GlobalSCAPE Knowledge Base

Thumbnail images not displayed when using Vista

RContreras — Wed, 16 May 2012 08:25:28 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

CuteFTP® Home versions 8.0 thru 8.1 when running on Windows Vista
CuteFTP Pro® versions 8.0 thru 8.1 when running on Windows Vista

This issue was fixed in version 8.2.

SYMPTOMS

When using Thumbnail View, thumbnail images may not be displayed or may be displayed only occasionally.

CAUSE

This error is caused by an incompatibility between CuteFTP and Windows Vista.

RESOLUTION

Upgrade to CuteFTP version 8.2 or greater. Registered users can download the most current version of CuteFTP from the Replacement Software Downloads Web page.

Generate a Self-Signed Certificate for Use with GlobalSCAPE Mail Express

RContreras — Wed, 16 May 2012 05:03:59 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, all versions

DISCUSSION

How to Generate a Self-Signed Certificate to Use with GlobalSCAPE Mail Express

Acquire OpenSSL by going to http://www.slproweb.com/products/Win32OpenSSL.html and downloading the following:
1. Win32 - Win32 OpenSSL v1.0.0(x) Light ? “x” should be the most recent version
2. Win32 - Visual C++ 2008 Redistributables

Win64 - Win64 OpenSSL v1.0.0(x) Light ? “x” should be the most recent version
Win64 - Visual C++ 2008 Redistributables (x64)
Install the appropriate package from 1.b above
Install the appropriate package from 1.a above
Navigate into the bin subdirectory of the OpenSSL directory (or add it to your Windows Path so it is recognized)
Run the following sets of commands:

openssl genrsa –des3 –out keyname.key 2048

openssl req -new -key keyname.key -out csrname.csr -subj "/C=country/ST=state/L=city/O=organization/OU=department/CN=fullyqualified.dnsname.net"

openssl x509 -req -days 365 -in csrname.csr -signkey keyname.key -out certname.crt

openssl rsa –in keyname.key –out keynameclear.key

Convert a Non-Apache Certificate to Use with GlobalSCAPE Mail Express

RContreras — Wed, 16 May 2012 04:58:52 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, all versions

DISCUSSION

How to Convert a Non-Apache Certificate to Use with GlobalSCAPE Mail Express

Start > Run
Type MMC and click OK.
Go into the Console Tab (or File) and select Add/Remove Snap-in.
Click Add and double-click on Certificates and click Add, then click OK.
Select Computer Account and click Next
Select Local Computer and click Finish.
Click OK.
Double-click Certificates to expand the Certificates Console Tree.
Double-click Personal.
Double-click Certificates.
Right-click your domain certificate file and choose ALL TASKS > Export.
In the wizard, check the box to include the private key and continue until you have a .PFX file.
Copy the PFX file to a system that has OpenSSL installed on it.

Export the private key from the PFX file:

C:\OpenSSL\bin\openssl pkcs12 –in name.pfx –nocerts –out name.key.pem

Remove the passphrase from the C:\OpenSSL\bin\openssl rsa –in name.key.pem –out name.key
Fix the KEY file to be Apache compliant.
1. Open the KEY file in WordPad.
2. Remove anything before the line
  “-----BEGIN RSA PRIVATE KEY-----“
3. Remove anything after the line
  “-----END RSA PRIVATE KEY-----“
4. Save the file and close WordPad.

Export the certificate file from the PFX file:

C:\OpenSSL\bin\openssl pkcs12 –in name.pfx –clcerts –nokeys –out name.cert.pem

Fix the CERT.PEM file to be Apache compliant as follows:
1. Open the CERT.PEM file in WordPad.
2. Remove anything before the line
  “-----BEGIN CERTIFICATE-----“
3. Remove anything after the line
  “-----END CERTIFICATE-----“
4. Click File > Save As.
5. Select Unicode Text Document (.txt) from the drop-down for Save as type.
6. Change the name of the file to be name.crt.
7. Close WordPad.

Antivirus Settings in WAFS v3.7.1 and earlier

GlobalSCAPE 5 — Wed, 16 May 2012 03:40:39 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

WAFS/CDP, version 3.7.1 and earlier

For WAFS version 4.0 and later, refer to KB article #11016.

DISCUSSION

Yourantivirus configuration can affect file-access performance when using thesystem. This article describes how to optimize your antivirus setup for usewith WAFS/CDP.

Choose from the following antivirus configurations based on yourparticular needs:

Antivirus at each end-user's workstation - If each of yourend-users' workstations are protected, the possibility of an infected fileis eliminated and there is no need to run antivirus on the computer runningan Agent. This is the most effective level.

Protection at the server running the Agent - Instead of managingantivirus software on each user's workstation, some IT managers prefer torun antivirus software on the servers that run the Agent. When not doneproperly, this can affect the performance of user file access. Refer to "Toconfigure antivirus software at the computer running an Agent" below forimportant exclusion setup notes.

