Validation requirements for PCI DSS compliance depend on the merchant or organization’s tier. Some tiers require only that the organization complete a self-assessment questionnaire. Organizations that process many transactions will typically pay a Qualified Security Assessor (QSA) to evaluate whether the organization complies with all requirements for systems in PCI DSS scope as part of a mandatory quarterly scan. To further complicate matters there is no black-and-white standard by which a QSA will assess an organization; it’s up to the QSA to interpret the PCI DSS requirements the way they understand them. This can result in situations where two different QSAs will come up with different assessments even for the same organization! Interestingly, the final authority on compliance is still the payment card vendors (Visa, MC, Amex, etc.) who reserve the right to overrule a QSA’s assessment.

The self-assessment questionnaire (in the PCI DSS Quick Reference Guide) is a good start to determine how far out of compliance you might be and what it will take to get you into compliance.

For more information about the PCI DSS, refer to the PCI SSC Data Security Standards Overview. On that page, click the PCI Data Security Standard (PCI DSS) link to access numerous downloadable PDFs about the standard.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server (All Versions)
• DMZ Gateway (All Windows versions)
• Secure FTP Server (All Versions)

DISCUSSION

This topic describes how to tune Windows XP, Windows 2003, and Windows 2008 R1 & R2 operating systems for TCP/IP performance. "Tuning" involves adding several registry keys. To add a key to the registry, you can either edit it directly as described below or create and execute a .reg file. When you have finished adding or editing these registry keys, you must restart the Server. Configure the following settings or variables below according to your specific tuning needs. If necessary, refer to the GlobalSCAPE Knowledge Base article Q10411 - HOWTO: Windows Registry Settings, for the procedure for creating/editing keys and creating a .reg file.

These options are for advanced users only. Incorrectly editing the registry can severely damage your system. You should always back up (export a copy of) the registry before you make any changes to it.

REGISTRY KEYS

In all versions of Windows, add the keys described below. Certain keys/values depend on the operating system installed (noted in the Value name column where different).

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters

Subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Interface GUID}*

* {Interface GUID} is different for every system.

Your .reg file for Windows 2008 would look something like this:



Remember to reboot the server computer after making the registry changes.

On Windows 2008 (R1&R2), you must also disable autotuning:

• Open a command prompt and execute the following command:

netsh int tcp set global autotuninglevel=disabled

The default level is "normal." The possible settings include:

• disabled: uses a fixed value for the tcp receive window. Limits it to 64KB (limited at 65535).
• highlyrestricted: allows the receive window to grow beyond its default value, very conservatively
• restricted: somewhat restricted growth of the tcp receive window beyond its default value
• normal: default value, allows the receive window to grow to accommodate most conditions
• experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended as it can degrade performance in common scenarios; only intended for research purposes. It enables RWIN values of over 16 MB)

THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION:

How do I remove a TappIn folder share?

ANSWER:

1. Navigate to the TappIn icon on the systray located in the bottom right corner of the screen as shown below:
2. Click on the TappIn icon and choose TappIn Folders.
3. A new screen will appear in the browser window under Libraries | My Files.
4. Click on the gear icon beside the device that the share exists on:
5. The Manage Folders screen will appear. Locate the folder for which the share will be removed. Click Remove.
6. A new screen will appear requesting validation. Click Remove.
7. Click Continue. If this is the correct TappIn folder, then click Remove. A new screen will appear without the TappIn folder share.
8. Click Continue.
9. The My Files page will appear with the TappIn folder share no longer listed.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION:
How do I establish a TappIn folder share?

ANSWER:
There are default shares automatically established for user convenience; however, follow the steps below to share out another folder or folders.

1. Navigate to the TappIn icon on your systray located on the bottom right corner of your screen as shown below:

2. Click the TappIn icon and choose TappIn folders:

3. The Libraries / My Files page will appear in the browser window as pictured below:

4. Click on the gear / cog icon as shown below.

5. A new screen will appear titled Manage Folders. In the bottom right corner click Make Another Folder Available.

6. Choose either Drives or Network depending on the location of the folder or item you want to share. Make note of the Windows User Tip as pictured below.

7. The view will expand and show a more detailed folder structure. Select the file and contents to be shared. Make note of the Folder Path, Folder Name (this can be changed provided the name does not already exist), and Permissions (choose Read-Only or Read-Write). Read-write will allow a remote share holder the ability to change the folder and file contents.

