GlobalSCAPE Knowledge Base

Changing the load order/delay the start of the Server service

GlobalSCAPE 5 — Thu, 23 May 2013 10:19:24 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Secure FTP Server (All Versions)
EFT Server (All Versions)

QUESTION

How can the EFT Server or Secure FTP Server service loading order be changed/delayed?

ANSWER

Windows 2008 and 2012:

To delay start of the EFT server service on a Windows 2008 server that needs to be very sequence driven, you will need to perform the following steps to use the Windows built-in Delay Start option:

Do one of the following to open the Services Microsoft Management Console (MMC) snap-in:

In Windows 2008: Click Start, type services.msc in the search box, then press ENTER.
In Windows 2012: In the Server Manager, click Tools > Services.

Click to select the EFT Server Enterprise service, then right-click and click Properties. The Properties dialog box appears.
On the General tab, click the Startup type drop down list and change it from Automatic to Automatic (Delayed Start).
Click OK to save the change.

Windows 2003 or earlier:

Follow the steps below to change the load order of the EFT Server or Secure FTP Server service on Window 2003 or earlier:

Caution: The following steps involve editing the Windows registry on the server computer. Incorrectly editing the registry may severely damage your system. These instructions are intended for the advanced user who is prepared to both edit and restore the registry. We recommend that you backup the registry before proceeding.

Start Registry Editor and navigate to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

Double-click on the list entry and add a new value in the list named GlobalSCAPE. Place the new value into the list at the point in the startup sequence where you want the Server service to start. (For example, to configure it so that the Server service starts after all other services, place the GlobalSCAPE value at the end of the list.)
Click OK to close the editing screen.
Navigate to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GlobalSCAPE EFT Server (or Secure FTP Server)

Right-click on the name of the subkey, click New and then click String Value.
For the name, type Group.
Double-click to modify the newly created Group entry and type GlobalSCAPE for the value.
Click OK and then close Registry Editor.

Tuning Windows for TCP/IP performance

GlobalSCAPE 5 — Tue, 21 May 2013 09:07:31 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server (All Versions)
DMZ Gateway (All Windows versions)
Secure FTP Server (All Versions)

DISCUSSION

This topic describes how to tune Windows XP, Windows 2003, and Windows 2008 R1 & R2 operating systems for TCP/IP performance. "Tuning" involves adding several registry keys. To add a key to the registry, you can either edit it directly as described below or create and execute a .reg file. When you have finished adding or editing these registry keys, you must restart the Server. Configure the following settings or variables below according to your specific tuning needs. If necessary, refer to the Globalscape Knowledge Base article Q10411 - HOWTO: Windows Registry Settings, for the procedure for creating/editing keys and creating a .reg file.

These options are for advanced users only. Incorrectly editing the registry can severely damage your system. You should always back up (export a copy of) the registry before you make any changes to it.

REGISTRY KEYS

In all versions of Windows, add the keys described below. Certain keys/values depend on the operating system installed (noted in the Value name column where different).

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters

Value Name DWORD 32-bit)	Value Data (Decimal)	Description
TcpTimedWaitDelay	30	This key determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster and provide more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, or an adjustment because of a low throughput caused by multiple connections in the TIME_WAIT state.
MaxUserPort	(minimum) 32768	This key determines the highest port number that TCP/IP can assign when an application requests an available user port from the system.
TcpMaxDataRetransmissions	5 (seconds)	This key determines how many times TCP retransmits an unacknowledged data segment on an existing connection.
TcpNumConnections	16777214	Determines the maximum number of TCP connections that can be open simultaneously. If the value is 0, you cannot open a connection.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters

Value Name (DWORD 32-bit)	Value Data (Decimal)	Description
EnableDynamicBacklog	00000001	These keys, if many connection attempts are received simultaneously, increase the default number of pending connections that are supported by the operating system. These values request a minimum of 20 and a maximum of 1000 available connections. The number of available connections is increased by 10 each time that there are fewer than the minimum number of available connections.
MinimumDynamicBacklog	00000020
MaximumDynamicBacklog	00001000
DynamicBacklogGrowthDelta	00000010
KeepAliveInterval	1 (second)	This key determines how often TCP repeats keep-alive transmissions when no response is received.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Interface GUID}*

* {Interface GUID} is different for every system.

Value Name
(DWORD 32-bit)

Value Data
Decimal)

Description

TcpNoDelay
(Windows 2008 R1 & R2 only)

0 to enable Nagle's algorithm, 1 to disable, not present by default

TcpAckFrequency
(Windows XP, Windows 2003, and Windows 2008 R1 & R2)

TCP/IP can be the source of some significant remote method delays. You can increase TCP performance by immediately acknowledging incoming TCP segments, in all situations.

NOTE: Some documentation states that this value may be placed directly under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip or HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. After testing, it was determined that the setting only takes effect when placed under the actual {Interface GUID} key.

Your .reg file for Windows 2008 would look something like this:

Remember to reboot the server computer after making the registry changes.

On Windows 2008 (R1&R2), you must also disable autotuning:

Open a command prompt and execute the following command:

netsh int tcp set global autotuninglevel=disabled
The default level is "normal." The possible settings include:

disabled: uses a fixed value for the tcp receive window. Limits it to 64KB (limited at 65535).

highlyrestricted: allows the receive window to grow beyond its default value, very conservatively

restricted: somewhat restricted growth of the tcp receive window beyond its default value

normal: default value, allows the receive window to grow to accommodate most conditions

experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended as it can degrade performance in common scenarios; only intended for research purposes. It enables RWIN values of over 16 MB)

Java Security Warning prompt appears while the WTC/SAT is loading

GlobalSCAPE 5 — Tue, 14 May 2013 10:29:29 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.x and later

SYMPTOM

Java Security Warning prompt appears while the Web Transfer Client (WTC) or the Secure Ad Hoc Transfer (SAT) module is loading.