Protection at Server - All files move through the Server. You can,therefore, run antivirus software on the Server and scan the Server's rootbefore propagating files to the Agents.

Running antivirus software on an Agent can degrade the performance if notproperly configured. The performance hit is caused by the antivirus softwarethinking that multiple copies of a file are opening. It may scan the samefile up to 3 times when a user opens the file once. It may also performbackground scans that appear as regular CPU cycles (Norton, E-Trust,NOD32, etc), as well as process scans of the application. If the file is ina linked folder, then the antivirus software scans the file from theoriginal location upon open, AND from inside the replicate drive (e.g., F:\_MySrv\MyVol). Finally, the file is seeninternal to the engine (e.g., C:\WINDOWS\AVMFor D:\AVMF), and scanned again.

In addition to on-the-fly scan when a file is changed, some antivirussoftware includes a daily scan. In this case, if it is necessary to do thisdaily scan, it might be useful to do it when the Agent is offline. Forexample, you can schedule the Agent so that it is online 22 hours a day, andoffline for two hours during times when users are less likely to use theAgent. During that time, the computer running the Agent can do backups,virus scans, and so on.

To configure antivirus software at the computer running an Agent

Virus checkers allow directories to be excluded from the antivirus scan(often called "exclusions"). The following exclusions should be made at eachAgent:

Always exclude directories AVM0 and AVMF. All data mirrored on the C drive will be in C:\Windows\AVMF and all data on any other drive will be in <drive_Letter>:\AVMF (e.g., D:\AVMF).
Exclude the entire new drive letters (e.g., F:\_MyServer ).
If your antivirus scans processes (especially E Trust, Innoculan, Symantec Tamper Protection, Trend Micro OfficeScan/Server protect), always exclude AvlAgt.exe.

If slowness persists for user access to CAD files, exclude the CAD file extension from the workstation antivirus, and check the performance again.

WAFS v4.x Antivirus Settings

GlobalSCAPE 5 — Wed, 16 May 2012 03:37:50 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

WAFS version 4.0 and later

For WAFS v3.7.1 and earlier, refer to KB article #10326.

DISCUSSION

Your antivirus configuration can affect file-access performance when using the system. This section describes how to optimize your antivirus setup for use with WAFS.

Choose from the following antivirus configurations based on your particular needs, in order from most to least recommended:

Antivirus at each end-user's workstation - If each of your end-users' workstations are protected, the possibility of an infected file is eliminated and there is no need to run antivirus on the computer running an Agent. This is the most effective level.
Protection at the Vault - All files move through the Vault. You can, therefore, run antivirus software on the Vault and scan the Vault's root before propagating files to the Agents.
Protection at the computer running the Agent - Instead of managing antivirus software on each user's workstation, some IT managers prefer to run antivirus software on the computers that run the Agents. When not done properly, this can affect the performance of user file access. Refer to Recommendations for Directories, Drives, and Processes to Exclude in Your Antivirus Software, below, for important exclusion setup notes.

Running antivirus software on an Agent can degrade the performance if not properly configured. The performance hit is caused by the antivirus software thinking that multiple copies of a file are opening. It may scan the same file up to 3 times when a user opens the file once. It may also perform background scans that appear as regular CPU cycles (Norton, E-Trust, NOD32, etc), as well as process scans of the application. If the file is in a linked folder, then the antivirus software scans the file from the original location upon open, AND from inside the replicate drive (e.g., F:\_MySrv\MyVol). Finally, the file is seen internal to the engine (e.g., C:\WINDOWS\AVMF or D:\AVMF), and scanned again.

In addition to on-the-fly scan when a file is changed, some antivirus software includes a daily scan. In this case, if it is necessary to do this daily scan, it might be useful to do it when the Agent is offline. For example, you can schedule the Agent so that it is online 22 hours a day, and offline for two hours during times when users are less likely to use the Agent. During that time, the computer running the Agent can do backups, virus scans, and so on.

Recommendations for Directories, Drives, and Processes to Exclude in Your Antivirus Software

Antivirus applications typically allow directories to be excluded from the antivirus scan (often called "exclusions"). When available, you should exclude directories AVM0 and AVMF. All data mirrored on the C drive will be in C:\Windows\AVMF and all data on any other drive will be in <drive_Letter>:\AVMF (e.g., D:\AVMF). Exclude the entire Vault Data drive (e.g., F:\_MyServer). If your antivirus scans processes (especially E Trust, Innoculan, Symantec Tamper Protection, Trend Micro OfficeScan/Server protect), always exclude WAFSAgentManager.exe.