8. Next click Add. The screen will switch back to Manage Folders, and you should now see your new share listed.
9. Click Continue at the bottom of the page.
10. The new TappIn folder share will be setup on the My Files page below Libraries.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server, version 6.x

SYMPTOM

Call to a COM method throws an "MX Error: 52 (0x00000034)."

RESOLUTION

"MX Error: 52 (0x00000034)" means that the COM object needs to refreshed. That is, you must invoke the ICIServer method RefreshSettings().

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• Mail Express, v3.3.2 and later

DESCRIPTION

The Mail Express Outlook Add-in has several dependencies which the help guide details and provides installation information for. This KB article describes special case scenarios to consider that supplement the information in the help guide.

Microsoft Outlook 2013 Primary Interop Assembly

The steps to install the PIA after Microsoft Outlook is installed are as follows:

• From the Windows Control Panel choose “Programs and Features.”
• Select “Microsoft Office 2013” from the list of installed programs.
• Press the “Change” button, select the “Add or Remove Features” radio button, and then press the “Continue” button.
• Expand the “Microsoft Outlook” node and then choose the “Run from My Computer” menu option for the “.NET Programmability Support” feature and finally press the “Continue” button.

A similar approach can be taken to install the PIA when installing Outlook for the first time.

MORE INFORMATION

For versions of Outlook prior to Outlook 2013, the PIA can be downloaded from Microsoft’s web site or can be installed via the Mail Express Add-in Bootstrapper. Please consult the Mail Express help guide for more information.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server, version 6.x and later

SYMPTOM

Java Security Warning prompt appears while the Web Transfer Client (WTC) is loading.

RESOLUTION

Click Don’t Block. The WTC will finish loading and be fully functional.

MORE INFORMATION

As of Java update 7u21, Java has started warning users of potentially unsafe code when web applications they are about to run contain JavaScript code that is used with trusted Java components. A dialog, shown above, gives the user the option to block the application or to keep going.

Java provides a mechanism for keeping the user from being prompted and it has been implemented for the WTC. However, until the fix has been propagated to EFT Server, there is a temporary workaround to avoid displaying the prompt every time the WTC is started. You can disable the prompt in the Java Control Panel.

To disable the prompt

1. Click Start > Control Panel, then click the Java icon. (Or click Start > Run, type/paste: c:\Program Files (x86)\Java\jre6\bin\javacpl.exe, then click OK. This is the default path; your path may differ.)
2. In the Java Control Panel, click the Advanced tab, and scroll toward the bottom of the dialog box.
3. In the Mixed code area, click Enable - hide warning and run with protections.
4. Click OK.

This should be considered a temporary solution as hiding this prompt may allow malicious software to have access to the client and server systems.

For more information about the Mixed code options, refer to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html#jcp

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• All GlobalSCAPE products, all versions

DISCUSSION

The attached PDF provides information regarding Section 508 Compliance Voluntary Product Accessibility.

For more information about Section 508 compliance, refer to http://www.section508.gov/.

• Secure FTP Server (All Versions)
• EFT Server (All Versions)

QUESTION

How can the EFT Server or Secure FTP Server service loading order be changed/delayed?

ANSWER

Windows 2008 and 2012:

To delay start of the EFT server service on a Windows 2008 server that needs to be very sequence driven, you will need to perform the following steps to use the Windows built-in Delay Start option:

1. Do one of the following to open the Services Microsoft Management Console (MMC) snap-in:

• In Windows 2008: Click Start, type services.msc in the search box, then press ENTER.
• In Windows 2012: In the Server Manager, click Tools > Services.

Windows 2003 or earlier:

Caution: The following steps involve editing the Windows registry on the server computer. Incorrectly editing the registry may severely damage your system. These instructions are intended for the advanced user who is prepared to both edit and restore the registry. We recommend that you backup the registry before proceeding.

1. Start Registry Editor and navigate to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

2. Double-click on the list entry and add a new value in the list named GlobalSCAPE. Place the new value into the list at the point in the startup sequence where you want the Server service to start. (For example, to configure it so that the Server service starts after all other services, place the GlobalSCAPE value at the end of the list.)

