GlobalSCAPE Knowledge Base

Files/Folders do not show the date and time modified, only the year

GlobalSCAPE 5 — Thu, 18 Mar 2010 14:24:11 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server

SYMPTOM

Files/Folders do not show the date and time modified, only the year

RESOLUTION

When a file or folder was last modified in the same year as the server current time, the HOURS:MINUTES display in the directory listing. However, if it was last modified during a previous year, it only displays the YEAR modified.

This is not a bug, it is standard directory listing behavior for Unix systems. For example, if you look at the sites pre-built into CuteFTP Professional, you will notice that this type of folder/file listing is typical for many FTP servers. Additionally, this listing behavior is standard for Redhat Linux, Macintosh operating system support, Microsoft, and Palm.

SSL Security Levels

GlobalSCAPE 5 — Thu, 18 Mar 2010 11:15:55 GMT

THIS ARTICLE APPLIES TO:

Secure FTP Server
EFT Server
CuteFTP Professional

DISCUSSION

Enhanced File Transfer Server and Secure FTP Server can provide three basic levels of security when used with CuteFTP Professional as the client:

Secure (server certificate only)
- The server creates a public certificate/key/passphrase for SSL
- The client has SSL only enabled
- The client connects, is asked to trust certificate from server, and accepts the certificate, which is stored in the client's cache. After certificate acceptance, the user is not asked to trust the certificate again; it is assumed.
More Secure (server certificate AND client certificate)
- The server creates a public certificate/key/passphrase for SSL.
- The server requires a certificate from client.
- The client has SSL enabled AND creates a certificate/key/passphrase
- The client connects. The connection fails the first time, and the server can choose to trust or not to trust the client certificate.
- The server trusts the client certificate.
- The client connects and does not fail again because the client certificate is now trusted by the server.
Most Secure (server certificate AND a signed client certificate)
- The server creates a public certificate/key/passphrase for SSL.
- The server requires a certificate from client.
- The client has SSL enabled AND creates a certificate/key/passphrase.
- During this process a certificate signing request (csr) is generated.
- Use the Secure FTP Server or Enhanced File Transfer Server signing utility to sign the certificate or...
- Send the CSR to a trusted 3rd party such as Verisign to be signed. Verisign then sends back a signed certificate which replaces the CuteFTP Professional certificate.
- The client connects. The connection fails the first time, and the server can choose to trust or not to trust the client certificate.
- The server trusts the client certificate.
- The client connects and does not fail again because the client certificate is now trusted by the server.

FTP client hangs on the list command

GlobalSCAPE 5 — Thu, 18 Mar 2010 11:10:33 GMT

This article is a duplicate of #10088. If you have bookmarked this page, please redirect your bookmark to http://kb.globalscape.com/KnowledgebaseArticle10088.aspx.
Sorry for the inconvenience.

Cannot connect to EFT Server with Internet Explorer

GlobalSCAPE 5 — Thu, 18 Mar 2010 11:04:10 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server

SYMPTOM

Cannot connect to EFT Server with Internet Explorer

RESOLUTION

A connection to EFT Server using Internet Explorer can normally be accomplished using the default settings for both products. You may need to allow two or more concurrent connections from the same user and the same IP address to facilitate connection from a Web browser.

For your convenience, some basic connection and troubleshooting information is shown here. If you continue to have trouble establishing a connection using IE, you should consult the IE documentation.

Depending on the firewall configuration on either the FTP client or server side, you may need to change the mode that is used by the FTP client. IE5 and later support both Standard (PORT) and Passive (PASV) modes.

To change the IE FTP client mode

Start Internet Explorer.
Click Tools > Internet Options.
Select the Advanced tab.
Under the Browsing node, clear Enable FTP folder view.
Select Use Passive FTP (for firewall and DSL modem compatibility).
Select OK.

If you select the Enable FTP folder view, IE behaves as a Standard (PORT) mode FTP client even if you also select Use Passive FTP. If you clear the Enable FTP folder view check box and then select the Use Passive FTP check box, IE behaves as a Passive (PASV) mode FTP client. By default, both IE and EFT Server use Standard or Port mode.