Below is a list of files and locations, and exclusion suggestions for firewalls:

On the Agent computer:

C:\Program Files (x86)\GlobalSCAPE
<Drive(s) with AVMF>:\AVMF
<Drive with AVM0>:\AVM0
Vault drive letter
C:\Program Files (x86)\GlobalSCAPE\WAFS Agent\AgentConsole.exe
C:\Program Files (x86)\GlobalSCAPE\WAFS Agent\AgentService.exe
C:\Program Files (x86)\GlobalSCAPE\WAFS Agent\WafsAgentManager.exe

On the Vault computer:

<Drive with AD>:\AD or <Drive with Vault Data>:\Vault Data
C:\Program Files (x86)\GlobalSCAPE
C:\Program Files (x86)\GlobalSCAPE\WAFS Vault\VaultConsole.exe
C:\Program Files (x86)\GlobalSCAPE\WAFS Vault\VaultService.exe
C:\Program Files (x86)\GlobalSCAPE\WAFS Vault\WafsVaultMonitor.exe

Regarding Firewalls:

Exclude any ports / additional channels that the WAFS Vault and WAFS Agents use
Exclude the IP address of the WAFS Vault and WAFS Agents from monitoring / stateful packet inspection

Some local server antivirus applications in corporate environments, like McAfee, are controlled by a central monitor service run by your IT at headquarters. Exclusions must be specified at that central console; the console then pushes them out. The exclude list you see at each remote site is ignored in these hierarchical topologies. If slowness persists for user access to CAD files, exclude the CAD file extension from the workstation antivirus, and check the performance again.

Does CuteFTP contain spyware or adware?

RContreras — Mon, 14 May 2012 08:13:24 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

CuteFTP^®, all versions

QUESTION

Does CuteFTP contain spyware or adware?

ANSWER

No it does not contain spyware or adware. When CuteFTP 3.0 was released in 1999, it displayed advertising banners during the trial period. The ad banners were provided by a third-party adware (not spyware) company (Aureate/Radiate). The only thing that was ever tracked was whether an ad was clicked on. No information was ever tied to any personally identifiable information and once CuteFTP was registered, the ad banners were disabled.

With the introduction of CuteFTP 4.2 in November of 2000, advertising banners and their associated Aureate/Radiate components were removed from the program. GlobalSCAPE products no longer use Aureate/Radiate adware or any other third-party advertising components.

I cannot login to my FTP site. What is my password?

RContreras — Mon, 14 May 2012 07:52:45 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

CuteFTP (All Versions)

QUESTION

I cannot login to my FTP site. What is my password?

ANSWER

The administrator of your FTP site assigns and maintains your login information, including the Host address, Username, and Password. If you are receiving an error message indicating that any one or more of those items is incorrect, contact your Internet service provider (ISP)/Web/FTP hosting provider for the correct login information.

GlobalSCAPE does not have access to your login information. GlobalSCAPE cannot reset your password. Only your ISP/Web/FTP hosting provider can do that.

To change your password in CuteFTP, refer to Changing a Site's Connection Settings or Login Information in the CuteFTP help file.

If you are certain that your login information is correct and your FTP Server administrator has verified that you have access to the site to which you are attempting to log in, try the following:

Review the connection log and the codes in Q10142 - ERRDOC: FTP Status and Error Codes to determine exactly what the error is.
Verify that the destination server name, IP address, subnet mask, and port numbers are correct.
Try again later. The remote server may be temporarily or permanently inaccessible.
Ensure that your Site is properly configured in CuteFTP.
Verify that you have chosen an allowed protocol (SSH2, SSL, FTP, etc.) and have configured all required options for that protocol.
Try using only one connection thread when connecting to this particular server. The remote server may be refusing multiple connections from the same client.
Verify that your local firewall or Windows Vista is not blocking outbound connections originating from your FTP client.
Try pinging the IP address of the server.
- At a Windows Command Prompt, type ping, a space, and then the address of the FTP server. (e.g., ping ftp.geocities.com)
If you are using a router, verify the router is up and running. (Check it by pinging it and then ping an address outside of the router.)
Do a traceroute to the destination to verify all routers along the connection path are operational. (e.g., traceroute ftp.geocities.com)
Disable your anti-virus software to determine if it is blocking the connection.
Try connecting to the FTP server from a Windows Command Prompt.

Firewalling Mail Express URLs

RContreras — Mon, 14 May 2012 07:11:18 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, v3

DISCUSSION

This article discusses the static URLs that are used by Mail Express. It is recommended that you protect the internal-only URLs in the table below from external (e.g. Internet) access using a firewall. Typically this may be accomplished by adding DENY rules for the URLs identified as "Internal Only" in the table below.

