Upgrading Secure FTP Server v3.3 to EFT Server v6.x

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• Upgrading Secure FTP Server version 3.3.10 to EFT Server (SMB) version 6.2.31

**Secure FTP Server is no longer a supported product, and is not compatible with Windows 2008 or later.

Also refer to article #10359, Moving Secure FTP Server from One Computer to Another Computer.

Note: If you are running a version of Secure FTP Serverversion 3 earlier than v3.3.10, you must first upgrade to v3.3.10 beforeupgrading to EFT Server. EFT Server 6.x.x installer is expecting SecureFTP Server to be version 3.3.10. For this reason we strongly recommendthat you upgrade to Secure FTP Server 3.3.10, if you are not already onthat version. You can download Secure FTP Server v3.3.10 at ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe. Refer to the procedure at the bottom of this article for details of upgrading Secure FTP Server.

DISCUSSION

The process for migrating a Secure FTP Server 3.3.10 configuration toa new server running EFT Server 6, which includes all Event Rules, useraccounts, keys, etc., is straight forward and should only take about 20to 45 minutes. (It is not necessary for EFT Server to have beeninstalled on the old server; EFT Server v6 will properly convert thefiles for Secure FTP Server 3.3.10 **. Nor is it necessary for the OS tobe the same version on the new server as on the old server; the newinstallation of EFT Server will correctly conform itself to the newserver OS.) While it used to be possible to do a migrating upgrade fromSecure FTP Server 3.3.10 directly to the latest version of EFT Server 6,and this process continues to be successful in some situations, therehave been sufficient problems caused by this extreme jump that we nowstrongly recommend performing a stepping upgrade through EFT Server6.2.31. To obtain the installer for EFT Server 6.2.31, browse to theReplacement Software Downloads page [http://www.globalscape.com/support/reg.aspx]of our website. Once the installer is downloaded, use the migrationguide below to move the Secure FTP Server 3.3.10 configuration to thenew server running a straight installation of EFT Server 6.2.31. Afterverifying that the configuration is working properly for EFT Server6.2.31, please use the upgrade instructions to upgrade to EFT Server 6.4.x; then you can upgrade to v6.5 or later. (Upgrades are supported only within 2 version numbers.)

Please note that per Globalscape policy for liability reasons,Support does not upgrade or migrate the servers of our clients,but provides instructions or guidance for accomplishing the process.While Support does not upgrade or migrate servers for our clients, it ispossible to acquire an upgrade package from our Professional Servicesteam to have them personally handle the process.

Migration from Secure FTP Server 3.3.10 to EFT Server 6.2.31

Prepare:

1. Ensure that EFT Server 6 is compatible with your server by checking here: http://help.globalscape.com/help/eft6-2/system_requirements_for_server.htm. (Remember, you can only upgrade Secure FTP Server to EFT v6.2.31. After installing v6.2.31, you can upgrade to v6.4. Upgrades are supported only within 2 version numbers.)

2. Request and receive a new EFT Server 6 licenses (if you have a Secure FTP Server or EFT Server 4 or 5 serial numbers) and a new DMZ 3 licenses (if you have a DMZ Gateway 1 or 2 serial number) from your account representative.

3. Download EFT Server 6.2.31 from http://www.globalscape.com/support/reg.aspx, making certain to specify correctly the installer that corresponds with the EFT Server license. (You must have the EFT Server (SMB) installer for an EFT Server (SMB) serial number and the EFT Server Enterprise installer for the EFT Server Enterprise serial number].

4. Ensure that the account used to log in to Secure FTP Server 3 is a unique account within Secure FTP Server (this is critical) and not a local server or domain account. During the upgrade process, all local server or domain accounts will be locked out of EFT Server unless you own the High Security Module (HSM); use this article if you need assistance changing it: http://help.globalscape.com/help/secureserver3/Change_global_administration_password.htm.

5. Stop the Secure FTP Server 3 service to ensure all settings are preserved; once the ftp://ftp.cfg/ copy is complete, the service can be restarted.

