Channel: GlobalSCAPE Knowledge Base

EFT Server v6.4 does not work with DMZ Gateway v3.3

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server v6.4.x
  • DMZ Gateway v3.3.x

SYMPTOM

EFT Server v6.4.x cannot work with DMZ Gateway v3.3.x.

RESOLUTION

To use DMZ Gateway v3.3.x, you must upgrade to EFT Server v6.5.x. EFT Server v6.4.x only works with DMZ Gateway v3.2.x.


Extra Java security warnings appear when trying to run the application

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express, v3.3 and later
  • EFT Server, v6 and later
    • Web Transfer Client (WTC)
    • Secure Ad Hoc Transfer Client (SAT)

SYMPTOM

Extra Java security warnings appear when trying to run the application.

RESOLUTION

  • Contact Support for the updated JAR files. (Installing a new JAR requires clearing the Java cache. Refer to "How do I clear the Java cache" for details.)
  • Upgrade to the latest versions of our software as they become available.
  • Allow the software to run when presented with the Java security prompt.

For EFT's WTC or SAT:

Do the following depending on whether you have Java 7u45 installed:

  • When Java 7u45 is installed with older versions of our software, you can allow the software to run when presented with the Java security prompts. When you install the updated versions of our software or the updated JAR files, you will no longer receive the extra prompt.
  • If a version of Java earlier than u45 is installed with any versions of our software, you will need to change the security level as shown below or else the WTC and SAT clients will not run at all.

For Java versions older than u45:

    1. Click Start > Control Panel > Java. The Java Control Panel appears.
    2. Click the Security tab.
    3. Set Security Level slider to Medium, then click OK.

For Mail Express:

If you are using a version of Java prior to 7u45, the Java-enabled uploader in Mail Express portals may present this prompt when you attempt to send an email:

If you can update your Java version:

  • Click Update and you will no longer see the prompt.

If you do not want to update your Java version:

  • Open the Java Control Panel, and on the Advanced tab specify a Mixed code setting:
    • Enable – show warnings if needed—With this option set, there is a prompt that asks the user to either block or unblock the email when you attempt to send an email from the upload portal.
    • Enable – hide warning and run with protections—This option does not alert the user that there is a discrepancy in the Java software. This second option provides the best user experience.

MORE INFORMATION

As of Java 7u25, the "Permissions" and "Caller-Allowable-Codebase" manifest attributes were added to Java. As of Java 7u45, these attributes are required by the JRE to avoid extra user prompts. These attributes will be added to upcoming versions of our software. Upgrade to the latest versions as they become available.

For more information about the Java update, refer to https://blogs.oracle.com/java-platform-group/entry/updated_security_baseline_7u45_impacts.

"The Java Security Baseline has been increased from 7u25 to 7u45. For versions of Java below 7u45, this means unsigned Java applets or Java applets that depend on Javascript LiveConnect calls will be blocked when using the High Security setting in the Java Control Panel."
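To tell whether a deployed JAR already carries the two manifest attributes described above, the following added example (not Globalscape's code) reads the main section of META-INF/MANIFEST.MF and reports what is missing. The function names and the sample manifests are constructed for illustration; the value checks (sandbox/all-permissions, wildcard caller list) follow Oracle's definition of these attributes rather than anything stated in this article.

```python
import io
import zipfile

# Attributes the article says Java 7u45 requires to avoid the extra prompts.
REQUIRED = ("Permissions", "Caller-Allowable-Codebase")
MANIFEST_PATH = "META-INF/MANIFEST.MF"


def parse_main_section(text):
    """Return the manifest's main-section attributes as {lowercase name: value}."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                break                    # first blank line ends the main section
            continue
        if line.startswith(" ") and last:
            attrs[last] += line[1:]      # continuation of a wrapped value
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()  # attribute names are case-insensitive
            attrs[last] = value.lstrip(" ")
    return attrs


def audit_jar(jar_bytes):
    """Return a list of findings for one JAR; an empty list means both attributes look sane."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read(MANIFEST_PATH).decode("utf-8", errors="replace")
    except zipfile.BadZipFile:
        return ["not a readable JAR"]
    except KeyError:
        return ["no " + MANIFEST_PATH]
    attrs = parse_main_section(text)
    findings = ["missing " + name for name in REQUIRED if name.lower() not in attrs]
    perms = attrs.get("permissions")
    if perms is not None and perms.strip() not in ("sandbox", "all-permissions"):
        findings.append("invalid Permissions value: %r" % perms.strip())
    if "*" in attrs.get("caller-allowable-codebase", "").split():
        findings.append("Caller-Allowable-Codebase is a wildcard")
    return findings


def build_jar(manifest_text):
    """Build an in-memory JAR holding only a manifest (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST_PATH, manifest_text)
    return buf.getvalue()


# Constructed manifests: one without the attributes, one with them (the caller
# list is wrapped onto a continuation line), one with a wildcard caller list
# followed by a per-entry section that must be ignored.
OLD = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
UPDATED = ("Manifest-Version: 1.0\r\n"
           "Permissions: all-permissions\r\n"
           "Caller-Allowable-Codebase: files.example.com transfer.exa\r\n"
           " mple.com\r\n\r\n")
WILDCARD = ("Manifest-Version: 1.0\r\n"
            "Permissions: sandbox\r\n"
            "Caller-Allowable-Codebase: *\r\n\r\n"
            "Name: demo/App.class\r\nPermissions: bogus\r\n\r\n")

if __name__ == "__main__":
    for label, manifest in (("old", OLD), ("updated", UPDATED), ("wildcard", WILDCARD)):
        print(label, audit_jar(build_jar(manifest)) or "ok")
```

After replacing a JAR, clear the Java cache as noted in the resolution above before re-testing, otherwise the cached copy is what the plug-in loads.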

Download the current Java version from: http://www.java.com/en/download/manual.jsp.

Changing a User Password on AD/LDAP Sites

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server versions 5.2.5 and later

QUESTION

Can I turn on/off the Change Password feature for AD users in the Web Transfer Client?

ANSWER

Active Directory (AD) and LDAP Site users can change their AD password through the Web Transfer Client (WTC). If changing the password is disabled by EFT, the Change Password button is not available.

When a user attempts to change the account password, the following errors are possible. You can customize the error messages by creating text files with the following names and saving them in the EFT installation directory \web\public\EFTClient subdirectory (e.g., C:\Program Files\Globalscape\EFT Server Enterprise\web\public\EFTClient):

  • Current password is entered incorrectly (PasswordChg_PasswordWrong.txt)

  • Network connection error (PasswordChg_NetworkProblem.txt)

  • User does not have permission by AD to change the password (PasswordChg_Permission.txt)

  • New password does not meet the AD complexity requirements (PasswordChg_PasswordComplexity.txt)

  • Current password is about to expire (PasswordChg_PwdWillExpire.txt)

If the text files identified above do not exist when an error occurs, the default text provided within EFT is presented to the user.

The location of these files can be modified by running the PasswordChg_MsgFileLocation.reg script, which is located in the EFT installation directory Client subdirectory. You must first edit the PasswordChg_MsgFileLocation.reg script to specify the new location.

The WTC change password capability can be turned on/off through the PasswordChg_NTADLDAP registry key. By default, the password change ability is "off."

  • If you have enabled the "User must change password at next logon" feature in AD, you must enable (set to "on") the registry setting below.
  • If you have enabled the "User cannot change password" feature in AD, users will not be able to change their passwords.

In version 6.2 and later, two registry scripts are provided to enable/disable the password change feature. These registry scripts are located in the EFT Server installation directory \web\public\EFTClient subdirectory.

  • PasswordChg_NTADLDAP_On.reg
  • PasswordChg_NTADLDAP_Off.reg

For the changes to take effect, after running the scripts you must restart the service. You may need to edit the scripts, depending on whether you have a 32-bit or 64-bit operating system.

32-bit:

[HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\EFTClient]

"PasswordChg_NTADLDAP"="on"

64-bit:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0\EFTClient]

"PasswordChg_NTADLDAP"="on"

NOTE: This is a string, not a Dword. Use "on" (1 or true) or "off" (0 or false) only.

File attachment causes Outlook 2013 or the system to hang

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express, versions 3.3.0 - 3.3.5.x

SYMPTOM

Attaching a file to an email may cause Outlook 2013 or the system to hang under certain circumstances. This may happen when the focus is taken away from an Outlook window at the moment a file is being attached to an email.

CAUSE

Microsoft Outlook 2013 has a bug whereby parts of an inline response body may get removed when programmatically attaching a file. The only known workaround unfortunately can lead to the symptoms mentioned in this KB article. We have opened a support ticket with Microsoft and they are actively working on a fix.

RESOLUTION

Install Mail Express v3.3.6 or later, which addresses this problem as follows:

To resolve this issue, we have temporarily removed our email-specific buttons from the primary Outlook window (Explorer window) and have limited the extent to which the add-in extends the behavior of that window’s built-in Attach File button. This means that if you are composing an inline response on the main window, you will need to “pop out” the email into a separate window in order to use any email-specific Mail Express buttons.

Alternatively, you may configure Outlook to open replies and forwards in a new window, as Outlook 2010 and earlier do. See the “More Information” section below for steps to enable that option.

You will also need to follow either method if you intend to attach files that exceed Exchange’s size limits. Once Microsoft has provided a fix in a subsequent service pack, we will update the add-in to restore the email-specific functionality for inline responses.

MORE INFORMATION

To configure Outlook 2013 to open replies and forwards in a new window

  1. In Outlook, click File > Options.
  2. In the left pane, click Mail.
  3. In the Replies and forwards section, select the Open replies and forwards in a new window check box.
  4. Click OK.

How do I use the COM API to copy (duplicate) Advanced Workflows or import existing Workflow files (.aml)?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • version 6.5 and later

QUESTION

How do I use the COM API to copy (duplicate) Advanced Workflows or import existing Workflow files (.aml)?

ANSWER

To copy and import workflows using the COM API, you can use the Site methods AddAdvancedWorkflow and GetAdvancedWorkflowParams.

MORE INFORMATION

Review the examples below, or download the attached examples (scroll to the bottom of page for the attachment). Don’t forget to change your admin login credentials in the script and point to the correct Site index (set to Site ‘0’ by default, meaning the first Site created in EFT).

(You can also copy and import AWE workflows in the EFT administration interface.)

Copy Workflow:

' INBOUND parameters {{{
strSourceAWTaskName = "AWTask"
strDestinationAWTaskName = strSourceAWTaskName + "_Copy"
strServer = "localhost"
strPort = "1100"
' Placeholder credentials: change these to your EFT administrator login
strAdminUserName = "a"
strPassword = "q"

' }}} INBOUND parameters

' Get CISite object {{{
Set objEFTServer = CreateObject("SFTPCOMInterface.CIServer")
objEFTServer.Connect strServer, strPort, strAdminUserName, strPassword

set objSites = objEFTServer.Sites
set objSite = objSites.Item(0)
' }}} Get CISite object

' Get source AW task script content {{{
' Get source AW task index
nSourceAWTaskIndex = objSite.GetAdvancedWorkflowIndex(strSourceAWTaskName)

' Get source AW task parameters by index
Set objSourceAWTaskParams = objSite.GetAdvancedWorkflowParams(nSourceAWTaskIndex)

' Get source AW task script content
strSourceScriptContent = objSourceAWTaskParams.Code
' }}} Get source AW task script content

' Copy AW Task {{{
Set objDestinationAWTaskParams = CreateObject("SFTPCOMInterface.CIAdvancedWorkflowParams")

' Set new AW task name
objDestinationAWTaskParams.Name = strDestinationAWTaskName

' Set script content for new AW task
objDestinationAWTaskParams.Code = strSourceScriptContent

' Add new AW task to EFT
objSite.AddAdvancedWorkflow(objDestinationAWTaskParams)

' }}} Copy AW Task

MsgBox "Done."

Import Workflow:

' INBOUND parameters {{{
' Outside script which we want to import
strFileToImport = "C:\SomeOutsideScript.aml"

' EFT AW task name for imported script
strAWTaskName = "AWTask_Imported"

strServer = "localhost"
strPort = "1100"
' Placeholder credentials: change these to your EFT administrator login
strAdminUserName = "a"
strPassword = "q"

' }}} INBOUND parameters

' Read outside script contents {{{
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objReadFile = objFSO.OpenTextFile(strFileToImport, 1, False)

strFileContents = objReadFile.ReadAll

objReadFile.close

Set objFSO = Nothing
Set objReadFile = Nothing
' }}} Read outside script contents

' Get CISite object {{{
Set objEFTServer = CreateObject("SFTPCOMInterface.CIServer")
objEFTServer.Connect strServer, strPort, strAdminUserName, strPassword

set objSites = objEFTServer.Sites
set objSite = objSites.Item(0)
' }}} Get CISite object

' Add AW Task to EFT server {{{
Set objAWParams = CreateObject("SFTPCOMInterface.CIAdvancedWorkflowParams")
objAWParams.Name = strAWTaskName
objAWParams.Code = strFileContents

objSite.AddAdvancedWorkflow(objAWParams)
' }}} Add AW Task to EFT server

MsgBox "Done."

Can I use Mail Express with Office 365?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express version 3.x and later

QUESTION

Can I use Mail Express with Office 365?

ANSWER

Yes. You will need to set up an SMTP relay in Office 365.

MORE INFORMATION

Refer to the following articles for instructions:

  • Microsoft Support article: How to set up SMTP relay in Office 365. This article describes how to set up Microsoft Exchange Online as an SMTP relay to send email messages to remote domains and to users in your Office 365 organization.
  • Office 365 community article: How to setup an SMTP relay in Office 365. This method of relaying allows Exchange Online Protection to relay your mail authenticated only by your IP address.

Can GlobalSCAPE products be exported from the United States? (ECCN and CCATS for GlobalSCAPE Products)

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Secure FTP Server (All Versions)
  • EFT Server (All Versions)
  • CuteFTP Pro (All Versions)
  • CuteZip (All Versions)

QUESTION

Can GlobalSCAPE products be exported from the United States?

ANSWER

Secure FTP Server has been classified as CCATS #G042680 and #G024963, under ECCN 5D002 of the Commerce Control List, and is eligible for export to almost all foreign destinations without an export license under authority of license exception ENC.

EFT Server has been classified as CCATS #G039017, under ECCN 5D002 of the Commerce Control List, and is eligible for export to almost all foreign destinations without an export license under authority of license exception ENC.

CuteFTP Pro has been classified as CCATS #G019473, and #G024963, under ECCN 5D002 of the Commerce Control List, and is eligible for export to almost all foreign destinations without an export license under authority of license exception ENC.

These products have been classified as an "unrestricted" encryption item (formerly a "retail encryption item") under section 740.17(b)(3) of the Export Administration Regulations, and, as such, are eligible for export to governmental and non-government end-users in all eligible countries. They may not be exported to any country that is embargoed by, or has been designated as a terrorist supporting country by, the U.S. Government. Those restricted countries currently include Cuba, Iran, Libya, North Korea, Sudan, and Syria.

Refer to the Bureau of Industry and Security U.S. Department of Commerce website for a current copy of the Entity List*, found in Supplement No. 4 to Part 744 of the Export Administration Regulations (EAR).

*The "Entity List" is a PDF of names of certain foreign persons—including businesses, research institutions, government and private organizations, individuals, and other types of legal persons—that are subject to specific license requirements for the export, reexport, and/or transfer (in-country) of specified items.

Sales of CuteBackup have been discontinued

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • CuteBackup, all versions

DISCUSSION

After careful consideration, we have discontinued CuteBackup. We will continue support for existing CuteBackup customers through the remainder of your support agreement. No new versions or updates will be released.

Globalscape wants to continue its relationship with you into the future and we regret any inconvenience this may cause. For all questions concerning this End-of-Life notice, please contact Globalscape Customer Support at (210) 366-3993.


Are EFT and Mail Express certified for use with Windows Server 2012?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6.5 and later
  • Mail Express v3.3 and later

QUESTION

Are EFT and Mail Express certified for use with Windows Server 2012?

ANSWER

Yes. Both EFT and Mail Express are certified for use with Windows Server 2012 R1 and R2, Datacenter, Standard, and Essentials editions.

MORE INFORMATION

Globalscape is listed in the Windows Server Catalog.

On Windows XP, the Outlook Add-In (OAI) cannot connect to Mail Express via the DMZ Gateway

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express, versions 4.0 and later

SYMPTOM

On Windows XP, the Outlook Add-In (OAI) cannot connect to Mail Express via the DMZ Gateway.

RESOLUTION

Windows XP does not support any of the Mail Express server-approved ciphers for FIPS 140-2 compliance.

  • If you need to use the OAI, connect directly to Mail Express, not through DMZ Gateway, or upgrade your operating system.
  • If you can use the web portal, use a browser that supports the Mail Express server-approved ciphers for FIPS 140-2 compliance, such as Chrome.

MORE INFORMATION

Windows XP Pro SP3 has support for a cipher that is FIPS compliant; however, the JSSE for Java 7 doesn't provide an implementation for this cipher, which Mail Express uses for the DMZ Gateway connection.

Using an SSL Certificate in an Event Rule

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server Enterprise versions prior to v6.2

***The registry key below should not be used starting with EFT Server Enterprise v6.2, because that feature has been added to the interface. You can stop using this registry key when you upgrade to 6.2. ***

DISCUSSION

The procedure below allows EFT Server Enterprise to use SSL certificates on an out-going Event Rule. (For example, when a remote server requires an SSL certificate for authentication.)

For this procedure, CuteFTP must be installed on the server running EFT Server Enterprise.

Allowing EFT Server to use SSL certificates on an out-going Event Rule requires a registry edit that will copy a registry entry from one place to another.

  1. Create the certificate in CuteFTP

    1. Install CuteFTP on the EFT Server computer.
    2. Click Tools > Global Options.
    3. Expand the Security node, then click SSL Security.
    4. Select the Use SSL certificate when authenticating check box.
    5. Click Create a Certificate and follow the instructions in the wizard.
    6. In the wizard, select the Set up CuteFTP to use the generated certificate check box.
    7. Click OK to close the Global Options dialog box.

    For more information about using CuteFTP, refer to http://help.globalscape.com/help/cuteftppro8/index.html (CuteFTP Professional) or http://help.globalscape.com/help/cuteftp8/index.html (CuteFTP Home).

  2. Export the Registry Key that you just created

    [HKEY_USERS\S-1-5-21-1863128455-877948412-1050887974-2356\Software\GlobalSCAPE\CuteFTP 8 Professional\Settings\SecuritySSL]
    "SSLCertificate"="C:\\Documents and Settings\\<username>\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\8.0\\Security\\certname.crt"
    "SSLPrivateKey"="C:\\Documents and Settings\\<username>\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\8.0\\Security\\certname.key"
    "UseSSLCertificate"=dword:00000001
    "UseSSLCertPassphrase"=dword:00000001
    "ReuseSSLData"=dword:00000000
    "WarnWhenToNonSecure"=dword:00000001
    "DataTransportMethod"=dword:00000001
    "CertTrustCheck"=dword:00000000
    "SSLCertPassphrase"="encrypted_passphrase"

  3. Import the Registry Key for EFT Server <TED 6>

    The key below will transfer the settings from CuteFTP to TED 6, enabling the same feature in EFT Server for Event Rules.

    [HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\TED 6\Settings\SecuritySSL]
    "SSLCertificate"="C:\\Documents and Settings\\<username>\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\8.0\\Security\\certname.crt"
    "SSLPrivateKey"="C:\\Documents and Settings\\<username>\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\8.0\\Security\\certname.key"
    "UseSSLCertificate"=dword:00000001
    "UseSSLCertPassphrase"=dword:00000001
    "ReuseSSLData"=dword:00000000
    "WarnWhenToNonSecure"=dword:00000001
    "DataTransportMethod"=dword:00000001
    "CertTrustCheck"=dword:00000000
    "SSLCertPassphrase"="encrypted_passphrase"

  4. Test and Complete Configuration

    You can test the Event Rule to verify that it pushes the SSL certificate to the Server. Try using a Loop Back connection or CuteFTP for testing.

    The system should fail the first time, because the certificate must be approved/added to the Trusted Certificates list in EFT Server after it is pushed to the Server.

    1. In EFT Server, click Tools > Certificate Manager. The Certificate Manager appears.
    2. In the Pending Certificates list, click the certificate that you imported, then click Make Trusted. The certificate moves to the Trusted Certificates list.
    3. Test the connection again to verify the certificate was accepted by the remote server.

    This will be different in other applications; however, you can use this method to test the Event Rule and the registry fix.

Do EFT Server and CuteFTP Pro support TLS 1.2?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server™, all versions
  • CuteFTP Pro®, all versions

QUESTION

Do EFT Server and CuteFTP Pro support TLS 1.2?

ANSWER

Neither EFT Server nor CuteFTP Pro currently supports TLS 1.2. It is expected that EFT Server will support it in the future, when/if OpenSSL does.

MORE INFORMATION

When you use CuteFTP to connect securely to a server that supports SSL or TLS (SSL v3), the two computers pass a sequence of commands to create a secure connection.

EFT Server uses TLS 1.0, SSL 2.0, or SSL 3.0

  • EFT Server version 6.4 uses OpenSSL 0.9.8r; FIPS SSL is based on OpenSSL 0.9.8m
  • EFT Server version 6.3 uses OpenSSL 0.9.8o; FIPS SSL is based on OpenSSL 0.9.7m
  • EFT Server version 6.2 uses OpenSSL 0.9.8l (L)
  • EFT Server version 6.1 and earlier use OpenSSL 0.9.8a

For information about Using Ciphers for SSL connections with EFT Server, refer to http://help.globalscape.com/help/eft6-4/index.htm#mergedprojects/eft/using_ciphers_for_ssl_connections_with_server.htm

Refer to Knowledgebase article #11003: What is GlobalSCAPE's response to the SSL/TLS BEAST exploit for details of configuring SSL security settings in EFT Server.

TCP Firewall Port Guidelines

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server, all versions (Server Only)
  • EFT Server Enterprise, all versions (Client and Server)
  • CuteFTP, all versions (Client Only)

DISCUSSION

Following is an explanation of firewall rules needed for each protocol/mode to work:

Implicit SSL, PORT mode
  Server:
  • INBOUND port 990 from ANY
  • OUTBOUND from source port 989 to ANY
  Client:
  • OUTBOUND port 990 to SERVER_IP
  • INBOUND port CLIENT_CHOICE from SERVER_IP

Implicit SSL, PASV mode
  Server:
  • INBOUND port 990 from any
  • INBOUND ports 28000-30000 to server_IP
  Client:
  • OUTBOUND port 990 to SERVER_IP
  • OUTBOUND ports 28000-30000 to SERVER_IP

Explicit SSL, PORT mode
  Server:
  • INBOUND port 21 from ANY
  • OUTBOUND from source port 20 to ANY
  Client:
  • OUTBOUND port 21 to SERVER_IP
  • INBOUND port CLIENT_CHOICE from SERVER_IP

Explicit SSL, PASV mode
  Server:
  • INBOUND port 21 from ANY
  • INBOUND ports 28000-30000 from ANY
  Client:
  • INBOUND port 21 to SERVER_IP
  • OUTBOUND ports 28000-30000 to SERVER_IP

SFTP
  Server:
  • INBOUND port 22 from ANY
  Client:
  • OUTBOUND port 22 from ANY

HTTP
  Server:
  • INBOUND port 80 from ANY
  Client:
  • OUTBOUND port 80 from ANY

HTTPS
  Server:
  • INBOUND port 443 from ANY
  Client:
  • OUTBOUND port 443 from ANY

For information about defining a range of ports, refer to "Specifying a PASV IP or Port Range" in the help documentation.

The ideal scenario is to support both Implicit SSL and Explicit SSL, when possible. From the server side, this support would look like this:

  • INBOUND port 21 from ANY
  • INBOUND port 990 from ANY
  • INBOUND ports 28000-30000 from ANY
  • OUTBOUND from source port 20 to ANY
  • OUTBOUND from source port 989 to ANY

From the client view point:

  • It is far simpler, easier, more secure, and more fool-proof to use Implicit SSL in PASV mode.
  • Only OUTBOUND connections from their trusted network need to be allowed at that point. This reduces the security risk, avoids the need to set up complex firewall or NAT rules to maintain and conflicts to resolve, and it is encrypted from the moment the socket is opened.

Explicit SSL in PASV mode is the second-best choice. Sometimes Explicit SSL is the only FTPS type supported by older legacy platforms, so there may not be any getting around that. But if Explicit SSL is used, it is important to remember that Explicit SSL works by the client opening a socket and briefly communicating in clear-text FTP mode, then issuing the AUTH_SSL or AUTH_TLS command to make the switch to SSL-encrypted FTP. This can cause problems with some firewall/NAT devices. These devices recognize and latch onto the clear-text FTP connection, and then have no idea how to react during the SSL negotiations. They often react by blocking any further communication that does not conform to their idea of standard FTP. This is an exception, not the rule, but it is not rare, so be on the lookout for that.

PORT mode applies equally to both Explicit and Implicit SSL. The problem is that they must have clients capable of being configured to issue a public IP address and specific ports as a part of the PORT command if the client is behind NAT, as is always the case. It is a rare feature to have. But they must also manage their firewall/NAT devices so as to appropriately allow direct incoming traffic from the untrusted public internet. This is rarely desirable, and it is never preferable when compared to PASV mode. It is not necessarily impossible, just potentially more painful, and it requires intricate management and maintenance by administrators on the client side, deepening the furrows in the firewall and security personnel's collective brow. Usually this is only done when absolutely necessary due to legacy applications that have limitations which simply cannot be addressed in any other manner.

Note: The ports listed above are the default port configurations for EFT. These ports can be configured for alternate ports within the application.
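The Explicit SSL and PORT-mode problems described above can be spotted in a client-side FTP session log. The following added example (not Globalscape's code) flags credentials sent before AUTH completes, PASV replies outside the 28000-30000 range, and PORT commands that advertise a NAT-internal address. The log format ("> " for client commands, "< " for server replies), the function names and the sample sessions are constructed for illustration.

```python
import ipaddress
import re

PASV_PORTS = range(28000, 30001)   # PASV range from the article's firewall rules
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies."""
    match = HOSTPORT.search(text)
    if not match:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def audit_session(lines, implicit=False):
    """Return findings for one control-channel log ('>' = client, '<' = server)."""
    encrypted = implicit            # Implicit SSL is encrypted from the first byte
    auth_sent = False
    findings = []
    for line in lines:
        direction, _, body = line.partition(" ")
        verb = body.split(" ", 1)[0].upper()
        if direction == ">":
            if verb == "AUTH":
                auth_sent = True
            elif verb in ("USER", "PASS") and not encrypted:
                findings.append(f"{verb} sent in clear text before AUTH completed")
            elif verb == "PORT":
                decoded = host_port(body)
                if decoded is None:
                    findings.append("malformed PORT argument")
                elif ipaddress.ip_address(decoded[0]).is_private:
                    findings.append(f"PORT advertises private address {decoded[0]}; "
                                    "the server cannot connect back through NAT")
                else:
                    findings.append("PORT mode: firewall must admit the server's "
                                    f"inbound data connection to port {decoded[1]}")
        elif direction == "<":
            if verb == "234" and auth_sent:
                encrypted = True    # server accepted AUTH; the TLS handshake follows
            elif verb == "227":
                decoded = host_port(body)
                if decoded and decoded[1] not in PASV_PORTS:
                    findings.append(f"PASV port {decoded[1]} is outside 28000-30000")
    return findings


# Constructed sample sessions (not captured from a real server).
GOOD = [
    "< 220 constructed sample server ready",
    "> AUTH TLS",
    "< 234 AUTH command OK",
    "> USER alice",
    "< 331 Password required",
    "> PASS ****",
    "< 230 Login OK",
    "> PASV",
    "< 227 Entering Passive Mode (192,0,2,10,110,10)",   # port 28170
]
BAD = [
    "< 220 constructed sample server ready",
    "> USER alice",
    "< 331 Password required",
    "> PASS ****",
    "< 230 Login OK",
    "> AUTH TLS",
    "< 234 AUTH command OK",
    "> PASV",
    "< 227 Entering Passive Mode (192,0,2,10,195,80)",   # port 50000
    "> PORT 10,0,0,5,19,137",
]

if __name__ == "__main__":
    for name, session in (("good", GOOD), ("bad", BAD)):
        print(name, audit_session(session) or "no findings")
```

If the PASV range has been changed from the default in EFT, adjust PASV_PORTS to match before running the check.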

RFCs Referenced in EFT Documentation

Listed below are several of the RFCs referenced in EFT documentation.
RFC | Description | URL | GS URL
775 | DIRECTORY ORIENTED FTP COMMANDS | http://www.ietf.org/rfc/rfc775.txt | http://kb.globalscape.com/KnowledgebaseArticle10382.aspx
959 | FTP spec; complete list of FTP/S return codes | http://www.ietf.org/rfc/rfc959.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ftpcommandssupportedbyserver.htm
1652 | SMTP Service Extension for 8bit-MIME transport | http://www.ietf.org/rfc/rfc1652.txt | http://kb.globalscape.com/KnowledgebaseArticle10497.aspx
1945 | Hypertext Transfer Protocol -- HTTP/1.0 | http://www.ietf.org/rfc/rfc1945.txt | http://help.globalscape.com/help/cuteftp9/connecting_to_an_http_site.htm
1954 | Transmission of Flow Labelled IPv4 on ATM Data Links Ipsilon Version 1.0 (basic auth, HTTP standard) | http://www.ietf.org/rfc/rfc1954.txt | http://kb.globalscape.com/KnowledgebaseArticle10691.aspx
1991 | PGP Message Exchange Formats | http://www.ietf.org/rfc/rfc1991.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/creating_key_pairs_for_openpgp.htm
2046 | Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types | http://www.ietf.org/rfc/rfc2046.txt | http://help.globalscape.com/help/eft6/ConfiguringAS2OutboundPartnersUsingtheWizard.htm
2068 | Hypertext Transfer Protocol -- HTTP/1.1 | http://www.ietf.org/rfc/rfc2068.txt | http://help.globalscape.com/help/cuteftp9/connecting_to_an_http_site.htm
2183 | Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field (Section 2.3: filename parameters) | http://www.ietf.org/rfc/rfc2183.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/as2/sending_files_to_an_as2_partner_via_event_rules.htm
2184 | MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations (AS2 does not comply with this RFC) | http://www.ietf.org/rfc/rfc2184.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/unicode_exceptions65.htm
2228 | FTP Security Extensions (To establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used.) | http://www.ietf.org/rfc/rfc2228.txt | http://kb.globalscape.com/KnowledgebaseArticle10181.aspx
2251 | Lightweight Directory Access Protocol (v3) | http://www.ietf.org/rfc/rfc2251.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/advanced_ldap_filtering.htm
2252 | Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions | http://www.ietf.org/rfc/rfc2252.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/advanced_ldap_filtering.htm
2254 | The String Representation of LDAP Search Filters | http://www.ietf.org/rfc/rfc2254.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/advanced_ldap_filtering.htm
2389 | Feature negotiation mechanism for the File Transfer Protocol | http://www.ietf.org/rfc/rfc2389.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ftpcommandssupportedbyserver.htm
2428 | FTP Extensions for IPv6 and NATs (incl client-initiated negotiation of EPRT and EPSV) | http://www.ietf.org/rfc/rfc2428.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ipv6_support_in_eft_server.htm
2440 | OpenPGP Message Format | http://www.ietf.org/rfc/rfc2440.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/serverspecifications.htm
2460 | Internet Protocol, Version 6 (IPv6) Specification | http://www.ietf.org/rfc/rfc2460.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ipv6_support_in_eft_server.htm
2616 | HTTP | http://www.ietf.org/rfc/rfc2616.txt | http://help.globalscape.com/help/cuteftp9/connecting_to_an_http_site.htm
2732 | IPv6--literal addresses not supported | http://www.ietf.org/rfc/rfc2732.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ipv6_support_in_eft_server.htm
3335 | MIME-based Secure Peer-to-Peer Business Data Interchange over the Internet | http://www.ietf.org/rfc/rfc3335.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/as2/as2_information_in_the_database.htm
3492 | Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA) | http://www.ietf.org/rfc/rfc3492.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/idn_support_in_eft_server.htm
3659 | Extensions to FTP; Response info for MDTM, section 3.4 | http://www.ietf.org/rfc/rfc3659.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ftpcommandssupportedbyserver.htm
4057 | IPv6 Enterprise Network Scenarios | http://www.ietf.org/rfc/rfc4057.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/ipv6_support_in_eft_server.htm
4130 | MIME-Based Secure Peer-to-Peer Business Data Interchange Using HTTP, Applicability Statement 2 (AS2) | http://www.ietf.org/rfc/rfc4130.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/as2/introduction_to_as2.htm
4253 | The Secure Shell (SSH) Transport Layer Protocol; SFTP identification string, section 4.2. | http://www.ietf.org/rfc/rfc4253.txt | http://help.globalscape.com/help/eft6-5/mergedprojects/eft/modifying_the_sftp_identification_string.htm

Configure WAFS Metadata Cleanup to Run at a Specific Time

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • WAFS v4.3

DISCUSSION

In WAFS v4.3 and later, you can schedule metadata cleanup to run at a specific time (preferably outside of business hours) with the registry key described below.

To schedule cleanup, create the following key

32-bit:

HKEY_LOCAL_MACHINE\SOFTWARE\Availl\AvailClient\Settings

64-bit:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Availl\AvailClient\Settings

DWORD: MetadataCleanupTimer

Configured in milliseconds: 3,600,000 milliseconds = 1 hour. Therefore, 3600000 = 1 AM

0 (or undefined) = midnight

3600000 = 1 AM

7200000 = 2 AM

10800000 = 3 AM, and so on

With logging set to TRACE for category Dev, you should see the following text in the log when the cleanup occurs:

Metadata Cleanup: checking


Increase Vault Disk Space with Compression

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • WAFS v4.3 and later

DISCUSSION

In WAFS v4.3 and later, you can configure the Vault to compress the files and folders in the M directory for a Job (e.g., C:\Vault Data\<jobname>\M\) upon startup. Compressing the M directory will provide more space on the Vault drive.

To configure compression, create the following key

32-bit:

HKEY_LOCAL_MACHINE\SOFTWARE\Availl\Availl Server\V\<jobname>\

64-bit:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Availl\Availl Server\V\<jobname>\

DWORD: NTFSCompressDeltas

1 = compress files; 0 = uncompress files

In the server log (c:\vault data\_Logs\Srv_*.txt) you should see entries similar to the following when compression occurs:

11 | 19:59:34.312 | INFO | MAPPING | [P_E] NTFSCompressDeltas false with attributes: 0X2010

If the directory is already compressed, you will see an additional line:

11 | 19:59:34.312 | INFO | MAPPING | [C:\Vault Data\P_E\M\] not changing compression

If NTFSCompressDeltas is 0 or doesn't exist (and the directory isn't already compressed), you will see something like this:

11 | 19:59:34.312 | INFO | MAPPING | [P_E] NTFSCompressDeltas false with attributes: 0X2010
11 | 19:59:34.312 | INFO | MAPPING | [C:\Vault Data\P_E\M\] not changing compression

Use Alternative LDAP Attribute for Internal User's Email Address

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express, v3.0 and later

DISCUSSION

Mail Express uses the "mail" LDAP attribute from Active Directory to populate the email address property for internal users. If you want to use an alternative LDAP attribute to define a user’s email address, you must do so by modifying a value in the staticConfig.xml file, as described below.

To use an alternative LDAP attribute to define an internal user's email address

  1. Stop the Mail Express service.
  2. In the Mail Express installation directory, open the META-INF directory (e.g., \Program Files\GlobalSCAPE\Mail Express\webapps\ROOT\WEB-INF\classes\META-INF or \Program Files (x86)\GlobalSCAPE\Mail Express\webapps\ROOT\WEB-INF\classes\META-INF).
  3. Locate the file staticConfig.xml and open it in a text editor.
  4. Locate MailExpressLDAP.attributeNameMail.
  5. Change value="mail" to value="description".
  6. Save and close the file.
  7. Start the Mail Express service.

Does GlobalSCAPE release security patches for products separate from general version releases?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All products, all versions

QUESTION

Does Globalscape release security patches for products separate from general version releases?

ANSWER

YES, absolutely! Globalscape has a security vulnerability discovery, remediation, and messaging process that formally defines how Globalscape:

  • Escalates reports of a security vulnerability (provided by customer or third-party security assessor)
  • Gauges the risk level and assigns a severity rating to reported vulnerabilities, using the Common Vulnerability Scoring System (CVSS)
  • Prioritizes and assigns resources to duplicate and remediate the problem according to the threat level
  • Prepares timely, effective, and consistent external communications
  • Handles internal and external dissemination of approved communications, including:
    • Public patches to all customers for critical vulnerabilities
    • Private patches to individual customers (situation dependent)
    • No patch -> rolled up into next major version (low CVSS score or security best practice only)

As of March 2010, Globalscape has only encountered a single critical vulnerability (SFTP-based vulnerability with a CVSS score of 8.5), which was announced publicly via email to all EFT customers on September 3, 2009, along with a link to a patch. On several occasions Globalscape has released private patches to select customers to address low-scoring security vulnerabilities that were important to those specific customers. Those fixes are typically rolled up into the next public maintenance (minor) or major release, which typically include other general bug fixes and/or feature enhancements.

Not all potential vulnerabilities reported to Globalscape are considered security vulnerabilities. Application bugs or flaws that result in undesirable behavior during normal operations, including memory leaks or even crashes, while potentially business impacting, are not considered security vulnerabilities. Security best practices, such as use of HttpOnly header or use of the Secure flag for web session cookies, are not considered vulnerabilities, although Globalscape strives to implement as many security best practices as possible.

Security vulnerabilities can be categorized as application flaws or bugs that, if exploited, may result in the ability for a remote (or local) attacker to compromise the Confidentiality, Availability, or Integrity (CIA) of a server. For example:

    • Execute commands as another user (pose as another entity)
    • Access, modify, or destroy data that is contrary to the specified access restrictions for that data
    • Deny normally authorized access either completely or partially (Denial of Service)
    • Result in a back door, Trojan, or worm that may compromise a system or an entire network.

Upon validation of high-rated security issues (according to CVSS 2.0 scoring) on the software and/or service (including security loopholes), Licensor shall notify Licensee, by mail, fax, or other written means within 72 hours in advance, and provide corresponding solutions (including security patches) to Licensee through a formal release channel. Public notification will happen according to Responsible Disclosure guidelines developed by OIS.

To report a potential security vulnerability, please contact your account representative or technical support. Globalscape’s internal processes for handling potential security vulnerabilities involve rapid escalation to engineering and product management, usually providing a preliminary response to the customer inquiry within one or at most two business days.

Further reference: EFT Server’s Security Best Practices.

The Heartbleed OpenSSL Vulnerability and Mail Express

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express v3.3 and later

DISCUSSION

The "Heartbleed Bug" (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library (v1.0.1 before 1.0.1g). This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Functionality Explanation:

Mail Express uses two secure communication implementations, OpenSSL and JSSE, depending on the communication path being used. The OpenSSL implementation in Mail Express uses v1.0.1c, which has been identified as a vulnerable version. Work is in progress for updating the OpenSSL library to eliminate this vulnerability. Until a patch is released, the workarounds below can be used to remediate the issue.

Workarounds:

  • Use Globalscape® DMZ Gateway® in conjunction with Mail Express.
    • Mail Express uses a different SSL library for its communication with DMZ Gateway and therefore is not susceptible to this vulnerability.
  • Pass traffic through a Threat Management Gateway, such as Microsoft Forefront.
    • Only Microsoft Forefront has been tested and found to prevent the issue. Results with other applications may vary depending on how they handle the SSL communication.
  • Convert all of your current Mail Express connectors in the server.xml file to use JSSE*.
    • Note 1: Some systems may see minor performance degradation due to this change.
    • Note 2: The “FIPS 140-2 approved protocol” setting will be unavailable when using this configuration. Please contact Globalscape customer support to re-enable this.
    • Note 3: You’ll want to match the ciphers and SSLEnabledProtocols attributes to your DMZ connector.
    • Refer to Tomcat documentation to configure the JSSE connector.
*Attached is an example server.xml file. Globalscape Customer Support is available to assist you with reconfiguring your server.xml file, if needed.
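
A check for the JSSE workaround above, as an added example (not Globalscape's code and not the attached server.xml): it reads a Tomcat server.xml and reports which TLS connectors still use the APR/OpenSSL handler and whether the JSSE ones match a reference connector's ciphers and sslEnabledProtocols. The sample XML, its ports and file paths are constructed, and the handler class names assume Tomcat 6/7 behaviour, which the article does not state.

```python
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"      # TLS handled by native OpenSSL
JSSE = {"org.apache.coyote.http11.Http11Protocol",      # TLS handled by Java (JSSE)
        "org.apache.coyote.http11.Http11NioProtocol"}

# Constructed sample, not the Mail Express server.xml: ports, paths and cipher
# names are placeholders. Port 9443 stands in for the DMZ connector.
SAMPLE = """<Server>
 <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
 <Service name="Catalina">
  <Connector port="443" SSLEnabled="true" SSLCertificateFile="conf/cert.pem"
    protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateKeyFile="conf/key.pem"/>
  <Connector port="8443" SSLEnabled="true" protocol="HTTP/1.1"/>
  <Connector port="8444" SSLEnabled="true" sslEnabledProtocols="TLSv1"
    protocol="org.apache.coyote.http11.Http11NioProtocol" keystoreFile="conf/keystore.jks"/>
  <Connector port="9443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    keystoreFile="conf/keystore.jks" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
 </Service>
</Server>"""


def attr(elem, name):
    # Case-insensitive: the article writes SSLEnabledProtocols, Tomcat sslEnabledProtocols.
    return next((v for k, v in elem.attrib.items() if k.lower() == name.lower()), None)


def audit_connectors(server_xml, reference_port):
    """Map each TLS connector port to its TLS stack and drift from the reference connector."""
    root = ET.fromstring(server_xml)
    apr_loaded = any("AprLifecycleListener" in x.get("className", "") for x in root.iter("Listener"))
    tls = [c for c in root.iter("Connector") if (attr(c, "SSLEnabled") or "").lower() == "true"]
    ref = next((c for c in tls if c.get("port") == reference_port), None)
    findings = {}
    for c in tls:
        proto = c.get("protocol", "HTTP/1.1")
        if proto == APR:
            notes = ["OpenSSL (APR)"]
        elif proto == "HTTP/1.1" and apr_loaded:
            # "HTTP/1.1" auto-selects APR when the listener has loaded the native library.
            notes = ["OpenSSL (APR) if the native library loads"]
        else:
            notes = ["JSSE" if proto in JSSE or proto == "HTTP/1.1" else "unknown handler"]
            if ref is not None and c is not ref:
                notes += [f"{a} differs from port {reference_port}"
                          for a in ("ciphers", "sslEnabledProtocols") if attr(c, a) != attr(ref, a)]
        findings[c.get("port")] = notes
    return findings
```

Run it against the real server.xml with the DMZ connector's port as `reference_port`; any connector still reported as OpenSSL (APR) has not been converted.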

Is the Mix environment FERPA compliant (Family Educational Rights and Privacy Act of 1974)?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT version 6.x and later (including MIX/Hosted)

QUESTION

Is the Mix environment FERPA compliant (Family Educational Rights and Privacy Act of 1974)?

ANSWER

Our Managed Information Exchange solutions are all built upon the Globalscape EFT framework, which facilitates the highest levels of compliance with government and corporate security policies and privacy regulations, including PCI DSS, FIPS-140-2, HIPAA, and SOX.

While FERPA is not one of the acts that EFT is specifically tested against, an examination of the FERPA requirements outlines that EFT more than meets the compliance requirements for FERPA in how it is built and operates; however, the specific way the data is handled by authorized users is a more applicable question.

Users that are defined on the system need to be educated on the policies and procedures required for them to follow, and it needs to be ensured that all users have only access to the area of files they require access to. The system will maintain compliance with FERPA as long as the correct user permissions are applied to the files and folders, and the users treat the content they have access to with the appropriate care. A full auditing and reporting capability is built into MIX such that you can tell at any time if improper handling of information has occurred.

MORE INFORMATION

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

For details of FERPA, refer to http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