Mail Express Server URLs

The Mail Express Server exposes the following static URLs:

URL	Description	Recommended Access
https://<host>/svc	Web services for Outlook Add-In	Internal Only
https://<host>/admin	Admin Home Page	Internal Only
https://<host>/adminLogin	Admin Login Page	Internal Only
https://<host>/help/AdminUser/*	Admin Help Guide	Internal Only
https://<host>/login	Internal/External Login Page	Internal, External
https://<host>/help/WebUser/*	User Help Guide	Internal, External
https://<host>/pickup	Package Pick-up Page	Internal, External
https://<host>/dropoff	Package Drop-off Page	Internal, External
https://<host>/logout	Logout Page	Internal, External
https://<host>/internal	Internal Web Page	Internal, External
https://<host>/reply	Reply Page	Internal, External

The remaining URLs used to access the system are dynamically generated during operation and are relative to each specific client session. The dynamic URLs are used for both internal and external dynamically generated pages and will be relative to the root URL https://<host>/<dynamic portion>. As such, when configuring firewall rules you must not prevent external access to https://<host>/* so that the external portals may function properly. Typically this may be accomplished by only using DENY rules to prevent access to the URLs identified as "Internal Only" in the table above.

"Attachment size threshold has been exceeded" error appears when attempting to attach a large file to an email

RContreras — Mon, 14 May 2012 07:09:16 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, v3.0 - v3.2

SYMPTOM

"Attachment size threshold has been exceeded" error appears when attempting to attach a large file to an email.

RESOLUTION

When end-users attach a large attachment to an email, they may receive a dialog box stating that their "Attachment size threshold has been exceeded." This occurs even though the user’s threshold settings in Exchange are increased to allow attachments of that size. This error can occur when Cached Exchange Mode is used in Outlook, which can cause Outlook to sometimes ignore the Exchange threshold settings for attachment size or to not notice that the settings have changed.

If you experience this error, please try one of the following approaches:

Approach 1:

Do not use Cached Exchange Mode (see the procedure below to turn off Cached Exchange Mode).

Approach 2:

Turn off Cached Exchange Mode (see the procedure below).
Close Outlook.
Delete the extend.dat file in the %userprofile%\Local Settings\Application Data\Microsoft\Outlook folder.
(extend.dat is a hidden system file. To display hidden files, in Windows Explorer, click Tools > Folder Options > View tab, then click the Show hidden files, folders, and drives option.)
Open Outlook.
Turn Cached Exchange Mode back on.

To turn on or off Cached Exchange Mode (in Outlook 2007)

On the Tools menu, click Account Settings.
On the E-mail tab, click the Exchange account, and then click Change.
Under Microsoft Exchange server, do one of the following:
- To turn off Cached Exchange Mode, clear the Use Cached Exchange Mode check box.
- To turn on Cached Exchange Mode, select the Use Cached Exchange Mode check box.
Exit and restart Outlook.

Tips for working with AutoCAD

RContreras — Mon, 14 May 2012 05:13:20 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

WAFS
CDP

DISCUSSION

Refer to the following help topics:

WAFS/CDP v3.6 - 3.7.1:
- AutoCAD tips: http://help.globalscape.com/help/wafs3/Tips_for_AutoCAD.htm
- Using Revit with GlobalSCAPE WAFS: http://help.globalscape.com/help/wafs3/Using_Revit_with_GlobalSCAPE_WAFS.htm
WAFS/CDP v4:
- AutoCAD tips: http://help.globalscape.com/help/wafs4/Tips_for_AutoCAD.htm
- Using Revit with GlobalSCAPE WAFS: http://help.globalscape.com/help/wafs4/Using_Revit_with_GlobalSCAPE_WAFS.htm

Can EFT Server pull user accounts from multiple child domains and/or forests?

GlobalSCAPE 5 — Wed, 25 Apr 2012 03:23:52 GMT

This article is a duplicate of KB11048. Please point your bookmarks to this other article.

Do EFT Server and SAT support a multi-forest configuration?

GlobalSCAPE 5 — Wed, 25 Apr 2012 03:23:10 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.1 and later

QUESTION

Do EFT Server and SAT support a multi-forest configuration? Can EFT Server pull user accounts from multiple child domains and/or forests?

ANSWER

EFT Server allows you to specify only one domain and one group. However, that group can contain groups and users from foreign domains, as long as a trust relationship exists between the domains. This allows users from remote domains to authenticate to EFT Server. So, as long as a trust relationship exists between the domains, EFT Server can authenticate users from remote domains. The domain in which EFT Server resides will need to have a group that contains the foreign domain users. The main point is that EFT Server only talks to one AD/forest/controller. If the AD/forest/controller is properly configured to get information from the other domain/forest, then EFT Server will authenticate those users. This also applies to the Secure Ad Hoc Transfer (SAT) authentication module when AD authentication is used.

If you plan to override SAT’s Integrated Windows Authentication by modifying the configuration settings file’s Path, DomainAdminUser, DomainAdminPass (base64 encoded), and AuthenticationMethod fields, you must also set "ConnectionSettingEnabled" value="True", otherwise those values will NOT be used by SAT.

Please refer to the online help topics Support for Foreign Groups and Using SAT with Active Directory.