RESOLUTION

Click Don’t Block. The WTC/SAT will finish loading and be fully functional.

Application: eftclient = WTC
Application: fileupload = SAT

A fix is expected in an upcoming release of EFT Server.

MORE INFORMATION

As of Java update 7u21, Java has started warning users of potentially unsafe code when web applications they are about to run contain JavaScript code that is used with trusted Java components. A dialog, shown above, gives the user the option to block the application or to keep going.

Java provides a mechanism for keeping the user from being prompted and it has been implemented for the WTC/SAT. However, until the fix has been propagated to EFT Server, there is a temporary workaround to avoid displaying the prompt every time the WTC/SAT is started. You can disable the prompt in the Java Control Panel.

To disable the prompt

Click Start > Control Panel, then click the Java icon. (Or click Start > Run, type/paste: c:\Program Files (x86)\Java\jre6\bin\javacpl.exe, then click OK. This is the default path; your path may differ.)
In the Java Control Panel, click the Advanced tab, and scroll toward the bottom of the dialog box.
In the Mixed code area, click Enable - hide warning and run with protections.

Click OK.

This should be considered a temporary solution as hiding this prompt may allow malicious software to have access to the client and server systems.

For more information about the Mixed code options, refer to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html#jcp

Section 508 Compliance - Voluntary Product Accessibility

GlobalSCAPE 5 — Tue, 30 Apr 2013 09:56:21 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

All GlobalSCAPE products, all versions

DISCUSSION

The attached PDF provides information regarding Section 508 Compliance Voluntary Product Accessibility.

For more information about Section 508 compliance, refer to http://www.section508.gov/.

Installing the Mail Express Add-in Prerequisites

mcoburn — Thu, 18 Apr 2013 11:15:18 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, v3.3.2 and later

DESCRIPTION

The Mail Express Outlook Add-in has several dependencies which the help guide details and provides installation information for. This KB article describes special case scenarios to consider that supplement the information in the help guide.

Microsoft Outlook 2013 Primary Interop Assembly

The Microsoft Office 2013 Primary Interop Assemblies Redistributable (PIA) is not yet available to download from Microsoft’s web site. This means that the Outlook 2013 Add-in Bootstrapper will not install this dependency as there is no installation package for the PIA yet. The PIA is a dependency that the add-in requires in order to function. By default, when Microsoft Office is installed, the Outlook PIA is also installed if .NET was installed beforehand on the system. If needed, the PIA can be installed using the Microsoft Office Installer.

The steps to install the PIA after Microsoft Outlook is installed are as follows:

From the Windows Control Panel choose “Programs and Features.”
Select “Microsoft Office 2013” from the list of installed programs.
Press the “Change” button, select the “Add or Remove Features” radio button, and then press the “Continue” button.
Expand the “Microsoft Outlook” node and then choose the “Run from My Computer” menu option for the “.NET Programmability Support” feature and finally press the “Continue” button.

A similar approach can be taken to install the PIA when installing Outlook for the first time.

MORE INFORMATION

For versions of Outlook prior to Outlook 2013, the PIA can be downloaded from Microsoft’s web site or can be installed via the Mail Express Add-in Bootstrapper. Please consult the Mail Express help guide for more information.

Can EFT make my organization compliant with the PCI DSS? How can I validate whether my organization is compliant?

GlobalSCAPE 5 — Wed, 10 Apr 2013 03:46:12 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.x and later

QUESTION #1

Can EFT make my organization compliant with the PCI DSS?

ANSWER #1

GlobalSCAPE’s products can facilitate compliance with several PCI DSS requirements, but Globalscape’s products themselves do not "make" an organization compliant. EFT provides features that warn you when a setting does not meet certain PCI DSS requirements, which you can then choose to address or not.

QUESTION #2

How can I validate whether my organization is PCI DSS compliant?

ANSWER #2

Validation requirements for PCI DSS compliance depend on the merchant or organization’s tier. Some tiers require only that the organization complete a self-assessment questionnaire. Organizations that process many transactions will typically pay a Qualified Security Assessor (QSA) to evaluate whether the organization complies with all requirements for systems in PCI DSS scope as part of a mandatory quarterly scan. To further complicate matters there is no black-and-white standard by which a QSA will assess an organization; it’s up to the QSA to interpret the PCI DSS requirements the way they understand them. This can result in situations where two different QSAs will come up with different assessments even for the same organization! Interestingly, the final authority on compliance is still the payment card vendors (Visa, MC, Amex, etc.) who reserve the right to overrule a QSA’s assessment. The self-assessment questionnaire (in the PCI DSS Quick Reference Guide) is a good start to determine how far out of compliance you might be and what it will take to get you into compliance.

MORE INFORMATION

For more information about the PCI DSS, refer to the PCI SSC Data Security Standards Overview. On that page, click the PCI Data Security Standard (PCI DSS) link to access numerous downloadable PDFs about the standard.

For information about how EFT 2013 can help you get into and stay in compliance with the PCI DSS and other security standards, refer to the EFT High Security-PCI Add-on Module fact sheet.

COM method throws MX Error: 52 (0x00000034)

GlobalSCAPE 5 — Tue, 09 Apr 2013 05:30:28 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.x

SYMPTOM

Call to a COM method throws an "MX Error: 52 (0x00000034)."

RESOLUTION

"MX Error: 52 (0x00000034)" means that the COM object needs to refreshed. That is, you must invoke the ICIServer method RefreshSettings().

How to Use TappIn with the OneDisk iPhone App

GlobalSCAPE 5 — Tue, 09 Apr 2013 05:04:31 GMT

This article applies to:

This article outlines how to use the OneDisk iPhone App from Readdle Software and the TappIn remote access and file sharing service. OneDisk is a file management tool that turns any Apple iPhone device into a wireless-accessible storage device. In addition, it can access file servers over the Internet.The value of using OneDisk with TappIn is that you can have simultaneous access to all your digital files and media while connected to other cloud storage or servers on the Internet. Using both solutions in this way provides one app, OneDisk, to provide file management between the home and cloud storage or other servers such as FTP or other WebDAV accessible services.