Standard (PORT) mode FTP clients first establish a connection to TCP port 21 on the FTP server. This connection establishes the FTP command channel. The client sends a PORT command over the FTP command channel when the FTP client needs to receive data, such as a folder list or file. The PORT command contains information about which port the FTP client receives the data on. In Standard (PORT) mode, the FTP server always sends data from TCP port 20. The FTP server must open a new connection to the client when it sends data.

Passive (PASV) mode FTP clients also start by establishing a connection to TCP port 21 on the FTP server to create the control channel. When the client sends a PASV command over the command channel, the FTP server opens an ephemeral port (between 1024 and 5000) and informs the FTP client to request data transfer from that port. The FTP server responds to the request by using the ephemeral port as the source port for data transfer. If this occurs, the FTP server does not have to establish a new inbound connection to the FTP client.

Firewall configuration

Many firewalls do not accept new connections through an external interface. The firewall may detect these connections as unsolicited connection attempts and, therefore, drop them. Standard mode FTP clients do not work in this environment because the FTP server must make a new connection request to the FTP client.

Firewall administrators may sometimes not want to use Passive (PASV) mode FTP servers because the FTP server can open any ephemeral port number. Although EFT Server by default uses the default ephemeral port range of 1024 through 5000, many FTP servers are configured with an ephemeral port range of 1024 through 65535. Firewall configurations that allow full access to all ephemeral ports for unsolicited connections may sometimes be considered unsecure.

Internet Explorer security warning

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:57:03 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server

SYMPTOM

Internet Explorer warning

RESOLUTION

When you first install and start EFT Server, you may see an Internet Explorer Warning about security. Select Add to allow Internet Explorer to recognize content from www.globalscape.com as safe content.

The message appears because your Internet Explorer settings are set at High Security. The trial version of EFT Server attempts to open a page from the Internet to update you on the status of the trial. After you register the full version of EFT Server, you can change your Internet Explorer security settings and remove globalscape.com from your list of trusted sites. This issue occurs most often in new installations of Windows 2003 Server.

To add globalscape.com as a "Trusted" site

In Internet Explorer, click Tools > Internet Options.
On the Security tab, click Trusted sites, then click Sites.
In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box before adding the address. If that option is selected, you can only add secure websites to the list.
Click Close, and then click OK.

Cannot find environment option

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:44:02 GMT

This article was a duplicate of article #10082. If you have bookmarked this page, please redirect your bookmark to http://kb.globalscape.com/KnowledgebaseArticle10082.aspx.

Sorry for the inconvenience.

Server will not run on Windows XP

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:43:13 GMT

This article was a duplicate of article #10110. If you have bookmarked this page, please redirect your bookmark to http://kb.globalscape.com/KnowledgebaseArticle10110.aspx.

Sorry for the inconvenience.

Server will not run on Windows XP with Windows Firewall active

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:39:30 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

Server will not run on Windows XP

RESOLUTION

Some versions of Windows XP have an built-in Internet Firewall that blocks FTP traffic. This firewall is active by default.

To turn off the Windows XP firewall

Follow the instructions Microsoft has posted on their Web site at http://www.microsoft.com/WINDOWSXP/home/using/howto/homenet/icf.asp.

System cannot find the environment option that was entered

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:38:24 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server

SYMPTOM

System cannot find the environment option that was entered

RESOLUTION

If EFT Server will not run and generates the error message "The system could not find the environment option that was entered," verify that the system has full access to the EFT Server executable (cftpses.exe). Also, make sure you are launching the service from the NT Services applet, not from the command prompt.

FTP client hangs on the list command

GlobalSCAPE 5 — Thu, 18 Mar 2010 10:35:57 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Secure FTP Server

SYMPTOM

FTP client hangs on the list command

RESOLUTION

Internet Security and Acceleration (ISA) Server maintains secondary connections for secure network address translation (NAT) clients in Kernel mode, which can improve data throughput for protocols that use secondary connections. Secondary connections for secure NAT clients are only supported if an application filter that can process the protocol is installed on ISA Server.

For example, File Transfer Protocol (FTP) uses the secondary connection over port 20 to transfer data. Because the primary connection is enabled only if the requirements
for all applicable rules are met, and the secondary connection is established only after the primary connection is established, there is no need to inspect the traffic for this connection.