6. Create a migration folder on the new server and add the appropriate application data files from C:\Program Files\GlobalSCAPE\Secure FTP Server:

   • FTP.cfg and FTP.bak

   • *.aud

   • All pgp keys (*.skr, *.pkr)

   • All SSL certificate files (*.cer, *crt)

   • All SSH key files (*.pvk, *.pub)

   • Any scripts or .bat files

   • Any custom reports

7. Ensure that the Secure FTP Server 3.3.10 site data folders are copied to the new server (default location is C:\inetpub\EFTRoot) using the exact same folder structure as exists on the old one (e.g., if it is D:\EFTRoot on the old server, make certain it is D:\EFTRoot on the new server). Otherwise, it will be necessary to point each Site to the correct location and potentially set the folder permissions. [Instructions for moving the Site Root can be provided upon request.]

Migrate:

1. Use the installer to install only EFT Server, without the ARM Database module, on the new server (clear the check box to start the service) [Installing EFT Server: http://help.globalscape.com/help/eft6-2/mergedprojects/eft/installingserveradministratormodules.htm]

2. Add the EFT Server service account to run the EFT Server service. [Our best practice is to have a windows or domain account that starts the windows service (services.msc) for the EFT Server.]

3. Ensure that the EFT Server service account has full rights to the application data directory and the Site data directory.

4. Copy the application data files from the migration folder to the correct places, overwriting any files, as needed. If the EFT Server was installed to the default location, copy the files to this folder:

   Windows Server 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

   Windows Server 2008: C:\ProgramData\GlobalSCAPE\EFT Server

5. Start the EFT Server service and log in to the administration interface.

6. Register EFT Server and all modules, including the DMZ Gateway 3 serial number.

7. On the Server's (Local Host) Administration tab:

   • Set the Listening IP address correctly

   • Click the Configure button for the Require SSL for remote administration and point to the SSL certificate.

8. On the Server's Security tab:

   • Set the Allowed SSL versions to Defined and clear the SSL 2.0 option. [This protocol is no longer secure.]

   • In the Allowed ciphers field, move RC4 128 bit cipher up to first in the Priority list. [This works around the SSL Beast exploit.]

9. On the Server's Logs tab, point Folder in which to save log files to the correct directory path. [This typically consists of pointing to the new Logs folder in the application data directory, such as C:\ProgramData\GlobalSCAPE\EFT Server.]

10. On each Site's Connections tab:

    • Set the Listening IP address correctly

    • Click SFTP Config and specify the SFTP private key location.

    • Click Configure for SSL Certificate settings and specify the Certificate and Private key locations.

11. On each Site's Security tab:

    • Click Configure for Invalid login options, and set Ban IP address after to 12. [This eliminates the ability of end users to get themselves banned but does not compromise security against attackers.]

    • Click Count both ‘incorrect username’ and ‘correct username + incorrect password'. [This provides stronger security against attackers.]

12. Verify that the Site is working properly by testing connections, Event Rules, and reports.

Upgrading EFT Server 6.2.31 to v6.3.x or 6.4.x

Prepare for upgrade:

[**Pleasenote that the installer for EFT Server or EFT Server Enterprise withthe SQL Server Express for ARM database is only needed for the firsttime the ARM module is installed and then only if the free SQL ServerExpress 2008 is to be used instead of a full licensed version of SQLServer. Following the initial installation this larger installer willnot be needed as both versions will successfully setup and/or upgradethe ARM module.]

1. Download EFT Server [and the DMZ Gateway module if needed] from one of the following:

   • EFT Server (without SQL Server Express for ARM database): http://globalscape.com/support/srv.aspx

   • EFT Server Enterprise (without SQL Server Express for ARM database): http://globalscape.com/support/eft.aspx

2. Stop the EFT Server service (this must be done to ensure all settings are preserved; once the ftp://ftp.cfg/ copy is complete, the service can be restarted).

3. Create a backup of the EFT Server application configuration:

   • If running EFT Server Enterprise, run the Backup and Restore wizard as explained here, and then proceed to step 4:

     http://help.globalscape.com/help/eft6-2/mergedprojects/eft/backing_up_or_restoring_server_configuration.htm

   • If the EFT Server was installed to the default location, then copy the following files:

     • ftp://ftp.cfg/ and ftp://ftp.bak/

     • *.aud

     • Any custom AWE *.awl files

     to a backup folder:

     Windows 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

     Windows 2008: C:\ProgramData\GlobalSCAPE\EFT Server

4. Create a backup of the registry.

Upgrade:

1. Use the new EFT Server installer to upgrade EFT Server 6.2.31 and, if using ARM, install/update the database. Before clicking finish, clear the Start the Server service check box.