Getting Started: TappIn’s remote access and file sharing service offers safe and easy access to all your digital content. Readdle’s OneDisk iPhone app is a universal WebDAV client that can be used to access all your personal content that resides within your home network orcomputers, when configured to work with TappIn services.

A TappIn account is required prior to setting up and using OneDisk. To register for a TappIn account, go to: www.tappin.com Here is a short checklist on how to setup TappIn:

Launch your Web browser to www.tappin.com.
Register by entering an email address and password.
Click “Sign Up!”
Log into your email account and click the activation link to the TappIn Desktop App.
Install the TappIn Desktop App on at least one computer. By default, your personal directory will be securely accessible over the TappIn network.

Get the OneDisk App. Purchase OneDisk through the iTunes AppStore and install the app on your device. OneDisk Help is built directly into the app so feel free to reference OneDisk Help along the way to make sure you understand exactly how OneDisk works.

Once installed, launch the application by tapping the OneDisk icon.

Once OneDisk starts, you will be see the OneDisk home screen. The home screen above displays the list of folders and documents you currently have stored inside the local storage area of the OneDisk app. The Edit button at the top allows you to make changes to the local files and folders. At the bottom of the screen there is a three-tab tab bar, the first which is highlighted above shows all of the files and folders that are local and always accessible. The middle tab is used to access remote servers you may define, and this is where your TappIn remote online folders will reside. Finally, the third tab is used to access the application settings.

When you tap the Online tab you will see the Online Storage screen. This screen displays any remotely accessible servers or services that you can from within OneDisk. Your TappIn shares will show, allowing you to access files and folders anywhere, anytime using OneDisk on your mobile device.

Adding TappIn as a WebDAV Server: In order to access your TappIn shared folders using OneDisk, you need to add the TappIn Service using the "Other WebDAV" server option.

To add the server, click the PLUS button in the upper left of the OneDisk Servers screen.
Clicking the + button exposes the list of new server types you can add to make accessible from OneDisk.
When you are at the screen displayed below, you will need to scroll down to the bottom of the list of Services and it should look like this:
Once you arrive at the end of the list, you want to tap Other Server to add the Other Server WebDAV service. Once you done, you can proceed to enter the TappIn configuration information.
The following screen will be displayed once you choose Other Server.
1. Enter a descriptive title for this TappIn share, this is what will show up in the main OnLine list of Services.
2. Enter the URL for the share you want to access. The form of the URL: https://webdav.tappin.com/user@email.com/sharename
3. Enter your TappIn Username. This is the email address you used when registering for TappIn.
4. Optional: Enter your password. If you leave it blank, it will prompt you at connection time.
5. Click Save.
NOTE: Before you tap Save, you should have a screen that looks like this, but with your specific information in each field.
OneDisk takes you back to the Online Storage screen where your new TappIn service share is shown in the list of online storage services you can connect.

That’s it. You can now use your favorite WebDAV client OneDisk with your favorite remote access and online file sharing service — TappIn! You can safely upload, download, view and email any files you have stored back in your home/work computer or personal network.

Establishing a TappIn Folder Share

lgarcia — Thu, 04 Apr 2013 07:55:45 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION:
How do I establish a TappIn folder share?

ANSWER:
There are default shares automatically established for user convenience; however, follow the steps below to share out another folder or folders.

Navigate to the TappIn icon on your systray located on the bottom right corner of your screen as shown below:
Click the TappIn icon and choose TappIn folders:
The Libraries / My Files page will appear in the browser window as pictured below:
Click on the gear / cog icon as shown below.
A new screen will appear titled Manage Folders. In the bottom right corner click Make Another Folder Available.
Choose either Drives or Network depending on the location of the folder or item you want to share. Make note of the Windows User Tip as pictured below.
The view will expand and show a more detailed folder structure. Select the file and contents to be shared. Make note of the Folder Path, Folder Name (this can be changed provided the name does not already exist), and Permissions (choose Read-Only or Read-Write). Read-write will allow a remote share holder the ability to change the folder and file contents.
Next click Add. The screen will switch back to Manage Folders, and you should now see your new share listed.
Click Continue at the bottom of the page.
The new TappIn folder share will be setup on the My Files page below Libraries.

Removing a TappIn Folder Share

GlobalSCAPE 5 — Thu, 04 Apr 2013 06:58:32 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION:

How do I remove a TappIn folder share?

ANSWER:

Navigate to the TappIn icon on the systray located in the bottom right corner of the screen as shown below:

Click on the TappIn icon and choose TappIn Folders.

A new screen will appear in the browser window under Libraries | My Files.

Click on the gear icon beside the device that the share exists on:

The Manage Folders screen will appear. Locate the folder for which the share will be removed. Click Remove.

A new screen will appear requesting validation. Click Remove.

Click Continue. If this is the correct TappIn folder, then click Remove. A new screen will appear without the TappIn folder share.
Click Continue.
The My Files page will appear with the TappIn folder share no longer listed.

Binding the Mail Express Server to a Specific IP Address

GlobalSCAPE 5 — Wed, 03 Apr 2013 03:21:17 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express version 3.0-3.2

(In Mail Express v3.3, the port bindings can be set/modified in the administration interface. Although you can edit the server.xml file as suggested in this article, when you edit the bindings through the interface, Mail Express overwrites any bindings you may have added manually. Also, version 3.3 listens to localhost:8443 by default, not on port 443.)

DISCUSSION

The Mail Express Server is, in essence, a fully functioning Web Server that hosts the Mail Express Server web application. The Mail Express system requires the use of port 443 on thecomputer running the Mail Express Server. By default the Mail Express Server will attempt to listen on all IP addresses.