For information on correcting this problem, view the following articles in Microsoft’s knowledge base:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279347

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294679

Script have slight delay when running commands such as WScript.Quit

GlobalSCAPE 5 — Thu, 18 Mar 2010 09:28:32 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Secure FTP Server
EFT Server
CuteFTP for Windows

SYMPTOM

Script have slight delay when running commands such as WScript.Quit

RESOLUTION

Use the latest Windows script host. When running scripts that use the Windows Script Host on some computers—such as using cscript.exe to drive Custom Commands in Secure FTP Server or EFT Server—it may take several seconds for the script to terminate, even if the script itself has completed. This unnecessary delay can be solved by simply updating the Windows Script Host on the affected computer to the latest version.

Refer to Microsoft's website for more information: http://msdn.microsoft.com/en-us/library/9bbdkx3k(VS.85).aspx

Cannot connect to Secure FTP Server using SSL

GlobalSCAPE 5 — Thu, 18 Mar 2010 09:20:56 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

Secure FTP Server

SYMPTOM

Cannot connect to Secure FTP Server using SSL

RESOLUTION

The most common cause for this is that the server is behind a firewall and the firewall is unable to decrypt the information being transferred between the client and server. To correct this problem you need to specify a range of ports for the server to use and open the same range of ports on your firewall.

Refer to http://help.globalscape.com/help/secureserver3/Specify_a_PASV_connection_t.htm in the Secure FTP Server online help for more information.

Users have to wait a long time before they can resume an upload

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:46:51 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

Users have to wait a long time before they can resume an upload

RESOLUTION

If users frequently lose their connection to the Server, resuming an upload may take several minutes.

If you want to allow users with problematic connections to quickly resume broken uploads, you will need to set their accounts to time out quickly.

If users lose their connection to the Server while uploading a file, the portion of the file on the server will remain locked to changes (like a resumed upload) until the server tries to disconnect. Generally, Secure FTP Server will not try to disconnect until nothing has happened for the amount of time set in Enable time out.

The default connection time out value in Enable time out is 600 seconds (ten minutes). It can be set as low and 1 second, and as high as 9999 seconds (almost 3 hours), but a connection time out at 30 seconds or 60 seconds will be less likely to interfere with transfer tasks.

When you set the time out value, you can tell the users the value, and if they have an FTP client that automatically attempts to reconnect and resume the transfer, they can set their client to wait the same amount of time before reconnecting.

For details of setting the timeout value, refer to the following topics:

Secure FTP Server v3: http://help.globalscape.com/help/secureserver3/Setting_Time-Out.htm
EFT Server v5: http://help.globalscape.com/help/eft5/admin/disconnecting_users_timeout.htm
EFT Server v6: http://help.globalscape.com/help/eft6-2/Disconnecting_Users_Timeout.htm

Users in ODBC database cannot login

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:41:43 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

Users in ODBC database cannot login

RESOLUTION

If you are using an ODBC data source for authentication on your server, and users always get an error saying they are not logged in, make sure the "anonymous" row in the "ftpserver_users" table is set to "0" or "1". It cannot be set to "Null".

Man-in-the-middle attack

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:40:01 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

End users claim that their SSH FTP client is reporting a possible "man-in-the-middle" attack

RESOLUTION

Either they have an old SSH keypair for your site, or they are actually victims of a possible attack.

FTP clients will report a possible man-in-the-middle attack whenever you change your SSH keypair. The client software is correctly reporting that your "fingerprint" has changed.

To avoid confusion, notify your users every time you change your keypair.

Unable to import SSH keys

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:33:51 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

Unable to import SSH keys

RESOLUTION

If SSH keys fail to import with no error message, make sure you are importing the public opposed to the private key. Normally, public keys are named *.pub.

For more information about importing SSH keys, refer to the following topics:

Secure FTP Server v3: http://help.globalscape.com/help/secureserver3/Viewing_Importing_and_Deleting_Client_Keys.htm
EFT Server v5: http://help.globalscape.com/help/eft5/admin/viewing_importing_and_deleting_client_keys.htm
EFT Server v6: http://help.globalscape.com/help/eft6/viewing_importing_and_deleting_client_keys.htm
EFT Server v6.1: http://help.globalscape.com/help/eft6-1/viewing_importing_and_deleting_client_keys.htm
EFT Server v6.2: http://help.globalscape.com/help/eft6-2/viewing_importing_and_deleting_client_keys.htm

Troubleshooting NAT firewalls

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:27:04 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

DISCUSSION

Most NAT setups allow outbound connection initializations without any problems but if you need to configure outbound connections manually, refer to the chart below to see which ports should be allowed for *outbound* communications on the client side. The server side configuration is much more important in most cases.