3. Click OK to close the editing screen.
4. Navigate to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GlobalSCAPE EFT Server (or Secure FTP Server)

5. Right-click on the name of the subkey, click New and then click String Value.
6. For the name, type Group.
7. Double-click to modify the newly created Group entry and type GlobalSCAPE for the value.
8. Click OK and then close Registry Editor.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• version 6.5 and later

QUESTION

How do I use the COM API to copy (duplicate) Advanced Workflows or import existing Workflow files (.aml)?

ANSWER

To copy and import workflows using the COM API, you can to use the Site methods AddAdvancedWorkflow and GetAdvancedWorkflowParams.

MORE INFORMATION

Review the examples below, or download the attached examples (scroll to the bottom of page for the attachment). Don’t forget to change your admin login credentials in the script and point to the correct Site index (set to Site ‘0’ by default, meaning the first Site created in EFT).

(You can also copy and import AWE workflows in the EFT administration interface.)

Copy Workflow:

Import Workflow:

This article is duplicated (and updated) in article 10666 - Upgrading Secure FTP Server v3.3 to EFT Server v6.x. Please refer to that article for information.

If you have bookmarked this page, please redirect your bookmark to the link above. Sorry for the inconvenience.

• Upgrading Secure FTP Server version 3.3.10 to EFT Server (SMB) version 6.2.31

**Secure FTP Server is no longer a supported product, and is not compatible with Windows 2008.

Also refer to article #10359, Moving Secure FTP Server from One Computer to Another Computer.

Note: If you are running a version of Secure FTP Serverversion 3 earlier than v3.3.10, you must first upgrade to v3.3.10 beforeupgrading to EFT Server. EFT Server 6.x.x installer is expecting SecureFTP Server to be version 3.3.10. For this reason we strongly recommendthat you upgrade to Secure FTP Server 3.3.10, if you are not already onthat version. You can download Secure FTP Server v3.3.10 at ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe. Refer to the procedure at the bottom of this article for details of upgrading Secure FTP Server.

DISCUSSION

The process for migrating a Secure FTP Server 3.3.10 configuration toa new server running EFT Server 6, which includes all Event Rules, useraccounts, keys, etc., is straight forward and should only take about 20to 45 minutes. (It is not necessary for EFT Server to have beeninstalled on the old server; EFT Server v6 will properly convert thefiles for Secure FTP Server 3.3.10 **. Nor is it necessary for the OS tobe the same version on the new server as on the old server; the newinstallation of EFT Server will correctly conform itself to the newserver OS.) While it used to be possible to do a migrating upgrade fromSecure FTP Server 3.3.10 directly to the latest version of EFT Server 6,and this process continues to be successful in some situations, therehave been sufficient problems caused by this extreme jump that we nowstrongly recommend performing a stepping upgrade through EFT Server6.2.31. To obtain the installer for EFT Server 6.2.31, browse to theReplacement Software Downloads page [http://www.globalscape.com/support/reg.aspx]of our website. Once the installer is downloaded, use the migrationguide below to move the Secure FTP Server 3.3.10 configuration to thenew server running a straight installation of EFT Server 6.2.31. Afterverifying that the configuration is working properly for EFT Server6.2.31, please use the upgrade instructions to upgrade to EFT Server 6.4.x; then you can upgrade to v6.5 or later. (Upgrades are supported only within 2 version numbers.)

Please note that per Globalscape policy for liability reasons,Support does not upgrade or migrate the servers of our clients,but provides instructions or guidance for accomplishing the process.While Support does not upgrade or migrate servers for our clients, it ispossible to acquire an upgrade package from our Professional Servicesteam to have them personally handle the process.

Migration from Secure FTP Server 3.3.10 to EFT Server 6.2.31

Prepare:

1. Ensure that EFT Server 6 is compatible with your server by checking here: http://help.globalscape.com/help/eft6-5/system_requirements_for_server.htm.

2. Request and receive a new EFT Server 6 licenses (if you have a Secure FTP Server or EFT Server 4 or 5 serial numbers) and a new DMZ 3 licenses (if you have a DMZ Gateway 1 or 2 serial number) from your account representative.

3. Download EFT Server 6.2.31 from http://www.globalscape.com/support/reg.aspx, making certain to specify correctly the installer that corresponds with the EFT Server license. (You must have the EFT Server (SMB) installer for an EFT Server (SMB) serial number and the EFT Server Enterprise installer for the EFT Server Enterprise serial number].

