Quantcast
Channel: GlobalSCAPE Knowledge Base
Viewing all 785 articles
Browse latest View live

Web Transfer Client Licensing

August 31, 2016, 3:17 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3.2 and later

DISCUSSION

In version 7.3.2 and later, use of the WTC requires the purchase of a license for each user. WTC licenses are defined across all Sites on EFT. The license count applies to all Sites, Settings Templates, and user accounts defined on EFT for whom the WTC is enabled. That total number has to be less than the WTC Client Access Licenses (CAL) purchased. That is, if 30 user accounts have WTC enabled, you must have purchased and activated at least 30 WTC licenses. If you have more users than licenses, all users will see a warning message when logging in. A best practice recommendation is to move users who don't need to use the WTC to a separate Settings Template and disable the use of the WTC on that Settings Template. 

License Status 

You can view the number of licenses purchased in the EFT administration interface (on the main menu, click Help>About) and on theStatus tab.

When upgrading from an earlier version of EFT, your concurrent WTC licenses will automatically convert to CAL as follows:

  • 5 concurrent = 100 CAL

  • 10 concurrent = 500 CAL

  • 20 concurrent = 5,000 CAL

  • 50 concurrent = 25,000 CAL

  • 100 concurrent = 100,000 CAL

If needed, you can purchase unlimited CAL for a Site.

When the Site is stopped and restarted, the license count is not reset. If the warning banner appears, you need to:

Search

Configuration and Security Best Practices

September 13, 2016, 2:35 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

DISCUSSION

Below is a collection of suggestions and guidelines for installing, configuring, and deploying EFT in a production environment, includingbest practices for security.

Development Lab Environment

As with any mission-critical software or hardware, it is recommended that a testing, validation, development, or usability lab be established to provide a "sandbox" into which EFT and DMZ Gateway Server software can be deployed. This initial deployment allows for validation of the interoperability with other dependent components as well the validation of expected usage scenarios.

The lab environment should emulate (if not duplicate) the production environment at a network topography and application level. To do this, a clear vision of the production network and the proposed deployment of EFT and DMZ Gateway must exist. Typical deployments of EFT and DMZ Gateway consist of many other components from the enterprise, including Active Directory Server, SQL Server, SMTP Server, and a storage system such as a SAN. For DMZ Gateway, a firewall such as Microsoft ISA might be applicable. Finally, some deployments also include Clustering, in which case various components are replicated to provide clustered resources.

For increased business continuity and risk mitigation, you should use the development lab environment as the starting point for any configuration changes in the system. That is, make the change in development and validate it prior to making the change in production. A good testing tool is CuteFTP.

Configuration Checklist

The installation and configuration of EFT in either a lab or a production environment should be validated by EFT administrators/operators to ensure that the functions are working as expected.

Service

Make sure that the EFT Server service is started on the computer.

Make sure that the service is listening on the expected IP:PORT socket addresses on EFT. (To view the listening sockets, use "netstat -ona" from a command line or an application such as PrcView orTcpView.)

Check the Event Viewer log to ensure that there are no errors in the Application log related to EFT or DMZ Gateway.

Confirm that the administration interface shows the status of the system when it is launched and connected to EFT.

Server User Management

For each Site on EFT, ensure that the expected user accounts exist.

To ensure that authentication is working as expected, attempt to log in to EFT as a user account on the system (using any protocol).

To confirm that permissions for the user account are working as expected, attempt a file transfer.

Protocol/Network

For each protocol enabled on EFT, attempt a connection directly to EFT using a client that supports that protocol.

For each protocol enabled through DMZ Gateway, attempt a connection to the appropriate DMZ Gateway IP:PORT and confirm that this route works as expected.

Auditing/Logging

View the audit traces generated by the validation steps above. 

Confirm that the Auditing and Reporting module database has been populated with appropriate data (using either EFT Reporting interface or direct access to the SQL Server being used).

Confirm that the text log files generated by EFT have been populated with the appropriate data.

Event Rules/Workflow

 Each customer has a unique set of Event Rule/workflow requirements, but these are the general validation steps. Confirm the following are working as expected:

E-mail notifications. Test e-mail notifications by triggering an Event Rule that has an e-mail notification Action to confirm that Event Rules fire and that the SMTP configuration is correct.

PGP operations. Confirm that OpenPGP keys are configured properly.

Move/Copy/Download actions. Initiate Event Rules that perform remote file uploads/copies/download so that connectivity originating from EFT to a remote system is properly configured. In this step, also confirm that a log file is generated that audits outbound connection information (a "cl*.log" file in the designated Server Log File location).

Custom Commands. EFT is responsible for triggering those external commands, so that is what should be validated with respect to EFT. Any actions carried out by those external tools should be validated independently. Confirm that a "CMDOUT.LOG" file is generated as the result of an invoked Custom Command. 

Folder Monitor Rules. Ensure that the Event Rules are properly enabled and responsive to files added to the folder being monitored.

Failover Testing

For failover cluster deployments, the failover and failback operations of the cluster should be confirmed. After a failover/failback, confirm that the newly active server behaves properly; that is, the failover is transparent and the configuration/operation is as expected. This can be summarized by the prior set of tests operating against the newly active node in the cluster.

