Channel: GlobalSCAPE Knowledge Base

EFT banning load balancer IP address

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT version 7.x and later

SYMPTOM

EFT banning load balancer IP address

RESOLUTION

  1. Set an IP access rule to allow the load balancer IP on EFT.
  2. Turn off DoS/Flood protection on EFT.
  3. Turn off ban IP address in Login Security settings.

MORE INFORMATION

The default EFT options for DoS/Flood Protection and Login Security settings are designed for each IP to have a single user’s activity. These settings can cause EFT to ban the load balancer’s IP or intermittently block its activity when all user connections are using the load balancer’s IP.

These settings should be disabled when using a load balancer. It’s also a good idea to set an IP access rule to allow the load balancer IP on EFT just in case the settings are accidentally enabled later.
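
A simplified model of the behaviour described above, added here as an illustration (it is not EFT's code, and the threshold, window and addresses are constructed assumptions, not EFT defaults). The same login events are scored once by real client address and once as the server sees them behind a load balancer.

```python
from collections import defaultdict, deque

# Assumed policy for illustration only (not EFT's defaults):
# ban a source IP after MAX_FAILURES failed logins inside WINDOW_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 60

LB_IP = "10.0.0.5"  # constructed load balancer address

# Constructed events: (timestamp_s, real_client_ip, username, login_ok)
EVENTS = [
    (0, "198.51.100.10", "alice", False),
    (5, "198.51.100.11", "bob", False),
    (9, "198.51.100.12", "carol", True),
    (14, "198.51.100.13", "dave", False),
    (20, "198.51.100.10", "alice", True),
    (26, "198.51.100.14", "erin", False),
    (31, "198.51.100.15", "frank", False),
    (40, "198.51.100.16", "grace", True),
]


def direct(event):
    """Server sees each client's own address (no load balancer)."""
    return event[1]


def behind_lb(event):
    """Server sees only the load balancer's address for every connection."""
    return LB_IP


def apply_rule(events, source_ip_of):
    """Apply the per-IP failed-login rule.

    Returns (banned_ips, rejected_users): the addresses that end up banned and
    the users whose connections arrived after their apparent address was banned.
    """
    recent = defaultdict(deque)  # apparent ip -> timestamps of recent failures
    banned = set()
    rejected = []
    for event in sorted(events):
        ts, _client, user, ok = event
        ip = source_ip_of(event)
        if ip in banned:
            rejected.append(user)  # blocked regardless of who the user is
            continue
        if ok:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            banned.add(ip)
    return banned, rejected


if __name__ == "__main__":
    print("direct:   ", apply_rule(EVENTS, direct))
    print("behind LB:", apply_rule(EVENTS, behind_lb))
```

No single client comes near the threshold, yet the five unrelated failures add up on the load balancer's address, and the next valid login is refused.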


DMZ Gateway® Flood Protection Setting

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.x and later
  • DMZ Gateway®, v3.0 and later

DISCUSSION

The flood protection property can be edited in the DMZ Gateway configuration file (<InstallDir>\conf\DMZGatewayServerService.conf) to fine-tune your DMZ Gateway deployment for specific situations. (In this case, EFT HA mode can be affected if the flood protection setting is enabled.)

Property: DEnableConnFloodProtection

Units: boolean

Valid Range: true or false

Default: TRUE

Description: Enables or disables the connection flood protection. Disabling it allows a larger number of connections to be accepted at the same time.

In the section labeled # Additional Java parameters, add the flood protection property at the bottom of the section. For example:

# Additional Java parameters. Add parameters as needed starting from 1.
# By default, use the server Virtual Machine.
wrapper.java.additional.1=-server
wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
wrapper.java.additional.2.stripquotes=TRUE
wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.8.0_45/lib/ext
wrapper.java.additional.4=-Dfile.encoding=UTF-8
wrapper.java.additional.5=-DDMZBufferPoolBufferSize=262144
wrapper.java.additional.6=-DEnableConnFloodProtection=False
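
An added example (not Globalscape's code): a small Python audit of the `wrapper.java.additional.N` list shown above that reports whether flood protection is actually switched off. It assumes the file follows Java Service Wrapper rules, where the numbered list is read from 1 and, by default, stops at the first missing index, and that the value is compared case-insensitively; `audit`, `ARTICLE_CONF` and `GAPPED_CONF` are names invented here.

```python
import re

# Constructed sample: the parameter list shown in the article.
ARTICLE_CONF = """\
# Additional Java parameters. Add parameters as needed starting from 1.
# By default, use the server Virtual Machine.
wrapper.java.additional.1=-server
wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
wrapper.java.additional.2.stripquotes=TRUE
wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.8.0_45/lib/ext
wrapper.java.additional.4=-Dfile.encoding=UTF-8
wrapper.java.additional.5=-DDMZBufferPoolBufferSize=262144
wrapper.java.additional.6=-DEnableConnFloodProtection=False
"""

# Constructed variant: index 6 is skipped, so reading stops after index 5.
GAPPED_CONF = ARTICLE_CONF.replace("additional.6=", "additional.7=")

PARAM = re.compile(r"^wrapper\.java\.additional\.(\d+)\s*=\s*(.*)$")
FLAG = "-DEnableConnFloodProtection="  # flag exactly as written in the article


def audit(conf_text):
    """Report the effective flood-protection state of a wrapper .conf file."""
    params, duplicates = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        match = PARAM.match(line)
        if not match:  # also skips ".N.stripquotes=" companion keys
            continue
        index, value = int(match.group(1)), match.group(2).strip()
        if index in params:
            duplicates.append(index)  # reported so a human can resolve them
        params[index] = value

    # Walk 1, 2, 3, ... and stop at the first missing index.
    effective, n = [], 1
    while n in params:
        effective.append(n)
        n += 1
    ignored = sorted(i for i in params if i not in effective)

    enabled, set_by = True, None  # the article gives the default as TRUE
    unrecognized = []
    for i in effective:
        value = params[i]
        if value.startswith(FLAG):
            setting = value[len(FLAG):].strip().strip('"').lower()
            if setting in ("true", "false"):  # assumption: case-insensitive
                enabled, set_by = (setting == "true"), i
            else:
                unrecognized.append(i)
    return {
        "flood_protection_enabled": enabled,
        "set_by_index": set_by,
        "ignored_indexes": ignored,
        "duplicate_indexes": duplicates,
        "unrecognized_values": unrecognized,
    }


if __name__ == "__main__":
    print(audit(ARTICLE_CONF))
    print(audit(GAPPED_CONF))
```

With the gapped variant the setting is present in the file but never reaches the JVM, so flood protection stays at its default.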

Installing and Upgrading EFT in an Active-Active HA Cluster

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7 and later

DISCUSSION

EFT can be installed in an active-passive cluster for failover clustering or (in v7 and later) an active-active cluster for "always on" high availability (HA) service.

For instructions for installing or upgrading EFT in an active-passive cluster, refer to KB #11146.

Separate instructions are provided below for:
  • Installing EFT in an active-active HA cluster
  • Upgrading EFT in an active-active HA cluster (v7 and later only)

(TIP: Print this topic and check off the steps as they are completed.)

If needed, refer to EFT installation instructions in the online help at http://help.globalscape.com/help/eft7-2/mergedprojects/eft/installingserveradministratormodules.htm (or for your version, if different).

EFT upgrades are supported for up to two major version numbers based on the product life cycle. For example, you can upgrade EFT Enterprise 7.0.x or 7.1.x to EFT Enterprise 7.2.x.

See also Upgrading EFT.

Installing EFT v7 and later in an Active-Active HA cluster

Before beginning, for important information about your HA deployment, please also refer to the following help documentation:

  1. Set up a load balancer according to the vendor’s documentation.

  2. Make sure the node that you are installing on has access to a shared resource disk.

  3. Run the EFT installer on the node that has access to the clustered (shared resource) disk. Follow the prompts and refer to "Installing the Server, Interface, and Modules" in the EFT help documentation, if necessary.

  4. On the Choose install type page, click Active-active cluster, then click Next.

  5. A message appears stating that "some features of Microsoft Message Queuing (MSMQ) must be enabled." Click Yes. It can take several minutes for MSMQ to be enabled. Refer to the topic in the EFT help documentation EFT HA (Active-Active) Deployment for important information about MSMQ/multicasting and HA.

  6. A prompt appears asking "Is this the first node in the cluster?" Do one of the following:

    • Click Yes if this is the first node in the cluster.

    • Click No if you already installed EFT on the first node and you are now installing EFT on a subsequent node.

  7. On the Choose Install Location page, specify the installation location on your local physical drive, and then click Next.

  8. On the Choose Shared Settings Location page, specify the shared resource disk, and then click Next.

  9. Follow the prompts in the wizard to continue the installation (create the EFT administrator account, configure ARM, etc.).

     Note: You must specify a remote SQL or Oracle server for the ARM database. Do not use a local database, such as SQL Server Express.

  10. On the final page of the installer, Start the EFT Enterprise service, and then click Finish.

  11. Configure the first node of the cluster, license EFT and any add-on modules.

  12. Repeat steps 3 – 10 on subsequent nodes. (Be sure to click No when prompted "Is this the first node in the cluster?") "Silent" command-line options are available in the online help. Subsequent nodes pick up all configuration done to the first node, because all nodes share the same configuration file.

Upgrading EFT v7 and later in an active-active HA Cluster

  1. Stop the EFT service on both (all) nodes.

  2. Create a backup of the shared configuration directory:
    1. Copy and rename the configuration directory.
    2. Optionally, export all config via the migration tool.

  3. Execute the installer on node 1:
    1. Choose Upgrade active-active node.
    2. Verify the installation directory.
    3. On the first node upgrade, choose “Upgrade ARM Database”.
    4. Verify the database settings (if there are no schema changes, it will not run a database upgrade).
    5. Follow the prompts to complete the upgrade.

    (Note: The installer will create a backup of the existing configuration and store it in the config path.)

!!!DO NOT START THE EFT SERVICE ON THIS NODE YET!!!

  4. Execute the installer on node 2:
    1. Choose Upgrade active-active node.
    2. Verify the installation directory.
    3. Verify the shared configuration path.
    4. On the second node upgrade, you can skip the “Upgrade ARM Database” option.
    5. Follow the prompts to complete the upgrade.

    (Note: The installer will create a backup of the existing configuration and store it in the config path.)

!!!DO NOT START THE EFT SERVICE ON THE SECOND NODE!!!

  5. Start the service on the first node. Verify that the upgrade is successful:
    1. Open the administration interface and log in.
    2. Verify that the Server is connected.
    3. Verify that sites are available and that ARM is connected.
    4. Verify that event rules and users exist as expected.

  6. Start the service on the second node and verify that the service starts successfully.

Rollback Instructions

If you need to revert after upgrading EFT in an HA cluster:

  1. Stop both EFT nodes
  2. Uninstall from both EFT nodes.
  3. Reinstall old version of EFT to both nodes using silent installer. Verify paths are correct.
  4. Start both nodes and confirm successful installation.
  5. Stop both EFT nodes.
  6. Copy contents of pre-upgrade shared configuration path back into shared configuration path.
  7. Start node one. Verify that pre-upgrade configuration exists.

Creating Fixed File Formats for Mainframe File Submissions

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7 and later

DISCUSSION

EFT, together with the Automated Workflow Engine, can be leveraged to ensure that submitted or uploaded files are transformed into a format that is suitable for some mainframe systems.

Mainframes (like z/OS) support two main file formats, Variable (V) and Fixed (F). They’re often referred to as FB or VB (the B standing for Blocked, which is the most common way of organizing them on physical storage media).

FB files, not surprisingly, have a fixed record length. This means that every record in the file will have exactly the same number of bytes. The file system on the mainframe (the VTOC) stores information on the file, which, among other things, keeps track of this record length. The files can be easily viewed in a text editor on the mainframe like ISPF, as the system knows where to split the file into records based on the fixed record length. There is no delimiter between the records, and no textual or binary data can be stored in the file.

Below is an example AWE script that you can use as is or edit to suit your environment and specific needs.

<AMVARIABLE NAME="targetFilePath" ISPARAMETER="YES">C:\temp</AMVARIABLE>

<AMVARIABLE NAME="targetFileName" ISPARAMETER="YES">target file.txt</AMVARIABLE>

<AMVARIABLE NAME="targetFileWithPath" ISPARAMETER="YES">%targetFilePath%\%targetFileName%</AMVARIABLE>

<AMVARIABLE NAME="outputFile" ISPARAMETER="YES">%targetFilePath%\out_%targetFileName%</AMVARIABLE>

<AMFILEDELETE SOURCE="%outputFile%" AM_ONERROR="CONTINUE" />

<AMVARIABLE NAME="numBytes" ISPARAMETER="YES">94</AMVARIABLE>

<AMVARIABLE NAME="fileSize">0</AMVARIABLE>

<AMGETFILEINFO FILE="%targetFileWithPath%" RESULTVARIABLE="fileSize" FILEPROPERTY="Size" />

<AMVARIABLE NAME="chunks">%Int(fileSize/numBytes)%</AMVARIABLE>

<AMVARIABLE NAME="leftOver">%fileSize MOD numBytes%</AMVARIABLE>

<AMVARIABLE NAME="curData"></AMVARIABLE>

<AMVARIABLE NAME="curIndex"></AMVARIABLE>

<AMVARIABLE NAME="pos">0</AMVARIABLE>

<AMLOOP TOTALLOOPS="%chunks%" RESULTVARIABLE="curIndex">

<AMFILEREAD FILE="%targetFileWithPath%" RESULTVARIABLE="curData" MAXBYTES="%numBytes%" NEWPOSITIONVARIABLE="pos" POSITION="%pos%" />

<AMFILEWRITE FILE="%outputFile%">%curData%</AMFILEWRITE>

</AMLOOP>

<!-- If there are left over bytes, write them. Then pad the rest with spaces up to 94 Bytes (or whatever the numBytes is) -->

<AMIF EXPRESSION="leftOver &gt; 0">

<AMFILEREAD FILE="%targetFileWithPath%" RESULTVARIABLE="curData" MAXBYTES="%leftOver%" NEWPOSITIONVARIABLE="pos" POSITION="%pos%" />

<AMFILEWRITE FILE="%outputFile%">%curData%</AMFILEWRITE>

<AMLOOP TOTALLOOPS="%numBytes-leftOver%" RESULTVARIABLE="curIndex">

<AMFILEWRITE FILE="%outputFile%"> </AMFILEWRITE>

</AMLOOP>

</AMIF>

Transforming UNIX-based Text Files to DOS Format

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6 and later

DISCUSSION

The Advanced Workflow Engine for EFT is able to help in a multitude of automation functions. Many customers, when integrating with diverse environments, find themselves having to contend with crossing the bridge between UNIX-formatted text-based files and DOS-formatted text files. Below is a short script that can help you transform a UNIX-based text file into a DOS-formatted file by converting each LF to a CRLF.

<AMVARIABLE NAME="targetFile">C:\temp\test_lf2.TXT</AMVARIABLE>

<AMVARIABLE NAME="newData"></AMVARIABLE>

<AMVARIABLE NAME="filePart"></AMVARIABLE>

<AMLOOP TYPE="FILECONTENTS" FILE="%targetFile%" RESULTVARIABLE="filePart" DELIMITER="%Chr(10)%" ENCODING="utf-8">

<AMSET VARIABLENAME="newData">%newData &amp; filePart &amp; Chr(13) &amp; Chr(10)%</AMSET>

</AMLOOP>

<AMFILEWRITE FILE="C:\temp\test_lf2_translated.txt" APPEND="NO">%newData%</AMFILEWRITE>

Restore EFT Enterprise configuration and modify DMZ Gateway IP address

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6 and later

DISCUSSION

The attached VB script automates the EFT Enterprise restore function and allows you to change/set the DMZ Gateway IP address. This script is particularly useful when moving the EFT Enterprise configuration from a primary/production site to a warm/secondary site (when EFT HA is not enabled).

Note: The restore action requires a stop/start of the EFT Enterprise service. It is recommended for use on a ‘warm’ or ‘DR’ site where service interruption will not affect production traffic.

To use the script

  1. Create an Event Rule on the production server to copy the nightly EFT Enterprise backup file to the remote server. Rename the file to something static, such as ServerConfig.bak.
  2. Create a Windows Scheduled Task to invoke the RestoreConfig.vbs after the ServerConfig.bak is copied to the remote server.
  3. Test remote server configuration to verify that user accounts/event rules/workflows are correct.

The script allows for using either EFT Authentication (EFTLogin) or Integrated Windows Authentication (IWALogin) when accessing the EFT COM API. (Note: IWA will only work if the HSM module is licensed in EFT.)

For more detailed information about how to use the EFT COM API, refer to the online help at http://help.globalscape.com/help/gs_com_api/com_using_the_com_interface.htm

After downloading the script file, rename it with the VBS extension.

Integrating EFT HA in a network with a Cisco switch

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.2 and later

DISCUSSION

Globalscape engineers had the opportunity to test EFT HA against a Cisco Nexus 5672 and a Cisco Nexus 9396PX switch running NX OS version 7.0(3)I2(1). The test consisted of two laptops running EFT in HA with each laptop connected to a port on the Nexus switch being tested. With the switch running a fresh out-of-the-box configuration, we enabled debugging on the switch for IGMP so that we could see the traffic, and then we initiated our test.

For the first few minutes everything worked as designed and PGM traffic was being sent across the two nodes, but at the 210-second mark the switch logged the following message:

Noquerier timer expired, remove all the groups in this vlan

IGMP snooping is enabled by default on the Nexus OS, but since there wasn’t a Querier (normally a router or a switch is configured to perform this duty) to manage IGMP requests, the timer expires and the packets are no longer sent across the nodes. With the help of a Cisco engineer, we were able to make a small configuration change to solve the problem.

Globalscape recommends to our customers that they create a VLAN for EFT peer notification, create a virtual interface for that VLAN, and then configure the virtual interface to be the IGMP querier for that VLAN. That way, they contain all traffic to that VLAN and they don’t have to change the way IGMP traffic is treated for the rest of the network. Below is the configuration that we used for a successful test of EFT with HA and a Cisco switch:

#Setup an SVI by entering config mode and enabling the feature
config t
feature interface-vlan
#Specify the VLAN that you created for EFT; in our example it’s VLAN 199
interface vlan 199
#Assign an IP address and subnet to the SVI
ip address 192.168.27.254 255.255.255.0
#Enter VLAN configuration for the EFT VLAN which in our example is VLAN 199
vlan configuration 199
#Enable IGMP snooping for the VLAN
ip igmp snooping
#Set the IGMP querier for the VLAN to be the IP address of the SVI which in our example is 192.168.27.254
ip igmp snooping querier 192.168.27.254
#Exit Config Mode and Save your changes
end

Below is how it looks as entered on a switch:

switch(config)# feature interface-vlan
switch(config)# interface vlan 199
switch(config-if)# ip address 192.168.27.254 255.255.255.0
switch(config-if)# vlan configuration 199
switch(config-vlan-config)# ip igmp snooping
switch(config-vlan-config)# ip igmp snooping querier 192.168.27.254
switch(config-vlan-config)# end

Be sure to exit Config Mode and Save your changes.

Increase number of email addresses you can share Workspace with at one time

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7.1 and later (with Workspaces)

QUESTION

In the WTC help topic Sharing Folders, it says I can only share a Workspace with 10 email addresses at a time. Is there a way to remove that limitation?

ANSWER

Yes. The EFT administrator can edit the client-side JavaScript, as described below.

To change the number of email addresses that you can add at one time

  1. Go to the folder <EFTINSTALLPATH>\web\public\EFTClient\jument\scripts.
  2. In a text editor, open <number>.main.js.
  3. Search for the following text:

     {var b="";return a.length>10&&(b=$.t("errorMoreThanTenEmails")),b}

  4. Replace 10 with a larger number, such as 100.
  5. Save the file.
  6. Clear the browser cache to see the changes.

You might also want to change the "More than Ten Emails" message, located in C:\Program Files (x86)\Globalscape\EFT Server Enterprise\web\public\EFTClient\jument\i18n\. The file is main_en.json (or main_de.json, main_nl.json, or other language).

To edit the error message

  1. In a text editor, open main_en.json.
  2. Search for the following text:

     "errorMoreThanTenEmails": "A maximum of 10 participants can be added to this Workspace at a time. Please shorten your email list and try again."

  3. Edit the message to change the "maximum of 10" to the number you changed it to. Be sure that you do not change "errorMoreThanTenEmails": just the text that follows, within the quotation marks.
  4. Save the file.

Note that it is good practice to make a copy of each of the files that you want to edit before you edit them, in case you want to revert your changes.


Removing "Lost Password" and "Reset" from the Mail Express Login Page

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express v4.x and later

DISCUSSION

This article describes the process to change specific cosmetic features of the Mail Express Internal Login Page. You are not changing the actual functionality.

If you are not familiar with Mail Express or how to edit HTML files, please seek guidance from the Globalscape Professional Services team.

Be sure to back up any files that you plan to edit.

When you go to the Mail Express Internal Portal Login page, the default screen looks like this:

In this example, the client has requested that they do not want the Internal users to see the “Lost Password” link or the RESET button.

To remove the Lost Password link and Reset button

  1. The first thing we are going to do is locate the two HTML files we will be working with:

    • BaseSignInPanel.html
    • MailExpressSignInPanel.html

     NOTE - Please pay careful attention to the location of these files, as there are different directories that contain the same-named files.

  2. Locate the directory:

     %SystemDrive%\Program Files\GlobalSCAPE\Mail Express\webapps\ROOT\WEB-INF\classes\com\globalscape\mailexpress\web\components

     Your specific installation may be different, however it is important to notice from where \Mail Express is installed, and locate the above referenced directory.

  3. At this point, make a backup of the two files we will be editing, in case you need to restore to the old settings.

  4. Edit the 1st file: MailExpressSignInPanel.html

  5. Delete the yellow highlighted lines as shown above. (The a href="lostPassword" line and the input type="reset" line.)

  6. Next, edit the 2nd file: BaseSignInPanel.html

  7. Again, delete the entire yellow highlighted line above. (The input type="reset" line.)

  8. Open Windows Services and restart the Mail Express Server service.

  9. After the service has restarted, open and refresh the login page to verify your changes.

Activating the Accelerate module

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.3
    • DMZ Gateway, v3.4
    • Accelerate module

    QUESTION

    How do I activate the Accelerate module in EFT and DMZ?

    ANSWER

    The Accelerate module requires that a special file be installed on DMZ Gateway, in addition to the usual registration process in EFT.

    In the EFT administration interface:

    Refer to http://help.globalscape.com/help/eft7-3/activatingthesoftware.htm for the procedure for activating EFT and its modules.

    In DMZ Gateway:

    1. Provide your DMZ Gateway server host’s public-facing / forward-facing Internet Protocol (IP) address to your Globalscape point of contact. In return, you will receive a DeiLicense.dat and FastImpl.dll derived from the supplied IP address.

    2. On the DMZ Gateway computer, stop the DMZ Gateway server service.

    3. In the \lib folder of the DMZ Gateway installation folder (e.g., C:\Program Files\GlobalSCAPE\DMZ Gateway\lib), replace the file FastImpl.dll with a new version provided by Globalscape.

    4. In the \conf folder of the DMZ Gateway installation folder (e.g., C:\Program Files\GlobalSCAPE\DMZ Gateway\conf), paste your license file (e.g., DeiLicense.dat).

    5. Start the DMZ Gateway server service.

    • DMZ Gateway will log the attempted registration and record its success or failure.

    • Registration is maintained upon upgrade or repair.

    • If the DMZ Gateway's host IP changes, you will need to request a new FastImpl.dll from Globalscape.

    Enforcing Settings in EFT Like Group Policy Does for AD

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v6 and later

    Using EFT's COM API to enforce specific settings inside of EFT so that they are enforced at all times

    DISCUSSION

    Often changing a setting in EFT is forgotten after it is saved and done. Wouldn’t it be helpful to enforce settings at all times to prevent security issues with folders or home folders?

    Configure COM API

    COM API is required for any type of script to run and affect settings in EFT.

    1. Remote Admin must be enabled on the EFT server.
    2. Either the EFT administration interface must be installed or the DLLs must be on the system where the script is being run: C:\Program Files (x86)\Common Files\Globalscape\SFTPCOMInterface\
    3. User ID can be either a GS administrator account or AD auth can be used (if you have HSM module).

    So how do we use the script to enforce settings?

    Let’s start by breaking down the script.

    Connecting to EFT:

    CRLF = (Chr(13)& Chr(10))

    txtServer = "localhost"

    txtPort = "1100"

    txtAdminUserName = "test"

    txtPassword = "test"

    txtSiteName = "EFT FTP"

    txtSettingsLevel = "Default Settings"

    Modify Security Settings:

    In this case, let’s modify the 2 settings that need to be enforced.

    oUser.SetHomeDir(-2) 'use home folder from Settings Template

    oUser.SetHomeDirIsRoot(-2) 'use Treat home folder from Settings Template

    *Note: it is very important to identify the Settings template that will be enforced. It is possible to enforce other templates using copies of the script.

    From the above, the Home Directory and the Root Directory are being affected. A setting of -2 usually corresponds with the following behavior:

    abFalse = 0

    abInherited = -2

    abTrue = 1

    This means that both settings will be pulled from the PARENT, which is the Settings Template called “Default Settings.”

    Why do you need to do this?

    In all honesty, this isn’t required; however, it is recommended. This helps ENFORCE settings even if an admin "breaks" security by changing a setting. Using a PowerShell script (not included) or a VB script like the one offered in this article allows you to create a very specific group policy for EFT. It is possible to enforce these settings with GS Auth, AD Auth/LDAP Auth, or even ODBC auth.

    Please see the following link for more areas that can be enforced via COM API:

    http://help.globalscape.com/help/gs_com_api/com_iciclientsettingsinterface.htm

    Requesting New Event Rule Automations for Clients

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Enterprise, all versions

    What to ask for when an employee or dept. has a requirement to transfer files from the EFT server

    DISCUSSION

    Most customers usually create tickets with specific information for file transfers, but struggle with understanding what information should be requested to transfer a file from external clients or to external clients.

    Below is an example of a request form showing the sort of information that should be included in a request. Feel free to make it your own.

    A Word doc with form fields is attached to this article.

    Business Process Request Form

    Requester Details

    Customer Name

    <Client’s Company>

    Project Name

    Requested By

    Requester Email

    Requester Phone

    Test Required

    Yes No

    Submission Date

    Click here to enter a date.

    Delivery Date

    Click here to enter a date.

    Business Need

    Business Need Description

    Please describe the business need.

    Source File Details

    Internal Path

    Please list the internal files path (UNC)

    Is the file uploaded to MIS/IT?

    Yes No

    Upload account

    MIX user account

    External Path

    Please list ftp server details if applicable

    External Server Name

    ftp.remoteserver.com

    Location Credentials

    Provide username and password

    List Protocol

    SFTP

    Required Port

    PKA(for SFTP)

    Yes No

    List Key Name

    Provide key Name

    Source File Mask

    Filesource.txt, *.txt, file*.*, file*.txt

    File Process Details

    File Rename Requirements

    Please list any file rename requirements needed at the destination location.

    File Encryption

    Yes No

    List Key Name

    Provide key Name

    File Decryption

    Yes No

    List Key Name

    Provide key Name

    Add Timestamp

    Yes No

    Timestamp Format

    MMDDYYHHMMSS

    Strip Timestamp

    Yes No

    Destination File Details

    Destination Type

    Internal UNC Internal FTP External Server

    Internal Destination Path

    Please list UNC internal location if applicable

    Internal FTP Server Name

    Location Credentials

    Provide username and password

    List Protocol

    SFTP

    Required Port

    PKA(for SFTP)

    Yes No

    List Key Name

    Provide key Name

    Destination File Type

    ASCII Binary

    Required Site Commands

    Please list all special site commands required by the destination host.

    External Server Name

    ftp.externalserver.com

    External Server Credentials

    Provide username and password

    External Destination Path

    Please list UNC external location if applicable

    Additional File Processing

    Please list any additional file processing needed.






    Completion and Signoff

    Note: All parties must approve this form prior to any rule going live in the production environment.

    Completed By

    Verified By

    Completion Date

    Click here to enter a date.

    Verified Date

    Click here to enter a date.

    Approved By

    Approval Date

    Click here to enter a date.

    Generate a report on users with the EFT Migration and Sync Tool

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v6 and later

    DISCUSSION

    User data is different than User configuration and is not in the ARM module. Only metrics from the user accounts who upload and download files are in the ARM database.

    There are two ways to extract information from EFT:

    1. The easiest and the best way is using the COM API included in EFT. It does require some skill in VB script and/or PowerShell.
    2. EFT Migration and Sync Tool. This is not a free utility, but allows any person to extract data and configuration from EFT without any coding skills.

    Configuring COM API

    COM API is required for any type of script to run and affect settings in EFT. This is true for EFT Migration and Sync Tool. It also requires the same functionality as VB scripting/PowerShell when connecting to the service.

    1. Remote administration must be enabled on EFT.
    2. Either the EFT administration interface must be installed or the DLLs must be on the system where the script is run: C:\Program Files (x86)\Common Files\Globalscape\SFTPCOMInterface\
    3. User ID of either a GS administrator account or AD auth (if you have HSM module).

    So how do we use the EFT Migration and Sync Tool to extract and run reports on the configuration from EFT?

    1. You will need to have a copy of the EFT Migration and Sync Tool, and it must be of the same version as that of the EFT service. That is, if you are running EFT v7.2, then you will need the EFT Migration and Sync Tool version for EFT v7.2.
    2. A database on a SQL server running anything above 2008 R2.
    3. Read and Write ability to the database.
    4. Ability to run EFTSettingsCreate.sql (included in the ZIP file with EFT Migration and Sync Tool.)
    5. Ability to create or compile reports from a SQL query or the help from a DBA who can write the queries for you.

    Modifying the EFT Migration and Sync Tool configuration:

    1. Open EFTutils.exe.config.
    2. Look for <connectionStrings>:

       connectionString="Server=localhost;Port=1100;Integrated Security=False;UserId=admin;password=admin;" />

       (There will be 2 of these, 1 above the SQL portion and 1 below the SQL portion.)

       connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=EFTSettings;Integrated Security=True"

    3. Replace .\SQLEXPRESS with your instance of SQL that has the new EFT Migration and Sync Tool database.
    4. Create an Export.cmd batch process and include the following:

       eftutils.exe export ALL "Mysite"

       It is important to remove /XML if you are familiar with the tool. The XML will not allow you to export it to the database.

    5. Run EXPORT.CMD and watch it export all of your configuration to the new SQL DB.
    6. Have the DB run a specific query for all user account data. This is only about configuration and does not include the Statistics as seen in the VB script version of exporting the User Configuration from EFT.

    *Note: The above process will generate a more in-depth result than the built-in search feature in the EFT administration interface.

    Running Reports on User Configuration with VB Scripting

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v6 and later

    DISCUSSION

    User data is different than User Configuration and is not in the ARM module. Only metrics from users who upload and download files are in the ARM database.

    (Refer to KB#11283 for details of using the EFT Migration and Sync Tool instead of scripting.)

    Configuring COM API

    COM API is required for any type of script to run and affect settings in EFT. This is true for EFT Migration and Sync Tool. It also requires the same functionality as VB scripting/PowerShell when connecting to the service.

    1. Remote administration must be enabled on EFT.
    2. Either the EFT administration interface must be installed or the DLLs must be on the system where the script is run: C:\Program Files (x86)\Common Files\Globalscape\SFTPCOMInterface\
    3. User ID of either a GS administrator account or AD auth (if you have HSM module).

    How do we use the script to enforce settings?

    Let’s start by breaking down the script.

    Connecting to EFT:

    CRLF = (Chr(13)& Chr(10))

    txtServer = "localhost"

    txtPort = "1100"

    txtAdminUserName = "test"

    txtPassword = "test"

    txtSiteName = "EFT FTP"

    txtSettingsLevel = "Default Settings"

    Modify Security Settings:

    In this case, no modification is required of the actual logic of the script.

    ' Read the account details of every user on the Site.
    For Each name In users
        Set userSettings = site.GetUserSettings(name)
        Fullname = userSettings.Fullname
        Locked = userSettings.IsLocked
        Phone = userSettings.Phone
        Fax = userSettings.Fax
        Pager = userSettings.Pager
        Email = userSettings.Email
        Custom1 = userSettings.Custom1
        Custom2 = userSettings.Custom2
        Custom3 = userSettings.Custom3
        Comment = userSettings.Comment
        PhysHomeDir = site.GetPhysicalPath(name)
        HomeDirString = userSettings.GetHomeDirString
        lastModifiedBy = userSettings.LastModifiedBy
        ' FormatDateTime(..., 1) returns the long date format.
        lastModifiedTime = FormatDateTime(userSettings.LastModificationTime, 1)
        lastconnectionTime = FormatDateTime(userSettings.LastConnectionTime, 1)
        accountCreationTime = FormatDateTime(userSettings.AccountCreationTime, 1)
        ' (The full script writes these values to the output file here.)
    Next

    As you can see, the script loops through ALL users on the EFT Site (specified in the section above) and collects the details of each user account.

    The run generates an “output_users.csv” file that can be imported into Excel or any other product.

    *Note: This process is only about extracting information from the EFT system for documentation and not about importing information from a RAW comma delimited text file.

    Refer to the following link for more areas that can be exported via COM API:

    http://help.globalscape.com/help/gs_com_api/com_iciclientsettingsinterface.htm

    Remove NULL Characters from a File Using Advanced Workflows

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v6 and later

    DISCUSSION

    The Advanced Workflow Engine, AWE, has numerous actions from which you can create an advanced workflow and insert it into an Event Rule to perform actions on files as they are transferred through EFT. This example workflow can be used to remove NULL characters from a file.

    Of course, you'll want to edit the values in the variables to match your environment/needs:

    Files are attached to this article to assist you with creating and testing the AWE workflow. Rename the file AWE Training Site_AWE Remove NULL Characters_renameToAML.TXT to AWE Training Site_AWE Remove NULL Characters.AML. Then you can import the AML file into EFT and use it as a template to create your own workflow.

    For details of importing, creating, and using AWE workflows, refer to the EFT help for your version of EFT.


    What is Common Access Card authentication?

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, version 6.4.3 and later

    QUESTION

    What is Common Access Card authentication?

    ANSWER

    A CAC is about the size of a credit card and, like a credit card, has a magnetic stripe on the back. It is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It can be used to enable physical access to buildings and computer networks and systems. Common Access Card (CAC) Authentication is available in EFT Enterprise for LDAP Sites with SSL (HTTPS or FTPS) enabled.

    When CAC is enabled on EFT Enterprise, clients are required to provide a certificate when connecting. Once the user’s certificate is validated, EFT Enterprise uses the Principal Name (UPN) taken from the Subject Alternative Name (SAN) field of the Signature Certificate to search for the user in LDAP and allow or deny access based on the information found. The certificate provisioned via the web browser must have an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT Enterprise maps the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, if a certificate is assigned to that user, and if the certificate exactly matches the one provided by the client, the user is allowed access.

    The user certificate must contain the Subject Alternative Name field "Other Name: Principal Name=" so that the UPN (User Principal Name) can be properly authenticated against LDAP (as shown below). Currently, all other SAN fields are ignored by EFT Enterprise. Certificates using exclusively "RFC822 Name=" are not sufficient. EFT Enterprise needs the Principal Name value.

    The certificate lookup process looks like this:

    1. EFT Enterprise looks for UPN entry in SAN field of certificate (i.e., the OID).

    2. EFT Enterprise performs an LDAP lookup using the LDAP Auth Manager specifications, searching against the user login attribute for the value found in the UPN entry of SAN.

    3. This lookup returns 0 or more "userCertificate" properties of the matched object, if found.

    4. For each returned userCertificate, EFT Enterprise does a cryptographically strong comparison of the LDAP-provided certificate and the one supplied by the CAC.

    CAC and WTC

    When CAC is enabled and an HTTPS connection is made, the Logout and Change Password buttons on the Java-enabled Web Transfer Client (WTC) are hidden. To log out, you must close the browser and remove your CAC card. WTC sessions time out immediately when the browser is closed. If a user navigates away from the WTC instead of closing the browser, and then goes back to the WTC page, the previous session is expired and a new session ID is generated. This prevents the WTC licenses from being locked when no one is using them.

    • The Account Management page is neither available nor necessary when CAC is enabled; there is no concept of logging out or changing passwords when using CAC.

    • CAC is only available on EFT Enterprise with an LDAP-authenticated Site.

    • CAC is incompatible with RADIUS, RSA, PCI DSS, ODBC, NT authentication, AD authentication, and Globalscape authentication. PCI DSS Compliance reports do not report on CAC-enabled Sites.

    When CAC is enabled on a Site:

    • The WTC uses the JSE instead of the Apache client. The JSE HTTP client provides NTLM v2 proxy authentication support.

    • Any attempt to access any of the account management pages causes a "page not found" error.

    • When HTTP and HTTPS are both enabled, the Redirect HTTP to HTTPS check box is selected and disabled, forcing redirection of HTTP traffic to HTTPS.

    • When FTPS is enabled, the username and password provided are ignored; the authentication is provided by the certificate.

    • The method EnableCAC can be used to enable CAC via the COM API.

    • The following major events are logged:

      • Could not find proper SAN field in certificate

      • The value received from the SAN field

      • If user had no certificates in LDAP

      • If certificates were present but no certificate matched

      • More than one user was retrieved when LDAP was queried (authentication is only attempted against the first one)
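
The certificate lookup process and the logged events listed above can be modeled as one decision function. This is an added example, not Globalscape code: the in-memory directory, the SAN tuples, the certificate byte strings, the event wording and the "User not found in LDAP" outcome are all constructed for illustration.

```python
import hashlib
import hmac

UPN_OTHERNAME = "otherName:UPN"  # constructed label for the SAN "Other Name: Principal Name=" entry

# Constructed stand-in for the LDAP directory (login attribute plus stored certificates).
DIRECTORY = [
    {"login": "jdoe@example.mil", "userCertificate": [b"DER-OLD", b"DER-JDOE"]},
    {"login": "nocert@example.mil", "userCertificate": []},
    {"login": "dup@example.mil", "userCertificate": [b"DER-OTHER"]},
    {"login": "dup@example.mil", "userCertificate": [b"DER-DUP"]},
]

def certs_equal(a: bytes, b: bytes) -> bool:
    """Compare the full encodings through SHA-256 digests, in constant time."""
    return hmac.compare_digest(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())

def cac_lookup(san_entries, client_cert_der, directory=DIRECTORY):
    """Return (allowed, events) for a client certificate that already passed validation."""
    # Step 1: only the Principal Name entry counts; an RFC822 Name alone is not enough.
    upn = next((value for kind, value in san_entries if kind == UPN_OTHERNAME), None)
    if upn is None:
        return False, ["Could not find proper SAN field in certificate"]
    events = [f"SAN value received: {upn}"]
    # Step 2: search the user login attribute for the UPN value.
    matches = [entry for entry in directory if entry["login"] == upn]
    if not matches:
        return False, events + ["User not found in LDAP"]
    if len(matches) > 1:
        events.append("More than one user retrieved; using the first")
    # Step 3: the lookup yields zero or more userCertificate values.
    stored = matches[0]["userCertificate"]
    if not stored:
        return False, events + ["User had no certificates in LDAP"]
    # Step 4: the presented certificate must exactly match one stored certificate.
    if any(certs_equal(cert, client_cert_der) for cert in stored):
        return True, events
    return False, events + ["Certificates present but none matched"]
```

The `dup@example.mil` entries show the last logged event in practice: the second directory entry holds the matching certificate, but only the first is tried, so access is denied.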

    Refer to Defining Connections (Sites) (or your version of EFT Enterprise) for details of creating an LDAP-authenticated Site that uses CAC.

    Error: "Connection profile does not exist on the other server"

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.1 and later

    SYMPTOM

    Error: "Connection profile does not exist on the other server"

    WORKAROUND

    To prevent this error:

    1. Create an Event Rule with a Connection Profile on the destination Site.
    2. Export the Event Rule that you just created.
    3. Open the Event Rule in a text editor and copy the Connection Profile GUID from the exported Event Rule.
    4. Open the Event Rule that you are trying to import in a text editor and paste the GUID from the new Event Rule into the old Event Rule.
    5. Import the old Event Rule into the new Site.

    On guest (external user) accounts, the value in Last Modified by field is "[ws-invite]".

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.1 and later

    SYMPTOM

    On guest (external user) accounts, the value in Last Modified by field is "[ws-invite]".

    WORKAROUND

    This behavior is as designed.

    MORE INFORMATION

    After an external user is invited, accepts the invitation, and then verifies their account on the server, a user account is created under the Default User Settings Template. The Last Modified value for the guest account is "[ws-invite]".

    Does EFT support SHA-2 cryptographic algorithms?

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, version 7.2.1 and later

    QUESTION

    Does EFT support SHA-2 cryptographic algorithms?

    ANSWER

    Yes. SHA256 is part of SHA-2, and EFT supports SHA256 for certificate verification.

    MORE INFORMATION

    To determine which type of certificate you are using, click the certificate details to find the "Signature Algorithm." Beginning February 14, 2017, browsers will no longer treat SHA-1-signed TLS certificates as trusted. All certificates used to secure browser-based communications need to be replaced.

    For details of the deadline, refer to http://www.infoworld.com/article/3064654/security/tick-tock-time-is-running-out-to-move-from-sha-1-to-sha-2.html.

    Contact your certificate vendor, such as GeoTrust or Verisign, to update your certificates to SHA-2.

    How to use Microsoft ADPlus to capture hang and crash logs for EFT Server

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v6 and later

    DISCUSSION

    In order for Support to properly determine the root cause of a crash or hang of EFT Server, the client must be able to provide a crash dump or a hang dump. This article describes the following procedures:

    1. How to use Microsoft ADPlus to capture hang and crash logs.
    2. Collect a hang/crash dump.
    3. Create and submit a case to support.

    IMPORTANT: Use of ADPlus to monitor crashes requires an active login on the system. Logging off will kill the ADPlus application. ADPlus can run while the server is locked, but the user must NOT log off while using it. You will also need to disable any automatic restarting of the EFT service to ensure that the dump files can be collected properly.

    Confirm if you are experiencing a Hang or a Crash

    • A Hang is when the process (cftpstes.exe) is still running in Task Manager but EFT does not respond to FTP/SSH/HTTP connections. It may also not respond to Administrator requests through COM or through the Administrator Interface.
    • A Crash is when the process (cftpstes.exe) is no longer running in Task Manager.

    Download ADPlus

    Download the 32-bit version of ADPlus from the URL below to capture the Crash or Hang dump.

    http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi

    **Although there is a 64-bit version of ADPLUS, you MUST use the 32-bit version regardless of OS, as EFT is a 32-bit process**

    Install ADPLUS

    Install ADPLUS, choosing the "custom" option, in the following folder: C:\dbtools

    Once ADPlus is installed, create the following folder: C:\ADPlusOutput

    For an Application Hang

    If you are investigating a hang, then the adplus.bat file should only be run when the system is hanging.

    Create an adplus.bat file, and then run the script. (**To run the batch file, right-click and "Run as Administrator"**)

    The batch file should look like this:

    ----------------------------------------------------------------------------------------------------------
    SET _CSCRIPT=C:\Windows\SysWOW64\cscript.exe
    SET _DTFWPath=C:\dbtools
    SET _OUTPUT=C:\ADPlusOutput
    "%_CSCRIPT%" "%_DTFWPath%\adplus.vbs" -quiet -hang -pn cftpstes.exe -o "%_OUTPUT%"
    ----------------------------------------------------------------------------------------------------------

    It will run then close itself out when finished. At that point go to the C:\ADPlusOutput folder and look for a folder with the name "Hang" and make sure there is a DMP file in it. (If there isn't, then you didn't catch the hang.)

    For an Application Crash

    If you are dealing with a crash, you can simply start the batch file; it will stay running. Do not log out of the system, as the user must remain logged in.

    Create an adplus.bat file, and then run the script. (**To run the batch file, right-click and "Run as Administrator"**)

    The batch file should look like this:

    ----------------------------------------------------------------------------------------------------------
    SET _CSCRIPT=C:\Windows\SysWOW64\cscript.exe
    SET _DTFWPath=C:\dbtools
    SET _OUTPUT=C:\ADPlusOutput
    "%_CSCRIPT%" "%_DTFWPath%\adplus.vbs" -quiet -crash -pn cftpstes.exe -o "%_OUTPUT%"
    ----------------------------------------------------------------------------------------------------------

    If the system crashes, go to the folder C:\ADPlusOutput, look for a folder with the name "Crash," and make sure there is a DMP file in it.

    Submit a Ticket to Support

    Once you have collected the hang dump or crash dump file, create a Support case and the Globalscape Support team will provide a drop off location for you to upload your files to along with any other necessary documentation.

    If Support requests a list of installed applications, refer to How to Collect an Installed Applications List.