4. Ensure that the account used to log in to Secure FTP Server 3 is a unique account within Secure FTP Server (this is critical) and not a local server or domain account. During the upgrade process, all local server or domain accounts will be locked out of EFT Server unless you own the High Security Module (HSM); use this article if you need assistance changing it: http://help.globalscape.com/help/secureserver3/Change_global_administration_password.htm.

5. Stop the Secure FTP Server 3 service to ensure all settings are preserved; once the ftp://ftp.cfg/ copy is complete, the service can be restarted.

6. Create a migration folder on the new server and add the appropriate application data files from C:\Program Files\GlobalSCAPE\Secure FTP Server:

   • FTP.cfg and FTP.bak

   • *.aud

   • All pgp keys (*.skr, *.pkr)

   • All SSL certificate files (*.cer, *crt)

   • All SSH key files (*.pvk, *.pub)

   • Any scripts or .bat files

   • Any custom reports

7. Ensure that the Secure FTP Server 3.3.10 site data folders are copied to the new server (default location is C:\inetpub\EFTRoot) using the exact same folder structure as exists on the old one (e.g., if it is D:\EFTRoot on the old server, make certain it is D:\EFTRoot on the new server). Otherwise, it will be necessary to point each Site to the correct location and potentially set the folder permissions. [Instructions for moving the Site Root can be provided upon request.]

Migrate:

1. Use the installer to install only EFT Server, without the ARM Database module, on the new server (uncheck the box to start the service) [Installing EFT Server: http://help.globalscape.com/help/eft6-4/mergedprojects/eft/installingserveradministratormodules.htm]

2. Add the EFT Server service account to run the EFT Server service. [Our best practice is to have a windows or domain account that starts the windows service (services.msc) for the EFT Server.]

3. Ensure that the EFT Server service account has full rights to the application data directory and the Site data directory.

4. Copy the application data files from the migration folder to the correct places, overwriting any files, as needed. If the EFT Server was installed to the default location, copy the files to this folder:

   Windows Server 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

   Windows Server 2008: C:\ProgramData\GlobalSCAPE\EFT Server

5. Start the EFT Server service and log in to the administration interface.

6. Register EFT Server and all modules, including the DMZ Gateway 3 serial number.

7. On the Server's (Local Host) Administration tab:

   • Set the Listening IP address correctly

   • Click the Configure button for the Require SSL for remote administration and point to the SSL certificate.

8. On the Server's Security tab:

   • Set the Allowed SSL versions to Defined and clear the SSL 2.0 option. [This protocol is no longer secure.]

   • In the Allowed ciphers field, move RC4 128 bit cipher up to first in the Priority list. [This works around the SSL Beast exploit.]

9. On the Server's Logs tab, point Folder in which to save log files to the correct directory path. [This typically consists of pointing to the new Logs folder in the application data directory, such as C:\ProgramData\GlobalSCAPE\EFT Server.]

10. On each Site's Connections tab:

    • Set the Listening IP address correctly

    • Click SFTP Config and specify the SFTP private key location.

    • Click Configure for SSL Certificate settings and specify the Certificate and Private key locations.

11. On each Site's Security tab:

    • Click Configure for Invalid login options, and set Ban IP address after to 12. [This eliminates the ability of end users to get themselves banned but does not compromise security against attackers.]

    • Click Count both ‘incorrect username’ and ‘correct username + incorrect password'. [This provides stronger security against attackers.]

12. Verify that the Site is working properly by testing connections, Event Rules, and reports.

Upgrading EFT Server 6.2.31 to v6.3.x or 6.4.x

Prepare:

[**Pleasenote that the installer for EFT Server or EFT Server Enterprise withthe SQL Server Express for ARM database is only needed for the firsttime the ARM module is installed and then only if the free SQL ServerExpress 2008 is to be used instead of a full licensed version of SQLServer. Following the initial installation this larger installer willnot be needed as both versions will successfully setup and/or upgradethe ARM module.]

1. Download EFT Server [and the DMZ Gateway module if needed] from one of the following:

   • EFT Server (without SQL Server Express for ARM database): http://globalscape.com/support/srv.aspx

   • EFT Server Enterprise (without SQL Server Express for ARM database): http://globalscape.com/support/eft.aspx

2. Stop the EFT Server service (this must be done to ensure all settings are preserved; once the ftp://ftp.cfg/ copy is complete, the service can be restarted).