NOTE: When your forest contains domain trees with many childdomains and you observe noticeable user authentication delays betweenthe child domains, you can optimize the user authentication processbetween the child domains by creating shortcut trusts to mid-leveldomains in the domain tree hierarchy. For more information, refer to When to create a shortcut trust on Microsoft's Web site.

For details of controlling access to shared resources across domains, refer to the Microsoft TechNet article, Accessing resources across domains.

Mail Express Outlook Add-in user logon using Windows authentication fails with a (400) Bad request error

GlobalSCAPE Support 1 — Fri, 13 Apr 2012 05:47:14 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, all versions

SYMPTOM

Mail Express Outlook Add-in user logon using Windows authentication fails with a (400) Bad request error.

CAUSE

Apache Tomcat, the web server used by Mail Express, imposes a limit on the size of the header of each HTTP request. The default limit is 8192 bytes. If the header of an HTTP request exceeds this limit (such as when a user has numerous AD accounts and group memberships), Tomcat closes the TCP connection, causing the authentication to fail.

WORKAROUND

Add the maxHttpHeaderSize value to the first Connector in the <Installation Directory>\conf\server.xml file, as described below. The Mail Express Server service must be restarted for any changes to take effect.

To configure the Mail Express Server to allow a larger header size:

Shut down the Mail Express Server service.
Using a text editor such as Notepad, edit the configuration file “<Mail Express Server Installation Directory>\conf \server.xml”

Locate the SSL Connector definition XML Element by searching for the text "port=443". The element will be similar to:

	<Connector 			address="192.168.1.58"			port="443"			protocol="HTTP/1.1"			connectionTimeout="20000"			keepAliveTimeout="20000"			enableLookups="true" 			disableUploadTimeout="true"			acceptCount="100"			maxThreads="200"			scheme="https"			secure="true"			SSLEnabled="true"			SSLProtocol="all"			SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"			SSLCertificateFile="${catalina.home}\conf\MailExpress.crt" 			SSLCertificateKeyFile="${catalina.home}\conf\MailExpress.key"			SSLPassword="mailexpress"			SSLVerifyClient="none"			SSLVerifyDepth="10"/>

Add the maxHttpHeaderSize attribute into the “Connector” definition. For example: maxHttpHeaderSize="16384"

The number can range from 8192 to 65536. The resulting Connector definition should resemble the following example:

	<Connector			address="192.168.1.58"			port="443"			protocol="HTTP/1.1"			connectionTimeout="20000"			keepAliveTimeout="20000"			enableLookups="true" 			disableUploadTimeout="true"			acceptCount="100"			maxThreads="200"			maxHttpHeaderSize="16384"			scheme="https"			secure="true"			SSLEnabled="true"			SSLProtocol="all"			SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"			SSLCertificateFile="${catalina.home}\conf\MailExpress.crt" 			SSLCertificateKeyFile="${catalina.home}\conf\MailExpress.key"			SSLPassword="mailexpress"			SSLVerifyClient="none"			SSLVerifyDepth="10"/>

Save the changes to the file.
Start the Mail Express Server service.

Is CuteHTML Compatible with Windows Vista? (DEPRECATED)

GlobalSCAPE 5 — Thu, 12 Apr 2012 08:02:32 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

CuteHTML 2.3

NOTE: CuteHTML has been discontinued.

QUESTION

Is CuteHTML compatible with Microsoft Windows Vista?

ANSWER

CuteHTML is not supported on Windows Vista.

CuteHTML may run on Windows Vista however special consideration needs to be made when activating and configuring the program. Please browse to GlobalSCAPE Knowledge Base Article ID 10332 for activation and configuration instructions.

No other testing has been performed on CuteHTML running on Windows Vista. At this time there are no plans to support CuteHTML on Windows Vista in the future.

Roaming Profiles

GlobalSCAPE 5 — Thu, 12 Apr 2012 07:58:12 GMT

The Information in This Article Applies to:

WAFS
CDP

Refer to the online help article Roaming Profiles.

Moving EFT Server from one computer to another computer

GlobalSCAPE 5 — Thu, 12 Apr 2012 04:33:05 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, versions 5.x and later
Secure FTP Server (All Versions)

QUESTION

How can I move my Server from one computer to another and keep my configuration, users, permissions, etc.?

ANSWER

The process and file locations for manually copying your Server configuration from one computer to another, or if you need to rebuild the hard drive on which the Server is installed, depends on the version number of the old installation and the version number of the new installation.

In EFT Server Enterprise version 6, you can backup your server configuration on the old (EFT Server Enterprise v6) computer and then restore it on the new computer using the Migration Wizard. (NOTE: "Downgrading" from EFT Server Enterprise to EFT Server basic is not supported.)

Refer to the online help topic Backing Up or Restoring Server Configuration for details of using the Migration Wizard.
Refer to the online help topic Copying a Server Configuration to Several Computers for details of manually copying configuration.
Refer to File Location Changes for details of file location changes between versions.