2. Add/verify that an EFT Server Service account is set to run the EFT Server Service. [Our best practice is to have a Windows or domain account that starts the Windows service (services.msc) for EFT Server.] Ensure that the EFT Service account has full rights to the application data directory and the Site data directory.

3. Start the EFT Server service.

4. If you use or will be using the Secure Ad Hoc Transfer (SAT) Module or DMZ Gateway Module, use the corresponding installers and the following instructions to install or upgrade.

   • Installing/Configuring ARM: http://help.globalscape.com/help/eft6-4/mergedprojects/arm/installingandconfiguringarm.htm

   • Installing/Upgrading SAT http://help.globalscape.com/help/SAT3/toc_installingsecure_ad_hoc_transfer.htm

   • Install/Upgrade DMZ Gateway: http://help.globalscape.com/help/dmz3/toc_installing_dmz_gateway.htm

5. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports

   • For EFT Server Enterprise 6.3.x and later, all Event Rule syntax is strictly enforced; entries in EFT Server Enterprise 6.2 for Events Rules where the Source or Destination virtual paths worked without a “/” at the beginning will fail. Instead each virtual path must look like this /rootfolder/ or this /rootfolder/subfolder/.

   • Additionally, in EFT Server Enterprise 6.4.x and later, all outbound connection Event Rules use the IP address specified in the Event Rule. (Refer to http://help.globalscape.com/help/eft6-4/mergedprojects/eft/copy_move_file_to_host_action_help.htm item 15b.)

   • For EFT Server 6.3.x and later, all rebranding done in prior versions will not work with the newer versions it will be necessary to brand the WTC, PTC, etc. using the new rebranding instructions.

You can now upgrade to EFT v6.5 or later.

Rollback:

1. Uninstall the newer EFT Server version.

2. If nothing else changed between the newer EFT Server install and rollback process, restore the registry.

3. Install the previous EFT Server version, skipping the ARM portion. (Before clicking finish, clear the Start the service check box.)

   • If running EFT Server SMB, paste the backup of the previous EFT Server version folder over the default location, the start the Server service.

     Windows 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

     Windows 2008: C:\ProgramData\GlobalSCAPE\EFT Server

   • If running EFT Server Enterprise, start the EFT Server Service, then log in to the administration interface and run the Restore wizard (http://help.globalscape.com/help/eft6-4/mergedprojects/eft/backing_up_or_restoring_server_configuration.htm.)

4. If the Auditing and Reporting Module (ARM) was active, restore the ARM Database. (The reports will not function until the restore is complete.)

5. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.

Upgrading Secure FTP Server v3.x to v3.3.10

Prepare:

1. Create a backup of the Secure FTP Server 3.x.x application configuration: (Windows 2003) C:\Program Files\GlobalSCAPE\Secure FTP Server.
2. Copy the following items to a backup folder: ftp.cfg, ftp.bak, and *.aud
3. Create a backup of the registry.
4. If the Auditing and Reporting Module (ARM) is active, create a back-up of the database.

Upgrade:

1. Download Secure FTP Server 3.3.10: ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe.
2. Use the Secure FTP Server 3.3.10 installer to upgrade Secure FTP Server. [http://help.globalscape.com/help/secureserver3/Upgrading_the_Software.htm]
3. Add the Secure FTP Server Service account to run the Secure FTP Server Service.
4. Ensure that the Secure FTP Server Service account has full rights to the application data directory and the Site data directory.
5. Start the Secure FTP Server service.
6. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.

Rollback:

1. Stop the Secure FTP Server service.
2. Paste the backed up Secure FTP Server folder over the new installation (default=C:\Program Files\GlobalSCAPE\Secure FTP\).
3. Start the Secure FTP Service.
4. Verify that the Secure FTP sites are working properly by testing connections, Event Rules, and reports