This may present difficulties when installing on acomputer running other applications that are using port 443, such as EFT Server or the Internet Information Services (IIS) web server. Running the Mail Express Server on a separate computerfrom these applications will avoid resource contention and simplifies network routing.However, running the Mail Express Server on the same computer as another application that uses port 443 may be unavoidable.

If this is the case, then the Mail Express Server and the competing application(s) must be configured to bind to port 443 on separate IP addresses. The following instructions describe how to configure the Mail Express Server to listen on a specific IP addressinstead of all IP addresses on the computer. (To specify an IP address in EFT Server, refer to Changing a Site's IP Address or Port in the EFT Server documentation for your version of EFT Server. To configure other applications to use a specific IP address, refer to their documentation.)

To configure the Mail Express Server to bind to port 443 on a specific IP Address:

Shut down the Mail Express Server Windows service.
Using a text editor such as Notepad, edit the configuration file “<Mail Express Server Installation Directory>\conf \server.xml”
Locate the SSL Connector definition XML Element by searching for the text port=”443”. The element will be similar to:

	<Connector 			port="443"			protocol="HTTP/1.1"			connectionTimeout="20000"			keepAliveTimeout="20000"			enableLookups="true" 			disableUploadTimeout="true"			acceptCount="100"			maxThreads="200"			scheme="https"			secure="true"			SSLEnabled="true"			SSLProtocol="all"			SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"			SSLCertificateFile="${catalina.home}\conf\MailExpress.crt" 			SSLCertificateKeyFile="${catalina.home}\conf\MailExpress.key"			SSLPassword="mailexpress"			SSLVerifyClient="none"			SSLVerifyDepth="10"/>

Add an “address” attribute by inserting the following line into the “Connector” definition:

address="<IP Address>"

Where<IP Address>is the explicit IP address on which to listen on port 443. Theresulting Connector definition should resemble the following example:

	<Connector			address="192.168.1.58"			port="443"			protocol="HTTP/1.1"			connectionTimeout="20000"			keepAliveTimeout="20000"			enableLookups="true" 			disableUploadTimeout="true"			acceptCount="100"			maxThreads="200"			scheme="https"			secure="true"			SSLEnabled="true"			SSLProtocol="all"			SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"			SSLCertificateFile="${catalina.home}\conf\MailExpress.crt" 			SSLCertificateKeyFile="${catalina.home}\conf\MailExpress.key"			SSLPassword="mailexpress"			SSLVerifyClient="none"			SSLVerifyDepth="10"/>

Save the changes to the file.
Start the Mail Express Server Windows service.
Verify the Mail Express Server is listening on the specified IP address and port by navigating a web browser to that address and port.

PTC file downloads over SSL (HTTPS) do not work with the cache control headers in IE8

GlobalSCAPE 5 — Thu, 28 Mar 2013 08:36:08 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.5 and later

SYMPTOM

In Internet Explorer 8 and earlier, downloads over HTTPS fail when using the Plain-Text Client

RESOLUTION

The registry override from Microsoft (http://support.microsoft.com/kb/323308) described below will bypass the HTTPS cache check so that files can be downloaded directly from the remote site. Alternatively, upgrading to IE9, or using a current web browser will resolve the issue.

To resolve this issue in Internet Explorer 7 and 8:

Start the Registry Editor.
For a per-user setting, locate the following registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

For a per-computer setting, locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

On the Edit menu, click Add Value.
To override the directive for HTTPS connections, add the following registry value:

"BypassSSLNoCacheCheck"=Dword:00000001

To override the directive for HTTP connections, add the following registry value:

"BypassHTTPNoCacheCheck"=Dword:00000001

Close the Registry Editor.

MORE INFORMATION

When connecting to EFT v6.5 via the Plain Text Client using Internet Explorer 8, Windows Internet explorer receives the following error:

“Unable to download [filename] from [host address]

Unable to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.”

When connecting to EFT v6.5.0, Internet Explorer 8 tries to permanently cache secure files on the client computer, which by current security standards should not be allowed. A bug in Internet Explorer prevents active downloads over the secure socket layer unless files are cached on the client computers.

Is CuteFTP Mac Pro, v3.1.2 supported on Mac OSx 10.8 (Mountain Lion)?

GlobalSCAPE 5 — Tue, 26 Mar 2013 05:37:23 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

CuteFTP Mac Pro, v3.1.2

QUESTION

Is CuteFTP Mac Pro, v3.1.2 supported on Mac OSx 10.8 (Mountain Lion)?

ANSWER

Although it has not been formally tested, users have installed it on Mac OSx 10.8. You may have received an error stating that the CuteFTP installer "is from an unidentified developer."

Before installing CuteFTP Mac Pro, v3.1.2 on Mac OSx 10.8, the following setting must be enabled:

On the Apple menu, click Preferences > Security and Privacy > General, then under Allow applications downloaded from click Anywhere. (The default setting for Gatekeeper in OS X Lion v10.7.5 is Anywhere.)

For more information about CuteFTP Mac Pro, refer to the following links:

Online help: http://help.globalscape.com/help/cuteftpmacpro3/
CuteFTP support: http://www.cuteftp.com/support.aspx

Does GlobalSCAPE release security patches for EFT Server separate from general version releases?

GlobalSCAPE 5 — Fri, 22 Mar 2013 04:36:54 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, all versions

QUESTION

Does Globalscape release security patches for EFT Server separate from general version releases?

ANSWER

YES, absolutely! Globalscape has a security vulnerability discovery, remediation, and messaging process that formally defines how Globalscape:

Escalates reports of a security vulnerability (provided by customer or 3rd party security assessor)
Gauges the risk level and assigns a severity rating to reported vulnerabilities (using the Common Vulnerability Scoring System (CVSS)
Prioritizes and assigns resources to duplicate and remediate the problem according to the threat level
Prepares timely, effective and consistent external communications
Handles internal and external dissemination of approved communications, including:

Public patches to all customers for critical vulnerabilities
Private patches to individual customers (situation dependent)
No patch -> rolled up into next major version (low CVSS score or security best practice only)

As of March 2010, Globalscape has only encountered a single critical vulnerability (SFTP-based vulnerability with a CVSS score of 8.5), which was announced publicly via emailto all EFT Server customers on September 3, 2009, along with a link to a patch. On several occasions Globalscape has released private patches to select customers to address low-scoring security vulnerabilities that were important to those specific customers. Those fixes are typically rolled up into the next public maintenance (minor) or major release, which typically include other general bug fixes and/or feature enhancements.

