Channel: GlobalSCAPE Knowledge Base

Modifying the Maximum Memory Available to the Mail Express Server

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express, version 3.x

DISCUSSION

By default, the Mail Express Server is limited to using up to 512 MB of system RAM. While idle, the Mail Express Server will typically use far less than the maximum available memory. However, under peak load, the Mail Express Server will attempt to take full advantage of this available memory to maximize performance.

The default setting of 512 MB will typically suffice for average load systems. However, some of the following situations may warrant increasing the maximum memory available to the Mail Express Server:

  • A site experiences a higher-than-average number of package transfers per day
  • A site experiences larger-than-average package transfers per day
  • The Mail Express Server fails to respond in a timely manner when accessing the various web interfaces
  • The Mail Express Server experiences ERROR messages indicating that the Java Virtual Machine has run out of Java Heap Space. Such ERROR messages will typically contain the following text: java.lang.OutOfMemoryError: Java heap space
  • The computer has a large amount of unused system RAM of which you would like to take better advantage

To increase the amount of system RAM that may be used by the Mail Express Server, use the following instructions:

  1. Shut down the Mail Express Server Windows service.
  2. In a text editor such as Notepad, open the configuration file <Install Directory>\conf\MailExpressServerService.conf, where <Install Directory> is the installation directory of the Mail Express Server (by default, "C:\Program Files\GlobalSCAPE\MailExpress").
  3. Locate the following line: wrapper.java.maxmemory=512
  4. Change "512" to the number of megabytes (MB) that you would like to make available to the Mail Express Server. For example: wrapper.java.maxmemory=1024 would allow the Mail Express Server to use up to 1024 MB (1 GB) of RAM when under peak load.
  5. Save the changes to the configuration file.
  6. Start the Mail Express Server Windows service.

The POODLE OpenSSL Vulnerability and Mail Express

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express v3.3 and later

DISCUSSION

The "POODLE Vulnerability" (CVE-2014-3566) is a serious vulnerability in the design of SSL v3.0 and thus affects any product that follows the protocol. This weakness allows an attacker to steal information that, under normal conditions, is protected by the SSL encryption used to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

Mail Express supports SSL v3, which is vulnerable; however, work is in progress to update the default configuration to mitigate this vulnerability. Customers can manually change their configuration as described below.

WORKAROUND

Turn on use of FIPS 140-2 compliant protocols

  1. Log in to the Mail Express administration interface.
  2. In the navigation pane, under Configuration, click General. The General Settings page appears.
  3. Under Enhanced Communication Security, select the Use only protocols and algorithms approved for use by FIPS 140-2 check box.
  4. Click Save. A message appears at the top of the page.
  5. Click Restart server now.
-OR-

Configure the Mail Express web server to disable the SSLv3 protocol by editing the server.xml file found at <Mail Express Server Installation Directory>\conf\server.xml. This requires you to restart the server. The required changes depend on whether you use DMZ Gateway connector or not.

  1. Search for and remove all instances of the following:

sslProtocol="all"

  2. Search for sslEnabledProtocols and replace:

sslEnabledProtocols="SSLv2Hello,SSLv3,TLSv1"

with:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  3. Locate each <Connector> section and if sslEnabledProtocols is missing, add it to the very end, preceded by a space:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

The end of the string might look something like:

scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  4. Locate each <Connector> section and search for the ciphers parameter, and then remove any ciphers that start with "SSL".

The resulting cipher list should look like this:

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA"

  5. Save the file and restart the server service. You can verify by trying to connect to Mail Express with a browser with only SSL v3.0 enabled. (You should not be able to connect.)
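
The server.xml checks from the workaround above, as an added example (not Globalscape's code): a Python audit that reports each HTTPS <Connector> that still has sslProtocol="all", lacks sslEnabledProtocols, enables anything other than TLSv1/TLSv1.1/TLSv1.2, or lists ciphers that start with "SSL". The sample file is constructed, and treating scheme="https" or SSLEnabled="true" as the marker of an HTTPS connector is an assumption.

```python
import xml.etree.ElementTree as ET

# Protocols left enabled once the article's workaround has been applied.
ALLOWED_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed sample: a plain HTTP connector, an HTTPS connector still in its
# pre-workaround state, and an HTTPS connector edited as the article describes.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="all"
               sslEnabledProtocols="SSLv2Hello,SSLv3,TLSv1"
               ciphers="SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>
"""


def split_list(value):
    """Split a comma-separated attribute value, tolerating stray spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_https(conn):
    """Assumption: HTTPS connectors set scheme="https" or SSLEnabled="true"."""
    return (conn.get("scheme", "").lower() == "https"
            or conn.get("SSLEnabled", "").lower() == "true")


def audit_connector(conn):
    """Return the workaround steps that one <Connector> still fails."""
    findings = []
    # Step 1: sslProtocol="all" must be removed.
    if conn.get("sslProtocol", "").lower() == "all":
        findings.append('sslProtocol="all" is still present')
    # Steps 2-3: sslEnabledProtocols must exist and list only TLS versions.
    protocols = conn.get("sslEnabledProtocols")
    if protocols is None:
        findings.append("sslEnabledProtocols is missing")
    else:
        extra = [p for p in split_list(protocols) if p not in ALLOWED_PROTOCOLS]
        if extra:
            findings.append("sslEnabledProtocols allows " + ", ".join(extra))
    # Step 4: no cipher name may start with "SSL".
    legacy = [c for c in split_list(conn.get("ciphers", "")) if c.startswith("SSL")]
    if legacy:
        findings.append("ciphers lists " + ", ".join(legacy))
    return findings


def audit_server_xml(xml_text):
    """Map connector port -> findings; connectors that pass are omitted."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing space between two attributes (for example
        # secure="true"sslEnabledProtocols=...) makes the file malformed XML,
        # so report it instead of silently auditing nothing.
        return {"parse-error": [str(exc)]}
    report = {}
    for conn in root.iter("Connector"):
        if not is_https(conn):
            continue
        findings = audit_connector(conn)
        if findings:
            report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        for finding in findings:
            print("Connector port %s: %s" % (port, finding))
```

An empty result means every HTTPS connector matches the edited configuration; the browser test in the last step still confirms the running server's behaviour.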

Can I send files to partners outside of my internal network?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • Mail Express version 3.0 and later

QUESTION

Can I send files to partners outside of my internal network?

ANSWER

Yes! Mail Express allows users to send large email file attachments securely to recipients inside or outside of their organization. Recipients can use the Reply Portal to respond to the email to return files to the sender. For example, you might want to send a client a form to complete. The client can download the file from the Pickup Portal, complete the form, then upload it to Mail Express using the Reply Portal. Attachments are always encrypted in transit. In Mail Express v4.1 and later, the message body is also encrypted.

If the administrator has configured this option, users can also invite external users to create an account in the Drop-Off Portal to send files to internal users.

Refer to the online help for details of sending files to external users, receiving files from external users, and sending invites.

EFT and SSL Vulnerabilities

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

DISCUSSION

This notice is for informational purposes only and is intended to provide you with the latest update from Globalscape regarding the vulnerabilities in OpenSSL. On June 5, 2014, the OpenSSL Foundation issued a warning about a new vulnerability in the open source OpenSSL encryption protocol. CVE-2014-0224 (SSL/TLS MITM vulnerability) has been present in the code for 16 years and makes it possible for an attacker to conduct a man-in-the-middle attack on traffic encrypted with OpenSSL. EFT is minimally affected by the newly discovered vulnerability. Globalscape deems the risk posed by this issue to be low, but we strive to be transparent with any issues that may arise. We will be updating EFT’s OpenSSL library to 0.9.8za in EFT version 7, which will be released the first week of July. In the meantime, we have issued private patch build 6.5.18.2 to mitigate this issue in all existing versions of EFT.

| CVE | Vulnerability | Globalscape Response |
| --- | --- | --- |
| CVE-2014-0224 | SSL/TLS MITM vulnerability | This vulnerability does affect EFT but the risk associated with this vulnerability is very low. The risk is low because the malicious Man In The Middle (MITM) attacker needs to have access to the communication channel to inject malicious payload with exact timing during the SSL handshake. Highly improbable to exploit, but we are working on upgrading to 0.9.8za to avoid this risk. |
| CVE-2014-0221 | DTLS recursion flaw | The EFT application is not vulnerable to this vulnerability as EFT does not implement DTLS. |
| CVE-2014-0195 | DTLS invalid fragment vulnerability | The EFT application is not vulnerable to this vulnerability as EFT does not implement DTLS. |
| CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference | The EFT application is not vulnerable to this vulnerability as EFT uses OpenSSL 0.9.8t libraries; not OpenSSL 1.0.1 |
| CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection or denial of service | The EFT application is not vulnerable to this vulnerability as EFT uses OpenSSL 0.9.8t libraries; not OpenSSL 1.0.1 |
| CVE-2014-3470 | Anonymous ECDH denial of service | This vulnerability affects EFT only if an EFT Admin has changed the default ciphers to include ECDH ciphers. Upon install of the EFT application, EFT defaults to the following SSL ciphers on the server side: AES256-SHA,CAMELLIA256-SHA,DES-CBC3-SHA,AES128-SHA,IDEA-CBC-SHA,RC4-MD5,!EXP |

Per the link provided below and the fact that the EFT application uses OpenSSL 0.9.8t and OpenSSL 0.9.8m (FIPS SSL) for all client and server secure file transfers, EFT is vulnerable to the SSL/TLS MITM vulnerability. However, please keep in mind that the attack vector requires the malicious man in the middle to have access to the communication channel between the two ends of the file transfer in order to inject malicious payload in a very carefully timed attack on the SSL handshake, leading this to be a very low risk threat for EFT.

Regarding the Anonymous ECDH denial of service vulnerability, EFT does NOT use ECDH ciphers by default. The EFT application defaults to the following SSL ciphers on the server side:
AES256-SHA,CAMELLIA256-SHA,DES-CBC3-SHA,AES128-SHA,IDEA-CBC-SHA,RC4-MD5,!EXP

As a result, it equates to enabling only the following cipher suites, in SSL/TLS specification nomenclature, in this order:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_IDEA_CBC_SHA
  • SSL_RSA_WITH_RC4_128_MD5

However, if an EFT Admin enables ECDH ciphers that override the SSL/TLS settings with "manually specified ciphers," they can reach out to our Support team and they will assist in verifying and disabling them.

Although the aforementioned vulnerabilities have little to no impact to the EFT application, please know that our Engineering team is working on a solution to address this issue. We should have a patch build available to address this issue soon. Please rest assured we are doing all we can to get in front of this issue.

If you would like more information on the new vulnerabilities in OpenSSL, please view the following link:

https://www.openssl.org/news/secadv_20140605.txt

If you have any further questions or concerns, please do not hesitate to contact Support.

Where cryptography is employed, what randomness source is used?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

QUESTION

Where cryptography is employed, what randomness source is used?

ANSWER

For SSL and related cryptography, we use the OpenSSL random number generator (technically, a pseudo-random number generator, or PRNG) which is based upon a seeded cryptographic hash function. This is documented here: https://www.openssl.org/docs/crypto/rand.html.

Our random number generation is FIPS certified when operating in FIPS mode. The same random number generation technique is used in non-FIPS mode; it simply is the library implementation without the certification.

For SSH (SFTP) communications, the Crypto++ library is used, with its PRNG (which is also FIPS compliant and, when operated in the proper mode, FIPS certified).

Is EFT Server's AS2 module Drummond certified?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server (versions 5.2.3 and later)

QUESTION

Is EFT Server's AS2 module Drummond certified?

ANSWER

Yes. The AS2 component used in EFT Server is /n software's IP*Works EDI v8.3 Engine, in compliance with RFC4130. (The Drummond Group requires you to register your email address on their web site linked above to see their Current Certified Product List.)

In March 2008, GlobalSCAPE announced that EFT Server supports both client (outbound) and server (inbound) AS2 transfers with a Drummond-certified AS2 adapter that has achieved interoperability with other Drummond-certified AS2 servers and clients. The full product's first release was in July 2008 with EFT Server version 5.2.3.

For more information, refer to the EFT Server online help documentation:

Keep source file after transfer skipped

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6.5.11-6.5.x

DISCUSSION

Prior to v6.5 whenever a transfer was skipped because the file already existed at the destination, the source file was always retained.

This behavior was changed in v6.5 so that the source file was deleted when the transfer was skipped. This registry setting allows overriding of the new behavior so that the source file will be retained as was done prior to v6.5. Set "EnableOldSkipBehavior" to 1 to keep the source file after the skipped transfer.

This registry key is only used by EFT versions v6.5.11 - 6.5.x. EFT v7.x and later have made this setting accessible through the administration interface, in the Copy/Move Action wizard.

Registry Key/Value:

32-bit operating system:

[HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0]

64-bit operating system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 4.0]

Type: DWORD

Value = EnableOldSkipBehavior

0 = delete source file on skips (default if not present)

1 = retain source file on skips

Installing or Upgrading EFT in a Cluster

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v6 and later

DISCUSSION

EFT can be installed in an active-passive cluster for failover clustering or (in v7 and later) an active-active cluster for "always on" high availability (HA) service.

Separate instructions are provided below for:

  • Installing EFT in an active-passive failover cluster
  • Upgrading EFT in an active-passive failover cluster
  • Installing EFT in an active-active HA cluster (At this time, you cannot upgrade any EFT to an HA cluster; it has to be a new installation.)

(TIP: Print this topic and check off the steps as they are completed.)

Installing EFT v7 in an Active-Active HA cluster

  1. Set up a load balancer according to the vendor’s documentation.
  2. Make sure the node that you are installing on has access to a shared resource disk.
  3. Run the EFT installer on the node that has access to the clustered (shared resource) disk. Follow the prompts and refer to "Installing the Server, Interface, and Modules" in the EFT help documentation, if necessary.
  4. On the Choose install type page, click Active-active cluster, then click Next.
  5. A message appears stating that "some features of Microsoft Message Queuing (MSMQ) must be enabled." Click Yes. It can take several minutes for MSMQ to be enabled.
  6. A prompt appears asking "Is this the first node in the cluster?" Do one of the following:
    • Click Yes if this is the first node in the cluster.
    • Click No if you already installed EFT on the first node and you are now installing EFT on a subsequent node.
  7. On the Choose Install Location page, specify the installation location on your local physical drive, and then click Next.
  8. On the Choose Shared Settings Location page, specify the shared resource disk, and then click Next.
     Note: If you cannot browse to the shared resource disk, then the clustered disk is offline or assigned to the other node. CANCEL the installation and verify that the clustered disk can be accessed on the node you are installing on, and then restart the installation process.
  9. Follow the prompts in the wizard to continue the installation (create the EFT administrator account, configure ARM, etc.).
     Note: You must specify a remote SQL or Oracle server for the ARM database. Do not use a local database, such as SQL Server Express.
  10. On the final page of the installer, Start the EFT Enterprise service, and then click Finish.
  11. Configure the first node of the cluster, license EFT and any add-on modules.
  12. Repeat steps 3–10 on subsequent nodes. (Be sure to click No in step 5.) "Silent" command-line options are available in the online help at http://help.globalscape.com/help/eft7/mergedProjects/eft/Silent_Installation.htm. Subsequent nodes pick up all configuration done to the first node, because all nodes share the same configuration file.

Installing EFT in a Failover Cluster Configuration

Before you add EFT to your failover cluster, you must set up your cluster manager. Please consult your cluster manager vendor’s documentation for details. Globalscape's Server Support team can provide assistance with basic configuration questions, and the Globalscape Professional Services group can provide assistance with installing and configuring a cluster.

  1. Set up Microsoft Failover Clustering, Symantec’s Veritas Cluster Server, or other third-party cluster manager according to your cluster manager vendor’s documentation.
  2. Make sure the node that you are installing on has access to the shared resource disk (i.e., the clustered disk or clustered storage pool or Cluster Shared Volume (CSV), as appropriate to your cluster environment).
  3. Run the EFT installer on the node that has access to the clustered (shared resource) disk. Follow the prompts and refer to Installing the Server, Interface, and Modules, if necessary.
  4. On the Choose install type page, click active-passive cluster, then click Next. When the confirmation prompt appears, click Yes to confirm that you have read the cluster documentation.
  5. A prompt appears asking "Is this the first node in the cluster?" Do one of the following:
    • Click Yes if this is the first node in the cluster.
    • Click No if you already installed EFT on the first node and you are now installing EFT on the second node.
  6. On the Choose Install Location page, specify the installation location on your local physical drive, and then click Next.
  7. On the Choose EFT Enterprise configuration data location page, specify the shared resource disk, and then click Next.
     Note: If you cannot browse to the shared resource disk, then the clustered disk is offline or assigned to the other node. CANCEL the installation and verify that the clustered disk can be accessed on the node you are installing on, and then restart the installation process.
  8. Follow the prompts in the wizard to continue the installation (create the EFT administrator account, configure ARM, etc.).
     Note: You must specify a remote SQL or Oracle server for the ARM database. Do not use a local database, such as SQL Server Express.
  9. On the final page of the installer, ensure that the Start the EFT Enterprise service check box is NOT selected, and then click Finish.
  10. Use the third party's cluster administrator tool to move (assign) the clustered disk resource to the second node.
  11. Repeat steps 3–9 on the second node. (Be sure to click No in step 5.)
  12. On the second node, use the third-party's cluster administrator tool to create a new clustered role: generic service > EFT Enterprise, linked to the desired shared resource drive (described in step 2), optionally replicating the following registry settings in HKLM\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.
  13. Once the role is created, the EFT service on the second node will be started by the cluster. Launch the EFT administration interface, connect to the EFT on the second node, configure EFT, and license the product and any add-on modules.
     Note: Make sure you specify a Site root folder on the shared resource drive when creating your first Site. (For example: Site Root = H:\Data.)
  14. Once you have configured EFT to your liking, make the first node in the cluster the group owner, then license EFT and any add-on modules in that node. (Notice that EFT on the first (primary) node picks up all configuration done to the second node, because the nodes share the configuration files.)

Upgrading EFT in an Existing Failover (Active-Passive) Cluster

To upgrade an EFT version 6.4 or later that is already installed in a cluster configuration:

  1. Gather your credentials: EFT administrator and SQL or Oracle database owner (unless using Windows authentication).
  2. Perform rollback and disaster recovery (DR) operations:
    1. Run EFT's Backup Server Configuration tool (available in Enterprise only).
    2. Back up your entire EFT configuration folder located on the shared resource drive.
    3. Back up your database (performing purging, if necessary).
    4. (Optional) Route traffic to your DR site to avoid downtime.
  3. Open the third-party cluster administrator tool and take the cluster offline. Also take the EFT Enterprise clustered role (formerly called "clustered applications and services") offline.
     Note: Microsoft’s failover cluster will bring down the disk resource when the role is stopped. You may need to detach the clustered disk from the role and bring the clustered disk resource back online so that the installer can write files to the clustered (shared resource) disk.
  4. Run the EFT installer on the node that has access to the clustered (shared resource) disk.
  5. On the Prior version detected page, click Upgrade cluster, and then click Next. When the confirmation prompt appears, click Yes to confirm that you have read the cluster documentation.
  6. A prompt appears asking "Is this the first node in the cluster?" Do one of the following:
    • Click Yes if you are upgrading the first node in the cluster.
    • Click No if you already upgraded the first node and are now going through the steps again for the second or Nth node.
  7. On the Choose Install Location page, verify that the Destination Folder matches the current program install directory, typically C:\Program Files\Globalscape\EFT Enterprise, and then click Next.
  8. On the Auditing and Reporting database configuration page, click Configure Auditing and Reporting (most likely) or skip if auditing is not being used (rare). Click Next.
  9. Click Use existing SQL Server or Use existing Oracle database, as appropriate, and then click Next.
  10. Click Upgrade an existing EFT ARM Database, and then click Next.
  11. Provide your database credentials if using SQL or Oracle authentication, otherwise click Windows authentication. Click Test to verify your database connection. After the database credentials have been verified, click Next.
     Note: Do not proceed with the installation if you are unable to validate your database connection. Contact Globalscape support or your database administrator for further assistance.
  12. On the Confirm Database Upgrade page, verify that all upgrade requirements have passed. Once verified, select the check box to confirm your understanding of the upgrade process, and then click Install.
  13. On the final page of the installer, ensure that the Start the EFT Enterprise service check box is NOT selected, and then click Finish.
  14. Use the third-party cluster administrator’s tool to move (assign) the clustered disk resource to the second node.
  15. Repeat steps 4-14 above on the second node, making sure to click No in step 6 when the prompt asks "Is this the first node in the cluster?" You will not be prompted to upgrade the database for the second node.
  16. Once the second node has been upgraded, use the third-party cluster administrator to reattach the clustered disk resource to the EFT resource role, then subsequently bring the role and cluster back online.
  17. If applicable, you can start routing traffic back from the DR site to the primary. Repeat the cluster upgrade procedure on the DR site once you feel confident with the new version.


Does the GHOST vulnerability affect any Globalscape products?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All Globalscape products

QUESTION

Does the "GHOST" vulnerability affect any Globalscape products?

ANSWER

No, as long as the system on which our product is installed is patched against the vulnerability.

MORE INFORMATION

On 27 January 2015, the United States Department of Homeland Security, via its Computer Emergency Readiness Team (US-CERT), warned organizations about a critical software vulnerability dubbed “GHOST” that poses a serious risk to computer systems. “GHOST” affects Linux GNU C Library (glibc) versions prior to 2.18. Hackers can exploit this vulnerability to achieve remote code execution, which can enable them to take control of the affected system and wreak havoc by potentially deleting files, installing malware, and performing any other activity that can be done via stolen credentials.

Any Linux system running a vulnerable version of the glibc should be patched.

Refer to https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability for more information.

Upgrading EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, versions 6.3 and later

DISCUSSION

Please read the following information before upgrading. Several of the caveats below could adversely affect the success of your upgrade if not heeded.

  • The EFT installer detects and prevents upgrades of more than two versions prior to the current version. That is, upgrading is supported from:
    • EFT SMB 6.2.x or 6.3.x to EFT SMB 6.4.x
    • EFT SMB 6.3.x or 6.4.x to EFT SMB 6.5.x
    • EFT SMB 6.4.x or 6.5.x to EFT SMB 7.x
    • EFT Enterprise v6.2.x or v6.3.x to EFT Enterprise v6.4.x
    • EFT Enterprise v6.3.x or v6.4.x to EFT Enterprise v6.5.x
    • EFT Enterprise v6.4.x or v6.5.x to EFT Enterprise v7.x
  • You can upgrade from EFT SMB to EFT Enterprise within the same version
    • EFT SMB v6.3 to EFT Enterprise v6.3 (requires purchase of Enterprise license)
    • EFT SMB v6.4 to EFT Enterprise v6.4 (requires purchase of Enterprise license)
    • EFT SMB v6.5 to EFT Enterprise v6.5 (requires purchase of Enterprise license)
    • EFT SMB v7 to EFT Enterprise v7 (requires purchase of Enterprise license)
  • If you are upgrading from EFT SMB edition to EFT Enterprise, you may have to update the path to the .aud file in the Authentication Options dialog box for each Site. Refer to Globalscape Authentication or Changing and Testing LDAP Authentication Options for instructions, depending on the authentication type. When the EFT service starts, it looks for a .cfg file. If the .cfg file is not found, corrupted, or not compatible, EFT creates a new .cfg file in the default location. If the .cfg file is corrupted or the wrong version, the bad .cfg file is backed up and an error is written to the Event log. The .cfg file points to the Sites' .aud files. EFT searches for the .aud file near the ftp.cfg file if the path to the .aud file appears to be incorrect. You cannot edit the .cfg file. (If you have installed the previous version for the sole purpose of upgrading, you must create at least a Server object in the administration interface to create a .cfg file before you can upgrade.)
  • If you are adding any modules, you may receive a new activation serial number. If so, then it may be necessary to activate the software when you start it for the first time.
  • Contact Support to obtain a new registration serial number or to determine your eligibility for an upgrade. If you are moving an EFT from one computer to another, contact the Globalscape customer service team or your account manager so that we can adjust your account on our activation and registration server. Activation on the new computer will not be possible until the adjustment is made. If you want to test or verify an update prior to introduction into your production environment, do not use your production serial number for testing purposes.
  • If you are upgrading a cluster, refer to Installing or Upgrading EFT in a Cluster. (You cannot upgrade EFT in an active-active cluster.)
  • If you are upgrading from Secure FTP Server, refer to: Upgrading Secure FTP Server v3.3 to EFT Server v6.x
  • DMZ Gateway:
    • If you are also upgrading DMZ Gateway, upgrade DMZ Gateway first, then upgrade EFT.
  • ARM:
    • In v6.5 and later, a more sophisticated process is used to upgrade the ARM database. Refer to "Upgrading the EFT Database," "Upgrading Large Databases," and "ARM Database Schema Change Tracking" in the help documentation for your version of EFT for important information.
    • When upgrading from versions prior to EFT v6.4, if you upgrade the SQL Server ARM database with the installer, the default schema name is now dbo.
    • During updates or upgrades, EFT Server needs full DB Owner access to update the schema. Once it is set up, EFT Server only needs to be able to read, write, and execute stored procedures. Refer to the Knowledgebase article "Configuring EFT Server Permissions in SQL Server" for more information.
  • API:
    • In v6.5 and later, COM API resources including SFTPCOMInterface.DLL and associated files are saved in C:\Program Files\Common Files\Globalscape\SFTPCOMInterface so that they can be shared with other Globalscape applications, such as Mail Express, ensuring that each application is using the same DLL.
    • Any older scripts that use the v6.2 COM API for Timer Events must be manually updated to the new API.
    • The IP Access/IP Ban has increased functionality, and the COM interface has been modified to match the new functionality.
  • WTC:
    • (Java-enabled version) When upgrading the WTC, workstations might receive a Java error, but then the WTC will load and be functional. Refer to KB article #10654 for details.
    • When upgrading, the \web\custom\ and \web\public\ folders are backed up and renamed with the date and time (e.g., \customBackup_9-28-2010_16-18\ and \publicBackup_9-28-2010_16-18\). The new versions of the files may have some updated content, so rather than overwriting the new files with your old files, you should manually copy your customizations to the new files after upgrading. This applies to any edits for the per-Site and per-Server login pages, Web Transfer Client (WTC) interface, Account Management interface, and AS2 Management interface.
    • End users will need to clear their browser cache: refer to KB http://kb.globalscape.com/KnowledgebaseArticle10654.aspx for more information.
    • FTP requires UPLOAD permission in addition to APPEND to resume a partial file transfer.
    • In v7.0.3 and later, you can upgrade the WTC as improvements are made, without having to upgrade the entire EFT platform.
    • In v7 and later, the WTC no longer logs you out when you refresh or close the browser; the session still times out as normal.
  • Event Rules:
    • In v6.4 and later, the Folder Monitor Event Rule trigger provides better reliability for the handling of file events. The current Folder Monitor algorithm uses more resources (threads) than the v6.2 algorithm. An EFT with more than 250 Folder Monitor Rules should use the v6.2 algorithm, which uses fewer resources. The 6.2 Folder Monitor algorithm can be selected via a registry key.
    • The Event Rule file Copy/Move wizard provides control for overwrite options. The overwrite options were set in earlier versions using registry keys. Any associated registry keys will now be ignored and you should update your Event Rule Actions with the desired overwrite option.
    • EFT supports PORT mode when using the SOCKS protocol to the outbound gateway/proxy. Event Rules that were configured for SOCKS PORT mode in v6.2, will switch from acting as a PASV mode connection to a PORT mode connection in later versions.
    • During the upgrade, if a non file-trigger rule contains an %FS.FILE_NAME% variable, it will be converted to %SOURCE.FILE_NAME% and a WARNING will record the change in the EFT.log. Refer to Variables (List) for more information about the %SOURCE.FILE_NAME% variable.
    • By default, IP Access-related Event Rules are limited to 1000 rules. If you upgrade with more than 1000 denied IP addresses, the rule count overflows and you cannot create new rules. Refer to Knowledgebase article "Cannot create new Event Rules after upgrading" for a registry fix.
  • EFT v6.5 uses UTF-8 for RADIUS/RSA. When upgrading to v6.5, in cases where ASCII strings with >127 characters were used for RADIUS in the prior version, there is some risk of loss of fidelity when converting to UTF-8 (depending on the code page) for v6.5 or later. You may need to re-enter values, disable and then re-enable RADIUS, or restart the Site to refresh the values.
  • If a Site uses the LDAP Authentication Manager, and if the users are allowed to change their passwords, LDAP calls are used to make the password changes. In v6.2, Active Directory calls were used to make the password changes. With the switch to LDAP in v6.3 and later, LDAP over SSL should be used to protect the password changes. LDAP over SSL can be difficult to configure, so the registry setting in http://kb.globalscape.com/KnowledgebaseArticle10659.aspx allows you to continue using the Active Directory API for the password changes, which also provides security for the communication path.
  • If NTLM v2 proxy authentication support is needed, the default HTTP client must be changed from the Apache HTTP client to the Java JSE HTTP client. The JSE HTTP client does not properly set the Content-Length for files > 2GB, so a custom X-Header is used to communicate the file size. Any HTTP proxy that is in the path between the browser and EFT must properly pass the custom X-Header. Refer to Accessing EFT Through a Proxy for details.
  • It is a good idea to read the Release Notes before you begin.

To upgrade the software

  1. Document the administrator user name and password for the existing product. If you are also upgrading the database files, you will need the ARM database name, username, and password.
  2. Close the administration interface and stop the EFT service.
  3. As a precaution, back up the existing installation directories and any other files you may have installed elsewhere. If you are upgrading EFT Enterprise, run a backup and save that backup file in an easily accessed location or removable media.
  4. Launch the installer. The Choose an installer page appears.
  5. Click EFT or EFT Enterprise. The installer loads the required components, then the Welcome page appears.
  6. Click Next. The license agreement appears.
  7. Scroll or page down to review the agreement, then click I Agree to continue. The license agreement is also saved in the EFT installation folder as "license.txt" if you want to read or print it later.
  8. The installer will detect the existing installation of EFT.

  9. Click Upgrade to upgrade the existing configuration and copy your existing Sites, users, etc. to the new installation. (If you are upgrading a cluster, refer to Installing or Upgrading EFT in a Cluster. If this is a New install, refer to Installing the Server, Administrator, and Modules.)
  10. Click Next. If a message appears stating that the SFTPCOMInterface.dll will be upgraded, click OK to dismiss the message.
  11. Click Next. The Choose Components page appears.
  12. To upgrade EFT and the Admin Interface, leave both check boxes selected.
  13. Click Next. The Choose Install Location page appears.
  14. Keep the default location or click Browse to specify an alternate location.
  15. Click Next. The Configuration data path page appears.
  16. Keep the default location or click Browse to specify an alternate location.
  17. Click Next. The Choose Start Menu Folder page appears.
  18. Keep the default location, click an alternate location, or type a name to create a new folder, then click Next.
  19. If the Secure Ad Hoc Transfer module is installed on the same computer, a message appears stating that IIS needs to be stopped during the upgrade. Click Yes to continue.
  20. The database configuration page appears.

  21. Click one of the following options:
    • If you do not want to configure auditing and reporting, click Skip auditing and reporting configuration, and then click Next and the selected components will be updated.
    • If you want to configure auditing and reporting, click Configure auditing and reporting, and then click Next.

    If you are using a local SQL Server Express database, the wizard will find the database and prompt you to upgrade it. When using a SQL Server or Oracle database, a page appears in which you can provide the database connection information and credentials. The installer will test the database connection, if configured, then the Confirm Database Upgrade page appears.

  22. Review the information in the dialog box, or click View to review the information in a text editor.
  23. If there are any errors to repair, you can repair them on the database now, and then click Reanalyze to retest.
  24. After all requirements for upgrade have passed, if there are changes to be made to the database, select the check box, then click Install. (If there are no changes to be made to the database, the check box will not appear.)
  25. The wizard will upgrade the database and the specified EFT components. On the final page of the wizard, select the check boxes as needed:
    • Start the administration interface - If you do not want to open the interface, clear the check box. You can also open the interface from the Start menu.
    • Create a desktop shortcut - An administration interface shortcut is created on the desktop by default. If you do not want to create a shortcut, clear the check box.
    • Show version history - If you want to read the release notes, select the Show Version History check box. If you want to read it later, the release notes file, notes.txt, is installed in the EFT installation directory.
    • Show installation log - If you want to review the installation log now, select the check box. If you want to review it later, it is saved in a temporary folder, C:\Program Files\GlobalSCAPE\EFT Server Enterprise (or EFT Server)\Installer.log.
    • Start the EFT Service - Clear the check box if you do not want to start the service yet. Select the check box if you want to start the service when you click Finish. The service is configured to start automatically when the computer starts. If you do not want the service to start automatically, you will have to configure it in Windows to start manually.

    The EFT service Log On as account will be set to Local System account by default. If necessary, you can edit this in the service's Properties dialog box, on the Log on tab. (Start > Run > services.msc.)

    If you are upgrading from EFT SMB to EFT Enterprise

    After you have finished installing EFT Enterprise, uninstall EFT SMB. When you launch the administrator interface, the following error message might appear:
    “Cannot find report definition file. File Missing....”
    and lists several files.

    To resolve the issue

    1. Close the interface.
    2. Execute the following commands in the C:\Program Files\Globalscape\EFT Enterprise directory:

      Regsvr32.exe vsflex8l.ocx

      Regsvr32.exe vsprint8.ocx

      Regsvr32.exe vsrpt8.ocx

    3. Reopen the interface; the message should no longer appear.

    Silent (Command-Line) Installation and Upgrade of EFT


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, version

    QUESTION

    Can EFT be installed "silently" using a script/batch file?

    ANSWER

    Yes, you can install EFT silently, including when EFT is deployed in an active-active, high availability configuration.

    Refer to the attached PDF for details.

    Does EFT support older SFTP clients that don't provide for Keyboard Interactive Authentication (KIA)?


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • version 7.0.3.16 and later

    QUESTION

    Does EFT support older SFTP clients that don't provide for Keyboard Interactive Authentication (KIA)?

    ANSWER

    EFT provides the KIA feature used by modern SFTP clients. If you need to allow older SFTP clients to connect that do not support KIA, you can disable that feature in EFT with the following registry setting.

    To disable Keyboard Interactive Authentication

    Registry Path:

    32-bit operating system:

    HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\Config

    64-bit operating system:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 4.0\Config

    Type: bool

    AllowMethodKIA

    1 = allow (the default)

    0 = disable

    Cached: no

    Backup/Restore: yes

    Mail Express® Outlook Add-In fails to load when opening Microsoft Outlook


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • Mail Express®, all versions

    SYMPTOM

    Mail Express Outlook Add-In fails to load when opening Microsoft Outlook.

    RESOLUTION

    Use the following workaround:

    1. Enable cached mode.
    2. Restart Outlook.

    MORE INFORMATION

    Recent Microsoft updates have caused this issue for various Office applications, including the Mail Express Outlook Add-In.

    Refer to the following articles for more information:

    Mail Express Outlook Add-In Deployment Guide


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • Mail Express version 3.x

    For installing the Mail Express v4.x add-in, please refer to http://help.globalscape.com/help/me4/desktop/installing_the_outlook_add-in.htm.

    DISCUSSION

    The attached Mail Express Outlook Add-In Deployment Guide is designed to assist in the setup, configuration, and deployment of the Mail Express Outlook Add-in and the prerequisite software it requires in a remote or “silent” installation. This document describes one method for deploying the Outlook Add-In; however, deployment is not limited to this method. Hyperlinks provide additional detailed information in the online help files or download locations. An installation of Outlook 2007 is assumed for all examples in this guide.


    Message appears stating that the node is out of sync and that the service needs to be restarted


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.0 and later

    SYMPTOM

    When an admin logs into the administration interface, a message appears stating that the node is out of sync and that the service needs to be restarted.

    RESOLUTION

    Restart the EFT service.

    MORE INFORMATION/WORKAROUND

    HA nodes running on systems with more than one network interface card can get into a state in which the nodes get out of sync.

    To prevent this from occurring

    Bind your MSMQ listener to a specific static adapter by adding the following registry string value:

    HKLM\software\Microsoft\MSMQ\Parameters\MulticastBindIP

    with the IP address of the adapter you want to bind to.


    Which certifications and compliance standards does EFT Server maintain and support?


    EFT Server maintains/supports the following certifications and compliance standards:

    • FIPS 140-2 certified SSH and SSL cryptographic module; independently certified as meeting U.S. NIST FIPS 140-2 security standards
    • PCI DSS 2.0 compliant; including inline PCI DSS compliance validation and reporting
    • Adherence to OWASP security standards for password reset and username retrieval
    • RSA certified; Secured by RSA® Certified Partner (v6.3 and later)
    • Microsoft "Works with Windows Server 2008 R2" certified
    • Drummond-Certified AS2 library (certified under IP*Works)
    • IPv6 compliance in accordance with RFC 2460, 2428, and others (v6.4 and later)
    • OpenPGP compliance in accordance with RFC 2440
    • FTP/S, SFTP, and HTTP/S in accordance with numerous RFCs

    Changes in COM API from v6.0 and later


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Server Enterprise version 6.0 and later

    (no changes to COM were made for 6.4.10)

    DISCUSSION

    The attached spreadsheet lists which of the interfaces, properties, methods, and enums in the COM API were added or modified. Use this reference to guide you when you upgrade EFT Server to verify your scripts and make changes, if any. Refer to the COM API Reference for details of the changes: http://help.globalscape.com/help/gs_com_api/index.htm

    Adjust IP Access Rule Count Limit and IP Auto Ban List limit


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Server Enterprise version 6.4 and later

    DISCUSSION

    By default, IP Access-related Event Rules are limited to 1000 rules. When clients upgrade with more than 1000 denied IP addresses, the rule count immediately overflows and they cannot create new rules.

    You can add the following registry entries to allow you to increase this limit so you can edit the existing rule set.

    32-bit: HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 4.0

    64-bit: HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0

    DWORD: IPRulesLimit

    Accepts values from 0 to 60000; default is 5000

    and

    DWORD: AutobanLimit

    Accepts values from 0 to 60000; default is 10000

    It is not necessary to restart the server for the changes to take effect.

    Unable to use backslashes (\) as directory separator in paths; 501 Syntax error in parameters or arguments


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.x and later

    SYMPTOM

    Unable to use backslashes (\) as directory separator in paths, causing a "501 Syntax error in parameters or arguments" error message.

    RESOLUTION

    Create the registry entries described below.

    32-bit:

    HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 7.0\

    64-bit:

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.0\

    ReplaceBackslashWithSlashInPathsForFTP

    ReplaceBackslashWithSlashInPathsForSFTP

    Values:

    1 = enabled; that is, backslashes (\) in paths are replaced with forward slashes (/)

    0 = disabled

    Default = 0

    It is not necessary to restart the EFT server service; the change takes effect immediately.

    MORE INFORMATION

    The SFTP specification (https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02) says: "File names are assumed to use the slash ('/') character as a directory separator." EFT v6.5 does not precisely follow the RFC in this regard and allows using a backward slash ('\') as directory separator.

    EFT 7.0 and later work according to the RFC. We've implemented this registry key to make EFT v7.x and later work the same way as v6.5 for backward compatibility.

    Windows Registry Settings (EFT Server)


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Server version 4.x and later and EFT Server Enterprise version 6 and later

    DISCUSSION

    EFT Server stores its configuration information in the Windows Registry, which contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. EFT Server modifies the system registry as needed, and continually references this information during operation.

    To add a key to the registry, you can either edit it directly or create and execute a .reg file. When you add or edit these registry keys, you will need to restart EFT Server.


    These options are for advanced users only. Incorrectly editing the registry can severely damage your system. You should always back up (export a copy of) the registry before you make any changes to it.

    Some paths are HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 3.0\, and others are HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\. Do NOT change the path to match your version of EFT Server.


    The registry keys described at the links below are available in EFT Server for advanced system administration.

    The instructions below are provided only as a reminder for advanced users.

    If you are not experienced with editing the Registry, please ask your system or network administrator for assistance.

    To back up the registry

    1. Click Start, then click Run. The Run dialog box appears.
    2. In the Open box, type regedit, then press ENTER. The Registry Editor appears.
    3. Do one of the following:
      • To back up the entire registry, click My Computer.
      • To back up a specific group of keys or a specific key, click the folder or key.
    4. On the main menu, click File, then click Export. The Export Registry File dialog box appears.
    5. Specify a name and location for the file, then click Save. The export process begins.

      If you are exporting the entire registry, it can take a few minutes, and the file size can be up to 100 MB or more. If you are exporting just one key, the file size is approximately 1 KB.

    6. After you edit the registry, if you are experiencing problems caused by editing the registry, you can import the backed up file:
      1. On the main menu, click File, then click Import. The Import Registry File dialog box appears.
      2. Click the .reg file to import, then click Open. The import process begins. If you are importing the entire registry, it can take a few minutes.

    To create a .reg file

    1. In a text editor, such as Notepad, type or paste the following text on the first line:

      Windows Registry Editor Version 5.00

    2. On the second line, type or paste the key path. For example, type:

      [HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\EventRules]

      (include brackets)

    3. On the third line, type or paste the name of the key and the value (DWORD) for the key. For example, type:

      "FolderMonitorWorkerThreadCount"=dword:00000100

      (include quotation marks)

    4. Close the file and save it with a .reg extension. For example, type:

      threadcount.reg

    5. Double-click the file and follow the prompts to install the key into the registry. If you receive an error, open the file to verify the information was typed correctly. The .reg file can be transported to and used on other computers.
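The .reg procedure above and the IPRulesLimit/AutobanLimit article both depend on one detail: DWORD data in a .reg file is hexadecimal, so the article's dword:00000100 is 256 decimal, while the documented limits (0 to 60000) are decimal. The following Python sketch is an added example, not GlobalSCAPE code; the function and constant names are chosen here, and the key paths, value names and ranges are the ones quoted on this page. It renders a .reg file from decimal values with range checks and reads DWORD lines back as decimal for review before import.

```python
import re

# Key paths and value names as quoted in the articles on this page.
EFT_KEY_32 = r"HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 4.0"
EFT_KEY_64 = r"HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0"

# Documented decimal ranges for the DWORDs that state one.
DOCUMENTED_RANGES = {"IPRulesLimit": (0, 60000), "AutobanLimit": (0, 60000)}

HEADER = "Windows Registry Editor Version 5.00"
_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def render_reg(key_path, dwords):
    """Return .reg text that sets the given decimal DWORD values under key_path."""
    # Blank line after the header, matching the layout of regedit's own exports.
    lines = [HEADER, "", f"[{key_path}]"]
    for name, value in dwords.items():
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name}: {value!r} is not an integer")
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name}: {value} does not fit in a DWORD")
        low, high = DOCUMENTED_RANGES.get(name, (0, 0xFFFFFFFF))
        if not low <= value <= high:
            raise ValueError(f"{name}: {value} is outside the documented range {low}-{high}")
        # DWORD data is written as eight hexadecimal digits.
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"


def parse_reg_dwords(text):
    """Return {(key_path, value_name): decimal_value} for every DWORD line in text."""
    found, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY.match(line):
            current_key = m.group("key")
        elif (m := _DWORD.match(line)) and current_key:
            found[(current_key, m.group("name"))] = int(m.group("hex"), 16)
    return found


# The three lines the article's procedure builds, reproduced as sample input.
ARTICLE_SAMPLE = (
    "Windows Registry Editor Version 5.00\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\GlobalSCAPE Inc.\\EFT Server 4.0\\EventRules]\n"
    '"FolderMonitorWorkerThreadCount"=dword:00000100\n'
)

if __name__ == "__main__":
    for (key, name), value in parse_reg_dwords(ARTICLE_SAMPLE).items():
        print(f"{name} = {value} (decimal) under {key}")
    print(render_reg(EFT_KEY_64, {"IPRulesLimit": 5000, "AutobanLimit": 10000}))
```

Reading a .reg file back through `parse_reg_dwords` before double-clicking it shows the decimal value that will actually be written, which catches a decimal number typed into the hexadecimal field.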

    To create the key manually

    1. Click Start, then click Run. The Run dialog box appears.
    2. In the Open box, type regedit, then press ENTER. The Registry Editor appears.
    3. Expand the My Computer node, the HKEY_LOCAL_MACHINE node, and the SOFTWARE node to find the GlobalSCAPE nodes.
    4. Click the applicable GlobalSCAPE node (as described below), then right-click it, point to New, then click Key. This makes a new folder under the GlobalSCAPE node.
    5. Type a name for the key based on the instructions below, then press ENTER.
    6. Right-click the key, point to New, then click DWORD Value.
    7. Type a name for the DWORD value based on the instructions below, then press ENTER.
    8. Double-click the DWORD. The Edit DWORD Value dialog box appears.
    9. In the Value data box, type an integer, based on the instructions below, then click OK.
    10. Close the registry, then restart the Server service.

    Some of the keys should be created in the EFT Server 3.0 folder, and some should be created in the EFT Server 4.0 folder. Do NOT change the path to match your version of EFT Server.