3. Create a backup of the EFT Server application configuration:

   • If running EFT Server Enterprise, run the Backup and Restore wizard as explained here, and then proceed to step 4:

     http://help.globalscape.com/help/eft6-4/mergedprojects/eft/backing_up_or_restoring_server_configuration.htm

   • If the EFT Server was installed to the default location, then copy the following files:

     • ftp://ftp.cfg/ and ftp://ftp.bak/

     • *.aud

     • Any custom AWE *.awl files

     to a backup folder:

     Windows 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

     Windows 2008: C:\ProgramData\GlobalSCAPE\EFT Server

4. Create a backup of the registry.

Upgrade:

1. Use the new EFT Server installer to upgrade EFT Server 6.2.31 and, if using ARM, install/update the database. Before clicking finish, clear the Start the Server service check box.

2. Add/verify that an EFT Server Service account is set to run the EFT Server Service. [Our best practice is to have a Windows or domain account that starts the Windows service (services.msc) for EFT Server.] Ensure that the EFT Service account has full rights to the application data directory and the Site data directory.

3. Start the EFT Server service.

4. If you use or will be using the Secure Ad Hoc Transfer (SAT) Module or DMZ Gateway Module, use the corresponding installers and the following instructions to install or upgrade.

   • Installing/Configuring ARM: http://help.globalscape.com/help/eft6-4/mergedprojects/arm/installingandconfiguringarm.htm

   • Installing/Upgrading SAT http://help.globalscape.com/help/SAT3/toc_installingsecure_ad_hoc_transfer.htm

   • Install/Upgrade DMZ Gateway: http://help.globalscape.com/help/dmz3/toc_installing_dmz_gateway.htm

5. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports

   • For EFT Server Enterprise 6.3.x and later, all Event Rule syntax is strictly enforced; entries in EFT Server Enterprise 6.2 for Events Rules where the Source or Destination virtual paths worked without a “/” at the beginning will fail. Instead each virtual path must look like this /rootfolder/ or this /rootfolder/subfolder/.

   • Additionally, in EFT Server Enterprise 6.4.x and later, all outbound connection Event Rules use the IP address specified in the Event Rule. (Refer to http://help.globalscape.com/help/eft6-4/mergedprojects/eft/copy_move_file_to_host_action_help.htm item 15b.)

   • For EFT Server 6.3.x and later, all rebranding done in prior versions will not work with the newer versions it will be necessary to brand the WTC, PTC, etc. using the new rebranding instructions.

Rollback:

1. Uninstall the newer EFT Server version.

2. If nothing else changed between the newer EFT Server install and rollback process, restore the registry.

3. Install the previous EFT Server version, skipping the ARM portion. (Before clicking finish, clear the Start the service check box.)

   • If running EFT Server SMB, paste the backup of the previous EFT Server version folder over the default location, the start the Server service.

     Windows 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server

     Windows 2008: C:\ProgramData\GlobalSCAPE\EFT Server

   • If running EFT Server Enterprise, start the EFT Server Service, then log in to the administration interface and run the Restore wizard (http://help.globalscape.com/help/eft6-4/mergedprojects/eft/backing_up_or_restoring_server_configuration.htm.)

4. If the Auditing and Reporting Module (ARM) was active, restore the ARM Database. (The reports will not function until the restore is complete.)

5. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.

Upgrading Secure FTP Server v3.x to v3.3.10

Prepare:

1. Create a backup of the Secure FTP Server 3.x.x application configuration: (Windows 2003) C:\Program Files\GlobalSCAPE\Secure FTP Server.
2. Copy the following items to a backup folder: ftp.cfg, ftp.bak, and *.aud
3. Create a backup of the registry.
4. If the Auditing and Reporting Module (ARM) is active, create a back-up of the database.

Upgrade:

1. Download Secure FTP Server 3.3.10: ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe.
2. Use the Secure FTP Server 3.3.10 installer to upgrade Secure FTP Server. [http://help.globalscape.com/help/secureserver3/Upgrading_the_Software.htm]
3. Add the Secure FTP Server Service account to run the Secure FTP Server Service.
4. Ensure that the Secure FTP Server Service account has full rights to the application data directory and the Site data directory.
5. Start the Secure FTP Server service.
6. Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.