Not all potential vulnerabilities reported to Globalscape are considered security vulnerabilities. Application bugs or flaws that result in undesirable behavior during normal operations, including memory leaks or even crashes, while potentially business impacting, are not considered security vulnerabilities. Security best practices, such as use of HttpOnly header or use of the Secure flag for web session cookies, are not considered vulnerabilities, although Globalscape strives to implement as many security best practices as possible.

Security vulnerabilities can be categorized as application flaws or bugs that, if exploited, may result in the ability for a remote (or local) attacker to compromise the Confidentiality, Availability, or Integrity (CIA) of a server. For example:

Execute commands as another user (pose as another entity)
Access, modify, or destroy data that is contrary to the specified access restrictions for that data
Deny normally authorized access either completely or partially (Denial of Service)
Result in a back door, Trojan, or worm that may compromise a system or an entire network.

Upon validation of high-rated security issues (according to CVSS 2.0 scoring) on the Software and/or Service (including security loopholes), Licensor shall notify Licensee, by mail, fax, or other written means within 72 hours in advance, and provide corresponding solutions (including security patches) to Licensee through a formal release channel. Public notification will happen according to Responsible Disclosure guidelines developed by OIS.

To report a potential security vulnerability, please contact your account representative or technical support. Globalscape’s internal processes for handling potential security vulnerabilitiesinvolves rapid escalation to engineering and product management, usually providing a preliminary response to the customer inquiry with one or at most two business days.

Further reference: EFT Server’sSecurity Best Practices.

Officially Supported Products and EOL Dates

GlobalSCAPE Support 1 — Wed, 20 Mar 2013 08:24:24 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

All Products

SUPPORTED PRODUCTS

Technical support is provided in accordance with the GlobalSCAPE End of Life (EOL) and Support Life Policy. The following products are supported to the extent specified. Products not listed are no longer supported.

FULL SUPPORT (Provided from the time of GA release until the End of Life or EOL² date.)

EFT Server 6.5 (GA release was Feb. 15, 2013)
EFT Server Enterprise 6.5 (GA release was Feb. 15, 2013)
Mail Express 3.3 (GA release was Feb. 15, 2013)
WAFS and CDP 4.1 (GA release was Oct. 29, 2012)
WAFS 3.7.1.0712 (GA release was Jul. 21, 2010)
CuteFTP Mac Professional 3.1.2 (GA release was Nov. 23, 2011)
DMZ Gateway 3.3 (GA release was Feb. 15, 2013)
CuteFTP Professional 9.0 (GA release was Nov. 27, 2012)

FULL SUPPORT (Wind-down Period¹) (During the Wind-down Period, for Cases that are not Severity One Issues, GlobalSCAPE will typically either (i) provide an existing Bug Fix, (ii) address the issue through a regularly scheduled Maintenance Release to the current Major Release of the Licensed Software product for which EOL has not occurred, or (iii) delay resolution and determine whether it will address the issue in its normal development of future Releases. The Wind-down Period extends 6 months maximum after EOL². )

CuteFTP Professional 8.3.4 (EOL was November 27, 2012, Full Support (Wind-down period) ends May 27, 2013³)
CuteFTP Home 8.3.4 (EOL was November 27, 2012, Full Support (Wind-down period) ends May 27, 2013³)
CuteFTP Lite 8.3.4 (EOL was November 27, 2012, Full Support (Wind-down period) ends May 27, 2013³)
Mail Express 3.2 (EOL was Feb. 15, 2013, Full Support (Wind-down period) ends Aug. 15, 2013³.)
EFT Server 6.4.10 (EOL release was Feb. 15, 2013, Full Support (Wind-down Period) ends August. 15, 2013³.)
EFT Server Enterprise 6.4.10 (EOL release was Feb. 15, 2013, Full Support (Wind-down Period) ends Aug. 15, 2013³.)
DMZ Gateway 3.2 (EOL release was Feb. 15, 2013, Full Support (Wind-down Period) ends Aug. 15, 2013³.)

PARTIAL SUPPORT (With Partial Support, our technical support engineers provide customers with known Bug Fixes, existing Maintenance Releases, or access to online self-help resources in response to requests for assistance. Partial Support will be subject to the availability of resources and may be limited as GlobalSCAPE determines in its sole discretion. The Partial Support period extends 12 months after GA Date⁴ or 6 months after wind-down period, whichever is greater. )

EFT Server 6.4.3 (Wind-down Period) ended Jan. 12, 2013 - EOSL⁵ will be Jul. 31, 2013.)
EFT Server Enterprise 6.4.3 (Wind-down Period) ended Jan. 12, 2013 - EOSL⁵ will be Jul. 31, 2013.)
EFT Server 6.4 (Wind-down Period) ended Sep. 28, 2012 - EOSL⁵ will be Mar. 28, 2013.)
EFT Server Enterprise 6.4 (Wind-down Period) ended Sep. 28, 2012 - EOSL⁵ will be Mar. 28, 2013.)

For more information about Support Levels or Support Periods, please browse to the GlobalSCAPE End of Life (EOL) and Support Life Policy.

¹The Wind-down Period is the period (6-months maximum) immediately following End of Life, or EOL.

²End of Life, or EOL, for any Major Release and its Maintenance Releases shall be the date of the release of the subsequent Major Release.

³Or earlier in the case of an expedited Wind-down Period which is defined in the GlobalSCAPE End of Life and Support Life Policy.

⁴ The GA Date is the date when a new Major Release is made generally available commercially.