For FTPS (SSL), the connection port and the PASV ports need to be forwarded. For SFTP (SSH2), there's no such thing as PASV mode, so only the connection port needs to be forwarded. The following chart shows what ports should be forwarded to the server, assuming the default connection ports are being used. Please keep in mind that these ports need only be opened for *inbound* connections on the server side. You do not have to allow connections to be initialized outbound on the server side, as the connections will always be initiated from the client to the server.

Explicit SSL: 21, PASV range

Implicit SSL: 990, PASV range

SFTPS (SSH2): 22

The PASV range, which consists of ports 28000 to 30000 by default, can be defined in the Site Options tab, which is made accessible by clicking on the site in the tree view on the left. If you feel you need to restrict that range, the general rule of thumb is to take the maximum number of concurrent connections you think you're going to experience, and then add a third of that number to itself to get the total number of ports that should be open for smooth operation. NOTE: since the server will be behind NAT, you MUST specify the valid, external IP address (behind which the Server resides) in the PASV Mode Options.

What are your SSH implementations based on?

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:24:54 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server (All Versions)

QUESTION

What are your SSH implementations based on?

ANSWER

The Secure FTP Server and EFT Server's SSH server implementation is based on proprietary, OpenSSH-compliant libraries that comply with the SSH2 protocol per IETF documentation. Note that the EFT Server client features (SFTP Copy/Move and Download) are based on a Unix port of SSH2 which is based on SSH.com's implementation.

What type of SSL Certificate does Secure FTP Server or EFT Server create?

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:21:39 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server (All Versions)

QUESTION

What is the certificate format that Secure FTP Server creates?

ANSWER

X.509, base64 encoded.

EFT Server can import a digital certificate in the following formats: PEM, Base64 Encoded X509, DER Encoded X509, PKCS#7, PKCS#12.

For more information about creating SSL certificates, refer to the following topics:

Secure FTP Server 3: http://help.globalscape.com/help/secureserver3/TOC_Creating_certificates.htm
EFT Server 6: http://help.globalscape.com/help/eft6/CreatingSSLcertificates.htm
EFT Server 6.1: http://help.globalscape.com/help/eft6-1/CreatingSSLcertificates.htm
EFT Server 6.2: http://help.globalscape.com/help/eft6-2/CreatingSSLcertificates.htm

Tumbleweed SecureTransport client does not send correct commands for SSL support

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:05:46 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server

SYMPTOM

When using SSL, users may not be able to connect to EFT Server using a Tumbleweed SecureTransport client. This occurs because the SecureTransport client fails to issue the appropriate FTP commands to secure the data channel connection that EFT Server expects.

RESOLUTION

This happens because SecureTransport (ST) client violates a mandate of the RFC for FTP over SSL. The Tumbleweed client connects to the EFT Server, initiates SSL/TLS communication, and authenticates correctly with the EFT Server; however, any time the ST Client attempts to transfer a file or get a folder listing—that is, anything that requires a data channel connection—it fails to tell EFT Server to protect the communication of that data channel. At that point, EFT server is expecting plaintext data and does not attempt to perform an SSL Handshake on that data connection; however, the ST Client does attempt an SSL Handshake and of course that fails because the server does not anticipate it.

The RFC that specifies how SSL/TLS sits atop FTP is RFC 2228, found here http://www.ietf.org/rfc/rfc2228.txt Section 3, in the DATA CHANNEL PROTECTION LEVEL section (the "PROT" command), states that "The default protection level if no other level is specified is Clear."

It is the responsibility of the client software to clearly indicate to the server that the client wishes the Data Channel to be secured by issuing a "PROT P" command; further, that command requires a "PBSZ 0" command to be issued prior to the "PROT P". It is the sequence of these two commands together that turns ON the protection of the data channel, and this is the sequence that RFC compliant clients use to make this happen. Note that once this is set for a login session, all subsequent data channel connections remain protected. That is, you need only do this once, prior to your first transfer.