Load Testing

If you expect high volumes of traffic or back-end processing within EFT, you should verify that the resource utilization levels on the Server are within acceptable tolerances. There are numerous load-testing tools available, ranging from simple batch files running command-line FTP to highly complex synthetic transaction generators. Globalscape's Quality Assurance team performs load testing of our servers as part of our standard validation process for releasing software.

Numerous other features can be validated within EFT. The above set represents the key elements that are most often used and are the most critical to successful operation in a production environment.

Security Best Practices Checklist

The following settings are recommended for increased security.

Administration Security

Create a specific AD account on which EFT’s service is to run with the minimum necessary permissions.

Create an Event Rule to back up the entire Server configuration to a separate drive at least daily.

Do not use any default administrator names (e.g., "admin").

Do not use the default administration port (1100).

Only turn on remote administration if necessary. If remote administration is needed, then ban all IPs except those trusted IPs necessary to access the server for administration.

Turn on SSL if using remote administration.

Create sub-administrator accounts with the least amount of privileges necessary for help desk or operational administrators.

Do not give sub-administrators access to COM or the ARM (report) module unless absolutely necessary

If giving ARM (report) access to a sub-administrator, use the ReportsConnectionString registry override to define an alternate (least privileged) database connection string for database queries.

Set administrator passwords to expire every 90 days (or according to internal best practices/policies).

Set a complex security scheme for administrator passwords.

Lockout administrators for an extended period after multiple failed login attempts.

Run a PCI DSS report to detect any lax security configuration settings (either manually or on a schedule with an Event Rule).

Periodically check the Globalscape support site for the latest version and upgrade accordingly. One more high priority bug fixes or fixes for security vulnerabilities are often included.

User/Password Security

Expire accounts that are non-active for a specified period.

Set user passwords to expire every 60 or 90 days.

Define complex password security scheme for users.

Prohibit password reuse/history.

When using HTTP/S and/or SFTP protocols, require that the user reset their password upon initial use (requires KIA support by the SFTP client. FTP/S protocol does not support password reset upon initial login).

Briefly lockout users after repeated failed logins.

Automatically ban IP addresses with repeated failed username attempts.

E-mail user login credentials separately or only send username and communicate password via phone or other means (i.e., out-of-band delivery).

File System Security

Segregate user’s folders. (Do not share folders/resources across users when possible.)

Restrict users to their home folders and set the home folder as ROOT for that user.

Use Settings Templates to inherit user permissions rather than modifying them for each user.

Use Groups to simplify control over user access to resources.

Limit resource permissions to the minimum necessary.

Specify a maximum disk space (quota) for each user (or Settings Template).

Auditing Security

Enable verbose logging (Log Type).

Rotate logs daily and encrypt+sign using an Event Rule.

Always use extended auditing (ARM).

Examine audit logs at least weekly for anomalous behavior

Data Security

Encrypt data at rest using EFS encryption, OpenPGP, or 3rd-party encryption.

Keep data separate (DAS/SAN/NAS).

Define data recovery procedures in case of data corruption/loss/theft.

Scan uploaded files for viruses (3rd-party tool required).

Never store data in the DMZ, even temporarily. (Use DMZ Gateway instead.)

Create a legacy data clean-up rule according to your company policy.

Enable data wiping for sanitizing deleted data.

Add a banned file type rule and disallow all extensions except those required by the business.

Protocols Security

Be extremely selective when choosing which IPv4 or IPv6 addresses to bind to for a specific Site (listener). Only bind to IPv6 addresses if your organization is aware of and mitigating against IPv6-specific attacks at the edge of your network.

If possible, allow only secure protocols (SSL, SSH, HTTPS, AS2).

Disable all unused services or features that may adversely affect security, including Web Services, any unused protocol listeners, and using username and password credentials for use in Event Rule context variables, if not needed by any Event Rule.

Always choose the strongest ciphers, hashes, and key lengths; however to mitigate the BEAST exploit, move RC4 (a lesser strength but non-CBC cipher) to the top of the SSL cipher priority list, followed by AES 256, then AES128, etc.

Allow only TLS 1.0 if possible, SSL 3 only if necessary, for Server-wide SSL Security settings. Do not enable Clear Command Channel (CCC) nor unprotected data channel (PROT C).

Disallow site-to-site (FXP) support for FTP/S protocol listeners, and block client anti-timeout attempts.

Have your server’s SSL certificate signed by Certificate Authority (CA).

If possible, require that the connecting clients provide a certificate proving their identify in addition to their authentication credentials.

 

Mask the server's identity by using generic banner messages.

 

Specify a maximum limit for connections and transfers for each user/template.

 

Enable EFT’s Denial of service settings, disconnecting and banning users that issue an excessive numbers of invalid commands (weighted over a given period) and permanently banning IP addresses that exceed the server's Flood/hammer value. Non HTTP/S setups should set the Flood/hammer slider to Very High, vs. the default Medium setting.

 

Specify allowed IP address ranges for user/partner connections when possible, denying connections from all other IP addresses.

Prescriptive Guidance for Maintenance

The following are guidelines for maintaining the good health of an EFT and DMZ Gateway deployment, and reducing long-term costs of maintenance and operation.