⁵ End of Support Life, or EOSL, means when GlobalSCAPE ceases providing Full or Partial Support for a particular Licensed Software product.

HTTP connection fails when connecting to EFT using CoreFTP

GlobalSCAPE 5 — Wed, 20 Mar 2013 03:15:44 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.x

SYMPTOM

HTTP connection fails when connecting to EFT using CoreFTP:

When connecting to EFT v6.4.10 via HTTP, CoreFTP receives “No Response Error Loading Directory.”
When connecting to EFT v6.5.0, CoreFTP receives “HTTP/1.1 400 Bad Request.”

RESOLUTION

Use EFT Server's Plain-Text client (PTC), Web Transfer Client (WTC), CuteFTP, or other client that supports HTTP 1.1.

MORE INFORMATION

Q1: What is CoreFTP doing differently than CuteFTP that is preventing it from connecting to HTTP or HTTPS on EFT?

A1: CoreFTP operates via HTTP 1.0 and sends no Host header, while CuteFTP operates via HTTP 1.1 and sends a Host header. EFT relies on the Host header in redirect and authentication logic.

Q2. Are there any configuration options in EFT that would allow CoreFTP to connect over HTTP or HTTPS?

A2. No.

Q3. Do you know of any configuration options in CoreFTP that would allow CoreFTP to connect over HTTP or HTTPS?

A3. We found no such options. We could not connect to several public Internet sites using CoreFTP (400 Bad Request error). Host header support and lack of HTTP 1.0 support is standard among web server engines.

TappIn for Windows Phone 7

GlobalSCAPE 5 — Thu, 14 Mar 2013 11:08:54 GMT

This article applies to:

Now you can use your Windows Phone 7 device to have full time access to your digital content anytime, anywhere. So whether you want to play your latest video, stream your music, share photos and other documents. Get started by following these simple steps:

Get TappIn for Windows Phone 7 from the Zune Marketplace and sign in.
Download the TappIn Desktop App to at least one computer.
Sign up and sign in to www.tappin.com from your home or work computer.

Getting Started: TappIn is a network service with supporting software that offers secure, full time access to all your digital content. TappIn provides access from any device—smartphones, Netbooks, remote computers and laptops, using the secure TappIn network and the TappIn Desktop App that resides on your home or work computer.

Download TappIn for Windows Phone 7. Chances are, you have already completed this download step and you have the TappIn application already. If not, simply go to the Zune marketplace and search for TappIn and download the application.
Sign Up for TappIn. There are two ways to become a subscriber of the TappIn Service. Your choices are to use the Android app and sign up or go to www.tappin.com and use any Web browser to sign up. TappIn for Windows Phone 7 will ask you if you wish to sign up the first time you launch the application. You can also connect to the TappIn website from any computer using a Web browser and sign up via the website. First we’ll show you how to sign up from your Windows Phone 7:
Sign Up for TappIn using your Windows Phone 7 Device. On the TappIn screen, tap "Sign In or Sign Up."

On the Settings screen, click the "Sign Up Now" button to navigate to the sign up page.

Sign Up for TappIn using your Windows Phone 7: Enter your email address. This will become your TappIn username. Then enter a password. (NOTE: You must enter a valid email as you will be sent a confirmation. This confirmation will include a link that you must click in order to complete the sign-up process.)

Sign Up for TappIn from the Web: You can also create your TappIn account by signing up from the TappIn website at www.tappin.com

On the sign up screen, provide your email address.
Create a new password and confirm it. A minimum of six-character passwords are enforced.

Sign In to TappIn: When you are a TappIn subscriber, you are required to sign in for the first time. To sign in, launch the TappIn App by tapping the TappIn button on the home screen.

First time users will see the screen below. Click the "Sign In | Sign Up" button. Enter your email address (this is your TappIn Username) and your password.

Download the TappIn Desktop App. To complete the TappIn installation process, you will need to use your browser to download the TappIn Desktop App to at least one computer. It’s easy! Once you have completed Step 2 and set up your TappIn account, you will receive an email message with further instructions.

Click the link in the email to open the TappIn page on your home or work computer.
Follow the instructions.

This entire process should take a few seconds. Immediately after, you can start enjoying the benefits of TappIn to access and share your digital content anytime, anywhere from any mobile device.

Congratulations! With TappIn, you can:

Share photos from your PC or Mac with your friends and family using your Android device.
Stream your iTunes and MP3 libraries to your work computer or mobile device.
Collaborate on documents with colleagues.
Share photos and other files to Facebook.
Enjoy and share all of your digital content from your computer, Android or any other mobile device.

TappIn for Android

GlobalSCAPE 5 — Thu, 14 Mar 2013 11:08:20 GMT

This article applies to:

TappIn is a network service with supporting software that offers secure, full time access to all your digital content. TappIn provides access from any device — smartphones, Netbooks, remote computers and laptops, using the secure TappIn network and the TappIn Desktop App that resides on your home or work computer. Get started with Tappin for Google Android by following these steps:

Download TappIn for Google Android. Chances are, you have already completed this download step and you have the TappIn application already. If not, simply go to the Android Market and search for TappIn and download the application.
Sign Up for TappIn. There are two ways to become a subscriber of the TappIn Service. You can use the Android app and sign up or go to www.tappin.com and use any Web browser to sign up. TappIn for Android will ask if you wish to sign up the first time you launch the application. You can also connect to the TappIn website from any computer using a Web browser and sign up via the website. First we will show you how to sign up from your Android device:
1. Sign Up for TappIn using your Android Device. On the TappIn screen, tap “Sign In | Sign Up.”
2. On the Settings Screen, click the “Sign Up Now” button to navigate to the sign up page.
3. Enter your email address. This will become your TappIn username. Then enter a password. NOTE: You must enter a valid email as you will be sent a confirmation. The confirmation will include a link that you must click in order to complete the sign-up process.
Download the TappIn Desktop App. To complete the TappIn installation process, you will need to use your browser to download theTappIn Desktop App to at least one computer. It’s easy! Once you have completed Step 2 above and set up your TappIn account, you will receive an email message with further instructions.