A typical sequence of client commands for a secure login and transfer session looks something like the following. This does not reflect the server responses. Missing Tumbleweed commands are indicated in RED:

AUTH SSL
USER foo
PASS bar
PBSZ 0
PROT P
PASV
STOR somefile.dat

Use a RFC 2228 compliant client such as CuteFTP Professional.

WORKAROUND

The current workaround for using the Tumbleweed SecureTransport client involves issuing the "PBSZ 0" and "PROT P" commands manually. To do this, type "quote" followed by the command. An example from the perspective of the SecureTransport client command line:

[ root@end-ipst03.bin ]# ./fdx -F off -V -p xsecureftp.xyz.com
220-Secure FTP.
Name (secureftp.xyz.co:root): AOR1468
331 Password required for AOR1468.
Password: XXXX
230 Login OK. Proceed.
Remote system type is UNIX.
Using 'binary' mode to transfer files.
fdx> quote PBSZ 0
200 PBSZ Command OK. Protection buffer size set to 0.
fdx> quote PROT P
200 PROT Command OK. Using Private data connection
fdx> ls

The lines in red must be manually inserted. If the client is using a script, the script file needs to be updated with those commands.

Note: A folder listing (ls or dir) is considered a data transfer, so the PBSZ and PROT commands must be issued prior to any folder listing.

Permissions required by EASServer to start

GlobalSCAPE 5 — Thu, 18 Mar 2010 08:00:05 GMT

The EASServer is an out-of-process COM server that requires Local launch and Local activation permissions. It also needs Local access permissions. It does not require any Configuration Permissions. The AuthManagers are also COM objects; however, they are in-process COM objects (DLL's) and thus don't need to go through this change.

The EFT Server service cannot start the EASServer; it does not have appropriate access rights. The EFT Server service needs access to read the registry and read the files on the file system, so the permissions must be set accordingly.

Recently added IP addresses are not listed in the Home IP list

GlobalSCAPE 5 — Thu, 18 Mar 2010 07:52:46 GMT

The information in this article applies to:

Secure FTP Server 3
EFT Server 4

SYMPTOMS
	When making configuration changes on the Site Options tab for the specified site, no recently added IP addresses are listed in the Home IP address list.

RESOLUTION
	Restart the server service. If still not resolved, restart the server computer.

Remote administration of the server fails; wrong version indicated in the remote interface

GlobalSCAPE 5 — Thu, 18 Mar 2010 07:52:01 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO

Secure FTP Server (All versions)
Enhanced File Transfer Server (All versions)

SYMPTOMS

When attempting to administer Secure FTP Server or EFT Server remotely, an error message appears.
The Help > About dialog box on the remote interface indicates an incorrect version.

CAUSE

Secure FTP Server or EFT Server was updated on the server computer but the remote Administrator was not updated. When connected remotely, the server version and build number shown in the Administrator is that of the remote Administrator console, not of the server.

RESOLUTION

Update any remote administration interfaces whenever Secure FTP Server or EFT Server is updated.

Windows Virtual Server 2005

GlobalSCAPE 5 — Thu, 18 Mar 2010 07:44:21 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server
Secure FTP Server

SYMPTOM

EFT Server or Secure FTP Server hangs, becomes unresponsive, or will not accept connections on Windows Virtual Server 2005 with multiple IP addresses. This in turn causes problems with the sites.

RESOLUTION

Do not run EFT Server or Secure FTP Server on Windows Virtual Server 2005 unless you are using only one IP address.

How to view the encryption and hashing method used in creating a self-signed certificate

GlobalSCAPE 5 — Thu, 18 Mar 2010 07:15:57 GMT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT Server Enterprise
Secure FTP Server

DISCUSSION

An SSL certificate is a digital certificate installed on a server that enables user verifications and secure data exchange using the Secure Socket Layer (SSL) protocol.

To view the encryption and the hashing method used in the creation of the certificate

Browse to the folder where the certificate is stored.
When you create a SSL certificate, three files are generated:
- a self-signed certificate file with a .crt extension
- a certificate key with a .key extension
- a certificate request file with a .csr extension.

.crt

Click the Details tab to view the encryption and the hashing method used in the creation of the certificate. RSA-based certificate use Sha1 as the Thumbprint hashing algorithm and md5RSA as the Signature algorithm.

Note: EFT Server and Secure FTP Server use the same techniques for certificate management.