  • Configuration Backup - For disaster recovery and business continuity, it is important to keep backups of the Server and DMZ Gateway configuration. Backing up the configuration can be accomplished with a variety of tools such as Symantec Backup Exec, Ghost / VMWare to make images of the system, Globalscape Continuous Data Protection (CDP), or even a simple script file.

  • Database Backup and Truncation - If you are using the Auditing and Reporting module (ARM), the database to which the audit records are stored should include EFT ARM tables as part of the typical database maintenance plan. This includes proper monitoring of the tables and transaction logs, backing up the data and having a retention policy to archive (or purge) old data.

  • Data Archival and Retention - You should put into place and enforce a policy by which old data is periodically archived and/or purged, because no disk is limitless and performance can degenerate as more files are added to EFT. Therefore, a storage management policy should include regular inspection of available hard disk space and health (error count, fragmentation, etc.) as well as archiving and/or purging user data and Server Log Files (CMDOUT.log found in the application folder, and all other logs found in the Log folder specified on the Server).

  • Restarting Services - Given the facility of the Microsoft Cluster in failing over and failing back while providing high resource availability, it is recommended that you design a maintenance schedule in which the EFT service is cycled at least once per quarter to once per month. Failing over to the backup node, restarting the service, then failing back and restarting the other node would suffice in re-establishing a baseline state of the EFT service to ensure optimal health.

  • Event Log Alerting - EFT will log error conditions to the standard Windows Event Viewer. It is recommended that the operations team for an enterprise include EFT error checks in their monitoring techniques, looking for an ERROR event generated with a source of "EFT," "EFT Enterprise," or "Globalscape."

Procedure for Cold Standby Setup

Below are few recommendations for achieving a backup server image that is ready to be turned on quickly and accept "real" traffic.

In all situations, if you are copying a configuration file from one system to another, care must be taken with hardware-specific resources, such as IP addresses, physical paths/partitions, and so on. If possible, it is recommended that the EFT configuration use the generic "All Incoming" IP Address for incoming socket connections so that differences in computer IP addresses do not prevent proper operation of the system if the Cold Standby comes online.

Furthermore, you must take care with the connections and IP-access restriction lists between EFT and DMZ Gateway. If DMZ Gateway is configured to allow only one EFT IP address to connect to it, then the Cold Standby server must have the same IP address to connect; alternately, the DMZ Gateway IP access list must include all possible IP addresses (possibly a Class C subnet) so that multiple servers from the approved network segment may connect.

  • Virtualization Software - A great solution from a cost- and resource-saving standpoint, virtualization software is also quite easy to manage due to the "software" nature of the solution. The approach would be to create an image within a virtual system (using a tool such as VMWare or Microsoft Virtual PC) by installing and activating the EFT or DMZ Gateway software. Once this is done, the steps required to bring the system online include first copying the configuration files (which were backed up using a process described above), then bringing the virtual image online and starting the service.

  • System Backup Software - Another quick and easy option is to create a disk or system image of a configured EFT or DMZ Gateway (using a product such as Norton Ghost); when a Cold standby needs to be "stood up" and made hot, the image can be installed on a computer, backup configuration copied, and the service started.

  • Periodic Backup to Cold Standby Machine - If resources permit, the quickest way to get a "Cold" computer to become "Hot" is to have a computer dedicated to this function. It should have EFT and/or DMZ Gateway installed and activated, but the service should be stopped. A process to copy the configuration periodically from the "Hot" server to the "Cold" server would keep the two in synch, and if the "Hot" system goes down, the "Cold" system can simply start the service.

Can I prevent LDAP users from being synchronized until they log in?

April 12, 2017, 8:13 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7.2 and later

QUESTION

Can I prevent LDAP users from loaded into EFT until they log in?

ANSWER

Create registry setting below to specify whether to load whole LDAP user database into EFT at once or to pull users one-by-one after successful logins.

HKEY_LOCAL_MACHINE\Software\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.0\

Name: IgnoreNeverLoggedInLDAPUsers

Type: BOOL

Values: 0 = load all users (default); 1 = pull users one at a time as they log in

Cached: yes

Backup/Restore: yes

Set the OpenPGP cipher algorithm

April 13, 2017, 7:38 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.2 and later

DISCUSSION

The following registry setting can be used to set the OpenPGP cipher algorithm.

Acceptable values are "CAST5", "3DES", "AES256", "AES192", "AES128", "BLOWFISH", "TWOFISH", and "IDEA". The string values ARE case-insensitive. PGPEncryptingAlgorithm string registry value is reset only if AutoSelectPGPCiphers is set to 0. When set to 0, it will turn off auto-select ciphers. When AutoSelectPGPCiphers is 0 defaults to AES128.

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2\

 PGPEncryptingAlgorithm

Type: TEXT

Default Value: CAST5

Cached: yes

Backup/Restore: yes

AutoSelectPGPCiphers

Description: Enables or disables auto-select PGP ciphers.

Type: bool

Default Value: 1

Cached: yes

Backup/Restore: yes

"MAC check failed" error when connecting to TIBCO Internet Server 7.3.1 using HMAC512.

