e-mail addresses, separated by semicolons. The E-mail address box cannot contain more than 255 characters.

5. Click Account Details. The User Account Details for <username> dialog box appears.

• The E-mail box is populated or updated with what you provide in the E-mail box on the General tab or the New User wizard; otherwise, it is left blank. When populated, it is read-only in this dialog box. If no e-mail address is provided, the User icon in the tree has an information icon on top of it to warn you that the user does not have an e-mail address defined. Accounts should have an e-mail address defined for things like forgotten account information, password reset notifications, expiration, and so on.

6. Complete the user information as needed. All boxes are optional; the Full Name and E-Mail boxes (along with the Server's address book) are used to populate the Select Names dialog box in Event Rule e-mail notifications.

7. Click OK to close the dialog box.

8. Click Apply to save the changes on EFT.

Updating a User Account's E-Mail Address

When the e-mail address associated with an account has changed, you can update it on the account's General tab. (The E-mail box in the User Account Details dialog box is read-only.)

To update the e-mail address associated with an account

1. On the Server tab, click the user account.

2. In the right pane, click the General tab.


3. In the E-mail box, provide the new address. You can specify multiple e-mail addresses, separated by semicolons. The E-mail address box cannot contain more than 255 characters.

4. Click Apply to save the changes.

Moving a User to a Different Settings Template

You can move a user to a different Settings Template. For example, if users in the Default Settings Template do not have access to the Web Transfer Client, and you want only a select group of users to have access to the Web Transfer Client, you would do the following:

1. Create a new Settings Template and name it "Web Transfer Client."

2. Enable the client for all users in that Settings Template.

3. Move the users from the Default Settings Template to the new Web Transfer Client template.

You can move only one user at a time, using drag and drop or the procedure below.

To move a user from one Settings Template to another

1. In the administration interface, connect to EFT and click the Server tab.

2. If the new Settings Template is not already created, create the new Settings Template.

3. Expand the node that contains the user you want to move, and then click the user.

4. Do one of the following:

• On the toolbar, click the Set Settings Template icon.

• On the main menu, click Configuration > Set Settings Template.

• Right-click the user, and then click Set User Settings Template.

The Select User Settings Template dialog box appears.

5. Click the list to specify to which Settings Template to move the user account.

6. Click OK. The user account moves to the new Settings Template.

Specifying a User's Home Folder

You can specify the user's login folder at the Settings Template level or per user. This is typically set for each user, but the Settings Template can override the user setting.

When you create a Site and select the Auto assign home folders to newly created users check box, each user account that is created will have a home folder added as a subfolder of the home folder for the Settings Template to which the user is added. For example, if you add a user "jsmith" to a Settings Template called "Power Users," and that Settings Template's home folder has a path of /Usr/Power Users/ in the VFS, then this new jsmith account will be generated with a home folder in the Server's VFS of /Usr/Power Users/jsmith. This is the default behavior when creating a user within the administration interface. However, you can override/change that behavior when the Site is created. If the user is created using the COM API, or the user appears in the Settings Template as a result of Active Directory, LDAP, or ODBC querying the user account list in real time and finding out that it IS a valid user but not yet added to EFT, then a home folder is added as a subfolder of the home folder for the Settings Template to which the user is added.


For Sites that use NTLM/AD authentication, if the user account has a Home Folder defined by the AD administrator, then EFT's VFS will not create a physical folder for the new user, but instead creates a virtual folder that points to the path specified in Active Directory for the home folder for that user (sometimes called a roaming profile). For example, if jsmith exists on the AD controller as a valid user with a home folder mapped to \\192.168.20.19\common_file_share\jsmith, then when jsmith becomes a new user on EFT (using the same path/User Settings Template from the above example), jsmith will be assigned the home folder /usr/Power Users/jsmith, which is a virtual folder pointing to \\192.168.20.19\common_file_share\jsmith.

You cannot specify a physical folder that is outside the Site root for the user's home folder; you must specify a folder under the Site root. You can then create a VFS entry that points to a physical folder outside the Site root. You cannot specify C:\ for the user's home folder.

Usr folders on an HA clustered Site are stored in the shared configuration path (e.g., \\x.x.x.x\inetpub\EFTRoot\mySite\Usr\username).

To set a user's home folder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user you want to configure.

3. In the right pane, click the General tab.

4. Select the User home folder check box. The home folder box becomes editable.

If you want to ensure that the Settings Template is not controlling the user's home folder, clear the User home folder check box in the Settings Template.

5. Specify the path to the user's home folder. You can use variables in the path, such as %USER.FULL_NAME%, %USER.LOGIN%, %USER.EMAIL%.

6. Do one of the following:

• Type the path to the folder. If you type or paste a path in the User home folder box, EFT does not verify that the folder exists. (Use UNC paths, not mapped drives.)

• Click the folder icon next to the User home folder box. In the Browse VFS dialog box, click the folder in which you want the user's folder placed, and then click OK.

• Type a forward slash if you want the user's folder to be created at the root of EFT directory instead of the Usr directory.

7. Do one of the following:

• Select the Treat home folder as default root folder check box to make the home folder the user's root folder. If the check box is selected, the user cannot browse above their home directory.

• Clear the Treat home folder as default root folder check box. When it is cleared, if you built the Site with the defaults, the user's root folder is /Usr/<username>.

8. Click Apply to save the changes on EFT.

Viewing a User's Home Folder

EFT allows you to specify the maximum amount of disk space available to each user in their home folder on EFT. However, occasionally, you may need to manually manage a user's home folder. In the administration interface, you can right-click a user account to view that user's folder on the VFS tab or in Windows Explorer. For Sites that use Active Directory authentication, also refer to Setting the Home Folder for AD-Authenticated Users.


Virtual folders that point to a drive other than C: or a UNC share are visible using the MLSD FTP command.

To view the user's home folder in the VFS

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, right-click the user account whose folder you want to view, and then click Show VFS Home Folder.

3. The VFS tab opens with that user account's home folder selected.

To view a user's home folder in Windows Explorer

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, right-click the user account whose folder you want to view, and then click Explore.

3. Windows Explorer opens with that user account's home folder selected.

Setting the Home Folder for AD-Authenticated Users

By default, the home folder for AD-authenticated users is /user/%username%. For some scenarios, you may want to create and assign each AD user a home folder that is actually a Virtual Folder pointing to a specified UNC path. You can do this by editing the user’s profile in AD as follows:

1. Open a user's properties in your AD management tool, click the Profile tab, and look at the Home Folder section.


2. Click Connect, select any appropriate drive letter, then in the To box provide the desired UNC path. The UNC path will be used when creating your new AD Authentication site.

3. In EFT, when you create a new AD-authenticated Site, select the Automatically create and assign home folders to newly created users check box. If that option is enabled, the Home Folder setting for each AD user's properties will be requested from the network. If that value is set, then a new Virtual Folder will be created in EFT's file system (the VFS) that points to that UNC path. When users log in, they interact with that UNC path, which will be treated as their home folder. It is not necessary for the user to log in for the home folder to be created.

You should enable the option to Treat home folder as the user's default root folder on the User Settings Template General tab to confine users to their home folder regardless of the NTFS permissions on the directories above, to simplify the client's interface, and to facilitate the use of HTTP/S and the Web Transfer Client.

Due to the lack of standardization among the various LDAP providers, this feature is not currently supported when using LDAP authentication.

Users are Unable to Upload/Download in Home Directory

If users are unable to upload or download files to or from the home directory, first determine whether the problem affects only certain users or all users. If no users can upload or download files, verify that the EFT service has permissions to modify the network share directory. If the problem only occurs for certain users, verify that the user or group has the appropriate permissions in the VFS for that directory.


Setting a User Disk Quota

Disk space management is an important aspect of server administration. Setting quotas allows you to specify the maximum amount of disk space available to each user in their home folder. The quota is set in the Settings Template and/or for each user.

The Max disk space setting on the Settings Template's General tab sets the maximum disk space that users can consume in their home folders. The EFT administrator can assign a maximum disk space for each user's home folder. As the user uploads and downloads, EFT measures the user's used disk space. Uploading files increases used disk space and deleting files decreases it. If the used disk space equals the maximum disk space, the user has to delete files before any more files can be uploaded.

Tip: Create a "User Quota Exceeded" Event Rule to let users know when they need to clean up their files to reduce their used disk space.

An administrator can use Windows Explorer to add or delete files in a user's home folder, and EFT will update the user's used disk space. Additions and deletions to a user's folder that are performed outside of

EFT are not prohibited, even when the total file size exceeds the maximum disk space allowed. However, exceeding the user's used disk space will cause the user to be prohibited from uploading until the used disk space is less than the maximum disk space.

If users report that they are not able to upload files, check whether they have enough disk space available. If not, you or they will need to remove files from their home folder before they can upload any more files with EFT, or you might need to adjust their maximum disk space allowance.

To set users' disk quotas

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user you want to configure.

3. In the right pane, click the General tab.

4. Select the Set a disk quota for this user's default root folder check box and type the maximum number of megabytes (MB) the user may store in the home folder. The amount of disk quota currently in use appears as a percentage to the right of the Used disk space box.

If you attempt to disable this feature on a high security-enabled Site, a message appears to warn you that this setting violates the PCI DSS, and allows you to continue (giving a reason) or to leave the feature enabled.

5. Click Apply to save the changes on EFT.
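The quota semantics described in this section (used space measured over the home folder, uploads refused once used space equals the maximum, files added outside EFT still counting, and a used-percentage display) can be modelled in a few functions. The block below is an added example, not EFT's own implementation: the folder walk, the "an upload must fit entirely" rule, and the choice of 2**20 bytes per MB are assumptions made here; the sample home folders are constructed in a temporary directory.

```python
"""Model of the per-user disk quota rules described above (constructed example, not EFT code)."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict

MB = 1024 * 1024  # assumption: one "MB" in the Max disk space box is taken as 2**20 bytes


def used_disk_space(home_folder: str) -> int:
    """Sum the size of every file under the home folder. Files added with Windows Explorer
    are included, matching the guide's note that external additions still count."""
    total = 0
    for root, _dirs, files in os.walk(home_folder):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def percent_used(home_folder: str, max_disk_space_mb: int) -> float:
    """Percentage shown next to the Used disk space box, rounded to one decimal."""
    return round(100.0 * used_disk_space(home_folder) / (max_disk_space_mb * MB), 1)


@dataclass
class QuotaDecision:
    allowed: bool
    used_bytes: int
    max_bytes: int
    reason: str


def check_upload(home_folder: str, upload_bytes: int, max_disk_space_mb: int) -> QuotaDecision:
    """Decide whether an upload of upload_bytes may proceed under the quota.
    Once used space equals or exceeds the maximum (the latter only after files were added
    outside EFT), uploads are refused until the user deletes files."""
    max_bytes = max_disk_space_mb * MB
    used = used_disk_space(home_folder)
    if used >= max_bytes:
        return QuotaDecision(False, used, max_bytes, "quota reached: delete files before uploading")
    if used + upload_bytes > max_bytes:  # assumption: the whole upload must fit
        return QuotaDecision(False, used, max_bytes, "upload would exceed the quota")
    return QuotaDecision(True, used, max_bytes, "ok")


def build_demo_home(sizes: Dict[str, int]) -> str:
    """Create a throwaway home folder containing sparse files of the given sizes (constructed data)."""
    home = tempfile.mkdtemp(prefix="eft-quota-demo-")
    for name, size in sizes.items():
        with open(os.path.join(home, name), "wb") as fh:
            fh.truncate(size)  # sparse: no real disk usage, but getsize() reports the logical size
    return home


if __name__ == "__main__":
    home = build_demo_home({"report.csv": 3 * MB, "archive.zip": 1 * MB})
    print(f"used {percent_used(home, 5)}% of a 5 MB quota")
    print(check_upload(home, 1 * MB, 5))   # fits: 4 MB + 1 MB == 5 MB
    print(check_upload(home, 2 * MB, 5))   # refused: would exceed the quota
```

When a user reports that uploads fail, compare used_disk_space against the quota first; if an administrator has copied files into the folder from Windows Explorer, the used figure can already be above the maximum even though no upload ever succeeded past it.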

Viewing User Statistics

In the administration interface, you can view the connection status of a user in real time, historical activity, and account administration activities.

To view statistics of a user

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user that you want to monitor.

3. In the right pane, click the General tab. The statistics for the selected user appear in the Statistics area.

Status: Displays "Connected" or "Not connected". You can also forcibly disconnect a user by clicking Kick User.

Last time connected: Displays the date and time that the user last connected to EFT.

Account created: Displays the date and time that the user account was created.


Last modified by: Displays the username of the administrator account that created the user account.

Last modified time: Displays the date and time that the user account was last modified.

Forcibly Logging a User Off of EFT (Kick User)

An administrator with Server, Site, or Settings Template permission can manually disconnect a user from EFT in the administration interface. Doing so does not disable users, but only disconnects them from EFT. ("Change Password" administrators do not have permission to kick users.)

To disconnect a user

• In the administration interface, connect to EFT, then do one of the following:

o On the Server tab:

a. In the left pane, click the user account.

b. In the right pane, click the General tab, and then click Kick User.

o On the Status tab:

a. In the left pane, click the username. The user's statistics appear in the right pane.

b. At the bottom of the right pane, click Kick User.


All of the user's connections are disconnected from EFT and the Status on the Server's General tab changes to Not Connected.

If the user is connected to the Server using CuteFTP® and has the Smart Keep Alive (SKA) feature enabled, CuteFTP will automatically reconnect to the server. If you do not want the user to reconnect, you must disable the user account on the user's General tab (or ask users to turn off SKA).


Managing Multiple User Accounts

You can select and manage more than one user account at a time. For example, you can select multiple accounts and then delete, disable, enable, or unlock the accounts, or reset the passwords on each of the selected accounts.

The selected account must have an e-mail address defined to be able to reset the password.

To select and manage more than one user at a time

1. On the Server tab, under the Settings Template tree, press SHIFT or CTRL, and then click each of the users that you want to edit.

2. Right-click the selection, and then click the desired operation, Delete, Disable, Enable, Unlock, or Reset Password.

Unlocking a User Account

If a user account is locked out due to invalid password attempts, the user account's user icon in the tree and the user account's General tab both indicate that the account is locked. The icon in the tree has a red-circled X on it and the General tab's Statistics area indicates the date until which it is locked. (You may have to refresh the interface to see the changes. Also, the view that you see depends on your account permissions.)


• To unlock the user, click Unlock.

You can change the lockout time on the Settings Template's Security tab in the Login Security Options dialog box.

A sub administrator account would see a view similar to the following illustration:

• In this view, to unlock the user, click the locked user in the list, and then click Unlock.

On user accounts that have RADIUS enabled, it is possible for users to lock themselves out of the RADIUS server (e.g., due to multiple invalid logins). The user in this case will not be able to log in to EFT, but will not appear to be locked out of EFT in the administration interface. You must unlock the account on the RADIUS server for the user to be able to log in to EFT. For information about unlocking accounts on the RADIUS server, refer to that server's user guide. (RADIUS is available in EFT Enterprise only.)

Specifying a User's Permission Group

When you define a user account, you assign it to one or more permission Groups. The Group to which a user belongs determines the user's folder permissions in the Virtual File System (unless you define the user's permissions independent of a Group).


To change a user's Group assignments

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user that you want to configure.

3. In the right pane, click the Security tab.

4. In the Account Security area, click Groups. The Groups dialog box appears.

5. To add/remove the user to/from Groups, double-click a Group in the Member of or Not a member of lists, or click a Group and click the left- or right-facing arrows.

6. Click Apply to save the changes on EFT.

Username Resend Message

EFT allows users to request that their username be resent. You can edit the default message for the Server (which will apply to all users) and for the Sites (which will apply to all users on a Site). The message is an editable text file stored in the EFT directory, and accepts EFT variables (e.g., %USER.EMAIL%), such as those shown in Event Rules.

To edit the username resend message

1. In the EFT ProgramData directory (by default, C:\ProgramData\Globalscape\EFT Enterprise), open the file UsernameResend.txt.

2. Edit the text as needed, being careful not to delete the variables (%USER.FULL_NAME%, %USER.LOGIN%), then save the file and close the text editor.

3. Click Apply to save the changes on EFT.

4. Restart the Site so it can read in the new template.


User Login Credentials Message

When you create a user, you have the option of sending the user an e-mail that contains the login credentials for connecting to EFT. You can configure the text of the e-mail to apply to all users.

To edit the login credentials reminder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the General tab.

4. Next to User login credentials message, click the browse icon . Your default text editor, usually Notepad, opens with the reminder text.


5. Edit the text as needed, being careful not to delete the variables (%USER.FULL_NAME%, %USER.LOGIN%, %USER.PASSWORD%), then save the file and close the text editor.

• The file is stored in the EFT ProgramData directory (by default, C:\ProgramData\Globalscape\EFT Server Enterprise) and applies to all Sites on the Server. (In v6.4 and later)


To create Site-specific versions

1. Make a copy of the existing template.

2. Make your edits (using a text editor, such as Notepad), being careful not to edit any of the variables or necessary code.

3. Save the edited version with the Site name and an underscore prepended to the front of the filename. For example, name it MyFrenchSite_CredentialsTemplate.txt.

6. Click Apply to save the changes on EFT.

7. Restart the Site so it can read in the new template.

Password Reset Messages

The High Security module (HSM) provides the option to expire passwords for users. If you do not activate the HSM, this feature is disabled after the 30-day trial expires. EFT executes cleanup procedures every day at 00:00:00 UTC and at Server startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.

EFT allows you to set a reminder to notify users of their pending password expiration up to 30 days prior to the password expiration date. You can configure reminder options on the Site, in the Settings Template, and for each user, from 0 (no reminder) to 30 days (5 is the default) before expiration. The reminder can be in the form of a banner message, e-mail, or both.

EFT will send an e-mail informing the user of the pending expiration and provides instructions on how to change the password for one or possibly all protocols if all of the following are true:

• User's password is scheduled to expire

• E-mail reminder is enabled (The password expiration options are only available if the Allow users to reset their passwords check box is selected on the Site's, Settings Template's, or user's Security tab. Each will inherit the setting from the parent.)

• User account has an e-mail address associated with it

A user who typically connects over FTP can log in via HTTP/S to change the password.

The e-mail reminder messages are editable files stored in the EFT directory, and accept EFT variables (e.g., %days_left%), such as those shown in Event Rules. You can edit the text of the e-mails as described in the procedures below.

The files are stored in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Enterprise) and apply to all Sites on the Server. You can also create Site-specific versions (described below).

To edit the password reset messages

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the General tab.

4. Next to Password reset reminder message, click the browse icon. Your default text editor (e.g., Notepad) opens with the reminder text.


5. Edit the text as needed, being careful not to delete the variables (%FULL_NAME%, %USERNAME%, %DAYS_LEFT%, %RESET_PAGE%), then save the file and close the text editor.

To create Site-specific versions

1. Make a copy of the existing template.

2. Make your edits (using a text editor, such as Notepad), being careful not to edit any of the variables or necessary code.

3. Save the edited version with the Site name and an underscore prepended to the front of the filename. For example, name it MyFrenchSite_PasswordResetReminderMsg.html.

6. Next to Password reset required message, click the browse icon. Your default text editor, usually Notepad, opens with the reminder text.


7. Edit the text as needed, being careful not to delete the variables (%FULL_NAME%, %USERNAME%, %RESET_PAGE%), then save the file and close the text editor.

To create Site-specific versions

1. Make a copy of the existing template.

2. Make your edits (using a text editor, such as Notepad), being careful not to edit any of the variables or necessary code.

3. Save the edited version with the Site name and an underscore prepended to the front of the filename. For example, name it MyFrenchSite_PasswordResetMsg.html.

8. To edit the Password reset confirmation message, open the file in your default text editor, usually Notepad.


9. Edit the text as needed, being careful not to delete the variables (%USER.FULL_NAME%, %USER.LOGIN%, %REMOTE_IP%, %LINK%), then save the file and close the text editor.

10. Click Apply to save the changes on EFT.

11. Restart the Site so it can read in the new template.
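Every procedure above (username resend, login credentials, password reset reminder, password reset required, and reset confirmation) warns against deleting the variables from the template. The following Python script is an added example, not part of EFT or of this guide: it checks that an edited template, whether the Server default or a Site-specific copy named with the Site prefix, still contains every variable the procedure lists, and it renders a template the way EFT substitutes variables so that a message that would reach a user with an unfilled placeholder can be caught before the Site is restarted. UsernameResend.txt is the file name given above; the other base file names are assumed from the Site-specific examples (MyFrenchSite_CredentialsTemplate.txt and so on), and the %VAR% substitution is a plain string replacement assumed to match EFT's.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Placeholders each notification template must keep, taken from the procedures
# above.  UsernameResend.txt is the guide's own file name; the other base names
# are ASSUMED from the Site-specific examples (MyFrenchSite_CredentialsTemplate.txt,
# MyFrenchSite_PasswordResetReminderMsg.html, MyFrenchSite_PasswordResetMsg.html).
REQUIRED_VARIABLES: Dict[str, Tuple[str, ...]] = {
    "UsernameResend.txt": ("%USER.FULL_NAME%", "%USER.LOGIN%"),
    "CredentialsTemplate.txt": ("%USER.FULL_NAME%", "%USER.LOGIN%", "%USER.PASSWORD%"),
    "PasswordResetReminderMsg.html": ("%FULL_NAME%", "%USERNAME%", "%DAYS_LEFT%", "%RESET_PAGE%"),
    "PasswordResetMsg.html": ("%FULL_NAME%", "%USERNAME%", "%RESET_PAGE%"),
}

# Anything that looks like an EFT variable: %NAME%, %USER.EMAIL%, %days_left% ...
PLACEHOLDER = re.compile(r"%[A-Za-z0-9_.]+%")


def base_template_name(filename: str) -> Optional[str]:
    """Map a Site-specific copy ('<SiteName>_' prepended) back to its base template.

    'MyFrenchSite_PasswordResetMsg.html' -> 'PasswordResetMsg.html'.
    Returns None for files that are not one of the known templates.
    """
    for base in REQUIRED_VARIABLES:
        if filename == base or filename.endswith("_" + base):
            return base
    return None


def missing_variables(text: str, filename: str) -> List[str]:
    """Required placeholders that an edited template no longer contains.

    An empty list means the edit kept every variable EFT substitutes at send time.
    """
    base = base_template_name(filename)
    if base is None:
        raise ValueError(f"not a known EFT notification template: {filename}")
    return [var for var in REQUIRED_VARIABLES[base] if var not in text]


def render(text: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute %VAR% placeholders (assumed plain replacement, as EFT does at send time).

    Returns the rendered text and the sorted list of placeholders that had no
    value, so a message that would reach the user with a raw variable name in
    it can be caught before it is sent.
    """
    rendered = PLACEHOLDER.sub(lambda m: values.get(m.group(0), m.group(0)), text)
    unfilled = sorted(set(PLACEHOLDER.findall(rendered)))
    return rendered, unfilled


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Check every recognised template (Server default and Site-specific copies)
    in the EFT ProgramData directory; returns the missing variables per file."""
    report: Dict[str, List[str]] = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and base_template_name(path.name) is not None:
            text = path.read_text(encoding="utf-8", errors="replace")
            report[path.name] = missing_variables(text, path.name)
    return report


# Constructed sample: a reminder edited so that the %RESET_PAGE% link was lost.
SAMPLE_REMINDER = (
    "<p>Hello %FULL_NAME%,</p>\n"
    "<p>The password for account %USERNAME% expires in %DAYS_LEFT% day(s).</p>\n"
)

if __name__ == "__main__":
    print(missing_variables(SAMPLE_REMINDER, "MyFrenchSite_PasswordResetReminderMsg.html"))
    print(render(SAMPLE_REMINDER, {"%FULL_NAME%": "Ada Lovelace",
                                   "%USERNAME%": "ada", "%DAYS_LEFT%": "5"})[0])
```

Run audit_directory against the ProgramData directory after editing and before restarting the Site; a non-empty list for any file means a variable was lost in editing.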


Listener (Protocol) Settings

Protocols are enabled/configured on the Site and inherited by the Settings Templates and user accounts. (You can then configure the Settings Templates and user accounts differently, if needed.) Before configuring SSL on the Site, you must configure SSL and FIPS-approved connections on the Server's Security tab. The topics below provide the procedures for configuring listener settings and protocols on Sites, Settings Templates, and user accounts.

EFT supports the following protocols: FTP/S, HTTP/S, AS2, SFTP, and SSL. The protocols are configured on the Site and then can be enabled or disabled on the Site or Settings Template, or for each user. (SSL must first be enabled/configured on the Server.) The client, not the server, drives the authentication process. That is, if you specify a protocol that the client doesn't use, the client will not be able to connect.

If the check box contains a gray check mark, the user or Settings Template is inheriting permission from its parent.

To enable a connection protocol

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.


4. Do one or more of the following:

• To allow/disable FTP access, select/clear the FTP check box, and then click FTP Config to configure FTP Settings.

• To allow/disable FTPS (SSL/TLS) access, select/clear the FTPS (SSL/TLS) check box, then click FTP Config to configure FTP Settings, and next to SSL certificate settings, click Configure to configure SSL certificate settings.

• To allow/disable SFTP access, select/clear the SFTP (SSH2) check box, and then click SFTP Config to configure SFTP authentication options.

• To allow/disable HTTP access, select/clear the HTTP check box.

• To allow/disable HTTPS access, select/clear the HTTPS (SSL) check box, then, next to SSL Certificate settings, click Configure to configure SSL certificate settings.

• To allow/disable AS2 access, select/clear the AS2 check box. (This check box is disabled if HTTP or HTTPS is disabled.) Click AS2 Config to configure AS2 connections to the Site, then, next to SSL certificate settings, click Configure to configure SSL certificate settings.

• To allow/disable Web Services, select/clear the Enable Web Services check box.

• To redirect all plaintext HTTP traffic to HTTPS, select the Redirect all plaintext HTTP traffic to HTTPS check box. (HTTPS must be selected first.)

• To enable account management over HTTP or HTTPS, select the Enable account management over HTTP/S check box. The IP address for account management appears in the adjacent text box. It is not editable, but you can copy it to paste into emails.

• To enable WTC access (on the Settings Template or user account), select the HTTPS check box, then select the Allow Web Transfer Client (WTC) over HTTP/S check box.

5. Click Apply to save the changes on EFT.


FTP

These topics provide the procedures for configuring FTP access.

Configuring FTP/S

If you specify plain-text FTP or HTTP for a Site created using the "strict security settings" option, EFT prompts you to disable these insecure protocols, or continue with reason.

The FTP protocol is an interactive file-transfer mechanism that enables file transfers between Internet sites, or, more specifically, between two systems. It was created for transferring files independently of the operating system used, for example between a Macintosh and Windows PC. FTP’s more notable features include handling for specific error situations and ensuring that a file sent from point A to point B will get there reliably.

The FTP protocol specification (RFC 959) was published many years ago when security was not a priority issue. As security became a concern, secure mechanisms such as SSL and TLS were adapted to help protect the FTP session from being intercepted or exploited. EFT provides security with FTPS (using SSL/TLS).

FTP Settings Dialog Box

The FTP Settings dialog box is used to allow or deny various FTP commands on a Site, Settings Template, or user account. The available options on the Site's FTP Settings dialog box differ slightly from the options on the Settings Template/user dialog box.

You can configure FTP connections to the Site on the Site's Connections tab. You can enable or disable FTP transfers at the Site, Settings Template, or per user.

For information about how to configure your firewall to allow FTPS connections to EFT, refer to your firewall's user guide or knowledge base.

FTP requires UPLOAD permission in addition to APPEND to resume a partial file transfer.

To open the FTP Settings dialog box

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Select the FTP, FTPS (SSL/TLS) - Explicit, or FTPS (SSL/TLS) - Implicit check box.

5. Specify the port used for the connection (by default, 21 for plain FTP or 990 for FTPS Implicit).

6. Click FTP/S Configure (on the Site's Connection tab) or FTP Config (on the Settings Template's or user account's Connection tab). The FTP Settings dialog box appears.


Refer to the linked procedures below for details of each option:

Encoding for FTP Transfers

Allowing Site-to-Site Transfers (FXP)

Allowing Client Anti-Timeout Schemes (NOOP)

Allowing Multipart Transfers (COMB Command)

File Integrity Checking (XCRC)

Allowing ZLIB Compression (Mode Z)

Specifying a PASV IP or PASV Port Range

Connection Banner Message

User Limit Reached Message

Quit Session Messages

Encoding for FTP Transfers

Support for UTF-8 encoding is communicated in response to the FEAT command, which occurs after authentication. Therefore, if you provide a Unicode username/password and try to connect to the server via FTP, the connection will fail. EFT starts negotiation in ASCII and can't switch to Unicode until after authentication. If you want EFT to use Unicode from the start, you can change the initial encoding in the interface in the FTP Settings dialog box.

You can specify UTF-8 or Auto-detect encoding for inbound FTP transfers on the Site. For most connecting clients, Auto-detect is preferred and is the default.


To configure FTP encoding

1. Open the FTP Settings dialog box .

2. In the Encoding area, click UTF-8 or Auto-detect.
  o UTF-8—For Unicode-only transfers
  o Auto-detect—Detects whether to proceed in ASCII mode or can switch to UTF-8 mode for the transmission and receipt of path names and other strings communicated between client and server.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT.

Specifying a PASV IP or PASV Port Range

If EFT is behind a firewall or NAT device, you may need to specify EFT's IP address or range of ports used when issuing IP:PORT information to clients.

If you specify a PASV (passive) mode port range, you must open the same range of ports on your firewall.

To specify a PASV connection through a range of ports

1. Open the FTP Settings dialog box.

2. Select the Assign PASV mode IP address check box.

3. In the IP box, specify the Site's IP address as it should be seen by those outside of your network.

This usually applies to SSL sessions when the NAT or firewall device cannot see nor properly map the internal IP address to connect to EFT. This also applies if the NAT or firewall device is misconfigured. You should first try connecting to EFT with this box left as is.

4. In the Port Range boxes, specify the range of ports EFT uses for PASV connections.

Use this setting primarily to limit the number of ports used for the data connection portion of the session, especially when the firewall or NAT device was configured to only allow traffic on certain ports.

5. Click OK to close the dialog box.

6. Click Apply to save the changes on EFT.
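To confirm that the PASV IP address and port range you configured are what clients outside the firewall actually see, connect from outside the network, issue PASV, and inspect the 227 reply. The following Python example is added here and is not part of EFT or of this guide: it decodes a 227 (PASV) or 229 (EPSV, RFC 2428) reply and reports when the advertised address is an internal (RFC 1918 or loopback) address or differs from the configured external address, or when the data port falls outside the range opened on the firewall. The sample replies are constructed, not captured from a real Site.

```python
import ipaddress
import re
from typing import List, Tuple

# 227 reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 reply to EPSV (RFC 2428): "229 Entering Extended Passive Mode (|||port|)"
EPSV_REPLY = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

# Addresses that must never be advertised to a client outside the NAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Decode the address and data port a server advertised in its 227 reply."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv_reply(line: str) -> int:
    """Decode the data port from a 229 EPSV reply (the address is the control connection's)."""
    m = EPSV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 229 EPSV reply: {line!r}")
    return int(m.group(1))


def check_pasv_reply(line: str, expected_ip: str, port_range: Tuple[int, int]) -> List[str]:
    """Compare what the Site advertises with what the firewall was configured for.

    expected_ip is the 'Assign PASV mode IP address' value (the address as
    seen from outside the NAT) and port_range the PASV port range opened on
    the firewall.  Returns a list of findings; an empty list means outside
    clients are told a reachable address and a port the firewall allows.
    """
    ip, port = parse_pasv_reply(line)
    findings: List[str] = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        findings.append(f"advertised address {ip} is not routable from outside the NAT")
    if ip != expected_ip:
        findings.append(f"advertised address {ip} differs from configured PASV IP {expected_ip}")
    low, high = port_range
    if not low <= port <= high:
        findings.append(f"data port {port} is outside the firewall-opened range {low}-{high}")
    return findings


# Constructed sample replies (not captured from a real Site): the first is what
# a correctly configured Site behind NAT should answer; the second shows the
# internal address leaking because the PASV IP box was left empty.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,156,64)"
BAD_REPLY = "227 Entering Passive Mode (192,168,1,20,156,64)"

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(reply, "->", check_pasv_reply(reply, "203.0.113.10", (40000, 40100)) or "OK")
```

A finding on the address means the NAT device is not rewriting the 227 reply (which it cannot do for an SSL session) and the PASV IP box needs the external address; a finding on the port means the Site's range and the firewall rule disagree.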

Allowing Site-to-Site Transfers (FXP)

Although site-to-site transfers (FXP command) can expedite what otherwise could be a slow transfer, many administrators consider site-to-site transfers a security risk, exposing servers to "port theft" or "FTP by proxy" attacks. Depending on how your servers are configured, you might want to block these types of transfers.

To allow or block Site-to-Site transfers

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config. The FTP Settings dialog box appears.

5. Do one of the following:

• To allow transfers, select the Allow site-to-site transfers (FXP) check box.

• To block transfers, clear the Allow site-to-site transfers (FXP) check box.


6. Click OK to close the FTP Settings dialog box.

7. Click Apply to save the changes on EFT.

Allowing Client Anti-Timeout Schemes (NOOP)

Many FTP clients send random commands such as REST 0, PWD, TYPE A, LIST, etc., to the FTP server to keep the session alive while the client is idle. Many FTP clients send a NOOP command to EFT during idle times to keep the connection alive. You can choose whether to allow the NOOP command. If you disallow the NOOP command, it will be considered an invalid command and treated according to your settings under Disconnect after <n> invalid commands.

To allow or disallow the NOOP command

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config. The FTP Settings dialog box appears.

5. Select the Allow FTP client anti-timeout schemes check box to allow the NOOP command or clear the check box to treat the NOOP command as an invalid command. (Selected by default.)

If you are banning users who send excessive invalid commands while treating NOOP as an invalid command, then you will be banning users for sending the NOOP command. You may later allow the user to connect by removing their IP address from the Site's list in the IP Access tab. A gray check box in a user account indicates that the account is inheriting parameters from the Settings Template.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Allowing Multipart Transfers (COMB Command)

EFT supports multi-part transfers from advanced FTP clients such as CuteFTP. The user must have appropriate privileges and be authorized to connect multiple times concurrently. The connecting client takes care of most details, including splitting the file apart, sending the multiple parts, and then requesting that the Server join them again upon receipt.

To allow or block multipart transfers

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config. The FTP Settings dialog box appears.

5. Do one of the following:

• To allow transfers, select the Allow multi-part transfers (COMB) check box.

• To block transfers, clear the Allow multi-part transfers (COMB) check box.

6. Click OK to close the FTP Settings dialog box.

7. Click Apply to save the changes on EFT.

Refer to the Globalscape Knowledgebase article at http://kb.globalscape.com/KnowledgebaseArticle11120.aspx for details of enabling the COMB command via a registry setting.

How does the COMB command work?

The COMB command joins the parts back together. The benefits of segmented (multi-part) and concurrent delivery for accelerated transfers include:

• Accelerate throughput and maximize the bandwidth available to the client by allowing uploaded files to be split apart and transferred in multiple segments simultaneously.

• Command can be toggled on or off.

The COMB command is a proprietary command and is neither defined nor endorsed by any FTP-related RFC; however, the command can be integrated with other servers using the following syntax:

COMB <TF> <SF 1> ... <SF n>

where <TF> is the path to the target file, which will contain the combined data from the source parts, and <SF #> are the source files (parts). That is, combine n source files (SF 1...n) into one file (TF).

Notes regarding the COMB command:

• If the target file already exists, then EFT appends source files to it.

• EFT will delete all the source files once they are combined successfully.

• All file names should be in quotation marks.

• Upload, download, append, and delete permissions are REQUIRED, otherwise COMB will fail.
  o Upload and Append permissions are checked for the target result file.
  o Download and Delete permissions are checked for the source parts that are read for the COMB into the target result file.
  o Cleanup (delete) is performed on the target result file if an error occurs accessing the source parts.

Examples of using the COMB command:

• You can append a single part onto an existing (or new) file: e.g., COMB "final.log" "132.log".

• Paths are accepted for the target filename, but not for the source parts. For example:
  o COMB "boslin/blah/final.log" "70.log" "71.log" "72.log" "73.log"

• There is no limit to the number of parts, but there is a server-side processing limit of approximately 1024 characters.

• A space is not required between quote-delimited file names. For example:
  o COMB "final3.log""60.log"
  o COMB "final3.log" "60.log"

• Target and source files do not require enclosing quotes UNLESS the filename includes spaces. In that case you should use quotes. For example:
  o The following syntax is correct:
    - COMB final5.log 64.log 65.log
    - COMB "final5.log" "64.log" "65.log"
    - COMB final7.log "6 6.log" 67.log
  o The following syntax will not work because the filename includes spaces:
    - COMB final6.log 6 6.log 67.log
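As an added illustration of the quoting and permission rules above (example code, not part of EFT), the following Python parser tokenizes a COMB line as those rules describe and lists the VFS permissions that would make the command fail. It treats the approximately 1024-character processing limit as a hard limit and rejects a source part that carries a path; both are assumptions drawn from the notes above. The guide's own example lines are used as input, including the one that "will not work", which tokenizes 6 6.log as two separate parts.

```python
from typing import Dict, List, Set, Tuple

# Approximate server-side processing limit quoted above; treated here as a
# hard limit (assumption).
COMB_MAX_LINE = 1024

PERMISSIONS_TARGET = ("upload", "append")    # checked on the target result file
PERMISSIONS_SOURCE = ("download", "delete")  # checked on each source part


def tokenize_comb(args: str) -> List[str]:
    """Split COMB arguments the way the rules above describe.

    Names may be bare or enclosed in double quotes; a quoted name may contain
    spaces, and no space is required between two quoted names
    ('"final3.log""60.log"' is two names).  A bare name ends at whitespace.
    """
    names: List[str] = []
    i, n = 0, len(args)
    while i < n:
        if args[i].isspace():
            i += 1
        elif args[i] == '"':
            end = args.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quoted file name")
            names.append(args[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < n and not args[end].isspace() and args[end] != '"':
                end += 1
            names.append(args[i:end])
            i = end
    return names


def parse_comb(line: str) -> Tuple[str, List[str]]:
    """Parse 'COMB <TF> <SF 1> ... <SF n>' into (target, [source parts]).

    Rejects an over-long line, a missing target or source, empty names, and a
    source part that carries a path (paths are accepted for the target only).
    """
    if len(line) > COMB_MAX_LINE:
        raise ValueError(f"COMB line exceeds the ~{COMB_MAX_LINE}-character processing limit")
    parts = line.strip().split(None, 1)
    if not parts or parts[0].upper() != "COMB":
        raise ValueError("not a COMB command")
    names = tokenize_comb(parts[1] if len(parts) > 1 else "")
    if len(names) < 2:
        raise ValueError("COMB needs a target file and at least one source part")
    if any(name == "" for name in names):
        raise ValueError("empty file name in COMB arguments")
    target, sources = names[0], names[1:]
    for src in sources:
        if "/" in src or "\\" in src:
            raise ValueError(f"source part may not carry a path: {src!r}")
    return target, sources


def comb_permission_gaps(target: str, sources: List[str],
                         perms: Dict[str, Set[str]]) -> List[str]:
    """List the VFS permissions that would make this COMB fail.

    perms maps a file name to the permissions the user holds on it; the target
    needs upload and append, and every source part needs download and delete.
    """
    gaps: List[str] = []
    for perm in PERMISSIONS_TARGET:
        if perm not in perms.get(target, set()):
            gaps.append(f"{target}: missing {perm}")
    for src in sources:
        for perm in PERMISSIONS_SOURCE:
            if perm not in perms.get(src, set()):
                gaps.append(f"{src}: missing {perm}")
    return gaps


if __name__ == "__main__":
    # The guide's own examples, including the one that "will not work": the
    # unquoted name with a space is tokenized as two separate parts.
    for cmd in ('COMB "boslin/blah/final.log" "70.log" "71.log" "72.log" "73.log"',
                'COMB "final3.log""60.log"',
                'COMB final7.log "6 6.log" 67.log',
                'COMB final6.log 6 6.log 67.log'):
        print(cmd, "->", parse_comb(cmd))
```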

The following table presents the support that is available for each protocol:

Upload to EFT
  HTTP, HTTPS: Not supported
  FTP, FTPS: Remote client must issue the COMB command to EFT to join the uploaded parts.
  SFTP, AS2: Not supported

Download from EFT
  All protocols: EFT does nothing to prevent a client from using whatever techniques it wants to perform a multi-part transfer. For example, the client could use the REST command to resume multiple segments of the same file, then rejoin them upon receipt.

EFT Push (offload/upload)
  HTTP, HTTPS: Not supported
  FTP, FTPS: Registry enabled; the remote server must support the COMB command, otherwise it will not work.
  SFTP, AS2: Not supported

EFT Pull (retrieve/download)
  HTTP, HTTPS: Not supported
  FTP, FTPS: Registry enabled; does NOT require the remote server to support COMB. Uses REST (resume) at byte offset.
  SFTP, AS2: Not supported

File Integrity Checking (XCRC)

Although TCP/IP checks that all packets are received, malformed packets or other mishaps can occur, leading the client to believe that a transfer was successful when it was not. EFT's file integrity command is defined as XCRC. Once an XCRC-enabled client (such as CuteFTP) performs a transfer, it can request EFT to do a checksum calculation on the file. If it matches the checksum on the client, then the transfer is deemed successful. Performing XCRC checksum calculations is processor intensive; enable or disable the feature accordingly.

XCRC applies to FTP and HTTP only, not SFTP. Refer to File Integrity Checking in FTP and SFTP below for details of file integrity checking in SFTP.

Refer to XCRC Integrity Checking in Web Transfer Client (Java-enabled version) for details of enabling/disabling XCRC in the Web Transfer Client.

XCRC is a proprietary command and is neither defined nor endorsed by any FTP-related RFC. Competing servers that want to implement this command may do so using the syntax described below.

XCRC <File Name>

XCRC <File Name>, <EP>

XCRC <File Name>, <SP>, <EP>

SP = Starting Point in bytes (the offset at which the CRC calculation starts)

EP = Ending Point in bytes (the offset at which the CRC calculation stops)

FTP Client Log Example

COMMAND:> XCRC "/Program Files/MSN Gaming Zone/Windows/chkrzm.exe" 0 42575

• SP and EP are optional parameters. If not specified then it calculates the CRC for the whole file.

If only EP is specified, then the CRC calculation starts from the beginning of the file to the EP.

• This command can be used for a single file at a time. It does not allow file lists as parameters.

• The standard CRC32 algorithm is used (for speed and efficiency).

• A client can invoke this command for uploads, downloads, and single and Multi-Part Transfers.

Server Reply                          Indicates
250 <XCRC>                            calculated CRC value
450 Requested file action not taken   file is busy
550 Requested action not taken        file is not found or has no read permission; or the SP or EP are not correct

File Integrity Checking in FTP and SFTP

FTP provides a very raw mechanism to transfer files – the data for a file is uploaded/downloaded as a stream of bits over a TCP/IP connection. There is no additional overhead on that operation, so it is fast; however, this also means that there are no intrinsic mechanisms for ensuring that the file got to the other end intact. That is why many servers, including EFT, support the XCRC command, an extension to the FTP protocol. The XCRC command performs a CRC32 checksum over the file (either the whole file, or a portion of the file if a byte range is specified on the command line). This gives a 32-bit value that EFT computes on the file, which can be compared to the 32-bit value computed on the client side. If both files are the same size and the CRC32 matches, then there is a very high probability that the files are identical and files were transferred correctly.

In contrast, SFTP does add overhead to the transfer of files. As a file is transferred between client and server, it is broken up into smaller chunks called "packets." For example, suppose each packet is 32KB. The SFTP protocol computes a checksum on each 32KB packet as it is sent, and includes that checksum along with that packet. The receiver gets that packet and decrypts the data, and then verifies the checksum.

The checksum itself is "stronger" than the CRC32 checksum. (Because SFTP uses a 128-bit or higher checksum, such as MD5 or SHA, and because this is done on each and every packet, there is very granular integrity checking accomplished as part of the transfer.) Thus, the protocol itself is slower (because of the additional overhead), but the successful completion of a transfer means, de facto, that it has been transferred intact and there is no need for an additional check.

If you want to verify integrity, either use the SFTP protocol, where the check is built in, or use FTP and after a transfer issue the raw command "XCRC /path/to/file" and read the result, comparing it to a CRC32 calculated locally on the client side. EFT also supports querying the CRC32 value over the HTTP/S protocol by issuing a "HEAD" request for the file. The response to a HEAD request on the HTTP/S engine includes the "X-CRC" header, which contains the CRC32 value of the file in question. This can be compared to the CRC32 computed over the local file, just like in the FTP case.

XCRC can be used on files larger than 2 GB.
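The client-side check described above (same size and same CRC32 on both ends, with the server's value obtained over FTP from the XCRC reply or over HTTP/S from the X-CRC header), as an added Python example that is not code from EFT or from this guide. The guide does not say whether EP is inclusive, nor in what format the 250 reply and the X-CRC header carry the value; the example assumes EP is an exclusive end offset (so SP 0 and EP equal to the file size cover the whole file) and that both carry the CRC32 as hexadecimal digits. The streaming variant covers files larger than 2 GB; the sample bytes are constructed.

```python
import os
import re
import zlib
from typing import Dict, Optional

# ASSUMPTIONS (not stated in the guide): EP is an exclusive end offset, and
# the 250 reply and the X-CRC header carry the CRC32 as hexadecimal digits.
XCRC_REPLY = re.compile(r"^250\b.*?([0-9A-Fa-f]{1,8})\s*$")


def xcrc(data: bytes, sp: Optional[int] = None, ep: Optional[int] = None) -> int:
    """CRC32 of the whole buffer, or of the byte range SP..EP as XCRC defines it.

    Only EP given: from the start of the file to EP.  Neither: the whole file.
    """
    start = 0 if sp is None else sp
    end = len(data) if ep is None else ep
    if not 0 <= start <= end <= len(data):
        raise ValueError("SP/EP outside the file")  # the server answers 550 for this
    return zlib.crc32(data[start:end]) & 0xFFFFFFFF


def xcrc_file(path: str, sp: Optional[int] = None, ep: Optional[int] = None,
              chunk: int = 1 << 20) -> int:
    """Same calculation streamed from disk, so files larger than 2 GB never sit in memory."""
    size = os.path.getsize(path)
    start = 0 if sp is None else sp
    end = size if ep is None else ep
    if not 0 <= start <= end <= size:
        raise ValueError("SP/EP outside the file")
    crc, remaining = 0, end - start
    with open(path, "rb") as f:
        f.seek(start)
        while remaining > 0:
            block = f.read(min(chunk, remaining))
            if not block:
                raise IOError("file shorter than expected")
            crc = zlib.crc32(block, crc)
            remaining -= len(block)
    return crc & 0xFFFFFFFF


def build_xcrc_command(remote_path: str, sp: Optional[int] = None,
                       ep: Optional[int] = None) -> str:
    """Raw command a client sends after a transfer, in the form shown in the client log above."""
    cmd = f'XCRC "{remote_path}"'
    if sp is not None:
        cmd += f" {sp}"
    if ep is not None:
        cmd += f" {ep}"
    return cmd


def parse_xcrc_reply(line: str) -> int:
    """CRC32 from a '250 <XCRC>' reply; 450/550 mean the server could not compute it."""
    m = XCRC_REPLY.match(line.strip())
    if not m:
        raise RuntimeError(f"server did not return a CRC: {line.strip()!r}")
    return int(m.group(1), 16)


def crc_from_head_headers(headers: Dict[str, str]) -> int:
    """CRC32 from the X-CRC header of an HTTP/S HEAD response for the file."""
    for name, value in headers.items():
        if name.lower() == "x-crc":
            return int(value.strip(), 16)
    raise KeyError("no X-CRC header in HEAD response")


def transfer_intact(local: bytes, server_size: int, server_crc: int) -> bool:
    """The check the text describes: same size AND same CRC32 on both sides."""
    return len(local) == server_size and xcrc(local) == server_crc


if __name__ == "__main__":
    sample = b"123456789"  # constructed sample; CRC32 is the standard check value CBF43926
    print(build_xcrc_command("/inbox/sample.bin", 0, len(sample)))
    print(f"{xcrc(sample):08X}", transfer_intact(sample, 9, 0xCBF43926))
```

Because CRC32 is a 32-bit check, a match is strong evidence against accidental corruption only; the size comparison is what rules out a truncated transfer that happens to share a CRC prefix.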

To enable or disable the XCRC command

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config. The FTP Settings dialog box appears.

5. Do one of the following:

• To allow transfers, select the Allow integrity checking (XCRC) check box.

• To block transfers, clear the Allow integrity checking (XCRC) check box.

6. Click OK to close the FTP Settings dialog box.

7. Click Apply to save the changes on the Server.


Allowing the Mode Z Command

Mode Z compression compresses files on the fly for file transfers, saving bandwidth and improving transfer times. The client must also support MODE Z to take advantage of this feature. If MODE Z is enabled, EFT will listen for MODE Z requests, then enable it for subsequent transfers from the client that requested it.

To allow a client to use Mode Z compression

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config.

5. Select the Allow MODE Z Compression check box.

6. Click OK to close the FTP Settings dialog box.

7. Click Apply to save the changes on EFT.

Connection Banner Message

When a client first connects to the Site via FTP, but before the user logs on, the connection banner appears. For example:

[8/25/2009 9:47:43 AM] 220 Globalscape EFT * UNREGISTERED COPY *

(UNREGISTERED COPY appears until you activate your serial number.)

You can use the variables %DATE% and %TIME% to display the date and time of the login. For example:

EFT Server Login

%DATE% %TIME%

Other variables allowed in the banner message include %USER.Full_Name%, %USER.LOGIN%, %USER.EMAIL%, %USER.FIRST_NAME%, and %USER.LAST_NAME%.

In addition to or instead of the Site's FTP banner message, you can display a message unique to a Settings Template or user account (a login message).

Ensure that all banner messages are generic and do not convey product name or version details (e.g., "Globalscape EFT (v. 6.1)"). This will help obfuscate your server version, making it more difficult for attackers to identify your server as a likely candidate for exploit.

What is the difference between a connection banner and a login message?

1. EFT displays a connection banner immediately after a client connects via FTP, before requesting the login credentials.

2. After the client provides the login credentials and the credentials are authenticated, EFT displays a login banner .

3. The default login banner is “Login OK, proceed.”

4. In the Settings Template, you can specify the following alternatives: use default (“Login OK, proceed.”) banner, append something to default (“Login OK, proceed.”) banner, use its own banner, and show no banner at all.

5. In the user account, you can specify the following alternatives: use default (the one formed in the Settings Template) banner, append something to default (the one formed in the Settings Template) banner, use its own banner, and show no banner at all.


To modify the connection banner

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Click FTP Config. The FTP Settings dialog box appears.

5. In the Connection (banner) message box, specify the text that you want to appear when a client connects.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

User Limit Reached Message

You can configure a Site to allow only a specified maximum number of simultaneous connections. If you click this option, you can specify a message for users when the maximum number of simultaneous connections is exceeded. You can display a message unique to a user in addition to or instead of the Site's user-limit message. Users automatically inherit the default message applied to their Settings Template.

To modify the maximum connections message

1. Open the FTP Settings dialog box .

2. In the User limit reached message box, specify the message you want to display if the maximum simultaneous connections number is exceeded.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT.

Quit Session Message

EFT can send an exit message when the client closes the session gracefully by using the FTP QUIT command. You can display a message unique to a user in addition to or instead of the Site's FTP banner message. Users automatically inherit the default message applied to their Settings Template.

To modify the Quit Session message

1. Open the FTP Settings dialog box .

2. In the Quit session message box, specify the exit message to display.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT.

FTP Commands Supported by EFT

During FTP sessions, servers send and receive various numbered codes to/from FTP clients. Some codes represent errors; most others simply communicate the status of the connection.

When determining a course of action, review the entire log; some codes are informational only, others indicate that you have entered the wrong information, and others indicate what information you need to provide before continuing with your file transfer.

For brief explanations of the most common FTP status and error codes, refer to Knowledgebase article #10142 at http://kb.globalscape.com/KnowledgebaseArticle10142.aspx.

Below is the list of FTP commands that EFT supports and gives a known response to, followed by a few commands that it recognizes but answers with the error message "202 Command not implemented, superfluous at this site."

315

EFT v7.2 User Guide

Cmd    RFC       Description
ABOR   RFC 959   Abort a file transfer
ALLO   RFC 959   Allocates sufficient storage space to receive a file. e.g., ALLO size [R max-record-size]
APPE   RFC 959   Append data to the end of a file on the remote host. e.g., APPE remote-filename
AUTH   RFC 2228  Used to initiate an SSL encrypted session
CCC    RFC 2228  Clear Command Channel for FTPS transfers
CDUP   RFC 959   Change working directory to the parent of the current directory
CLNT   -         Used to identify the client software to the server. This command serves no functional purpose other than to provide information to the server. EFT does not alter its behavior based on the parameters provided in the CLNT command.
COMB   -         Combines file segments into a single file on EFT. (For information about using the COMB command with EFT, refer to Allowing Multipart Transfers (COMB Command).)
CWD    RFC 697   Change working directory. e.g., CWD remote-directory
DELE   RFC 959   Delete remote file
EPRT   RFC 2428  Specifies an extended address and port to which the server should connect
EPSV   RFC 2428  Enter extended passive mode
FEAT   RFC 2389  List all FTP features that EFT supports
HELP   RFC 959   Display a list of all available FTP commands
LANG   RFC 2640  Language negotiation; defaults to English-US, even if a different language is requested.
LIST   RFC 959   Send list of file names and details
MDTM   RFC 3659  Display the date/time the file was modified, in the format YYYYMMDDhhmmss, where YYYY is the four-digit year, MM is the month from 01 to 12, DD is the day of the month from 01 to 31, hh is the hours from 00 to 23, mm is the minutes from 00 to 59, and ss is the seconds from 00 to 59.
MKD    RFC 959   Create (make) a remote directory
MLSD   RFC 3659  Display an abbreviated list of a remote directory's files and subdirectories
MLST   RFC 3659  Display detailed file or directory information
MODE   RFC 959   Sets the mode in which data is to be transferred to S (Stream) or Z (Compressed). The default mode is Stream. (Only "s" or "z" is supported.)
NLST   RFC 959   Send list of file names (no details)
NOOP   RFC 959   Do nothing; often used to keep the session alive.
OPTS   RFC 2389  Used to specify optional parameters for the command that follows the OPTS command, if that command supports such optional parameters. (The commands "mlst" and "mode z level X", where X=1-9, are supported.)
PASS   RFC 959   Send password. e.g., PASS <password>
PASV   RFC 959   Enter passive mode

316

Listener (Protocol) Settings

Cmd    RFC       Description
PBSZ   RFC 2228  Protection Buffer Size. If EFT receives this command, it sets it to 0.
PORT   RFC 959   Specifies the host and port to which EFT should connect for the next file transfer.
PROT   RFC 2228  Data Channel Protection Level. Used to set the protection level to be used for data transfers. PROT P is used to secure the data channel; PROT C is used to clear the data channel.
PWD    RFC 959   Display current directory (print working directory)
QUIT   RFC 959   Closes the connection and terminates the FTP session.
REIN   RFC 959   Reinitializes the connection and cancels the current user/password/account information
REST   RFC 3659  Sets the point at which a file transfer should start. e.g., REST position
RETR   RFC 959   Begins transmission of a file from the remote host. Must be preceded by either a PORT command or a PASV command to indicate where EFT should send data. e.g., RETR remote-filename
RMD    RFC 959   Deletes the named directory on the remote host. e.g., RMD remote-directory
RNFR   RFC 959   Rename from (followed by an RNTO command to specify the new name for the file). e.g., RNFR from-filename
RNTO   RFC 959   Rename to (after sending an RNFR command to specify the file to rename, this command is used to specify the new name for the file). e.g., RNTO to-filename
SITE   RFC 959   Site-specific commands. e.g., SITE site-specific-command
SIZE   RFC 3659  Display size of a file. e.g., SIZE remote-filename
SSCN   -         (Set Secured Client Negotiation) Extension for secure site-to-site transfers over SSL/TLS connections
STAT   RFC 959   Display server status. e.g., STAT [remote-filespec]
STOR   RFC 959   Begins transmission of a file to the remote site. Must be preceded by either a PORT command or a PASV command so that EFT knows from where to accept data. e.g., STOR remote-filename
STOU   RFC 959   Begins transmission of a file to the remote site; the remote filename will be unique in the current directory.
SYST   RFC 959   Displays a string of "215 UNIX Type: L8"
TYPE   RFC 959   Sets the type of file to be transferred. For example: TYPE type-character [second-type-character]. "type-character" can be A (ASCII text) or I (image, binary data). The second-type-character specifies how the text should be interpreted. It can be N (Non-print; not destined for printing. This is the default if second-type-character is omitted), T (Telnet format control <CR>, <FF>, etc.), or C (ASA Carriage Control).
USER   RFC 959   Send username. e.g., USER username
XCUP   RFC 775   (same as CDUP)
XCWD   -         (same as CWD)
XMKD   RFC 775   (same as MKD)
XNOP   -         (same as NOOP)
XPWD   RFC 775   (same as PWD)
XRMD   RFC 775   (same as RMD)
XCRC   -         Compute CRC32 checksum on specified file

The following commands are recognized, but not supported:

Cmd    RFC       Description
ACCT   RFC 959   Send account information
SMNT   RFC 959   Mount a different file system data structure without altering login or accounting information
STRU   RFC 959   Set file transfer structure

Value Returned by the FTP SYST Command

A SYST request asks for information about the server's operating system. The server accepts this request with code 215. EFT, and most servers, respond with 215 UNIX Type: L8.

Some clients disable essential features when they do not see particular strings in the SYST response. If a particular response is required, EFT provides a registry setting with which you can specify the value returned by the FTP SYST command.

64 bit: HKLM\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0\FTPSYSTResponse

32 bit: HKLM\SOFTWARE\Globalscape Inc.\EFT 4.0\FTPSYSTResponse

Value data: Windows_NT

The string value provided in the registry is truncated to 128 characters, if necessary.

After adding the registry key above, the response is 215 Windows_NT.

For more information about the SYST response, refer to http://cr.yp.to/ftp/syst.html.

EFT Support for EBCDIC

Extended Binary Coded Decimal Interchange Code (EBCDIC) is an 8-bit character encoding used on IBM mainframe operating systems such as z/OS, OS/390, VM and VSE, IBM midrange computer operating systems such as OS/400 and i5/OS, and on various non-IBM platforms such as Fujitsu-Siemens' BS2000/OSD, HP MPE/iX, and Unisys MCP.

EFT complies with TYPE E (EBCDIC) mode for FTP-based file transfers (in server mode).

• When a client or mainframe uploads a file over FTP/S and requests TYPE E, EFT converts the file to ASCII (native Windows format).

• When a client or mainframe downloads a file and requests TYPE E, EFT converts the file into EBCDIC format and sends it to the requesting client.

EFT supports conversion of ASCII to EBCDIC and vice versa. Unfortunately, there are several “standard” mappings and EFT currently supports only one of them, the one recommended by Microsoft and IBM.

Refer to the following articles for details:

• http://support.microsoft.com/kb/216399

• http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.csfb400/e2aa2e.htm

EFT does not support the HP standard (used by the dd tool in Linux).
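The two conversion directions above, and the "several standard mappings" problem, can be reproduced with the EBCDIC code pages Python ships. This is an added example, not EFT's code: "cp037" (IBM US/Canada) and "cp500" (IBM International) are assumed here only to show how two tables disagree, not as the mapping EFT itself uses, and the sample text is constructed.

```python
"""ASCII <-> EBCDIC conversion in the TYPE E sense (added example, not EFT code)."""

# Assumed code pages for illustration; the guide does not name the table EFT uses.
CODE_PAGES = {"cp037": "IBM EBCDIC US/Canada", "cp500": "IBM EBCDIC International"}


def ascii_to_ebcdic(text: str, codepage: str = "cp037") -> bytes:
    """Download path: native (ASCII) text becomes EBCDIC bytes for a TYPE E client."""
    return text.encode(codepage, errors="strict")


def ebcdic_to_ascii(data: bytes, codepage: str = "cp037") -> str:
    """Upload path: EBCDIC bytes from a TYPE E client become native text."""
    return data.decode(codepage, errors="strict")


def encodable(text: str, codepage: str) -> bool:
    """False if the text contains a character the chosen table cannot represent
    (e.g. the euro sign under cp037); a server should refuse rather than guess."""
    try:
        text.encode(codepage, errors="strict")
        return True
    except UnicodeEncodeError:
        return False


def round_trip_ok(text: str, codepage: str = "cp037") -> bool:
    """A single consistent table converts losslessly in both directions."""
    return ebcdic_to_ascii(ascii_to_ebcdic(text, codepage), codepage) == text


def mapping_differences(text: str, page_a: str, page_b: str):
    """(char, byte under page_a, byte under page_b) for every character the two
    tables encode differently: exactly the characters that get corrupted when a
    file is written with one mapping and read with the other."""
    diffs = []
    for ch in text:
        a, b = ch.encode(page_a), ch.encode(page_b)
        if a != b:
            diffs.append((ch, a[0], b[0]))
    return diffs


def cross_page_corruption(text: str, encode_page: str, decode_page: str) -> str:
    """What a reader using the wrong table sees for text encoded with another."""
    return ascii_to_ebcdic(text, encode_page).decode(decode_page)


SAMPLE = "ID[42] OK"  # constructed; brackets are where cp037 and cp500 disagree

if __name__ == "__main__":
    for page in CODE_PAGES:
        print(page, ascii_to_ebcdic(SAMPLE, page).hex(" "), round_trip_ok(SAMPLE, page))
    print("differences:", mapping_differences(SAMPLE, "cp037", "cp500"))
    print("cp037 bytes read as cp500:", cross_page_corruption(SAMPLE, "cp037", "cp500"))
```

Letters, digits and space agree across the IBM tables, so a plain alphanumeric file survives a mismatch; brackets and a handful of symbols do not, which is why the choice of table matters for source code and structured data.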

SSL

These topics provide information regarding configuring SSL on a Site. For enabling and configuring SSL on the server, refer to Enabling SSL on the Server.

SSL Overview

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. EFT is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT will be able to decrypt the data.

EFT supports SSL for client and server authentication, message integrity, and confidentiality. You can configure EFT's security features to verify users' identities, to allow users to verify your identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the elements that take part in the process.

FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure sockets. FTPS adds SSL security in both the protocol and data channels. FTPS is also known as FTP-SSL and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS. SSL has been merged with other protocols and authentication methods into a new protocol known as Transport Layer Security (TLS). EFT employs SSL/TLS to perform FTPS to keep your data secure. Refer to EFT Specifications for information about the OpenSSL version used in this version of EFT.


Elements that Work Together to Establish a Secure SSL Connection:

Client: The client needs to be an FTP client with SSL capabilities.

Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT's certificate to open an SSL connection.

Session Key: The client and EFT use the session key to encrypt data. It is generated by the client and sent to EFT encrypted with EFT’s public key.

Public Key: The client encrypts a session key with EFT’s public key. It does not exist as a file, but is produced when a certificate and private key are created.

Private Key: EFT's private key decrypts the client's session key. The private key is part of the public/private key pair.

Certificate Signing Request: A Certificate Signing Request (CSR) is an unsigned copy of your certificate. A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the .csr file is signed, a new certificate is created and replaces the unsigned certificate.

SSL must first be enabled on the Server and Site, and then can be enabled in the Settings Template and/or for each user. EFT provides administrators the ability to specify the symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. EFT validates inbound SSL sessions, and allows or denies connections based on specified or approved ciphers.

EFT supports two levels of authentication with SSL:

High - EFT is configured so that it contains a certificate, but does not require a certificate from the FTP client.

Highest - EFT is configured so that it provides a certificate and also requests a certificate from the client. EFT compares the client certificate to a list contained in its Trusted Certificates database. EFT either accepts or rejects the connection based upon a match.

SSL Certificates

The key to understanding how SSL works is to understand the elements that take part in the process. A key element of SSL is the SSL certificate. A public-key certificate (usually just called a certificate) is a digitally-signed document that ties the value of the public key to the identity of the server service that holds the corresponding private key.


Typically, a certificate contains the following information:

• EFT’s public key value, which the clients use to encrypt a session key (the client and EFT use the session key to encrypt data). This public-key does not exist as a file. It is produced when a certificate and private key are created.

• EFT’s identifier information, such as the name, e-mail address, common domain name, and other details.

• The validity period (the time that the certificate is considered valid)

• Issuer or signer identifier information

• The digital signature of the issuer, which attests to the validity of the binding between EFT public key and the organization's identifier information.

Many certificate types or standards exist, and EFT supports the most common ones. EFT can import into its certificate store any client-provided certificate of type PKCS 7 or 12, and the X.509 DER encoded standard. For the certificate that EFT itself provides (to the connecting client during the SSL handshake), it supports X.509 and PKCS #12 only. Note that PKCS #12 embeds both the certificate AND private key into a single file. The default type that is created by EFT is x.509 base-64 standard DER encoded.

Before a certificate can be used for securing connections, it must be created (generated) and signed (or vouched for). Certificates can be created directly from EFT, or by a trusted Certificate Authority (CA), which is an independent and trustworthy entity responsible for issuing and managing digital certificates, including revocation of certificates that are expired or are otherwise unauthorized. Once created, a certificate should be signed. By digitally "signing" a newly issued certificate, the signer guarantees the authenticity of the data held in the signee’s certificate. EFT can sign its own certificates; however, it is recommended that the certificate be signed by a trusted 3rd-party CA.

When generating a new certificate, EFT creates a self-signed certificate and a certificate signing request (or CSR) file that you can send to a CA for signing and then import into EFT.


Files created by EFT:

• Private key file (.key) - The private key should never be distributed to anyone. It is used to decrypt the session that is encrypted by the public key.

• Certificate request file (.csr) - Each time you create a certificate using the wizard in EFT, a certificate request file is also created. This file can be signed by EFT's Certificate Signing Utility or sent to an intermediate certificate authority such as GeoTrust, Verisign (www.verisign.com), or Thawte (www.thawte.com) for signing.

• Certificate file (.crt) - This is a self-signed certificate. To obtain a 3rd-party signed certificate, you must send the certificate signing request file to a Certificate Authority (CA) such as Verisign, Geotrust, or Thawte. The CA in turn will send you a new .crt file with which you can replace your self-signed one.

SSL Certificate Chain-of-Trust

Trust in a certificate is established when you have a copy of the signing certificate in your certificate store (for example, EFT’s store or Internet Explorer's Trusted Root Certification Authority for clients). The certificate does not necessarily have to be signed by a root CA; it can be signed by a subordinate intermediate CA, as long as there is a valid certification path from the signing certificate to a trusted root certificate, meaning that none of the certificates in the certification path has been revoked or has expired.

Explicit Versus Implicit SSL

Secure Socket Layer (SSL) was originally created for secure Web browsing. When both a client and server support the AUTH SSL command, security is accomplished through a sequence of commands passed between the two computers. The FTP protocol definition provides at least two distinct mechanisms by which this sequence is initiated: explicit (active) and implicit (passive) security.

Explicit Security: To establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used. This formal method is documented in RFC 2228.

Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client (990) to be used for secure connections.

Implicit SSL is discussed in various SSL drafts, but is not formally adopted in an RFC. For strict compliance to standards, use the explicit method.

Because implicit SSL has a dedicated port strictly used for secure connections, implicit SSL connections require less overhead when you establish the session. There are various FTP servers that support this mode, including EFT, RaidenFTPD, IBackup’s FTP server, and others.

Think of implicit security as "always on" and explicit security as "turn on." The following diagram contrasts implicit and explicit SSL connections.
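To make the explicit ("turn on") sequence concrete, here is an added example that is not EFT's code or anything from the guide: a small model of the control channel both sides see during an explicit FTPS login. It uses the commands and reply codes from the command table above (AUTH, PBSZ, PROT, CCC per RFC 2228; the 202 reply for commands EFT recognizes but does not support) and finishes with an audit pass that flags any CCC or PROT C the server accepted, which is the condition the guide's PCI DSS check looks for. The usernames, password and command lists are constructed, and the login step accepts any password because credential checking is not what the model is about.

```python
"""Explicit FTPS control-channel model (constructed example, not EFT code).

Reply codes are the standard ones from RFC 959 and RFC 2228."""

from typing import List, Tuple

Transcript = List[Tuple[str, str]]  # (client command, server reply)


class ControlChannel:
    """Minimal FTP server state machine for the login phase of one session."""

    def __init__(self) -> None:
        self.tls = False        # set once AUTH TLS succeeds
        self.pbsz_set = False   # RFC 2228: PBSZ must precede PROT
        self.prot = "C"         # data channel starts clear until PROT P
        self.user = None
        self.logged_in = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        arg_u = arg.upper()
        if verb == "AUTH":
            if arg_u not in ("TLS", "SSL"):
                return "504 Unrecognized security mechanism"
            self.tls = True
            return "234 AUTH command OK. Initializing TLS connection."
        if verb == "PBSZ":
            if not self.tls:
                return "503 Bad sequence of commands"
            self.pbsz_set = True
            return "200 PBSZ=0"  # a TLS stream needs no buffer; EFT also sets it to 0
        if verb == "PROT":
            if not self.pbsz_set:
                return "503 PBSZ must be issued before PROT"
            if arg_u not in ("C", "P"):
                return "536 Requested PROT level not supported by mechanism"
            self.prot = arg_u
            return f"200 Protection level set to {arg_u}"
        if verb == "CCC":
            if not self.tls:
                return "533 Control channel is not protected"
            self.tls = False  # every command after this travels in clear text
            return "200 Control channel cleared"
        if verb in ("ACCT", "SMNT", "STRU"):  # recognized but not supported by EFT
            return "202 Command not implemented, superfluous at this site."
        if verb == "USER":
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.logged_in = True  # credential check deliberately omitted here
            return "230 User logged in"
        if verb == "QUIT":
            return "221 Goodbye"
        return "200 OK" if self.logged_in else "530 Not logged in"


def run_session(commands: List[str]) -> Transcript:
    server = ControlChannel()
    return [(cmd, server.handle(cmd)) for cmd in commands]


def reply_class(reply: str) -> str:
    """Classify a reply by its first digit, the way the guide's note on reading logs describes."""
    return {"1": "preliminary", "2": "success", "3": "intermediate",
            "4": "transient error", "5": "permanent error"}.get(reply[:1], "unknown")


def audit_clear_channel(transcript: Transcript) -> List[str]:
    """Commands that dropped protection and were accepted (2xx reply):
    CCC, or PROT C, the two things the PCI DSS check forbids."""
    findings = []
    for cmd, reply in transcript:
        verb, _, arg = cmd.strip().upper().partition(" ")
        if reply.startswith("2") and (verb == "CCC" or (verb == "PROT" and arg.strip() == "C")):
            findings.append(cmd)
    return findings


# Constructed sessions: a compliant explicit-FTPS login and a downgraded one.
COMPLIANT = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS example-password", "QUIT"]
DOWNGRADED = ["AUTH TLS", "PBSZ 0", "PROT C", "CCC", "USER bob", "PASS example-password"]

if __name__ == "__main__":
    for name, cmds in (("compliant", COMPLIANT), ("downgraded", DOWNGRADED)):
        transcript = run_session(cmds)
        for cmd, reply in transcript:
            shown = "PASS ****" if cmd.upper().startswith("PASS") else cmd  # never log passwords
            print(f"C> {shown:<24} S> {reply}  [{reply_class(reply)}]")
        print(f"{name}: clear-channel findings = {audit_clear_channel(transcript)}\n")
```

The audit keys on the server's reply rather than on the client's request: a client may ask for PROT C and be refused, and only an accepted downgrade is a finding.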


SSL Certificate-Based Login

EFT Enterprise supports authentication using SSL certificates for FTPS, HTTPS, and AS2 connections, rather than password-based login. This is similar to SFTP authentication in which a particular SFTP key is associated with a user account; when the user logs in and provides the key, as long as the keys match, they are allowed to proceed. Unlike SFTP, SSL offers the option to authenticate using both password and certificate rather than one or the other.

Normally, when a client supplies an SSL certificate for the SSL handshake (if requested by EFT), EFT determines whether that certificate is in the global trusted list. If the certificate is trusted, EFT completes the process of negotiating a shared secret and then moves on to the authentication stage, requesting a username followed by a password. If the user enters the wrong password (or no password at all), the authentication attempt fails, even though a certificate was found in the trusted store that matched the client’s certificate.

EFT determines whether certificate keys used on EFT are current and reports the status in the PCI DSS Compliance Report. Refer to Possible Compliance Report Outcomes for more information.

With certificate-based authentication, the sequence of steps is virtually the same. If certificate-based authentication is enabled, then after the client’s username has been provided, but before EFT requests the user’s password, EFT verifies that the public key of the provided certificate matches the certificate in the trusted store that is associated with (mapped to) this particular user’s account. If a match is made, that user is automatically authenticated for that session. If the protocol expects a username/password sequence, EFT always returns TRUE, regardless of the password supplied by the client (whether null or invalid).

Compliance with PCI DSS requires that users change their password upon initial login. Because this login method does not use a password, it potentially violates the PCI DSS and is, therefore, not available on Sites defined using the "strict security settings" option.

The procedures below describe how to specify SSL-based logins for Site, Settings Template, and user accounts.

To specify SSL certificate-based logins for the Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.


4. Next to SSL certificate settings, click Configure. The SSL Certificate Settings dialog box appears.

5. Do one of the following:

• Create a certificate:

  a. Click Create. The Create SSL Certificate wizard appears.

  b. Follow the steps in Creating Certificates to create the SSL certificate for the Site.

• Use an existing certificate:

  a. In the Certificate box, specify the SSL certificate that is required to connect to the Site.

  b. In the Private key box, specify the private key for the certificate.

  c. In the Passphrase and Confirm passphrase boxes, provide the password for the certificate.

6. To require connecting clients to use the certificate, select the Require SSL certificates from connected clients check box.

7. Click OK to save the changes.

8. Click Apply to save the changes on EFT.

To specify SSL certificate-based logins for the Settings Template or a User

Do not specify SSL authentication options for accounts that need to send AS2 transfers. EFT’s HTTP/S protocol handler requires a username and password at the outset of HTTP/S-based AS2 transactions.

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user that you want to configure.

3. In the right pane, click the Connections tab.

4. Select the FTPS (SSL/TLS) check box, if not inherited from the Site, and then click SSL Auth.

The SSL Authentication Options dialog box appears. (If the SSL Auth button is dimmed, you are using EFT SMB edition. This feature is available in EFT Enterprise only.)


5. In the SSL authentication options list, specify the authentication method:

• Specified in Settings Template (if a user account is selected)

• Password only (the default for the Settings Template)

• SSL Certificate - If SSL Certificate is specified, the bottom box becomes available. Certificates that are defined on the Site appear in the box. Click the user certificate in the box. If no certificate is available:

  a. If you need to define a certificate, click Create Cert. The Create SSL Certificate wizard appears.

  b. To view or import certificates, click Cert. Manager. The Certificate Manager appears.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

SSL Certificate Compatibility

The table below indicates the types of functions and associated encoding that have been tested for compatibility on EFT.

Function                       PEM (ASCII encoded)   DER (binary encoded)   PKCS#7/P7B          PKCS#12/PFX
AS2 public                     YES                   YES                    YES                 YES (imports public key)
AS2 private                    YES                   YES                    n/a                 YES
AS2 partner public             YES                   YES                    YES                 n/a
General SSL public             YES                   YES                    YES                 YES (imports public key)
General SSL private            YES                   YES                    n/a                 YES
Create Public Certificate      YES                   YES                    YES                 n/a
Create Private Certificate     YES                   YES                    n/a                 YES
Certificate Manager Import     YES                   YES                    YES                 YES (imports public key only)
Certificate Manager Export     YES (public only)     YES (public only)      YES (public only)   n/a


Creating SSL Certificates

A self-signed certificate contains a public key, information about the owner of the certificate, and the owner's signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority.

To achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively.

A certificate on the client must be associated with EFT to initiate an SSL connection. When you are administering EFT on the local computer, you can import your own certificates or create new ones using the Certificate Creation Wizard (described below). There are three types of files associated with an SSL certificate key pair:

• Private key file - The private key should never be distributed to anyone. It is used to decrypt the session, which is encrypted by the public key. Available formats include:

  o PEM (ASCII) encoded - *.key

  o PKCS#12 (PFX combined) - *.pfx

  o DER (binary private key) - *.der

• Certificate file - This is a signed certificate, whether self-signed or signed by an intermediate certificate authority. Available formats include:

  o PEM (ASCII) encoded - *.crt

  o PKCS#7 (P7B public key) - *.p7b

  o DER (binary public key) - *.cer

• Certificate signing request file (.csr) - Each time you create a certificate using EFT, a Certificate Signing Request file is also created. A Certificate Signing Request (CSR) is an unsigned copy of your certificate. This file can be signed by EFT's Certificate Signing Utility or sent to an intermediate certificate authority, such as GeoTrust, for signing.

For maximum compliance with security standards, you should use an SSL certificate signed by a trusted authority. You can import certificates or use this wizard to create your own. The private key (.key) and certificate request (.csr) files are created at the same time. You are prohibited from creating certificates for EFT while remotely administering EFT because this action can create a security breach. Any certificates you create remain on the computer on which you create them, unless you take special steps to deliver and associate these files with another computer.

The Certificate Creation Wizard does not create SHA-2 certificates; however, EFT can apply a SHA-2 certificate generated through other means, such as certificate authorities and third-party applications.

To create an SSL certificate

1. In the administration interface, connect to EFT, click the Server tab, then do one of the following:

• On the main menu, click Tools > Create SSL Certificate.

• On the toolbar, click the New SSL Certificate icon.

• On the keyboard, press ALT+T+C.

The Create SSL Certificate wizard appears.


2. In the Certificate name box, specify the name (up to 256 characters) of the certificate that will be generated.

3. In the Path box, specify the path to the folder in which the certificate is to be saved. The wizard saves each of the files in this folder.

If you are purchasing a signed certificate from a certificate authority (CA), you usually need to forward the contents to the CA. To do this, locate the .csr and open it in a text editor. Then you can copy and paste the contents.

4. In the Expiration Date box, specify the date on which the certificate will expire.

5. In the Passphrase and Confirm passphrase boxes, type the passphrase used to encrypt the private key. The passphrase can be any combination of characters or spaces. Do not lose the passphrase; the certificate is useless without it.

6. In the Key Length (in bits) box, specify the key length: 512, 1024, 2048, or 4096 bits. Smaller keys are faster; larger keys are more secure.

If you create a certificate with a key length of 4096 bits or greater, the Java-enabled Web Transfer Client will not function properly due to its reliance on the Java runtime (JRE), which currently does not support key lengths of 4096 bits or greater.

7. Click Next. The Certificate Information page appears.


Each of the boxes must be completed before continuing. The information you provide is stored in the certificate.

8. In the City/Town box, provide the name of your city, town, or other locality.

9. In the State/Province box, provide the name of the state or province.

10. In Organization box, provide the name of your organization, or any other designator.

11. In the Common Name box, provide the common name or fully qualified domain name, such as www.globalscape.com. (Typically, the name or domain name associated with the Site.)

12. In the E-Mail box, provide your e-mail address in the format [email protected].

13. In the Unit box, type any other information about your organization, such as department name.

14. In the Country box, provide the 2-letter ISO country code using uppercase letters.

15. Click Next. The Certificate Options page appears.

16. If the Associate the certificate to the Site(s) specified below check box is cleared, the wizard saves only the certificate files in the folder you previously specified, but does not associate it with any Site. If the check box is selected, the wizard associates the certificate to the administration service or Site(s) you specify in the Apply certificate to box.

17. In the Apply certificate to box, specify which components of EFT are affected (Administration Service, All Sites, or a specific Site).

Associating a new certificate with a Site requires a restart of the Site, and any active users will be disconnected, so it is recommended that you associate certificates when Sites are inactive or stopped.

18. If the Add this certificate to the Trusted Certificate list check box is selected, the wizard adds the certificate to the Trusted Certificates database. Use this feature if you are creating certificates for user distribution. You can limit EFT access to just the users that have the certificate. You can verify the addition to the Trusted Certificate database by clicking Tools > Certificate Manager or, on the toolbar, click the Certificate Manager icon . (Refer to The Certificate Manager for more information.)

19. In the Certificate Format box, specify the format of the certificate file.

20. In the Private Key Format box, specify the format of the key file.

21. Click Finish. The certificate is created and a message box appears. You can select and copy the certificate information, if desired, and then click OK to dismiss the message.

Enabling SSL on the Server

Before configuring SSL on the Site, you must configure SSL on the server. Specify SSL versions and ciphers before enabling SSL connections. After you have enabled SSL for the server, SSL connections can be enabled on the Site, Settings Template, and/or for each user. Each level can inherit the settings from the parent.

To configure SSL

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the server node that you want to configure.

3. In the right pane, click the Security tab.


4. In the SSL Compatibility area, specify the SSL versions/ciphers to use:

5. Select the check box of one or more ciphers/algorithms to use, or manually specify the ciphers. At least one cipher must be specified.

Only advanced users should manually specify ciphers.

6. Click the arrows to arrange the ciphers in top-down priority. If more than one approved cipher is specified, and the connecting client has in its list one or more ciphers that are also on EFT’s approved list, EFT will select and use the cipher based on ordering (priority) shown in the list box.

7. Click Apply to save the changes to EFT.

SSL Cipher and Version-allowed settings affect ALL Sites on EFT.

For PCI DSS compliance, EFT checks for 128-bit or higher ciphers, SSLv3 or greater, and no use of CCC or PROT C.

A Certificate Authority (CA)-signed certificate establishes your validity better than a self-signed certificate.

For details of SSL when using FIPS mode, refer to FIPS-Compliant Protocols and Ciphers .

Assigning a Certificate

An SSL Certificate is necessary for FTPS, HTTPS, and AS2 connections. After you create or obtain an SSL certificate, you can assign the certificate to one or more Sites.

To assign a certificate you have created or obtained to a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Connections tab.


4. In the SSL certificate settings area, click Configure. The SSL Certificate Settings dialog box appears.

• To create a certificate, click Create and follow the prompts in the wizard. (Refer to Creating Certificates for details, if necessary.)

• To use an existing certificate:

  a. In the Certificate box, type the path to the .crt file or click the folder icon to find and select it.

  b. In the Private key box, type the path to the .key file or click the folder icon to find and select it.

  c. In the Certificate passphrase and Confirm passphrase boxes, type and confirm the passphrase for the certificate pair.

5. Select the Require SSL certificates from connected clients check box, if you want connecting clients to use an SSL certificate.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Using Ciphers for Inbound SSL Connections

This topic describes the use of ciphers for inbound SSL (HTTPS and FTPS) connections with the Server.

For the procedure for configuring SSL on EFT, refer to Enabling SSL on the Server.

EFT validates inbound SSL sessions, and allows or denies connections based on ciphers specified on the Server's Security tab. During SSL negotiation, the connecting (inbound) SSL client is allowed to select its preferred combination from the specified list.

The PCI DSS states that you should use strong ciphers and protocol versions. On a high-security-enabled Site, if you attempt to specify weak ciphers and protocol versions or to create a cipher string manually, the Server prompts you to correct it, or to continue and record a reason. When using the GSCM, the Server enforces the use of specific algorithms for FIPS mode.

If FIPS mode is enabled for SSL connections, only FIPS-approved SSL ciphers are available (AES 256 bit, 3DES 168 bit, AES 128 bit).

EFT provides two options for specifying ciphers:

Select algorithms and order by preference—(selected by default) If this list is used to specify more than one approved cipher, and the connecting client has in its list one or more ciphers that are also on EFT’s approved list, EFT selects and uses the cipher based on ordering (priority) shown in the list box. You can change the priority by clicking the up and down arrows to the right of list. Click Reset to Defaults to clear any edits. You can choose one or more ciphers available from the OpenSSL library installed with EFT. At least one check box must be selected.


EFT v7.2 User Guide

Manually specify algorithms—This selection uses the parameterized cipher string for creating an ordered SSL cipher preference list per http://www.openssl.org/docs/apps/ciphers.html. The cipher negotiation will use the ordering defined by the user in the cipher string (for example @STRENGTH) or, if no ordering was defined, the default ordering.

When Manual is selected, the Select list is disabled, and the advanced cipher string is used. Provide a string that will be passed directly to the SSL library.

For example:

ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH

or

ALL:!ADH:HIGH:@STRENGTH

The first string is the example from the OpenSSL documentation; it includes SSLv2, which fails the SSLv3-or-later check described above, and RC4, which RFC 7465 prohibits for TLS, so do not use it on a production Site. Note also that keywords are applied left to right and a keyword such as HIGH only adds suites: it does not remove suites that ALL has already selected, so the second string still contains every non-ADH suite the library supports. To limit the list to HIGH suites, begin the string with HIGH (for example HIGH:!ADH:@STRENGTH) rather than ALL.

Each cipher (or cipher keyword) is separated by a colon and can be preceded by one of the characters !, -, or +:

• ! (exclamation point) = the ciphers that follow are removed from the list permanently; a later keyword cannot add them back

• - (minus sign) = the ciphers that follow are removed from the list, but a later keyword may add them back

• + (plus sign) = the ciphers that follow are moved to the end of the list

• If none of these characters is used, the ciphers that follow are appended to the list; ciphers already on the list keep their position.

@STRENGTH can be used at any point to sort the current cipher list in order of encryption algorithm key length.

• To exclude 0-bit ciphers, do not use COMPLEMENTOFALL; use !NULL

• Use ALL:!EXPORT:!LOW to exclude 40- and 56-bit ciphers, as shown in the table below.

• Use ALL:COMPLEMENTOFALL to allow all of the supported ciphers, as shown in the table below.

Refer to The OpenSSL ciphers page for details of cipher strings, including examples.

EFT validates the cipher string against the SSL library once when Apply is clicked or if the user clicks away from the Security tab. If the string is faulty, EFT returns an error indicating that it failed and the failure reason, if available. After the prompt appears and you click OK or Cancel, the prompt closes, but does not clear out the cipher box in case you want to refine it, if needed.

Changes cannot be applied until the string is valid. (Or you can go back to the Select list, then click Apply.)
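The following Python script is added to this guide as an example; it is not part of EFT. It does what EFT does when you click Apply with a manual string: it hands the string to the SSL library and reports either the rejection reason or the ordered suite list the string expands to, then flags any suite whose effective key length is under 128 bits, the PCI DSS threshold mentioned above. It uses Python's ssl module, so the result reflects the OpenSSL build on the machine it runs on rather than EFT's bundled library. The strings in its main block are this page's example, a string that starts from HIGH so that HIGH actually restricts the list, and a deliberately invalid string to show the rejection path.

```python
"""Validate an OpenSSL cipher string and inspect what it selects.

Example code added to this guide; it is not part of EFT. It uses Python's
ssl module, so results reflect the OpenSSL build on the machine running it.
"""
import ssl

PCI_MIN_BITS = 128  # the "128-bit or higher" threshold this section mentions


def expand_cipher_string(cipher_string):
    """Return [(suite name, protocol, effective key bits), ...] in negotiation order.

    Raises ValueError carrying OpenSSL's reason when the library rejects the
    string, which is the condition that makes EFT refuse to apply it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError("cipher string rejected: %s" % exc) from exc
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def is_valid_cipher_string(cipher_string):
    """True when the SSL library accepts the string and it selects at least one suite."""
    try:
        return bool(expand_cipher_string(cipher_string))
    except ValueError:
        return False


def weak_suites(suites, min_bits=PCI_MIN_BITS):
    """Suites whose effective key length is below *min_bits*."""
    return [s for s in suites if s[2] < min_bits]


def report(cipher_string):
    """One-line verdict for an administrator reviewing a manual string."""
    try:
        suites = expand_cipher_string(cipher_string)
    except ValueError as err:
        return "%s -> REJECTED (%s)" % (cipher_string, err)
    weak = weak_suites(suites)
    if weak:
        verdict = "%d suite(s) below %d bits" % (len(weak), PCI_MIN_BITS)
    else:
        verdict = "all suites >= %d bits" % PCI_MIN_BITS
    return "%s -> %d suites, %s" % (cipher_string, len(suites), verdict)


if __name__ == "__main__":
    # The page's example, a string that begins with HIGH so HIGH restricts
    # rather than re-adds, and an invalid string to show the rejection path.
    for candidate in ("ALL:!ADH:HIGH:@STRENGTH", "HIGH:!aNULL:!3DES:@STRENGTH", "NOT_A_CIPHER"):
        print(report(candidate))
    for name, proto, bits in expand_cipher_string("HIGH:!aNULL:!3DES:@STRENGTH")[:6]:
        print("   %-40s %-8s %3d" % (name, proto, bits))
```

Run it on the EFT host (or any machine with the same OpenSSL version) before pasting a manual string into the Security tab; a string that is rejected here is rejected by EFT for the same reason, and the per-suite bit counts tell you whether the string really meets the 128-bit requirement rather than merely being syntactically valid.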

Signing a Certificate

EFT can sign certificate requests created by other clients. Typically, the client certificate request is signed with the certificate created for EFT. If a certificate from the FTP server's Trusted Certificates database is used to sign client certificates, then all certificates you sign are automatically trusted.

The HSM checks the key length and expiration date only for EFT's SSL certificates (i.e., administration certificate and Site certificates); client certificates (i.e., trusted certificates) are not checked.

To sign a certificate request

1. Obtain the Certificate Signing Request file. This can be done through e-mail or any other file delivery method.

2. In the administration interface, connect to EFT and click the Server tab.

3. On the Server tab, click the Server or a Site node. (If the Server Group node is selected, the certificate options are unavailable.)

4. On the main menu, click Tools > Sign SSL Certificate, or click the Certificate Signing Utility icon. The Certificate Signing Utility dialog box appears.


5. In the Client certificate request box, click the folder icon to browse for and specify the Certificate Signing Request file that you want to sign.

6. In the Output path box, click the folder icon to browse for and specify the folder in which to save the signed certificate file.

7. In the Resulting certificate expiration date box, click the list to open a calendar in which to specify an expiration date.

• Click the left- and right-facing arrows to scroll through the months.

8. In the Signing certificate box, specify the certificate that you want to use to sign the certificate request file. The signing certificate must be in your trusted certificate database in order for clients submitting the signed certificate to connect to the Site.

9. In the Private key box, specify the private key file associated with the signing certificate.

10. In the Passphrase box, provide the passphrase associated with the signing certificate.

11. Click OK. The new certificate is saved in the folder you specified.

12. Return the certificate file to the user.


Certificate Manager

The Certificate Manager is used to manage the SSL certificates for a Site. The Certificate Manager browses your My Documents folder by default when you click Import or Export. For a client to connect to the server, their certificate must appear in the Trusted Certificates list.

To open the Certificate Manager

1. In the administration interface, connect to EFT and click the Server tab.

2. On the main menu, click Tools > Manage SSL Certificates. The Certificate Manager appears.

• To view all of the certificates for a Site, click the Site drop-down list to select the Site. The certificates for the selected Site appear.

• To view the properties of a certificate, click the certificate in the list, and then click Properties. The Certificate Contents dialog box appears, showing the Issuer and Subject information and the dates the certificate is valid.

• To import certificates for a Site, refer to Importing a Certificate.

• To export certificates from a Site, refer to Exporting a Certificate.

• To remove a certificate, click the certificate in the list, and then click Remove.

• To create a new certificate, refer to Creating Certificates.

• To move a certificate from the Pending to the Trusted list, click the certificate and then click Make Trusted.

3. Click Close to close the Certificate Manager.

Certificate Chaining

A certificate chain is used to establish a chain of trust from a peer certificate to a trusted CA certificate.

Each certificate is verified using another certificate, creating a chain of certificates that ends with the root certificate. The issuer of a certificate is called a certification authority (CA). The owner of the root certificate is the root certification authority. The last certificate in the chain is usually a self-signed certificate.

EFT supports full certificate chains, which is a single file with a combination of all certificates in the chain. Usually, you will receive this file from a signing authority. Otherwise, you can create the chain manually, as described below, or ask the Globalscape Technical Support team to create one for you.


To create the chain, the general steps include:

1. You must have the following certificates:

• Client/server certificate signed with the intermediate CA certificate

• One (or more) intermediate CA certificates

• A root CA certificate

2. Download the OpenSSL command line utility, available free from http://www.openssl.org/related/binaries.html.

3. Run the x509 command on each certificate file, outputting the text version of that file. (Refer to the example below.)

4. Redirect the output into a combined file as a concatenated block of text.

For example, suppose you created a certificate in EFT called "mycert.crt" (and it has the associated private key "mycert.key"), then sent the CSR file ("mycert.csr") to Verisign, who sent you the following:

• Signed certificate ("mycert_Signed.crt")

• Intermediate certificate ("Verisign_Intermediate.crt")

• Root certificate ("Verisign_Root.crt").

To combine these into a single file that EFT supports, use the following commands in OpenSSL:

c:\> openssl x509 -inform PEM -in "mycert_Signed.crt" -text > mycert_combined.crt
c:\> openssl x509 -inform PEM -in "Verisign_Intermediate.crt" -text >> mycert_combined.crt
c:\> openssl x509 -inform PEM -in "Verisign_Root.crt" -text >> mycert_combined.crt

You now have a certificate file that EFT can use to deploy the entire chain. The order matters: your own signed certificate first, then each intermediate certificate, then the root. The -text switch writes a human-readable dump ahead of each PEM block; the SSL library ignores text outside the BEGIN/END lines, so the dump does no harm, but you can omit -text to produce a file that contains only the three PEM blocks.

The way you access the intermediate and root certificates, as well as the format of those certificates, might differ between signing authorities.

Importing a Certificate

For expediency, you should save the certificates that you want to import into EFT in your My Documents folder. The Certificate Manager browses your My Documents folder by default when you click Import.

If you attempt to import a certificate that has a key length of 512 bits or less on a Site created using the "strict security settings" option, EFT prompts you that only strong keys should be used. You are offered the option of importing a key that has at least 1024 bits or continuing with reason.

To import a certificate to a Site

1. On the main menu, click Tools > Manage SSL Certificates. The Certificate Manager appears.

2. In the Trusted Certificates list, click Import.

3. Browse to the folder that contains the client's certificate file and click the file.

EFT can import a digital certificate from the following formats: PEM, Base64 Encoded X509, DER Encoded X509, PKCS#7, PKCS#12.

The private key associated with the digital certificate must be in one of the following formats: PEM, DER, PKCS#8, PKCS#12.

A Certificate Signing Request (.csr) is a PKCS#10 request, which is an unsigned copy of your certificate.

4. Click Open. EFT automatically determines the certificate format. If EFT is unable to determine the format, or if the import fails, you can manually convert a digital certificate to one of the above formats and import it. Consult the distributor/vendor of your certificate for details on this process.

The certificate is added to the Trusted Certificates database. Clients submitting that certificate are now able to connect to EFT.

Exporting a Certificate

The Certificate Manager browses the My Documents folder by default when you click Export, so saving exported certificates there is the most convenient choice.

To export a certificate from the database

1. On the main menu, click Tools > Manage SSL Certificates. The Certificate Manager dialog box appears.

2. In the Trusted Certificates list, click Export, and browse to the folder where you want to save the certificate file.

3. Type a name for the certificate file, and then click Save.

Enabling FTPS and HTTPS (SSL) on the Site

Specify SSL versions and ciphers before enabling SSL connections. SSL must first be enabled on EFT and on the Site; it can then be enabled in the Settings Template and for each user.

If you require certificates from connecting clients before they can connect, then their certificate must be in the Trusted Certificates Database or signed by a certificate in the Trusted Certificate Database.

If you are using SSL authentication for accounts that need to send AS2 transfers, leave it at the default password authentication, not certificate authentication.

To enable SSL

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, select the Site you want to configure.

3. In the right pane, select the Connections tab.

4. In the Listener Settings area, select the applicable check boxes (FTPS, HTTPS, and/or AS2).

5. In the SSL certificate settings area, click Configure. The SSL Certificate Settings dialog box appears.


6. Do one of the following:

• To create a certificate, click Create and follow the prompts in the wizard. (Refer to Creating Certificates for details, if necessary.)

• To use an existing certificate:

  a. In the Certificate box, type the path to the .crt file or click the folder icon to find and select it.

  b. In the Private key box, type the path to the .key file or click the folder icon to find and select it.

  c. In the Certificate passphrase and Confirm passphrase boxes, type and confirm the passphrase for the certificate pair.

7. Select the Require SSL certificates from connected clients check box, if you want connecting clients to use an SSL certificate.

8. Click OK to close the dialog box.

9. Click Apply to save the changes to EFT.

Configuring SSL for a Settings Template or User Account

(EFT Enterprise only) SSL must first be enabled on the Site and Server. In EFT Enterprise, it can then be enabled for a Settings Template and/or for each user.

If you require certificates from connecting clients before they can connect, then their certificate must be in the Trusted Certificates Database or signed by a certificate in the Trusted Certificate Database.

If you are using SSL authentication for accounts that need to send AS2 transfers, leave it at the default password authentication, not certificate authentication.

To enable SSL

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, select the Settings Template or user account that you want to configure.

3. In the right pane, select the Connections tab. (If the SSL Auth button is dimmed, you are using EFT SMB. This feature is available in EFT Enterprise only.)

4. In the Protocols area, select the applicable check boxes (FTPS, HTTPS, and/or AS2).

5. Click SSL Auth. The SSL Authentication Options dialog box appears.


6. In the SSL authentication options list, specify the authentication method:

• Specified in Settings Template (available for user accounts)

• Password only

• SSL Certificate - If SSL Certificate is specified, specify the user certificate in the second list that appears.

Compliance with PCI DSS requires that users change their password upon initial login.

Because the "SSL Certificate" login method does not use a password, it potentially violates the PCI DSS and is, therefore, not available on Sites defined using the "strict security settings" option.

7. Click OK to close the dialog box.

8. Click Apply to save the changes to EFT.

Disabling SSL Connections

You can disable SSL support for every user on EFT by disabling SSL support on the Site or you can disable SSL for a specific user or Settings Template.

To disable SSL connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user for which you want to disable SSL.

3. In the right pane, click the Connections tab.

4. Clear the FTPS (SSL/TLS) - Explicit mode, FTPS (SSL/TLS) - Implicit mode, and HTTPS check boxes. At least one of the non-SSL protocol check boxes (FTP, SFTP, HTTP, AS2) must be selected, or the node must inherit the parent's settings.

5. Click Apply to save the changes on EFT.


If SSL connections are disabled on the Site, they are also disabled for all Settings Templates and users on the Site.

Exporting a Certificate from PFX to PEM

For security, EFT does not allow you to use a certificate file with a .p* (e.g., .pfx, .p12) extension. The .p* extension indicates a combined file that contains both the certificate and its private key; a partner certificate should be the public certificate only, never a file that carries a private key. You can create certificate files using EFT's Certificate wizard. If you have a combined certificate from a third party, use the procedure below to extract the public certificate without the private key.

To export the certificates from PFX to PEM

1. Download the precompiled Windows binary and Windows Installer for OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html. The OpenSSL distribution contains a number of utilities, including the main utility openssl.exe. By default, the utilities are installed in C:\Openssl\bin.

2. Open a Windows command prompt and navigate to \Openssl\bin.

3. Type openssl.exe and press ENTER. The OpenSSL prompt appears.

4. Execute the following command:

pkcs12 -in <cert.pfx> -out <cert.pem> -nodes

where <cert.pfx> is the name of the PFX file (you might need to include the path and quotes), and <cert.pem> is the name of the file that OpenSSL is to generate (include the path if you want to save it in a location other than \Openssl\bin).

For example, type:

pkcs12 -in "C:\Program Files\nsoftware\IPWorks EDI V7 AS2 Connector\as2datacert.pfx" -out cert.pem -nodes

The -nodes switch writes the private key into <cert.pem> unencrypted. If you only need the certificates, add -nokeys instead so that no key material is written at all.

5. The command converts the data in the <cert.pfx> file to PEM format in the <cert.pem> file. The PEM file contains all of the items that were in the PFX file:

• Private key

• Identity certificate

• Root certificate

• Intermediate certificate

Each of the certificates (Private Key, Identity certificate, Root certificate, Intermediate certificate) is wrapped within headers, and these headers are part of the certificates. The PEM file looks similar to the following:


6. Open the PEM file in a text editor (Notepad, EditPlus) and delete all but the partner's identity certificate section, so that the file only contains the section that starts with

-----BEGIN CERTIFICATE-----

and ends with

-----END CERTIFICATE-----

The order of the sections depends on how the PFX was built, so identify the identity certificate from the subject= line that OpenSSL prints above each block rather than by its position in the file, and make sure that no PRIVATE KEY section remains.

7. Save the file with a .crt extension. The file is now ready to be used in EFT for the partner certificate. Because -nodes left the private key unencrypted in the PEM file, delete that file once the .crt has been saved.

Refer to Knowledge Base article Q10401 - HOWTO: Using OpenSSL to Generate/Convert Keys and Certificates for more information regarding using the OpenSSL command-line tool to generate and convert private keys and public certificates.
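The following Python script is added to this guide as an example; it is not part of EFT or OpenSSL. It serves both this procedure and the Certificate Chaining procedure earlier: given the PEM bundle that openssl pkcs12 -nodes writes, it separates the sections, refuses to carry a private key into its output, picks the partner's identity certificate by subject/issuer linkage rather than by its position in the file, and assembles the leaf, intermediate, root order that EFT accepts as a single-file chain. It relies only on the subject= and issuer= lines OpenSSL prints above each certificate, so it needs no crypto library. The sample bundle is constructed, with placeholder bodies in place of real base64, and deliberately puts the identity certificate before the CA certificates.

```python
"""Sort out the sections of a PEM bundle such as the one that
``openssl pkcs12 -in cert.pfx -out cert.pem -nodes`` writes: keep the
partner's identity certificate, never the private key, and order the
certificates leaf -> intermediate -> root for a combined chain file.

Example code added to this guide; it is not part of EFT or OpenSSL. It
relies only on the ``subject=`` / ``issuer=`` lines OpenSSL prints in front
of each certificate, so it needs no crypto library and runs offline.
"""
import re

# One PEM section: the type named in the BEGIN/END lines plus its body.
_SECTION = re.compile(
    r"-----BEGIN (?P<kind>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=kind)-----",
    re.S,
)
_SUBJECT = re.compile(r"^subject=\s*(.+?)\s*$", re.M)
_ISSUER = re.compile(r"^issuer=\s*(.+?)\s*$", re.M)


def parse_pem_sections(text):
    """Return the sections of *text* in file order.

    Each section is a dict with ``kind`` ("CERTIFICATE", "PRIVATE KEY", ...),
    ``pem`` (the section including its BEGIN/END lines, which EFT requires),
    and, for certificates, the ``subject`` and ``issuer`` OpenSSL printed
    just before the BEGIN line (None when no such line precedes it).
    """
    sections, cursor = [], 0
    for m in _SECTION.finditer(text):
        preamble = text[cursor:m.start()]      # Bag Attributes, subject=, issuer=
        cursor = m.end()
        subj, iss = _SUBJECT.search(preamble), _ISSUER.search(preamble)
        sections.append({
            "kind": m.group("kind"),
            "pem": m.group(0) + "\n",
            "subject": subj.group(1) if subj else None,
            "issuer": iss.group(1) if iss else None,
        })
    return sections


def contains_private_key(text):
    """True if any section is key material; such a file must never reach a partner."""
    return any("PRIVATE KEY" in s["kind"] for s in parse_pem_sections(text))


def identity_certificate(sections):
    """The end-entity certificate: the one that issued no other certificate in the bundle.

    Its position in the file depends on how the PFX was built, so it is found
    by subject/issuer linkage rather than by taking the first or last section.
    """
    certs = [s for s in sections if s["kind"] == "CERTIFICATE"]
    if len(certs) == 1:
        return certs[0]
    issuers = {c["issuer"] for c in certs}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity certificate, found %d" % len(leaves))
    return leaves[0]


def chain_sections(sections):
    """Certificates ordered leaf, intermediate(s), root by following issuer links."""
    by_subject = {s["subject"]: s for s in sections if s["kind"] == "CERTIFICATE"}
    current, chain, seen = identity_certificate(sections), [], set()
    while current is not None and current["subject"] not in seen:
        chain.append(current)
        seen.add(current["subject"])
        if current["issuer"] == current["subject"]:
            break                                    # self-signed root reached
        current = by_subject.get(current["issuer"])  # None: issuer not in bundle
    return chain


def build_chain(sections):
    """One PEM string in the single-file chain layout EFT accepts; never contains keys."""
    return "".join(c["pem"] for c in chain_sections(sections))


# Constructed sample in the layout ``openssl pkcs12 -nodes`` produces, with
# placeholder bodies instead of real base64. The identity certificate is
# deliberately not the last section, so selecting by position would pick a CA.
SAMPLE_PKCS12_PEM = """Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY-BODY
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03
subject=CN = as2.partner.example
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-BODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-BODY
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    sections = parse_pem_sections(SAMPLE_PKCS12_PEM)
    print("partner certificate:", identity_certificate(sections)["subject"])
    print("chain order:", [c["subject"] for c in chain_sections(sections)])
    print("private key in chain file:", contains_private_key(build_chain(sections)))
```

To use it on a real bundle, read the file produced by the pkcs12 command into a string, write identity_certificate(...)["pem"] to the partner .crt, and check contains_private_key on anything you are about to hand to a partner or import into EFT.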

Using OpenSSL to Generate/Convert Keys and Certificates

These online topics provide the procedures for using OpenSSL to generate and convert keys and certificates for use in EFT.

Using OpenSSL

KB11030: Converting an EFT Certificate to PFX Format

KB11037: Generating an Unencrypted Private Key and Self-Signed Public Certificate

KB11038: Generating an Encrypted Private Key and Self-Signed Public Certificate

KB11039: Generating a PKCS#12 Private Key and Public Certificate

KB11040: Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12

KB11041: Converting a PEM-Encoded PKCS#8 Format Encrypted Private Key to PKCS#8 Format

KB11042: Converting a Traditional PEM Encoded Encrypted Private Key to PKCS#8 Format


SFTP (SSH)

These topics provide information regarding using SFTP with EFT.

SFTP Key Support

EFT supports the following actions for SFTP key support:

• Importing multiple keys stored in a single key file

• Authentication of multiple keys stored in a single key file

• Association of one or more keys to a user account

• Assignment of the same key (or keys) to more than one user account.

Below is an illustration of a basic SFTP transport and SFTP Public Key authentication sequence.


During the client-server handshake, EFT has the final say in which encryption cipher is used, because only ciphers that EFT offers can be chosen; within that set, the client's order of preference decides. The rule is the one RFC 4253 section 7.1 specifies: the chosen cipher is the first algorithm on the client's list that is also on EFT's list. For example, assume EFT has the following algorithm list:

aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,cast128-cbc

And assume the client sends the following list:

blowfish-cbc,aes128-cbc,twofish128-cbc,cast128-cbc,3des-cbc,arcfour

Then the matching cipher is aes128-cbc: blowfish-cbc is not offered by EFT, and aes128-cbc is the next entry on the client's list that EFT also supports. Reordering EFT's list does not change this result. To force strong cipher usage, remove the ciphers you do not want from EFT's supported algorithm list so that it fits your security needs.
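The negotiation described above, worked through in Python as an added example (this is not EFT's code). The two algorithm lists are the ones quoted in the text; the restricted list and the second client list are constructed. The script shows that reversing EFT's list leaves the outcome unchanged, that removing the weaker ciphers from EFT's list is what forces the client either to use a strong cipher or to fail the key exchange, and what happens when a client that does offer aes256-cbc connects to the restricted list.

```python
"""The SSH cipher negotiation this section describes, worked through in code.

Example code added to this guide; it is not EFT's code. The two algorithm
lists are the ones quoted in the text; the restricted list is constructed.
The rule is the one the text describes, which is what RFC 4253 section 7.1
specifies: the first algorithm on the client's list that the server also
offers wins.
"""

EFT_CIPHERS = "aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,cast128-cbc"
CLIENT_CIPHERS = "blowfish-cbc,aes128-cbc,twofish128-cbc,cast128-cbc,3des-cbc,arcfour"


def negotiate(client_list, server_list):
    """Cipher chosen for comma-separated client and server name-lists, or None
    when they share nothing (the key exchange then fails and the client is
    disconnected)."""
    offered = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered:
            return name
    return None


def restrict(server_list,
             allowed):
    """Remove every cipher from *server_list* that is not in *allowed*, keeping
    the remaining order. Removing, not reordering, is how the server side
    forces a strong cipher."""
    return ",".join(c for c in server_list.split(",") if c in allowed)


if __name__ == "__main__":
    print("page's lists        ->", negotiate(CLIENT_CIPHERS, EFT_CIPHERS))
    reversed_eft = ",".join(reversed(EFT_CIPHERS.split(",")))
    print("EFT list reversed   ->", negotiate(CLIENT_CIPHERS, reversed_eft))
    hardened = restrict(EFT_CIPHERS, {"aes256-cbc", "twofish256-cbc"})
    print("hardened EFT list   ->", negotiate(CLIENT_CIPHERS, hardened))
    print("client adds aes256  ->", negotiate("aes256-cbc," + CLIENT_CIPHERS, hardened))
```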

Clients often present a single key file that has one or more public keys in it. Some servers read in the first key and ignore any other keys available in the file, which presents a problem if the public key associated with that user’s account is found further down in the public key file presented by the connecting user. It also presents a problem when the administrator attempts to import a bunch of keys all located in a single key file.

EFT evaluates where the delimiters are for each key and parses each key until no more keys are found.

In the case of client authentication, once a match is made, there is no need to parse the file further (e.g., parse first one below, if no match, parse second one, etc., until it reaches the end of file).

EFT maps the selected key (name) to the key assigned to that user, so that when an authentication attempt occurs, it is compared to each mapped key, rather than just a single key. EFT does not hide already selected keys for different users. That is, if you assign keya.pub to user jsmith, you can then go and assign that same keya.pub to bjones as well.

When EFT imports a key file, each imported key is given the same name as chosen by the administrator upon importing the key. Same name keys are distinguished by their fingerprint and are displayed in the key manager. You can rename keys in the Key Manager.

All user account names mapped to a particular key are displayed in the Assigned column in the Key Manager. Multiple user->key assignments are displayed in comma-delimited format in the Assigned column in ascending alpha order. By default, when first importing the key, there are no assigned users; assignment occurs in the user account's Security tab. You can assign the same key to multiple users, multiple keys to the same user, and multiple keys to multiple users. If any key in the provided key file matches one of the keys mapped to a user who is attempting to authenticate, the user is authenticated and no further parsing of the key file is done.

Below is a sample .pub file containing multiple keys:

-----BEGIN RSA PUBLIC KEY-----
mcazCANrC+BCYIywA0I3TVmrv2FTMWo7bpB9rgJx7xGeAZ22JV4IMEI4eCkMor/B
9ADRUDsYDOKA3yZav3Q4yvG8Z3T+hhqJ2hBob+bj8M4e08C3VwmVRz4j4Y+DnvJo
HcKvvmRcd2GvWRN3Q3OQ+QePfaQnUkDxnEWd+mrX1kwGv96GPqmrFREjm0eT966B
qhPtyRa/gNkyoOnXV4/wsXPQb78UnfrFiM0N2CV7v7yj9koaod7p5CCx4ciw4
A5iEWdmInGcGHEgkP/LBuzOfwoXJWGCwttx0AP0FvZL3iplPmGnfKA==
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----
mRwnVp5OR7FkLOpXEtxE/JBTvhaLDLFGKPHWxS8c4LYIiPHs/Z5arkCsfZbtZNUD
iPbj6QzjjNpAp1HvP0749+CTNTqFLnFAEj9d5YFxXLNWVjz8NwWwNSGH2hvuDOxR
WsixMQg7esHepAvuiwFRyehmhS7wadpdoXxz3dMIFLovxdrhZKSGCOJIUZk5bIjk
OtHn0RQwe8TXYPe3zJvK6s1ank6hPlyhLsqFhn7KueU75ABPV3U2SlboJUPy6DV+
Qk4/B1vcbn4s/Q8Wk1RGZJ5jrGvjT6GcSaQH7y7e4KLzLXlkiSuVFJAqr1nFYa9m
-----END RSA PUBLIC KEY-----


SSH Keys - Security Best Practices

You should not use EFT's key pair in the client, because doing so would involve sending the client the public and private key, potentially creating a security vulnerability. It is also an atypical way of setting up public key authentication for one or more clients. The common practice is to create the key pair in each client and then make the client’s public key available to EFT administrator, who in turn should import the client's public key into EFT's trusted list.

SSH Key Formats

EFT imports the PEM format, also called the SECSH Public Key File Format (RFC 4716), and the OpenSSH format. Each format is illustrated below. Under the illustrations is a procedure for creating a PEM key on a Linux computer. See also Creating an SSH Key Pair on EFT.

PEM format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted from OpenSSH by don@untu-DSH"
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmt
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRu
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNW
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4f
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV22
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRM
IB+X+OTUUI8=
---- END SSH2 PUBLIC KEY ----

EFT looks for the BEGIN and END tags when importing.


OpenSSH format:

If you generated your key on a *nix box, it is most likely in this format: a single line consisting of the key type, the base64-encoded key blob, and a comment, separated by spaces. (The key is wrapped here for display only; in the file it is one line.)

ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmt
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRu
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNW
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4f
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV22
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRM
IB+X+OTUUI8= don@untu-DSH

To make a key

1. To generate the key, on a Linux computer, type: ssh-keygen -t rsa

2. To convert to PEM format, on a Linux computer, type (assuming your public key is id_rsa.pub): ssh-keygen -e -f id_rsa.pub > yourfilename.pub

(-i is the inverse of the -e switch: it converts a key in the RFC 4716/SECSH format back to the OpenSSH format.)

I see the fingerprint in EFT. How do I see the fingerprint in Linux?

Assuming your public key is id_rsa.pub, on a Linux computer, type: ssh-keygen -l -f id_rsa.pub

This will return three things:

• the bit strength (4096 )

• the fingerprint (18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da )

• the filename (id_rsa.pub )

The string returned from this example public key is:

4096 18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da id_rsa.pub
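The following Python module is added to this guide as an example; it is not EFT's code. It covers the two passages above: the multi-key .pub file that EFT parses delimiter by delimiter until a key mapped to the account matches, and the two import formats with the fingerprint that ssh-keygen -l prints. It decodes the RFC 4716 and OpenSSH formats into raw key blobs, reports the type, bit strength and fingerprint (both the colon-separated MD5 form shown in this guide and the SHA256 form current ssh-keygen prints by default), and authenticates a presented file against an account's mapped keys. The keys it contains are constructed (well-formed ssh-rsa blobs with made-up moduli, not real keys), so its fingerprints will not match the one quoted above.

```python
"""Parse SSH public key files and authenticate against mapped keys.

Example code added to this guide; not EFT's code. The sample keys are
constructed (well-formed ssh-rsa blobs with made-up moduli), not real keys.
"""
import base64
import hashlib
import re
import struct
import textwrap

_RFC4716 = re.compile(r"---- BEGIN SSH2 PUBLIC KEY ----\r?\n(.*?)---- END SSH2 PUBLIC KEY ----", re.S)
_OPENSSH = re.compile(r"^(?:ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[\w-]+)\s+([A-Za-z0-9+/=]+)", re.M)


def _rfc4716_base64(body):
    """Drop RFC 4716 header lines ("Comment: ...", continued with a trailing
    backslash) and return the base64 payload as one string."""
    chunks, continued = [], False
    for line in body.splitlines():
        line = line.strip()
        if continued or ":" in line:          # header line or its continuation
            continued = line.endswith("\\")
            continue
        chunks.append(line)
    return "".join(chunks)


def extract_blobs(text):
    """Every key blob in *text*, decoded, in file order (both formats, mixed is fine)."""
    found = [(m.start(), base64.b64decode(_rfc4716_base64(m.group(1)))) for m in _RFC4716.finditer(text)]
    found += [(m.start(), base64.b64decode(m.group(1))) for m in _OPENSSH.finditer(text)]
    return [blob for _, blob in sorted(found)]


def _read_string(buf, offset):
    """One SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def describe(blob):
    """Key type, bit strength and fingerprints (what EFT's Key Manager shows)."""
    ktype, offset = _read_string(blob, 0)
    ktype, bits = ktype.decode("ascii"), None
    if ktype == "ssh-rsa":
        _e, offset = _read_string(blob, offset)        # public exponent precedes the modulus
        modulus, _ = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    md5_hex = hashlib.md5(blob).hexdigest()
    return {
        "type": ktype,
        "bits": bits,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),   # ssh-keygen -l, legacy form
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def authenticate(presented_key_file, mapped_fingerprints):
    """Compare each key in the presented file with the account's mapped keys and
    stop at the first match, as the text describes. Returns the MD5 fingerprint
    that matched, or None."""
    for blob in extract_blobs(presented_key_file):
        fingerprint = describe(blob)["md5"]
        if fingerprint in mapped_fingerprints:
            return fingerprint
    return None


# ---- constructed sample data -------------------------------------------------
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Positive mpint: big-endian, with a leading 0x00 byte when the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _fake_rsa_blob(modulus_bits):
    # NOT a real key: e = 65537 and a made-up modulus of the requested size.
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (modulus_bits - 1)) | 0x10001)


def _rfc4716_block(blob, comment):
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return '---- BEGIN SSH2 PUBLIC KEY ----\nComment: "%s"\n%s\n---- END SSH2 PUBLIC KEY ----\n' % (comment, body)


KEY_A, KEY_B = _fake_rsa_blob(2048), _fake_rsa_blob(4096)
# One .pub file carrying two keys, as a client might present it
MULTI_KEY_FILE = _rfc4716_block(KEY_A, "2048-bit RSA, constructed") + _rfc4716_block(KEY_B, "4096-bit RSA, constructed")
# The second key again in the one-line form ssh-keygen writes on a *nix box
OPENSSH_LINE = "ssh-rsa %s user@example\n" % base64.b64encode(KEY_B).decode()

if __name__ == "__main__":
    for blob in extract_blobs(MULTI_KEY_FILE):
        info = describe(blob)
        print(info["type"], info["bits"], info["md5"], info["sha256"])
    mapped = {describe(KEY_B)["md5"]}        # the key the administrator assigned to the account
    print("authenticated with", authenticate(MULTI_KEY_FILE, mapped))
```

The same blob yields the same fingerprint whichever of the two file formats it arrives in, which is why converting with ssh-keygen -e does not change the fingerprint EFT displays; and a key that sits second in a multi-key file still authenticates, because every key is parsed until a match is found.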

Linux has standard folders/files for SSH:

• The SSH files are stored in "~/.ssh"

The tilde ~ is an alias for the user home folder, e.g., /home/<your username>

• The public key filename is the private key filename with .pub as the extension.

• Stored (known) server fingerprints are written to known_hosts

This is used to detect "man in the middle" attacks. If the host fingerprint changes, SSH will report an error.


• The file authorized_keys is used to store public keys

This is used to allow the user to maintain a collection of identity keys in one place (easier to backup and restore). The authorized_keys file is a collection of public keys, created by simply echoing out (cat) the contents of a public key, appending it to the bottom of the existing authorized_keys

file.

• SSH private key files must have permissions of 600 or more restrictive, and the ~/.ssh directory itself should be 700

If permissions are too open, SSH will report an error and refuse to run until you correct the security problem.

Configuring SFTP for a Site

When you enable SFTP for a Site, you must configure the SFTP settings. You can then configure SFTP options for a Settings Template and/or user account .

To configure SFTP for a Site

1. Before you can enable and configure SFTP on the Site, you must create or import an SFTP key pair for the Site.

2. In the administration interface, connect to EFT and click the Server tab.

3. On the Server tab, click the Site you want to configure.

4. In the right pane, select the Connections tab.

5. Select the SFTP (SSH2) check box, then specify the port, if different from the default shown.

6. Click SFTP Config. The SFTP Settings dialog box appears.


7. In the Encoding area, click UTF-8 or Auto-detect.

• UTF-8—For Unicode-only transfers

• Auto-detect—Detects whether to proceed in ASCII mode or can switch to UTF-8 mode for the transmission and receipt of path names and other strings communicated between client and server.

8. The key that you created when you defined the Site (if you enabled SFTP and created keys) appears in the SFTP settings dialog box. If you did not enable SFTP when you created the Site, the dialog box is empty.

9. Do one of the following:

• To create a key pair, click Create. The SSH2 Key Pair Generation Wizard appears.

Refer to Creating an SSH Key Pair for instructions, if necessary.

• To specify an existing key pair, click the folder icon then browse for and select a key pair (.pvk) file.

• Click Export to extract and export the public key (.pub). A Save As dialog box appears in which you can specify a name and location for the .pub file.

• Click Manage to view, import, rename, and/or delete keys .

10. Specify the SFTP private key path, public key path, public key blob, allowed ciphers, allowed MACs, and SFTP identification string, as necessary.

11. Click OK to close the dialog box.

12. Click Apply to save the changes on EFT.

Configuring SFTP Authentication Options for a Settings Template or User Account

Enable and configure SFTP on the Site first, then specify the SFTP authentication options for the Settings Template and user accounts.

To specify SFTP authentication options

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user that you want to configure.

3. In the right pane, click the Connections tab.

4. In the Protocols area, select the SFTP (SSH2) check box, then click SFTP Auth. The SFTP Authentication Options dialog box appears.


5. In the SFTP authentication options list, specify whether users are to connect using Password only, Public key only, Public Key & Password, or Public key or Password.

Compliance with PCI DSS requires that users change their password upon initial login. Because the Public key only method does not use a password, it potentially violates the PCI DSS and is, therefore, not available on Sites defined using the "strict security settings" option. You can, however, use the Public Key and Password method.

On Active Directory-authenticated Sites, the Public Key Only and Public key or Password options are not available, because AD Sites require keyboard authentication.

6. If you selected any option besides Password only, click Edit. The SFTP Public Key Select dialog box appears.

The SFTP public keys that are defined for this Site appear in the List of keys. If no keys appear, click Key Manager to import keys .

7. In the List of keys box, double-click the key(s) to use, or click each key, and then click Add. The selected key(s) appear in the Keys valid for client list.


8. Click OK to close the SFTP Public Key Select dialog box. The selected key(s) appear in the Authentication key list.

9. Click OK to close the SFTP Authentication Options dialog box.

10. Click Apply to save the changes on EFT.

Creating an SSH Key Pair

In the administration interface, you can define an SSH key pair for EFT and connecting clients. A wizard walks you through each step to create and store the key pair files.

To create a key pair

1. On the main menu, click Tools > Create SSH2 Key.

The Create SSH2 Public/Private Keypair wizard appears.

2. Specify a name for the key pair. The default is "New SSH Key," but you can name it anything. (You are prompted to specify a different name if a key with the same name exists.)

3. Specify a location in which to store the key pair.

4. In the Options area:

• Select the bit length for your key pair: 1024, 2048, or 4096 bits. Choose 2048 bits or more; 1024-bit RSA no longer meets current guidance (NIST SP 800-131A disallows it) and should be used only for compatibility with a legacy partner.

• Select the output format for your key pair, OpenSSH or ssh.com.

5. Click Next. The password page of the wizard appears.


6. Provide and confirm the passphrase used to encrypt the private key. The passphrase cannot contain more than 256 characters, cannot consist only of spaces and periods, and cannot contain the following characters:

/ (forward slash)

\ (back slash)

[ (left bracket)

] (right bracket)

; (semicolon)

: (colon)

| (pipe)

= (equal sign)

, (comma)

+ (plus sign)

? (question mark)

< (left angle bracket)

> (right angle bracket)

{ (left curly brace)

} (right curly brace)

7. Click Next.


8. If you want to use this key to authenticate EFT for inbound transactions, select the Use this key pair as the default host key check box.

9. If you select the check box, specify the Site to which the key will apply.


10. If you want to copy the public key to the SSH key manager, select the Copy the public key to the SSH key manager check box. If you select the check box, you can provide a different name in the Public key name box, or keep the default that appears.

Copying the public key to the key manager is unnecessary unless you created this key pair for your partner. For security best practices, your partners should create their own key pairs, then give you a copy of their public key, which you would then import into the SSH key manager.

11. Click Finish.

Specifying SFTP Algorithms

Certain cipher algorithms allow variable key sizes, while others allow only one specific key size. Key length correlates with the strength of an algorithm: larger keys are harder to break than shorter ones. The cipher's design matters as much as its key length, however, so prefer modern ciphers (AES in CTR mode) over legacy ones regardless of key size. EFT supports the ciphers shown in the SFTP Settings dialog box.

To specify encryption algorithms (applies to inbound only)

1. Open the SFTP Settings dialog box .

2. In the Allowed ciphers list, clear or select the check boxes to specify which ciphers you want to allow for encrypting SFTP sessions.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT. During key exchange, the cipher used is the first one on the connecting client's preference list that EFT also allows (RFC 4253, section 7.1); if the client offers none of the selected ciphers, the connection fails.

Refer to Creating an SSH Key Pair for instructions for creating key pairs, if necessary.

Viewing or Modifying Message Authentication Codes (MAC) Settings

A keyed-Hash Message Authentication Code (HMAC) is used to verify data integrity and message authenticity, confirming that data has not been altered between the client and the server. SHA (Secure Hash Algorithm) is a family of cryptographic hash algorithms published by the United States Government; SHA-1, the variant used by the MACs listed below, produces a 160-bit hash value from an input of arbitrary length.

EFT supports the following HMAC algorithms, each of which is selected (enabled) by default:

• hmac-sha1

• hmac-md5

• hmac-sha1-96

• hmac-md5-96

hmac-md5 and the two 96-bit truncated variants are legacy algorithms; clear them unless a partner's client requires them, and expect clients that offer only those MACs to fail to connect once they are cleared.

To select Message Authentication Codes (MAC)

1. Open the SFTP Settings dialog box.

2. In the Allowed MACs list, clear or select the check boxes to specify which algorithms you want to use for message authentication.

3. Click OK to close the dialog box.

4. Click Apply. As with ciphers, the MAC used is the first one on the client's preference list that EFT also allows.
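The following Python script is an added example, not part of EFT or of this guide. It shows the RFC 4253 selection rule that the two procedures above rely on (the client's order decides, not EFT's), and what happens to a legacy client once the weak MACs are cleared. The MAC list is EFT's documented default; the cipher list and both client lists are constructed for the example.

```python
from __future__ import annotations

# Name-lists as an SSH client and server exchange them in KEXINIT (RFC 4253 7.1).
# EFT_ALLOWED_MACS is the default list from the guide; the cipher list and the
# client lists below are constructed for this example.
EFT_ALLOWED_MACS = ["hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"]
EFT_ALLOWED_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"]

# Names a hardening review would clear: MD5-based MACs, the 96-bit truncations,
# and legacy ciphers.  This is the example's own policy, not an EFT setting.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}


def negotiate(client_list: list[str], server_list: list[str]) -> str | None:
    """RFC 4253 7.1: the chosen cipher/MAC is the first name on the CLIENT's list
    that the server also allows; the server's own ordering is irrelevant.
    Returns None when there is no common algorithm (the connection then fails)."""
    allowed = set(server_list)
    for name in client_list:
        if name in allowed:
            return name
    return None


def audit(allowed: list[str], weak: set[str]) -> list[str]:
    """Names in an allowed-list that the review policy says to clear."""
    return [name for name in allowed if name in weak]


def harden(allowed: list[str], weak: set[str]) -> list[str]:
    """The allowed-list with the weak names cleared, keeping the remaining order."""
    return [name for name in allowed if name not in weak]


def main() -> None:
    # A modern client (OpenSSH-style preference order) and an old one that only
    # offers legacy MACs.  Both lists are constructed for the example.
    modern_client_macs = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
    legacy_client_macs = ["hmac-md5-96", "hmac-sha1-96"]

    print("modern client, default EFT MACs :", negotiate(modern_client_macs, EFT_ALLOWED_MACS))
    print("legacy client, default EFT MACs :", negotiate(legacy_client_macs, EFT_ALLOWED_MACS))
    print("weak MACs currently enabled     :", audit(EFT_ALLOWED_MACS, WEAK_MACS))
    print("weak ciphers currently enabled  :", audit(EFT_ALLOWED_CIPHERS, WEAK_CIPHERS))
    hardened = harden(EFT_ALLOWED_MACS, WEAK_MACS)
    print("legacy client after hardening   :", negotiate(legacy_client_macs, hardened))


if __name__ == "__main__":
    main()
```

Run it before clearing algorithms on a production Site: feed it the name-lists your partners' clients actually send (visible in a verbose client log or a packet capture of the KEXINIT) and it tells you which of them will stop connecting.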


Viewing, Importing, Renaming, and Deleting Client Keys

SFTP/SSH Keys defined for a Site appear in the SSH Key Manager. The Key Manager displays the key name, fingerprint, and username assigned.

To view, import, rename, or delete keys

1. Open the SFTP Settings dialog box.

2. Click Manage. The SSH Key Manager appears.

Name - displays the name of the key. When a key is imported, no assigned usernames are displayed.

Fingerprint - displays the fingerprint of the key.

Assigned - displays the username(s) assigned to the key. Multiple usernames are separated by commas.

To assign one or more users to a key, refer to Configuring SFTP Authentication Options.

3. Do one of the following:

To sort keys, click the Name or the Fingerprint column.

To import keys, click Import, then browse for and select the key. You can import any .pub file accessible from the computer on which the administration interface is installed.

To delete a key, click the key in the list, and then click Delete. EFT will prompt you to confirm that you want to delete the key.

To rename a key, click the key in the list, and then click Rename, or press F2. The server will verify that the name is unique and prompt you to change it if it is not.

4. Click Close to close the SSH Key Manager.

5. Click OK to close the SFTP Settings dialog box.

6. Click Apply to save the changes on EFT.
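The following Python script is an added example, not part of EFT or of this guide. It covers two things from the procedures above: the two public-key file formats the key-pair wizard can write (OpenSSH one-line and ssh.com/RFC 4716), and the fingerprint the Key Manager displays, computed independently so you can compare it with what a partner reads back to you before you assign their key to a user. The sample key is constructed in the script from a throwaway modulus and is not a usable RSA key; the conversion functions and fingerprint formats follow RFC 4716 and OpenSSH conventions, not any EFT API.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# --- SSH wire encoding helpers (RFC 4251 "string" and "mpint") ---------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Minimal big-endian bytes, with a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


# --- Constructed sample key: a throwaway modulus, NOT a usable RSA key ------

DEMO_E = 65537
DEMO_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
DEMO_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(DEMO_E) + _ssh_mpint(DEMO_N)
DEMO_OPENSSH = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode("ascii") + " partner@example.com\n"


def load_public_key(text: str) -> tuple[str, bytes, str]:
    """Accept an OpenSSH one-line .pub or an RFC 4716 (ssh.com) file.
    Returns (key type, raw key blob, comment)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body, comment, i = [], "", 1
        while i < len(lines) and not lines[i].startswith("---- END"):
            line = lines[i]
            if ":" in line and not body:          # header line (base64 never contains ':')
                name, value = line.split(":", 1)
                while value.endswith("\\"):       # RFC 4716 header continuation
                    i += 1
                    value = value[:-1] + lines[i]
                if name.strip().lower() == "comment":
                    comment = value.strip().strip('"')
            else:
                body.append(line)
            i += 1
        b64 = "".join(body)
    else:
        fields = lines[0].split(None, 2)
        b64 = fields[1]
        comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    key_type = _read_string(blob, 0)[0].decode("ascii")
    return key_type, blob, comment


def rsa_params(blob: bytes) -> tuple[int, int]:
    """(e, n) from an ssh-rsa blob; n.bit_length() is the key size the wizard chose."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex fingerprint, as older key managers display it."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ style fingerprint: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def to_openssh(key_type: str, blob: bytes, comment: str = "") -> str:
    line = key_type + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "") + "\n"


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append('Comment: "%s"' % comment)
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]   # RFC 4716 caps lines at 72 chars
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key_type, blob, comment = load_public_key(DEMO_OPENSSH)
    e, n = rsa_params(blob)
    print(key_type, comment, "%d-bit modulus" % n.bit_length())
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(to_rfc4716(blob, comment), end="")
```

Whichever format a partner sends, the blob (and therefore the fingerprint) is the same; only the wrapper differs. Compare the fingerprint over an independent channel before assigning the key, since a key file received by e-mail proves nothing about who holds the private half.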

Modifying the SFTP Identification String (Optional)

This procedure is for advanced users; in most cases, you will not need to use this procedure.

Once the TCP connection for an SFTP (SSH) session is established, both EFT and the client must send an identification string. This identification string must be in the format:

SSH-protoversion-softwareversion SP comments CR LF


EFT hard codes "SSH-2.0-" into the string; you provide only the software version and, optionally, comments. The software version must consist of printable US-ASCII characters, excluding whitespace and the minus sign (-). The identification string is exchanged before any authentication, so anyone who can reach the port can read it; the usual reason to change it is to avoid advertising the exact product and build version to scanners.

To modify the SFTP identification string (optional)

1. Open the SFTP Settings dialog box.

2. In the Optionally specify area, specify the software version and comments.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT.

For more information about the SFTP identification string, refer to RFC 4253, section 4.2: http://www.ietf.org/rfc/rfc4253.txt
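The following Python script is an added example, not part of EFT or of this guide. It checks a proposed software-version value against the RFC 4253 rules stated above before you type it into the dialog, composes the line EFT would send, and parses the line a peer sends back (ignoring any banner lines a server may emit before it, which RFC 4253 permits). The sample strings are constructed.

```python
from __future__ import annotations

import re

# RFC 4253 4.2: softwareversion is printable US-ASCII (0x21-0x7E) with no
# whitespace and no '-' (a '-' would make the line ambiguous to split).
_SOFTWARE_VERSION = re.compile(r"^[\x21-\x2c\x2e-\x7e]+$")
MAX_LINE_BYTES = 255          # RFC 4253 4.2 limit, including the CR LF


def is_valid_software_version(value: str) -> bool:
    return bool(_SOFTWARE_VERSION.match(value))


def build_identification_string(softwareversion: str, comments: str = "") -> str:
    """Compose the line EFT sends: 'SSH-2.0-' is fixed, the rest is the admin's."""
    if not is_valid_software_version(softwareversion):
        raise ValueError("softwareversion must be printable US-ASCII without spaces or '-'")
    if any(ch in comments for ch in "\r\n") or not comments.isascii():
        raise ValueError("comments must be a single line of US-ASCII")
    line = "SSH-2.0-" + softwareversion + (" " + comments if comments else "")
    if len(line) + 2 > MAX_LINE_BYTES:
        raise ValueError("identification string longer than 255 bytes")
    return line + "\r\n"


def parse_identification_string(raw: bytes) -> tuple[str, str, str] | None:
    """Client-side view: the version line is the first line starting with 'SSH-';
    anything before it (a banner) must be ignored.  Returns
    (protoversion, softwareversion, comments) or None if no version line is present."""
    for line in raw.split(b"\r\n"):
        if not line.startswith(b"SSH-"):
            continue
        parts = line.decode("ascii", errors="replace").split("-", 2)
        if len(parts) < 3:
            continue
        softwareversion, _, comments = parts[2].partition(" ")
        return parts[1], softwareversion, comments
    return None


if __name__ == "__main__":
    print(repr(build_identification_string("EFT_7.2", "GlobalSCAPE")))
    print(parse_identification_string(b"Welcome\r\nSSH-2.0-OpenSSH_7.4 Debian-10\r\n"))
    for candidate in ("EFT_7.2", "EFT-7.2", "EFT 7.2"):
        print(candidate, "->", is_valid_software_version(candidate))
```

The parser is also what a scanner does with EFT's banner, which is why a version string such as "EFT_7.2" gives away more than a neutral one.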

Extracting the Public SFTP Key

If clients need to verify EFT's host key (or if you created a key pair on a client's behalf), you need to provide them with the public key file (.pub). You can extract the public key from the Site's SFTP host key on the Connections tab of the Site.

To extract the public key for a Site

1. Before you can enable and configure SFTP on the Site, you must create or import an SFTP host key for the Site.

2. Open the SFTP Settings dialog box.

3. The key that you created when you defined the Site (if you enabled SFTP and created keys) appears in the SFTP settings dialog box. If you did not enable SFTP when you created the Site, the dialog box is empty.

4. Click Export to extract and export the public key (.pub). A Save As dialog box appears in which you can specify a name and location for the .pub file.

5. Click OK to close the dialog box.

6. Click Apply.

Using SFTP (SSH) with Radius/RSA SecurID

(Two-factor authentication is available in EFT Enterprise.) Authenticating with RADIUS/RSA SecurID can be a multi-step process on your first login, as you establish your PIN. The server can request additional information from the user or device, such as a secondary password. The secondary password prompt can cause problems with SFTP clients that do not allow multiple prompts.


For example, in the login sequence shown in the original guide's screenshot (not reproduced here):

• The first login is a successful login for the user khy (the PIN had already been set up elsewhere).

• The second login attempt by khy is made after the administrator forces PIN setup on the next login (done through the RADIUS/RSA configuration console elsewhere, not in EFT).

To successfully complete the PIN change with the OpenSSH SFTP client

• Specify the option "-oNumberOfPasswordPrompts=N". This option allows multiple password prompts, up to the number (N) that you specify.

Refer to the OpenSSH ssh_config man page for more information: http://www.manpagez.com/man/5/ssh_config/

Encoding for SFTP Transfers

You can specify UTF-8 or Auto-detect encoding for SFTP transfers on the Site. For most connecting clients, Auto-detect is preferred and is the default.

To configure SFTP encoding for the Site

1. Open the SFTP Settings dialog box .

2. In the Encoding area, click UTF-8 or Auto-detect.

• UTF-8—For Unicode-only transfers

• Auto-detect—Detects whether to proceed in ASCII mode or switch to UTF-8 mode for the transmission and receipt of path names and other strings communicated between client and server.

3. Click OK to close the dialog box.

4. Click Apply to save the changes on EFT.


HTTP and HTTPS

These topics provide the procedures for using HTTP and HTTPS on the Site, Settings Template, or user account.

HTTP and HTTPS Overview

If you enable HTTP on a Site created using the "strict security settings" option, EFT prompts you to disable this insecure protocol or to continue and record a reason.

HTTP

HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser, or any other files required by an HTTP client application.

HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and server only for the immediate request, after which it is closed. Each time you need something from EFT, your client (browser) makes a connection, gets that file, and then the connection is closed. Because you do not stay connected, the browser remembers your username and password for you and sends the Authorization header along with every new request. Over plain HTTP that header is not encrypted, which is one reason to redirect HTTP to HTTPS.

For example, when you type http://www.globalscape.com/eft/whatsnew.aspx in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to EFT running at the host name www.globalscape.com with the HTTP command "GET /eft/whatsnew.aspx HTTP/1.1", and EFT replies with that file (the HTML that makes up the page).

In that page, there are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.

How does HTTP support in EFT differ from a typical Web Server?

EFT is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web browser).

However, there are provisions for transferring files over HTTP, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).

When EFT is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to and from EFT, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, provide no interface for browsing the user's local file system to select and upload (PUT) files onto EFT. A few dedicated clients (such as CuteFTP) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET, allowing these clients to transfer files to and from EFT in both directions.

For details of WebDAV and EFT, refer to Using WebDAV with EFT .

HTTP Limitations in EFT

• EFT allows you to customize messages sent by EFT upon connection, login, maximum connections reached, and disconnect (for FTP sessions). Due to the nature of the HTTP protocol, custom login messages are not displayed for connecting HTTP clients.

• Another limitation of HTTP is that after a connection is established, the browser sees EFT's root folder instead of the user's home folder. A workaround is to set up a distinct Site for HTTP sessions.

• Microsoft Internet Explorer browsers that have installed the MS04-004 Cumulative Security Update for Internet Explorer (832894) no longer support URLs that contain username information, even though they are properly formed URLs. This problem is unique to Internet Explorer and does not affect the other major browsers. For more information, refer to http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp. Embedding credentials in a URL is unwise in any browser in any case, because the URL ends up in browser history, proxy logs, and Referer headers.


• If you create an Event Rule that sends a notification e-mail for each successful login Event, an e-mail is sent every time a user connected through HTTP changes directories. This is a result of HTTP being a stateless protocol and can result in a large volume of notification e-mails even during typical directory browsing.

HTTPS

HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication are possible. Using https in the URL instead of http directs the request to a secure port rather than the default Web port of 80. The default TCP port for HTTPS is 443.

The session is then managed by a security protocol. HTTPS encrypts the session data using SSL/TLS (Secure Sockets Layer / Transport Layer Security), which provides reasonable protection from eavesdroppers and man-in-the-middle attacks, provided the client verifies EFT's certificate.

SSL/TLS is a protocol for encrypting and decrypting data across a secure connection between a client and a server with SSL capabilities. EFT is responsible for sending the client a certificate containing its public key. If the client trusts EFT's certificate, an SSL connection can be established. All data passing from one side to the other is encrypted, and only the client and EFT can decrypt it. The same protocol is used for FTPS.

The following elements work together to establish a secure HTTPS connection:

Client: The client must have SSL capabilities.

Certificate: Certificates are digital identification documents that allow servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte), while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT's certificate to establish an SSL connection.

Session Key: The client and EFT use the session key to encrypt data. With RSA key exchange the client generates it and encrypts it with EFT's public key; with Diffie-Hellman cipher suites both sides derive it and it is never transmitted.

Public Key: The key the client uses to encrypt the session key (or to verify EFT's key-exchange signature). It does not exist as a separate file; it is embedded in the certificate and is produced when a certificate and private key are created.

Private Key: EFT's private key decrypts the client's session key or signs the key exchange. The private key has a .key extension and is the secret half of the public-private key pair. Protect it accordingly: anyone holding it can impersonate EFT.

Certificate Signing Request: A Certificate Signing Request (CSR) is a PKCS#10 request, which is an unsigned copy of your certificate. A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed by a certification authority. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the self-signed certificate.

In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should connect using standard requests (i.e., https://domain_name). You can configure EFT to provide connecting clients with a certificate, and can require that the client provide a certificate upon connection (to validate the client's identity further).

Configuring HTTP or HTTPS Transfers

You can enable or disable HTTP or HTTPS transfers for the Site, Settings Template, or user account on the Connections tab.

To enable HTTP or HTTPS transfers

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.


3. In the right pane, click the Connections tab.


4. Select (enable) or clear (disable) the HTTP or HTTPS (SSL) check box, and then (if enabled):

a. On the Site, specify the HTTP and HTTPS ports. The default port numbers are 80 and 443. (Note that Microsoft IIS also uses port 80 by default, so you will have to change one of them.)

b. On the Site, specify whether to enable account management over HTTP/S and whether to redirect HTTP connections to HTTPS.

c. The Settings Template and/or user accounts will inherit the Site settings. If you want the Settings Template or user accounts to have a different setting than the Site, on the Settings Template and/or user account Connections tab, select (enable) or clear (disable) the HTTP or HTTPS check box.

5. Click Apply to save the changes on EFT. If you are enabling HTTPS, you must also assign an SSL certificate.

Redirecting HTTP to HTTPS

The High Security Module (HSM) allows you to redirect all HTTP connections to HTTPS in the administration interface. If you do not activate the HSM, this feature is disabled after the 30-day trial expires.

When HTTPS is enabled, EFT automatically redirects HTTP traffic to HTTPS for logins, forced password changes, and the lost username and password functionality. A registry override can be used to prevent this redirect. The Redirect check box described below controls both the login page and the rest of the connection, but only when HTTPS is enabled. The registry override's main purpose is to control whether the logon portion of the session is redirected to HTTPS when Redirect is OFF in the administration interface. (The Redirect check box is unavailable when HTTPS is disabled.) With the logon redirect overridden, credentials from HTTP clients travel in clear text; leave the override alone unless a specific client cannot follow the redirect.

If you have configured HTTPS transfers on the Site, you can redirect HTTP to HTTPS at the Site level.

Doing so disables HTTP transfers.

EFT simply tells the connecting client that the resource was moved to the new HTTPS URL. The connecting client decides whether it will allow the redirect, because the new URL could be on a different server.


In general, the redirect process includes the following steps:

1. Client sends a request to the HTTP port (by default, port 80).

2. EFT redirects all plain HTTP requests to HTTPS (by default, from port 80 to port 443). EFT replies to the client with a 302 code (the requested resource resides temporarily under a different URL) and sends the client the new URL where the resource is now located.

3. The client now knows that the resource is not available at the old URL and knows the new URL.

Client decides whether it wants to connect to the new URL and get this resource.

Refer to RFC 2616, section 10, http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html, for more information about redirection in HTTP.

The redirect option also affects incoming AS2 requests through HTTP. If the connecting AS2 client does not allow redirection to a different port, the connection will fail.

To redirect HTTP to HTTPS

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Connections tab.


4. Select the HTTPS (SSL) check box and configure SSL if not already configured.

5. Select the Redirect HTTP to HTTPS check box.

6. Click Apply to save the changes on EFT.

Even if HTTP is enabled for the user or Settings Template, HTTP transfers will be redirected to the HTTPS port (443 by default).
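The following Python script is an added example, not part of EFT or of this guide. It plays out the three-step exchange described above from both sides: the 302 reply with its Location header, including the non-default HTTPS port case, and the client-side decision the guide leaves to the connecting client, here a policy that follows only an upgrade to HTTPS on the same host. The assumption that the Location host is taken from the client's Host header is the example's own; the guide does not say which name EFT uses. Request and host values are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def build_redirect_response(request_line: str, host_header: str, https_port: int = 443) -> str:
    """Server side: answer a plain-HTTP request with 302 and the same path on HTTPS.
    The host is taken from the client's Host header (an assumption of this example)."""
    method, target, version = request_line.split(" ", 2)
    host = host_header.split(":", 1)[0]            # drop any ':80' the client sent
    authority = host if https_port == 443 else "%s:%d" % (host, https_port)
    location = "https://%s%s" % (authority, target)
    return (
        "%s 302 Found\r\n"
        "Location: %s\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n" % (version, location)
    )


def parse_redirect(response: str) -> tuple[int, str | None]:
    """Client side: status code and Location header value (None if absent)."""
    head, _, _ = response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return status, value.strip()
    return status, None


def should_follow(original_url: str, location: str) -> bool:
    """The client's decision: follow only an upgrade to HTTPS on the SAME host.
    A redirect to another host could be a hijack, and a redirect back to http://
    would defeat the setting.  A different port is allowed, since EFT may serve
    HTTPS on a non-default port."""
    old, new = urlsplit(original_url), urlsplit(location)
    return new.scheme == "https" and new.hostname == old.hostname


if __name__ == "__main__":
    request = "GET /manageaccount HTTP/1.1"
    reply = build_redirect_response(request, "files.example.com", 4433)
    print(reply)
    status, location = parse_redirect(reply)
    print(status, location, should_follow("http://files.example.com/manageaccount", location))
    print(should_follow("http://files.example.com/manageaccount",
                        "https://attacker.example.net/manageaccount"))
```

An AS2 client that applies a stricter rule than should_follow (for instance, refusing any change of port) is exactly the case the note above warns about: its connection fails rather than being upgraded.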


Customizable HTTP Error Messages

During your HTTP sessions, you will receive various numbered codes from Web servers. Some codes represent errors; most others simply communicate the status of the connection. For brief explanations of the most common status and error codes, refer to Knowledgebase article 10141 at http://kb.globalscape.com/KnowledgebaseArticle10141.aspx.

EFT provides customizable HTTP error messages in HTML files in the \HTTPMessages folder (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise\HTTPMessages).

Each time the EFT service starts up, each of the HTTPMessages files is created if it does not already exist. When an HTTP response is needed, EFT first tries to load the response from the files in this location. Failing that, EFT uses its internal response strings.

HTTP responses stored through this mechanism that can be customized are limited to the following:

HTTP Error                Default Text
BAD_PARAMETER             HTTP/1.1 406 Bad Parameter; The requested URL was not found on this server.
BAD_REQUEST               HTTP/1.1 400 Bad Request
BAD_URI                   Bad URI
FORBIDDEN                 HTTP/1.1 403 Forbidden
INTERNAL_SERVER_ERROR     HTTP/1.1 500 Internal Server Error
MAX_QUOTA_REACHED         HTTP/1.1 413 Max Quota Reached
NOT_FOUND                 HTTP/1.1 404 Object Not Found; The requested URL was not found on this server.
NOT_IMPLEMENTED           HTTP/1.1 501 Not Implemented
PRECONDITION_FAILED       HTTP/1.1 412 Precondition Failed
REQUEST_TOO_LARGE         HTTP/1.1 413 Request Entity Too Large
SERVICE_UNAVAILABLE       HTTP/1.1 503 Service Unavailable
URI_TOO_LARGE             HTTP/1.1 414 Request-URI Too Large

Using WebDAV in EFT

EFT supports a subset of WebDAV, an extension to the HTTP/1.1 protocol that allows clients to perform remote Web content authoring operations. HTTP defines many headers that can be used in WebDAV requests and responses. WebDAV provides functionality to create, change, and move documents on a remote server (typically a Web server or "web share"). This is useful, among other things, for authoring the documents that a Web server serves, but can also be used for general Web-based file storage that can be accessed from anywhere. Important features of the WebDAV protocol include locking (overwrite prevention), properties (creation, removal, and querying of information about author, modified date, etc.), namespace management (the ability to copy and move Web pages within a server's namespace), and collections (creation, removal, and listing of resources). Refer to the HTTP Extensions for Web Distributed Authoring and Versioning standard (RFC 4918) for more information.

All methods and headers marked as supported below (MKCOL, GET for Collections, DELETE for Collections, PUT for Non-Collection Resources, MOVE + Destination header) are used by CuteFTP and the Web Transfer Client. EFT's Advanced Workflow Engine (AWE) works with the WebDAV protocol in the Get Email Action, Send E-mail Action, and Exchange Action.


The table below indicates which WebDAV extensions are supported by EFT. The numbers indicate the section of the standard (RFC 4918). Descriptions, status codes, and examples from the standard appear after the table.

Method                                                EFT Support
9.1. PROPFIND Method                                  NOT supported
9.2. PROPPATCH Method                                 NOT supported
9.3. MKCOL Method                                     Supported
9.4. GET, HEAD for Collections                        Supported
9.5. POST for Collections                             NOT supported
9.6.1. DELETE for Collections                         Supported
9.7.1. PUT for Non-Collection Resources               Supported
9.7.2. PUT for Collections                            NOT supported
9.8. COPY Method                                      NOT supported
9.9.1. MOVE for Properties                            NOT supported
9.9.2. MOVE for Collections                           Supported
9.9.3. MOVE and the Overwrite Header                  NOT supported
9.10. LOCK Method                                     NOT supported
9.11. UNLOCK Method                                   NOT supported
10. HTTP Headers for Distributed Authoring            NOT supported
10.1. DAV Header                                      NOT supported
10.2. Depth Header                                    NOT supported
10.3. Destination Header                              Supported
10.4. If Header                                       NOT supported
10.5. Lock-Token Header                               NOT supported
10.6. Overwrite Header                                NOT supported
10.7. Timeout Request Header                          NOT supported


Descriptions, Examples, and Error Codes

9.3. MKCOL Method

MKCOL creates a new collection resource at the location specified by the Request-URI.

Example:

>>Request

MKCOL /webdisc/xfiles/ HTTP/1.1

Host: www.example.com

>>Response

HTTP/1.1 201 Created

Status and error codes:

201 (Created) - The collection was created.

403 (Forbidden) - This indicates at least one of two conditions: 1) the server does not allow the creation of collections at the given location in its URL namespace, or 2) the parent collection of the Request-URI exists but cannot accept members.

9.4. GET, HEAD for Collections

The semantics of GET are unchanged when applied to a collection, since GET is defined as, "retrieve whatever information (in the form of an entity) is identified by the Request-URI" [RFC2616]. GET, when applied to a collection, may return the contents of an "index.html" resource, a human-readable view of the contents of the collection, or something else altogether. Hence, it is possible that the result of a GET on a collection will bear no correlation to the membership of the collection.

9.5. POST for Collections

Since by definition the actual function performed by POST is determined by the server and often depends on the particular resource, the behavior of POST when applied to collections cannot be meaningfully modified because it is largely undefined. Thus, the semantics of POST are unmodified when applied to a collection.

9.6.1. DELETE for Collections

DELETE instructs that the collection specified in the Request-URI and all resources identified by its internal member URLs are to be deleted.

>>Request

DELETE /container/ HTTP/1.1

Host: www.example.com

9.7.1. PUT for Non-Collection Resources

A PUT performed on an existing resource replaces the GET response entity of the resource.

9.9.2. MOVE for Collections

A MOVE with "Depth: infinity" instructs that the collection identified by the Request-URI be moved to the address specified in the Destination header, and all resources identified by its internal member URLs are to be moved to locations relative to it, recursively through all levels of the collection hierarchy.

10.3. Destination Header

The Destination request header specifies the URI that identifies a destination resource for methods such as COPY and MOVE, which take two URIs as parameters.

Destination = "Destination" ":" Simple-ref
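The following Python script is an added example, not part of EFT or of this guide. It is a small in-memory server-side model of exactly the WebDAV subset in the table above: it accepts MKCOL, GET/HEAD, DELETE, PUT (non-collection only) and MOVE with a Destination header, refuses every other method, and shows the status codes from RFC 4918 that the excerpts describe. Two decisions are the example's own policy rather than documented EFT behaviour: a MOVE whose Destination names another host is refused with 502, and because the Overwrite header is unsupported, a MOVE never clobbers an existing resource (412). The request sequence is constructed.

```python
from __future__ import annotations

from urllib.parse import unquote, urlsplit

# EFT's WebDAV subset per the table; everything else (PROPFIND, COPY, LOCK...) is refused.
SUPPORTED_METHODS = {"MKCOL", "GET", "HEAD", "DELETE", "PUT", "MOVE"}


class DavStore:
    """In-memory namespace: paths ending in '/' are collections (value None),
    other paths are non-collection resources holding bytes."""

    def __init__(self) -> None:
        self.nodes = {"/": None}

    @staticmethod
    def _parent(path: str) -> str:
        return path.rstrip("/").rsplit("/", 1)[0] + "/"

    def _resolve(self, path: str) -> str:
        # Accept a collection URI written without its trailing slash.
        return path + "/" if path not in self.nodes and path + "/" in self.nodes else path

    def _members(self, path: str) -> list[str]:
        # The resource itself plus, for a collection, everything beneath it (Depth: infinity).
        return [p for p in self.nodes if p == path or (self.nodes[path] is None and p.startswith(path))]

    def handle(self, method: str, target: str, headers: dict, body: bytes = b"") -> tuple[int, bytes]:
        """Return (status, body) for one request; status codes follow RFC 4918."""
        if method not in SUPPORTED_METHODS:
            return 405, b""
        hdr = {k.lower(): v for k, v in headers.items()}
        path = self._resolve(unquote(urlsplit(target).path))

        if method == "MKCOL":
            path = path if path.endswith("/") else path + "/"
            if path in self.nodes:
                return 405, b""                      # already exists
            parent = self._parent(path)
            if parent not in self.nodes:
                return 409, b""                      # intermediate collection missing
            if self.nodes[parent] is not None:
                return 403, b""                      # parent exists but cannot accept members
            self.nodes[path] = None
            return 201, b""

        if method in ("GET", "HEAD"):
            if path not in self.nodes:
                return 404, b""
            node = self.nodes[path]
            if node is None:                         # 9.4: listing format is the server's choice
                children = [p[len(path):] for p in self.nodes
                            if p != path and p.startswith(path) and "/" not in p[len(path):].rstrip("/")]
                node = "\n".join(sorted(children)).encode()
            return 200, (b"" if method == "HEAD" else node)

        if method == "DELETE":
            if path not in self.nodes:
                return 404, b""
            if path == "/":
                return 403, b""
            for p in self._members(path):            # 9.6.1: collection and all its members
                del self.nodes[p]
            return 204, b""

        if method == "PUT":
            if path.endswith("/") or self.nodes.get(path, b"") is None:
                return 405, b""                      # 9.7.2 PUT for collections: not supported
            if self._parent(path) not in self.nodes:
                return 409, b""
            status = 204 if path in self.nodes else 201
            self.nodes[path] = bytes(body)           # 9.7.1: replaces the GET entity
            return status, b""

        # MOVE (Depth header unsupported, so collections always move recursively)
        if path not in self.nodes:
            return 404, b""
        if "destination" not in hdr:
            return 400, b""
        dest = urlsplit(hdr["destination"])
        if dest.netloc and dest.netloc.lower() != hdr.get("host", "").lower():
            return 502, b""                          # destination on another server: refuse (example policy)
        dest_path = unquote(dest.path)
        if self.nodes[path] is None and not dest_path.endswith("/"):
            dest_path += "/"
        if dest_path in self.nodes:
            return 412, b""                          # Overwrite unsupported: never clobber (example policy)
        if self._parent(dest_path) not in self.nodes:
            return 409, b""
        for old in self._members(path):
            self.nodes[dest_path + old[len(path):]] = self.nodes.pop(old)
        return 201, b""


def run_example() -> tuple[list[int], list[str]]:
    """Scripted exchange against a fresh store: returns the status codes seen and the
    paths left at the end.  Expected statuses are noted on each step."""
    store, host = DavStore(), {"Host": "www.example.com"}
    steps = [
        ("MKCOL", "/webdisc/xfiles/", host, b""),                 # 409: parent missing
        ("MKCOL", "/webdisc/", host, b""),                        # 201
        ("MKCOL", "/webdisc/xfiles/", host, b""),                 # 201
        ("MKCOL", "/webdisc/xfiles/", host, b""),                 # 405: exists
        ("PUT", "/webdisc/xfiles/report.csv", host, b"a,b\n"),    # 201
        ("PUT", "/webdisc/xfiles/report.csv", host, b"a,b,c\n"),  # 204: replaced
        ("GET", "/webdisc/", host, b""),                          # 200: listing
        ("PROPFIND", "/webdisc/", host, b""),                     # 405: outside EFT's subset
        ("MOVE", "/webdisc/xfiles/", {**host, "Destination": "http://attacker.example.net/xfiles/"}, b""),      # 502
        ("MOVE", "/webdisc/xfiles/", {**host, "Destination": "http://www.example.com/webdisc/archive/"}, b""),  # 201
        ("GET", "/webdisc/xfiles/report.csv", host, b""),         # 404: moved away
        ("GET", "/webdisc/archive/report.csv", host, b""),        # 200
        ("DELETE", "/webdisc/", host, b""),                       # 204: recursive
    ]
    return [store.handle(*step)[0] for step in steps], sorted(store.nodes)


if __name__ == "__main__":
    print(run_example())
```

The same-host check on Destination is the one a reviewer should look for in any WebDAV front end: MOVE is the only supported method that names a second URI, so it is the only place a client can point the server somewhere unexpected.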

Enabling the Account-Management Page

The account management page is not available when CAC is enabled.

EFT provides an HTTPS account management page on which users can reset their password, if so configured in the administration interface.

The account management page is hard-coded to https://<server-URL>/manageaccount on the default port of 443. If the HTTPS port is set to a different port, the user must include the port number in the URL to log in to the page (e.g., https://<server-URL>:4433/manageaccount).


It is strongly recommended that you enable the account management page over HTTPS (using the procedure below) so that your users will be able to change their passwords. You also have to enable HTTPS and SSL to use the account management page.

To enable the account management page

1. In the EFT administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. Select the HTTPS check box and specify the port, if different than the default.

5. Select the Enable account management page over HTTPS check box. The URL is displayed in the text box to the right (e.g., https://localhost/manageaccount). The URL is not editable, but you can select and copy it to provide to users.

6. Click Apply to save the changes on EFT.

Enabling User Access to the Web Transfer Client

Before users can log in to EFT using the Web Transfer Client (WTC), the EFT administrator must configure EFT to allow connections from the WTC. Active Directory domain users must have logon permission on the EFT computer in order to log on to EFT through the WTC. This is accomplished by adding AD domain users to the "Allow log on locally" user right on the EFT computer. If an AD domain user does not hold this right, logging on to EFT through the WTC fails and an error message informs the user that local login access is required to log on to EFT. Because "Allow log on locally" is an interactive-logon right on the server itself, not merely an EFT setting, grant it to a dedicated group of WTC users rather than to all domain users.


If a user has multiple sessions open and you want to make the licenses available to other users, stop and restart the Site. Stopping and restarting the Site resets the license count and disconnects everybody who is connected; users must reestablish their session.

To configure EFT to allow Web Transfer Client Connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user.

3. In the right pane, click the Connections tab.

4. In the Protocols area, select the Allow Web Transfer Client over HTTP/S check box. If this check box is not available, you have not activated the Web Transfer Client or the trial has expired. HTTPS must also be enabled.

5. Click Apply.

Enabling and Using Web Service

In EFT Enterprise, the Web Service allows administrators to initiate EFT workflows from an external application such as an enterprise scheduler. For information about how EFT supports Web Services, refer to EFT Web Service. An SSL certificate is required to use the Web Service, because EFT accepts Web Service requests only via HTTPS. (Specify SSL versions and ciphers before enabling SSL connections. SSL must first be enabled on EFT and on the Site.)

The administrator account must have the COM administration privilege to access any /WebService URL (or sub-URL). Because such an account can invoke any Event Rule, use a dedicated administrator account for scheduler integration rather than a person's account, and keep its credentials out of job scripts that others can read.

If you are using Internet Explorer 6.0, TLS 1.0 is turned OFF by default. If Web Services is not working in IE6, click Tools > Internet Options, then on the Advanced tab, select the Use TLS 1.0 check box. Save the changes, then close and reopen the browser.

To enable Web service

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. Select the Enable Web Services (WS) over HTTPS check box.

5. Click Apply to save the changes on EFT.


To use Web Service in your browser

1. Open a browser.

2. In the Address bar, type the URL of the Site and the port number (if different from the default), a forward slash, and webservice, then press ENTER. For example, type: https://localhost:443/webservice (Replace the host name and port if you are not using "localhost" and port 443.)

3. A login prompt appears. Provide EFT administrator credentials. The EFTWebService interface appears.


4. To execute an Event Rule, click InvokeEventRule. The Invoke Event Rule interface appears.


5. In the Value boxes, provide the EventRuleName and, if necessary, EventParams, then click Invoke.

6. For example, in the EventRuleName Value box, type Backup Server Configuration, leave EventParams blank, and then click Invoke. ("Backup Server Configuration" is a default Event Rule available in EFT Enterprise only.) The browser returns the following string:

<int xmlns="HTTPS://localhost:443/">1</int>

• 0 indicates failure

• 1 indicates success

• -1 indicates EFT could not find the Event Rule (e.g., the requested EventName does not exist or was not typed correctly.)

7. For this example, you can open the Backup folder and see that a backup file was created (e.g.,

C:\ProgramData\Globalscape\EFT Enterprise\Backup).
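The following Python script is an added example, not part of EFT or of this guide. It is the scheduler-side counterpart of the browser procedure above: it builds the InvokeEventRule request, refuses to send administrator credentials over anything but HTTPS, keeps certificate verification on, and turns the <int> reply into the three outcomes the guide lists. Two points are assumptions, not documented EFT behaviour: that the EventRuleName and EventParams form fields are accepted as an HTTP GET query on /webservice/InvokeEventRule (the usual ASP.NET web-service convention), and that the browser login prompt is HTTP Basic authentication. Confirm both against your EFT instance before relying on the network function; the parsing and URL functions run offline on the constructed samples.

```python
from __future__ import annotations

import base64
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Meaning of the integer EFT returns, from the guide.
RESULT_TEXT = {1: "success", 0: "failure", -1: "event rule not found"}


def is_https(url: str) -> bool:
    return urlsplit(url).scheme == "https"


def build_invoke_url(base_url: str, rule_name: str, params: str = "") -> str:
    """URL for InvokeEventRule.  ASSUMPTION: the endpoint takes the form fields shown in
    the browser page (EventRuleName, EventParams) as a GET query, ASP.NET-style."""
    if not is_https(base_url):
        raise ValueError("EFT serves Web Services over HTTPS only; refusing to send admin credentials in clear")
    query = urlencode({"EventRuleName": rule_name, "EventParams": params})
    return base_url.rstrip("/") + "/webservice/InvokeEventRule?" + query


def parse_invoke_result(xml_text: str) -> tuple[int, str]:
    """Turn '<int xmlns="...">1</int>' into (code, meaning)."""
    root = ET.fromstring(xml_text)
    if root.tag.rsplit("}", 1)[-1] != "int":            # strip the namespace EFT adds
        raise ValueError("unexpected element %r" % root.tag)
    code = int((root.text or "").strip())
    return code, RESULT_TEXT.get(code, "unknown result %d" % code)


def invoke_event_rule(base_url: str, username: str, password: str, rule_name: str,
                      params: str = "", cafile: str | None = None) -> tuple[int, str]:
    """Network call (not exercised offline).  ASSUMPTION: the browser's login prompt is
    HTTP Basic authentication, so the credentials go in an Authorization header.  TLS
    verification stays ON; pass cafile for a private CA instead of disabling it."""
    url = build_invoke_url(base_url, rule_name, params)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode("ascii")
    request = Request(url, headers={"Authorization": "Basic " + token})
    context = ssl.create_default_context(cafile=cafile)
    with urlopen(request, context=context, timeout=30) as response:
        return parse_invoke_result(response.read().decode("utf-8"))


if __name__ == "__main__":
    print(build_invoke_url("https://localhost:443", "Backup Server Configuration"))
    for sample in ('<int xmlns="HTTPS://localhost:443/">1</int>',
                   '<int xmlns="HTTPS://localhost:443/">0</int>',
                   '<int xmlns="HTTPS://localhost:443/">-1</int>'):
        print(sample, "->", parse_invoke_result(sample))
```

A scheduler job should treat only code 1 as success and alert on -1 separately from 0, since -1 usually means the rule was renamed or the job's configuration drifted rather than that the workflow itself failed.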


FIPS (Federal Information Processing Standard)

These topics provide information about using FIPS-compliant protocols with EFT.

FIPS-Certified Libraries

The Federal Information Processing Standard (FIPS) Publication 140-2 specifies the security requirements of cryptographic modules used to protect sensitive information. When the EFT service is started, if FIPS is enabled, a message displays which protocols are in use and which of the protocols in use are FIPS compliant. When you enable FIPS, the ciphers, key lengths/types, and hash lengths/types that are not FIPS-approved are not available, and an initialization routine executes a series of startup tests that set the cryptographic module into a FIPS-approved operational state. (Toggling FIPS mode requires that you restart the EFT service.)

If a FIPS-approved state cannot be achieved when FIPS is enabled, all Sites will stop, and an error message appears in the Windows Event Log and the EFT administration interface. After you dismiss the message, the EFT administration interface closes.

If the High Security Module (HSM) is not licensed, EFT can no longer operate in FIPS mode once the HSM trial expires.

• You can enable FIPS mode for:

  o inbound SFTP (SSH2)
  o inbound HTTPS/FTPS (SSL)
  o outbound HTTPS/FTPS (SSL) through Event Rules (except when using AWE)
  o outbound client SFTP (SSH2) through Event Rules (v6.1 and later)

• FIPS mode does not apply to:

  o AWE-based HTTPS/FTPS (SSL)
  o AWE-based SFTP (SSH2)
  o AS2 inbound or outbound transactions

The SSL connections for AS2 are made through HTTPS sockets, so the AS2 transaction itself travels over a FIPS tunnel; however, the encryption within the AS2 MIME payload is not FIPS.

For FTPS/HTTPS (SSL) Connections

EFT supports operation with the FIPS 140-2 validated Globalscape Cryptographic Module (GSCM) for SSL/TLS and certificate generation. The GSCM is based on the openssl-fips-1.1.1 FIPS source and the openssl-0.9.7m project. If FIPS is not enabled, the standard (non-FIPS) build of OpenSSL is used.

For more information about certification of the Globalscape Cryptographic Module (GSCM), refer to the Module Validation List on the National Institute of Standards and Technology (NIST) Website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#908 . The GSCM's certificate number is 908.

Imported certificates that were signed using non-FIPS-compliant algorithms (for example, certificates created in EFT before v6 or in Secure FTP Server) will not work in EFT version 6 or later when FIPS mode is enabled. (Certificates must be signed with SHA-1.) For details of converting certificates before importing them into EFT, refer to Using OpenSSL to Generate/Convert Keys and Certificates.

EFT uses one of the following three cipher combinations during SSL/TLS negotiation:

• TLS 1.0 RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC

• TLS 1.0 RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC

• TLS 1.0 RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC

Only these three suites are available in FIPS mode, and EFT negotiates them under TLS 1.0, so enabling FIPS mode restricts SSL connections to TLS 1.0. For more information on why the FIPS library requires TLS 1.0, refer to the following link: http://www.mail-archive.com/[email protected]/msg54318.html . (TLS 1.0 and 3DES have since been deprecated by the IETF and NIST; weigh that against the compliance benefit of FIPS mode on this version.)

EFT offers the cipher combinations to the SSL client (e.g., the administration interface or CuteFTP) in the order of preference listed above. During SSL negotiation, the SSL client selects its preferred combination from this list; by default, the SSL client typically picks the strongest option both sides support. EFT allows only these three cipher combinations; the algorithms cannot be NULL. FIPS certifies both DSA and RSA for digital signature generation and verification, but allows only RSA for key wrapping. Because SSL key exchange requires key wrapping, only RSA certificates can be used when EFT is in FIPS mode. Per FIPS requirements for RSA key wrapping, EFT enforces a minimum key length of 1024 bits and a maximum key length of 4096 bits.

If EFT requires SSL certificates from connected clients, those certificates must also be signed with SHA-1.

For SFTP (SSH) Connections

EFT uses the FIPS-certified version of Crypto++ for inbound and outbound SFTP (SSH) connections.

When the EFT service is started, if FIPS is enabled, a message displays the protocols in use and which of the protocols in use are FIPS compliant. When you enable FIPS, the ciphers, key, and hash lengths/types that are not FIPS-approved are not available. If a FIPS-approved state cannot be achieved when FIPS is enabled, all Sites will stop, and an error is written to the Windows Event Log.

When the SFTP DLL is operated in FIPS mode, it passes the configured algorithms through a filter to ensure only these FIPS-compliant algorithms are enabled:

• Cipher algorithm values:

  o SFTP2_AES128
  o SFTP2_AES256
  o SFTP2_TripleDES

• MAC algorithm values:

  o SFTP2_SHA1_96
  o SFTP2_SHA1

Enabling FIPS Mode for SSL (HTTPS and FTPS) Connections

After you enable or disable FIPS mode, you must restart the EFT service.

To enable FIPS mode for SSL Connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node on which you want to enable FIPS mode.

3. In the right pane, click the Security tab.

4. In the Federal Information Processing Standards (FIPS) area, select the Use FIPS certified library for SSL connections check box.

5. Click Apply to save the changes on EFT.

6. Stop and then restart the EFT service. Review the Statistics area of EFT's General tab to verify that the service started.


EFT v7.2 User Guide

• If the HSM has expired when you attempt to start a Site on a Server that has FIPS mode enabled, an error message appears in the administration interface, and the Server sends an error message to the Event Log.

• In Internet Explorer (IE) version 6, TLS mode must be enabled for SSL communications to work. (In Internet Explorer, click Tools > Internet Options. Click the Advanced tab. Scroll to the Security settings and select the Use TLS 1.0 check box. TLS is enabled by default starting in IE7.)

Refer to SSL for information about configuring SSL on the Site.

Enabling FIPS Mode for SSH (SFTP) Connections

To enable FIPS mode for SSH connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node on which you want to enable FIPS mode.

3. In the right pane, click the Security tab.

4. In the Federal Information Processing Standards (FIPS) area, select the Use FIPS certified library for SSH connections check box.

5. Click Apply to save the changes on EFT.

6. Stop and then restart the EFT service (toggling FIPS mode requires a restart), then review the Statistics area on EFT's General tab to verify that the service started.

• If the HSM has expired when you attempt to start a Site on a Server that has FIPS mode enabled, an error message appears in the administration interface, and the Server sends an error message to the Event Log.

Refer to SFTP for details of configuring and enabling SFTP (SSH2) on a Site.

FIPS Mode Event Messages

EFT displays FIPS-related messages when switching to/from FIPS modes, starting/restarting EFT or Site, making administration interface connections, or managing certificates. EFT presents messages in the administration interface and in the Windows Event Log and allows you to correct the error. That is:

• A FIPS initialization error at Server startup does not stop the EFT service. Instead, the service is started and listening for administrator connections, but the Sites are stopped so that you can connect, get diagnostics, disable FIPS mode, and so on.

• An administrator SSL certificate failure at Server startup does not stop the EFT service immediately. Instead, EFT starts, but does not accept SSL administrative connections. The administrator is able to login locally, get diagnostics, replace the certificate, and so on.

• An administrator SSL certificate failure after SSL FIPS mode switching does not stop the EFT service. Instead, EFT continues working, but does not accept SSL administrative connections. The Administrator can connect to replace the certificate, and so on.


FIPS Mode Messages in the Administration Interface

EFT displays the following FIPS-related messages in the administration interface.

<SITENAME> will be started with the following protocols: FIPS compliant protocols: <FIPSPROTOCOLS> Non-FIPS protocols: <NONFIPS> To ensure FIPS compliant operation, please enable only FIPS compliant protocols.

When EFT is in SSL or SSH FIPS mode, this message reports which Site protocols are FIPS-secured and which are not, each time the Administrator explicitly starts the Site (e.g., clicks Go).

The EFT is stopped: FIPS mode initialization error. All sites and protocols are disabled.

This warning message appears upon new administration connections if FIPS fails to initialize. FIPS can fail to initialize because EFT could not load the FIPS library or the library self-test failed. When this occurs, EFT is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start EFT. FIPS mode initialization error; all sites and protocols have been disabled.

This message appears in the administration interface during Server start or restart when FIPS fails to initialize. FIPS can fail to initialize because EFT could not load the FIPS library or the library self-test failed. When this occurs, EFT is stopped and all Sites and protocols are disabled.

An error occurred while attempting to start Site ‘<SITE_NAME>’. The SSL certificate provided for Site ‘<SITE_NAME>’ has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different certificate, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SSL certificate.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet

FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test). The Site is stopped.

An error occurred while attempting to start Site ‘<SITE_NAME>’. The SFTP key provided has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive). Please choose a different key, or generate a new one that has at least 1024 but no more than 4096 bits in the public key.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

An error occurred while attempting to start Site ‘<SITE_NAME>’. Could not load SFTP certificate.

This message appears during Site start/restart if a Site uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test).

The Site is stopped.


The Site <SITE_NAME> is not started: [SSL certificate | SFTP key] is too weak and does not meet FIPS 140-2 requirements. Clients will not be able to connect to the Site.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

The Site <SITE_NAME> is not started: could not load [SSL certificate | SFTP key]. Clients will not be able to connect to the Site.

This warning message appears during new administration interface connections if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and old certificate/key does not pass the FIPS test).

The Site is stopped.

EFT SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT remotely.

This warning message notifies all connected administration interfaces if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT SSL certificate for remote administration is too weak and does not meet FIPS 140-2 requirements. Administrators will not be able to connect to EFT remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT remotely.

This warning message is used during new administration interface connections if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use

EFT’s FIPS certified cryptographic libraries.

or, when FIPS mode is switched off:

EFT [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT’s standard (non-FIPS) cryptographic libraries.

These informational messages appear in the administration interface to notify all connected administration interfaces when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

FIPS Mode Events in the Event Log

EFT displays the following FIPS-related events in the Windows Event Log.

Globalscape EFT - FIPS [SSL|SSH] mode initialization error; all sites and protocols are disabled.

This error message appears in the Event Log upon the EFT service start or restart if FIPS fails to initialize. FIPS can fail to initialize because EFT could not load the FIPS library or the library self-test failed. When this occurs, the EFT service is stopped and all Sites and protocols are disabled.


Globalscape EFT - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate key] is not an approved size (must be at least 1024 but no more than 4096 bits). The site has not been started.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

Globalscape EFT - FIPS mode initialization error for site "<SITE_NAME>": the specified [SFTP key|SSL certificate] is broken. The site has not been started.

This message appears during Site start/restart if a Site uses SSL and its certificate does not meet FIPS requirements or uses SFTP and its key does not meet FIPS requirements (e.g., FIPS mode gets turned on and the old certificate/key does not pass the FIPS test). The Site is stopped.

EFT SSL certificate for remote administration is not an approved size (must be at least 1024 but no more than 4096 bits). Administrators will not be able to connect to EFT remotely.

or, if other certificate error (forbidden algorithms, inconsistent private key, or invalid private key password):

EFT SSL certificate for remote administration is broken. Administrators will not be able to connect to EFT remotely.

This warning message appears in the Event Log if the SSL certificate for remote administration does not meet FIPS requirements. Remote administration connections via SSL are not accepted.

EFT [SSL | SSH] subsystem has entered FIPS mode. All new connections over [SSL | SSH] will use

EFT’s FIPS certified cryptographic libraries.

or, when FIPS mode is switched off:

EFT [SSL | SSH] subsystem has exited FIPS mode. All new connections over [SSL | SSH] will use EFT’s standard (non-FIPS) cryptographic libraries.

This informational message appears in the Event Log when an administrator explicitly switches SSL or SSH FIPS mode or FIPS mode is disabled due to trial expiration.

Globalscape EFT - FIPS [SSL|SSH] mode initialized successfully; operating in compliance with FIPS 140-2.

This informational message appears in the Event Log every time the EFT service starts or restarts to report its successful FIPS mode initialization.


Network Usage, Security Settings, Limits

These topics provide the procedures for configuring network usage and security settings.

Connection Limits Dialog Box

The Connection Limits dialog box is used to set maximum speed, logins, and connections on a Site, Settings Template, or user account.

To open the Connection Limits dialog box

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. In the Network Usage and Security Settings area, next to Connection limits, click Configure.

The Connection Limits dialog box appears.

5. Refer to the following procedures:

Setting Maximum Transfer Speeds

Setting Maximum Concurrent Socket Connections

Setting Maximum Concurrent Logins

Disconnecting Users on Timeout

Setting Maximum Connections per User

Setting Maximum Connections per IP Address

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Transfer Speeds

You can control a user's maximum transfer speeds at the Site level, Settings Template, and/or for each user.

The Site sets the limits of the users and Settings Templates. That is, you cannot set the maximum transfer speed on the Settings Template or for user accounts higher than it is set on the Site.

To configure maximum transfer speeds on the Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure.


3. In the right pane, click the Connections tab.

4. Next to Connection limits, click Configure. The Connection Limits dialog box appears.

5. Select the Max transfer speed (kbps) check box, then specify the maximum transfer speed for the Site. If the check box is cleared on the Site, the maximum transfer speed is not specified for the Site, but can be specified in the Settings Template or for each user account.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Concurrent Socket Connections

The Max concurrent socket connections check box limits the number of socket (low-level TCP) connections EFT allows on a Site. When this limit is reached, any subsequent connection attempt generates a socket or network error in the client: EFT refuses the connection entirely, so to the client it looks as if EFT were not available.

If EFT is configured as an anonymous FTP server, you should limit connections per user instead. In that case, EFT allows the user to partially connect before being told that EFT is full or busy, which is a more graceful way of denying the connection.

The maximum number of socket connections is configured per Site. If you have multiple Sites, you can configure some Sites to allow more connections than others.

To restrict the number of socket connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Connection limits, click Configure. The Connection Limits dialog box appears.


5. Select the Max concurrent socket connections check box, then specify the maximum number of users you want to allow at any given time. If the box is cleared, EFT does not restrict the number of users.


6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Concurrent Logins

You set the maximum number of concurrent logins to EFT on the Site. If you have multiple Sites, you can configure some Sites to allow more logins than others.

To restrict the number of concurrent logins

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Connection limits, click Configure. The Connection Limits dialog box appears.

5. Select the Max concurrent logins check box, then specify the maximum number of logins you want to allow at any given time. If the box is cleared, EFT does not restrict the number of logins.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Connections per User

You can set the maximum number of simultaneous connections for a user on the Site, Settings Template, and/or for each user.

The Site sets the limit for all sub levels. For example, if the Site's Max connections per user is 5, and a user's Max connections per user is set to 10, the user can still only connect to the Server 5 times simultaneously.

To set maximum connections per user

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Connection limits, click Configure. The Connection Limits dialog box appears.


5. Select the Max connections per user check box, then type or use the arrows to select a number. (You must specify an integer between 1 and 99999.)

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Connections per IP Address

You can set the maximum number of simultaneous connections emanating from the same IP address on the Site, Settings Template, and/or for each user.

The Site sets the limits of the user accounts and the Settings Templates. That is, you cannot specify a larger number on the Settings Template or user account than is set on the Site.

To set maximum connections per IP address

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Connection limits, click Configure. The Connection Limits dialog box appears.


5. Select the Max connections from same IP check box and type the maximum number of simultaneous connections you want to allow from the same IP address. (You must specify an integer between 1 and 99999.)

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.
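How the limits from the preceding procedures combine, as an added example in Python that is not EFT's code. It models the Site capping the Settings Template and user values, the socket limit refusing before any protocol exchange, and the login-time limits (concurrent logins, per user, per IP) that refuse after the client has connected; the limit values and refusal strings are constructed for illustration.

```python
"""How EFT's connection limits interact (added example, not EFT's code).

Models the rules stated in the text: a Settings Template or user may tighten
but never exceed the Site's value for max connections per user and per IP;
"max concurrent socket connections" refuses the TCP connection outright; and
"max concurrent logins" and the per-user/per-IP limits reject only after the
client has connected. All numbers are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Limits:
    """Values from the Connection Limits dialog; None means the check box is cleared."""
    max_sockets: Optional[int] = None     # Site only
    max_logins: Optional[int] = None      # Site only
    max_per_user: Optional[int] = None    # Site, Settings Template or user
    max_per_ip: Optional[int] = None      # Site, Settings Template or user


def effective_limit(site_value: Optional[int], lower_value: Optional[int]) -> Optional[int]:
    """The Site caps lower levels: a user set to 10 under a Site set to 5 gets 5."""
    if site_value is None:
        return lower_value
    if lower_value is None:
        return site_value
    return min(site_value, lower_value)


@dataclass
class SiteConnections:
    site: Limits
    sockets: int = 0
    by_user: Dict[str, int] = field(default_factory=dict)
    by_ip: Dict[str, int] = field(default_factory=dict)

    def accept_socket(self) -> bool:
        """TCP accept time. False means the client only sees a network error."""
        if self.site.max_sockets is not None and self.sockets >= self.site.max_sockets:
            return False
        self.sockets += 1
        return True

    def close_socket(self) -> None:
        self.sockets -= 1

    def login(self, user: str, ip: str, account: Optional[Limits] = None) -> Optional[str]:
        """After authentication. Returns None when admitted, else the refusal reason."""
        account = account or Limits()
        if self.site.max_logins is not None and sum(self.by_user.values()) >= self.site.max_logins:
            return "server busy: max concurrent logins reached"
        per_user = effective_limit(self.site.max_per_user, account.max_per_user)
        if per_user is not None and self.by_user.get(user, 0) >= per_user:
            return f"user {user} already has {per_user} session(s)"
        per_ip = effective_limit(self.site.max_per_ip, account.max_per_ip)
        if per_ip is not None and self.by_ip.get(ip, 0) >= per_ip:
            return f"address {ip} already has {per_ip} session(s)"
        self.by_user[user] = self.by_user.get(user, 0) + 1
        self.by_ip[ip] = self.by_ip.get(ip, 0) + 1
        return None

    def logout(self, user: str, ip: str) -> None:
        self.by_user[user] -= 1
        self.by_ip[ip] -= 1
```

The per-IP limit is the one that matters most for shared egress addresses (a partner behind one NAT gateway), so set it on the Site high enough for the busiest partner and tighten it per user or per Settings Template where a single account should never hold more than one or two sessions.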


Disconnecting Users on Timeout

You can automatically disconnect users after a specified period of inactivity, set per user or Settings Template. The idle timeout applies across all connection protocols supported by EFT (FTP/S, SFTP, HTTP/S). If a session has been idle for longer than the specified timeout, the user is disconnected and has to log in again.

This is different from the Administration Interface Session Timeout value.

To set a maximum idle limit for a user or Settings Template

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user account or Settings Template that you want to configure.

3. In the right pane, click the Connections tab.

4. In the Network Usage and Security Settings area, next to Connection limits, click Configure. The Connection Limits dialog box appears.

5. Select the Connection timeout check box, then type or select the maximum number of seconds of inactivity allowed before the user is disconnected.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Transfers per Session

You can set a limit on the number of file transfers allowed per login session for the Settings Template or per user.

To set the maximum allowed transfers per session

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Transfer limits, click Configure. The Transfer Limits dialog box appears.


5. Select the Uploads and/or Downloads per session check box and specify the maximum number of uploads/downloads the user may transfer during a session.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting Maximum Transfer Size

The maximum transfer size limits the user to a specified number of upload or download kilobytes per session. FTP does not tell EFT in advance how many bytes a client is going to send, so EFT cannot reject an oversized transfer up front: a user can start a transfer of virtually any size, but once the limit is reached, EFT aborts the transfer and does not transfer the rest of the file.

To set the maximum transfer size

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user that you want to configure.

3. In the right pane, click the Connections tab.

4. Next to Transfer limits, click Configure. The Transfer Limits dialog box appears.

5. Select the Max Upload/Download Size check boxes and specify the maximum amount of data (in kilobytes) the user may transfer during a session.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Controlling Access to the Site by IP Address

By default, all IP addresses are granted access to EFT. EFT allows you to grant access to only one specific IP address or a range of IP addresses, or deny access to one specific address or a range of addresses. EFT controls access on the Server, Site, Settings Template, and user account.

The IP access/ban list is a prioritized list of IP addresses, each designated as either allowed (whitelisted) or denied (blacklisted):

• EFT checks an incoming IP address against the entries in the list in order of precedence. The first "Deny" match stops further Rule matching and the connection is refused. If the Site list produces no match, or no "Deny" match, the address is then checked against either the user list (if explicitly enabled) or the Settings Template list (if the user list is set to inherit).


• Any IP address allowed access is parsed against the Settings Template or user account IP address access/ban list upon user authentication.

  o If the user list is disabled, then no checking occurs.
  o If the user list is inherited, then the IP address is checked against the Settings Template list.
  o If the user list is enabled, then the IP address is checked against the user list only. See diagram below.

• All automatically banned IP addresses are maintained in a separate list, both for readability and to make it easier to prioritize automatically banned addresses relative to manually whitelisted or blacklisted ones.

• You can unban more than one IP address at a time and search for specific IP addresses in the list.

• The IP Auto-Ban dialog box displays when and why an IP address was banned.

The diagram below provides a logic flow of EFT's IP address ban process.


IP address policy changes are propagated to the DMZ Gateway whenever the policy is modified in the administration interface or by the auto-ban logic.
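The precedence just described, as an added example in Python that is not EFT's code. It uses the standard ipaddress module, so CIDR ranges for both IPv4 and IPv6 work as in the dialog; the rule lists are constructed, the reason strings are mine, and reading "first matching rule decides" for Allow entries (so an Allow above a Deny 0.0.0.0/0 grants access to only that address) is my interpretation of the text.

```python
"""Evaluate EFT-style IP access/ban lists (added example, not EFT's code).

Models the precedence in the text: rules are checked in order and the first
"Deny" match at Site level refuses the address; an address the Site allows
(explicitly or by default) is then checked at authentication against the user
list if enabled, the Settings Template list if the user list inherits, or not
at all if the user list is disabled. Auto-banned addresses are checked first,
like the default "Auto-banned IPs" rule. Rule lists here are constructed.
"""
import ipaddress
from typing import Optional, Sequence, Tuple

Rule = Tuple[str, str]  # (single address or CIDR network, "Allow" | "Deny")


def first_match(rules: Sequence[Rule], ip: str) -> Optional[Tuple[str, str]]:
    """Return (action, matched_spec) for the first rule containing ip, else None.

    A bare address is treated as /32 or /128; an IPv4 address never matches an
    IPv6 network and vice versa.
    """
    addr = ipaddress.ip_address(ip)
    for spec, action in rules:
        net = ipaddress.ip_network(spec, strict=False)
        if addr.version == net.version and addr in net:
            return action, spec
    return None


def check_ip(ip: str, site_rules: Sequence[Rule], autoban: Sequence[str] = (),
             user_mode: str = "inherit", user_rules: Sequence[Rule] = (),
             template_rules: Sequence[Rule] = ()) -> Tuple[str, str]:
    """Mimic the Test IP dialog: return ("Allowed" | "Denied", reason).

    user_mode is "disabled", "inherit" or "enabled", matching the three states
    of the user account's list described in the text.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(b) for b in autoban):
        return "Denied", "Auto-banned IPs rule"
    site = first_match(site_rules, ip)
    if site and site[0] == "Deny":
        return "Denied", f"Site rule Deny {site[1]}"
    # Site level passed (explicit Allow or no match); second stage is decided
    # by the user account's list setting at authentication time.
    if user_mode == "disabled":
        return "Allowed", "Site allowed; user list disabled"
    if user_mode == "enabled":
        stage, rules = "user", user_rules
    else:
        stage, rules = "Settings Template", template_rules
    second = first_match(rules, ip)
    if second and second[0] == "Deny":
        return "Denied", f"{stage} rule Deny {second[1]}"
    return "Allowed", f"Site allowed; {stage} list allowed"


if __name__ == "__main__":
    # Allow exactly one management address and deny everyone else at Site level.
    site = [("192.0.2.10", "Allow"), ("0.0.0.0/0", "Deny"), ("::/0", "Deny")]
    for probe in ("192.0.2.10", "192.0.2.11", "2001:db8::1"):
        print(probe, check_ip(probe, site))
```

Note the separate "::/0" entry: a Deny on 0.0.0.0/0 says nothing about IPv6 clients, so an "allow only these addresses" list on a dual-stack Site needs a catch-all for both families.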

To grant/deny access by IP Address on a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account, and then click the Connections tab.

3. In the Network Usage and Security Settings area, next to IP access/ban list, click Configure. The IP Access Rules dialog box appears.


The Auto-banned IPs Rule is defined by default. Any IP address that is banned automatically by the system is denied access until an administrator removes it from the Auto-ban List.

• To add an IP address to the Rules, click Add. Specify the IP address or mask, click whether to Allow or Deny the address, and then click OK. You can also specify a range of addresses. CIDR notation is supported for both IPv4 and IPv6 literals. For example: 001:cdba:9abc:5678::/64 for blocking an IPv6 LAN or 192.168.29.0/24 for an IPv4 network.

• To remove a Rule, click it in the list, and then click Remove. A confirmation prompt appears. Click Yes.

• To edit a Rule, click it in the list, and then click Edit. Edit the address, then click OK to save your edits.

• To test whether an IP address is banned or allowed, click Test IP. The Test IP Connection dialog box appears.

  o Provide an IP address to test, and then click OK. The Result (Allowed or Denied) and the Reason the IP is allowed or denied appear in the dialog box. Click OK to close the dialog box.

• To view the list of banned IPs, click Autoban List. (On the Site only.) The IP Auto-ban dialog box appears.

  o To find an IP in the list, type it in the Search box.
  o To sort the list, click a column header.
  o To remove an IP from the list, click it, and then click Remove Selected.
  o The Date Added column displays the date and time the IP was added to the Autoban List, in MM/DD/YYYY hh:mm:ss AM/PM format.
  o The Reason column displays the reason the IP address was automatically banned (DoS/Flood prevention temporary ban, DoS/Flood prevention permanent ban, Invalid password attempts exceeded, Invalid username attempts exceeded, Too many consecutive invalid commands).
  o Click OK to close the dialog box. The IP address/mask appears in the exceptions list.

4. Click OK to close the IP Access Rules dialog box.

5. Click Apply to save the changes on EFT.

If an IP address appears in this list that should not have been banned, you can delete it from the list by clicking it, and then clicking Remove.

For more information about how IP addresses are banned, refer to Disconnecting Users after a Defined Number of Invalid Commands, Banning an IP Address that Uses an Invalid Account, and Flooding and Denial of Service Prevention.

Disconnecting Users after a Defined Number of Invalid Commands

EFT can automatically disconnect and even ban the IP addresses of users who send an excessive number of invalid commands.

To automatically disconnect users after a defined number of invalid commands

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Connections tab.

4. In the Network Usage and Security Settings area, next to Denial of Service settings, click Configure. The Anti-Flood/Hammer Settings dialog box appears.

5. Select the Disconnect user after <n> consecutive invalid commands check box, then type the number of invalid commands allowed before you disconnect the user. You can automatically add the user's IP address to the Site's banned IP address list by selecting the Add IP address to ban list if excessive invalid commands received check box. You can later remove the ban on the user by deleting the user's IP address from the list in the Site's IP Access/Ban List dialog box.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

See also Flooding and Denial of Service Prevention and Controlling Access to the Site by IP Address .


Flooding and Denial of Service Prevention

In a normal connection, the client asks the server to open a session, the server replies, the client acknowledges the reply, and only then is the connection established.

In a flooding denial of service (DoS) attack, the attacker sends a stream of such connection requests with forged return addresses, so the server's replies go nowhere and it is left holding half-open connections until they time out. As the server closes them, the attacker sends a new batch of forged requests, and the cycle repeats, leaving the server unavailable for legitimate connections.

A common method of blocking a DoS attack is to set up a filter on the network that looks for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the server from being overloaded by malicious attacks.

Attacks can be divided into three types:

• Connection-oriented attack - Attack that establishes numerous FTP connections to make the server inaccessible.

• Command-oriented attack - Attack that establishes a set of connections that flood the server with "hard" commands (commands that require lots of server resources), trying to make the server inaccessible.

• Combined attack - Attack that combines both above approaches—the most widespread type.

EFT's Auto-Ban System

EFT's auto-ban system is intended to prevent possible DoS attacks by identifying likely attacks from user activity density (occurrences per second). The algorithm is implemented differently for each attack type:

• For a Connection-oriented attack, EFT has a map of IP addresses. Each IP address map node contains IP address fail points. Once EFT accepts a connection, it finds the corresponding IP address node and increases fail points by connection weight value. If IP address fail points reach a fail-points limit, EFT refuses the connection and bans the IP address.

• A Command-oriented attack is similar to a connection-oriented attack, but instead of an IP address map, EFT uses a Connection ID map. The moment a connection is established, EFT creates a connection node that contains fail points and an IP address. After each command, EFT increases connection fail points by command weight. If connection fail points reach a fail points limit, the connection is closed and the IP address is banned.

• The auto-ban sensitivity slider controls connection oriented attacks. It assigns a weight to both recognized and non-recognized commands. Other than that, it behaves as the connection oriented logic. The Disconnect user after N invalid commands setting looks for a sequence of invalid (non-recognized) commands in a row, without regard to the time interval between commands. When used together, if a command's points exceed a given threshold in a given period OR if the number of invalid commands in a row exceeds a given threshold, then EFT disconnects and (optionally) bans the user.
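As an added illustration of the fail-points logic described above (this is not Globalscape's code; the weights, limit, window length and ban duration are assumptions chosen to make the behaviour visible), a small Python model of the IP address map, the Connection ID map and the consecutive-invalid-command counter:

```python
from collections import defaultdict, deque


class AutoBanModel:
    """Toy model of the fail-points logic (assumed values, not EFT's own)."""

    def __init__(self, fail_limit=100, window_sec=2.0, conn_weight=10,
                 known_cmd_weight=1, unknown_cmd_weight=5,
                 max_invalid_in_row=5, ban_sec=60.0, ban_on_invalid=True):
        self.fail_limit = fail_limit            # fail-points limit
        self.window_sec = window_sec            # density window (seconds)
        self.conn_weight = conn_weight          # points per accepted connection
        self.known_cmd_weight = known_cmd_weight      # points per recognized command
        self.unknown_cmd_weight = unknown_cmd_weight  # points per unrecognized command
        self.max_invalid_in_row = max_invalid_in_row  # "Disconnect user after N invalid commands"
        self.ban_sec = ban_sec                  # temporary ban length
        self.ban_on_invalid = ban_on_invalid    # "Add IP address to ban list if excessive invalid commands"
        self.ip_events = defaultdict(deque)     # IP address map: ip -> (time, points)
        self.connections = {}                   # Connection ID map
        self.banned_until = {}                  # temporary bans: ip -> expiry time

    def _density(self, events, now):
        """Fail points accumulated inside the window; older events are dropped."""
        while events and now - events[0][0] > self.window_sec:
            events.popleft()
        return sum(points for _, points in events)

    def is_banned(self, ip, now):
        """True while a temporary ban is in force; an expired ban is lifted."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def _ban(self, ip, now):
        """Ban the IP for ban_sec seconds and close all of its connections."""
        self.banned_until[ip] = now + self.ban_sec
        self.ip_events.pop(ip, None)
        for cid in [c for c, st in self.connections.items() if st["ip"] == ip]:
            del self.connections[cid]

    def accept_connection(self, ip, conn_id, now):
        """Connection-oriented check; returns True if the connection is kept."""
        if self.is_banned(ip, now):
            return False
        events = self.ip_events[ip]
        events.append((now, self.conn_weight))
        if self._density(events, now) >= self.fail_limit:
            self._ban(ip, now)
            return False
        self.connections[conn_id] = {"ip": ip, "events": deque(), "invalid_run": 0}
        return True

    def command(self, conn_id, recognized, now):
        """Command-oriented check; returns 'ok', 'disconnect', 'banned' or 'closed'."""
        conn = self.connections.get(conn_id)
        if conn is None:
            return "closed"
        weight = self.known_cmd_weight if recognized else self.unknown_cmd_weight
        conn["events"].append((now, weight))
        conn["invalid_run"] = 0 if recognized else conn["invalid_run"] + 1
        if self._density(conn["events"], now) >= self.fail_limit:
            self._ban(conn["ip"], now)      # density limit reached: ban the IP
            return "banned"
        if conn["invalid_run"] >= self.max_invalid_in_row:
            del self.connections[conn_id]   # N invalid commands in a row
            if self.ban_on_invalid:
                self._ban(conn["ip"], now)
                return "banned"
            return "disconnect"
        return "ok"


def connection_flood(ip="192.0.2.10", count=12, gap=0.1):
    """Constructed burst: `count` connections from one IP, `gap` seconds apart."""
    model = AutoBanModel()
    return [model.accept_connection(ip, f"c{i}", i * gap) for i in range(count)]


def invalid_command_run(ban_on_invalid=True, gap=10.0):
    """Constructed session: unrecognized commands spaced out so density stays low."""
    model = AutoBanModel(ban_on_invalid=ban_on_invalid)
    model.accept_connection("192.0.2.20", "s1", 0.0)
    return [model.command("s1", False, i * gap) for i in range(5)]


def command_density(count=100, gap=0.01):
    """Constructed session: recognized commands arriving faster than the window allows."""
    model = AutoBanModel()
    model.accept_connection("192.0.2.30", "s1", 0.0)
    return [model.command("s1", True, i * gap) for i in range(count)]
```

With the assumed values, ten connections inside two seconds reach the limit and the tenth is refused, while the same ten connections five seconds apart are all accepted; the spaced-out invalid commands never reach the density limit but are cut off by the in-a-row counter.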


Network Usage, Security Settings, Limits

By default, all IP addresses are granted access to EFT. EFT allows you to grant access to only one specific IP address or a range of IP addresses, or deny access to one specific IP address or a range of IP addresses. EFT can automatically disconnect and even ban the IP addresses of computers that send an excessive number of invalid commands. (Refer to Disconnecting Users after a Defined Number of Invalid Commands.) You can also configure EFT to automatically ban IP addresses that may be associated with a DoS (Denial of Service) attack. EFT monitors connection patterns, tracks each computer's activity density, and then bans IP addresses with unnaturally dense activity. When EFT bans an IP address, it can ban it permanently (add it to the IP Access Restrictions list) or temporarily for a certain period of time.

Banning an IP address temporarily protects EFT from attacks. If EFT is correct and a temporarily banned IP address was the source of an attack, EFT will not be harmed by the attempted attack. EFT's resources will remain free or minimally burdened, instead of being completely bogged down by the attacking IP address. If you select to ban IP addresses temporarily, the IP address's access to EFT is restricted for a minute or two, based on the EFT security setting you select using the Auto-Ban Reliability slider bar.

Temporarily banning users means that if EFT identifies an ordinary but very active user as a threat, the user will soon be able to reconnect to the Site. When you ban IP addresses temporarily, the level of security you set for the slider indicates both the number of seconds the user can attempt to occupy all of EFT's resources before being banned and the number of seconds the user is banned. The higher the security, the less time before the user is banned and the longer the user remains banned.

The reason for a temporary ban is that attack identification is not foolproof and there is always a chance of a mistake. If EFT is allowed to decide which IP address to ban, we risk that some users will be banned by mistake when it might not be appropriate to ban that user permanently.

If you elect to permanently ban the IP addresses of users whose activity fits the pattern of an attack, those users are immediately banned when they exceed the number of connections allowed for the security level (based on the slider setting). If EFT has banned a user to whom you want to allow access, you can delete it from the IP address ban list.

With the slider, you can set the Auto-ban reliability (security level) or turn auto-ban off. The default is Medium.

EFT has predefined security levels that correlate to the slider values: Off, Very Low, Low, Medium, High, and Very High.


IP address policy changes are propagated to the DMZ Gateway whenever the policy is modified in the administration interface or by the auto-ban logic.

To activate auto-ban

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Connections tab.

4. In the Network Usage and Security Settings area, next to Denial of Service settings, click Configure. The Anti-Flood/Hammer Settings dialog box appears.


5. In the Flood/hammer auto-ban sensitivity level area, specify a sensitivity level using the slider bar.

If you set the slider to Off, Very Low, or Low on a high security-enabled Site, a message appears to warn you that this setting violates PCI DSS requirements related to securely configuring cardholder environments.

6. Click a ban period:

• Ban IPs for time period proportional to sensitivity (higher = longer)

• Ban IPs permanently (add to TCP/IP access restrictions list)


7. Click OK to close the dialog box.

8. Click Apply to save the changes on EFT.

See also Disconnecting Users after a Defined Number of Invalid Commands and Controlling Access to the Site by IP Address.


Password Security Settings

These topics provide the procedures for configuring the password rules.

Allowing or Forcing Password Reset

Occasionally, EFT users may want to change their passwords. You may also want them to change their password the first time they log in with the temporary password that you've assigned them. The account management page is provided (via HTTPS) for users to change their passwords without intervention from the system administrator. (You can enable the password reset page while disallowing general access to HTTP or HTTPS, but you still must provide an SSL certificate.)

The option to force password reset requires that the High Security module (HSM) is installed and activated. If the Force users to change their first-time password immediately upon first use check box is selected, users are forced to change their passwords the first time that they log in to the server. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the Change Password page (e.g., https://localhost:4439/EFTClient/Account/ChangePassword.htm). After the user creates a new password, they are returned to the index page (WTC or PTC).

(On AD/LDAP Sites, if you have enabled the "User must change password at next logon" feature in AD, you must enable (set to "on") the registry setting described in KB article 10516. If you have enabled the "User cannot change password" feature in AD, users will not be able to change their passwords.)

When a user logs in to the HTTPS index page for the first time, the user is automatically redirected to the change password page if:

• The Enable account management page over HTTPS check box is selected and the user logs in with a temporary password.

• The Enable account management page over HTTPS and the Redirect all plaintext HTTP traffic to HTTPS check boxes are selected, and the user logs in with a temporary password.

• The user logs in with a temporary password to the FTP port or SFTP engine. (No commands are allowed other than exiting or changing the password until the password has been changed; the user is prompted to change the password.)

• An administrator logs in using a temporary password. A warning appears to prompt the administrator to supply a new password.

Note: "Temporary password" means the administrator created a password for them and selected the check box requiring them to change the password when they log in for the first time with that password.

You can configure password reset on the Site, on the Settings Template, and for each user. (The Site setting is inherited by the Settings Templates; the Settings Template setting is inherited by the users in that Settings Template.)

To configure the Site, Settings Template, or user account to allow or force password reset

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure.

3. In the right pane, click the Security tab.


4. Select the Allow users to reset their passwords check box.

• If you want users to reset their password the first time they log in to the server, select the Force users to change their first-time password immediately upon first use check box.

• If you want to configure password expiration options, click Configure.

5. Click Apply to save the changes on EFT. Users will be prompted to change their password when they log in to the Site.

There is no way to ask FTP users to change their password prior to logging in. EFT must allow them to log in (authenticate), but then prevents any further interaction with their session until they change their password.

Refer to Using the HSM with the Secure Ad Hoc Transfer Module if you are using a high security-enabled Site.

When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:

• In HTTPS and SFTP, the authentication request will be denied.

• In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.

If a Site is running in PCI DSS (high security) mode, warnings will appear when you enable or disable settings that may take you out of compliance.

Enforcing Complex Passwords

When you create or update a user account, you can require the user to create strong (complex) passwords. Complex passwords are enabled by default when you create a Site using the "strict security settings" option. (If you also want to create anonymous accounts, refer to Anonymous User Accounts.)

To require accounts use complex passwords

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure, then click the Security tab.

3. Select the Enforce strong (complex) passwords check box, and then click Configure. The Password complexity settings dialog box appears.


4. Refer to the guidelines in the table below (Field, Default, Min/Max Values):

• Minimum password length - Specify the minimum number of characters that must be in the password. Default: 8. Min/Max: 6 - 99.

• Character categories - In the Character categories area, specify the type of characters that must be in the password. The password must contain characters from at least N of the following categories: Uppercase; Lowercase; Numeric (0-9); Non alpha-numeric (e.g., !, #, $, %); Unicode (UTF-8). Default: 3. Min/Max: 2 categories, up to the categories maximum.

• Must not contain N or more characters from the user name. Default: 3. Min/Max: 2 characters, up to maximum password length.

• Must not contain N or more repeating characters. Default: 3. Min/Max: 2 characters, up to maximum password length.

• Must not consist solely of a word in the following Dictionary file. (Click the ellipsis icon to select a file.) Default: on. Min/Max: n/a.

• Must not be a dictionary word backwards. Default: off. Min/Max: n/a.

5. Click OK to save the settings or Cancel to keep existing settings.

6. Click Apply to save the changes to EFT.

For example, suppose you specified that the password must:

• contain at least 6 characters

• contain uppercase letters

• contain lowercase letters

• contain numbers


That means that the password must contain at least one uppercase character, at least one lowercase character, and at least one digit. So in this case, a password could be A5s3*v35, but not a5s3*v35, because you specified that a password should have at least one uppercase letter.
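An added example, not EFT's own code, that applies the rules from the table and the worked example above as a checker, plus a generator of the kind the Generate button provides (the consecutive-character reading of the user-name and repeating-character rules, the ASCII category tests and the generator's alphabet are assumptions):

```python
import secrets
import string
from dataclasses import dataclass

# Character categories from the Password complexity settings table. Assumption:
# the first four are ASCII classes; anything outside ASCII counts as Unicode.
CATEGORY_TESTS = {
    "uppercase": lambda c: c.isascii() and c.isupper(),
    "lowercase": lambda c: c.isascii() and c.islower(),
    "numeric": lambda c: c in string.digits,
    "non_alphanumeric": lambda c: c in string.punctuation,
    "unicode": lambda c: not c.isascii(),
}


@dataclass
class PasswordPolicy:
    """Settings from the table above; defaults mirror its Default column."""
    min_length: int = 8                            # 6 - 99
    min_categories: int = 3                        # at least N of the five categories
    required_categories: frozenset = frozenset()   # categories explicitly required
    max_username_chars: int = 3                    # N or more characters from the user name
    max_repeating: int = 3                         # N or more repeating characters
    dictionary: frozenset = frozenset()            # lower-cased words from the dictionary file
    reject_reversed_dictionary: bool = False       # "Must not be a dictionary word backwards"


def categories_present(password):
    return {name for name, test in CATEGORY_TESTS.items() if any(test(c) for c in password)}


def longest_repeat_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def shares_username_chars(password, username, n):
    """True if any n consecutive characters of the user name appear in the password
    (case-insensitive). Assumption: the rule counts consecutive characters."""
    u, p = username.lower(), password.lower()
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))


def check_password(password, username, policy):
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    present = categories_present(password)
    if len(present) < policy.min_categories:
        violations.append(f"only {len(present)} of {policy.min_categories} character categories")
    for name in sorted(policy.required_categories - present):
        violations.append(f"missing required category: {name}")
    if shares_username_chars(password, username, policy.max_username_chars):
        violations.append(f"contains {policy.max_username_chars} or more characters from the user name")
    if longest_repeat_run(password) >= policy.max_repeating:
        violations.append(f"contains {policy.max_repeating} or more repeating characters")
    if password.lower() in policy.dictionary:
        violations.append("is a dictionary word")
    if policy.reject_reversed_dictionary and password.lower()[::-1] in policy.dictionary:
        violations.append("is a dictionary word backwards")
    return violations


def generate_complex_password(policy, username, length=12, include_non_alnum=False, attempts=1000):
    """Random password (CSPRNG) that passes the policy. Non-alphanumeric characters are
    left out unless asked for, as the note on generated passwords in this topic describes."""
    alphabet = string.ascii_letters + string.digits
    if include_non_alnum:
        alphabet += string.punctuation
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, username, policy):
            return candidate
    raise ValueError("policy cannot be satisfied with this alphabet and length")


# The worked example from the text: at least 6 characters, with uppercase, lowercase and numbers.
EXAMPLE_POLICY = PasswordPolicy(
    min_length=6, min_categories=3,
    required_categories=frozenset({"uppercase", "lowercase", "numeric"}))
```

Against EXAMPLE_POLICY, check_password("A5s3*v35", "jdoe", EXAMPLE_POLICY) returns no violations while "a5s3*v35" is rejected for the missing uppercase category, exactly as the paragraph above describes.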

PCI DSS requirements include minimum password lengths, complexity, and reuse rules.

The dictionary file cannot exceed 10 MB. If you exceed the file size, the Event log will indicate that not all of the file could be loaded. If the dictionary file is not available, EFT operations will continue and a log error is written to the Event log.

Non-alphanumeric characters are not required by default; you must explicitly specify this option if you want to require it. For those who might be using a non-English language operating system, it is best to leave the Non alpha-numeric check box cleared because of characters that are not normally found on a standard keyboard. In this case, your users are free to use non-alphanumeric characters when they create their own password, you just would not require that they do, and the system will not include them when you automatically generate a complex password.

COM-created accounts are not subject to complexity requirements unless the CreateComplexPassword method is used. Refer to the Globalscape Server COM API user guide for details.

When using EFT with the Secure Ad Hoc Transfer (SAT) module, if the password settings are set to use a minimum of more than 20 characters, the SAT temporary user creation will fail. If your Site's complex password settings require more than 20 characters, be sure to configure the Ad Hoc Settings Template to override the Site's password settings so that complex passwords for Ad Hoc users contain fewer than 20 characters.

Reminding Users when Password is About to Expire

EFT allows you to set a reminder to notify users of their pending password expiration up to 30 days prior to the password expiration date. You can set the reminder on the Site for all accounts, on the Settings Template, and/or for each user, from 0 (no reminder) to 30 days (5 is the default). The reminder can be in the form of a banner message, an e-mail, or both.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

To remind users of expired passwords

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure, and then click the Security tab.

3. Select the Allow users to reset their passwords check box.

4. Next to Password Expiration Options, click Configure. The Password Expiration dialog box appears.


5. Select the Expire check box, then specify the number of days after which to expire the password.

6. Select the Remind check box, then specify the number of days prior to expiration to remind the user.

7. Do either or both of the following:

• To send an e-mail when the password is about to expire, select the Send user an e-mail prior to expiration check box.

• To send an e-mail when the password has expired, select the Send user an e-mail upon expiration check box.

8. Click OK to save the settings and close the dialog box.

9. Click Apply to save the changes on EFT.

10. Edit the Password Reset Messages, as desired.

For all protocols, if the user's password is scheduled to expire, the e-mail reminder is enabled, and the user account has an e-mail address associated with it, an e-mail is sent informing the user of the pending expiration and providing instructions on how to change the password for one or possibly all protocols. A user who typically connects over FTP may optionally log in via HTTP/S to change the password.

For details of reusing passwords, refer to Prohibiting Password Reuse.

Banning an IP Address that Uses an Invalid Account

EFT can add an IP address to the Site's IP ban list when a specified number of invalid login attempts occur over a specified period when a non-existing username was supplied. The offending IP address is added to the Site's IP address ban list. (The Site's IP address ban list can be viewed and managed on the Site's Connections tab.)

To automatically ban an IP address after a number of invalid login attempts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site.

3. In the right pane, click the Security tab.

4. In the Password Security area, next to Invalid login options, click Configure. The Login Security Options dialog box appears.

5. Select the Ban IP address check box, then specify the number of invalid login attempts and number of minutes during which to count the invalid logins.

6. Click OK to save the changes and close the dialog box.

7. Click Apply to save the changes on EFT.


The settings above (6 invalid login attempts over a 5-minute period) cause the IP address to be added to the ban list after the 6th attempt (n+1). The values are the maximum failures ALLOWED before the IP address is banned. After the 6th login failure, the IP address would be banned.

• In EFT 6.2 and later and DMZ Gateway 3.0 and later, EFT communicates the new IP address to the DMZ Gateway, and these attempts are rejected at the edge/DMZ.

• In EFT 6.1 and DMZ Gateway 2.0, the IP address is added to the ban list, but the list is not communicated to the DMZ Gateway until the next EFT/DMZ Gateway reconnect.

• If a hacker is using a legitimate username, but is running through a list of passwords, the IP address will be banned, but the legitimate user account is not disabled or locked out. The legitimate user can still log in from a valid/non-banned IP address. The IP access/ban list displays newly added IP addresses. (You have to press F5 to refresh to ensure that it displays the current set of IP addresses. The GUI does not refresh automatically.)

Prohibiting Password Reuse

You can configure EFT to remember a user account's previous passwords and not allow a user to submit a new password that is the same as any of the last 4 to 99 prior passwords for that account. You can set this at the Site, Settings Template, and user accounts.

On a high security-enabled Site, password history is enabled by default. If a user attempts to change a password to one of the specified number of passwords previously used for that account, EFT denies the password change request. The option is available at the Site, User Setting, and per user.

EFT validates any password change attempt for reuse (no special casing), whether via COM or the Administrator, resulting in a prompt (in the Administrator) or an error code (COM).

The password history is reset when transitioning from a non-PCI state to a PCI state. For example, if you disable this option, click Apply, then re-enable the option, and then click Apply again, the count is started over (the password history is discarded when the option is disabled.)

To enable enforcement of password history

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure.

3. In the right pane, click the Security tab.

4. Select the Prohibit reuse of previous check box, then type the number of passwords to remember.

The number of iterations does not include the current password. For example, if you set password history to 4, and a password change attempt is made, EFT first determines whether the new password matches the current password, then evaluates whether the new password matches any of the previous 4 passwords.

5. Click Apply to save the changes on EFT.

Password Reuse Warnings

The following password-reuse violations cause warning messages to appear:

• On a high security-enabled Site, if you disable enforcing password history, a warning message appears.

• If enforcing password history is enabled and a password change request is made by the end-user (either by a user-initiated password reset or a forced reset), and the new password is the same as any of the specified number of previous passwords, EFT rejects the password change attempt. If a password change attempt over HTTP/S fails due to reuse, a warning message appears.


• If a user logged in via FTP attempts to change the login password without being prompted (i.e., not a forced reset), and the password fails due to reuse, EFT rejects the password change, but the user may continue the FTP session. If the change attempt was due to a forced reset (i.e., require password change on initial login), the user will not be allowed to continue their session until a valid password is provided.

• If a password change attempt over SFTP fails due to reuse, EFT rejects the change and prompts the user to resubmit a valid password. The user is not allowed to continue until a valid password is provided.

• If a password change attempt in the Administrator Login dialog box fails due to reuse, EFT rejects the change attempt, and a warning message appears.

Changing a User’s Password

You can change users' passwords from within the administration interface. When a new password is created, EFT determines whether the password meets complexity and reuse requirements.

The change password function supports user principal and common names (AD/LDAP). That is, it supports UPN (e.g., [email protected]; looks like an e-mail address) and CN (e.g., jdoe).

For high security-enabled Sites, you cannot manually create a password; the only option is to click Generate to create a unique, complex password.

If enabled, users can change their passwords in the Web Transfer Client and on the account management web page. (On AD/LDAP Sites, if you have enabled the "User must change password at next logon" feature in AD, you must enable (set to "on") the registry setting described in KB article 10516. If you have enabled the "User cannot change password" feature in AD, users will not be able to change their passwords.)

To change a user's password

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user you want to configure.

3. In the right pane, click the General tab.

4. Click Change Password. The Change User Account Password dialog box appears.

5. Do one of the following:

• In the New password and Confirm password boxes, type and confirm the password. (Not available for high security-enabled Sites.)

• Click Generate. A complex password is generated and entered in the New password and Confirm password boxes.


6. Click the Password type list to specify a type from the following:

• Standard - A plain text password is required.

• Anonymous - Any password, including nothing, allows an anonymous connection.

• Anonymous (Force e-mail) - Any well-formed e-mail address is the password.

• OTP S/KEY MD4 - Used for logging in to an OTP-enabled server.

• OTP S/KEY MD5 - Used for logging in to an OTP-enabled server.

PCI DSS requirements state that you should not use group, shared, or generic accounts and passwords. To address this requirement, EFT hides the Anonymous password type for high security-enabled Sites anywhere that the password type is selectable, or if Enforce Strong Passwords is enabled.

7. To e-mail the user's password, type the e-mail address and select the E-mail login credentials check box. If the e-mail address is configured in the User Details, the E-Mail Address box is completed automatically. If you type an invalid e-mail address, an error message appears. (SMTP must be configured on EFT to e-mail the user.)

8. Click OK. The Change User Account Password dialog box closes and the e-mail is sent, if configured.

9. Click Apply to save the changes on EFT.

E-mailing Users' Login Credentials

When you create a user or change a user's password, EFT can e-mail the login credentials to the user.

The option is enabled by default. You can also specify whether to send the username and password in the same e-mail or in separate e-mails, or to send only the username. The e-mail consists of a basic message with dynamic tags for username and password. The e-mail text is defined on the Server. Refer to Editing the User Login Credentials Message for details.

To specify e-mail options

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. Select the Enable option to e-mail users their login credentials check box, then specify one of the e-mail options:

• e-mail both username and password together

• e-mail the username and password in separate e-mails

• e-mail the username only

5. Click Apply to save the changes on EFT.

You can send a password to a user at any time (e.g., after you've created the account or changed the password).

To e-mail a user a password

1. In the Change User Password dialog box or the New User Account Setup wizard, type the user's e-mail address, and then select the E-mail login credentials check box.

2. EFT sends the password to the user's e-mail address when you click OK in the Change User Password dialog box or Finish in the New User Account Setup wizard.


Expiring Passwords for the User

The HSM provides a method for resetting the password via FTP and SFTP. (If you do not activate the HSM, this feature is disabled after the 30-day trial expires.)

To expire a password after <n> days

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure, and then click the Security tab.

3. If Password expiration options is not available, select the Allow users to reset their passwords check box.

4. Next to Password expiration options, click Configure. The Password Expiration dialog box appears.

5. To expire the password after a certain number of days, select the Expire passwords in check box, and then specify the number of days.

6. Do either or both of the following:

• To send an e-mail when the password is about to expire, select the Send user an e-mail prior to expiration check box.

• To send an e-mail when the password has expired, select the Send user an e-mail upon expiration check box.

7. Click OK to close the dialog box.

8. Click Apply to save the changes on EFT.

If reminders are enabled, users are prompted when their account passwords are about to expire and after the account is expired.

The text of the password expired message, below, is stored by default in %systemroot%\ProgramData\Globalscape\EFT Enterprise\PasswordResetMsg.html.

%full_name%, The password for account: %username% has expired. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience:
1. Please enter the following URL into your browser: %reset_page%
2. Supply your current password when prompted
3. Enter your new password and confirm
4. If approved, exit the browser and login as normal.

The text of the password expiration reminder message, below, is stored by default in %systemroot%\ProgramData\Globalscape\EFT Enterprise\PasswordResetReminderMsg.html.

%full_name%, The password for account: %username% will expire in %days_left% days. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience:
1. Please enter the following URL into your browser: %reset_page%
2. Supply your current password when prompted
3. Enter your new password and confirm
4. If approved, exit the browser and login as normal.

On Sites defined using the "strict security settings," users are forced to change their passwords on first use. Each day, EFT also checks whether passwords are <n> days from expiration, and those passwords are flagged for reminders, if reminders are enabled. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the reset page.

After the user creates a new password, they are returned to the index page.


If a user with an expired password logs in over FTP, the user is prompted that the password is expired and must be reset. Until the password is successfully changed, EFT will not process any commands other than changing the password or exiting. If a user with an expired password logs in over SFTP, the user is forced to reset the password before continuing with the login process.

When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:

• In HTTPS and SFTP, the authentication request will be denied.

• In FTP, no further FTP commands will be accepted until a new password is provided that meets complexity and password history requirements, if those features are enabled.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

There is no way to ask FTP users to change their password prior to logging in. EFT must allow them to login (authenticate), but then prevents any further interaction with their session until they change their password.

You can edit the HTML file for the password messages; however, be sure not to change the variables, which are enclosed in percent signs (%text%).

If Expire password in N days is enabled, \manageaccount and the reset page are enabled, the password has expired, and the user logs in with an expired password, EFT automatically redirects the authenticated user to the reset page. (In HTTPS, the user is redirected to the reset page on the HTTPS port.)

• When resetting passwords, all password complexity requirements, reuse history, and cyclical password-use checks apply, if those settings are enabled in the administration interface.

If a Site is running in PCI DSS (high security) mode, warnings will appear when you enable or disable settings that may take you out of compliance.

Changing an AD Password via the Java-Enabled Web Transfer Client

Active Directory (AD) and LDAP Site users can change their AD password through the Web Transfer Client (WTC). If changing the password is disabled by EFT, the Change Password button is not available.

Two registry scripts are provided to enable/disable the password change feature. These registry scripts are located in the EFT Server installation directory, in the \web\public\EFTClient subdirectory.

Refer to the Knowledgebase article "Changing a User Password on AD/LDAP Sites" for details.

AD Password Expiration

On NTAD/LDAP Sites, you can configure EFT through a registry key setting to send an e-mail notifying users that their password is about to expire in <n> days. Without this value, EFT (for AD/LDAP Sites) will not attempt to check password status or send notification e-mails. If the user's password expiration date matches any of the list of days in the registry key, a notification e-mail will be sent to the user’s e-mail address specified in the E-Mail address field of the user's AD account. This default setting sends e-mail notifications 30 days, 15 days, 10 days, 5 days, and 1 day before the password expires. You can edit the number of days and frequency to send notifications.


EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.

EFT must have the "Log On as a domain user" permission for e-mail notifications to work.

In the Client directory of the Server installation folder, the file PasswordChg_EmailInterval.reg provides a script to write the following key to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape Inc.\EFT 4.0\EFTClient]

"PasswordChg_EmailInterval"="30:15:10:5:1"

The string value is in the format of d1:d2:d3 etc. For example, the 30, 15, 10, 5, 1 interval values will be represented by 30:15:10:5:1. It can also be a single value, such as 25, which would send only one email notification on the 25th day before expiration. If the string value is empty, no notifications are sent.

(On a 64-bit OS, use the path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 4.0\EFTClient].)

This feature can be turned off by running the PasswordChg_EmailInterval_None.reg script or setting the value of PasswordChg_EmailInterval to null (empty string). When the feature is turned off, notification e-mails are no longer sent to users when their passwords expire. (Both scripts are installed in the \Client directory).
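The d1:d2:d3 format above is easy to get wrong by hand, and a malformed value is worth catching before it silently suppresses reminders. The following is an added example, not Globalscape code: it parses the PasswordChg_EmailInterval string as the documentation describes it and works out, for a given expiration date, on which days a reminder would be sent. The function names and the sample dates are constructed for illustration; only the value name and its format come from the documentation.

```python
"""Parse EFT's PasswordChg_EmailInterval value and decide when a reminder is due.

Added example, not Globalscape code. The registry value name and the d1:d2:d3
format come from the EFT documentation; the function names and sample dates
are assumptions constructed for illustration.
"""
from __future__ import annotations

from datetime import date, timedelta

REGISTRY_VALUE_NAME = "PasswordChg_EmailInterval"  # from the EFT documentation


def parse_email_interval(value: str) -> list[int]:
    """Turn "30:15:10:5:1" into [30, 15, 10, 5, 1].

    An empty string means the feature is off and yields []. Non-numeric or
    zero entries raise rather than being skipped, so a typo in the registry
    does not quietly drop a reminder threshold. Duplicates are collapsed.
    """
    value = value.strip()
    if not value:
        return []
    days: set[int] = set()
    for part in value.split(":"):
        part = part.strip()
        if not part.isdigit() or int(part) == 0:
            raise ValueError(f"{REGISTRY_VALUE_NAME}: bad entry {part!r} in {value!r}")
        days.add(int(part))
    return sorted(days, reverse=True)


def is_valid_interval(value: str) -> bool:
    """True when the string would be accepted by parse_email_interval."""
    try:
        parse_email_interval(value)
        return True
    except ValueError:
        return False


def days_until_expiry(expires_on: str, today: str) -> int:
    """Whole days between two ISO dates (YYYY-MM-DD); negative once expired."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days


def reminder_due(value: str, expires_on: str, today: str) -> bool:
    """A reminder fires only on a day that exactly matches a configured entry."""
    return days_until_expiry(expires_on, today) in parse_email_interval(value)


def reminder_dates(value: str, expires_on: str) -> list[str]:
    """All dates on which a reminder would be sent for this expiration date."""
    exp = date.fromisoformat(expires_on)
    return [(exp - timedelta(days=d)).isoformat() for d in parse_email_interval(value)]
```

Because the check runs once a day and fires only on an exact match, an entry such as 30 produces a single reminder on the one day that is 30 days before expiry; a thicker list (the default 30:15:10:5:1) is what gives users more than one chance to act.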

When the password has expired or if the password must be changed at the first login, the following message appears:

Your password has expired. Please create a new password that meets AD complexity requirements.

EFT sends the message and logs the password checking activity, including whether e-mails are sent.

Generating a List of Expired User Accounts and Expiration Dates

EFT Administrators may need to retrieve a list of expired user accounts and view the expiration date of user accounts. This functionality is not yet available in EFT or the Auditing and Reporting module.

However, there are commands in the COM interface that can provide this information.

For details of using COM, refer to Globalscape Server COM API. The details of how to get a list of expired accounts are below.

Below is an example for advanced users who can use the example as a guide to creating their own scripts. If you need assistance with creating custom scripts, please contact Globalscape Professional Services.

Determining the Expiration Date for a User Account (GetExpirationDate)

Use the ICIClientSettings interface GetExpirationDate method to determine the expiration date for a particular user account; set it with SetExpirationDate.

Signature:

HRESULT GetExpirationDate(
    [out] VARIANT *dDate,
    [out, retval] VARIANT_BOOL *pVal);

dDate returns a string value, for example "4/29/05".

Example:

Dim strUser: strUser = "test"
Set oUserSettings = oSite.GetUserSettings(strUser)
dtAccExpDate = oUserSettings.GetExpirationDateAsVariant()
WScript.Echo ("dtAccExpDate = " & dtAccExpDate)


In many non-windows environments, "KMarsh" and "kmarsh" are two different usernames, and case matters.

GetUserSettings is case insensitive (in versions 5.2.5 and later). That is, with this method, "KMarsh", "KMARSH", and "kmarsh" are all the same user account.

Example Script

The example VB script provided below retrieves user accounts and expiration dates and writes them to a Microsoft Excel spreadsheet. (Of course, Excel must be installed on the computer on which you are running the script.)

To use the script

1. Copy the script below into a VB script editor.

2. In the section that contains EFT address and administrative login, provide your Server address and port and the administrator username and password.

'Get Server address and administrative login

txtServer = "localhost"

txtPort = "1100"

txtUserName = "root"

txtPassword = "root"

3. Execute the .vbs file.

-----------------------------------------------------------START--------------------------------------------------------

' Declare variables
Dim CRLF
Dim EFTServer
Dim Sites, Site, arUsers
Dim objExcel, oUserSettings, dtAccExpDate, j
Dim txtServer, txtPort, txtUserName, txtPassword

'Create the COM Object
Set EFTServer = CreateObject("SFTPCOMInterface.CIServer")

CRLF = (Chr(13) & Chr(10))

'Get Server address and administrative login
txtServer = "localhost"
txtPort = "1100"
txtUserName = "root"
txtPassword = "root"

'Connect to Server
On Error Resume Next
EFTServer.Connect txtServer, txtPort, txtUserName, txtPassword
If Err.Number <> 0 Then
    MsgBox "Error connecting to '" & txtServer & ":" & txtPort & "' -- " & Err.Description & " [" & CStr(Err.Number) & "]", vbInformation, "Error"
    WScript.Quit(255)
End If
'Stop ignoring errors once the connection is established
On Error GoTo 0

Set Sites = EFTServer.Sites

'Set Site to the first Site in the list on the server
Set Site = Sites.Item(0)

'Open Excel and add a workbook to receive the results
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

'Retrieve the user names defined on the Site
arUsers = Site.GetUsers()

For j = LBound(arUsers) To UBound(arUsers)
    'Name in first column
    objExcel.Cells(j+1, 1).Value = arUsers(j)

    'Expiration date in second column
    Set oUserSettings = Site.GetUserSettings(arUsers(j))
    'boolAccExp = oUserSettings.GetExpirationDate
    dtAccExpDate = oUserSettings.GetExpirationDateAsVariant()
    If (dtAccExpDate = "12:00:00 AM") Then
        objExcel.Cells(j+1, 2).Value = "not set to expire"
    Else
        objExcel.Cells(j+1, 2).Value = dtAccExpDate
    End If
Next

'Size the columns to fit their contents
objExcel.Columns("A:B").EntireColumn.AutoFit

'Close COM connection
EFTServer.Close

'Release interfaces
Set oUserSettings = Nothing
Set Site = Nothing
Set Sites = Nothing
Set EFTServer = Nothing

WScript.Quit(0)

--------------------------------------END----------------------------------------------

Disabling or Locking Out an Account

EFT can automatically disable or lock out user accounts after a specified number of bad-password login attempts within a specified time. This feature can be enabled for a Site, Settings Template, and/or per user.

Once an account is disabled, you can re-enable the account on the General tab of the user.

PCI DSS requires that you limit repeated access attempts by locking out a user after no more than six attempts, and that you set the lockout duration to thirty minutes or until an administrator enables the user account. On a high security-enabled Site, if you clear the Disable/Lockout check box or set the maximum login attempts to a value greater than 6, a warning appears.

To disable or lockout an account after a defined number of incorrect login attempts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user that you want to configure.

3. In the right pane, click the Security tab.

4. In the Password Security area, next to Invalid login options, click Configure. The Login Security Options dialog box appears.

5. Select the check box next to Lockout, then specify the following:

• Whether to Disable or Lockout the account

• Number of minutes to lock out the account (30 minutes is the default)

• Number of invalid login (bad password) attempts after which to disable or lock out the account (6 attempts is the default)


• Number of minutes during which to count the invalid login attempts (5 minutes is the default)

6. Click OK to save the changes and close the dialog box.

7. Click Apply to save the changes on EFT.
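The three settings in this dialog box (attempts, counting window, lockout duration) interact in a way that is easier to see in code. The following is an added example, not EFT's own code: a sliding-window bad-password counter using the documented defaults (6 attempts in 5 minutes, 30-minute lockout, or disable until an administrator re-enables), replayed over a constructed authentication log. Class name, method names and the log lines are assumptions made for illustration.

```python
"""Sliding-window lockout counter with the EFT defaults (added example, not EFT code).

Defaults from the documentation: 6 invalid attempts within 5 minutes lock the
account for 30 minutes, or disable it until an administrator enables it again.
The class, method names and SAMPLE_LOG below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLockoutPolicy:
    def __init__(self, max_attempts: int = 6, window_minutes: int = 5,
                 lockout_minutes: int = 30, disable_instead: bool = False):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.disable_instead = disable_instead
        self._failures: dict[str, deque] = defaultdict(deque)  # user -> failure times
        self._locked_until: dict[str, datetime] = {}
        self._disabled: set[str] = set()

    def status(self, user: str, now: datetime) -> str:
        """'active', 'locked' (time-limited) or 'disabled' (until admin action)."""
        if user in self._disabled:
            return "disabled"
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[user]  # lockout period has elapsed
        return "active"

    def bad_password(self, user: str, now: datetime) -> str:
        state = self.status(user, now)
        if state != "active":
            return state  # already locked/disabled: nothing further is counted
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()  # only failures inside the counting window matter
        if len(q) >= self.max_attempts:
            q.clear()
            if self.disable_instead:
                self._disabled.add(user)
                return "disabled"
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "active"

    def good_password(self, user: str, now: datetime) -> bool:
        """A correct password is still refused while locked or disabled."""
        if self.status(user, now) != "active":
            return False
        self._failures.pop(user, None)
        return True

    def admin_enable(self, user: str) -> None:
        self._disabled.discard(user)
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def replay(log_lines: list[str], **policy_kwargs) -> list[str]:
    """Feed constructed 'timestamp user EVENT' lines through the policy.

    EVENT is FAIL (bad password), OK (correct password) or ENABLE (administrator
    re-enabled the account). Returns the account state after each line.
    """
    policy = LoginLockoutPolicy(**policy_kwargs)
    outcomes = []
    for line in log_lines:
        stamp, user, event = line.split()
        now = datetime.fromisoformat(stamp)
        if event == "FAIL":
            outcomes.append(policy.bad_password(user, now))
        elif event == "OK":
            policy.good_password(user, now)
            outcomes.append(policy.status(user, now))
        elif event == "ENABLE":
            policy.admin_enable(user)
            outcomes.append(policy.status(user, now))
        else:
            raise ValueError(f"unknown event {event!r}")
    return outcomes


# Constructed sample log, not real EFT output.
SAMPLE_LOG = [
    "2015-12-21T10:00:00 jsmith FAIL",
    "2015-12-21T10:00:10 jsmith FAIL",
    "2015-12-21T10:00:20 jsmith FAIL",
    "2015-12-21T10:00:30 jsmith FAIL",
    "2015-12-21T10:00:40 jsmith FAIL",
    "2015-12-21T10:00:50 jsmith FAIL",  # sixth bad password inside five minutes
    "2015-12-21T10:01:00 jsmith OK",    # right password, but the account is locked
    "2015-12-21T10:31:00 jsmith OK",    # lockout has lapsed after 30 minutes
    "2015-12-21T10:00:00 bob FAIL",
    "2015-12-21T10:06:00 bob FAIL",
    "2015-12-21T10:12:00 bob FAIL",
    "2015-12-21T10:18:00 bob FAIL",
    "2015-12-21T10:24:00 bob FAIL",
    "2015-12-21T10:30:00 bob FAIL",     # six failures, never six within five minutes
]
```

The bob entries show why the counting window matters: a slow guessing pattern spaced wider than the window never trips a lockout, so the window should be sized against the attempt rate you actually see in your logs rather than left at the default without thought.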

Encrypting Passwords

EFT provides the following password-encryption features:

• Two-way Twofish cipher on passphrases that must be reversible

• One-way hash for passphrases that do not need to be reversible

• Encryption of all passwords used in the following areas:

o ClientFTP.dll client authentication

o Authmanager.dll for AD, ODBC, and LDAP authentication

o PGP private key passphrases

o ARM connection string password

The PCI DSS states that you should encrypt all passwords during transmission and storage on all system components.

Using Login Credentials in Event Rules

User name and password variables are used by Event Rules to use a single Event Rule to support multiple users with a single Copy/Move Action. This allows EFT to store user name and password variables in memory for the duration of a client session. You can enable or disable this feature on the Site. The default is disabled. For more information on using this in an Event Rule, refer to Copy/Move File to Host Action.

To persist login credentials in memory for use in Event Rules

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. Select the Persist username and password credentials for use in Event Rule context

variables check box.

5. Click Apply to save the changes on EFT.

Allowing user name and password replacement variables introduces a potential security vulnerability, because it allows passwords to reside in memory on EFT.

The risk is low, but should be avoided unless you require the variables for an Event Rule.


Account Security Settings

These topics provide the procedures for configuring account security on the Site.

Automatically Creating a Home Folder for New Users (Site)

EFT can automatically create a home folder for new users, and grant full permissions to those users in their home folders. You can set this on the Site, Settings Template, and/or for each user. Each child inherits from its parent, but you can override that setting.

To automatically create home folders for new users on the Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure, and then click the Security tab.

3. In the Account Security area, select the Automatically create a home folder for newly added users check box.

4. To allow the users full permissions in their folders, select the Grant full permissions to users in their home folder check box.

5. Click Apply to save the changes on the Server.

Deleting or Disabling Inactive User Accounts

EFT allows you to automatically disable or remove accounts that have been inactive for a period that you specify (1 to 365 days). You can configure account security on the Site, Settings Template, and per user. The deletion of accounts is captured in the Auditing and Reporting database for reporting.

Deleting a user account deletes the account from the authentication manager, but does not delete the user's home folder or its contents.

When a high security-enabled Site is created in the Site Setup wizard, the option to delete inactive user and administrator accounts after 90 days is enabled by default. If during Site setup EFT detects that one or more administrator accounts already exist, and that the option to delete administrator accounts after 90 days is not enabled or set to a value greater than 90 days, you are prompted to enable or change that setting.

If a Server administrator attempts to log in from a remote system via the administration interface and the password was incorrect or the username does not exist (either because it never existed or because it was removed), when you click Apply, EFT does not commit the change, and a warning message appears. In the message that appears, you can accept the non-compliant setting and provide a reason for using this setting (e.g., if you are using an alternate solution), or discard the change. If you accept the change and provide a reason, a warning message and the reason that you provided appear in the PCI DSS Compliance report.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.


Any transition from a non-PCI DSS compliant state to a PCI DSS compliant state, or a change in any date-sensitive value, resets all date-value calculations. For example, on a high security-enabled Site, if the administrator disables Remove inactive admin accounts after 90 days, clicks Apply, and then immediately re-enables that option, the date values for all administrator accounts are reset from the time the option is enabled, even if the last login dates for those administrators were <n> days ago. The same reset occurs if you change the password reset period from 30 days to 60 days; that is, the change itself resets all the time-based values for that feature.

To specify automatic deletion or disabling of inactive user accounts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site, Settings Template, or user account that you want to configure, and then click the Security tab.

3. In the Account Security area, select the Disable/Remove account after <n> days of inactivity check box.

4. Click the list to specify Disable or Remove.

5. Specify the number of days of inactivity after which the account is deleted or disabled. You can specify from 1 to 365 days. 90 days is the default, per PCI DSS 8.5.5.

6. Click Apply to save the changes on EFT.

On a high security-enabled Site, if you do any of the following and then click Apply, EFT does not commit the change, and a warning message appears.

• Disable the disable/remove inactive account option for administrators or regular users

• Set the inactivity period to a value > 90 days of inactivity

• Change the setting from "remove" to "disable"

In the message that appears, you can discard the change or accept the non-compliant setting and provide a reason for using this setting (e.g., if you are using an alternate solution). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance report.

Data Security Settings

These topics provide the procedures for configuring data security on the Site.

Banning Unwanted File Types

EFT can block the upload or download of certain files. You can specify which files to block using wildcards or exact file names.

For example, to block a file called virus.wav, you can type any of the following:

• virus.wav (blocks the specific file)

• *.wav (blocks all wav files)

• *.wa? (blocks all files whose extension is wa followed by any single character)

Take care when defining files to block using wildcards so that you do not block files that you want to allow.
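To see what a wildcard entry actually catches before you save it, it helps to run it against a listing of files you expect to allow. The following is an added example, not Globalscape code, that matches file names against a comma-separated banned list using only the wildcard semantics given above (* for any run of characters, ? for exactly one). The function names and the sample file names are assumptions constructed for illustration.

```python
"""EFT-style banned-file wildcard matching (added example, not Globalscape code).

Assumed from the documentation only: '*' matches any run of characters, '?'
matches exactly one, entries are comma-separated and are matched against the
file name. Function names and sample names are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Optional


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate one banned-file entry into an anchored, case-insensitive regex.

    Case-insensitive because entries are matched against Windows file names;
    every character other than * and ? is taken literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_banned_list(text: str) -> list[str]:
    """Split the comma-separated contents of the Banned File Types box."""
    return [entry.strip() for entry in text.split(",") if entry.strip()]


def banned_by(filename: str, banned_list: str) -> Optional[str]:
    """Return the entry that blocks `filename`, or None if it is allowed."""
    for entry in parse_banned_list(banned_list):
        if wildcard_to_regex(entry).match(filename):
            return entry
    return None


def collateral(entry: str, sample_names: list[str]) -> list[str]:
    """Which of a set of file names an entry would also block.

    '*.wa?' blocks 'report.war' as well as 'virus.wav', which is the kind of
    overreach worth checking against a real directory listing first.
    """
    rx = wildcard_to_regex(entry)
    return [name for name in sample_names if rx.match(name)]
```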


To ban files

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. In the Data Security area, next to Banned file types, click Configure. The Banned File Types dialog box appears.

5. Select the Exclude the following files from the Site check box, then type the filename or wildcard representation (*.mp3 or *.mp?) for the file(s) you want to exclude from the Site.

Separate multiple entries with commas.

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

Setting OpenPGP Security for the Site

This procedure describes setting OpenPGP security for the Site. For details of OpenPGP, refer to The OpenPGP Module.

To set OpenPGP security

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. In the Data Security area, next to OpenPGP security, click Configure. The OpenPGP Security dialog box appears.


5. If an OpenPGP key pair is defined on EFT, click the Default Site key pair drop-down menu and click the key. Otherwise, click Create and follow the instructions in Creating Key Pairs for OpenPGP, or click Manage and follow the instructions in Importing and Exporting Key Pairs for OpenPGP.

6. In the Private key passphrase box, provide the passphrase for the selected key. Select the Hide typing check box if you do not want the passphrase to be viewable.

7. Select the Enable debug logging check box if you want to log errors, and then click the drop-down menu to specify the level of logging: 0 (minimum logging), 1, or 2.

• If you select the Enable debug logging check box, you can select the Enable dynamic log file name check box to add the date to the file name.

8. In the Log file path box, specify where to save the log file.

9. Click OK to save the changes.

10. Click Apply to save the changes on EFT.

Specifying File Deletion Options

EFT's HSM provides a data sanitation/data wiping option. If you do not activate the HSM, this feature is disabled after the 30-day trial expires.

You can configure EFT to securely delete or purge a file by writing over the initial data using encrypted and/or pseudorandom data. A menu of purging methods is available; available options depend on the library used.

• The 3-pass DoD method overwrites all addressable locations with a character and its complement, then a random character, and does this three times.

• The pseudorandom data wiping method does the following:

1. Initializes the wincrypt library

2. Fills the file with randomly generated data from the wincrypt library

3. Flushes the data to disk

4. Deletes the file from file system calling the standard function DeleteFile()

*.pgp files are automatically excluded from the wipe process. When wipe is enabled, ANY delete operation also includes the wipe (sanitization) process.

You can specify which files EFT is to purge, including client-initiated delete commands, source files after a successful OpenPGP encrypt operation, source files after a move command across partitions/drives, and others.
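The two overwrite methods described above (a character, its complement, then random data; or a single pseudorandom pass, each flushed to disk before the standard delete) can be reproduced in a few lines. The following is an added example, not EFT's code: it implements both sequences on a scratch file, honours the *.pgp exclusion, and uses os.urandom in place of the wincrypt library. Function names, the method labels and the scratch-file helpers are assumptions made for illustration.

```python
"""Overwrite-then-delete in the two sequences the EFT dialog describes.

Added example, not EFT code. os.urandom stands in for the wincrypt library;
the method labels ("windows", "pseudorandom", "dod3") and helper names are
assumptions constructed for illustration.
"""
from __future__ import annotations

import os
import tempfile

CHUNK = 64 * 1024
EXCLUDED_SUFFIXES = (".pgp",)  # per the documentation, *.pgp files are not wiped


def overwrite_in_place(path: str, passes: list) -> int:
    """Overwrite every byte of the file once per entry in `passes`.

    An entry is a byte value (0-255) to fill with, or None for CSPRNG data.
    Each pass is flushed and fsync'd so it reaches the disk before the next
    pass or the delete. Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(os.urandom(n) if fill is None else bytes([fill]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def secure_delete(path: str, method: str = "windows", char: int = 0x55) -> str:
    """Delete `path` using one of the three methods named in the EFT dialog.

    Returns the method actually applied: excluded suffixes always fall back
    to a plain delete, as the documentation describes for *.pgp files.
    """
    if path.lower().endswith(EXCLUDED_SUFFIXES):
        method = "windows"
    if method == "pseudorandom":
        overwrite_in_place(path, [None])
    elif method == "dod3":
        # a character, its complement, then random data (3-pass DoD 5220.22-M)
        overwrite_in_place(path, [char, char ^ 0xFF, None])
    elif method != "windows":
        raise ValueError(f"unknown delete method {method!r}")
    os.remove(path)  # the standard delete, as in the last step described above
    return method


# Scratch-file helpers so the behaviour can be exercised on a throwaway file.
def make_scratch_file(data: bytes, suffix: str = ".dat") -> str:
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def read_bytes(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def file_exists(path: str) -> bool:
    return os.path.exists(path)
```

Overwriting in place only helps where the file system really writes the new data over the old blocks. On SSDs with wear levelling, and on copy-on-write or snapshotting file systems, the previous contents can survive the overwrite, which is the point of the data remanence references given at the end of this topic.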

To specify a delete method

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Security tab.

4. In the Data Security area, next to Secure data removal, click Configure. The Data Sanitation dialog box appears.


5. In the Delete method box, click the list to specify one of the following methods:

• Windows standard (fastest)

• Pseudorandom data (medium)

• 3-pass DoD 5220.22-m (slow)

6. Click OK to close the dialog box.

7. Click Apply to save the changes on EFT.

8. A message appears when the purging mechanism is changed to anything other than the Windows standard delete method.

For further reference regarding data wiping, see the following articles:

(These links are outside of Globalscape's domain and could change.)

• Data remanence: http://en.wikipedia.org/wiki/Data_remanence , specifically the section titled "Standard Patterns for Purging": http://en.wikipedia.org/wiki/Data_remanence#Standard_patterns_for_purging

• US DoD 5220.22-M Standard, defined in the US National Industrial Security Program Operating Manual of the US Department of Defense: http://en.wikipedia.org/wiki/National_Industrial_Security_Program

• "Secure Deletion of Data from Magnetic and Solid-State Memory": http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/


Permission Groups

These topics provide information for creating and managing Groups in the administration interface.

Introduction to Permission Groups

Just as User Settings Templates control access to EFT resources, such as bandwidth allowances and connectivity privileges, the Permission Groups control access to files and folders. Permission Groups set user virtual file system (VFS) permissions to folders. EFT creates the following default Groups for every Site: Administrative, All Users, and Guests. You can create new Groups and/or modify the settings for the default Groups. Consider your security and access needs, configure Groups according to those needs, then add users to the Groups based on the permissions that you want to allow. The Groups node appears in the left pane under the Site node on the Server tab. (You cannot move Groups between Sites.)

To specify user permissions

1. Create a Group (on the Server tab)

2. Add users to the Group (on the Server tab)

3. Add the Group to the Permissions pane (on the VFS tab)

4. Set the Group's VFS permissions (on the VFS tab)

To view Group permissions

1. In the administration interface, connect to EFT, then click the VFS tab.

2. In the left pane, click a folder. The default Groups appear in the Permissions pane. Groups that you have defined on the Site do not appear in the Permissions pane until you add them.


The default All Users and Guests Groups have minimal permissions; the Administrative Group has every permission. The letters and their organization in the Permissions column (UDADRSCDLHO) represent the permissions that are enabled:

U = Upload

D = Download

A = Append

D = Delete

R = Rename

S = Show this folder in parent list (show the folder selected in the left pane)

C = Create Folder

D = Delete Folder

L = Show files and folders in list

H = Show hidden (Show files and folders in list must be selected)

O = Show read only (Show files and folders in list must be selected)

If the permission is not enabled, two dashes appear instead of the letter. The default Groups have the following permissions, but you can edit them to suit your needs:

Administrative = UDADRSCDLHO; every permission

All Users = -- -- -- -- -- -- S -- -- L -- --; Show folder in the parent list and Show files and folders in list

Guests = -- D -- -- -- -- S -- -- L -- --; Download, Show folder in the parent list, and Show files and folders in list

Groups can provide the permissions implied by their name (i.e., the Upload file permission allows users in the Group to upload files; the Delete folder permission allows users in the Group to delete folders). Users' permissions are inherited from the Groups to which they belong. For example, if user jsmith is a member of the Accounting, All Users, and HR Groups, their permissions are combined. The Inherit check box is not available when the root folder (e.g., MySite - Root Folder) is selected.

For detailed descriptions of the permissions, refer to How VFS Permissions Work.


Lost Users in Permission Group

If a Site is stopped (disabled) when the EFT server service is restarted, and the Site is then started (turned on), users are removed from all administrator-added Permission Groups. (The default Permission Groups, Administrative, All Users, and Guests, are unaffected.)

A Site's Permission Group membership is part of the user database. To display the Group's membership, authentication manager synchronization must be performed. Before EFT v6.5, the synchronization was performed automatically on service startup, but in EFT v6.5 and later, Sites that are stopped are not synchronized (i.e., EFT does not pull users from the authentication manager if the Site is disabled).

Workaround: Synchronize the Site's user database manually after turning on the Site, or wait until the "auto-refresh" timer has fired.

Creating Permission Groups

You can create a permission Group and add any users from the Site to a Group. You can then grant permission to folders by Groups rather than granting permissions to each individual user. Refer to Deleting Groups for information about deleting a Group.

To create a permission Group

1. In the administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• Press CTRL+G.

• Right-click in the left pane, and then click New Permission Group.

• On the main menu, click Configuration, and then click New Permissions Group.

• On the Server tab, click the Groups node, then in the right pane, click New.

The Create New Group dialog box appears.

3. In the Site box, click the list to specify the Site for which you want to create the new Group (if you didn't click the Groups node in a Site tree).

4. Type a name for the Group in the Group Name box. For example, type R&D. The Group Name can contain up to 255 characters.

5. Click OK. The new group appears under the specified Site in the Groups node.

Refer to Adding or Removing Users to or from a Group and The Virtual File System for information about users' permissions in relation to their assigned Group(s).

Deleting Groups

Deleting a Group does not delete the users assigned to that Group. You cannot delete the All Users Group.

To delete a group

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Groups node.


3. Do one of the following:

• Expand the Groups node, click the Group you want to delete, and then click the Delete icon or press DELETE on the keyboard.

• In the right pane, click the Group that you want to delete, and then click Remove.

A confirmation prompt appears.

4. Click Yes. The users in the deleted Group retain membership in any other of their assigned Groups and the All Users Group.

Viewing Group Membership

EFT creates the following default permission Groups for every Site: Administrative, All Users, and Guests. User accounts are assigned to the All Users Group automatically. You can create other Groups and add/remove users from Groups. You cannot delete the All Users Group.

The procedure below describes how to view which users are assigned to a selected Group.

To view group membership

1. In the administration interface, connect to EFT and click the Server tab.

2. Expand the Groups nodes, and then click a Group. The Group Membership tab appears.

• The Member of box displays the users assigned to the selected Group.

• The Not a member of box displays the users not assigned to the selected Group.

Adding or Removing Users to or from a Group

When you create a user in the Create New User wizard, you are asked to add the user to a Group. You can later add/remove users to/from Groups on the Group Membership tab or the user's Security tab.

You can add any user to any Group on the same Site. You cannot add users from one Site to a Group on another Site.

If a user does not have individual permissions for a folder and is a member of more than one Group, EFT gives the user the least-restrictive access for the folder. You can individually modify user permissions, and those modified permissions outweigh all Group permissions. For example, if a user is a member of three Groups that all have upload permissions to a particular folder, but you have denied that specific user permission to upload to the folder, then the user cannot upload to the folder.


To move users into or out of a group

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, expand the Groups node, and then click the Group you want to configure.

3. In the right pane, in the Group Membership tab, double-click the user or use the arrows to move the user into or out of the Group. (You can multi-select using SHIFT and CTRL.)

4. Click Apply to save the changes on EFT.

Renaming a Group

When you rename a permission Group, all references to the Group are also updated.

To rename a permission Group

1. In the administration interface, connect to EFT and click the Server tab.

2. Expand the Site node, then expand the Groups node.

3. Click the Group that you want to rename, then do one of the following:

• Click the name. (Do NOT double-click.)

• Right-click the name, and then click Rename.

• On the main menu, click Configuration > Rename Selected.

• Press F2.

The name will become an editable text box.

4. Type the new name in the text box, then press ENTER or click away from the box. The Groups node will automatically resort alphabetically.

Adding a User or Group to VFS Permissions

You can add a user or Group to existing permissions on the VFS tab's Permissions pane. The All Users, Administrative, and Guests Groups are default Groups created by EFT during installation. You can create other Groups on the Server tab. Refer to Permission Groups for more information about Groups. (You must create the user or Group on the Server tab before you can add it to VFS permissions.)

To add user or Group permissions

1. In the administration interface, connect to EFT, and then click the VFS tab.

2. In the left pane, click the folder you want to configure. The right pane displays each of the users and Groups who have permissions on the selected folder.


3. In the right pane, click the user or Group you want to modify or click Add to add a user or Group to assign their permissions on the folder that you clicked in the left pane. The Add User/Group dialog box appears.

4. Do one of the following:

• Click the Groups list to specify a Group to add. Groups that you have defined on the Server tab appear in the Groups box. (Default Groups do not appear, because they are already defined in the Permissions pane.)

• Click the Users list to specify a user to add. Users that you have defined on the Server tab appear in the Users box.

5. In the Permissions area, click one of the permissions:

• Administrator (full permissions)

• Guest (read permissions)

• None

6. Click OK. The user or Group appears in the Permissions pane.

7. Click Apply to save the changes on the server.

For information about viewing a user's VFS home folder from the Server tab or viewing a user's physical home folder in Windows Explorer from the VFS tab, refer to Viewing a User's Home Folder.


Virtual File System

These topics provide information regarding the Virtual File System in EFT, which allows you to grant access to files and folders on your system based on user and Group permissions.

Introduction to the Virtual File System (VFS)

The Virtual File System (VFS) allows you to make files and folders available to EFT users through the granting of permissions. The VFS allows you to create physical folders and virtual folders.

Physical folders are folders you create on the local hard drive from EFT.

Virtual folders refer (point) to existing folders on your computer or another system, similar to a Windows shortcut. Because a virtual folder name is only an alias for the real folder, when you create a virtual folder, you do not have to give it the same name as the folder it references.

On the VFS tab of the administration interface, you can specify which files and folders are available to users, and then specify Group and user permissions for the folders. You make the files, physical folders, and virtual folders available to users by granting permissions based on their Group membership. VFS permissions are constructed to allow users the least restrictive access to folders.

For example, suppose a user is a member of a Group that has read, upload, download, and delete permissions to a folder. Even if the user is a member of another Group that has only download permissions to the same folder, the user will be able to read, upload, download, and delete files from that folder.

User permissions are given priority.

In the folder that the user wants to access, if EFT finds user-specific permissions that are not those from Groups, EFT does not look for any Group permissions. EFT gives priority to individually configured permissions. For example, suppose there is a user with the user name Bob. Bob is a member of two permission Groups that have only download and list permissions for Folder1. However, you have decided to give Bob full permissions for Folder1 without creating a new permission Group. Because EFT looks for these individual user permissions first, Bob will have full permissions for Folder1 no matter how his Group membership is configured. This same rule implies that if Bob has individual permissions that only allow him to download files from that particular folder, it does not matter if he is a member of two Groups that have full permissions for the folder. Bob will only have permission to download files.

If a user does not have individual permissions for a folder and is a member of more than one Group, EFT gives the user the least restrictive access for the folder.

From their Groups, users receive all the permissions available for the folder. For example, suppose a user with the user name Jan is a member of two Groups, Group1 and Group2, that both have permissions for a particular folder, Folder2. If Group1 has download permission and Group2 has upload permission, then Jan will have both upload and download permissions for Folder2.
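As an added illustration (not GlobalSCAPE code and not part of the original guide), the following Python model encodes the two rules described above: an entry configured for the user individually wins outright, otherwise the applicable Group entries are combined into the least restrictive set. The Folder class, the permission names and the Bob, Jan, Group1 and Group2 sample data are constructed for the example. The `users_who_can` helper is also constructed and goes one step beyond the text: it lists every user who ends up with a given permission on a folder, which is the question an administrator reviewing the effect of least-restrictive Group grants usually needs answered.

```python
"""Model of how EFT resolves VFS permissions for one user on one folder.

Added illustration, not GlobalSCAPE code: the Folder class, the permission
names and the Bob/Jan sample data are constructed to mirror the rules in
the guide.
"""
from dataclasses import dataclass, field

# Constructed names for the permission check boxes on the VFS tab.
PERMISSIONS = frozenset({
    "upload", "download", "delete", "rename", "append",
    "delete_folder", "create_folder", "list",
})


@dataclass
class Folder:
    name: str
    user_perms: dict = field(default_factory=dict)   # username -> set of permissions
    group_perms: dict = field(default_factory=dict)  # group name -> set of permissions


def effective_permissions(folder, username, memberships):
    """Return the permissions `username` actually gets on `folder`.

    Rule 1: an entry configured for the user individually wins outright;
            Group entries are not consulted at all, whether the individual
            entry is wider or narrower than the Groups would grant.
    Rule 2: otherwise the user gets the union of all applicable Group
            entries, i.e. the least restrictive combination.
    Rule 3: no individual entry and no Group entry means no access.
    """
    if username in folder.user_perms:
        return frozenset(folder.user_perms[username])
    granted = set()
    for group in memberships.get(username, ()):
        granted |= folder.group_perms.get(group, set())
    return frozenset(granted)


def build_example_site():
    """Constructed sample data for the guide's Bob and Jan examples."""
    folder1 = Folder("Folder1")
    folder1.group_perms = {"Group1": {"download", "list"},
                           "Group2": {"download", "list"}}
    folder1.user_perms = {"bob": set(PERMISSIONS)}      # Bob granted everything directly

    folder2 = Folder("Folder2")
    folder2.group_perms = {"Group1": {"download"}, "Group2": {"upload"}}

    memberships = {"bob": ["Group1", "Group2"], "jan": ["Group1", "Group2"]}
    return folder1, folder2, memberships


def bob_full_access():
    """Bob's individual entry grants everything although his Groups only download/list."""
    folder1, _, memberships = build_example_site()
    return effective_permissions(folder1, "bob", memberships)


def bob_download_only():
    """Variant: Bob's individual entry is narrower than his Groups, and still wins."""
    folder1, _, memberships = build_example_site()
    folder1.group_perms = {g: set(PERMISSIONS) for g in folder1.group_perms}
    folder1.user_perms["bob"] = {"download"}
    return effective_permissions(folder1, "bob", memberships)


def jan_union():
    """Jan has no individual entry, so her two Groups' permissions are combined."""
    _, folder2, memberships = build_example_site()
    return effective_permissions(folder2, "jan", memberships)


def users_who_can(folder, permission, memberships):
    """Audit helper (constructed): every known user whose effective permissions include `permission`."""
    return sorted(u for u in memberships
                  if permission in effective_permissions(folder, u, memberships))


if __name__ == "__main__":
    f1, f2, members = build_example_site()
    print("Bob on Folder1:", sorted(bob_full_access()))
    print("Jan on Folder2:", sorted(jan_union()))
    print("Who can delete in Folder1:", users_who_can(f1, "delete", members))
```

Note that `bob_download_only` is the case most easily missed in a review: an individual entry does not add to the Group grants, it replaces them, so a narrow per-user entry can quietly remove access that every Group the user belongs to would otherwise give.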

The All Users Group is the same as any other Group except that it can't be removed from the root folder permissions list.

You can use the All Users Group to determine inherited permissions from the parent folder. If you change any inherited permissions for the All Users group, EFT displays a confirmation message to make sure you want to change the inherited permissions.

EFT Server supports concurrent administration by multiple administrators for most setting changes, but not for changes made to the VFS. This means that the last committed changes overwrite changes made by other administrators when both administrators are working from the same version of the configuration.


EFT v7.2 User Guide

How VFS Permissions Work

When a user logs in to EFT's Web Transfer Client, the files and folders that the user is allowed to access depend on the permissions assigned on the VFS tab of the administration interface. The VFS tab allows you to enable or disable permissions for a group or a user as described below.

The Inherit Permission and Content settings from parent check box causes the selected folder in the tree to inherit the permissions assigned to its parent folder. For example, if you specify that folder Usr is to inherit the permissions assigned to its parent folder, then Usr has the same permissions as the Site root folder. If you clear the check box, a message appears in which you can copy the parent folder's permissions and then edit them as needed, or remove all inherited permissions. (Refer to Disabling Inheritance in the VFS for more information about inheritance.)

The Encrypt contents (EFS) check box allows you to right-click a folder in the VFS tree (left pane) and encrypt the contents of the selected folder. Refer to Streaming Repository Encryption for details.

Permissions

The check boxes in the Permissions area specify whether a user or group is allowed the permission:

Upload - Allows users to upload to their folder. By default, the Administrators group and the user folders each have Upload permission. (The All Users and Guest groups do not have this permission by default.)

Download - Allows users to download from their folder. By default, the Administrators group, the Guest group, and the user folders have Download permission. (The All Users group does not have this permission by default.)

Delete - Allows users to delete files from the folder. By default, only the Administrators group has this permission.

Rename - Allows users to rename files. By default, only the Administrators group has this permission.

Append - Allows users to add to existing files after resuming an incomplete transfer. By default, only the Administrators group has this permission.

Delete folder - Allows users to delete folders.

Create folder - Allows users to create folders.


Contents

The check boxes in the Contents area specify what users can see in the folder:

Show hidden - Allows users to view hidden folders and files.

Show read only - Allows users to view read-only folders and files.

Show files and folders in list - Allows users to retrieve a directory listing (of files and folders) from the Server. If it is not selected, no files or folders are visible. By default, only the Administrators group has this permission. The Show files and folders in list file permission refers to the user’s ability to retrieve a directory listing from EFT. If this option is enabled, the user is able to see a list of files in the directory. If it is disabled, no files or directories will be visible.

(Refer to the example below for more information.)

Show this folder in parent list - Allows users to view the folder when the parent directory's listing is retrieved. The Show this folder in parent list permission is a bit more complex in that the permission corresponds to whether the directory is visible when a directory listing is retrieved in the parent directory. The interaction between inheritance and this setting can therefore lead to a bit of confusion. (Refer to the example below for more information.)

Within the VFS system, the Show files and folders in list file permission and the Show this folder in parent list folder permission can confuse users as to the intended operation of the server. Let’s use the following folder structure as an example to explain the purpose of these check boxes.

The default folder Usr contains user folders for Alex and Jane.

If you select the Alex folder and disable the Show this folder in parent list permission for user Jane, then when user Jane navigates to the Usr directory and retrieves a directory listing, the folder Alex will NOT appear in her directory listing. To complicate matters, however, Jane still has access to the folder, and if someone tells her to manually navigate to that folder, she will still be able to perform actions within the Alex folder (provided she has appropriate permissions). In this scenario, by default, when user Jane retrieves a directory listing from within the folder Alex, she will only see a list of files in the folder; she will not see any subfolders, because the subfolders incoming, outgoing, and shared have all inherited the disabled Show this folder in parent list setting.

• The Show files and folders in list permission applies to both files and folders in the selected directory.

• The Show this folder in parent list permission applies to the visibility of the selected folder in its parent directory.

• Default inheritance rules will cause the subfolders of a Show this folder in parent list-disabled folder to not display.
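The interaction between the two list settings and inheritance is easier to follow in code. The following Python model is an added example (not GlobalSCAPE code and not part of the guide); the VfsFolder class, the `resolve` inheritance walk and the Usr/Alex/Jane tree are constructed to mirror the scenario above. As a simplification it treats both settings as folder-level values rather than per-user or per-Group entries. It also shows the point the text makes about manual navigation: whether a folder appears in a listing and whether it can be reached are separate decisions, and it goes one step further by showing an explicit override on a subfolder that otherwise inherits the hidden setting.

```python
"""Model of the two listing check boxes and their inheritance in the VFS.

Added example; not GlobalSCAPE code. The VfsFolder class, the inheritance
walk and the Usr/Alex/Jane tree are constructed to mirror the guide's scenario.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VfsFolder:
    name: str
    files: list = field(default_factory=list)
    subfolders: dict = field(default_factory=dict)
    # None means "inherit from parent"; True/False is an explicit setting.
    show_files_and_folders: Optional[bool] = None   # "Show files and folders in list"
    show_in_parent_list: Optional[bool] = None      # "Show this folder in parent list"
    parent: Optional["VfsFolder"] = field(default=None, repr=False)

    def add(self, child):
        child.parent = self
        self.subfolders[child.name] = child
        return child


def resolve(folder, setting, site_default=True):
    """Walk up the tree until a folder carries an explicit value for `setting`."""
    node = folder
    while node is not None:
        value = getattr(node, setting)
        if value is not None:
            return value
        node = node.parent
    return site_default


def directory_listing(folder):
    """What a user sees when listing `folder`: nothing at all if the folder's
    own "Show files and folders in list" is off, otherwise its files plus the
    subfolders whose (possibly inherited) "Show this folder in parent list" is on."""
    if not resolve(folder, "show_files_and_folders"):
        return []
    entries = list(folder.files)
    for child in folder.subfolders.values():
        if resolve(child, "show_in_parent_list"):
            entries.append(child.name + "/")
    return entries


def navigate(root, path):
    """Direct navigation ignores listing visibility entirely; only the access
    permissions (not modelled here) decide what the user may do once inside."""
    node = root
    for part in path.strip("/").split("/"):
        node = node.subfolders[part]
    return node


def build_example_tree():
    """Constructed tree: Usr holds Alex and Jane; Alex is hidden from listings."""
    usr = VfsFolder("Usr")
    alex = usr.add(VfsFolder("Alex", files=["report.txt"], show_in_parent_list=False))
    for name in ("incoming", "outgoing", "shared"):
        alex.add(VfsFolder(name))          # inherit Alex's hidden setting
    usr.add(VfsFolder("Jane"))
    return usr


if __name__ == "__main__":
    usr = build_example_tree()
    print("Listing Usr:", directory_listing(usr))              # Alex is absent
    alex = navigate(usr, "Alex")                                # but still reachable
    print("Listing Alex:", directory_listing(alex))             # files only
    alex.subfolders["shared"].show_in_parent_list = True        # explicit override
    print("Listing Alex after override:", directory_listing(alex))
```

The practical consequence is the one the guide warns about: hiding a folder from a listing is not an access control. If a folder must not be reachable, its permission entries have to say so; the list settings only change what the client displays.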


Disabling Inheritance in the VFS

You can override a user’s inherited settings by clearing the Inherit permissions from parent folder check box. If you later decide you want the folder to inherit permissions again, simply select the Inherit permissions from parent folder check box.

The following procedure describes how to stop a folder from inheriting its parent folder’s permissions, and how to force a modified folder to begin inheriting its parent's permissions again.

To reset all subfolders of a particular parent folder to inherit permissions from that parent, refer to Resetting VFS Folder Permissions.

To stop or force a folder from inheriting permissions

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, click the folder you want to configure.

3. In the right pane, do one of the following:

• To force the selected folder to inherit permissions from a parent folder, select the Inherit permissions and Content settings from parent folder check box.

• To stop the selected folder from inheriting permissions from a parent folder, clear the Inherit permissions and Content settings from parent folder check box. A message appears.

4. On the message that appears, click one of the following:

Copy - duplicates the permissions of the parent. You may later edit the permissions.

Remove - deletes all inherited permissions

Cancel - aborts the changes and closes the message

Creating a New Physical Folder

You can create a physical folder in the Virtual File System (VFS) of the administration interface.

To create a new physical folder

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, click the folder in which you want to create a subfolder, then do one of the following:

• Right-click the folder, and then click New Physical Folder.

• On the toolbar, click the New Folder icon.

• On the main menu, click Configuration > New Physical Folder.

The Create Folder dialog box appears.


3. Type a name for the new folder, and then click OK. The new folder appears in the tree.

Renaming a Physical Folder

You can change the name of a physical folder in the VFS tree.

To rename a physical folder

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, right-click the folder you want to configure, and then click Rename Folder. The folder name becomes an editable text box.

3. Provide the new name, then press ENTER.

Deleting a Physical Folder

When you delete a physical folder from within EFT, the folder is deleted from EFT AND your computer's hard drive. If you want to delete only the reference to the folder in EFT, refer to Deleting a Virtual Folder.

To delete a physical folder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, right-click the folder you want to delete, and then click Delete Folder. A confirmation message appears.

3. Click Yes.

Creating a New Virtual Folder

Virtual folders reference physical folders on a computer's hard drive. Similar to a Windows shortcut, a virtual folder is only an alias for the real folder. When you create a virtual folder, you do not have to give it the same name as the folder it references. You cannot change the name of a virtual folder, but you can delete the virtual folder and then re-create it with a new name.

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, click the folder in which you want to add a virtual subfolder, then do one of the following:

• Right-click the folder, and then click New Virtual Folder.

• On the toolbar, click the New Virtual Folder icon.

• On the main menu, click Configuration > New Virtual Folder.


The New Virtual Folder dialog box appears.

3. In the Alias box, type a name for the folder. For example, type Shared.

4. In the Target box, specify the target folder by typing the path or click the folder icon and browse to the target folder. For example, browse to C:\Documents and Settings\All Users\Documents\.

5. Click OK. The new virtual folder appears in the tree with the name that you typed in the Alias box, plus "Virtual" and the full path. For example:

Shared - Virtual (C:\Documents and Settings\All Users\Documents\).

Renaming a Virtual Folder

You can change the name of a virtual folder in the VFS tree.

To rename a virtual folder

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the VFS tree (left pane), right-click the folder you want to configure, and then click Rename Folder. The folder name becomes selectable.

3. Provide the new name, then press ENTER.

Deleting a Virtual Folder

When you delete a virtual folder, you merely delete a pointer, not the actual folder it references. (If you want to delete the physical folder and everything it contains from the hard drive, refer to Deleting a Physical Folder.)

EFT does not allow removal of the system-created folders Bin, Pub, and Usr, because user folders are saved in these folders.


To delete a virtual folder

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, right-click the folder you want to delete, and then click Delete Folder. A confirmation message appears.

3. Click Yes.

Setting VFS Permissions

After you create a Group, you add users to the Group, then on the VFS tab you add the Group to the Permissions pane, and then set the Group's VFS permissions. You can set permissions by Group or per user. If you specify a home folder when you create a new user, the user has full permission on that folder.

Refer to Introduction to the Virtual File System (VFS) and How VFS Permissions Work for details of how virtual folder permissions work.

Any time a new folder is created, it inherits permissions from its parent folder. Using permission inheritance, administrators can make global access changes by simply changing group access in a parent folder. You can modify a folder's permissions even while it is inheriting permissions from a parent folder.

You can specify different permissions for child folders, rather than inheriting all permissions from the parent. When you select or clear the check box for one or more permissions on a parent folder, and then click Apply, a message appears asking whether you want to apply the changes to the child folders also.

• Click Yes to apply the permissions to each of the child folders or No if you only want the permission to apply to the parent folder. You can then, if you so choose, set folder permissions for the subfolders independently of the parent folder.

To set folder permissions

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the VFS tree (left pane), click the folder you want to configure. The Permissions area in the right pane displays each of the users and Groups who have permissions defined for the selected folder.

3. In Permissions area in the right pane, click the user or Group you want to modify or click Add to specify permissions for a user or Group on the selected folder. Refer to Adding a User or Group to VFS Permissions for the procedure for adding a user or Group.

4. Select or clear the appropriate permission check boxes.

Modifying a permission affects all subfolders containing the user or Group for which the Inherit permissions from parent folder check box is selected.

5. (Optional; available in EFT Enterprise and in EFT SMB with the High Security module) Select the Encrypt contents (EFS) check box. Refer to Streaming Repository Encryption for more information.

6. Click Apply to save the changes on EFT.


Resetting VFS Folder Permissions

When you reset permissions on a parent folder, you force the subfolders to mirror the parent folder's permissions. This simplifies the permissions status of these folders, making them more predictable.

Resetting folder permissions from a parent folder differs from manually changing the inheritance values of subfolders. In a subfolder, you have the option either to mirror the parent folder's permissions or to keep permissions for any new users and Groups you have added while also mirroring the permissions for all Groups in the parent folder.

To reset folder permissions from a parent folder

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, right-click the parent folder you want to configure, and then click Reset Subfolders.

3. Click OK.

Mapping a Virtual Folder to a Network Drive

To map a virtual folder to a network drive, you need to:

• Establish a separate Windows account for the EFT service.

• The account must have full access to any folder you want to make available on EFT.

• Your account on the computer on which EFT is running must have full access to any folder you want to make available on EFT.

To map to a network drive

1. Create and assign a Windows account on the computer on which the EFT service is installed. This should not be the default (system) account.

2. Assign restrictive file and folder permissions for this account.

3. If you are mapping to a network drive in a workgroup, create a matching account on the target remote computer. Make certain it uses the SAME user name and password. Restrict permissions to this account to allow users access to only the folders they need.

4. In the administration interface, connect to EFT, and then click the Server tab.

5. Create a virtual folder for a folder on your networked drive. If you are administering remotely or the drive is not mapped to your computer, make sure that you use a UNC path name.

6. In the administration interface, assign permissions for users by clicking the VFS tab, clicking the folder to which you want to specify the permissions for that user, and then selecting or clearing the appropriate permission boxes.

To create accounts, you need administrative rights to the system on which the service is running.

Virtual folders that point to a drive other than C: or a UNC share are visible using the MLSD FTP command.


Streaming Repository Encryption

(Available with the High Security module)

Physical folders stored on the disk in EFT's Virtual File System (VFS) can be transparently encrypted during read/write using Microsoft's Encrypting File System (EFS). Data is encrypted as it is written to disk, and decrypted prior to transmission.

• If you turn on this feature, it is recommended that you set up appropriate backup measures to protect your data. If you need to recover a private key to decrypt data, and that key is lost, you will not be able to recover the data that the key protects. Streaming repository encryption leverages Microsoft's Encrypting File System (EFS). If you need more information on setting up appropriate backup procedures, refer to Configuration and Security Best Practices.

• Streaming repository encryption is not available for systems running on FAT32 file systems. NTFS is required.

• Streaming repository encryption is not available with NT authentication due to limitations of NT authentication. If you require this feature with an NT set up, LDAP authentication is recommended.

• The PCI DSS requires that logical access and decryption keys be managed independently for disk-level encryption. If you enable this feature for a high security-enabled Site, EFT prompts you to disable it, or to continue with a reason.

• The PCI DSS requires that if disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts).

Decryption keys must not be tied to user accounts. That does not mean EFS cannot be used at all, but rather that it cannot be used as the sole mechanism for repository encryption. For this reason, the Server will only warn, rather than fail, during an audit.

• If you have a large number of VFS folders and the interface becomes unresponsive when EFS is enabled, be sure to clear the Enable EFS folder icons check box. Selecting that check box when you have a large number of VFS folders can cause the interface to become unresponsive while the server checks each folder for encrypted contents.

To enable streaming repository encryption

1. In the administration interface, connect to EFT and click the VFS tab.

2. In the left pane, right-click the parent folder you want to configure, and then click Encrypt Contents.

3. If the folder you selected has subfolders, a confirmation message appears.


4. Specify whether to Apply changes to this folder only or Apply changes to this folder and all subfolders, and then click OK.

If the Enable EFS folder icons check box is selected, the encrypted folder and its subfolders display a red asterisk to indicate that the folder contents are encrypted.

5. To remove encryption, right-click the encrypted folder and click Encrypt Contents to clear the check box.

6. If the folder you selected has subfolders, a confirmation message appears. Specify whether to Apply changes to this folder only or Apply changes to this folder and all subfolders, and then click OK.

Enable EFS Folder Icons

When EFS is applied to a folder, you can configure the Server to add a red asterisk to the folder icon to indicate that the folder contents are encrypted. This setting is turned off by default. If you select the Enable EFS folder icons check box, the server will check each folder for encrypted contents before displaying the icon.

If you have thousands of folders, you should leave the check box unselected; selecting the check box when you have a large number of folders can cause the interface to become unresponsive while the server checks each one for encrypted contents.

To enable the EFS folder icons

1. On the main menu, click Edit > Global Settings.


2. Select the Enable EFS folder icons check box.


3. Click OK. (To disable the feature, clear the check box.)

Virtual Folders for Secure Ad Hoc Transfer Users

In the Virtual File System (VFS), you can configure home folders on a remote computer for Secure Ad Hoc Transfer (SAT) temporary users. Similar to a shortcut, you can point a Virtual Folder to a physical path on the same computer or on a remote computer, but the computer on which SAT and IIS are installed must have permission to write to that folder.

To specify Virtual Folders for SAT users

1. Create the shared folder on the computer on which you want to store SAT users' home folders.

2. Ensure that SAT and IIS have read and write permission on the shared folder.

3. In the EFT administration interface, connect to the Server, and then click the VFS tab.

4. Right-click the Site tree, and then click New Virtual Folder. The New Virtual Folder dialog box appears.

5. In the Alias box, type any name. For example, type adhoc2.

6. In the Target box, type the physical path to the location. For example, type \\10.1.2.3\adhoc2.

7. Click OK.

8. Click the Server tab, and then click the EFTAdhoc node.

9. On the General tab, select the ST home folder check box, and then click the folder icon. The Browse for VFS dialog box appears.

10. Click the Virtual Folder that you defined in step 5, and then click OK.

11. Click Apply to save the changes on the Server.

Now when a file is sent, the SAT user's home folder is created at the location you specified for the Virtual Folder.

Folder Locations for WTC Users

The WTC user folders and files are stored:

• On non-HA installations, on the EFT computer (e.g., C:\InetPub\EFTRoot\MyGSSite\Usr\).

• On HA installations, in the shared HA configuration location (e.g., <NAS_drive>\<HA config folder>\InetPub\EFTRoot\MyGSSite\Usr\).


Workspaces

The topics below provide information about Workspaces and procedures for enabling, configuring, and using Workspaces.

Workspaces Overview

Workspaces extends the secure and robust EFT file transfer platform with features that allow end users to easily share folders with existing and new user accounts, without burdening the IT administrator.

Workspaces empowers end users to share folders quickly and easily, while IT administrators retain full control and visibility of the file transfer infrastructure, leveraging the highest levels of security, regulatory compliance, flexible authentication, and data encryption aspects of the EFT platform. No file sync and share vendors have the underlying security features empowered by EFT for Workspaces as a sharing solution (DMZ Gateway, multiple secure protocols, workflow automation, flexible authentication, etc.).

Administrators Retain Control

IT Administrators are able to delegate to end users the power of managing shared folders with existing and new users without losing governance, visibility, and control. End users are given a tool that fulfills the workflows they have become used to (online file sharing) in a way that conforms to corporate policy.

Workspaces gives IT administrators the freedom to deny access to cloud-based file sharing services within their organization, because they have provided a safe alternative to their internal customers.

When a user's folders are shared via the Web Transfer Client, the shared folder appears in the EFT administration interface on the VFS tab under the Workspace node.

Here, the administrator can see:

• With whom the folder is shared

• What the permissions are on each user account

• When the Workspace was created

• The physical path to the folder

• Who owns the folder

The administrator can also add or remove specific permissions on the folder for each participant.


Licensing Workspaces

Licenses are purchased per number of Workspaces OWNERS, not the number of Workspaces created.

For example, if you purchase a 25-seat license, 25 users can create Workspaces; there is no limit to the number of Workspaces each owner may possess. The limit on owners applies across all Sites on the Server or cluster. Workspaces access is managed at the Site level. This means that if Workspaces is enabled for a Site, each user defined on the Site, regardless of Settings Template, can create Workspaces. There is currently no way to specify which users can or cannot own a Workspace.

Workspaces is enabled only at the Site level, so it is enabled for all users; currently, you can't enable Workspaces at the Settings Template level. (There is no limit to the number of users who can access a Workspaces folder; however, EFT limits the number of users per Site to 150,000.)

Enable and Configure EFT Workspaces

The Workspaces feature of EFT allows end users to share their folders with other users. The user account that is sharing the folder maintains control of permissions to the shared folder, and can revoke sharing privileges at any time.

Workspaces provides the ability to easily share and collaborate on information that is securely managed by EFT, including existing authentication, access control, auditing, governance, and Event Rule workflow capabilities available in EFT.

To enable Workspaces

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Workspaces tab.


4. Select the Enable Workspaces check box.

5. Under Workspaces Configuration, specify whether to allow EFT users to send invitations to users not in the EFT user authentication database.

Allow invitations to new EFT users for Workspaces

Allow Workspaces shared with existing EFT users only

Workspaces Invitations

An EFT administrator can invite internal users to join existing Workspaces in the VFS tab. External users cannot be invited via the VFS tab; they can only be invited by email address in the Web Transfer Client (WTC).

When a user is invited via the WTC, EFT follows the following logic flow:

1. EFT will first look for a matching email address in the existing Site user profiles and usernames.

For example, let's say a Workspaces folder owner invites a user to share a folder with the email address [email protected]. EFT will search the existing Site for either a username of "[email protected]" or a username with an associated email of [email protected]. If a match is found, EFT sends an email to the invited user to let them know that they have been invited to share a Workspaces folder. Internal users are not invited; they are automatically joined.

2. If more than one internal user is associated with the invited email address, either by username or profile e-mail address, EFT will decline to add the user.

3. If the email address is not associated with any internal username or email profile and the Site-level Workspaces tab has the Allow invitation to new EFT users for Workspaces option enabled, then EFT will add the user to the Workspaces folder as a "pending" user, and the user will be invited to create an EFT account to gain access to the shared folder. However, if the option is not enabled, then the invitation request will be denied.

Internal Users

When adding participants to Workspaces folders, the email address is the unique participant identifier.

Existing users will be added to a Workspaces folder only if there is one and only one match for the e-mail address being invited. Before completing an invitation, EFT will check both the username and email address fields for all users on the Site for matching addresses.


If two internal EFT users on the same Site have the same email address, they cannot both be joined to the same Workspaces folder. For example, if user accounts test2 and test3 each have the email address [email protected], and the administrator attempts to add users test2 and test3 to a Workspaces folder, EFT will not permit test3 to join, and will state that it's due to duplicate users. In the WTC, the "Unspecified error has occurred" message will appear. If Workspaces trace level logging is enabled, then the log will report the offending email address.

• If one user’s username is the same as another user account's e-mail address and a Workspace owner attempts to invite that address, an error will occur and the user will not be invited.
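The matching rules from the Workspaces Invitations flow above and from this Internal Users section, as an added Python model that is not GlobalSCAPE code and not part of the guide. The SiteUser, Participant and WorkspaceFolder classes, the user names, the e-mail addresses and the timestamps are all constructed; the five-day expiry is the value the guide states, and `expire_pending` and `accept_invitation` are constructed helpers that model the silent removal of an expired pending user and the activation of a pending invitation. The scenario covers the three outcomes of the flow plus the two duplicate cases described here: two accounts sharing a profile e-mail, and one account's username colliding with another account's e-mail address.

```python
"""Model of the Workspaces invitation matching and expiry rules.

Added example; not GlobalSCAPE code. The classes, user names, e-mail
addresses and timestamps are constructed. The five-day expiry is the
hard-coded value stated in the guide.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

INVITE_TTL = timedelta(days=5)


@dataclass
class SiteUser:
    username: str
    email: str = ""


@dataclass
class Participant:
    identity: str                       # username (internal) or e-mail (pending external)
    pending: bool
    invited_at: Optional[datetime] = None


@dataclass
class WorkspaceFolder:
    name: str
    owner: str
    participants: dict = field(default_factory=dict)


def match_internal_users(site_users, address):
    """Every Site user whose username OR profile e-mail equals the address."""
    key = address.strip().casefold()
    return [u for u in site_users
            if u.username.casefold() == key or u.email.casefold() == key]


def invite(folder, site_users, address, allow_new_users, now):
    """One match joins; several matches decline; no match is pending or denied."""
    matches = match_internal_users(site_users, address)
    if len(matches) == 1:
        user = matches[0]
        folder.participants[user.username] = Participant(user.username, pending=False)
        return "joined"
    if len(matches) > 1:
        # The address is the unique participant identifier, so an ambiguous
        # match is refused rather than resolved by guessing.
        return "declined:duplicate"
    if not allow_new_users:
        return "denied"
    key = address.strip().casefold()
    folder.participants[key] = Participant(key, pending=True, invited_at=now)
    return "pending"


def accept_invitation(folder, address, now):
    """External user activating a pending invitation; expired ones are dropped."""
    key = address.strip().casefold()
    p = folder.participants.get(key)
    if p is None or not p.pending:
        return False
    if now - p.invited_at > INVITE_TTL:
        del folder.participants[key]
        return False
    p.pending, p.invited_at = False, None
    return True


def expire_pending(folder, now):
    """Drop pending participants older than INVITE_TTL; nobody is notified."""
    expired = [k for k, p in folder.participants.items()
               if p.pending and now - p.invited_at > INVITE_TTL]
    for k in expired:
        del folder.participants[k]
    return expired


def run_scenario():
    """Constructed Site: a clean match, a duplicate e-mail, a username that
    collides with another account's e-mail, and an external address."""
    site_users = [
        SiteUser("test1", "user1@example.com"),
        SiteUser("test2", "dup@example.com"),
        SiteUser("test3", "dup@example.com"),
        SiteUser("test4", "ops@example.com"),
        SiteUser("ops@example.com", "mailbox@example.com"),
    ]
    folder = WorkspaceFolder("folder 2", owner="imauser2")
    t0 = datetime(2015, 12, 1, 9, 0)
    results = {
        "single_match": invite(folder, site_users, "User1@Example.com", True, t0),
        "duplicate_email": invite(folder, site_users, "dup@example.com", True, t0),
        "username_vs_email": invite(folder, site_users, "ops@example.com", True, t0),
        "external_not_allowed": invite(folder, site_users, "new@example.com", False, t0),
        "external_pending": invite(folder, site_users, "new@example.com", True, t0),
    }
    results["expired"] = expire_pending(folder, t0 + timedelta(days=6))
    results["participants"] = sorted(folder.participants)
    return results


def accept_scenario():
    """One invitation accepted on day 1, another on day 6 (already expired)."""
    t0 = datetime(2015, 12, 1, 9, 0)
    in_time = WorkspaceFolder("folder A", owner="imauser2")
    invite(in_time, [], "x@example.com", True, t0)
    late = WorkspaceFolder("folder B", owner="imauser2")
    invite(late, [], "y@example.com", True, t0)
    return {
        "accepted": accept_invitation(in_time, "x@example.com", t0 + timedelta(days=1)),
        "joined": not in_time.participants["x@example.com"].pending,
        "accepted_late": accept_invitation(late, "y@example.com", t0 + timedelta(days=6)),
        "late_removed": "y@example.com" not in late.participants,
    }
```

The `username_vs_email` case is the one worth checking on a real Site before enabling Workspaces: because both the username and the profile e-mail fields are searched, an account whose username looks like an e-mail address can block invitations to the account that actually owns that mailbox, and the only diagnostic the guide mentions is the trace-level log.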

External (non-EFT) Users

When external users are invited to join a Workspaces folder, they must individually accept and activate each and every Workspaces invitation. The recipient must accept each invitation and fill out the "Already Have an Account" form to gain access to the Workspaces folder.

• EFT doesn't provide any sort of visual indicator to distinguish between internal users vs. external users. When external users join a Workspaces folder, their user accounts are created under EFT's Default User Settings Template. External users are permitted to create Workspaces, but cannot invite new external users to share the folder. External users can only invite users who already have an EFT account.

• The EFT VFS tab indicates which users are in the "pending" state, meaning they have not yet accepted their invitations. Once a user accepts an invitation, the "Pending" status is removed.

Externally invited users have 5 days to accept and activate a pending invitation, after which the invitation will expire. This is a hard-coded value and cannot be modified.

• Workspace owners and EFT administrators are not notified when an external user's invitation expires. When an invitation expires, the user is automatically removed from the Workspaces folder and no longer appears as a pending user. There is no resend-invitation option. In order to re-invite an external user whose invitation has expired, the Workspaces owner, via the WTC, has to re-invite the user, at which point the invited user goes back into a pending status and again has 5 days to activate the account. Pending user status can only be viewed via the VFS tab.

Workspaces Permissions

Workspaces permissions are separate from the VFS permissions, such as those permissions for the Usr folders. Users who have Workspaces permissions on a folder will not appear in the VFS permissions for that folder. For example (as shown below):

1. "imauser2" has full permissions on the \Usr\imauser2\ folder in VFS.

2. In Workspaces, "imauser2" has shared a folder called "folder 2" with "imauser1."

3. When the administrator clicks "folder 2" in the Workspace Folder tree, the administrator can see that "imauser1" has Workspaces permissions on that folder.

4. However, only "imauser2" has VFS permissions on that folder.


Specify Custom Default Workspaces Sharing Permissions

By default, all Workspaces permissions are selected, and the user is expected to clear any permissions that are not wanted when a folder is shared. Alternatively, the EFT administrator can change the default permissions so that one or more permissions are NOT selected by default, and then the user sharing the folder has to explicitly enable the permission. Changing the defaults does NOT disable the permission; it simply is not selected by default. The sharing user can still enable it.

To specify default sharing permissions

1. In C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\scripts, find the adminConfig.js file. (There is a number in front of the name.)

2. Open the configuration file in a text editor, such as Notepad++. (It may be necessary to change the extension from JS to TXT to view it properly.)


EFT v7.2 User Guide

3. Look for the Default permissions section and the following text:

   gsb.config.defaultWSPermissions = {
       canUploadFile: true,
       canDownloadFile: true,
       canDeleteFile: true,
       canRenameFileFolder: true,
       canCreateFolder: true,
       canDeleteFolder: true
   };

4. For the permission that you do NOT want selected by default, change true to false, then save the file.

For example, if you do not want the Delete File permission selected by default, change canDeleteFile: true to canDeleteFile: false.

5. If you changed the name of the file to edit it, be sure to change it back.

Workspaces Notifications

When a Web Transfer Client user shares a folder, an invitation is sent to the user with whom the folder is shared. If the recipient does not have an account on EFT, the user can register the account. (On AD/LDAP Sites, you can only invite users in the Active Directory domain.) For invitations sent to non-EFT users, an email is sent to verify the account when the user registers the account.

The text for the invitation and verification emails is contained in an HTML file that can be customized for localization or to provide company-specific information.

Workspaces invitations expire after 5 days.

The files are stored in the APP_DAT_PATH directory (by default, C:\ProgramData\Globalscape\EFT Enterprise) and apply to all Sites on the Server.

To edit the Workspaces messages

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node.

3. In the right pane, click the General tab.


   Next to Workspaces invite message, click the browse icon. Your default text editor (e.g., Notepad) opens with the invitation text.

   Edit the text as needed, being careful not to delete the variables (%USER.EMAIL_ADDRESS%, %WS_OWNER_NAME%, %FOLDER_NAME%, %LINK%), then save the file and close the text editor.

4. Next to Workspaces verify message, click the browse icon. Your default text editor (e.g., Notepad) opens with the verify text.


5. Edit the text as needed, being careful not to delete the variables (%USER.EMAIL_ADDRESS%, %LINK%), then save the file and close the text editor.
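An added check (not EFT's code, and not a description of how EFT renders the message files): after editing a message, confirm that every variable EFT substitutes is still present, then preview the substituted result. The template text, the HTML escaping, and the sample values are constructed for this example.

```javascript
// Added example, not EFT's own code: verify an edited Workspaces message still
// contains the variables EFT substitutes, and preview the substituted result.

// Variables each message type must keep (from the procedure above).
const REQUIRED_VARIABLES = {
  invite: ["%USER.EMAIL_ADDRESS%", "%WS_OWNER_NAME%", "%FOLDER_NAME%", "%LINK%"],
  verify: ["%USER.EMAIL_ADDRESS%", "%LINK%"],
};

// Return the required variables that no longer appear in the template text.
function missingVariables(kind, template) {
  if (!(kind in REQUIRED_VARIABLES)) throw new Error(`unknown message kind: ${kind}`);
  return REQUIRED_VARIABLES[kind].filter(v => !template.includes(v));
}

// Minimal HTML escaping for values inserted into an HTML body. Escaping is this
// example's own precaution (folder and owner names are chosen by users of the
// system), not a statement about what EFT does.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Substitute %NAME% placeholders from `values`. Placeholders with no value are
// left untouched so they stay visible in the preview instead of vanishing.
function renderMessage(template, values) {
  return template.replace(/%([A-Z][A-Z_.]*)%/g, (match, name) =>
    name in values ? escapeHtml(values[name]) : match);
}

// Constructed sample invitation template (not the file shipped with EFT).
const sampleInviteTemplate =
  '<p>%WS_OWNER_NAME% has shared the folder "%FOLDER_NAME%" with %USER.EMAIL_ADDRESS%.</p>\n' +
  '<p><a href="%LINK%">Open the Workspace</a> within 5 days, after which the invitation expires.</p>';

// The same template after an edit that accidentally removed the link variable.
const brokenInviteTemplate = sampleInviteTemplate.replace(
  '<a href="%LINK%">Open the Workspace</a>', 'Open the Workspace');
```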

Managing Workspaces in the VFS

The VFS tab has a Workspaces view in which EFT Server- and Site-level administrators can:

• Delete shared Workspaces

• Add existing users to existing Workspaces

• Modify participant permissions of shared Workspaces

Sharing folders via the VFS tab

• Workspaces cannot be created via the VFS tab.

• External users cannot be invited via the VFS tab. External users can only be invited via the WTC.

• Users joined to Workspaces via the VFS tab, unlike users joined via WTC, are not sent invitation notification emails.

• Workspaces permissions may be granted via the VFS Workspaces view; however, the granted permissions may not actually take effect. The VFS tab appears to permit any permission to be granted to a Workspaces participant, but the permissions a participant can actually use are limited by the Workspaces owner's own folder permissions. Suppose an EFT user creates a shared folder with only Upload permissions; an EFT administrator may invite participant1 to join the Workspaces folder, granting participant1 full administrative privileges to the folder. However, participant1 will receive an "access denied" response on any action within the folder other than upload, because the Workspaces folder respects the Workspaces owner's folder permissions.
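As an added example (not EFT's code), the JavaScript below models the two rules described here and under Specify Custom Default Workspaces Sharing Permissions: the adminConfig.js defaults only pre-select check boxes, and a participant's effective permission is what was granted intersected with what the Workspaces owner may do in that folder. Representing the owner's VFS folder permissions with the same six keys is a simplification assumed for this example, as are the scenario values.

```javascript
// Added example, not EFT's own code: models how Workspaces sharing defaults and
// the owner's folder permissions combine into what a participant can actually do.

// The shipped defaults from adminConfig.js (gsb.config.defaultWSPermissions).
const defaultWSPermissions = {
  canUploadFile: true,
  canDownloadFile: true,
  canDeleteFile: true,
  canRenameFileFolder: true,
  canCreateFolder: true,
  canDeleteFolder: true,
};
const PERMISSION_KEYS = Object.keys(defaultWSPermissions);

// Validate an edited defaults block: every key must be one of the six known
// permissions and every value a boolean. Throws on a problem, so a typo such as
// canDeletFile cannot silently leave the real permission pre-selected.
function validateDefaults(config) {
  const keys = Object.keys(config);
  for (const key of keys) {
    if (!PERMISSION_KEYS.includes(key)) throw new Error(`unknown permission key: ${key}`);
    if (typeof config[key] !== "boolean") throw new Error(`${key} must be true or false`);
  }
  for (const key of PERMISSION_KEYS) {
    if (!keys.includes(key)) throw new Error(`missing permission key: ${key}`);
  }
  return { ...config };
}

// Administrator override from the procedure above: Delete File is no longer
// pre-selected. Constructed for this example.
const hardenedDefaults = validateDefaults({ ...defaultWSPermissions, canDeleteFile: false });

// Permissions a participant can actually exercise: the grant (from the sharing
// user or from the VFS Workspaces view) intersected with the owner's own
// permissions on the folder. The owner's VFS permissions are assumed to use the
// same six keys as a simplification for this example.
function effectivePermissions(ownerFolderPerms, grantedPerms) {
  const effective = {};
  for (const key of PERMISSION_KEYS) {
    effective[key] = ownerFolderPerms[key] === true && grantedPerms[key] === true;
  }
  return effective;
}

// Grants that look enabled in the VFS Workspaces view but will produce
// "access denied", because the owner lacks them on the folder.
function ineffectiveGrants(ownerFolderPerms, grantedPerms) {
  const effective = effectivePermissions(ownerFolderPerms, grantedPerms);
  return PERMISSION_KEYS.filter(key => grantedPerms[key] === true && !effective[key]);
}

// Walk-through of the scenario in the bullet above: the owner's folder allows
// upload only, and an administrator grants participant1 everything.
function scenarioUploadOnly() {
  const ownerFolder = {
    ...Object.fromEntries(PERMISSION_KEYS.map(k => [k, false])),
    canUploadFile: true,
  };
  const grantedToParticipant1 = { ...defaultWSPermissions }; // all six true
  return {
    effective: effectivePermissions(ownerFolder, grantedToParticipant1),
    misleading: ineffectiveGrants(ownerFolder, grantedToParticipant1),
  };
}
```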


Sharing Folders

Users can share an EFT folder with other EFT users through the Web Transfer Client. Additionally, you can, if the EFT administrator allows it, invite external users to share your folders. Users outside of the EFT network who were invited to share a Workspace (externally provisioned users) cannot themselves invite new users.

The invitation recipient clicks the link embedded in the email and then either signs in to EFT if an account has previously been created, or creates an account on EFT. (To share folders, the administrator has to have enabled Workspaces in the EFT administration interface on the Workspaces tab of the Site.)

To share a folder

1. Log in to the Web Transfer Client.

2. Select the check box of the folder that you want to share, then click the Share Folder icon or click File > Share Folder.

For example, when the "WhitePapers" folder is selected, the Share Folder icon appears.

The Create a Workspace dialog box appears.


The administrator can specify which check boxes are selected by default, if any. The sharing user can still select the check box to enable the permission. Refer to Workspaces Permissions for details.

3. Provide up to 10 email addresses of users with whom you want to share the folder. (You can later add more participants, 10 at a time.)

4. Assign permissions by clearing or selecting the check box next to that permission. By default, all permissions are selected (enabled). Clear the check boxes of the permissions that you do not want to assign to the users.

Permissions that the administrator assigns to folders override any permissions that you assign. That is, if the folder that you are sharing does not have rename permission, you cannot grant that permission to participants of the shared folder.

5. Click Share.

The folder icon changes to indicate that the folder is shared.

If you click the folder, a message indicates with whom the folder is shared and allows you to add more participants.

6. To make participant changes for the shared folder, click the link in the message (in this case "4 more").

The Edit Workspace Participants dialog box appears.

   a. To view a participant's permissions, click the gear icon for that participant.

   b. To remove a participant from the list, click the trash can icon for that participant. The removed user(s) will no longer have access to that folder. This action does not delete the user from the system, nor does it prevent the user from accessing other Workspace folders on which they have permissions.

   c. To add more users to the shared folder, click add more participants.


The users with whom you have shared the folder will see the shared folder in their Joined Workspaces tree.

In the EFT administration interface, on the VFS tab, the shared folder appears in the Workspace Folder tree, and the administrator can see who has shared the folder, who has access to the folder, and what each participant's permissions are. On the VFS tab, the administrator can add or remove permissions and add/remove users from the share.


7. To stop sharing the folder, thereby removing the folder from Joined Workspaces, click the stop sharing icon in the banner. The Stop Sharing Workspace message appears.

Descriptions of Preconfigured Reports

The Auditing and Reporting module comes with a number of preconfigured reports that allow you to start analyzing data right away. The report templates are .xml files and are installed in %systemroot%\ProgramData\Globalscape\EFT Server Enterprise\Reports or \EFT Server\Reports. If you plan to edit the default templates, it is a good idea to save a backup of them first. (Note: On Windows Server 2003 and earlier, the files are in ..\Documents and Settings\All Users\Application Data\Globalscape\EFT Enterprise\Reports or \EFT Server\Reports.) You can also use these reports as templates to create your own custom reports.

The preconfigured reports fall into the following categories:

Billing: If you need to bill your customers for file transfer services and need to supply accurate reports to customers and for your own invoicing purposes, these reports allow you to query and produce reports based on multiple criteria such as a specific client, a group of clients or all clients, a particular date range, and a specific file or all files transferred for that user.

Non-repudiation: If you need to audit transactions throughout their life cycle and determine whether a particular Event occurred and when it occurred, these reports allow you to search for all activity for a specific user for a specific date or to locate a transaction within a date range for auditing purposes, and allow you to show conclusively whether something happened, when it happened, and who was responsible for making it happen.

Statistics: Gathering statistical data allows you to take preventive measures (such as scale to meet increasing demand), to establish trends, create general usage reports for stakeholders, and to query and analyze trends and server usage (peak usage times, most active customers, etc.).

Technical troubleshooting: Granular auditing of all socket, protocol, authentication, and transaction information allows the administrator to quickly locate and solve problem scenarios.

The preconfigured reports described below are provided with the Auditing and Reporting module. You can run the reports as is or edit them to suit your specific needs.

Activity-Ad Hoc (Detailed) - This report displays activity for ad hoc file transfer activity, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc (Summary) - This report displays all ad hoc file transfer activity, grouped by username, and sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc by File (Detailed) - This report displays all ad hoc file transfer activity for a specified file name, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)


Activity-Ad Hoc By Recipient (Detailed) - This report displays all ad hoc file transfer activity for a specified recipient's e-mail address, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. When you click Show Report, the Enter Report Parameters dialog box appears. Provide the entire e-mail address. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc by Sender (Detailed) - This report displays all ad hoc file transfer activity for a specified sender's e-mail address, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. When you click Show Report, the Enter Report Parameters dialog box appears. Provide the entire e-mail address. (For Mail Express reports, the Temporary User Name column is blank.)

Activity - All File Transfers - This report displays all file transfers as server, client, and LANcopy events. It displays date and time, target path, account, direction, IP address, size in KB, code, and result (success/failure).

Activity - All File Transfers (as Server) - This report displays all file transfers as server.

Activity - All Groups (Detailed) - This report displays the various Actions performed by all the groups, such as Administrator, All users, and Guests, and it displays Date/Time, Remote IP address, protocol, Action, filename, folder, bytes transferred, and the result.

Activity - All Users (Summary) - This report displays the transfer activity (total number of uploads and downloads) for all users who logged on to EFT during the date range specified, grouped by username, subgrouped by date, sorted by username, then transfer direction, and date, in ascending order.

Activity - All Users (Detailed) - This report displays all folders and files created and the delete activity for all users who logged on to EFT during a particular period, grouped by username, and sorted in reverse chronological order. The report includes the time stamp, remote IP address of the user, protocol, Action, file name, folder, KB transferred, and the result.

Activity - By File - This report displays all the activities related to a specified file, based on wildcard masks, grouped by Site name, subgrouped by matching filename, sorted in chronological order. The report displays the time stamp, user name, remote IP address, and protocol. To generate this report, you have to specify the report parameters, such as .txt to view only txt files or *.* to view all files.

Activity - By Group (Detailed) - This report displays the folder and file create and delete activity during a specified period for a specific group, grouped by group name, and sorted by date in reverse chronological order. The report displays the remote IP address, protocol, Action, time stamp, file name, folder, bytes transferred, and result. When you click Show Report, the Report Parameters dialog box appears asking for the group name.

Activity - By User (Detailed) - This report displays the folder and file create and delete activity during a specified period for a specific user, grouped by username, and sorted by date in reverse chronological order. When you click Show Report, the Report Parameters dialog box appears asking for the name of the user.

Activity - By User (Detailed) - Group by Username-Action - This report displays the folder and file create and delete activity during a specified period for specific users, grouped by username, subgrouped by Action, and sorted by date in reverse chronological order. That is, the report displays all files created under the Created Action and all files that are sent are displayed under the Sent Action. When you click Show Report, the Report Parameters dialog box appears asking for the name of the user.

Activity - By User (Summary) - This report displays the transfer activity for specific users, grouped by username, subgrouped by date, sorted by username, transfer direction, and date, in descending order.


Admin Actions - (Requires High Security Module in addition to ARM) This report displays all EFT administrator activity for the specified range. Columns displayed in the report and available report filters include Date/Time (Timestamp), Function (e.g., User Account, Site, Database Refresh, SMTP Settings), Action (e.g., Created, Enabled, Disconnected, Modified, Started, Renamed), Affected Area (e.g., User Account, Site, Server, Administration), Affected Name (username), ChangeOriginator (administrator username), SiteName (e.g., MySite).

Admin Activity (Summary) - This report displays all administrative connections (successes and failures) to EFT.

AS2 Transactions Detailed - A verbose AS2 file transfer report that provides the information necessary for troubleshooting problem transactions.

AS2 Transactions Overview - A transaction report that displays the same information as shown on the Transfers - AS2 node. The report queries all AS2 transactions for the dates specified, grouped by site, sorted by date, and listed in reverse chronological order.

Content Integrity Control - Actions (detailed) - A report showing all Event Rules with CIC actions, grouped by site name, sub-grouped by the user-defined event name, sorted by the unique event ID (not shown) in descending order. Includes Parameters, Begin and End Date\Time, and Result.

Event Rules - Actions (Summary) - This report summarizes all Event Rules with their corresponding Actions, grouped by Site name, subgrouped by the user-defined Event name, sorted by the unique Event ID (not shown in report) in descending order.

Event Rules - Activity (Detailed) - This report displays the Event Rule activity by user-defined Event name, grouped by Site name, subgrouped by the Event type, sorted by date in reverse chronological order.

Event Rules - Activity (Summary) - This report summarizes the Event Rule activity by user-defined Event name, grouped by Site name, sub-grouped by the Event type, sorted by date in reverse chronological order.

Event Rules - Inbound-Outbound By Date - This report details all offload and download Actions, grouped by Site, subgrouped by Action, sorted by date in reverse chronological order.

Event Rules - Inbound-Outbound By User - This report details all offload and download Actions, grouped by Site name, then by remote host IP address, then by username, sorted in reverse chronological order.

Executive Summary Report - This report summarizes the following information for the period specified:

   o Average transfer speed

   o Total number of downloads, uploads

   o Total bytes transferred (inbound/outbound)

   o Top 5 users (by # of connections)

   o Top 5 users (by bytes transferred)

Security - Failed Logins - This report displays the number of users who could not connect to EFT. It displays the user name, remote IP address, protocol used, date, time, port number, and result.

Traffic - Average Transfer Rates by User - This report displays the average transfer rate for specific users, grouped by username, subgrouped by date, sorted by username, transfer direction, and date, in descending order.

Traffic - Connections Summary - This report details connections to EFT (IP address or user connections) and bytes transferred by date, grouped by Site name, sorted by date in reverse chronological order.

Traffic - Datewise-Hourly Bytes Transferred - This report details the connections and bytes transferred sorted by date and hour, in chronological order.


Traffic - Datewise-IPwise bytes transferred - This report displays the connections established by remote IP addresses and total bytes transferred.

Traffic - IPwise Connections (Summary) - This report displays the connections established by remote IP addresses and total bytes transferred.

Traffic - Monthwise-IP-wise Bytes transferred - This report displays the connections established by various remote IP addresses each month. It displays the Site name, month name, remote IP address, connections, and total bytes transferred.

Traffic - Most Active IPs - Connections - This report displays the most active IP addresses; that is, the IP addresses of the users who frequently log on to EFT. It displays the data transferred, Site name, remote IP address, and bytes transferred. This report can be used to help detect Denial of Service (DoS) attacks against EFT.

Traffic - Most Active IPs - Data Transferred - This report displays the IP addresses of users who log on to EFT frequently and the number of connections established by various users. It displays the total bytes transferred, number of connections, remote IP address, and Site name.

Traffic - Most Active Users - Connections - This report displays the connections established by the most active users.

Traffic - Most Active Users - Data Transferred - This report displays the usernames of users who log on to EFT frequently, the number of connections established by various users, and number of bytes transferred.

Traffic - Protocolwise Connections (Summary) - This report displays the connections established by various users and the protocol used by the users to transfer the data, that is, whether the users have used FTP, HTTP, or any other protocol to upload or download the files.

Traffic - Sitewise-Hourly by User - This report displays the total number of connections established by various users on a particular Site each hour.

Troubleshooting - Connection Errors - This report displays the number of connection errors that occurred while connecting to a Site.

Troubleshooting - Event Rules Failures - This report displays failures related to the Event Rules.

Troubleshooting - IP Address Activity (Detailed) - This report displays the details of the user and the date/time on which the user logged on to EFT; other details such as local port, socket result ID, protocol, password, physical folder name, virtual folder name, and so on are also displayed. To view this report, you must specify the IP address in the Enter Report Parameters dialog box that opens when you click Show Report.

Troubleshooting - Operation Errors - This report displays protocol error codes and corresponding commands, sorted in reverse chronological order. The report includes the date and time the error occurred, remote IP address, protocol used, username, command, filename, virtual folder, and result (e.g., transfer completed).

Web Service- Invoke Event Rules (Detailed) - This report is used to view detailed activity for invoking Event Rules through Web Service, grouped by username, and sorted by date in reverse chronological order.

Workspaces Activity - Shows shared Workspaces invitation activity on EFT for a given period by Site. Displays date, Workspace, path, owner, action (status), and participant (permission).

(Refer to Winsock Error Codes for a list of Socket ID error codes.)


Commands

These topics provide the procedures for configuring and using Commands in EFT.

Introduction to Commands

EFT's Commands can execute programs, scripts, or batch files with or without command line arguments, providing administrators almost limitless extensibility. These Commands can be invoked directly by a user from their client (if permitted by the Server administrator) or as an automated Action from EFT's Event Rules.

When the Event Rule is triggered, EFT executes the specified custom Command with the specified attributes. To configure EFT to execute Commands, you first create the command, then add the command to an Event Rule. In the administration interface, the Commands appear in the tree in the left pane within the Site for which they are defined.

With the Server tab selected, when you click the Commands node on the Server tab, the Commands List appears in the right pane.

• Click New to open the Custom Command Wizard and create a new Command.

• Click a Command, then click Edit to edit an existing Command.

• Select a Command in the list, and then click Remove to delete it. (A confirmation message appears.)

Creating a Command with the Custom Command Wizard

The Custom Command wizard steps you through the process of creating a Command to tell EFT to execute programs, scripts, or batch files.

To create a command with the Custom Command wizard

1. Do one of the following:

• On the toolbar, click the New Command icon.

• On the main menu, click Configuration > New Command.

• In the left pane, right-click the Commands node, and then click New Command.

• Click the Commands node in the left pane, then, in the right pane, click New.

• Press CTRL+M.

The Custom Command Wizard appears.


2. In the Name box, type a descriptive name for the command. You will reference the Command name in Event Rules, so you should give the Command an intuitive name. For example, instead of Command 1, you might call it Run CScript.

3. Provide a Description that will help you identify the command.

4. Click Next. The path page appears.


5. In the Path to executable box, browse to or type the path to the executable. For example, you can specify a program, a batch file, or a Windows scripting executable, such as cscript.exe or wscript.exe. If you are connected to EFT remotely, you can type the path to the file, but be sure the path is relevant to the EFT computer, not the remote interface.


6. (Optional) Specify any required parameters. Alternately, you can specify the parameters when you add the Command to an Event Rule. If there are "standard" parameters that you will always use with the script, you can specify them here, then modify them or add additional parameters when you add the Command to an Event Rule.

7. Click Finish. The Command is added to the Commands node for the Site and appears in the Command Settings tab in the right pane.

8. If the Command is a custom SITE command executed by a connecting FTP client, you can also configure the FTP Custom Command Specific settings, the invalid parameter count message, and which Groups are allowed to execute the Command by clicking Configure. The FTP Custom Command Specific dialog box appears.


9. Select the Redirect command output to connecting client check box to redirect the output from the executed command to the client in a 220 response message. If the check box is not selected, then the output of the command is not returned to the client, even though the command is still executed on the server. Redirecting command output can help the end user ascertain whether the command worked properly (depending on result codes returned by the script or application executed by the custom command on the server).

10. If you want to force the FTP client to send a minimum number of parameters, select the Require a minimum of check box and specify the minimum number of parameters required.

• To provide a message that users will receive when the parameter number is not met, next to Invalid parameter count message, click Configure. Provide the message, and then click OK.

• To specify the users and Groups that can execute the Command, next to User(s) or group(s) allowed to execute this custom command, click Configure. Double-click the users and/or groups, or use the arrows to move them between the Site users/groups list and the Permit execution list, and then click OK.


11. Click Apply to save the changes on EFT.


Editing a Command

The procedure below describes how to edit a command that you can execute with an Event Rule. For a general introduction to Commands, refer to Introduction to Commands. To create a command, refer to Creating a Command with the Custom Command Wizard.

To edit a command

1. In the administration interface, connect to EFT, then click the Server tab.

2. On the Server tab, expand the Site node for the Site that you want to configure, and then click the Commands node.

3. In the right pane, double-click the Command that you want to edit. The Command Settings tab appears.

4. The Command label box displays the name you gave the Command. You will reference the Command label in the Event Rule and Custom Command dialog box (in the Select Command drop-down menu), so you should give the Command an intuitive name. For example, instead of Command 1, you might call it Run CScript.

5. The Command description box displays the description that you gave the Command.

6. The Executable path box displays the path to the file that you want the Command to execute.

7. The Parameters box displays any parameters that the client must send. (Parameters are optional.)

8. To create a log that you can use to troubleshoot the command in case of failure, select the Redirect output to a log file check box, then type the path to the log file or click the folder icon to browse to and select the file.

9. If you want EFT to return an error if the launched process fails to respond, select the Enable process timeout check box and specify the number of seconds the Server should wait before terminating the command.

10. To specify FTP client settings, in the FTP Custom Command Specific area, click Configure. The FTP Custom Command Specific dialog box appears.


11. Select the Redirect command output to connecting client check box if the command will be launched by a connecting FTP client. If you select Redirect command output to connecting client, the result is sent to the connecting FTP client in a 220 message response.

12. If you want to force the FTP client to send a minimum number of parameters, select the Require a minimum of check box and specify the minimum number of parameters required.

13. To provide a message that users will receive when the parameter number is not met, next to Invalid parameter count message, click Configure.

14. Provide the message, and then click OK.

15. To specify the users and Groups that can execute the Command, next to User(s) or group(s) allowed to execute this custom command, click Configure.


16. Double-click the users and/or groups, or use the arrows to move them between the Site users/groups list and the Permit execution list, and then click OK.

17. Click Apply to save the changes on EFT.


Custom Command Example

The following example Command shows the configuration of a custom Command from the perspective of both EFT and a client. To follow the example exactly, you will need to download and install CuteFTP, which is available as a free 30-day trial and can be downloaded from http://www.globalscape.com/downloads. However, any client that supports custom commands or raw FTP commands will work.

Creating the Command

This Command copies EFT log files from the Logs folder to C:\Temp using the Windows xcopy command and CuteFTP's command-line functions.

To create a custom Command

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, expand the Site node for the Site that you want to configure, and then click Commands.

3. In the right pane, click New. The Custom Command Wizard appears.

4. Follow the instructions in Creating a Command with the Custom Command Wizard to define a Command that uses xcopy.

Executing the Command

You can run the Command "on the fly," configure the Command in the FTP client (in this example, CuteFTP), or insert the Command in an Event Rule. Each of these methods is described below.

Using the Command "on the fly" in CuteFTP

1. Start CuteFTP, and create a connection to EFT. (Refer to the CuteFTP help for details of how to connect to a server.)

2. If not already displayed, open the Session Log pane. (On the main menu, click View > Show Panes > Individual Session Logs or press ALT+2.)

3. Right-click a blank area of the Session Log, then click Input Raw FTP Command, or press CTRL+SHIFT+I. The Input FTP Command dialog box appears.

4. In the Command box, type site, the name of the Command as defined in EFT and any required parameters. For this example, type: site xcopy "C:\InetPub\EFTRoot\MySite\Usr\jbite" "C:\Temp"

5. Click OK. The Command executes. In this example, each of the files in the \Usr\jbite folder was copied to the \Temp folder. If you selected the Redirect command output to connecting client check box when you defined the Command in EFT (steps 8 and 9 above), the Session Log displays the results of the Command. For example:

COMMAND:> site xcopy "C:\InetPub\EFTRoot\MySite\Usr\jbite" "C:\Temp"

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\cftpsaiProperties.gif

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\EFTtaxonomy_filelist.xml

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\EFTtaxonomy_image001.png

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\inheritance.doc

220-220-C:\InetPub\EFTRoot\MySite\Usr\jbite\Message3.gif

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\RE Certificate Chaining.htm

220-C:\InetPub\EFTRoot\MySite\Usr\jbite\Root Migration Scripts.htm


220-C:\InetPub\EFTRoot\MySite\Usr\jbite\Thumbs.db

220-8 File(s) copied

220-220-

220 Command completed with code 0.

Configuring the Command in CuteFTP

1. Start CuteFTP and connect to EFT. (Refer to the CuteFTP help for details of how to connect to a server.)

2. On the main menu, click Tools > Custom Commands > Edit Custom Commands. The Custom Commands dialog box appears.

You must be connected to an FTP server in order for the Commands option to be available.

3. Click New then type a name for the command. For this example, type xcopy.

4. Click the command in the tree, and then click Edit, or right-click the new command and click Properties. The Custom Command Properties dialog box appears.

5. In the Label box, the name of the command appears.

6. In the Command box, type: site xcopy "C:\InetPub\EFTRoot\MySite\Usr\jbite" "C:\Temp" /d

Commands must start with site and then the command name you used in EFT, not the name you gave the command in CuteFTP. The /d parameter copies all new files in the specified folder.

7. Optionally, specify any key or key combination for the Shortcut Key and any icon for the Toolbar Icon.

8. Select the Place on the Custom Commands toolbar check box, and then click OK to close the Custom Commands Properties dialog box.

9. Click OK to close the Commands dialog box. Your custom command is now enabled and the icon, if specified, appears on the toolbar. (If the command is not displayed, click View > Toolbars > Custom Commands Bar.)

10. Start CuteFTP and connect to EFT.

11. If it is not already displayed, open the Session Log pane. (On the main menu, click View > Show Panes > Individual Session Logs or press ALT+2.)

12. On the toolbar, click the Command icon that you just created.

13. Monitor the output in the Session Log. You should receive various response messages indicating the progress of the archive.

Executing the Command Automatically Using an Event Rule

If you want to copy the log file automatically every day, you can create a Scheduler (Timer) Event and insert the Execute command in folder Action. Using this method, you would have to define the parameters in the Execute Command dialog box from within the Event Rule. See also Using an Event Rule to Execute a Command (Run a Process).


Possible Error Situations

• If you repeat the hard coded parameters in both the client and EFT, then the first parameter that the client sends will be used. For example, if SITE ZIP -c %at[archive name] %ff is configured in the client, and -c %1% %2% is configured in EFT, then the first parameter (-c) that the client sends will be used as %1% and the resulting string would be -c -c filename.ext.

Therefore, it is important to educate the FTP user on the proper syntax and supply most of the hard-coded parameters on the EFT side.

• You must give the FTP client user permission to run the Command on the Permissions tab on EFT; otherwise, they will receive a "Permission Denied" error.

• Certain command line utilities that may show a Windows prompt or other dialog may not execute properly when called from the FTP engine while it is running as a service. This is especially true when the service runs under the Local System account.

• EFT can return an error if the client provides the wrong number of parameters or invalid parameters.

• To limit security vulnerabilities to EFT, the EFT administrator should only allow limited access to commands that launch processes.

Always use caution when giving program access to your system32 directory (especially an FTP server).
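To see the parameter collision the first bullet describes, here is an added Python model (not EFT's code) of positional substitution: the n-th token the client sends after the command name replaces %n% in the switches defined on the EFT side. The allow-list check is a hypothetical addition that illustrates the last two bullets; EFT's own validation rules are not documented on this page.

```python
import re
from typing import List

# A token is either a double-quoted string (paths with spaces) or a run of
# non-whitespace characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
PLACEHOLDER_RE = re.compile(r"%(\d+)%")
# Hypothetical allow-list for client-supplied values: letters, digits,
# space, dot, backslash, colon, underscore and dash, optionally quoted.
SAFE_VALUE_RE = re.compile(r'^"?[\w .\\:-]+"?$')


def tokenize(params: str) -> List[str]:
    return TOKEN_RE.findall(params)


def build_command_line(eft_switches: str, client_params: str) -> str:
    """Model of EFT's positional substitution (assumption: %1%, %2%, ... are
    filled from the client's tokens in order). Raises ValueError when the
    client supplies a different number of tokens than there are slots,
    mirroring the 'wrong number of parameters' error the text mentions."""
    tokens = tokenize(client_params)
    slots = sorted({int(n) for n in PLACEHOLDER_RE.findall(eft_switches)})
    if slots != list(range(1, len(slots) + 1)):
        raise ValueError("placeholders must be numbered consecutively from %1%")
    if len(tokens) != len(slots):
        raise ValueError(f"expected {len(slots)} parameter(s), got {len(tokens)}")
    return PLACEHOLDER_RE.sub(lambda m: tokens[int(m.group(1)) - 1], eft_switches)


def check_client_parameters(tokens: List[str]) -> List[str]:
    """Hypothetical server-side check: client tokens are meant to be values,
    so anything that looks like a switch (the duplicated '-c' case) or
    contains characters outside the allow-list (cmd.exe metacharacters such
    as & | < > ^ %) is reported."""
    problems = []
    for t in tokens:
        if t.startswith(("-", "/")):
            problems.append(f"switch-like parameter {t!r}; hard-code switches on the EFT side")
        elif not SAFE_VALUE_RE.match(t):
            problems.append(f"parameter {t!r} contains characters outside the allow-list")
    return problems


if __name__ == "__main__":
    # The collision from the text: '-c' hard-coded on both sides.
    print(build_command_line("-c %1% %2%", "-c archive.zip"))        # -c -c archive.zip
    # Correct division of labour: switches on EFT, values from the client.
    print(build_command_line("-c %1% %2%", "archive.zip file.txt"))  # -c archive.zip file.txt
    print(check_client_parameters(tokenize("-c archive.zip")))
    print(check_client_parameters(tokenize('"C:\\Temp\\out.zip" a&b')))
```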

Viewing and Deleting Commands

Custom Commands defined on a Site appear in the left pane under the Commands node for the Site and in the right pane when the Commands node is selected. To create a command, refer to The Custom Command Wizard. On the Commands List tab, you can view, edit, delete, and add new Commands.

To view the Commands defined on a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, expand the Site node for the Site that you want to configure, and then click Commands.

The Commands appear under the Commands node.

The Commands List tab appears in the right pane.

Double-click a Command to view its properties.

To delete a command, do one of the following:

• In the right pane, click the Command in the Commands List, and then click Remove.

• In the left pane, click the Command, then press DELETE.

• In the left pane, right-click the Command, and then click Delete.


Enabling and Disabling Commands

You can enable and disable Commands as needed, without deleting them. When you create a new Command, the Enable this command check box is selected on the Command Settings tab.

To enable or disable a Command

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, expand the Site node for the Site that you want to configure, click Commands, and then click a Command in the tree. The Command's definition appears in the right pane on the Command Settings tab.

3. To disable the Command, clear the Enable this command check box, and then click Apply.

When the Command is disabled, an x within a red circle appears over the Command's icon.

4. To enable the Command, select the Enable this command check box, and then click Apply.

When the Command is enabled, the x within a red circle does not appear over the Command's icon.

Execute a Command (Run a Process)

You can configure EFT to run executables, batch files, and scripts automatically when specific events occur. EFT calls these Commands. When the Event Rule is triggered, EFT executes the specified custom command and attributes.

To execute a Command from EFT’s Event Rule system

1. Identify the Command you want to execute with the Event Rule or create a new custom Command using the procedure in Creating a Command. Or you can create a new Command later from within the Event Rule (in step 6 below).

2. Open the Event Rule with which you want to execute the Command or create a new Event Rule using the procedure in Defining Event Rules.

3. (Optional) If you need to apply any conditional behavior, click it in the Conditions list.

4. In the Actions list, double-click Execute command in folder. The Action is added to the Event in the Rule Builder.

Links in the Rule Builder indicate parameters that must be defined to save the Rule.

5. In the Rule Builder, click one of the underlined text links. The Execute Command dialog box appears.


6. In the Choose an existing or create a new Command list, click the list to select the command. (If you did not create the Command in step 1, click New to create the Command now.)

7. The Executable path and Executable switches and/or parameters boxes display the path and switches for the selected Command. (If you want to change anything, you will have to close this dialog box, apply any changes to the Event Rule, go edit the Command, then reopen the Event Rule to continue defining it.)

8. In the Working directory box, type the path or click the folder icon to specify the folder in which the script or executable resides, e.g., C:\EFTscripts. For mapped drives, use their UNC path. (File browse operations are disabled when you are connected remotely. You can't click the folder icon and browse, but you can type a path that is relevant to the EFT computer, not the remote interface.)

9. (Optional) In the Command parameters box, include any parameters for the command.

You can select items in the Context variables list to add them as parameters. For example, suppose you want to run a script on a file that was uploaded and triggered the Event Rule. You would type the script name and the tag %FS.FILE_NAME%, as shown below: dosomethingwithfile.vbs -file %FS.FILE_NAME%

Refer to Variables for details of available variables and how to use them.

EFT passes the complete variable along to the Command; however, due to limitations of some command-line applications, they may not be able to interpret the Command properly. In certain instances, such as when there is a semicolon in a file name, you may need to enclose the variable in quotation marks in the Command Parameters box after you insert it from the Context variables box.

10. Click OK to save the Command.

11. Add other Actions as needed, and then click Apply to save the Event Rule.


Command Permissions

(EFT Enterprise only) Certain delegated administrators have all permission (Write, Read, Delete, and Manage Permissions) to manage the Custom Commands. Granular permissions allow the EFT administrator to control which administrators have control over certain objects. For example, you might want to give the Site administrator permission to Manage Permissions, but give the Event Rules administrator only Read permission.

To edit permissions

1. Right-click the Commands node or a specific command, then click Permissions.

2. Clear the check boxes for the permission you do not want to assign; select the check boxes for the permissions that you want to explicitly Allow or Deny.

3. When you assign permissions at the Commands node, the permissions are inherited by the Commands. You can change the permissions for each of the Commands and for each administrator, if necessary.

4. Click OK.


Connection Profiles

Introduction to Connection Profiles

(EFT Enterprise only) A Connection Profile is a connection settings template to be used in Event Rules that contains the server connection settings. A profile includes the Profile Name, Description, and Connection details such as protocol, host address, credentials, proxy, socks, and so on. A Test button is provided to verify the specified connection options. After you've created the profile on the Site, you can specify it in Copy/Move and Download Actions so that you don't have to define it every time you create a Copy/Move or Download Event Rule. For more information about how the Connection Profiles are used, refer to Copy/Move (push) File to Host Action and Download (pull) File from Host Action.

To define a Connection Profile

1. Right-click the Connection Profiles node, then click New Connection Profile.

2. In the Connection Profile name box, provide a name for the profile.

3. In the Description box, provide a description for the profile.

4. In the Connection details area, click the Protocol list to specify a protocol for the connection: Local (Local File or LAN), FTP (standard File Transfer Protocol), FTP SSL/TLS (AUTH TLS), FTP with SSL (Explicit encryption), FTP with SSL (Implicit encryption), SFTP using SSH2 (Secure Shell), HTTP (HyperText Transfer Protocol), HTTPS (Secure HTTP access).


(Screenshots in the original show the Connection details area for each protocol group: Local/LAN; FTP, HTTP; protocols that use SSL; SFTP with SSH.)

5. If you selected Local (Local Files or LAN), provide the Windows account username and Password for connecting to remote shares (not local folders). These credentials are used only if/when a resource cannot be accessed using the credentials under which the EFT service is running. The Optional credentials override boxes allow you to specify an alternate set of logon credentials for accessing remote network shares to which the EFT service account may not have access (due to security constraints). If alternate credentials are specified, EFT will use its current security token (associated with the "Log on as" account specified in the EFT service settings) for local folder access and then a new security token (associated with the alternate logon credentials) for the remote source folder accessed over network connections (e.g., network shares).

6. If you chose anything except Local, do the following:

a. In the Host address box, type the IP or host address of the EFT to which you want to connect.

b. The Port number for the selected protocol changes automatically based on the offload method. Provide a different port number, if necessary.

c. In the Username and Password boxes, type the username and password used to authenticate.

7. If you chose SFTP, provide the client SFTP certificate information.

8. If you chose a protocol that uses SSL (FTPS or HTTPS), provide the client SSL certificate information.

9. Select the Use connected client's login credentials to authenticate check box if you want to use the local system account to authenticate. The availability of this check box is controlled by the Persist username and password credentials for use in Event Rule context variables check box on the Site's Security tab.

10. If you connect to EFT through a proxy server, click Proxy and then specify the Proxy type, Host name, Port, Username, and Password.

Using the DMZ Gateway as proxy is available only in the Enterprise edition of EFT. For security best practices, selecting PORT mode in the Advanced Options dialog box below is not allowed when brokering outbound connections through DMZ Gateway.


11. (Optional) To specify an Authentication Type and login sequence, in the Proxy Settings dialog box, click Advanced. You must have selected FTP Proxy or HTTP Proxy in the Proxy Settings dialog box to specify advanced settings.


Specify one of the following Authentication Types:

USER user@site if your proxy server requires the USER command followed by your user name and the Site name to allow connection with a remote Site. You can change the @ symbol if a different separator is required by your proxy server.

SITE site if your proxy server requires the SITE command followed by the address of the remote FTP site to allow a connection.

USER with logon if your proxy server requires the USER command followed by a user name and password to allow connection with a remote Site.

USER/PASS/ACCT if your proxy server requires all three commands before allowing a connection to a remote Site.

OPEN site if your proxy server requires the OPEN command followed by the Site name before allowing connection to the Site.


Custom if your proxy server requires a login sequence different from those above. Refer to the procedure below for details of creating a custom authentication method (login sequence).

To create a custom authentication method for a proxy server

i. In the Advanced Proxy Settings dialog box, click Custom, then specify the login sequence in the text box using the following variables: %host%, %user%, %pass%, %port%, %fire_pass%, %fire_user%. Be sure to type each variable with percent signs before and after, and press ENTER to separate commands.

ii. Type any other commands and variables, separating commands with a line break (press ENTER).

iii. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

Contact your system administrator for the proper Host name, Port, User name, Password, and proxy type, as well as any required advanced authentication methods.

12. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

13. (Optional) If you connect to EFT through a Socks server, click SOCKS.

a. Specify the Socks Type (SOCKS4 or SOCKS5).

b. Specify the Host name and Port.

c. If you specified SOCKS5 and the server requires authentication, select the Use Authentication check box, then provide a Username and Password.

d. Click OK to save the changes and close the SOCKS Settings dialog box.

14. (Optional) To configure advanced transfer options, in the Connection Profile, click Advanced. The Advanced Options dialog box appears.


a. In the General transfer options area, you can provide more control over Max concurrent transfer threads, Connection timeout, Connection retry attempts, and Delay between retries. When files are being transferred with Event Rules (copy/move), if there are connection problems (e.g., the network is unavailable), EFT will attempt to establish a connection the number of times specified in Connection retry attempts. When EFT is able to re-establish the connection, it continues to transfer the file even if there are multiple interruptions.

b. In the Use the following local IP for outbound connections box, click the menu to specify an IP address. If the computer has multiple IP addresses available and/or both IPv4 and IPv6 addresses, you can let EFT choose which IP address to use or you can specify which one it is to use.

c. Select the Validate file integrity after transfer check box to specify that EFT should double check binary files to ensure the files downloaded completely and correctly. (Not applicable to SFTP.)

d. In the Data port mode box, click the drop-down list and select one of the following (not applicable to SFTP):

Auto—When Auto is selected, EFT initially makes connections in PASV mode. If the PASV connection fails, EFT attempts to connect in PORT mode automatically.

Port—When Port mode is selected, EFT opens an additional port and tells the remote server to connect to <IP:PORT_RANGE> to establish a data connection. This is useful when the server is behind a firewall that closes all unnecessary ports. If you select this mode, specify the port range from which the client will choose.

Pasv—When Pasv mode is selected, EFT tells the remote server to provide <IP:PORT> to which EFT can connect to establish a data connection. This is useful when a client is behind a firewall that closes all unnecessary ports, and helps avoid conflicts with security systems.

e. Select the Clear command channel check box to send FTP commands in clear text. (Only available when FTPS is specified.)

f. Select the Clear data channel check box to transfer files without encryption. (Only available when FTPS is specified.)

g. In the ASCII transfer mode area, specify the file types that can be transferred. TXT, INF, HTML, and HTM are specified by default. If an asterisk (*) is specified, all files are downloaded in ASCII mode, even if that file doesn't have an extension. (To conserve Unicode file content, you must transfer the file using binary transfer mode. To force download in binary, clear the file types box.)

h. In the Time stamps area, select one of the following:

• Select the Preserve remote time stamp for downloaded files check box to keep the time stamp the same on the destination file as it is on the remote file.

• Select the Preserve the local time stamp for uploaded files if the server allows MDTM check box to keep the time stamp the same on the remote file as it is on the source file. (Not applicable to SFTP.)

i. Click OK to accept the changes and close the Advanced Options dialog box.

15. In the Connection Profile, click Test to verify the connection settings.


Event Rules (Automation)

These topics provide the procedures for defining and using Event Rules in EFT.

Introduction to Event Rules

Event Rules are based on a simple premise: an event occurs that triggers an action. In the EFT administration interface or with the COM API, you specify Actions to occur when an Event takes place. You can also specify one or more Conditions that must exist before an Action is taken or that change the Action that is taken.

For example, suppose you have a folder into which remote partners can drop files. In EFT Enterprise, you can set up an Event Rule that monitors that folder, and when someone puts a file into that folder, EFT can encrypt that file, move it into another folder, and then send e-mails to anyone you specify informing them that a file has been moved. You can also set up a Rule that only moves certain files. For example, you can configure the Rule to move only the files with "Important" in the name, or you can route certain files to different folders.

Two administrators can work on Event Rules at the same time, but if they are working on the same Rule at the same time, when one administrator saves a Rule, the other administrator will get a notice when he clicks Apply saying that the changes could not be saved because changes have been made by someone else. The administrator who receives that message will have to refresh (View > Refresh or press F5) to see the other changes, and then make any changes to the Rule again.

Sample Logic

You can easily create complex programmatic Event Rules in EFT's administration interface. The Event Rule system contains objects that you click to add to the Rule builder, and then you click within the Rule to modify parameters and add variables. Below are some examples of logic you can create (in pseudo code). Refer to Events (Triggers) and Examples for examples of creating these rules in the Rule Builder.

(In the examples below, "ON FILE UPLOAD" is the Event trigger; the "if" statements are Event Rule Conditions; "PGP" and "MOVE" are Event Rule Actions.)

Always run an Action if an Event occurs:

ON FILE UPLOAD
{
    PGP Encrypt %FS.PATH%
}

Conditionally run an Action if an Event occurs (IF-THEN statement):

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" )
    {
        PGP Decrypt %FS.PATH%
    }
}

Multiple IF-THEN statements (if something, do this; if something else, do that):

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" )
    {
        PGP Decrypt %FS.PATH%
    }
    if ( %FS.FILE_NAME% = "*.zip" )
    {
        MOVE %FS.PATH% to "%FS.PATH%\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\"
    }
}

Else statements (if preceding Condition is not met, do something):

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" )
    {
        PGP Decrypt %FS.PATH%
    }
    else
    {
        MOVE %FS.PATH% to "%FS.PATH%\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\"
    }
}

Run always Action (Action that will always run when the Event occurs even if preceding IF-THEN-ELSE statements are true):

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" )
    {
        PGP Decrypt %FS.PATH%
    }
    else
    {
        MOVE %FS.PATH% to "%FS.PATH%\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\"
    }
    MOVE "%FS.PATH%\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\*.*" to https://somehost/%USER.LOGON%/
    SEND NOTIFICATION e-mail TO %user.email%
}

Run the same Action more than once:

ON FILE UPLOAD
{
    SEND NOTIFICATION e-mail TO [email protected]
    SEND NOTIFICATION e-mail TO %user.email%
}


Create compound conditional statements supporting AND and OR logical operators:

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" ) || ( %FS.FILE_NAME% = "*.encrypted" )
    {
        PGP Decrypt %FS.PATH%
    }
    else
    {
        MOVE %FS.PATH% to "%FS.PATH%\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\"
    }
    SEND NOTIFICATION e-mail TO %user.email%
}
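The pseudo code above maps onto a small interpreter. The Python below is an added example (not EFT's code and not its rule engine) that models a rule body as nested branches with wildcard Conditions, walks it synchronously, and expands %VARIABLE% tags from a constructed event context; the rule encoded is the compound example just above, and the earlier examples follow the same pattern.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Union

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_.]*)%")


def expand(template: str, ctx: Dict[str, str]) -> str:
    """Replace %TAG% with the context value; tag names are case-insensitive
    (the text writes %FS.PATH% and %user.email%). Unknown tags are left in
    place so a misspelt variable is visible in the executed Action."""
    return VAR_RE.sub(lambda m: ctx.get(m.group(1).upper(), m.group(0)), template)


@dataclass
class Match:
    """A Condition such as ( %FS.FILE_NAME% = "*.pgp" ); the comparison is a
    case-insensitive wildcard match, as file names on Windows are."""
    variable: str
    pattern: str

    def holds(self, ctx: Dict[str, str]) -> bool:
        return fnmatch.fnmatchcase(ctx.get(self.variable, "").lower(), self.pattern.lower())


@dataclass
class AnyOf:            # compound Condition joined with ||
    terms: List[Any]

    def holds(self, ctx: Dict[str, str]) -> bool:
        return any(t.holds(ctx) for t in self.terms)


@dataclass
class AllOf:            # compound Condition joined with &&
    terms: List[Any]

    def holds(self, ctx: Dict[str, str]) -> bool:
        return all(t.holds(ctx) for t in self.terms)


@dataclass
class Branch:           # if ( ... ) { then } else { otherwise }
    condition: Any
    then: List[Any]
    otherwise: List[Any] = field(default_factory=list)


Body = List[Union[str, Branch]]   # Actions are plain strings, expanded when run


def run_rule(body: Body, ctx: Dict[str, str], trace: Optional[List[str]] = None) -> List[str]:
    """Walk the rule body top to bottom and return the Actions executed, in
    order. Everything runs synchronously, as the text says of the Event
    dispatcher, so an Action placed after the if/else block always runs."""
    if trace is None:
        trace = []
    for item in body:
        if isinstance(item, Branch):
            run_rule(item.then if item.condition.holds(ctx) else item.otherwise, ctx, trace)
        else:
            trace.append(expand(item, ctx))
    return trace


# The compound rule from the text: decrypt *.pgp or *.encrypted, otherwise
# move the file into a timestamped subfolder, and always notify the user.
COMPOUND_RULE: Body = [
    Branch(
        AnyOf([Match("FS.FILE_NAME", "*.pgp"), Match("FS.FILE_NAME", "*.encrypted")]),
        then=["PGP Decrypt %FS.PATH%"],
        otherwise=['MOVE %FS.PATH% to "%FS.PATH%\\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%\\"'],
    ),
    "SEND NOTIFICATION e-mail TO %user.email%",
]


def upload_context(file_name: str) -> Dict[str, str]:
    """Constructed ON FILE UPLOAD context for a user named jbite (the folder
    path follows the examples in the text; the timestamps are made up)."""
    return {
        "FS.FILE_NAME": file_name,
        "FS.PATH": r"C:\InetPub\EFTRoot\MySite\Usr\jbite" + "\\" + file_name,
        "EVENT.DATESTAMP": "20151221",
        "EVENT.TIMESTAMP": "143000",
        "USER.EMAIL": "jbite@example.com",
    }


if __name__ == "__main__":
    for name in ("invoice.encrypted", "report.zip"):
        for action in run_rule(COMPOUND_RULE, upload_context(name)):
            print(action)
```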

It is possible to configure Event Rules that create infinitely recursive cycles. Because all Event Rules operate synchronously, a file upload Event cannot be completed until all corresponding Event Actions are finished. This could lead to unpredictable server behavior due to conflicts with shared access to the same files or deleting open files. Be careful not to create circumstances where such recursive cycles might occur. For file upload Events, recursive cycles are not typical. It is recommended that you move files on the same server using the file system, not FTP.

Event Rule Order of Execution

Almost all of EFT's Event Rule Actions are executed synchronously (i.e., execute 1, wait until it finishes, execute 2, wait until 2 finishes, execute 3 … etc.), because there may be Actions that follow that depend on the prior Action completing successfully. Each Action is completed before continuing to the next, with a few exceptions, which are described below (Timer Rules, Monitor Folder Rules, and Rules that use the Execute Command Action or AWE Action).

If you create more than one Event Rule for a single type of Event trigger (e.g., Monitor Folder), EFT prioritizes the Rules in the order they appear in the Rule list. You change the priority by moving a selected Rule up or down in the Rule list. The Rule list is grouped by Rule type. You can only prioritize the Rules within a Rule type. For example, you cannot move an On Folder Monitor Rule above an On Scheduler (Timer) Event Rule, but you can prioritize the Rules within the Rule type (e.g., place one Timer Event to occur before another Timer Event).

To change the priority of a Rule

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure, then click Event Rules. The Rule list appears in the right pane.

3. In the right pane, select the Event Rule you want to move.

4. To reorder the Event Rules, under Rule Priority, click Higher and Lower.


Event Rule Sequence for Matching Event Rules

One or more Event Rules may be triggered when Conditions are met. For Event Rules with duplicate Event trigger definitions and Conditions, but with different Actions, the order of execution is sequential according to the sort order defined in the interface.

Event Rule Sequence for Matching Timer or Folder Monitor Rules

This sequential firing of duplicate Event Rules applies to almost all of EFT’s supported Events. However, the Monitor Folder and Timer Event Rules are executed asynchronously (i.e., not at the same time).

When you stop the Site or the Server service, EFT breaks all existing connections and waits until all socket threads die. The service can terminate when Timer Event processing is still in progress. The triggering of Monitor Folder and Timer Event Rules occurs almost simultaneously and is controlled by the operating system, not by EFT.


Event Rule Sequence for Matching Folder Monitor Rules

As mentioned above, matching Timer and Monitor Folder Events are not executed at the same time.

However, Monitor Folder "threads" are limited to 3 concurrent threads by default. This means that if you have 5 Monitor Folder Event Rules monitoring the same folder and a file is added to the monitored folder, only 3 of the 5 Rules will fire, as determined by the operating system. The 4th and then 5th Rule execute only when one or more of those 3 threads are done firing and executing any actions.

Order in which Actions are Executed

EFT executes Event Rules according to whatever synchronicity applies to that Event Rule. For example:

• Triggering an Execute Command Action is asynchronous, unless the "If Failed" sequence has an Action defined for that Command.

• Move, copy, and download operations are synchronous.

• OpenPGP operations are synchronous and cause the Event dispatcher to wait until the operation is finished before moving on to the next Action/Condition.

• E-mail notifications are synchronous up to the point of generating the contents of the e-mail and putting the data into a queue. However, EFT has a separate thread that manages the e-mail notification queue to pick up ready messages and send them to the destination server. Therefore, e-mail notifications are roughly asynchronous.

Execute Command Actions and Execute Advanced Workflow Actions execute asynchronously, which means that EFT does not wait for a reply before returning control to the Event Rule thread, unless an "if failed" Condition is specified, such as Stop Processing this Rule. If an "if failed" Condition is specified, regardless of whether the Command succeeded or failed, the Event Rule processor waits for a return message from the invoked process before moving on to the next Rule.


Example: Command Action Followed by OpenPGP Action

A common Event Rule scenario is downloading a file, running a script against that file (either with an Execute Command Action or an Execute Advanced Workflow Action), then encrypting or decrypting the file.

In the illustrations below, an Event Rule has three Actions: first an SFTP get (download a file from the Remote Server), followed by an Execute Command Action that runs a script (cscript.exe), followed by an OpenPGP Action.

In Example 1, an "If failed" Condition was not defined for the Command, so when the Command executes, the next Action (PGP) is called almost immediately after the script is called. If you are doing a transform on the file you just retrieved that must be completed PRIOR to the OpenPGP operation, the potential risk is that there will be a race condition and likely OpenPGP will lose; that is, the pretransformed file will be OpenPGPed or the Action will fail because the script has locked the file for some reason.


In Example 2 we've added the "If failed" Condition so that the OpenPGP Action does not start until after the Command has finished running the script.
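The two illustrations are not reproduced here, so the following Python is an added model (not EFT's dispatcher) of the sequence they show: an SFTP get, an Execute Command Action that runs a transform script, then an OpenPGP Action. Without an "If failed" Condition the command returns control immediately, so the OpenPGP step sees either the untransformed file or a lock held by the still-running script; with the Condition the dispatcher waits for the script's exit. The script name, file contents and lock behaviour are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Dispatcher:
    """Minimal model of the Event Rule thread for this scenario."""
    file_content: str = ""
    script_running: bool = False        # models a lock the script may hold
    background: List[Callable[[], None]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def sftp_get(self, name: str) -> None:
        self.file_content = f"raw:{name}"          # constructed file body
        self.log.append(f"download {name}")

    def execute_command(self, script: str, wait_for_exit: bool) -> None:
        """Execute Command Action. wait_for_exit=True models an "If failed"
        Condition being defined (the dispatcher waits for the return code);
        False models the default asynchronous behaviour."""
        self.script_running = True

        def job() -> None:
            # The script transforms the file in place, then releases it.
            self.file_content = f"transformed({self.file_content})"
            self.script_running = False

        if wait_for_exit:
            job()
            self.log.append(f"{script} finished")
        else:
            self.background.append(job)            # keeps running after we return
            self.log.append(f"{script} started, not awaited")

    def pgp_encrypt(self, script_locks_file: bool) -> str:
        """OpenPGP Action: synchronous. If the script still holds the file
        open, the Action fails; otherwise it encrypts whatever is on disk now."""
        if self.script_running and script_locks_file:
            self.log.append("pgp: file locked")
            return "ERROR: file locked by running script"
        self.log.append(f"pgp encrypt {self.file_content!r}")
        return f"PGP({self.file_content})"

    def drain(self) -> None:
        """Let background jobs complete (after the rule has already moved on)."""
        while self.background:
            self.background.pop(0)()


def run_example(if_failed_defined: bool, script_locks_file: bool = False) -> str:
    """Example 1 is if_failed_defined=False; Example 2 is True."""
    d = Dispatcher()
    d.sftp_get("invoice.txt")
    d.execute_command("cscript.exe transform.vbs", wait_for_exit=if_failed_defined)
    result = d.pgp_encrypt(script_locks_file)
    d.drain()
    return result


if __name__ == "__main__":
    print("Example 1:", run_example(False))        # PGP(raw:invoice.txt)
    print("Example 1, locked:", run_example(False, script_locks_file=True))
    print("Example 2:", run_example(True))         # PGP(transformed(raw:invoice.txt))
```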

Defining Event Rules

To define Event Rules in the administration interface, you begin with an Event you want to use as a trigger for the Event Rule. The Event could be when someone uploads a file, when a user quota is exceeded, when a change is detected in a folder, or many other Event triggers. Then you specify an Action to be taken when the Event occurs. The Action could be sending an e-mail to someone, encrypting a file, moving a file, or all three together. Optionally, you can then define Conditions that must be met for the Action to be taken. You can even branch the Actions and define one Action to be taken if specified criteria are met. You do this using standard If>Else logic.

To define an Event Rule

1. In the administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• Right-click on the Server tab, and then click New Event Rule.

• On the Server tab, expand the Site you want to configure, and then click Event Rules. In the right pane, click New.

• On the main menu, click Configuration > New Event Rule.

The Create New Event Rule dialog box appears.


3. In the Event Rule name box, type a descriptive name for the Rule. This name will appear in the Event Rules node and in reports and logs. Therefore, name it something you will recognize, rather than something generic such as "Rule #24."

4. In the Description box, provide any notes about the Rule, such as "Periodically move and delete accounting files." You can edit these notes later in the Comment area for the Rule, if necessary.

5. In the Select event trigger box, click the Event you want to use as the basis of the Event Rule, such as Folder Monitor. For a description of the available Event triggers, refer to Events and Available Variables.

6. Click Create. The Create New Event Rule dialog box closes and the Conditions and Actions available for the Event Rule are displayed.

7. Conditions are optional. Available Conditions for the specified Event trigger appear in the Conditions list. When applicable to the Event Rule, the Else option also appears. To add a Condition to the Rule, double-click the Condition, or click to select it, and then click Add Condition.

Not all Conditions that EFT supports are available for every Event. To learn more about available Conditions, refer to Event Rule Conditions.

8. Available Actions for the specified Event trigger display in the Actions list. To add an Action to the Rule, double-click it or click the Action, and then click Add Action. To learn more about Actions, refer to Event Rule Actions.

As you add Conditions and Actions, they appear in the Rule Builder.


9. In the Rule Builder, click the underlined text to specify the parameters used in the definition of the Event Rule. You can also reorder the sequence of the Rule logic using the blue up/down arrows, or by clicking the Action or Condition and dragging it to the new location.

10. Click Apply to save the changes on EFT. EFT will not save the Rule unless it is adequately defined. Links displayed in the Rule box are parameters that must be defined before you can save and apply the Rule.

11. After the Rule is defined, click the Event Rules node in the Server tree in the left pane. In the right pane, each of the Rules defined on the Site appear.

12. In the right pane, in the Rule List, click a Rule. Comments for the Rule appear beneath the Rule List in the Comment box and the definition of the Rule (the Conditions and Actions defined) appears in the Rule overview box.

• To edit the notes in the Comment box, click in the box and type or paste the changes.


• To manage the Rules (edit, delete, clone, reorder), click the controls on the right. Refer to Managing Event Rules for details.

13. To delete a Rule, click to select it in the Event Rules node, and then click Remove at the bottom of the right pane or on the toolbar. A confirmation message appears. Click Yes to confirm or click No or Cancel to not delete the Rule.

Managing Event Rules

When you click the Event Rules node for a Site, the right pane provides controls for managing the Event Rules defined for that Site. Using this interface, you can do the following:

Edit - You can fine tune your Rules by adding, editing, deleting, and rearranging Conditions and Actions.

Delete - If an Event Rule is no longer needed and you are sure you will not need it again in the future, you can delete it. However, you can also disable the Rule so that, if you need the Rule again, you can simply enable it.

Clone - You can create a copy of a Rule and modify it to your needs. You can then rename the Rule.

Prioritize - If you create more than one Rule for a single type of Event, EFT prioritizes the Rules in the order they appear on the Event Rules list. You can rearrange them using the Rule Priority buttons.

Disable - If you want to disable a Rule temporarily without deleting it, you can disable it by clearing the Enable this rule check box.

Rename - You can rename an Event Rule.

To manage the Event Rules

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure, and then click Event Rules. The list of configured Event Rules appears in the Event Rules node and in the right pane in the Rule list.


3. Click the Event Rule you want to change, and then click Edit, Delete, or Clone. The right pane updates to display the details specific to that Event Rule.

Event triggers are indicated by a green triangle icon.

Conditions are indicated by a blue question mark icon.

Else Conditions are indicated by a green question mark icon.

Actions are indicated by their associated icons.

To edit an Event Rule

a. To add a Condition to a Rule, click a Condition from the Conditions list, then click Add Condition. The Condition appears in the Rule pane below the current highlighted insertion point. You can add multiple Conditions to a single line and create AND/OR criteria.

b. To add an Action to a selected Condition, click it in the Actions list, and then click Add Action. The Action appears in the Rule pane below the highlighted Condition.

c. Configure the Condition or Action by clicking the underlined variables (red or blue underlined text).

d. You can reorder Conditions and Actions by dragging them where you want them and using the up and down arrows.

e. Click Apply to save the changes on EFT.


To delete an Event Rule

a. In the right pane, click Delete. A confirmation message appears.

b. Click Yes. The Rule is deleted from the Site.

To clone an Event Rule

a. In the right pane, click Clone. A clone of the Rule opens in the Event Rule editing pane and is added to the Rules list.

b. Edit the copy of the Rule as needed, and then click Apply to save the changes on EFT. Your new Rule appears in the Event Rules node with "Copy" appended to the name.

c. To rename the Rule, in the left pane, right-click the Rule, and then click Rename.

To change the priority of a Rule

a. In the right pane, click the Rule you want to move.

b. Under Rule Priority, click Higher or Lower.

Refer to Event Rule Order of Execution for details of changing the priority of a Rule.

To disable an Event Rule

a. In the right pane, clear the Enable this rule check box.

b. Click Apply to save the changes on EFT.

To re-enable an Event Rule

a. In the right pane, select the Enable this rule check box.

b. Click Apply to save the changes on EFT.

To rename an Event Rule

a. In the Event Rules node, do one of the following to make the name editable:

• Right-click the Event Rule, and then click Rename.

• Click the Event Rule, and then click it again. (Do not double-click it.)

b. Type the new name, then press ENTER or click away from the name. The name is changed.

Event Rule Permissions

(EFT Enterprise only) Permission to manage various aspects of the Event Rule system must be explicitly given to delegated administrators. (Server administrators have all permissions to Event Rules.)

Granular Event Rule permissions allow the EFT administrator to control which administrators have control over certain objects.

For delegated administrators to have Allow permission for ALL Event Rules, the Server administrator must configure permissions at the Event Rules node. To assign permissions only on certain Event Rule folders or only on certain Event Rules, right-click the folder or Event Rule, then click Permissions.


To manage permissions

1. Log in as the Server administrator.

2. Right-click the Event Rules node, an Event Rules folder, an Event Rule, the Advanced Workflows node, or a Workflow, then click Permissions. The Permissions dialog box appears. (The text in the title bar of the dialog boxes changes depending on which item in the tree you clicked.)

3. Click Add to specify the Permission Group or user account.

4. Select the check boxes of the permissions that you want to Allow or Deny.

5. Click OK.

6. The permissions assigned at the node level and at the folder level are inherited by the items in the node or folder. You can then, as needed, edit the permissions for specific Event Rules, Workflows, or Event Rule folders.

Event Rule Folders

(EFT Enterprise only) Event Rules can be organized into folders for easier management and organization. You can also apply permissions to an Event Rule folder that apply to all Event Rules in that folder. You can "drag and drop" Event Rules into a folder, and create new Event Rules within a folder.

(You cannot create subfolders in folders.)

To create an Event Rule folder

1. Click the Event Rules node or an Event Rule, then click New Event Rule Folder. (NOTE: If you right-click an Event Rule and then click New Event Rule Folder, the selected Event Rule is NOT placed in the folder.) The New Event Rule Folder dialog box appears.


2. Provide a name for the folder, then click OK.

3. Click Apply.

4. Now you can click and drag Event Rules into your new folder.

Event Rules Change Log

The Event Rules Change Log is used to record changes made to the Event Rules. For example, if three different administrators on three different shifts are making updates to the Event Rules or creating new Event Rules, logging these changes in the log ensures that all responsible parties are aware of the changes. Over time, this also creates a history of changes. NOTE: The Change Log only indicates changes made to existing Event Rules. It does not document the creation of an Event Rule. That is, if you've created a Rule and have never made any changes to it, it will not show up in the log.

You must first enable the Change Log on the Server's Administration tab before changes can be recorded.

To enable and use the Change Log

1. On the Server's Administration tab, under Event Rule Change Log, click On.

2. Select the Require description check box to require that changes contain descriptions. Without this check box selected, you can still add a description, but it is not required.

3. When the Change Log is enabled and you make a change to an Event Rule, a message appears that tells you to provide a change description.

4. Click OK. The Enter change description box is enabled.


5. Provide a description of the change, then click Apply.

To view the Change Log

1. Open the Rule in the Rule Builder

2. Click Change Log. The log appears.


The log displays the name of the Event Rule, the date/time of the change, the name of the user who changed it, and the description if one was entered.

By default, only the selected Event Rule, all users, and changes on today's date are displayed.

You can choose to show changes for all Event Rules, specific users, and a date range, then click Apply.

3. Click Exit when you're finished.


Exporting and Importing Event Rules

(EFT Enterprise only) When moving an installation of EFT from staging to production, the biggest issue is moving the Event Rules. When you do a Server Backup, all of the Event Rules are copied. Often, however, you don't want ALL of the Event Rules moved to production, just certain ones. With the import/export feature, you can export just the Event Rules that you want, save them as an XML file, edit them as needed, and import them into another EFT installation.

To export Event Rules

1. Right-click the Event Rule that you want to export, then click Export Event Rule. The Windows Save As dialog box appears.

2. Click Save. The Event Rule is saved as an XML file with the name you gave it. A message appears to confirm that it was saved.

3. You can view and edit XML files in a text editor, such as Notepad.


To import Event Rules

1. Right-click the Event Rule that you want to import, then click Import Event Rule. The Windows Open dialog box appears.

2. Click Open. The Event Rule is added to the Event Rules node. A message appears to confirm that it was imported, and you are offered the option to view the log.

3. If an Event Rule exists with the same name as the one being imported, a number is added to the name.

4. After the Event Rule is imported, you can drag and drop it into a folder, edit it, and so on, just like any other Event Rule.


Variables

EFT uses context variables to pull data from the database. The variable contains specific information about an Event. You can use the variables below in Event Rules, e-mail notifications, Commands, and Advanced Workflows.

Scheduler (Timer) Rule Variables - Used for Scheduler (Timer) Rules (For file operation triggers, use File System Variables.)

Connection Variables - IP address, port, etc. for connecting to EFT

Event Variables - Name, date, time, reason, etc. for Event trigger

File System Variables - File name, date, size, path, etc. that was transferred; also report name and content

Server Variables - Server status, logs, and computer name

Site Variables - Site URL and status

User Variables - User name, login information, etc.

AS2-Related Variables - Status of AS2 transfers (available only in AS2-related Event triggers)

Workspaces-Related Variables - Virtual/physical path, owner, and so on.

In the AWE module, variables cannot contain periods; therefore, in each variable that contains a period, the period is replaced with an underscore. For example, %CONNECTION.LOCAL_IP% is %CONNECTION_LOCAL_IP% in the AWE module.

How to Use the Variables

In the Variables box, click a property that you want to insert.

• If you just want the information contained in the variable, click the variable in the right column of the Variables box.

• If you want the information and a label, click the text in the left column of the Variables box.

For example, if you click Event Time in the left column the label "Event Time" and the time are displayed.

If you select %EVENT.TIME% in the right column, the time will be displayed without a text label.

For example, when you create an Event Rule, you can configure an e-mail to be sent when the Event occurs. In the Edit Mail Template dialog box, you can send the default e-mail or you can add one or more variables listed in the Variables box at the bottom of the e-mail. Each of the variables defined in EFT is described below; however, not all of the variables described below are available in the e-mail notification. In the e-mail notification, you can specify to display the text along with the value of the variable (e.g., File Creation Date: 8/28/2007), or just the value of the variable (e.g., 8/28/2007).


Suppose you configured this e-mail notification:

You then uploaded a file on August 28, 2007 at 10:01:56. The e-mail would appear similar to the following:

This message was sent to you automatically by EFT on the following Event: File Uploaded.

Event Time: 28 Aug 07 10:01:56

File Creation Date: 8/28/2007

File Creation Time: 10:01:56

Event Date Stamp: 20070828

Event Time Stamp: 100156


In Event Rules and Commands with a defined path or filename, do not use variables that add invalid filename characters, such as a slash, colon, parenthesis, etc.

For example, you cannot use %FS.FILE_CREATE_DATE% and %FS.FILE_CREATE_TIME% for file naming, because the output of these variables is DD/MM/YYYY and HH:MM:SS and the forward slash (/) and colon (:) are not valid characters for filenames.

In most cases, the file created date and time is the same as the Event triggered time, therefore you can use %EVENT.DATESTAMP% (YYYYMMDD) and %EVENT.TIMESTAMP% (HHMMSS) when renaming files (because they do not use invalid characters), and %FS.FILE_CREATE_DATE% and %FS.FILE_CREATE_TIME% for email notifications.

For example, suppose an OnUpload Event Rule causes an Offload Action that moves myfile.txt to the following path:

C:/Inetpub/EFTRoot/Site1/Usr/jsmith/%EVENT.DATESTAMP%_%FS.FILE_NAME%

The resulting path is:

C:/Inetpub/EFTRoot/Site1/Usr/jsmith/20070728_myfile.txt
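The two rules above (periods become underscores in the AWE module, and a variable whose value carries a slash or colon must not be used in a file name) are easy to check mechanically before a Rule goes live. The following Python is an added example, not code from the manual or from GlobalSCAPE: it expands %NAME% tokens from a constructed context built from the manual's sample values, rewrites a token for the AWE module, and refuses to build a file name from any variable whose value would introduce a character Windows does not accept in a file name (the full character set used for that check is my own choice; the manual only names slash and colon as examples).

```python
import re

# Characters Windows does not allow in a file name, plus ASCII control characters.
# The manual names slash and colon as examples; the full set is my own choice.
INVALID_FILENAME_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}

# One EFT-style %NAME% token; names may contain periods and underscores.
VAR_RE = re.compile(r"%([A-Z0-9_.]+)%")


def expand_template(template, context):
    """Replace each %NAME% token with context[NAME]; unknown tokens are left as-is."""
    return VAR_RE.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def awe_variable_name(token):
    """Rewrite a token the way the AWE module expects it (periods become underscores),
    e.g. %CONNECTION.LOCAL_IP% -> %CONNECTION_LOCAL_IP%."""
    return token.replace(".", "_")


def unsafe_filename_variables(template, context):
    """Return {variable: [offending characters]} for every variable in the template
    whose expanded VALUE would put an invalid character into a file name. Only the
    variable values are inspected; the template's own path separators are fine."""
    unsafe = {}
    for name in VAR_RE.findall(template):
        value = str(context.get(name, ""))
        hits = sorted(set(value) & INVALID_FILENAME_CHARS)
        if hits:
            unsafe[name] = hits
    return unsafe


def render_filename_template(template, context):
    """Expand a path/file-name template, refusing if any variable value would
    introduce an invalid file-name character."""
    unsafe = unsafe_filename_variables(template, context)
    if unsafe:
        raise ValueError(f"variables unsafe for a file name: {unsafe}")
    return expand_template(template, context)


# Constructed sample context, using the values from the manual's own examples.
SAMPLE_CONTEXT = {
    "EVENT.DATESTAMP": "20070728",
    "EVENT.TIMESTAMP": "100156",
    "FS.FILE_NAME": "myfile.txt",
    "FS.FILE_CREATE_DATE": "8/28/2007",
    "FS.FILE_CREATE_TIME": "10:01:56",
}

if __name__ == "__main__":
    good = "C:/Inetpub/EFTRoot/Site1/Usr/jsmith/%EVENT.DATESTAMP%_%FS.FILE_NAME%"
    print(render_filename_template(good, SAMPLE_CONTEXT))
    bad = "C:/Inetpub/EFTRoot/Site1/Usr/jsmith/%FS.FILE_CREATE_DATE%_%FS.FILE_NAME%"
    print(unsafe_filename_variables(bad, SAMPLE_CONTEXT))
```

Checking the expanded values rather than the template text is deliberate: the template may legitimately contain path separators, while a variable value that contains one would change where the file lands, so the check fails closed on the value.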

Connection Variables

Text Displayed | Variable | Description
Local IP | %CONNECTION.LOCAL_IP% | Local IP address used to connect
Local Port | %CONNECTION.LOCAL_PORT% | Local port used to connect
Protocol | %CONNECTION.PROTOCOL% | Protocol used to connect
Remote IP | %CONNECTION.REMOTE_IP% | Remote IP address used to connect
Using Web Transfer Client | %CONNECTION.USING_WEB_TRANSFER_CLIENT% | Indicates whether the user connected via the Web Transfer client
HTTP Query String (EFT Enterprise only) | %CONNECTION.HTTP.QUERY_STRING% |
HTTP Headers List (EFT Enterprise only) | %CONNECTION.HTTP.HEADERS_LIST% |

Event Variables

Text Displayed | Variable | Description
Event Date Stamp | %EVENT.DATESTAMP% | Date that the Event was triggered, e.g., 20070828 (suitable for file naming)
Event Full Name | %EVENT.EVENTNAME% | User-defined name for the Event Rule (e.g., My File Renamed Event Rule)
Event Monitor Health | %EVENT.MONITORHEALTH% | Health of network share
Event Name | %EVENT.NAME% | Server-defined name for the Event trigger (e.g., File Renamed)
Event Reason | %EVENT.REASON% | Action completed successfully or Action Failed
Event Time | %EVENT.TIME% | Date and time that the Event was triggered, e.g., 28 Aug 07 10:01:56 (This variable is not suitable for file naming because of the colons; use %EVENT.DATESTAMP% and %EVENT.TIMESTAMP% when using variables for a filename.)
Event Time Stamp (including milliseconds) | %EVENT.TIMESTAMP_PRECISE% | Time to the millisecond when the Event was triggered (e.g., Event Time Stamp (including milliseconds): 154207233)
Event Timestamp | %EVENT.TIMESTAMP% | Time that the Event was triggered, e.g., 100156 (suitable for file naming)
Event Transaction ID (EFT Enterprise only) | %EVENT.TRANSACTION_ID% |
Folder Monitor Failure Reason | %EVENT.MONITORFAILUREREASON% | Reason why the Folder Monitor Rule failed.
Folder Monitor Health | %EVENT.MONITORHEALTH% | Health of network share

File System Variables

Text Displayed | Variable | Description
Report File Name | %FS.REPORT_FILENAME% | Location of generated report. This variable can be used in e-mail notifications to include a link to the new location for the file after a copy/move Action.
Report Content | %FS.REPORT_CONTENT% | Content of the report generated by the Generate Report Action
Report File | %FS.REPORT_FILE% | Name of the report generated by the Generate Report Action. This variable can be used in copy/move, OpenPGP, and custom command actions that are executed synchronously (i.e., custom commands that have a failure Event defined), but should not be used for custom command actions that are executed asynchronously (i.e., custom commands that do not have a failure Event defined). In some cases, it may be more appropriate to use %FS.REPORT_CONTENT% because that variable represents a copy of the contents of the file rather than a link to the file, which is only good so long as the file exists. For example, since the file will be deleted when EFT stops processing the Event Rule, do not use this variable in e-mail notifications; use %FS.REPORT_CONTENT% instead.
File Change | %FS.MONITOR_OPERATION% | File change that triggered the Event (added, removed, etc.)
Virtual Path | %FS.VIRTUAL_PATH% | Original virtual location of the file
Physical Path | %FS.PATH% | Original physical location of the file
Virtual Folder Name | %FS.VIRTUAL_FOLDER_NAME% | The structure of the virtual folders
Physical Folder Name | %FS.FOLDER_NAME% | Name of the physical folder
File Name | %FS.FILE_NAME% | Name of the file
File Size | %FS.FILE_SIZE% | Size of the file involved in the Event
File Creation Date | %FS.FILE_CREATE_DATE% | Date the file was created, in the format YYYY/MM/DD, e.g., 8/28/2007 (not suitable for file naming because of the slashes)
File Creation Time | %FS.FILE_CREATE_TIME% | Time the file was created, in the format HH:MM:SS, e.g., 10:01:56 (not suitable for file naming because of the colons)
Virtual Destination Path | %FS.DST_VIRTUAL_PATH% | Virtual destination path of the file involved in the Event
Physical Destination Path | %FS.DST_PATH% | Physical destination path of the file
Physical Destination Folder Name | %FS.DST_FOLDER_NAME% | Physical destination folder
Destination File Name | %FS.DST_FILE_NAME% | Destination file name
Compressed File Physical Path | %FS.COMPRESSED_PATH% |
Compressed File Name | %FS.COMPRESSED_FILE_NAME% |
Compressed File Base Name | %FS.COMPRESSED_BASE_FILE_NAME% |


Scheduler (Timer) Rule Variables

The %SOURCE.FILE_NAME% variable is available in the list box of the Destination Folder page of the Copy/Move Action and Download Action wizards if the Rule is a Timer/Scheduler Rule.

• If the Rule has a file operation as a trigger (Folder Monitor, On File Upload, File Renamed by Connected Client, etc.) then the variable selection list will include the %FS.*% family of variables and they will have a valid value.

• If the Rule does not have a file operation as a trigger (Timer, User Connected, etc.) then the variable selection list will include the %SOURCE.*% family of variables.

If one of these non-file-trigger Rules contains an %FS.FILE_NAME% variable, it will be converted to %SOURCE.FILE_NAME% and a WARNING will record the change in the EFT.log.

The %SOURCE.FILE_NAME% and %SOURCE.BASE_FILE_NAME% can be used in a Timer Rule to download a mask of files (e.g., *.xml), and then FTP offload each of those files to a remote server with a *.TMP extension (%SOURCE.BASE_FILE_NAME%.TMP). After each file transfer is complete, you can then rename each individual file back to its original name (%SOURCE.FILE_NAME%).

Variable | Description
%SOURCE.BASE_FILE_NAME% | Source file name without extension
%SOURCE.FILE_NAME% | Source file name with extension
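The offload-as-.TMP-then-rename pattern described above, and the %FS.FILE_NAME% to %SOURCE.FILE_NAME% conversion, can both be rehearsed locally before a Timer Rule is deployed. The Python below is an added example, not code from the manual or from GlobalSCAPE: a local directory copy stands in for the FTP offload, the logger named EFT.log is a constructed stand-in for the server log the manual mentions, and the sample files are constructed. The point of the .TMP step is that a consumer polling the destination never sees a partially written file under its final name.

```python
import logging
import os
import shutil
import tempfile

# Stand-in for the EFT.log the manual refers to; the logger name is constructed.
eft_log = logging.getLogger("EFT.log")


def normalize_timer_rule_variables(template):
    """A Timer (non-file-trigger) Rule has no %FS.*% context. The manual states that EFT
    converts %FS.FILE_NAME% to %SOURCE.FILE_NAME% and records a WARNING in EFT.log;
    this mirrors that behaviour so a template can be checked before deployment."""
    if "%FS.FILE_NAME%" in template:
        eft_log.warning("%%FS.FILE_NAME%% converted to %%SOURCE.FILE_NAME%% in %r", template)
        template = template.replace("%FS.FILE_NAME%", "%SOURCE.FILE_NAME%")
    return template


def offload_with_tmp_rename(source_dir, dest_dir, mask=".xml"):
    """Deliver each file matching the mask as <base>.TMP (%SOURCE.BASE_FILE_NAME%.TMP),
    then rename it to its original name (%SOURCE.FILE_NAME%) only after the copy is
    complete. A local copy stands in for the FTP offload in the manual's scenario."""
    delivered = []
    for name in sorted(os.listdir(source_dir)):
        if not name.lower().endswith(mask):
            continue
        base, _ext = os.path.splitext(name)
        tmp_path = os.path.join(dest_dir, base + ".TMP")
        final_path = os.path.join(dest_dir, name)
        shutil.copyfile(os.path.join(source_dir, name), tmp_path)
        os.replace(tmp_path, final_path)  # atomic rename on the same volume
        delivered.append(name)
    return delivered


def run_demo():
    """Constructed end-to-end run: three sample files, of which two match *.xml.
    Returns (delivered names, destination listing, leftover .TMP files)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name in ("orders.xml", "invoices.xml", "notes.txt"):
            with open(os.path.join(src, name), "w") as fh:
                fh.write("<constructed sample/>\n")
        delivered = offload_with_tmp_rename(src, dst)
        leftover_tmp = [n for n in os.listdir(dst) if n.endswith(".TMP")]
        return delivered, sorted(os.listdir(dst)), leftover_tmp


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(normalize_timer_rule_variables("/outbound/%FS.FILE_NAME%"))
    print(run_demo())
```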

Server Variables

Text Displayed | Variable | Description
Log Location | %SERVER.LOG_LOCATION% | Location of the log file
New Log File Name | %SERVER.LOG_NEW_NAME% | New name of the log file
New Log File Path | %SERVER.LOG_NEW_PATH% | New path of the log file
Old Log File Name | %SERVER.LOG_OLD_NAME% | Old name of the log file
Old Log File Path | %SERVER.LOG_OLD_PATH% | Old path of the log file
Log Type | %SERVER.LOG_TYPE% | Either Standard or Verbose, per the setting on the Logs tab
Node Name | %SERVER.NODE_NAME% | Computer name on which EFT is running
Server Running | %SERVER.STATUS% | Indicates whether the EFT service was running when the Event was triggered. (Yes or No)
Private Key ring path | %SERVER_PRIVATE_KEYRING_PATH% | Pass the location of the private key ring to the AWE module
Public Key ring path | %SERVER_PUBLIC_KEYRING_PATH% | Pass the location of the public key ring to the AWE module
Install Directory | %SERVER.INSTALL_DIRECTORY% | Directory in which the server is installed


Site Variables

Text Displayed | Variable | Description
Account Management URL | %SITE.ACCOUNT_MANAGEMENT_URL% | Site account management URL, https://../manageaccount:<port> (if port is not equal to 443)
Site Name | %SITE.NAME% | Site name.
Site Status | %SITE.STATUS% | Indicates whether the Site was running when the Event was triggered. (Yes or No)

User Variables

Text Displayed | Variable | Description
User can connect using FTP | %USER.ALLOW_FTP% | Indicates whether user is allowed to connect using FTP (Yes or No)
User can connect using SFTP | %USER.ALLOW_SFTP% | Indicates whether user is allowed to connect using SFTP (Yes or No)
User can connect using SSL | %USER.ALLOW_SSL% | Indicates whether user is allowed to connect using SSL (Yes or No)
User can change password | %USER.CAN_CHANGE_PASSWORD% | Indicates whether the user is allowed to change the login password (Yes or No)
Comment | %USER_COMMENT% | Text in the Comment box, if defined in the User Account Details dialog box
Custom 1 | %USER.CUSTOM1% | Text in the Custom 1 box, if defined in the User Account Details dialog box
Custom 2 | %USER.CUSTOM2% | Text in the Custom 2 box, if defined in the User Account Details dialog box
Custom 3 | %USER.CUSTOM3% | Text in the Custom 3 box, if defined in the User Account Details dialog box
Description | %USER.DESCRIPTION% | Description of the user account, as defined on the General tab
E-mail Address | %USER.EMAIL% | E-mail address of the user, if defined in the User Account Details dialog box. In EFT v6.4 and later, you can pass multiple addresses to the Advanced Workflow Engine using this variable.
Account Enabled (v6 and earlier only) | %USER.ENABLED% | Indicates whether the user account is enabled. (Yes or No)
Account Expiration Date | %USER.EXPIRATION_DATE% | Indicates the date (in the default system locale) when the user account expired: a date, or Never. (See HSM note, below.)
Fax Number | %USER.FAX% | Fax number of the user, if defined in the User Account Details dialog box
Full Name | %USER.FULL_NAME% | Full name of the user, if defined on the User Account Details dialog box
Groups | %USER.GROUPS% | Groups in which the user is a member
Home Folder | %USER.HOME_FOLDER% | User's home folder
Home IP | %USER.HOME_IP% | IP address of the user
Home Folder is Root | %USER.HOME_IS_ROOT% | Indicates whether the Treat Home Folder as Root check box is selected. (Yes or No)
Invalid login attempts | %USER.INVALID_LOGINS% | Number of invalid login attempts by the user
Account Locked Out (v6 and earlier only) | %USER.IS_LOCKED_OUT% | Indicates whether the user account is locked out. Yes or No (See HSM note, below.)
Last Login Date | %USER.LAST_LOGIN% | Provides the date and time (in the default system locale) the user last logged in to EFT
Logon Name | %USER.LOGIN% | Login username of the user
Pager Number | %USER.PAGER% | Pager number of the user, if defined in the User Account Details dialog box
Logon Password | %USER.PASSWORD% | Login password of the user
Password Expiration Date | %USER.PASSWORD_EXPIRATION% | Provides the date and time (in the default system locale) when the user account is set to expire, or Never (See HSM note, below.)
Phone Number | %USER.PHONE% | Phone number of the user, if defined in the User Account Details dialog box
Quota Max | %USER.QUOTA_MAX% | Max disk space specified for the user
Quota Used | %USER.QUOTE_USED% | Amount of disk space in use by the user
User Must Change Password at Next Login | %USER.RESET_PASSWORD_AT_FIRST_LOGIN% | Indicates whether the user is required to reset the account password at first log in (Yes or No). (See HSM note, below.)
Settings Template | %USER.SETTINGS_LEVEL% | Settings Template of the user

For %USER.EXPIRATION_DATE%, %USER.RESET_PASSWORD_AT_FIRST_LOGIN% and %USER.PASSWORD_EXPIRATION%, if the HSM is disabled (not in Activated or Trial state), No or Never is displayed.
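The e-mail notification shown earlier (label plus value from the left column, bare value from the right column) and the variables in the tables above can be combined into a small template review. The Python below is an added example, not code from the manual or from GlobalSCAPE. It rebuilds the manual's sample e-mail from a constructed context, and lints a mail template for three things: %FS.REPORT_FILE%, which the manual says not to use in e-mail notifications; variables not provided by the Event trigger (the set of available variables here is constructed, not the manual's); and %USER.PASSWORD%, which the manual lists but sets no rule about; treating it as a credential that never goes into a notification is my own policy for this check.

```python
import re

VAR_RE = re.compile(r"%([A-Z0-9_.]+)%")

# Left-column labels from the Variables box, as shown in the manual's sample e-mail.
LABELS = {
    "EVENT.NAME": "Event",
    "EVENT.TIME": "Event Time",
    "FS.FILE_CREATE_DATE": "File Creation Date",
    "FS.FILE_CREATE_TIME": "File Creation Time",
    "EVENT.DATESTAMP": "Event Date Stamp",
    "EVENT.TIMESTAMP": "Event Time Stamp",
}

# The manual says %FS.REPORT_FILE% must not be used in e-mail notifications.
NOT_FOR_EMAIL = {
    "FS.REPORT_FILE": "link to a file EFT deletes when the Rule finishes; use %FS.REPORT_CONTENT%",
}
# Keeping %USER.PASSWORD% out of notifications is my own policy for this check.
SECRET_VARS = {"USER.PASSWORD"}


def insert_variable(name, with_label):
    """What the Variables box inserts: the bare token (right column) or
    'Label: token' (left column)."""
    token = "%" + name + "%"
    return f"{LABELS[name]}: {token}" if with_label else token


def render_notification(template, context):
    """Expand the template; returns (text, names that had no value for this Event)."""
    missing = []

    def repl(match):
        name = match.group(1)
        if name in context:
            return str(context[name])
        missing.append(name)
        return ""

    return VAR_RE.sub(repl, template), missing


def lint_notification_template(template, available):
    """Review a mail template before it is saved: credentials, variables the manual
    excludes from e-mail, and variables the Event trigger does not provide."""
    problems = []
    for name in VAR_RE.findall(template):
        if name in SECRET_VARS:
            problems.append((name, "credential; never send in a notification"))
        elif name in NOT_FOR_EMAIL:
            problems.append((name, NOT_FOR_EMAIL[name]))
        elif name not in available:
            problems.append((name, "not available for this Event trigger"))
    return problems


# Constructed context for a File Uploaded Event, using the manual's sample values.
SAMPLE_CONTEXT = {
    "EVENT.NAME": "File Uploaded",
    "EVENT.TIME": "28 Aug 07 10:01:56",
    "FS.FILE_CREATE_DATE": "8/28/2007",
    "FS.FILE_CREATE_TIME": "10:01:56",
    "EVENT.DATESTAMP": "20070828",
    "EVENT.TIMESTAMP": "100156",
}
# Constructed set of variables assumed available to this Event (not from the manual).
SAMPLE_AVAILABLE = set(SAMPLE_CONTEXT) | {"FS.FILE_NAME", "USER.LOGIN", "USER.EMAIL"}

# The manual's sample e-mail, rebuilt from left-column (labelled) inserts.
SAMPLE_TEMPLATE = "\n".join([
    "This message was sent to you automatically by EFT on the following "
    + insert_variable("EVENT.NAME", True) + ".",
    insert_variable("EVENT.TIME", True),
    insert_variable("FS.FILE_CREATE_DATE", True),
    insert_variable("FS.FILE_CREATE_TIME", True),
    insert_variable("EVENT.DATESTAMP", True),
    insert_variable("EVENT.TIMESTAMP", True),
])

if __name__ == "__main__":
    text, missing = render_notification(SAMPLE_TEMPLATE, SAMPLE_CONTEXT)
    print(text)
    print(lint_notification_template(
        "%USER.LOGIN% %USER.PASSWORD% %FS.REPORT_FILE% %EVENT.REASON%", SAMPLE_AVAILABLE))
```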


AS2 Variables

Text Displayed | Variable | Value Contained in Variable
AS2 Content Type | %AS2.CONTENT_TYPE% | Transfer's content type: Application, EDIFACT, XML, Mutually defined EDI, Binary, Plaintext
AS2 Direction | %AS2.DIRECTION% | Direction of the transfer
AS2 EFT ID | %AS2.EFT_ID% | EFT ID used in this transfer
AS2 Host | %AS2.HOST% | Address of the host being sent to (outbound) or received from (inbound)
AS2 Local MIC | %AS2.LOCAL_MIC% | Local AS2 message identification code (MIC)
AS2 MDN | %AS2.MDN% | Message Disposition Notification. The Internet messaging format used to convey a receipt.
AS2 Message ID | %AS2.MESSAGE_ID% | AS2 message identifier
AS2 Partner ID | %AS2.PARTNER_ID% | Transaction partner's AS2 ID
AS2 Payload | %AS2.PAYLOAD% | Name of the file (or an array of file names if MA is used) being transferred over the AS2 session
AS2 Remote MIC | %AS2.REMOTE_MIC% | Remote AS2 message identification code (MIC)
AS2 Transaction Error | %AS2.TRANSACTION_ERROR% | Error (if any) in the AS2 transaction
AS2 Transaction Result | %AS2.TRANSACTION_RESULT% | Overall transaction result (In Progress, Failure, or Success) of the in-context AS2 transaction
AS2 Transaction Verbose | %AS2.TRANSACTION_VERBOSE% | Verbose message for the AS2 transaction

Workspaces-Related Variables

Text Displayed | Variable | Value Contained in Variable
Workspace Virtual Path | %WORKSPACE.VIRTUAL_PATH% | Virtual path of the Workspace
Workspace Physical Path | %WORKSPACE.PATH% | Physical path of the Workspace
Workspace Name | %WORKSPACE.NAME% | Name of the Workspace Folder
Workspace Participants List | %WORKSPACE.PARTICIPANTS% | Participants sharing the Workspace
Workspace Owner | %WORKSPACE.OWNER% | Owner of the Workspace
Workspace User Permissions | %WORKSPACE.USER_PERMISSIONS% | User permissions of the Workspace
Workspace User Email | %WORKSPACE.USER_EMAIL% | User email of the participant
Workspace User Account Exists | %WORKSPACE.USER_ACCOUNT_EXISTS% | Identifies whether the user account exists (or needs to be created)


Events (Triggers) and Examples

These topics provide examples of some common uses of Event Rules.

Event Triggers

EFT includes over 25 different Event triggers, based on the following Event types:

AS2-related Events, such as the transfer was successfully completed (available only in EFT Enterprise)

Connection-related Events, such as a user connection failed

File system-related Events, such as file uploaded or file deleted

Operating System-related Events, such as a folder's contents changed or a recurring Timer has executed (available only in EFT Enterprise)

Server-related Events, such as Server stopped or started

Site-related Events, such as Site stopped or started

User-related Events, such as User Account Locked

Workspaces-related Events, such as User Invited

Operating System Events and AS2-related Events are available only in EFT Enterprise. These Events are visible, but unavailable (grayed out) in EFT SMB edition.

Not all variables are available with every Event trigger. For example, it does not make sense to use the %EVENT.REASON% variable with the File Downloaded Event, but it does make sense with the Upload Failed Event, because EFT can determine the reason for the failure.

Refer to Variables for a description of each variable and caveats (e.g., %EVENT.TIME% is not suitable for file naming and %FS.REPORT_FILE% should not be used in e-mail notifications).

Operating System Events (available only in EFT Enterprise)

Scheduler (Timer): Execute a specified Action one time or repeat at a specified interval. (Enterprise only)

Folder Monitor —Monitor a specified folder, then execute an Action whenever a change is detected. (Enterprise only)

Folder Monitor Failed —Monitor a specified folder, then execute a specified Action whenever a failure is detected. (Enterprise only.)

Use the File Uploaded file system Event to notify you when a file is uploaded to the Site.

File System Events

File Uploaded —File is uploaded to the Site.

File Downloaded—File is downloaded from the Site.

Verified Upload Succeeded—Integrity check of uploaded file succeeds when transferred using the Web Transfer Client.

Verified Download Succeeded—Integrity check of downloaded file succeeds when transferred using the Web Transfer Client.

File Renamed—File on the Site is renamed by a connected client.

File Moved—File is moved from one folder in the VFS to another by a connected client.


File Deleted—File is deleted from the Site by connected client

Folder Created—Folder is created on the Site by a connected client.

Folder Deleted—Folder is deleted from the Site by a connected client.

Folder Changed—User navigates to a new folder on the Site.

Upload Failed—Upload fails to transfer successfully.

Download Failed—Download fails to transfer successfully.

Verified Upload Failed—Integrity check of uploaded file fails when transferred using the Web Transfer Client.

Verified Download Failed—Integrity check of downloaded file fails when transferred using the Web Transfer Client.

Before Download—If a download is requested, perform the Action(s) defined in this Event, then continue with the download.

Workspaces Events

Workspaces Events can be used when you want to be notified about Workspaces being created, deleted, and so on.

• Workspace Created

• Workspace Deleted

• Before Workspace Deleted

• User Invited to Workspace

• User Joins Workspace

• User Removed from Workspace

Server Events

Service Stopped—When the EFT service stops.

Service Started—When the EFT service starts.

Log Rotated—When the current activity log closes and EFT opens a new log file.

Site Events

Site Stop—When the Site stops.

Site Started—When the Site starts.

IP Added to Ban List—This Event will trigger when an IP address is banned by EFT (non-interactively) due to invalid login attempts exceeded or other security criteria.

User Events

User Account Enabled—When an administrator enables a user account on the Site.

User Account Disabled—The user account is disabled via the Account Security settings or the Invalid login options on the user account's Security tab. This Event also checks at midnight for any expired accounts.

User Account Locked—The user account has been locked out by the server (e.g., invalid login attempts).


User Quota Exceeded—The user has taken too much disk space on EFT. (This applies ONLY to allotted disk space, not to file size.)

User Logged Out—The user closes a session gracefully.

User Logged In—The user logs in to EFT.

User Login Failed—The user attempted an incorrect username or password.

User Password Changed—The user or administrator changes a user's password.

User Account Created—The administrator has created a new user.

It is possible for a new account to be in a disabled state when the User Account Created event fires.

Typically this occurs when using AD or LDAP authentication. When a synchronization occurs with the user data source, EFT creates the necessary users on the Site, but if the user is disabled in the user data source, then the new user account will be created in a disabled state. You can use the If Account Enabled Condition if the enable/disable state is part of the Action(s) you want to trigger.

User Account Deleted—An administrator deletes a user account from the Site.

Connection Events

User Connected—When a user connects to the Site (this occurs before log in).

User Connect Failed—When a user attempts to connect and fails (this can occur before log in).

User Disconnected—When a user disconnects from the Site (this can occur before log in).

AS2 Events (available only in EFT Enterprise)

In AS2 Inbound Transaction Succeeded and AS2 Inbound Transaction Failed Events, the FS.FILE_NAME variable contains the name of the file uploaded (for a simple transaction) or an empty string (for a Multiple Attachment (MA) transaction).

AS2 Inbound Transaction Succeeded—Triggers if the inbound transmission was successful, MDN was successfully sent, MICs all match, and no other errors occurred.

AS2 Inbound Transaction Failed—Triggers if the AS2 file upload failed for some reason, such as bad MIC, no permissions/access, duplicate message ID, or other AS2 transfer-related error.

AS2 Outbound Transaction Succeeded—Triggers if EFT has offloaded a file to a remote partner, and that partner replied with a receipt asynchronously over HTTP/S, indicating that the transfer was successfully completed.

AS2 Outbound Transaction Failed—Triggers if the expected MDN receipt was not received in the expected time or the receipt signature or MIC failed.

Scheduler (Timer) Event

(Available in EFT Enterprise) The Scheduler (Timer) Event allows you to execute a specified Action (e.g. send an e-mail or a report) only one time or to repeat at specified intervals. For example, you could schedule the Cleanup in folder Action to occur on July 8 at midnight, or every Monday morning, or on the last Friday of every month at 2 a.m.

The PCI DSS requires that you develop a data retention and disposal policy. With the Cleanup in folder Action, you can configure EFT to clean up a specified folder at regularly scheduled intervals. If Strict security settings for compliance with PCI DSS was selected during Site setup, the Data Retention and Disposal dialog box appears in which you can create a Scheduler Timer Event with the Clean-up Action to delete files matching the expressions you specify. You can also choose to define it in the administration interface on existing Sites.


Event Rules (Automation)

A recurring Timer does not stop recurring if the Rule Actions fail; it will recur as scheduled until you disable or delete the Rule. For example, suppose you want to download a file from a remote server, delete the file from the remote location after transfer, then send yourself an e-mail. If the file that you want to download is not yet in the remote directory, the Rule will fail for that particular instance of the Timer running, but it will run again at the next scheduled time (e.g., every four hours). In the case of Timer Rules, "Stop processing this rule" means "do not execute any further Actions with this Rule" (such as sending an e-mail), but it does NOT mean that the Timer will stop. For example, if you have defined the Rule to run every hour, the Timer Rule will fail when the file is not in the remote location, but the Timer Rule will run again the next hour, and the next hour, and so on, until you tell it to stop (by manually disabling it).

Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the Scheduler (Timer) Event.

To define a Timer Rule to download a remote file

1. Follow the procedure in Creating Event Rules.

2. In the Create New Rule dialog box, click Scheduler (Timer) Event, and then click OK. The new Rule appears in the Rule Builder.

3. To specify the start date, start time, recurrence pattern, and/or interval, in the Rule Builder, click the link. The Scheduler dialog box appears.

4. In the Scheduler dialog box, specify the parameters of the Timer Event: the Run frequency, whether to exclude holidays, when the Event should start, date the Event should end (optional), time the Event should end (optional), and recurrence frequency (optional). (When the End date is reached, the Rule will remain active in the Event Rule list, but will no longer execute any Actions.)

The Run options include the following frequencies. The dialog box options change depending on your selection in the Run box.

• Once—The event runs one time at a specified date and time, and never repeats. (e.g., Monday, September 27, 2010 at 8 AM.)

• Continually—The event starts at a specified date and time and repeats every <n> Hours, Minutes, or Seconds. (e.g., Monday, September 27, 2010 at 8 AM and every hour thereafter.)

• Daily—The event runs every <n> days or every weekday, starting at a specified date and time, and ending on a specified date and time or repeating every <n> hours, minutes, or seconds. You can also exclude certain holidays and/or end the recurrence of the event at a specified date and time. (e.g., Every weekday, excluding US holidays, starting Monday, September 27, 2010 at 8 AM and every hour thereafter.)

• Weekly—The event runs every <n> weeks on a specified day(s) of the week, starting at a specified date and time and ending on a specified date and time or repeating every <n> hours, minutes, or seconds. You can also exclude certain holidays and/or end the recurrence of the event at a specified date and time. (e.g., Every 2 weeks on Monday at 8 AM starting on Monday, September 27, 2010, with no defined end date.)

• Monthly—The event runs on the <n> day of every <n> month(s) or the <nth> day of the week of <n> month(s) starting at a specified date and time and ending on a specified date and time or repeating every <n> hours, minutes, or seconds. You can also exclude certain holidays and/or end the recurrence of the event at a specified date and time. (e.g., The first day of every month, starting on Friday, October 1, 2010 at 8:00:00 AM, excluding US holidays with no defined end date.)

• Yearly—The event runs every <month> <day> or on the <n> <day of the week> of <month> starting at a specified date and time and ending on a specified date and time or repeating every <n> hours, minutes, or seconds. You can also exclude certain holidays and/or end the recurrence of the event at a specified date and time. (e.g., The first Monday of December, starting on Monday, December 6, 2012 at 8:00:00 AM, excluding US holidays with no defined end date.)

• Custom—The Run Day Calendar appears in which you can specify a date. (Past dates are dimmed and not selectable.)

  o Click to select the date(s) to run the event. Selected dates are highlighted in green. Click the date again to clear it.

  o Click the right arrow to advance the calendar to the next year; click the left arrow to go back. Or click the name of a month to display the same month in subsequent years. With the month name selected, move the cursor up or down to scroll through the years, then release the cursor to select the year. (For example, click October 2010 to jump to October 2012. The entire calendar jumps, not just the selected month.)

  o The Propagate selected date(s) to all subsequent years check box is selected by default. Clear the check box if you do not want the event to run on the same date every year.

  o After you select one or more dates to run the event, you can save the schedule by clicking Save. In the Save Calendar box that appears, provide a name for the calendar, and then click OK. The calendar is saved and its name appears in the Run box. You can edit your custom calendar by clicking the ellipsis button next to the Run box. (Up to 100 custom calendars can be saved and/or displayed in the Run box.)

  o You can Export your custom calendar (as <name>.csv) and Import custom calendars. After importing a custom calendar, you can use Save As to save it with a new name, Rename it, or Delete it from your custom calendars. (A confirmation prompt appears when you click Delete.)

  o You can create up to 100 custom calendars.

5. Click OK to save your changes. The event is updated in the Rule Builder.

6. Specify the Action to occur when this event is triggered.

7. Click Run Now to test your Rule.


When you create a Timer Rule, the Run Now button appears at the bottom of the Rule Builder.

When you click Run Now, EFT executes any actions associated with the event, and any Rule construction errors are identified. You cannot perform any other operations in the EFT administration interface while EFT tests the Rule. Multiple synchronous Actions defined in the Rule, such as move, copy, or download, take longer to test than asynchronous operations such as e-mail notifications.

8. If there are no errors, a confirmation message appears asking you to verify the expected outcome. Click Continue to execute the Rule or Cancel to refine the Rule.

9. Click Apply to save the changes on EFT.

Folder Monitor Event

(Available in EFT Enterprise) EFT’s Folder Monitor Event Rule trigger is used to detect the creation, deletion, and renaming of files in a monitored folder and to perform Actions based on these triggers. You can use a Folder Monitor Rule to trigger when files are added to a folder using the network file system.

When monitoring folders for files added to EFT via the FTP/S and HTTP/S protocols, use File Uploaded,

File Downloaded, and other File System Events . Folder Monitor Rules are not fired for Events happening

to folders, such as the addition, renaming, or removal of a folder; it only applies to file changes within the folder or subfolders.

The Folder Monitor Rule can pass Unicode filenames to the Event Rule system, including the Advanced

Workflow Engine , Custom Commands, text-based log files, and ARM. The Unicode filename will be saved

in the auditing database, but the reporting tool cannot display Unicode filenames.

Folder Sweep

Occasionally, file system notification will fail (e.g., due to network errors), so files added to the monitored folder are missed and not processed (e.g., not moved to another location) if the Rule is using only notifications to detect files. After the Folder Monitor Rule is created, the Event Rule system can periodically poll the monitored folder (and subfolders, if specified) to ensure that all files have been processed. This "Folder Sweep" feature is allowed only for "file added" Actions. The Folder Sweep polling occurs at a user-specified frequency. Immediately upon Site or Event Rule start, the initial polling occurs and will trigger any Actions added to the Rule. Folder Sweep is enabled by selecting the Scan for files

every check box in the Monitor Folder dialog box. If the check box is not selected, the associated frequency controls are disabled. Refer to the procedure below for instructions for enabling Folder Sweep.

A new Event type named "Folder Monitor – sweep" is defined and used to populate the eventType field in the auditing database when reporting Folder Monitor Rules that were triggered because of Folder

Sweep. Also, the Folder Sweep archiving of files will be recorded using the EVENT_ACTIONS value of

EVENT_ACTION_FS_ARCHIVED.


The following table describes the Folder Sweep information entered in the log:

Log Level: Debug

Event:

• When a Folder Monitor Rule starts execution, log which triggering mechanism(s) are being employed and whether subfolders are being monitored. Also log:

  o If folder sweep is on, show frequency, time units, and archive subfolder name.

  o If RDCW* is on, show whether health check is on and its frequency.

  o When a monitored folder is polled for its contents, with special indication for the first poll.

  o Log which mechanism, RDCW notification or folder polling, triggers the processing of a file.

  o Log when a file has been archived.

  o Log when a file is still in the folder after Event Rule Actions have completed and the user chose not to archive.

  o Record trigger collisions by logging if an Event is being ignored because the file is already in process.

  o For folder sweep, log when folder contents have been received and are about to be processed.

Log Level: Error

Event:

• Log reason for archive folder creation failure.

• Log reason for file archive Action failure.

*RDCW = ReadDirectoryChangesW function; retrieves information that describes changes within a specified directory.

Risks associated with Folder Sweep include:

• If you do not use the archive feature and the file is not removed from the Monitored Folder due to an Action failure, the file will unintentionally be reprocessed in the next Folder Sweep cycle.

• If the Event Rule has been placing files in the Archive subfolder specified in the Folder Monitor and then you change the name of the Archive subfolder, files that were previously archived by Folder Sweep will be reprocessed.

• If multiple Folder Monitor Rules point to the same folder, a "race condition" can occur when the two Rules attempt to concurrently process the same file.

Archiving

After all Folder Monitor Rule Actions have been executed and if the archive option is enabled, the Folder Monitor Rule will determine whether a file is still in the monitored folder. For this reason, Rule Actions are forced to be synchronous (i.e., "Stop processing" is selected) so that execution returns to the Rule only after all Actions have finished. If the file is still in the folder, the Folder Monitor Rule creates the Archive subfolder (if not there already) in the folder containing the file to be archived. If an error occurs while creating the Archive subfolder, a message containing the failure reason will be logged; otherwise, the file is moved from the monitored folder into the Archive subfolder. If an error occurs during archival, a message containing the failure reason is logged. Whatever the reason, if a file’s archival fails, the file is left alone. If the archive feature is not enabled, files are left in the monitored folder, if Event Rule Actions have not otherwise disposed of them. Archive folders will have the same permissions as their parent folders and will not be given special attributes for connecting clients.

Creating a Folder Monitor Rule

EFT keeps track of the number of active threads over time and periodically calculates the average number of concurrent active threads during that time. The sample rate is once every 5 seconds, and the sample period is 10 samples. After sampling 10 times and finding the average concurrent active threads over that period, the system can grow the pool of the concurrent active threads, up to a set maximum number of threads. This means that if EFT is currently running close to or above the prior average of concurrent threads, it will grow the thread pool to allow for room for more Events. By default, EFT starts with 3 threads in the pool per Site, and can grow to a maximum of 32 threads.

EFT will only reset affected (modified) folders when applying configuration changes to an Event Rule, rather than resetting all folders.


When monitoring a folder, EFT watches for any file being added to, removed from, or renamed in the monitored folder. Moving a file, performing OpenPGP operations, and other Actions can trigger the Rule again, resulting in failures. This can be avoided by selecting the Stop processing this rule check box after "if action failed then".

The Require Active Directory domain trust relationship check box is cleared by default for new installs and selected by default when upgrading from a version prior to EFT v6.4, if the FolderMonitorUseNonInteractiveLogon registry entry is present during the upgrade. The Scan for files every check box is not selected and associated controls are disabled. All other control settings are carried over from existing Rules during upgrade (health check yes/no and rate, subfolders yes/no, login credentials).

Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the Monitor Folder Event.

To configure a Folder Monitor Rule

1. Open the Create New Event Rule dialog box.

2. In the Create New Event Rule dialog box, click Folder Monitor, and then click OK.

The new, blank Rule appears in the Rule Builder.

3. In the Monitor folder Event, click [select]. The Monitor Folder dialog box appears.


4. Next to the Folder box, click the folder icon to specify a folder to monitor.

To monitor a folder on a remote, non-EFT FTP server, supply the full UNC path to the network share. (The format for a UNC path is \\server\volume\directory and is not case-sensitive. For example: \\Shared1_svr\Shared1\WGroups\Network). Make sure that the EFT service has sufficient privileges to perform READ operations on the remote share. If you are using the "health check" feature, it must also have WRITE permissions. This is generally easiest if you set the EFT service to run as a domain account, or specify a dedicated “run as” account in the Monitor Folder dialog box. Wildcards are not supported.

5. If you also want to monitor subfolders, select the Include subfolders check box. For example, if you are monitoring a user folder and the user has created subfolders, unless you select the Include subfolders check box, files added to or changed in subfolders do not trigger the Rule.

6. If login credentials are required to access the folder and subfolders, select the Use the following credentials to access the monitored folder check box, then specify the username and password.

The Microsoft definition of noninteractive login states: “Noninteractive authentication can only be used after an interactive authentication has taken place. During noninteractive authentication, the user does not input logon data; instead, previously established credentials are used. Noninteractive authentication is the mechanism at work when a user connects to multiple computers on a network without having to re-enter logon information for each computer.” In this case, EFT has joined the domain and/or the Server service runs as a domain user. You could supply different credentials to run as a different user for this Action.


7. The Require Active Directory domain trust relationship check box specifies how the Folder Monitor Event Rule will log in to monitor remote folders. Selecting this check box indicates that Folder Monitor must establish a "trustful" connection to the system containing the folder(s) being monitored. This control is not enabled unless the Use the following credentials to access the monitored folder check box is selected. (Please also refer to the note above regarding this check box.)

8. In the Triggers area, select the Trigger based on folder change notifications check box to cause Events to be set off by the receipt of directory change notifications (add, delete, and rename) generated by the system.

9. To monitor the status of the network connection and report failures, select the Perform health check every check box, and specify an interval. An hour (60 minutes) is specified by default.

When the check box is selected, EFT periodically writes a special file to the folder specified and then waits for the "file added" notification to verify that it can receive notifications of changes within the folder. When there is a loss of connectivity, EFT attempts to re-establish a link to the folder and triggers the Folder Monitor Failed Event internally. If you want to receive e-mail failure notifications (or other Actions) when the Folder Monitor health check returns a connection failure, create an additional Event Rule using the Folder Monitor Failed Event, and add the Send notification e-mail Action to it.

The time EFT waits for the notification from Windows when a Folder Monitor health check file is created can be controlled by a registry value. Refer to the knowledgebase article at http://kb.globalscape.com/KnowledgebaseArticle10682.aspx.

10. To enable Folder Sweep, select the Scan for files every check box and specify the frequency.

The default is 30 minutes. A value between 1 and 9999 can be specified with units of seconds, minutes, or hours. The timer for the next sweep cycle is not started until all the files for the current sweep cycle have processed through all Event Rule Actions. Folder Sweep limits its processing to 1000 files at a time. If the monitored folder contains more than 1000 files, up to 1000 of the remaining files will be processed during the next sweep cycle. Selecting the Scan for files every check box will cause a Folder Monitor scan upon Event Rule start up (such as when you create the Rule and then click Apply). If you have Actions in the Rule, such as an e-mail notification, those Actions will be triggered. (This check box is not selected by default.) Selecting the Scan for files every check box causes the Event Rule's If File Change Condition to be set to "does equal to added".

11. All files in a monitored folder will be processed every sweep cycle, so if a user neglects to remove processed files or if a Rule Action that was supposed to remove the file fails, the file will be reprocessed. In the Post Processing area, select the Once all actions are completed, archive any files still present in the monitored folder to avoid reprocessing check box, and then specify the name of the folder in which to archive any remaining files. The default is EFTArchive. The Archive subfolder will reside directly under the folder in which the file was added. The Archive subfolder name cannot contain any of the following characters: | / \ ? * < " : > + [ ] and is limited to 248 characters. (The total cannot exceed the Windows path limit.)

• Select the Include timestamp in archived filenames check box to avoid overwriting any files of the same name in the Archive subfolder. The file name will be appended using the Event Rule variables %EVENT.DATESTAMP% and %EVENT.TIMESTAMP_PRECISE% (time to the millisecond).

• If Folder Sweep is enabled and you have specified an Archive subfolder, the Archive subfolder is ignored when Include subfolders is enabled.

• If you change the name of the Archive subfolder, the existing Archive subfolders will be unaltered. If processing of subfolders is enabled, notifications and polling for contents of the former Archive subfolders will begin immediately upon applying the Rule changes.


12. Click OK. If the Once all actions check box is selected and an invalid name or no name is given for the Archive subfolder, it will revert to the default name (EFTArchive) and a warning message appears.

13. The If File Change Condition is added automatically to restrict the triggering of the Rule. Click the links in the If File Change Condition to specify whether the Rule should trigger when a file in the folder is or is not renamed, added, or removed. If Folder Sweep (the Scan for files every check box) is enabled (as described above), the If File Change Condition is forced to "does equal to added" because Folder Sweep only applies to files added to a folder or subfolders.

14. Specify any Action/Conditions to occur when this Event is triggered:

• Add an e-mail notification. (Refer to E-mail Notification Action.)

• Copy or move a file added to the monitored folder to another location. (Refer to Copy/Move File to Host Action.)

• Add Conditions, such as the If File Change Condition, so that the Rule doesn't trigger again after the file is moved or renamed. (Refer to Using Conditions.)

15. Click Apply to save the changes on EFT.

Folder Monitor Failure

To audit failures of Folder Monitor Rules, use the Folder Monitor Failed Event, then add the If Folder Monitored Failure reason Condition.

Click the reason link to specify a failure reason that will trigger the Rule: any failure, archive failure, health check failed.

Folder Monitor archive folder errors will also trigger this Event and write to the Windows Event log.

File Uploaded Event

Suppose you want to be sent an e-mail each time any user uploads a file to EFT, and you want to include information about the user account that uploaded the file.

Refer to EventRuleExamples.pdf for another example of defining an Event Rule using the File Uploaded Event.

To define the Event Rule

1. Create a File Uploaded Event Rule.

2. Add an E-mail Notification Action.

3. In the Message of the e-mail, add the desired user variables, such as %USER.LOGIN%, %USER.EMAIL%, and %USER.PHONE%. For example:

4. Click Apply.

With this very simple Rule, an e-mail is sent whenever any user uploads a file to EFT. You can further customize the Rule to suit your needs:

• If you only want to know when a specific user uploads a file, add the Condition "If Logon name is" and select the username.

• If you only want to know when someone in a specific Group uploads a file, add the Condition "If User Groups" and select the Group.

Defining the E-Mail with User Details

The default e-mail body contains a table. If you can edit HTML and if the account that the e-mail is sent to accepts HTML e-mails, you can format the e-mail to suit your needs. Review your tags carefully, however, since no HTML code verification is performed by EFT.

Using the example code above, when a user with the username jbite uploads a file, the following e-mail might be sent:

This message was sent to you automatically by EFT on the following Event: File Uploaded.

Server Local Time: 12/5/2007 14:00:00

E-mail Address: [email protected]

Account Expiration Date: 12/1/2008 11:59:59

File Name: file.txt

Folder: C:\InetPub\EFTRoot\Standard\Usr\jbite

IP Added to Ban List Event

This Event is triggered when an IP address is added to the ban list by the system (not manually by an administrator). Administrators can configure Event Rules to capture this Event and send notifications or write to logs.

To define an IP Added to Ban List Event

1. Follow the procedures in Defining Event Rules.

2. In the Create New Rule dialog box, under Site Events, click IP Added to Ban List, and then click OK. The new Rule appears in the Rule Builder.

3. Add any (optional) Conditions (e.g., If Event Reason, If Remote IP, If Server Running, etc.) and one or more Actions (e.g., Send notification email).

• The possible Event Reasons include DoS/Flood prevention trigger (permanent or temporary), Invalid password attempts exceeded, and Invalid username attempts exceeded.

4. Click Apply to save the Rule. The Rule appears similar to the Rule below.

By default, IP Access-related Event Rules are limited to 1000 rules.


Execute a Command (Run a Process)

You can configure EFT to run executables, batch files, and scripts automatically when specific events occur. EFT calls these Commands. When the Event Rule is triggered, EFT executes the specified custom command and attributes.

To execute a Command from EFT’s Event Rule system

1. Identify the Command you want to execute with the Event Rule or create a new custom Command using the procedure in Creating a Command. Or you can create a new Command later from within the Event Rule (in step 6 below).

2. Open the Event Rule with which you want to execute the Command or create a new Event Rule using the procedure in Defining Event Rules.

3. (Optional) If you need to apply any conditional behavior, click it in the Conditions list.

4. In the Actions list, double-click Execute command in folder. The Action is added to the Event in the Rule Builder.

Links in the Rule Builder indicate parameters that must be defined to save the Rule.

5. In the Rule Builder, click one of the underlined text links. The Execute Command dialog box appears.

6. In the Choose an existing or create a new Command list, click the list to select the command. (If you did not create the Command in step 1, click New to create the Command now.)

7. The Executable path and Executable switches and/or parameters boxes display the path and switches for the selected Command. (If you want to change anything, you will have to close this dialog box, apply any changes to the Event Rule, go edit the Command, then reopen the Event Rule to continue defining it.)

8. In the Working directory box, type the path or click the folder icon to specify the folder in which the script or executable resides, e.g., C:\EFTscripts. For mapped drives, use their UNC path. (File browse operations are disabled when you are connected remotely. You can't click the folder icon and browse, but you can type a path that is relevant to the EFT computer, not the remote interface.)

9. (Optional) In the Command parameters box, include any parameters for the command.

You can select items in the Context variables list to add them as parameters. For example, suppose you want to run a script on a file that was uploaded and triggered the Event Rule. You would type the script name and the tag %FS.FILE_NAME%, as shown below: dosomethingwithfile.vbs -file %FS.FILE_NAME%

Refer to Variables for details of available variables and how to use them.

EFT passes the complete variable along to the Command; however, due to limitations of some command-line applications, they may not be able to interpret the Command properly. In certain instances, such as when there is a semicolon in a file name, you may need to enclose the variable in quotation marks in the Command Parameters box after you insert it from the Context variables box.

10. Click OK to save the Command.

11. Add other Actions as needed, and then click Apply to save the Event Rule.

Creating Workflows for Use in Event Rules

(The Advanced Workflow Engine is available as an add-on module in EFT Enterprise. Refer to Advanced Workflow Engine (AWE) 8 for more information.) Similar to Commands, Workflows are used in Event Rules as Actions or triggers. When you create a Workflow, the Advanced Workflow Engine creates a file with an extension of .aml and saves it in EFT's AWE folder (by default, C:\ProgramData\Globalscape\EFT Enterprise\AWE). The filename is the name of the workflow, prepended with an underscore and the name of the Site. For example, if you create a Workflow called FTP on a Site called Boston, the Workflow's filename is Boston_FTP.aml.

During the AWE trial, when a new Workflow is created, a message appears (prior to the Create a Workflow dialog box) informing you that the Advanced Workflow module is an optional module and that the 30-day trial begins when the first Workflow is created.

To create a Workflow

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Advanced Workflows node.

3. In the right pane, the Advanced Workflows tab appears.


4. In the right pane, click New. The Create a Workflow dialog box appears.

5. In the What do you want to call this workflow box, specify a name for the Workflow. When you add the workflow to Event Rules, the name you specify here appears in the Rule.

6. (Optional) Provide a description of the Workflow, and then click OK. The Workflow Task Builder appears.


7. The tree in the left pane lists the steps that you can add to the Workflow. The right pane displays the steps in the Workflow.

8. Drag items from the Available Actions list to the Steps pane to create your Workflow.

9. Use the Run icon on the Debug toolbar to test the steps. You can run it all at once, run only a selected step, or the whole Workflow starting with a step other than the first step.

The Output pane displays the result of each step. For example:

Executing line 5

Starting Input Box with message "What is your name?"...

Creating message box "What is your name?"... >

Populating variable "theUserName"...

Finished Input Box "What is your name?".

The step was okay.

10. After you have created your Workflow, click Save and Close. The Workflow appears in the Advanced Workflows node of the Site tree and is ready to be used in Event Rules.

11. (Optional) In the Advanced Options area, select the Terminate the process check box and specify the number of seconds after which to terminate the Workflow if it fails to execute.

12. (Optional) Specify the level of debug logging in the Debug log level box: None, Minimal, Normal, or Verbose (None is the default). Click View log folder to view the CSV logs created by this workflow, saved in <installation_folder>\AWE\Temp. If you enable the logging, you should manually delete the files after you're done with them or create a Scheduled event in EFT to delete them automatically.

Your Workflow is now ready to insert into an Event Rule. The Auditing and Reporting module Event Rule reports will show the AWE Workflow task name.

Backing Up AWE Workflows

(The Advanced Workflow Engine (AWE) 8 is available as an add-on module in EFT Enterprise.) If you plan to edit the sample Workflows and/or create custom Workflows, you should create an Event Rule to periodically back up (save a copy of) the Workflows.

To back up the Workflows

1. Define a Timer Rule. Specify the frequency depending on how often you create new Workflows.

2. Add the Copy/Move (push) file to host Action to the Rule.

3. In the Source path box, specify the location of the Workflow (.aml) files. For example, to copy all of the Workflows for the Site named "MyGSSite," in the Source box type:

C:\ProgramData\Globalscape\EFT Server Enterprise\AWE\MyGSSite_?.*

If you use *, you will back up everything in that folder. (Do NOT select the Delete source file check box!)

4. In the Destination path box, specify a location on a remote drive (in case the local drive fails).

5. Click Apply.

Using a Command in an Event Rule to Copy Files

If you want to copy EFT's files to another location based on the date (e.g., all log files created on a specified date), you can create a custom Command that points to the Windows XCopy command. The executable is (by default) in c:\windows\system32\xcopy.exe. Numerous switches are available for this command. (You can see all of the options by typing xcopy /? at a command prompt.) You must type the source path and the destination path.

You can add a switch, /d:mm-dd-yy, to copy files that were changed on or after a specified date. If no date is provided (just the /d with no date), it copies all source files that are newer than existing destination files. That is, it will not copy a file with the same name/same date or same name/older date.

To define an Event Rule to copy files, assuming that EFT has permissions to access the files, you can create a Folder Monitor Rule and specify that if the Condition "If File Change does equal to added" exists, then execute the Command to xcopy the newer files to the destination location.

To define an Event Rule to copy log files

1. Create a custom command to execute the Windows Xcopy command. The executable is (by default) in c:\windows\system32\xcopy.exe.

2. In the Working directory box, type the path or click the folder icon to specify the folder in which the script or custom command executable resides (C:\windows\system32\).

3. In the Parameters box, type the source folder (the location of the log files), the destination folder (the location to which to copy the files), and any other Xcopy parameters you need. For example, type:

"C:\ProgramData\Globalscape\EFT\Logs\*.log" "C:\Temp\" /d

The parameters tell the Xcopy command to copy all .log files in the EFT\Logs directory to C:\Temp. The parameter /d (with no date) copies all source files that are newer than destination files.

4. Create a Folder Monitor Event Rule.

5. Add the Condition If File Change equal to operation, and then click operation to change it to added.

6. Add the Execute command in folder Action to the Rule, and then click select. The Execute Command dialog box appears.

7. In the Choose an existing or create a new Command box, click the XCopy Command that you defined in step 1.

8. Click OK to close the Command Configuration dialog box, and then click Apply to save the Rule on EFT.

The Rule is now defined to copy log files from the monitored folder (C:\ProgramData\Globalscape\EFT\Logs) to the new location (C:\Temp\). (Note that they are copied, not moved.)

You could also add an E-mail Notification Action to let you know when the Command is executed.

Always use caution when giving a program (especially an FTP server) access to your system32 directory.

Copying or Moving a File Triggered on Monitor Folder Event and Renamed

(Available in EFT Enterprise) You can configure an Event Rule triggered by a Folder Monitor Event to copy or move files in the folder and save them with a different name. Refer to Copy/Move File to Host Action for details of defining an Event Rule using the Copy/Move file to host Action.

IMPORTANT: If you want to move a modified (renamed) file, use the DST-based variables (e.g., %FS.DST_FILE_NAME%) because they contain the modified values.

For example, when you configure an Event Rule to copy/move a file that is triggered on a Monitor Folder Event with a Condition of If file change does equal to rename, use the following variables:

• %FS.DST_PATH% instead of %FS.PATH%

• %FS.DST_FILE_NAME% instead of %FS.FILE_NAME%.

If the file is renamed, the new name context is lost to FS.PATH and FS.FILE_NAME, which retain the old path/name, but the new path/name is passed to %FS.DST_PATH% and %FS.DST_FILE_NAME%.

For example, suppose the monitored folder contained a file called Robert.txt and you rename the file Bob.txt. %FS.DST_FILE_NAME% contains the new value Bob.txt, but %FS.FILE_NAME% contains the old value Robert.txt.

For details of the Copy/Move Action, refer to Copy or Move File to Host Action.

The client offload/download RENAME and the Folder Monitor RENAME are two different events/stimuli. The Folder Monitor RENAME uses the DST variables, whereas the client download/offload RENAME uses the SOURCE FILE NAME-related variables.

Copying Folder Structure When Offloading Files

In a Monitor Folder Event Rule, you can move a file that is added to the monitored folder. If you use the variables %FS.VIRTUAL_FOLDER_NAME%\%FS.FILE_NAME% as the Destination Folder path, the Event Rule will copy all of the files and folders and keep the folder structure. VIRTUAL_FOLDER contains the structure of the folders under the monitored folder.

The Event Rule in the illustration below will copy all of the files and keep their folder structure.

Refer to Monitoring Folders for details of creating a Folder Monitor Rule. Refer to Copy/Move (push) File to Host Action for details of using the Copy/Move Action.

Routing Outbound Traffic through a Proxy

You can connect to EFT through a proxy. DMZ Gateway can also be configured as an outbound proxy.

There are several places in the administration interface in which you can configure proxy settings. Each of these configurations uses the Proxy Settings dialog box.

Outbound connections that originate from EFT will route through normal network mechanisms to reach the destination. However, it is possible to configure EFT's Event Rules using the Copy/Move file to host Action to use a remote proxy.

To configure an Event Rule to route outbound traffic through a proxy

1. Create an Event Rule, such as a Scheduler (Timer) Event.

2. Add the Copy/Move File to Host Action, and follow the procedures in Copy/Move File to Host Action to complete the Rule.

For the procedure for using a SOCKS proxy server, refer to Using a SOCKS Proxy Server.

Using a SOCKS Proxy Server

When you create an Event Rule that uses a Copy/Move File to Host Action, you can specify a SOCKS proxy server for the connection to the remote server. You can also specify a SOCKS server in AWE's HTTP Download and HTTP Post Actions.

If you enable the use of DMZ Gateway as the proxy in the Proxy Settings dialog box, SOCKS options are disabled. EFT does not support the use of DMZ Gateway as a proxy and SOCKS settings in combination; however, the combination of FTP or HTTP proxy and SOCKS is allowed.

To use a SOCKS proxy server

1. Create an Event Rule with a Copy/Move File to Host Action.

2. In the Event Rule Action, click %FS.PATH%. The Offload Action wizard appears.

3. Click Socks. The SOCKS Settings dialog box appears.

4. Select the Use SOCKS settings check box to enable the Socks Type options.

5. In the Socks Type area, specify a SOCKS server type of either SOCKS4 or SOCKS5.

• When SOCKS4 is specified, Use authentication is disabled.

• When SOCKS5 is specified, Use authentication can be enabled, allowing you to provide a username and password for the SOCKS connection. If you selected SOCKS5 and the Use authentication check box, specify the Username and Password required to connect to the SOCKS server.

6. Click OK to save the SOCKS options.

7. Continue with the wizard to complete the File Offload Configuration.

Too Many Connections per Site

You can define an Event Rule to send you an e-mail when a user login fails because there are too many connections to a Site. If the Rule is triggered frequently, you might want to change the maximum concurrent socket connections setting for the Site and/or purchase more licenses for the Web Transfer Client.

To define the Event Rule

1. Define an Event Rule using the User Login Failed Event trigger. The Event trigger appears in the Rule Builder.

2. In the Conditions list, double-click if Event Reason (or click it, and then click Add Condition) to add it to the Rule.

3. In the Rule Builder, click the linked text [specific reason]. The Event Reason dialog box appears.

4. Click the Specify the event reason drop-down menu to specify a reason that will trigger the Event Rule:

• Account Disabled

• Account Locked Out

• Invalid password

• Protocol not supported

• Restricted IP

• Too many connections per IP

• Too many connections per Site

• Too many connections per user

For this example, click Too many connections per Site.

5. Click OK.

6. In the Actions list, double-click Send notification email (or click it, and then click Add action) to add it to the Rule.

7. In the Rule Builder, click the linked text [select] and configure an e-mail to send yourself a notification (or link to your defined e-mail template), then click OK.

8. Click Apply to save the changes on EFT.

Moving an Uploaded File Based on Filename

Suppose every Friday the manager of Engineering uploads a status report named status<date>.doc to EFT. You want the manager of Marketing to have access to that file, but not to any other files in the Engineering manager's folder. The example below describes how to create an Event Rule so that when a file with "status" in the name is uploaded to EFT, EFT makes a copy of it in another user's folder.

To move an uploaded file based on the filename

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, expand the Site you want to configure, and then click Event Rules. In the right pane, click New. The Create New Event Rule dialog box appears.

3. In the Create New Rule dialog box, click Folder Monitor, and then click Create. The new Rule appears in the Rule Builder and includes the If File Change Condition.

4. In the Rule Builder, in the Monitor folder Event, click [select]. The Monitor Folder dialog box appears.

5. Define the Monitor Folder trigger. If necessary, refer to Monitoring Folders for details of creating a Monitor Folder Rule. Note that if you create a Monitor Folder Rule to monitor a folder that is already being monitored by another Monitor Folder Rule, a warning message appears because the two Monitor Folder Rules can cause a race condition that may result in errors or undesirable results. If that is the case, you can add the new Conditions and Actions to the existing Rule.

6. Click the If File Change Condition in the Rule Builder to select it, then in the Conditions list, double-click the If File Name Condition. The If File Name Condition appears in the Rule Builder on the same line as the If File Change Condition. (See the screen shot in step 9 below.)

7. In the If File Name Condition, click the [path mask] link. The Choose File Names dialog box appears.

8. In the Specify comparison value box, specify the file name and/or a wildcard mask, click Add, and then click OK. For example, to filter for a Word document whose filename starts with "status," type: status?.doc

9. Next, you must specify the Action to occur when this Event is triggered. In the right pane, in the Actions list, click Copy/Move (push) file to host. The Action is added to the Rule Builder.

10. Click one of the undefined parameters (e.g., '%FS.PATH%'). The Offload Action Wizard appears.

11. In the Offload method box, specify a protocol type for the connection. For this example, we will choose Local (Local Files or LAN). (Refer to Copy/Move (push) File to Host Action for other protocol types.)

12. Click Next. The Source File Path page appears.

13. In the Source path box, type %FS.PATH% (or you can leave it blank).

14. If you want to Delete source file after it has been offloaded, select the check box. (If the file is marked read-only, it will not be deleted.)

15. Click Next. The Destination File Path page appears.

16. In the Destination path box, click the folder icon and specify the location in which to save the offloaded file. (No validation is performed.) In this example, we specified a user's folder.

17. Click Finish then click Apply to save the changes on EFT. (You could also add other Actions, such as e-mail notifications.)

Now when a user uploads a file called status?.doc, EFT will move it to the destination folder specified.

If you are copying or moving the file to another location, and the file upload is a regularly occurring Event with a file of the same name, in the Offload Action wizard, you can add the variables %EVENT.DATESTAMP% and/or %EVENT.TIMESTAMP% to the path so that the date (YYYYMMDD) and/or time (HHMMSS) are added to the filename when it is moved/copied.

Do not use %EVENT.TIME%, because the colon (e.g., 28 Aug 07 10:01:56) makes it invalid for file naming.

For example, type:

C:\Documents and Settings\Administrator\My Documents\upload\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%_%FS.FILE_NAME%

With this path and variables, when a file is uploaded to the monitored folder, the file is moved to \My Documents\upload and the date and time are prepended to the filename (for example, 20080422_101212_mydailyprogress.doc).
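The rename behaviour described under "Copying or Moving a File Triggered on Monitor Folder Event and Renamed" and the date-stamped path above, modelled as an added Python example that is not part of the EFT product or this guide. The variable names and formats are the ones the guide gives; the expansion logic, the Windows reserved-character list and the sample paths are assumptions constructed here.

```python
"""Substitution of Event Rule variables into a destination path, modelled
in Python. Added example, not Globalscape code: it shows why a Folder
Monitor RENAME must use the %FS.DST_*% variables (%FS.PATH% and
%FS.FILE_NAME% keep the old name) and why %EVENT.TIME%, which contains
colons, must not be used in a file name while %EVENT.DATESTAMP% and
%EVENT.TIMESTAMP% are safe. The variable formats follow the Help; the
expansion logic, reserved-character list and sample paths are assumptions.
"""
import ntpath
import re
from datetime import datetime

# Characters Windows rejects in a file name component (constructed list).
WINDOWS_RESERVED = set('<>:"/\\|?*')
VARIABLE = re.compile(r"%([A-Z][A-Z0-9_.]*)%")


def monitor_folder_context(event_time, path, new_path=None):
    """Variables for a Folder Monitor Event. For a RENAME, pass new_path:
    FS.PATH/FS.FILE_NAME keep the old name and FS.DST_* carry the new one.
    event_time may be a datetime or an ISO 8601 string."""
    if isinstance(event_time, str):
        event_time = datetime.fromisoformat(event_time)
    dst = path if new_path is None else new_path
    return {
        "FS.PATH": path,
        "FS.FILE_NAME": ntpath.basename(path),
        "FS.DST_PATH": dst,
        "FS.DST_FILE_NAME": ntpath.basename(dst),
        "EVENT.DATESTAMP": event_time.strftime("%Y%m%d"),  # YYYYMMDD
        "EVENT.TIMESTAMP": event_time.strftime("%H%M%S"),  # HHMMSS
        # the Help's example form "28 Aug 07 10:01:56", which contains colons
        "EVENT.TIME": event_time.strftime("%d %b %y %H:%M:%S"),
    }


def expand(template, ctx):
    """Replace every %NAME% in template. An unknown variable raises rather
    than being left in the path, where it would become a literal file name."""
    def replace(match):
        name = match.group(1)
        if name not in ctx:
            raise KeyError(f"unknown Event Rule variable %{name}%")
        return ctx[name]
    return VARIABLE.sub(replace, template)


def invalid_filename_chars(path):
    """Reserved characters present in the final component of a Windows path."""
    return set(ntpath.basename(path)) & WINDOWS_RESERVED


def destination_for(template, ctx):
    """Expand the template and refuse a result Windows could not create."""
    result = expand(template, ctx)
    bad = invalid_filename_chars(result)
    if bad:
        raise ValueError(f"{result!r} contains {sorted(bad)}")
    return result
```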

Applying a Rule to a Specific User or Group

You can use the If User is a member of Condition to apply the Event Rule to one or more specific Groups. (By default, all Rules apply to all users.) For example, suppose the Engineering department has its own user administrator for EFT and you want the administrator to get an e-mail when one of the user accounts exceeds its quota. You would set up a User Quota Exceeded Event with an If User Groups Condition and a Send notification email Action, as described below.

To create the Rule

1. Define an Event Rule using the User Quota Exceeded Event trigger.

2. Add the If User Groups Condition.

3. In the Rule Builder, click the specific group(s) link. The Event Target Users and Groups dialog box appears.

4. Clear the All Users check box and select the check box of one or more Groups to which you want this Rule to apply, and then click OK.

5. Add the Send notification e-mail Action to the Rule and provide the e-mail address of the user administrator and anyone else you want to receive the e-mail.

6. Click Apply. The Rule appears similar to the following example:

Generate Report Action

When the Auditing and Reporting module is activated, you can configure an Event Rule to generate a report, then e-mail it or save it to a file. If you add the Generate Report Action to a Rule, you must also tell EFT what to do with the report (save it or e-mail it or both). When a report is generated by the Generate Report Action, a temporary, enumerated copy of the report is created and stored locally in the EFT installation folder. The temporary copy is deleted once the Event Rule context is out of scope.

To facilitate compliance with PCI DSS requirement 10.6, EFT automatically generates a report of PCI/High Security-related configuration and functions. The report is converted to HTML and then e-mailed or saved to a file specified by the EFT administrator.

The automatic Generate Report Action never prompts for parameters because it will be run from the service on a timer, and thus does not allow interaction by a user. Reports that require parameters but do not have sufficient administrator-defined parameters will not run.

Example of a Report Event:

To create an Event Rule with the Generate Report Action

1. Follow the procedure in Creating Event Rules to create a new Rule, or select the Rule to which you want to add the Action.

2. In the Actions list, double-click Generate Report, or click it, and then click Add Action. The Report Action dialog box appears.

3. In the Run the following report box, click the down arrow to select a report from the Reports directory. (Custom reports also appear in the list.) Refer to Descriptions of Preconfigured Reports for a description of the Globalscape-defined reports.

4. Click Custom range to specify a custom date range in the From and To boxes, or click Report date range and click the drop-down list to specify one of the following options:

Include all dates. If the selected dates include future transactions (e.g., if the ending date for the report is today's date), the future transactions will not appear in the report.

Today. From 00:00:00 to the current time.

Yesterday. The previous day from 00:00:00 to 00:00:00.

Last 24 hours. The previous 24 hours from the current time.

Month to date; Quarter to date; Year to date. Starting from the first day of this month, quarter, or year, and ending today. (Quarters begin January 1, April 1, July 1, and October 1.)

Current week; Current month (default); Current quarter; Current year. Starting from the first day of this week, month, quarter, or year, and ending with the last day of this week, month, quarter, or year. (Quarters begin January 1, April 1, July 1, and October 1.)

Last week; Last month; Last quarter; Last year. Starting from the first day of last week, month, quarter, or year, and ending with the last day of last week, month, quarter, or year. (Quarters begin January 1, April 1, July 1, and October 1.)

Last 30 days. Starting from 30 days ago, and ending with today's date.

Last 12 months. Starting 12 months ago from today’s date, and ending with today's date. For example, if today is July 2, 2007 and this date range is selected, the report would run from July 2, 2006 through July 2, 2007.

5. In the Report output format area, specify the format of the report output: HTML, PDF, or VP (report file).

6. In the Advanced Options area, specify Optional parameters (separated by semicolons) for the report, which are evaluated from left to right. You can specify Event Rule variables. For example, if the report definition chosen in the Run the following report box requires two parameters for filename and username (in that order in the report definition), then the Optional parameters box can be populated with *.txt;myname to specify a filename parameter of *.txt and a username parameter of myname.

7. In the Report Filters area, specify filters with AND or OR. Available filters depend on report selected. (If you test the report and do not see the desired results, adjust your filters.)

8. To run the report in real time to verify that the Action was configured correctly, click Run and display report now (Test).

9. Next, you should create an e-mail Action and include the %FS.REPORT_CONTENT% variable or create a Copy/Move Action and use the %FS.REPORT_FILE% variable to place a copy of the report on a shared drive after the report has been generated.

The variable %FS.REPORT_CONTENT% can be added to e-mail notifications. When %FS.REPORT_CONTENT% is added to the body of e-mail notifications, the content is displayed inline in the e-mail in HTML format, regardless of the format chosen in the Report Action dialog box.

The variable %FS.REPORT_FILE% can be used in copy/move, OpenPGP, and Custom Command Actions that are executed synchronously (i.e., Custom Commands that have a failure Event defined), but should not be used for Actions that are executed asynchronously (e.g., Custom Commands that do not have a failure Event defined). Instead, use %FS.REPORT_CONTENT% for e-mail notifications, because this variable represents a copy of the contents of the file rather than a link to the file, which is only good so long as the file exists. For a complete list of EFT variables, see Variables.

Do not use %FS.REPORT_FILE% in e-mail notifications.
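The date windows behind the Report date range options in step 4, as an added Python example (not Globalscape code) that applies the definitions given above. It assumes weeks start on Monday and that "12 months ago" from 29 February falls back to 28 February; "Include all dates" and "Last 24 hours" are not fixed date windows and are left out.

```python
"""Date windows for the Generate Report Action's 'Report date range'
options, modelled in Python. Added example, not Globalscape code: it
implements the definitions in the Help (quarters begin January 1,
April 1, July 1 and October 1) so that the window an option produces
can be checked. Assumptions not stated in the Help: weeks start on
Monday; '12 months ago' from 29 February is 28 February. 'Include all
dates' and 'Last 24 hours' are not fixed date windows and are omitted.
"""
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)


def month_end(d):
    """Last day of the month containing d."""
    first_of_next = date(d.year + (d.month == 12), d.month % 12 + 1, 1)
    return first_of_next - ONE_DAY


def quarter_start(d):
    """First day of the quarter containing d (Jan 1, Apr 1, Jul 1, Oct 1)."""
    return date(d.year, 3 * ((d.month - 1) // 3) + 1, 1)


def quarter_end(d):
    qs = quarter_start(d)
    return month_end(date(qs.year, qs.month + 2, 1))


def week_start(d):
    """Monday of the week containing d (assumption: weeks start on Monday)."""
    return d - timedelta(days=d.weekday())


def months_ago(d, months=12):
    """Same day of the month, `months` earlier; clamps 29 Feb to 28 Feb."""
    year, month = d.year, d.month - months
    while month < 1:
        year, month = year - 1, month + 12
    day = min(d.day, month_end(date(year, month, 1)).day)
    return date(year, month, day)


def report_date_range(option, today):
    """Inclusive (start, end) dates for one Report date range option;
    today may be a date or an ISO 8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    y = today.year
    if option == "Today":
        return today, today
    if option == "Yesterday":
        return today - ONE_DAY, today - ONE_DAY
    if option == "Last 30 days":
        return today - timedelta(days=30), today
    if option == "Last 12 months":  # e.g. 2 Jul 2006 through 2 Jul 2007
        return months_ago(today), today
    if option == "Month to date":
        return today.replace(day=1), today
    if option == "Quarter to date":
        return quarter_start(today), today
    if option == "Year to date":
        return date(y, 1, 1), today
    if option == "Current week":
        ws = week_start(today)
        return ws, ws + 6 * ONE_DAY
    if option == "Current month":
        return today.replace(day=1), month_end(today)
    if option == "Current quarter":
        return quarter_start(today), quarter_end(today)
    if option == "Current year":
        return date(y, 1, 1), date(y, 12, 31)
    if option == "Last week":
        ws = week_start(today) - 7 * ONE_DAY
        return ws, ws + 6 * ONE_DAY
    if option == "Last month":
        end = today.replace(day=1) - ONE_DAY
        return end.replace(day=1), end
    if option == "Last quarter":
        end = quarter_start(today) - ONE_DAY
        return quarter_start(end), end
    if option == "Last year":
        return date(y - 1, 1, 1), date(y - 1, 12, 31)
    raise ValueError(f"unknown Report date range option {option!r}")


def report_date_span(option, today):
    """Same as report_date_range, but as ISO 8601 strings for display."""
    return tuple(d.isoformat() for d in report_date_range(option, today))
```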

AS2 Events

For information about AS2 Event Rules, refer to AS2 Events, Conditions, Actions, and Variables .

Workspaces Events

Use Workspaces Events in Event Rules if you want to be notified or cause other Actions to occur when a Workspace is created or deleted, when a user is invited to join or joins a Workspace, or when a user is removed from a Workspace.

Example

Suppose you want to know when a user joins a Workspace. You would create an Event Rule using the User Joins Workspace Event, and add the Email Notification Message. In the email, you could add the variables Workspace Physical Path, Workspace Name, Workspace Participants List, and Workspace Owner. Then, whenever a user joins a Workspace, you would get an email telling you all the information you would need to know about the Workspace, including the information about the user who joined the Workspace. You could also create a custom report and define the Event Rule to generate a report automatically once per month that lists each of the Workspaces and their participants.

For information about variables that can be used with Workspaces Events, refer to Events and Available Variables.

Conditions

These topics provide information regarding defining and using Event Rule Conditions.

Using Conditions

Conditions allow you to define more narrowly the trigger for an Event Rule. Conditions are optional; you do not have to define a Condition on an Event Rule to make it trigger an Action, but Conditions allow fine control over when an Action can take place.

You can further fine-tune each Event trigger to execute only if certain Conditions are met. These optional Conditions act like filters or compound IF statements so that IF a specific Event occurs and IF a Condition is met, then an Action is executed. For example, an Event trigger that is called whenever a file is uploaded can be fine-tuned to trigger only if that file’s extension is .txt and nothing else.

To add a Condition to a Rule

1. Create the Rule. In the Conditions list, the Conditions available for the selected Event appear. When applicable to the Rule, the Else option also appears.

2. Double-click a Condition in the list or click the Condition, and then click Add Condition.

3. Complete the Rule by adding one or more Actions, and then click Apply to save the Rule.

Refer to the List of Conditions for the Conditions supported by EFT. Conditions that require you to specify a value or parameter have further instructions with their description in the List of Conditions.

Conditions are NOT REQUIRED for an Event Rule to work. In its base form, the Event trigger itself is a sort of Condition; therefore, you can execute Actions when/if an Event triggers, without adding any additional Conditions.

Condition Placement

Where Conditions are placed within the Rule Builder when they are added depends on which item is selected in the Rule Builder.

• When the Event Rule trigger (the very first item in the Rule Builder) is selected and a Condition is added, the Condition is placed directly beneath the Event Rule Trigger. This is considered a "root" level condition.

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" ) //a root level condition. No action added yet
    {
    }
}

• When an Action inside another Condition is the selected item and a new Condition is added, that new Condition is placed directly beneath the Action and to the left, or outside of the container Condition. Otherwise, it would become a nested Condition, which EFT does not support.

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" )
    {
        PGP Decrypt %FS.FILE_PATH%
    }
    if ( %FS.FILE_NAME% = "" ) //new condition added, placed at root level
    {
    }
}

• When an Action (that is not contained within a Condition) is the selected item, and a new Condition is added, the new Condition is placed immediately beneath that Action, at the same root level (see above example).

• When a Condition is the currently selected item and another Condition is added, the new Condition is ANDed to the selected Condition. If the Condition being added is the same Condition as the one selected, the new Condition is ORed to the selected condition. Using this method, you can create compound Conditions.

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" ) AND ( %FS.FILE_SIZE% < 300,000b ) //a compound condition
    {
        PGP Decrypt %FS.FILE_PATH%
    }
}

Changing Condition Placement

Conditions can be moved using the up/down arrows next to the Condition or at the bottom of the dialog box, or by using copy/paste. When a Condition is moved, the Condition and any actions inside of that Condition also move. If a Condition has an else statement under it, the else statement is also moved. This is because the Condition, any actions inside that Condition, and any attached Else clauses are considered a conditional block, and the entire block is moved.

Example:

Condition A
    Action 1
    Action 2
Condition B
    Action 3

Click the Condition A down arrow ONCE, and Condition A and its child Actions are moved as a block:

Condition B
    Action 3
Condition A
    Action 1
    Action 2

This same behavior does not apply when the Condition being moved is part of a compound Condition. To move one of the Conditions inside of a compound Condition down (or up), and, therefore, outside of that conditional block, you need to click on one of the Condition’s up/down arrows:

Condition C1 and C2
    Action 1
    Action 2
Condition C3
    Action 3

To move C1 down, click on the down arrow to the right of C1:

Condition C2
    Action 1
    Action 2
Condition C1
Condition C3
    Action 3

To move a compound Condition, you need to select the ENTIRE Condition by clicking and dragging the Condition icon at the far left of the Condition, or select the line and then click the blue down arrow at the bottom of the dialog box (not the down arrow to the right of the Condition). A page icon appears if you drag it to an applicable location.

Condition Evaluation

Regardless of placement, ALL Conditions are evaluated, because all Conditions exist at the root level.

For example:

ON FILE UPLOAD
{
    if ( %FS.FILE_NAME% = "*.pgp" ) //if filename extension is PGP then decrypt it
    {
        PGP Decrypt %FS.FILE_PATH%
    }
    if ( %FS.FILE_NAME% = "*.zip" ) //even if the prior condition was true, still evaluate this condition.
    {
        UNZIP %FS.FILE_PATH% to "%FS.FILE_PATH%\%EVENT.DATE%_%EVENT.TIME%\"
    }
}

Else Clauses

(Available in EFT Enterprise) The Else clause or statement is a type of Condition and appears in the Conditions list box when at least one Condition has been added to the Rule Builder. The Else clause executes if the Condition preceding the Else statement is not met.

This is your typical Else statement as part of an IF/THEN/ELSE block:

If A Then
    { Run B }
Else
    { Run C }

An Else statement must always follow a Condition. Else statements cannot be moved around independently. If you want to move the else statement, you need to move the entire conditional block or delete the else statement and re-create it elsewhere.

Below is an Event Rule example of using an Else clause.

Only the last Condition is considered before the ELSE statement is evaluated. That is, the ELSE statement will be TRUE only if the last Condition is FALSE, even if the preceding Conditions are TRUE.

Logical Operators

When a Condition is added to another compound conditional statement, the newly added Condition will be ANDed to the Condition already present:

Example 1:

If Filename = bob.txt

Now add another Condition:

If Filename = bob.txt and If Filesize < 100 MB

When the second Condition being added is the SAME Condition type as the previous one, the newly added Condition will be ORed to the previous Condition.

If Filesize < 200 MB

Now add another same Condition:

If Filesize < 200 MB or If Filesize > 500 MB

If there are more than two Conditions already existing in a compound Conditional line, and another

Condition is added (regardless of Condition type), the new Condition will use the same logical operators that are already present for that compound statement.

If Filesize < 200 MB or If Filesize > 500 MB

Now add another same Condition:

If Filesize < 200 MB or If Filesize < 400 MB or If FileName = rob.txt

You can change the AND and OR operator values by clicking the and or the or hyperlink. Please note that logical operators separating conditional statements must be the SAME across the entire compound statement. You cannot mix and match AND and OR statements. When changing the logical operator for a compound conditional statement, ALL subsequent logical operators for that statement also change to match that operator. This is necessary to prevent problems with evaluation precedence, especially in conditional blocks with more than 2 conditional expressions to evaluate. There are ways around this limitation, discussed in Evaluating Expressions.

Example 2:

If Filename = bob.txt

Now add another Condition:

If Filename = Bob.txt and If Filesize < 100 MB

Now add another Condition:

If Filename = Bob.txt and If Filesize <100 MB and If group is one of Admins

Now click one of the AND hyperlinks to change it to OR. The Conditions change to:

If Filename = Bob.txt OR If Filesize <100 MB OR If group is one of Admins

Example 3:

If Filesize is < 200 MB

Now add another Condition:

If Filesize < 200 MB or If Filesize > 500 MB

Now click the OR hyperlinks to change it to AND. The Conditions change to:

If Filesize < 200 MB and If Filesize > 500 MB

With the AND in this example, the statement will never evaluate to true. You must change the comparison types or the comparison values, or switch back to the OR logical operator to avoid creating expressions that can never evaluate to true.

Evaluating Expressions in Event Rules

EFT will always evaluate expressions from left to right, regardless of how many conditional checks there are within that same expression. One exception to this is described below.

Certain Conditions are able to test multiple values, such as the If User is Member of Condition or the If Filename is one of Condition. These Conditions are evaluated first and independently, with the resulting atomic unit evaluated as part of the complete expression.

For example, the If User is Member of Condition allows you to select from a list of Server Groups, therefore, the If User is member of expression is evaluated first, after which the rest of the expression is evaluated from left to right.

Compound Conditional Statement

If Filename (F) = Bob.txt AND If User is Member of Admins (MA), Users (U), Power Users (PU)

If this expression were evaluated from left to right, the results would not match our expectations:

If (((F and MA) or U) or PU)

Instead, EFT evaluates the conditional statement first as its own atomic unit and then evaluates the resulting expression from left to right:

If (F and (MA or U or PU))

This allows you to create expressions that contain order-of-precedence grouping without having to use parentheses. The evaluative OR statement is hidden inside the conditional statement, as long as that conditional statement can evaluate against multiple criteria.

Only the following Conditions can evaluate against multiple criteria (strings):

• If User is Member of

• If Login name

• If Virtual Path

• If Physical Path

• If Physical Folder Name

• If Physical Destination Path

• If Physical Destination Folder Name

• If Destination File Name

• If Virtual Destination Path

• If Filename

To define multiple criteria for a Condition

1. Double-click a Condition in the list to add it to the Rule Builder. (To learn more about available conditions, refer to Conditions.)

2. If you are adding an additional Condition, highlight the existing Condition in the Rule Builder, then in the Conditions list, double-click the Condition you want to add. The Condition is appended to the existing one with a logical operator (AND/OR) between them.

3. Click the logical operator to change it.

You can insert multiple Conditions. That is, you can have Condition 1 AND Condition 2 OR Condition 3.


Event Rules (Automation)

If you need to use more complex criteria using AND and OR, you can use wildcard logic to create any logic that wildcards support. For example, if you add the File Name Condition to the Rule Builder, you can then define the path mask using complex logic with wildcards.
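The evaluation order described above (multi-valued Conditions first as atomic units, then the AND/OR chain strictly left to right) and the Condition 1 AND Condition 2 OR Condition 3 chain built by the procedure can be modelled in a few lines. The following is an added example, not EFT's own code: the event context keys (filename, groups, size), the matcher functions and the use of fnmatch-style wildcards for masks are assumptions made for the illustration.

```python
"""Model of how EFT evaluates a chain of Event Rule Conditions, as this guide
describes it (an added example; not EFT's own code). Assumptions: a Condition
compares one attribute of the event against one or more criteria; a Condition
that carries several criteria (If User is Member of, If Filename, ...) is
evaluated first as one atomic unit, and the AND/OR chain between Conditions
is then applied strictly left to right, with no operator precedence."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Sequence, Tuple

Context = Dict[str, object]   # constructed event context: filename, groups, size
MB = 1024 * 1024


@dataclass
class Condition:
    name: str
    matcher: Callable[[Context, object], bool]   # tests a single criterion
    criteria: Sequence[object]                   # one or several values
    negate: bool = False                         # the "does not" variants

    def evaluate(self, ctx: Context) -> bool:
        # The OR across the criteria is hidden inside the Condition itself.
        hit = any(self.matcher(ctx, c) for c in self.criteria)
        return (not hit) if self.negate else hit


def evaluate_rule(ctx: Context, conditions: List[Condition],
                  operators: List[str]) -> bool:
    """EFT semantics: each Condition is an atomic unit; the chain is then
    read left to right (Condition 1 AND Condition 2 OR Condition 3)."""
    if len(operators) != len(conditions) - 1:
        raise ValueError("one AND/OR is needed between each pair of Conditions")
    result = conditions[0].evaluate(ctx)
    for op, cond in zip(operators, conditions[1:]):
        rhs = cond.evaluate(ctx)
        if op == "AND":
            result = result and rhs
        elif op == "OR":
            result = result or rhs
        else:
            raise ValueError(f"unknown operator {op!r}")
    return result


def evaluate_flattened(ctx: Context, conditions: List[Condition],
                       operators: List[str]) -> bool:
    """The reading the guide warns against: every criterion spliced into the
    chain as its own OR term, then the whole chain read left to right."""
    terms: List[bool] = []
    ops: List[str] = []
    for i, cond in enumerate(conditions):
        for j, c in enumerate(cond.criteria):
            if j > 0:
                ops.append("OR")
            single = Condition(cond.name, cond.matcher, [c], cond.negate)
            terms.append(single.evaluate(ctx))
        if i < len(operators):
            ops.append(operators[i])
    result = terms[0]
    for op, term in zip(ops, terms[1:]):
        result = (result and term) if op == "AND" else (result or term)
    return result


# Matchers for the Conditions used below (assumed: masks use fnmatch wildcards).
def filename_matches(ctx: Context, mask: object) -> bool:
    return fnmatchcase(str(ctx["filename"]), str(mask))

def user_in_group(ctx: Context, group: object) -> bool:
    return group in ctx["groups"]

def size_less_than(ctx: Context, limit: object) -> bool:
    return ctx["size"] < limit

def size_greater_than(ctx: Context, limit: object) -> bool:
    return ctx["size"] > limit


# The guide's Compound Conditional Statement:
# If Filename = Bob.txt AND If User is Member of Admins, Users, Power Users
COMPOUND = [Condition("If Filename", filename_matches, ["Bob.txt"]),
            Condition("If User is Member of", user_in_group,
                      ["Admins", "Users", "Power Users"])]

# The guide's size example: If Filesize < 200 MB <op> If Filesize > 500 MB
SIZE_RULE = [Condition("If File Size", size_less_than, [200 * MB]),
             Condition("If File Size", size_greater_than, [500 * MB])]


def compound_results(filename: str, groups: Sequence[str]) -> Tuple[bool, bool]:
    """(EFT result, naive flattened result) for the compound statement."""
    ctx: Context = {"filename": filename, "groups": set(groups), "size": 0}
    return (evaluate_rule(ctx, COMPOUND, ["AND"]),
            evaluate_flattened(ctx, COMPOUND, ["AND"]))


def size_rule_fires(size_bytes: int, operator: str) -> bool:
    ctx: Context = {"filename": "", "groups": set(), "size": size_bytes}
    return evaluate_rule(ctx, SIZE_RULE, [operator])


if __name__ == "__main__":
    # Alice.txt from a member of Users: EFT gives False, the naive
    # left-to-right reading gives True, the mismatch the guide describes.
    print(compound_results("Alice.txt", ["Users"]))        # (False, True)
    # With AND the size rule can never fire; with OR it fires outside the range.
    print([size_rule_fires(s * MB, "AND") for s in (100, 300, 600)])
    print([size_rule_fires(s * MB, "OR") for s in (100, 300, 600)])
```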

List of Conditions

Conditions allow you to narrow the trigger definition for an Event Rule. Conditions are optional; you do not have to define a Condition on an Event Rule to make it trigger an Action. Conditions allow more control over when an Action can take place. For example, you might create an Event Rule using the User Logged In Event, then add the If Logon Name Condition to trigger the Rule only when a specific user logs in.

Conditions are organized by type:

Workspaces-related Conditions —Event is triggered based on Workspace variables, such as folder owner.

AS2-related Conditions —Event is triggered based on criteria such as protocol or AS2 ID.

Connection Conditions —Event is triggered based on connection information, such as the remote IP or whether the user connected via the Java-enabled Web Transfer Client.

File System Conditions —Event is triggered based on criteria such as file size or virtual path.

Server Conditions —Event is triggered based on criteria such as whether EFT is running or log name.

Site Conditions —Event is triggered based on whether the Site is started or stopped.

User Conditions —Event is triggered based on criteria such as whether the user account has a particular protocol enabled or login name.

Event Properties —Event is triggered based on a specific Event reason.

Context Variable Condition —(EFT Enterprise only) Event is triggered when a context variable equals or doesn't equal a specified string.

Each of the available Conditions and which Events they can be used with is described below. There are no Conditions available for the Site Stopped or Site Started Events.

Context Variable Condition

The Context Variable Condition allows you to test a context variable in an Event Rule: the Condition is met if %Context_Variable% does/does not equal, is less than, is greater than, contains, or starts with a specified value.


Workspaces Conditions

You can apply these Conditions to File Uploaded events.

If Workspace Physical Path - Tests whether the physical path does or does not match a path mask. (wildcards can be used)

If Workspace Virtual Path - Tests whether the virtual path does or does not match a path mask. (wildcards can be used)

If Workspace Name - Tests whether the folder name does or does not match a mask. (wildcards can be used)

If Workspace Participants List - Tests whether the participant list does or does not contain a specified string.

If Workspace Owner - Tests whether the Workspace Owner is or is not one of a list of specified users.

AS2 Conditions

You can apply these Conditions to File Uploaded and AS2-related events. (AS2 is available with EFT Enterprise.)

If AS2 Content Type. Tests whether the AS2 content matches the specified content type.

1. Add the Condition to a Rule.

2. In the Rule Builder, click the linked text to specify whether the content type does/does not equal to [specific AS2 content type]. Click [specific AS2 content type] to open the Select Content Type dialog box.


3. Click the Select Content Type drop-down list to specify a content type (X12, EDIFACT, XML, EDI Consent, Binary, Plaintext).

4. Click OK.

If AS2 Partner ID. Tests whether the AS2 Partner ID matches the specified mask.

1. Add the Condition to a Rule.

2. In the Rule Builder, click the linked text to specify whether the partner ID does/does not equal to [specific AS2 Partner ID]. Click [specific AS2 Partner ID] to open the Partner Identifier dialog box.

3. Click the Select AS2 partner ID drop-down list to specify a partner.

4. Click OK.

You can also specify the AS2 protocol with the If Protocol Condition described below.

Connection Conditions

You can apply these Conditions to Connection Events, File system Events, and certain User Events.

By default, IP Access-related Event Rules are limited to 1000 rules.

If Remote IP—a connection is made from a remote IP address that matches/does not match an IP address or IP mask.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the remote IP address does or does not match [ip mask].

3. Click [ip mask] to open the Edit Value dialog box.

4. Specify an IP address and/or wildcards, and then click OK to add the Condition to the Event trigger.


If Local IP—a connection is made to a local IP address that matches/does not match an IP address or IP mask.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the local IP address does or does not match [ip mask].

3. Click [ip mask] to open the Edit Value dialog box.

4. Specify an IP address and/or wildcards, and then click OK to add the Condition to the Event trigger.

If Local Port—a connection is made/not made on a port/range of ports.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the port number is/is not equal to, greater than or equal to, less than, or less than or equal to [value].

3. Click [value] to open the Edit Value dialog box.


4. Specify a port number, and then click OK to add the Condition to the Event trigger.

If Protocol—Trigger the Rule when a specific protocol is used or not used.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the protocol does/does not equal to [ftp/ssl/tls/sftp/http/https/as2/adhoc].

3. Click [ftp/ssl/tls/sftp/http/https/as2/adhoc] to open the Connection Protocol dialog box.

4. Click the Select connection protocol drop-down list to select the protocol (or specify Any Protocol).

5. Click OK.


If Using Web Transfer Client—the user connected/did not connect via the Java-enabled Web Transfer Client. (Does not work with the HTML5 version of the WTC for downloads.)

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the WTC does/does not equal to yes/no.

Site Conditions

You can apply this Condition only to the User Account Disabled, User Password Changed, and User Account Created Events.

If Site running—The Site is started or stopped.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the Site Running does/does not equal to yes/no.

File System Conditions

You can apply these Conditions only to File system Events and the Folder Monitor Event.

If File Change—a file is/is not added, removed, or renamed in a folder. This Condition is added automatically when you create a Folder Monitor Event.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the file change does/does not equal to added, removed, or renamed.

If Virtual Path—the file or folder exists, does not exist at a virtual location and/or wildcard.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the virtual path does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Virtual Path dialog box.

4. Specify a path or wildcard, then click Add to move the path to the right text box.

5. To remove a path, in the right text box, click the path or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Physical Path—the file or folder exists, does not exist at a physical location (the full folder path including the file name or wildcard).

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the physical path does/does not match/start with [path mask].


3. Click [path mask] to open the Choose Physical Paths dialog box.

4. Specify a path or wildcard, then click Add to move the path to the right text box. You can add multiple paths.

5. To remove a path or wildcard, in the right text box, click the path or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Physical Folder Name—the file or folder exists, does not exist in a physical folder (the folder path or wildcard without a file name).

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the physical folder name does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Folder Names dialog box.


4. Specify a folder name or wildcard, then click Add to move the folder name or wildcard to the right text box. You can add multiple folders.

5. To remove a folder name or wildcard, in the right text box, click the folder name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Virtual Folder Name—the file or folder exists, does not exist in a virtual folder.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the virtual folder name does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Virtual Folder Names dialog box.


4. Specify a folder name or wildcard, and then click Add to move the folder name or wildcard to the right text box. You can add multiple folders.

5. To remove a folder name or wildcard, in the right text box, click the folder name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If File Name—the file name matches/does not match a string of characters and/or wildcard.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the file name does/does not match [path mask].

3. Click [path mask] to open the Choose File Names dialog box.

4. Specify a file name or wildcard, then click Add to move the file name or wildcard to the right text box. You can add multiple file names.

5. To remove a file name or wildcard, in the right text box, click the file name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Base File Name—The portion of the file name to the left of the rightmost period; provided as a way to support rename. For example, if a file is downloaded as SomeFile.ext.tmp, the Base File Name is SomeFile.ext.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the base file name does/does not match [mask].

3. Click [mask] to open the Choose File Names dialog box.


4. Specify a file name or wildcard, then click Add to move the file name or wildcard to the right text box. You can add multiple file names.

5. To remove a file name or wildcard, in the right text box, click the file name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If File Size—the file size is or is not less than, equal to, or greater than a specified number of bytes.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the file size is/is not equal to, greater than or equal to, less than, or less than or equal to [size (B)]. Click [size (B)] to open the Edit Value dialog box.

3. Specify a file size in bytes, and then click OK.

If Physical Destination Path—(for File Moved Event) the file or folder exists, does not exist at a physical location and/or wildcard.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the physical destination path does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Physical Paths dialog box.


4. Specify a path or wildcard, then click Add to move the path or wildcard to the right text box. You can add multiple paths.

5. To remove a path or wildcard, in the right text box, click the path or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Virtual Destination Path—(for File Moved Event) the file or folder exists, does not exist at a virtual location (the full folder path including the file name and/or wildcard).

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the virtual destination path does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Virtual Paths dialog box.

4. Specify a path or wildcard, then click Add to move the path to the right text box. You can add multiple paths.

5. To remove a path or wildcard, in the right text box, click the path or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Physical Destination Folder Name—(for File Moved Event) the physical folder name matches/does not match a physical folder name and/or wildcard.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the physical destination folder name does/does not match/start with [path mask].

3. Click [path mask] to open the Choose Folder Names dialog box.


4. Specify a folder name or wildcard, then click Add to move the folder name or wildcard to the right text box. You can add multiple names.

5. To remove a folder name or wildcard, in the right text box, click the folder name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Destination File Name—(for File Moved Event) the destination file name matches/does not match a string of characters and/or wildcard.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the destination file name does/does not match [path mask].

3. Click [path mask] to open the Choose File Names dialog box.

4. Specify a file name or wildcard, then click Add to move the file name or wildcard to the right text box. You can add multiple names.

5. To remove a file name or wildcard, in the right text box, click the file name or wildcard, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

Server Conditions

You can apply these conditions to certain Server Events, Operating System Events, File System Events, and the IP Added to Ban List Site Event.

If Server Running—The EFT service is currently running.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the Server does/does not equal to Yes/No.


If Log Type—The log type is/is not a specific type.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the log type does/does not equal to [specific type].

3. Click [specific type] to open the Select Log Type dialog box.

4. Specify a Log Type, and then click OK.

If Log Location—The log location matches a specific path.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the log location does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a path or wildcard, and then click OK.

If Node Name—EFT name matches/does not match a specific character string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the node name does/does not equal to [name].

3. Click [name] to open the Edit Value dialog box.

4. Specify a name or wildcard, and then click OK.

If Old Log File Path—(Used with the Log Rotated Event only) The old log file path matches a specific path.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the old log location does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a path or wildcard, and then click OK.

If New Log File Path—(Used with the Log Rotated Event only) The new log file path matches a specific path.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the new log location does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a path or wildcard, and then click OK.

If Old Log File Name—(Used with the Log Rotated Event only) The old log file name matches a specific name.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the old log file name does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a path or wildcard, and then click OK.

If New Log File Name—(Used with the Log Rotated Event only) The new log file name matches a specific name.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the new log file name does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a path or wildcard, and then click OK.

User Conditions

You can apply user conditions to User Events and File system Events.

If User Groups—the user account is or is not a member of one or more Groups.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the user group is/is not a member of [specific group(s)].

3. Click [specific group(s)] to open the Event Target Users and Groups dialog box.

4. Select the check box of the users/groups that will trigger the Event and clear the All Users check box if you don't want the Condition to apply to all users.

5. Click OK to add the Condition to the Event trigger.

If Logon Name—the user's username matches/does not match a specific username.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the logon name is/is not one of [specified name(s)].

3. Click [specified name(s)] to open the Event Target Users and Groups dialog box.


4. Select the check box of the users/groups that will trigger the Event and clear the All Users check box if you don't want the Condition to apply to all users.

5. Click OK to add the Condition to the Event trigger.

If Logon Password—the user's password matches/does not match a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the logon password is/is not one of [specified password(s)].

3. Click [specified password(s)] to open the Choose Passwords dialog box.


4. Specify a password, and then click Add to move the password to the right text box.

5. To remove a password, in the right text box, click the password, and then click Remove.

6. Click OK to add the Condition to the Event trigger.

If Account Enabled—the user account is enabled or not enabled.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the account does/does not equal to Yes/No.

If Settings Template—the user belongs/does not belong to a Settings Template.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the Settings Template does/does not equal to [Settings Template].


3. Click [Settings Template] to open the Select Settings Template dialog box.

4. Specify a Settings Template, then click OK. (Even if there is only one Settings Template, you still have to click OK in the Select Settings Template dialog box to complete the Condition.)

If Full Name—a user's name matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the user account name does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If Description—the user's description matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the description does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a word, and then click OK.

If Comment—the user's comment matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the comment does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If EMail Address—the user's e-mail address matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the email address does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If Phone Number—the user's phone number matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the phone number does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If Pager Number—the user's pager number matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the pager number does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If Fax Number—the user's fax number matches/does not match, contains/equals a specific string.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the fax number does/does not equal to/contain [specific word].

3. Click [specific word] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If Home Folder—the location of a user's home folder matches/does not match a physical location.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the home folder does/does not match [path].

3. Click [path] to open the Edit Value dialog box.

4. Specify a virtual path, and then click OK.

If Home Folder is root—the user's home folder is/is not their root directory.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether home folder root does/does not equal to [yes/no].


If Quota Max—the user's account has a size limit less than/equal to/not less than/not equal to a size in megabytes.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the maximum quota does/does not equal to [size (MB)].

3. Click [size (MB)] to open the Edit Value dialog box.

4. Specify the maximum quota, and then click OK.

If Quota Used—the user's filled disk space is/is not less than/equal to/greater than an amount of allowed disk space.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the quota used is/is not equal to, greater than or equal to, less than, or less than or equal to [size (MB)].

3. Click [size (MB)] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a value, and then click OK.

If Invalid login attempts—the user's failed login attempts are/are not less than, equal to, greater than a number.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether invalid login attempts is/is not equal to, greater than or equal to, less than, or less than or equal to [number].

3. Click [number] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a number, and then click OK.


If User can change password—the user has/does not have permission to change the login password.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether user can change password does/does not equal to [yes/no].

If Home IP—the user's allowed IP address matches/does not match an IP address or set of IP addresses.

By default, IP Access-related Event Rules are limited to 1000 rules.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the home IP does/does not match [ip mask].

3. Click [ip mask] to open the Edit Value dialog box.

4. In the Edit Value dialog box, specify a string, and then click OK.

If User can connect using SSL—the user has/does not have SSL enabled.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether user can connect using SSL does/does not equal to [yes/no].

If User can connect using FTP—the user has/does not have FTP enabled.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether user can connect using FTP does/does not equal to [yes/no].

If User can connect using SFTP—the user has/does not have SFTP enabled.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether user can connect using SFTP does/does not equal to [yes/no].

Event Properties

If Folder Monitor Failure reason—Available only with the Folder Monitor Failed Event.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the Failure reason does/does not equal to [reason].

3. Click the [reason] link to specify which sort of failure to trigger on: any failure, archive failed, or health check failed.


If Event Reason—The Event was triggered by one of the reasons in the table below. Available reasons depend on the Event trigger (User Connect Failed, User Login Failed, User Logged Out, Download Failed, Upload Failed, Verified Upload Failed, Verified Download Failed).

For example, IP address was rejected can apply to the User Connect Failed Event; but cannot apply to any other Event triggers.

1. Add the Condition to the Event Rule.

2. In the Rule Builder, click the linked text to specify whether the Event Reason does/does not equal to [specific reason].

3. Click the [specific reason] link to specify which sort of failure to trigger on (refer to table below for Event Reasons).

[Table: Event Reasons by Event Trigger. The original is a matrix of X marks showing which Event Reason applies to which Event trigger; the marks are not reproduced here.]

Event Reason (table rows): Aborted by user; Access denied; Account Disabled; Account Locked Out (v6.1 and later); Client SSL Certificate was rejected; Connection closed; File is banned; File not found; FTP Session was closed because of error; FTP Session was closed by timeout; FTP Session was closed by user (QUIT); Invalid password; IP address was banned; IP address was rejected; IP address was rejected and banned; Max incorrect password attempts reached; Protocol not supported; Quota exceeded; Restricted IP; TCP/IP connections was closed by peer; Too many connections per IP; Too many connections per Site; Too many connections per user; User was kicked by administrator.

Event Trigger (table columns): User Connect Failed; User Login Failed; User Logged Out; Download Failed; Upload Failed; Verified Upload Failed; Verified Download Failed.


Actions

These topics provide information regarding defining and using Event Rule Actions.

Once an Event Rule is triggered, assuming all Conditions are met, EFT can launch one or more of the following user-definable Actions:

Execute command in folder - The custom command in a specific location is triggered.

Execute Advanced Workflow - (available only in EFT Enterprise) An Advanced Workflow is triggered.

Send notification e-mail - An e-mail message is sent to the address specified.

Copy/Move (push) file to host - (available only in EFT Enterprise) The designated file is automatically moved to another location.

Download (pull) file from host - (available only in EFT Enterprise) Downloads a specified file.

Perform folder operation - Create, rename, or delete specified folder. Optionally use specified credentials.

Perform file operation - Create, rename, or delete specified file. Optionally use specified credentials.

OpenPGP operations - The designated cryptographic action is performed on the file.

Cleanup in folder - Cleans up a specified folder

Generate Report - A report is generated and e-mailed or saved to a file at a specific date and time.

AS2 Send file to host Action - (available only in EFT Enterprise) You can send files via AS2 to a partner that does not have inbound access defined in EFT’s account management system. For details of the AS2 Send file to host Action, refer to Sending Files to an AS2 Partner .

Backup Server Configuration Action - Automatically backs up Server configuration for use in disaster recovery or Server migration.

Write to Windows Event Log Action - (available only in EFT Enterprise) Defines the parameters to display in the Windows Event Log when the Event is triggered.

Stop processing - If the previous trigger or Condition occurs, stop processing this Rule (default), more Rules, or this Rule and more Rules:

o this rule - this Rule is not processed.

o more rules - this Rule is processed but no further Rules are processed.

o this and more rules - no more Rules are processed.

Scan file using Content Integrity Control - (available only in EFT Enterprise) Used to send a file to an antivirus or data loss prevention scanner for processing.

De/Compress file to/from target file - Compress or decompress file in the format of Zip, 7Zip, Gzip, Bzip2, Tar, Tar and Gzip, or ZCompress. You can also add context variables to the Action.

Invoke Web Service from URL - GET, POST, PUT, DELETE at a specific URL and save the response to a specific file. This Event Rule Action for invoking Web Services extends the ability of EFT to integrate with backend systems.

For details of adding Actions to Rules, see the examples at the links above.


Which Actions are Available with Which Event Triggers?

When EFT performs a copy/move Action, the folder from which the files are moved remains and is emptied, but not deleted.

Certain Actions (Execute Advanced Workflow, Copy/move (push) file to host, Download (pull) file from host, and AS2 Send file to host) are available only in EFT Enterprise. The Actions are visible, but unavailable (grayed out) in EFT SMB.

("X" in the table indicates the Action is available for that Event; gray indicates the Action is not available for that Event.)

The EFT service must be running for an Event Rule to fire. Certain Actions are only available with certain triggers, as shown in the table below.

For example, the User Disconnected event trigger has no reason to trigger the Cleanup Folder Action.

[Table: Which Actions are available with which Event Triggers. Actions (columns): Copy/move file to host; Download file from host; OpenPGP Encrypt, Encrypt + Sign, Decrypt; Cleanup folder; Generate Report; AS2 Send file to host; Backup Server Config; Write to WEL; Content Integrity Control; Perform folder operation; Perform file operation; De/Compress file to/from target file; Invoke Web Service from URL. (The Actions Execute command in folder, Execute Advanced Workflow, Send notification email, and Stop processing more rules are available for every event.) Event Triggers (rows): Scheduler (Timer); Folder Monitor; Folder Monitor Failed; File Uploaded; File Downloaded; Verified Upload Succeeded; Verified Download Succeeded; File Renamed; File Moved; File Deleted; Folder Created; Folder Deleted; Folder Changed; Upload Failed; Download Failed; Verified Upload Failed; Verified Download Failed; Before Download; Workspace Created; Workspace Deleted; Before Workspace Deleted; User Invited to Workspace; User Joins Workspace; User Removed From Workspace; Service Stopped; Service Started; Log Rotated; Site Stop; Site Started; IP Added to Ban List; User Account Enabled; User Account Disabled; User Account Locked; User Quota Exceeded; User Logged Out; User Logged In; User Login Failed; User Password Changed; User Account Created; User Account Deleted; User Connected; User Connect Failed; User Disconnected; AS2 Inbound Transaction Succeeded; AS2 Inbound Transaction Failed; AS2 Outbound Transaction Succeeded; AS2 Outbound Transaction Failed. The per-cell "X" marks of the original table are not recoverable from the extracted text.]

Adding an Action to an Event Rule

After you have created an Event Rule and added one or more Conditions (optional) to the Rule, follow the procedure below to add one or more Actions to the Rule.

To add an Action to a Rule

1. In the right pane, in the Actions list, double-click an Action or click it, and then click Add Action.

The Action appears in the Event in the Rule Builder.

2. Select the linked text (blue or red) to specify parameters for the Action. For example, when you click the linked text in the Copy Action, the File Offload Configuration wizard appears.

Execute a Command (Run a Process)

You can configure EFT to run executables, batch files, and scripts automatically when specific events occur. EFT calls these Commands. When the Event Rule is triggered, EFT executes the specified custom command and attributes.

To execute a Command from EFT’s Event Rule system

1. Identify the Command you want to execute with the Event Rule or create a new custom Command using the procedure in Creating a Command. Or you can create a new Command later from within the Event Rule (in step 6 below).

2. Open the Event Rule with which you want to execute the Command or create a new Event Rule using the procedure in Defining Event Rules .

3. (Optional) If you need to apply any conditional behavior, click it in the Conditions list.

4. In the Actions list, double-click Execute command in folder. The Action is added to the Event in the Rule Builder.

Links in the Rule Builder indicate parameters that must be defined to save the Rule.

5. In the Rule Builder, click one of the underlined text links. The Execute Command dialog box appears.


6. In the Choose an existing or create a new Command list, click the list to select the command. (If you did not create the Command in step 1, click New to create the Command now.)

7. The Executable path and Executable switches and/or parameters boxes display the path and switches for the selected Command. (If you want to change anything, you will have to close this dialog box, apply any changes to the Event Rule, go edit the Command, then reopen the Event Rule to continue defining it.)

8. In the Working directory box, type the path or click the folder icon to specify the folder in which the script or executable resides, e.g., C:\EFTscripts. For mapped drives, use their UNC path. (File browse operations are disabled when you are connected remotely. You can't click the folder icon and browse, but you can type a path that is relevant to the EFT computer, not the remote interface.)

9. (Optional) In the Command parameters box, include any parameters for the command. You can select items in the Context variables list to add them as parameters. For example, suppose you want to run a script on a file that was uploaded and triggered the Event Rule. You would type the script name and the tag %FS.FILE_NAME%, as shown below:

dosomethingwithfile.vbs -file %FS.FILE_NAME%

Refer to Variables for details of available variables and how to use them.

EFT passes the complete variable along to the Command; however, due to limitations of some command-line applications, they may not be able to interpret the Command properly. In certain instances, such as when there is a semicolon in a file name, you may need to enclose the variable in quotation marks in the Command parameters box after you insert it from the Context variables box.

10. Click OK to save the Command.

11. Add other Actions as needed, and then click Apply to save the Event Rule.
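The quoting advice in step 9 is easier to see with a concrete substitution. The following Python block is an added example, not EFT's own code and not the dosomethingwithfile.vbs script mentioned in the procedure: it reimplements a %VAR% substitution over a constructed context, splits the result the way a shell-style parser would (shlex with POSIX rules, a stand-in for whatever the invoked program or cmd.exe does on Windows), and shows the checks a script receiving %FS.FILE_NAME% should make before acting on the name, since that name was chosen by whoever uploaded the file. VAR_RE, UNSAFE_CHARS, expand_parameters, split_arguments, is_safe_filename and resolve_within are names chosen for this illustration.

```python
import re
import shlex
from pathlib import Path

# EFT context variables are written as %NAME%, e.g. %FS.FILE_NAME%.
# This is a stand-in for the substitution EFT performs, written for
# illustration; it is not EFT's own code.
VAR_RE = re.compile(r"%([A-Z][A-Z0-9_.]*)%")


def expand_parameters(template: str, context: dict) -> str:
    """Replace each %VAR% in the Command parameters string with its value.
    Variables missing from the context are left as-is so the gap stays visible."""
    return VAR_RE.sub(lambda m: context.get(m.group(1), m.group(0)), template)


def split_arguments(command_line: str) -> list:
    """Split the expanded parameters into argv as a shell-style parser would.
    shlex applies POSIX quoting rules; the real splitting is done by the invoked
    program (or cmd.exe) and may differ in detail, but the effect of an unquoted
    space is the same: the file name breaks into several arguments."""
    return shlex.split(command_line)


# Characters that let a file name escape quoting or be interpreted by a
# command interpreter. Constructed policy for the invoked script to enforce.
UNSAFE_CHARS = set('"\'`%&|<>\r\n\0')


def is_safe_filename(name: str) -> bool:
    """Reject names that a script should never pass on to another command."""
    return bool(name) and not (UNSAFE_CHARS & set(name)) and ".." not in name


def resolve_within(root: str, name: str):
    """Resolve a file name taken from the Event Rule against the folder the
    script is allowed to work in; return None if it points outside that folder."""
    root_path = Path(root).resolve()
    candidate = (root_path / name).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed trigger: an uploaded file whose name has a space and a semicolon.
    ctx = {"FS.FILE_NAME": "Q3 report;final.dat"}
    unquoted = expand_parameters("dosomethingwithfile.vbs -file %FS.FILE_NAME%", ctx)
    quoted = expand_parameters('dosomethingwithfile.vbs -file "%FS.FILE_NAME%"', ctx)
    print(split_arguments(unquoted))  # the file name arrives as two arguments
    print(split_arguments(quoted))    # the file name arrives intact
    print(is_safe_filename(ctx["FS.FILE_NAME"]))
    print(resolve_within("/srv/eft/inbox", "../secret.txt"))  # None: outside root
```

Two things follow from running it. Quoting the variable in the Command parameters box keeps a name with spaces in one argument, which is the guide's advice. Independently of quoting, the script on the receiving end should treat the name as untrusted input: refuse names carrying quote or interpreter characters, and resolve the path against its working folder so that a name containing ".." cannot steer the script at a file elsewhere on the EFT computer.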


Execute Advanced Workflow Action

(Requires the Advanced Workflow Engine module, available in EFT Enterprise.) Advanced Workflow Actions execute asynchronously, which means that EFT does not wait for a reply before returning control to the Event Rule thread, unless an "if failed" Action was specified, such as Stop Processing this Rule, in which case the Action waits for a return message indicating success or failure from the invoked process.

To add a Workflow to an Event Rule

1. Create a Workflow .

2. Create an Event Rule .

3. In the Actions list, click Execute Advanced Workflow. The Action is added to the Rule.

4. In the Rule Builder, double-click the Advanced Workflow link. The Advanced Workflow dialog box appears.

5. The defined Workflows appear in alphabetical order in the Choose a workflow to execute list (at the top of the Advanced Workflow dialog box). Click the down arrow to select a Workflow.

6. (Optional) Specify custom parameters to pass to the Workflow in the Name and Value columns, and then click Add.

7. Click OK. The Advanced Workflow link in the Rule Builder updates with the name of the Workflow.

8. Add other Actions as needed, and then click Apply to save the changes on EFT.

Send Notification E-Mail Action

You can create an e-mail notification Action for Event Rule and AS2 Transaction success/failure notifications. To save time, you can create an e-mail notification template.

Refer to EventRuleExamples.pdf for examples of defining an Event Rule using the Send notification e-mail Action.


On Sites using AD Authentication, EFT must have "Log On as a domain user" permission for e-mail notifications to work.

To customize an Event Rule e-mail message

1. Follow the procedure in Creating Event Rules to create a new Rule or select an existing Rule to which you want to add the Action.

If you want to copy the involved user when the Event is triggered, the Rule must be based on a User Event.

2. In the Actions list, double-click Send notification email or click it, and then click Add Action.

3. Click the [select] link. The E-Mail Notification Message dialog box appears. The To box displays the first e-mail address defined in EFT address book on the SMTP tab, but you can change that, if needed. If you want to specify a different address than the prepopulated one from the SMTP tab, select the Override 'From' field check box, then specify the address.

4. Type the e-mail address of other recipients in the To, Cc, and Bcc boxes or click To, Cc, or Bcc to open the Select Names dialog box, which is populated with names and e-mail addresses defined on EFT in the User Account Details of each user account and on the SMTP tab. In the Select Names dialog box, you can type a name in the Type Name or Select from List box (not case sensitive) to find it in a heavily populated list. Select one or more recipients, and then click To, CC, or BCC. If you double-click a recipient, it is added to the To box. For multiple selections, press SHIFT (contiguous) or CTRL (non-contiguous). Click OK to save the changes.

You can use the variable %USER.EMAIL% in the To, Cc, and Bcc boxes (%USER.EMAIL% is the e-mail address of the logged-in user who is uploading a file, for example, if defined in the User Account Details dialog box).

5. In the Subject box, type a descriptive "title" for the e-mail to indicate to the recipient the purpose of the e-mail. You can also add variables. For example, if you want to see the reason an Event was triggered without opening the e-mail, add the variable %EVENT.REASON% to the Subject line.

For example, if you add the following text and variables to the Subject line:

EFT Notification: %EVENT.NAME%: %USER.LOGIN%, %EVENT.REASON%

when username jbite uses the wrong password, an e-mail is sent with the following Subject line:

Globalscape EFT Notification: User Login Failed: jbite, Invalid password

%EVENT.NAME% is the Server-defined name for the Event (e.g., File Renamed); %EVENT.EVENTNAME% is the user-defined name for the Event (e.g., My File Renamed Event Rule). Also, be aware that your recipient might get hundreds of e-mails every day; therefore, "Here's the info you wanted" might not be descriptive enough.

6. In the Message box, type the text of the e-mail. You can use HTML tags within the body of the e-mail. (Be sure to include the opening and closing <html> and <body> tags.) You can also define an e-mail template for common e-mails and provide a link to the template in the Message area. If the account to which the e-mail is sent accepts HTML-formatted e-mail, you can format the e-mail to suit your needs; you are only limited by your knowledge of HTML. (If the recipient's e-mail server does not accept HTML e-mail, the recipient will see the e-mail in plain text.)

7. In the Variables box, click a property that you want to insert in the e-mail message. The text surrounded by percent signs, the context variable, is inserted into the body of the e-mail, and will be replaced by EFT with specific information about the Event when the e-mail is sent. Review the available Variables when deciding which variables to add, because some variables cannot be used in e-mail notifications.


• If you want only the information contained in the variable in your e-mail message, click the context variable in the right column of the Variables box. (For example, if you select %EVENT.TIME% in the right column, the time will be displayed without a text label.)

• If you want the information and a label, click the text in the left column of the Variables box. (For example, if you click Event Time, the label and the time appear in the e-mail).

8. If this is a User Event and you want to send a copy of the message to the involved user, select the Send copy to user check box.

9. Click OK.

10. Click Apply. When the Event is triggered, the e-mail notification is sent.

Creating an E-mail Notification Template

The Conditions and Actions for every Event Rule you create, including e-mail notifications, are saved in EFT's configuration file. Each time the administration interface connects, it reads in the configuration file. Multiple Event Rules and e-mail notifications can grow the configuration file quite large. If you expect to have numerous e-mail notifications that are basically the same (e.g., you have default text that you always want to appear in the body of the e-mail), you can define the body of the e-mail in an HTML file, then reference it in the Message box of the E-mail Notification Message.

To create an e-mail notification template

1. Create an HTML document that contains the text that will be the body of the e-mail notification.

You can include any HTML tags and EFT variables. For example:

<HTML>

<BODY>

<P>This message was sent to you automatically by Globalscape EFT on the following event: %EVENT.NAME%.</p>

<HR>

<P><B>Server Local Time:</B> %EVENT.TIME%</P>

<P><B>Logon Name:</B> %USER.LOGIN%</P>

<P><B>E-mail Address:</B> %USER.EMAIL%</P>

<P><B>Home Folder:</B> %USER.HOME_FOLDER%</P>

</BODY>

</HTML>

2. Define the e-mail adding each of the variables that you want. You can add your custom EFT administrator signature, your company's logo, any information that you need to pass on to the user, and so on. Be sure to include the opening and closing <html> and <body> tags. Use the interface to add variables and labels to the message.

3. Copy and paste the message into a text file, and save it with an .htm extension.

Review your tags carefully, however, since no HTML-code verification is performed. As a test, you can copy and paste the text into Notepad, save it with an .htm extension, and then open it in your browser.

4. Save the file in a location that can be accessed by EFT. (If you are logging into EFT on an Active Directory-authenticated Site, the Event Rule engine is running as that logged-in user, so the user account must have access to the template.)

5. Define the Event Rule and add the e-mail notification.


6. In the Message box of the E-Mail Notification Message dialog box, type file:// and the path to the e-mail template, and then click OK. For example, type: file://C:\Documents and Settings\All Users\Application Data\Globalscape\EFT Server Enterprise\MailActionTemplate.htm

IMPORTANT: There can be no spaces or line breaks before or after the link!

7. Click OK to add the notification to the Event Rule.

The referenced HTML file will appear in the body of the e-mail that is triggered by EFT. It is highly recommended that you do a test to be sure you get the results you want.
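As an added illustration of how a Subject line like the one in step 5 and an HTML template like the one above get filled in, the Python block below renders both from a constructed event context. It is example code, not EFT's own substitution engine: the page does not show how EFT performs the replacement, and in particular does not say that EFT HTML-escapes variable values, so the escaping here is this example's own safeguard. Values such as %USER.LOGIN% and %FS.FILE_NAME% originate with the remote user, and inserting them into an HTML body unescaped would let that user place markup in the notification the administrator reads. The block also checks the "no spaces or line breaks before or after the link" rule for a file:// template reference. VAR_RE, render, render_subject, render_body and template_reference are names chosen here.

```python
import html
import re

# EFT context variables are written as %NAME% (e.g. %EVENT.NAME%).
# Illustrative renderer; not EFT's code.
VAR_RE = re.compile(r"%([A-Z][A-Z0-9_.]*)%")

# Subject line from the guide's example in step 5.
SUBJECT_TEMPLATE = "EFT Notification: %EVENT.NAME%: %USER.LOGIN%, %EVENT.REASON%"

# Body modelled on the guide's MailActionTemplate.htm example.
BODY_TEMPLATE = """<HTML>
<BODY>
<P>This message was sent to you automatically by Globalscape EFT on the following event: %EVENT.NAME%.</P>
<HR>
<P><B>Server Local Time:</B> %EVENT.TIME%</P>
<P><B>Logon Name:</B> %USER.LOGIN%</P>
<P><B>E-mail Address:</B> %USER.EMAIL%</P>
<P><B>Home Folder:</B> %USER.HOME_FOLDER%</P>
</BODY>
</HTML>"""


def render(template: str, context: dict, escape_html: bool = False) -> str:
    """Fill in every %VAR% present in context; unknown variables stay visible.
    With escape_html=True each value is HTML-escaped before insertion, so a
    login name or file name chosen by a remote user cannot inject markup
    into an HTML-formatted notification."""
    def substitute(match):
        name = match.group(1)
        if name not in context:
            return match.group(0)
        value = str(context[name])
        return html.escape(value, quote=True) if escape_html else value
    return VAR_RE.sub(substitute, template)


def render_subject(context: dict) -> str:
    # Subject lines are plain text, so no HTML escaping is applied here.
    return render(SUBJECT_TEMPLATE, context)


def render_body(context: dict) -> str:
    return render(BODY_TEMPLATE, context, escape_html=True)


def template_reference(message: str):
    """Return the template path if the Message box holds exactly one file://
    reference with no leading or trailing spaces or line breaks, else None."""
    if message != message.strip() or not message.startswith("file://"):
        return None
    path = message[len("file://"):]
    return path or None


if __name__ == "__main__":
    # Constructed event: a failed login by the user from the guide's example.
    ctx = {"EVENT.NAME": "User Login Failed", "USER.LOGIN": "jbite",
           "EVENT.REASON": "Invalid password", "EVENT.TIME": "2015-12-21 10:00:00"}
    print(render_subject(ctx))
    print(render_body({**ctx, "USER.LOGIN": "<b>jbite</b>"}))
    print(template_reference("file://C:\\Data\\MailActionTemplate.htm\n"))  # None
```

The renderer deliberately leaves a variable untouched when the context lacks it; in a test send that makes a misspelled variable name stand out in the received e-mail instead of silently disappearing, which is the check the guide recommends doing before relying on a template.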

Transferring Files with Event Rules

You can configure EFT's Event Rules to copy, move, download, upload, or offload one file or a group of files automatically based on filename, username, location, folder changes, date or time of day, or many other variables. You can copy an entire folder structure when you offload (copy/move) files.

• For details of copying or moving (offloading/pushing) a file to a specific server (host), refer to Copy/Move (push) File to Host Action.

• For details of downloading (pulling) a file from a specific server (host), refer to Download (pull) File from Host Action.

Copy/Move (Push) File to Host Action

(Available in EFT Enterprise) You can configure EFT to copy or move (also known as "offload") files to a specific location using a particular protocol whenever certain Events occur, such as when a report is created. You must provide EFT with connection information (protocol and login details) and file information (source path and destination path). The copy/move Action can be applied to all File System Events; the User Events "User Quota Exceeded," "User Logged In," and "User Logged Out"; and the Server Events "Timer" and "Log Rotated."


• If you create an Upload Rule that sends a file transfer activity report, the file transfer that triggered the Rule is not included in the report.

• When you add a Copy/Move file to host or Download file from host Action to a Rule, the Client FTP offload engine performs retries upon failures (network failures are the typical example) based upon the settings in the Advanced Options dialog box. Be aware that the Copy/Move file to host or Download file from host Action takes place synchronously; that is, EFT follows the logic of doing the transfer, including all retries, before moving on to the next Action, such as an e-mail notification. A long-running transfer that also retries numerous times with large delays will cause the Event Rule to take a long time to complete.

• If you are using Secure Ad Hoc Transfer, and if EFT and IIS are installed on the same computer, when creating the Event Rule for Upload notifications, create an additional Condition for "REMOTE IP does not match 127.0.0.1." The Event Rule Conditions should be something like the following example:

• A Move Action over the local file system updates the variables FS.PATH, FS.FILE_NAME, and FS.FOLDER_NAME to match the NEW file location.

• When EFT opens a file for copy, it uses FILE_SHARE_READ sharing mode. This mode ensures that a file cannot be changed by another process while EFT copies it, preventing corruption of the file.

Refer to EventRuleExamples.pdf for examples of defining an Event Rule using the Copy/Move File to Host Action.

Refer to Connection Profiles for details of setting up a Connection Profile before defining the Action.

To configure EFT to copy/move files

1. Follow the procedure in Creating Event Rules, or select the Rule to which you want to add the Action. For example, create a Scheduler (Timer) Event.

2. In the right pane, in the Actions list, double-click Copy/Move (push) file to host.

3. In the Rule Builder, click Copy to toggle between Copy and Move to choose the Action you want for this Rule.

4. In the Rule Builder, click one of the undefined parameters (e.g., '/%SOURCE.FILE_NAME%').


The Offload Action Wizard appears.


5. In the Connection Profile box, specify a connection profile for this Event. If none is specified, you will need to configure the Connection details as described below.

6. In the Offload method box, specify a protocol type for the connection: Local (Local File or LAN), FTP (standard File Transfer Protocol), FTP SSL/TLS (AUTH TLS), FTP with SSL (Explicit encryption), FTP with SSL (Implicit encryption), SFTP using SSH2 (Secure Shell), HTTP (HyperText Transfer Protocol), or HTTPS (Secure HTTP access).

7. (Optional) If you selected Local (Local Files or LAN), under Optional credentials override, provide the Windows account Username and Password for connecting to remote shares (not local folders). These credentials are used only if/when a resource cannot be accessed using the credentials under which the EFT service is running. The Optional credentials override feature allows you to specify an alternate set of logon credentials for accessing remote network shares to which the EFT service account may not have access (due to security constraints). If alternate credentials are specified, EFT will use its current security token (associated with the “Log on as” account specified in the EFT service settings) for local folder access and then a new security token (associated with the alternate logon credentials) for the remote destination folder accessed over network connections (e.g., network shares).

8. If you chose anything but Local, do the following; if you chose Local, skip to the Source File Path page step.

a. In the Host address box, type the IP address.

b. The Port number for the selected protocol changes automatically based on the offload method. Provide a different port number, if necessary.

c. Provide the Username and Password needed to establish the connection.

9. Select the Use connected client's login credentials to authenticate check box if you want to use the local system account to authenticate. The availability of this check box is controlled by the Persist username and password credentials for use in Event Rule context variables check box on the Site's Security tab.

10. If you chose SFTP, provide the client SFTP certificate information.


11. If you chose a protocol that uses SSL (FTPS or HTTPS), provide the client SSL certificate information.

12. If you are connecting to a remote host through a SOCKS server, click SOCKS.

a. Specify the Socks Type (SOCKS4 or SOCKS5).

b. Specify the Host name and Port.

c. If you specified SOCKS5 and the server requires authentication, select the Use Authentication check box, then provide a Username and Password.

d. Click OK.

13. If you are connecting to a remote host through a proxy, click Proxy. The Proxy Settings dialog box appears.

a. Specify the Proxy type, Host name, Port, Username, and Password.

Using the DMZ Gateway as proxy is available only in the Enterprise edition of EFT and only if DMZ Gateway is configured and connected to EFT. Contact your system administrator for the proper host name, port, username, password, and proxy type, as well as any required advanced authentication methods.


b. To specify an Authentication Type and login sequence, click Advanced. You must select FTP Proxy or HTTP Proxy to specify advanced settings. (Advanced proxy settings are not available when using the DMZ Gateway as the outbound proxy.)

c. Specify one of the following Authentication Types:

USER user@site if your proxy server requires the USER command followed by your user name and the Site name to allow connection with a remote Site. You can change the @ symbol if a different separator is required by your proxy server.

SITE site if your proxy server requires the SITE command followed by the address of the remote FTP site to allow a connection.

USER with logon if your proxy server requires the USER command followed by a user name and password to allow connection with a remote Site.

USER/PASS/ACCT if your proxy server requires all three commands before allowing a connection to a remote Site.

OPEN site if your proxy server requires the OPEN command followed by the Site name before allowing connection to the Site.

Custom if your proxy server requires a login sequence different from those above. Refer to the procedure below for details of creating a custom authentication method (login sequence).

To create a custom authentication method for a proxy server

i. In the Advanced Proxy Settings dialog box, click Custom, then specify the login sequence in the text box using the following variables: %host%, %user%, %pass%, %port%, %fire_pass%, %fire_user%. Be sure to type each variable with percent signs before and after, and press ENTER to separate commands.

ii. Type any other commands and variables, separating commands with a line break (press ENTER).

iii. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

d. Click OK to accept the changes and close the Proxy Settings dialog box.


14. To specify transfer options and time stamps, in the Offload wizard, click Advanced. The Advanced Options dialog box appears.

a. In the General transfer options area, you can provide more control over Max concurrent transfer threads, Connection timeout, Connection retry attempts, and Delay between retries. When files are being transferred with Event Rules (copy/move), if there are connection problems (e.g., the network is unavailable), the server will attempt to establish a connection the number of times specified in Connection retry attempts. When EFT is able to re-establish the connection, it continues to transfer the file even if there are multiple interruptions.

b. In the Use the following local IP for outbound connections box, click the down arrow to specify an IP address. If the computer has multiple IP addresses available and/or both IPv4 and IPv6 addresses, you can let EFT choose which IP address to use or you can specify which one it is to use.

c. Select the Validate file integrity after transfer check box to specify that EFT should double check binary files to ensure the files downloaded completely and correctly. (Not applicable to SFTP.)

d. In the Data port mode box, click the drop-down list and select one of the following (not applicable to SFTP):

Auto—When Auto is selected, EFT initially makes connections in PASV mode. If the PASV connection fails, EFT attempts to connect in PORT mode automatically.


Active—When Active mode is selected, EFT opens an additional port and tells the remote server to connect to <IP:PORT_RANGE> to establish a data connection. This is useful when the server is behind a firewall that closes all unnecessary ports. If you select this mode, specify the port range from which the client will choose. (For security best practices, Active mode is not allowed when brokering outbound connections through DMZ Gateway.)

Passive—When Passive mode is selected, EFT tells the remote server to provide <IP:PORT> to which EFT can connect to establish a data connection. This is useful when a client is behind a firewall that closes all unnecessary ports. Helps avoid conflicts with security systems.

e. Select the Clear command channel check box to send FTP commands in clear text. (Only available when FTPS is specified.)

f. Select the Clear data channel check box to transfer files without encryption. (Only available when FTPS is specified.)

g. In the Filename encoding area, specify whether the filename is encoded as UTF-8 or ASCII.

• To conserve Unicode file names, the remote server must support UTF-8 and advertise UTF-8 in its FEAT command.

• To conserve Unicode file content you must transfer the file using binary transfer mode or save the file using UTF-8 encoding before offloading it in ASCII mode.

(Refer to Knowledgebase article #11113 for more information.)

• To enforce binary transfer mode for text files with UTF-8 encoded content, you should remove all the extensions from the ASCII transfer mode area in the next step or transfer files with extensions that don’t match those on the ASCII types list.

• Text (ASCII) files transferred in binary mode will retain their carriage return (CR) and line feed (LF) hidden characters, which are not supported by *nix systems by default.

h. In the ASCII transfer mode area, specify the file types that can be transferred. Use a comma and a space between extensions. If you use only a comma with no space, then the Rule will not recognize the extension/file type. TXT, INF, HTML, and HTM are specified by default. If an asterisk (*) is specified, all files are downloaded in ASCII mode, even if that file doesn't have an extension. (To conserve Unicode file content, you must transfer the file using binary transfer mode. To force download in binary, clear the file types box.)

i. In the Time stamps area, select one of the following:

• Select the Preserve remote time stamp for downloaded files check box to keep the time stamp the same on the destination file as it is on remote file.

• Select the Preserve the local time stamp for uploaded files if the server allows MDTM check box to keep an uploaded file's time stamp the same on the remote server as it is on the source file system. (Not applicable to SFTP.)

j. Click OK.
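The Auto, Active and Passive choices in step 14d describe the FTP data-connection negotiation. The Python block below is an added example, not EFT's code, that works through that negotiation with constructed control-channel replies: it parses a 227 PASV reply (RFC 959 format "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)") into the address the client would connect to, builds the PORT command a client sends in Active mode from a port chosen out of a configured range, and applies the Auto rule of trying PASV first and falling back to PORT. The peer-address check in parse_pasv_reply is this example's own safeguard: a server reply can advertise any IP address, and a client that follows it blindly will open its data connection to whatever host the reply names. PASV_RE, parse_pasv_reply, choose_data_port, build_port_command and negotiate_data_connection are names chosen here.

```python
import ipaddress
import re

# Six comma-separated numbers in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply; the IP is h1.h2.h3.h4 and the port is p1*256 + p2. Illustrative code.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str, control_peer_ip: str):
    """Turn a 227 reply into the (ip, port) the client would connect to for data.
    Returns None if the reply is malformed, or if it advertises an address other
    than the server holding the control connection (example-specific strictness)."""
    match = PASV_RE.match(reply.strip())
    if not match:
        return None
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0 or ip != control_peer_ip:
        return None
    return ip, port


def choose_data_port(port_range, in_use):
    """Pick the first free listening port from the configured Active-mode range."""
    for port in port_range:
        if port not in in_use:
            return port
    return None


def build_port_command(local_ip: str, port: int) -> str:
    """Build the PORT command that tells the server where to connect in Active mode."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(local_ip)).split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def negotiate_data_connection(mode, pasv_reply, control_peer_ip,
                              local_ip, port_range, in_use=frozenset()):
    """Apply the Data port mode setting from the guide: Auto tries PASV first and
    falls back to PORT; Passive uses PASV only; Active uses PORT only.
    Returns ("PASV", (ip, port)), ("PORT", command) or None."""
    if mode in ("Auto", "Passive"):
        target = parse_pasv_reply(pasv_reply, control_peer_ip)
        if target is not None:
            return ("PASV", target)
        if mode == "Passive":
            return None
    port = choose_data_port(port_range, in_use)
    if port is None:
        return None
    return ("PORT", build_port_command(local_ip, port))


if __name__ == "__main__":
    # Constructed session: control connection to 192.0.2.10 from local 192.0.2.20.
    ok_reply = "227 Entering Passive Mode (192,0,2,10,19,137)."
    bad_reply = "425 Can't open data connection."
    print(negotiate_data_connection("Auto", ok_reply, "192.0.2.10", "192.0.2.20", range(50000, 50010)))
    print(negotiate_data_connection("Auto", bad_reply, "192.0.2.10", "192.0.2.20", range(50000, 50010)))
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,5,19,137).", "192.0.2.10"))  # None
```

Rejecting a PASV reply whose address differs from the control peer is the strict option; some clients instead ignore the advertised address and reuse the control peer's, which also copes with servers behind NAT that advertise a private address. Either way the point for the defender is the same: the data connection should go to the server you authenticated to, not to an address the reply chose.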

15. (optional) To define commands to occur before and after this operation, click Pre/Post.


16. In the Pre/post commands dialog box, you can specify one of the following operations to occur before and after the Copy/Move Action:

o Not Chosen

o Create Folder

o Remove Folder

o Rename Folder

o Delete File

o Mainframe Support - Used to specify information that may be required when sending a file/dataset to a mainframe computer.

When you choose the Mainframe Support operation, then click Configure, the Configure Mainframe Support dialog box appears.

Select the applicable check boxes and provide the parameters:

LRECL = Logical Record Length; By default, Windows creates files with a logical record length of 256, at which point the line wraps. You can specify a different length in this box.

BLKSIZE = Block Size of the data set; normally a multiple of LRECL.

RECFM = Record Format; Specifies the characteristics of the records in the data set as:

 F - Fixed record length

 V - Variable record length

 U - Undefined record length

 B - Blocked records

 S - Spanned records

 A - Records contain ISO/ANSI control characters


 M - Records contain machine code control characters

17. Click Next. The Source File Path page appears.


18. In the Source path box, provide the path to the file(s) that you want to offload. (No validation is performed.) For example, type:

C:\Staging\*.dat or \\mydomain\common\jsmith\file.txt

You can leave Source path blank or use %FS.PATH% to offload the files associated with the Event that triggered the Action. In a Timer Event, there is no context variable available for the path, so you must specify a filename.

19. Select the Delete source file after it has been offloaded check box if you want to delete the file after it is copied/moved. (If the file is marked read-only, it will not be deleted.)

o Select the Except when ... check box if you do not want to delete the source file after it is offloaded if the offload was skipped.

20. Select the If the source file is missing treat as success check box if you want the Action to be considered successful even if the source file is missing.

21. Click Next. The Destination File Path page appears.


22. In the Destination path box, specify the location in which to save the offloaded file. (No validation is performed when you type a path; the Folder icon is only available for local transfers.)

If you type a path to a folder that does not exist, the Event Rule will fail. Be sure you have the path defined correctly, e.g., make sure to use the proper slash. In general, forward slashes / are used in remote paths, and backward slashes \ are used in local Windows paths. Do not use both.

• You can specify variables, such as \pub\usr\%USER.LOGIN%\%FS.FILE_NAME%.

• In the Variables box, double-click the variable(s) that you want to add to the path.

• In Move Actions over the LOCAL FILE SYSTEM, the %FS.PATH%, %FS.FILE_NAME%, and %FS.FOLDER_NAME% context variables are updated to match the new file location.

• In the Matching filenames box, specify whether to Overwrite, Skip, Smart Overwrite, or Numerate files that exist with the same name. (Refer to Smart Overwrite for more information about Smart Overwrite.) This setting only applies to the initial transfer, not when the transfer is interrupted and then resumed. When resuming, EFT follows the Smart Overwrite settings (i.e., performs a CRC match for the files; if the files are identical, the destination file is not overwritten).

   o Overwrite—Overwrite any existing file with the same name.
   o Skip—Skip the offload if a file with the same name exists in the destination directory.
   o Smart Overwrite—EFT performs a CRC match for the files. If the files are identical, the destination file is not overwritten. Refer to Smart Overwrite for more information about this feature.
   o Numerate—If a file in the destination folder has the same name as the file you are transferring, EFT renames the transferred file to "Copy of file.txt." If the same transfer occurs again, EFT renames the transferred file to "Copy (2) of file.txt" and so on.

• If you want to rename the file, select the Rename transferred file to box and specify a new name.

   o You can rename the file when it is transferred. For example, when "myfile.doc" is uploaded, you might want to save it as "status_%EVENT.DATESTAMP%.doc" or something else more identifiable.
   o You can also use variables in the Rename transferred file to box. For example, /%FS.FILE_NAME%.%EVENT.TIMESTAMP%
   o For LAN renames, you must include the full path to the file.
   o EFT executes a RNFR + RNTO sequence for FTP transfers on the remote server. If the remote server supports cross-folder rename (as EFT does), it is possible for the Rename-Pathname-Filename variable to point to a different folder than the Offload Destination folder.
   o The Offload transaction status will be FAILED if the rename fails, even though the file was transferred.
   o The Status Viewer will display the Rename-To value in the Remote Path field for Offload.

23. Click Finish, then click Apply to save the changes on EFT and/or add other Actions and Conditions to the Rule.

If you are copying or moving the file to another location, and the file upload is a regularly occurring Event with a file of the same name, in the Offload Action wizard, add the variables %EVENT.DATESTAMP% and/or %EVENT.TIMESTAMP% to the path so that the date (YYYYMMDD) and/or time (HHMMSS) are added to the filename when it is moved/copied. Do not use %EVENT.TIME%, because the colon (e.g., 28 Aug 07 10:01:56) makes it unsuitable for file naming.

For example, in the Offload Action wizard, in the Destination path box, provide the path and variables, such as:

C:\Documents and Settings\Administrator\My Documents\upload\%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%_%FS.FILE_NAME%

With this path and variables, when a file is uploaded to the monitored folder, the file is moved to \My Documents\upload and the date and time are prepended to the filename. For example, 20080422_101212_mydailyprogress.doc.

Download (Pull) File from Host Action

(Available in EFT Enterprise) You can configure an Event Rule to copy or download from a specific location to a specified local folder using a particular protocol when an Event occurs. You must provide EFT with connection information (protocol and login details) and file information (source path and destination path). The Download Action is available with all Events except Site Stopped and Service Stopped.

• When you add a Download file from host Action to a Rule, the Client FTP offload engine performs retries upon failures (network failures are the typical example) based upon the settings in the Advanced Options dialog box. Be aware that the Download file from host Action takes place synchronously; that is, EFT completes the transfer, including all retries, before moving on to the next Action, such as an e-mail notification. A long-running transfer that also retries numerous times with large delays will cause the Event Rule to take a long time to complete.


Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the Download file from host Action.

Refer to Connection Profiles for details of setting up a Connection Profile before defining the Action.

To set up EFT to download files

1. Follow the procedure in Creating Event Rules or select the Rule to which you want to add the Action.

2. In the Actions list, click Download (pull) file from host. The Rule parameters are added to the Rule in the Rule Builder.

3. Click one of the undefined parameters where the parameters are listed in the Rule Builder. The Download Action wizard appears.

4. In the Connection Profile box, specify a connection profile for this Event. If none is specified, you will need to configure the Connection details as described below.

5. Click the list to specify a Download method for the connection: Local (Local File or LAN), FTP (standard File Transfer Protocol), FTP SSL/TLS (AUTH TLS), FTP with SSL (Explicit encryption), FTP with SSL (Implicit encryption), SFTP using SSH2 (Secure Shell), HTTP (HyperText Transfer Protocol), HTTPS (Secure HTTP access).

6. (Optional) If you selected Local (Local Files or LAN), provide the Windows account username and Password for connecting to remote shares (not local folders).


These credentials are used only if/when a resource cannot be accessed using the credentials under which the EFT service is running. The Optional credentials override feature allows you to specify an alternate set of logon credentials for accessing remote network shares to which the EFT service account may not have access (due to security constraints). If alternate credentials are specified, EFT will use its current security token (associated with the “Log on as” account specified in the EFT service settings) for local folder access and then a new security token (associated with the alternate logon credentials) for the remote source folder accessed over network connections (e.g., network shares).

7. If you chose anything but Local, do the following; otherwise, skip to the Source File Path page step.

   a. In the Host address box, type the IP or host address of the EFT to which you want to connect.
   b. The Port number for the selected protocol changes automatically based on the offload method. Provide a different port number, if necessary.
   c. In the Username and Password boxes, type the username and password used to authenticate.

8. Select the Use connected client's login credentials to authenticate check box if you want to use the local system account to authenticate. The availability of this check box is controlled by the Persist username and password credentials for use in Event Rule context variables check box on the Site's Security tab.

9. If you chose SFTP, provide the client SFTP certificate information.

10. If you chose a protocol that uses SSL (FTPS or HTTPS), provide the client SSL certificate information.

11. If you connect to EFT through a proxy server, click Proxy. The Proxy Settings dialog box appears.

   a. Specify the Proxy type, Host name, Port, Username, and Password.

Using the DMZ Gateway as proxy is available only in the Enterprise edition of EFT. For security best practices, selecting PORT mode in the Advanced Options dialog box below is not allowed when brokering outbound connections through DMZ Gateway.

b. To specify an Authentication Type and login sequence, click Advanced. You must select FTP Proxy or HTTP Proxy to specify advanced settings.

   c. Specify one of the following Authentication Types:

USER user@site if your proxy server requires the USER command followed by your user name and the Site name to allow connection with a remote Site. You can change the @ symbol if a different separator is required by your proxy server.

SITE site if your proxy server requires the SITE command followed by the address of the remote FTP site to allow a connection.

USER with logon if your proxy server requires the USER command followed by a user name and password to allow connection with a remote Site.

USER/PASS/ACCT if your proxy server requires all three commands before allowing a connection to a remote Site.

OPEN site if your proxy server requires the OPEN command followed by the Site name before allowing connection to the Site.

Custom if your proxy server requires a login sequence different from those above. Refer to the procedure below for details of creating a custom authentication method (login sequence).

To create a custom authentication method for a proxy server

   i. In the Advanced Proxy Settings dialog box, click Custom, then specify the login sequence in the text box using the following variables: %host%, %user%, %pass%, %port%, %fire_pass%, %fire_user%. Be sure to type each variable with percent signs before and after, and press ENTER to separate commands.
   ii. Type any other commands and variables, separating commands with a line break (press ENTER).
   iii. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

Contact your system administrator for the proper Host name, Port, User name, Password, and proxy type, as well as any required advanced authentication methods.

12. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

13. If you connect to EFT through a Socks server, click SOCKS.


   a. Specify the Socks Type (SOCKS4 or SOCKS5).
   b. Specify the Host name and Port.
   c. If you specified SOCKS5 and the server requires authentication, select the Use Authentication check box, then provide a Username and Password.
   d. Click OK to save the changes and close the SOCKS Settings dialog box.

14. To configure advanced transfer options, in the Download Action wizard, click Advanced. The Advanced Options dialog box appears.


   a. In the General transfer options area, you can provide more control over Max concurrent transfer threads, Connection timeout, Connection retry attempts, and Delay between retries. When files are being transferred with Event Rules (copy/move), if there are connection problems (e.g., the network is unavailable), EFT will attempt to establish a connection the number of times specified in Connection retry attempts. When EFT is able to re-establish the connection, it continues to transfer the file even if there are multiple interruptions.

   b. In the Use the following local IP for outbound connections box, click the menu to specify an IP address. If the computer has multiple IP addresses available and/or both IPv4 and IPv6 addresses, you can let EFT choose which IP address to use or you can specify which one it is to use.

   c. Select the Validate file integrity after transfer check box to specify that EFT should double check binary files to ensure the files downloaded completely and correctly. (Not applicable to SFTP.)

   d. In the Data port mode box, click the drop-down list and select one of the following (not applicable to SFTP):

      o Auto—When Auto is selected, EFT initially makes connections in PASV mode. If the PASV connection fails, EFT attempts to connect in PORT mode automatically.
      o Port—When Port mode is selected, EFT opens an additional port and tells the remote server to connect to <IP:PORT_RANGE> to establish a data connection. This is useful when the server is behind a firewall that closes all unnecessary ports. If you select this mode, specify the port range from which the client will choose.
      o Pasv—When Pasv mode is selected, EFT tells the remote server to provide <IP:PORT> to which EFT can connect to establish a data connection. This is useful when a client is behind a firewall that closes all unnecessary ports. This helps avoid conflicts with security systems.

   e. Select the Clear command channel check box to send FTP commands in clear text. (Only available when FTPS is specified.)

   f. Select the Clear data channel check box to transfer files without encryption. (Only available when FTPS is specified.)

   g. In the ASCII transfer mode area, specify the file types that can be transferred. TXT, INF, HTML, and HTM are specified by default. If an asterisk (*) is specified, all files are downloaded in ASCII mode, even if that file doesn't have an extension. (To preserve Unicode file content, you must transfer the file using binary transfer mode. To force download in binary, clear the file types box.)

   h. In the Time stamps area, select one of the following:

      • Select the Preserve remote time stamp for downloaded files check box to keep the time stamp the same on the destination file as it is on the remote file.
      • Select the Preserve the local time stamp for uploaded files if the server allows MDTM check box to keep the time stamp the same on the remote file as it is on the source file. (Not applicable to SFTP.)

   i. Click OK to accept the changes and close the Advanced Options dialog box.

15. Click Next. The Source File Path page appears.


16. In the Source path box, provide the path to the file(s) that you want to download. For example, type:

/pub/usr/jsmith/file.txt or \\mydomain\common\jsmith\file.txt

If you type a path to a remote folder that does not exist, the Event Rule will fail.

17. Select the Delete source file after it is downloaded check box if you want to delete the file after it is retrieved. (If the file is marked read-only, it will not be deleted.)

   o Select the Except when ... check box if you do not want to delete the source file after it is downloaded if the download was skipped.

18. For LAN/local transfers only, select the If the source file is missing treat as success check box if you want the Action to be considered successful even if the source file is missing.

19. Click Next. The Destination File Folder page appears.


20. In the Destination folder box, click the folder icon and specify the location in which to save the downloaded file. You can insert variables by double-clicking them in the box below the Destination folder box.

If you type a path to a remote folder that does not exist, the Event Rule will fail.

• In the Matching filenames box, specify whether to Overwrite, Skip, or Numerate files that exist with the same name. If Overwrite is selected, EFT performs a CRC match for the files.

21. Click Finish, then click Apply to save the changes on EFT and/or add other Actions and Conditions to the Rule.

Smart Overwrite

On the Destination File Path page of the Copy/Move Action wizard, you can specify what EFT is to do if the file you are copying or moving has the same file name as a file in the destination path. Depending on what it detects, Smart Overwrite can overwrite the file in the destination path, skip the copy/move, numerate the copied/moved file, or overwrite the destination file after performing a CRC match of the files.

Overwrite = Overwrite any existing file with the same name.

Skip = Skip the offload if a file with the same name exists in the destination directory.

Numerate = If a file in the destination folder has the same name as the file you are transferring, EFT renames the transferred file to "Copy of file.txt." If the same transfer occurs again, EFT renames the transferred file to "Copy (2) of file.txt" and so on.

Smart Overwrite = EFT performs a CRC match of the files.


• If the destination and source file sizes are the same, then the CRC determines whether it should skip the file or overwrite the file. If the file contents are identical, the destination file is not overwritten.

• If the destination size is smaller than the source size (meaning a partial file likely exists in the destination file path), then EFT will perform CRC on the portion of the source file that matches the length of the destination file. If the contents match, then EFT resumes the download. If they do not match, then the file is overwritten.

• If the destination file size is larger than the source file, then EFT overwrites the file without performing CRC first.
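The three size cases above, carried through as an added illustration (not EFT code). EFT's CRC variant and file I/O are not documented here, so zlib.crc32 over in-memory byte strings stands in for them; the function names are assumptions.

```python
# Added illustration of the Smart Overwrite decision described above; this is
# not EFT code. EFT's CRC variant and file I/O are not documented on the page,
# so zlib.crc32 over in-memory byte strings stands in for them (assumption).
import zlib
from typing import Optional, Tuple

SKIP = "skip"            # identical file already present; leave it alone
RESUME = "resume"        # destination is a matching prefix; append the rest
OVERWRITE = "overwrite"  # contents differ, or destination is larger


def crc32(data: bytes) -> int:
    """CRC over a byte string (stand-in for the CRC EFT computes on a file)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def smart_overwrite_decision(source: bytes, destination: Optional[bytes]) -> str:
    """Apply the three size cases from the Smart Overwrite description:
    equal sizes  -> CRC decides SKIP vs OVERWRITE
    dest smaller -> CRC of the matching-length source prefix decides RESUME vs OVERWRITE
    dest larger  -> OVERWRITE without computing a CRC"""
    if destination is None:
        return OVERWRITE  # no same-named file, so it is a plain transfer
    src_len, dst_len = len(source), len(destination)
    if dst_len == src_len:
        return SKIP if crc32(source) == crc32(destination) else OVERWRITE
    if dst_len < src_len:
        # A partial file probably exists: compare only the portion already there.
        return RESUME if crc32(source[:dst_len]) == crc32(destination) else OVERWRITE
    return OVERWRITE


def apply_decision(source: bytes, destination: Optional[bytes]) -> Tuple[str, bytes]:
    """Carry the decision through and return (decision, resulting destination bytes)."""
    decision = smart_overwrite_decision(source, destination)
    if decision == SKIP:
        return decision, destination                               # untouched
    if decision == RESUME:
        return decision, destination + source[len(destination):]  # append the tail
    return decision, source                                        # full overwrite


if __name__ == "__main__":
    # Constructed sample: a 6-byte source against a 3-byte partial destination.
    print(apply_decision(b"abcdef", b"abc"))  # ('resume', b'abcdef')
```

A CRC is a checksum, not a cryptographic hash: equal size and equal CRC show that the same transfer is already present, not that the destination could not have been altered, so verify integrity separately where that matters.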


Cleanup in Folder Action

(Available in EFT Enterprise) When you create your first Site, a Timer Rule is created that runs the Backup Server Configuration Action once each day at midnight, using all defaults for naming and backup location (\backup\Server Configuration Backup [Month] [Day] [Year].bak). The Rule includes a Cleanup in folder Action to delete backup files (*.bak) older than 30 days in that same folder and another Cleanup in folder Action to remove old log files. This Backup and Cleanup Rule is enabled by default, but you can disable it and edit it as necessary.

The Cleanup in folder Action is available only with the On Timer Server Event. At the interval that you specify, EFT compares the filter parameters of the Cleanup in folder Action to the files in the designated folder, then determines the creation or modification time of the file and deletes ("cleans up") files that match the cleanup parameters. For example, if you specify to clean up files that are older than 7 days named dailyreport*.doc in the folder D:\WorkFolder\Sales\Daily Reports, any Microsoft Word files in that folder with dailyreport in the file name are deleted after 7 days. However, if you create a Cleanup in folder Action and set a file to be cleaned after 7 days, but then modify the file on the 6th day, the file will not be deleted until 7 days after the modification date.

Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the Cleanup in folder Action.

To configure EFT to clean up files automatically

1. Follow the procedure in Creating Event Rules to create a Scheduler (Timer) Event. The Event Rule appears in the Rule Builder.

2. In the Actions list, double-click Cleanup in folder. The Action is added to the Rule in the Rule Builder.

3. In the Rule Builder, click the '[select]' link. The File Cleanup Action Parameters dialog box appears.

4. In the Delete file(s) older than <n> box, specify the minimum age of a file to delete from the folder. The default is 7 days.

5. In the Folder box, click the folder icon to specify the folder that you want to clean up.

6. To clean up subfolders in the specified folder, select the Include sub-folders check box.


7. If you don't want to delete all of the files older than a certain age, create a File delete filter mask. In the Filenames box, an asterisk appears by default, which means delete all files. You can Include or Exclude specific files from the Cleanup in folder Action, and/or use wildcards for file types, partial names, and so on.

For example, the Backup and Cleanup Event Rule that is defined automatically in EFT Enterprise is configured to delete all *.bak files in C:\ProgramData\Globalscape\EFT Server Enterprise\Backup that are older than 30 days.

Or, maybe you want to delete everything in the folder except for the files with "new" in the file name. To do that, you would click Exclude and then in the Filenames box, type *new*.

8. Click OK to close the dialog box.

9. Click Apply to save the changes on EFT.
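A dry-run model of the procedure above (age threshold, Include/Exclude filter mask, sub-folder option, and the "modified on day 6" rule), added here as illustration and not EFT code. It builds a constructed sample folder tree in a temporary directory and only lists what the Action would delete; the function names are assumptions.

```python
# Added dry-run model of the Cleanup in folder Action (not EFT code): it
# collects the files a filter would delete instead of deleting them. File age
# is taken from the modification time, matching the note that a file modified
# on day 6 is kept until 7 days after the modification. The sample folder
# tree is constructed in a temporary directory.
import fnmatch
import os
import tempfile
import time
from typing import List

DAY_SECONDS = 24 * 60 * 60


def name_selected(name: str, masks: List[str], mode: str) -> bool:
    """'include': only names matching a mask are cleaned (default mask '*').
    'exclude': everything is cleaned except names matching a mask."""
    hit = any(fnmatch.fnmatch(name.lower(), m.lower()) for m in masks)
    return hit if mode == "include" else not hit


def cleanup_candidates(folder: str, older_than_days: int, masks: List[str],
                       mode: str = "include", include_subfolders: bool = False) -> List[str]:
    """Return folder-relative paths that the Action would delete; deletes nothing."""
    cutoff = time.time() - older_than_days * DAY_SECONDS
    found = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            if os.path.getmtime(path) <= cutoff and name_selected(name, masks, mode):
                found.append(os.path.relpath(path, folder).replace(os.sep, "/"))
        if not include_subfolders:
            break  # os.walk yields the top folder first; stop before subfolders
    return sorted(found)


def modify_file(folder: str, rel: str) -> None:
    """Simulate editing a file: append to it and reset its modification time to now."""
    path = os.path.join(folder, *rel.split("/"))
    with open(path, "ab") as fh:
        fh.write(b" edited")
    now = time.time()
    os.utime(path, (now, now))


def build_sample_tree() -> str:
    """Constructed sample tree: backups and reports with back-dated mtimes."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "sub"))
    ages = {  # relative path -> age in days (constructed values)
        "Server Configuration Backup 01 01 2015.bak": 45,
        "Server Configuration Backup 12 01 2015.bak": 10,
        "dailyreport_new.doc": 40,
        "dailyreport_old.doc": 40,
        "sub/old_in_sub.bak": 60,
    }
    now = time.time()
    for rel, days in ages.items():
        path = os.path.join(base, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"sample")
        stamp = now - days * DAY_SECONDS
        os.utime(path, (stamp, stamp))
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    # The default Backup and Cleanup Rule: *.bak older than 30 days, top folder only.
    print(cleanup_candidates(base, 30, ["*.bak"]))
    # Everything older than 7 days except names containing "new".
    print(cleanup_candidates(base, 7, ["*new*"], mode="exclude"))
```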

Sending Files to an AS2 Partner via Event Rules

(Available in EFT Enterprise) You can send files via AS2 to a partner for whom you have not previously provisioned an outbound profile by manually specifying that partner’s profile in the AS2 Send File Event Rule Action. Alternatively, if the AS2 partner has an outbound profile defined, you can select that profile when you define the AS2 Send File options.

For example, you could define a Rule with a Timer Event so that every Monday at 8 a.m., all files in a certain folder are sent either to a partner that already has a profile defined on the Server or to a partner that you will define "on the fly" in the AS2 Send File dialog box.

The AS2 Send File to host Action is a synchronous Event even if asynchronous MDN receipts are requested. Synchronous means that the Event Rule executes Actions sequentially from top to bottom; when EFT encounters an AS2 outbound Action, it performs the transfer, and then if MDN is synchronous, EFT waits for the result before moving to the next Action (with success/failure set appropriately). If MDN is asynchronous, EFT proceeds to the next Action based only on the HTTP result of the SEND operation, NOT the result of the asynchronous MDN receipt.

The AS2 Send File to host Action can be used for Folder Monitor, Timer, and all file-based Events.

UTF-8 filenames/non-ASCII characters are not supported over the AS2 protocol. It is the responsibility of the trading partners to determine the file-naming limits imposed by their trading environments. Refer to RFC 2183, section 2.3 for details of filename parameters.

When triggered, the AS2 Send File to host Action offloads one or more user-defined files or one or more context files. Depending on the AS2 Send File to host Action’s retry configuration, the Action fails if any error occurs when attempting to send the AS2 payload. Those errors may include any connection, authentication, transport, or navigation errors; receipting errors or failures; payload errors, including transfer errors or integrity mismatch errors or failures; server communicated errors; and unknown or undefined errors, such as:

• No receipt was provided

• The receipt was not signed

• The MIC value returned did not match the original file/message MIC

• EFT was unable to:

   o verify the receipt signature
   o establish a connection to the remote host
   o upload the file to the remote host
   o send the receipt asynchronously
   o send the receipt synchronously


To send files using the AS2 Send File to host Action

1. Create a new Event Rule, such as a Scheduler (Timer) Event. (Refer to Creating Event Rules for details of creating Event Rules, if necessary.)

2. Add the AS2 Send file to host Action to the Rule.

3. Click one of the underlined text links. The AS2 Send File dialog box appears.

4. In the File(s) to upload box, type the path or click the folder icon to specify the file to send to this partner. Include the entire path to the file. You can also use File System context variables such as %FS.PATH% or wildcard masks. For example, to send all files in a folder, type the folder path and *.*. (The files will not be sent all at once; each file will have a unique message ID.)


5. In the Partner Configuration area, specify the AS2 Partner profile using one of the following methods:

• In the Partner profile box, select a defined AS2 outbound partner profile. The fields in the AS2 connection details area are completed automatically.

• Provide the connection details in the AS2 connection details area. (Refer to AS2 Send File Dialog Box Fields below for details of each field.)

• Click Setup Wizard to use the wizard to set up the profile.

The Partner profile box is linked to the selected profile configuration. If you are using Globalscape authentication, if the profile is updated, the information in the AS2 Send File dialog box is updated also; if a referenced profile is deleted, disabled, or not allowed to use AS2, any Event Rule using the profile will fail.

When you use AD, LDAP, or ODBC authenticated accounts as AS2 partners, if the account in the external database is changed, deleted, or disabled, any Event Rule or Command that references the account will fail. For example, if an AD user SSmith is renamed SJones, you will have to update any Event Rule or Command manually to reflect the new name of the account.

6. To test the configuration, click Test.

7. To configure a proxy server for this partner, click Proxy.

8. To clear all of the partner connection details and start over, click Clear All.

9. Click OK to save the AS2 Partner profile in the Event Rule.

10. Add other Conditions and/or Actions, as needed (e.g., add an e-mail notification).

11. Click Apply to save the Event Rule on EFT.

AS2 Send File Dialog Box Fields

The AS2 Send File dialog box can be used in Folder Monitor, Timer, and file-based Event Rules. The table below describes each field in the AS2 Send File dialog box.

File(s) to upload (Optional) - Used to specify the file(s) to upload to the partner. Can be variables or paths, e.g., c:\temp\robert.txt or (if relative path) \rob.txt. Defaults to %FS.FILE_NAME%; same as if blank. Accepts FS.FILE variables and path strings to drive or UNC paths or relative path where applicable (e.g., if using a Folder Monitor Rule).

Partner profile (Required) - Used to select a defined partner profile or left blank (the default) if the partner profile is not defined. If blank, complete the fields in the AS2 Partner profile area.

Delete source (Required) - Used to indicate whether to delete source files after sending them to the destination, after the MDN is received and verified from the remote AS2 host. Select the check box to delete source files after the MDN is received and verified from the remote AS2 host.

Host address (Required) - AS2 outbound host address. Requires protocol prefix in URL (http:// or https://). Specified in AS2 Partner Access wizard.

Port (Required) - AS2 Outbound port. Range is 1-65K.


Path (inbox, outbox, or mailbox) (Optional) - Relative path (similar to User Home Folder); forward slash ( / ) by default.

Username (Optional) - User login name.

Password (Optional) - Password.

Message subject (Optional) - AS2 message subject.

Content type (Required) - AS2 content type. Options include:

   o X12 - Format used by many healthcare, insurance, government, transportation, and finance organizations.
   o EDIFACT - Format adopted by the International Organization for Standardization (ISO) as the ISO standard ISO 9735.
   o XML - File format used for structured documents.
   o EDI Consent - Provides a standard mechanism for "wrapping" the EDI objects but does not specify any details about those objects.
   o Binary (default) - e.g., executables, word processing files, database, spreadsheet, and multimedia files.
   o Plaintext - e.g., text and HTML files.

Compress message (Required) - When selected, specifies that the AS2 message should be compressed when sent. (Cleared by default.)

Encrypt message (Required) - When selected, specifies that outbound AS2 messages should be encrypted. (Selected by default.)

Sign message (Required) - When selected, specifies that outbound AS2 messages should be signed. (Selected by default.)

Your certificate (Required) - Displays the AS2 certificate public key path to use for signing, copied from the Site. (Can be on a drive or UNC path.)

Partner certificate (Required) - Specifies the AS2 certificate to use for encrypting outbound transactions and for validating signed MDN receipts. (Can be on a drive or UNC path.)

Your AS2 identifier (Required) - Used to apply a unique AS2-From ID to outbound messages.

Partner AS2 identifier (Required) - Used to apply a unique AS2-To ID to outbound messages.

Receipt policy (Required) - Used to request an MDN receipt. Options include:

   o Request a signed receipt (default)
   o Don’t request a receipt
   o Request an unsigned receipt

Receipt delivery (Required) - Specifies receipt delivery method:

   o Synchronous (default)
   o Asynchronous

   Asynchronous receipts will be returned to the domain name specified on the Site's Connection tab using the standard or secure listener port specified on that same page (depending on whether you specified HTTP or HTTPS for the remote host value).


The following fields are used to determine whether a message send attempt has failed due to a timeout, error, synchronous MDN receipt failure, or other error, after which EFT will attempt to resend the same message at regular intervals, if specified.

Message send attempt timeout (seconds) (Optional) - Specifies the timeout after which a message send attempt is considered a failure if no response or errors are received from the remote server. Range: 0-600, 60 by default; 0 means no timeout.

Message send attempt retries (Optional) - Number of times to reattempt to send the message. Range: 0 (no retry) to 999, 10 is the default. Retries do not include the initial attempt. That is, 3 retries means 3 in addition to the first attempt (4 total).

Send attempt delay between retries (Optional) - Specifies the time to wait between retries if the send attempt was unsuccessful, in seconds. 30 seconds is the default.

Asynchronous receipt timeout (Optional) - Specifies the time to wait for receipt before timing out, in minutes. The default is 7200 minutes (2 hours).
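The timeout and retry fields above, together with the synchronous/asynchronous MDN rule and the receipt failure list from the start of this section, as an added model that is not EFT code. The transport is a caller-supplied function, SendResult is a constructed stand-in for one HTTP/AS2 exchange, and sleep is injectable so the rules can be exercised offline.

```python
# Added model of the AS2 Send File to host Action's attempt, retry and receipt
# rules (not EFT code). The transport is a caller-supplied function and
# SendResult is a constructed stand-in for one HTTP/AS2 exchange, so the timing
# rules can be exercised offline; sleep is injectable for the same reason.
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SendResult:
    http_ok: bool                  # the HTTP POST of the payload succeeded
    receipt_present: bool = False  # a synchronous MDN came back
    receipt_signed: bool = False   # the MDN carried a signature
    mic_matches: bool = False      # MDN MIC equals the MIC of the sent message


def sync_receipt_error(r: SendResult, signed_required: bool) -> Optional[str]:
    """None when a synchronous MDN is acceptable, otherwise the failure reason
    (the reasons listed under 'Sending Files to an AS2 Partner via Event Rules')."""
    if not r.receipt_present:
        return "No receipt was provided"
    if signed_required and not r.receipt_signed:
        return "The receipt was not signed"
    if not r.mic_matches:
        return "The MIC value returned did not match the original file/message MIC"
    return None


def send_with_retries(attempt: Callable[[Optional[int]], SendResult],
                      retries: int = 10, delay_seconds: float = 30.0,
                      timeout_seconds: int = 60, mdn: str = "synchronous",
                      signed_required: bool = True,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """retries excludes the first attempt (3 retries = 4 attempts in total);
    timeout 0 means no timeout; with an asynchronous MDN only the HTTP result
    of the SEND decides success, so the receipt is never waited for here."""
    timeout = None if timeout_seconds == 0 else timeout_seconds
    errors: List[str] = []
    for n in range(retries + 1):
        result = attempt(timeout)
        if not result.http_ok:
            errors.append("Unable to establish a connection or upload the file")
        elif mdn == "asynchronous":
            return {"success": True, "attempts": n + 1, "errors": errors}
        else:
            reason = sync_receipt_error(result, signed_required)
            if reason is None:
                return {"success": True, "attempts": n + 1, "errors": errors}
            errors.append(reason)
        if n < retries:
            sleep(delay_seconds)  # "Send attempt delay between retries"
    return {"success": False, "attempts": retries + 1, "errors": errors}


if __name__ == "__main__":
    # Constructed scenario: the partner is unreachable for every attempt.
    outcome = send_with_retries(lambda t: SendResult(http_ok=False),
                                retries=3, sleep=lambda s: None)
    print(outcome["attempts"])  # 4
```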

Backup Server Configuration Action

(Available in EFT Enterprise) A Backup Server Configuration Event Rule is defined and enabled by default to back up EFT configuration automatically on a recurring schedule. You can also run the wizard manually. For more information about the Migration wizard, refer to Backup Server Configuration Wizard.

When you create your first Site, a new Timer Rule is created that runs the Backup Server Configuration Action once a day at midnight, using all defaults for naming and backup location (\backup\Server Configuration Backup [Month] [Day] [Year].bak). The default Rule includes a Cleanup Action to delete backup files (*.bak) older than 30 days in that same folder. The Rule is created and enabled when EFT Enterprise is installed, but you can disable it and edit it as necessary.

It is a good idea to save the backup on a drive other than the one on which EFT is installed. If EFT's hard drive fails, you will want to use the backup to restore the configuration.

The default folder for Backups, C:\ProgramData\Globalscape\EFT Enterprise\Backup, is a hidden folder. In Windows Explorer, click Organize > Folder and search options, click the View tab, then click Show hidden files, folders, and drives.

To create (or edit) the Backup Server Configuration Event Rule

1. Create a Rule using the Timer, Service Stopped, or Service Started Events. If you are using the Timer Event, click the "Due <link>" hyperlink to define the backup schedule in the Timer Event dialog box. Refer to Scheduler (Timer) Event for details, if necessary.

2. Double-click the Backup Server Configuration Action or click it, and then click Add. The Action is added to the Rule.

3. Click the hyperlink in the Backup Server Configuration Action. The Browse for Folder dialog box appears in which you can specify where to save the backup file. (Use a UNC path.) By default, the backup file is saved to the EFT's Application Data folder (e.g., C:\ProgramData\Globalscape\EFT Enterprise\Backup). You should change this location to a hard drive other than the one on which EFT is installed.

4. Click the folder icon to select the folder in which to save the backup file, and then click OK.

5. (Optional) Add the Cleanup Action to remove old backups. Refer to Clean-Up Action for details, if necessary. The default Rule is configured to delete .bak files that are older than 30 days. You can also delete backups manually. Be sure to point the Cleanup Action to the location where the backup file is saved.

6. Add other Actions as needed, such as e-mail notifications.

7. Click Apply to save the changes on EFT.


8. If you used the Timer Event, you can click Run Now to test the Rule.

Event Rules (Automation)

The Backup server configuration Event Rule also includes a Cleanup in folder Action to clean up the Logs folder. If you do not want to save logs created by LAN transfers, you can disable the logs using a registry entry. For more information about the registry entry and these logs, refer to The Client Log (Event Rule Logging).

Be sure to change the paths if yours are different from the defaults.

Stop Processing

The Stop Processing Action is added automatically with each of the Actions except for the Send notification email Action, or you can add it after an Event or Condition. The Stop Processing Action ends processing of Event Rules, depending on your selection:

this rule—The current Rule is aborted, and the next Rule in order is started. That is, it only affects subsequent Actions for THIS Rule. Other matching Rules will continue to process.

more rules—The current Rule continues executing, the next Rules in order are not started. That is, it allows the current Rule to complete its processing, but no further matching Rules will continue to process.

this and more rules—The current Rule is aborted, and the next Rules in order are not started. That is, stop any subsequent Actions for this Rule and don't process any subsequent matching Rules.

Some exceptions/clarifications to consider:

• Folder Monitor and Timer Rules are not ordered, because there is only one Rule corresponding to a specific Folder Monitor/Timer (“one Event - one Rule” correspondence); only “Stop processing this Rule” is available for them. Certain “server-wide” Events (“Monitor Folder Failed,” “Service started,” “Service stopped,” “Log rotated”) allow “Stop processing this Rule” behavior only.

• The Stop Action affects only the current Event; when a client uploads the next file (i.e., when the next “File Uploaded” Event happens), EFT will execute all Rules (from first to last) again.

The example below shows three Rules that are triggered with an On Upload Event. "Stop processing this and more Rules" causes the other two processes in this example to stop:


EFT v7.2 User Guide

Based on these Rules, cserpent's file will be moved, but uploaded files will not be encrypted, nor will cserpent receive an e-mail notification when a file is uploaded.

A recurring Timer does not stop recurring if the Rule Actions fail; it will recur as scheduled until you disable or delete the Rule. In the case of Timer Rules, "Stop processing this rule" means "do not execute any further Actions with this Rule" (such as sending an e-mail), but it does NOT mean that the Timer will stop. For example, if you have defined the Rule to run every hour, an Action in the Rule could fail (such as downloading a file from a remote computer), but the Timer will run again the next hour, and the next hour, and so on, until you tell it to stop (by manually disabling it).

OpenPGP Event Rule Action

You can configure EFT's OpenPGP Event Rule Action to encrypt, sign, and decrypt files, including files larger than 2GB. The OpenPGP Action is available with Server Events (the On Timer and On Rotate Log events), certain File System Events (File Upload, File Move, and File Rename), and a User Event (User Logout). To use this Action, the Site must be configured for OpenPGP and the appropriate OpenPGP keys must be generated.

Using the OpenPGP Encryption/Decryption Action in Event Rules

When OpenPGP is used with a Folder Monitor Rule, OpenPGP operations will result in the creation of new files that will trigger the Folder Monitor Rule a second time. Although EFT provides an implicit filter that will ignore .pgp, .sig, .asc or .gpg file extensions for encrypt operations, you should still add an Event Rule Condition that provides an explicit exclusion next to the "If File Change does equal to added" Condition that is created by default when the Folder Monitor Rule is first created.

When encrypting a file: "If File Name does not match *.pgp"

When decrypting a file: "If File Name does match *.pgp"

When verifying the signature: "If File Name does match *.sig"

When signing a file: "If File Name does not match *.sig"

When verifying signature only: "If File Name does match *.pgp"

When signing: "If File Name does not match *.pgp"

One limitation is that you cannot "Encrypt and Sign" and then "Verify Only"; that will fail. The scenarios below are valid:


PGP Source      PGP Receiver
Encrypt+Sign    Decrypt+Verify
Encrypt+Sign    Decrypt
Sign Only       Verify Only

Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the OpenPGP Action.

To set up EFT to use OpenPGP for particular Event Rules

1. Follow the procedure in Creating Event Rules or select the Rule to which you want to add the Action.

2. In the right pane, in the Actions list, double-click OpenPGP Encrypt, Encrypt + Sign, Decrypt. The Action appears in the Event in the Rule Builder.

3. In the Rule Builder, select either of the underlined elements (links). The OpenPGP Action dialog box appears.

4. Specify the OpenPGP operation (Encrypt, Encrypt and Sign, Sign Only, Self-Decrypting Archive (SDA), Decrypt, Decrypt and Verify Signature, Verify Signature Only).

5. The options that appear in the dialog box depend on what you select in the OpenPGP operation box:

a. If you designated a default key for the Site, that key is displayed in the Encrypt or decrypt using (right) pane. If there is no default key, the right pane will be blank. Use the arrow icons to add or remove keys between the Your keyring pane and the Encrypt or decrypt using pane, or double-click the key in the list.


If you would like to encrypt a single file such that multiple recipients will be capable of decrypting it, add the individual keys of the intended recipients to the list of keys to use for the encryption Action to the Encrypt or decrypt using (right) pane. This prevents you from having to create multiple copies of a file and then encrypt and manage each file separately for each intended recipient.

Example Use Cases:

• You have a report containing sensitive data in PDF format. You want to encrypt and send that report to three people. In this case you would configure the "Encrypt" or "Encrypt and Sign" Action with all three public keys that correspond to those individuals. You can then send a copy of that one file to each of the recipients, and they can each decrypt the file with their private key in order to view the report in their PDF reader.

• You are required to keep an archived copy of all outbound files, including any encrypted files. If you encrypt with only the intended recipient's key, then the resulting encrypted file will not be acceptable for archival since you will not be able to decrypt it later. Therefore, you encrypt the file with not only the public key of the intended recipient but also the public key to which you have the corresponding private key. Not only will the recipient be able to decrypt the file as usual, but you will also be able to decrypt the archived copy of that file, if needed.

a. To specify ASCII-Armored output, select the check box. (Per RFC 2440, "when OpenPGP encodes data into ASCII Armor, it puts specific headers around the data, so OpenPGP can reconstruct the data later. OpenPGP informs the user what kind of data is encoded in the ASCII armor through the use of the headers.")

b. Select the Enable compression check box, and then click the down arrow to specify a level of compression, from 1 (least compression, fastest) to 9 (max compression, slowest). The default is 6 (medium compression).

c. In the Output To box, click the down arrow to specify an option: Output signature to target file (.pgp), Output signature to target file ASCII armored (*.asc), Output signature to separate file (*.sig), Output signature to separate file ASCII armored (*.asc).

d. In the Signing key box, click the down arrow to specify the signing key.

e. In the Signing hash box, click the down arrow to specify a hash: Use default (MD5 or SHA-256), MD5, SHA-1, RIPEMD160, SHA-256, SHA-384, or SHA-512. The default value depends on the version of the key used to sign the message. For version 3 keys (RSA Legacy keys), MD5 is used as the default value. For all other keys, SHA-256 is used.

f. In the File to process box, specify the file or folder to process. The default target file is selected. Alternatively, click a variable to add it to the File to process box or use actual file/folder names. Use the folder icon to browse to a file or folder.

7. Click OK to close the dialog box and apply the parameters.

8. Click Apply to save the changes on EFT.

Using Wildcards with Event Rule Actions

The OpenPGP Action, the Copy/Move Action, and the File Name Condition support the use of wildcards.

This is useful for Event Rules that batch process groups of files. Standard Windows/DOS format wildcards are used, such as *.file extension, search term .???, search term ?.*, *.*, and so on. This functionality is particularly useful with the Timer Event.

Wildcards with OpenPGP

In the OpenPGP Action configuration dialog, the File to Process field supports wildcards. Each matching file is acted upon according to the Action definition.


Wildcards with Copy/Move

In the Offload Action wizard, the Source path field on the Target File tab supports wildcards.

When a wildcard is specified here, the Destination path field specifies the target folder to which each matching file is moved or copied. The files moved or copied into the destination file are given the same name as the files from the source. For example:

Source: c:\test\*.txt

Destination: /%FS.FILENAME%

Here, each "*.txt" file that is uploaded goes to "/", with a matching file name. Note that the destination file name is not overwritten.

Configuration Notes

• If the source of an Action is specified as a wildcard without any path information, the path defaults to the folder with the Event Rule that triggered this Action (for example, there is a "%FS.PATH%" variable for an On Upload Event.) If there is no folder like that available (for example, if the Event is an On Timer Event) the current working directory of the application is set as the source of the wildcard patterns. Typically, that is the installation directory of the application.

• When you define a wildcard in the source path for a Copy/Move Action and the protocol type is set to Local (Local Files or LAN), EFT respects Windows path syntax:

For example:

Source: c:\Work\Today\*.*

Destination: g:\Backup\Work\Today\

You can also use \\Work, if appropriate.

• The Destination Path (Upload Event target file as:) ignores any path information you enter after the trailing backslash. So if you type: g:\Backup\Work\Today

EFT disregards "Today" and executes the move/copy into: g:\Backup\Work\

Test an Event Rule using a wildcard before you deploy it to ensure it works as expected and does not cause any unwanted behavior. For example, if you do not define the source path appropriately when a wildcard is used, it is possible to set up an Action that moves all the files out of a user's c:\windows directory, which is most likely an undesired result.
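To make the Folder Monitor exclusion Conditions from the OpenPGP section and the wildcard path rules above concrete, here is an added example in Python; it is not EFT code and not taken from this guide. It evaluates "If File Name does match / does not match" Conditions with Windows/DOS wildcards, shows why a Folder Monitor Rule that decrypts needs an explicit "*.pgp" Condition (the implicit extension filter covers encrypt only), and models where a wildcard source resolves to and how the Copy/Move destination is truncated at its last backslash. The file names, folders and application directory are constructed, and the source-folder rules are an assumption built from the bullets above.

```python
"""Added example, not EFT code: evaluates File Name Conditions with
Windows/DOS wildcards, shows the Folder Monitor + OpenPGP re-trigger case,
and models the source/destination path behaviour described for wildcard
Copy/Move Actions. File names, folders and the app directory are constructed."""
import ntpath  # Windows path rules regardless of the host OS
import re
from typing import Iterable, List, Optional, Tuple

# Extensions EFT implicitly ignores for encrypt operations (per the guide).
IMPLICIT_ENCRYPT_EXCLUDES = (".pgp", ".sig", ".asc", ".gpg")


def dos_wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a DOS/Windows wildcard (* = any run, ? = one character) into a
    case-insensitive anchored regex; every other character is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def file_name_condition(file_name: str, operator: str, pattern: str) -> bool:
    """Evaluate an EFT-style File Name Condition against the file's base name."""
    matched = dos_wildcard_to_regex(pattern).match(ntpath.basename(file_name)) is not None
    if operator == "does match":
        return matched
    if operator == "does not match":
        return not matched
    raise ValueError(f"unknown operator: {operator}")


def folder_monitor_fires(file_name: str, change: str,
                         conditions: Iterable[Tuple[str, str]], operation: str) -> bool:
    """Would a Folder Monitor Rule run its OpenPGP Action on this file?
    The Rule has the default 'If File Change does equal to added' Condition plus
    the given (operator, pattern) File Name Conditions. The implicit extension
    filter applies only to encrypt operations, as the guide states."""
    if change != "added":
        return False
    if operation == "encrypt" and file_name.lower().endswith(IMPLICIT_ENCRYPT_EXCLUDES):
        return False
    return all(file_name_condition(file_name, op, pat) for op, pat in conditions)


def resolve_source_folder(source: str, event_folder: Optional[str], app_dir: str) -> str:
    """Folder a wildcard source resolves to (assumption from the bullets above):
    its own path if it has one, else the Event's folder (%FS.PATH%), else the
    application's working directory. The last case is the one to test for."""
    drive, rest = ntpath.splitdrive(source)
    if drive or ntpath.dirname(rest):
        return ntpath.dirname(source)
    return event_folder if event_folder else app_dir


def effective_destination(destination: str) -> str:
    """The Copy/Move destination ignores anything after the last backslash."""
    return destination[: destination.rfind("\\") + 1]


def select_files(source: str, candidates: Iterable[str]) -> List[str]:
    """Names in candidates that the wildcard part of source selects."""
    regex = dos_wildcard_to_regex(ntpath.basename(source))
    return [name for name in candidates if regex.match(name)]


if __name__ == "__main__":
    # Decrypt output (data.csv) is 'added' again: without a Condition it re-fires.
    print(folder_monitor_fires("data.csv", "added", [], "decrypt"))
    print(folder_monitor_fires("data.csv", "added", [("does match", "*.pgp")], "decrypt"))
    print(resolve_source_folder("*.txt", None, r"C:\Program Files\EFT"))
    print(effective_destination(r"g:\Backup\Work\Today"))
```

The `resolve_source_folder` call with no Event folder is the case the warning above describes: a bare `*.txt` source on a Timer Rule selects files in the application's working directory, not in the folder you had in mind.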

Using Login Credentials in Event Rules

User name and password variables allow a single Event Rule with a single Copy/Move Action to support multiple users. When this feature is enabled, EFT stores the user name and password variables in memory for the duration of a client session. You can enable or disable this feature on the Site. The default is disabled. For more information on using this in an Event Rule, refer to Copy/Move File to Host Action.


To persist login credentials in memory for use in Event Rules

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. Select the Persist username and password credentials for use in Event Rule context variables check box.

5. Click Apply to save the changes on EFT.

Allowing user name and password replacement variables introduces a potential security vulnerability, because it allows passwords to reside in memory on EFT. The risk is low, but should be avoided unless you require the variables for an Event Rule.

Write to Windows Event Log (WEL)

(Available in EFT Enterprise) The Write to Windows Event Log Action is available for all Event Triggers.

When you add the Write to Windows Event Log Action to the Rule Builder and then click the hyperlink in the Action, the Write to Windows Event Log dialog box appears. Use this dialog box to specify the WEL message parameters.

Refer to EventRuleExamples.pdf for an example of defining an Event Rule using the Write to Event Log Action.

To configure the WEL message

1. In the Type box, click the down arrow and specify whether the message is an Information, Warning, or Error message.

2. In the Event ID* box, click the up or down arrows to specify a number to assign to the Event, from 1 to 99,999 (defaults to 2).

3. In the Description box, provide a text description that will appear in the WEL when the Event is triggered, up to 2048 characters.

4. (Optional) In the Variable list box, click an EFT context variable to appear in the message. You can add multiple variables. The value of the variable will appear in the message when the Event is triggered.

5. Click OK to save the parameters in the Action.

To view the Windows Event Log

1. Click Start > Run.

2. Type eventvwr.msc, then press ENTER. The Event Viewer appears.

3. Click Windows Logs > Application. Double-click an EFT Enterprise (Source) event. The General description and Details of the Event appear.


4. Notice that the description area displays the values of the variables that you provided in the Windows Event Log Message dialog box. In this example, we used the Event Name, Physical Path, and File Change variables. (Date and time are provided in the Event Viewer.)

Content Integrity Control Action

(Available in EFT Enterprise) The Content Integrity Control Action is used to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification.

You can create a custom CIC profile as you need it, as described below. To create reusable profiles, refer to Content Integrity Control Tab of a Server. See also Sending Files to an Antivirus or DLP Server.

To scan a file using the Content Integrity Control Action

1. Create a new Event Rule .

2. Add relevant Conditions.

3. Add the Content Integrity Control Action.

4. In the Action, click either of the underlined/linked items. The Content Integrity Control dialog box appears.


5. Select a predefined profile , or define the properties for a custom CIC profile as described below.

6. CIC profile - If you are using a defined profile, click the drop-down list to select it; otherwise, select <Custom>.

7. File Path - Physical location of the file to send to the ICAP server; %FS.PATH% is the default. You can specify another variable or drive and UNC paths. Wildcards are unsupported.

• % - Click the drop-down list if you want to specify other context variables.


8. Host, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.

• The Host field cannot be blank.

• By default, the port is set to 1344.

9. Mode - Specify one of the following:

Request modification (REQMOD) - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server's implementation.

Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.

10. Limit scans to first - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first X bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the Max scan size, the entire file will be transferred for scanning.

11. Test Connection - After you specify the connection to the ICAP server, test the connection. If connection fails, verify these settings match the settings defined in the antivirus or DLP solution.

12. Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.

13. Text in ICAP response body - (Optional) Specify text to search for in the ICAP response body text.

14. Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.


15. Always audit these ICAP response "X-" headers - (Optional) Specify "X-" headers for auditing using ARM. If this option is enabled and no "X-" headers are specified, all "X-" headers will be audited. Use semicolons between multiple items. Note that this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.

16. Click OK to save the changes in the Event Rule. The name of the profile appears in the Event Rule Action.

De/Compress Action

(EFT Enterprise only) Occasionally, users might upload or download files that need to be compressed (e.g., zipped) or decompressed (e.g., unzipped) before transferring. The Compress/Decompress Action can be used to compress and decompress files. You can compress/decompress the following formats: ZIP, 7Zip, GZip, BZip2, Tar, Tar and GZIP, and ZCompress.

The source and destination file path specifications are limited to physical paths only – virtual paths will not work for these fields.

To ensure maximum compatibility with third-party archival tools, Unicode passwords should be avoided.

To compress or decompress files using Event Rules

1. Add the Event to the Event Rule (e.g., File Downloaded).

2. Add any (optional) Conditions.

3. Add the De/Compress file to/from target file Action.

4. Click any links in the Action to open the Compress/ Decompress Action dialog box.


5. In the Action list, click the desired Action: Compress or Decompress.

6. In the Format box, specify the format in/from which to compress or decompress the file: ZIP, 7Zip, GZip, BZip2, Tar, Tar and GZIP, and ZCompress.

7. If the Compress Action is specified, in the Method list, specify the Method: Deflate or PPMd.

8. If the Compress Action is specified, in the Level list, specify a level of compression to apply, from 0 - fastest to 6 - densest.

9. If the Decompress Action is specified, the Method and Level lists are unavailable.


10. In the Files area, specify the Source and Destination paths. (As noted above, only physical paths should be specified; virtual paths will not work.)

• Select the variable drop-down list (percent sign %) to specify a context variable. You can specify more than one and use wildcards, as shown in the examples.

• Select the folder icon to browse to a folder.

11. In the Options area, the Overwrite options (Never, Always, If Newer) are available when the Decompress Action is specified.

12. Select the check boxes to specify whether to Include subfolders (for Compress Action), Overwrite read-only files (for Decompress Action), and/or Remove source files after decompressing or compressing the file.

13. If encryption is desired, select the Encrypt check box and then specify and confirm the password. Select the Show check box to see if you've entered the password correctly.

Invoke Web Service from URL Action

(EFT Enterprise only) The Invoke Web Service from URL Action can be used to integrate with an external server or application, such as auditing external systems. See an example below.

To define the Invoke Web Service Action

1. Add the Event to the Event Rule (e.g., File Downloaded).

2. Add any (optional) Conditions.

3. Add the Invoke Web Service Action.

4. Click any links in the Action to open the Invoke Web Service dialog box.

5. In the URL box, provide the URL on which to perform the Invoke Web Service Action.

6. Select the drop-down list to specify GET, POST, PUT, or DELETE.


7. In the Username and Password boxes, provide the credentials needed to log in to the URL.

• Select the Force basic authentication check box, if needed.

8. If you connect to the URL through a proxy server, click Proxy and then specify the Proxy type, Host name, Port, Username, and Password.

Using the DMZ Gateway as proxy is available only in the Enterprise edition of EFT. For security best practices, selecting PORT mode in the Advanced Options dialog box below is not allowed when brokering outbound connections through DMZ Gateway.

9. (Optional) To specify an Authentication Type and login sequence, in the Proxy Settings dialog box, click Advanced. You must have selected FTP Proxy or HTTP Proxy in the Proxy Settings dialog box to specify advanced settings.


10. Specify one of the following Authentication Types:

USER user@site if your proxy server requires the USER command followed by your user name and the Site name to allow connection with a remote Site. You can change the @ symbol if a different separator is required by your proxy server.

SITE site if your proxy server requires the SITE command followed by the address of the remote FTP site to allow a connection.


USER with logon if your proxy server requires the USER command followed by a user name and password to allow connection with a remote Site.

USER/PASS/ACCT if your proxy server requires all three commands before allowing a connection to a remote Site.

OPEN site if your proxy server requires the OPEN command followed by the Site name before allowing connection to the Site.

Custom if your proxy server requires a login sequence different from those above. Refer to the procedure below for details of creating a custom authentication method (login sequence).

To create a custom authentication method for a proxy server

i. In the Advanced Proxy Settings dialog box, click Custom, then specify the login sequence in the text box using the following variables: %host%, %user%, %pass%, %port%, %fire_pass%, %fire_user%. Be sure to type each variable with percent signs before and after, and press ENTER to separate commands.

ii. Type any other commands and variables, separating commands with a line break (press ENTER).

iii. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

Contact your system administrator for the proper Host name, Port, User name, Password, and proxy type, as well as any required advanced authentication methods.

11. Click OK to accept the changes and close the Advanced Proxy Settings dialog box.

12. (Optional) If you connect to the URL through a Socks server, click SOCKS.

a. Specify the Socks Type (SOCKS4 or SOCKS5).

b. Specify the Host name and Port.

c. If you specified SOCKS5 and the server requires authentication, select the Use Authentication check box, then provide a Username and Password.

d. Click OK to save the changes and close the SOCKS Settings dialog box.

13. (Optional) To configure advanced transfer options, in the Connection Profile, click Advanced. The Advanced Options dialog box appears.


a. In the General transfer options area, you can provide more control over Max concurrent transfer threads, Connection timeout, Connection retry attempts, and Delay between retries. When files are being transferred with Event Rules (copy/move), if there are connection problems (e.g., the network is unavailable), EFT will attempt to establish a connection the number of times specified in Connection retry attempts. When EFT is able to re-establish the connection, it continues to transfer the file even if there are multiple interruptions.

b. In the Use the following local IP for outbound connections box, click the menu to specify an IP address. If the computer has multiple IP addresses available and/or both IPv4 and IPv6 addresses, you can let EFT choose which IP address to use or you can specify which one it is to use.

c. Select the Validate file integrity after transfer check box to specify that EFT should double check binary files to ensure the files downloaded completely and correctly. (Not applicable to SFTP.)

d. In the Data port mode box, click the drop-down list and select one of the following (not applicable to SFTP):

Auto—When Auto is selected, EFT initially makes connections in PASV mode. If the PASV connection fails, EFT attempts to connect in PORT mode automatically.

Port—When Port mode is selected, EFT opens an additional port and tells the remote server to connect to <IP:PORT_RANGE> to establish a data connection. This is useful when the server is behind a firewall that closes all unnecessary ports. If you select this mode, specify the port range from which the client will choose.


Pasv—When Pasv mode is selected, EFT tells the remote server to provide <IP:PORT> to which EFT can connect to establish a data connection. This is useful when a client is behind a firewall that closes all unnecessary ports, and helps avoid conflicts with security systems.

e. Select the Clear command channel check box to send FTP commands in clear text. (Only available when FTPS is specified.)

f. Select the Clear data channel check box to transfer files without encryption. (Only available when FTPS is specified.)

g. In the ASCII transfer mode area, specify the file types that can be transferred. TXT, INF, HTML, and HTM are specified by default. If an asterisk (*) is specified, all files are downloaded in ASCII mode, even if that file doesn't have an extension. (To conserve Unicode file content, you must transfer the file using binary transfer mode. To force download in binary, clear the file types box.)

h. In the Time stamps area, select one of the following:

• Select the Preserve remote time stamp for downloaded files check box to keep the time stamp the same on the destination file as it is on the remote file.

• Select the Preserve the local time stamp for uploaded files if the server allows MDTM check box to keep the time stamp the same on the remote file as it is on the source file. (Not applicable to SFTP.)

i. Click OK to accept the changes and close the Advanced Options dialog box.

14. In the HTTP Request Header area, do the following:

• Click Cookies, then click Add to create a new cookie, provide a name for the cookie, then click OK.

• Click Headers, then click Add to create a new header, provide a name for the header, then click OK.

15. In the HTTP Request Body area, do one of the following:

16. Select From text file, then specify the text file from which to use the text.

17. Select Edit Body, then specify the text to use in the body of the HTTP Request.

18. In the Save response to area:

• Select the File check box, then specify the name and path to the file, or click the folder icon to specify it.

• Select the Variable check box, then specify the variable in the box. This variable can be anything you want, to be used in other places, such as the Windows Event Log.

19. Click OK.


Example:

Below, the default value of WEB_SERVICE_RESPONSE is changed to get_test_users_workspaces.

You can use this variable within the same Event Rule call, such as to write to the Windows Event Log:


As shown below, when the Event is triggered, the Log reports the value of the response variable get_test_users_workspaces.


Perform Folder Operation Action

(EFT Enterprise only) The Perform Folder Operation Action is used to create, rename, or delete a folder.

To create, rename, or delete a folder

1. Add the Perform folder operation Action to the rule, then click the link in the rule to open the Folder Action dialog box.

2. In the Operation list, click Create, Rename, or Delete.

3. Select the Use the following credentials to access the file system check box, then provide the username and password needed to log in to create, rename, or delete the folder.

4. In the Path box, provide the path where the folder is that you want to delete, or the location of the folder that you want to create or rename. You can use physical or UNC paths, but not wildcards.

You can also click the folder icon to browse to a path, and click the % drop-down to add a variable.

5. Click OK to save the Action.


Perform File Operation Action

(EFT Enterprise only) The Perform File Operation Action is used to create, rename, or delete a file.

To create, rename, or delete a file

1. Add the Perform file operation Action to the rule, then click the link in the rule to open the File Action dialog box.

2. In the Operation list, click Create, Rename, or Delete.

3. Select the Use the following credentials to access the file system check box, then provide the username and password needed to log in to create, rename, or delete the file.

4. In the Path box, provide the path where the file is that you want to delete, or the location of the file that you want to create or rename. You can use physical or UNC paths, but not wildcards. You can also click the folder icon to browse to a path, and click the % drop-down to add a variable.

5. Click OK to save the Action.

Client Log

When EFT’s Download and Copy/Move Action offloads or downloads files, the outbound session is recorded to a log file that is named cl[yymmdd].log (e.g., cl060312.log) and saved in the EFT installation folder (C:\ProgramData\Globalscape\EFT Server Enterprise\Logs\logging.cfg). The log file is formatted as follows:

Time; Protocol; Host Name:Port; User Name; Local Path; Remote Path; Operation; GetLastCode

For example:

2006-03-06 10:11:03; ftp; 192.168.20.171:21; ClientA; C:\test1.txt; /test1.txt; download; 226;


A tenth column can be added to the CL log by defining a registry entry. The tenth column indicates the status of the Event, Success (0) or Failure (1). To enable the tenth column, create the DWORD Enable10ColumnInClientLog at the following path:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape Inc.\EFT 4.0

64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0

Value: 0 or not present = disabled; 1 = enabled

With the tenth column enabled, the CL log columns are:

TIME; PROT; HOST:PORT; USER; LOCAL_PATH; REMOTE_PATH; OPERATION; LAST_RESULT_CODE; ACTION_RESULT

When ACTION_RESULT = 1, the transfer failed and the "IF FAILED" Action in the Event Rule will be executed.

When ACTION_RESULT = 0, the transfer succeeded and the "IF FAILED" Action in the Event Rule is not executed.

The log can be used for troubleshooting connection and transfer errors. The "GetLastCode" value is the protocol success or error code, or the socket error code. For example, attempting to connect to a non-existent host results in socket error 10060 (connection timed out); if the remote host refused the connection, the cl log shows 10061 (connection refused).

If you are using FTP to make the connection and upload/download a file, you will also see FTP Status and Error Codes. Refer to "Windows Sockets Error Codes" in the Microsoft Developer Network for a complete list of common socket error codes.

In addition to the standard socket error codes, EFT defines the socket error codes described below.

# Description

0 Success (connected OK)

1 General socks failure

2 Socket connection not allowed by ruleset

3 The network is unreachable

4 The host is unreachable

5 The remote server actively refused the connection

6 The Time To Live (TTL) expired. This could indicate a network problem.

7 The command was not supported by the remote host. Also a catchall error code.

8 The address type or format is not supported

10 Illegal socks name

11 Socks5 authentication failure (username/password incorrect)

12 Can't connect to socks server

2000 Internal timeout error code (multiple reasons, such as firewall blocking connection, etc.)

FTP and FTP over SSL only return protocol-level success and error codes. For example, a successful transfer would return 226 or a bad login password would return 530. Refer to RFC 959 for a complete list of FTP/S return codes.

SFTP (SSH2) returns the following success and error codes:

# Description

-1 Undefined or unknown error (not enough information to determine exactly why it failed). When an OpenSSH client disconnects from EFT, it reports that the exit status is -1. The default return code is -1, unless an optional message is returned from the server. EFT does not return the optional message, so the exit status is always -1.

0 The operation completed successfully

1 The operation failed because of trying to read at end of file

2 The requested file does not exist

3 Insufficient privileges to perform the operation

4 The requested operation failed for some other reason

5 A badly formatted message was received. This indicates an error or incompatibility in the protocol implementation.

6 Connection has not been established (yet) and a timeout occurred

7 Connection to the server was lost, and the operation could not be performed

8 A timeout occurred
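As an added example (not code from the EFT guide), the following Python parses cl log lines in the eight- and nine-field layouts described above and explains GetLastCode using the EFT socket, SFTP and FTP code tables; the protocol strings and every sample line except the guide's own ftp line are constructed.

```python
"""Parse EFT client-log (cl[yymmdd].log) lines and classify each transfer.

Added example, not part of the EFT guide. The field order, the optional
ACTION_RESULT column and the code tables below are taken from the guide; the
protocol strings and all log lines except the guide's own ftp example are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EFT-defined socket codes (the guide's table); standard Winsock codes are 10000+.
EFT_SOCKET_CODES = {
    0: "Success (connected OK)", 1: "General socks failure",
    2: "Socket connection not allowed by ruleset", 3: "The network is unreachable",
    4: "The host is unreachable", 5: "The remote server actively refused the connection",
    6: "TTL expired (possible network problem)",
    7: "Command not supported by the remote host (also a catch-all)",
    8: "Address type or format not supported", 10: "Illegal socks name",
    11: "Socks5 authentication failure", 12: "Can't connect to socks server",
    2000: "Internal timeout (e.g. firewall blocking the connection)",
}
# SFTP (SSH2) codes from the guide.
SFTP_CODES = {
    -1: "Undefined or unknown error", 0: "Operation completed successfully",
    1: "Read attempted at end of file", 2: "Requested file does not exist",
    3: "Insufficient privileges", 4: "Operation failed for some other reason",
    5: "Badly formatted message (protocol error or incompatibility)",
    6: "Connection not established and a timeout occurred",
    7: "Connection to the server was lost", 8: "A timeout occurred",
}
# The two Winsock codes the guide names explicitly.
WINSOCK_CODES = {10060: "Connection timed out", 10061: "Connection refused"}


@dataclass
class ClientLogEntry:
    time: str
    protocol: str
    host: str
    port: int
    user: str
    local_path: str
    remote_path: str
    operation: str
    last_code: int                 # GetLastCode / LAST_RESULT_CODE
    action_result: Optional[int]   # ACTION_RESULT: 0 success, 1 failure, None if absent


def parse_line(line: str) -> ClientLogEntry:
    """Split one semicolon-separated cl log line into its fields."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) not in (8, 9):
        raise ValueError(f"expected 8 or 9 fields, got {len(fields)}: {line!r}")
    host, _, port = fields[2].rpartition(":")   # "Host Name:Port" column
    action_result = int(fields[8]) if len(fields) == 9 else None
    return ClientLogEntry(fields[0], fields[1].lower(), host, int(port), fields[3],
                          fields[4], fields[5], fields[6], int(fields[7]), action_result)


def describe_code(entry: ClientLogEntry) -> str:
    """Explain GetLastCode according to the protocol that produced it."""
    code = entry.last_code
    if entry.protocol.startswith("sftp"):
        return SFTP_CODES.get(code, f"unknown SFTP code {code}")
    if code in WINSOCK_CODES:
        return f"socket error {code}: {WINSOCK_CODES[code]}"
    if code >= 10000:
        return f"Winsock error {code} (see Windows Sockets Error Codes)"
    if entry.protocol in ("ftp", "ftps") and 100 <= code <= 599:
        # FTP/S logs RFC 959 reply codes; 2xx means the command succeeded.
        return f"FTP reply {code} ({'success' if code // 100 == 2 else 'failure'})"
    return EFT_SOCKET_CODES.get(code, f"unknown code {code}")


def transfer_succeeded(entry: ClientLogEntry) -> bool:
    """Success as the Event Rule's IF FAILED branch would see it."""
    if entry.action_result is not None:
        return entry.action_result == 0          # tenth column is authoritative
    if entry.protocol.startswith("sftp"):
        return entry.last_code == 0
    if entry.protocol in ("ftp", "ftps"):
        return 200 <= entry.last_code <= 299
    return entry.last_code == 0                  # socket-level codes: 0 is success


def summarize(log_text: str) -> List[Tuple[str, str, str, bool, str]]:
    """(user, operation, host, succeeded, explanation) for every non-empty line."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            out.append((e.user, e.operation, e.host, transfer_succeeded(e), describe_code(e)))
    return out


# First line is the guide's own example; the remaining lines are constructed.
SAMPLE_LOG = r"""
2006-03-06 10:11:03; ftp; 192.168.20.171:21; ClientA; C:\test1.txt; /test1.txt; download; 226;
2006-03-06 10:12:40; ftp; 192.168.20.172:21; ClientA; C:\test2.txt; /test2.txt; upload; 10061; 1;
2006-03-06 10:13:05; sftp; 192.168.20.173:22; ClientB; C:\test3.txt; /in/test3.txt; download; 2; 1;
2006-03-06 10:14:11; ftp; 192.168.20.174:21; ClientA; C:\test4.txt; /test4.txt; download; 530; 1;
""".strip()

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```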

EFT Web Service

In EFT Enterprise edition, the Web Service allows you to initiate EFT workflow from an external application such as an enterprise scheduler. The WebService interface follows the model of ASP.NET Web services, providing a page for the services definition document (WSDL) and an HTML form that can be used to test available service methods. Access to Web Service requires authentication with a COM-enabled Server Administrator account; without proper authentication and COM privileges, EFT returns a 401 Unauthorized HTTP error to the requestor.

The Web Service requires an SSL certificate, because EFT sends the HTTP Web Service requests via HTTPS. EFT allows you to turn on Web Service without selecting the HTTPS check box, but it checks for an SSL certificate, because it will automatically redirect HTTP to HTTPS. Even when the HTTPS check box is not selected, Web Service requests are handled by the HTTPS engine (port 443 listener, by default), but other HTTPS requests will still get the 503 Service unavailable response.

The Web Service is enabled in the Site's Listener Settings area. Refer to Enabling Web Services for the procedure for enabling the Web Service on the Site.

Requests to any /WebService URL are logged to the text log and ARM database just as any other HTTP request. A request that does not match the /WebService/InvokeEventRule URL, or that does not include the required parameters, results in a 400 Bad Request HTTP error.

The /WebService page displays a list of Web services available with EFT. This page is generated from an HTML page in the EFT installation folder, in a subfolder called WebService.

By default, the following files are installed in:

C:\Program Files\Globalscape\EFT\web\public\EFTClient\WebService

\EFTWebServices_MAIN.html - Used to define the Web Services landing page; provides a link to InvokeEventRule.html.

\InvokeEventRule\EFTWebServices_InvokeEventRule.html - Used to define the Web interface from which you can remotely invoke Event Rules on EFT.

\InvokeEventRule\EFTWebServices.wsdl - Web Services Description Language (WSDL) configuration file. (For details of how WSDL files are used, refer to the World Wide Web Consortium documentation at http://www.w3.org/TR/wsdl.)

EFT uses a template for the WSDL to construct the final WSDL. External tools can use the WSDL by pointing to the URL that deploys the WSDL file at http://localhost/WebService/InvokeEventRule?wsdl, where "localhost" is the IP address, computer name, or DNS name that points to the EFT service that is hosting the web service.

How EFT Supports Web Service

EFT supports both POST and GET HTTP requests to "/WebService/InvokeEventRule" with two parameters, "EventRuleName" and "EventParams", and triggers the Event Rule specified in "EventRuleName" as a synchronous operation. The Web Service supports the REST invocation model, supporting both POST and GET methods for invocation.

1. If either "EventRuleName" or "EventParams" is missing from the input, EFT returns an HTTP 400 error.

2. If both "EventRuleName" and "EventParams" are present but:

a. "EventRuleName" is wrong (no Event Rule exists with that name), EFT returns .xml with a result code of -1.

b. "EventParams" are incorrect (wrong variable names, too many, too few), EFT looks for Rule variables in the input and replaces those values with the ones found. All additional variables are ignored. If a Rule variable is not found in the URL, it is set to "N/A."

The result code in the .xml is the Event execution result code.

Requests to any /WebService URL are logged to the text log and ARM system just as any other HTTP request.

HTTP GET

The following is a sample HTTP GET request and response. Replace the placeholders with actual values.

GET /WebService/InvokeEventRule?EventRuleName=string&EventParams=string HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<int xmlns="http://mydomain/">int</int>

HTTP POST

The following is a sample HTTP POST request and response. Replace the placeholders with actual values.

POST /WebService/InvokeEventRule HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: length

EventRuleName=string&EventParams=string

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<int xmlns="http://mydomain/">int</int>

Web Service Timeout

The Web Service timeout is set to 60 seconds. You can change the timeout value with the following registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape Inc.\EFT 4.0]

"WebServiceTimeout"=dword:<value, in seconds>

If this value is absent, the default is 60 seconds. This value is checked for each Web Service connection, so the EFT service does not need to be restarted for this setting to take effect.

Executing Event Rules Using Web Service

In EFT Enterprise edition, the Web Service allows you to initiate EFT Event Rules via a browser.

For more information about how EFT supports Web Service, refer to EFT Web Service .

The administrator account must have the COM administration privilege for access to any /WebService URL (or sub-URLs). User admin, Change Password Admin, and Template Settings Admin accounts cannot invoke web services. Site admin accounts must have privileges to the Site on which the Event Rule is hosted; Event Rule admin accounts must have Execute permission on the Event Rule that you are attempting to invoke.

To execute an Event Rule using WebService

1. Open a browser and navigate to EFT URL appended with /WebService. The WebService page appears.

2. Click InvokeEventRule. Another Web page, /WebService/InvokeEventRule, displays a form for invoking an Event Rule.

3. In the EventRuleName box, type the name of the Event Rule.

4. In the EventParams box, type one or more variables, separated by semicolons.

5. Click Invoke. The Event Rule is executed.

All WebService responses use the Site's domain name as the namespace for the WebService.

After the Event Rule finishes dispatching, the Web service responds with an XML document that consists of a single "Result" element. The Result Code can be any one of the following:

• 0 indicates failure

• 1 indicates success

• -1 indicates EFT could not find the Event Rule (e.g., the requested EventName does not exist or was not typed correctly)

Using Web Services

Folder Monitor

EventParams=FS.PATH=C:\test\inbound\test.txt;FS.MONITOR_OPERATION=added

As you can see, the FS.MONITOR_OPERATION is part of the Condition and must be passed along with the variable of choice; in this case it is FS.PATH or any other variable that is created.

EventParams=FS.PATH=C:\test\inbound\test.txt;FS.MONITOR_OPERATION=added;FILEBOB=test.filebob.txt

As you can see above, the variable is a custom variable applied to this event rule, outside of the EFT variables.

Timer Event

EventParams=FILEBOB=test.filebob.txt

The Timer Event is the least used Event Rule in EFT to download files, move them, or to automate an AWE Script/custom command. Using the Web Services allows you to manipulate custom variables for the specific environment or file that needs to be processed. In the case above, the Timer event is being used as a transmission only, triggered by a remote process using "wget".

Passing the URL to WebServices

As the HTTP GET states:

GET /WebService/InvokeEventRule?EventRuleName=string&EventParams=string HTTP/1.1

Based on this information, the URL should contain the following:

EventRuleName=ProcessTestFileName

EventParams=FS.PATH=C:\test\inbound\test.txt;

FS.MONITOR_OPERATION=added

Combine the parameters:

http://localhost/WebService/InvokeEventRule?EventRuleName=ProcessTestFileName&EventParams=FS.PATH=C:\test\inbound\test.txt;FS.MONITOR_OPERATION=added

Note: the "&" separates EventRuleName from EventParams, but the semicolon (;) separates the individual EventParams variables when more than one is required for the Event Rule to work correctly.
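The following added example (not EFT's own code) composes the GET URL from the EventRuleName and EventParams pieces above, mirrors the server-side matching rules from "How EFT Supports Web Service" (400 on a missing parameter, extra variables ignored, missing Rule variables set to "N/A"), and reads the <int> reply; the host eft.example.test and the variable values are constructed, and percent-encoding the query is this example's choice, since the guide writes its URL unencoded.

```python
"""Compose an EFT /WebService/InvokeEventRule request and read its reply.

Added example, not EFT's own code. Parameter names, the '&' vs ';' separators,
the <int> XML reply and the result codes come from the guide; the host, rule
name and variable values are constructed, and percent-encoding the query is
this example's choice (the guide's sample URL is written unencoded).
"""
from typing import Dict, Iterable
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

WEBSERVICE_PATH = "/WebService/InvokeEventRule"

# Result codes documented for the XML reply.
RESULT_MEANING = {1: "success", 0: "failure", -1: "Event Rule not found"}


def build_event_params(variables: Dict[str, str]) -> str:
    """Join NAME=value pairs with ';', the separator EFT uses inside EventParams."""
    for name, value in variables.items():
        if ";" in value or "=" in name:
            raise ValueError(f"{name!r} would break the NAME=value;NAME=value layout")
    return ";".join(f"{name}={value}" for name, value in variables.items())


def build_invoke_url(base_url: str, rule_name: str, variables: Dict[str, str]) -> str:
    """GET URL: '&' separates EventRuleName from EventParams, ';' separates variables."""
    query = urlencode({"EventRuleName": rule_name,
                       "EventParams": build_event_params(variables)})
    return f"{base_url.rstrip('/')}{WEBSERVICE_PATH}?{query}"


def resolve_rule_variables(url: str, rule_variables: Iterable[str]) -> Dict[str, str]:
    """Mirror the matching rules the guide describes for the server side.

    Missing EventRuleName or EventParams -> HTTP 400; variables the Rule does
    not declare are ignored; declared variables absent from the request get "N/A".
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "EventRuleName" not in query or "EventParams" not in query:
        raise LookupError("400 Bad Request: EventRuleName and EventParams are required")
    supplied = {}
    for pair in query["EventParams"][0].split(";"):
        name, sep, value = pair.partition("=")
        if sep:
            supplied[name] = value
    return {name: supplied.get(name, "N/A") for name in rule_variables}


def parse_invoke_response(body) -> int:
    """Return the integer inside the <int xmlns="...">N</int> reply."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag.rsplit("}", 1)[-1] != "int":      # strip the Site-domain namespace
        raise ValueError(f"unexpected root element {root.tag!r}")
    return int(root.text.strip())


def interpret_result(code: int) -> str:
    """Map the result code to the meaning the guide assigns it."""
    return RESULT_MEANING.get(code, f"Event execution result code {code}")


if __name__ == "__main__":
    url = build_invoke_url("https://eft.example.test", "ProcessTestFileName",
                           {"FS.PATH": r"C:\test\inbound\test.txt",
                            "FS.MONITOR_OPERATION": "added"})
    print(url)
    # A constructed reply such as EFT would return after dispatching the rule.
    reply = '<?xml version="1.0" encoding="utf-8"?><int xmlns="http://mydomain/">1</int>'
    print(interpret_result(parse_invoke_response(reply)))
```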

Changing the Number of Concurrent Threads Used by Event Rules

Q: Is there a thread limit as to how many files can be transferred via the same Event Rule?

A: The Event Rule Monitor Folder process is limited to 3 concurrent threads by default. This means that if you have 5 Folder Monitor Event Rules monitoring the same folder, and a file is added to the monitored folder, only 3 of the 5 Rules will fire, as determined by the operating system. The 4th and then 5th Rule execute only when one or more of the first three threads are done firing and executing any Actions. If you have, for example, 100 concurrent Monitor Folder Event Rules, they are not all triggered simultaneously.

For details of overriding the default "concurrent threads" settings in the registry, refer to the Knowledgebase article, Changing the Number of Concurrent Threads Used by Event Rules.

SAT Event Rules

When you install the Secure Ad Hoc Transfer (SAT) module, the following Event Rules are created by the installer. (If you are using a 64-bit system, the Event Rules and Command need to be updated to reflect the 64-bit paths.)

See below for a description of the AdHocRunCommand Custom Command.

SAT - Capture Uploads for Subsequent Notify—If the Settings Template is "EFTAdhoc" and if the remote IP address does not match *.*.*.* (All Incoming), execute the AdHocRunCommand custom Command in C:\Program Files\Globalscape\EFT Enterprise\SATScripts to run the SendUploadNotification.wsf script.

If end users are uploading with the Java-enabled Web Transfer Client, add a second Rule using the "Verified Upload Succeeded" Event and add the Condition "If Using Web Transfer client does equal to Yes." Also add the "If Using Web Transfer client does equal to No" Condition to the Rule above.

SAT - Delete Expired Users—Every day, execute the AdHocRunCommand custom Command in C:\Program Files\Globalscape\EFT Enterprise\SATScripts to run the EFTDeleteExpiredUsers.wsf script.

SAT - Notify Sender of Upload(s) Received—Each minute, execute the AdHocRunCommand custom Command in C:\Program Files\Globalscape\EFT Enterprise\SATScripts to run the SendUploadNotification.wsf script.

These Event Rules automatically perform tasks that you had to configure manually in previous versions of SAT. The SAT Event Rules are enabled by default. You can edit the Rules and disable them as needed.

Refer to Event Rules for details of managing Event Rules.

AdHocRunCommand Custom Command

The AdHocRunCommand Custom Command is created in EFT when the SAT module is installed.

AdHocRunCommand executes C:\windows\system32\cscript.exe (or C:\windows\syswow64\cscript.exe on 64-bit systems) and includes some custom Command parameters for executing the SAT scripts in the default SAT Event Rules.

• In the SAT - Notify Sender of Upload(s) Received Event Rule, AdHocRunCommand includes SendUploadNotification.wsf //JOB:ON_TIMER in the Command parameters box.

• In the SAT - Delete Expired Users Event Rule, AdHocRunCommand includes EFTDeleteExpiredUsers.wsf //JOB:DELETE_USERS in the Command parameters box.

If you edit the custom Command, you might introduce errors, causing the script to not execute as designed. Instead, you should create a separate command, if necessary, and then you can add it as a subsequent Action to the Rule.

Using Ciphers for Outbound (Event Rule) SSL Connections

EFT uses the following ciphers for outbound SSL (HTTPS and FTPS) connections from the Server. The table below lists available EFT client (Event Rule) outbound algorithms, for TLS only.

Default Cipher List (FIPS not enabled)

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
DHE-DSS-RC4-SHA
RC4-SHA
RC4-MD5
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC4-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Cipher list when FIPS is enabled

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA

For the procedure for inbound SSL connections on EFT, refer to Using Ciphers for Inbound SSL Connections.
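An added audit script (not part of the guide or of EFT) that re-types the two outbound lists above as data and flags the export-grade, RC4, RC2, single-DES and MD5 suites they contain as weak, and 3DES, IDEA and non-forward-secret suites as legacy; the classification follows current TLS guidance, not any EFT setting, so the result is a review aid for deciding what to leave enabled.

```python
"""Audit an OpenSSL-style cipher list such as EFT's outbound (Event Rule) list.

Added example, not part of the EFT guide. The two lists below are the guide's
default (non-FIPS) and FIPS outbound lists re-typed as data; the weak/legacy
classification reflects current TLS guidance, not anything EFT enforces.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_CIPHERS = [
    "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "CAMELLIA256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
    "DHE-RSA-CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "CAMELLIA128-SHA",
    "IDEA-CBC-SHA", "DHE-DSS-RC4-SHA", "RC4-SHA", "RC4-MD5",
    "EXP1024-DHE-DSS-DES-CBC-SHA", "EXP1024-DES-CBC-SHA",
    "EDH-RSA-DES-CBC-SHA", "EDH-DSS-DES-CBC-SHA", "DES-CBC-SHA",
    "EXP1024-DHE-DSS-RC4-SHA", "EXP1024-RC4-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-EDH-DSS-DES-CBC-SHA", "EXP-DES-CBC-SHA",
    "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",
]
FIPS_CIPHERS = [
    "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
    "EDH-RSA-DES-CBC-SHA", "EDH-DSS-DES-CBC-SHA", "DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-EDH-DSS-DES-CBC-SHA", "EXP-DES-CBC-SHA",
]

# Properties that disqualify a suite outright (broken or far too short).
WEAK = {
    "export-grade key length": re.compile(r"^EXP"),
    "RC4 stream cipher": re.compile(r"RC4"),
    "RC2 legacy cipher": re.compile(r"RC2"),
    "single DES (56-bit key)": re.compile(r"DES-CBC-"),   # DES-CBC3 (3DES) does not match
    "MD5 MAC": re.compile(r"-MD5$"),
}
# Properties to phase out but tolerable for a known legacy peer.
LEGACY = {
    "3DES (64-bit block)": re.compile(r"DES-CBC3"),
    "IDEA legacy cipher": re.compile(r"IDEA"),
}
FORWARD_SECRECY = re.compile(r"(^|-)(DHE|EDH)-")          # ephemeral DH key exchange


def classify(cipher: str) -> Tuple[List[str], List[str]]:
    """Return (weak_issues, legacy_issues) for one OpenSSL cipher-suite name."""
    weak = [label for label, pat in WEAK.items() if pat.search(cipher)]
    legacy = [label for label, pat in LEGACY.items() if pat.search(cipher)]
    if not FORWARD_SECRECY.search(cipher):
        legacy.append("no forward secrecy (static RSA key exchange)")
    return weak, legacy


def audit(ciphers: List[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Issues per suite, preserving the list's preference order."""
    return {c: classify(c) for c in ciphers}


def weak_suites(ciphers: List[str]) -> List[str]:
    """Suites that should not be offered at all."""
    return [c for c in ciphers if classify(c)[0]]


def recommended_subset(ciphers: List[str]) -> List[str]:
    """Suites with no weak or legacy findings, in original preference order."""
    return [c for c in ciphers if classify(c) == ([], [])]


if __name__ == "__main__":
    for name, ciphers in (("default", DEFAULT_CIPHERS), ("FIPS", FIPS_CIPHERS)):
        print(f"{name}: {len(weak_suites(ciphers))} weak of {len(ciphers)}; "
              f"keep {recommended_subset(ciphers)}")
```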

Event Rule Load Balancing

When two or more EFTs are configured in an active-active cluster, which of the EFT nodes executes a Timer or Folder Monitor Event Rule is determined by load balancing. Timer and Folder Monitor Event Rules have a "high availability" hyperlink with which you can specify if the rule will be load balanced. Clicking the hyperlink allows you to specify which node will run the Event Rule. The rule is load balanced based on which specified node is next available.

• In v7.0.3 and later, administrators can set a server-wide default policy for load balancing Event Rule execution across the cluster. You can override this default policy in individual Event Rules.

• If a specified node is offline, that node is skipped, and the rule is assigned to the next node specified in the node list. If none of the nodes specified in the list are online, an error is logged to the Windows Event Viewer.

• If you want to have a particular node handle more of the load, then you can enter that node more than once in the node list. For example, if the list is NODE1, NODE1, NODE2, NODE5, node 1 is sent Event Rules more frequently than nodes 2 or 5.

• If no nodes are specified, the rule will run in "Classic" (non-HA) mode, in which the event runs on ALL nodes and is not load balanced. For example, a Timer rule configured to run daily at 1 pm will run on ALL nodes in the cluster every day at 1 pm.

• Server Message Block (SMB) caching can cause load-balanced Folder Monitor events to fail to process files under an HA (active-active) clustered environment. To prevent this from happening, you need to create the following registry settings.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]

"FileInfoCacheLifetime"=dword:00000000

"FileNotFoundCacheLifetime"=dword:00000000

"DirectoryCacheLifetime"=dword:00000000

To specify nodes for Event Rule load balancing

1. In the Rule Builder, in the Timer or Folder Monitor event, click the high availability link.

The Run on One of dialog box appears.

2. Specify the nodes that are to run the rule (using the computer name), then click Add. Computer names are case sensitive. If you want a certain node to handle more of the load, list it more than once in the node list (e.g., NODE1, NODE2, NODE2, NODE2, NODE 3...) In v7.0.2 and later, you can specify nodes by IP Address (both IPv4 and IPv6).

3. Click OK to save your changes in the rule.

Related topics

High Availability Message Queuing

EFT HA (Active-Active) Deployment

High Availability Tab of a Server

Scheduler (Timer) Event

Folder Monitor Event

Sending Files to an Antivirus or DLP Server

EFT, through the Event Rules, acts as an ICAP client, sending files to antivirus or data leak prevention (DLP) servers that detect file pass/fail based upon user-defined rules. Users can configure rules on a DLP server to send a reply to EFT with access denied if the file contains social security numbers (SSNs) or credit card numbers (CCNs), for example. Antivirus servers scan the files for viruses and return a response to EFT whether a virus was found or not.

The Internet Content Adaptation Protocol (ICAP) is an HTTP-like protocol that is used for virus scanning and content filtering. According to RFC 3507:

ICAP is, in essence, a lightweight protocol for executing a "remote procedure call" on HTTP messages. It allows ICAP clients to pass HTTP messages to ICAP servers for some sort of transformation or other processing ("adaptation"). The server executes its transformation service on messages and sends back responses to the client, usually with modified messages. Typically, the adapted messages are either HTTP requests or HTTP responses.

On a DLP server, you can define rules to search files for SSNs or CCNs. For example, if you send a file containing a valid CCN, the DLP server will flag it and return a denied message to EFT. (To test this rule, you can put the universal test credit card number 4111 1111 1111 1111 in a text file and send it through the DLP via an EFT Event Rule.)

On an antivirus server, you can specify violation text in ICAP response headers: “X-Virus-ID:INFECTED” or ”X-Response-Info:blocked” or both (semicolon-separated).

EFT does not return an error or any type of indicator from the Content Integrity Control Action if a file isn't completely processed/analyzed by an antivirus or DLP server due to the size of the file being larger than what is supported by that particular server. For example, MyDLP will process a maximum of 10 MB of data; if a flag is embedded in a file that is after the 10 MB limit, MyDLP will not detect the policy violation.

For example:

• EFT sends an 11 MB file to myDLP, which has a max processing capacity of 10 MB. The myDLP server has a policy to return a failure for any files containing credit card numbers. The 11 MB file has a credit card number embedded at the end of file. As a result, the myDLP server would return to EFT that the Action was a success, because the myDLP server did not process the credit card number.
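As an added example (not EFT's implementation, which the guide does not show), the following Python reads an ICAP reply for the violation headers named above and returns "unverified" rather than "clean" when the file exceeds the scanner's processing limit, which is the MyDLP scenario just described; the ICAP replies are constructed.

```python
"""Interpret an ICAP reply the way the guide describes EFT's Content Integrity
Control check, and apply the size caveat the guide raises.

Added example, not EFT's code. The X-Virus-ID:INFECTED and X-Response-Info:blocked
violation text and the MyDLP 10 MB processing limit come from the guide; the ICAP
replies below are constructed, and the pass/fail logic is this example's reading
of the text, not EFT's implementation.
"""
from typing import Dict, List, Tuple

MYDLP_MAX_BYTES = 10 * 1024 * 1024          # the guide's example limit
DEFAULT_VIOLATION_TEXT = "X-Virus-ID:INFECTED;X-Response-Info:blocked"


def parse_icap_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split an ICAP reply into (status code, lower-cased header map, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    proto, status, *_ = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def violation_reasons(headers: Dict[str, str],
                      violation_text: str = DEFAULT_VIOLATION_TEXT) -> List[str]:
    """Match each configured Header:value pair (semicolon-separated) against the reply."""
    reasons = []
    for item in violation_text.split(";"):
        name, _, expected = item.strip().partition(":")
        actual = headers.get(name.strip().lower())
        if actual is not None and expected.strip().lower() in actual.lower():
            reasons.append(f"{name.strip()}: {actual}")
    return reasons


def verdict(raw_response: str, file_size: int,
            server_max_bytes: int = MYDLP_MAX_BYTES) -> Tuple[str, List[str]]:
    """Return ('blocked' | 'clean' | 'unverified', reasons).

    'unverified' is the guide's caveat made explicit: a file larger than the
    scanner's processing limit can come back as a pass even though its tail was
    never inspected, so the reply alone must not be treated as a clean result.
    """
    status, headers, _ = parse_icap_response(raw_response)
    reasons = violation_reasons(headers)
    if reasons:
        return "blocked", reasons
    if file_size > server_max_bytes:
        return "unverified", [f"{file_size} bytes exceeds scanner limit of {server_max_bytes}"]
    if status == 204:                       # 204 No Content: message unmodified, nothing flagged
        return "clean", []
    return "unverified", [f"ICAP status {status} without a violation header"]


# Constructed replies: a clean scan and a flagged one.
CLEAN_REPLY = ("ICAP/1.0 204 No Content\r\n"
               "ISTag: \"constructed-tag\"\r\n"
               "Encapsulated: null-body=0\r\n\r\n")
INFECTED_REPLY = ("ICAP/1.0 200 OK\r\n"
                  "ISTag: \"constructed-tag\"\r\n"
                  "X-Virus-ID: INFECTED\r\n"
                  "X-Response-Info: blocked\r\n"
                  "Encapsulated: res-hdr=0, null-body=83\r\n\r\n")

if __name__ == "__main__":
    print(verdict(CLEAN_REPLY, 1024))
    print(verdict(INFECTED_REPLY, 1024))
    print(verdict(CLEAN_REPLY, 11 * 1024 * 1024))   # the guide's 11 MB scenario
```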

Content Integrity Control Actions are also captured in the EFT log after you enable Events.SecureDataFlow=TRACE in the logging.cfg file.

Below is a diagram demonstrating EFT's decision points for Content Integrity Control (ICAP) success or failure.

Transferring Files To and From EFT

This chapter describes how to transfer files to and from EFT.

How Do I Transfer Files?

File-Naming Conventions

End-User Login In to EFT

Single-Click Authentication

Unicode File Transfers

Integrated Windows Authentication for Single Sign On (SSO)

See also:

Web Transfer Client (WTC)

Viewing Transfers To and From the Site

Mobile Transfer Client (MTC)

Any user from anywhere in the world who has a computer with an Internet browser or FTP client can access EFT and transfer files—provided the computer from which the user is attempting to connect to EFT is allowed access and network access, and the user has an account defined on EFT. The user account itself or the group to which it belongs must have the appropriate permissions (upload, download, create folders, and so on) assigned on the VFS tab of the administration interface. When users log in to EFT, they connect only to their home folders and cannot browse above their home folders.

EFT allows the following methods through which you can transfer files to and from EFT:

Web Transfer Client (WTC) - A separately licensed module, the WTC is a browser-based file transfer client that allows users to transfer files over HTTP or HTTPS. The WTC can resume transfers and can send multiple files concurrently. It also has drag-and-drop support, integrity validation, a transfer queue, and no file-size limit. (If the user is trying to connect to the WTC with an older, unsupported browser, or if the Java applet version is selected, but Java is not enabled, a "plain text" client appears instead of the WTC.)

Mobile Transfer Client (MTC) - An application (app), MTC, provides a way for iOS and Android phone and tablet users to securely connect to EFT and upload and download files while providing a number of centrally managed security controls for safeguarding your corporate data. Refer to Mobile Transfer Client (MTC) for details.

Globalscape's CuteFTP® or a similar "FTP client" - Any FTP client can be used to connect to EFT and transfer files. For more information about CuteFTP, refer to its product page, http://www.cuteftp.com, or online help.

Windows Explorer - When logged in to the EFT computer, administrators can manage files on EFT using Windows Explorer. By default, user files are stored in the C:\Inetpub\EFTRoot\ folder in the Usr folder under the Site on which their account is defined. In the illustration below, user imauser, defined on GSSite, stores files in the imauser folder. Anyone with the proper permissions on the EFT computer can drag and drop, copy and paste, and create and delete files and folders, just like in Windows Explorer. For example, suppose user imauser has gone over her quota and can no longer upload any files. Instead of increasing the quota for the folder, you can delete files from the imauser folder that imauser no longer wants, or move them to some other accessible storage.

Command Prompt - At a command prompt, you can enable an FTP session and transfer files, if you are familiar with the basic DOS commands. Refer to the KB article "Can I use a Windows Command Prompt to send FTP commands to a server?" for a list of common commands. To allow an FTP session via a command line to accept double slashes (//) when navigating paths, in EFT v7.2 and later, you must enable the following registry setting on the EFT server:

HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 7.2\FixDoubleSlashInPathsForFTP

0 = disabled; 1 = enabled

Related Topic

End-User Login In to EFT

Viewing Transfers To and From the Site

File-Naming Conventions

EFT follows the standard Windows naming conventions, with a few exceptions. (Please refer to Unicode File Transfers and Unicode Exceptions for details of using Unicode characters.)

For example:

• You can name files using almost any character for a name, except for the following reserved characters:

< > : " / \ | ? * %

• The maximum length for a path is 255 characters. This limitation includes the drive letter, colon, backslash, directories, subdirectories, filename, and extension. If the relative path is too long, a warning message appears.

• Characters that are valid for naming files, folders, or shortcuts include any combination of letters (A-Z) and numbers (0-9), plus the following special characters.

^ Accent circumflex (caret)

& Ampersand

' Apostrophe (single quotation mark)

@ At symbol

{ Brace left

} Brace right

[ Bracket opening

] Bracket closing

$ Dollar symbol

€ Euro symbol

= Equal sign

, Comma

! Exclamation point

- Hyphen

# Number sign

% Percent

( Parenthesis opening

) Parenthesis closing

. Period

+ Plus

~ Tilde

_ Underscore

For more information regarding file-naming conventions, refer to the Microsoft Windows Developer Network article Naming a File and the Microsoft TechNet article How NTFS Works.

End-User (Client) Login to EFT

The EFT administrator should inform end users which IP address, port, username, and password should be used to log in to a Site. Because many users are unfamiliar with <IP address:Port> formatting, be sure to provide users with the exact URL that they should access to log in, whether they are accessing a Site from the Web Transfer Client, "plain-text" client, a command line, CuteFTP, or any other FTP client. For example, you could provide a link in an e-mail or tell your users:

In the address box of Internet Explorer, type https://wtc.mycompany.com:4434

(Refer to Integrated Windows Authentication for Single Sign On (SSO) for details of using IWA for SSO.)

To log in to EFT to transfer files

1. Open a web browser to the address provided by the EFT administrator. For example, https://mycompany.com/EFTClient/Account/Login.htm. The login page appears.

• If you do not want to use the Java-enabled version, clear the Java®-enabled version check box.

2. Provide your EFT Username and Password, and then click Log In.

• If you have forgotten your username or password, click the applicable link. You will be asked for your email address to which the reset information will be sent.

• If the Java®-enabled version check box is selected and the proper version of the Java Runtime is not installed, a prompt appears asking you if you want to install it. Click Install and follow the Java installation wizard.

• If the Web Transfer Client is not enabled, a less-featured version of the WTC appears.

• If it is configured in the EFT administration interface, users are prompted to change their password the first time they log in.

• If a security prompt appears asking you to accept the website's certificate, select the Always trust check box, and then click Yes.

• If the browser is not supported or if the Java applet-enabled version was selected, but Java is not enabled, then the "plain-text" client is displayed.

3. Refer to Transferring Files with the WTC (Java-enabled version) or Web Transfer Client (WTC) for details of transferring files.

Form-Based Authentication versus Basic Authentication

EFT uses form-based authentication for users that connect over a browser. It is important to note that a browser is identified merely by what is contained in the "user-agent" attribute provided in the HTTP headers. If EFT doesn't recognize the user-agent (such as when connecting with a client application like CuteFTP), then EFT will fall back to "basic authentication." There is nothing inherently wrong with basic authentication, especially if it is SSL encrypted, but form-based is considered superior because it facilitates true session management. However, there is another option, NTLM authentication, in which EFT attempts to reuse the user's AD credentials as supplied by the browser (assuming the browser supports NTLM), resulting in a single sign-on (SSO) experience. For example, the user authenticates on the company portal, and those credentials are reused by EFT without asking the user to re-enter them. The downside to NTLM-based authentication is that, like basic authentication, it does not support true sessions, so it is up to the users to close their browsers at the end of their sessions to truly log out.

Another drawback is that when using NTLM, the end user won't be able to choose between loading the Web Transfer Client or the Plain Text Client, won't be able to access the lost username/password forms, and won't see any of the custom branding. Each of these would be available to the user if they had used the default form-based authentication. Even when NTLM is enabled, SSO will only apply to Active Directory-based sites (because we are talking about AD credentials), and the browser has to be a recognizable user-agent; otherwise, it will default to basic authentication (for non-browsers) or form-based authentication (for non-AD sites), even if NTLM is turned on in the registry.

• If NTLM is off (the default), EFT uses form-based authentication for recognized user-agents and basic authentication for all others.

• If NTLM is on (enabled in the registry), EFT uses NTLM authentication for AD sites + recognized user-agent, form-based authentication for non-AD sites + recognized user-agent, and basic authentication for all others (non-recognized user-agents).

Single-Click Authentication

If EFT users send files using Mail Express, the notification e-mail to recipients can include a hyperlink to log the recipient in automatically to download the files that were sent. (Refer to the Mail Express documentation for details.)

Integrated Windows Authentication for Single Sign On (SSO)

EFT allows for Single Sign-On (SSO) support for HTTP/S connections when Integrated Windows Authentication (IWA) is explicitly enabled. The change will apply to all Sites in EFT that use Active Directory authentication. Currently, Internet Explorer (IE) is the only browser that fully supports IWA. Users connecting with other browsers must still go through the normal login page.

Form-based login as implemented in the normal login page is generally considered superior for interactive user connections because it facilitates true session management. However, IWA is a legitimate alternative for use within internal corporate networks. With IWA enabled, EFT defers the user authentication to Active Directory and IE, resulting in a single sign-on user experience. Users whose credentials are accepted by AD are not prompted for a username and password, and are instead logged directly into the EFT client web interface without any further input.

The downside to IWA is that in skipping the normal login page, the user misses out on a few of the functions accessed from that page, such as providing alternate credentials or choosing whether to load the Web Transfer Client (WTC). (An administrator may still disable WTC access for an individual user or entire Settings Template, if necessary.) Additionally, the user must close their browser to end the session rather than using a logout button. In an environment where SSO is a requirement, these functions may not be important or even desired.

NOTES:

• When IWA is enabled, the SSO functionality only applies to AD Sites for interactive users connecting with IE. No other scenario is affected.

• When navigating to the WTC, the fully qualified domain name of the EFT host must be used.

Transferring Files To and From EFT

• EFT must be added as a Trusted Site in the browser. User Authentication\Logon in the security settings for Trusted Sites (in IE) must be set to Automatic logon with current user name and password. (By default, Automatic logon only in Intranet zone is selected; with that default setting, Windows prompts the user for their AD credentials before going on to the WTC.)

To enable this functionality, create the following two registry values under the EFTClient key. The key location depends on the Windows architecture:

32 bit: HKLM\SOFTWARE\Globalscape Inc.\EFT 4.0\EFTClient\

64 bit: HKLM\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0\EFTClient\

DWORD: use_registry (1 = enabled)

DWORD: enable_iwa (1 = enabled)
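The following script is an added example, not part of the Globalscape manual or product: it creates the two DWORD values above and reads them back, and it also applies the client-side Internet Explorer settings the notes above call for (Trusted Sites zone membership and automatic logon). It assumes EFT runs as a 32-bit process on 64-bit Windows, so the Wow6432Node path applies there; the host name eft.corp.example.com is a placeholder; the Internet Settings registry values it writes are standard Windows values, not EFT values.

```powershell
# Added example (not from the Globalscape manual): enable IWA single sign-on
# for the EFT web clients and configure one IE client to use it.
# Assumptions: EFT is a 32-bit process on 64-bit Windows (Wow6432Node path);
# the FQDN below is a placeholder. Run elevated on the EFT server for the
# server-side function; the client-side function is per user.

function Enable-EftIwa {
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0\EFTClient'
    } else {
        'HKLM:\SOFTWARE\Globalscape Inc.\EFT 4.0\EFTClient'
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # The manual requires both values; enable_iwa alone is not enough.
    foreach ($name in 'use_registry', 'enable_iwa') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back and fail loudly rather than assume the write landed.
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'use_registry', 'enable_iwa') {
        if ($props.$name -ne 1) { throw "$name is not 1 under $key" }
    }
    Write-Host "IWA enabled under $key"
}

# Client side (per user; normally pushed by Group Policy, shown here for one
# workstation): put the EFT FQDN in the Trusted Sites zone (zone 2) and set the
# zone's Logon option (value 1A00) to 0 = automatic logon with current user
# name and password, which is what the manual's IE note requires.
function Set-IeTrustedSiteAutoLogon {
    param([Parameter(Mandatory)] [string] $EftFqdn)   # placeholder host name
    $is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $domainKey = Join-Path "$is\ZoneMap\Domains" $EftFqdn
    New-Item -Path $domainKey -Force | Out-Null
    New-ItemProperty -Path $domainKey -Name 'https' -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path "$is\Zones\2" -Name '1A00' -PropertyType DWord -Value 0 -Force | Out-Null
}

Enable-EftIwa
Set-IeTrustedSiteAutoLogon -EftFqdn 'eft.corp.example.com'
```

Keep the Trusted Sites list tight: with the Logon option set to automatic, IE sends the user's Windows credentials to every host in that zone without prompting. Because the IWA path has no logout button (the user must close the browser to end the session), this configuration belongs on single-user workstations inside the corporate network, as the manual says, not on shared or kiosk machines.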

EFT v7.2 User Guide

Unicode File Transfers

EFT’s support for UTF-8 encoded Unicode characters extends to:

Inbound protocols:

• HTTP/S

• SFTP

Event Rules:

• Copy/Move and Download action wizards (all protocols) when specifying "UTF-8" as the filename encoding, and when using wildcards for the source filename, e.g. (*.dat, or *.*)

• Advanced Workflow Engine when passed filename-related context variables (e.g., %FS.PATH%, %FS.FILE_NAME%, etc.)

Auditing:

• EFT’s summary Client Log (CL)

• EFT’s extended client logs (e.g. LAN copy, FTP extended, and SFTP debug logs)

• EFT’s debug log (Log4Cplus)

Exclusions*:

• FTP protocol (inbound)

• All Event Rule actions that process filename-related context variables (e.g., %FS.PATH%, %FS.FILE_NAME%, etc.); the only exception is Advanced Workflow Engine actions

• Folder Monitor events. Windows will notify EFT when a Unicode file is dropped into a monitored folder, but EFT cannot (at present) pass the UTF-8 encoded filename context variable to Event Rule actions for processing. The only exception is when the action is an AWE action, in which case UTF-8 encoding is preserved. Do not be tempted to use wildcards as the source filename for Folder Monitor rules (even if polling only is used), as this will lead to race conditions and other problems. Wildcards should only be used in rules that don't use filename context variables, such as Timer, user, or system related events.

• ARM database and all logs not explicitly mentioned above

• No User Interface (UI) components. This means you cannot specify Unicode characters in Event Rules or anywhere else in the administration interface

• No COM API support for Unicode

• EFT does not support UTF-8 filenames over AS2

*UTF-8 support will be more comprehensive in a future version. Refer to Unicode Exceptions for more information.

Unicode FAQs

The FAQs below are provided to answer questions you may have regarding EFT's Unicode support.

Q. What is Unicode?

A. Unicode is a standard that provides a unique number for every character, regardless of platform, program, or language. Systems that don't support Unicode, or that lack the proper ANSI code page, will render characters such as 大きい魚 as ???????.

Q. Does EFT support Unicode?

A. EFT partially supports Unicode and is moving towards full support.

Q. What about UTF-8?

A. UTF-8 is simply a popular mechanism for encoding Unicode characters using one or more bytes. Prior to supporting UTF-8, EFT used ANSI code pages to view filenames in the intended format (on the target system when browsing with the WTC or PTC).

Q. What other mechanisms for encoding Unicode characters does EFT support?

A. EFT uses full double byte UCS-2 encoding at the file system (I/O) level, UTF-8 encoding within EFT, and ASCII everywhere Unicode is not yet supported.

Q. Does EFT support UTF-8 for file transfers?

A. EFT preserves UTF-8 encoded filenames when transferring files over HTTP and SFTP when acting as a server, and over all supported protocols when acting as a client, when certain conditions are met (see next question).

Q. What about EFT’s Event Rules?

A. EFT's Copy/Move and Download Action wizards (across all protocols) support Unicode when you specify "UTF-8" as the filename encoding method (radio button in the wizard), and when using wildcards for the source filename, e.g. (*.dat, or *.*). However, UTF-8 is not supported for these Actions if you use %FS.PATH% or any other variable for the source filename, which means the Folder Monitor Event cannot be used to offload files and conserve their Unicode format. In fact, the only Action that supports UTF-8-encoded filenames through context variables is an AWE workflow task.

Q. Which client applications can I use to see Unicode filenames when I transfer files to EFT?

A. EFT's Web Transfer Client (WTC) supports UTF-8. For file transfer applications that do NOT support UTF-8, Unicode filenames will appear as "???????.exe" when using them to transfer files to/from EFT. CuteFTP v9 supports UTF-8.

Q. Can EFT audit or log filenames or other data with Unicode characters?

A. EFT’s summary Client Log (CL), extended client logs (LAN transfer logs, FTP logs, SFTP debug logs), and debug log (eft.log), and AWE’s logs all support Unicode characters. EFT’s EX logs, cmd out logs, and ARM (both auditing and reporting) do NOT support Unicode characters.

Q. If this filename: 梅雨右折車線_XYZ.ISO is transferred to EFT, how will it appear on disk? In reports? In EFT's Event Rules?

A. EFT will store the file to disk and conserve the original Unicode filename. The filename will be audited properly to EFT's eft.log, but will be down converted to ASCII when audited to the EX log and to the ARM database, resulting in a filename that may look like this: ??????_XYZ.iso, which is also how it appears in EFT's reports. The reason the last three characters and file extension are conserved is that UTF-8 and ASCII characters are identical for English characters (A-Z). So there is no loss of meaning (fidelity) after performing a UTF-8-to-ASCII conversion. This same UTF-8-to-ASCII conversion applies when EFT hands off the filename to the Event Rule dispatcher, except where an AWE action exists, in which case the filename context variable will retain the original UTF-8 encoded filename. Thus if data integration of UTF-8 encoded filenames is needed, you should consider deploying AWE tasks alongside EFT's Event Rules.

Q. How do Unicode filenames appear in EFT's administration interface?

A. EFT's administration interface (AI) does not support Unicode characters. UTF-8 is always down converted to ASCII in the AI. This means you can't specify a unique UTF-8 encoded filename in EFT's offload wizard, a UTF-8 encoded username, path, or anything else for that matter. The ONLY way to process Unicode filenames in the Copy/Move and Download Actions is to use wildcards (*.*, *.dat, etc.) as the source filename, instead of using a specific filename such as 梅雨右折車線.ISO.

Q. Will Unicode encoded filenames be preserved in EFT Server's context variables, such as FS.FILENAME or FS.PATH?

A. Yes and no. For all Event Rule Events, Conditions, and Actions EFT will down convert the UTF-8 characters into ASCII. The only exception is when those variables are passed to AWE. In that case alone, EFT conserves the UTF-8 encoded filename, so that AWE can consume the original UTF-8 encoded filename, as AWE is fully UTF-8 compliant.

Q. Does EFT's internal handling of the file differ depending on whether the file was received in ASCII or Unicode?

A. Internally, EFT handles everything in Unicode. Conversion back to ASCII occurs only when working with a system or capability that doesn't support Unicode.

Related Topics

IDN Support in EFT

Unicode Exceptions

Configuring the Web Transfer Client in EFT

This section describes how to configure EFT to allow Web Transfer Client connections/transfers.

Enabling User Access to the Web Transfer Client

Before users can log in to EFT using the Web Transfer Client (WTC), the EFT administrator must configure EFT to allow connections from the WTC. Active Directory domain users must have logon permission on the EFT computer in order to log on to EFT through the WTC. This is accomplished by adding AD domain users to the "Allow log on locally" list on the EFT computer. If an AD domain user is not in this list, logging on to EFT through the WTC fails and an error message informs the user that local login access is required to log on to EFT. Grant this right to a dedicated group of WTC users rather than to Domain Users as a whole, because the same right also permits interactive console logon to the server.

If a user has multiple sessions open and you want to make the licenses available to other users, stop and restart the Site. Stopping and restarting the Site resets the license count and disconnects everybody who is connected; users must reestablish their session.

To configure EFT to allow Web Transfer Client Connections

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user.

3. In the right pane, click the Connections tab.

4. In the Protocols area, select the Allow Web Transfer Client over HTTP/S check box. If this check box is not available, you have not activated the Web Transfer Client or the trial has expired. HTTPS must also be enabled.

5. Click Apply.

WTC Versions

EFT offers three different Web Transfer Client (WTC) versions (WTC Basic, WTC Advanced, WTC Applet) in addition to a "plain text" client (PTC). Which version appears after login depends on several factors:

• If a license is available

• If the user's WTC access is enabled

• If the Java applet version was selected

• If Java is enabled

• If the browser is supported

The flow chart below illustrates when WTC Basic, WTC Advanced, WTC Applet, or PTC is displayed upon login.

Web Transfer Client Licensing

With the Web Transfer Client (WTC), users can transfer folders, files, and groups of folders and files between their local filesystem and a remote filesystem. (Refer to The Web Transfer Client for details of using the WTC.)

Use of the WTC requires the purchase of a license. Licenses for the WTC are for concurrent users; any number can have access, but only the number specified by the license can use the WTC concurrently.

Session use is cookie based.

The WTC is available for use during 30-day trials of EFT. The trial allows up to 5 concurrent sessions.

After the trial has expired, a license must be purchased to resume use of the WTC.

You can view the number of licenses available in the EFT administration interface (on the main menu, click Help > About) and on the Status tab.

To activate the Web Transfer Client

1. In the administration interface, click Help > Activate Web Transfer Client. The Registration wizard appears.

2. Follow the instructions in the wizard or refer to Activating the Software, if necessary.

Rebranding (Customizing) the Web Transfer Client

Before you make any changes to the Web Transfer Client (WTC) files, make a backup copy of any files and images that you plan to edit. Deleting or incorrectly editing the WTC files can render the client unusable. When you upgrade to a new version of EFT, copy the *changes* to the new files; do not overwrite the new files with your custom files as numerous updates will have been made.

Copy and then edit the files only in the \custom folder as described in the procedure below.

When upgrading EFT, the \web\custom\ and \web\public\ folders are backed up and renamed with the date and time (e.g., \customBackup_9-28-2010_16-18\ and \publicBackup_9-28-2010_16-18\). The new versions of the files may have some updated content, so rather than overwriting the new files with your old files, you should manually copy your customizations to the new files after upgrading.

EFT provides for custom branding of the per-Site and per-Server login page, WTC interface, Plain-Text Client (PTC), Account Management interface, and AS2 Management interface. Save the edited files in the \custom\ directory for the Site and\or Server. Each file is searched for independently, so you could have some files branded on the Server (under \custom\EFTClient\), others branded on the Site (under \custom\MySite\EFTClient\), and the rest left as they were originally installed (under \public\EFTClient\).

EFT first looks in the Site's custom (branded) directory \web\custom\MySite\EFTClient and loads any branded files. For files that are not present in the Site's \custom\ directory, EFT checks the Server's \custom\ directory, \web\custom\EFTClient\, and then loads the files that it finds there. Finally, for any other files, it will load the default files from \web\public\EFTClient\. Branded files that are Site-specific override any Server-wide branded and default files, while branded files that are Server-wide override the default (Globalscape-branded) files provided by the installer.

Upon initial installation, this \custom\ directory is empty. You must create the directory structure for any Server (\custom\EFTClient\) or Site (\custom\MySite\EFTClient\) branded files. If you have multiple Sites, each Site can have different branding (e.g., one can be in English and one in French).

• The best practice is to have only customized files in the \custom\ folder and to leave the default files unmodified in the \web\public\EFTClient folder.

• The Site folder \web\custom\[SiteName]\EFTClient\ should hold just those files that contain customizations for that Site.

• The Server folder \web\custom\EFTClient\ should hold just those files that contain customizations for the Server.

• The Server-branded files will apply to all Sites defined on the Server, but any Site-branded files will override the Server-branded files.

• It is not necessary to restart the Site or Server to see your changes, but you will have to refresh or close and reopen your browser.

Below is an illustration of the folder hierarchy:

To customize files on the Site

1. Create a directory structure in the form [SiteName]\EFTClient\ in the \custom\ folder.

2. It is not necessary to copy all of the default files from public to custom. Copy the default files that you want to edit (rebrand) into the \custom\SiteName\EFTClient folder that you created.

3. Edit the copy of the file and save it in the \custom\SiteName\EFTClient\ folder.

When upgrading, the \custom\ and \public\ folders are backed up and renamed with the date and time (e.g., \customBackup_9-28-2010_16-18\ and \publicBackup_9-28-2010_16-18\).

• If you lack the resources to edit CSS and HTML pages yourself, Globalscape's Professional Services group can create custom web pages for you.

• For information about HTML and CSS files, refer to the MSDN reference at http://msdn.microsoft.com/en-us/library/aa155133.aspx.

To customize files on the Server

1. In the \web\custom\ folder, create a folder named EFTClient.

2. Copy only the default files that you want to edit (rebrand) for the Server into the \web\custom\EFTClient\ folder that you created. (It is not necessary to copy all of the default files.)

3. Make all customizations in the \custom\EFTClient\ folder following the instructions below or contact Globalscape Professional Services to request detailed customization services.

To rebrand the PTC from English to French in the Java-Enabled version:

1. Copy the EFTWebClientPlainText.htm file from \web\public\EFTClient\ptc to \web\custom\EFTClient\ptc. (If you wanted to make only one of your Sites French, you would copy the file to \web\custom\SiteName\EFTClient\ptc INSTEAD of \web\custom\EFTClient\ptc.)

2. Edit the copy of the file to rename the buttons from English to French. For example, change the word "Upload" in:

<button class="fg-button ui-state-default fg-button-icon-left ui-corner-left fg-button-toggleable" type="button" id="uploadButton" title="Upload" ><span class="ui-icon ui-icon-circle-arrow-n"></span> Upload </button> to "Envoyer":

<button class="fg-button ui-state-default fg-button-icon-left ui-corner-left fg-button-toggleable" type="button" id="uploadButton" title="Upload" ><span class="ui-icon ui-icon-circle-arrow-n"></span> Envoyer </button>

3. Save the file, then reload the PTC browser page. Your buttons are now in French!
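The script below is an added example, not Globalscape code: it carries out the Site and Server customization steps above (copy a default file into the right \custom\ folder, never editing \public\ in place) and then resolves which copy EFT will serve for a given Site, following the Site-custom, Server-custom, public lookup order described earlier. It assumes the default Enterprise install path quoted elsewhere in this guide, and uses the manual's placeholder Site name MySite; the second Site name OtherSite is invented for the comparison.

```powershell
# Added example (not Globalscape code): stage a branding file under \custom\
# and show which copy EFT serves for a Site. Assumptions: $WebRoot is the
# EFT \web\ folder at the default install path; 'MySite' and 'OtherSite'
# are placeholder Site names.
$WebRoot = 'C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web'

function Copy-EftBrandingFile {
    param(
        [Parameter(Mandatory)] [string] $RelativePath,   # e.g. 'EFTClient\ptc\EFTWebClientPlainText.htm'
        [string] $SiteName                                # omit to brand at the Server level
    )
    $source = Join-Path $WebRoot "public\$RelativePath"
    if (-not (Test-Path $source)) { throw "No default file at $source" }

    $customRoot = Join-Path $WebRoot 'custom'
    if ($SiteName) { $customRoot = Join-Path $customRoot $SiteName }
    $target = Join-Path $customRoot $RelativePath

    # Edit copies under \custom\ only; \public\ is replaced on upgrade and
    # the manual's best practice is to leave it unmodified.
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    if (-not (Test-Path $target)) { Copy-Item $source $target }
    return $target
}

function Resolve-EftClientFile {
    param(
        [Parameter(Mandatory)] [string] $RelativePath,
        [Parameter(Mandatory)] [string] $SiteName
    )
    # Each file is looked up independently in this order, as the manual states.
    $candidates = @(
        (Join-Path $WebRoot "custom\$SiteName\$RelativePath"),
        (Join-Path $WebRoot "custom\$RelativePath"),
        (Join-Path $WebRoot "public\$RelativePath")
    )
    foreach ($candidate in $candidates) {
        if (Test-Path $candidate) { return $candidate }
    }
    throw "$RelativePath is missing even from \public\; the install is incomplete"
}

# Worked case: give one Site a French PTC upload button and leave the others on the default.
$rel  = 'EFTClient\ptc\EFTWebClientPlainText.htm'
$copy = Copy-EftBrandingFile -RelativePath $rel -SiteName 'MySite'
(Get-Content $copy -Raw) -replace '> Upload </button>', '> Envoyer </button>' |
    Set-Content -Path $copy -Encoding UTF8

Resolve-EftClientFile -RelativePath $rel -SiteName 'MySite'     # the Site copy just written
Resolve-EftClientFile -RelativePath $rel -SiteName 'OtherSite'  # falls through to \public\ unless a Server copy exists
```

Run Resolve-EftClientFile for every file you brand after an upgrade as well: the upgrade renames \custom\ to a dated backup, so a file that resolved to the Site copy before the upgrade will resolve to \public\ afterwards until you copy the customization back.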

Customizing the WTC (HTML5 version)

You can customize the look and feel of the Web Transfer Client (HTML5 version) to suit your organization. The style sheets (CSS files) and index.html file are available in the installation folder (e.g., C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\). The index.html file contains the links to the CSS files.

To alter CSS files (styles)

1. Navigate to \web\custom\EFTClient\jument\styles\defaults\styles. The CSS files are located in \styles\defaults\styles\:

o vendor.css – the default CSS from the bootstrap and fancytree libraries (you should never have to remove the vendor.css reference from index.html)

o themes.css – the "override" files for these vendor defaults

o main.css – most of the CSS

2. Modify styling.

3. Copy all contents of the defaults folder from \web\custom\EFTClient\jument\styles\ to \web\custom\EFTClient\jument\.

4. If dialogs appear asking if you want to merge folders or replace existing files, click Replace or Yes.

To replace the Globalscape logo with your logo

1. Make a copy of *.header_logo.png (there are numbers in place of the asterisk) and paste it back into the same folder to make a copy.

2. Create your logo, sized 329 px by 68 px, and save it with the same name as the default logo.

3. Replace \web\custom\EFTClient\jument\images\*.header_logo.png with your logo.

4. Close and then reopen the browser to load the changes.

To replace the Web Transfer Client logo with your logo

1. Make a copy of *-App-Logo.png (there are numbers in place of the asterisk) and paste it back into the same folder to make a copy.

2. Create your logo, sized 245 px by 32 px, and save it with the same name as the default logo.

3. Replace \web\custom\EFTClient\jument\images\*-App-Logo.png with your logo.

4. Close and then reopen the browser to load the changes.

To replace the logo on the login page

1. Create your logo, sized 400 px by 120 px, and save it with the same name as the default logo.

2. Replace \web\public\EFTClient\Shared\images\gs-logo-lg.png with your logo. Maintain the same file name.

3. Close and then reopen the browser to load the changes.

To replace the English text with another language

NOTE: Subsequent versions are expected to allow for multiple languages. Meanwhile, in the Google Chrome browser, if your browser is set for a language other than English, Chrome will ask if you want to translate the page into your default language.

1. In ..\web\custom\EFTClient\jument\i18n\, open main_en.json in a text editor to change the English text in the interface to the language that you want displayed. Save a copy of the file before making any changes.

2. In ..\web\custom\EFTClient\Account\, open the HTML files in a text editor to change the English text in messages to the language that you want displayed. Be careful to not change any tags in the file. Save a copy of the file before making any changes.

3. Close and then reopen the browser to load the changes.

Session Status

EFT's administration interface displays the number of session licenses currently in use and how many remain available.

Sessions disconnect after 5 minutes of inactivity. User actions such as transfers, browsing the remote server, creation, deletion, or the renaming of remote files are seen as activity by the server for keeping the session current.

To check Web Transfer Client status

1. In the EFT administration interface, connect to EFT and click the Server tab.

2. Click the Site you want to monitor, and then click the Status tab.

3. The number of Web Transfer Client sessions in use (active) and the number available (remaining) are displayed in the right pane.

(The "Users Connected" field indicates users connected via FTP. Refer to Status Tab in the EFT help for more information.)

In Internet Explorer, a message appears when the user has been disconnected from EFT.

Java-Enabled Version:

• The WTC will automatically retry interrupted transfers up to the number of times specified in the WTC's Transfer retry limit setting. Incomplete transfers will resume from where they left off.

o If a user's session has timed out and an action is attempted that requires the server, the dialog shown below will be displayed. Clicking the X in the upper right corner closes the dialog and allows the user to continue performing actions (i.e., browse, rename, delete, file move, folder creation) on the local file system; however, any action requiring the Server will result in the Session Expired dialog being displayed. Clicking OK redirects the user to the login page.

o The Web Transfer Client is licensed by concurrent use. If the user logs into multiple browser windows, it will tie up a license seat for every browser instance that is logged in. You may want to inform your users not to use more seats than they need.

o Clicking the browser Refresh button will always log out the user and redirect to the login page.

Session Timeout

By default, if the Web Transfer Client (WTC) sits idle for 5 minutes, the session is released so that others can use one of the concurrent licenses.

(Java-Enabled Version) You may want the session time to be longer or shorter, depending upon expected usage. You can control this with a Windows registry setting by creating a new DWORD value that specifies the number of minutes that you want the WTC session to be active, but idle, before the session is released. Refer to Web Transfer Client/Plain Text Client Session Timeout in the Globalscape Knowledgebase for details of this setting.

Editing the Number of Files Displayed

(Java-Enabled Version) By default, the Web Transfer Client (WTC) is designed to automatically filter the file list and display only the first 500 files and folders. Limiting the file list to 500 files helps avoid performance issues when browsing folders that contain very large numbers of files and folders.

Depending upon the size of the folder and the capabilities of the computer running the browser, performance of the system can degrade significantly when more data is displayed. Once that limit is reached, the WTC will prompt the user to use the FILTER feature to find the files that they want. Filtering the Filesystem List is the best way to find the files and folders that you are looking for.

Refer to Knowledgebase article #10371 "Web Transfer Client File List Shows a Maximum of 500 Files and Folders" for the latest information.

Changing an AD Password via the Java-Enabled Web Transfer Client

Active Directory (AD) and LDAP Site users can change their AD password through the Web Transfer Client (WTC). If changing the password is disabled by EFT, the Change Password button is not available.

Two registry scripts are provided to enable/disable the password change feature. These registry scripts are located in the \web\public\EFTClient subdirectory of the EFT Server installation directory.

Refer to the Knowledgebase article "Changing a User Password on AD/LDAP Sites" for details.

"CRC failed - file locked" Status When Transferring a File with the Web Transfer Client

(Java-Enabled Version) If a user receives a "CRC failed - file locked" status after transferring a file with the Web Transfer Client, examine your Event Rules.

The integrity check (XCRC) occurs when the browser client finishes the upload with a request to EFT to verify the integrity of the file. If your "File Uploaded" Event Rule has a rename or move Action, EFT cannot perform the integrity check, because the file has been renamed or is no longer in the location where it was uploaded.

You can use the "Verified Upload Succeeded" Event Rule to handle the post-upload processing when files are uploaded using the Web Transfer Client (WTC). This means that WTC will be able to verify integrity, after which the Event Rule triggers.

If you allow uploads with other clients (not just WTC), then you need a separate "File Uploaded" Rule; however, on that Event Rule, add the "If Using Web Transfer Client Equals No" Condition so that the Event Rule does NOT trigger for WTC uploads. (Refer to Event Rules for details of defining Event Rules and using Conditions and Actions.)

Unsigned JAR Files

(Java-Enabled Version) The JAR files in ..\web\public\EFTClient\wtc\lib have been signed using Globalscape's certificate. If you want Web Transfer Client (WTC) users to authenticate against another certificate instead of Globalscape's, unsigned JAR files are provided in the ..\web\UnsignedJars folder so that they can be signed with another certificate, enabling applet authentication based on that certificate instead of Globalscape's.

After you have signed the JAR files with your certificate, place the signed files in ..\web\custom\EFTClient\wtc\lib, or the custom Site counterpart of this folder, such as ..\web\custom\MySite\EFTClient\wtc\lib.

Refer to Rebranding (Customizing) the Web Transfer Client for details of file locations when customizing the WTC.
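The following is an added example, not Globalscape code, showing the signing step the section above leaves to you: it signs every JAR in \web\UnsignedJars with the JDK's jarsigner tool, writes the signed copies into a Site's custom \wtc\lib folder, and verifies each one before it is served. It assumes a JDK is on PATH, that your code-signing key lives in a Java keystore (the path, alias and timestamping URL are placeholders), and uses the manual's placeholder Site name MySite.

```powershell
# Added example (not Globalscape code): sign the unsigned WTC applet JARs with
# your own certificate and stage them under the Site's custom \wtc\lib.
# Assumptions: jarsigner (JDK) is on PATH; $KeyStore, $Alias and $TsaUrl are
# placeholders for your keystore, key alias and timestamp authority.
$WebRoot  = 'C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web'
$SiteName = 'MySite'
$KeyStore = 'C:\secure\codesign.jks'
$Alias    = 'eft-wtc-signer'
$TsaUrl   = 'http://timestamp.example.com'   # placeholder; a timestamp keeps the signature valid past cert expiry

$src = Join-Path $WebRoot 'UnsignedJars'
$dst = Join-Path $WebRoot "custom\$SiteName\EFTClient\wtc\lib"
New-Item -ItemType Directory -Path $dst -Force | Out-Null

# Pass the keystore password through the environment (jarsigner's -storepass:env)
# so it never appears on a command line visible in process listings.
$secure = Read-Host -AsSecureString 'Keystore password'
$env:EFT_KS_PW = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    foreach ($jar in Get-ChildItem $src -Filter *.jar) {
        $out = Join-Path $dst $jar.Name
        # -signedjar writes a new file; the unsigned originals stay untouched.
        & jarsigner -keystore $KeyStore -storepass:env EFT_KS_PW -tsa $TsaUrl `
            -signedjar $out $jar.FullName $Alias
        if ($LASTEXITCODE -ne 0) { throw "jarsigner failed on $($jar.Name)" }

        # Verify and show the signer chain; refuse to ship a JAR that does not verify.
        $report = (& jarsigner -verify -verbose -certs $out 2>&1) | Out-String
        if ($LASTEXITCODE -ne 0 -or $report -notmatch 'jar verified') {
            throw "Verification failed for $out`n$report"
        }
    }
} finally {
    Remove-Item Env:\EFT_KS_PW -ErrorAction SilentlyContinue   # do not leave the secret in the session
}
Write-Host "Signed $((Get-ChildItem $dst -Filter *.jar).Count) JAR(s) into $dst"
```

Never copy the contents of \web\UnsignedJars into a served folder as-is, and re-run the signing from the new \UnsignedJars after each EFT upgrade: the upgrade renames your \custom\ folder to a dated backup, so the signed JARs disappear from the lookup path until they are re-staged.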

Terms and Conditions

Web Transfer Client (HTML5 version) users can be asked to accept or decline a Terms and Conditions page before continuing to the WTC. It is not available by default.

To enable the Terms and Conditions page

1. Copy the \EFTClient\ folder from \web\public\ to \web\custom\. (Refer to Customizing the WTC for information about customizations.)

2. Create a file named terms.html.

3. Save the file in \web\custom\EFTClient\jument.

To view an example Terms and Conditions file, go to the EFT online help at http://help.globalscape.com/help/eft7/mergedProjects/wtc7/Terms_and_conditions.htm. You may use this example for your Terms and Conditions page, making sure to review and revise for your company. Be sure to save the file as terms.html in the appropriate folder as explained above.

When creating your terms.html file, you do not need the <html> and <body> tags, because the file will be inserted into a frame in the WTC. You do, however, need to use HTML tags for formatting things like headings, paragraphs, and quotation marks, as shown below:

<h3>Web Transfer Client Terms and Conditions</h3>

<p> In using this website you are deemed to have read and agreed to the following terms and conditions:</p>

<p> The following terminology applies to these Terms and Conditions, Privacy

Statement and Disclaimer Notice and any or all Agreements:

&quot;Client&quot;, &ldquo;You&rdquo; and &ldquo;Your&rdquo; refers to you, the person accessing this website and accepting the Company&rsquo;s terms and conditions. &quot;The Company&quot;, &ldquo;Ourselves&rdquo;,

&ldquo;We&rdquo; and &quot;Us&quot;, refers to our Company.

&ldquo;Party&rdquo;, &ldquo;Parties&rdquo;, or &ldquo;Us&rdquo;, refers to both the Client and ourselves, or either the Client or ourselves. All terms refer to the offer, acceptance and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner, whether by formal meetings of a fixed duration, or any other means, for the express purpose of meeting the Client&rsquo;s needs in respect of provision of the Company&rsquo;s stated services/products, in accordance with and subject to, prevailing English Law. Any use of the above terminology or other words in the singular, plural, capitalization and/or he/she or they, are taken as interchangeable and therefore as referring to same.</p>

<h4> Privacy Statement</h4>

If you are not familiar with HTML code, Globalscape's Professional Services team offers a range of professional services to complement your product solution.

Upgrading the Web Transfer Client (HTML5 version)

The HTML 5 version of the Web Transfer Client (WTC) has a separate upgrade wizard from EFT, so that you can upgrade the Web Transfer Client as changes are made available without reinstalling all of EFT.

You can verify the current version by logging in to the WTC and clicking About.

To upgrade the WTC

1. Copy the installer (eft-wtc-installer.exe) to the EFT computer and double-click it. The WTC upgrader installer opens.

2. Click Next. The license agreement appears.

3. Scroll to read the agreement, then click I Agree. The WTC is upgraded.

4. Click Show details to view the process of updating.

5. After the upgrade is complete, click Close.

Disabling "Update Your Browser" Prompts

If end users do not have the necessary permissions to install an updated browser that supports certain features (such as folder uploads in Internet Explorer), administrators can disable the prompt that tells the user to update the browser, similar to the following prompt:

To disable prompts

1. In the \scripts\ folder, open adminConfig.js (the file is named in the form HHHHHHHH.adminConfig.js, where each H is a hex digit) in a text editor. The file contains JavaScript similar to the following:

'use strict';

/* global gsb */

gsb.config.disableSiteInitPopups = false;

2. Edit the last line to change it from false to true: gsb.config.disableSiteInitPopups = true;

3. Save changes to the file.

Disable CRC

The Web Transfer Client (WTC) can validate the integrity of files transferred to and from EFT. Cyclic Redundancy Check (CRC32) is enabled on the WTC by default. The EFT administrator must have enabled CRC in EFT's FTP configuration to take advantage of this feature. Note that CRC32 detects accidental corruption, not deliberate tampering; it is not a cryptographic integrity check.

With CRC enabled, when the WTC transfers a file to or from EFT, it automatically queries EFT for the CRC value of the file, then compares it to the CRC value of the local file. If they match, the transfer is reported as successful. If they do not match, the system reports a "CRC Failure." The user can then retry the transfer, if necessary; the client does not automatically retry the transfer when the values do not match.

If upload verifications are not required, you can disable CRC in the WTC configuration file.

To disable CRC

1. In C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\scripts, find the adminConfig.js file. (There is a number in front of the name.)

2. Open the configuration file in a text editor, such as Notepad++ . (It may be necessary to change the extension from JS to TXT to view it properly.)

3. At the very bottom of the file, find the following text: gsb.config.crcVerifications = true;

4. Change true to false, then save the file.

5. If you changed the name of the file to edit it, be sure to change it back.

6. Now transfers will be processed without CRC.

Localization (Language) Settings

The EFT administrator can specify which language is the default by editing the WTC configuration file.

However, the end user's browser settings take precedence over the default language setting. English is used if neither the browser's language nor the default language is available.

For example, if the browser is set to German, the WTC automatically uses German, no matter what is in the configuration file. You can also add other languages by translating the language file and adding it to the configuration file.

The language files, e.g., main_en.json, are saved in C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\i18n. Be sure not to edit any of the code, just the display text. That is, change only the text between the quotation marks that is shown to the user, not the keys.


Be sure to make a copy of the file and then edit the copy, so you can revert, if necessary. The language file must be named main_<country code>.json. A list of ISO 2-letter codes can be found online, such as http://www.nationsonline.org/oneworld/country_code_list.htm.

For example, a French language file would be named main_fr.json, and the entry in the configuration file would be:

   {
      code: 'fr',
      name: 'Française',
      region: 'France'
   },

To specify the default language setting

1. In C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\scripts, find the adminConfig.js file. (There is a number in front of the name.)

2. Open the configuration file in a text editor, such as Notepad++.

3. Look for the "Defines the languages available" section and the following text:

   gsb.config.languages = [
      {
         code: 'en',
         name: 'English',
         region: 'United States'
      },
      {
         code: 'nl',
         name: 'Nederland',
         region: 'Nederland'
      },
      {
         code: 'de',
         name: 'Deutsche',
         region: 'Deutschland'
      }
   ];

4. The default language appears first. For example, if you want German (Deutsche) to be the default language, move it to the top.

5. If you create your own language file, add it to the language section in the configuration file.
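An added example (not Globalscape code) of the precedence described above, applied in JavaScript: the browser's preferred languages are checked first against the configured list, then the administrator's default (the first configured entry), then English. The LANGUAGES array is a constructed sample in the same shape as gsb.config.languages, with German moved to the top as the default; the function names and the entry check are the example's own, not something the WTC is documented to do.

```javascript
// Added example, not Globalscape code: the language precedence described in
// the text, applied to a configuration in the shape of gsb.config.languages.
// LANGUAGES is a constructed sample with German moved to the top as default.
const LANGUAGES = [
  { code: 'de', name: 'Deutsche', region: 'Deutschland' },   // first entry = default
  { code: 'en', name: 'English', region: 'United States' },
  { code: 'nl', name: 'Nederland', region: 'Nederland' },
];

// Reduce a browser language tag such as "de-DE" or "en_US" to the 2-letter
// code that names the language file (main_<code>.json).
function baseCode(tag) {
  return String(tag).toLowerCase().split(/[-_]/)[0];
}

// Precedence: (1) the first browser-preferred language for which a language
// file is configured, (2) the administrator's default (first configured
// entry), (3) English when neither is available.
function resolveLanguage(browserLanguages, configuredLanguages) {
  const available = new Set(configuredLanguages.map(l => l.code.toLowerCase()));
  for (const tag of browserLanguages) {
    const code = baseCode(tag);
    if (available.has(code)) return code;
  }
  return configuredLanguages.length > 0 ? configuredLanguages[0].code : 'en';
}

// File name of the language file for a resolved code, under .../jument/i18n.
function languageFile(code) {
  return `main_${code}.json`;
}

// Check an entry before adding it to the languages list. The code is spliced
// into a file name, so it is restricted to two lower-case letters (an ISO
// 2-letter code); name and region are the display strings shown to the user.
function validateLanguageEntry(entry) {
  const errors = [];
  if (!/^[a-z]{2}$/.test(entry.code)) errors.push(`invalid code: ${JSON.stringify(entry.code)}`);
  if (!entry.name) errors.push('missing name');
  if (!entry.region) errors.push('missing region');
  return errors;
}
```

With the sample configuration, a browser that prefers Dutch gets nl; a browser that prefers French, for which no file is configured, gets the default de; and an empty configuration falls back to en.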


Web Transfer Client (non-Java version)

The procedures for configuring and using the Web Transfer Client are described in the topics below.

Refer to the EFT help for information about configuring the Web Transfer Client on EFT.

Overview of the Web Transfer Client

The Web Transfer Client (WTC) is a browser-based file transfer client that allows you to transfer files over HTTPS to and from a server. WTC Advanced is available if a license is available and if the client is enabled for the user on the server. If a license is not available, the advanced WTC features, such as uploading an entire folder and the transfer queue, are not available. You can still upload and download with the "Basic" version of the WTC. (Refer to Web Transfer Client Advanced vs. Basic for more information.)

Web Transfer Client Advanced vs. Basic

The Web Transfer Client is available in two editions, Web Transfer Client (WTC) Advanced and Basic. WTC Advanced offers extended features such as the ability to drag a file from your desktop to the client, moving files between folders, and so on. The Basic version is displayed when all licenses for WTC Advanced are in use or when the user is not authorized to use WTC Advanced. (Refer to Web Transfer Client Licensing for details of how WTC is licensed.)

Features                                                  WTC Basic   WTC Advanced
Upload files using File > Upload                          Yes         Yes
Download files                                            Yes         Yes
Rename files                                              Yes         Yes
Move files                                                Yes         Yes
Delete files                                              Yes         Yes
Create sub folders                                        Yes         Yes
Change view (thumbnails, list)                            Yes         Yes
Sort the File Name list by name, size, or date            Yes         Yes
Filter File Name, Size, and Date panes                    Yes         Yes
Change password                                           Yes         Yes
Upload files up to 2GB in size                            Yes         Yes
Upload files larger than 2GB in size                      No          Yes
Drag and drop files onto the Transfer pane                No          Yes
Pause and resume transfers                                No          Yes
View completed, in progress, and pending transfers        No          Yes
Concurrent file transfers                                 No          Yes
Upload entire folder structure (Chrome only)              No          Yes

System Requirements for the Web Transfer Client

• The browser running the client must have cookies enabled. (Note that cookies work on IP addresses (e.g., 127.0.0.1) or full domain names (e.g., yourcompany.org), not localhost.)

• The Web Transfer Client has been tested for use with the following browsers:

   o Internet Explorer - v10 or later
   o Firefox - v29 or later
   o Safari - Mac, v6 or later
   o Chrome - v34 or later

   (Unsupported browsers may force the use of the "plain-text client," even if WTC licenses are available.)


Enabling JavaScript in the Browser

Many web pages use JavaScript (an entirely different language from Java) to make the user experience more dynamic. The Web Transfer Client uses JavaScript for this very reason. For the Web Transfer Client to work, JavaScript must be enabled in the browser.

Refer to the procedure below to edit the browser's security settings to allow you to use JavaScript. See also Checking Java Runtime Versions.

You might not have the appropriate permissions to access these settings. If necessary, contact your system administrator for assistance.

To edit the browser settings

In Internet Explorer:

1. Click Tools > Internet Options. The Internet Options dialog box appears.

2. Click the Security tab, and then click Custom Level.

3. In the Security Settings dialog box, scroll down to the Scripting area, then under Active scripting, click Enable.

4. Click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

In Firefox:

1. In the address bar, type about:config.

2. Scroll down to or search for javascript.enabled.

3. Ensure that the Value column says "true." If it says "false," double-click the line to change it to "true."

In Chrome:

1. In the upper-right corner, click Customize and Control Google Chrome (the icon with 3 horizontal lines), then click Settings.

2. In the Settings page, scroll to the bottom and click Show advanced settings.

3. Under Privacy, click Content settings. The Content settings dialog box appears.

4. Under JavaScript, click Allow all sites to run JavaScript, then click Done. (This is the broadest choice. The Manage exceptions button in the same section lets you allow JavaScript for the EFT server's address only, which is the narrower setting if the browser is otherwise locked down.)

Checking Java Runtime Versions

Java Runtime Environment (JRE), installed on most computers to allow applications to run in Internet pages, must be installed on the computer on which the Java-enabled version of the Web Transfer Client is used. You can download the current JRE version at http://www.java.com/en/download/manual.jsp.

You might not have the appropriate permissions to access these dialogs. If necessary, contact your system administrator for assistance.

To view the currently installed version

1. Open the Windows Control Panel (Start > Run, type control, press ENTER), then double-click the Java icon. (If there is no Java icon, Java is not installed.)

2. On the Java Control Panel, click the Java tab.

3. In the Java Runtime Environment Settings area, click View. The Java Runtime Environment Settings dialog box appears.


The installed versions appear in the table.

Logging In to the WTC

You can log in to the WTC with any supported browser. The server administrator will provide you with the URL (web address) and your login information.

To log in to the server

1. Open the web browser.

2. Type or click the web address provided to you by your system administrator. For example, type https://www.ourfileserver.com. The login page appears.

   o If you don't know your username, click Forgot Username. In the Lost Username dialog box, provide your email address and then click Submit. Your request is sent to the server and an automated response will email you your username.

   o If you don't know your password, click Forgot Password. In the Lost Password dialog box, provide your Username and Email address, then click Submit.

3. Provide your Username and Password, then click Log In. When the credentials are accepted by the server, the Web Transfer Client (WTC) appears.

The WTC uses concurrent licensing, which means that a limited number of licenses are available. If a license is not available when you log in, the less featured version of WTC is displayed. You can still upload and download files, but advanced features such as uploading entire folder structures, drag-and-drop, and the Transfer pane are not available. You will also be automatically logged out after a period of inactivity to free up licenses for other users.

Logging Out of the WTC

The server ends the session after a period of inactivity. When the session is ended, the directory listing and any other personal information is cleared, and the login page is displayed.

To log out of the WTC

• Click Account > Logout. The WTC closes and the Log In page appears.

Automatic Log Out

After a period of inactivity (approximately 10 minutes), a message appears warning that you are about to be logged out. You can click Continue to stay connected.

WTC Logging

All activity in the WTC is logged in the server. You can view the log of events in the WTC and export the log to send to the administrator for troubleshooting.

To view the log

1. Click Tools > Log.

The log appears:


To export the log

1. Click the Export icon in the title of the log window. The log is exported to an HTML file in your browser.

2. Click anywhere in the HTML page of the log, and then:

   o In a Windows operating system: Press CTRL+A to select all, then CTRL+C to copy the contents that are selected. Then, click in an email or text file and press CTRL+V to paste it into the email or text file.

   o In a Mac operating system: Press Command+A to select all, then Command+C to copy the contents that are selected. Then, click in the email or text file and press Command+V to paste it into the email or text file.

To change logging settings

1. Click Tools > Log Options.

The Log Options dialog box appears.

2. The default logging level is INFO. To increase or decrease the level of logging, click the desired level. Note that each logging level includes the logging levels below it. For example, INFO includes all WARN, ERROR, and FATAL messages.

   o Click OFF if you want to turn logging off. It is a good idea to leave logging on at the default level in case of errors for which the administrator needs to review the logs.

3. Click OK to accept your changes and close the dialog box.

Uploading Files and Folders

You can upload files and folders from your local computer to a remote server on which you have upload permission.

To upload files between your local system and the server

• Do one of the following:

   o To transfer files to the server, click File > File Upload.

   o To transfer folders to the server, click File > Folder Upload. Folder uploads are available in the Chrome or Opera browser only. If you want to upload folders in other browsers, you must compress them (make a ZIP file) and upload the ZIP file.

   o Click and drag one or more files or folders from your local file system to the file list. (Empty folders are ignored and not transferred.)

   o In the Upload Manager (formerly, the Transfers pane), click the UPLOAD icon, then select the files and folders that you want to upload.

The File Name pane refreshes automatically after the upload is complete.

The Upload Manager (Transfers pane) displays the completed transfers, in-progress transfers (up to 5 at once), and pending transfers. The Upload Manager (Transfers pane) is cleared when the session ends or you log out.


• The PAUSE icon allows you to pause an in-progress transfer. If you want to clear the Transfer queue, you can click the CANCEL icon for each transfer or click the CANCEL icon at the top to clear all of the transfers.

Notes:

• When the file is transferred, if there is a file with a duplicate name already in your folder on the server, the server will run a comparison on the contents. If the file contents are the same, the file is not uploaded.

• You can upload multiple selected files at once by dragging and dropping from your local system to the WTC Upload Manager (Transfers pane), or by clicking File > Upload and then selecting multiple files. (WTC Advanced only)

• If you have exceeded your allowed disk quota on the server, a message appears when you attempt to upload more files. To continue to upload files, you must delete some of your old files from the server or ask your administrator to increase your allowed disk quota.

• Before users can log in to the server using the WTC, the administrator must configure the server to allow WTC connections with your account. The server allows users concurrent access to the WTC up to the number of available licenses. If you attempt to access the client when the maximum number of licenses is in use, WTC Basic appears instead.

• If network connectivity is lost while the WTC is transferring files, you can retry transfers that previously failed or were incomplete. If a file partially transferred before the connection went down, the transfer will be resumed from the point that it left off.

Downloading Files

You can download files on which you have download permission from the server to your local computer. The mechanism for downloading files is browser dependent.

To download files

• In the file list, select the check box of one or more files that you want to download, then click the download icon on the toolbar.

• The file downloads to the folder defined in your browser's configuration (e.g., C:\Users\myname\Downloads).

To open your browser's Downloads folder:

• In Chrome, click the Settings icon, then click Downloads (or press CTRL+J).


• In Internet Explorer, click the Settings icon, then click View Downloads (or press CTRL+J).

• In Firefox, click the green down-facing arrow to view the most recent downloads, or type about:downloads in the address bar to view all downloads.

Canceling a Transfer

Most files that you transfer will transfer so quickly that you won't even notice. Larger files, however, show progress in the In Progress area of the Upload Manager (formerly, the Transfers pane). (In WTC Advanced only.) You can cancel an in-progress transfer.

To cancel a transfer

1. In the Upload Manager (formerly, the Transfers pane), while the transfer is in progress, click the PAUSE icon.

2. Click the Cancel icon to stop the transfer.

Clearing the Transfers pane

The Upload Manager (formerly, the Transfers pane) lists uploads that are completed, in progress, and pending. The pane clears automatically when you log out of the Web Transfer Client. (Removing the list of files from the pane only removes it from the display; the file is still saved in the folder into which you transferred it.)


To clear the Upload Manager (Transfers pane)

In version 1.1.3: After a transfer is completed, the file moves from the In Progress queue to Completed. Click the DELETE icon to remove all completed transfers from the queue.

In version 1.1: After a transfer is completed, it appears in the pane with an icon next to it. Click the icon to remove the transfer from the queue.

Resuming Transfers

A file transfer can be interrupted for various reasons, such as a network glitch, or you might pause the transfer yourself. When a transfer is interrupted because of errors, it will resume automatically after network connection is reestablished (up to 10 retry attempts over a 5-minute period).

To resume a paused transfer

1. Transfers that have been interrupted appear in the In Progress queue.

2. Next to the paused file, click the PLAY icon. The transfer will resume where it left off.

Filtering and Sorting the File Name Pane

You can filter the display of the files by name, file type, size, and/or date modified to limit the display to specific files and folders. Additionally, you can sort the File Name, Size, and Date panes by clicking the arrows in the pane header.

To filter the File Name pane

1. Click the funnel icon in the header of the File Name, Size, or Date pane or next to the Search box. The Filter dialog box appears.


2. Provide filter criteria such as name, size, or date, then click Apply Filter.

• To search for a specific size, click Greater than or Less than and provide a size to search for.

3. To clear your filter and show all files, in the Filter dialog box, click Remove Filter.

Searching for Files

If you have a large number of files and subfolders, you can find a file more quickly by using filters to search by name, size, or date, or by typing text in the Search box.

The Search box matches the text string that you type anywhere in the file name, and is not case sensitive. It does not distinguish file types: for example, it doesn't know the difference between a PDF file and a PNG file, but if you type png, the search results show all files with png in the file name, including the extension. Certain wildcards return matching results. For example, w*n displays results that have a w, one or more other characters, and then an n, such as WEB_VPN_Instructions.docx and WindowsClustering.pdf. Wildcards are useful, for example, for finding files when you aren't sure how they were named.

1. In the search box, type your search term in the box, and then press ENTER, or click the down arrow to do a global search.

2. As you type, the WTC will find matches for what you have typed.

3. Click the found item to navigate to it.

4. Click the icon on the toolbar for what you want to do with the file (download, rename, delete, move, etc.).
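The matching rules described above, as an added example in JavaScript (not Globalscape code, and not how the WTC is known to implement its search): a case-insensitive substring match in which * stands for one or more characters, as the w*n example shows. Everything else in the user's term is escaped before it is placed in a RegExp, so a term containing characters such as ( or . is matched literally rather than changing the pattern. The file listing is a constructed sample; the function names are the example's own.

```javascript
// Added example, not Globalscape code: a search matcher with the semantics
// the text describes. "*" stands for one or more characters (the w*n example);
// every other character of the term is escaped so user input cannot alter
// the regular expression it is placed in.
function wildcardToRegExp(term) {
  const escaped = term
    .split('*')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))  // escape RegExp metacharacters
    .join('.+');                                               // "*" -> one or more characters
  return new RegExp(escaped, 'i');                             // case-insensitive, anywhere in the name
}

// Return the file names that match the term, in their original order.
// An empty term matches everything, like an unfiltered listing.
function searchFiles(fileNames, term) {
  if (term === '') return [...fileNames];
  const re = wildcardToRegExp(term);
  return fileNames.filter(name => re.test(name));
}

// Constructed sample listing, including the two names used in the text
// and one name containing RegExp metacharacters.
const SAMPLE_FILES = [
  'WEB_VPN_Instructions.docx',
  'WindowsClustering.pdf',
  'logo.png',
  'notes.txt',
  'report(1).pdf',
];
```

With this listing, w*n returns the two names quoted in the text, PNG returns logo.png, and (1) returns report(1).pdf instead of throwing an invalid-expression error.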


Error Messages and File Names

Error messages and prompts appear for a variety of scenarios (e.g., if you attempt to upload a file whose path exceeds the Windows limit; attempt to create a folder when you do not have permission, when the path exceeds the Windows limit, or when a folder with the same name exists; your disk quota is exceeded; and so on).

If you have read the error message/prompt and are unable to resolve the error yourself, provide the text of the message to your system administrator.

The most common error is a problem with a file or folder name. Ensure that you have provided a unique name, you have permission to create the folder, and the path length does not exceed Windows limits, as described below.

WTC File-Naming Conventions

The WTC follows the standard Windows naming conventions, with a few exceptions:

• You can name files using almost any character for a name, except for the following reserved characters:

< > : " / \ | ? *

• The maximum length for a path is 255 characters. This limitation includes the drive letter, colon, backslash, directories, subdirectories, filename, and extension.

• UTF-8-encoded characters that are valid for naming files, folders, or shortcuts, plus the following special characters are allowed:

^ Accent circumflex (caret)

& Ampersand

' Apostrophe (single quotation mark)

@ At symbol

{ Brace left

} Brace right

[ Bracket opening

] Bracket closing

$ Dollar symbol

€ Euro symbol (v6.1 and later)

= Equal sign

, Comma

! Exclamation point

- Hyphen

# Number sign

( Parenthesis opening

) Parenthesis closing

% Percent

. Period

+ Plus

~ Tilde

_ Underscore

For more information regarding file-naming conventions, refer to the Microsoft Windows Developer Network article Naming a File and the Microsoft TechNet article How NTFS Works.
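A client-side check of the rules listed above, as an added example in JavaScript (not Globalscape code; the WTC's own validation is not shown on this page). Running it before an upload, rename, or new-folder request lets the failure be explained locally instead of by a server error. The reserved characters and the 255-character path limit are taken from the list above; the rejection of % applies only when forRename is set, following the "Renaming a File" topic below, which lists % as invalid for renaming; the rejection of control characters follows the Windows naming rules in the Microsoft article referenced above. The folder path and names in the sample are constructed, and the function names are the example's own.

```javascript
// Added example, not Globalscape code: a check of the naming rules listed in
// the text, suitable for running before a request is sent to the server.
const RESERVED_CHARS = '<>:"/\\|?*';   // reserved characters listed above
const MAX_PATH_LENGTH = 255;           // includes drive letter, colon, backslash, directories, file name, extension

// Check a single file or folder name. `forRename` additionally rejects "%",
// which the "Renaming a File" topic lists as invalid when renaming.
function validateName(name, { forRename = false } = {}) {
  const errors = [];
  if (name.length === 0) errors.push('name is empty');
  for (const ch of name) {
    if (RESERVED_CHARS.includes(ch)) {
      errors.push(`reserved character "${ch}"`);
    } else if (forRename && ch === '%') {
      errors.push('"%" is not allowed when renaming');
    } else if (ch.codePointAt(0) < 32) {
      // Control characters are disallowed by the Windows naming rules the
      // text refers to (Microsoft's "Naming a File" article).
      errors.push(`control character U+${ch.codePointAt(0).toString(16).padStart(4, '0')}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Check the name together with the folder it will be placed in, so the
// 255-character path limit is applied to the full path the server will see.
function validatePath(folderPath, name, options) {
  const { errors } = validateName(name, options);
  const fullPath = `${folderPath}\\${name}`;
  if (fullPath.length > MAX_PATH_LENGTH) {
    errors.push(`path is ${fullPath.length} characters; maximum is ${MAX_PATH_LENGTH}`);
  }
  return { ok: errors.length === 0, errors, fullPath };
}

// Constructed sample inputs: a name using several of the allowed special
// characters, one with a reserved character, and a constructed folder path.
const GOOD_NAME = 'Q4_report-v2 (final) #1 €.pdf';
const BAD_NAME = 'a<b.txt';
const SAMPLE_FOLDER = 'C:\\Data';
```

validateName(GOOD_NAME) passes, since every special character in it appears in the allowed list above; validateName(BAD_NAME) fails on the reserved <; and validatePath(SAMPLE_FOLDER, name) fails once the combined path passes 255 characters even though the name itself is valid.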

Creating Folders

When you first log in to the Web Transfer Client (WTC), you are in the top folder that you are allowed to view, called your home folder. You can create sub folders within this folder, and those folders can have subfolders.

To create sub folders

1. In the Folders pane, click to select the folder under which you want to create a subfolder.

2. Do one of the following:

   o In v1.1.3, on the toolbar, click the NEW FOLDER icon.

3. Provide a name for the folder, then click OK. (Folder names follow standard Windows file naming conventions.)

4. The new folder appears in the Folders pane. You can now move files between folders and upload files to the new folder.


Moving Files Between Folders

After you have created subfolders in your home folder, you can move files between the folders.

To move one or more files to another folder

1. Select the check boxes of one or more files that you want to move, then do one of the following:

   o In v1.1.3, click the MOVE icon.

2. In the dialog box that appears, select the folder to which you want to move the file(s), then click OK.

Sharing Folders

Users can share an EFT folder with other EFT users through the Web Transfer Client. Additionally, you can, if the EFT administrator allows it, invite external users to share your folders. Users outside of the EFT network who were invited to share a Workspace (externally provisioned users) cannot themselves invite new users.

The invitation recipient clicks the link embedded in the email and then either signs in to EFT if an account has previously been created, or creates an account on EFT. (To share folders, the administrator has to have enabled Workspaces in the EFT administration interface on the Workspaces tab of the Site.)

To share a folder

1. Log in to the Web Transfer Client .

2. Select the check box of the folder that you want to share, then click the Share Folder icon or click File > Share Folder.

In the example below, the "WhitePapers" folder is selected and the Share Folder icon appears.

The Create a Workspace dialog box appears.

The administrator can specify which check boxes are selected by default, if any. The sharing user can still select the check box to enable the permission. Refer to Workspaces Permissions for details.


3. Provide up to 10 email addresses of users with whom you want to share the folder. (You can later add more participants, 10 at a time.)

4. Assign permissions by clearing or selecting the check box next to that permission. By default, all permissions are selected (enabled). Clear the check boxes of the permissions that you do not want to assign to the users.

Permissions that the administrator assigns to folders override any permissions that you assign. That is, if the folder that you are sharing does not have rename permission, you cannot assign that permission to the folder.

5. Click Share

The folder icon changes to indicate that the folder is shared .

If you click the folder, a message indicates with whom the folder is shared and allows you to add more participants.

6. To make participant changes for the shared folder, click the link in the message (in this case "4 more"). The Edit Workspace Participants dialog box appears.

   a. To view a participant's permissions, click the gear icon for that participant.

   b. To remove a participant from the list, click the trash can icon for that participant. The deleted user(s) will no longer have access to that folder. This action does not delete the user from the system nor prevent the user from accessing other Workspace folders on which they have permissions.

   c. To add more users to the shared folder, click add more participants.

The users with whom you have shared the folder will see the shared folder in their Joined Workspaces tree.

In the EFT administration interface, on the VFS tab, the shared folder appears in the Workspace Folder tree, and the administrator can see who has shared the folder, who has access to the folder, and what each participant's permissions are. On the VFS tab, the administrator can add or remove permissions and add/remove users from the share.

7. To stop sharing the folder, thereby removing the folder from Joined Workspaces, click the stop sharing icon in the banner. The Stop Sharing Workspace message appears.

Renaming a File

You can rename files in your home folder and in subfolders. The WTC follows Windows file-naming conventions. That is, the following characters are invalid for file naming:

< > : " / \ | ? * %

To rename a file

1. Select the check box for the file that you want to rename, then do one of the following:

   o In v1.1.3, on the toolbar, click the RENAME icon.

2. The Rename dialog box appears. Provide a new name for the file, then click OK.


Changing Your Password

The administrator may have set your password to expire periodically. You can change your password within the Web Transfer Client.

To change your password

1. Do one of the following:

   o In v1.1.3, in the upper-right corner, click Account, then click Password.

The Change Password dialog box appears.

2. Provide your Current Password and New Password, and then Confirm Password. If the administrator requires complex passwords, a message will appear if your password does not meet the complex password or reuse password requirements.

3. Click OK/Apply.

Web Transfer Client Limitations

The Web Transfer Client (WTC) for EFT v7 has the following limitations:

• Folder uploads are only available in Chrome or Opera. In EFT v7.1.1.11 and later, you can enable a message that informs the end user, if applicable, that their browser does not support folder uploads and suggests zipping the folder prior to uploading. (See details below.)

To enable the message

1. Open the configuration file in a text editor. By default, the file is at:

   C:\Program Files (x86)\GlobalSCAPE\EFT Server Enterprise\web\public\EFTClient\jument\scripts\39ba4de0.adminConfig.js

2. Change gsb.config.showSiteInitPopups = false; to gsb.config.showSiteInitPopups = true;

   Example (\Globalscape\EFT Server Enterprise\web\public\EFTClient\Jument\scripts\39ba4de0.adminConfig.js):

   'use strict';

   /* global gsb */

   /* … on initialization (e.g., browser incompatibility for feature). */
   gsb.config.showSiteInitPopups = true;

3. Save the file.

A message similar to the following should appear when using Firefox and Internet Explorer:


4. To upload folders, either compress the entire folder and upload the ZIP file, or switch to the Chrome browser.

Mobile Transfer Client (MTC)

The topics below describe the Mobile Transfer Client (MTC) features and how to use it to access files on EFT using a mobile device.

Mobile Transfer Client Introduction

The Mobile Transfer Client (MTC) application (app) provides a way for your iOS and Android phone and tablet users to securely connect to EFT and upload and download files while providing a number of centrally managed security controls for safeguarding your corporate data.

Mobile Transfer Client Features

EFT’s Mobile Transfer Client supports the following features:

Security

• Secure communications and transport over HTTPS

• SSL certificate management (accept CA-signed certificates, otherwise prompt)

• Secure data storage

• Central policy management that controls:

   o Profile password storage
   o Data caching
   o Storing data in an offline repository (vault)
   o Sharing files via email
   o Opening files in external (third-party) apps

Profile Management

• Multiple profile support

• Single "tap-on" link for automatic profile provisioning

• Dual-stack (IPv4 and IPv6) support

• International Domain Name (IDN) and Punycode support

• Support for non-default ports

• Auto-login to last connected profile on app launch

• Password reset and recover lost username support

• Full support for Unicode characters

Files Listings and Transfers

• View up to 10,000 files in a directory listing

• Transfer files up to 3GB in size

• Transfer multiple files concurrently

• Pause and resume transfers

• Automatic resume of system paused transfers

• Resume partial transfers from point of failure

• Download files to a separate secure repository for offline access

• Download files and open them using the built-in file viewer (Only certain file types are supported.)

• Open text, log, and other ASCII files in the internal text viewer

• Download files then open in an external program

• Download files and share them as email attachments

• Download files, make edits, then upload the modified version


• Automatic and transparent file integrity checking

• Create, rename, and delete folders

• View download progress

• Abort transfers and retry failed transfers

General Settings and Logs

• Clear profile and vault caches

• Specify the maximum cache size

• Enable logging, including verbose logging

• View detailed transaction logs

• Email logs to your administrator

• Clear all logs

• Disallow password saving (global option)

• Custom/branded profile icons (optional)

MTC System Requirements

MTC is supported on Android- or iOS-based mobile devices of varying resolutions.

• EFT v6.5.16 and later, SMB or Enterprise

• Android 2.3 or later for general operations

• Android 3.0 or later if encrypted data store is required

• iOS 6.1 or later (tested on both 6 and 7)

Mobile Transfer Client Licensing

Users with accounts on EFT can use the Mobile Transfer Client (MTC) to connect to EFT during the EFT trial period or if the MTC module has been activated (registered), assuming MTC access is enabled for a particular Site. Users will receive a “503 forbidden” message if they attempt to connect with MTC past the trial period or if MTC has not yet been activated.

To activate the MTC module

• Refer to Activating EFT and Modules.

Enabling the Mobile Transfer Client

Perhaps the most important feature available to the MTC, aside from an always secure connection, is the centrally managed security controls that dictate what users can and cannot do within the MTC app when connected to EFT.

Server and Site administrators can also block MTC connections, effectively terminating the connection based on the user-agent string that identifies the client as an MTC client. (This does not prevent other file transfer clients—mobile or desktop—from connecting to EFT.) Because the user-agent string is supplied by the client, blocking on it keeps the MTC app out but is not a substitute for restricting what the user account itself is permitted to do.

MTC's security policy only applies to files in the remote directory. The security policy does not apply to files in the vault, which means that any file downloaded to the vault can be shared or opened in third-party applications. If the EFT administrator doesn't want users to share files or open them in third-party apps, then EFT should be configured to not allow users to save files to the device's vault.


To enable/disable the MTC and configure security controls

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. If not already enabled, enable HTTPS and create and assign an SSL certificate for the Site.

5. Select the Allow Globalscape Mobile Transfer Client (MTC) over HTTPS check box.

6. Configure the MTC security controls.

To disable MTC/block MTC connections

• Clear the Enable Globalscape Mobile Transfer Client (MTC) over HTTPS check box.

- or -

• Disable HTTPS. (The MTC requires HTTPS.)

Configuring MTC Security


To configure MTC security

1. Enable the MTC .

2. Click Configure. The Mobile Transfer Client Security Policy dialog box appears.

3. Each time a user connects or makes specific requests to MTC, their profile is updated with the latest security control settings. Select (enable) or clear (disable) the following check boxes:


Allow saving of files to the offline vault—The vault in the MTC app is an encrypted storage area* where a user can download a copy of a remote file (from this or possibly another EFT account) for subsequent access, even when offline, and even if the user no longer has an account on EFT. If you disable the ability to store files in the vault then you should also consider disabling Allow file sharing via email attachments and Allow opening of file in external apps, since in all three instances files essentially leave your control.

Allow file caching for quicker access—The cache is an account (MTC profile)-specific secure storage area* that MTC uses to keep copies of files that were downloaded. The next time a user taps on a file (to open in the internal PDF viewer, for example), the file will be opened from the device's cache (assuming it isn’t stale data) rather than downloaded again from the server, resulting in a better end-user experience. The cache is semi-permanent in that it will grow as files are downloaded, and is not cleaned up unless space is needed or the user decides to clear the local cache (similar to how a browser's cache works). Disabling this option doesn’t disable file caching altogether, but rather makes caching temporary, cleaning up cached data upon application exit.

Allow saving of profile passwords—Preventing the user from saving the password forces them to re-type it each time they connect to EFT. Once authenticated, the app will retain the password in memory until the app is exited. If this setting is disabled in EFT, the password field is grayed out in the MTC app (for this profile) and passwords for this profile are removed from the mobile keychain (iOS) or database (Android), if stored there.

If this setting is enabled, then it is up to the user to decide whether to store the password in the MTC app.

Allow file sharing via email attachments—After downloading a file, an MTC user can optionally share the file as an email attachment with another user (taking the file outside of MTC's control). If this setting is disabled in EFT, then sharing won’t be allowed from within the MTC application. If you disable the ability to share files, then you should also consider disabling Allow opening of file in external apps and Allow saving of files to the offline vault, since in all three instances files essentially leave your control.

Allow opening of file in external apps—After downloading a file, an MTC user can optionally open the file in a third-party app, which is often necessary if there is no internal MTC viewer that can open the particular file extension. When the user performs an "Open In" operation, the file is decrypted so that the external app can accept the file (which is now outside of MTC's control). This setting provides administrators the ability to block users from opening files in other apps, forcing them to use the in-app viewer (if available) or nothing at all. If you disable the ability to open files, then you should also consider disabling Allow file sharing via email attachments and Allow saving of files to the offline vault, since in all three instances files essentially leave your control.

*Read the section on data encryption in the MTC FAQ. Also keep in mind that files saved to disk on Android are not sandboxed as in iOS, thus minimizing the effectiveness of some of the above controls, although MTC does leverage Android’s “Internal Storage” for keeping it segmented and inaccessible to other apps, at the cost of much less available disk space than if the standard physical storage had been used, which is “world shareable” and thus unsuitable for storing corporate data, even if device encryption is enabled. (The third-party app cannot arbitrarily do so; the user must perform an "Open" operation from the other app and select the file located elsewhere in the data folder.)

4. Click Apply to save the changes on EFT.


Onboarding Mobile Transfer Client Users

Typing a host address, username, and complex password on a mobile keyboard can be frustrating. To make the onboarding process easier, EFT generates a single-click hyperlink each time a user is created (and when the password is reset) and includes that link in the welcome email generated by EFT and sent to the user. This link includes the information necessary to connect to EFT (host address, port, path, username, and password) in encoded format. When the user receives this link and taps (clicks) the link in their mobile or tablet device’s email client, the MTC app is launched (if installed) and automatically provisioned, giving the user access to files.

The link sent from EFT is encoded, but not encrypted. If you don’t want user passwords to be communicated via email, then modify EFT’s settings to only send the username. You will need to find another way to communicate the user’s password.

To properly onboard users

• Make sure EFT’s SMTP settings are properly configured.

• Under the Site’s Security tab you must select the Enable option to e-mail users their login credentials check box.

• When you create a user (or change their password) you must select the check box E-mail login credentials to user.

• The credentials template file (CredentialsEmail.tpl) must include the #MTC_URL section and the MTC_LINK variable, which are present by default.

• The user must have the app installed prior to tapping on the MTC link. (The instructions in the welcome email will include this link.) When the user taps the link, the mobile operating system will associate the link with the MTC app, because it is registered to that particular link format.

o If MTC is not found, the operating system will display an error.

o If MTC is present, it will launch, decode the parameters, create a profile in MTC with those parameters, immediately connect to EFT, and display the user's directory listing.

Decommissioning Mobile Transfer Client Users

User account deactivation is the same for Mobile Transfer Client (MTC) users as for any other user account in EFT. However, there is one more step you can take that will result in removing that decommissioned user’s cached data, effectively wiping your corporate data off the device, insofar as MTC’s data repository is concerned. Use one of the methods below to clear the user data.

Method 1

Before deactivating the user, delete all the files in the user’s home directory, including sub-folders.

Upon subsequent login, MTC will synchronize with a now empty directory, effectively wiping any cached files stored in that profile’s repository. Once you have verified that the user has completed their final login (perhaps through an Event Rule notification), you can disable or remove their account to prevent further logins.

Method 2

If deleting the user’s data is simply not an option, then disable the Allow file caching for quicker access option in MTC's security policy configuration . Upon next login, that user (as well as all other users) will receive the new policy, and next time they close their MTC app, their cached data for that profile will be deleted. As in method 1, you will want to disable or delete their account after that final authentication. It is up to you to decide whether to re-enable the Allow file caching for quicker access option or just keep it turned off, which is arguably more secure, but less user friendly for your mobile users.


Custom Branding of the Mobile Transfer Client Profile

When users connect to an EFT Site using the Mobile Transfer Client (MTC), EFT can optionally deliver a small graphic file that will replace the generic icon shown in the MTC app for that profile in the Profile address book. You can place the custom graphic in the Server folder for use on every Site on which the MTC is enabled, or you can place custom graphics in individual Site-specific folders if you have different languages on different Sites (for example).

To provide a custom logo or graphic

1. Create a .png file that is 200x200 pixels.

o The file can include alpha transparency.

o Image squares larger than 200x200 will be scaled down, but will use more bandwidth.

o Non-square images or square images smaller than 200x200px will be rejected by the client.

2. Save the file as icon.png.

3. On the EFT computer, in the \web\custom\ folder, create a directory structure in the form [SiteName]\EFTClient\wtc\. You can create a different custom \wtc\ folder for each Site.

4. Do one of the following:

• To use the icon Server wide, copy icon.png to the \wtc\ directory (e.g., C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\custom\EFTClient\wtc).

• To deliver a Site-specific icon (as opposed to Server wide), place the icon under \web\custom\[SiteName]\EFTClient\wtc.
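The size rules in step 1 can be checked before icon.png is copied into place. The following Python script is an added example, not part of EFT or this guide: it reads only the PNG signature and IHDR chunk (so it needs no imaging library) and applies the accept/scale/reject rules stated above; make_png_header builds constructed test input, not a real image.

```python
import struct
import zlib

# Rules from the branding procedure: a square PNG, ideally 200x200; larger squares are
# accepted but scaled down by the client (more bandwidth); non-square or smaller images
# are rejected by the client.
MIN_SIDE = 200
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Return (width, height) from a PNG's IHDR chunk, or None if the data is not a PNG."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24:
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def check_icon(data: bytes):
    """Classify an icon candidate the way the MTC client will: (accepted, reason)."""
    dims = png_dimensions(data)
    if dims is None:
        return False, "not a PNG file"
    width, height = dims
    if width != height:
        return False, f"non-square image {width}x{height} is rejected"
    if width < MIN_SIDE:
        return False, f"square image {width}x{height} is smaller than {MIN_SIDE}x{MIN_SIDE} and is rejected"
    if width > MIN_SIDE:
        return True, f"{width}x{height} is accepted but will be scaled down, using more bandwidth"
    return True, "200x200 PNG, ideal"


def check_icon_file(path: str):
    """Check an on-disk icon.png; only the first 64 bytes are needed."""
    with open(path, "rb") as handle:
        return check_icon(handle.read(64))


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature plus a valid IHDR chunk (8-bit RGBA), no image data."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)
```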

To customize files on a Site

1. In the \web\custom\ folder, create a directory structure in the form [SiteName]\EFTClient\wtc\.

2. Copy only the default files that you want to edit (rebrand) from the \web\public\EFTClient\wtc folder into the \web\custom\SiteName\EFTClient\wtc\ folder that you created. (It is not necessary to copy all of the default files.)

3. Edit the copy of the file in the \custom\SiteName\EFTClient\wtc\ folder, and save it.

When upgrading, the \custom\ and \public\ folders are backed up and renamed with the date and time (e.g., \customBackup_9-28-2010_16-18\ and \publicBackup_9-28-2010_16-18\).

Upon initial installation, this \custom\ directory is empty. You must create the directory structure for any Server (\custom\EFTClient\) or Site (\custom\MySite\EFTClient\) branded files. If you have multiple Sites, each Site can have different branding (e.g., one can be in English and one in French). EFT first looks in the Site's custom (branded) directory \web\custom\MySite\EFTClient and loads any branded files. For files that are not present in the Site's \custom\ directory, EFT checks the Server's \custom\ directory, \web\custom\EFTClient\, and then loads the files that it finds there. Finally, for any other files, it will load the default files from \web\public\EFTClient\. Branded files that are Site-specific override any Server-wide branded and default files, while branded files that are Server-wide override the default (Globalscape-branded) files provided by the installer.

• The best practice is to have only customized files in the \custom\ folder and to leave the default files unmodified in the \web\public\EFTClient folder.

• The Site folder \web\custom\[SiteName]\EFTClient\ should hold just those files that contain customizations for that Site.

• The Server folder \web\custom\EFTClient\ should hold just those files that contain customizations for the Server.

• The Server-branded files will apply to all Sites defined on the Server, but any Site-branded files will override the Server-branded files.

• It is not necessary to restart the Site or Server to see your changes, but you will have to refresh or close and reopen your browser.
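The lookup order described above (Site custom, then Server custom, then the public defaults) as an added Python example, not EFT's own code: branded_file_candidates lists the paths in the order EFT consults them, resolve_branded_file returns the first that exists, and audit_branding reports which layer serves each file, which is a quick way to confirm that only customized files live under \custom\. The exists callback is an assumption that lets the logic be checked without a real web folder; it defaults to the real filesystem.

```python
import os
from typing import Callable, Dict, List, Optional, Tuple

# Layers in the order EFT consults them, per the branding section.
LAYERS = ("Site custom", "Server custom", "public default")


def branded_file_candidates(web_root: str, site_name: str, relative_path: str) -> List[str]:
    """Paths EFT consults, in order, for one client file below the EFTClient folder.

    relative_path may use '/' or '\\' separators (e.g. 'wtc/icon.png'); it is split so that
    os.path.join produces the right separator on the host running the check.
    """
    parts = relative_path.replace("\\", "/").split("/")
    return [
        os.path.join(web_root, "custom", site_name, "EFTClient", *parts),  # Site-branded file
        os.path.join(web_root, "custom", "EFTClient", *parts),             # Server-branded file
        os.path.join(web_root, "public", "EFTClient", *parts),             # installer default
    ]


def resolve_branded_file(
    web_root: str,
    site_name: str,
    relative_path: str,
    exists: Callable[[str], bool] = os.path.isfile,
) -> Optional[Tuple[str, str]]:
    """Return (layer, path) of the copy EFT would serve, or None if no layer has the file."""
    for layer, path in zip(LAYERS, branded_file_candidates(web_root, site_name, relative_path)):
        if exists(path):
            return layer, path
    return None


def audit_branding(
    web_root: str,
    site_name: str,
    relative_paths: List[str],
    exists: Callable[[str], bool] = os.path.isfile,
) -> Dict[str, str]:
    """Map each file to the layer serving it for this Site.

    Anything reported as 'Site custom' or 'Server custom' is a file you rebranded and
    should re-check after an upgrade, because the upgrade renames the custom folder.
    """
    report: Dict[str, str] = {}
    for relative_path in relative_paths:
        hit = resolve_branded_file(web_root, site_name, relative_path, exists)
        report[relative_path] = hit[0] if hit else "missing"
    return report
```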


Obtaining the Mobile Transfer Client Apps

The Mobile Transfer Client (MTC) is available for both Android and iOS devices as an app, also called a native app (as opposed to a browser-based app).

To download the app onto a device

• Go to the iTunes or Google Play store on your device, and search the app store for "Mobile Transfer Client by Globalscape, Inc." The links to the MTC app are also included in the credentials template email.

Mobile Transfer Client FAQ

Frequently asked questions (FAQ) are answered below.

Does MTC require a certain version of EFT Server?

Yes. MTC connects only to EFT versions that support the mobilepolicysettings web service call, which is available in EFT v6.5.16 and later, SMB or Enterprise.

What protocols does MTC support?

MTC only uses HTTPS. This protocol provides transport security and a rich mechanism (using headers) for communicating with EFT about things like security policies, file checksums, and other advanced features that older protocols such as FTP and SFTP cannot provide. On EFT SMB, the HTTPS module is required.

What if I want to use FTP or SFTP?

There are plenty of free and for-pay FTP and SFTP clients available for iOS and Android; however, those apps do not offer the same policy and security controls as provided by MTC.

What authentication mode does MTC use?

MTC relies on Basic Auth over an encrypted HTTPS connection. Session (Form)-based authentication is being considered for a future version.

Why can’t I just use my mobile browser to download files instead of using your native app?

You can to a certain extent if you connect to EFT and bypass the Java-based client option. However, what you can do once you connect is severely limited by the mobile operating system and browser you choose to use, and also lacks the security policy features provided by MTC.

What prevents my users from using a mobile SFTP or FTPS client or third-party browser?

Nothing really; but that is no different from today when it comes to your user’s choice of desktop-based client. As the administrator you can turn off SFTP or FTPS support entirely, or allow these protocols knowing that you can’t control the app your user chooses to use as their client. The benefit of using MTC is that you can set a corporate policy that mandates that users only use the MTC client to interact with EFT from their mobile device, as MTC provides a level of governance and control due to its centrally managed security policies. EFT logs can demonstrate whether users are using MTC or not based on the protocol used and the http user-agent string (keep in mind user-agent strings can be forged). And organizations with an MDM solution in place can enforce the use of MTC by whitelisting MTC and blacklisting any other file transfer client app that doesn’t meet IT’s security requirements.


Does the MTC app protect (encrypt) data at rest?

Yes. MTC leverages the OS level encryption for encrypting contents at rest. In iOS this means the user MUST be using a pin code to unlock their device. If the user has not established a pin code then data will not be encrypted while at rest. When the device is unlocked (user enters their pin code), an OS-wide decryption key is created that MTC will leverage when reading files from disk. When a user performs an "Open In" or "Share as Link" operation, MTC takes a decrypted COPY of the cached file and passes it to the third-party app, assuming those operations are allowed by the security policy. The third-party app may or may not use the encryption class, meaning the file is not guaranteed to be encrypted when saved to disk by the third-party app (e.g. they assign the file to the NSFileProtectionNone class).

Android is a bit more problematic as apps and their data are not completely sandboxed. Starting with Android 3.0 you can enable whole disk encryption; however, once you enter your pin code, your device is decrypted device-wide, and nothing prevents the user or another app on the device (deliberately run by the user or otherwise) from accessing the data directory for any other app. To prevent this breach of data privacy, MTC leverages Android’s so-called "internal" data storage, a relatively small partition of the overall non-removable physical storage that acts like a data sandbox, preventing both the user and app from accessing files downloaded from EFT into MTC’s cache or offline vault. Contrast this "internal" storage with the so-called "external" storage (not to be confused with the physically inserted SD card) which represents the remainder of the non-removable hard-drive and allows any app on the device to access any other apps’ data. The downside of using internal storage is that it is usually about a tenth or less of the overall non-removable disk space. Using a physically inserted SD for storage is simply out of the question because neither encryption nor data privacy are extended to this truly external, removable storage media type. Below is a graphic that helps illustrate Android’s various partitions and how encryption and privacy (data sandboxing) apply. MTC follows the purely green path. However, keep in mind that data will only be encrypted if the device-wide encryption is enabled on the device.

Are there any restrictions for MTC to work in EFT?

Yes. HTTPS must be enabled and the Site must rely on a single-factor authentication manager (AD, LDAP, ODBC, or GS Auth). Sites using RSA SecurID, RADIUS 2FA, or CAC-based authentication will result in failed MTC login attempts.

How do I troubleshoot MTC connection problems?

MTC can optionally keep a detailed log of all its transactions including the HTTP transport stream. There is even an option in the MTC log viewer for the user to email the log so that you can review decrypted HTTPS requests and responses and assist the user in determining why an operation failed. Alternatively, you can use EFT’s eft.log file (after enabling the HTTP logger) to view decrypted HTTPS sessions. Most of the time what you are looking for is 401s (authentication failed), 404s (the resource requested was not found), or 503s (insufficient permission for the requested resource).

Does MTC support forced password reset, user-initiated password changing, lost password reset, and username recovery?

Forced password reset upon initial (or next) login is supported by MTC. User-initiated password change is not supported, but they can still do this from their desktop or even mobile browser. MTC also supports lost password reset and lost username recovery.


I have multiple Sites that are accessible to the same set of users. Can MTC accommodate multiple Sites?

Yes, MTC supports the concepts of Profiles, which are essentially the same as accounts on EFT Sites.

Can my users download a file to their device, make changes to the file, then re-upload the file back to EFT?

Yes, assuming "Allow opening of files in external apps" is enabled.

o On iOS devices, when the user chooses to open a file in a third-party app, MTC checks to see if a local cached copy exists and is fresh. If the file is not in cache or is stale, the file is downloaded from the server and then a copy of the file is passed to the third-party app. Once the user is done making changes in the third-party app (assuming the app can edit that file type) the user would then select the "Open In" or equivalent function in the third-party app and choose MTC as the destination. Files copied back into MTC are placed in the MTC offline vault. Back in MTC, the user can select files in their vault and upload those to EFT, effectively overwriting the original file. The download, open in third-party app, open back in MTC, then upload, are all separate operations.

o On Android devices, MTC takes on a more active role for file editing. When the user downloads the file, selects the Open In function, and then selects a third-party app, MTC passes a handle to the originally downloaded (and cached) file, rather than a copy of the same. MTC then spawns a file monitoring thread to keep track of changes (saves) made to that file. The user makes their edits in the third-party app, and after saving their changes, they must switch back to the MTC app. Once MTC is in the foreground, it cancels the monitoring thread. If changes were recorded, it immediately uploads the file to the server, overwriting the original file.

Does MTC work with any Mobile Device Management (MDM) technology?

Yes, as long as the MDM solution you have in place provides app management capabilities, meaning the MDM solution can distribute apps curated from the app store; however keep in mind that MDM managed devices require enrollment, which might be enforceable within the organization, but rarely so for partners or customers or other non-employees who still need to interact with your organization. The good news is that MTC has its own MDM capabilities via EFT Server’s policy controls, removing the need to rely on 3rd party MDM solutions, unless otherwise desired.

Does MTC leverage Good Technology, Mobile Iron, or similar MDM app wrapping or containerization technology?

No, MTC does not rely on any third-party MDM wrappers or SDKs because MTC provides its own MDM capabilities via EFT Server’s policy controls. These policy controls provide the same containerization benefits as one of the commercial MDM solutions but without the added cost or complexity. EFT’s centrally managed policies control intra-app workflow, password storage and complexity rules, and data storage rules, while ensuring encrypted storage and transmission of data – all without having to force your users (which might not be direct employees of the organization) to adopt an MDM specific version of the application on their device.

Can EFT's security policies for MTC be set per-user?

Security policies must be set on EFT Site wide, affecting all templates and users belonging to that Site. If you need a separate set of policies for certain users, then you could set up a second Site (on a different IP address or port). Please contact us if you feel that you need template-level or user-level control over MTC‘s security policies, so we can determine whether to extend more granular control over those policies in a future version release.

Can the security policy for blocking MTC from opening files be specific to certain file types?

When Open In is disallowed, it will affect all files, regardless of extension.


AS2 Module

(Available in EFT Enterprise) EFT provides the option of transferring files over AS2 (Applicability Statement 2), used to exchange structured business data securely using the HTTP or HTTP/S protocol.

These topics provide an overview of AS2 and describe how to configure EFT's AS2 module.

(Available as an optional module in EFT Enterprise) AS2 (Applicability Statement 2) is used to exchange structured business data securely using the HTTP or HTTP/S protocol. Any type of data can be exchanged using AS2, including traditional EDI messages, XML, flat files, spreadsheets, and CAD/CAM data. AS2 is not concerned with the content or validity of the data being sent, but only with the connection and the secure, reliable exchange of data. Data security is achieved using S/MIME through signing and/or encryption.

AS2 offers distinct advantages over plain HTTP, including increased verification and security achieved with receipts and digital signatures. Its transactions and acknowledgements occur in real time, increasing the efficiency of document (data) exchanges. AS2 is also referred to as EDIINT AS2 (EDI over the Internet AS2). Many organizations are migrating to this protocol to reduce costs, and requiring their trading partners to switch to the AS2 protocol. Sending encrypted payloads over HTTPS ensures that only the sender and receiver can view the data exchanged. The use of a hash algorithm ensures data integrity by detecting whether the document was altered during transmission.

The basic structure of an AS2 message can be compared to an envelope that contains a MIME-formatted message inside an HTTP message with AS2 headers. The Message Disposition Notification (MDN) or receipt is returned in the HTTP response message body or in a new message to an alternate URL specified by the originator. This request/reply transactional interchange can provide secure, reliable, and authenticated transport for data using HTTP as a transfer protocol. The security protocols and structures used also support auditable records of these document data transmissions, acknowledgements, and authentication. In a secure message exchange, one organization sends a signed and encrypted message to another organization and requests a signed receipt, and later the receiving organization returns the signed receipt to the sending organization.

Non-repudiation of receipt (NRR) is a legal event that occurs only when the original sender has verified the signed receipt returned from the recipient of the message, and has verified that the returned message integrity check (MIC) inside the MDN matches the previously recorded value for the original message. That is, the sender of the message obtains undeniable proof that the recipient received the message and that the message was not altered in transit. NRR is established when both the original message and the receipt use digital signatures.
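To make the MIC comparison behind NRR concrete, here is an added Python example (not EFT's implementation): the sender records the MIC at send time, and when the MDN arrives it checks the receipt signature result, the Disposition field, and the Received-Content-MIC field before treating the transaction as a success, which is the "every part must succeed" rule described later for outbound transactions. Field names follow RFC 4130; the payload, partner names and message ID are constructed samples, and the S/MIME signature check is passed in as a boolean because this example does not implement S/MIME.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Constructed sample payload (a made-up X12 envelope segment, not a real document).
SAMPLE_PAYLOAD = (
    b"ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       "
    b"*151221*1200*U*00401*000000001*0*P*>~"
)


def compute_mic(content: bytes, algorithm: str = "sha1") -> str:
    """MIC as AS2 carries it: base64 of the digest over the content that was signed."""
    digest = hashlib.new(algorithm.lower().replace("-", ""), content).digest()
    return base64.b64encode(digest).decode("ascii")


def record_outbound(content: bytes, algorithm: str = "sha1") -> Dict[str, str]:
    """What the sender keeps at send time so the receipt can later be checked against it."""
    return {"mic": compute_mic(content, algorithm), "algorithm": algorithm.lower()}


def parse_mdn_fields(disposition_part: str) -> Dict[str, str]:
    """Parse the header-style fields of the MDN's message/disposition-notification part."""
    fields: Dict[str, str] = {}
    for line in disposition_part.splitlines():
        if ":" in line and not line[0].isspace():
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def parse_received_mic(value: str) -> Tuple[str, str]:
    """'<base64>, sha1' -> ('<base64>', 'sha1')."""
    mic, _, algorithm = value.partition(",")
    return mic.strip(), algorithm.strip().lower()


def verify_nrr(recorded: Dict[str, str], disposition_part: str, receipt_signature_valid: bool) -> str:
    """Outcome of an outbound transaction once the MDN is in hand.

    Success requires all of: the signed receipt verified, a 'processed' disposition without
    an error modifier, and a Received-Content-MIC equal to the value recorded at send time.
    """
    if not receipt_signature_valid:
        return "failed: receipt signature could not be verified"
    fields = parse_mdn_fields(disposition_part)
    disposition = fields.get("disposition", "")
    # The disposition-type follows the ';', e.g. 'processed', 'processed/error: ...', 'failed/...'.
    disposition_type = disposition.split(";", 1)[-1].strip().lower()
    if not disposition_type.startswith("processed") or "/error" in disposition_type:
        return f"failed: disposition '{disposition}'"
    if "received-content-mic" not in fields:
        return "failed: MDN carries no Received-Content-MIC"
    mic, algorithm = parse_received_mic(fields["received-content-mic"])
    if algorithm != recorded["algorithm"] or mic != recorded["mic"]:
        return "failed: MIC mismatch"
    return "success: non-repudiation of receipt established"


def build_sample_mdn(mic_value: str, algorithm: str, disposition_type: str = "processed") -> str:
    """Constructed disposition-notification part, for illustration only."""
    return (
        "Reporting-UA: partner-as2-gateway\r\n"
        "Original-Recipient: rfc822; PARTNER\r\n"
        "Final-Recipient: rfc822; PARTNER\r\n"
        "Original-Message-ID: <constructed-msg-id@example.invalid>\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition_type}\r\n"
        f"Received-Content-MIC: {mic_value}, {algorithm}\r\n"
    )
```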

EFT uses HTTP/S to exchange data with AS2-ready servers and clients. Extended HTTP header information outlines how data should be handled and whether signed or unsigned receipts are required.

EFT also validates data integrity upon receipt and requests acknowledgement or message disposition notification (MDN) upon completion of outbound transfers. For technical details of AS2, refer to RFC 4130.

How EFT Supports AS2

EFT Enterprise edition incorporates a Drummond-certified AS2 adapter to support inbound and outbound AS2 transfers. Drummond certified means that EFT's AS2 module has achieved interoperability with other Drummond-certified AS2 servers and clients.

AS2 Optional Profile Supported

EFT supports inbound AS2 Multiple Attachments (MA) for processing a single message with multiple payloads. MA messages are treated the same as normal messages with the exception that multiple files are processed.

EFT also supports the Reliability Profile, which consists of various internal methods for avoiding duplicate file processing and standardized mechanisms for retrying and resending AS2 messages and MDNs.


What EFT's AS2 module does not support

EFT does not support non-encrypted payloads over plaintext HTTP, asynchronous MDN deliveries via SMTP for outbound transactions (but does support inbound ones), EDI file content manipulation (translation, extraction, transformation, loading), or outbound Multiple Attachments (MA). EFT does not determine if the data sent or received is usable; it only transfers the data. The AS2 module is "push only"; that is, EFT does not request files.

For security reasons, if you are transferring files using HTTP, the payload must be encrypted; if the payload is not encrypted, HTTPS must be used. This rule applies to both inbound and outbound transactions. Encrypting the payload and sending it over HTTPS provides additional protection from "man-in-the-middle" attacks.

How EFT manages AS2 transmissions

In receiver mode (inbound), EFT examines the HTTP header, then determines whether to process it as a normal file transfer, as an AS2 receipt (MDN), or as an AS2 transmission. If the file is an AS2 transmission, EFT will process the file, and if a receipt was requested, send a receipt back to the originator. Once the file is received, the following Event triggers will apply:

• An On File Upload Event occurs for each file uploaded in an MA transaction.

• An AS2 Inbound Transaction Succeeded Event occurs just once per single file or MA transaction after all files are received and the MDN (if requested) is successfully sent.

• An AS2 Inbound Transaction Failed Event occurs if an AS2 file upload failed for any reason, such as bad Message Integrity Check (MIC), no permissions/access, duplicate message ID, or other AS2 transfer-related error.

In sender mode (outbound), EFT provides granular control over AS2 configuration, such as whether to compress or encrypt the message contents, whether to request a synchronous or asynchronous receipt, and whether to launch one or more post transaction Events:

• An AS2 Outbound Transaction Succeeded Event occurs after EFT has successfully offloaded a file to a remote partner and, if a receipt was requested, a valid receipt was received that indicates the transfer was successfully completed.

• An AS2 Outbound Transaction Failed Event occurs if EFT has failed to offload a file to a remote partner, an MDN receipt sent by EFT was not received in the specified duration, or the receipt signature or MIC failed.

EFT sends e-mails and executes commands only after the final transaction status (Failure or Success) is known. The success or failure to receive the MDN is stored in the database and can be viewed in reports and in the AS2 Status Viewer.

How EFT determines failed AS2 transmissions

AS2 transfers may have more than a simple success or failure outcome. For example, an outbound AS2 file transfer may succeed, but no MDN is received from the remote host. This could be considered an outright failure in some cases. Another example of a failure is when a file is successfully sent, but the received MDN’s signature cannot be verified. Not all AS2 systems consider these partial failures an overall failure. For example, a remote host may still accept an inbound file even though its signature was bad or had other issues.

EFT accepts most AS2 transmissions, even if there is a MIC mismatch or the signature used to sign the payload was not found. However, the overall transaction is not considered a success unless every part of the transmission succeeds. That is, EFT's acceptance of the transmission does not mean that the transmission was successful.

EFT's implementation of AS2 considers the following transmissions permanent failures:

• An inbound unencrypted transmission over plaintext HTTP protocol

• An upload attempt to a folder to which the user does not have write permission


In each of these situations, the transmission is rejected automatically. An error is returned to the client, audited to the database, and can trigger an AS2 transaction failure Event, if configured.

Redirecting AS2 transfers from HTTP to HTTPS

You can configure EFT to redirect HTTP connections to HTTPS. The redirect HTTP to HTTPS option affects all incoming HTTP transmissions, including AS2 requests over HTTP. When you have configured redirection, EFT simply tells the connecting client that the resource was moved to the new HTTPS URL. The connecting client decides whether it will allow the redirect, because the new URL could be on a different server. If the connecting AS2 client does not allow redirection to a different port, the connection will fail.

You can also configure EFT to accept AS2 transactions over HTTP/S, but not allow general HTTP and/or HTTPS transactions. To do this, simply turn off HTTP and/or HTTPS and turn on AS2. The HTTP engine will stay active and only process HTTPS requests that include the AS2 headers.

Are AS2 transfers FIPS compliant?

If FIPS is enabled for SSL in EFT, then AS2 transfers over HTTPS use FIPS-certified encryption for the SSL/TLS connection through the Internet. Internal processing of the AS2 MIME payload may use non-FIPS algorithms or hashes, such as MD5, depending on the content of the AS2 payload or MDN that is received.

Installing and Activating the AS2 Module

The AS2 module is installed when you install EFT. AS2 is available to evaluate during the EFT 30-day trial.

Prerequisites for Using the AS2 Module

• AS2 file transfers must not exceed 20GB.

• You must have .NET installed and configured. During installation, EFT determines whether the .NET framework is installed and, if not installed, prompts you to install it.

• You must have the Auditing and Reporting module installed. (The ARM trial is installed when you install EFT.)

If the AS2 module is not activated, the following events occur when the AS2 module trial has expired:

• All incoming AS2 connections are rejected.

• EFT audits the failure in the ARM database as "AS2 evaluation license expired."

• Any Event Rule that contains an AS2 Send File to host Action will not fire; the If Failed Action triggers, and ARM audits the outbound failure in the ARM database as "AS2 evaluation license expired."

• All AS2 configuration is unavailable.

• The AS2 Send File to host Event Rule Action is no longer available for Event Rules.

• EFT writes a message to the Windows Application Event Log.

AS2 Authentication

In "normal" authentication, EFT supports client-authenticated transactions, meaning EFT’s HTTP/S protocol handler requires a username and password at the outset of the HTTP/S-based AS2 transaction.

After it authenticates the partner's login credentials, EFT passes the transaction to its AS2 processor, which performs all message validation and handling. This normal authentication method is secure, but requires the administrator to create and manage partner accounts.

659

EFT v7.2 User Guide

If you are using SSL authentication for accounts that need to send AS2 transfers, leave it at the default password authentication, not certificate authentication.

Message Level Security (MLS) authentication is a sort of sub-set of normal authentication. MLS requires only two criteria to authenticate on EFT (AS2-From + signature), whereas normal authentication can require up to four criteria (Username + Password + AS2-From + Signature).

To accommodate MLS, instead of immediately rejecting messages that don’t contain the Authentication verb (or an empty value next to the Authentication verb), EFT manually looks for the AS2-From verb and, if present, looks up the partner account that matches the identifier. If that account is found, and if MLS is allowed for that partner, EFT passes the message to its AS2 processor, along with the mandatory “RequireSign” parameter, one of two mandatory factors used for MLS authentication. The AS2 processor checks for mismatched signatures and properly formatted AS2 messages, and if validated, submits the transaction to the AS2 engine for decryption and processing.

Regardless of whether MLS is enabled for a particular partner account, if a username and password are provided (authentication verb and values present), EFT validates the user account credentials. If those credentials are invalid, the transaction is denied (regardless of whether the AS2-From and signatures match). If the credentials are valid, then the transaction proceeds and is passed to the AS2 processor.

However, if MLS authentication is enabled for that partner, then not only does the AS2-From identifier have to match up with that partner account, but also the RequireSign must be passed to the AS2 processor (and be a valid signature for that account), meaning all four factors must be correct. If, on the other hand, normal authentication mode was specified for the user (rather than MLS), then only the username and password factors are checked, unless AS2-From and signature factors were required by EFT, as specified in the inbound settings for that particular partner’s account.

Process flow:

If authentication credentials are missing, EFT manually parses the AS2-From ID, and then:

• If not present, rejects the transaction

• If present, locates the partner (user) account associated with the AS2-From ID

  o If no partner is found, EFT rejects the transaction

  o If a partner is found, EFT determines if MLS is allowed for that partner

    - If MLS is not allowed, EFT rejects the transaction

    - If MLS is allowed, EFT passes the transaction to the AS2 component for processing, along with the RequireSign parameter set to True

If authentication credentials are present, EFT validates the credentials, and then:

• If invalid, EFT rejects the transaction

• If valid, EFT determines if that account will accept or reject mismatched AS2-From IDs

  o If set to reject, then EFT verifies the AS2-From ID provided in the header matches the account profile AS2-From ID

    - EFT rejects the transaction if they do not match

    - EFT accepts the transaction if they do match

• If the AS2-From ID is valid, EFT determines whether that account accepts or rejects messages that lack signatures

  o If set to reject, EFT sets RequireSign to true

  o If set to accept, EFT sets RequireSign to false, then submits the transaction to the AS2 component for processing


AS2 Module

To mitigate the risk of DoS attacks and prevent unauthorized transactions, the administrator should employ EFT’s IP address filters, set a maximum size limit to a reasonable level, or select the Require SSL certificates from connecting clients check box in the SSL Certificate Settings dialog box on the Site's Connections tab.

You can enable Message Level Authentication in the AS2 Partner Inbound Wizard or the AS2 Inbound Settings dialog box.

Permutations of Valid Authentication Factors

Normal Authentication

Any of the four combinations below will allow the inbound AS2 transaction:

• USERNAME + PASSWORD (“Auth” + “Message not signed” = ACCEPT + “as2-from mismatch” = ACCEPT)

• USERNAME + PASSWORD + AS2 FROM ID + SIGNATURE (“Auth” + “Message not signed” = REJECT + “as2-from mismatch” = REJECT)

• USERNAME + PASSWORD + AS2 FROM ID (“Auth” + “Message not signed” = ACCEPT + “as2-from mismatch” = REJECT)

• USERNAME + PASSWORD + SIGNATURE (“Auth” + “Message not signed” = REJECT + “as2-from mismatch” = ACCEPT)

MLS Authentication

Either of the two combinations below will allow the inbound AS2 transaction:

• AS2 FROM ID + SIGNATURE (“MLS” + “Message not signed” = REJECT + “as2-from mismatch” = REJECT)

• USERNAME + PASSWORD + AS2 FROM ID + SIGNATURE (“MLS” + “Message not signed” = REJECT + “as2-from mismatch” = REJECT)

The following table describes possible login scenarios, depending on settings specified in the partner’s AS2 inbound configuration page (column headings), and depending on the verbs and factors provided by the incoming partner in the HTTP headers (row headings).

Partner's AS2 Inbound Configuration (column headings A to E) versus the HTTP header information sent from the inbound AS2 client to EFT (row headings). "Auth" = username/password; "Sign" = certificate signature.

  A  MLS authentication allowed
  B  Normal authentication + Accept mismatch AS2-From id + Do not require sign
  C  Normal authentication + Reject mismatch AS2-From id + Do not require sign
  D  Normal authentication + Accept mismatch AS2-From id + Do require sign
  E  Normal authentication + Reject mismatch AS2-From id + Do require sign

HTTP header information sent by the client       A     B     C     D     E
No Auth, No Sign, AS2ID invalid                  fail  fail  fail  fail  fail
No Auth, No Sign, AS2ID valid                    fail  fail  fail  fail  fail
No Auth, Sign invalid, AS2ID invalid             fail  fail  fail  fail  fail
No Auth, Sign invalid, AS2ID valid               fail  fail  fail  fail  fail
No Auth, Sign valid, AS2ID invalid               fail  fail  fail  fail  fail
No Auth, Sign valid, AS2ID valid                 pass  fail  fail  fail  fail
Valid Auth, No Sign, AS2ID invalid               fail  pass  fail  fail  fail
Valid Auth, No Sign, AS2ID valid                 fail  pass  pass  fail  fail
Valid Auth, Sign invalid, AS2ID invalid          fail  fail  fail  fail  fail
Valid Auth, Sign invalid, AS2ID valid            fail  fail  fail  fail  fail
Valid Auth, Sign valid, AS2ID invalid            fail  pass  fail  pass  fail
Valid Auth, Sign valid, AS2ID valid              pass  pass  pass  pass  pass
Invalid Auth, No Sign, AS2ID invalid             fail  fail  fail  fail  fail
Invalid Auth, No Sign, AS2ID valid               fail  fail  fail  fail  fail
Invalid Auth, Sign invalid, AS2ID invalid        fail  fail  fail  fail  fail
Invalid Auth, Sign invalid, AS2ID valid          fail  fail  fail  fail  fail
Invalid Auth, Sign valid, AS2ID invalid          fail  fail  fail  fail  fail
Invalid Auth, Sign valid, AS2ID valid            fail  fail  fail  fail  fail

From the table above, you can see that:

• If no username/password is provided (No Auth), and the certificate is either not provided (No Sign) or invalid (Sign invalid), the transaction will fail.

• If the username/password is invalid, no matter what the settings are, the transaction will fail. For example, if you have configured Message Level Security, EFT does not require a username/password. But if an incorrect username/password is provided in the header information, the transaction will fail (to prevent unauthorized transactions).

• The advantage to using MLS authentication is that partners can connect without providing a username/password pair, as long as the certificate signature and AS2 ID are valid.
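The process flow and the scenario table above, as an added simulation that is not GlobalSCAPE's code: the partner account, credentials and AS2 identifiers are constructed, and signature verification is a precomputed flag rather than a real S/MIME check. It rebuilds all 18 rows of the table from the decision logic so the two can be compared cell by cell.

```python
"""Inbound AS2 authentication decision flow (added simulation, not GlobalSCAPE code).
Account data, credentials and AS2 IDs are constructed; signature verification is a
precomputed flag instead of a real S/MIME check against the partner certificate."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PartnerAccount:
    username: str
    password: str
    as2_from: str                          # AS2 identifier stored in the partner profile
    mls_allowed: bool = False              # Message Level Security permitted for this partner
    reject_as2_from_mismatch: bool = True  # "Mismatch AS2-From identifier" tolerance
    reject_unsigned: bool = True           # "Message not signed" tolerance

    def __post_init__(self) -> None:
        if self.mls_allowed:               # for an MLS partner neither tolerance can be Accept
            self.reject_as2_from_mismatch = True
            self.reject_unsigned = True


@dataclass
class InboundMessage:
    as2_from: Optional[str]                # AS2-From header value, None if absent
    auth: Optional[tuple[str, str]]        # (username, password) from the Authentication verb
    signature_verifies: Optional[bool]     # None = unsigned, True/False = verification result


def as2_processor(msg: InboundMessage, require_sign: bool) -> str:
    """Signature checks the AS2 processor applies before decryption and processing."""
    if msg.signature_verifies is False:
        return "fail"  # a signature that does not verify is always rejected
    if require_sign and msg.signature_verifies is None:
        return "fail"  # RequireSign is set but the message carries no signature
    return "pass"


def authenticate_inbound(msg: InboundMessage, accounts: dict[str, PartnerAccount]) -> str:
    """Return 'pass' or 'fail' by following the documented process flow."""
    if msg.auth is None:
        # No Authentication verb: identify the partner from AS2-From (MLS path).
        if not msg.as2_from:
            return "fail"
        partner = next((a for a in accounts.values() if a.as2_from == msg.as2_from), None)
        if partner is None or not partner.mls_allowed:
            return "fail"
        return as2_processor(msg, require_sign=True)

    username, password = msg.auth
    account = accounts.get(username)
    # Invalid credentials are rejected even when AS2-From and signature would match.
    if account is None or not hmac.compare_digest(account.password.encode(), password.encode()):
        return "fail"
    if account.reject_as2_from_mismatch and msg.as2_from != account.as2_from:
        return "fail"
    return as2_processor(msg, require_sign=account.reject_unsigned)


# The five partner configurations heading the columns of the scenario table.
CONFIGS: dict[str, dict[str, bool]] = {
    "MLS": {"mls_allowed": True},
    "Normal/accept mismatch/sign not required": {"reject_as2_from_mismatch": False, "reject_unsigned": False},
    "Normal/reject mismatch/sign not required": {"reject_as2_from_mismatch": True, "reject_unsigned": False},
    "Normal/accept mismatch/sign required": {"reject_as2_from_mismatch": False, "reject_unsigned": True},
    "Normal/reject mismatch/sign required": {"reject_as2_from_mismatch": True, "reject_unsigned": True},
}
# Header factors the client may send (constructed values).
AUTH = {"No Auth": None, "Valid Auth": ("acme", "s3cret"), "Invalid Auth": ("acme", "wrong")}
SIGN = {"No Sign": None, "Sign invalid": False, "Sign valid": True}
AS2ID = {"AS2ID invalid": "UNKNOWN-ID", "AS2ID valid": "ACME-AS2"}


def scenario_table() -> dict[str, dict[str, str]]:
    """Evaluate every header combination against every configuration."""
    table: dict[str, dict[str, str]] = {}
    for cfg_name, cfg in CONFIGS.items():
        accounts = {"acme": PartnerAccount("acme", "s3cret", "ACME-AS2", **cfg)}
        rows: dict[str, str] = {}
        for a_label, auth in AUTH.items():
            for s_label, sig in SIGN.items():
                for i_label, as2_from in AS2ID.items():
                    msg = InboundMessage(as2_from, auth, sig)
                    rows[f"{a_label}, {s_label}, {i_label}"] = authenticate_inbound(msg, accounts)
        table[cfg_name] = rows
    return table


if __name__ == "__main__":
    table = scenario_table()
    for row in table["MLS"]:
        print(f"{row:42} " + "  ".join(table[c][row] for c in CONFIGS))
```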

Configuring the AS2 Module

Configuring the AS2 module involves enabling AS2 on the Site as an allowed protocol, specifying EFT's AS2 identifier and certificate path, and defining AS2 trading partners (user accounts).

These topics provide details of configuring the AS2 module.

Enabling the AS2 Inbound Listener Service

You can configure EFT as an AS2 Receiver by allowing incoming transactions over the AS2 protocol and providing your AS2 Identifier and encryption and signing certificates to your trading partners. Your trading partners need this information to be able to share files over AS2.

When you configure a new Site, the Site Setup wizard provides options for configuring the protocol. After a Site is created, you can enable AS2 by selecting the AS2 check box on the Site's Connections tab.

You can enable or disable AS2 for partner (user) accounts on the Settings Template or for a partner account, or by selecting AS2 in the New User Creation wizard on the protocol selection page when you create the partner account.


To enable the AS2 inbound listener service, you will need to provide the following information:

• AS2 identifier. There is no standard for the AS2 Identifier. You can use your name, your company's name, or some other unique name. EFT validates the AS2 identifier to determine whether it is unique (not used by another partner on this EFT). If you type an ID that is not unique, the field resets to blank.

  EFT's AS2 Identifier can be overridden per account (partner); however, if you change EFT's AS2 Identifier, partners will not be able to connect to you until they update EFT's AS2 identifier on their systems.

• SSL certificate pair path for signing and encrypting AS2 messages. If the SSL certificate pair does not already exist, you are given the option to create one from within the AS2 Server Configuration dialog box.

  If you attempt to apply changes, navigate away from the Connections tab, or click OK in the Configuration dialog box when AS2 is enabled and no certificate path has been defined, EFT displays an error message. (You can click Cancel to close the dialog box without making changes.)

• EFT and the ARM module must be activated (or trial mode), and the ARM database must be configured. You cannot enable the AS2 inbound listener service while in Developer mode.

To enable the AS2 inbound listener service

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. Select the AS2 check box, and then click AS2 Config. The AS2 Setup Wizard appears.

5. Read the Welcome page, and then click Next. The AS2 identifier page appears.


6. In the Your AS2 Identifier box, type the name by which you are to be identified to trading partners. (The AS2 ID cannot contain Unicode characters.)

7. Click Next. The Certificate page appears.


8. Do one of the following:

• If you do not yet have a certificate defined, click create. The Create certificate wizard appears.

  a. Follow the prompts in the wizard to create the certificate.

  b. Click Finish. The Certificate file path, Private key file path, and masked Private key Passphrase boxes are completed with the location and file names of the created certificate.

• If you already have a certificate or want to specify a different certificate than the one displayed, specify its location and passphrase as described below:

  a. In the Certificate file path box, type the path or click the folder icon to select the file.

  b. In the Private key file path box, type the path or click the folder icon to select the file. (Can also be a combined key, e.g., PKCS#12 (.pfx).)

  c. In the Private key passphrase box, type the private key passphrase.

9. Click Next. The AS2 portal Web URL page appears.


10. The AS2 portal Web URL can be provided to trading partners so that they can obtain EFT's AS2 identifier and certificate public key to configure their AS2 client to transact with EFT. (You can also deliver the ID and certificate to your partner in an e-mail.)

11. To save the URL to paste into your website or e-mail, click Copy to clipboard, then click Next. The final page of the wizard appears.

12. Review the Next steps, then click Finish to save the configuration and close the dialog box.

13. Click Apply to save the changes on EFT.

Refer to the topics below for more information regarding configuring AS2 partners and transfers.

AS2 Certificates

You can create certificate files using EFT's Certificate wizard. If you have a combined certificate from a third party, use the procedure in Exporting a Certificate from PFX to PEM to extract the public key.

See also: SSL Certificate Compatibility.


Configuring AS2 Partners

EFT's AS2 module allows you to set up AS2 partner profiles as user accounts. The profile includes all necessary information for AS2 connectivity, including a hot folder that can trigger an event when a file is added using the AS2 profile and send the data that was added. This partner-provisioning orientation associates AS2 transactions directly to a user profile, rather than to an event trigger for which you would have to specify the user as a Condition of an Event Rule.

For these user (partner) accounts, the AS2 Outbound and AS2 Inbound tabs provide the ability to specify an AS2 inbound and outbound policy (parameters) for the selected partner (user). Your trading partners must provide you with the public key of their certificate and their AS2 Identifier.

You can create the accounts manually on the user account tabs or use the AS2 Partner Access wizard to define trading partners with detailed instructions. If you want to configure an AS2 trading partner manually, you first create or determine the Settings Template under which to define the account, create the user account (refer to Configuring Users and Settings Templates), then configure the AS2-specific parameters of the account. (Refer to the Related Topics below for the procedures.)

Editing AS2 Partner Profiles

• If you use AD, LDAP, or ODBC authentication and use those accounts as AS2 partners, and the account in the external database is changed, deleted, or disabled, any Event Rule or Command that references the account will fail. For example, if the AD account SSmith is renamed SJones, you will have to update any Event Rule or Command manually to reflect the new name of the account.

• If you are using Globalscape authentication and change an account, the Event Rules and Commands that reference the account will also update. However, if you delete or disable the account, or disallow use of AS2 for the account, any Event Rule or Command that references the account will fail. In this case, you should disable or delete the Event Rule, or change the AS2 partner information to an existing/enabled account.

Configuring AS2 Outbound Partners Using the Wizard

EFT provides an AS2 Partner Access wizard to assist you in configuring AS2 outbound connections.

This wizard is accessible from the AS2 Outbound partner configuration tab and the AS2 Send File to host Action dialog box (in Event Rules). Once completed, the data in the wizard populates the relevant fields on the AS2 Outbound tab and the AS2 Send File to host Action dialog box. The procedure below describes how to use the wizard to configure outbound AS2 partners. You can also configure the account manually on the AS2 Outbound tabs for each partner.

If you plan to execute a command upon success or failure of AS2 transactions, define the command before configuring your partner access; or you can go back later and edit the AS2 partner manually after you have defined the command.

If you plan to send a notification e-mail upon success or failure of AS2 transactions, you can Create an e-mail Notification Template to use in the e-mail Action.

To configure outbound AS2 partners using the wizard

1. In the administration interface, connect to EFT and click the Server tab.

2. Do one of the following:

• On the Server tab, click the user account that you want to configure, then in the right pane, on the account's Connections tab, select the AS2 outbound check box, and then click AS2 Outbound. The AS2 Outbound Settings dialog box appears.


• In an Event Rule, after adding the AS2 send file to host action to a Rule, click select. The AS2 Send File dialog box appears.


3. Click Setup Wizard. The AS2 Partner Outbound Wizard appears.


4. Click Next. The AS2 partner connection information page appears.

a. In the Partner host address or domain area, specify the protocol to use (http:// or https://), IP address/domain name, and Port number used to connect to the AS2 partner.

b. In the Path area, provide the path to the inbox, outbox, or mailbox at the AS2 partner location.

c. In the Username and Password boxes, provide the logon credentials.

d. If you need to configure a proxy server, click Proxy and then refer to Configuring an AS2 Outbound Proxy for the procedure, if necessary.

5. Click Next. The AS2 certificates page appears.

e. In the Your AS2 certificate public key box, the certificate that you specified when you created the Site appears.

f. In the Your partner's AS2 certificate public key box, type the path or click the folder icon to select your partner's public key file.

6. Click Next. The AS2 identifier page appears.

g. In the Your AS2 ID (AS2-From) box, your globally defined ID appears. You can use the same ID you defined for EFT when you enabled the AS2 inbound listener or you can define a different ID for each partner.

h. In the Your partner’s AS2 ID (AS2-To) box, specify this partner's ID (provided to you by the partner that you are defining).

AS2-From and AS2-To form a pair for identifying the sending and receiving partnership.

That is, they form a composite key for identifying the parties involved in the data exchange.

i. (Optional) In the Message subject box, specify the text that is to appear in the subject line of AS2 messages to/from this partner.

j. In the Content type box, click the list to specify the type of messages to be sent to/from this partner.

  i. X12 - Format used by many healthcare, insurance, government, transportation, and finance organizations.

  ii. EDIFACT - Format adopted by the International Organization for Standardization (ISO) as the ISO standard ISO 9735.

  iii. XML - File format used for structured documents.

  iv. EDI Consent - Provides a standard mechanism for "wrapping" the EDI objects but does not specify any details about those objects.

  v. Binary (default) - e.g., executables, word processing files, database, spreadsheet, and multimedia files

  vi. Plaintext - e.g., text and HTML files


For information about the various content types, refer to RFC 2046 at http://www.ietf.org/rfc/rfc2046.txt.

7. Click Next. The message and receipt options page appears.

k. In the Message options area, select or clear the check boxes depending on whether the AS2 message should be encrypted, signed, and/or compressed.

l. In the Receipt options area, click the list to specify whether to send a Signed receipt (Message Disposition Notification (MDN)), an Unsigned receipt, or no receipt (None).

  The MDN serves as a receipt, guaranteeing the transaction was successful. The receipt can also be signed, and you can specify whether to return the receipt immediately (synchronous MDN) or later (asynchronous MDN) if the remote Server must post-process the message prior to acknowledging the received data.

m. If you clicked Signed or Unsigned (not None), specify whether to send the receipt in the same session (synchronous) or independently of the session (asynchronous).

Asynchronous receipts will be returned to the domain name specified on the Site's Connection tab using the standard or secure listener port specified on that same page (depending on whether you specified HTTP or HTTPS for the remote host value).

8. Click Next. The message retry and timeout options page appears.


• (Optional) EFT can attempt to resubmit failed messages in case of network outage or other temporary (transient) errors. EFT will resend the same message, payload, and AS2 Message ID. Specify the following retry and timeout values as needed:

  o Message send attempt timeout (seconds). The range is 0-600 (0 = no timeout); the default value = 60 seconds.

  o Message retry attempts. The range is 0-9999 (0 = no retry); the default value = 3 retries.

  o Delay between retries (seconds). The range is 0-9999 (0 = no wait); the default value = 30 seconds.

  o Asynchronous receipt timeout (minutes). The range is 0-999,999 (0 = no timeout); the default value = 7200 minutes (5 days). (This option does not appear if you specified synchronous on the previous page.)

9. Click Next. The Transaction success or failure options appear.


• (Optional) Specify whether to send an e-mail notification upon transaction success and/or failure and whether to run a command upon transaction success and/or failure. Select the applicable check box, and then click Edit to configure the e-mail or Command.

10. Click Next. The hot folder page appears.


11. Specifying a folder to monitor is optional. If you specify a folder to monitor, EFT will automatically offload to your partner's AS2 server any files that are added to the specified folder. You can offload all files in the folder or only specific files or types of files. Wildcard masks can be used in the Include mask and Exclude mask boxes.

  - Click the folder icon to specify a folder or type a path in the Hot folder to monitor box.

  - If you want to delete the source file(s) after they are successfully sent, select the Delete check box.

  - If you want to specify that only certain files are sent, specify the files to include or exclude in the Include mask and Exclude mask boxes. For example, to exclude all .wav files, type *.wav in the Exclude box. By default, all files are sent (Include mask = *.*).

12. Click Next. The Test Connection page appears.

a. Click Test Connection. The AS2 Test Connection dialog box appears.

b. EFT attempts to connect to the AS2 partner and send test data.

• If the test fails, data appears in the AS2 connection log area that you can copy to the clipboard to be pasted in a text file or e-mail for troubleshooting. Click Close, then in the wizard click Back to adjust settings, if necessary.

• If the test is successful, click Close.

13. Click Finish. The information provided in the wizard is updated in the account's AS2 Outbound tab. To make further adjustments to the partner's configuration, you can edit the AS2 Outbound tab directly.


Configuring AS2 Inbound Partners Using the Wizard

EFT provides an AS2 Partner Access wizard to assist you in configuring AS2 inbound connections. This wizard is accessible from the AS2 Inbound partner configuration tab and the AS2 Send File to host Action dialog box (in Event Rules). Once completed, the data in the wizard populates the relevant fields on the AS2 Inbound tab and the AS2 Send File to host Action dialog box. The procedure below describes how to use the wizard to configure inbound AS2 partners. You can also configure the account manually on the AS2 Inbound tab for each partner.

If you plan to execute a command upon success or failure of AS2 transactions, define the command before configuring your partner access; or you can go back later and edit the AS2 partner manually after you have defined the command.

If you plan to send a notification e-mail upon success or failure of AS2 transactions, you can Create an e-mail Notification Template to use in the e-mail Action.

To configure inbound AS2 partners using the wizard

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user account that you want to configure.

3. In the right pane, click the Connections tab.

If the AS2 features are not available for the user, then AS2 is disabled on the Settings Template or the Site. Enable and configure AS2 on the Site before enabling AS2 on the Settings Template and user accounts.

4. Select the AS2 inbound check box and then click AS2 Inbound. The AS2 Inbound Settings dialog box appears.


5. Click Setup Wizard. The AS2 Partner Inbound Wizard appears.


6. Click Next. The AS2 certificates page appears.

a. In the Your AS2 certificate public key box, the certificate that you specified when you created the Site appears.

b. In the Your partner's AS2 certificate public key box, type the path or click the folder icon to select your partner's public key file.

7. Click Next. The AS2 identifier page appears.

a. In the Your AS2 ID (AS2-To) box, your globally defined ID appears. You can use the same ID you defined for EFT when you enabled the AS2 inbound listener or you can define a different ID for each partner.

b. In the Your partner’s AS2 ID (AS2-From) box, specify this partner's ID (provided to you by the partner that you are defining).

AS2-From and AS2-To form a pair for identifying the sending and receiving partnership.

That is, they form a composite key for identifying the parties involved in the data exchange.

8. Click Next. The authentication page appears.


• Specify whether this partner must provide a username and password to connect or if EFT will authorize transactions from this partner using Message Level Security.

9. Click Next. The tolerance options page appears.


• (Optional) When a duplicate message ID is identical in all regards to a previous message, including a duplicate payload, EFT will ignore it and reject the transaction. You can tell EFT to accept or reject duplicate message IDs with unique contents, unique message IDs with duplicate contents, and mismatched AS2-From or AS2-To identifiers. For each option, the default is to reject the transaction. If you specified Message-Level Security (MLS) authentication on the previous page, the Mismatch AS2-From identifier and Message not signed options cannot be changed. Specify whether to Accept or Reject messages for each of the following instances:

  o Duplicate Message ID (with different contents)

  o Duplicate content (with different Message ID)

  o Mismatch AS2-From identifier (cannot change to Accept for MLS authentication)

  o Mismatch AS2-To identifier

  o Message not signed (cannot change to Accept for MLS authentication)

  o Message not encrypted

10. Click Next. The resend options page appears.


11. Specify whether EFT will attempt to resend a failed asynchronous MDN in case of network outage or other temporary (transient) errors.

  o Receipt (MDN) send timeout (seconds). Range: 0-600 (0 = no timeout); the default value = 60 seconds.

  o Receipt (MDN) retry. Range: 0-999 (0 = no retry); the default value = 3 retries.

  o Delay between retries (seconds). Range: 0-600 (0 = no wait); the default value = 30 seconds.

12. Click Next. The commands and notifications page appears.


• (Optional) EFT can run predefined commands (such as launch a script) or send an e-mail notification upon successful or failed transactions (after all retries have been exhausted, or the MDN receipt was not received within the specified wait time). Select one or more of the following check boxes, then click Edit to configure the e-mail notification or specify the Command to use.

  o Send e-mail notification on transaction success

  o Send e-mail notification on transaction failure

  o Run command on transaction success

  o Run command on transaction failure

Refer to AS2 Transaction Success and Failure Notifications for more information.

13. Click Next. The optional post receipts page appears.


• (Optional) In the Move received file(s) to folder box, specify a location to move received files, including local, shared, or UNC path names. (Leave blank to not move the file.)

• In the Rename file(s) using mask box, provide a name for the file, if you want to change it. (The variable %FS.FILE_NAME% appears in the box by default.)

You can keep the existing filename or use EFT’s extensive variable selection to rename the file, prepending or appending dates, times, and other information. For example, if you want to add the date and time to the filename, you would provide the following variables in the Rename file(s) using mask box:

%FS.FILE_NAME%_%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%

14. Click Next. Configuration is complete.


15. Click Finish. Now that you have completed the AS2 inbound partner configuration wizard, you should contact your partner and ask them to connect and transfer a test file. Refer to Troubleshooting AS2 Connections for details.

The information provided in the wizard is updated in the account's AS2 Inbound tab. To make further adjustments to the partner's configuration, you can edit the AS2 Inbound tab directly.

AS2 Inbound Parameters

For AS2 inbound (receiver) connections for transactions over the HTTP and HTTPS ports, enable AS2 by selecting the AS2 check box on the Site's Connections tab. You can enable or disable AS2 for partner (user) accounts on the Settings Template and/or for each user, or by selecting AS2 in the New User Creation wizard on the protocol selection page when you create the partner account. The standard inheritance rules apply. (AS2 has to be enabled and configured for the Site before you can enable it for a Settings Template or user account.)


The parameters in the table below are available in the AS2 Inbound Settings dialog box and can be configured manually or using the setup wizard.

• Click Setup Wizard to Configure AS2 Inbound Partners Using the Wizard.

• Click Clear All to reset all of the fields to default values. (A confirmation prompt appears.)

Parameter (Required/Optional) - Description

Your certificate (Required) - Displays the AS2 certificate public key path to be used for signing the MDN and for decryption, copied from the Site. (Can be on a drive or UNC path.)

Partner certificate (Required) - Specifies the AS2 certificate to be used for verifying signed messages. (Can be on a drive or UNC path.)

Your AS2 identifier (Required) - Your AS2 identifier.

Partner AS2 identifier (Required) - Your partner's AS2 identifier (must be unique).

Authentication mechanism (Required) - Used to specify whether the client is authenticating with username and password or using Message Level Security (MLS). Refer to AS2 Authentication for more information.


Parameter (Required/Optional): Description

Partner AS2 identifier mismatch policy (Required): Accepts or rejects AS2 transactions in which the connecting partner's AS2-From ID does not match the AS2 identifier defined for that partner.
  Reject (default) - Disallow the transaction
  Accept - Allow the transaction

EFT AS2 identifier mismatch policy (Required): Accepts or rejects AS2 transactions in which the connecting partner's AS2-To ID does not match the EFT AS2 identifier defined for that partner on that partner's AS2 Inbound tab.
  Reject (default) - Disallow the transaction
  Accept - Allow the transaction

Duplicate Message ID with different contents (Required): Accepts or rejects AS2 transactions with duplicate Message IDs. (For a duplicate Message ID with the same contents, refer to Troubleshooting AS2 Issues.)
  If an incoming request has the same Message ID and the same payload as a prior incoming message, EFT returns the exact response it sent for that prior transaction and does not extract or process the payload (it discards the payload, does not save it to the file system, does not trigger Event Rules, and so on).
  If an incoming request has the same Message ID but a different payload, EFT processes or discards the message according to this setting. Options include:
  Reject (default) - Disallow the transaction
  Accept - Allow the transaction

Duplicate Contents with different Message ID (Required): Overwrites or rejects AS2 transactions in which the received file has the same name as a file already residing in the upload directory.
  Reject (default) - Disallow the transaction
  Overwrite - Overwrite the existing file with the new version
  Numerate - Add a unique number to the filename

Message not signed (Required): Specifies whether EFT accepts or rejects a transaction that is not signed.

Message not encrypted (Required): Specifies whether EFT accepts or rejects a transaction that is not encrypted.

MDN send attempt timeout (seconds) (Required): Timeout after which an asynchronous MDN send attempt is considered a failure if no response is received from the remote server. Range: 0-600; 60 seconds is the default; 0 = no timeout.
  Asynchronous receipts are returned to the domain name specified on the Site's Connections tab, using the standard or secure listener port specified on that same page (depending on whether HTTP or HTTPS was specified for the remote host value).

MDN send attempt retries (Optional): Number of times to attempt to send the MDN. Range: 0 (no retry) to 999; 10 is the default. Retries do not include the initial attempt; that is, 10 retries means 10 in addition to the first attempt (11 total).

MDN send attempt delay between retries (seconds) (Optional): Retry interval. Range: 0 (no wait) to 600 seconds; 30 seconds is the default.
  Failure occurs only after all attempts to send the MDN have failed. Likewise, success is reported only after the complete transaction has occurred (file received and MDN sent).


Parameter (Required/Optional): Description

Transaction FAILED notification email* (Optional): Opens the Edit Mail Template, in which you specify an e-mail notification for a failed transaction. (Refer to E-mail Notification Action for details of defining an e-mail notification.)

Transaction SUCCESS notification email* (Optional): Opens the Edit Mail Template, in which you specify an e-mail notification for a successful transaction. (Refer to E-mail Notification Action for details of defining an e-mail notification.)

Transaction FAILED run command* (Optional): Opens the Custom Command dialog box, in which you specify a Custom Command to run after a failed transaction. (Refer to Creating a Command to create a command, and to Using an Event Rule to Execute a Command (Run a Process) for details of using a Command.)

Transaction SUCCESS run command* (Optional): Opens the Custom Command dialog box, in which you specify a Custom Command to run after a successful transaction. (Refer to Creating a Command to create a command, and to Using an Event Rule to Execute a Command (Run a Process) for details of using a Command.)

Move received data to folder (Optional): Specifies a folder in which to save received data. (Can be on a drive or UNC path.)

Rename file(s) to (Optional): Appends a filename built from the specified variables to the path; the original filename is preserved if this field is left undefined. This parameter is the same as the Specify relative path and filename field on the Target File tab of the Offload Action wizard in EFT's Copy/Move File to Host Action.

HTTP 1.0 mode (don't send HTTP/1.1 100 Continue) (Optional): "100 Continue" is part of the HTTP protocol and means "everything is OK so far; continue this transaction"; many AS2 servers use it to avoid timeouts. It is the client software's responsibility to process this interim reply properly (skip it until a 200 OK or a real HTTP error is received). If the partner's client does not process the reply correctly, select this check box to turn off the "100 Continue" response. (The check box is cleared by default.) If your AS2 partner receives multiple MDN failures when sending to EFT over HTTPS, select this check box to turn off the "100 Continue" reply.

* EFT sends e-mails and executes commands only after the final transaction status (Failure or Success) is known.
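The following Python script is an added example, not EFT's own code: it applies the inbound policies from the tables above to constructed messages, showing the AS2-From/AS2-To mismatch checks, the replay of the cached response when a Message ID is repeated with an identical payload, the rejection of a reused Message ID with different contents, the Numerate option for a duplicate filename, and the Message not signed policy. The profile field names, the in-memory caches, the AS2 identifiers (EFT-HQ, ACME) and the Numerate numbering scheme (inv.edi becomes inv_1.edi) are assumptions made for the example.

```python
"""Inbound AS2 acceptance checks modelled on the AS2 Inbound Settings above.

Added example, not EFT code: profile field names, the in-memory caches and the
Numerate naming scheme (inv.edi -> inv_1.edi) are assumptions.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class InboundProfile:
    your_as2_id: str                         # expected AS2-To value
    partner_as2_id: str                      # expected AS2-From value
    partner_id_mismatch: str = "Reject"      # Reject | Accept
    eft_id_mismatch: str = "Reject"          # Reject | Accept
    dup_msgid_diff_contents: str = "Reject"  # Reject | Accept
    dup_contents_diff_msgid: str = "Reject"  # Reject | Overwrite | Numerate
    message_not_signed: str = "Reject"       # Reject | Accept
    message_not_encrypted: str = "Reject"    # Reject | Accept


@dataclass
class ReceiverState:
    seen: dict = field(default_factory=dict)  # Message-ID -> (payload digest, response)
    inbox: set = field(default_factory=set)   # filenames already in the upload directory


def numerate(filename, existing):
    """Assumed Numerate scheme: append _1, _2, ... before the extension."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    n = 1
    while f"{stem}_{n}{dot}{ext}" in existing:
        n += 1
    return f"{stem}_{n}{dot}{ext}"


def evaluate_inbound(profile, state, headers, payload, filename, signed, encrypted):
    """Apply the policies in order; return (decision, detail).

    decision is ACCEPT, REJECT or REPLAY (cached response returned, payload dropped).
    """
    if headers.get("AS2-From") != profile.partner_as2_id and profile.partner_id_mismatch == "Reject":
        return "REJECT", "AS2-From does not match the partner AS2 identifier"
    if headers.get("AS2-To") != profile.your_as2_id and profile.eft_id_mismatch == "Reject":
        return "REJECT", "AS2-To does not match the EFT AS2 identifier"
    if not signed and profile.message_not_signed == "Reject":
        return "REJECT", "message not signed"
    if not encrypted and profile.message_not_encrypted == "Reject":
        return "REJECT", "message not encrypted"

    msg_id = headers.get("Message-ID")
    digest = hashlib.sha256(payload).hexdigest()
    if msg_id in state.seen:
        prior_digest, prior_response = state.seen[msg_id]
        if prior_digest == digest:
            # Same Message-ID and same payload: a retransmission. Return the
            # earlier response verbatim; do not store the file or run Event Rules.
            return "REPLAY", prior_response
        if profile.dup_msgid_diff_contents == "Reject":
            return "REJECT", "duplicate Message-ID with different contents"

    target = filename
    if filename in state.inbox:
        policy = profile.dup_contents_diff_msgid
        if policy == "Reject":
            return "REJECT", f"{filename} already exists in the upload directory"
        if policy == "Numerate":
            target = numerate(filename, state.inbox)
        # Overwrite: keep the original name and replace the file

    response = f"MDN for {msg_id}: stored {target}"
    state.seen[msg_id] = (digest, response)
    state.inbox.add(target)
    return "ACCEPT", response


def run_demo():
    """Constructed traffic from one partner; returns the decisions in order."""
    profile = InboundProfile(your_as2_id="EFT-HQ", partner_as2_id="ACME",
                             dup_contents_diff_msgid="Numerate")
    state = ReceiverState()
    ok = {"AS2-From": "ACME", "AS2-To": "EFT-HQ", "Message-ID": "<m1@acme>"}
    return [
        evaluate_inbound(profile, state, ok, b"ISA*00*", "inv.edi", True, True),
        # partner retransmits the identical message (e.g. it never saw the MDN)
        evaluate_inbound(profile, state, ok, b"ISA*00*", "inv.edi", True, True),
        # same Message-ID reused for a different payload
        evaluate_inbound(profile, state, ok, b"ISA*01*", "inv.edi", True, True),
        # new Message-ID, same filename as a stored file -> Numerate
        evaluate_inbound(profile, state, {**ok, "Message-ID": "<m2@acme>"},
                         b"ISA*02*", "inv.edi", True, True),
        # AS2-From does not match the partner profile
        evaluate_inbound(profile, state, {**ok, "AS2-From": "EVIL", "Message-ID": "<m3@x>"},
                         b"ISA*03*", "x.edi", True, True),
        # unsigned message under the default Reject policy
        evaluate_inbound(profile, state, {**ok, "Message-ID": "<m4@acme>"},
                         b"ISA*04*", "y.edi", False, True),
    ]


if __name__ == "__main__":
    for decision, detail in run_demo():
        print(decision, "-", detail)
```

The order of the checks matters: identifier and signing/encryption policies are evaluated before the duplicate checks, so a message from an unexpected AS2-From never reaches the cache, and the cached response is replayed only when both the Message ID and the payload digest match.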

AS2 Outbound (Sender) Parameters

For outbound (sender) AS2 transactions over the HTTP and HTTPS ports, enable AS2 by selecting the AS2 check box on the Site's Connections tab. You can then enable or disable AS2 in the Settings Template and/or for the user account, or by selecting AS2 on the protocol selection page of the New User Creation wizard when you create the user. The standard inheritance rules apply. (AS2 must be enabled and configured for the Site before you can enable it for a Settings Template or user account.)


The parameters in the table below are available in the AS2 Outbound Settings dialog box and can be configured manually or using the setup wizard.

• Click Setup Wizard to Configure AS2 Outbound Partners Using the Wizard.

• Click Test to test the connection to the partner.

• Click Proxy to launch the Proxy Settings dialog box. You can forward the connection through the DMZ Gateway (as a SOCKS5 proxy) or through an HTTP proxy of your choosing.

• Click Clear All to reset all of the fields to default values. (A confirmation prompt appears.)

Parameter (Required/Optional): Description

Monitored hot folder (Optional): Specifies the folder to monitor for added files. If no folder is specified, no folder monitoring occurs; the partner profile can still be invoked from Event Rules. (Can be on a drive or UNC path.)

File include mask (Optional): Includes files, selected by extension, for sending to the partner's remote AS2 host; for example, include only .txt files. Defaults to an asterisk (*), which includes all files; blank also includes all files. Accepts wildcard masks, semicolon- or comma-delimited.

File exclude mask (Optional): Excludes files, selected by extension, from sending to the partner's remote AS2 host; for example, exclude .txt files. Defaults to blank, which excludes no files. Accepts wildcard masks, semicolon- or comma-delimited.

Delete source after successful offload (MDN received) (Required): Deletes source files after they have been sent to the destination and the MDN has been received from the remote AS2 host and verified. Selected by default.

Host address (Required): AS2 outbound host address. Requires a protocol prefix in the URL (http:// or https://). Specified in the AS2 Partner Access wizard.

Port (Required): AS2 outbound port. Range is 1-65535; defaults to 80 if the host address is prefixed with http://, and to 443 if it is prefixed with https://.

Path (Optional): Relative path to the remote directory, such as /partnerXYZ, /partners/mailboxes/xyz, or /192.168.20.16/path.

Username (Optional): User login name.

Password (Optional): Password.

Message subject (Optional): AS2 message subject.

Content type (Required): AS2 content type. Options include:
  X12 - Format used by many healthcare, insurance, government, transportation, and finance organizations.
  EDIFACT - Format adopted by the International Organization for Standardization (ISO) as the ISO standard ISO 9735.
  XML - File format used for structured documents.
  EDI Consent - Provides a standard mechanism for "wrapping" the EDI objects but does not specify any details about those objects.
  Binary (default) - e.g., executables, word processing files, database, spreadsheet, and multimedia files
  Plaintext - e.g., text and HTML files
  For information about the various content types, refer to RFC 2046 at http://www.ietf.org/rfc/rfc2046.txt.

Compress message (Required): When selected, the AS2 message is compressed when sent. (Cleared by default.)

Encrypt message (Required): When selected, outbound AS2 messages are encrypted. (Selected by default.)

Sign message (Required): When selected, outbound AS2 messages are signed. (Selected by default.)

Your certificate (Required): Displays the path of EFT's own AS2 certificate, copied from the Site; its private key signs outbound messages. (Can be on a drive or UNC path.)

Partner certificate (Required): Specifies the partner's AS2 certificate, used to encrypt outbound transactions and to validate signed MDN receipts. (Can be on a drive or UNC path.)

Your AS2 identifier (Required): The AS2-From ID applied to outbound messages.

Partner AS2 identifier (Required): The AS2-To ID applied to outbound messages.

Receipt policy (Required): Requests an MDN receipt. Options include:
  Don't request a receipt
  Request a signed receipt (default)
  Request an unsigned receipt

Receipt delivery (Required): Specifies the receipt delivery method:
  Synchronous (default)
  Asynchronous (see Asynchronous receipt timeout, below)

The following fields determine whether a message send attempt has failed because of a timeout, an error, a synchronous MDN receipt failure, or another error, after which EFT attempts to resend the same message at regular intervals, if configured. Because EFT is sending the same content, it resends the same message, payload, and AS2 Message ID.

Parameter (Required/Optional): Description

Message send attempt timeout (seconds) (Optional): Timeout after which a message send attempt is considered a failure if no response or error is received from the remote server. Range: 0-600; 60 by default; 0 means no timeout.

Message send attempt retries (Optional): Number of times to reattempt sending the message. Range: 0 (no retry) to 999; 10 is the default. Retries do not include the initial attempt; that is, 10 retries means 10 in addition to the first attempt (11 total).

Send attempt delay between retries (Optional): Interval between resend attempts. Range: 0 (no wait) to 600 seconds; 30 seconds is the default.

Asynchronous receipt timeout (Optional): Timeout after which EFT determines whether an asynchronous receipt was received. Range: 0 (no timeout) to 999,999 minutes; 7200 minutes (5 days) is the default. If the MDN arrives after the timeout expires, EFT discards it, returns an HTTP error code to the sender, and triggers the transaction failure event, if one is defined.

Transaction FAILED notification e-mail* (Optional): Opens the Edit Mail Template, in which you specify an e-mail notification for a failed transaction. (Refer to E-mail Notification Action for details of defining an e-mail notification.)

Transaction SUCCESS notification e-mail* (Optional): Opens the Edit Mail Template, in which you specify an e-mail notification for a successful transaction. (Refer to E-mail Notification Action for details of defining an e-mail notification.)

Transaction FAILED run command* (Optional): Opens the Custom Command dialog box, in which you specify a Custom Command to run after a failed send. (Refer to Creating a Command to create a command, and to Using an Event Rule to Execute a Command (Run a Process) for details of using a Command.)

Transaction SUCCESS run command* (Optional): Opens the Custom Command dialog box, in which you specify a Custom Command to run after a successful send. (Refer to Creating a Command to create a command, and to Using an Event Rule to Execute a Command (Run a Process) for details of using a Command.)

* EFT sends e-mails and executes commands only after the final transaction status (Failure or Success) is known.


Configuring an AS2 Outbound Proxy

If you need to configure a proxy server for outbound AS2 transmissions, the option is available in the AS2 Outbound Settings dialog box.

To configure an outbound proxy

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user (trading partner) you want to configure.

3. In the right pane, click the Connections tab.

4. Click AS2 Outbound. The AS2 Outbound Settings dialog box appears.

5. Click Proxy. The Proxy Settings dialog box appears.

6. Select the Use proxy settings below when connecting to remote host check box. The Proxy type options become available.

7. Click one of the following:

   Use EFT's DMZ Gateway as the proxy to use DMZ Gateway as a SOCKS5 proxy.

   HTTP proxy to use another proxy via HTTP, and specify the Host name, Port, Username, and Password.

8. Click OK to save the settings and return to the AS2 Outbound Settings dialog box.

9. Click Apply.

Initiating AS2 Outbound Transactions

EFT's AS2 module can initiate outbound AS2 transactions as an AS2 client; that is, as an AS2 Sender. The Server provides two methods for initiating AS2 outbound transactions, described below:

• Partner Profile method. A Folder Monitor Event trigger mapped directly to a user account's (trading partner's) AS2 profile can monitor a specified folder for added files and, when triggered, send those files to the specified partner AS2 profile. This Event is neither visible nor editable in the Event Rules node.

• Event Rules. The AS2 Send file to host Event Rule Action can be triggered by the Scheduler (Timer) Event, the Folder Monitor Event, or any file-based Event trigger. When triggered, the AS2 Send file to host Action uses the provided configuration data to send the context file(s) or manually specified file(s) to the specified partner AS2 profile. (Refer to Sending Files to an AS2 Partner via Event Rules for details.)


To use the Partner Profile method

1. In the administration interface, connect to EFT and click the Server tab.

2. Configure a reusable AS2 partner profile. (Create a new user or modify an existing user account.)

3. In the left pane, click the user (trading partner) you want to configure.

4. In the right pane, click the Connections tab.

5. Click AS2 Outbound. The AS2 Outbound Settings dialog box appears.

6. In the Monitored hot folder box, click the open icon to specify a folder that is tied to that partner profile/user account (e.g., the user's Home folder).

7. Click OK to close the Browse for Folder dialog box.

8. Click OK to close the AS2 Outbound Settings dialog box.

9. Click Apply to save the changes on EFT.

EFT verifies whether the selected folder exists and, if not, displays an error message. When a file is added to the hot folder, it is immediately sent to the predefined remote AS2 host and (optionally) deleted from the source location after a confirmed send (MDN received and verified). This method creates a hidden Folder Monitor Event Rule with an "If user is" Condition that triggers an AS2 Send File to host Action when files are added to the folder.

Moving Files Received from AS2 Partners

You can configure AS2 inbound transfers to move and/or rename files after they are received. These settings, combined with setting Duplicate Contents with different Message ID to Reject, prevent received files that have the same name and extension from being overwritten.

To move received files

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user (trading partner) you want to configure.

3. In the right pane, click the Connections tab.

4. Click AS2 Inbound. The AS2 Inbound Settings dialog box appears.

5. To specify the folder in which to move all received files, in the Move received data to folder box, click the folder icon . The Browse for folder dialog box appears.

6. Click a folder or click Make New Folder to create a new folder, and then click OK. The folder path appears in the Move received data to folder box.

7. Click OK to close the AS2 Inbound Settings dialog box.

8. Click Apply to save the changes on EFT.

Renaming Files Received from AS2 Partners

You can configure AS2 inbound transfers to move and/or rename files after they are received. These settings, combined with setting Duplicate Contents with different Message ID to Reject, prevent received files that have the same name and extension from being overwritten.

To rename received files

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the user (trading partner) you want to configure.

3. In the right pane, click the Connections tab.

4. Click AS2 Inbound. The AS2 Inbound Settings dialog box appears.


5. In the Rename file(s) to box, click at the far right to activate the text box, then provide the characters and/or variables with which to rename received files. Use %EVENT.DATESTAMP% and %EVENT.TIMESTAMP% to add the date and time to the file name, and %FS.FILE_NAME% for the name of the file. For example, if you type:

   %EVENT.DATESTAMP%_%EVENT.TIMESTAMP%_%FS.FILE_NAME%

   a file transferred as dailyprogress.doc on May 3, 2008 at 10:56:26 is renamed to 05032008_105626_dailyprogress.doc.

6. Click OK to close the AS2 Inbound Settings dialog box.

7. Click Apply to save the changes on EFT.
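As an added example, not EFT's own code, the following Python script expands a Rename file(s) to template the way the procedure above describes and reproduces the page's dailyprogress.doc example. The date format (MMDDYYYY) and time format (HHMMSS) are inferred from that example rather than stated by the page, only the three variables the page names are supported, and the filename check that rejects directory components in a partner-supplied name is hardening added here, not documented EFT behaviour.

```python
"""Expand an EFT-style "Rename file(s) to" template for a received AS2 file.

Added example, not EFT code. The date format MMDDYYYY and time format HHMMSS
are inferred from the page's own example (05032008_105626_dailyprogress.doc);
only the three variables the page names are supported, and the filename
check is hardening added here, not documented EFT behaviour.
"""
import re
from datetime import datetime

VARIABLE = re.compile(r"%([A-Z_.]+)%")
SUPPORTED = {"EVENT.DATESTAMP", "EVENT.TIMESTAMP", "FS.FILE_NAME"}
EXAMPLE_RECEIVED_AT = datetime(2008, 5, 3, 10, 56, 26)   # the page's example


def is_safe_filename(name):
    """Reject partner-supplied names that could escape the inbox directory."""
    return bool(name) and name not in (".", "..") and "/" not in name and "\\" not in name


def unsupported_variables(template):
    """Variables in the template that this expander does not know."""
    return sorted(set(VARIABLE.findall(template)) - SUPPORTED)


def expand_rename_template(template, filename, received_at):
    """Return the stored filename; an empty template preserves the original name."""
    if not is_safe_filename(filename):
        raise ValueError(f"unsafe filename from partner: {filename!r}")
    if not template:
        return filename
    unknown = unsupported_variables(template)
    if unknown:
        # fail closed rather than store a file literally named "%FS.FILENAME%"
        raise ValueError(f"unsupported variable(s) in template: {unknown}")
    values = {
        "EVENT.DATESTAMP": received_at.strftime("%m%d%Y"),  # 05032008 (assumed MMDDYYYY)
        "EVENT.TIMESTAMP": received_at.strftime("%H%M%S"),  # 105626
        "FS.FILE_NAME": filename,
    }
    # re.sub with a callable inserts the value literally, so a "%" inside the
    # partner's filename is never re-expanded as a variable
    return VARIABLE.sub(lambda m: values[m.group(1)], template)


def demo():
    """The page's example: dailyprogress.doc received 2008-05-03 10:56:26."""
    return expand_rename_template("%EVENT.DATESTAMP%_%EVENT.TIMESTAMP%_%FS.FILE_NAME%",
                                  "dailyprogress.doc", EXAMPLE_RECEIVED_AT)


if __name__ == "__main__":
    print(demo())
```

Note that an MMDDYYYY prefix does not sort chronologically across years in a directory listing; if you rely on the prefix for ordering, verify the format EFT actually produces on your installation before building downstream tooling on it.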

AS2 Account Information Web Page

EFT provides an AS2 Web page at the reserved path /as2. On this page, partners can access the following information:

• EFT's public AS2 certificate (https://localhost/as2/certificate)

• The Site's AS2 Global Identifier (Refer to Enabling the AS2 Inbound Listener Service for details of specifying the AS2 ID.)

• The destination folder (inbox/mailbox). (The destination folder is the partner's/user's Home Folder, configured on the General tab of the partner/user account.)

Your trading partners can download EFT's AS2 certificate from the AS2 Account Information page. Provide your trading partners with the URL of the page (e.g., https://mycompanyAS2website/as2), then instruct them as described below. (Instructions are also provided on the Web page.) Partners should confirm the certificate's fingerprint with you through a separate channel before trusting it.

To open the AS2 Account Information page

1. Open a browser and go to the URL provided to you by the EFT administrator (e.g., https://mycompanyAS2website/as2). A log in page appears.

2. Log in with your EFT credentials. The AS2 Account Information page appears.

To download the Server's AS2 certificate

• Do one of the following:

  o Right-click the Download EFT AS2 certificate link, click Save Target As, specify a location for the certificate, then click Save. The file is saved as certificate.txt. To use the file with EFT, change the extension to .crt.

  o Click the Download link. The certificate contents display in the browser.

  o Copy and paste the contents of the page into your AS2 application's certificate box. (Include the BEGIN CERTIFICATE and END CERTIFICATE lines.)

Specifying a Temporary Folder for AS2 Transfers

If you don't want to use the EFT installation folder for temporary files, or you want better visibility into your AS2 transfers, you can add the registry setting below to specify a location for files from AS2 POST requests on both the sending and receiving sides.

32-bit OS:

HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 4.0\Config

"AS2TempFolderPath" = path

64-bit OS:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\GlobalSCAPE Inc.\EFT Server 4.0\Config

"AS2TempFolderPath" = path

(If the path does not already exist, it will be created.)

Allowing AS2 Connections to a Site

AS2 connections must be configured on EFT before you can enable AS2 connections in the Site, Settings Template, or user account.

AS2 is a separately licensed product. It is available during the trial period; however, when EFT trial expires, the AS2 module trial also expires.

To allow AS2 connections to a Site

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site that you want to configure.

3. In the right pane, click the Connections tab.

4. In the Listener Settings area, select the AS2 check box.

5. Click AS2 Config. Refer to Enabling the AS2 Inbound Listener Service for details of AS2 configuration.

6. Click Apply to save the changes on EFT.


Allowing AS2 Connections in the Settings Template or User Account

AS2 connections must be configured on the Site before you can enable AS2 connections in the Settings

Template or user account.

To allow AS2 connections for Settings Templates or user accounts

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Settings Template or user account that you want to configure.

3. In the right pane, click the Connections tab.

4. In the Protocols area, select the AS2 check box.

5. Click AS2 Inbound to configure inbound connections ; click AS2 Outbound to configure outbound connections .

6. Click Apply to save the changes on EFT.

AS2 Events, Conditions, Actions, and Variables

These topics provide information and procedures for defining Event Rules to automate AS2 transfer activities. For details of defining Event Rules, refer to Creating Event Rules .

Introduction to AS2 Events, Conditions, Actions, and Variables

AS2 transfers can have more than a simple success or failure outcome. For example, an outbound AS2 file transfer may succeed, but no MDN is received from the remote host; in some cases this is considered an outright failure. In another case, a file is sent successfully and an MDN is received, but the MDN's signature cannot be verified. Some AS2 systems do not treat these as an overall failure, but others do. For example, a remote host may accept an inbound file and log that the signature is bad, yet still accept the file. Likewise, EFT by default accepts most AS2 transmissions, even if there is a MIC mismatch or the certificate that signed the payload was not found; however, the overall transaction is not considered a success unless every part of the transmission succeeds.

EFT always rejects inbound unencrypted transmissions over plaintext HTTP protocol, and upload attempts to a folder to which the user has no write permissions. EFT considers these overall permanent failures.

For details of the AS2 Send File Action, refer to Sending Files to an AS2 Partner in the Event Rules chapter.

Sending Files to an AS2 Partner via Event Rules

(Available in EFT Enterprise) You can send files via AS2 to a partner for whom you have not previously provisioned an outbound profile by manually specifying that partner's profile in the AS2 Send File Event Rule Action. Alternatively, if the AS2 partner has an outbound profile defined, you can select that profile when you define the AS2 Send File options.

For example, you could define a Rule with a Timer Event so that every Monday at 8 a.m., all files in a certain folder are sent either to a partner that already has a profile defined on the Server or to a partner that you will define "on the fly" in the AS2 Send File dialog box.

The AS2 Send File to host Action is a synchronous Action even if asynchronous MDN receipts are requested. Synchronous means that the Event Rule executes Actions sequentially from top to bottom: when EFT encounters an AS2 outbound Action, it performs the transfer, and then, if the MDN is synchronous, waits for the result before moving to the next Action (with success/failure set appropriately). If the MDN is asynchronous, EFT proceeds to the next Action based only on the HTTP result of the SEND operation, NOT on the result of the asynchronous MDN receipt.


The AS2 Send File to host Action can be used for Folder Monitor, Timer, and all file-based Events.

UTF-8 filenames/non-ASCII characters are not supported over the AS2 protocol. It is the responsibility of the trading partners to determine the file-naming limits imposed by their trading environments. Refer to RFC 2183, section 2.3, for details of filename parameters.

When triggered, the AS2 Send File to host Action offloads one or more user-defined files or one or more context files. Depending on the AS2 Send File to host Action’s retry configuration, the Action fails if any error occurs when attempting to send the AS2 payload. Those errors may include any connection, authentication, transport, or navigation errors; receipting errors or failures; payload errors, including transfer errors or integrity mismatch errors or failures; server communicated errors; and unknown or undefined errors, such as:

• No receipt was provided

• The receipt was not signed

• The MIC value returned did not match the original file/message MIC

• EFT was unable to:

  o verify the receipt signature

  o establish a connection to the remote host

  o upload the file to the remote host

  o send the receipt asynchronously

  o send the receipt synchronously
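The following Python script is an added example, not EFT's own code, that models two passages together: the Message send attempt retries and delay fields described under AS2 Outbound (Sender) Parameters (retries are counted in addition to the first attempt, and every resend carries the same payload and Message ID), and the failure list above (a missing receipt, a receipt for the wrong message, a MIC that does not match the original). The remote host is a constructed in-memory stub and its MDN is a minimal dictionary rather than a real multipart/report body; the MIC is the SHA-1 form the page says EFT uses (base64 of the digest, labelled "sha1"); the header names, AS2 identifiers and the decision to treat a synchronous receipt failure as a retried attempt are assumptions made for the example.

```python
"""Outbound AS2 send loop with retry accounting and MIC verification, modelled on
the retry fields and the failure conditions above.

Added example, not EFT code. The remote host is a constructed in-memory stub and
its MDN is a minimal dict, not a real multipart/report. The MIC is the SHA-1
form the page says EFT uses (base64 of the digest, labelled "sha1"); the
header names and AS2 identifiers are assumptions. Retry delays are recorded,
not slept.
"""
import base64
import hashlib
from dataclasses import dataclass


def compute_mic(content: bytes) -> str:
    """Received-Content-MIC for a body with no signing/encryption wrapper."""
    return base64.b64encode(hashlib.sha1(content).digest()).decode() + ", sha1"


@dataclass
class SendConfig:
    retries: int = 10          # reattempts beyond the first try (page: 10 => 11 total)
    delay_s: int = 30          # wait between attempts
    request_receipt: bool = True


class PartnerStub:
    """Constructed remote AS2 host: answers 503 `failures` times, then 200.

    tamper=True returns an MDN whose MIC does not match what was sent.
    """

    def __init__(self, failures=0, tamper=False):
        self.failures, self.tamper = failures, tamper
        self.posts = []        # every Message-ID the host saw, in order

    def post(self, headers, payload):
        self.posts.append(headers["Message-ID"])
        if self.failures > 0:
            self.failures -= 1
            return {"status": 503}
        body = payload + b"tampered" if self.tamper else payload
        return {"status": 200, "mdn": {"Original-Message-ID": headers["Message-ID"],
                                       "Received-Content-MIC": compute_mic(body)}}


def attempt_once(partner, headers, payload, expected_mic, want_receipt):
    """One send attempt; returns None on success or the failure reason."""
    resp = partner.post(headers, payload)
    if resp["status"] != 200:
        return f"server returned HTTP {resp['status']}"
    if not want_receipt:
        return None
    mdn = resp.get("mdn")
    if mdn is None:
        return "no receipt was provided"
    if mdn.get("Original-Message-ID") != headers["Message-ID"]:
        return "receipt does not reference the message that was sent"
    if mdn.get("Received-Content-MIC") != expected_mic:
        return "MIC value returned did not match the original message MIC"
    return None


def send_with_retries(partner, cfg, message_id, payload):
    """Send up to cfg.retries + 1 times, reusing the same Message-ID and payload.

    Returns (status, attempts_made, total_delay_s). A synchronous receipt
    failure counts as a failed attempt and is retried like a transport error.
    """
    headers = {"AS2-From": "EFT-HQ", "AS2-To": "ACME", "Message-ID": message_id}
    expected_mic = compute_mic(payload)
    last_error, delay = None, 0
    for n in range(cfg.retries + 1):
        if n:                      # no delay before the initial attempt
            delay += cfg.delay_s   # a real sender would time.sleep(cfg.delay_s) here
        last_error = attempt_once(partner, headers, payload, expected_mic,
                                  cfg.request_receipt)
        if last_error is None:
            return "success", n + 1, delay
    return last_error, cfg.retries + 1, delay


def run_demo():
    """Three constructed exchanges; returns (status, attempts, delay, posts) each."""
    payload = b"ISA*00*          *00*          *ZZ*ACME..."
    out = []
    flaky = PartnerStub(failures=2)            # recovers on the third try
    out.append(send_with_retries(flaky, SendConfig(retries=10), "<m1@eft>", payload) + (flaky.posts,))
    down = PartnerStub(failures=5)             # still down after 1 + 2 attempts
    out.append(send_with_retries(down, SendConfig(retries=2), "<m2@eft>", payload) + (down.posts,))
    bad = PartnerStub(tamper=True)             # MDN MIC never matches
    out.append(send_with_retries(bad, SendConfig(retries=1), "<m3@eft>", payload) + (bad.posts,))
    return out


if __name__ == "__main__":
    for status, attempts, delay, posts in run_demo():
        print(f"{status!r} after {attempts} attempt(s), {delay}s of retry delay, posts={posts}")
```

Because every retry reuses the Message ID, a receiver that implements the duplicate Message ID handling described for the inbound side can recognise the retransmission and replay its earlier MDN instead of processing the file twice; the MIC comparison is what turns a receipt that arrived but covers different content into a failed attempt rather than a success.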

To send files using the AS2 Send File to host Action

1. Create a new Event Rule, such as a Scheduler (Timer) Event . (Refer to Creating Event Rules for details of creating Event Rules, if necessary.)

2. Add the AS2 Send file to host Action to the Rule.

3. Click one of the underlined text links. The AS2 Send File dialog box appears.


4. In the File(s) to upload box, type the path or click the folder icon to specify the file to send to this partner. Include the entire path to the file. You can also use File System context variables such as %FS.PATH% or wildcard masks. For example, to send all files in a folder, type the folder path and *.*. (The files are not sent all at once; each file has a unique Message ID.)

5. In the Partner Configuration area, specify the AS2 Partner profile using one of the following methods:

• In the Partner profile box, select a defined AS2 outbound partner profile. The fields in the AS2 connection details area are completed automatically.

• Provide the connection details in the AS2 connection details area. (Refer to AS2 Send File Dialog Box Fields, below, for details of each field.)

• Click Setup Wizard to use the wizard to set up the profile.


The Partner profile box is linked to the selected profile configuration. If you are using Globalscape authentication and the profile is updated, the information in the AS2 Send File dialog box is updated as well; if a referenced profile is deleted, disabled, or not allowed to use AS2, any Event Rule that uses the profile fails.

When you use AD, LDAP, or ODBC authenticated accounts as AS2 partners, if the account in the external database is changed, deleted, or disabled, any Event Rule or Command that references the account will fail.

For example, if an AD user SSmith is renamed SJones, you will have to update any Event Rule or Command manually to reflect the new name of the account.

6. To test the configuration, click Test.

7. To configure a proxy server for this partner, click Proxy.

8. To clear all of the partner connection details and start over, click Clear All.

9. Click OK to save the AS2 Partner profile in the Event Rule.

10. Add other Conditions and/or Actions, as needed (e.g., add an e-mail notification).

11. Click Apply to save the Event Rule on EFT.

AS2 Send File Dialog Box Fields

The AS2 Send File dialog box can be used in Folder Monitor, Timer, and file-based Event Rules. The table below describes each field in the AS2 Send File dialog box.

Field

File(s) to upload

Partner profile

Delete source

Host address

Required/Optional Description

Optional Used to specify the file(s) to upload to the partner.

Can be variables or paths. e.g. c:\temp\robert.txt or (if relative path)

\rob.txt

Defaults to %FS.FILE_NAME%; same as if blank. Accepts FS.FILE variables and path strings to drive or UNC paths or relative path where applicable (e.g., if using a Folder Monitor Rule).

Required Used to select a defined partner profile or left blank (the default) if the partner profile is not defined. If blank, complete the fields in the AS2

Partner profile area.

Required

Required

Required

Optional

Used to indicate whether to delete sources files after sending them to the destination, after the MDN is received and verified from the remote AS2 host. Select the check box to delete source files after the MDN is received and verified from the remote AS2 host.

AS2 outbound host address. Requires protocol prefix in URL (http://

or https://). Specified in AS2 Partner Access wizard.

AS2 Outbound port. Range is 1-65K

Relative path (similar to User Home Folder); forward slash ( / ) by default

Port

Path (inbox, outbox, or mailbox)

Username

Password

Message subject

Optional

Optional

Optional

User login name

Password

AS2 message subject

700

AS2 Module

Compress message

Encrypt message

Sign message

Your certificate

Partner certificate

Your AS2 identifier

Partner AS2 identifier

Receipt policy

Field

Content type

Required/Optional Description

Required AS2 content type. Options include:

X12 - Format used by many healthcare, insurance, government, transportation, and finance organizations.

EDIFACT - Format adopted by the International Organization for

Standardization (ISO) as the ISO standard ISO 9735.

XML - File format used for structured documents.

EDI Consent - Provides a standard mechanism for "wrapping" the EDI objects but does not specify any details about those objects.

Binary (default) - e.g., executables, word processing files, database, spreadsheet, and multimedia files

Plaintext - e.g., text and HTML files

Required

Required

Required

Required

Required

Required

When selected, specifies that the AS2 message should be compressed when sent. (Cleared by default.)

When selected, specifies that outbound AS2 messages should be encrypted. (Selected by default.)

When selected, specifies that outbound AS2 messages should be signed. (Selected by default.)

Displays the AS2 certificate public key path to use for signing, copied from the Site. (Can be on a drive or UNC path.)

Specifies the AS2 certificate to use for encrypting outbound transactions and for validating signed MDN receipts. (Can be on a drive or UNC path.)

Used to apply a unique AS2-From ID to outbound messages.

Required

Required

Used to apply a unique AS2-To ID to outbound messages.

Receipt delivery

Required

Used to request an MDN receipt. Options include:

Request a signed receipt (default)

Don’t request a receipt

Request an unsigned receipt

Specifies receipt delivery method

Synchronous (default)

Asynchronous

Asynchronous receipts will be returned to the domain name specified on the Site's Connection tab using the standard or secure listener port specified on that same page (depending on whether you specified HTTP or HTTPS for the remote host value).

701

EFT v7.2 User Guide

The following fields are used to determine whether a message send attempt has failed due to a timeout, error, synchronous MDN receipt failure, or other error, after which EFT will attempt to resend the same message at regular intervals, if specified.

Field | Required/Optional | Description
Message send attempt timeout (seconds) | Optional | Specifies the timeout after which a message send attempt is considered a failure if no response or errors are received from the remote server. Range: 0-600, 60 by default, 0 means no timeout.
Message send attempt retries | Optional | Number of times to reattempt to send the message. Range: 0 (no retry) to 999, 10 is the default. Retries do not include the initial attempt. That is, 3 retries means 3 in addition to the first attempt (4 total).
Send attempt delay between retries | Optional | Specifies the time to wait between retries if the send attempt was unsuccessful, in seconds. 30 seconds is the default.
Asynchronous receipt timeout | Optional | Specifies the time to wait for receipt before timing out, in minutes. The default is 7200 minutes (2 hours).
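The interaction between the three send parameters above (timeout, retry count, delay) decides how long a partner outage takes to surface as a failed transaction. The following Python is an added example, not EFT code: `RetryPolicy` and `send_with_retries` are this example's own names, the injected `attempt` callable stands in for EFT's HTTP POST plus synchronous MDN wait, and elapsed time is accounted with a counter rather than a real clock so the schedule can be checked offline. The asynchronous receipt timeout is deliberately left out because it runs as a separate wait after the send succeeds.

```python
"""Model of EFT's AS2 send-retry parameters (added example; not EFT code).

Assumptions (not from the guide): the send operation is an injected callable
returning (ok, seconds_taken); time is accumulated in a counter, not a clock.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class RetryPolicy:
    timeout_s: int = 60   # Message send attempt timeout; 0 means no timeout (range 0-600)
    retries: int = 10     # Message send attempt retries; excludes the initial attempt (0-999)
    delay_s: int = 30     # Send attempt delay between retries

    def validate(self) -> None:
        if not 0 <= self.timeout_s <= 600:
            raise ValueError("timeout must be 0-600 seconds")
        if not 0 <= self.retries <= 999:
            raise ValueError("retries must be 0-999")
        if self.delay_s < 0:
            raise ValueError("delay must be non-negative")

    def total_attempts(self) -> int:
        # Retries do not include the first attempt: 3 retries -> 4 attempts.
        return self.retries + 1

    def worst_case_seconds(self) -> Optional[int]:
        # Longest time before the transaction is declared a failure if every
        # attempt times out. With timeout 0 (no timeout) a hung partner could
        # hold an attempt open indefinitely, so there is no bound to report.
        if self.timeout_s == 0:
            return None
        return self.total_attempts() * self.timeout_s + self.retries * self.delay_s


@dataclass
class SendResult:
    status: str            # "S" or "F", the guide's audit status codes
    attempts: int
    elapsed_s: int
    log: List[str] = field(default_factory=list)


def send_with_retries(policy: RetryPolicy,
                      attempt: Callable[[int], Tuple[bool, int]]) -> SendResult:
    """Run attempts until one succeeds or the retry budget is exhausted.

    `attempt(n)` is the constructed stand-in for one send; a response slower
    than the timeout counts as a failed attempt that consumed the full timeout.
    """
    policy.validate()
    elapsed = 0
    log: List[str] = []
    for n in range(1, policy.total_attempts() + 1):
        ok, took = attempt(n)
        if policy.timeout_s and took > policy.timeout_s:
            elapsed += policy.timeout_s
            ok = False
            log.append(f"attempt {n}: timeout after {policy.timeout_s}s")
        else:
            elapsed += took
            log.append(f"attempt {n}: {'ok' if ok else 'error'} after {took}s")
        if ok:
            return SendResult("S", n, elapsed, log)
        if n <= policy.retries:
            elapsed += policy.delay_s   # wait before the next retry
    return SendResult("F", policy.total_attempts(), elapsed, log)
```

With the guide's defaults (60 s timeout, 10 retries, 30 s delay) `worst_case_seconds()` gives 960 seconds, which is the delay before a failure notification can fire for a partner that never answers; a timeout of 0 removes that bound entirely, which is worth knowing before relying on the failure e-mail for alerting.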

AS2 Transaction Auditing and Monitoring

These topics provide information about monitoring AS2 transfer activities.

Introduction to AS2 Transaction Auditing and Monitoring

The AS2 module provides the following tools to track, monitor, audit, and report on AS2 transactions:

• Transfers - AS2 (status viewer) - A node on EFT's Status tab displays a summary of in-progress and recent AS2 transaction history.
• Auditing and Reporting Module (ARM) reports - Predefined AS2 reports provide a summary or details of AS2 transactions. You can also define custom reports.

AS2 Information in the Database

The Auditing and Reporting module (ARM) must be installed to use the AS2 module. If the ARM database is not configured properly, AS2 functionality is not available.


The following information is audited to the ARM database and provided in AS2 reports and the Transfers - AS2 node:

• Date/Time
• Raw HTTP Headers
• File name
• MDN
• MIC*
• Content Type
• Message-ID
• Remote/Local File path (mailbox)
• Remote/Local Host (hidden by default)
• Status: Success (S), Failure (F), or In Progress (IP)
• Direction: Inbound or Outbound
• EFT AS2 ID
• Partner AS2 ID
• Error: if a failure occurred, the verbose error; otherwise "None".
• Action:
  o Inbound Connection (S, F, IP)
  o Outbound Connection (S, F, IP)
  o Send File (S, F, IP)
  o Send Receipt Asynchronous (S, F, IP)
  o Send Receipt Synchronous (S, F, IP)
  o Receive Receipt (S, F, IP)
  o Receive File (S, F, IP)
  o Receipt Verification (S, F)

*EFT calculates the AS2 MIC using SHA-1. (Refer to RFC 3335 for details.) You can ignore the words "MD5" that appear in the MIC column of the AS2-related reports (tbl_AS2Transactions column).
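The MIC is the one value in the audit record that lets you confirm the partner received the same bytes you sent, so it pays to recompute it yourself rather than trust the column label. The following Python is an added example, not EFT code: it computes the base64 SHA-1 MIC as RFC 3335 describes and checks it against the `Received-Content-MIC` value carried in an MDN. It assumes the caller passes exactly the bytes that were signed (for a signed message that is the signed MIME part, not just the file); `compute_mic`, `parse_mic_header` and `mic_matches` are this example's own names.

```python
"""AS2 MIC computation and MDN check (added example; not EFT code)."""
import base64
import hashlib
import re

# Digest algorithms as they are spelled in an MDN's Received-Content-MIC field.
_ALGS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def compute_mic(data: bytes, alg: str = "sha1") -> str:
    """Return base64(digest(data)) for the given MIC algorithm (EFT uses SHA-1).

    Assumption: `data` is exactly the byte range the sender signed; which bytes
    that is depends on how the message was packaged.
    """
    try:
        h = _ALGS[alg.lower()]()
    except KeyError:
        raise ValueError(f"unsupported MIC algorithm: {alg}") from None
    h.update(data)
    return base64.b64encode(h.digest()).decode("ascii")


def format_mic_header(data: bytes, alg: str = "sha1") -> str:
    """Build the Received-Content-MIC value a receiver places in its MDN."""
    return f"{compute_mic(data, alg)}, {alg.lower()}"


_MIC_RE = re.compile(r"^\s*([A-Za-z0-9+/=]+)\s*,\s*([A-Za-z0-9-]+)\s*$")


def parse_mic_header(value: str):
    """Split 'base64digest, alg' into (digest, alg); raise ValueError when malformed."""
    m = _MIC_RE.match(value)
    if not m:
        raise ValueError(f"malformed Received-Content-MIC: {value!r}")
    return m.group(1), m.group(2).lower()


def mic_matches(sent_bytes: bytes, mdn_mic_value: str) -> bool:
    """True when the MIC the partner reported equals the MIC over what we sent.

    A mismatch means the partner processed different bytes (or digested a
    different range), so the transaction should not be treated as a success on
    the strength of the MDN alone; the algorithm named in the MDN is honoured
    so an MD5-labelled receipt is checked as MD5, not silently as SHA-1.
    """
    reported, alg = parse_mic_header(mdn_mic_value)
    return compute_mic(sent_bytes, alg) == reported
```

Usage: `mic_matches(signed_part_bytes, mdn["Received-Content-MIC"])` on the MDN you receive, and `format_mic_header(received_bytes)` when you are the receiver building an MDN.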

AS2 Transaction Reports

The Auditing and Reporting module (ARM) gathers AS2 data and provides the data in the Transfers - AS2 node and in predefined AS2 reports. You can also define your own custom reports.

• AS2 Transactions (Summary) report - A transaction report that displays more detailed information than what is shown on the Transfers - AS2 node. The report queries all AS2 transactions for the dates specified, grouped by Site, sorted by date, and listed in reverse chronological order. You can add Report Filters for the following data:
  o StartTime
  o MessageID
  o FileName
  o TransactionID
  o FromAS2ID
  o ToAS2ID
  o TransactionStatus (rolled up transaction status)
    - Success - File was received/sent and MDN successfully received/sent
    - Failure - Transaction failed to receive/send after all retries or MDN not received/sent after all retries
    - In Progress - Transaction started or is in progress (transferring or waiting for next retry or waiting for MDN, etc.)


• AS2 Transactions (Detailed) report - A verbose AS2 file transfer report that provides the information necessary for troubleshooting problem transactions. You can add Report Filters for the following data:
  o StartTime
  o MessageID
  o FileName
  o TransactionID
  o FromAS2ID
  o ToAS2ID
  o TransactionStatus
  o Sitename
  o Error (Displays None if there are no errors)

Transfers - AS2 Status Viewer

EFT provides a sub-node on the Status tab that displays a history of AS2 transactions (retrieved from EFT's ARM database).

The Transfers - AS2 node displays the history of AS2 inbound and outbound transfers, including the result from the MDN. For example, if a file transaction attempt fails 10 times in a row, but succeeds on the 11th attempt and the MDN is sent, the Transfers - AS2 node reports the transaction as a success. If all of the transaction's file transfer retries fail, then the Transfers - AS2 node reports the transaction as a failure. If retries are still occurring at the time the Transfers - AS2 node is invoked, the transaction will be marked as In Progress. You can view details of each transaction by clicking its Status column. EFT will query and then display (in the default text editor) the details surrounding that transaction as obtained from the ARM database.
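The rolled-up TransactionStatus described for the Summary report and again for the Transfers - AS2 node above is derived from the per-attempt audit rows, and reproducing that derivation is the quickest way to sanity-check what the node shows against the raw table. The following Python is an added example, not EFT code: it groups constructed audit rows by Message-ID and file name (one row per file, as the node displays them) and applies the guide's three rules. The row shape `(message_id, file_name, action, status)` is a simplification of the ARM columns, and treating a failed Receipt Verification as a transaction failure is this example's assumption.

```python
"""Roll up per-attempt AS2 audit rows into Success / Failure / In Progress
(added example; not EFT code). Row shape is this example's simplification."""
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]   # (message_id, file_name, action, status)

FILE_ACTIONS = ("Send File", "Receive File")
MDN_ACTIONS = ("Send Receipt Asynchronous", "Send Receipt Synchronous", "Receive Receipt")


def rollup(rows: List[Row], retries: int) -> Dict[Tuple[str, str], str]:
    """Return {(message_id, file_name): rolled-up status}.

    In Progress: any attempt still marked IP.
    Failure: a stage (file or MDN) used its whole budget of retries + 1
             attempts without an S, or the receipt failed verification.
    Success: the file stage and the MDN stage each have an S.
    Anything else (e.g. file sent, MDN still awaited) is In Progress.
    """
    budget = retries + 1
    grouped: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for msg_id, fname, action, status in rows:
        grouped[(msg_id, fname)].append((action, status))
    result: Dict[Tuple[str, str], str] = {}
    for key, events in grouped.items():
        stages = {
            "file": [s for a, s in events if a in FILE_ACTIONS],
            "mdn": [s for a, s in events if a in MDN_ACTIONS],
        }
        verify = [s for a, s in events if a == "Receipt Verification"]
        if any("IP" in v for v in stages.values()):
            result[key] = "In Progress"
        elif "F" in verify or any("S" not in v and v.count("F") >= budget
                                  for v in stages.values()):
            result[key] = "Failure"
        elif "S" in stages["file"] and "S" in stages["mdn"]:
            result[key] = "Success"
        else:
            result[key] = "In Progress"
    return result


def sample_rows() -> List[Row]:
    """Constructed audit rows, not real ARM data."""
    rows: List[Row] = []
    # m1: ten failed sends, success on the 11th, MDN received and verified
    rows += [("<m1@eft.example>", "invoice.edi", "Send File", "F")] * 10
    rows += [("<m1@eft.example>", "invoice.edi", "Send File", "S"),
             ("<m1@eft.example>", "invoice.edi", "Receive Receipt", "S"),
             ("<m1@eft.example>", "invoice.edi", "Receipt Verification", "S")]
    # m2: every attempt in the budget (10 retries + 1) failed
    rows += [("<m2@eft.example>", "po.xml", "Send File", "F")] * 11
    # m3: two failures so far, retries still pending
    rows += [("<m3@eft.example>", "ack.edi", "Send File", "F")] * 2
    # m4: file sent, MDN still outstanding
    rows += [("<m4@eft.example>", "ship.xml", "Send File", "S")]
    return rows
```

Running `rollup(sample_rows(), retries=10)` yields Success for m1, Failure for m2 and In Progress for m3 and m4, matching the three definitions above; a multi-file message simply produces one key per file name, so one file of a batch can be Failure while its sibling is Success.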


When the Transfers - AS2 node is selected, the last 7 days of transaction summaries are displayed in reverse chronological order. You can change the default of 7 days to display from 1 to 999,999 days of data. Click Refresh to display all transactions that may have occurred since the last opening or refresh of the Transfers - AS2 node.

The node displays the following information:

• Date and Time - Last recorded status for the transaction
• Message ID - From AS2 header
• File - Name of file transferred. If multiple files are transferred, each file is on a separate row, but with the same Message ID.
• File Path - Local inbox or outbox; this column is hidden by default
• Remote Host Address - Host address of the sender (Inbound)/receiver (Outbound). This column is hidden by default.
• Status - Contains a hyperlink that, when clicked, pulls the AS2 Detailed report for that transaction. The report displays transaction details, which is most helpful for in-progress or failed transactions.
  o Success - Transaction completed and MDN successfully received/sent
  o Failure - Transaction failed to send after all retries or MDN not received/sent
  o In Progress - Transaction started or in progress (transferring or waiting for next retry or waiting for MDN, etc.)
• Direction - Inbound or Outbound
• From - Server's AS2 ID or the Partner ID (depends on direction)
• To - Server's AS2 ID or the Partner ID (depends on direction)

The Resubmit icon, to the left of failed transactions, allows you to resubmit the file(s) and/or MDN(s).

You can also resubmit a file, or group of files, by multi-selecting failed transaction rows, then right-clicking and clicking Resubmit. If you resubmit a file that is part of a multi-file transaction, all of the files will be resubmitted. You can only resubmit failed transactions. You cannot resubmit in-progress or successful transactions.

Customizing the Display

You can customize the Transfers - AS2 status viewer to suit your needs:

• Choose the columns to display or hide by right-clicking on a column header, then selecting/clearing the column name in the submenu.

• Sort by a specific column in ascending or descending order by clicking the column header.

• Define filters to display or hide rows based on Status, Message-ID, or File Name.
  o To filter the display based on status, select or clear the Show successes, Show failures, and Show in progress check boxes, and then click Refresh.
  o To filter the display based on the message-ID, in the Message-ID box, type the message ID, and then click Refresh.
  o To filter the display based on the filename, type a name in the Filename box, and then click Refresh.
  o To change the number of days of history to display, in the Pull records from last <n> days box, type the number of days, from 1 to 9999.

• Refresh or clear the display by right-clicking an empty row, and then clicking Refresh, or in the filter area, click Refresh.


Resubmitting AS2 Transmissions

In the Transfers - AS2 node, the Resubmit icon to the left of failed transactions allows you to resubmit the file(s) and/or MDN(s). You can only resubmit failed transmissions. You cannot resubmit in-progress or successful transmissions.

Outbound. If a failure was an outbound transaction (failed after all retries and the MDN was never received), you can attempt to send the same file again.

Inbound. When an inbound transaction fails, resubmit is allowed only when the failure was due to a failure in sending the receipt (MDN). (EFT cannot resubmit the file, because it did not send it to begin with.) The resubmit action attempts to resend the MDN receipt.

To resubmit a failed transmission

1. In the administration interface, connect to EFT, and click the Status tab.

2. Expand the Server and Site nodes, and then click the AS2 Transactions node. The Site's AS2 transactions appear in the right pane.


3. Click in the row of the failed transaction to select it, and then click the Resubmit icon. A confirmation prompt appears.

4. Click Yes. The transaction is resubmitted and appears in a new row in the Transfers - AS2 node, with a new transaction and a new message ID.

There can be multiple rows (other transmissions) between the failed transmission and the resubmitted transmission.


AS2 Transaction Success and Failure Notification

EFT can execute a command or send an e-mail to notify you of the success or failure of AS2 transactions. The e-mail or Command is triggered when all message send attempts have been made or the asynchronous MDN wait time has expired (if applicable).

The e-mail notification and custom command are configured by clicking the applicable link in the AS2 Inbound and AS2 Outbound tabs or in the AS2 Partner Access wizard.

• Clicking the Transaction FAILED/SUCCESS notification e-mail link, [Add], opens the Edit Mail Template dialog box.
• Clicking the Transaction FAILED/SUCCESS send command link, [Add], opens the Custom Command dialog box. (You will have to define the custom command before using it in the notification.)
• Each of the fields is optional.

Field | Description
Transaction FAILED notification e-mail | Opens the Edit Mail dialog box in which you can specify an e-mail notification for a failed transaction.
Transaction SUCCESS notification e-mail | Opens the Edit Mail dialog box in which you can specify an e-mail notification for a successful transaction.
Transaction FAILED run command | Opens the Custom Command dialog box in which you can specify a Command to run upon a failed transaction.
Transaction SUCCESS run command | Opens the Custom Command dialog box in which you can specify a Command to run upon a successful transaction.

• Refer to E-mail Notification Action for details of defining an e-mail notification.
• Refer to Creating a Command to create a command, and refer to Using an Event Rule to Execute a Command (Run a Process) for details of using a Command.

Testing the AS2 Outbound Connection

You can validate the AS2 partner configuration details by sending a test file to the remote partner. This provides immediate feedback as to whether an outbound connection was configured properly.

On the AS2 Outbound tab or in the AS2 Send File to host Event Rule Action, click Test to send a test file to the AS2 host specified. The AS2 Test Connection dialog box appears.


EFT attempts to send a test file using the parameters supplied, and displays a success or failure message along with the entire log. The test determines success of the following parameters:

• Presence of certificates necessary to sign and/or verify signatures

• Connection to the host and navigation to the correct path

• Upload of the test file

• Receipt and verification of the MDN receipt

• Transaction completed

A blue check indicates success; a red X indicates failure. The HTTP request and response headers are displayed in the AS2 connection log below the success/failure list. You can copy the log to a text file or e-mail for troubleshooting.

If you click Close before the test is complete, the test ends and no results are displayed or saved.

To copy the log for troubleshooting/e-mailing

1. After the test completes, click Copy Log. The log is copied to the Windows Clipboard.

2. In the document or e-mail, click Paste.

In the Auditing and Reporting database, the filenames are clearly test files (e.g., tes1.tmp) to indicate that an audited transaction is a test. However, test transactions are treated the same as any other AS2 transaction and appear in the database the same as any other AS2 transaction.

Troubleshooting AS2 Issues

The AS2 module provides monitoring tools that can assist you in troubleshooting AS2 connections to EFT. Below are some important things to consider when troubleshooting failed AS2 connections.

• Ensure that your partner-provided information (AS2 ID, certificates, host information) is accurate and that your provider has configured your account correctly on the remote server.
• Provide your certificate file (public key) to your partner and obtain your partner's public key (unless your partner will be sending you non-encrypted, non-signed messages that do not request an MDN).
• Send a test file to your partner. The Test button on the AS2 Configuration wizard sends a test file to a defined AS2 partner to verify connection. The success or failure results are displayed in a prompt that contains each stage of the transfer. The stages include the presence of certificates necessary to sign and/or verify signatures, connection to the host and navigation to the correct path, upload of the test file, and receipt and verification of the MDN receipt. The complete HTTP sent and received headers are captured and displayed in a list box under the success/failure stages. You can select and copy the text of this log for analysis. The maximum allowed file size for AS2 transfers is 20GB.
• Contact your partner and ask them to connect and transfer a test file to EFT. If the test is not successful, examine reports and the Transfers - AS2 node in EFT:
  o ARM report - AS2 Transactions (Detailed) - Review the report to determine why the problem transaction occurred.
  o Transfers - AS2 node - Review the sub-node on the Status tab to view recent AS2 transactions (retrieved from EFT's ARM database) to identify possible configuration errors.
• AS2 partner receives multiple MDN failures when sending to EFT in HTTPS. Turn off the "100 Continue" reply by selecting the HTTP 1.0 mode check box in the AS2 Inbound Settings dialog box for the partner's account. Refer to AS2 Inbound Parameters for more information about "100 Continue."


• EFT does not support UTF-8 filenames over AS2.

• EFT is sending multiple success messages. If the ID and payload are the same as a prior incoming message, EFT will reject the payload but will send a "success" message back to the client. So if a client resends a package for some reason, EFT will resend the success message.

Below is a diagram that demonstrates how EFT manages incoming messages.
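The duplicate-handling behaviour just described (same Message-ID and same payload: drop the copy but still answer success; same Message-ID with a different payload: reject with the "File already exists" error from the transfer-error table) is a small state machine worth having in front of you when reading the Transfers - AS2 node. The following Python is an added example, not EFT code: the in-memory store, the `Decision` result type and the audit-note wording are this example's assumptions; only the rules and the error text come from the guide.

```python
"""Inbound AS2 duplicate Message-ID handling as the guide describes it
(added example; not EFT code). Store and return type are this example's own."""
import hashlib
from dataclasses import dataclass
from typing import Dict

# Error text as listed in the guide's AS2 Transfer Errors table.
DUPLICATE_ERROR = ("File already exists, Message with duplicate ID and "
                   "different payload was received.")


@dataclass
class Decision:
    store_payload: bool   # whether the file is written to the partner's inbox
    mdn_status: str       # "processed" (success MDN) or "failed"
    audit_note: str       # text for the audit trail


class InboundDeduplicator:
    """Remembers each accepted Message-ID with a digest of its payload."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}   # Message-ID -> SHA-256 of payload

    @staticmethod
    def _digest(payload: bytes) -> str:
        return hashlib.sha256(payload).hexdigest()

    def receive(self, message_id: str, payload: bytes) -> Decision:
        msg_id = message_id.strip()
        if not msg_id:
            return Decision(False, "failed", "missing Message-ID header")
        d = self._digest(payload)
        prior = self._seen.get(msg_id)
        if prior is None:
            self._seen[msg_id] = d
            return Decision(True, "processed", "new message stored")
        if prior == d:
            # Same ID, same bytes: a partner retry. Do not write a second copy,
            # but acknowledge success so the sender's retry loop terminates.
            # Record it: a burst of these usually means the partner never saw
            # the first MDN (compare the "100 Continue" item above).
            return Decision(False, "processed",
                            f"duplicate of {msg_id}; payload identical; success re-sent")
        # Same ID, different bytes: the guide's File already exists error.
        return Decision(False, "failed", DUPLICATE_ERROR)
```

Digesting the payload rather than comparing whole files keeps the store small; SHA-256 is this example's choice and has nothing to do with the SHA-1 MIC that the MDN carries.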

AS2 and the Auditing and Reporting Module

You must have the Auditing and Reporting module installed to use the AS2 module. If the ARM database is not installed, configured properly, or fails, AS2 functionality is not available.

If ARM is not installed, configured, or connected:

• For outbound AS2 transactions, the transaction is cancelled, and EFT sends e-mails, executes commands, and triggers events. (This includes any outbound transaction, whether initiated by the AS2 Send File Action or by the folder monitor specified in the partner's AS2 outbound tab.)
• For inbound transactions, EFT replies to the partner with "500 Internal server error: database failure," then sends e-mails, executes commands, and triggers events.


AS2 Error Warnings and Prompts

EFT provides error warnings and prompts when you are configuring the AS2 module and when you are sending/receiving files using AS2.

AS2 Configuration Errors

EFT presents a prompt and disallows changes to AS2 configuration in the following instances:

• Settings are enabled that require a partner AS2 certificate and no certificate has been defined for that partner

• Settings are enabled that require EFT's AS2 certificate and no certificate has been defined for EFT

• Settings are enabled that require the partner’s or the Server’s identifier and no identifier has been defined for the partner or EFT

• The chosen certificate is set to expire in 30 days or fewer

• A certificate being imported is a combined certificate

• You open the AS2 Send File dialog box and click OK or Apply without specifying a partner profile.

AS2 Transfer Errors

EFT provides the following transfer error messages. When you receive one of these errors, you should examine your AS2 configuration and other Site/User settings. Certain messages are simply an indication that the configuration is working as designed. For example, if your AS2 outbound configuration has a filter mask to ban files with a .zip extension or if the Site's configuration bans files of this type on the Server, you will receive a banned file message when a user attempts to send files of this type.

Error | Possible Cause/Solution
A network error occurred | Verify AS2 server address and port; ensure there is a connection between the two servers and nothing is blocking the connection; "Require SSL certificates from connected clients" might be enabled; SSL negotiation failed; retry transfer
Error decoding certificate | AS2 module cannot decode EFT's or partner's certificate. Make sure the certificate is not corrupt or of an unsupported format. Also check that the certificate is a single certificate and not multiple certificates inside of a certificate.
Incorrect certificate used for EFT or partner certificate; The receipt was unsigned and a signed receipt was expected; Incorrect AS2-From field; Incorrect AS2-To field; RSA Error: Inadequate amount of padding in encrypted message | Incorrect "Your AS2 identifier"; Incorrect "Partner AS2 identifier"; AS2 module cannot verify signature of signed incoming message; possible problem with identifiers; sender might be using incorrect identifier; AS2 MDN cannot be verified
Timeout occurred while sending MDN | Firewall blocking receipt send (MDN blocked)
File already exists, Message with duplicate ID and different payload was received. | (Tried to overwrite existing file and corresponding policy is set to Reject.) AS2 configuration does not allow overwriting files of same name; change AS2 configuration to Accept these files or move/rename files after they are received.
Quota exceeded | File is too large. User configuration does not accept files of this size; change user quota allowance or compress/split file.
File is banned | (Uploaded file meets Site's "Ban" mask.) Site configuration does not accept files of this type/name. Change Site's ban settings or let your partner know that files of that type cannot be uploaded to EFT.
Use encryption or HTTPS | (Tried to use "plain" AS2 without encryption.) AS2 configuration must be set to use encrypted HTTP or HTTPS. Or use redirection; refer to Redirecting HTTP to HTTPS for details of redirection.
Unable to decrypt message, RSA Error | Inadequate amount of padding in encrypted message. AS2 module cannot decrypt encrypted incoming message.
HTTP error: 400 Bad Request | Receiver/sender has incorrect or missing certificate; connection problem of some kind
HTTP error: 401 Unauthorized | Authentication failed for username/password; IP address is blocked
HTTP error: 403 Forbidden | Incorrect folder location, Mailbox path; do not have permission to remote folder/path; AS2 is not enabled/supported on receiving side


Auditing and Reporting Module (ARM)

These topics provide the procedures for configuring and using the Auditing and Reporting module (ARM) with EFT.

The Auditing and Reporting Module (ARM) captures the transactions passing through EFT and provides an interface in the administration interface where you can use preconfigured reports or create your own custom reports to query, filter, and view transaction data. Data is stored in a relational database and can be analyzed in real time.

The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The built-in reports were designed to respond to the most common data analysis requests.

Auditing and Reporting Module Interface

The Report tab of the administration interface is the interface for the Auditing and Reporting module (ARM).

• When you click the Report tab in the left pane, the right pane displays the report. Using the controls in the right pane, you can view, edit, print, and save the report or create a new report.


• When you define a new report template , it appears in the Custom Reports node of the tree.

• Refer to Generating a Report, Managing Reports, and Custom Reports for details of running, managing, and defining reports.
• Refer to Descriptions of Preconfigured Reports for descriptions of the report templates in the Globalscape Reports node of the tree.

Installing and Configuring the Auditing and Reporting Module

These topics provide the procedures for installing and configuring the Auditing and Reporting module.

The Auditing and Reporting module is normally installed and configured when you install EFT. If you did not install it when you installed EFT, you can run the installer again, choose Modify, and then select the Auditing and Reporting check box. (Leave the EFT and EFT Admin Interface check boxes selected; clearing the check boxes will uninstall them.)

Refer to Installing EFT, Administrator, and Modules for the procedure for installing ARM using the EFT installer.

Auditing and Reporting Module (ARM) Requirements

• Microsoft® ActiveX Data Objects (ADO)
• Microsoft SQL Server 2008 R2 Native Client is installed automatically, regardless of whether SQL Server will be used (so that ADO will work with IPv6).
• 3GB minimum hard drive space for the initial database size. Space requirements for transactions depend on estimated EFT activity, number of users, and installed modules. A general estimate is 3MB to 5 MB per 1000 files uploaded. (Refer to the Knowledgebase article "How much disk space should I allocate for the Auditing and Reporting module (ARM)?" for more information.)

• PDF-viewing software (such as Adobe Reader) to view PDFs of reports.

• Microsoft .NET Framework 4.0, for ARM upgrades

• Access to a SQL Server or an Oracle database.
  o The installer includes SQL Server 2008 R2 Express for both 32- and 64-bit operating systems (intended for evaluation purposes only). For SQL Server system requirements, refer to http://www.microsoft.com/sqlserver/en/us/learning-center/resources.aspx. EFT is supported with the following SQL Server versions:
    - SQL Server 2008 R2 Express
    - SQL Server 2008 R2
    - SQL Server 2012
  o Oracle is supported for use with EFT Enterprise only; refer to Oracle's documentation regarding Oracle system requirements. Be sure to reboot after you install the Oracle Data Access Components (ODAC). You need to use the 32-bit ODAC, even if EFT Enterprise is installed on a 64-bit operating system. EFT Enterprise is supported with the following Oracle versions:
    - Oracle Database 11g Release 1: 11.1.0.6–11.1.0.7 (patchset as of September 2008)
    - Oracle Database 11g Release 2: 11.2.0.1–11.2.0.3 (patchset as of September 2011)
  o A good database maintenance plan is important to keeping space requirements to a minimum (aging/archiving/warehousing/truncating old data).
  o For better database performance, follow the standard SQL/Oracle tuning guidelines in their user documentation. See also Purging Data from the Database.
  o If you are using SQL Server 2008 Developer and Enterprise editions for your EFT database, refer to the MSDN article Creating Compressed Tables and Indexes.

For EFT to connect to any database, the proper drivers need to be installed on the EFT computer. If the right client-side software (driver) is installed on the EFT computer, the Advanced Workflow Engine can build the database connection string needed to reach that database.

Installation and configuration of the module consists of:

1. Running the EFT installer. The Auditing and Reporting module is normally installed and configured when you install EFT. If you did not install it when you installed EFT, you can run the installer again and choose Modify. On the ARM page of the installer, click Configure Auditing and Reporting. (Follow the procedure in Installing the Server, Administrator, and Modules.)

   During installation, EFT needs full DB Owner access to the auditing database to set up the schema.

   During updates or upgrades, EFT needs full DB Owner access to update the schema. Once it is set up, EFT only needs to be able to read, write, and execute stored procedures.

   When upgrading to EFT v6.4.x, if you upgrade the ARM database with the installer, the default schema name is changed to dbo.

2. Activating the software with a serial number that includes ARM

3. Enabling EFT to record data

How does EFT know which TCP/IP port it should use to connect to SQL Server?

When the SQL Server browser service (installed with SQL Server) starts up, it searches the registry for any "named instances" of SQL Server and the TCP ports they're listening on. When a client wants to connect to a named instance, it asks the browser service (on UDP port 1434) which TCP/IP port that instance is listening on. This is how Microsoft implemented support for multiple instances of SQL Server on the same computer. The default instance listens on TCP port 1433. If you have a named instance, the TCP port is dynamically configured.

This is standard SQL Server functionality and doesn't require special port syntax in the EFT connection string or host name. It's all abstracted by the API used, which looks at the host string and figures out whether you're trying to connect to a named instance or a default instance (by determining whether host\instance or just host was specified).

The SQL Server TCP settings are stored in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.<InstanceName>\MSSQLServer\SuperSocketNetLib\TCP\

For details of how to view/change the TCP information in the SQL Server Configuration Manager, refer to the following MSDN article: http://msdn.microsoft.com/en-us/library/ms177440%28SQL.90%29.aspx

Refer to the following Microsoft topics for more information:

• http://support.microsoft.com/kb/287932

• http://msdn.microsoft.com/en-us/library/ms175483.aspx

• http://msdn.microsoft.com/en-us/library/ms181087.aspx


EFT Database Utility

A command line utility is included in the installer that is capable of performing various database-related tasks. This same utility is used by the EFT installer to handle upgrades of existing databases. Typically, all common database tasks are handled by the EFT installer. However, on occasion it may be useful to use the command-line utility to verify the status of a database or perform an upgrade independent of the EFT installation process.

The database utility (DBUtility.exe) is included as part of the core EFT installation. Once installed it is located in the "DBUtility" sub-directory of the EFT program files installation directory. Typically this will be C:\Program Files (x86)\Globalscape\EFT Enterprise\DBUtility.

Requirements

• The utility requires the .NET Framework 4 (Full version)

• When operating against an Oracle database, the utility requires the 32-bit version of the Oracle Data Access Components (ODAC)

Capabilities

The database utility is capable of performing the following tasks:

• Check the version of the database to see if it is up to date. This may be used to see if an upgrade must be performed on a database before it is ready to be used by EFT.

• Generate an SQL script that may be used to create a new database schema (tables, views, etc.) manually within an existing database.

• Generate an SQL script that may be used to upgrade an existing database schema manually.

• Analyze an existing database prior to performing an upgrade. The analysis will verify prerequisites, display information about the database, and display the SQL that will be used to upgrade the database.

• Upgrade an existing database schema to the latest version.

Logging

The utility is capable of outputting various levels of information ranging from errors to debug/trace level information.

By default, the utility will output errors, warnings, and informational messages to the command window. If the "-verbose" command line parameter is specified, the utility will also output more fine-grained debug/trace level messages to the command window.

The utility may also optionally output to a log file as specified using the "-logfile" command line option.

The output to the log file will include all levels of messages from errors to debug/trace level information.

SQL Scripts

The utility requires the presence of various SQL Scripts located in database-specific subdirectories to perform its actions. These subdirectories contain scripts such as:

• create_* - scripts used for creating new, clean database schemas for use by the EFT application

• Purge* - scripts that may be used for purging data from the database

• *ODBC - scripts that may be used to create the necessary tables to use an ODBC data source for user authentication

• upgrade_* - upgrade scripts for upgrading various versions of the database

By default, the utility will look for the "SQL Server" and "Oracle" directories under its current working directory. During installation of the Database utility, these script directories will be created under the <InstallDir>\DBUtility directory, so the scripts will be available to the utility.


If the utility is unable to locate these subdirectories, it will also attempt to consult the registry for the EFT "AppData" path and then look for the subdirectories under that location.

Additionally, the user may specify an alternate parent directory using the "-scripts" command line parameter.

Usage

The database utility is a command line utility and may be executed by opening a Windows Command Prompt, navigating to the "DBUtility" subdirectory of the EFT installation folder (e.g., C:\Program Files (x86)\Globalscape\EFT Enterprise\DBUtility), and running the command "DBUtility.exe."

Help

The utility includes built-in help documentation. Additionally, the utility will provide feedback on incorrect or missing command line parameters.

The built-in help documentation for the utility may be accessed using the command:

DBUtility.exe -help

More detailed help for the various top-level actions may be accessed using the command:

DBUtility.exe -help -action <Action ID>

Where <Action ID> is one of:

CheckVersion - checks the version of the database to see if it is up to date

CreateScript - generates a SQL script that may be used to manually create a new database schema

UpgradePreview - used prior to upgrading a database. This action will generate and display useful pre-upgrade information as well as the actual SQL that will be used to upgrade the database

UpgradeSchema - upgrades the database, if needed

UpgradeScript - generates a script that may be used to manually upgrade a database

Examples

Example executions for each of the actions supported by the utility may be viewed in the command line help for each action.

DBUtility Command Line Parameters

The following section describes each of the command line parameters for the utility. Depending on the action performed, only a subset of the parameters will be applicable or required.

For the command line parameters that accept a value, the value should be enclosed in double-quotes if the value contains spaces. For example,

-logfile="C:\My Logs\MyLogFile.txt"

Parameter Definitions

• -help
  o Description: Display help on the command line. Refer to the "Help" section above for additional information.

• -logfile=<file>
  o Description: When specified, the utility will log output of the execution to the specified log file.
  o Default: None
  o Example: -logfile="C:\My Logs\MyLogFile.txt"

717

EFT v7.2 User Guide

• -optionsfile=<file>
  o Description: When specified the utility will load command line parameters from the file. The file should specify parameters in a "parameter=value" pair with one pair specified per line. Parameters specified on the command line override parameters specified in the file.
  o Default: None
  o Example: -optionsfile="C:\My Scripts\MyOptionsFile.txt"

• -scriptfile=<file>
  o Description: For actions that generate output SQL scripts this parameter defines the file to which the script should be written.
  o Default: None
  o Example: -scriptfile="C:\My Scripts\MySQLScript.sql"

• -errorfile=<file>
  o Description: When specified the utility will log terminal errors to the specified file. Mainly used for error handling when the utility is called by the EFT installer.
  o Default: None
  o Example: -errorfile="C:\My Scripts\MyErrorFile.txt"

• -resultfile=<file>
  o Description: When specified the utility will output result status codes for the execution to the file. Mainly used for state handling when the utility is called by the EFT installer.
  o Default: None
  o Example: -resultfile="C:\My Scripts\MyResultFile.txt"

• -pause
  o Description: When specified the utility will pause at the end of the execution. Useful when executing the utility through a shortcut to keep the console window from closing before the user has a chance to review the results.
  o Default: None

• -verbose
  o Description: When specified the utility will output additional debug level logging.
  o Default: None

• -action=<id>
  o Description: Specifies the overall action to be performed by the utility.
  o Valid values:
     CheckVersion - checks the version of the database to see if it is up to date
     CreateScript - generates a SQL script that may be used to manually create a new database schema
     UpgradePreview - used prior to upgrading a database. This action will generate and display useful pre-upgrade information as well as the actual SQL that will be used to upgrade the database
     UpgradeSchema - upgrades the database, if needed
     UpgradeScript - generates a script that may be used to manually upgrade a database
  o Default: None
  o Example: -action=UpgradeSchema

• -type=<type>
  o Description: The dialect of the database.
  o Valid values:
     SQLServer - a SQL Server/SQL Server Express database
     Oracle - an Oracle database
  o Default: None
  o Example: -type=SQLServer

• -server=<server>
  o Description: The database server host or IP address.
  o Default: None
  o Example: -server="Jupiter"

• -port=<port>
  o Description: The listener port for the database on the database server/host.
  o Default: None
  o Example: -port=1433

• -instance=<instance>
  o Description: The database server instance name.
  o Default: None
  o Example: -instance="MSSQLSERVER"

• -database=<database>
  o Description: The name of the database.
  o Default: None
  o Example: -database="GLOBALSCAPE"

• -timeout=<timeout>
  o Description: The timeout, in seconds, to continue trying to connect to the database. A value of 0 causes the utility to wait indefinitely and should be used with caution.
  o Default: 30 seconds
  o Example: -timeout=5

• -auth=<auth>
  o Description: The type of authentication to use when connecting to a SQL Server database.
  o Valid values:
     SQLServer - Use SQL Server authentication, which requires specification of the username and password.
     Windows - Use Windows authentication, which will use the currently logged in user account.
  o Default: None
  o Example: -auth=SQLServer


• -user=<user>
  o Description: The login name to use when connecting to the database.
  o Default: None
  o Example: -user="eftdbuser"

• -pass=<pass>
  o Description: The password to use when connecting to the database.
  o Default: None
  o Example: -pass="3qym9NCebHDJ"

• -scripts=<dir>
  o Description: Parent directory containing the SQL Server and Oracle SQL Scripts subdirectories. Refer to the "SQL Scripts" section above for additional information.
  o Default: Refer to the "SQL Scripts" section above for additional information.
  o Example: -scripts="C:\ProgramData\Globalscape\EFT Server Enterprise"

Advanced Parameter Definitions

The following parameters are typically reserved for use by the EFT installer and will normally not be useful to end users. However, they are documented here for completeness.

• -conn=<connection string>
  o Description: When specified this string will be used as the full connection string to the database rather than constructing the string based on the distinct parts.
  o Default: None
  o Example: -conn="Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=mthoracle)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=orastart)));Persist Security Info=true;User Id=eftdbuser;Password=3qym9NCebHDJ"

• -app=<application name>
  o Description: The application name to present to the database for use when identifying connections.
  o Default: None
  o Example: -app="EFT Database Utility"

• -installerdir=<directory>
  o Description: The directory containing the EFT Installer. May be used during some upgrades for accessing or storing additional files.
  o Default: None
  o Example: -installerdir="C:\Users\Administrator\AppData\Local\Temp\nsdB57C.tmp"

• -installationdir=<directory>
  o Description: The directory where EFT is installed or will be installed. May be used during some upgrades for accessing or storing additional files.
  o Default: None
  o Example: -installationdir="C:\Program Files (x86)\Globalscape\EFT Server Enterprise"


• -appdatadir=<dir>
  o Description: The directory that will be used for the EFT application data. May be used during some upgrades for accessing or storing additional files.
  o Default: None
  o Example: -appdatadir="C:\ProgramData\Globalscape\EFT Server Enterprise"

• -backupdir=<dir>
  o Description: The directory in which to store backup data. May be used during some upgrades.
  o Default: None
  o Example: -backupdir="C:\ProgramData\Globalscape\EFT Server Enterprise\Backup"

Database User Account Privileges

The database user account used by EFT must have certain privileges within the database for the application to function correctly. Additionally, a different set of privileges is needed for Installation, Upgrade, and Runtime, as described below.

Installation—When creating a new database, the EFT installer is capable of creating the database user account for you. Alternatively, you may create the database user account ahead of time. Either way, the EFT database user account must have certain privileges during the creation process. Once the creation process is complete, the privileges may be reduced to those necessary for runtime operation. (Refer to Runtime below.) The following privileges, or their equivalents, are required during the creation process:

• SQL Server—The database user account must have the "db_owner" database role membership.

• Oracle—The database user account must have the following privileges:
  o CREATE SESSION
  o CREATE TABLE
  o CREATE TRIGGER
  o CREATE SEQUENCE
  o CREATE PROCEDURE
  o CREATE VIEW

Upgrade—When upgrading the ARM database, either through the EFT Installer or the Database Utility (DBUtility.exe), you should use the EFT database user account to connect to the database to perform the upgrade. The upgrade process may require that additional privileges be temporarily given to the EFT database user account. The actual set of privileges depends on the version of the database schema being upgraded. Before upgrading the database, the EFT Installer will perform an analysis of the database. Additionally, the "UpgradePreview" action may be used with the Database Utility to perform the analysis. Part of this analysis will verify that the database user account possesses the necessary privileges to perform the upgrade. The analysis results will display any privileges that the account is lacking. You will need to grant the appropriate privileges to the account temporarily before proceeding with the upgrade. These privileges may be revoked once the upgrade process is complete. Refer to the Runtime section below for the privileges required during subsequent operation of EFT. To minimize the chance of encountering missing privileges, you should grant the privileges described in Installation, above, before performing the upgrade preview analysis.

Runtime—During normal operations, EFT only manipulates the data within the database while auditing, and so requires less powerful privileges. EFT does not modify the database schema during normal operation. If you want to lock down the EFT database user account during normal operation, ensure that the following minimal privileges, or their equivalents, are granted to the account:


• SQL Server—When operating against SQL Server, the EFT database user account only needs to be able to read data, write data, and execute stored procedures. The following permissions are required during normal operation:
  o CONNECT
  o DELETE
  o EXECUTE
  o INSERT
  o SELECT
  o UPDATE

• Oracle—During normal operation, the EFT database operates only within its own schema. Additionally, it has no need to create objects during runtime. Only the following privilege is required during normal operations:
  o CREATE SESSION
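The Installation, Upgrade, and Runtime privilege sets above, written out as SQL. This is an added example, not a script shipped with EFT; the account and database names (eftuser, eftdb, eftdbuser) follow the guide's own examples and should be replaced with yours. Run the SQL Server statements in the ARM database as a privileged login such as "sa", and the Oracle statements as "sys" (AS SYSDBA) or "system".

```sql
-- Added example: least-privilege lifecycle for the EFT ARM database account.
-- Names eftuser/eftdb (SQL Server) and eftdbuser (Oracle) are the guide's examples.

-------------------------------------------------------------------------------
-- SQL Server: run in the ARM database as a privileged login (e.g. sa).
-- ALTER ROLE ... ADD/DROP MEMBER needs SQL Server 2012 or later; on older
-- versions use EXEC sp_addrolemember / sp_droprolemember instead.
-------------------------------------------------------------------------------
USE eftdb;
GO

-- 1. Installation: schema creation requires db_owner role membership.
ALTER ROLE db_owner ADD MEMBER eftuser;
GO

-- 2. Runtime: once the schema exists, drop db_owner and keep only the
--    permissions the guide lists (CONNECT, DELETE, EXECUTE, INSERT, SELECT, UPDATE).
ALTER ROLE db_owner DROP MEMBER eftuser;
GRANT CONNECT TO eftuser;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE TO eftuser;
GO

-- 3. Upgrade: elevate before running UpgradePreview / UpgradeSchema ...
ALTER ROLE db_owner ADD MEMBER eftuser;
GO
-- ... and drop the elevation again once the upgrade has completed.
ALTER ROLE db_owner DROP MEMBER eftuser;
GO

-- Check: database-level permissions currently granted to the account.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'eftuser';

-- Check: role memberships (should be empty after step 2 / after the upgrade).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'eftuser';
GO

-------------------------------------------------------------------------------
-- Oracle: run as SYS (AS SYSDBA) or SYSTEM.
-------------------------------------------------------------------------------
-- 1. Installation: object-creation privileges within the account's own schema.
GRANT CREATE SESSION, CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE VIEW TO eftdbuser;

-- 2. Runtime: the account only reads and writes rows in its own schema,
--    so everything except CREATE SESSION can be revoked.
REVOKE CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE,
       CREATE PROCEDURE, CREATE VIEW FROM eftdbuser;

-- 3. Upgrade: re-grant before UpgradePreview, revoke after UpgradeSchema.
--    (UpgradePreview reports any privilege the account is still missing.)
GRANT CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE VIEW TO eftdbuser;
-- ... run the upgrade ...
REVOKE CREATE TABLE, CREATE TRIGGER, CREATE SEQUENCE,
       CREATE PROCEDURE, CREATE VIEW FROM eftdbuser;

-- Check: system privileges currently held (unquoted identifiers are
-- stored upper-case, hence 'EFTDBUSER').
SELECT privilege
FROM dba_sys_privs
WHERE grantee = 'EFTDBUSER'
ORDER BY privilege;
```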

Activating the Auditing and Reporting Module

The Auditing and Reporting Module (ARM) is an add-on to EFT that comes with a unique activation serial number.

• If you have purchased EFT with ARM and have your serial number, follow the normal activation process.

• If you are upgrading, follow the upgrade process.

Upgrading the EFT Database

This introduction describes in general how an EFT database upgrade works.

Before upgrading the ARM database for EFT v6.5, please refer to Upgrading the EFT ARM Database for the 6.5 Release, below.

A Database Utility (DBUtility.exe) is used to upgrade the database, when applicable. You have the option of either upgrading the database during the upgrade process within the EFT Installer or upgrading the database "out of band" later using the Database Utility. Because the EFT installer uses the same Database Utility internally to perform the upgrade, the two methods are equivalent.

As part of this new approach to upgrading the ARM database, the database schema maintains an independent version number. This version is used to determine if the database schema and data require an upgrade across various releases of the EFT application. This version number is maintained in a new table called "TBL_SCHEMA_VERSION." This new table is created as part of the initial ARM upgrade process when upgrading EFT.

During the upgrade, you will be prompted to provide the user credentials that should be used when connecting to the database. You must provide the credentials for the EFT database user account, as opposed to the super-user accounts such as "sa" or "sys", because the upgrade process assumes it is operating as the database account that owns the schema to be upgraded. (Refer to Database User Account Privileges > Upgrade for information on the required database user account privileges necessary to successfully upgrade.)

When upgrading from within the EFT installation process, the installer will analyze the database prior to performing the actual upgrade. The results of this analysis are displayed in an upgrade preview page of the installer. Administrators are urged to read the results carefully prior to continuing with the upgrade.

(EFT's upgrader does not check the database for fragmentation.)


The analysis step will determine whether the database requires an upgrade by examining the version number in the new version table. Across many builds and releases of the EFT application, the ARM database may not require any changes. As such, the version number for the database may not change as often as the EFT version. If the database does not require an upgrade, then the installer will state this and essentially skip the ARM upgrade process.

As with the database upgrade, the database analysis process used in the EFT installer is actually performed by the Database Utility and is equivalent to running the utility with the "-action=UpgradePreview" command line option. In addition to checking the database version number, the installer/utility will also check for various prerequisites needed to perform the upgrade. Prerequisites that have been met will be displayed with a "PASS" status. Any prerequisites that have not been met will be displayed with a "FAIL" or "WARN" status. These issues should be researched and rectified prior to proceeding with the upgrade.

Recommendations are provided along with any failed prerequisites suggesting how to resolve the issue.

After remedying any errors, you can run the analysis again by clicking Reanalyze.

The analysis will also display information about the database such as the approximate size of the user data as well as the age of the user data within the database. Additionally, the SQL script that will subsequently be used to perform the actual upgrade will be displayed.

You may decide to upgrade the database later. If so, you can retain the upgrade script by clicking View to open the database analysis results in a text editor and then save to a file of your choosing.

Alternatively, you can run the EFT installer in maintenance mode or run the Database Utility using the "-action=UpgradeSchema" option to upgrade the database another time.

Upgrading the EFT ARM Database for the 6.5 Release

For EFT version 6.5, existing ARM databases must be modified to allow for storage and retrieval of Unicode data. This upgrade process is much more significant with respect to time and storage space than past upgrades.

Please refer to the following information before upgrading the ARM database. An upgrade checklist is also provided below.

User Account Permission/Privilege Requirements

When upgrading the ARM Database, either through the EFT Installer or the Database Utility, you should use the EFT Database user account to connect to the database to perform the upgrade. This is as opposed to using one of the more privileged system accounts such as the "sa" account on SQL Server or the "sys" or "system" accounts on Oracle.

For additional information related to database user account privileges, refer to Database User Account Privileges.

SQL Server

The user account used to upgrade the database should have the "db_owner" privilege. This is the default for the user account created for, and used by, the EFT. As such, no action is required on your part prior to upgrading.

Oracle

As of EFT version 6.5, the ARM module makes use of database views. In previous releases, the database user account created for use by the EFT was not granted the ability to create views. As such, prior to upgrading an Oracle ARM database, you must grant this privilege to the EFT database user account manually. This is done by granting the "CREATE VIEW" privilege to the account using a more privileged account such as the "sys" or "system" account.

One method of granting the privilege is to connect to the database using the Oracle command line "SQL Plus" utility. On the computer where Oracle is installed, launch the SQL Plus utility:


• Click the SQL Plus Start menu shortcut (e.g., Start Menu > All Programs > Oracle - OraDb11g_home1 > Application Development > SQL Plus)

• If the utility is available on the system path, then open a Windows command prompt (e.g., Start > Run > cmd.exe), type sqlplus at the command prompt, and then press ENTER.

Once SQL Plus has started, you will be prompted for login credentials. Connect using a privileged account such as "sys" or "system". Be aware that when connecting as the "sys" account you must provide the "as sysdba" option; for example: sys as sysdba

Complete the login process by providing the password.

Use the following command to grant the "CREATE VIEW" privilege to the EFT database user account:

GRANT CREATE VIEW TO <User>;

Where <User> is the name of the EFT database user account. For example:

GRANT CREATE VIEW TO EFTDBUSER;

Exit the SQL Plus tool by typing Exit and pressing ENTER.


Time Requirements

The EFT v6.5 ARM upgrade process can take significantly longer than past upgrades. The time it takes to perform the upgrade depends both on the size of the database and the performance characteristics of the computer on which the database resides.

Our internal testing has shown that the database upgrade can take as little as 15 minutes for a moderately sized database of 5GB, up to 3 hours or longer for larger databases of 30GB or more.

Because the time it takes to perform the upgrade is greatly dependent on CPU and Disk I/O speed, it is difficult to provide an exact time for any given situation.

For additional information related to upgrading large databases please refer to Upgrading Large Databases.

Refer to Upgrade Paths below for a discussion of the available upgrade paths that may be used to minimize down time.

Disk Space Requirements

The size of the database will grow as part of the upgrade because of changes in the data types used for storing character-based data.

Our internal testing indicates that, on average, the size of user data in the database will increase by approximately 31% as part of the upgrade process. For example, if your database consumes 10GB before upgrading, then it will use approximately 13GB after upgrading.

If disk space is limited, you should consider purging older data from the database prior to upgrading. For information on purging data from the ARM database, refer to Purging Data from the Database.

For additional information related to upgrading large databases, refer to Upgrading Large Databases.

SQL Server Considerations

If you have limited disk space and are using SQL Server, it may be possible to reduce the size of the database prior to proceeding with the upgrade. This may be accomplished by "shrinking" the database, which will reclaim unused space.

For information and considerations on shrinking a SQL Server database, please refer to the Shrink a Database topic on the Microsoft Developer Network site.

During the upgrade process, the increase in size of the user data will be reflected by an increase in the size of the database's MDF file by approximately 31%.

Additionally, the database transaction log file, the LDF file, may temporarily grow in size. In testing, the LDF file typically increased to between 1% and 3% of the starting size of the corresponding MDF file. For example, if your MDF file is 10GB in size, then the LDF file could be expected to grow temporarily to approximately 300 MB in size.

Oracle Considerations

When upgrading Oracle databases you must ensure not only that the appropriate amount of disk space is available, but also that the USERS tablespace is capable of growing to accommodate the additional storage requirements. You may consider allowing the USERS tablespace data files to auto extend during the upgrade process. Additionally, it may be necessary or desirable to create additional data files for use with the USERS tablespace.

Upgrade Paths

Depending on the size of the ARM database and the time constraints on performing the upgrade of EFT, you may choose to consider alternate methods of upgrading the ARM database. Described below are pros and cons of two alternate methods of upgrading the database, when each method is appropriate, and how to perform the upgrade using each method.


Method 1: During the EFT upgrade

This is the typical method of upgrading the ARM database. When running the EFT installer, you can upgrade the ARM database as part of the full upgrade process.

Pros

• Simplest method, requiring minimal manual steps

Cons

• The EFT will be unavailable for the time it takes to perform the entire upgrade

Appropriate When

• The ARM database is relatively small or the computer running the database is sufficiently powerful

• The ARM database is large, but a few hours of downtime is acceptable

How to Perform

• When upgrading using the EFT installer, on the EFT Enterprise Auditing and Reporting database configuration page of the wizard, click Configure Auditing and Reporting and proceed accordingly.

Method 2: Out of band

With this method, EFT may be upgraded independent of the ARM Database. Specifically, you would upgrade EFT using the EFT installer application, but choose to skip upgrading the ARM database at that time. Once the EFT application has been upgraded, it may be restarted and will thus be available to service end users. During the time that the ARM Database has not yet been upgraded, the EFT application can temporarily store audit information to disk.

You can then upgrade the ARM database using the Database Utility. Once the upgrade has completed, the EFT will then be able to reconnect to the database as normal.

Pros

• Allows for minimal downtime of the main EFT facilities

Cons

• EFT Reporting capabilities will be temporarily unavailable

• Requires additional steps to perform the upgrade

Appropriate When

• Upgrading a very large database when the necessary downtime of the main EFT facilities is unacceptable

How to Perform

• Prior to starting the upgrade process, configure the EFT application to audit to a folder while disconnected from the database. Refer to Audit Database Settings for information about this functionality.

• Upgrade the EFT application using the EFT installer. On the EFT Enterprise Auditing and Reporting database configuration page of the installer, click Skip Auditing and Reporting configuration and proceed accordingly.

• After EFT has been upgraded, restart the EFT service.


• Upgrade the ARM database using the Database Utility.
  o First, perform a preview upgrade using the "-action=UpgradePreview" option of the utility. This will verify that the appropriate requirements for upgrading the database have been met.
  o After the requirements have been verified, use the "-action=UpgradeSchema" option to perform the actual upgrade. Optionally you may instead generate an upgrade script using the "-action=UpgradeScript" option and manually upgrade the database using vendor tools such as SQL Server Development Studio or SQL Plus.
  o Refer to EFT Database Utility for additional information.

ARM Upgrade Checklist

SQL Server

• Ensure a current backup of the database is available

• If necessary/desired, purge older data from the database

• Ensure the necessary disk space is available to perform the upgrade

• Remove any custom schema modifications made to the database

• Follow the desired upgrade method

• Recreate any custom schema modifications

Oracle

• Ensure a current backup of the database is available

• If necessary/desired, purge older data from the database

• Ensure the necessary disk space is available to perform the upgrade

• Ensure the USERS tablespace and associated data files are configured to allow for the necessary data growth

• Remove any custom schema modifications made to the database

• Grant the "CREATE VIEW" privilege to the EFT database user account

• Follow the desired upgrade method

• Recreate any custom schema modifications

Upgrading Large Databases

The majority of the modifications performed on the ARM database when upgraded take only minutes to complete. Occasionally, more modifications are needed when upgrading the database schema. These upgrades may take a long time, especially when they require modifications to the data stored within the database. As such, the time it takes to perform the upgrade may increase with the size of the database.

Depending on the size of the database, such upgrades take hours instead of minutes.

The database upgrade preview process includes the age of the oldest data in the database as well as a rough estimate of the database size. Administrators should use this data to assess the current state of the database when deciding how and when to proceed with the database upgrade.

Administrators of large databases should consider the following options to ensure a smooth upgrade process:

• Administrators should consider purging older data from the database prior to upgrading. (Refer to Purging Data from the Database for details.)


• The database should be backed up prior to any upgrade to allow for quick recovery in case of errors.

• Administrators should consider making a copy of the ARM database and performing a test upgrade of the database. The script necessary to perform the test upgrade may be obtained by proceeding through the EFT Installer's upgrade process and choosing to upgrade the ARM Database. When prompted for the database credentials, specify the test database credentials. On the Upgrade Preview page of the installer, click View, save a copy of the upgrade script, and then cancel the EFT installer. You may now use the SQL script to upgrade the database manually. Alternatively, you can install a clean copy of EFT on another computer and use the Database Utility (DBUtility.exe) to perform the test upgrade.

• Administrators should consider upgrading the database out-of-band from upgrading the EFT installation. This may be done by skipping the ARM database upgrade in the EFT Installer when performing the initial EFT upgrade. The updated version of the EFT will temporarily audit database transactions to disk until the ARM database has been upgraded.

To perform an out-of-band upgrade of ARM

1. If desired, prior to upgrading the EFT, enable the ARM audit-to-folder feature.

2. Use the installer to upgrade the EFT, but skip the ARM upgrade process, then do one of the following:

• Rerun the installer in maintenance mode later to upgrade the ARM database.

• Use the Database Utility (DBUtility.exe) to perform the upgrade.

• Manually upgrade using the SQL scripts generated by DBUtility.exe.

3. After the ARM database has been upgraded, in the EFT administration interface, on the Server's Logs tab, click Reconnect to instruct EFT to connect to the upgraded database.

EFT will then import any database transactions that were audited to disk in the interim.

Manually Creating the ARM Database in SQL Server

This procedure should only be used if you have not already created the ARM database using the EFT installer. All tables will be created in the schema regardless of which features and/or modules are actually in use.

The following instructions use the SQL Server Management Studio application from Microsoft. Optionally, users may prefer to use command line tools such as oSQL to create the database. The oSQL utility allows you to execute Transact-SQL statements, system procedures, and scripts for creating and maintaining the database. For additional information on the oSQL utility, including common script samples, refer to osql Utility on microsoft.com.

First you will create the database, then create the database user account, create the schema, configure EFT to connect to the database, and then test the connection.

Create the Database

To create the database

1. Using the SQL Server Management Studio application, connect to the SQL Server instance using an account that has the privileges necessary to create user accounts and databases. Typically the "sa" account will suffice.

2. In the left pane, right-click Databases, then click New Database.


3. The New Database dialog box appears. Name the database eftdb. (You can use a different database name, but be sure to use the name you chose throughout this procedure.)

4. In the Database files table, change the Initial size value to 10 MB for the eftdb logical name (first row). Leave the eftdb_log row as is. The dialog box should resemble the following screen shot:

5. Click OK to finalize creation of the database.

Create the Database User Account

During installation, EFT needs full DB Owner access to the auditing database to set up the schema. During updates or upgrades, EFT needs full DB Owner access to update the schema. Once it is set up, EFT only needs to be able to read, write, and execute stored procedures. For more information on the required database privileges please refer to Database User Account Privileges.


To create the database user account

1. Using the SQL Server Management Studio application, connect to the SQL Server instance using an account that has the privilege to create user accounts and databases. Typically the "sa" account will suffice.

2. In the left hand pane, expand the Security node, right-click Logins, and then click New Login.

The New Login dialog box appears.

3. Create a new user called eftuser and then click SQL Server Authentication. (You can use a different user name, but be sure to use the name you chose throughout the procedure.)

If SQL Server Authentication is not available as a choice, verify that the SQL Server has been configured to support mixed mode.

4. In the Password and Confirm password boxes, provide a complex password consisting of an alphanumeric and symbol mix of at least 8 characters.

5. Ensure the Enforce Password Policy check box is selected.

6. Ensure the Enforce password expiration check box is not selected. (Optionally, you can enable this setting, but be aware that the eftuser account password will need to be changed periodically to prevent expiration.)

7. Ensure the User must change password at next login check box is not selected.

8. Set the Default database to the eftdb database created earlier.

9. In Default language, click the list to select your language or leave it set to the <default> setting.

The dialog box should resemble the following screen shot:


10. Select the User Mapping node in the left pane.

11. In the Users mapped to this login table, locate the entry for the eftdb database created earlier.

12. Select the check box in the Map column for the eftdb row and set the Default Schema to dbo.

13. While the eftdb row is selected, in the Database role membership for table, select the db_owner check box. The dialog box should now resemble the following screen shot:


14. Click OK to finalize the user creation.
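The same login and user creation, expressed in T-SQL so it can be run from a query window or a command-line tool such as osql instead of the dialog boxes. This is an added example rather than a script from the guide; eftdb and eftuser are the names used in the steps above, and the password is a placeholder to be replaced.

```sql
-- Added example: steps 1-14 above as T-SQL. Run as a login that can create
-- logins and users (e.g. sa). Replace the placeholder password.

-- Steps 3-9: a SQL Server authentication login with the password policy
-- enforced (step 5), no expiration (step 6), no forced change at next login
-- (step 7, so MUST_CHANGE is omitted) and eftdb as default database (step 8).
-- Default language (step 9) is left at the server default.
-- SQL Server authentication logins can only connect when the instance
-- runs in mixed mode (see the note under step 3).
USE master;
GO
CREATE LOGIN eftuser
    WITH PASSWORD = '<replace-with-complex-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = eftdb;
GO

-- Steps 10-12: map the login into eftdb with dbo as the default schema.
USE eftdb;
GO
CREATE USER eftuser FOR LOGIN eftuser WITH DEFAULT_SCHEMA = dbo;
GO

-- Step 13: db_owner membership, required while the creation scripts run.
-- (SQL Server 2012 or later; on older versions: EXEC sp_addrolemember 'db_owner', 'eftuser')
ALTER ROLE db_owner ADD MEMBER eftuser;
GO

-- Check the result: expect is_policy_checked = 1, is_expiration_checked = 0
-- and default_database_name = 'eftdb'.
SELECT name, is_policy_checked, is_expiration_checked, default_database_name
FROM sys.sql_logins
WHERE name = 'eftuser';
GO
```

Once the creation scripts have been executed, the db_owner membership can be dropped again and replaced with the runtime permissions listed under Database User Account Privileges.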

Create the Schema

During installation of the EFT, the installer will place a set of database creation SQL scripts in the GlobalSCAPE\EFT Server Enterprise\SQL Server subfolder of the system Program Data folder. (Typically, C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\SQL Server.) The database creation scripts use the "create_#_" filename prefix. The # in the filename represents the order in which each script must be executed.

You will use these scripts to create the schema using the procedure below.

To create the schema

1. Using the SQL Server Management Studio application, connect to the SQL Server instance using an account that has the privilege to create user accounts and databases. Typically the "sa" account will suffice.

2. In the left pane, expand the Databases node, right-click on the eftdb node, and click New Query.

A blank screen appears in the right pane in which you can type in a SQL query.


3. Execute each creation script in the specified order by copying/pasting the script file contents into the query pane and clicking Execute. A message appears each time you click Execute indicating whether the query was able to complete successfully.

4. In the left pane, expand Databases, then eftdb, then Tables. Verify that the database has populated correctly. (The tables defined in the script should have been created.)

Configure EFT

To configure EFT to connect to the newly created database

• Refer to Audit Database Settings.

Test Your Connection

To test the connection

1. Create a test connection with your FTP client to EFT and upload and download a few files.

2. In SQL Server Management Studio, select the dbo.tbl_ProtocolCommands table under the eftdb database icon. It should return several rows with the commands issued by your client from the test connection.

3. You can now pull reports directly from EFT against data audited to SQL Server.

If you are running the administration interface, you must have an entry in that system's DNS for the name of the SQL Server, otherwise the administration interface will not be able to connect to the SQL Server when attempting to pull reports.

Manually Creating the ARM Database in Oracle

This procedure should only be used if you have not already created the ARM database using the EFT installer.

All tables will be created in the schema regardless of which features and/or modules are actually in use.

The following instructions assume you have already installed the Oracle database software and that an Oracle database is available. These instructions make use of the Oracle SQLPlus command line utility to execute SQL against the Oracle database. Optionally, you may use an alternate utility of your preference.

Create the Database User Account

During installation and upgrade, EFT needs creation privileges within the database. Once it is set up, EFT only needs to be able to read, write, and execute stored procedures. For the specific set of privileges required, please refer to Database User Account Privileges.

To create the database user account

1. Using SQLPlus, connect to the Oracle database using an account that has the privileges necessary to create user accounts and grant privileges. Typically the "sys" or "system" account will suffice. Note that when connecting as the "sys" account you will typically need to specify the "as sysdba" option.


2. Create the database user account by executing the following statement in SQLPlus, replacing <username> with the desired database user account name, such as eftuser, and <password> with the desired password.

CREATE USER <username>

IDENTIFIED BY <password>

DEFAULT TABLESPACE USERS

QUOTA UNLIMITED ON USERS

TEMPORARY TABLESPACE temp QUOTA 5M ON system

/

For example:


3. Grant the necessary privileges to the database user account by executing the following statements in SQLPlus, replacing <username> with the username of the account you just created, such as eftuser.

GRANT CREATE SESSION TO <username>

/

GRANT CREATE TABLE TO <username>

/

GRANT CREATE TRIGGER TO <username>

/

GRANT CREATE SEQUENCE TO <username>

/

GRANT CREATE PROCEDURE TO <username>

/

GRANT CREATE VIEW TO <username>


/

For example:

4. To exit SQLPlus, type exit and press ENTER.

Create the Database Objects

During installation of EFT, the installer places a set of database creation SQL scripts in the GlobalSCAPE\EFT Server Enterprise\Oracle subfolder of the system's Program Data folder. (Typically, C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\Oracle.) The database creation scripts use the "create_#_" filename prefix. The # in the filename represents the order in which each script must be executed.

To create the database objects

1. Using SQLPlus connect to the Oracle database using the EFT database user account created above.


2. In SQLPlus, execute each database creation SQL script in the correct order using the following command, replacing <Script File Path> with the full path and filename of the script:

@"<Script File Path>"

For example:

3. Once you have executed all of the creation scripts you may exit SQLPlus by typing exit and pressing ENTER.

Configure EFT

To configure EFT to connect to the newly created database

• Refer to Audit Database Settings.


Test Your Connection

To test your connection

1. Create a test connection with your FTP client to EFT and upload and download a few files.

2. Using SQLPlus, connect to the Oracle database using the EFT database user account. For example:

3. Retrieve the number of rows in the TBL_PROTOCOLCOMMANDS table by executing the following statement in SQLPlus:

SELECT COUNT(*) FROM TBL_PROTOCOLCOMMANDS;

For example:

The above query should return a count of more than 0.

4. To exit SQLPlus, type exit and press ENTER.

5. You can now pull reports directly from EFT against data audited to Oracle.


If you are running the administration interface, you must have an entry in that system's DNS for the name of the Oracle database computer, otherwise the administration interface will not be able to connect to the database when attempting to pull reports.

ARM Schema

Changes in v7.1

The following table was changed:

The length of the Version column was increased to 20:

tbl_Schema_Version

[Id] [smallint] IDENTITY(1,1) NOT NULL,

[Version] [nchar](20) NOT NULL,

The following tables were added:

tbl_WorkspaceActions – Logs actions performed to Workspaces

tbl_WorkspaceParticipants – Logs details about Workspace participants

lu_WorkspaceActions – Lookup table for workspace action values

lu_WorkspacesParticipantStates – Lookup table for workspace participant states

(Refer to ARM Schema Tables below for details.)

Changes in version 7.0

The following changes were made to the schema:

• A NodeName column has been added to tbl_Transactions, tbl_AS2Transactions, and tbl_SAT_Transactions

• A Time_Stamp_End column has been added to tbl_Actions

ARM Schema Tables

The tables created during installation are listed below. Because all of EFT's modules and features are available during the trial, all of the tables below are created, even if you do not activate that module/feature.

Please refer to the online help to see the ARM schema tables.


Auditing

These topics provide information about auditing EFT activity with the Auditing and Reporting module.

Audit Database Settings

When you run the Server Setup wizard, you are offered the opportunity to enable auditing and reporting and configure the connection information. If you chose to do that later or if you want to edit the database information, you can do so on the Logs tab in the Audit Database Settings area.

To enable and configure auditing and reporting

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Server node you want to configure.

3. In the right pane, click the Logs tab.

4. In the Audit Database Settings area, select the Enable Auditing and Reporting check box to enable communication with the database; clear the check box to disable auditing and reporting.

5. In the Database type area, select SQL Server or Oracle. (Oracle is available in EFT Enterprise only.)

6. In the Database host address[\Instance Name] box, specify the host or database instance name of the database to which you want EFT to connect, or provide a DSN or DSN-less connection string. Refer to Establishing a System Data Source Name (DSN) or Using a DSN-Less Connection with ODBC Authentication, if you are using ODBC Authentication for your Site.

7. In the Database Name box, provide the name of the database or leave the box empty if you provided a connection string in the Database host address[\Instance Name] box.

8. For SQL Server databases, in the Authentication box, specify whether the database is to use Windows Authentication or SQL Server Authentication.

9. In the Database username and Password boxes, provide the username and password needed to connect to the database, or leave the boxes empty if you provided a connection string in the Database host address[\Instance Name] box or if you are using Windows Authentication.

10. In the When a database error occurs area, specify whether you want to audit database errors to a folder:

• If you do not want to audit errors, or want to stop auditing temporarily, click Stop auditing.

• To Audit to folder, click the option, then specify the path to the folder in the box.

11. To automatically try to reconnect after an error occurs, select the Attempt to reconnect every check box and specify the frequency in seconds, from once every 7 seconds to once every 86,400 seconds (once per day).

12. In the E-mail notification area, select the On disconnect check box and/or the On reconnect check box, and then in Recipient list specify one or more e-mail addresses that you want to receive error notifications in case of database failure. Multiple e-mail addresses must be separated by semicolons (;). When auditing is enabled, this e-mail is sent any time that EFT cannot reach the database.

13. If you make any changes to the database audit settings, click Apply to save the changes on EFT.


14. To verify the connection information, click Test Connection. The status of the database connection appears above the Reconnect button. If the database is not connected, click Reconnect to reconnect to the database.

Test Connection - EFT attempts a connection using the supplied parameters without applying the changes.

Reconnect - EFT applies the settings (a prompt appears if you made changes and did not click Apply) and attempts to connect to ARM with the new settings.

Auditing Database Recovery

If the auditing database has failed and EFT has been disconnected from the database for a while, you can prevent a loss of data by automatically saving auditing data to a text file when EFT is disconnected from the database. If EFT is configured to save auditing information to a text file, before reconnecting EFT to the database, repair the database, and then insert the data from the text file into the database. Then you can reconnect EFT to the database as described below.

The SQL statements logged in the text file must be loaded into the database before any reports are run.

If EFT is disconnected from the database and is configured to save auditing information to the log file, do the following:

1. Solve the connection problem.

2. Repair the database, and insert the data from the text file into the database. Be sure to insert the data only once, otherwise the auditing data will be corrupted.

3. In the administration interface, connect to EFT and click the Server tab.

4. On the Server tab, click the Server that you want to configure.

5. In the right pane, click the Logs tab and review the database connection information.

6. If you make any changes to the database host address, instance name, database name, etc., click Apply to apply these changes to EFT.

7. Click Test Connection to test the status of the database connection.

8. The Connection status area indicates whether EFT is communicating with the database. To reconnect to the database, click Reconnect.

How EFT Handles SQL Data

EFT truncates data values within each audited SQL transaction to ensure the data value fits within the corresponding database field.

The special characters (as defined by the SQL interpreter) within each data value of an audit SQL event are escaped to ensure the data value is stored and retrieved properly from the database. The following special characters are escaped by EFT during generation of SQL statements prior to submission to the database engine:

• Single quote - '

• Open brace - [

• Percent - %

• Underscore - _
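The same four characters matter when you write your own report queries against the ARM tables on SQL Server. The following Python helpers are an added example (not EFT's code) that mirrors the rules listed above: bound parameters take care of the single quote, but T-SQL LIKE still treats %, _ and [ as wildcards, so a filename pattern must be bracket-escaped or it will match more rows than intended. The column width passed to truncate_for_column is an assumed parameter; the actual ARM column definitions are in the online help.

```python
"""Escaping and truncation helpers for ARM values on SQL Server (added example,
not EFT's own code; it mirrors the rules the guide lists above). The point for
report writers: parameter binding protects the quote, but T-SQL LIKE still
treats '%', '_' and '[' as wildcards, so a filename such as "report_2015.csv"
also matches "report-2015.csv" unless the pattern is escaped. Column widths
(max_chars) are an assumed parameter; the ARM column definitions live in the
online help."""

import re

# The three LIKE metacharacters from the guide's list; the single quote is the
# fourth and is handled separately because it only matters inside a literal.
LIKE_WILDCARDS = ("[", "%", "_")


def escape_tsql_literal(value: str) -> str:
    """Double single quotes for embedding in a T-SQL string literal. Prefer a
    bound parameter; use this only where the value must be inlined."""
    return value.replace("'", "''")


def tsql_like_pattern(value: str, contains: bool = False) -> str:
    """Return a LIKE pattern that matches value literally, using T-SQL's bracket
    escaping ([%], [_], [[]). With contains=True the pattern is wrapped in %."""
    escaped = "".join(f"[{ch}]" if ch in LIKE_WILDCARDS else ch for ch in value)
    return f"%{escaped}%" if contains else escaped


def truncate_for_column(value: str, max_chars: int) -> str:
    """Mirror EFT's rule of fitting each audited value into its column width."""
    return value[:max_chars]


def like_to_regex(pattern: str) -> str:
    """Translate a T-SQL LIKE pattern (%, _, [...] classes) into a Python regex so
    patterns can be checked offline; comparison here is case-sensitive."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        elif ch == "[":
            end = pattern.index("]", i + 1)  # ValueError if the class is unterminated
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            members = "".join(re.escape(c) for c in (body[1:] if negate else body))
            out.append(("[^" if negate else "[") + members + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def like_matches(pattern: str, text: str) -> bool:
    """True when text matches the whole LIKE pattern."""
    return re.fullmatch(like_to_regex(pattern), text, re.DOTALL) is not None
```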


Auditing Advanced Workflow Engine (AWE) Actions

(The Advanced Workflow Engine is available in EFT Enterprise.) As with other Event Rule Actions, Advanced Workflow Actions are audited to the Auditing and Reporting Module (ARM) database. For all Event Actions, the following items are audited:

• Time stamp

• Site Name

• Event Name

• Action Types such as move, copy, OpenPGP, and send e-mail.

• Action Parameters* - These are runtime values passed to the Action, not the replacement variables.

• Failed Action Flag - This is captured if this Action is the result of a FAILURE sequence on a prior Action.

• Action Result Code

• Result

*For AWE Actions, this is the path to the temporary file associated with the Workflow that was executed. This file contains more detailed debug logging if enabled for that particular workflow.

Auditing Administrator Changes to the ARM Database

(Requires High Security Module in addition to ARM) Administrators often need to know when and what changes were made to EFT and who made them. The Administrator Actions Log report provides information about administrator changes.

EFT logs the following changes made to EFT to the ARM database:

• The Date the action occurred, in MM/DD/YYYY HH:MM:SS format.

• The affected feature or Function. (Refer to Functions Audited below.)

• The type of Action (created, added, removed, modified, enabled, disabled, started, and stopped).

• The Affected Area (Server, Site, Settings Template, User Account, Event Rule, Command, Group, VFS, Report).

• The name of the affected object, Affected Name (Server Name, Site Name, Settings Template Name, User or Admin Account Name, Event Rule Name, Command Name, Group Name, Folder Name, Report Name).

• The name of the administrator that made the change, Change Originator.

The data in the preconfigured report is arranged in columns, Date, Function, Action, Affected Area, Affected Name, and Change Originator, grouped by Site name, and sorted in reverse chronological order (newest change at the top).


Functions Audited

When the following functions are created, added, removed, modified, enabled, disabled, started, or stopped, the action is logged to the database. Many possible actions are grouped together. For example, modifying SSL cipher selection, changing SSL clear command channel values, or modifying SSL connection string all fall under "SSL settings." Also, intermediate states are not audited (e.g., a toggle was checked, but later unchecked, rendering the transaction moot). Instead, only committed states are captured (once the administrator applies changes).

• SFTP protocol

• SFTP settings

• SFTP key

• SFTP authentication settings

• SSL protocol

• SSL settings

• SSL require client certificate

• SSL certificate

• SSL authentication settings

• FIPS mode for SSL

• FIPS mode for SSH

• HTTPS protocol

• HTTPS settings

• HTTP protocol

• FTP Implicit Protocol

• FTP Explicit Protocol

• FTP protocol

• FTP settings

• AS2 protocol

• AS2 settings

• PASV port mode settings

• Streaming repository encryption (EFS)

• OpenPGP settings

• OpenPGP key

• Web Transfer Client

• Password

• Password complexity

• Password reset

• Password expiration

• Password History

• Password initial reset

• Invalid login settings

• Inactive account settings

• Account expiration settings

• Connection limits

• Transfer limits

• Disk limits

• File type limits

• IP address ban list

• Group assignment

• Group (Permission)

• Data sanitization (wiping)

• DMZ Gateway

• DMZ Gateway settings

• Authentication settings

• Remote administration

• Auditing settings

• Log settings

• Default Configuration File Path

• Default User Database Refresh Interval

• SMTP settings

• DoS prevention settings

• Delegated Administrators

• Server

• Site

• Settings Template

• User Account

• Real-time monitoring

• User kicked

• Web Services Interface

• Site root folder

• Site listening IP

• Custom command

• Event Rule

• Physical folder

• Virtual folder

• Folder permissions

• Administrator

• Database refresh

• Server service settings

• Show Time In UTC/GMT

• Ban On Invalid Login Settings

• AWE Task

• Account details


Purging Data from the Database

Space requirements for transactions in the ARM Database depend on the estimated EFT activity, number of users, and installed modules. A general estimate is 3MB to 5MB per 1000 files uploaded. A minimum of 3GB hard drive space is recommended for the initial database size, with additional space required for growth over time. For more detailed information on sizing estimates, refer to Knowledgebase article #10684: How much disk space should I allocate for the Auditing and Reporting module (ARM)?

A good database maintenance plan is important for keeping space requirements to a minimum. Such a plan should include periodic archiving or purging of older data. Users should follow the standard SQL Server/Oracle tuning guidelines provided in the database vendor documentation to maintain a healthy database.

The following procedure describes how to use the provided SQL script to purge older data from the EFT ARM database. The script allows for customization of the following parameters:

• The age of data to be purged. The script purges all transactions earlier than the specified date. By default, the script will purge all data older than 60 days.

• The number of transactions to delete at one time. By default the script will attempt to remove older transactions in "chunks" of 100,000 rows. If purging from an active database, it may be necessary to purge the records in smaller "chunks" such as 10,000 or 1,000 so as to not adversely affect the responsiveness of database for new transactions. The chunk size should be adjusted based on the load of the system at the time of purging and the average amount of data being purged.

Purge Script

Database-specific purge scripts are installed with EFT. By default, the scripts will be under the "SQL Server" and "Oracle" sub-directories of the C:\ProgramData\Globalscape\EFT Server Enterprise\ directory.

It is recommended that the purge script be configured and run on a periodic basis to ensure the database size does not grow uncontrollably. The script may be run manually or automatically using the operating system scheduler, scheduling functionality within the database, or using a Scheduler (Timer) Event within EFT. It may be useful to add the script execution as an additional step to the default "Backup and Cleanup" Scheduler (Timer) Event in EFT.

SQL Server Purge Script

The default SQL Server purge script is <EFT>\SQL Server\PurgeSQLEFTData.sql.

1. If you need to change the database name, "chunk" size, or age at which to purge transactions, make a copy of the script, open the script in a text editor, and then edit the following values:

a. If the database name is not EFTDB, modify the following line with the name of the database:

USE EFTDB

For example, if your database name is "EFTDB_001" you would change the line to:

USE EFTDB_001

b. To change the "chunk" size from the default value of 100,000, modify the following line with the desired chunk size:

EXEC sp_PurgeEFTTransactions NULL, NULL, 100000, 1

For example, if you wish to purge in chunks of 10,000, you would change the line to:

EXEC sp_PurgeEFTTransactions NULL, NULL, 10000, 1

c. By default, the script will purge all transactions older than 60 days. To specify an alternate age, modify the following line with the desired age in days:

SET @stopTime = DATEADD(DAY, -60, GETDATE())

For example, if you wish to purge transactions older than 30 days, you would change the line to:

SET @stopTime = DATEADD(DAY, -30, GETDATE())

2. Save your changes to the file.

3. Use a command line tool such as "oSQL" to connect to the database and execute the script. The example below assumes you have kept the same name for the file.

a. Open a command prompt (click Start > Run, type cmd, then press ENTER).

b. Type the following to execute the SQL script:

<PATH>\oSQL.exe -S [server address] -U [username] -P [password] -i "<PATH>\PurgeSQLEFTData.sql"

For example, type:

"C:\Program Files\Microsoft SQL Server\80\Tools\Binn\oSQL.exe" -S 192.168.19.17 -U iuser -P asd123!f$s1 -i "C:\ProgramData\GlobalSCAPE\EFT Enterprise\SQL Server\PurgeSQLEftData.sql"

For additional information on the oSQL utility, including common script samples, refer to osql Utility on microsoft.com.

Oracle Purge Script

The default Oracle purge script is <EFT>\Oracle\PurgeOracleEFTData.sql.

1. If you need to change the "chunk" size or age at which to purge transactions, make a copy of the script, open the script in a text editor, and then edit the following values:

a. To change the "chunk" size from the default value of 100,000, modify the following line with the desired chunk size:

CALL sp_PurgeEFTTransactions(NULL, NULL, 100000, 1);

For example, if you wish to purge in chunks of 10,000, you would change the line to:

CALL sp_PurgeEFTTransactions(NULL, NULL, 10000, 1);

b. By default, the script will purge all transactions older than 60 days. To specify an alternate age, modify the following line with the desired age in days:

pEndTime := sysdate - 60;

For example, if you wish to purge transactions older than 30 days, you would change the line to:

pEndTime := sysdate - 30;

2. Save your changes to the file.

3. Use a command-line tool such as "sqlplus" to connect to the database and execute the script. (sqlplus.exe may be obtained by installing the Oracle Data Access Components (ODAC) on the system at which the script will be executed. sqlplus.exe may require your tnsnames.ora file to be properly configured to connect to the EFT database. The example below assumes you have kept the same name for the file.)

a. Open a command prompt (click Start > Run, type cmd, then press ENTER).

b. Type the following to execute the file:

<PATH>\sqlplus.exe <EFT>/<EFT>@<EFT>

For example, type:

"C:\app\Administrator\product\11.2.0\client_1\sqlplus.exe" iuser/asd123!f$s1@EFTDB

c. The sqlplus console starts. At the prompt type the following, then press Enter:

@<PATH>\PurgeOracleEFTData.sql

For example, type:

@C:\MyScripts\PurgeOracleEFTData.sql

For additional information on the sqlplus utility, refer to SQL*Plus User's Guide and Reference on oracle.com.
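The hand edits in step 1 of both the SQL Server and the Oracle procedure above are easy to get wrong on a scheduled script, so here is an added Python helper (not GlobalSCAPE's code) that rewrites exactly the lines the guide names and reads the effective settings back for a pre-run check. The two skeleton scripts embedded in it are constructed stand-ins containing only the lines shown in the guide, not the real PurgeSQLEFTData.sql or PurgeOracleEFTData.sql.

```python
"""Parameterize the EFT purge scripts without hand-editing them (added example,
not GlobalSCAPE's code). It rewrites only the lines the guide names (USE <db>,
the sp_PurgeEFTTransactions chunk size, and the 60-day age) and refuses to
proceed unless each line is found exactly once, so a script whose layout has
changed is never run with the defaults by mistake. The two skeletons below are
constructed stand-ins for the real purge scripts."""

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PurgeSettings:
    database: Optional[str]  # only the SQL Server script carries a USE line
    chunk_size: int
    max_age_days: int


# Each pattern captures (prefix, current value, suffix) so only the value changes.
RULES = {
    "sqlserver": {
        "database": re.compile(r"(?m)^(USE\s+)([^\s;]+)[ \t]*$"),
        "chunk_size": re.compile(
            r"(EXEC\s+sp_PurgeEFTTransactions\s+NULL,\s*NULL,\s*)(\d+)(,\s*1)"),
        "max_age_days": re.compile(
            r"(SET\s+@stopTime\s*=\s*DATEADD\(DAY,\s*-)(\d+)(,\s*GETDATE\(\)\))"),
    },
    "oracle": {
        "chunk_size": re.compile(
            r"(CALL\s+sp_PurgeEFTTransactions\(NULL,\s*NULL,\s*)(\d+)(,\s*1\);)"),
        "max_age_days": re.compile(r"(pEndTime\s*:=\s*sysdate\s*-\s*)(\d+)(;)"),
    },
}

# Constructed skeletons: only the lines the guide shows, with the defaults.
SQLSERVER_SKELETON = """USE EFTDB
GO
DECLARE @stopTime DATETIME
SET @stopTime = DATEADD(DAY, -60, GETDATE())
EXEC sp_PurgeEFTTransactions NULL, NULL, 100000, 1
"""

ORACLE_SKELETON = """-- constructed skeleton
pEndTime := sysdate - 60;
CALL sp_PurgeEFTTransactions(NULL, NULL, 100000, 1);
"""


def _single_match(pattern, text: str, what: str):
    """Require exactly one occurrence of the line we intend to edit."""
    matches = list(pattern.finditer(text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {what} line, found {len(matches)}")
    return matches[0]


def read_purge_settings(text: str, dialect: str) -> PurgeSettings:
    """Report what a script would actually do; useful before scheduling it."""
    rules = RULES[dialect]
    database = None
    if "database" in rules:
        database = _single_match(rules["database"], text, "USE").group(2)
    chunk = int(_single_match(rules["chunk_size"], text, "chunk size").group(2))
    days = int(_single_match(rules["max_age_days"], text, "age").group(2))
    return PurgeSettings(database, chunk, days)


def customize_purge_script(text: str, dialect: str, chunk_size: Optional[int] = None,
                           max_age_days: Optional[int] = None,
                           database: Optional[str] = None) -> str:
    """Return a copy of the script text with the requested values substituted."""
    rules = RULES[dialect]
    for name, value in (("chunk_size", chunk_size), ("max_age_days", max_age_days)):
        if value is None:
            continue
        if not isinstance(value, int) or value <= 0:
            raise ValueError(f"{name} must be a positive integer")
        m = _single_match(rules[name], text, name)
        text = text[:m.start()] + m.group(1) + str(value) + m.group(3) + text[m.end():]
    if database is not None:
        if "database" not in rules:
            raise ValueError("only the SQL Server script carries a USE line")
        # The name is pasted into T-SQL, so accept plain identifiers only.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", database):
            raise ValueError("database name must be a plain identifier")
        m = _single_match(rules["database"], text, "USE")
        text = text[:m.start()] + m.group(1) + database + text[m.end():]
    return text
```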

Result IDs

The ARM captures the following transaction information from EFT, which can appear in reports:

Actions

ResultID   Result Const    Description
0          EAR_SUCCESS     If the Event Action is successfully executed
1          EAR_FAIL        If the Event Action fails
2          EAR_STOP_RULE   If STOP processing this rule is selected as Action
4          EAR_STOP_ALL    If STOP processing more rules is selected as Action

Stop processing this rule and Stop processing more rules can be combined, in which case the value is the sum of the two individual values, that is, 6.

SocketConnection

ResultID   Result Const                                      Description
0          ER_NONE                                           When socket successfully created
8          ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_SITE   Per Site socket connection limit exceeded
9          ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_IP     Max connections per IP address limit exceeded
10         ER_CONNECT_FAILED_RESTRICTED_IP                   EFT denied the connection because the IP address was in the ban list or it is a remote IP address and EFT is in developer mode
11         ER_CONNECT_FAILED_BANNED_IP                       EFT denied the connection (failed) and added the IP address to the auto-ban list


Authentications

ResultID   Result Const                       Description
0          LR_OK                              Authentication successful
1          LR_PASSWORD_NOT_ACCEPTED           Incorrect password
2          LR_ACCOUNT_DISABLED                If user account is disabled
3          LR_TOO_MANY_CONNECTIONS_PER_SITE   Max connections per Site limit exceeded
4          LR_TOO_MANY_CONNECTIONS_PER_USER   Max connections per user limit exceeded
5          LR_TOO_MANY_CONNECTIONS_PER_IP     User per-IP address connection limit exceeded
6          LR_PROTOCOL_NOT_SUPPORTED          If given protocol is not supported
7          LR_RESTRICTED_IP                   Connection on restricted IP address
8          LR_SERVICE_UNAVAILABLE             If service is unavailable

ClientOperations

ResultID   Result Const   Description
1          TRUE           If copy/move/download operation is successful
0          FALSE          If copy/move/download operation fails

CustomCommands

ResultID   Result Const            Description
0          CER_OK                  Command executed successfully
1          CER_SYNC                Command executed with socket output
2          CER_ACCESS_DENIED       Access is denied
3          CER_COMMAND_NOT_FOUND   Command is not found
4          CER_PROCESS_FAILED      Could not launch the selected process
5          CER_COMMAND_DISABLED    Command is disabled
6          CER_ERROR_IN_PARAMS     Errors in parameters passed to the custom command

ProtocolCommands

ProtocolCommands are the same as FTP result codes. Below is a brief general description.

ResultID   Description
1xx        Expected another reply before proceeding with a new command
2xx        Requested action completed successfully
3xx        On hold pending receipt of further information
4xx        Temporary failure
5xx        Permanent failure
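When you pull the raw ResultID columns out of the ARM tables for a custom report or a SIEM feed, the numbers need to be turned back into the constants above, and the Actions value may be a combination (6 = 2 + 4). The following Python decoder is an added example, not EFT's or the guide's code: its lookup tables copy the tables on this page, and the sample socket rows at the end are constructed (documentation IP ranges) to show a simple denial summary.

```python
"""Decoder for the ARM ResultID values tabulated above (added example; not EFT's
or the guide's own code). The mappings copy the guide's tables; the sample
socket rows at the bottom are constructed and use documentation IP ranges."""

from collections import Counter

ACTIONS = {0: "EAR_SUCCESS", 1: "EAR_FAIL", 2: "EAR_STOP_RULE", 4: "EAR_STOP_ALL"}

SOCKET_CONNECTIONS = {
    0: "ER_NONE",
    8: "ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_SITE",
    9: "ER_CONNECT_FAILED_TOO_MANY_CONNECTIONS_PER_IP",
    10: "ER_CONNECT_FAILED_RESTRICTED_IP",  # ban list, or remote IP in developer mode
    11: "ER_CONNECT_FAILED_BANNED_IP",      # denied and added to the auto-ban list
}

AUTHENTICATIONS = {
    0: "LR_OK",
    1: "LR_PASSWORD_NOT_ACCEPTED",
    2: "LR_ACCOUNT_DISABLED",
    3: "LR_TOO_MANY_CONNECTIONS_PER_SITE",
    4: "LR_TOO_MANY_CONNECTIONS_PER_USER",
    5: "LR_TOO_MANY_CONNECTIONS_PER_IP",
    6: "LR_PROTOCOL_NOT_SUPPORTED",
    7: "LR_RESTRICTED_IP",
    8: "LR_SERVICE_UNAVAILABLE",
}

CLIENT_OPERATIONS = {1: "TRUE", 0: "FALSE"}

CUSTOM_COMMANDS = {
    0: "CER_OK",
    1: "CER_SYNC",
    2: "CER_ACCESS_DENIED",
    3: "CER_COMMAND_NOT_FOUND",
    4: "CER_PROCESS_FAILED",
    5: "CER_COMMAND_DISABLED",
    6: "CER_ERROR_IN_PARAMS",
}

PROTOCOL_CLASSES = {
    1: "Expected another reply before proceeding with a new command",
    2: "Requested action completed successfully",
    3: "On hold pending receipt of further information",
    4: "Temporary failure",
    5: "Permanent failure",
}


def decode_action_result(result_id: int) -> list:
    """Actions ResultIDs behave as flags: STOP_RULE (2) and STOP_ALL (4) may be
    combined into 6, the only combination the guide documents. Unknown bits
    are reported rather than silently dropped."""
    if result_id == 0:
        return ["EAR_SUCCESS"]
    names, remaining = [], result_id
    for bit in (1, 2, 4):
        if remaining & bit:
            names.append(ACTIONS[bit])
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN_{remaining}")
    return names


def protocol_reply_class(code: int) -> str:
    """ProtocolCommands ResultIDs are FTP reply codes; classify by first digit."""
    if not 100 <= code <= 599:
        raise ValueError(f"not a three-digit FTP reply code: {code}")
    return PROTOCOL_CLASSES[code // 100]


def lookup(table: dict, result_id: int) -> str:
    """Map a ResultID to its constant, flagging values the guide does not list."""
    return table.get(result_id, f"UNKNOWN_{result_id}")


# Constructed rows in the shape (time stamp, remote IP, socket ResultID).
SAMPLE_SOCKET_ROWS = [
    ("2015-12-21 10:00:01", "203.0.113.5", 0),
    ("2015-12-21 10:00:04", "203.0.113.9", 11),
    ("2015-12-21 10:00:05", "203.0.113.9", 10),
    ("2015-12-21 10:00:06", "203.0.113.9", 10),
    ("2015-12-21 10:01:10", "198.51.100.2", 9),
]


def summarize_socket_denials(rows) -> dict:
    """Count refused connections per reason, keyed by the ER_* constant. A run
    of RESTRICTED_IP/BANNED_IP results for one address is worth checking
    against the ban list and the invalid-login settings."""
    counts = Counter()
    for _ts, _ip, result_id in rows:
        if result_id != 0:
            counts[lookup(SOCKET_CONNECTIONS, result_id)] += 1
    return dict(counts)
```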


Auditing Database Errors and Logging

EFT detects errors that occur while trying to connect to the ARM database and can detect errors returned from the database while attempting to perform transactions. If an error is detected while connecting to the database or when performing a transaction on the database (SQL INSERT, UPDATE, etc.) you can configure EFT to log the error to a file and to send a notification to a specified e-mail address.

By default, database errors are logged to \Logs\ in the format EFT_ARM_<YYYY_MM_DD_HH_MM_SS>.sql. (By default, C:\ProgramData\Globalscape\EFT Server Enterprise\Logs.) You can specify a different path or choose not to log the errors to a file.

For details of the Log Settings area, refer to Log Settings.

EFT also generates a Windows Event Log entry when there is an ARM database error. The log entry indicates whether auditing has stopped or if the auditing data is being stored to a log file.

If database access is lost because of a connection error or transaction error (INSERT or UPDATE), resumption of auditing to the database requires a restart of EFT or a RECONNECT request by the administrator. If EFT is configured to stop auditing, the administrator must repair the database, and then restart EFT or use RECONNECT to resume auditing to the database.

Logging to a Text File

In the When a database error occurs area of the Server's Logs tab, you can configure EFT to log the SQL statements to a text file. EFT continues to use the text file until either EFT is restarted or until a RECONNECT request is made by the administrator. EFT then notifies you by e-mail that the logging has been saved to the text file. You can then repair the database, resume auditing to the database, and load the recorded text file SQL statements into the database. To ensure the completeness of the audit data, the SQL statements in the text file must be loaded into the database before executing reports over the time that SQL transactions were logged to the text file.

If you click Reconnect to resume auditing to the database while EFT is recording auditing information to the text file, EFT continues to log the file transfers and/or user sessions that are in progress to that text file. New file transfers and new user sessions will be logged in the database, but any in-process transfers/user sessions are logged to the text file to ensure that they can be inserted and linked appropriately in the database.

Refer to Audit Database Settings for information about configuring the connection information on EFT's Logs tab.

Reporting

The Auditing and Reporting module provides numerous predefined reports which you can use as is, edit to your needs, or use as templates to create new reports. You can also define custom reports using the built-in Report Designer.

Descriptions of Preconfigured Reports

The Auditing and Reporting module comes with a number of preconfigured reports that allow you to start analyzing data right away. The report templates are .xml files and are installed in %systemroot%\ProgramData\Globalscape\EFT Server Enterprise\Reports or \EFT Server\Reports. If you plan to edit the default templates, it is a good idea to save a backup of them first. (Note: On Windows Server 2003 and earlier, the files are in ..\Documents and Settings\All Users\Application Data\Globalscape\EFT Enterprise\Reports or \EFT Server\Reports.) You can also use these reports as templates to create your own custom reports.

The preconfigured reports fall into the following categories:


Billing: If you need to bill your customers for file transfer services and need to supply accurate reports to customers and for your own invoicing purposes, these reports allow you to query and produce reports based on multiple criteria such as a specific client, a group of clients or all clients, a particular date range, and a specific file or all files transferred for that user.

Non-repudiation: If you need to audit transactions throughout their life cycle and determine whether a particular Event occurred and when it occurred, these reports allow you to search for all activity for a specific user for a specific date or to locate a transaction within a date range for auditing purposes, and allow you to show conclusively whether something happened, when it happened, and who was responsible for making it happen.

Statistics: Gathering statistical data allows you to take preventive measures (such as scale to meet increasing demand), to establish trends, create general usage reports for stakeholders, and to query and analyze trends and server usage (peak usage times, most active customers, etc.).

Technical troubleshooting: Granular auditing of all socket, protocol, authentication, and transaction information allows the administrator to quickly locate and solve problem scenarios.

The preconfigured reports described below are provided with the Auditing and Reporting module. You can run the reports as is or edit them to suit your specific needs.

Activity-Ad Hoc (Detailed) - This report displays activity for ad hoc file transfer activity, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc (Summary) - This report displays all ad hoc file transfer activity, grouped by username, and sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc by File (Detailed) - This report displays all ad hoc file transfer activity for a specified file name, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc By Recipient (Detailed) - This report displays all ad hoc file transfer activity for a specified recipient's e-mail address, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. When you click Show Report, the Enter Report Parameters dialog box appears. Provide the entire e-mail address. (For Mail Express reports, the Temporary User Name column is blank.)

Activity-Ad Hoc by Sender (Detailed) - This report displays all ad hoc file transfer activity for a specified sender's e-mail address, sorted by date in reverse chronological order. If a user sent multiple files on one e-mail, each file is listed in the report. When you click Show Report, the Enter Report Parameters dialog box appears. Provide the entire e-mail address. (For Mail Express reports, the Temporary User Name column is blank.)

Activity - All File Transfers - This report displays all file transfers as server, client, and LANcopy event. Displays date and time, target path, account, direction, IP address, size in KB, code, and result (success/failure).

Activity - All File Transfers (as Server) - This report displays all file transfers as server.

Activity - All Groups (Detailed) - This report displays the various Actions performed by all the groups, such as Administrator, All users, and Guests, and it displays Date/Time, Remote IP address, protocol, Action, filename, folder, bytes transferred, and the result.

Activity - All Users (Summary) - This report displays the transfer activity (total number of uploads and downloads) for all users who logged on to EFT during the date range specified, grouped by username, subgrouped by date, sorted by username, then transfer direction, and date, in ascending order.


Auditing and Reporting Module (ARM)

Activity - All Users (Detailed) - This report displays all folders and files created and the delete activity for all users who logged on to EFT during a particular period, grouped by username, and sorted in reverse chronological order. The report includes the time stamp, remote IP address of the user, protocol, Action, file name, folder, KB transferred, and the result.

Activity - By File - This report displays all the activities related to a specified file, based on wildcard masks, grouped by Site name, subgrouped by matching filename, sorted in chronological order. The report displays the time stamp, user name, remote IP address, and protocol. To generate this report, you have to specify the report parameters, such as .txt to view only txt files or *.* to view all files.

Activity - By Group (Detailed) - This report displays the folder and file create and delete activity during a specified period for a specific group, grouped by group name, and sorted by date in reverse chronological order. The report displays the remote IP address, protocol, Action, time stamp, file name, folder, bytes transferred, and result. When you click Show Report, the Report Parameters dialog box appears asking for the group name.

Activity - By User (Detailed) - This report displays the folder and file create and delete activity during a specified period for a specific user, grouped by username, and sorted by date in reverse chronological order. When you click Show Report, the Report Parameters dialog box appears asking for the name of the user.

Activity - By User (Detailed) - Group by Username-Action - This report displays the folder and file create and delete activity during a specified period for specific users, grouped by username, subgrouped by Action, and sorted by date in reverse chronological order. That is, the report displays all files created under the Created Action and all files that are sent are displayed under the Sent Action. When you click Show Report, the Report Parameters dialog box appears asking for the name of the user.

Activity - By User (Summary) - This report displays the transfer activity for specific users, grouped by username, subgrouped by date, sorted by username, transfer direction, and date, in descending order.

Admin Actions - (Requires High Security Module in addition to ARM) This report displays all EFT administrator activity for the specified range. Columns displayed in the report and available report filters include Date/Time (Timestamp), Function (e.g., User Account, Site, Database Refresh, SMTP Settings), Action (e.g., Created, Enabled, Disconnected, Modified, Started, Renamed), Affected Area (e.g., User Account, Site, Server, Administration), Affected Name (username), ChangeOriginator (administrator username), SiteName (e.g., MySite).

Admin Activity (Summary) - This report displays all administrative connections (successes and failures) to EFT.

AS2 Transactions Detailed - A verbose AS2 file transfer report that provides the information necessary for troubleshooting problem transactions.

AS2 Transactions Overview - A transaction report that displays the same information as shown on the Transfers - AS2 node. The report queries all AS2 transactions for the dates specified, grouped by site, sorted by date, and listed in reverse chronological order.

Content Integrity Control - Actions (detailed) - A report showing all Event Rules with CIC actions, grouped by site name, sub-grouped by the user-defined event name, sorted by the unique event ID (not shown) in descending order. Includes Parameters, Begin and End Date\Time, and Result.

Event Rules - Actions (Summary) - This report summarizes all Event Rules with their corresponding Actions, grouped by Site name, subgrouped by the user-defined Event name, sorted by the unique Event ID (not shown in report) in descending order.


EFT v7.2 User Guide

Event Rules - Activity (Detailed) - This report displays the Event Rule activity by user-defined Event name, grouped by Site name, subgrouped by the Event type, sorted by date in reverse chronological order.

Event Rules - Activity (Summary) - This report summarizes the Event Rule activity by user-defined Event name, grouped by Site name, sub-grouped by the Event type, sorted by date in reverse chronological order.

Event Rules - Inbound-Outbound By Date - This report details all offload and download Actions, grouped by Site, subgrouped by Action, sorted by date in reverse chronological order.

Event Rules - Inbound-Outbound By User - This report details all offload and download Actions, grouped by Site name, then by remote host IP address, then by username, sorted in reverse chronological order.

Executive Summary Report - This report summarizes the following information for the period specified:

• Average transfer speed

• Total number of downloads, uploads

• Total bytes transferred (inbound/outbound)

• Top 5 users (by # of connections)

• Top 5 users (by bytes transferred)

Security - Failed Logins - This report displays the number of users who could not connect to EFT. It displays the user name, remote IP address, protocol used, date, time, port number, and result.

Traffic - Average Transfer Rates by User - This report displays the average transfer rate for specific users, grouped by username, subgrouped by date, sorted by username, transfer direction, and date, in descending order.

Traffic - Connections Summary - This report details connections to EFT (IP address or user connections) and bytes transferred by date, grouped by Site name, sorted by date in reverse chronological order.

Traffic - Datewise-Hourly Bytes Transferred - This report details the connections and bytes transferred sorted by date and hour, in chronological order.

Traffic - Datewise-IPwise bytes transferred - This report displays the connections established by remote IP addresses and total bytes transferred.

Traffic - IPwise Connections (Summary) - This report displays the connections established by remote IP addresses and total bytes transferred.

Traffic - Monthwise-IP-wise Bytes transferred - This report displays the connections established by various remote IP addresses each month. It displays the Site name, month name, remote IP address, connections, and total bytes transferred.

Traffic - Most Active IPs - Connections - This report displays the most active IP addresses; that is, the IP addresses of the users who frequently log on to EFT. It displays the data transferred, Site name, remote IP address, and bytes transferred. This report can be used to help identify Denial of Service (DoS) attacks against EFT.

Traffic - Most Active IPs - Data Transferred - This report displays the IP addresses of users who log on to EFT frequently; the number of connections established by various users. It displays the information on the total bytes transferred, number of connections, remote IP address, and Site name.


Traffic - Most Active Users - Connections - This report displays the connections established by the most active users.

Traffic - Most Active Users - Data Transferred - This report displays the usernames of users who log on to EFT frequently, the number of connections established by various users, and number of bytes transferred.

Traffic - Protocolwise Connections (Summary) - This report displays the connections established by various users and the protocol used by the users to transfer the data, that is, whether the users have used FTP, HTTP, or any other protocol to upload or download the files.

Traffic - Sitewise-Hourly by User - This report displays the total number of connections established by various users on a particular Site each hour.

Troubleshooting - Connection Errors - This report displays the number of connection errors that occurred while connecting to a site.

Troubleshooting - Event Rules Failures - This report displays failures related to the Event Rules.

Troubleshooting - IP Address Activity (Detailed) - This report displays the details of the user and the date/time on which the user logged on to EFT; other details such as local port, socket result ID, protocol, password, physical folder name, virtual folder name, and so on are also displayed. To view this report, you must specify the IP address in the Enter Report Parameters dialog box that opens when you click Show Report.

Troubleshooting - Operation Errors - This report displays protocol error codes and corresponding commands, sorted in reverse chronological order. The report includes the date and time the error occurred, remote IP address, protocol used, username, command, filename, virtual folder, and result (e.g., transfer completed).

Web Service- Invoke Event Rules (Detailed) - This report is used to view detailed activity for invoking Event Rules through Web Service, grouped by username, and sorted by date in reverse chronological order.

Workspaces Activity - Shows shared Workspaces invitation activity on EFT for a given period by Site. Displays date, Workspace, path, owner, action (status), and participant (permission).

(Refer to Winsock Error Codes for a list of Socket ID error codes.)

Generating a Report

The ARM comes with a number of preconfigured reports to help you start analyzing data right away. The built-in reports were designed to respond to the most common data analysis requests. Refer to Preconfigured Reports for a list of available reports.

If you are using SQL Express as your database, you may not be able to generate a report remotely, unless the connecting account is a trusted SQL Server connection (i.e., if SQL Server and the remote computer are in the same domain, or if SQL Server is configured to allow "mixed authentication.")

To generate a report

1. In the administration interface, connect to EFT and the reports database, and then click the Reports tab.

2. In the left pane, click the desired report.

3. In the right pane, specify any filters.

4. Specify a date range from which you want to pull data.

5. Type the appropriate parameters/wildcards for the search if the following reports are used:

• Activity By File - Type the file name.

• Activity By Group - Type the group name.

• Troubleshooting IP address Activity - Type the IP address.

6. Click Show Report. The ARM connects to the auditing database and displays the data in the right pane.

ARM displays the first page of the report as soon as the data is ready, then continues to load additional pages. You can monitor the progress of loading by watching the current page/total pages indicator on the report filter bar.

If you want to stop a report from loading, click another report in the left pane.

Using Report Filters

You can filter the fields in a report based on various conditions to display only the data that meet the filtering criteria.

The Report Filters area contains two sets of combo boxes, the logical operators (AND, OR), and a text box.

Use the second set of filters to further define the report using AND or OR.


For example, suppose you have generated a report like the one below:

To show only changes made by TommyToad and June.Bug, set the following filters:

1. In the first combo box, click Change Originator.

2. In the second combo box, click the equals sign ( = ).

3. Type June.Bug in the text box.

4. Click OR.

5. In the bottom filter, click Change Originator, equals, and type TommyToad.

6. Specify a date range, and then click Show Report.

7. The report now displays only changes made by administrators TommyToad or June.Bug.


(If you had clicked AND instead of OR, nothing would appear, because no single change can be made by two administrators at the same time.)

Defining Custom Reports

These topics provide information regarding creating custom reports of EFT activity in the administration interface.

VSReport Designer

Querying, sorting, filtering, and reporting on EFT data can be accomplished by editing one of the existing reports or creating a new report in the provided report editor. This tool can be launched from within the administration interface.

The report editor tool bundled with ARM is a robust report designer licensed from Component One.

During the EFT evaluation period, VSReport Designer is available for use as a fully functional 30-day trial. A license for VSReport Designer is included with each purchase of ARM. After the 30-day trial, ARM must be activated along with EFT to continue using VSReport Designer. Most of the main functions of the report designer are described in this help file; however, VSReport Designer has its own Help file, accessed by clicking Help on the report designer's main menu.

In VSReport Designer, you can work on existing report templates, change field locations and properties, add various levels of grouping, sorting, and so on. You can also create new reports and select ARM’s database tables from which to retrieve data fields or paste in SQL code for advanced queries of the data source, giving customers complete freedom in designing their report. Styles for the report (colors, fonts, background logo images, etc.) can all be manipulated from within the designer. You can also import report definitions from Microsoft Access files (MDB, ADP) and VSReport Designer files (VSR) from within the Report Designer.

Translation of Access reports requires that Microsoft Access is installed. Once the report is imported into the Designer, Access is no longer required.


The main Designer dialog box includes the following:

Report list - The left pane of the Report Designer lists all report templates contained in the current report definition file. (A report can contain multiple report templates.) You can double-click a report name to preview or edit the report. You can also right-click in the list to rename, copy, and delete report templates.

Preview/Design pane - The right pane is the main working area of VSReport Designer. In preview mode, it displays the current report. In design mode, it shows the report's sections and fields and allows you to change the report definition.

Main Menu - The main menu is used to access submenus, load and save report definition files, import report definitions, and print reports.

Shortcut toolbar - Shortcuts are used to access the most common menu functions: new file, open, import, save, print, undo/redo, cut/copy/paste, create/delete report, and help.

View toolbar - The View toolbar allows you to easily switch between preview and design modes, activate the design grid, and display the property and grouping panes.

Toolbox - The Toolbox provides tools for creating report fields. This toolbar is enabled only in design mode.

Formatting toolbar - The Formatting toolbar provides shortcuts to tools for aligning, sizing, and spacing report fields. This toolbar is enabled only in design mode.

Status bar - The Status bar at the bottom of the Report Designer displays information about what VSReport Designer is working on (e.g., loading, saving, printing, rendering, importing, etc.).


Opening VSReport Designer

When you create a new report, you create it manually or use the Report Wizard. Both methods are provided in the VSReport Designer, as described below.

To open VSReport Designer

1. In the administration interface, connect to EFT , then do one of the following:

• On the toolbar, click the New Report icon.

• On the main menu, click Reports > New Report.

• Click the Reports tab, and then click the New Report icon at the bottom of the right pane.

The New Report dialog box appears.

2. Type a title for the new report, and then click Create. The Report Designer appears.


3. Do one of the following to create a report:

• Manually define the report: click the report name in the left pane, click the Design icon, then continue with the instructions in Using Design Mode, Changing Field, Section, and Report Properties, Changing the Data Source, Adding, Editing, and Deleting Fields in the Report, and Grouping and Sorting Data.

• Use the Report Wizard: In the Report Designer, click File > New Report or click the New Report icon on the toolbar.


Creating a Report with the Report Wizard

The easiest way to start a new report is to use the Report Wizard. The Report Wizard will help you create a basic report, specify the data source, fields to include in the report, layout of the report, and styles or labels to use in the report.

To use the Report Wizard

1. In the administration interface, connect to EFT , then do one of the following:

• On the toolbar, click the New Report icon.

• On the main menu, click Reports > New Report.

• Click the Reports tab, and then click the New Report icon on the bottom toolbar.

The New Report dialog box appears.

2. Type a title for the new report, and then click Create. The Report Designer appears.

3. Click File > New Report or click the New Report icon on the toolbar. The New Report

Wizard appears.


4. By default, the ConnectionString box displays information for the database that you specified when you installed the Auditing and Reporting module. Click Next and go to step 5 or, if necessary, type a different string to connect to the data source:

a. Click the browse icon to define the connection string. The Data Link Properties dialog box appears.

b. On the Provider tab, click Microsoft OLE DB Provider for SQL Server as the provider to connect to the SQL Server database, and then click Next. The Connection tab appears.

c. In Select or enter a server name, click the arrow to select a name or type the name of EFT.

d. In Enter information to log on to EFT, click an authentication option to log on to EFT:

Use Windows NT Integrated security - Your computer automatically picks up the credentials from your computer and connects you to the database.

Use a specific user name and password - Specify the user name and the password to be used to log on to EFT. Select the Allow saving password check box to save the password in the connection string.

Select the Blank password check box if EFT requires a blank password to log on the database server. Even if you do not type any password when you create a user account on a database server, you can select the Allow saving password check box. In this case, EFT takes a dummy password value and saves that value in the connection string. Selecting the Blank password check box disables the password field.

e. Click one of the following:

• Select the database on EFT, and then click a database in the list.

• Attach a database file as a database name - Click the ellipsis icon to browse for the SQL Server database file (*.mdf). The Select SQL Server Database File dialog box appears. Select a file, then click Open. The path to the file appears in the Using the filename box.

f. Click OK in the Data Link Properties dialog box to return to the New Report Wizard.


5. Click one of the following:

• Table to select a database table, such as tbl_EventRules.

• SQL Statement to type a SQL query in the bottom box, such as SELECT * FROM tbl_EventRules.

6. Click Next. The fields that appear in the Available list depend on your selection in the previous step. For example, if you selected tbl_EventRules, the fields for Event Rules appear.

7. Double-click a field, click it and use the arrows, or drag and drop one or more field to the Groups list. Group fields define how the data is sorted and summarized. The information in the Detail list is grouped according to the group name. The Detail list displays the details for each group. Detail fields define the information you want to appear in the report. For example, if you move SiteName to the Groups list and Time_stamp, EventName, and so on to the Detail list, then the report displays the time stamp and events under the respective Sites, considering different Sites as different groups.

You can also drag and drop the available fields into the Groups or Detail section.

8. Click Next. The layout options appear.

9. Click a layout for the report. When you select a layout, a thumbnail preview appears on the left to give you an idea of how the layout will appear on the page. There are two groups of layouts. The first is for the reports with no groups defined and other is for the reports with group fields defined.


• If you did not define the Group field, the following options are available:

o Columnar

o Tabular

o Justified

o Labels. The Labels layout option is used to print Avery-style labels, available in a variety of sizes, blank or preprinted. If you select this option, the next page offers options for the type of label for your report.

• If you defined the Group field, the following options are available:

o Stepped

o Outline

o Aligned

10. If you selected any option other than Labels, click the report orientation from the following options. If you select the Labels option, the Orientation options are disabled.

• Portrait

• Landscape

11. Select the Adjust fields to fit page check box to adjust fields in a way that they fit the page.

12. Click Next.

13. Do one of the following:

• If you specified Labels, click a type of label in the Labels list, then specify the Units, Metric or English, and the paper type, Sheet Feed (single sheet) or Continuous (continuous paper).


• If you specified anything other than Labels, specify a style for the report title.


14. Click Next.

15. Type a title for the report.

16. Do one of the following:

• To view the report, click Preview the report.

• To modify the report in Design view, click Modify the report's design.

17. Click Finish. Your new report name appears in the left pane of the Report Designer. The right pane displays a preview of the report or the design view, depending on your selection in the previous step.

18. Click Save to save the report.

19. Click File > Close to close VSReport Designer. The report appears on the Reports tab.

20. Use Design mode to add/remove fields, resize fields, add graphics, and so on.
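The ConnectionString entered in step 4 decides whether a database credential ends up stored with the report: Windows NT Integrated security keeps it out of the string, while Allow saving password writes it in clear text. The following Python check is an added example and not part of the EFT product or its documentation; it parses an OLE DB connection string of the shape the ConnectionString box shows, reports which authentication path it selects, and redacts the password before the string is logged. The key names are the standard SQLOLEDB ones (Provider, Server/Data Source, Trusted_Connection, Integrated Security, User ID/UID, Password/PWD) and the sample strings are constructed.

```python
"""Classify how an OLE DB connection string authenticates to the ARM database.

Added example (not GlobalSCAPE code). The keys handled are the standard
SQLOLEDB ones; the sample strings at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_INTEGRATED_KEYS = ("trusted_connection", "integrated security")
_USER_KEYS = ("user id", "uid")
_PASSWORD_KEYS = ("password", "pwd")

# One 'key=value' pair: the value may be double- or single-quoted (so it can
# contain ';'), otherwise it runs to the next ';'. The key is matched lazily so
# that multi-word keys such as "User ID" are kept whole.
_PAIR = re.compile(
    r'\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^;]*))\s*(?:;|$)'
)


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split a connection string into {lower-cased key: value}.

    Empty segments (for example a trailing ';') and text without '=' are skipped.
    """
    pairs: dict[str, str] = {}
    pos = 0
    while pos < len(conn):
        match = _PAIR.match(conn, pos)
        if match is None:
            pos += 1          # stray separator or junk: step over it
            continue
        key = match.group(1).lower()
        # exactly one of the three value groups took part in the match
        value = next(g for g in match.groups()[1:] if g is not None)
        pairs[key] = value.strip()
        pos = match.end()
    return pairs


@dataclass(frozen=True)
class AuthFinding:
    mode: str    # "integrated", "embedded_password", "blank_password" or "prompt"
    detail: str


def classify_auth(conn: str) -> AuthFinding:
    """Decide which authentication path the connection string selects.

    Mirrors the Data Link Properties choices: Windows NT Integrated security,
    a specific user name with a saved password, a blank password, or a user
    name with no saved password (the user is prompted at connect time).
    """
    kv = parse_connection_string(conn)
    integrated = any(
        kv.get(k, "").lower() in ("yes", "true", "sspi") for k in _INTEGRATED_KEYS
    )
    user = next((kv[k] for k in _USER_KEYS if k in kv), "<none>")
    pwd_key = next((k for k in _PASSWORD_KEYS if k in kv), None)

    if integrated:
        return AuthFinding("integrated", "Windows credentials; no secret stored in the string")
    if pwd_key is not None and kv[pwd_key] != "":
        return AuthFinding(
            "embedded_password",
            f"clear-text '{pwd_key}' for login '{user}' is saved in the string",
        )
    if pwd_key is not None:
        return AuthFinding("blank_password", f"login '{user}' uses an empty password")
    return AuthFinding("prompt", f"login '{user}' has no saved password")


def redact(conn: str) -> str:
    """Return the string with any password value replaced by '***'.

    Use this before writing a connection string to a log, ticket or e-mail.
    """
    return re.sub(
        r'(?i)(^|;)\s*(password|pwd)\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^;]*)',
        r'\1\2=***',
        conn,
    )


if __name__ == "__main__":
    # Constructed samples in the same shape as the ConnectionString box.
    samples = [
        r"provider=sqloledb;server=K2003VM\GLOBALSCAPE;database=EFTDB;Trusted_Connection=yes;",
        "Provider=SQLOLEDB;Data Source=DBHOST;Initial Catalog=EFTDB;User ID=eft_report;Password='p;ss';",
        "Provider=SQLOLEDB;Server=DBHOST;Database=EFTDB;User ID=eft_report;Password=;",
    ]
    for s in samples:
        finding = classify_auth(s)
        print(f"{finding.mode:18} {finding.detail}\n    {redact(s)}")
```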

Creating a Report in Design Mode

The New Report Wizard is used to specify a data source and a basic framework for the report. To get exactly the report you want, you can adjust and enhance the data fields and layout. The Report Designer provides the options to modify the report to fit your needs.

To use the Report Designer design mode

1. In the administration interface, click the Reports tab, then do one of the following:


• Click the report that you want to modify, and then click Edit Report.

• Create a new report. (Refer to Creating a Report with the Report Wizard for instructions.)

The report appears in the Report Designer.

2. The left pane of the Report Designer lists all report templates contained in the current report definition file. Click the report that you want to modify, and then click the Design icon on the View toolbar, or on the main menu, click View > Design. The right pane switches from Preview mode to Design mode, and displays the controls and fields that make up the report.

The Report Sections

The report is divided into sections, labeled Header, Page Header, Detail, and Page Footer, containing fields that hold the labels, variables, and expressions that you want in the generated report. The sections determine the appearance of the beginning and end of the report, and each page and group. The table below describes where each section appears in the report and the sort of data that typically appears in each section.

Section | Appears | Typically Contains
Report Header | Once per report | The report title and summary information for the whole report
Page Header | Once per page | Labels that describe detail fields and/or page numbers
Group Header | Once per group | Fields that identify the current group and possibly aggregate values for the group (e.g., total, percentage of the grand total)
Detail | Once per record | Fields containing data from the source record set
Group Footer | Once per group | Aggregate values for the group
Page Footer | Once per page | Page number, page count, date printed, report name
Report Footer | Once per report | Summary information for the entire report

You cannot directly add and delete sections. The number of groups determines the number of sections in a report. Each report has exactly five fixed sections (Report Header/Footer, Page Header/Footer, and Detail) plus two sections per group (a Header and a Footer).


To hide sections that you do not want to display

1. Right-click the field, and then click Properties. The Field Properties dialog box appears.

2. Change the property of Visible to False.

To resize a section

1. Click and hold the border of the section and drag it to the position where you want it.

The rulers on the left and on top of the design dialog box show the size of each section (excluding the page margins). You cannot make the section smaller than the height and width required to contain the fields in it. To reduce the size of a section beyond that, move or resize the fields in the section first, then resize the section.

2. Press and hold SHIFT, and then click fields to toggle their selection status.

3. Press and hold CTRL, then drag the cursor to copy a selection.

4. Click on the corners of a field to resize it.

5. Press TAB to move the selection to the next field.

6. Press the arrow keys to move selected fields.

7. Press DELETE to remove selected fields.

If you make any mistakes while moving or editing the fields, click Undo and/or Redo.

When multiple fields are selected, you can use the buttons on the Format toolbar to align, resize, and space them.

You can control the design grid using the Show Grid and Snap To Grid icons.

Changing Field, Section, and Report Properties

You can view and edit the properties of the objects inserted in a report.

• When more than one field is selected, the Field Properties dialog box displays only the properties and values that all selected fields have in common and leaves the other properties blank.

• If no fields are selected and you click a section (or on the bar above a section), the selected section's properties are displayed.

• If you click the gray area in the background, the Report properties are displayed.

To view and edit an object's properties

• Double-click the object or select the object, then do one of the following:

o Click Property Window.

o Press F4.

o Right-click, and then click Properties.

The Field Properties dialog box appears.

In the example below, the Activity - All Group (Detailed) label in the Header section is selected. The Field Properties dialog box displays the properties of the selected field.


In the Field Properties dialog box, you can change a property by changing its value. For example, you can change the text color by changing the ForeColor property. You can change the field's position and dimensions by typing new values for the Left, Top, Width, and Height properties.

The property dialog box expresses all measurements in twips (the native unit used by the ComponentOne report designer), but you can type in values in other units and they will be automatically converted into twips. For example, if you set the field's Height property to "0.5in," the property dialog box will convert it into 720 twips.

Adding, Editing, and Deleting Fields in the Report

VSReport Designer only has one type of field object; the icons in the Toolbox simply set the properties of the field to make it look and act in a certain way.

To add, edit, or delete fields in a report

1. In the Report Designer, click View > Design or click the Design icon on the toolbar. The report opens in the design mode.

2. Use the ToolBox to add fields to your report. Follow the procedures below depending on the fields that you want to add, edit, or delete.

Each icon creates a field and initializes the field's properties as follows:

Name | Description
Label field | Creates a field that displays static text.
Bound field | Creates a field that is bound to the source recordset. When you click this button, a menu appears and you can select the recordset field. Bound Fields are not limited to displaying raw data from the database. You can edit their Text property and use any VBScript expression.
Expression field | Creates a calculated field. When you click this button, the code editor dialog will appear so you can enter the VBScript expression whose value you want to display.


Name | Description
Check box field | Creates a bound field that displays a Boolean value as a check box. By default, the check box displays a regular check mark. You can change it into a radio button or cross mark by changing the value of the field's Checkbox property after it has been created.
Unbound picture field | Creates a field that displays a static picture, such as a logo. When you click this button, a dialog box will appear to prompt you for a picture file to insert in the report. A copy is made of the picture you select and is placed in the same directory as the report file. You must distribute this file with the application unless you embed the report file in the application. When you embed a report file in your application, any unbound picture files are embedded too.
Bound picture field | Creates a field that displays a picture (or object) stored in the recordset. When you click this button, a menu appears so you can select a picture field in the source recordset (if there is one; not all recordsets contain this type of field).
Line field | Creates a line. Lines are often used as separators.
Rectangle field | Creates a rectangle. Rectangles are often used to highlight groups of fields or to create tables and grids.
Subreport field | Creates a field that displays another report. When you click this button, a menu appears and you can select other reports that are contained in the same report definition file.
Page break field | Creates a field that inserts a page break.

After you click any of these icons, drag the mouse over the report and the cursor will change into a crosshair. Click and drag to define a space that the new field will occupy, and then release the button to create the new field. If you change your mind, press ESC or click the arrow button to cancel the operation.

You can also add fields by copying and pasting existing fields, or by holding down the control key and dragging a field or group of fields to a new position to create a copy.

To draw a line

• Click Line, then drag the cursor where you want to draw a line.

To draw a rectangle

• Click Rectangle, then drag the cursor where you want to draw a rectangle.


To add or edit text

1. Insert a rectangle, or double-click or right-click an existing rectangle, and then click Properties.

The Field Properties dialog box appears.

2. Scroll to Text in the Property column, click the Value column, then type the text; press ENTER.

To add labels

• Click Label, then drag the pointer to draw a box in the report at the place you want to add a label. Name the label, then specify its font, color, and other properties. You can click and drag the label to adjust its placement in the report.

To add data fields

• Click Data field

, then draw a box on the report. Change the properties of the data field by right-clicking it, and then clicking Properties.


Auditing and Reporting Module (ARM)

To create a VBScript expression

1. Click Calculated field on the toolbar. The VBScript Editor appears.

2. Type the VBScript expression. For example, type:

=count (Transaction ID)

3. Click OK.

4. Drag the pointer and place it under the respective field where you want the result to display.

5. Click the Preview icon on the toolbar to view the result.

To insert images

1. Click Picture. The Open dialog box appears.

2. Click an image, and then click Open.

3. Drag the cursor to draw a box where you want the image to appear.

To delete fields

• Click the field, then press DELETE.

Changing the Data Source

The data source is defined when you installed the ARM database. If you have more than one data source available, you can specify a different source.

To change the data source for a report

1. View the report in Design mode.

2. Click the DataSource icon. The wizard appears.


• The title bar displays the name of the report.

• The ConnectionString box is populated with the string that was defined when you installed ARM (e.g., "provider=sqloledb;server=K2003VM\GLOBALSCAPE;database=EFTDB;Trusted_Connection=yes;").

• The box below the ConnectionString displays the table or SQL Statement used to populate the report.

3. To specify a different data source, click the browse icon. The Data Link Properties dialog box appears.


4. In the OLE DB Provider(s) list, click the data source server (e.g., Microsoft OLE DB Provider for SQL Server), and then click Next. The Connection tab appears.


5. In the Select or enter a server name box, click the down arrow, and then click the database host\instance name. If the server you want does not appear in the list, click Refresh. (If you still do not see the ARM database server, verify EFT's connection to the database on the Server's Logs tab.)

6. In the Enter information to log on to the server area, do one of the following:

• Click Use Windows NT Integrated security. The system will use the logged-in user's account for database connections.

• Click Use a specific user name and password, then specify the username and password.

7. In the Select the database on the server box, click the down arrow and select the ARM database name.


8. Click OK. The wizard displays the data from the specified source.

9. Click OK to close the data source wizard.
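The ConnectionString shown by the wizard is an OLE DB key=value string, and the two logon choices above decide whether it carries only Trusted_Connection=yes or a SQL login whose password is saved into the report definition. The following Python helper is an added example, not EFT code: it parses that format and reports which authentication mode a stored string uses, so an auditor can find report files that embed a database password. The first sample string is the guide's own; the second is constructed, and the assumption that the "Allow saving password" option emits the standard OLE DB keyword Persist Security Info=True is mine.

```python
"""Audit an OLE DB connection string for embedded SQL Server credentials.

Added example, not EFT code. The ARM data source wizard stores a string such as
"provider=sqloledb;server=HOST\\INSTANCE;database=EFTDB;Trusted_Connection=yes;"
in the report definition. This helper parses the key=value;key=value format and
reports whether the report will authenticate with the logged-in Windows account
or with a SQL login whose password is persisted in the file.
"""
from __future__ import annotations

# The first sample mirrors the guide's example; the second is constructed and
# assumes that "Use a specific user name and password" + "Allow saving password"
# writes User ID / Password and the OLE DB keyword Persist Security Info=True.
INTEGRATED_EXAMPLE = (
    '"provider=sqloledb;server=K2003VM\\GLOBALSCAPE;database=EFTDB;'
    'Trusted_Connection=yes;"'
)
SQL_LOGIN_EXAMPLE = (
    'Provider=SQLNCLI10;Server=localhost\\GLOBALSCAPE;Database=EFTDB;'
    'User ID=arm_reader;Password="s3cret;pw";Persist Security Info=True;'
)


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split an OLE DB connection string into a dict with lower-cased keys.

    Values may be wrapped in single or double quotes when they contain ';'.
    An outer pair of quotes around the whole string (as in the guide) is removed.
    """
    conn = conn.strip()
    if len(conn) >= 2 and conn[0] == conn[-1] and conn[0] in "\"'":
        conn = conn[1:-1]
    pairs: dict[str, str] = {}
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in " ;":      # skip separators
            i += 1
        eq = conn.find("=", i)
        if i >= n or eq == -1:
            break
        key = conn[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn[i] in "\"'":         # quoted value, may contain ';'
            end = conn.find(conn[i], i + 1)
            end = n if end == -1 else end
            value, i = conn[i + 1:end], end + 1
        else:                                  # bare value up to the next ';'
            end = conn.find(";", i)
            end = n if end == -1 else end
            value, i = conn[i:end].strip(), end
        pairs[key] = value
    return pairs


def audit_connection_string(conn: str) -> dict:
    """Classify the authentication mode and list findings an auditor would raise."""
    kv = parse_connection_string(conn)
    integrated = (
        kv.get("trusted_connection", "").lower() in ("yes", "true")
        or kv.get("integrated security", "").lower() in ("sspi", "true", "yes")
    )
    password_keys = [k for k in ("password", "pwd") if k in kv]
    findings = []
    if password_keys:
        findings.append("SQL login password is persisted in the connection string; "
                        "anyone who can read the report file can reuse it")
    if kv.get("persist security info", "").lower() in ("true", "yes"):
        findings.append("Persist Security Info=True keeps the credentials in the "
                        "connection object after it is opened")
    if not integrated and not password_keys and "user id" in kv:
        findings.append("SQL login without a stored password: the report will "
                        "prompt or fail when it runs unattended")
    return {
        "provider": kv.get("provider"),
        "server": kv.get("server"),
        "database": kv.get("database"),
        "auth": "windows-integrated" if integrated else "sql-login",
        "password_persisted": bool(password_keys),
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (INTEGRATED_EXAMPLE, SQL_LOGIN_EXAMPLE):
        print(audit_connection_string(sample))
```

Windows integrated security keeps the credential out of the file entirely, which is why it is the safer of the two wizard options whenever the account running the report can be granted read access to the ARM database.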

Grouping and Sorting Data

After designing the basic layout, you may decide to group the records by certain fields or other criteria to make the report easier to read. Grouping allows you to separate groups of records visually and display introductory and summary data for each group. The group break is based on a grouping expression. This expression is usually based on one or more recordset fields, but it can be as complex as you like.

Groups are also used for sorting the data, even if you do not plan to show the Group Header and Footer sections.

The bar across the top of each section (Page Header, Group Header, Detail) contains some useful tools and information about the section.

• The indented box with a minus sign or a plus sign to the left of the section is used to collapse and expand the section. This feature is useful when you are designing the report to allow you to see a group's header and footer on the same screen without scrolling. Collapsing or expanding a section has no effect on how it is rendered in the report.

• An indented circle indicates that the section currently has zero height. You can drag the divider line down to increase the section's Height property.

• The triangle to the left of Group Header indicates the group's sorting order. You can click this icon to open the Sorting and Grouping dialog box.

• The labels to the right of the icons are the section name and, for group headers, the value of the group's GroupBy property (in this example, Country).


To add, edit, reorder, or delete groups in the report

1. Click the Sorting and Grouping icon, click View > Grouping Window, or click the triangle to the left of the group header. The Sorting and Grouping dialog box appears.

2. Use this dialog box to create, edit, reorder, and delete groups.

To create a new grouping condition

1. In the Group On column, click an empty row and type a name. For complex grouping, type an expression instead of a simple field name. For example, you could use "Country" to group by country or "Left(Country, 1)" to group by country initial.

2. In the Sort column, click the arrow to select the sort order you want to use for grouping the data (Ascending, Descending, or None).

3. In the Header, Footer, and Keep Together columns, specify whether the new group will have visible Header and Footer sections, and whether the group should be rendered together (No, With first detail, or Whole Group) on a page.

You cannot use memo or binary (object) fields for grouping and sorting. This is a limitation imposed by OLEDB.

4. After you enter some data for the first group, a new blank row is appended to the list, so you can keep creating new groups. If you add more groups, you can change their order by clicking on the left-most gray cell in the row and dragging the row to a new position. This will automatically adjust the position of the Group Header and Footer sections in the report.

5. To delete a field in the group, select it, then press DELETE.

6. Click OK. The changes appear in the Designer.
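To make the grouping and calculated-field behaviour described above concrete, here is an added Python example (not VSReport or EFT code) that groups a constructed set of administrator-action rows by a Group On expression, applies the Ascending/Descending/None sort choice, and fills the group footer with the guide's calculated field =count(TransactionID). The SiteName, ID and TransactionID column names come from the guide's tbl_AdminActions example; the Action column, the sample values, and the choice to leave an empty TransactionID out of the count are assumptions.

```python
"""Group, sort, and count report records as the Sorting and Grouping dialog does.

Added example, not VSReport or EFT code. Records are plain dicts shaped like the
guide's tbl_AdminActions example (SiteName, ID, TransactionID are from the guide;
the Action column is assumed). The Group On expression is a Python callable
standing in for "SiteName" or "Left(SiteName, 1)", Sort is Ascending, Descending
or None, and the group footer carries the calculated field =count(TransactionID).
"""
from __future__ import annotations
from itertools import groupby
from typing import Callable

# Constructed sample rows. The last one has no TransactionID, so the footer
# count shows that an empty value is not counted (as SQL COUNT(column) behaves;
# the guide does not say whether VSReport's count does the same).
SAMPLE_ROWS = [
    {"ID": 1, "SiteName": "Partners", "TransactionID": 1001, "Action": "Start site"},
    {"ID": 2, "SiteName": "Internal", "TransactionID": 1002, "Action": "Create user"},
    {"ID": 3, "SiteName": "Partners", "TransactionID": 1003, "Action": "Stop site"},
    {"ID": 4, "SiteName": "Default", "TransactionID": 1004, "Action": "Change setting"},
    {"ID": 5, "SiteName": "Internal", "TransactionID": None, "Action": "Admin login"},
]


def left(value, n: int) -> str:
    """VBScript Left(): the first n characters of a value."""
    return str(value)[:n]


def build_groups(rows, group_on: Callable, sort: str = "Ascending",
                 count_field: str = "TransactionID"):
    """Return [(group_value, detail_rows, count)] in report order.

    Sorting is stable, so detail rows keep their recordset order inside a group.
    With sort "None" no reordering happens and a group break occurs wherever the
    expression value changes between consecutive rows (constructed behaviour).
    """
    keyed = [(group_on(r), r) for r in rows]
    if sort == "Ascending":
        keyed.sort(key=lambda kv: kv[0])
    elif sort == "Descending":
        keyed.sort(key=lambda kv: kv[0], reverse=True)
    elif sort != "None":
        raise ValueError(f"unknown sort order {sort!r}")
    groups = []
    for value, members in groupby(keyed, key=lambda kv: kv[0]):
        details = [r for _, r in members]
        count = sum(1 for r in details if r.get(count_field) is not None)
        groups.append((value, details, count))
    return groups


def render(rows, group_on: Callable, label: str, sort: str = "Ascending") -> list[str]:
    """Flatten groups into the header / detail / footer lines a report would print."""
    lines = []
    for value, details, count in build_groups(rows, group_on, sort):
        lines.append(f"== {label}: {value} ==")                 # Group Header
        for r in details:                                       # Detail section
            tid = "-" if r["TransactionID"] is None else r["TransactionID"]
            lines.append(f"  {r['ID']:>3}  {tid:>5}  {r['Action']}")
        lines.append(f"  count(TransactionID) = {count}")       # Group Footer
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS, lambda r: r["SiteName"], "SiteName")))
    print("\n".join(render(SAMPLE_ROWS, lambda r: left(r["SiteName"], 1),
                           "Left(SiteName, 1)", sort="Descending")))
```

Swapping the callable is the equivalent of typing a different expression in the Group On column: `lambda r: r["SiteName"]` is "SiteName", and `lambda r: left(r["SiteName"], 1)` is "Left(SiteName, 1)".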

Example: Creating a Custom Report

Below is an example of using the Report Wizard to create a custom Administrator Actions report sorted by Site Name. The example assumes you have installed ARM with SQL Server Express and have performed administrator actions in EFT, such as creating users, stopping/starting sites, and so on. (The HSM is required for administrator actions reporting.)

To create the report

1. In the administration interface, connect to EFT, click the Site on which you want to create the report, then do one of the following:

• On the toolbar, click the New Report icon.

• On the main menu, click Reports > New Report.


• Click the Reports tab, and then click the New Report icon on the bottom toolbar.

The Create New Report dialog box appears.

2. Type a title for the new report, and then click Create. The Report Designer appears.

So far, all you have done is opened the VSReport Designer, which allows you to open the New Report Wizard, which we will do next. You will delete this "template" later.

3. Click File > New Report or click the New Report icon on the VSReport Designer toolbar. The New Report Wizard appears.


4. By default, the ConnectionString box displays information for the database that you specified when you installed the Auditing and Reporting module (e.g., provider=SQLNCLI10;server=localhost\GLOBALSCAPE;database=EFTDB;Trusted_Connection=yes;). Click Next and go to step 5 or, if necessary, type a different string that is used to connect to the data source:

a. Click the browse icon to define the connection string. The Data Link Properties dialog box appears.

b. On the Provider tab, click Microsoft OLE DB Provider for SQL Server as the provider to connect to the SQL Server database, and then click Next. The Connection tab appears.

c. In Select or enter a server name, click the arrow to select or type the name of EFT.

d. In Enter information to log on to EFT, click an authentication option to log on to EFT:

• Use Windows NT Integrated security - Your computer automatically picks up the credentials from your computer and connects you to the database.

• Use a specific user name and password - Specify the user name and the password to be used to log on to EFT. Select the Allow saving password check box to save the password in the connection string. Select the Blank password check box if EFT requires a blank password to log on to the database server. Even if you do not type any password when you create a user account on a database server, you can select the Allow saving password check box. In this case, EFT takes a dummy password value and saves that value in the connection string. Selecting the Blank password check box disables the password field.

e. Click one of the following:

• Select the database on EFT, and then click a database in the list.

• Attach a database file as a database name - Click the ellipsis icon to browse for the SQL Server database file (*.mdf). The Select SQL Server Database File dialog box appears. Select a file, then click Open. The path to the file appears in the Using the filename box.

f. Click OK in the Data Link Properties dialog box to return to the New Report Wizard.

5. Click Table, then click tbl_AdminActions.

6. Click Next. The fields that appear in the Available list are from the table you selected in the previous step.

7. Click and drag SiteName to the Groups field, then click and drag each of the other fields, except ID and TransactionID, into the Detail box. (If you click the right-facing arrows, every field will move to the Detail area. Then you can individually move back the fields you do not want.)


8. Click Next. The layout options appear.

9. Keep the default settings and click Next on each wizard page until you get to the last step. (For details of using the report wizard to define layout options, refer to Creating a Report with the Report Wizard. For this example, we used the default options.)


10. Type a title for the report, and then click Finish.

• The left pane of the Report Designer displays the report's name (and the report template that was created in step 2).

• The right pane displays a preview of the report.

• The title bar displays the name of the report and an asterisk, indicating that you have not yet saved the report.

11. Let's get rid of that "new" template that was created when you opened the VSReport Designer. In the left pane, click the name of the template you want to remove, and then click the delete icon on the toolbar. Click OK to dismiss the warning message.

12. Click File > Save or click the Save icon on the toolbar.

13. Click File > Exit to close VSReport Designer.

14. On the Reports tab, expand the Custom Reports node. The new report appears in the tree.

15. In the Custom Reports node, click to select the new report.


16. In the right pane, click Show Report. The report appears in the preview pane.

You can filter the results, such as show results only for certain Sites, a specific administrator account, or a certain date.

17. Click Save As to save the report. The report displays EFT administrator actions sorted by Site Name and Server.


Managing Reports

These topics provide information regarding managing the reports of EFT activity.

Saving a Report

You can save reports to a file and export them in the following formats: HTML (.htm), VSPrinter (.vp), Portable Document Format (.pdf), Rich-Text Format (RTF), or plain text (.txt). (See Exporting and Publishing Reports in the Report Designer for a description of the various formats.)

To export a report

1. In the administration interface, connect to EFT and the reports database, and click the Report tab.

2. With the report displayed in the right pane, click Save As.

3. In the Save as dialog box, specify the format and location to save the report, then click Save.

Exporting Reports in XML Format

You can save (export) EFT reports in XML format, and they can be imported in that format.

To export the report

1. In the administration interface, connect to EFT and click the Report tab.

2. In the left pane, click the report.

3. On the main menu, click Reports > Export Report or right-click the report and click Export Report. The Save As dialog box appears.

4. Specify a name (if you want to save it with a different name), location to save the report, and the file type to save it as (XML), and then click Save.


Exporting and Publishing Reports in the Report Designer

Instead of printing the report, you may want to export it into a file and distribute it electronically to your clients or coworkers. VSReport Designer supports several export formats, listed below:

Paged HTML: Creates one HTML file for each page in the report. The HTML pages contain links that let the user navigate the report.

Drill-Down HTML: Creates a single HTML file with sections that can be collapsed and expanded by the user by clicking on them.

Plain HTML: Creates a single, plain HTML file.

PDF: Creates a PDF file that can be viewed on any computer equipped with Adobe's Acrobat viewer or browser plug-ins.

VSPrinter: Creates a file using the VSPrinter control's native format. The file can be loaded, viewed, and printed from a VSPrinter control within an application or Web page.

Text: Creates a plain text file.

To create an export file

1. In the administration interface, connect to EFT and click the Report tab.

2. In the left pane, click the desired report.

3. In the right pane, click Edit Report. The report opens in the Report Designer.

4. In the left pane of the Report Designer, click the report that you want to export.

5. Click File > Export. The Save As dialog box appears.

6. Specify the type of file you want to create, its name (if you want to give it a different name), and its location, then click Save.


Importing Reports

You can add reports to EFT by importing the XML reports from the local drive to EFT.

To import reports into EFT

1. In the administration interface, connect to EFT and click the Report tab.

2. On the main menu, click Report > Import or right-click the Reports node and click Import Report from the shortcut menu. The Open dialog box appears.

3. Click the XML file you want to import, and then click Open.

4. The report is added in the left pane under Reports.

Deleting a Report

You can delete any reports that you no longer use. You cannot recover the report unless you previously exported and saved it.

To delete reports

1. In the administration interface, connect to EFT and click the Report tab.

2. In the left pane, click the report, then do one of the following:

• On the main menu, click Reports > Delete Report.

• Right-click the report and click Delete Report.

• Click Remove.

A confirmation message appears.

3. Click Yes to delete the report. The selected report is deleted and is not recoverable.

Saving Report Outputs

Reports can be saved as HTML, PDF, or XML.

To save reports in different formats

1. In the administration interface, connect to EFT and click the Report tab.

2. In the left pane, click the report, then do one of the following:


• On the main menu, click Reports > Save Report As.

• Right-click the report, and then click Save Report Output As.

The Save As dialog box appears.

3. Navigate to the folder in which you want to save the report.

4. In the File name box, type a name for the report.

5. In the Save as type box, click a format, and then click Save.

Renaming a Report

You can rename the preconfigured reports and your custom reports, but you can't just type a new name in the tree. You have to open the Report Designer to rename the report.

To rename a report

1. In the administration interface, connect to EFT and click the Reports tab.

2. Click the report you want to rename, then click Edit Report. The report designer appears.


3. In the left pane of the report designer, click the report name to make it editable, type your changes, then press ENTER or click away from the edit box.

4. On the toolbar, click the Save icon, then close the Report Designer.

The new name does not immediately update in the Reports tree of the administration interface. If you click or double-click the report in the tree, the name will update.


High Security Module (HSM)

These topics provide information regarding the High Security (HS) module.

The High Security module (HSM) helps achieve or exceed security practices mandated by the most rigorous standards, including PCI DSS, FIPS 140-2 Validation, HIPAA, and Sarbanes-Oxley. Visit our website for a more detailed introduction to the HSM.

Features of the High Security Module

The optional features exclusive to the HSM are listed below:

• FIPS-compliant protocols and ciphers

• Enables auditing of administrator changes (PCI DSS 10.2.2)

• Automatically redirects HTTP to HTTPS (PCI DSS 2.2.3)

• Forces password reset on initial use (PCI DSS 8.2.6)

• Expires user and/or Admin passwords that are 90 days old or older (PCI DSS 8.2.4)

• Enables password expiration reminders (e-mail, banner)

• Removes old data automatically (data sanitization (wiping)) (PCI DSS 9)

• Removes inactive accounts after 90 days or more (PCI DSS 8.1.4)

• Hides or disables non-allowed ciphers or SSL versions, key lengths <128 bits, and the anonymous account type, and warns when importing certificates with weak keys (PCI DSS 4.1)

• Warns if password complexity is disabled (PCI DSS 8.2.3)

• Warns if insecure protocols are in use (PCI DSS 2.2.2)

• Warns if user disk quota is not set (PCI DSS 3.1)

• Warns if secure remote administration is not set (PCI DSS 2.3)

• Warns if Encrypting File System (EFS) is in use (PCI DSS 3.4.1)

• Warns if weak SSL or SFTP keys are in use (PCI DSS 3.6.1)

• Warns if weak SSL versions and ciphers are in use (PCI DSS 4.1)

• Warns if DoS and flood settings are too low (PCI DSS 2.2.4)

• Warns if vendor defaults remain unchanged (PCI DSS 2.1)

• Warns if expired keys are present (PCI DSS 3.6.5)

• Warns if multiple administrator roles are present (PCI DSS 7.1)

• Warns if the anonymous account type is in use (PCI DSS 8.5)

• Causes idle sessions to time out automatically (PCI DSS 8.1.8)

• Limits repeated invalid login attempts (PCI DSS 8.1.6)

• Provides a configuration wizard for creating PCI DSS compliant Sites

• Monitors and reports on configuration changes that result in PCI DSS violations (PCI DSS 12)

• Produces automatic daily PCI DSS Compliance reports (PCI DSS 12)

• Enables Active Directory and Local Windows accounts for EFT administrator authentication (default Administrator accounts are maintained by EFT).


Payment Card Industry (PCI) Data Security Standard (DSS)

In 1999, Visa USA developed the Cardholder Information Security Program (CISP). The goal of this program was to assure cardholders that their account information was safe, regardless of where it was offered for payment. Originally intended to secure credit card transactions over the Internet, the CISP was expanded and mandated in June 2001 to apply to all payment channels, including retail (brick and mortar), mail/telephone order, and e-commerce. To achieve CISP compliance, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS, the result of collaboration between Visa and MasterCard, is designed to create common industry security requirements that incorporate the CISP requirements. Visa, MasterCard, American Express, Diner's Club, Discover, and JCB USA have each endorsed the CISP and PCI DSS. If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, they could face fines of up to US$500,000 per incident, or restrictions imposed by the credit card companies, including denying the member's, merchant's, or service provider's ability to accept or process credit card transactions.

Who Must Comply with PCI?

Any organization that stores, processes, or transmits Primary Account Number (PAN) data must comply with PCI DSS requirements. However, even organizations that do not store or transmit PAN data may decide to use the PCI DSS requirement document as an internal security best practice guideline by which they measure and implement their own data security standards.

Refer to PCI DSS Requirements for information about specific PCI DSS requirements addressed in EFT.

• For more information regarding PCI Security Standards, including downloading a PDF of the standard, visit https://www.pcisecuritystandards.org/index.htm.

• For a list of terms and acronyms used in the standard, refer to https://www.pcisecuritystandards.org/tech/glossary.htm.

How EFT Addresses PCI DSS Requirements

The High Security module (HSM) facilitates enforcing high security and compliance with the PCI Data Security Standard (PCI DSS), which provides detailed security compliance guidelines that can be used to provide hardened security for EFT, no matter which rules or standards by which your organization is measured. Each requirement and a description of how the HSM helps comply with the requirements is described in PCI DSS Requirements Addressed.

Compensating Controls

From the PCI DSS Security Auditing Procedures document:

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

When EFT warns you of a non-compliant setting, you will be given the choice to fix the problem or proceed with the non-compliant setting. If you choose to proceed in violation of the PCI DSS, you will be asked to specify a compensating control, i.e., an alternate hardware, software, or internal policy that satisfies the requirement in some other way (ref. Appendix B: Compensating Controls in the PCI DSS for more information). The controls you document will appear in the PCI DSS Compliance report, which you can provide to Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), individuals who are certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS.


OpenPGP Module

PCI DSS Requirements Addressed

EFT facilitates compliance with applicable PCI DSS requirements. The PCI DSS requirements related to physical security and cardholder database security are not applicable to EFT; however, you should place the Server computer in a secured area, such as a locked server room or network operations center.

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

1.1 Establish and implement firewall and router configuration standards.
    How addressed with EFT: Requires measures external to EFT.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
    How addressed with EFT: Requires measures external to EFT; however, EFT also provides a robust set of IP access filters to control access to EFT and/or the DMZ Gateway.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
    How addressed with EFT: Storing cardholder data in the DMZ or other untrusted network is expressly prohibited by PCI DSS (1.3.7), and as a security best practice you should not allow inbound connections to originate from untrusted into trusted zones. EFT's optional DMZ Gateway module solves both of these problems. Refer to http://www.globalscape.com/mft/dmz-gateway.aspx for details of DMZ Gateway. EFT in combination with the DMZ Gateway module facilitates compliance with this requirement.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
    How addressed with EFT: When EFT is used in combination with the DMZ Gateway, no internal inbound ports need be opened into the trusted network, hence all inbound traffic will be restricted to IP addresses within the DMZ.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
    How addressed with EFT: The need for inbound connections between the DMZ and the internal network is eliminated when using EFT in combination with the DMZ Gateway module.

1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
    How addressed with EFT: Requires measures external to EFT.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
    How addressed with EFT: EFT can be configured* to use the DMZ Gateway as a SOCKS5 proxy for outbound traffic. Offloading files using EFT through the DMZ Gateway means your internal IP address won't be exposed (1.3.8). Additional steps may be required to fulfill this requirement, such as DLP and deep content inspection tools, before files are submitted to EFT for offloading. *Requires DMZ Gateway.

1.3.6 Implement stateful inspection, also known as dynamic packet filtering.
    How addressed with EFT: Requires measures external to EFT.

1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
    How addressed with EFT: EFT, when combined with the DMZ Gateway, eliminates the need to store data in the DMZ.

1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
    How addressed with EFT: Your internal IP addressing scheme is never exposed when EFT is used in combination with the DMZ Gateway.

1.4 Install personal firewall software on any mobile and/or employee-owned computers.
    How addressed with EFT: Requires measures external to EFT.

1.5 Document policies and procedures.
    How addressed with EFT: Requires measures external to EFT.

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
    How addressed with EFT: With the HSM and a high security-enabled Site, EFT detects whether any default values are specified for the Admin login port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP banner message, and will prompt you to change them. No default passwords, usernames, certificates, or keys are used.

2.2 Develop configuration standards for all system components.
    How addressed with EFT: Refer to the specific sub-requirements below.

2.2.1 Implement only one primary function per server.
    How addressed with EFT: EFT's primary function is File Transfer. It is up to the administrator to segregate servers.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
    How addressed with EFT: It is up to the administrator to determine whether an enabled protocol is necessary. No protocol is enabled by default.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
    How addressed with EFT: Any insecure protocols such as plaintext FTP or HTTP are automatically detected* and you are prompted to change them or present a compensating control. *Requires HSM and creation of a PCI DSS Site.

2.2.4 Configure system security parameters to prevent misuse.
    How addressed with EFT: With the HSM and a PCI DSS Site, EFT monitors and warns when:
    o User login credentials are persisted in memory beyond the absolute minimum time necessary (some configurations require this when reusing credentials for secondary connections)
    o Flood and DoS prevention settings are set too low
    o The FTP anti-timeout prevention scheme is disabled or FXP (site-to-site transfer) is permitted

2.2.5 Remove all unnecessary functionality.
    How addressed with EFT: It is up to the administrator to remove any scripts, custom commands, AWE workflows, or similar user-created files that are no longer in use.

2.3 Encrypt all non-console administrative access using strong cryptography.
    How addressed with EFT: The status of non-console (remote) access settings is monitored* and you are warned if SSL is not enabled and given the option to either disable remote administration or enable SSL. *Requires HSM and creation of a PCI DSS Site.

2.4 - 2.6 Inventory maintenance, policy documentation and enforcement, and shared hosting requirements.
    How addressed with EFT: Requires measures external to EFT.

Requirement 3: Protect Stored Cardholder Data

3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
    How addressed with EFT: EFT provides a scheduled, automatic Clean-up Action*. Deleted files can be purged** by writing over the initial data using encrypted and/or pseudorandom data (PCI DSS 9.8). Disk quotas can be set to limit data storage. *Requires EFT Enterprise. **Requires HSM.

3.2 Do not store sensitive authentication data after authorization (even if encrypted).
    How addressed with EFT: 3.2.1-3 refer to card sensitive authentication data (SAD), which should never be stored on the server. Use a third-party DLP or similar tool to detect and prevent SAD storage.

3.3 Mask PAN when displayed.
    How addressed with EFT: Not applicable to EFT, because EFT cannot display that data.

3.4 Render PAN, at minimum, unreadable anywhere it is stored.
    How addressed with EFT: Encrypt PAN or other sensitive data using EFT's optional OpenPGP encryption module or third-party encryption utilities.

3.4.1 If disk encryption is used, logical access must be managed independently of native operating system authentication and access control mechanisms.
    How addressed with EFT: EFT will detect and warn if Microsoft Encrypting File System (EFS) is being used. (Requires HSM and creation of a PCI DSS Site.)

3.5 Document and implement procedures to protect keys.
    How addressed with EFT: Mostly requires measures external to EFT; however, access to keys through the administrator interface is limited to administrator roles with Site or Server access only.

3.6 Fully document and implement all key management processes and procedures.
    How addressed with EFT: Mostly requires measures external to EFT; however, per 3.6.1, EFT will disallow creation of certificates/keys with bit lengths of 512 or less. The default bit length is set to 2048 bits for new keys. When importing SSL or SFTP keys, a warning will appear* if a weak key is imported. *Requires HSM and creation of a PCI DSS Site.

3.7 Document policies and procedures.
    How addressed with EFT: Requires measures external to EFT.

Requirement 4: Encrypt Transmission of Cardholder Data across Open, Public Networks

4.1 Use strong cryptography and security protocols.
    How addressed with EFT: Secure protocols such as SSL, TLS, and SFTP (SSH2) are provided for data transmission. For high security-enabled sites, SSL is restricted* to version 3 or higher, and ciphers to a minimum of 128 bits. Secure data transmission is enforced* by automatically redirecting incoming HTTP traffic to HTTPS. *Requires HSM.

4.2 - 4.3 Never send unprotected PANs by end-user messaging technologies; document security policies and procedures.
    How addressed with EFT: Requires measures external to EFT.
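The HSM feature list and the Requirement 2, 3 and 4 rows above describe the same thing from two angles: a set of configuration checks (vendor defaults, plaintext protocols, remote administration over SSL, password ageing, lockout, idle timeout, key and cipher strength) and a compensating-control record for anything the administrator decides to keep. The following Python block is an added example, not EFT's code or API, that evaluates a constructed Site description against those checks using the requirement numbers and thresholds the guide quotes, and produces the kind of line a compliance report would carry. The field names of the site dict, the sample values and the compensating-control wording are all assumptions.

```python
"""Evaluate an EFT-style Site configuration against the HSM's PCI DSS checks.

Added example, not EFT's own code or API: a stand-in for the monitoring the guide
attributes to the HSM on a PCI DSS Site, plus the compensating-control record the
guide says appears in the PCI DSS Compliance report. Site field names are assumed;
requirement numbers and thresholds are the ones quoted in the guide.
"""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_ADMIN_PORT = 1100         # vendor default the HSM flags (PCI DSS 2.1)
DEFAULT_DMZ_GATEWAY_PORT = 44500  # vendor default the HSM flags (PCI DSS 2.1)


@dataclass
class Finding:
    requirement: str                           # PCI DSS requirement number
    message: str
    compensating_control: str | None = None    # documented alternate control


def audit_site(site: dict, compensating_controls: dict[str, str] | None = None) -> list[Finding]:
    """Return one Finding per non-compliant setting, attaching any documented control."""
    controls = compensating_controls or {}
    findings: list[Finding] = []

    def flag(req: str, msg: str) -> None:
        findings.append(Finding(req, msg, controls.get(req)))

    # 2.1 vendor-supplied defaults
    if site.get("admin_port") == DEFAULT_ADMIN_PORT:
        flag("2.1", "administration port is still the vendor default 1100")
    if site.get("dmz_gateway_port") == DEFAULT_DMZ_GATEWAY_PORT:
        flag("2.1", "DMZ Gateway port is still the vendor default 44500")
    # 2.2.2 plaintext FTP/HTTP count as insecure protocols
    for proto in site.get("enabled_protocols", []):
        if proto.lower() in ("ftp", "http"):
            flag("2.2.2", f"plaintext {proto.upper()} is enabled")
    # 2.3 remote administration must use SSL
    if site.get("remote_admin_enabled") and not site.get("remote_admin_ssl"):
        flag("2.3", "remote administration is enabled without SSL")
    # 8.x account and session hygiene (0 or missing means the control is off)
    max_age = site.get("password_max_age_days") or 0
    if max_age <= 0:
        flag("8.2.4", "passwords never expire")
    elif max_age > 90:
        flag("8.2.4", f"passwords expire after {max_age} days, limit is 90")
    if not site.get("password_complexity"):
        flag("8.2.3", "password complexity is disabled")
    inactive = site.get("inactive_account_removal_days") or 0
    if inactive <= 0 or inactive > 90:
        flag("8.1.4", "inactive accounts are not removed within 90 days")
    if (site.get("max_invalid_logins") or 0) <= 0:
        flag("8.1.6", "repeated invalid login attempts are not limited")
    if (site.get("idle_timeout_minutes") or 0) <= 0:
        flag("8.1.8", "idle sessions never time out")
    if site.get("anonymous_login"):
        flag("8.5", "anonymous account type is in use")
    # 3.1 / 3.4.1 stored data
    if site.get("disk_quota_mb") is None:
        flag("3.1", "no user disk quota is set")
    if site.get("efs_in_use"):
        flag("3.4.1", "Encrypting File System (EFS) is in use")
    # 4.1 transport strength as the guide states it: SSL v3 or higher, 128-bit ciphers
    if (site.get("min_cipher_bits") or 0) < 128:
        flag("4.1", "ciphers below 128 bits are allowed")
    if any(v.upper() == "SSLV2" for v in site.get("ssl_versions", [])):
        flag("4.1", "SSL v2 is enabled")
    # 3.6.1 / 3.6.5 key strength and expiry
    for key in site.get("keys", []):
        if key.get("bits", 0) <= 512:
            flag("3.6.1", f"key {key['name']} is only {key.get('bits', 0)} bits")
        if key.get("expired"):
            flag("3.6.5", f"key {key['name']} has expired")
    return findings


def unmitigated(findings: list[Finding]) -> list[Finding]:
    """Findings with no documented compensating control."""
    return [f for f in findings if f.compensating_control is None]


def compliance_report(findings: list[Finding]) -> list[str]:
    """One line per finding, ordered by requirement number, with its control if any."""
    lines = []
    for f in sorted(findings, key=lambda f: [int(p) for p in f.requirement.split(".")]):
        status = (f"compensating control: {f.compensating_control}"
                  if f.compensating_control else "UNMITIGATED")
        lines.append(f"PCI DSS {f.requirement}: {f.message} [{status}]")
    return lines


# Constructed sample Site with several deliberate violations.
SAMPLE_SITE = {
    "admin_port": 1100, "dmz_gateway_port": 44600,
    "enabled_protocols": ["ftp", "https", "sftp"], "redirect_http_to_https": True,
    "remote_admin_enabled": True, "remote_admin_ssl": False,
    "password_max_age_days": 120, "password_complexity": True,
    "inactive_account_removal_days": 90, "max_invalid_logins": 5,
    "idle_timeout_minutes": 0, "anonymous_login": False, "disk_quota_mb": 500,
    "min_cipher_bits": 128, "ssl_versions": ["SSLv3", "TLSv1"],
    "keys": [{"name": "ftps-cert", "bits": 2048, "expired": False},
             {"name": "legacy-sftp-host-key", "bits": 512, "expired": True}],
}
# Constructed compensating controls keyed by requirement number.
SAMPLE_CONTROLS = {
    "2.1": "admin port reachable only from the management VLAN (firewall rule FW-17)",
    "8.1.8": "sessions terminated by the jump host after 15 minutes",
}

if __name__ == "__main__":
    print("\n".join(compliance_report(audit_site(SAMPLE_SITE, SAMPLE_CONTROLS))))
```

The SSL check deliberately stops where the guide does (version 3 or higher); later PCI DSS revisions treat SSL and early TLS as insecure, so a check written today would require TLS 1.2 or later. The unmitigated list is the part a QSA will ask about first, which is why the report prints the documented control beside each finding rather than hiding mitigated items.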

Requirement 5: Use and Regularly Update Anti-Virus Software

5.1 - 5.4 Anti-virus requirements.
    How addressed with EFT: Requires measures external to EFT.


Requirement 6: Develop and Maintain Secure Systems and Applications

6.1 Establish a process to identify security vulnerabilities.
    How addressed with EFT: Globalscape has formal processes for dealing with potential security vulnerabilities discovered in EFT, including an escalation process, a risk assessment that includes Common Vulnerability Scoring System (CVSS) risk ranking, and a process for notifying customers of critical patches or workarounds.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
    How addressed with EFT: The latest version of EFT is always available from the Globalscape website. Customers are automatically notified upon critical patch availability. It is up to the customer to install the patch within the designated one-month window.

6.3 Develop internal and external software applications securely.
    How addressed with EFT: Globalscape takes a number of steps to develop secure software, as documented here: http://kb.globalscape.com/KnowledgebaseArticle11061.aspx.

6.3.1 Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
    How addressed with EFT: Only applies to Professional Services engagements and should be verified prior to deployment.

6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
    How addressed with EFT: Only applies to Professional Services engagements and should be verified prior to deployment.

6.4 Follow change control procedures for all changes to system components.
    How addressed with EFT: Requires measures external to EFT.

6.5 Address common coding vulnerabilities in software-development processes.
    How addressed with EFT: Globalscape takes a number of steps to develop secure software, as documented here: http://kb.globalscape.com/KnowledgebaseArticle11061.aspx.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis.
    How addressed with EFT: Requires the customer to run a security scan. However, Globalscape also performs routine third-party security scans of EFT's public-facing web interfaces as part of its quality assurance process.

6.7 Document policies and procedures.
    How addressed with EFT: Requires measures external to EFT.

Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

PCI DSS Requirement / How Requirement is Addressed with EFT

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
    EFT provides complete control over administrator and user access to resources, with administrator accounts completely segregated from user accounts. Segregation and control of user access is achieved using unique accounts, permission groups, virtual folders, and settings templates. Segregation and control of administrator access is accomplished via delegated, role-based administrator accounts.

7.3 Document policies and procedures.
    Requires measures external to EFT.


OpenPGP Module

Requirement 8: Assign a Unique ID to Each Person with Computer Access

PCI DSS Requirement / How Requirement is Addressed with EFT

8.1 Define and implement policies and procedures to ensure proper user identification management
    EFT enforces unique usernames for both users and administrators (8.1.1), provides granular administrative controls over user provisioning and authorization (8.1.2), allows user and admin account revocation (8.1.3), provides automatic removal of inactive users after 90 days (8.1.4), includes controls for temporarily enabling/disabling users (8.1.5), automatically locks users after six failed login attempts (8.1.6), either for a period of time or permanently until the administrator unbans them (8.1.7), and automatically expires sessions after 15 minutes of inactivity (8.1.8).

8.2 In addition to assigning a unique ID, ensure proper user authentication.
    EFT supports various combinations of password, certificate, two-factor, and public-key authentication mechanisms (8.2), secures passwords during transmission (assumes SSL or SSH) and in storage (with a one-way, uniquely salted hash) (8.2.1), verifies identity before allowing password reset or lost-username retrieval according to OWASP guidelines (8.2.2), includes minimum length and a number of complexity options (8.2.3), expires and forces password change after 90 days (8.2.4), disallows password re-use, internal dictionary match, or username match (8.2.5), and can force a first-time-use password reset (8.2.6).

8.3 Incorporate two-factor authentication for remote network access.
    Although EFT supports 2FA, this requirement is about network access, such as what is normally done over a VPN.

8.4 Document and communicate authentication procedures and policies
    Requires measures external to EFT.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods
    The "Anonymous" password type is disallowed on a high security-enabled Site (requires HSM). To comply with 8.5.1 you will need to create unique accounts for service provider access, should there ever be a need to provide such access.

8.6 Requirements for unique and controlled access using non-standard authentication mechanisms.
    Requires measures external to EFT, as most of these are physically provisioned to the user.

8.7 All access to any database containing cardholder data is restricted.
    EFT provides granular controls over which administrators can access EFT's reports from within the EFT Server console; however, controls over access to the database (including the data) itself require measures external to EFT.

8.8 Document policies and procedures.
    Requires measures external to EFT.
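The account controls listed for 8.1 and 8.2 above, implemented in a small Python model so the thresholds can be exercised. This is an added example and not EFT code: the six-attempt lockout, the 90-day expiry, the forced first-use reset and the uniquely salted one-way hash are the behaviours this page states; the minimum length of 7, the four-password history depth and the PBKDF2 work factor are assumptions chosen for the example, and the usernames, passwords and timestamps are constructed.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds stated on this page (8.1.6, 8.2.4); the rest are assumptions for the example.
MAX_FAILED_LOGINS = 6
PASSWORD_MAX_AGE = timedelta(days=90)
MIN_LENGTH = 7            # assumption
HISTORY_DEPTH = 4         # assumption: the last four passwords cannot be reused
PBKDF2_ROUNDS = 100_000   # assumption: work factor for the one-way hash

Hashed = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Hashed:
    """One-way, uniquely salted hash (8.2.1): a fresh 16-byte salt per password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(username: str, password: str, history: List[Hashed]) -> List[str]:
    """Length and complexity (8.2.3), no username match and no reuse (8.2.5).
    Returns the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    if username.lower() in password.lower():
        problems.append("contains the username")
    # Re-hash with each stored salt; a match against any recent digest is reuse.
    if any(verify_password(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.history: List[Hashed] = []
        self.failed_logins = 0
        self.locked = False
        self.set_password(password, now, initial=True)

    def set_password(self, password: str, now: datetime, initial: bool = False) -> None:
        problems = policy_violations(self.username, password, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(password))
        self.password_set_at = now
        self.must_reset = initial      # 8.2.6: an admin-issued password must be changed on first use

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'locked', 'bad-password', 'expired' or 'reset-required'."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if not verify_password(password, salt, digest):
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.locked = True     # 8.1.7: stays locked until an admin unlocks (timed unlock not modelled)
                return "locked"
            return "bad-password"
        self.failed_logins = 0
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            return "expired"           # 8.2.4: password older than 90 days
        if self.must_reset:
            return "reset-required"
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2015, 12, 21)        # constructed timestamps
    acct = Account("alice", "Winter2015x", t0)
    print(acct.login("Winter2015x", t0))                       # reset-required
    acct.set_password("Spring2016y", t0)
    print(acct.login("Spring2016y", t0 + timedelta(days=91)))  # expired
```

The reuse check works without ever storing a plaintext: each historical digest is recomputed under its own salt, so a unique salt per password (rather than one per account) is what makes the history comparison and the stored hash both safe.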


Requirement 9: Restrict Physical Access to Cardholder Data

PCI DSS Requirement / How Requirement is Addressed with EFT

9.1 - 9.7 Requirements related to physical access to the cardholder environment.
    Requires measures external to EFT.

9.8 Cardholder data on electronic media must be rendered unrecoverable via a secure wipe program
    EFT includes a data-wiping algorithm for sanitizing deleted data on disk. (Requires HSM.) Note that overwrite-based wiping is not reliable on SSDs, on copy-on-write or snapshot-enabled storage, or where backups already hold a copy of the file; verify the behaviour for the storage actually in use.

9.9 Protect devices that capture payment card data via direct physical interaction
    Requires measures external to EFT.

9.10 Document policies and procedures.
    Requires measures external to EFT.

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

PCI DSS Requirement / How Requirement is Addressed with EFT

10.1 Implement audit trails to link all access to system components to each individual user
    Preconfigured reports of all activity (including administrator actions*) within EFT can be generated on demand with the Auditing and Reporting Module (ARM).
    *Requires ARM and HSM.

10.2 Implement automated audit trails for all system components
    EFT audits* all user access to data (10.2.1) and all administrator changes* to configuration settings (10.2.2). Access to audit trails, invalid logical access, authentication mechanisms, object creation, and initialization of audit logs (10.2.3 - 10.2.7) are managed at the database server.
    *Requires ARM and HSM.

10.3 Record audit trail entries for all system components
    EFT audits* user identity (10.3.1), type of transaction (10.3.2), date and time of transaction (10.3.3), transaction result (10.3.4), remote and local IP (10.3.5), and objects affected (10.3.6).
    *Requires ARM.

10.4 Synchronize critical system clocks and times
    Requires measures external to EFT.

10.5 Secure audit trails so that they cannot be altered.
    Audited data integrity depends on the chosen database solution and authentication architecture. EFT supports auditing* to a central SQL Server or Oracle** database.
    *Requires ARM. **Requires EFT Enterprise.

10.6 Review logs and security events for all system components (10.6.1) at least daily
    A daily PCI DSS Compliance report can be generated by EFT and sent via e-mail to the appropriate recipient(s). Administrators can also attach any other canned or administrator-created report to the daily e-mail. (Requires both ARM and HSM.)

10.7 Retain audit trail history for at least one year
    Requires measures external to EFT.

10.8 Document policies and procedures
    Requires measures external to EFT.

Requirement 11: Regularly Test Security Systems and Processes

PCI DSS Requirement / How Requirement is Addressed with EFT

11.1 - 11.6 Requirements relating to regular testing of security systems and processes.
    Requires measures external to EFT.

Requirement 12: Maintain a Policy that Addresses Information Security

PCI DSS Requirement / How Requirement is Addressed with EFT

12.1 - 12.10 Maintain a policy that addresses information security for all personnel
    Requires measures external to EFT.


Creating a High Security-Enabled Site

When you run the Site creation wizard, you have the option to create a Site that can monitor, report, and/or warn on compliance violations.

Prerequisites:

ARM enabled

HSM activated or in trial

Constraints:

• Certificate (SSL) or Key (SFTP)-only authentication not allowed

If your company does not require PCI DSS compliance, choose "default security settings" when you create a Site. You can manually enable advanced security options later, if needed, and you can run the PCI DSS Compliance report even for non-high security-enabled Sites.

For details of configuring Servers and Sites, and enabling ARM on EFT, refer to the following topics:

Server Setup Wizard

Configuring the Auditing and Reporting Module

You will need the following information to create and configure a high security-enabled Site:

• Listening IP address for the Site

• Site root folder path (location)

• User authentication provider type

• DMZ Gateway IP address and port, if applicable

• The e-mail address for e-mailing the PCI DSS Compliance Report

• SSL certificate pair and SFTP key pair, if applicable

The wizard performs several checks and asks you to provide information or make changes based on the results of those checks, including:

• Is the HSM in the trial period?

• If not in the trial period, is the module activated?

• Is ARM enabled?

• Which authentication method are you using to authenticate users?

• Is remote administration enabled?

• Is SSL enabled for remote administration?

• Are password security options for delegated administration set?

• Is the daily PCI DSS report enabled?

• Is FTPS/HTTPS/SFTP enabled?

• Is the default banner for SFTP used?

The wizard is quite intuitive and provides instructions where necessary. The wizard pages change based on your selections. The procedure below walks you through the most common scenarios.


To configure a high security-enabled Site

1. Do one of the following:

• After Server setup is complete, the Site Setup wizard appears.

• In the administration interface, click Configuration > New Site.

The Site Setup wizard Welcome page appears.


2. Click Strict security settings, and then click Next. The Site name page appears.

3. In the Site name box, type a unique name for the Site. The default name is MySite, but you can change it to anything you want. The name you provide here appears in the EFT tree in the left pane of the administration interface, and in reports and messages.

4. Next to the Listening IPs box, click Configure. The Listening IP Settings dialog box appears.

5. Select one of the All Incoming check boxes, or one or more specific IP addresses on which this Site should listen for incoming connections, and then click OK.

6. Click Next. The Site Root Folder page appears.


7. In the Site root box, leave the default or click Browse to specify the root folder.

8. In the Additional site root folder options area, select or clear the check boxes as needed:

• Select the Automatically create UNIX-style subfolders check box to create Usr, Pub, Bin, and Incoming folders with appropriate permissions under the Site root folder. This is only necessary if you are trying to mimic a typical default *nix Server setup, but the check box is selected by default.

• Select the Automatically create and assign home folders to newly created users check box to create a user folder automatically under \Site Root\Usr\ when a new user is added.

9. Click Next. The User Authentication page appears.

10. In the Authentication type list, specify one of the following authentication methods that this Site will use to authenticate user connections:

• Globalscape Server Authentication

• Windows Active Directory Authentication - If you are using this method, also refer to Windows Active Directory Authentication.

• LDAP Authentication - If you are using this method, also refer to LDAP Authentication.

• ODBC Authentication - If you are using ODBC authentication, also refer to ODBC Authentication.

When you create a high security-enabled Site that uses AD or LDAP authentication, the following states will not be audited for user accounts, but will be audited for non-AD administrator accounts:

• Password complexity and length requirements

• Password history requirements

• Password reset requirements

• Password expiration requirements

• Password anonymous requirements

• Password e-mailing to user requirements

The same PCI DSS requirement checks are skipped when RADIUS or RSA SecurID is used, and compensating controls are shown in their place.

11. Under Advanced Authentication Options, specify whether this Site will use RADIUS, RSA SecurID, or the default of None. (Common Access Card (CAC) authentication is not allowed for high security-enabled Sites.)

• If RADIUS or RSA SecurID is selected, click Configure, then:

o RADIUS: Specify the RADIUS authentication settings, and then click OK.

o RSA SecurID: Specify the location of the RSA Server configuration file (sdconf.rec), then click OK. (Note that the SecurID files will reside in this location. The node secret and sdstatus.12 files will be generated at this location.)

12. Click Next. The EFT Authentication page appears.

13. The default path to store the user database appears in the box (C:\ProgramData\Globalscape\EFT Server Enterprise\MyPCIDSSSite.aud). If you want to store the user database in a different location, click the Browse icon or type the path in the box.

14. Click Next. The Perimeter Network Security page appears.

15. If you are using the DMZ Gateway module, provide the IP address and port to connect the Site to DMZ Gateway, then click Test Connection to verify that the Site can connect to DMZ Gateway. If the Site is unable to connect, you can continue without enabling DMZ Gateway and enable it later.

• If you choose not to connect to DMZ Gateway or have not yet installed DMZ Gateway, click in the text box and provide a reason (compensating control) for not using DMZ Gateway. (The reason will appear in the Description box of the PCI DSS Compliance report.)

16. Click Next. If you specified a default port for DMZ Gateway, the Vendor Defaults page appears.

17. Change the port number to a non-default number, or provide a reason for keeping the default port. (The reason will appear in the Description box of the PCI DSS Compliance report.)

18. Click Next. If EFT was configured with the default Administrator port of 1100, the Vendor Defaults page appears for you to change the Administrator port or provide justification for using the default.

19. Click Next. The Data Retention and Disposal page appears.

20. Do one of the following:

• Click Each day, delete files older than n days matching these extensions from this folder, then specify the file extensions to be deleted, the frequency, and the folder from which to delete them. Select the Include subfolders check box to delete the files from the subfolders.

• Click Don't set a data retention and disposal policy, then, in the text box, provide the justification and compensating control. (The reason will appear in the Description box of the PCI DSS Compliance report.) Refer to Specifying File Deletion Options for more data wiping options. You can always set up a clean-up policy later.

21. Click Next. The Administrator Account Password Security page appears.

22. Keep the default of Enable options identified above for all administrator accounts (password security settings), or click Continue without changing administrator account password security settings, then provide the justification and compensating control. (The reason will appear in the Description box of the PCI DSS Compliance report.) You can specify these password security settings individually after you create the Site.

23. Click Next. The Daily PCI DSS Audit Report page appears.

24. Do one of the following:

• Click Audit and send daily report, then provide the recipient's e-mail address. (The SMTP settings were configured during Server setup.)

• Click Do not generate daily report and type a reason for not generating the report automatically. For example, you can manually generate the report as needed in the administration interface. (The reason will appear in the Description box of the PCI DSS Compliance report.)

25. Click Next. The Data Sanitization page appears.


26. Do one of the following:

• Click Enable data wiping, then, in the Data sanitization method box, click which method EFT is to use to wipe data.

• Click Windows default (no wipe) and type a reason for not specifying a data sanitization method for EFT to use. For example, you might be using a third-party tool for sanitization.

(The reason will appear in the Description box of the PCI DSS Compliance report .)

27. Click Next. The Connection Protocols page appears.


28. Select one or more protocol check boxes and specify the port numbers that this Site will use to connect to EFT.

If you specify plain text FTP or HTTP, after you click Next, EFT will prompt you to disable these insecure protocols or continue and supply justification.

• If you choose SSL, click SSL options and SSL certs for further configuration.

o Click SSL options to define the allowed SSL versions and ciphers. Some Web browsers do not have TLS turned on by default, which causes things like redirecting to the password reset page to fail, because the browser cannot make the SSL connection, and it returns an error. For this reason, the default SSL security options for a high security-enabled Site include SSL 3.0 in addition to TLS 1.0. Note that SSL 3.0 has since been deprecated (RFC 7568) and PCI DSS v3.1 no longer treats SSL or early TLS as strong cryptography, so disable SSL 3.0 unless a specific legacy client requires it, and record that client as the compensating control.

o Click SSL certs to define the SSL certificate to use for this Site. Refer to Creating Certificates and Importing a Certificate into the Trusted Certificate Database for information regarding certificates.

Regarding SSL certificate-based login, compliance with PCI DSS requires that users change their password upon initial login. Because SSL certificate-only login does not use a password, it potentially violates the PCI DSS and is, therefore, not available with high security-enabled Sites.

• If you choose SFTP, click SFTP options and SFTP keys for further configuration. Because the SFTP Public key only method does not use a password, it potentially violates the PCI DSS and is, therefore, not available with high security-enabled Sites. However, you can use the Public Key and Password authentication method.


• If you choose AS2 over HTTP/S, click Configure to specify your AS2 identifier and certificate information .

29. Click Next. If the default SFTP banner message is used on EFT, the Vendor Default warning page appears. Do one of the following:

• Click Change SFTP message banner to, then provide the software version and, optionally, comments.

• Click Continue without making any changes, then type the reason for keeping the default banner message.

30. Click Next. The Site Setup Completed page appears.

31. You are offered the option of continuing to the User Creation wizard or quitting the wizard. Click an option, and then click Finish. The high security-enabled Site appears in the tree on the Server tab.

• If you chose Run New User Creation wizard, the User Creation wizard Welcome page appears.

Warnings for PCI DSS Violations

When EFT warns you of a non-compliant setting, if you do not change the setting to one that meets the PCI DSS requirement, you can specify the compensating controls (hardware, software, or policy) you are using to satisfy the requirement. The information that you provide in the warning message appears in the PCI DSS Compliance Report, which you can provide to Qualified Security Assessors (QSAs), who are certified by the PCI Security Standards Council to validate compliance with the PCI DSS requirements, or to Approved Scanning Vendors (ASVs), which are approved by the Council to perform the external vulnerability scans the standard requires.

For Sites created using the "strict security settings" option, if you attempt to change a setting that would cause EFT to no longer meet PCI DSS requirements, when you click Apply to save the changes on EFT, EFT does not commit the change, and a warning message appears that describes one or more violations.

If you do not activate the HSM, this feature is disabled when the 30-day trial expires.

For each violation identified in the PCI DSS Violations dialog box, you can accept the non-compliant setting (Apply this change anyway) and provide a reason for accepting each setting (e.g., if you are using an alternate solution), or you can discard the change (Don't apply this change). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance Report.

Related settings are audited and reported on as a group (e.g., all of the SSL-related settings or all of the account-related settings). For example, suppose that on Monday you disable the account lockout settings for a user and specify in the PCI DSS Violations dialog box your reason for allowing this non-compliant setting. Then on Wednesday, you change a complex password setting. The PCI DSS Violations dialog box appears and displays both of these settings, as well as others for which you provided a reason, and you are required to allow the change and specify a reason, or discard the change, for each of the non-compliant settings before EFT commits the changes. (That is, the allow or discard flag is separate, but they are audited and reported on as a group.) This functionality is designed to remind you of the non-compliant settings in case you want to bring them into compliance in EFT.

If PCI DSS Violations are detected

1. Click a violation in the list, then do one of the following for each of the violations listed:

o If you want to correct the violation, click Don't apply this change, click Continue, correct the setting, and then click Apply.

o If you want to keep the non-compliant setting, click Apply this change anyway, then in the Provide justification and describe compensating control box, type the reason for keeping the non-compliant setting. The description will appear in the PCI DSS Compliance report.

2. Click Continue. You must address each violation in the list before you can click Continue.

Reporting of failed items occurs at the highest level of failure only, except in the case of an explicit setting that violates compliance. For example:

• If a Site failed compliance because Enforce strong (complex) passwords was disabled (check box cleared), the report is generated for the entire Site.

• If Enforce strong (complex) passwords was enabled for the Site, but was disabled for a Settings Template, the report is generated for the Settings Template.

• If Enforce strong (complex) passwords was enabled for the Site and the Settings Template, but disabled for some users, EFT reports for each of those users.

• If Enforce strong (complex) passwords was disabled for the Site, enabled for the Settings Template, and disabled for a user, the warning appears for the Site violation and for the user account that is in violation.
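The four cases above follow one rule: a level is reported when its own explicit setting is non-compliant, and levels that merely inherit a failing value from above are not repeated. The following Python model implements that rule and, for contrast, also lists every user whose effective setting is disabled. This is an added example and not EFT code: the Site, Settings Template and User levels and the setting name are the page's; the Node data model and the sample Site contents are assumptions constructed for the example.

```python
from typing import Dict, List, Optional


class Node:
    """A Site, Settings Template or User. `setting` is the explicit value of
    'Enforce strong (complex) passwords' at this level, or None when the level
    inherits it from its parent."""

    def __init__(self, kind: str, name: str, setting: Optional[bool], children=()):
        self.kind, self.name, self.setting = kind, name, setting
        self.children = list(children)

    def effective(self, inherited: Optional[bool]) -> Optional[bool]:
        return inherited if self.setting is None else self.setting


def violations(node: Node, inherited: Optional[bool] = None) -> List[str]:
    """Walk Site -> Settings Template -> User and report at the highest level of
    failure: a level appears only when it explicitly disables the setting."""
    found = []
    if node.setting is False:
        found.append("%s '%s': Enforce strong (complex) passwords disabled" % (node.kind, node.name))
    for child in node.children:
        found.extend(violations(child, node.effective(inherited)))
    return found


def noncompliant_users(node: Node, inherited: Optional[bool] = None) -> List[str]:
    """Every user whose effective value is disabled, whether set on the user or
    inherited. Compare with violations(): the report names only the level that set it."""
    effective = node.effective(inherited)
    if node.kind == "User":
        return [node.name] if effective is False else []
    out = []
    for child in node.children:
        out.extend(noncompliant_users(child, effective))
    return out


def build_site(site_setting: bool, template_setting: Optional[bool],
               user_settings: Dict[str, Optional[bool]]) -> Node:
    """One Site with one Settings Template and the given users (constructed data)."""
    users = [Node("User", name, value) for name, value in user_settings.items()]
    template = Node("Settings Template", "Default", template_setting, users)
    return Node("Site", "MySite", site_setting, [template])


def levels(report: List[str]) -> List[str]:
    """Just the '<kind> <name>' part of each report line, for quick comparison."""
    return [line.split(":")[0] for line in report]


if __name__ == "__main__":
    # The page's four cases, in order.
    print(levels(violations(build_site(False, None, {"alice": None}))))              # ["Site 'MySite'"]
    print(levels(violations(build_site(True, False, {"alice": None}))))              # ["Settings Template 'Default'"]
    print(levels(violations(build_site(True, True, {"alice": False, "bob": None}))))  # ["User 'alice'"]
    print(levels(violations(build_site(False, True, {"alice": False}))))             # ["Site 'MySite'", "User 'alice'"]
```

The second case is the one worth noticing: every user under the Template inherits the disabled setting and is non-compliant, yet the report carries a single Template line, so an assessor reading only the report must resolve the inheritance to know which accounts are affected.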

EFT stores the PCI DSS compensating controls information that you provide in its auditing database (ARM). If ARM is disabled, violations are still identified in the report; however, the justifications that you type when you accept a non-compliant setting are not recorded in the database. You can still run the report, but the justifications that you provide will not appear in it. When settings that violate PCI DSS compliance are changed via the COM API, EFT rejects the change and returns the error code "error 53." Refer to the Globalscape Server COM API user guide for details of the COM API.

Security Auditing

Review these topics for details of generating a daily PCI DSS Compliance report.

Both trial and full versions of the HSM include the ability to audit EFT for compliance with the PCI DSS requirements. EFT scans all PCI DSS requirements addressed in EFT, and then reports on the compliance status of each requirement (Pass, Fail, or Warning). The report also provides a description of the requirement tested for each item. For failed requirements, the report presents the reason the non-compliant setting was used, if you provided one at the time that particular setting was disabled or changed.

To generate the PCI DSS Compliance report

• To generate the report in real time, do one of the following:

o On the main menu, click Report > PCI DSS Compliance Report. A report is generated for each high security-enabled Site.

o In the Site's Event Rule node, click Report Event. In the right pane, click Run Now. The report is e-mailed to the e-mail address defined in the Rule.

• To generate the report on a recurring schedule, define a Scheduler Timer Event Rule with the Generate Report Action. In the Event Rule, you can define whether to e-mail the report and/or save the report to a file. A report is generated specific to the Site on which the Event Rule is configured.

For a description of each PCI DSS requirement covered in the report, refer to Possible PCI DSS Compliance Report Outcomes.

For details of generating reports, refer to Generating a Report .


Automating the PCI DSS Compliance Report

When you create a high security-enabled Site, EFT creates a Report Event Rule automatically. The Report Event Rule generates a PCI DSS Compliance Report once per week using the Generate Report Action. The report is converted to HTML and then e-mailed using the Send notification email Action and the %FS.REPORT_CONTENT% variable. You can edit the Rule to specify when to generate the report and to whom to send it.

Optionally, you can run the PCI DSS Compliance Report "on the fly" by clicking Reports > Run PCI DSS Compliance Report on the administration interface main menu. If the HSM is not activated, the PCI DSS Compliance Report is not available.

PCI DSS Possible Compliance Report Outcomes

The PCI DSS Compliance Report displays the requirement name, status (PASSED, FAILED, WARNING), description of the requirement, notes that you typed in the Warning box (explanation, justification, or compensating control), report name, date the report was generated, and description of the report. The report is grouped and sorted by PCI DSS Requirement.

If the report is generated after the HSM trial has expired, the report contains the following statement instead of the standard report:

The HSM has expired. Please contact your Globalscape sales representative or visit http://www.globalscape.com/eft for more details.

The status of audited PCI DSS requirements appears in the report. The following PCI DSS requirements are checked:

• 1.x – DMZ Gateway disabled or no connectivity

• 2.x – Remote administration enabled but not secured, vendor defaults in use, insecure protocols in use (FTP, HTTP) or insecure settings (NOOP and FXP), auto-ban/flood detection set too low or disabled, and login credential persistence enabled.

• 3.x – Disk quotas not present for limiting storage amounts, missing clean-up rule for data retention and disposal compliance.

• 4.x – Weak cryptography in use (SSL version, cipher strength, manually specified ciphers, weak HMACs), insecure settings such as a clear command channel or clear data channel in use.

• 5.x – No checks

• 6.x – No checks

• 7.x – Presence of more than one full-control admin account

• 8.x – Password length or complexity not enforced, password reuse allowed, idle session timeout disabled or set too high, inactive accounts not disabled or removed after 90 days, failed logins not resulting in account lockout after six (or fewer) attempts, password reset not allowed, password reset not forced on initial login, anonymous accounts present, and passwords not expiring after 90 days or sooner.

• 9.x – Secure wiping of deleted data not enabled

• 10.x – ARM not enabled or no connectivity

• 11.x – No checks

• 12.x – No checks

Refer to How EFT Addresses PCI DSS Requirements for details of each requirement.
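To make the checks above concrete, here is a Python function that evaluates a Site configuration against them and produces the requirement, status, description and notes columns the report displays. This is an added example and not EFT code: the configuration keys and the two sample Sites are constructed; the thresholds (128-bit ciphers, a 15-minute idle timeout, six attempts, 90 days, administrator port 1100) are the ones this page states; and treating SSL 3.0 as weak follows RFC 7568 and PCI DSS v3.1 rather than the wording above, which still allows it.

```python
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str, str]   # (requirement, status, description, notes)

STRONG_TLS = {"TLS 1.0", "TLS 1.1", "TLS 1.2"}   # assumption: SSL 3.0 is never acceptable (RFC 7568)
DEFAULT_ADMIN_PORT = 1100                         # vendor default named on this page


def check_site(cfg: Dict, justifications: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Run each check and emit one report row per check. A check is FAILED when its
    condition holds; a justification recorded for that check is carried in the notes."""
    justifications = justifications or {}
    protocols = set(cfg.get("protocols", []))
    checks = [
        ("1.x", "DMZ Gateway disabled or no connectivity", not cfg.get("dmz_gateway_connected", False)),
        ("2.x", "Remote administration enabled but not over SSL", bool(cfg.get("remote_admin")) and not cfg.get("remote_admin_ssl")),
        ("2.x", "Vendor default administrator port in use", cfg.get("admin_port") == DEFAULT_ADMIN_PORT),
        ("2.x", "Insecure protocols enabled (FTP, HTTP)", bool(protocols & {"FTP", "HTTP"})),
        ("2.x", "Auto-ban/flood detection disabled", not cfg.get("flood_detection", False)),
        ("3.x", "No clean-up rule for data retention and disposal", not cfg.get("cleanup_rule", False)),
        ("4.x", "Weak SSL version allowed", not set(cfg.get("ssl_versions", [])) <= STRONG_TLS),
        ("4.x", "Cipher strength below 128 bits", cfg.get("min_cipher_bits", 0) < 128),
        ("7.x", "More than one full-control admin account", cfg.get("full_control_admins", 0) > 1),
        ("8.x", "Password length or complexity not enforced", not cfg.get("complex_passwords", False)),
        ("8.x", "Password reuse allowed", cfg.get("password_reuse", True)),
        ("8.x", "Idle session timeout disabled or above 15 minutes", not 0 < cfg.get("idle_timeout_min", 0) <= 15),
        ("8.x", "Inactive accounts not removed within 90 days", not 0 < cfg.get("inactive_days", 0) <= 90),
        ("8.x", "Lockout not triggered within six failed logins", not 0 < cfg.get("lockout_attempts", 0) <= 6),
        ("8.x", "Passwords not expiring within 90 days", not 0 < cfg.get("password_max_days", 0) <= 90),
        ("8.x", "Anonymous accounts present", cfg.get("anonymous_accounts", 0) > 0),
        ("9.x", "Secure wiping of deleted data not enabled", not cfg.get("secure_wipe", False)),
        ("10.x", "ARM not enabled or no connectivity", not cfg.get("arm_connected", False)),
    ]
    report = []
    for requirement, description, is_failed in checks:
        status = "FAILED" if is_failed else "PASSED"
        notes = justifications.get(description, "") if is_failed else ""
        report.append((requirement, status, description, notes))
    return report


def failures(report: List[Finding]) -> List[str]:
    return [description for _, status, description, _ in report if status == "FAILED"]


# Constructed sample Sites: one carrying the weak settings the report flags, one hardened.
WEAK_SITE = {
    "dmz_gateway_connected": False, "remote_admin": True, "remote_admin_ssl": False,
    "admin_port": 1100, "protocols": ["FTP", "FTPS", "HTTP", "HTTPS"], "flood_detection": True,
    "cleanup_rule": False, "ssl_versions": ["SSL 3.0", "TLS 1.0"], "min_cipher_bits": 56,
    "full_control_admins": 2, "complex_passwords": False, "password_reuse": True,
    "idle_timeout_min": 60, "inactive_days": 0, "lockout_attempts": 10, "password_max_days": 0,
    "anonymous_accounts": 1, "secure_wipe": False, "arm_connected": True,
}
HARDENED_SITE = {
    "dmz_gateway_connected": True, "remote_admin": True, "remote_admin_ssl": True,
    "admin_port": 11000, "protocols": ["FTPS", "HTTPS", "SFTP"], "flood_detection": True,
    "cleanup_rule": True, "ssl_versions": ["TLS 1.0", "TLS 1.1", "TLS 1.2"], "min_cipher_bits": 128,
    "full_control_admins": 1, "complex_passwords": True, "password_reuse": False,
    "idle_timeout_min": 15, "inactive_days": 90, "lockout_attempts": 6, "password_max_days": 90,
    "anonymous_accounts": 0, "secure_wipe": True, "arm_connected": True,
}

if __name__ == "__main__":
    reasons = {"DMZ Gateway disabled or no connectivity": "Site reachable only through an internal firewall"}
    for requirement, status, description, notes in check_site(WEAK_SITE, reasons):
        print(requirement, status, description, notes)
    print(failures(check_site(HARDENED_SITE)))   # []
```

A justification does not turn a FAILED row into a pass; it travels with the row, which is exactly how the report above treats compensating controls, so the assessor sees both the failing setting and the reason offered for it.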

Using the HSM with the Secure Ad Hoc Transfer (SAT) Module

Certain security features in the HSM (e.g., password expiration and forced reset) are not compatible with the Secure Ad Hoc Transfer (SAT) module. If you are using the HSM and the SAT module with EFT, do one of the following:

• Create a separate, non-high security-enabled Site that is used only for the Secure Ad Hoc Transfer module.

• Create a Site with strict security settings for PCI DSS, but disable the features that are not compatible (which would take the Site out of compliance with the PCI DSS) and document any compensating controls.

Password expiration and forced password reset on initial login are features that help your Site remain in compliance with the PCI DSS; however, those same features can cause problems with the SAT module.

If the administrator password expires or changes, the value stored in the SAT module's configuration file is no longer valid. Because the value stored in the configuration file is not plaintext, you cannot change it by typing the new password in the file.

The SAT module uses a temporary user account to upload files from the IIS computer to the temporary user's home directory on EFT. With a high security-enabled Site, a file cannot be uploaded using the temporary user account, because the password has not been reset on first logon, as required for PCI

DSS compliance.

The recommended configuration is to create a non-high security-enabled Site for exclusive use by the SAT module and disable the password expiration and forced reset options for the SAT administrator account. As always, if you have any questions or concerns regarding installing and configuring EFT for use with any of the modules, contact Globalscape Technical Support.

Activating the HSM

The HSM requires a separate license from EFT. A 30-day trial is available, and can start any time after the start of the EFT trial.

When the trial has expired, unless you activate the module, the HSM features are unavailable. (For a full list of features, refer to Features of the High Security Module.)

To activate the HSM

1. In the administration interface, click Help > Activate High Security Module. The Online Registration dialog box appears.

2. Refer to Activating the Software for details.


OpenPGP Module

EFT employs industry-standard OpenPGP (based on the open source implementation of Pretty Good Privacy) technology to safeguard data at rest. In contrast to symmetric encryption technologies that rely on a single password or shared secret for both encryption and decryption, OpenPGP uses a public/private key pair, with the private key protected by a passphrase. Although widespread, public-key encryption technologies such as OpenPGP are not universally employed throughout the industry, because of the complexities involved in key creation, management, and distribution, as well as the application of public-key infrastructure technologies.

Another drawback is that the entire file must be present for OpenPGP encryption to work, so there is a brief period during which the data is stored "in the clear," until the encryption process completes and the source (unprotected) file is deleted. The Site's data sanitization setting (see Data Sanitization, above) governs how deleted files are wiped; verify that it covers the source file EFT deletes after encryption, otherwise the plaintext may remain recoverable on disk.

EFT adheres to the OpenPGP standard and is RFC 2440 compliant. (RFC 2440 has since been obsoleted by RFC 4880, which defines the current OpenPGP message format.) OpenPGP is a standard and has no version. Refer to RFC 2440 for details.

How OpenPGP Encrypt/Decrypt Works

(The original guide illustrates the encryption and decryption flows with two diagrams, captioned Encryption and Decryption, which are not reproduced here.)

In EFT, the OpenPGP data encryption (or decryption) process is directed by Event Rules that specify how data files are treated in a particular context. OpenPGP uses a public key to encrypt data and the corresponding private key to decrypt it. These two components are considered a key pair and are associated with a particular Site. The key pair is stored on the OpenPGP Key Ring, which is the management tool for public keys and key pairs. The OpenPGP Key Ring contains all key information and allows import, export, creation, and deletion of keys.

New key pairs are created using the OpenPGP Key Generation wizard. The wizard prompts you for key parameters and for a passphrase. Once the new key pair is generated, you must decide whether it will be the default for the entire Site. A default key pair is selected automatically when you configure an Event Rule that uses OpenPGP encryption.

The example below shows how a trigger Event (On Upload) is used to initiate OpenPGP encryption.


In an Event Rule, when a selected event occurs (e.g., a file is uploaded to EFT), if the specified Condition exists (e.g., user is member of group A), then the selected actions occur (e.g., encrypt the file).

OpenPGP encryption is only available for certain Events:

On Upload - when a file is uploaded to a location.

On Rotate Log - when a log file is closed out and a new log initiated.

On Timer - an Event that occurs once or according to a schedule.

(The original guide illustrates this with a simplified diagram of the file transfer process, in which EFT uses OpenPGP to encrypt uploaded data and EFT's off-load capabilities move the file to another location.)

Creating Key Pairs for OpenPGP

You can create new key pairs for OpenPGP encryption using the OpenPGP Key Generation Wizard. The key pair is saved to the keyring files in the EFT installation directory (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise). The private keyring is protected only by the key passphrase and by the file-system permissions on that directory, so restrict access to it and include it in your configuration backups.

EFT can create the following types of keys for OpenPGP:

RSA: If you select RSA, the library generates, by default, the current RSA key format, which is compatible with newer OpenPGP clients and supports features previously available only to DSS/DH keys: a primary key for signing and a subkey for encrypting data. The encryption subkey can be revoked, or given a different expiration date, independently of its primary key, and a new encryption subkey can be added to the primary key at any time. These keys are not compatible with older PGP clients that predate RFC 2440, such as PGP 2.6.x.

RSA Legacy: The OpenPGP library also gives you the option to generate RSA Legacy keys that are compatible with older OpenPGP clients that implement RFC 1991 only, not RFC 2440. Legacy keys have no subkeys and use MD5-based fingerprints, so generate one only when a partner cannot use anything else.

For information about Diffie-Hellman key exchange, refer to http://en.wikipedia.org/wiki/Diffie-Hellman .

For information about RSA, refer to http://en.wikipedia.org/wiki/RSA .


To access the Key Ring Manager and use the OpenPGP Key Generation Wizard

If you have made any configuration changes, click Apply and/or Refresh before creating the key pair; otherwise, key creation will fail.

If you attempt remote management of keys, you may encounter unexpected behavior.

1. In the administration interface, connect to EFT and click the Server tab.

2. On the Server tab, click the Site you want to configure.

3. In the right pane, click the Security tab.

4. In the Data Security area at the bottom of the tab, next to OpenPGP security, click Configure. The OpenPGP Security dialog box appears.

5. Click Create. The OpenPGP Key Generation Wizard appears. (Or you can click Tools > Create OpenPGP Key.)

6. Read the instructions on the welcome page, and then click Next. The Parameters page appears.


7. In the Full name box, provide your name or another contact's name.

8. In the E-mail address box, provide an e-mail address.

9. In the Key cipher box, click the list to specify the preferred symmetric cipher for this key: IDEA, 3-DES (the default), CAST5, AES128, AES192, AES256, or TWOFISH. Prefer AES256 (or AES128/AES192) unless a partner requires otherwise; 3-DES, IDEA, and CAST5 are 64-bit-block ciphers retained for compatibility with older clients.

10. In the Key type box, click Diffie-Hellman/DSS, RSA, or RSA legacy.

11. Specify the Key length (1024, 2048, 3072, or 4096). Larger bit sizes increase security but increase encryption time. Do not generate new 1024-bit keys: 2048 bits is the generally accepted minimum for RSA and DSA, and 3072 or 4096 is preferable for keys that will remain in use for years.

12. Specify the Key expiration date, or never. An expiration date limits the exposure if the private key is ever compromised without being noticed.

13. Click Next. The passphrase page appears.


14. Type your passphrase in the Passphrase and Confirmation boxes. The passphrase is case sensitive and must contain a minimum of 8 characters. For better security, the passphrase should contain a mix of alphanumeric (both upper and lower case) and non-alphanumeric characters.

Select the Hide typing check box to display asterisks instead of the passphrase.

15. Click Next. The Site page appears.


16. Clear the Use this key pair as default key pair for this Site check box if the key is for a client or you do not want this key pair to be the default for the Site. Otherwise, select the check box and click the list to specify the Site, if different from the one displayed in the box.

17. Click Finish to generate the key pair. A message appears informing you that it might take several minutes to generate the key pair.

18. Click OK to close the notification dialog box. A message appears indicating successful generation of the key and addition to EFT key ring.

19. Click OK to close the notification dialog box. If you selected the Use this key pair check box, the new key pair appears in the OpenPGP Security dialog box.

20. If you want to enable debug logging for this key, select the check box and specify a logging level and the log file path.

21. Click OK to save your changes and close the OpenPGP Security dialog box.

22. Click Apply to save the changes on EFT.

The OpenPGP Keyring Manager

Use the OpenPGP Keyring manager to create, delete, import, and export OpenPGP key pairs. You can also view or change key pair path settings.

To open the OpenPGP Keyring manager

1. In the administration interface, connect to EFT.

2. Do one of the following:

• On the toolbar, click the Open OpenPGP Keyring icon.

• On the main menu, click Tools > Manage OpenPGP Keys.

• On the Server tab, click the Site you want to configure, then in the right pane, click the Security tab. In the Data Security area, next to OpenPGP Security, click Configure. The OpenPGP Security dialog box appears. Click Manage.

The OpenPGP Keyring manager appears.


For each key, the OpenPGP Keyring manager displays its name, the date it was created, the expiration date, the size, a hexadecimal key ID, and a description. Before using an imported partner key in an Event Rule, compare its key ID (or, better, its full fingerprint) with the value the partner gave you through a separate channel.

3. For instructions for each of the features of the OpenPGP Keyring manager, refer to the following topics:

Import and Export: Importing and Exporting Key Pairs for OpenPGP

New: Creating Key Pairs for OpenPGP

Remove: Deleting Key Pairs for OpenPGP

Settings: Viewing and Changing Key Pair Path Settings

4. Click Close to close the dialog box.

Deleting Key Pairs for OpenPGP

To delete a key pair

1. Open the OpenPGP Keyring dialog box.

2. Select the key pair that you want to delete, then click Remove. A confirmation message appears.

3. Click Yes.

4. Click Close to exit.

Importing and Exporting Key Pairs

The OpenPGP Keyring manager can be used to view, import, and export keys. You can also sort the keyring by clicking the column headers.

To import a key

1. Open the OpenPGP Keyring dialog box.

2. Click Import to begin the key import process. (You can only import one key at a time.)

3. Click the file containing the key to be imported (*.asc), then click Open. The Import OpenPGP Key dialog box closes, the imported key is added to the Key Ring list and highlighted, and a message box appears with the key details.

4. Click OK to dismiss the message box.


To export a key

1. Open the OpenPGP Keyring dialog box.

2. Select the key to be exported, and then click Export. The Save As dialog box appears.

3. Click the folder in which you want to save the new key file. Select the check box only if you need the private key in the export (for example, for a backup or a migration to another EFT). Do not select it when exporting a key to give to a client or partner: they need only your public key, and the private key must never be shared. An exported private key is protected only by its passphrase, so store the file with the same care as the keyring itself.

4. Click Save to export the file.
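The Keyring manager shows a key's hexadecimal ID, and a .asc file received from a partner should be checked before it is imported and used in an Event Rule. The following Python script is an added example, not part of this guide and not EFT or Globalscape code: it decodes the ASCII armor of a public key block, verifies the armor's CRC-24 trailer, walks the OpenPGP packets (RFC 4880) and computes each v4 key's SHA-1 fingerprint and 64-bit key ID, so that you can compare them with the values the partner read to you through a separate channel. The embedded sample key is constructed (a synthetic 2048-bit modulus and a made-up User ID, not a real key); the parser handles v4 keys with old- and new-format headers and deliberately rejects partial-body and indeterminate lengths rather than guessing.

```python
"""Inspect an OpenPGP public key block (.asc) before importing it into a keyring.
Added example, not Globalscape code or the EFT API: verifies the armor CRC-24, walks the
packets (RFC 4880) and derives each v4 key's fingerprint and key ID. The embedded sample
key is constructed from a synthetic modulus and is not a real key."""
import base64, hashlib, re, struct, time

PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 16: "Elgamal", 17: "DSA"}

def crc24(data: bytes) -> int:
    """CRC-24 of the armor trailer (RFC 4880 6.1); catches truncation and corruption."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap binary packets in ASCII armor the way a .asc export does."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = [f"-----BEGIN PGP {kind}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + ["=" + crc, f"-----END PGP {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Decode a .asc block; refuse it if the CRC-24 trailer does not match."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no PGP armor block found")
    lines = [ln.strip() for ln in m.group(2).splitlines()]
    if "" in lines:                        # armor headers (Version:, Comment:) end at a blank line
        lines = lines[lines.index("") + 1:]
    crc_line = next((ln[1:] for ln in lines if ln.startswith("=")), None)
    data = base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("=")))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: key block is corrupted or was tampered with")
    return data

def read_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:
                raise ValueError("5-octet and partial body lengths are not supported here")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packets are not supported here")
            size = 1 << ltype                            # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length

def parse_public_key(body: bytes) -> dict:
    """Fields of a v4 public-key packet plus its fingerprint and key ID (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError(f"only v4 keys are handled here (got v{body[0]})")
    created, algo = struct.unpack(">IB", body[1:6])
    bits = struct.unpack(">H", body[6:8])[0]            # first MPI: RSA n, DSA p or Elgamal p
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"algorithm": PK_ALGOS.get(algo, f"algo {algo}"), "bits": bits,
            "created": time.strftime("%Y-%m-%d", time.gmtime(created)),
            "fingerprint": fpr, "key_id": fpr[-16:]}

def inspect_key_block(armored: str) -> list:
    """One record per primary key and subkey, with the User ID that follows it."""
    keys = []
    for tag, body in read_packets(dearmor(armored)):
        if tag in (6, 14):                               # public key / public subkey
            keys.append(dict(parse_public_key(body), subkey=(tag == 14)))
        elif tag == 13 and keys:                         # User ID packet
            keys[-1].setdefault("user_id", body.decode("utf-8", "replace"))
    return keys

def make_sample_key(n: int, e: int, created: int, uid: str) -> str:
    """Constructed v4 RSA key + User ID with old-format headers, armored like a .asc export."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    key_body = b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)
    key_pkt = b"\x99" + struct.pack(">H", len(key_body)) + key_body    # tag 6, 2-octet length
    uid_pkt = b"\xb4" + bytes([len(uid.encode())]) + uid.encode()      # tag 13, 1-octet length
    return armor(key_pkt + uid_pkt)

# Synthetic modulus (1 << 2047) | 1, e = 65537, created 2015-12-21 UTC; not a real key.
SAMPLE_KEY = make_sample_key((1 << 2047) | 1, 65537, 1450656000, "Example Partner <partner@example.com>")
```

To check a real export, read the .asc file into a string and pass it to inspect_key_block(); each record's key_id should match the hexadecimal ID shown in the Keyring manager, and the 40-character fingerprint is what the partner should confirm out of band. A CRC-24 mismatch means the file was altered or truncated in transit and should be requested again rather than imported.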

Viewing and Changing Key Pair Path Settings

The default key pair path settings can be viewed and edited in the OpenPGP Settings dialog box.

To view the OpenPGP Settings

1. Do one of the following:

• On the main menu, click Tools > OpenPGP Keyring Settings.

• Open the OpenPGP Keyring dialog box, click the key you want to view, and then click Settings.

The Public and Private keyring file paths appear in the OpenPGP Settings dialog box.


2. To change keyring file path settings, in the OpenPGP Settings dialog box, click the folder icon. The Choose Public Keyring File dialog box appears.

3. Click the key ring file to be changed, and then click Open. When key paths are changed, the key list is automatically refreshed.

4. Click OK to close the OpenPGP Settings dialog box, and then click Close on the OpenPGP Keyring dialog box.

OpenPGP in Event Rules

Refer to OpenPGP Event Rule Action for details.


API Reference

You can interact directly with EFT from your own custom applications using any COM-enabled programming language such as Visual Basic (VB), Java, or C++. You can create a script with the development IDE of your choice. To create a new script file, you must be familiar with programming concepts and should have experience with COM-enabled programming languages.

Advanced Workflows

(Available in EFT Enterprise) With EFT's Event Rules, you can configure EFT to perform an Action automatically when a specific Event occurs. You can use Automated Workflows to design scripts, batch files, macros, or any other code-intensive process using an easy drag-and-drop interface, and add the Workflow to Event Rules. AWE Workflow Task names can appear in reports and logs.

DMZ Gateway Module (DMZ), v3

The DMZ Gateway® module version 3 is designed to reside in the demilitarized zone and provide secure communication with EFT behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ.

Mail Express Module

Mail Express allows you to send large email file attachments to recipients inside or outside of your organization quickly, reliably, and securely, while reducing the load on your mail server. Mail Express also allows your recipients to send large email file attachments to you through a Web portal. You can send files using a Microsoft Outlook Add-In, a Web portal, or both, using secure authentication and auditing capabilities. The Mail Express system will offload file attachments to an independent server and can notify recipients that the files are available for pickup.

Mail Express integration with EFT only works with the 32-bit version of Mail Express. If you have the 64-bit installer, the EFT integration options will not be available, because the COM calls required for integration will not work. The EFT installer provides the 32-bit Mail Express installer.


Index

3

3DES 168 ....................................................... 329

A

ABOR ............................................................. 313

About ................................................................ 34

Access .................................................... 241, 376

Account ................................. 116, 119, 140, 399

Account Configuration ................................ 281

Account Details ........................................... 287

Account Enabled ........................................ 486

Account Expiration Date ............................. 486

Account Locked Out ................................... 505

Account Management URL ........................ 486

Account Policy ............................................ 140

Account Security .. 98, 112, 116, 119, 140, 399

ACCOUNT_MANAGEMENT_URL ............. 486

ACCT .......................................................... 313

disable account ........................................... 116

lock out account .......................................... 116

Options ....................................................... 385

Settings .......................................137, 138, 140

Account Security Settings Dialog Box ............ 140

Action .................................... 537, 543, 576, 695

Adding ............................................. 465, 543

list ............................................................... 543

Parameters ................................................. 739

Result Code ................................................ 739

Types .......................................................... 739

Activating ..................... 37, 73, 75, 615, 657, 720

ARM ...................................................... 73, 720

AS2 Module .......................................... 73, 657

AWE Module ................................................. 73

DMZ Gateway ......................................... 73, 75

EFT ......................................................... 37, 73

High Security Module ........................... 73, 803

HTTP ............................................................ 73

OpenPGP Module ........................................ 73

SFTP Module ................................................ 73

Software........................................................ 73

Web Transfer Client .............................. 73, 615

Activating the Software .................................... 73

Active Directory ............. 129, 289, 394, 608, 620

Active Directory-Based Administration ........... 129

Activity ............................................................ 270

AD ......... 129, 223, 226, 289, 291, 394, 608, 620

AD Authentication ............................... 223, 225

AD Authentication site ................................ 291

AD Group .................................................... 225

AD password ...................................... 394, 620

Change Password Feature ................. 394, 620

AD Password Expiration ................................ 394

Add New EFT ................................................. 171

Adding a User or Group to VFS Permissions 409

Adding an Action to an Event Rule ................ 543

Adding Editing and Deleting Fields in the Report ........ 762

Adding EFT Administrators ............................ 130

Adding or Removing Users to or from a Group ........ 408

AdHocRunCommand ..................................... 598

Admin ............................................. 123, 137, 139

Admin Account Names ....... 126, 130, 134, 739

administering ...................... 120, 126, 165, 183

Administration ...... 30, 97, 120, 123, 126, 130, 134, 137, 141, 183

Administration Interface ...... 87, 120, 121, 123, 130, 141, 181

Administration Tab ....................................... 97

Administrator Access ................................. 130

Administrator Account ........ 130, 132, 136, 137

adding ..................................................... 130

creating ................................................... 130

Expiring ................................................... 137

lockout .................................................... 137

Administrator Account Security .................. 137

Administrator Account's Access Rights ...... 135

Administrator Actions Log .................. 165, 739

Administrator Changes ............................... 739

Administrator Permission Matrix ................ 126

delegated administration ............................ 130

Server Tab .................................................... 93

Administering the EFT Service ...................... 183

Administration Interface ................................... 87

Administration Interface Session Timeout ..... 120

Administration Tab of EFT ............................... 97

Administrator Account Permissions ............... 126

Administrator Account's Access Rights ......... 135

advanced LDAP filtering ................................ 231

Advanced LDAP Filtering ............................... 231

Advanced Workflow ............................... 537, 813

Advanced Workflow Actions .......................... 545

Advanced Workflow Engine ........................... 813

AES ................................................................ 329

AES 128 ......................................................... 329

AES 256 ......................................................... 329

AES128 .......................................................... 806

AES128-SHA ......................................... 329, 600

AES192 .......................................................... 806

AES256 .......................................................... 806

AES256-SHA ......................................... 329, 600

All Incoming ........................................... 141, 264

ALLO .............................................................. 313

Allow Web Transfer Client ............. 303, 360, 613

ALLOW_FTP .................................................. 486


ALLOW_SFTP ............................................... 486

ALLOW_SSL .................................................. 486

Allowed MACs ................................................ 349

Allowing .................................................. 308, 310

Allowing the EFT Service Administrative Rights ........ 79

MODE Z ...................................................... 312

Multipart Transfers ...................................... 308

NOOP ......................................................... 308

XCRC Command ........................................ 310

Allowing AS2 Connections ............................. 695

Allowing AS2 Connections to a Site ............... 694

Allowing Multipart Transfers (COMB Command) ........ 308

Allowing or Disallowing the NOOP Command ........ 308

Allowing or Enforcing Password Reset at the User Level ........ 385

Allowing or Forcing Password Reset at the Site Level ........ 385

Allowing Site-to-Site Transfers (Site) ............. 307

Allowing the Mode Z Command for a Settings Template ........ 312

AML ................................................................ 499

Anonymous User Accounts ............................ 286

Anonymous Users .......................................... 286

ANONYMOUS_EMAIL ................................... 244

APP_DAT_PATH ........................................... 189

APPDATA......................................................... 85

APPE .............................................................. 313

Application Data ......................................... 73, 85

Applying a Rule to a Specific User or Group . 508

ARM ..... 711, 712, 719, 720, 725, 739, 741, 743, 745, 749, 752, 769

ARM Database . 193, 719, 720, 725, 726, 737, 739, 741, 745, 765

ARM requirements ........................................ 30

ARM Schema ............................................. 726

ARM tables ......................................... 726, 736

ARM Upgrade Checklist ............................. 720

installing ...................................................... 712

report designer ........................................... 752

ARM Schema ................................................. 736

Armored.................................................. 574, 812

AS2 ........ 568, 655, 657, 660, 687, 695, 701, 708

AS2 Account Information ............................ 693

AS2 Config ......................................... 660, 694

AS2 Configuration ......................657, 706, 708

AS2 Configuration Errors ............................ 708

AS2 Connections ........................694, 695, 706

AS2 Content Type ...................................... 486

AS2 Direction .............................................. 486

AS2 EFT ID ................................................ 486

AS2 Error Warnings .................................... 708

AS2 Events .................................486, 511, 695

AS2 file .......................................486, 655, 695


AS2 From ................................................... 657

AS2 FROM ID ............................................ 657

AS2 Host .................................................... 486

AS2 ID ........................ 657, 664, 675, 693, 706

AS2 Identifier ...................................... 660, 664

AS2 Inbound ....... 664, 675, 684, 692, 695, 705

AS2 Inbound Listener Service .................... 660

AS2 Inbound Parameters ........................... 684

AS2 Inbound Partners Using ...................... 675

AS2 Inbound Settings ........................ 675, 692

AS2 Inbound Settings dialog ...................... 706

AS2 Local MIC ........................................... 486

AS2 MDN ........................................... 486, 708

AS2 Message ID ........................ 486, 664, 687

AS2 Messages ........................................... 655

AS2 MIME .................................................. 655

AS2 Module ................................ 655, 657, 660

AS2 Multiple Attachments .......................... 655

AS2 Optional Profile Supported ................. 655

AS2 Outbound .... 568, 664, 691, 695, 705, 708

AS2 Outbound Connection ........................ 705

AS2 Outbound Proxy ................................. 691

AS2 Outbound Settings .............. 664, 687, 691

AS2 Outbound Transactions ...................... 691

AS2 Partner Access .. 568, 664, 675, 687, 695, 705

AS2 Partner ID ........................................... 486

AS2 Partner Inbound Wizard ..................... 675

AS2 Partner Outbound Wizard ................... 664

AS2 Partner Profiles ................................... 664

AS2 Partner via Event Rules .............. 568, 695

AS2 Partners ...................... 568, 664, 692, 695

AS2 Payload ............................................... 486

AS2 Properties ........................................... 486

AS2 protocol ....................................... 655, 660

AS2 Receiver ............................................. 660

AS2 Remote MIC ....................................... 486

AS2 requirements......................................... 30

AS2 Send File ... 568, 664, 675, 691, 695, 705, 708

AS2 Send File Action ................................. 706

AS2 Send File dialog .................................. 708

AS2 Sender ................................................ 691

AS2 Server Configuration .......................... 660

AS2 Setup .................................................. 660

AS2 Setup Wizard ...................................... 660

AS2 Status Viewer ..................................... 702

AS2 Test Connection ......................... 664, 705

AS2 Transaction Auditing ........................... 700

AS2 Transaction Error ................................ 486

AS2 Transaction Result ............................. 486

AS2 Transaction Success .......................... 705

AS2 Transaction Verbose .......................... 486

AS2 Transactions ............... 657, 700, 701, 706

AS2 Transfer Errors ................................... 708

AS2 Variables ............................................. 477

AS2-From ...................................657, 664, 675

AS2-From and AS2 ............................ 664, 675

AS2-From ID ............................................... 657

AS2ID ......................................................... 657

As2ID invalid ............................................... 657

as2page.css ............................................... 693

AS2-Related Context Variables .................. 477

AS2TempFolderPath .................................. 694

AS2-To................................................ 664, 675

Introduction ................................................. 655

Troubleshooting .......................................... 706

AS2 Account Information Page ...................... 693

AS2 Account Management Web Page .......... 693

AS2 Authentication ......................................... 657

AS2 Certificates ............................................. 663

AS2 Configuration Wizard .............................. 675

AS2 Error Warnings and Prompts .................. 708

AS2 Events Conditions Actions and Variables ........ 695

AS2 Events_ Conditions_ Actions_ and Variables ........ 486

AS2 Information in the Database ................... 700

AS2 Module .................................................... 655

AS2 Outbound ................................................ 687

AS2 Outbound (Sender) Mode ...................... 691

AS2 Send File Dialog Box ...................... 568, 695

AS2 Transaction Auditing and Monitoring ...... 700

AS2 Transaction Reports ............................... 701

AS2 Transaction Success and Failure Notifications ........ 705

AS2 Transactions Node ................................. 702

ASA Carriage Control ..................................... 313

ASCII ............................. 200, 306, 313, 574, 812

ASCII ONLY ............................................... 200

ASCII-Armored ................................... 574, 812

ASP.NET .......................................................... 83

aspnet_regiis.exe ............................................. 83

Assign PASV .......................................... 102, 307

Assigning a Certificate ................................... 328

Attack ............................................................. 380

AUD ................................................................ 233

Audit Database Settings .................193, 212, 737

Auditing ...... 193, 509, 701, 711, 712, 719, 720, 737, 738, 739, 745, 769

Activating .................................................... 720

Administrator Changes ............................... 739

Advanced Workflow Engine........................ 739

Audit failure ................................................. 189

Configuring ................................................. 712

Auditing Administrator Changes to the ARM Database ........ 739

Auditing and Reporting Module ...................... 711

Auditing and Reporting Module Interface ....... 711

Auditing and Reporting Result Codes ............ 743

Auditing AWE Actions .................................... 739

Auditing Database Errors and Logging .......... 745


Auditing Database Recovery ......................... 738

AUTH ............................................................. 313

AUTH SSL ..................................................... 320

Authentication ........ 141, 241, 247, 345, 608, 657

AS2 ............................................................. 657

authenticate ................................ 225, 251, 345

Authenticated Site .............................. 237, 243

Authenticated Users ................................... 291

Authentication key list ................................ 345

Authentication Options ............................... 243

Authentication Provider Options ......... 219, 241

authentication requests .............................. 380

ODBC ......................................................... 241

RADIUS ...................................................... 247

Autoban List ........................................... 163, 376

Automated Workflows .................................... 813

Automatic Refresh ......................................... 266

Automatically Creating a Home Folder for New Users (Site) ........ 399

Automatically Updating the User Authentication Database ........ 218

Automating the Compliance Report ............... 802

Available Actions.................................... 465, 537

Available Variables ........................................ 486

Average Download Speed ............................. 269

Average Upload Speed .................................. 269

AWE ....................................... 499, 502, 739, 813

AWE Actions .................................................. 739

AWE Workflow ....................................... 499, 813

B

Backing Up AWE Workflows .......................... 502

Backing Up or Restoring Server Configuration ........ 173

Backup ........................................... 141, 567, 572

Backup Server Configuration ................. 173, 572

Backup Server Configuration Action ...... 567, 572

Backup Server Configuration Event Rule ...... 572

Bad Request .................................................. 708

Ban ......................................................... 376, 380

Ban IP ................................................. 380, 389

Ban IPs ....................................................... 380

Ban List ...................................... 379, 380, 497

Banned file ................................................. 400

Banned File Types ..................................... 400

Banner ........................................................... 312

Banner message ........................................ 189

connection .................................................. 312

FTP ............................................................. 312

Banning an IP Address that Uses an Invalid Account ........ 389

Banning Unwanted File Types ....................... 400

Base File Name ............................................. 486

BASE_FILE_NAME ....................................... 486

Base64 Encoded X509 .................................. 333

BaseDN .......................................................... 233


Before Download ............................................ 486

Best Practices for Configuration and Validation ........ 45

blocking .......................................................... 380

Browse VFS dialog ......................................... 289

Bytes Transferred ........................................... 270

C

CAC ........................................................ 237, 238

CAC Authentication .................................... 238

CAMELLIA128-SHA ....................................... 600

CAMELLIA256-SHA ............................... 329, 600

CAN_CHANGE_PASSWORD ....................... 486

Canceling a Transfer ...................................... 635

Cardholder Information Security Program ..... 780

CAST5 ............................................................ 806

CCC ................................................................ 313

CDUP ............................................................. 313

cer .................................................................. 324

certificate ........................................................ 328

Certificate ...... 321, 324, 330, 333, 334, 339, 663

AS2 ............................................................. 663

Certificate Creation Wizard......................... 324

Certificate Format ....................................... 324

Certificate Manager ....................332, 333, 334

Certificate Manager Export ......................... 323

Certificate Manager Import ......................... 323

Certificate Signing Request 317, 324, 330, 333

Certificate Signing Request file .................. 330

Certificate Signing Utility ............................. 330

Exporting..................................................... 334

Certificate Chaining ........................................ 332

Change ........................................................... 486

Change Administrator Password Account .. 134

Change Password ......................391, 394, 620

Change Password Admin ........................... 130

Change Password dialog............................ 385

Change User Account Password ............... 391

Change User Password .............................. 392

ChangePassByAD ........................................ 81

Changing Key Pair Path Settings ............... 811

Changing Your Password ........................... 643

Changing a Site's IP Address or Port............. 264

Changing a Site's Root Folder ....................... 263

Changing a User's Password ......................... 391

Changing an AD Password via the Web Transfer Client ................................................... 394, 620

Changing an Administrator Password or Access Rights .......................................................... 134

Changing and Testing LDAP Authentication Options ....................................................... 234

Changing Condition Placement ..................... 513

Changing EFT Listening IP Address and Port .................................................................... 161

Changing Field Section and Report Properties .................................................................... 761


Changing ODBC Authentication Options ....... 243

Changing the Data Source ............................ 765

Changing the Number of Concurrent Threads Used by Event Rules .................................. 598

Changing the User Database Refresh Rate for a Site ............................................................. 266

Changing Windows NT Authentication Options .................................................................... 221

Choose Public Keyring File ............................ 811

Cipher List .............................................. 329, 600

ciphers ................................................... 329, 600

SSL ............................................................. 329

CISP ............................................................... 780

CL log ..................................................... 207, 591

Cleanup .......................................... 173, 567, 572

Cleanup Action ....................................... 567, 572

Clean-Up Action ............................................. 567

Cleanup Rule ......................................... 173, 567

Clear Command Channel .............................. 212

Clearing the Transfers pane .......................... 635

Client access .......................................... 360, 613

client log ................................................. 207, 591

Client Log ............................................... 207, 591

Closing the Administrator ............................... 121

cmd ................................................................ 180

cn ................................................................... 233

COM ............................................................... 813

COMB .................................................... 308, 313

Command Line Login ..................................... 180

Commands .... 313, 439, 443, 445, 447, 448, 498, 502, 543

COMB Command ....................................... 308

Command Configuration ............................ 502

command line login .................................... 180

Command Parameters ............... 448, 498, 543

Command Settings ..................................... 443

Commands List .......................................... 447

configure ..................................................... 445

create ......................................... 448, 498, 543

Creating .............................................. 439, 445

define .......................................................... 445

Editing ........................................................ 443

example ...................................................... 445

Execute ...................... 439, 448, 498, 502, 543

Executing .................................................... 445

existing ....................................................... 439

parameters ................................................. 443

COMMENT .................................................... 486

Common Access Card ........................... 237, 238

Common Access Card Authentication 237, 238

Common Name ...................................... 226, 233

complex passwords ............................... 132, 386

Compliance Report ........................................ 801

Component One............................................. 752

Compound Conditional Statement ................. 516

Compress/Decompress Action ...................... 582

Compression .................................................. 312

Compute CRC32 ............................................ 313

Concurrent Threads Used .............................. 598

Condition Evaluation ...................................... 514

Conditions .... 465, 511, 512, 514, 516, 517, 568, 695

adding ................................................. 465, 511

Placement ........................................... 512, 513

Configuration Checklist .............................. 30, 45

configure. 37, 102, 121, 123, 141, 194, 233, 238, 250, 287, 303, 305, 312, 329, 336, 344, 345, 354, 365, 405, 439, 443, 445, 574, 613, 660, 664, 675, 691, 708, 712, 719, 812

ARM Database .................. 712, 719, 720, 725

AS2 .................................... 660, 664, 675, 708

AS2 Module ................................................ 660

AS2 Outbound Partners Using ................... 664

AS2 Outbound Proxy .................................. 691

AS2 Partners .............................................. 664

Auditing ....................................................... 712

Command ........................................... 443, 445

Common Access Card ................................ 238

Configuring MTC Security .......................... 647

decryption ........................................... 574, 812

EFT ....................................................... 37, 141

encryption ........................................... 574, 812

Exit Prompts ............................................... 121

First EFT Connection .................................. 141

FTP ............................................................. 305

FTP Connection Banner ............................. 312

FTP Custom Command Specific ................ 439

Groups ........................................................ 405

HTTP .......................................................... 354

LDAP Site ................................................... 233

Perimeter Network Security ........................ 102

RSA SecurID .............................................. 250

Server ......................................................... 141

Server Administrators ................................. 123

SFTP ........................................................... 344

SFTP Authentication Options ..................... 345

Site .............................................................. 141

SMTP .......................................................... 194

SMTP Server Settings ................................ 194

SSL .................................... 303, 329, 336, 365

User Account Details .................................. 287

Configuring an AS2 Outbound Proxy ............. 691

Configuring AS2 Inbound Parameters ........... 684

Configuring AS2 Outbound Parameters ........ 687

Configuring AS2 Outbound Partners Using the Wizard ......................................................... 664

Configuring AS2 Partners .............................. 664

Configuring Authentication Options ............... 243

Configuring EFT ............................................. 141

Configuring Groups ........................................ 405

Configuring HTTP or HTTPS Transfers on the Site .............................................................. 354


Configuring HTTPS Transfers on the Site ..... 354

Configuring ODBC Authentication Options .... 243

Configuring Perimeter Network Security (DMZ) .................................................................... 102

Configuring RSA SecurID or RADIUS Support on an Existing Site...................................... 250

Configuring Server Administrators ................. 123

Configuring SFTP for a Settings Template or User Account .............................................. 345

Configuring SFTP for a Site ........................... 344

Configuring SMTP Server Settings ................ 194

Configuring SSL for a Settings Template or User Account ...................................................... 336

Configuring the AS2 Module .......................... 660

Configuring the SMTP E-Mail Notification ..... 194

Configuring the Web Transfer Client ............. 613

Configuring User Account Details .................. 287

Configuring User Disk Quotas ....................... 293

Connecting to an LDAP Server ...................... 233

Connection .... 111, 115, 118, 184, 233, 303, 312, 372, 373, 374, 380, 486, 694, 695

banner ................................................ 312, 695

blocking ...................................................... 380

Conditions .................................................. 517

connection string ........................................ 769

Connections Tab ........................ 111, 115, 118

Events ........................................................ 486

limits ........................... 371, 372, 373, 374, 375

Properties ................................................... 486

Type ........................................................... 269

Variables .................................................... 477

Connection Banner Message ........................ 312

Connection Problems .................................... 184

Connections Tab (User Node) ....................... 118

Connections Tab of a Site ............................. 111

Connections Tab of the Settings Template ... 115

Content Integrity Control Action ..................... 579

Content Integrity Control Tab of a Server .. 103

CONTENT_TYPE .......................................... 486

Continue Trial button ....................................... 73

Controlling ...................................................... 163

IP Access ........................................... 163, 376

Controlling Access to the Site by IP Address 376

Controlling IP Access for Remote Administration .................................................................... 163

Convert Keys ................................................. 339

Coordinated Universal Time .......................... 195

Copy ....................................................... 486, 548

Copy Action ................................ 486, 503, 543

Copy Files .......................... 502, 503, 504, 548

Copy/Move ......................... 187, 503, 504, 548

Copy or Move File to Host Action .................. 548

Copy/Move File to Host on SOCKS Proxy Server ......................................................... 505

Copying Folder Structure When Offloading Files .................................................................... 504


Copying or Moving a File Triggered on Folder Monitor Event and Renamed ...................... 503

Copying Server Configuration to Several Computers .................................................. 187

CR .................................................................. 313

CRC ........................................................ 486, 621

CRC failed ...................................................... 621

Create ..... 79, 141, 172, 244, 277, 281, 324, 347, 407, 414, 415, 445, 448, 498, 499, 543, 759, 761, 769, 787, 806

Command .......................... 445, 448, 498, 543

Create Administrator Account .................... 130

Create Certificate ........................................ 321

Create EFT Database Tables ............. 719, 736

Create Folder .............................................. 414

Create New Event Rule .............................. 465

Create New Group .............................. 172, 407

Create New Report ............................. 752, 769

Create New Settings Template .................. 277

Create New User ........................................ 281

Create Private Certificate ........................... 323

Create Public Certificate ............................. 323

Create SSH2 Key ....................................... 347

Create SSH2 Public .................................... 347

Create SSL Certificate ........................ 321, 324

Creating Folders ......................................... 638

Creation Date ............................................. 486

Creation Time ............................................. 486

Custom Report ........................................... 769

Event Rule .................................................. 543

Groups ........................................................ 172

Key Pairs .................................................... 806

New Physical Folder ................................... 414

New Virtual Folder ...................................... 415

PCI DSS Site .............................................. 787

Permission Groups ..................................... 407

Report ......................................................... 759

Reports ....................................................... 761

Servers ....................................................... 141

SSH Key Pair .............................................. 347

SSL Certificates .......................................... 324

Tables ......................................................... 244

User Account .............................................. 281

Windows User Account ................................ 79

Creating a Command ..................................... 443

Creating a Custom Report ............................. 769

Creating a New Physical Folder ..................... 414

Creating a New Virtual Folder ........................ 415

Creating a PCI DSS-Enabled Site ................. 787

Creating a Report in Design Mode ................. 759

Creating a Report with the Report Wizard ..... 755

Creating an E-Mail Notification Template ...... 547

Creating an SSH Key Pair .............................. 347

Creating Certificates ....................................... 324

Creating Event Rules ..................................... 465

Creating Key Pairs for OpenPGP .................. 806


Creating Permission Groups .......................... 407

Creating Renaming and Deleting Server Groups .................................................................... 172

Creating Settings Templates ......................... 277

Creating SFTP Algorithms ............................. 349

Creating SSL Certificates .............................. 324

Creating Tables for your ODBC Data Source 244

Creating Users ............................................... 281

Creating Workflows for use in Event Rules ... 499

csr .................................. 317, 324, 330, 332, 333

csr file ..................................................... 317, 332

Custom Branding of the Mobile Transfer Client Profile ......................................................... 650

Custom Command dialog .............................. 443

Custom Command Wizard ......................... 439

Custom Commands... 439, 443, 445, 447, 448, 498, 543

Custom Command Example .......................... 445

Custom Reports ..................................... 711, 752

Customizable HTTP Error Messages ............ 357

Customizing ........................................... 615, 693

CWD .............................................................. 313

CWD remote .................................................. 313

D

Daily PCI DSS Audit Report .......................... 787

Data Link Properties .............................. 765, 769

Data Sanitation .............................................. 402

Data Security ................... 45, 400, 402, 806, 809

Data Security Settings ................................... 400

Data Security Standard .................................. 780

Data Source Name ........................................ 239

Data Sources ................................. 239, 244, 765

Data Transferred ............................................ 270

Data Type ...................................................... 244

DATABASE .... 193, 241, 266, 719, 720, 737, 741

refresh ........................................................ 266

Database Audit Settings ........................ 193, 737

Database Errors ............................................. 745

Database Name ..................... 193, 712, 736, 737

Database Recovery ....................................... 738

database requirements .............................. 42, 45

Database Utility .............................. 714, 719, 720

DATESTAMP ................................................. 486

DAV Header ................................................... 357

Db_owner ............................................... 719, 720

dbo ................................................................. 719

DBUtility ................................................. 714, 720

DBUtility.exe .................................. 714, 719, 720

DD .................................................................. 313

debug logging .................................................. 86

Decrypt ................................................... 574, 812

Decrypt+Verify ....................................... 574, 812

Decrypting Archive ................................. 574, 812

Decryption Action ................................... 574, 812

Default Paths ................................................. 191

Default Server Group ..................................... 172

Default Time Stamp ....................................... 195

define ..... 347, 445, 465, 511, 568, 660, 695, 752

AS2 ............................................................. 660

AS2 Send File ..................................... 568, 695

Command ................................................... 445

Condition..................................................... 511

Custom Reports .......................................... 752

SSH key ...................................................... 347

Defining Event Rules ...................................... 465

DELE .............................................................. 313

Delegated Administration ............................... 123

Deleting 172, 186, 277, 286, 407, 415, 416, 447, 465, 468, 486, 776, 810

Commands ................................................. 447

Delete Folder .............................................. 415

Delete Report ............................................. 776

Deleting Client Keys ................................... 350

Deleting Commands ................................... 447

Deleting Settings Templates ...................... 277

Event Rule .................................................. 468

Groups ........................................................ 407

Key Pairs .................................................... 810

Physical Folder ........................................... 415

Report ......................................................... 776

Rule ............................................................ 465

Server ......................................................... 186

Server Group .............................................. 172

User Account .............................................. 286

User Settings Template .............................. 277

Virtual Folder .............................................. 416

Deleting a Physical Folder ............................. 415

Deleting a Report ........................................... 776

Deleting a Site ................................................ 274

Deleting a User Account ................................ 286

Deleting a Virtual Folder ................................. 416

Deleting Groups ............................................. 407

Deleting Key Pairs for OpenPGP ................... 810

Denial ..................................................... 379, 380

DER ........................................................ 323, 333

DER Encoded ................................................ 333

DER Encoded X509 ....................................... 333

DES ................................................................ 806

DES-CBC3-SHA .................................... 329, 600

DES-CBC-SHA .............................................. 600

DESCRIPTION ............................................... 486

Descriptions of Preconfigured Reports .. 435, 745

Designer dialog .............................................. 752

Destination File Name .................................... 486

Developer Mode ......................................... 73, 84

DHE-DSS-AES128-SHA ................................ 600

DHE-DSS-AES256-SHA ................................ 600

DHE-DSS-CAMELLIA128-SHA ..................... 600

DHE-DSS-CAMELLIA256-SHA ..................... 600

DHE-DSS-RC4-SHA ...................................... 600

DHE-RSA-AES128-SHA ................................ 600


DHE-RSA-AES256-SHA ................................ 600

DHE-RSA-CAMELLIA128-SHA ..................... 600

DHE-RSA-CAMELLIA256-SHA ..................... 600

DIRECTION ................................................... 486

Disable ................................... 119, 279, 303, 448

Command ................................................... 448

Disabling Inactive User Accounts ............... 399

Disabling RADIUS ...................................... 251

Disabling RSA Authentication via RADIUS 251

Event Rule .................................................. 468

Settings Template ...................................... 279

SFTP .......................................................... 303

SSL ............................................................. 337

user account ............................................... 119

Disabling ........................................................ 623

Disabling an Account after a Defined Number of Incorrect Login ............................................ 397

Disabling Inheritance in the VFS ................... 414

Disabling or Locking Out an Account at the Site Level ........................................................... 397

Disabling SSL Connections ........................... 337

disallow .......................................................... 308

NOOP ......................................................... 308

Disconnecting ................................................ 375

Disconnecting Users after a Defined Number of Invalid Commands...................................... 379

Disconnecting Users on Timeout ................... 375

Disconnecting Users Timeout ........................ 375

Display Name ................................................. 226

DMZ Gateway .......................... 75, 102, 504, 813

Activating ...................................................... 75

DMZ Gateway IP ........................................ 102

DNs ........................................................ 199, 233

Domain Name ........................................ 199, 233

domain.username .......................................... 226

DoS ........................................................ 111, 380

DoS/Flood .................................................. 376

DoS/Flood prevention permanent ban ....... 163

DoS/Flood prevention temporary ban ........ 163

Download Action .................................... 486, 558

Download Failed ............................................ 486

Download Size ............................................... 376

Downloaded ................................................... 486

Downloading a File ........................................ 634

DRIVER ......................................................... 241

Drummond ..................................................... 655

DSN ............................................................... 241

DST_FILE_NAME .......................................... 486

DST_FOLDER_NAME ................................... 486

DST_PATH .................................................... 486

DST_VIRTUAL_PATH ................................... 486

Duplicate Contents......................................... 684

Duplicate Message ID ............................ 675, 684

E

EBCDIC ......................................................... 317


EDH-DSS-DES-CBC3-SHA ........................... 600

EDH-DSS-DES-CBC-SHA ............................. 600

EDH-RSA-DES-CBC3-SHA ........................... 600

EDH-RSA-DES-CBC-SHA ............................. 600

EDI ......................................................... 655, 664

EDI Consent .......................... 568, 664, 687, 695

EDI file ............................................................ 655

EDIFACT ............................... 568, 664, 687, 695

Editing ........... 297, 298, 443, 468, 664, 675, 693

AS2 ............................................................. 675

AS2 Partner Profiles ................................... 664

Command ................................................... 443

CSS ............................................................ 693

Edit Administrator Account ......................... 130

Edit Custom Commands ............................. 445

Edit Mail Template ...................................... 547

Edit Report .......................................... 759, 775

Editing the Username Resend Message .... 297

Event Rule .................................................. 468

User Login Credentials Message ............... 298

Username Resend Message ...................... 297

Editing a Command ........................................ 443

Editing the Number of Files Displayed in the Client ........................................................... 620

Editing the Password Reset Messages ......... 299

Editing the User Login Credentials Message . 298

EFT ........................ 21, 37, 78, 79, 141, 181, 313

activating....................................................... 37

configuration ............................................... 141

configuring .................................................... 37

Introduction ................................................... 21

Logging Out ................................................ 181

Set Windows NT Permissions ...................... 79

Uninstalling ................................................... 78

EFT Administrator .................................. 123, 139

EFT Authentication ......................................... 130

EFT Configuration .................................. 140, 141

EFT database ................................................. 719

EFT Database Utility ...................................... 714

EFT Deployment Scenarios ............................. 37

EFT Feature Comparison ................................. 25

EFT HA (Active-Active) Deployment ................ 38

EFT in the Windows Event Viewer ................. 217

EFT License Information .................................. 34

EFT Listening IP Address .............................. 161

Changing .................................................... 161

EFT Logging ...................................207, 209, 212

EFT Messaging .............................................. 189

EFT requirements ...................................... 42, 45

EFT Service.................................................... 183

EFT Service Administrative Rights .................. 79

EFT SFTP Key Support ................................. 340

EFT Specifications ........................................... 44

EFT SSH Key Formats ................................... 342

EFT Support for EBCDIC ............................... 317

EFT Web Services ......................................... 593


EFT Web Transfer Client Licensing ............... 615

EFT.log .................................................. 200, 209

EFT.log File .................................................... 209

EFT_ID ........................................................... 486

EFTAdhoc ...................................................... 598

Eftdbuser ........................................................ 714

EFTDeleteExpiredUsers ................................ 598

EFT's COM API ............................................. 813

EFTServer ........................................................ 79

eftserver-ent.exe .............................................. 85

eftserver-ent-nodb.exe ..................................... 85

EFTUser ........................................................... 79

EFTWebService ............................................. 361

EFTWebServices ........................................... 593

EFTWebServices_InvokeEventRule.............. 593

EFTWebServices_MAIN ................................ 593

Else ................................................................ 514

Else Clauses .................................................. 514

EMAIL ............................................................ 486

Email Address ................................................ 486

E-Mail Notification Action ............................... 545

e-mail notifications ......................................... 486

Emailing Users' Login Credentials ................. 392

Enable ... 247, 279, 327, 335, 344, 354, 365, 366, 448, 468, 593, 608, 660

32BitAppOnWin64 ........................................ 83

AS2 ............................................................. 660

Auditing .............................................. 193, 737

Automatic Refresh ...................................... 266

Command ................................................... 448

Enable and Configure EFT WorkSpaces .. 275, 424

enable_iwa ........................................... 81, 608

Enable10ColumnInClientLog ....................... 81

Enable32BitAppOnWin64 ............................ 83

Enabling JavaScript in the Browser ........... 629

Enabling or Disabling a User Account........ 286

Enabling the Mobile Transfer Client ........... 646

Event Rule .................................................. 468

FIPS Mode ......................................... 365, 366

FTPS .......................................................... 335

HTTP Connections ..................................... 354

JavaScript ................................................... 629

Multipart ................................................ 81, 308

RADIUS .............................................. 247, 250

RSA SecurID .............................................. 250

Settings Template ...................................... 279

SFTP .................................................. 344, 366

SSL ............................................. 327, 335, 365

SSO ............................................................ 608

Timeout ...................................................... 120

User account .............................................. 286

Web Services ............................................. 593

ENABLED ...................................................... 486

Enabling and Disabling Commands............... 448

Enabling FIPS Mode for SSH Connections ... 366

Enabling FIPS Mode for SSL Connections .... 365

Enabling FTPS and HTTPS (SSL) at the Site

Level ........................................................... 335

Enabling Java in the Browser......................... 629

Enabling or Disabling a Settings Template or

User ............................................................ 279

Enabling or Disabling a User Account ........... 286

Enabling or Disabling RADIUS for a User

Account ....................................................... 251

Enabling Password History for Administrators

.................................................................... 135

Enabling Protocols at the Site Level .............. 335

Enabling SSL on EFT ..................................... 327

Enabling the Account-Management Page ..... 359

Enabling the AS2 Inbound Listener Service .. 660

Enabling User Access to the Web Transfer

Client ................................................... 360, 613

Enabling Web Services .................................. 361

Encoding ................................................ 306, 352

FTP ............................................................. 306

SFTP Transfers .......................................... 352

Encoding for FTP Transfers (Site) ................. 306

Encoding for SFTP Transfers......................... 352

Encrypt ................................................... 574, 812

encrypt Actions ....................................... 574, 812

Encrypt+Sign .......................................... 574, 812

Encrypting Passwords .................................... 398

End-User Login In .......................................... 607

End-User Login In to EFT .............................. 607

Enforce Strong Passwords..................... 119, 391

user account ............................................... 119

Enforcing Complex Passwords at the Site Level

.................................................................... 386

Enforcing Complex Passwords for Admin

Accounts ..................................................... 132

Enforcing Password Reset at the Site Level .. 385

Enforcing Password Reset for Administrator

Accounts ..................................................... 136

Enter Trial Extension Response ...................... 84

Erasing EFT Configuration ............................. 140

Error Codes ............................................ 313, 357

Error in ASP.NET Registration ......................... 83

error message ................................................ 708

AS2 ............................................................. 708

Error Messages .............................................. 638

Error Messages and File Names ................... 638

Establishing a System Data Source Name (DSN) .......................................................... 239

evaluating ................................................... 73, 84

Evaluating Expressions .................................. 516

Event ID.......................................................... 578

Event Rule Actions ......................................... 537

Event Rule Conditions .................................... 511

Event Rule Examples ..................................... 486

Event Rule Order of Execution....................... 461

Event Rule Permissions ................................. 470

Index

Event Rules ... 398, 448, 459, 461, 465, 468, 486,

498, 499, 508, 511, 537, 543, 548, 568, 573,

577, 598, 695, 813

Conditions .......................................... 511, 517

Defining ...................................................... 465

delete .......................................................... 468

disable ........................................................ 468

edit .............................................................. 468

enable ......................................................... 468

EVENT ....................................................... 486

Event Date Stamp ...................................... 486

Event Full Name ......................................... 486

Event Name ................................................ 486

Event Properties ................................. 486, 517

Event Reason ............................................. 486

Event Rule Actions ............................. 576, 739

Event Rule Load Balancing ........................ 601

Event Rule Order........................................ 461

Event Rule Sequence for Matching Event

Rules ....................................................... 461

Event Rule Sequence for Matching Folder

Monitor Rules.......................................... 461

Event Rule Sequence for Matching Timer or

Folder Monitor Rules .............................. 461

Managing .................................................... 468

processing .................................................. 573

rename ....................................................... 468

reorder ........................................................ 461

SAT Rules .................................................. 598

triggered ..................................... 448, 498, 543

Event Rules Change Log ............................... 473

Event Rules Folders....................................... 472

Event Time ..................................................... 486

Event Time Stamp ......................................... 486

Event Viewer .................................................. 578

EventID .......................................................... 736

EVENTNAME ................................................. 486

EventParams ................................................. 361

EventRuleName ............................................. 361

EventRuleName Value .................................. 361

Events and Available Variables ..................... 486

Example

Command Action Followed by PGP Action 461

Creating a Custom Report ......................... 769

Executable ..................................................... 443

Execute Advanced Workflow Action .............. 545

Execute Command ........ 443, 448, 498, 502, 543

Existing LDAP Site ......................................... 250

Exit Administrator dialog ................................ 121

Exit Messages ................................................ 313

Exit Prompts ................................................... 121

EXP1024-DES-CBC-SHA .............................. 600

EXP1024-DHE-DSS-DES-CBC-SHA ............ 600

EXP1024-DHE-DSS-RC4-SHA ..................... 600

EXP1024-RC4-SHA ....................................... 600

EXP-DES-CBC-SHA ...................................... 600

825

EFT v7.2 User Guide

EXP-EDH-DSS-DES-CBC-SHA..................... 600

EXP-EDH-RSA-DES-CBC-SHA..................... 600

Expiration Dates ............................................. 395

EXPIRATION_DATE ...................................... 486

Expire ..................................................... 137, 287

Administrator .............................................. 137

Expire password .........................137, 385, 393

Expired User Accounts ............................... 395

User Account .............................................. 287

Expiring a User Account ................................. 287

Expiring Administrator Passwords ................. 137

Expiring Passwords at the User Level ........... 393

Explicit Security .............................................. 320

Explicit Versus Implicit SSL............................ 320

Exporting ........................................334, 338, 774

Certificate............................................ 334, 338

Export Report ............................................. 774

Exporting Key Pairs ............................ 775, 810

Reports ....................................................... 774

Exporting a Certificate .................................... 334

Exporting a Certificate from PFX to PEM ....... 338

Exporting and Importing Event Rules ............ 475

Exporting and Publishing Reports in the Report

Designer ..................................................... 775

Exporting Reports in XML Format .................. 774

EXP-RC2-CBC-MD5 ...................................... 600

EXP-RC4-MD5 ............................................... 600

Expressions .................................................... 516

Extending the Trial ........................................... 84

Extracting the Public SFTP Key ..................... 351

F

Failed Action Flag .......................................... 739

FAX ................................................................ 486

Fax Number.................................................... 486

FEAT .............................................................. 313

Feature Comparison ........................................ 25

Federal Information Processing Standard .... 364,

365, 366

FF ................................................................... 313

File Cleanup Action Parameters .................... 567

File Deletion Options ...................................... 402

File Downloaded Event .................................. 486

File Integrity Checking .................................... 310

File Location Changes ..................................... 73

file locked ....................................................... 621

File System Conditions .................................. 517

File Uploaded ......................................... 486, 496

File Uploaded Event User Details .................. 496

FILE_CRC ...................................................... 486

FILE_CREATE_DATE ................................... 486

FILE_CREATE_TIME .................................... 486

FILE_NAME ................................................... 486

FILE_SIZE ...................................................... 486

File-Naming Conventions ............................... 606

Files Received ................................................ 692

filter ........................................ 231, 234, 270, 750

Filtering and Sorting the File List ................... 636

Filtering the Filesystem List ........................... 636

Finding Information in the Help ........................ 31

FIPS ............................................... 364, 365, 366

enabling .............................................. 365, 366

FIPS 140 .................................................... 366

FIPS Mode ......................................... 365, 366

FIPS Mode Events ..................................... 366

FIPS Mode Messages ................................ 366

FIPS protocols ............................................ 366

FIPS Mode Event Messages ......................... 366

FIPS-Certified Libraries ................................. 364

Firewall ................................................... 102, 813

Flood ...................................................... 379, 380

Flood Sensitivity ............................................. 380

Flooding and Denial of Service Prevention ... 380

Folder Changed ............................................. 486

Folder Created ............................................... 486

Folder Deleted ............................................... 486

Folder Locations for WTC Users ................... 421

Folder Monitor ................................................ 491

Folder Monitor Event ..................................... 503

Folder Monitor Failed ..................................... 486

Folder Monitor Failure Reason ...................... 486

Folder Monitor Health .................................... 486

Folder Monitor RENAME ............................... 503

Folder Options ................................................. 73

Folder Sweep ................................................. 491

FOLDER_NAME ............................................ 486

FolderMonitorWorkerThreadCount .......... 81, 598

ForceSynchronizeUserDatabase ................... 218

Forcibly Logging a User Off EFT ................... 294

Forcibly Logging a User Off the Server ......... 294

Forcing Password Reset ................................ 385

Foreign Groups .............................................. 225

FS.FILE_NAME ............................................. 503

FTP ........................................................ 305, 306

Encoding .................................................... 306

FTP Commands Supported ....................... 313

FTP Config ................. 305, 307, 308, 310, 312

FTP Connection Banner ............................. 312

FTP Custom Command Specific ........ 439, 443

FTP QUIT ................................................... 313

FTP Settings ....... 305, 307, 308, 310, 312, 313

FTP Status ................................................. 313

FTP SYST .................................................. 316

FTP Settings for the Site ................................ 305

FTP SYST Command .................................... 316

FTPS protocol .................................................. 98

FTPS Protocol Specific .................................... 98

FTPS_AUTH_TLS ......................................... 803

FTPS_EXPLICIT ............................................ 803

FTPS_IMPLICIT ............................................. 803

ftpserver_ids .................................................. 244

ftpserver_users .............................................. 244

ftpserver_users.ID .......................................... 244

FTPSYSTResponse ................................. 81, 316

Full Name ....................................................... 486

G

Gateway ......................................................... 102

General Tab ............................ 96, 109, 114, 116

Server Node ................................................. 96

Settings Template ....................................... 114

Site .............................................................. 109

General Tab of a Site ..................................... 109

General Tab of a User Node .......................... 116

General Tab of EFT ......................................... 96

General Tab of the Settings Template ........... 114

Generate Report Action ................................. 509

Generating

Generate Report ......................................... 509

Generating SSH Key Pair ........................... 347

Generating a List of Expired User Accounts and

Expiration Dates ......................................... 395

Generating a Report ....................................... 749

Getting Help ..................................................... 31

Getting Started with EFT .................................. 30

Globalscape Cryptographic Module ............... 364

Globalscape Customer Support ....................... 34

GlobalSCAPE EFT Authentication ................. 219

GMT ............................................................... 195

Greenwich Mean Time ................................... 195

Group Membership ................................ 119, 408

Group_ID ........................................................ 244

Grouping and Sorting Data ............................ 768

Groups ... 119, 296, 405, 407, 408, 409, 411, 486

Configuring ................................................. 405

Deleting....................................................... 407

managing .................................................... 405

permissions ................................................ 296

Renaming ................................................... 409

Groups list ...................................................... 409

GSCM ............................................................. 364

H

Hammer Settings ................................... 379, 380

Hash Message Authentication Code .............. 349

HELP ........................................................ 31, 313

Help File ........................................................... 31

Searching...................................................... 31

Help Topic ........................................................ 31

Printing.......................................................... 31

High Availability Message Queuing ............... 206

High Availability Tab of a Server .................... 101

High Security .................................................. 779

High Security Module ..................................... 779

HIPAA ............................................................. 779

History ............................................................ 135

HMAC ............................................................. 349

Home Folder ................. 289, 290, 291, 399, 486


Automatically Creating ............................... 399

Home IP ......................................................... 486

HOME_FOLDER ............................................ 486

HOME_IP ....................................................... 486

HOME_IS_ROOT .......................................... 486

HOMEDIRECTORY ....................................... 244

HOST ............................................................. 486

How Do I Transfer Files? ............................... 605

How EFT Handles SQL Data ......................... 738

How EFT Supports AS2 ................................. 655

How PCI DSS Requirements Addressed with

EFT ............................................................. 780

How VFS Permissions Work .......................... 412

HS Module ..................................................... 779

HSM ....................................................... 779, 803

HTTP ..... 303, 305, 308, 353, 354, 355, 357, 360,

486, 613

Configuring ................................................. 354

HTTP Error ................................................. 357

HTTP Limitations ........................................ 353

HTTP request logging ................................ 209

HTTP Status ............................................... 357

HTTPMessages .......................................... 357

HTTPS ....... 303, 308, 321, 335, 353, 354, 355,

360, 613

HTTPS Overview........................................ 353

HTTPS Transfers ....................................... 354

HTTPS URL ............................................... 355

Redirecting ................................................. 355

HTTP and HTTPS .......................................... 353

HTTP and HTTPS Overview .......................... 353

Hybrid Configuration ........................................ 37

I

IDEA ....................................................... 329, 806

IDEA 128 ........................................................ 329

IDEA-CBC-SHA ..................................... 329, 600

IDN ................................................................. 199

IF ................................................................... 514

If Users are Unable to Upload or Download to

Home Directory .......................................... 292

IIS ..................................................................... 82

IIS 6.0 ............................................................... 83

Implicit Security .............................................. 320

Implicit SSL .................................................... 320

Importing ................................................ 333, 776

Certificate ................................................... 333

Import OpenPGP Key dialog ...................... 810

Importing Client Keys ................................. 350

Reports ....................................................... 776

Importing a Certificate .................................... 333

Importing a Certificate into the Trusted

Certificate Database ................................... 333

Importing and Exporting Key Pairs for OpenPGP

.................................................................... 810

Importing Reports .......................................... 776


Inactive Administrator Accounts ..................... 138

Inactive user account ..................................... 399

Index ................................................................. 31

Inherit ..................................................... 113, 414

Inherit Permission .......................................... 412

Inheritance.............................................. 279, 414

Initiating .......................................................... 691

AS2 ............................................................. 691

Initiating AS2 Outbound Transactions ........... 691

INSTALL_DIRECTORY ................................. 486

INSTALL_SQLEXPR ........................................ 85

Installation .................................................. 51, 86

Install Directory ........................................... 486

Installation Logging ............................... 86, 207

Installer.log ................................................... 86

Silent installation .................................... 85, 180

Installing and Activating the AS2 Module ....... 657

Installing and Activating the Software .............. 37

Installing and Configuring the Auditing and

Reporting Module ....................................... 712

Installing EFT Administrator and Modules ....... 51

Installing the Administration Interface Remotely

...................................................................... 65

Integrated Windows Authentication ............... 608

Single Sign On ............................................ 608

interface.................................................. 109, 711

international domain names ........................... 199

Introduction to Connection Profiles ................ 451

Introduction to Event Rules ............................ 459

Introduction to the Virtual File System (VFS) . 411

Invalid ............................................................. 163

Invalid Account ........................................... 389

Invalid Auth ................................................. 657

Invalid Commands .............................. 379, 380

Invalid login options .................................... 119

Invalid password ......................................... 163

INVALID_LOGINS ...................................... 486

Invoke Web Service from URL Action ............ 583

InvokeEventRule .................................... 361, 593

IP ................................................ 161, 163, 376, 380

add .............................................................. 163

attacking ..................................................... 380

banning ............................................... 163, 376

bans .................................................... 376, 380

change ........................................................ 161

Controlling........................................... 163, 376

displays ....................................................... 161

find .............................................................. 163

IP Access Restrictions list .................. 376, 380

IP Access Rules ................................. 163, 376

IP Auto ................................................ 163, 376

IP Mask dialog .................................... 163, 376

IPv4 .................................... 163, 196, 264, 376

IPv4 IPs ...................................................... 196

IPv6 ............................ 163, 196, 264, 376, 497

listening....................................................... 161

range .......................................................... 163

Setting Maximum Connections per IP for a Site .......................................................... 374

specify ................................................ 161, 163

IP Added to Ban List ...................................... 497

IWA ........................................................ 607, 608

J

JAR ................................................................ 621

Java ............................................................... 629

JavaScript ...................................................... 629

K

Key Pairs ........................................ 347, 806, 810

Creating ...................................................... 806

Deleting ...................................................... 810

Key Ring list ............................................... 810

Key Ring Manager...................................... 806

Keyring ....................................................... 810

keyring file .................................................. 811

Keyboard Shortcuts ....................................... 120

Kick User ........................................ 269, 293, 294

Knowledgebase ............................................... 34

L

Last Login Date .............................................. 486

LAST_LOGIN ................................................. 486

LDAP ...................................... 231, 233, 234, 237

Connections ............................................... 233

Filtering ....................................................... 231

LDAP Authentication .................................. 231

LDAP Authentication Options ..................... 234

LDAP Authentications ................................ 231

LDAP Search Filters ................................... 231

LDAP Server ...................................... 231, 233

LDAP Site ........................................... 233, 234

query .......................................................... 233

Search filter ................................................ 231

User Home Folders .................................... 237

Licensing Workspaces ................................... 424

Lightweight Directory Access Protocol .......... 231

links .................................................................. 31

LIST ............................................................... 313

List DNs ......................................................... 233

List of Conditions ........................................... 517

Listener Settings ............................ 303, 335, 351

Listening IP ......................................... 161, 264

Listening IP Settings .................................. 161

RADIUS ...................................................... 351

RSA SecurID .............................................. 351

SFTP .......................................................... 351

Local Computer Administrators Group .......... 129

Local IP .......................................................... 486

Local Port ....................................................... 486

Local Security Policy Setting when Using Active

Directory Authentication ............................. 223

LOCAL_IP ...................................................... 486

LOCAL_MIC ................................................... 486

LOCAL_PORT ............................................... 486

Locations .......................................................... 73

lock out ........................................................... 119

user account ............................................... 119

Locking Out ........................... 137, 138, 140, 397

Locking Out an Administrator Account ........... 137

Lockout ...........................................137, 140, 397

log .............. 86, 99, 192, 207, 212, 217, 591, 745

Log Example ............................................... 212

Log File Format .......................................... 212

Log File Name ............................................ 486

Log File Path .............................................. 486

Log File Settings ......................................... 212

Log In .......................................................... 607

Log Location ............................................... 486

Log On Locally ............................................ 223

Log Rotated ................................................ 486

Log Scrollback ............................................ 192

Log Type ..................................................... 486

log_level...................................................... 209

LOG_LOCATION ........................................ 486

LOG_NEW_NAME ..................................... 486

LOG_NEW_PATH ...................................... 486

LOG_OLD_NAME ...................................... 486

LOG_OLD_PATH ....................................... 486

log_request ........................................... 81, 209

LOG_TYPE ................................................. 486

log4cplus..................................................... 209

Log4Cplus logging ...................................... 207

Logfile ........................................................... 86

Logs Tab ....................................................... 99

Log Format, Type, and Location .................. 212

Log in to EFT .................................................. 179

Logged On User ............................................. 179

Logging In to the WTC ................................... 630

Logging Out of EFT ........................................ 181

Logging Out of the WTC ................................ 631

Logical Operators ........................................... 515

logins ..................................... 269, 295, 373, 607

Logging ................................................. 86, 207

logging in to EFT ........................................ 607

Logging Out ................................................ 181

LOGIN ......................................................... 486

Login Credentials ........................................ 392

login credentials message .......................... 189

Login Security Options ...............295, 389, 397

Logon Name ............................................... 486

Logs Tab of EFT .............................................. 99

M

mail a user a password .................................. 392

Mail Express ................................................... 813

Mail Notification Message dialog ................... 547

MailActionTemplate ........................................ 547


Main Menu ....................................................... 88

Main Menu and Toolbar ................................... 88

Main Tab (USL node) .................................... 114

Main Tab (USL) .............................................. 114

Manage OpenPGP Keys ............................... 809

Manage SSL Certificates ............... 332, 333, 334

manageaccount ............................. 359, 385, 393

Management Page......................................... 359

managing ....................... 123, 405, 465, 468, 774

EFT ............................................................. 123

Event Rules ................................................ 468

Groups ........................................................ 405

Reports ....................................................... 774

Rules .......................................................... 465

Managing Event Rules ................................... 468

Managing Multiple User Accounts ................. 295

Managing Reports.......................................... 774

Managing Workspaces in the VFS ................ 430

Manually Creating the ARM Database in Oracle .................................................................... 731

Manually Creating the ARM Database in SQL Server ......................................................... 726

Mapping a Virtual Folder to a Network Drive . 418

Max upload .................................................... 376

Maximum Concurrent Logins ......................... 373

Maximum Concurrent Socket Connections ... 372

Maximum Connections per IP Address ......... 374

Maximum Transfer Size ................................. 376

Maximum Transfer Speeds ............................ 371

Maximum Transfers per Session ................... 375

MaxNumberConnections ......................... 81, 598

MD_ITER ....................................................... 244

MD4 OTP ....................................................... 244

MD5 OTP ....................................................... 244

MDAC ............................................................ 241

mdb ................................................................ 241

MDN ...... 486, 655, 664, 675, 684, 691, 695, 702, 704

MDTM ............................................................ 313

MDX ............................................................... 244

Message Authentication Codes ..................... 349

Message Disposition Notification ................... 664

Message ID ............................ 675, 684, 692, 702

Message IDs .................................................. 684

Message Level Authentication ....................... 657

Message Level Security ......................... 657, 684

MESSAGE_ID ................................................ 486

Messages ............................... 189, 312, 313, 366

AD password expiration e-mail .................. 189

audit failure ................................................. 189

client login error .......................................... 189

connection banner ...................................... 189

e-mail notification ....................................... 189

invalid parameter count .............................. 189

login credentials ......................................... 189

password reset ........................................... 189

quit session ................................................. 189

user limit reached ....................................... 189

username resend ........................................ 189

Microsoft Access ............................................ 241

MICs ...............................................486, 655, 695

Mismatch AS2 ................................................ 675 mismatched AS2 ............................................ 657

MKCOL ........................................................... 357

MKD ............................................................... 313

MLS ........................................................ 657, 684

MLS Authentication ........................................ 657

MLSD ............................................................. 313

MLST .............................................................. 313

MM ................................................................. 313

Mobile Transfer Client .................................... 645

Custom Branding of the Mobile Transfer Client Profile ...................................................... 650

Decommissioning Mobile Transfer Client Users ....................................................... 649

Enabling the Mobile Transfer Client and Configuring Security ................................ 646

Mobile Transfer Client App ......................... 651

Mobile Transfer Client FAQ ........................ 651

Mobile Transfer Client Features ................. 645

Mobile Transfer Client Licensing ................ 646

Mobile Transfer Client Overview ................ 645

Mobile Transfer Client Profile Provisioning 649

MTC System Requirements ....................... 646

Onboarding Mobile Transfer Client Users .. 649

MODE ............................................................. 313

Mode Z Command ......................................... 312

Modifying Message Authentication Codes ..... 349

Modifying or Repairing the Software ................ 76

Modifying the SFTP Identification String ........ 350

Monitor Folder ........................................ 491, 503

Monitor Folder Event ...................................... 503

Monitor User ........................................... 192, 269

MONITOR_OPERATION ............................... 486

MONITORFAILUREREASON ........................ 486

MONITORHEALTH ........................................ 486

Monitoring Folders ......................................... 491

Monitoring User Connections ......................... 192

Move ...............................................186, 506, 548

Move Action ........................................... 503, 548

Move file ................................................. 503, 548

Moving a User to a Different Settings Template .................................................................... 289

Moving an Uploaded File Based on Filename .................................................................... 506

Moving Files Between Folders ....................... 639

Moving Files Received from AS2 Partners .... 692 multi-part ........................................................ 308

Multipart Transfers ......................................... 308

Multi-Part Transfers ........................................ 308

MultipartValue .......................................... 81, 308

Multiple Attachment ........................................ 655

multiple prompts ............................................. 351

Multiple User Accounts .................................. 295

MYSQL .......................................................... 241

N

NAME ............................................................. 486

NAS ................................................................ 247

NAS Identifier ................................................. 247

NAT Routing .................................................. 102

Native RSA SecurID Protocol ........................ 247

Native SecurID Protocol ................................ 247

NET IIS Registration Tool ................................ 83

NET Registration Tool ..................................... 83

NET Web Application ....................................... 83

Network Usage Options ................................. 371

Network Usage ........................................... 371

Network Usage and Limits 371, 372, 373, 374, 376, 379, 380

Network Usage Options for Users .............. 371

Network Usage Settings ............................. 371

Network Usage Settings for a Site ................. 371

New Administrator Connection .............. 141, 171

New Event Rule ............................................. 465

New Folder icon ............................................. 414

New password ............................................... 391

New Permissions Group ................................ 407

New Physical Folder ...................................... 414

New Report ............................................ 755, 769

New Report Wizard ........................................ 755

New Server Group ......................................... 172

New Settings Template .................................. 277

New User ............................................... 281, 392

password .................................................... 392

New User Account Details ............................. 281

New User Account Setup ............................... 392

New User Created ......................................... 486

New User Creation......................................... 281

New Virtual Folder ................................. 415, 421

Next Login ...................................................... 486

NLST .............................................................. 313

No Sign .......................................................... 657

NOAUTOSTART .............................................. 85

NODE_NAME ................................................ 486

Non-repudiation ............................................. 655

NOOP .................................................... 308, 313

allow ........................................................... 308

disallow ....................................................... 308

Normal Authentication ................................... 657

NT .......................................................... 221, 223

NTAD ............................................................. 394

O

ODBC ............................. 239, 241, 243, 244, 245

ODBC Authentication ............................. 241, 243

ODBC Data Source........................................ 239

Offload ................................................... 506, 548

Offload Action ..................................... 506, 548

Offload Action Wizard ......................... 506, 548

offload RENAME ........................................ 503

offloaded file ............................................... 506

OLE DB Provider ............................................ 765

On-Demand Authentication ............................ 247

Open Database Connectivity ......................... 239

Opening VSReport Designer.......................... 754

OpenPGP .............. 401, 574, 805, 806, 810, 812

Open OpenPGP Keyring icon .................... 809

OpenPGP Action ................................ 574, 812

OpenPGP Encrypt .............................. 574, 812

OpenPGP Encryption .................574, 805, 812

OpenPGP key .............................401, 805, 809

OpenPGP Key Generation ......................... 805

OpenPGP Key Generation Wizard ............. 806

OpenPGP Key Ring .................................... 805

OpenPGP Keyring ......................809, 810, 811

OpenPGP Security .....................401, 806, 809

OpenPGP Settings ..................................... 811

PGP ................................... 574, 805, 806, 812

PGP Encrypt ............................................... 805

PGP Receiver ..................................... 574, 812

PGP Source ........................................ 574, 812

PGPVerifySignature ........................... 574, 812

OpenPGP and EFT ........................................ 805

OpenPGP Key Ring Manager ........................ 809

OpenSSH ............................................... 347, 351

OpenSSL ............................... 317, 329, 332, 339

openssl x509 .................................................. 332

Operating System Events ...................... 477, 486

OPTS .............................................................. 313

Order in which Actions are Executed ............. 461

OTP ................................................................ 244

OTP_MD5 ...................................................... 244

OTP_SEED .................................................... 244

Overview of the Web Transfer Client ............. 627

P

p12 ................................................................. 339

P12 file ........................................................... 339

PAGER ........................................................... 486

Pager Number ................................................ 486

Partner AS2 ....................................568, 657, 695

Partner Configuration ............................. 568, 695

Partner ID ....................................................... 702

Partner Profile ................................568, 691, 695

PARTNER_ID ................................................ 486

Partner's AS2 Inbound Configuration............. 657

PASS .............................................................. 313

Passphrase .................................................... 321

Password...... 116, 119, 135, 137, 139, 287, 390, 392, 398, 486

complex .............................................. 116, 119

confirmation message ................................ 189

enforce strong password ............................ 116

expiration .................................................... 119

expire .......................................... 137, 287, 393

force change ............................................... 116

history ......................................................... 119

invalid login ................................................. 116

password attempts ..................................... 295

Password Changed .................................... 486

Password Complexity Settings ................... 132

password expiration ... 189, 299, 388, 393, 394

Password Expiration Date .......................... 486

Password Expiration Options ..................... 388

password reset ........................... 139, 189, 390

Password Reuse Warnings ........................ 390

Password Security...................................... 397

Password Security Settings ...... 132, 135, 136, 137, 385

PASSWORD_EXPIRATION ...................... 486

PASSWORD_TYPE ................................... 244

PasswordChg_EmailInterval ................ 81, 394

PasswordChg_MsgFileLocation ......... 394, 620

PasswordChg_NetworkProblem ................ 189

PasswordChg_NetworkProblem.txt ... 394, 620

PasswordChg_NTADLDAP .......... 81, 394, 620

PasswordChg_NTADLDAP_Off.reg... 394, 620

PasswordChg_NTADLDAP_On.reg... 394, 620

PasswordChg_PasswordComplexity ......... 189

PasswordChg_PasswordComplexity.txt ... 394, 620

PasswordChg_PasswordWrong ................ 189

PasswordChg_PasswordWrong.txt.... 394, 620

PasswordChg_Permission ......................... 189

PasswordChg_Permission.txt ............ 394, 620

PasswordChg_PwdWillExpire .................... 189

PasswordChg_PwdWillExpire.txt ....... 394, 620

PasswordResetConfirm ............................. 189

PasswordResetMsg ........................... 189, 393

PasswordResetReminderMsg ............ 189, 393

Passwords

Admin....................................... 123

prohibit reuse .............................................. 116

reset ................................................... 116, 119

reset required message ............................. 189

reuse ......................................................... 119

Password Reuse (History) ............................. 390

Password Security Settings for a Site............ 385

PASV ..................................................... 307, 313

PASV IP ......................................................... 307

PASV Port Range .......................................... 307

PATH ............................................................. 486

PAYLOAD ...................................................... 486

Payment Card Industry .................................. 780

pb7, DER ....................................................... 324

PBSZ .............................................................. 313

PCI ................................................................. 780

PCI DSS ............. 779, 780, 787, 800, 801, 803

PCI DSS Compliance ................. 780, 800, 801

PCI DSS Compliance Report .... 787, 800, 801, 802

PCI DSS Possible Compliance Report Outcomes ................................................ 802

PCI DSS Requirement ................................ 780

PCI DSS Requirements Addressed ........... 780

PCI DSS Security Audit Procedures .......... 780

PCI DSS Site ..................... 780, 787, 801, 803

PCI DSS Violations ..................................... 800

PCI Security Standards .............................. 780

PCI Security Standards Council ................. 780

PCI Compliance Report ................................. 801

PCI DSS Requirements ................................. 780

PCI DSS Security Auditing ............................. 801

Peer Notification Channel ................................ 75

PEM ....................... 323, 324, 332, 333, 338, 339

PEM file .......................................................... 339

Pending Certificates ............................... 332, 333

Pending Certificates list .......................... 333, 334

Perform File Operation Action ........................ 591

Perform Folder Operation Action ................... 590

Perimeter Network Security ..................... 75, 102

Perimeter Security .......................................... 102

Permission............................. 296, 405, 407, 409

Permission Groups ................ 296, 405, 407, 409

Creating ...................................................... 407

Persist .................................................... 398, 577

PFX ................................................324, 338, 339

pfx, DER ................................................. 324, 339

PHONE ........................................................... 486

Phone Number ............................................... 486

Physical Destination Folder Name ................. 486

Physical Destination Path .............................. 486

Physical Folder ............................................... 415

Deleting....................................................... 415

Physical Folder Name ................................ 486

Physical Path .............................................. 486

Renaming ................................................... 415

PKCS ..............................................324, 333, 339

PKCS#12........................................................ 339

PKCS10..........................................324, 333, 339

pkcs8 .............................................................. 339

PKI key ........................................................... 339

PNC .................................................................. 75

Port ......................................................... 247, 313

Port Range ................................................. 307

RADIUS Server .......................................... 247

Possible Compliance Report Outcomes ........ 802

Possible PCI Compliance Report Outcomes . 802

POST ...................................................... 357, 605

Preconfigured Reports ........................... 435, 745

Predefined AS2 .............................................. 700

Pretty Good Privacy ....................................... 805

Private key...................................................... 321

Private Key Format ........................................ 324

Private Keypair ............................................... 347

Private keyring file.......................................... 811

Process .......................................... 448, 498, 543

Program Files ................................................... 73

ProgramData .................................................... 73

Prohibit ........................................................... 390

password reuse .......................................... 390

Prohibiting ...................................................... 390

Reuse ......................................................... 390

Properties ....................................................... 486

PROPFIND Method ....................................... 357

PROPPATCH Method ................................... 357

PROT ............................................................. 313

PROTOCOL ................................................... 486

protocols ................................ 247, 303, 337, 354

Proxy .............................................................. 691

Proxy Settings ................................................ 505

Public key ....................................... 345, 347, 351

extracting .................................................... 351

Public Key Only .......................................... 345

Public SFTP Key ........................................ 351

Publishing Reports ......................................... 775

punycode ............................................... 199, 200

Punycode encoding ....................................... 199

PurgeSQLEFTData ........................................ 741

Purging ........................................................... 741

Purging Data from the Database ................... 741

PUT ................................................................ 357

PWD ............................................................... 313

Q

query .............................................................. 233

LDAP .......................................................... 233

QUIT .............................................................. 313

Quit Session ................................................... 313

Quit Session Message ................................... 313

QUOTA_MAX ................................................ 486

QUOTA_USED .............................................. 486

R

RADIUS ................................. 247, 250, 251, 351

configure ..................................................... 247

disabling ..................................................... 247

RADIUS Access Request ........................... 247

RADIUS Authenticated Settings dialog ...... 247

RADIUS Authentication Settings ........ 247, 250

RADIUS enabled ........................................ 247

RADIUS protocol ........................................ 247

RADIUS Server .................................. 247, 251

RADIUS server for user authentication ...... 247

RADIUS Server Port................................... 247

RADIUS Support ................................ 247, 250

User Authentication .................................... 247

RADIUS for User Authentication .................... 247

RC4 ................................................................ 329

RC4 128 ..................................................... 329

RC4-MD5 ........................................... 329, 600

RC4-SHA .................................................... 600

rearranging ..................................................... 468

Conditions ................................................... 468

Rebranding ..................................................... 615

Rebranding the Web Transfer Client ............. 615

Reconnect .............................................. 193, 737

Redirect .......................................................... 355

HTTP .......................................................... 355

HTTPS ........................................................ 355

Redirecting HTTP to HTTPS .......................... 355

Refresh ........................................................... 218

refresh rate ..................................................... 266

register ............................................................. 83

ASP ............................................................... 83

Registration Wizard .......................................... 73

Registry Settings .............................................. 81

REIN ............................................................... 313

Reinitialize ...................................................... 313

Release Notes .................................................. 76

Reminding Users when Password is About to Expire .......................................................... 388

Remote Administration ............ 65, 141, 163, 165

Remote Administration FAQ .......................... 165

Remote Authentication Dial In User Service .. 247

Remote Host Address .................................... 702

Remote IP ...................................................... 486

Remote Server ............................................... 171

REMOTE_IP .................................................. 486

REMOTE_MIC ............................................... 486

Remove Server Group ................................... 172

Removing ....................................................... 138

Inactive Administrator Accounts ................. 138

Removing Domain from the User Folder Name .................................................................... 226

Removing Inactive Administrator Accounts ... 138

Removing or Disabling Inactive User Accounts on a Site...................................................... 399

Renaming ...... 172, 186, 409, 415, 416, 468, 777

Event Rule .................................................. 468

Group .......................................................... 409

Physical Folder ........................................... 415

Renaming a File ......................................... 642

Renaming Client Keys ................................ 350

Renaming Folders ...................................... 415

Report ......................................................... 777

Server ......................................................... 186

Server Group .............................................. 172

Virtual Folder .............................................. 416

Renaming a Group ......................................... 409

Renaming a Physical Folder .......................... 415

Renaming a Report ........................................ 777

Renaming a Virtual Folder ............................. 416

Renaming Deleting and Moving a Server ...... 186

Renaming Files Received from AS2 Partners ... 692

Repairing .......................................................... 76

Installation..................................................... 76

Report Filters ................................................. 750

Report Tab ..................................................... 105

Reporting ...... 105, 435, 701, 711, 712, 737, 745, 749, 752, 754, 755, 759, 762, 769, 774, 775, 776, 777, 801, 802

activating .................................................... 720

designing reports ........................................ 768

Importing .................................................... 776

Managing .................................................... 774

Report Action .............................................. 509

Report Content ........................................... 486

Report Date Range .................................... 711

Report Designer 752, 754, 755, 759, 761, 762, 769, 775, 777

Report File .......................................... 486, 774

Report File Name ....................................... 486

Report Filters ...................................... 701, 711

Report Outputs ........................................... 776

Report Wizard ............................ 754, 755, 769

REPORT_CONTENT ................................. 486

REPORT_FILE ........................................... 486

REPORT_FILENAME ................................ 486

Reporting Interface ..................................... 711

Reporting Module ......... 73, 711, 712, 720, 739

Reporting Result Codes ............................. 743

Reports ....................................................... 768

Reports admin ............................................ 130

Require SSL ........................................... 321, 335

Require SSL certificates from connecting clients .................................................................... 321

requirements ........................................ 30, 42, 45

RequireSign ................................................... 657

Reset Messages ............................................ 299

RESET_PASSWORD_AT_FIRST_LOGIN ... 486

Resetting ................................................ 136, 418

Administrator Accounts .............................. 136

VFS Folder Permissions ............................ 418

Resetting EFT Administrator Password ......... 139

Resetting Folder Permissions ........................ 418

Resetting the EFT Administrator Password ... 139

Resetting VFS Folder Permissions ................ 418

REST ..................................................... 308, 313

restart ............................................................. 267

Site ............................................................. 267

Restore .......................................................... 173

Restore Options ............................................. 173

Restore Server Configuration ........................ 173

Restoring Server Configuration ..................... 173

Resubmit icon ................................................ 702

Resubmitting AS2 Transmissions .................. 704

ResultID ......................................................... 743

Resuming Transfers....................................... 636

RETR ............................................................. 313

Reuse ............................................................. 390

password change attempt .......................... 390

RFC959 .......................................................... 313

RMD ............................................................... 313

RMD remote ................................................... 313

RNFR ............................................................. 313

RNTO ............................................................. 313

Rotate Log File ............................................... 212

Routing Outbound Traffic through a Proxy .... 504

RSA ................................................247, 329, 351

RSA Authentication .................................... 247

RSA Authentication Manager ............. 247, 251

RSA Native SecurID protocol ..................... 250

RSA SecurID ..............................247, 250, 351

RSA SecurID authentication ....................... 247

RSA SecurID Authentication Settings ........ 247

RSA SecurID Authentication Settings dialog ................................................................ 250

RSA SecurID Protection ............................. 247

RSA SecurID SD800 Token Automation .... 247

RSA SecurID Software Token Automation . 247

RSA SecurID Supported Features ............. 247

RSA SecurID uses ...................................... 247

RSA Security Console ................................ 250

RSA Server ......................................... 247, 250

Rules ..................................... 465, 468, 508, 543

Actions ........................................................ 543

add .............................................................. 468

delete .......................................................... 465

disable ........................................................ 468

manage ....................................................... 465

rename........................................................ 468

Rule Builder ................................448, 498, 543

Rule list ............................................... 465, 468

Rule Priority ................................................ 468

save ............................................................ 465

Run CScript .................................................... 443

Run Now......................................................... 488

Running .......................................................... 486

Running a Microsoft .NET Web Application in 32-bit Mode in IIS 6.0 on a 64-bit Server ...... 83

Running EFT and Microsoft IIS on the Same Computer ...................................................... 82

S

SAT Event Rules ............................................ 598

Saving ............................................................ 774

Report ......................................................... 774

Saving a Report ............................................. 774

Saving Report Outputs ................................... 776

Scheduler (Timer) Event ................................ 488

Scheduler Timer Event ................................... 488

Script for Creating Necessary ODBC Tables . 245

SDA ........................................................ 574, 812

sdconf ............................................................. 247

sdstatus .......................................................... 247

Searching ....................................................... 273

Site .............................................................. 273

Searching a Site ............................................. 273

834

Searching for Files ......................................... 637

Secondary RADIUS Server Support .............. 247

Secure Deletion ............................................. 402

Secure Hash Algorithm .................................. 349

SecurID .......................................................... 247

SecurID protocol ............................................ 247

Security ... 98, 116, 119, 397, 398, 401, 402, 577, 809

Security Auditing ........................................ 801

Security Best Practices Checklist................. 45

Security Settings ........................ 140, 372, 373

Security Tab ......................... 98, 112, 116, 119

Security Tab of a Site .................................... 112

Security Tab of a User Account ..................... 119

Security Tab of the Settings Template........... 116

Send Notification E-mail ................................ 545

Sending Files to an Antivirus or DLP Server . 603

Sending Files to an AS2 Partner via Event Rules ............................................................ 568, 695

Sending Files via AS2 Partner without Inbound Access ................................................ 568, 695

SendUploadNotification ................................. 598

Serial Number .................................................. 73

Server ...................... 99, 141, 183, 186, 293, 486

configure ..................................................... 141

creating ....................................................... 141

defined ........................................................ 141

delete .......................................................... 186

Moving ........................................................ 186

rename ....................................................... 186

Server Admin ...................................... 123, 135

Server Administration ... 45, 120, 126, 129, 183

Server Administrators ......................... 123, 130

Server Authentication ................................. 233

Server Cluster .............................................. 37

Server Conditions ....................................... 517

Server config .............................................. 140

Server Configuration .................................. 187

Server Configuration Backup ..... 173, 567, 572

Server Events ............................................. 486

Server Global Settings ............................... 121

Server Groups .................................... 172, 186

delete ...................................................... 172

rename .................................................... 172

Server Node ................................... 96, 97, 100

Administration Tab .................................... 97

General Tab .............................................. 96

SMTP Tab ............................................... 100

Server Properties ....................................... 486

server requirements ............................... 42, 45

Server Running .......................................... 486

Server Service Settings .............................. 183

Server Setup .............................................. 141

Server Statistics ......................................... 184

Server Tab .................................................... 93

Administrator............................................. 93

Server Variables ......................................... 477

Server License Information .............................. 34

Server Setup Wizard ...................................... 141

Server Specifications ....................................... 44

Server SSH Key Formats ............................... 342

Server Tab........................................................ 93

Server's AS2 ID .............................................. 702

Server-to-Server Deployment .......................... 37

Service Manager ............................................ 183

Service Started ............................................... 486

Service Stopped ............................................. 486

Session Expired dialog ................................... 619

Session Status ............................................... 619

Session timeout .............................................. 120

Session Timeout ............................................ 620

Set Windows NT Permissions .......................... 79

Setting ................................... 291, 376, 401, 417

Home Folder ............................................... 291

OpenPGP Security ..................................... 401

VFS Permissions ........................................ 417

Setting a User Disk Quota .............................. 293

Setting Folder Permissions ............................ 417

Setting Maximum Concurrent Logins to a Site .................................................................... 373

Setting Maximum Concurrent Socket Connections to a Site ................................. 372

Setting Maximum Connections per IP for a Site .................................................................... 374

Setting Maximum Connections per User (Site Level) .......................................................... 373

Setting Maximum Transfer Size for a User .... 376

Setting Maximum Transfer Speeds for a Site 371

Setting Maximum Transfers per Session for a User ............................................................ 375

Setting OpenPGP Security for the Site .......... 401

Setting the Expired Password Reminder at the User Level................................................... 388

Setting the Home Folder for AD-Authenticated Users .......................................................... 291

Setting VFS Folder Permissions .................... 417

Settings Template 113, 114, 115, 237, 251, 277, 279, 289, 305, 310, 336, 486

Connections Tab ........................................ 115

creating ....................................................... 277

disable ........................................................ 279

enable ......................................................... 279

FTP Settings ............................................... 305

RADIUS ...................................................... 251

Settings Template Tabs .............................. 113

SETTINGS_LEVEL .................................... 486

SETTINGSLEVEL ...................................... 244

Settings Template Home Folder .................... 279

SFTP ...... 73, 303, 321, 340, 344, 345, 349, 350, 351, 352, 366, 486

Configuring ................................................. 344

disable ........................................................ 303

Index

enabling .............................................. 344, 366

Encoding .................................................... 352

SFTP Algorithms ........................................ 349

SFTP Auth .......................................... 303, 345

SFTP Authentication Options ..................... 345

SFTP Config ....................... 344, 349, 350, 351

SFTP encoding ........................................... 352

SFTP Identification String .......................... 350

SFTP key ............................ 321, 340, 344, 351

SFTP Public Key ................................ 340, 345

SFTP Public Key Select ............................. 345

SFTP Settings .................... 344, 349, 350, 351

SFTP Settings dialog ................................. 344

SFTP Transfers .......................................... 352

SFTP/SSH Keys defined ............................ 350

SHA ................................................................ 349

sharing ............................................................. 31

Sharing Folders ...................................... 431, 639

Show Report .................................................. 749

Show VFS Home Folder ................................ 290

Sign Only ............................................... 574, 812

Sign SSL Certificate ....................................... 330

Signature ........................................................ 657

signed certificate ............................................ 324

Signing a Certificate ....................................... 330

Signing key ............................................ 574, 812

silent ......................................................... 85, 180

Silent Installation .............................................. 85

Single Sign On ............................................... 608

Integrated Windows Authentication ............ 608

single-click ..................................................... 608

Single-Sign-On (SSO) Support for the WTC . 608

Site 109, 111, 112, 233, 267, 273, 274, 305, 313, 344, 352, 354, 371, 385, 399, 486

Account Security ........................................ 399

Connections Tab ........................................ 111

Deleting ...................................................... 274

Forcing Password Reset ............................ 385

FTP ............................................................. 305

General Tab ............................................... 109

HTTPS Transfers ....................................... 354

LDAP .......................................................... 233

Network Usage Settings ............................. 371

Password Security Settings ....................... 385

restart ......................................................... 267

Searching ................................................... 273

Security Tab ............................................... 112

SFTP .......................................................... 344

SFTP encoding ........................................... 352

Site Admin .................................................. 130

Site Conditions ........................................... 517

Site Interface .............................................. 109

Site Setup ................................................... 237

Site Statistics .............................................. 268

Site Status .......................................... 267, 270

Site Transfers ..................................... 270, 307


EFT v7.2 User Guide

Site's AS2 Global Identifier ......................... 693

Site's IP Address ........................................ 264

Site's Root Folder ....................................... 263

SIZE ............................................................... 313

Smart Overwrite ............................................. 565

SMNT ............................................................. 313

SMS Authentication ........................................ 251

SMTP ............................................................. 100

SMTP Server Settings .................................... 194

SMTP Tab of EFT .......................................... 100

SOCKS ........................................................... 505

SOCKS Proxy Server ................................. 505

SOCKS Settings ......................................... 505

Socks Type ................................................. 505

SOCKS4 ..................................................... 505

SOCKS5 ............................................. 505, 691

Software ........................................................... 78

Activating ...................................................... 73

Uninstalling ................................................... 78

SOURCE ........................................................ 486

Source Properties .......................................... 486

specifications .................................................... 44

specify .. 141, 191, 195, 279, 289, 307, 327, 344, 345, 349, 376, 402, 421, 574, 660, 664, 693, 812

AS2 ..................................................... 660, 664

AS2 ID ........................................................ 693

Default Paths .............................................. 191

Default Time Stamp .................................... 195

File Deletion Options .................................. 402

IP ................................................................ 376

Listening IPs ............................................... 141

OpenPGP ........................................... 574, 812

PASV .......................................................... 307

PASV IP ...................................................... 307

Settings Template Home Folder ................. 279

SFTP ................................................... 344, 345

SFTP Algorithms ........................................ 349

SMTP .......................................................... 141

SSL ............................................................. 327

User's Home Folder .................................... 289

Virtual Folders ............................................ 421

Specifying a New Local or Remote Host ....... 171

Specifying a PASV IP or PASV Port Range .. 307

Specifying a User's Home Folder ................... 289

Specifying a User's Permission Group........... 296

Specifying File Deletion Options .................... 402

speed .............................................................. 371

maximum transfer speed ............................ 371

SQL Plus tool ................................................. 720

SQL Server............................ 141, 241, 719, 726

SQL Server Authentication............................. 719

SSCN ............................................................. 313

SSH ................. 98, 141, 340, 342, 347, 350, 366

SSH FIPS ................................................... 366

SSH key .............................................. 340, 347


SSH Key Formats....................................... 342

SSH Key Manager.............................. 347, 350

SSH Key Pair ............................................. 347

SSH2 .. 141, 303, 344, 345, 349, 350, 351, 366

SSH2 Key Pair Generation Wizard ............ 344

ssh-keygen ................................................. 342

SSH-protoversion-softwareversion SP....... 350

ssh-rsa ........................................................ 342

SSL . 98, 141, 303, 307, 313, 317, 318, 320, 321, 324, 327, 329, 335, 336, 337, 354, 365, 486, 600

ciphers ........................................................ 329

configuring .................................. 327, 329, 336

details ......................................................... 327

disabling ..................................................... 337

enabled ....................................................... 329

Enabling ............................................. 327, 335

Server ......................................................... 317

Site ............................................................. 317

SSL 2.0 ....................................................... 327

SSL 3.0 ....................................................... 327

SSL Auth .................................... 303, 321, 336

SSL Authentication Options ............... 321, 336

SSL Certificate ........... 318, 321, 324, 328, 336

SSL Certificate Options .............................. 141

SSL Certificate Settings ............. 321, 328, 335

SSL Cipher ......................................... 327, 329

SSL Compatibility ....................................... 327

SSL Connections........................ 329, 337, 600

SSL FIPS .................................................... 366

SSLv2 ......................................................... 329

SSLv3 ......................................................... 327

Using Ciphers ............................................. 329

SSL and EFT ................................................. 318

SSL Certificate Compatibility ......................... 323

SSL Certificate-Based Login .......................... 321

SSL Overview ................................................ 317

SSO ....................................................... 607, 608

Started ........................................................... 486

Starting and Stopping EFT ............................ 182

Starting and Stopping EFT Remotely ............ 181

Starting Sites with EFT Running .................... 267

STAT .............................................................. 313

Statistics ......................................................... 295

Status ..... 107, 120, 192, 268, 270, 486, 619, 702

session ....................................................... 619

Status Bar ...................................................... 120

Status Tab ...................................................... 107

status viewer .................................................. 270

Stop ................................................ 181, 267, 486

EFT ............................................................. 181

Site ............................................................. 267

Stop Action ..................................................... 573

Stop Monitor ................................................... 192

Stop Processing ............................................. 573

Stop Processing Action .................................. 573

Stop Server Service ....................................... 181

Stopping EFT ................................................. 182

Stopping EFT Remotely ................................. 181

STOR ............................................................. 313

STOU ............................................................. 313

Streaming Repository Encryption .................. 419

STRU .............................................................. 313

SUCCESS ...................................................... 705

SuperAdmin ................................................... 123

Support for Foreign Groups ........................... 225

Sysdba ........................................................... 720

SYST .............................................................. 313

System Account ....................................... 79, 720

System Data Source Name............................ 239

System DSN ................................................... 239

System Properties .......................................... 486

System Requirements ................................ 30, 42

System Requirements and Specifications ....... 30

System Requirements for EFT ......................... 42

System Requirements for EFT Web Transfer Client ........................................................... 628

System Requirements for Web Transfer Client .................................................................... 628

systemroot ........................................................ 73

T

tbl_Actions ...................................................... 736

tbl_AdminActions ................................... 736, 769

tbl_AS2Actions ............................................... 736

tbl_AS2Files ................................................... 736

tbl_AS2Transactions ...................................... 736

tbl_Authentications ......................................... 736

tbl_ClientOperations ....................................... 736

tbl_CustomCommands ................................... 736

tbl_EventRules ............................................... 736

tbl_Groups ...................................................... 736

tbl_PCIViolations ............................................ 736

tbl_ProtocolCommands .................................. 736

tbl_SAT_Emails .............................................. 736

tbl_SAT_Files ................................................. 736

tbl_SAT_Transactions .................................... 736

tbl_ServerInternalEvents ................................ 736

tbl_SocketConnections .................................. 736

tbl_Transactions ............................................. 736

Template Settings Admin ....................... 123, 130

Terms and Conditions .................................... 621

Test IP ............................................................ 376

Test IP Connection ................................. 163, 376

Testing the AS2 Outbound Connection ......... 705

The Certificate Manager ................................. 332

The Compound Conditional Statement .......... 516

The Custom Command Wizard ...................... 439

The PCI Data Security Standard .................... 780

The Virtual File System .................................. 411

These Events ................................................. 486

TIME ............................................................... 486


Timeout .......................................... 120, 375, 620

Admin interface .......................................... 120

Timeout Request Header ............................... 357

Timeout Schemes .......................................... 308

timeout setting ................................................ 375

Timer .............................................................. 486

Timer Event .................................................... 488

Timer Rules .................................................... 488

TIMESTAMP .................................................. 486

TIMESTAMP_PRECISE ................................ 486

TLS ........................................................ 317, 327

TLS 1.0 .......................................................... 327

Too Many Connections per Site .................... 505

Toolbar ............................................................. 88

Toolbar Icon ..................................................... 88

Topic Links ....................................................... 31

Sharing ......................................................... 31

Transaction FAILED............................... 684, 705

Transaction Information ................................. 743

Transaction SUCCESS .......................... 684, 705

TRANSACTION_ERROR .............................. 486

TRANSACTION_RESULT ............................. 486

TRANSACTION_VERBOSE .......................... 486

Transfer Files ......................................... 548, 605

Transfer Limits ....................................... 375, 376

Transfer Rate ................................................. 270

transfer status ................................................ 270

Transfer Time ................................................. 270

Transfer-related events .................................. 477

Transferring ............................................ 270, 605

Transferring Files To and From EFT ..... 270, 605

Transferring Files with Event Rules ............... 548

Transferring Files with the Web Transfer Client .................................................................... 633

transfers ......................................... 270, 371, 548

maximum transfer speed ............................ 371

Transport Layer Security ............................... 317

Trial .................................................................. 84

Trial Extension Request ................................... 84

Trial Extension Request Details ....................... 84

Trial Extension Response ................................ 84

Trusted Certificate list .................................... 324

Trusted Certificates 324, 330, 332, 333, 334, 336

Trusted Certificates Database ....... 333, 335, 336

Two DMZ Gateways ........................................ 37

two-factor ............................................... 247, 351

TWOFISH ...................................................... 806

TYPE .............................................................. 313

U

uid .......................................................... 233, 241

unban ............................................................. 376

Understanding LDAP Authentication ............. 231

Unexpected error 0x8ffe2740 occurred ........... 82

Unicode .... 23, 199, 200, 306, 352, 606, 610, 720

Unicode encoded ....................................... 200


Unicode Exceptions .................................... 200

Unicode FAQs ............................................ 610

Unicode Support .........................199, 200, 610

Unicode vs ASCII Support .......................... 610

Uninstall EFT .................................................... 78

Uninstalling ....................................................... 78

Uninstalling the Software ................................. 78

universal ......................................................... 225

universal group ............................................... 225

UNIX Type ...................................................... 313

Unlocking........................................................ 295

User Account .............................................. 295

Unlocking a User Account .............................. 295

Unsigned JAR Files ........................................ 621

Unwanted File Types ..................................... 400

Updating a User Account's E-Mail Address ... 288

UpgradeSchema ............................................ 714

upgrading ................................................. 73, 725

EFT Database ............................................ 720

Large Databases ........................................ 725

Upgrading the Web Transfer Client (HTML5 version) ....................................................... 622

Upload ............................................................ 548

Upload Failed ............................................. 486

Upload Failed Event ................................... 486

Upload Rule ................................................ 548

Uploaded Event .......................................... 496

Upload (Copy/Move) Action ........................... 548

Uploading Files .............................................. 633

Use FIPS ................................................ 365, 366

Use LDAP....................................................... 234

Use RADIUS .................................................. 251

Use SSL ......................................................... 141

Use UTC......................................................... 195

use_registry .............................................. 81, 608

useProtocolForUpload ................................... 803

USER .............................................281, 313, 486

User (Client) Account Configuration .............. 281

User Account ......... 119, 281, 286, 287, 295, 392

AD group name .......................................... 225

Creating ...................................................... 281

Deleting....................................................... 286

disable ........................................................ 119

Disabling ..................................................... 286

Disconnecting ............................................. 375

e-mail .......................................................... 392

Enabling ...................................................... 286

Expiring ....................................................... 287

FTP Settings ............................................... 305

group membership ...................................... 119

lock out ....................................................... 119

Moving ........................................................ 289

password rules ........................................... 119

Unlocking .................................................... 295

User Account Details .................................. 287

User Account Disabled ............................... 486


User Account Locked ................................. 486

User Account Privileges ............................. 719

User Admin ......................................... 123, 130

User Authentication Database ................... 218

User Conditions .......................................... 517

User Connect Failed .................................. 486

User Connected ......................................... 486

User Database Refresh Rate ..................... 266

User Details ................................................ 496

User Disabled ............................................. 287

User Disconnected ..................................... 486

User Disk Quota ......................................... 293

User Events ................................................ 486

User Filter ................................................... 233

User Folder Name ...................................... 226

User Login Credentials Message ............... 298

User Login Failed ............................... 486, 505

User Must Change Password .................... 486

User Node .................................................. 116

User Principal Name .................................. 226

User Properties .......................................... 486

User Quota Exceeded ........................ 293, 486

User Rights Assignment ............................... 79

User Settings Template .............................. 277

User Statistics ............................................ 293

User Tabs ................................................... 116

User Variables ............................................ 477

User's Home Folder ........... 237, 243, 289, 290

User's Permission Group ........................... 296

User Home Folders on an LDAP-Authenticated Site ............................................................. 237

User Home Folders on an ODBC-Authenticated Site ............................................................. 243

User Icons ...................................................... 120

User Limit Message ....................................... 313

UsernameResend .................................. 189, 297

Using a Command in an Event Rule to Copy Files ............................................................ 502

Using a DSN-Less Connection with ODBC Authentication ............................................. 241

Using a SOCKS Proxy Server ....................... 505

Using an Event Rule to Execute a Command (Run a Process) ......................... 448, 498, 543

Using Ciphers for Outbound (Event Rule) SSL Connections ............................................... 600

Using Ciphers for SSL Connections with EFT .................................................................... 329

Using Conditions ............................................ 511

Using Login Credentials ......................... 398, 577

Using Login Credentials in Event Rules 398, 577

Using NT Authentication .................................. 79

Using OpenSSL ............................................. 339

Using OpenSSL to Generate/Convert Keys and Certificates ................................................. 339

Using oSQL .................... 712, 719, 725, 738, 741

Using Report Filters ....................................... 750

Using SSH with Radius/RSA SecurID ........... 351

Using the HS Module with the Secure Ad Hoc Transfer Module ......................................... 803

Using the Knowledge Base .............................. 34

Using Web Services ....................................... 361

Using Web Transfer Client ............................. 486

Using WebDAV .............................................. 357

Using WebDAV with EFT ............................... 357

Using Wildcards ............................................. 576

Using Wildcards with Event Rule Actions ...... 576

USING_WEB_TRANSFER_CLIENT ............. 486

Usr .................................................................. 243

UTC ................................................................ 195

UTF ....................................... 200, 306, 352, 610

UTF8 ................................................ 23, 200, 610

UTF-8 ............................................................. 200

UTF-8 ............................................................. 306

UTF-8 ............................................................. 352

UTF-8 ............................................................. 610

UTF-8-encoded ...................................... 200, 610

V

Valid Auth ....................................................... 657

Valid Authentication Factors .......................... 657

Variables ............................... 477, 486, 548, 695

Verified Download Failed ............................... 486

Verified Download Succeeded ....................... 486

Verified Upload Failed .................................... 486

Verified Upload Succeeded............................ 486

Verify AS2 ...................................................... 708

Verify Only .............................................. 574, 812

Verify Signature ...................................... 574, 812

Verify Signature Only ............................. 574, 812

Version History ........................................... 23, 76

VFS ...... 106, 226, 237, 243, 279, 289, 290, 291, 405, 409, 411, 412, 414, 415, 416, 417, 418, 419, 421, 486

VFS Folder Permissions ................................ 418

VFS Permissions ............................409, 412, 417

VFS Tab ......................................................... 106

Viewing .................. 184, 268, 270, 293, 578, 811

OpenPGP Settings ..................................... 811

Server Statistics .......................................... 184

Site Statistics .............................................. 268

Transfers..................................................... 270

User Statistics ............................................. 293

User's Home Folder .................................... 290

Windows Event ........................................... 578

Viewing a User's Home Folder ....................... 290

Viewing and Changing Key Pair Path Settings .................................................................... 811

Viewing and Removing Commands ............... 447

Viewing Connections to a Site ....................... 269

Viewing Group Membership ........................... 408

Viewing, Importing, Renaming, and Deleting Client Keys ............................................................ 350

Viewing or Modifying MAC Settings ............... 349

Viewing or Modifying Message Authentication Codes (MAC) Settings ............................... 349

Viewing Server Statistics ............................... 184

Viewing Site Statistics .................................... 268

Viewing Transfers To and From a Site .......... 270

Viewing User Statistics .................................. 293

Virtual Destination Path ................................. 486

Virtual File System . 106, 226, 237, 243, 411, 414

Virtual Folder .......... 289, 290, 291, 416, 418, 421

Deleting ...................................................... 416

Renaming ................................................... 416

Specifying ................................................... 421

Virtual Folder Name ....................................... 486

Virtual Folders for SAT Users ........................ 421

Virtual Path .................................................... 486

VIRTUAL_FOLDER_NAME ........................... 486

VIRTUAL_PATH ............................................ 486

VSReport Designer ................ 752, 754, 755, 769

vsrpt8 ............................................................. 752

W

Warnings ................................................ 708, 800

AS2 ............................................................. 708

PCI DSS Violations .................................... 800

Warnings for PCI-DSS Violations .................. 800

Web Client Sessions ...................................... 268

Web Services ................................... 81, 361, 593

Web Transfer Client ....................................... 627

Web Transfer Client Access .................. 360, 613

Web Transfer Client Advanced vs. Basic ...... 627

Web Transfer Client Licensing ....................... 615

Web Transfer Client Limitations ..................... 643

WebDAV ........................................................ 357

webservice ..................................................... 361

WebService URL ................................... 361, 593

WebServices .................................................. 593

WebServiceTimeout................................. 81, 593

WEL ............................................................... 578

What's New? .................................................... 23

whitelisted ...................................................... 376

Windows Authentication ........ 130, 141, 179, 225

Windows Authentication Options ................... 221

Windows Event Log ................................. 75, 578

Windows Event Log Action ............................ 578

Windows Event Log Message ....................... 578

Windows Event Viewer .................................. 217

Windows Local Account Permissions ............ 225

Windows Registry ............................................ 81

Workflow Designer ......................................... 499

Workflows ...................... 499, 502, 545, 739, 813

add ............................................................. 499

Create ......................................................... 499

terminate .................................................... 499

Workspaces ................................................... 423

Workspaces Events ....................................... 511


Workspaces Invitations .................................. 425

Workspaces Notifications ............................... 428

Workspaces Permissions ............................... 426

Workspaces Tab of a Site .............................. 113

Write to Windows Event Log .......................... 578

WSDL ............................................................. 593

WTC Logging ................................................. 631

WTC NTAD ............................................ 394, 620

WTC Versions ................................................ 613

WTCTimeout ............................................ 81, 620

X

x509 ................................................................ 332

xcopy .............................................................. 502

XCRC ..................................................... 310, 313

XCRC Command ........................................... 310

XCUP ............................................................. 313

XCWD ............................................................ 313

XMKD ............................................................. 313

XML ................................................................ 774

XNOP ............................................................. 313

XPWD ............................................................ 313

XRMD ............................................................ 313

Y

Your ODBC Data Source ............................... 244