In EFT Server (basic edition) version 6, the Migration Wizard is not available. To copy configuration from one EFT Server basic to another, or from EFT Server basic to EFT Server Enterprise, you must use the manual process in the online help topic Copying a Server Configuration to Several Computers.

In EFT Server versions 5 and prior and in Secure FTP Server, only manual copy/backup is available.

Refer to Copying an EFT Server Configuration to Several Computers for details of manually copying configuration.

When copying from one EFT Server to another EFT Server, simply copying the old .cfg and .aud files to the new computer might not work, because ftp.cfg contains the full path to the .aud file(s) and the path may have changed. The .aud file either must be stored at the same path where it was previously or the .aud path should be corrected in the new installation. (You can specify the new path in the Authentication Options on the Site's General tab.)

You must copy the entire folder structure from the old computer (source) to the new computer (target). If the folder structure does not exist, an error appears that says "Failed to get permission settings." The drive letters on the target system must match those on the source system for the Virtual File System (VFS) to find EFT Server root. If they do not match, all permissions and groups will be lost.

Registering the new computer with your serial number

Contact the GlobalSCAPE customer service team or your account manager so that an adjustment can be made to your account on our activation and registration server. Activation on the new server computer will not be possible until an adjustment is made, because the registration server will think the serial number is already in use.

Contact the GlobalSCAPE technical support team if your EFT Server was customized by GlobalSCAPE Professional Services or if you are trying to upgrade a server residing in a clustered environment, as slight changes to the instructions may apply.

Cannot connect via SSL to Secure FTP Server using WS_FTP 7.5

GlobalSCAPE 5 — Thu, 12 Apr 2012 04:30:44 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Secure FTP Server (All Versions)

SYMPTOMS

Unable to connect to Secure FTP Server using WS_FTP 7.5 via explict FTP over SSL (FTPS) in either Passive or Port modes. I am able to use CuteFTP just fine.

The error received in WS_FTP is: Failed to create secure data socket

CAUSE

Some older versions of WS_FTP (tested with 7.5 & 7.6) do not adhere to the established standards for FTP over SSL connectivity when establishing SSL connections. The program authenticates properly, however it does not apply the correct PBSZ and PROT sequence necessary to protect the data channel. Subsequently, it breaks the connection when the server replies with a clear-text directory listing.

RFC 2228 states explicitly that the data connection will be in the clear if no PROT argument is provided.

RESOLUTION

Update to WS_FTP 8 or use CuteFTP.

WORKAROUND

You can cause WS_FTP to issue the proper sequence upon connect. In the Site Options for the particular site, go to the Startup tab and enter "PBSZ 0;PROT P" (sans quotes) in the Initialize Command box. You should now be able to connect and establish a secure data channel using WS_FTP 7.x.

Resetting the EFT Server Administrator Password

GlobalSCAPE 5 — Thu, 12 Apr 2012 04:08:37 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server (All Versions)

QUESTION

How can I reset the EFT Server administrator password?

ANSWER

If you cannot remember your password to log in to EFT Administrator, you can reset the password. If you follow the procedure below, you will lose all user- and group- specific settings. You can save the user accounts and their folder structures if you follow the procedure below, but permissions and settings will be lost.

To reset the administrator username and password

In the Windows Services dialog box, stop the EFT Server service.
Navigate to the folder where EFT Server is installed. (By default, C:\Program Files\GlobalSCAPE\EFT.)
The user accounts and folder structures are stored in one or more of the files with an .aud extension. Copy these configuration files to a safe place for backup.
Using the Windows Add/Remove Programs utility, uninstall EFT Server.
Reinstall EFT Server and create a new administrator username and password. (The software is available for download at http://www.globalscape.com/downloads/.)
Open EFT Administrator and login with your new username and password.
Recreate your FTP site(s) with the EXACT same site name as you previously used. The site name must match character for character.
In the Windows Services dialog box, stop the EFT Server service.
Copy the .aud files that you saved in step 3 and paste them into the folder where you have installed EFT Server. Click Yes when asked if you want to overwrite the existing .aud files.
Restart the EFT Server service and log in. The individual groups and user accounts should be preserved; however, you must reassign permissions and settings.

Keep alive issue with Microsoft ISA server

GlobalSCAPE 5 — Thu, 12 Apr 2012 04:04:22 GMT

Due to the nonstandard way in which Microsoft ISA server handles FTP Keep Alive, the Keep Alive feature may not work correctly with Secure FTP Server and EFT Server when connecting via SSL. So far, Microsoft has not released an update to fix the problem.

Unable to pick up Mail Express packages in Internet Explorer

GlobalSCAPE 5 — Thu, 12 Apr 2012 03:26:39 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Mail Express, all versions

SYMPTOM

Unable to pick up Mail Express packages in Internet Explorer, and the following message appears:

RESOLUTION

Disable the Do not save encrypted pages to disk setting in the Internet Explorer's Internet Options dialog box.