April 19, 2017, 2:16 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7.2.1 and later

SYMPTOM

EFT logs "MAC check failed" error when connecting to TIBCO Internet Server 7.3.1 using HMAC512.

RESOLUTION

This is not an EFT issue, but an issue with the TIBCO implementation of the SHA2-HMAC-512 algorithm.

To resolve this issue, apply the TIBCO hot fix 7.3.1HF3, which you can request from TIBCO support.

Google issued "Intent to Deprecate and Remove" trust in existing Symantec-issued Certificates

April 19, 2017, 6:37 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6 and later

DISCUSSION

Google has issued an "Intent to Deprecate and Remove" trust in existing Symantec-issued Certificates, requiring that, over time, they be replaced with new, fully revalidated certificates. All newly-issued certificates must have validity periods of no greater than 9 months (279 days) to be trusted in Google Chrome version 61 and later. All Symantec-issued certificates are affected, including GeoTrust and Thawte, which are CAs operated by Symantec. Therefore, in the future, if EFT uses a Symantec-issued certificate, Google Chrome will not trust it. According to Google, "Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."

Refer to the following web pages for details of this issue:

Do you have a compatibility list of mobile browsers that support EFT?

April 19, 2017, 8:36 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™ version 6.5.16 and later

QUESTION

As we want to enable our users to be able to use a mobile browser to access EFT too, I’d like to know if you have a compatibility list of mobile browsers that support EFT?

ANSWER

We provide a secure, native mobile app that works with EFT, called Mobile Transfer Client (MTC), which is available in the Apple and Google mobile app stores.

MORE INFORMATION

We do not formally support any of the native mobile web browsers as most of those do NOT implement the entire HTML 5 spec. If you visit html5test.com in your mobile browser and run the test, the points scored are much lower than when you run the test in your desktop browser. This crippling of html 5 breaks most web apps on such features as the FileSystem API, which will prevent apps like the EFT Web Transfer Client from working perfectly in mobile browsers.

SYSTEM REQUIREMENTS

The MTC was testing on the following mobile operating systems:

  • Android 2.3 or later for general operations
  • Android 3.0 or later, if encrypted data store is required
  • iOS 10 or later 
  • Licensed per user

What is the difference between EFT Event Rules and AWE?

April 19, 2017, 8:59 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™ version 6 and later

QUESTION

What is the difference between EFT Event Rules and AWE?

ANSWER

The EFT Event Rule system is the automation engine in EFT with which you can send email notifications, copy and move files automatically, monitor folder changes, and more than 30 other event triggers and 17 different actions. The Advanced Workflow Engine (AWE) is simply another Event Rule Action that can be added to an Event Rule. The AWE Action provides more advanced and more extensive automation that otherwise would be done in EFT using complex scripting.

Here are just a few of the ways that AWE can automate your business processes:

  • AWE can send an email using Event Rules, and included an attachment, such as a report.
  • AWE can “append” information to a file.
  • AWE can write data into reports in a variety of formats and send the reports to stakeholders.
  • AWE is useful for user provisioning, such as setting up accounts in Active Directory, Exchange, etc. 
  • AWE can manage HR onboarding tasks like collecting data from employee paperwork and sending information to payroll.
  • AWE can automate data extraction from unstructured sources, and other database automation tasks

Refer to https://www.globalscape.com/blog/data-transfer-automation-and-managed-file-transfer to read more about automation in EFT.

Search

Specify OpenPGP compression method

April 19, 2017, 9:25 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT 7.2.9.x, v7.3.6 and later

DISCUSSION

The following registry setting can be used to specify the OpenPGP compression method. This advanced property allows you to default back to the legacy setting of "ZLIB." 

Acceptable values are "ZIP","ZLIB". The string values are case-insensitive. Values other than these will result in no compression taking place. 

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2\

Type: TEXT

Value name: PGPCompressionMethod

Default Value: ZIP

Maximum Length: 255 characters

Cached: yes

Backup/Restore: yes

 

EFT needs to use POST in CIC HTTP requests

April 20, 2017, 7:41 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT version 7.0.3 later

DISCUSSION

When using the Content Integrity Control module with EFT to with AV and DLP tools, EFT needs to use POST in CIC HTTP requests. The advanced property below is used to specify whether to use PUT(0; default) or POST(1) in CIC HTTP requests. Set the value to 1 to use POST in CIC HTTP requests. 

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.0\

Type: DWORD

Value name: ICAPUsePOST

Default Value: 0 

Maximum Value: 4294967295

Cached: yes

Backup/Restore: yes

Service Restart required: Yes

 

How Does Accelerate Licensing Work?

April 24, 2017, 8:35 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™, v7.3 and later

QUESTION

How Does Accelerate Licensing Work?

ANSWER

EFT identifies scClient connections by a unique UserAgent string; based upon a successful login via such a client, EFT creates a cookie-based session for that scClient interacting with EFT.

  • Each such client ties up one available scClient session.

  • During the Trial, you are allowed up to 5 concurrent scClient sessions.

  • When licensed, the serial number for scClient indicates how many concurrent scClient sessions are available.