Rollback:

1. Stop the Secure FTP Server service.
2. Paste the backed up Secure FTP Server folder over the new installation (default=C:\Program Files\GlobalSCAPE\Secure FTP\).
3. Start the Secure FTP Service.
4. Verify that the Secure FTP sites are working properly by testing connections, Event Rules, and reports

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• CuteFTP, all versions

SYMPTOM

"Automatically detect remote Server time zone" doesn't work for SFTP or HTTP/S protocols; The remote file time stamps are not converted to local time.

RESOLUTION

When using SFTP or HTTP/S manually configure the remote time zone instead of using the "automatically detect" feature.

MORE INFORMATION

The Site Property > Type option "Automatically detect"check box causes the remote pane to display remote file times converted to the remote server's local time zone. Currently no remote time zone conversion is being done with this configuration if the protocol selected is SFTP or HTTP/S. This feature applies only to FTP sites.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• Mail Express, v3.1 and later

SYMPTOM

When a potential Internal user picks up a Mail Express package before creating an Internal account, both an Internal and External account are created.

RESOLUTION

To avoid both accounts being created, create a script that can be deployed (via Group Policy or other management system) when a user logs in to the network to automatically open Internet Explorer (IE), navigate to the Mail Express Internal Portal (thereby creating the Internal User via Single-Sign-On), and then close IE.

Note: Active Directory and Kerberos authentication must be configured and enabled in Mail Express for SSO to work.

Example script:

start /MIN /d "C:\Program Files\Internet Explorer" iexplore.exe <internal portal URL>
PING -n 10 localhost >NUL
"C:\Windows\System32\taskkill.exe" /f /t /im iexplore.exe

MORE INFORMATION

Mail Express has three types of standard users: Internal, External, and Pick-up Only. Internal accounts are created either by connecting with an Outlook Add-in, logging in to the Internal Portal (using AD credentials), or an administrator manually creating an account. External accounts are created either by the Invite process, Pick-up authentication process, or an administrator manually creating an account. When a user receives a file via Mail Express that requires authentication to download, they are asked to either log in with credentials that have already been created or they must create a new account. If they need to create a new account, that account with be either External or Pick-up Only (depending on what the sender has specified). If that recipient also has the ability to create an Internal account, but has not yet created one, an Internal and External (or Pick-up) account could both be created.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server, version 6.x

SYMPTOM

When using Tunnelier SFTP client, EFT allows the user to change the password to initial the password even though EFT settings prohibit doing so. (i.e., Allow users to reset their passwords, Force user to change their first-time password immediately upon first use, and Prohibit reuse of previous check boxes are all selected.)

RESOLUTION

Use CuteFTP^®.

MORE INFORMATION

This is not a defect in EFT, but occurs because of the way that Tunnelier handles password changes. Specifically, after EFT requests a password change, Tunnelier (v4.60) responds by first sending EFT a new blank password, regardless of the password entered by the user. Tunnelier then sends the initial password provided by the user. From the user’s perspective, this appears as if EFT has allowed the user to bypass the "Prevent use of previous" setting. In actuality, the password was first changed to the blank password and then back to the initial password and thus is not applicable to the "Prevent use of previous" setting.

Our testing with other SFTP clients such as CuteFTP 9 and WinSCP 5.15 was unable to reproduce the issue, which seems to indicate that this behavior is unique to Tunnelier.

For details of EFT's password complexity settings, refer to Enforcing Complex Passwords on the Site.

• EFT Server (All Versions)

How can I purge EFT data from my SQL database?

ANSWER

Use the procedure in http://help.globalscape.com/help/eft6-5/mergedprojects/arm/purging_data_from_the_database.htm to purge EFT data from your SQL database.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• CuteFTP, all versions

DISCUSSION

You can make changes to various settings in CuteFTP for optimum performance when transferring a large number of files at the same time. Making a few adjustments to the settings in CuteFTP's Global Options can prevent the initial connection from being used for transfers and/or improve the responsive of CuteFTP. Refer to http://help.globalscape.com/help/cuteftp9/improving_cuteftp_performance.htm for detailed instructions.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• CuteFTP Pro^® (All Versions)
• CuteFTP v9 and later

