Channel: GlobalSCAPE Knowledge Base

Prevent the password confirmation email from being sent when a user is not authorized to reset the password


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3.7 and later

DISCUSSION

In EFT 7.3.7, we added a registry setting to prevent the password confirmation email from being sent when a user is not authorized to reset the password, as shown below:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.3

Type: DWORD

Key: PreventPasswordResetUnauthorizedEmail

Values:

  • 0 - Default (current) behavior. When the workspace invitation is sent by a user, the recipient receives it from the SMTP server, but when a user sends an email using EFT-Send, the recipient receives the mail from the sender's email address.
  • 1 - Recipient receives the mail/workspace invite from the SMTP server.
  • 2 - Recipient receives the mail/workspace invite from the sender's email address.

EFT server service randomly crashes after upgrading


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3.5.4 and later

DISCUSSION

After upgrading from EFT v6.5 to EFT v7.3.5.4, a customer reported that the EFT server service would "randomly crash." Upon researching the issue, it was discovered that when the Site was restarted, the scClient was being re-bundled. After multiple Site restarts, the EFT service would crash due to an out-of-memory (OOM) exception caused by excessive ScClientBundler::BundleThreadProc threads. To address this issue, enable the registry setting described below.

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.3\

Key: LimitscClientBundle

Type: DWORD

Value: Defaults to 0 (Unlimited). Any non-0 value will limit the number of rebundles attempted.

Append computer name to default log file for nodes

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.3 and later

DISCUSSION

When collecting log files for clusters, it is easy to mix up logs from the different nodes. You can manually rename a file, or a folder can be created for each node to hold its log files. Instead, you can configure the EFT logging system to automatically append the computer name to the log file name.

This can be done entirely through settings in the logging.cfg file by changing the following line:

log4cplus.appender.RootFileAppender.File=${AppDataPath}\EFT.log

to

log4cplus.appender.RootFileAppender.File=${AppDataPath}\EFT-${COMPUTERNAME}.log

This will result in log file names similar to “EFT-COMPA.log”. The rolling file numeration appended to the name will remain the same, e.g., "EFT-COMPA.log.1."

Protect against various forms of DDoS attacks in the Workspaces Drop-Off portal


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.2.4 and later

DISCUSSION

The following registry settings are available for EFT to protect against various forms of DDoS attacks in the Workspaces Drop-Off portal.

In HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4\, create the values below.

Create the EFT Server 7.4 key if it's not there.

Captcha:

Type: DWORD

Value name: MaxReCaptchaParallelRequests

Default Value: 30

Cached: yes

Backup/Restore: yes

Max Captcha request timeout in seconds:

Type: DWORD

Value name: MaxReCaptchaRequestTimeoutInSecs

Default Value: 30

Cached: yes

Backup/Restore: yes

Maximum anonymous uploads size in GB.

(Drop-Off send and anonymous reply; Site connection limits and banned file types defined at Site level apply, i.e., Max connections from same IP, Max concurrent socket connections.)

Type: DWORD

Value name: MaxAnonymousAllUploadsSizeInGB

Default Value: 10

Cached: yes

Backup/Restore: yes

In the odd case where MaxAnonymousAllUploadsSizeInGB is set to a value that is smaller than the per-message max limit, EFT will encounter the "max all message size limit" and return an appropriate error. Then, on service startup or when "Per message max limit size" is changed, EFT will write to eft.log that there is a conflict: "MaxAnonymousAllUploadsSizeInGB is set to value that is LESS than the maximum allowed message size set under drop-off portal settings."

Maximum number of concurrent anonymous delivery requests that can occur on a Site at any one time.

The count of anonymous requests includes all forms of anonymous submissions, including Drop-Off and Reply portals. It also applies to anonymous replies (i.e., where the Send portal was used and the recipient is anonymous and was granted permission to reply).

Type: DWORD

Value name: MaxAnonymousRequests

Default Value: 50

Cached: yes

Backup/Restore: yes

Notes:

If WTC/Workspaces tries to upload file(s) greater than MaxAnonymousAllUploadsSizeInGB, EFT doesn't allow the upload based on the registry settings and hence uploads fail.

Maximum concurrent socket connections do not apply to anonymous connections.

(There is no 32-bit version because there is no 32-bit OS supported.)

After the first 1000 IP address entries in the IP Access List in EFT, the IP addresses are not blocked when DMZ Gateway is used


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v6.4 and later with DMZ Gateway

SYMPTOM

In the IP Access List in EFT, any "banned" IP addresses beyond the first 1000 are not blocked when DMZ Gateway is used. Those addresses would still pass through to EFT.

WORKAROUND

Update the DMZ Gateway configuration to allow more than 1000 banned IP addresses.

To update the DMZ Gateway configuration

  1. Open the DMZ Gateway configuration file, <InstallDir>\conf\DMZGatewayServerService.conf, in a text editor.
  2. Add the following as a new line:

    wrapper.java.additional.X=-DNetworkAccessPolicyExceptionLimit=Y

    Where X is the next incremental value past the highest existing additional property, and Y is the new limit.

    Refer to KB article #11270, which describes a similar configuration option, as the model for passing values to the JVM.

MORE INFORMATION

The DMZ Gateway has an upper limit on the size of the banned IP list that defaults to 1000. When using DMZ Gateway, IP address restrictions are applied at the DMZ Gateway, not on EFT. Therefore, when you have more than 1000 blacklisted (or banned) IP addresses, you must update DMZ Gateway properties to allow it.

See also KB article 10877, Adjust IP Access Rule Count Limit and IP Auto Ban List limit.
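The following is an added example, not Globalscape code: a Python sketch that reads the text of DMZGatewayServerService.conf, reports how many banned addresses would fall outside the configured limit (and so pass through to EFT), and writes the new property at the next index as the workaround describes. The function names and the sample configuration are assumptions made for illustration.

```python
import re

# Active (uncommented) Java Service Wrapper lines of the form
#   wrapper.java.additional.<N>=<JVM argument>
ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
PROPERTY = "-DNetworkAccessPolicyExceptionLimit"
DEFAULT_LIMIT = 1000  # default stated in the article

# Constructed sample; the two -Dexample properties are placeholders.
SAMPLE_CONF = (
    "# Constructed sample, not a real DMZGatewayServerService.conf\n"
    "wrapper.java.additional.1=-Dexample.first=a\n"
    "wrapper.java.additional.2=-Dexample.second=b\n"
    "#wrapper.java.additional.7=-Dexample.disabled=c\n"
)


def _additional_args(conf_text):
    """Yield (line_number, index, jvm_argument) for each active additional property."""
    for line_no, line in enumerate(conf_text.splitlines()):
        match = ADDITIONAL.match(line)
        if match:
            yield line_no, int(match.group(1)), match.group(2)


def configured_limit(conf_text):
    """Return the ban-list limit set in the conf text, or the default of 1000."""
    limit = DEFAULT_LIMIT
    for _, _, arg in _additional_args(conf_text):
        name, _, value = arg.partition("=")
        if name == PROPERTY and value.isdigit():
            limit = int(value)
    return limit


def unenforced_entries(conf_text, banned_count):
    """Number of banned addresses beyond the limit, i.e. not blocked at the gateway."""
    return max(0, banned_count - configured_limit(conf_text))


def set_limit(conf_text, new_limit):
    """Return conf text with the limit set to new_limit.

    An existing entry is updated in place so the property never appears twice;
    otherwise a line is appended at the next index past the highest one in use.
    Commented-out lines are ignored when looking for the highest index.
    """
    if new_limit < 1:
        raise ValueError("limit must be a positive integer")
    lines = conf_text.splitlines()
    highest = 0
    existing = None
    for line_no, index, arg in _additional_args(conf_text):
        highest = max(highest, index)
        if arg.partition("=")[0] == PROPERTY:
            existing = (line_no, index)
    if existing is not None:
        line_no, index = existing
        lines[line_no] = f"wrapper.java.additional.{index}={PROPERTY}={new_limit}"
    else:
        lines.append(f"wrapper.java.additional.{highest + 1}={PROPERTY}={new_limit}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unenforced_entries(SAMPLE_CONF, 1500), "entries not enforced before the change")
    print(set_limit(SAMPLE_CONF, 5000), end="")
```

Comparing the count of banned entries in EFT against `configured_limit` after each bulk import of addresses catches the case where the list has quietly outgrown the gateway's limit.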

Registry settings for HA server drain and coherence


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.2 and later

DISCUSSION

The following registry settings are available for HA server drain and coherence:

DrainingTimeoutSecs

  • Draining timeout in seconds allows you to adjust the time for ongoing event rules and transfers to complete before draining starts.

  • Default is 900 seconds (15 minutes).

  • Maximum is 86400 seconds (24 hours).

  • If set to 0, then immediately shut down and do not drain.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\DrainingTimeoutSecs=900

ClusterOutOfSyncHealSecs

  • Amount of time in seconds that an HA node will wait for incoming administrative messages to arrive before declaring itself to be out-of-sync with the cluster and initiating draining and restart.

  • Default is 30 seconds.

  • If out of sync is detected, the node attempts to heal; if it can heal within the timeout period, the system resyncs and continues to operate as expected.

  • If out of sync is detected and cannot be repaired within the heal timeout period, the node will enter drain mode and then restart the service.

  • If set to 0, then do not attempt to heal; continue to operate the node out of sync.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\ClusterOutOfSyncHealSecs=30

ClusterCoherenceQueueMsmqType

  • MSMQ Broadcasting is the default. The TCP method of broadcasting ftp.cfg changes was developed for environments that do not support multicast (e.g., Azure and vMotion). Although AWS does not support Multicast, this was developed prior to the support of this option and so uses the AWS SQS/SNS services for now.

  • To use TCP instead of MSMQ Broadcasting, set the Advanced Registry key ClusterCoherenceQueueMsmqType to msmq-iterative.

  • To use MSMQ Broadcasting, either delete the key or set ClusterCoherenceQueueMsmqType = msmq-broadcasting.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\ClusterCoherenceQueueMsmqType=msmq-multicast

ClusterCoherenceQueueDetectPrivateIP

  • Used to explicitly define the IP/Subnet via registry entry/advanced property, localized per node.

  • The key should be created in the EFT Server 7.4 registry location.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\ClusterCoherenceQueueDetectPrivateIP=autodetect

  • It can either be set to autodetect (which is the default, which causes it to find and use the first private subnet it finds), or it can be set to the prefix of the interface to use (e.g., "192.168.0", "192.168." or "192.168"; just the prefix of the subnet, with no quotes).

  • Changes made in the registry are recorded in the ActiveNodes.json (located in the HA cluster's Shared configuration folder), which is used automatically by the EFT nodes to pass information between themselves and should not be edited.

  • If you do not choose to use the default subnet on a particular EFT node, that node will simply place the IP address you put for the advanced properties key in the “IP” field. That IP address will be the one the other nodes use to try to talk to it.

Copy/Move action does not work correctly when custom credentials are used for Local transfers


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

SYMPTOM

Copy/Move action does not work correctly when custom credentials are used for Local transfers.

RESOLUTION

If you specify "Local (Local files or LAN)," under the Optional credentials override, provide the Windows account username and Password for connecting to the remote share (not local folders).

  • These credentials are used for the remote destination folder ONLY for copy/move actions. The source (Local) folder will still use EFT server service account at all times. (When using Download (PULL) Actions over LAN, the same concept applies, but credentials will be used for the source directory and EFT server service account for the destination.)

  • Only if/when a resource cannot be accessed using the credentials under which the EFT service is running do you need to include the optional credentials. The Optional credentials override feature allows you to specify an alternate set of logon credentials for accessing the destination network shares to which the EFT service account may not have access (due to security constraints).

  • If alternate credentials are specified, EFT will use its current security token (associated with the "Log on as" account specified in the EFT server service settings) for LOCAL folder access and then a new security token (associated with the alternate logon credentials) for the remote destination folder accessed over network connections (e.g. network shares).

Think of Local Transfer as an operation (offload or download) with a remote server.

Think of "Optional credentials override" as "credentials to access remote server."

For download action, it is "credentials for source folder."

For copy/move (offload), it is "credentials for destination folder."

 

"Credentials to access local folder" ("source" for offload and "dest" for download) is Event Rule execution context (EFT account, or Folder Monitor account for FM rules, or Connected Client account for client-originated rules on an AD site):

  • Offload: local (EFT) => remote ("override credentials")

  • Download: local (EFT) <= remote ("override credentials")

TEST1: Offloads file from "local" Share A (access as EFT account, i.e., X) to "remote" folder B (access as Y) => Fails, as X has no permissions on A.

TEST2: Downloads file from "remote" Share A (access as Y) to "local" folder B (access as EFT account, i.e., X) => Succeeds, as Y has permissions on A and X has permissions on B.

Specifying a Remote Agent template for a user account causes the selected user account to disappear


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4.5.6

SYMPTOM

Specifying a Remote Agent template (e.g., %AgentTemplate%Template) for a user account causes the selected user account to be removed from the UI.

WORKAROUND

Do not select a Remote Agent template for a user account.

MORE INFORMATION

The Remote Agent templates should not be available when selecting Set User Settings Template. This is expected to be fixed in the next release.


CuteFTP can't start; missing DLL

DMZ Gateway administration interface fails to launch on SUSE Linux


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • DMZ Gateway, all versions

SYMPTOM

The DMZ Gateway administration interface fails to launch and displays a warning timeout of 90 seconds waiting for JVM to start. On other Linux boxes such as CentOS, RHEL, and Ubuntu the DMZ Gateway administration interface launches without error.

WORKAROUND

On the SUSE Linux operating system, you must be logged in as root to launch the administration interface.

Trying to connect to a remote server using SFTP with EFT and cannot list the folders; upload fails


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

DISCUSSION

Trying to connect to a remote server using SFTP with EFT and cannot list the folders; upload fails with message "Failed to retrieve folder listing."

To upload to remote servers over SFTP, set the following registry entry to 0:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0

Type: REG_DWORD

Value name: EnableCreateRemotePathForSFTP

Values: 1 - enable (Default); 0 - disable

Bleichenbacher's ROBOT Vulnerability


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT and EFT Enterprise, all versions

DISCUSSION

The "ROBOT Vulnerability" (CVE-2017-13099) is a serious vulnerability with SSL/TLS. "Bleichenbacher’s Oracle Threat" is an older vulnerability that affected SSL encryption and has recently resurfaced to affect TLS encryption. The vulnerability allows attackers to break the confidentiality of TLS-based connections. What this means for data is that an attacker can record traffic and will later be able to decrypt and view it in plain text.

EFT supports TLS connections for HTTPS and FTPS. The ROBOT vulnerability only affects RSA encryption key exchange. EFT has the ability to independently enable and disable the RSA key exchange so that it can be set across the server. Because of the vulnerability at hand, it is highly recommended that you verify that the RSA key exchange is disabled or disable it if it isn’t already.

This does not affect RSA with regard to user authentication in EFT. The workaround below disables RSA only as a form of key exchange, which occurs before user authentication and won’t have any negative effects on RSA authentication in EFT.

WORKAROUND

  1. Log in to the EFT administration interface, and click the Server tab.
  2. In the left pane, click the server node.
  3. In the right pane, click the Security tab.
  4. Under SSL Compatibility, Allowed ciphers, expand the Key Exchange node, and clear the check box to disable RSA, if selected.
  5. Choose Apply at the bottom to save your changes.
  6. You will be prompted to restart all Sites. Click Yes to restart.

The following screenshot shows the section described in the above steps with RSA unselected.

The bottom portion of the above screenshot shows a set of ciphers that will pass when RSA is cleared, although yours may vary.
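To confirm the workaround took effect, the check below is an added example (not Globalscape code) in Python: it separates cipher suites that use RSA key exchange from suites that only use RSA for authentication, and offers a handshake probe for your own server that offers RSA key exchange suites only. The function names and the sample suite list are assumptions; the probe covers HTTPS and implicit-TLS ports, not explicit FTPS.

```python
import socket
import ssl

# Constructed sample: suites a scan of a server might list as accepted (IANA names).
SCAN_RESULT = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]


def key_exchange(iana_suite):
    """Return the key-exchange part of an IANA cipher suite name, or None.

    TLS 1.2 and earlier names read TLS_<key exchange>[_<auth>]_WITH_<cipher>.
    TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no such part and never
    use RSA key exchange.
    """
    name = iana_suite.strip().upper()
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None
    return name[len("TLS_"):name.index("_WITH_")]


def uses_rsa_key_exchange(iana_suite):
    """True for TLS_RSA_WITH_*, TLS_RSA_EXPORT_WITH_* and TLS_RSA_PSK_WITH_* suites.

    TLS_ECDHE_RSA_WITH_* and TLS_DHE_RSA_WITH_* return False: there RSA only
    signs the handshake and is not used to encrypt the premaster secret.
    """
    kx = key_exchange(iana_suite)
    return kx is not None and (kx == "RSA" or kx.startswith("RSA_"))


def robot_relevant(suites):
    """Return the suites from a scan result that still rely on RSA key exchange."""
    return [s for s in suites if uses_rsa_key_exchange(s)]


def negotiates_rsa_key_exchange(host, port=443, timeout=5.0):
    """Offer only RSA key exchange suites; return the negotiated suite or None.

    None means the server refused the handshake, which is the expected result
    once RSA is cleared under Key Exchange. Certificate checks are turned off
    because the probe sends no application data and only observes whether the
    handshake completes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # RSA key exchange does not exist in TLS 1.3
    ctx.set_ciphers("kRSA")  # raises ssl.SSLError if the local OpenSSL offers none
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):
        # Handshake alert or reset: no RSA key exchange suite was accepted.
        return None


if __name__ == "__main__":
    for suite in robot_relevant(SCAN_RESULT):
        print("RSA key exchange still accepted:", suite)
```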

 

Event rules logged twice when Folder Monitor Event Rules reconnect after a failed health check


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

SYMPTOM

Event rules logged twice when Folder Monitor Event Rules reconnect after a failed health check.

WORKAROUND

The duplicate logs are created after reconnecting all folder monitors. The reconnecting process can be started from DirectoryWatcher ("classic reconnect") or from ReconnectedNotification ("reconnect all folder monitors"), and the two are executed in parallel. Depending on which process is the first to complete, you will see in the log either a double entry or an error. These duplicates are a side effect of the current Folder Monitor design, though Folder Monitor itself works correctly. (The duplicate logs are preferable to the risk of a server service crash or deadlock.)

See also https://kb.globalscape.com/KnowledgebaseArticle10682.aspx and https://kb.globalscape.com/KnowledgebaseArticle10696.aspx.

How do I configure a firewall for MSMQ access in AWS?

Is EFT affected by the recent “Meltdown” and “Spectre” vulnerabilities?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION

Is EFT affected by the recent “Meltdown” and “Spectre” vulnerabilities? If exploited, can attackers gain access to protected information stored in memory? And if patched, what is the impact to performance?

ANSWER

No, EFT itself is not directly affected by the Meltdown or Spectre vulnerabilities. Instead, they are vulnerabilities affecting hardware components of computers on which EFT runs. However, because vulnerabilities that affect the underlying infrastructure could pose a risk to sensitive data used by EFT, Globalscape does have advice for customers.

Globalscape’s advice to our customers is that they urgently apply the appropriate operating system (OS) and/or firmware patches to mitigate Spectre and Meltdown attacks. The threat vectors of these vulnerabilities involve running potentially malicious applications on the same machine (physical machine, not just the virtual machine in which EFT operates) which can leverage speculative execution to do side-channel attacks on the cache to steal memory-based information. At some point, EFT necessarily has sensitive information in memory (user login credentials, key materials, file contents, etc.) for very short periods. Even if EFT securely wiped the data in memory (which EFT does for key materials, but not for file contents, which are streamed through the network stack to disk but require at least one block of data, between 4K and 64K, in memory at any time), there are short periods where sensitive data would be exposed, such as immediately upon receiving a login password for an incoming session, and prior to hashing the password in order to perform a lookup.

Aside from patching vulnerable systems, Globalscape’s advice is that customers ensure that only trusted applications can run on the physical hardware on which EFT is running. This means patched Windows OS, trusted third-party applications, services, and drivers (SQL Server or Oracle databases; Windows File Share; etc). Furthermore, customers should ensure that no custom commands nor AWE task executions invoke untrusted third-party applications or scripts. Lastly, customers should not use other applications on the server (Web browsers, office productivity tools, etc.), retaining a “single role” which further limits potential attack vectors. Globalscape's software itself does not execute code unless directed by the configuration (custom commands, AWE tasks) of the server. Therefore, as long as the physical machine on which EFT is running is patched and has known good software running atop it, the risk of Meltdown or Spectre attacks revealing sensitive information is reduced as much as possible.

What about the impact on performance for patched systems? Assessing performance impact is complicated, and highly dependent on your hardware, OS, and workload. Globalscape recommends that customers check with their hardware vendor to assess potential performance impact and mitigation techniques. Depending upon workloads, reports from the industry indicate somewhere between 3% and 30%. Globalscape recommends that customers run on the latest available stable OS to ensure minimal performance loss; however, the actual performance impact is heavily dependent upon the deployment and usage patterns of the EFT server, and we recommend that customers review performance characteristics after applying OS updates to ensure appropriate service levels are being met. If service levels fall beneath the desired threshold, then customers may want to consider scaling out their EFT deployment with an Active-Active cluster as a way of ensuring high service levels even when any individual machine has performance degradation caused by Spectre and Meltdown patches.

EFT Arcus

EFT Arcus customers were unaffected. Microsoft Azure accelerated their normal planned maintenance schedule and applied the appropriate updates on January 3rd. The majority of Azure customers should not see a noticeable performance impact with this update. Azure has worked to optimize the CPU and disk I/O path and Azure customers are not seeing noticeable performance impact after the fix has been applied. This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images.

For more information, visit https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/.

The program can't start because api-ms-win-crt-stdio-l1-1.0.dll is missing from your computer


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • CuteFTP, v9.x

SYMPTOM

Upon upgrading, the following error is presented:

The program can't start because api-ms-win-crt-stdio-l1-1.0.dll is missing from your computer.

WORKAROUND

This error indicates that the C++ redistributable is not installed. This is not a problem that is unique to CuteFTP.

The problem is that the KB2999226 (Universal CRT), which is part of the Visual C++ Redistributable, failed to install. The Universal CRT fails to install if the necessary prerequisites (other updates) have not been installed yet.

  1. Install Windows Updates:
    1. Right-click the Start icon, then click Settings.
    2. In Windows Settings, click Update & Security.
    3. Check for updates and install all available updates.
    4. After the updates are installed, restart your computer.
  2. After the restart, repeat the steps above until no more updates are available.
  3. Download the Visual C++ Redistributable:
    • For Windows 64-bit: Visual C++ Redistributable for Visual Studio 2017 (64-bit)
    • For Windows 32-bit: Visual C++ Redistributable for Visual Studio 2017 (32-bit)
  4. Run the vc_redist.x64.exe (64-bit) or vc_redist.x86.exe (32-bit) and select Uninstall.
  5. Run the .exe again and select Install.

    How EFT can help with GDPR Compliance


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v7.4.x and later

    DISCUSSION

    The European Commission established the GDPR to ensure that companies follow a set of security and privacy standards that help safeguard the fundamental rights and interests of “data subjects.” Failure to comply with the standard may result in significant fines for organizations based in the EU or with an EU presence. 

    Globalscape has examined the scope of GDPR as it relates to on-premises software, self-managed in a public or private cloud, and cloud SaaS offerings, in addition to internal personal data processing and collection. Globalscape’s managed file transfer product offerings, EFT and EFT Arcus, provide the security, auditing, and governance features to help achieve and maintain a GDPR-ready posture.

    GDPR’s scope as it pertains to Globalscape’s managed file transfer (MFT) software, EFT, whether it is deployed on-premises, self-managed in a public or private cloud, or in a SaaS-based capacity (EFT Arcus) is as follows:

    • Receiver: EFT can receive files, which may contain personal data.
    • Storage: EFT can optionally store files on a local or network attached disk upon receipt.
    • Sender: EFT can further process received or stored files by transferring them to internal or external applications, systems, or servers, including to non-member states or organizations that may not adhere to GDPR standards.
    • Configuration: EFT can optionally store certain personal data associated with authorized login accounts
    • Posture: EFT can be deployed by customers on premises or in a SaaS configuration on computer systems or networks that may reside in the EU. 

    Please refer to the attached whitepaper for more detailed information about how EFT and EFT Arcus address each of the GDPR articles.

    Script error appears when opening help file


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT versions prior to 7.4.x

    SYMPTOM

    Script error appears when opening help file.

    WORKAROUND

    A Google Analytics script was causing issues in some browsers; the script has since been removed. This error should not occur in updated versions of EFT.

    Using EFT Enterprise Cloud Object Storage Copy/Move with Google Cloud Storage


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v7.4.7 and later

    DISCUSSION

    The procedure below describes using EFT Enterprise Cloud Object Storage Copy/Move or Download actions with Google Cloud Storage.

    1. Set up Google Cloud Storage project to support interoperability:
      1. Log in to your Google Cloud Storage account.
      2. Click Storage > Settings.
      3. Click the Interoperability tab.
      4. Click Make <project name> my default project, then click Create new key.
    2. Configure EFT to use AWS S3-compatible connection:
      1. Create a Connection Profile or define a connection within any Copy/Move or Download to Cloud Object Storage Action.
      2. In the Cloud provider list, click Amazon S3 (compatible).
      3. In Endpoint URL, specify the REST API endpoint: https://storage.googleapis.com.
      4. In Bucket name, specify the bucket name that you created in your Google Cloud Storage project, then select Path.
      5. Specify the Access Key and Secret Key as shown in the Google Cloud Storage console for interoperable storage access keys.
      6. Click Apply.

    Enable Azure AD SSO with EFT Arcus and the Web Transfer Client


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Arcus

    DISCUSSION

    This article describes how to enable Azure Active Directory Single Sign-on with EFT Arcus and the Web Transfer Client.

    Prerequisites

    • Azure Active Directory (AAD) Premium
    • EFT Arcus Site Administrator privileges
    • A WTC user in EFT Arcus
    • AAD user matching the WTC user in EFT Arcus

    Create a new Azure AD SSO application

    1. Log into the Azure Portal with a Global Administrator account.
    2. Open Azure Active Directory (Figure 1) and create a new Enterprise Application.
    3. Click Non-gallery application and give the application a display name.
    4. Click SAML-based Sign-on on the drop-down list.
    5. You should see a screen like Figure 2:

    • Don’t forget to add users to your enterprise application in Azure AD!

    Keep this browser open and log into EFT Arcus.

     

    Enable SAML in EFT Arcus

    1. Select the EFT Arcus Site on which you will configure SAML.
    2. In the General box, under the Advanced Authentication Options, click SAML (webSSO).
    3. Click Configure.

    The Web SSO SAML configuration dialog box appears.

    Configure SAML settings

    At the end of these steps you can view an image of the value mapping.

    1. In the EFT Arcus Web SSO SAML Configuration dialog box, copy the EntityID value.
    2. Copy the value to Azure AD – Identifier (Entity ID).
    3. Copy the Reserved Path value to Azure AD – Reply URL.
    4. Prepend the value in the Reply URL text box with your unique domain and protocol. In this example, we were issued the domain arc001.arcusapp.globalscape.com. So, our reply URL would look like: https://arc001.arcusapp.globalscape.com/sp/samlv2/sso
    5. In Azure AD, select the User Attributes you’d like to authenticate. In the example provided, we’re using an email address.
    6. Download the SAML Signing Certificate using the Certificate (RAW) link.
    7. (Optional) Configure an email address to be notified when the certificate is due to expire.
    8. In Azure, click Configure.
    9. In Azure, copy the URL for SAML Single Sign-On Service URL.
    10. In EFT Arcus, paste this value in the Identity Provider text area in the POST URL text box.
    11. In Azure, copy the URL for SAML Entity ID.
    12. In EFT Arcus, paste this value in the Identity Provider text area in the Entity ID text box.
    13. Upload the public key to EFT Arcus. (At the time of this writing, this can only be done by creating a support ticket as EFT Arcus customers only have Site Admin privileges.)
    14. In EFT Arcus, in the Identity Provider text area, fill in the path to the public certificate uploaded in step 13.
    15. In EFT Arcus, under the username text area, click Attribute.
    16. In the Attribute text box, enter the attribute you’re expecting from Azure AD. We configured this setting in step 5.
    17. Note that Azure AD is using full schema URLs as their attribute names. In our example, using an email address would look like this: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    18. Click OK and allow the EFT Arcus site to restart.
    19. At this point, you should be able to navigate to your Web Transfer Client. Do not enter any credentials; click SSO sign on.

      Don’t forget to add users to your enterprise application in Azure AD!