  • The number of concurrent accelerated transfers is limited by the DEI library, and locked in at DEI license Binding time; our EFT use of DEI doubles the amount of channels in use. So, for example, 128 concurrent accelerated channels on the DEI side means that we can do 64 concurrent accelerated EFT transfers.

  • Each scClient can run up to 6 concurrent tasks (hardcoded). If all of those are Accelerated transfers, then each client can tie up 6 of the available server-side concurrent transfer limit. Thus, if we sold you a license that said “EFT will support up to 50 concurrent accelerated transfers,” then that server can support a limit of 8 scClients performing maximum number of concurrent accelerated transfers (i.e., 8 x 6 = 48).

The Accelerate module is available and fully functional in trial mode for 30 days. After the trial expires, you must provide a serial number to continue using it. (EFT must have access to the Internet to reach our registration server.)

Licensing DMZ Gateway for EFT Enterprise with the Accelerate Module

When licensing DMZ Gateway for EFT Enterprise with the Accelerate module:

  1. Activate DMZ Gateway and the Accelerate module in EFT Enterprise
  2. Install a license file in the DMZ Gateway installation directory 

To activate DMZ Gateway (and the Accelerate module) in EFT Enterprise

  1. Start the administration interface and provide your EFT administrator credentials (created at installation). The Welcome message appears.

  2. Click Enter Serial Number. The Registration Wizard appears.

  3. On the main menu click the product you need to activate and then follow the prompts in the Registration wizard.

To activate DMZ Gateways for EFT Enterprise with the Accelerate module

  1. Provide to your Globalscape point of contact the Listening IP for Acceleration defined in the DMZ Gateway administration interface.

  2. In return, you will receive two files derived from the supplied IP address:

    • DeiLicense.dat

    • FastImpl.dll

  3. On the DMZ Gateway computer, stop the DMZ Gateway server service.

  4. In the \lib folder of the DMZ Gateway installation folder (e.g., C:\Program Files\GlobalSCAPE\DMZ Gateway\lib), replace the file FastImpl.dll with a new version provided by Globalscape.

  5. In the \conf folder of the DMZ Gateway installation folder (e.g., C:\Program Files\GlobalSCAPE\DMZ Gateway\conf), paste your license file (e.g., DeiLicense.dat).

  6. Start the DMZ Gateway server service.

    • DMZ Gateway will log the attempted registration and record its success or failure.

    • Registration is maintained upon upgrade or repair.

    • If the DMZ Gateway's host IP changes, you will need to request a new FastImpl.dll from Globalscape.

Can I customize scClient?

April 24, 2017, 8:46 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™, v7.3 and later

QUESTION

Can I customize scClient?

ANSWER

The EFT administrator can customize the scClient interface graphics separately for each Site on which it is available. The customizable files include:

  • app.ico - This is the small icon that appears in the corner of the title bar. 

  • login-top-image.bmp - This is the Globalscape graphic at the top of the login page.

To customize scClient

(The directory path listed below is the default EFT installation path, \ProgramData\Globalscape\EFT Server Enterprise. Your EFT installation path may be different.)

  1. Use the existing graphics as a "template" to create your own. (That is, make them the same size.)

  2. Create a folder in \ProgramData\Globalscape\EFT Server Enterprise\scClient\ called scClient-site_name. That is, if your Site is called MySite, the folder should be called scClient_MySite. This should be the Site on which you are enabling Accelerate.

  3. Copy the \ProgramData\Globalscape\EFT Server Enterprise\scClient\src\ directory to your new folder.

  4. Copy your customized image files to \ProgramData\Globalscape\EFT Server Enterprise\scClient\scClient_[site’s name]\src\images.

  5. On the Site's Gateway tab, disable Accelerate (clear the check box), and then click Apply. This causes EFT to rebundle scClient files into scClient.exe, a self-extracting archive.

  6. Enable Accelerate (select the check box), and click Apply. This will recompile the scClient.exe module with the new images.

  7. To verify your changes, copy the scClient.exe link to the Clipboard, then paste into your browser and download it. (The DMZ Gateway and the Accelerate module must be activated and enabled.)

To restore original images for the scClient

(The directory path listed below is the default EFT installation path; your EFT installation path may be different.)

  1. Do one of the following:

    1. Copy the backup images (that were made earlier) into the folder C:\ProgramData\Globalscape\EFT Server Enterprise\scClient\scClient_MySite\src\images\

      - or -

    2. Copy images from the following directory:  C:\ProgramData\Globalscape\EFT Server Enterprise\scClient\scClientMaster\src\images

  2. In the EFT administration interface, click on the Site's Gateway tab and disable Accelerated Transfers (clear the check box).

  3. Click Apply, select the check box to turn it back on, and click to Apply again. This will recompile the scClient.exe module with the new images.

  4. Download the latest scClient from EFT using the link provided.

What is stored in the EFT configuration directory?

May 9, 2017, 2:19 am
$
0
0
THE INFORMATION IN THIS ARTICLE APPLIES TO:
  • EFT v7 and later

QUESTION

What is stored in the EFT configuration directory?