To disable the setting

In Internet Explorer, click Tools, then click Internet Options.
Click the Advanced tab.
In the Settings area, scroll down to Security.
Clear the Do not save encrypted pages to disk check box, then click OK.

You do not have to close and reopen Internet Explorer for the changes to take effect.

MORE INFORMATION

Mail Express uses HTTPS for all communications. Therefore, if Internet Explorer has the Do not save encrypted pages to disk option enabled, the user will not be able to pick up any Mail Express files they have received.

Force use of Web Transfer Client for browser-based uploads (disable use of PTC)

GlobalSCAPE 5 — Wed, 11 Apr 2012 10:50:24 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server Enterprise version 5.1.1 and later

DISCUSSION

EFT Server's Web Transfer Client (WTC) uses Client Access Licenses. When a CAL is available, users connecting to EFT Server with a browser use the WTC (if so enabled). When there are no licenses available, the Plain Text Client (PTC) is presented in the browser instead of the WTC. For those customers who want end users to use only the WTC, there is a registry setting that, when present and set to non-zero, disables the automatic fall back to PTC when all WTC licenses are in use. If there are no WTC sessions available on the server, then the HTTP engine will NOT revert to the PTC; instead, it will deploy the contents of <install_directory>/eftclient/NoAppletLicenses.htm, which displays the message that all licenses are currently in use.

The registry setting to turn on the "Use Web Transfer Client Only" feature is:

On 32-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\EFTClient]

On 64-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 4.0\EFTClient]

"applet_only"=dword:00000001

Can the Web Transfer Client (WTC) automatically resume or restart broken transfers?

GlobalSCAPE 5 — Tue, 10 Apr 2012 07:20:44 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.0 and later

QUESTION

Can the Web Transfer Client (WTC) automatically resume or restart broken transfers?

ANSWER

Yes. The WTC will retry failed transfers a number of times before giving up. Even after the WTC has given up, if you attempt to upload the same file and a partial upload already exists on the server, then the WTC will resume the transfer from where it left off.

If network connectivity is lost while the WTC is transferring files,it will attempt some number of retries (set by the user in the WTC's "Transfer retry limit"setting) before stopping and showing the status as "Failed"in the Transfer queue. If connectivity is regained, the user can retrytransfers that previously failed. If a file partially transferred beforethe connection went down, the transfer will be resumed from the pointthat it left off.

Refer to Transferring Files with the WTC in the EFT Server help documentation formore information.

Are GlobalSCAPE’s applications being developed using common secure coding practices?

GlobalSCAPE 5 — Mon, 09 Apr 2012 11:29:53 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

All GlobalSCAPE products

QUESTION

Are GlobalSCAPE’s applications being developed using common secure coding practices?

ANSWER

GlobalSCAPE takes application security very seriously, adhering to generally accepted application security standards as set forth by OWASP, Microsoft, and others, in order to prevent common coding vulnerabilities and to minimize security errors.

Specific security tactics include but are not limited to the following:

Follow secure coding practices as recommended by OWASP, Microsoft, and other resources
Conduct "brown bags" for engineers regarding secure coding practices, including classes offered by third-party security firms
Provide off-site training for engineers for secure coding practices
Enable security flags and high warning levels in the development environment to enforce use of secure functions and types
Maintain and follow a Security Vulnerability Assessment and Response Process
Monitor security industry watch lists for known vulnerabilities
Run security scanners/fuzzers against the various protocols and interfaces
Integrate security verification into the quality assurance process
Track and monitor potential vulnerabilities in a bug tracking system
Employ tools such as FindBugs and PMD to automatically catch potential coding and security issues
Follow a process to review and update third-party libraries for major releases
Implement security-related unit testing and automated testing to prevent accidental breakage

Is there a change document for the ARM database schema?

GlobalSCAPE 5 — Thu, 05 Apr 2012 10:36:38 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server, version 6.0 and later

QUESTION

Is there a change document for the ARM database schema?

ANSWER

The ARM schema is documented in the user guide. The ARM schema rarely changes. Currently, there is no auto-versioning of the schema, so you are prompted to upgrade the schema every time you upgrade EFT Server, even if the schema hasn't changed.

If you want to determine before upgrading whether the database schema has changed between your version and the latest version:

Compare the tables documented in the online help linked above to your database tables.
Install the latest version of EFT Server with ARM on a test system.
Compare the scripts' modified dates in the new version to the scripts on your current version see if they have changed between your version and the new version. (The database scripts are installed in C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\Oracle and in C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\SQL Server.)
If the dates are different, compare the scripts' contents to see what has changed.