Click the link in the email to open the TappIn page on your home or work computer.
Follow the instructions.

Congratulations! With TappIn, you can:

Share photos from your PC or Mac with your friends and family using your Android device.
Stream your iTunes and MP3 libraries to your work computer or mobile device.
Collaborate on documents with colleagues.
Share photos and other files to Facebook.
Enjoy and share all of your digital content from your computer, Android or any other mobile device.

TappIn for Apple iPhone, iPad and iPod Touch

GlobalSCAPE 5 — Thu, 14 Mar 2013 11:07:44 GMT

This article applies to:

About TappIn for the Apple iPhone, iPad and iPod Touch: Now you can use your iPhone, iPad or iPod Touch to have full time access to your digital content anytime, anywhere. Whether you want to play your latest video, stream your music, share photos and other documents, we’ll show you how to get started. Here’s what you need to do:

Download TappIn via the iTunes App Store. Chances are, you have already completed this download step and you have the TappIn application already. If not, simply go to the iTunes App Store and search for TappIn and download the TappIn application.
Sign Up for TappIn. There are two ways to become a subscriber of the TappIn service. Your can use the iPhone app or go to www.tappin.com and use any Web browser to sign up. TappIn for iPhone/iPad will ask if you wish to sign up the first time you launch the application. You can also connect to the TappIn website from any computer using a Web browser and sign up via the Website. First we’ll show you how to sign up from your iPhone.

On the Settings screen, click the "Create an account" button to navigate to the sign up page.
Enter your email address. This will become your TappIn username. Then enter a password.
NOTE: You must enter a valid email as you will be sent a confirmation. The confirmation will include a link that you must click in order to complete the sign-up process.

Sign Up for TappIn from the Web. You can also create your TappIn account by signing up from the TappIn website at www.tappin.com.

On the sign up button, provide your email address.
Create a new password and confirm it. (A minimum six-character password is enforced.)

To sign in, launch the TappIn App by tapping the TappIn button on the home screen.

First time users will see the following screen. Click the orange "Sign In | Sign Up" button."

Enter your email address (this is your TappIn Username) and your password.

Download the TappIn Desktop App. To complete the TappIn installation process, you will need to use your browser to download a small TappIn app to at least one computer. It’s easy! Once you have completed Step 2 above and set up your TappIn account, you will receive an email message with further instructions.

Click the link in the email to open the TappIn page on your home or work computer.
Follow the instructions.

This entire process should take a few seconds. Immediately after, you can start enjoying the benefits of TappIn to access and share your digital content anytime, anywhere.

Congratulations! With TappIn, you can:

Share photos from your PC or Mac with your friends and family using your iPhone.
Stream your iTunes and MP3 libraries to your work computer or mobile device.
Collaborate on documents with colleagues.
Share photos and other files to Facebook.
With just a tap, enjoy and share all of your digital content from your computer, iPhone, iPad, iPad 2 or any other mobile device.

How to Use TappIn with AirSharing Pro

GlobalSCAPE 5 — Thu, 14 Mar 2013 11:07:05 GMT

This article applies to:

Overview: The purpose of this article is to outline how to use the highly popular AirSharing Pro iPhone App from Avatron Software, and TappIn, and also to provide the necessary information required to successfully use AirSharing Pro with TappIn. AirSharing Pro is a very functional file management tool that turns any iPhone device into a wireless-accessible storage device and in addition, it can access file servers over the Internet. The value of using AirSharing Pro with TappIn is that you can have simultaneous access to all your files and media at home, while also connected to other Cloud storage or servers on the Internet. Using both solutions in this way provides one app, AirSharing Pro to provide file management between the Home and Cloud storage or other servers such as FTP, or other WebDAV accessible services such as Apple’s MobileMe storage.

Getting Started: TappIn enables safe and easy access to all your personal content. Avatron’s AirSharing Pro iPhone app is a universal WebDAV client that can be used to access all your personal content that resides within your home network or computers, when configured to work with TappIn.

Setting Up TappIn

A TappIn account is required prior to setting up and using AirSharing Pro. Here is a short checklist on how to setup TappIn:

Launch your web browser to www.tappin.com.
Click Sign Up.
Provide your valid e-mail address and set a password.
Click Go.
Log into your mail account and click the TappIn Activation link provided in the e-mail.
Install at least one TappIn Agent on one of your home computers. By default you home directory will be securely accessible over the TappIn Network.

Get the AirSharing Pro App: You can use AppStore on the iPhone or iTunes to purchase AirSharing Pro. Purchase and Install the app on your device. AirSharing Pro has extensive help built into the app itself, so make use of that along the way to make sure you understandexactly how AirSharing Pro works. Once, installed, launch the application by tapping the AirSharing Pro icon:

AirSharing Pro will launch and briefly display its splash screen:
Once the splash screen goes away you will be looking at the AirSharing Pro home screen below. This home screen displays the list of folders and documents you currently have stored on your iPhone or iPod touch device. The Edit button at the top allows you to make changes to the local files and folders. The Servers button allows you to add new Cloud or Internet servers to AirSharing Pro so that they may be accessed.

When you tap the Servers button you will see the Servers screen. This screen displays your local folder storage within AirSharing Pro called "My Documents" which will hold any documents you choose to keep local on the iPhone device itself.

Adding TappIn as a WebDAV Server: In order to access your TappIn shared folders using AirSharing Pro, you need to add the TappIn Service using the “Other WebDAV” server option.