ANSWER

The configuration directory for EFT is used to store parameters and settings for running EFT. The EFT server service reads the configuration file when the service starts. The configuration directory, by default is C:\ProgramData\GlobalSCAPE\EFT Server\. (Remember, the ProgramData file is hidden by default, so you have to enable View > Hidden Items in Windows Explorer to make it visible.)

If EFT was not installed in the default installation directory, then you can find the path in the administration interface or the registry:

In the EFT administration interface, in the left pane, click the Server tab > Server node, then in the right pane, click the General tab. In the General Settings area, the path is displayed in Server configuration settings.

The Authentication Provider path can be found by clicking the Server tab > Server node, then in the right pane, click the General tab. Next to User auth manager, click Configure. The Authentication Provider Options dialog box appears and displays the path to the user database.

In the registry, you can see the path to the Config location by expanding HKEY_LOCAL_MACHINE > Software > Wow6432Node > GlobalCAPE, Inc. > EFT Sever 4.0 > Config.

The following files are stored in the configuration directory:

  • FTP.cfg - This file is the main configuration file for EFT. It is an encrypted file that stores the EFT admin username/passwords, Admin socket listener IP/port, ARM database settings, Site names, Site root folder path assignment, Site IP/port assignments, SSL cert/key assignment and location, SFTP key assignment and location, SFTP/SSL key manager (imported keys/certs), IP access/ban list entries, user settings template assignments, user home folder assignments, misc user info (e-mail, full name, description, etc), virtual folder paths, permissions, group assignments, custom commands, Event Rules, AWE task references, and DMZ Gateway configurations. Some of this information has been shifted to the *.db files in 7.3.3.21 and later.
  • Ftp.bak– Automatic backup of the FTP.cfg file.
  • *.aud– Prior to 7.3.3.21, usernames and passwords were stored in this file for Globalscape Authenticated sites. Generally these are stored in the configuration directory, however the path can be changed in the configuration settings for your Globalscape authenticated site.
  • *.clients.db– For 7.3.3.21 and later, usernames and passwords are stored in these database files. These files have a GUID that is associated with a particular site. It is only possible to retrieve this GUID with the COM API. This also contains information on Settings Templates, Site level AS2 settings, and Group settings.
  • EventRules.db– Contains information on the Event Rules that are configured on all Sites.
  • MetaData.db– Stores comments on files in the Web Transfer Client. May be used for more information in later versions.
  • NotificationsDigest.db– Stores information on file uploads for later notification.
  • SiteSettings.db– Stores information on Accelerate and SAML settings. May be used for more information in later versions.
  • Workspaces.db– Stores information on Workspaces such as invitations, files uploaded, per site Workspace settings, and Workspace-specific settings.
  • EFT.log– This file logs information about what is occurring with EFT. It can be configured with the logging.cfg file, which is also in the configuration directory. The location of this log can be changed with logging.cfg, although this is unlikely.
  • Logging.cfg– Changes the behavior of EFT.log, by default it will capture all INFO logging on the server. It includes comments that detail how to change the logging functionality.
  • Dictionary.txt– A dictionary file used to defend against dictionary attacks with the High Security Module.
  • CredentialsEmail.tpl– A template file used to send credentials to users when their accounts are made or their password is changed by an administrator.
  • PasswordResetConfirm.html– A template used when a password reset is requested from the Web Transfer Client login page.
  • UsernameResend.txt– Message sent out by the “forgot username” box on the Web Transfer Client login page.
  • PasswordResetMsg.html– A message sent to a user when their password expires.
  • PasswordResetReminderMsg.html– A message sent to a user when their password reminder period has passed and their password is nearly expired.
  • WorkspaceNotification.txt – Sends a notification to the Workspace owner when an action is taken within the Workspace.
  • WorkspacesAdminAddedParticipantMsg.html– When an internal user is added to a Workspace, this message is sent to notify them that they have been added.
  • WorkspacesInviteRegisterMsg.html– When an external user is added to a Workspace, this is the message that is sent to allow them to register an account in EFT.
  • WorkspacesInviteVerifyMsg.html– This message is sent after an external user registers an account, asking them to verify before they log in and view the shared folder.
  • WorkspacesOAIEmail.html / WorkspacesOAIEmail.txt– This message is sent to a user when the Workspaces send functionality is used to send them a file.
  • Pubring.pgp– Stores the public keys for PGP keys on your keyring.
  • Secring.pgp– Stores the private keys for PGP keys on your keyring.
  • /HTTPMessages– Allows for customization of HTTP error messages emitted by the Web Transfer Client.
  • /Logs– By default, stores the client-side activity logs that are created by event rules, the server side activity logs that are generated when users access EFT via any protocol, and the TED6 logs, which show more detailed information for client-side activity. Only failures are stored for TED6 logs unless a registry edit is made.
  • /Oracle– Contains files for creating, upgrading, modifying the database to use an ODBC data source for authentication, and purging Oracle databases for use with the Auditing and Reporting module.
  • /SQL Server– Contains the files for Microsoft SQL Server for the above tasks.
  • /scClient– Stores files related to the Accelerate module. When a client is generated for use with Accelerate, it will be put here.
  • /Reports– Stores files for the Reports tab in EFT, for use with the Auditing and Reporting Module. These are XML files that are used with the VSReport utility to create PDF and HTML output of useful information from the ARM database.
  • /GeneratedReports– Generated reports are stored here.
  • /Backup– Automatically created “Backup and Cleanup” rule files are stored here.
  • /AWE– Stores AWE .aml files. /Temp in this folder is where the AWE logging is saved, by default.