DISCUSSION

You can automate file transfers using CuteFTP in the following ways:

• You can interact with the Transfer Engine directly using common programming languages such as Visual Basic or in another scripting language supported by the Windows Scripting Host. Or you can create a script using CuteFTP itself. To create a new script file, you need to have some familiarity with programming concepts and ideally, some experience with Visual Basic or Java. For additional information on using scripts see the help file topic titled Using Scripts to Transfer Files.
• You can use the Folder Monitor feature, which will automatically upload any new or modified files or folders added to a specific local folder. The upload will occur automatically or you can choose to have the folder checked every n seconds. For additional information see the help file topic titled Monitoring a Local Folder for Changes Using the Folder Monitor Wizard.
• You can also use the Synchronize Folders tool to automatically make the contents of a remote and local folder exactly the same on a scheduled basis. For example, to upload all new or changed files in a particular folder on the local system from the local system to a remote system set this to Mirror Local which keeps the local folder the same and changes the remote folder to match. Other mirroring options are also available. For additional information see the help file topic titled Synchronizing Folders Using the Folder Synchronization Wizard.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server, version 6.x

SYMPTOM

Cannot connect to EFT using LDAPv2

RESOLUTION

Modify the default MaxPageSize in ADSIEDIT.MSC or GPO, and the advanced LDAP settings in EFT.

In ADSI EDIT:

In EFT (on the LDAP Site's General tab), edit the Override search page size setting:

MORE INFORMATION

If you try to log in using an AD account that doesn't show up in EFT, it denies the authentication. Increasing the search page size allows the accounts to appear.

From http://support.microsoft.com/kb/315071: MaxPageSize - This value controls the maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. This is to group the returned results in groups that are no larger than the MaxPageSize value. To summarize, MaxPageSize controls the number of objects that are returned in a single search result.The default value is 1,000.

For more information about MaxPageSize, refer to http://searchwindowsserver.techtarget.com/tip/Limiting-LDAP-searches-with-MaxPageSize.

THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT Server, all versions

DISCUSSION

Following is an explanation of firewall rules needed for each protocol/mode to work:

For information about defining a range of ports, refer to"Specifying a PASV IP or Port Range" in the help documentation.

The ideal scenario is to support both Implicit SSL and Explicit SSL, when possible. From the server side, this support would look like this:

• INBOUND ports 21 from ANY
• INBOUND ports 990 from ANY
• INBOUND ports 28000-30000 from ANY
• OUTBOUND ports from source port 20 to ANY
• OUTBOUND from source port 989 to ANY

From the client view point:

• It is far simpler, easier, more secure, and more fool-proof to use Implicit SSL in PASV mode.
• Only OUTBOUND connections from their trusted network need to be allowed at that point. This reduces the security risk, avoids the need to set up complex firewall or NAT rules to maintain and conflicts to resolve, and it is encrypted from the moment the socket is opened.

Explicit SSL in PASV mode is the second-best choice. Sometimes Explicit SSL is the only FTPS type supported by some older legacy platforms, so there may not be any getting around that. But if Explicit SSL is used, then it is important to remember that Explicit SSL works by the client opening a socket and briefly communicating with in clear-text FTP mode, then issuing the AUTH_SSL or AUTH_TLS command to make the switch to SSL-encrypted FTP. This can cause problems withsome firewall/NAT devices. These devices recognize, and latch onto clear-text FTP connection, and then have no idea how to react during the SSL negotiations. It can often react by blocking any further communication that does not confirm to its idea of standard FTP. This is an exception, not the rule, but it is not rare, so be on the lookout for that.

PORT mode applies equally to both Explicit and Implicit SSL. The problem is that they have clients capable of being configured to issue public IP address and specific ports if client is behind NAT, as is always the case, as a part of the PORT command. It is a rare feature to have. But, they must also manage their firewall/NAT devices so as to appropriately allow direct incoming traffic from the untrusted public internet. This is rarely desirable, and it is never preferable when compared to PASV mode. It is not necessarily impossible, just potentially more painful and require intricate management and maintenance by administrators on the client side, deepening the furrows in the firewall and security personnel's collective brow. Usually this is only done when absolutely necessary due to legacy applications that have limitations wich simply cannot be addressed in any other manner.

Note: The ports listed above are the default port configurations for EFT. These ports can be configured for alternate ports within the application.