Troubleshooting CAC Connections

GlobalSCAPE 5 — Thu, 05 Apr 2012 05:45:58 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server Enterprise version 6.4.3 and later

DISCUSSION

EFT Server provides extensive logging for CAC authentication attempts in EFT.log in the EFT Server installation folder. If you have users unable to connect using their CAC cards, turn on TRACE logging in logging.cfg in the EFT Server installation folder. View the EFT.log to troubleshoot. Don’t forget to comment out the various loggers after you’ve finished troubleshooting.

To turn on TRACE logging to log CAC connection errors

Open logging.cfg and add the following line:

log4cplus.logger.AuthManager =TRACE

Re-attempt the CAC connection and observe log results.
The tables below describe possible error messages, their meanings, and how to troubleshoot the errors.

Log Message	Meaning
Couldn't get certificate info	A certificate wasn’t provided by the client over the SSL session.
Troubleshoot: Has this user authenticated to the computer using their CAC card? If authenticated, are they using a supported browser that can interact with their CAC middleware? For example, IE8 or greater? Was the user prompted to select a certificate? This happens if more than one certificate is present. If so, did they select the correct certificate? If unsure then try again and select an alternate certificate.

Log Message	Meaning
Couldn't find proper SAN field in certificate	The certificated provided didn’t contain a Principal Name (PN) under the Subject Alternative Name (SAN) that contained a well formed EDIPI, for examples 0123456789@mil.
Troubleshoot: Was the user who attempted to log on prompted to select a certificate? This happens if more than one certificate is present. If so, did they select the correct certificate? If unsure, then try again and select an alternate certificate; users must select a certificate that contains the SAN Principal Name that matches the format 0123456789@mil.

Log Message	Meaning
User [name] not found:	Was unable to find a matching user in the directory server using the EDIPI value that was found on the client’s certificate (e.g. 0123456789@mil).
Troubleshoot: What LDAP query does the EFT.log show it is attempting under “Starting ldap search”? Does the value after userPrincipalName match the EDIPI format 01234567899@mil? Look at the list of users in EFT Server. Do they match the format 0123456789@mil? If not then perhaps the EDIPI is not being stored under the UPN field in AD. Sometimes customers will store the EDIPI in an alternate field, such as the pre2000 field. Either adjust EFT Server’s LDAP auth manager query "Attribute" to match what you are using in AD to store the EDIPI, or copy or move the EDIPI value over to the userPrincipalName, which is what EFT Server uses by default for the user Attribute in its LDAP query.

Log Message	Meaning
Failed to obtain certificate from LDAP server for:	Found a matching user but no certificate was found for this user in Active Directory.
Troubleshoot: Does the user have one or more certificates in Active Directory under the user’s Published Certificates tab (must have Advanced Features on to see this tab). This is NOT the same as the list of certificates that appears when you right-click on a user in AD and select Name Mappings. (Rare case) Is it possible that there are multiple matches for this UPN? Run the query in LDAP Browser or similar tool and make sure there is only a SINGLE matching entry. If more than one, then only the first match is used, which may be why the correct user’s certificate isn’t being retrieved.

Log Message	Meaning
Certificates doesn’t match or Certificates don't match for:	A certificate (or more than one) associated with this user (EDIPI) did not match the one provided by the user; i.e., the fingerprints did not match.
Troubleshoot: You MUST ensure that at least one of the certificates in Published Certificates matches the one on their CAC card. Check EFT Server’s log and compare the Thumbprint in the “Incoming certificate info” entry to the Thumbprint of the certificate that was obtained as a result of the LDAP query. If there is a mismatch (the cause for this error) then it is proof positive that the certificates are not the same. It may be possible that the certificate in AD has been updated but the CAC card has not (obtain new CAC card). It may be possible that the wrong certificate was added in AD under Published Certs. Verify the correct certificate (provided by DEERS) is associated with the user that matches the certificate for that corresponding user’s CAC card.

General Issues

After logging off and closing my browser, reopening the browser shows I’m still logged on.
This is the nature of single sign on and integrated authentication. You are not still logged on, but rather the browser is re-authenticating using the CAC cert each time.

I’m being prompted TWICE for my certificate. Once when I navigate to the site and a second time while loading the WTC.
This occurs because Java has no knowledge of certificate selection you made earlier when authenticating. Therefore it must prompt again for you to choose a certificate prior to loading the applet. One way to avoid this is to remove all personal certs from the local cert store except for the CAC one. Also ensure that “Don’t prompt for client certificate selection when no certificates or only one exists” is selected under Java Control Panel > Advanced > Security > General toggles.

I’m being prompted TWICE for my certificate. Once when I navigate to the site and a second time while loading the WTC.

This occurs because Java has no knowledge of certificate selection you made earlier when authenticating. Therefore it must prompt again for you to choose a certificate prior to loading the applet. One way to avoid this is to remove all personal certs from the local cert store except for the CAC one. Also ensure that “Don’t prompt for client certificate selection when no certificates or only one exists” is selected under Java Control Panel > Advanced > Security > General toggles.