There may be folders created with an EFT version then “Configuration Backup” and the date as their title. (For example, EFT Server Enterprise 7.3.6.17 Configuration Backup 05-08-2017_10_53_10) These folders contain some files that are backed up automatically when an upgrade or restore is performed.

Can scClient transfer more than one file at a time?

July 5, 2017, 1:55 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™ version 7.3 and later,

QUESTION

Can scClient transfer more than one file at a time?

ANSWER

Yes, scClient can open multiple concurrent connections, and each connection ties up a license on the server to which it connects. The client side (scClient or Event Rules) of Acceleration has no limits; it is all server-side limits.

Each scClient can run up to 6 concurrent tasks. This limit is hardcoded (i.e., not configurable). If all of those tasks are accelerated transfers, then each client can tie up all 6 of the available server-side concurrent transfer limit. Thus, if you had a license that said “EFT will support up to 50 concurrent accelerated transfers,” then that server can support a limit of 8 scClients, each performing a maximum number of concurrent accelerated transfers (i.e., 8 x 6 = 48). The acceleration client will perform, at most, 6 concurrent transfers at a time. All other transfers are added to a queue and must await one of the 6 slots to become available for transfer. scClient has some logic built in to only accelerate large file transfers (not directory listings nor files less than 1MB). Each Event Rule accelerate offload connection ties up a license on the server to which it connects.

See also How Does Accelerate Licensing Work?

Reading the Event Rules XML files

August 7, 2017, 8:53 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.2 and later

DISCUSSION

EFT version 7.2 and later provide the ability to export and import Event Rules. The Event Rules are imported and exported as XML files. You can open XML files in any text editor, such as Notepad, a browser, or applications specially made for viewing XML files.

NOTE: EFT does not offer a way to create a report of all of the Event Rules that you have defined. The reports that we have defined in EFT are for activity, not for configuration. If necessary, you can engage Globalscape Professional Services to see if they have a solution for you.

XML is similar to HTML in that they both use a beginning and an ending tag around some text. For example, in HTML, you would see <h2>This is my title</h2> to apply a specific heading format to the text between the tags. In XML, the tags aren't for formatting but for identifying the content between the tags. In Event Rules, the XML tags tell EFT what the Event Rule is supposed to do. For example, in an exported Event Rule, if you see <EventType>FileUploaded</EventType> , that means that this is a "File Uploaded" Event Rule.

XML tags are often grouped together between <item></item> tags. The tags generally have intuitive names. For example, the "Failed Actions" Action needs to know:

  • What type of Failed Action it is: <Type>Stop</Type>
  • What the result of that Failed Action should be: <Result>StopThisRule</Result>
  • Whether it is enabled <Enabled>false</Enabled>.

They are all grouped between <item> tags within the <FailedActions> tags as shown:

<FailActions>
     <item>
          <Type>Stop</Type>
          <Result>StopThisRule</Result>
          <Enabled>false</Enabled>
     </item>
</FailActions>

As you might imagine, the XML file can get quite lengthy for complicated Event Rules, such as the default "Backup and Cleanup" Event Rule in EFT Enterprise. For that reason, it is not usually recommended that you view or edit the XML files outside of EFT. However, if you want to edit the file before importing it into another EFT, it is important to make backup copies and to understand what it is that you are editing. It's very easy to accidentally delete a closing bracket of a tag or forget to close a tag. After you import an Event Rule, it is very easily edited within the Rule Builder, which is the recommended procedure to avoid errors.

For help regarding importing and exporting Event Rules, refer to "Exporting and Importing Event Rules" in your version of EFT help, or contact Support.

 

 

Search

Triggers in EFT Folder Monitor rules will not work with Hitachi NAS devices

August 8, 2017, 2:38 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

SYMPTOM

Hitachi Network-Attached Storage (HNAS) devices do not support file change notifications over the Server Message Block (SMB) protocol. The HNAS device does not return a list of changes under its subdirectories. Instead it returns an empty response with “ERR_NOTIFY_ENUM_DIR,” which is intended to indicate to the client that it needs to enumerate the directory and discover the changes for itself.

For this reason, Folder Monitor Triggers in EFT Event rules will not work with Hitachi NAS devices.

WORKAROUND

Refer to the links below for information about using the HNAS-level auditing as a workaround for the desired audit information.

MORE INFORMATION

For more information about file system auditing, refer to the following links in the Hitachi knowledgebase:

File System auditing

Management Auditing Events

Can EFT help me comply with HIPAA rules?

August 10, 2017, 9:41 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT™ version 7 and later

QUESTION

Can EFT help me comply with HIPAA rules?

ANSWER

Yes, EFT can address the HIPAA Technical Safeguards. The Administrative Safeguards, Physical Safeguards, and any policies, procedures, or training require measures external to EFT. For a detailed HIPAA checklist, refer to IHS HIPAA Security Checklist. The Technical Safeguards are listed below.