To add the server click the PLUS button in the upper left of the AirSharing Pro Servers screen:

Clicking the Plus button exposes the list of new server types you can add to make accessible from AirSharing Pro. In this case, we want to choose to add the WebDAV server object so we can add the TappIn configuration information:

This screen will be displayed once you choose Other WebDAV:

Enter a descriptive name for this TappIn share, this is what will show up in the main list of Servers.
Enter the URL for the share you want to access. The form of the URL: https://webdav.homepipe.net/user@email.com/sharename
Enter your TappIn Username which is the e-mail addressed you are registered with for TappIn.
Optionally enter your password, if you leave it blank it will prompt you at connection time.
Click Save to save this TappIn server.

AirSharing Pro takes you back to the Servers screen where your new TappIn server is shown in the list of servers you can connect to:

Now, if you tap on TappIn while you have an Internet connection, the AirSharing Pro Application will talk across the Internet securely to the TappIn services, and attach to your TappIn shared folder(s):

That’s it. You can now use your favorite WebDAV client, AirSharing Pro with your favorite Home Access Service, TappIn!

Secure Mobile Access Module: Administration Guide

GlobalSCAPE 5 — Thu, 14 Mar 2013 10:44:13 GMT

This guide provides the steps to provision and configure the Secure Mobile Access (SMA) module for EFT Server. The process should take no more than 15 minutes to complete and will provide end users with access to their EFT Server data from their desktop and handheld device.
Refer to http://help.globalscape.com/help/sma/ for the most current version.

How to Cancel Your TappIn Account Subscription

lgarcia — Thu, 14 Mar 2013 10:08:35 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

QUESTION:
I would like to cancel my TappIn account subscription. How can I do this?

ANSWER:
Follow the steps below to cancel your TappIn account subscription:

Go to www.tappin.com/login.
Login using the email address associated with the account to be cancelled. If you need to recover a forgotten password, click Forgot your password?.
Enter the password after the email address section and click Login. This takes you inside the website user area.
In the upper right corner, the email address is shown. Click on the email address itself or click on the smaller down arrow to its right. A drop-down menu will appear:
Click on Account Summary, as shown above. A screen titled Account Information will appear.
Click on the Cancel Account link.
A new screen will appear verifying that you want to cancel your account. To finalize the cancellation, click Cancel Account.
You will be automatically be logged out and returned to the www.tappin.com page when the task is complete.

Using Single Sign On (SSO) to login to Mail Express triggers "Clock skew too great" error

aacuna@globalscape.com — Wed, 13 Mar 2013 07:42:26 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, v3.3 and later

SYMPTOM

Using Single Sign On (SSO) to log in to Mail Express triggers "Clock skew too great" error

RESOLUTION

Make sure the server running Mail Express and the Kerberos or Active Directory domain controller have synchronized clocks.

MORE INFORMATION

Clients can be prevented from authenticating by the mechanisms that Kerberos authentication uses to prevent "replay" attacks. In a replay attack, a malicious user captures the network traffic and replays it to trick the authenticating server into accepting the attacker as a legitimate user who is providing credentials. If this error occurs frequently for users in your system (and you know your network is not being attacked), you could change the value of the "Maximum tolerance for computer clock synchronization" to a higher value. Refer to the Microsoft Technet article Authentication Errors are Caused by Unsynchronized Clocks for more information.

Failed FTP connection after upgrading DMZ Gateway

GlobalSCAPE 5 — Fri, 08 Mar 2013 09:53:32 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server version 6.4.x and DMZ Gateway version 3.3 or later

SYMPTOM

When running EFT Server version 6.4.x with the DMZ Gateway version 3.3 or later, FTP protocol connections through the DMZ Gateway to EFT Server fail.

RESOLUTION

Upgrading EFT Server to version 6.5 resolves this problem. (If you upgrade EFT Server to v6.5 before upgrading the DMZ Gateway to v3.3, you will not encounter this problem.)

MORE INFORMATION

The data channel used, in either PORT or PASV mode, fails to connect. This occurs because the server-side IP address from the DMZ Gateway is being used when communicating with the FTP client application rather than the client-side IP address. If the server-side IP address is not accessible by the FTP client the connection will fail.

Can I create static cookies to use with the Web Transfer Client (WTC)?

GlobalSCAPE 5 — Fri, 08 Mar 2013 06:52:41 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.1 and later

QUESTION

Can I create static cookies to use with the Web Transfer Client (WTC)?

ANSWER

Yes, you can pass static cookie values to the WTC Java applet.

In the EFTWebClient.htm file (e.g., C:\Program Files\Globalscape\EFT Server Enterprise\web\public\EFTClient\wtc\EFTWebClient.htm), you can specify a cookie parameter and a cookie value for each browser type. The cookie references must increment cookiename/cookievalue, cookiename1/cookievalue1, cookiename2/cookievalue2, and so on, and be different from those already used in the file. (You can have up to 16 param/value pairs.)

To specify the cookies

Make a backup copy of EFTWebClient.htm, and then open it in a text editor.
Under "Load applet based on browser type," in a separate section for each browser type, you will find parameters for cookies:

<PARAM NAME = "param5" VALUE="cookiename"> \
<PARAM NAME = "value5" VALUE="websessionid"> \
<PARAM NAME = "param6" VALUE="cookievalue"> \
<PARAM NAME = "value6" VALUE="<%=session_id%>"> \
<PARAM NAME = "param8" VALUE="cookieoverwrite"> \
<PARAM NAME = "value8" VALUE="true"> \
<PARAM NAME = "param15" VALUE="sso_cookies"> \
<PARAM NAME = "value15" VALUE="<%=sso_cookie%>"> \

Add the appropriate parameters for each browser type, such as:

For Firefox:

param10 = "cookiename1" \>
value10 = "testcookie" \
param11 = "cookievalue1" \
value11 = "testcookievalue" \

For Internet Explorer, Chrome, and other browsers :

<PARAM NAME = "param10" VALUE="cookiename1"> \
<PARAM NAME = "value10" VALUE="testcookie"> \
<PARAM NAME = "param11" VALUE="cookievalue1"> \
<PARAM NAME = "value11" VALUE="testcookievalue"> \

Save the file.
Open the WTC in a browser and log in to verify your changes.