HIPAA Security RuleSafeguardHow EFT Addresses the Rule
164.312(a)(1)Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights
164.312(a)(2)(i)Have you assigned a unique name and/or number for identifying and tracking user identity? EFT enforces unique usernames for users and administrators, provides granular administrative controls over user provisioning and authorization allows user and admin account revocation, provides automatic removal of inactive users after 90 days, includes controls for temporarily enabling/disabling users, auto-locks users after six failed login attempts either for a period of time or permanently until the admin unbans the IP address.
164.312(a)(2)(ii)Have you established (and implemented as needed) procedures for obtaining for obtaining necessary EPHI during an emergency?Requires measures external to EFT
164.312(a)(2)(iii)Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity?EFT automatically expires session after a set period of inactivity
164.312(a)(2)(iv)Have you implemented a mechanism to encrypt and decrypt EPHI?Encrypt EPHI or other sensitive data using the EFT OpenPGP encryption module or third-party encryption utilities. Secure protocols such as SSL, TLS, and SFTP (SSH2) are provided for data transmission.
164.312(b)Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI?Reports of all activity (including administrator actions) within EFT can be generated on demand with the Auditing and Reporting Module. EFT will audit all user access to data, and all administrator changes to configuration settings. Access to audit trails, invalid logical access, authentication mechanisms, object creation, and initialization of audit log is managed at the database server. EFT audits user identity, type of transaction, date and time of transaction, transaction result, remote and local IP, and objects affected.
164.312(c)(1)Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction. 
164.312(c)(2)Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner?    
The Content Integrity Control module is used in EFT Event Rules to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification.
164.312(d) Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access EPHI is the one claimed?EFT supports various combinations of password, certificate, two-factor, and public-key authentication mechanisms, secures passwords during transmission (assumes SSL or SSH), and storage (with a one way [uniquely salted] hash), verifies identify before allowing password reset or lost username retrieval according to OWASP guidelines, includes minimum length and a number of complexity options, expires and forces password change after 90 days , disallows password re-use, internal dictionary match, or username match, and can force first time use password reset.
164.312(e)(1) Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
164.312(e)(2)(i)Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? The Content Integrity Control module is used in EFT Event Rules to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification. The EFT Auditing and Reporting Module logs, tracks, and reports on all file transfers, access, admin activity, and user activity
164.312(e)(2)(ii)Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate?EFT provides FIPS-compliant ciphers for encrypted transfers. Encrypt EPHI or other sensitive data using the EFT OpenPGP encryption module or third-party encryption utilities. Secure protocols such as SSL, TLS, and SFTP (SSH2) are provided for data transmission.

 


Clients uploading thousands of files/folders to EFT can be adversely affect the performance and stability of the server.

August 29, 2017, 2:54 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4 and later

SYMPTOM

Clients uploading thousands of files/folders to EFT can be adversely affect the performance and stability of the server.

  • Low impact - Clients begin to experience sluggish response times (slow listings, client takes a while to load, etc).

  • Moderate impact - The large directories and listings cause an impact in the File System I/O and/or consume excess network utilization.

  • High Impact - Repeat listings of large directories are requested faster than EFT can respond, causing high memory consumption and crashing

WORKAROUND

EFT's File System logging is configurable so that an WARN level log can be written if the number of files/folders in a listing exceeds a certain threshold. This threshold is configurable via the following registry override:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Type: DWORD

Value name: FileSystemItemThreshold

Default Value: 5000

Cached: yes

Backup/Restore: yes

MORE INFORMATION

Beginning in EFT v7.2.8, new File System logging was introduced to track numerous file system operations, such as:

Operation: "CheckPermissions"
Operation: "FolderExists"
Operation: "GetFolderListing"
Operation: "GetListingEntry"
Operation: "GetRealPath"
Operation: "GetFileSize"
Operation: "LockFile"
Operation: "OpenFile"
Operation: "UnlockFile"

This logging is helpful in diagnosing many types of issues and can help identify and resolve issues related to lock/unlock operations that are causing unresponsive servers. Because EFT is capturing the number of items in the listing, EFT can use this information to preemptively WARN the admin of large listings before they become a larger problem.

Workspace invitation sender's email address

September 13, 2017, 1:59 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3.7 and later

DISCUSSION

When inviting someone to a Workspace in EFT v7.3.7 and later, the invitee receives the email from the sender's address, rather than from the email address set as the default in EFT SMTP settings. This can be controlled via registry.

HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 7.2\WSInviteFromAddrUseOwnerEmail=1

0 = disabled, 1 = enabled (use sender's email address)

Ignore Modify date/time command in FTP/S and SFTP to prevent users from modifying date/timestamp of files

September 13, 2017, 2:04 am
$
0
0

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3.7 and later

DISCUSSION

In EFT v7.3.7, we added an option to disregard the "Modify Date/time" command in FTP/S and SFTP to prevent users from modifying date/timestamp of files. This can be activated via registry entries as shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 7.3\FTPDiscardClientTimestamp=0

HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 7.3\SFTPDiscardClientTimestamp=0

0 = disabled, 1 = enabled (disregard command)

Viewing all 785 articles
Browse latest View live
Search