THE INFORMATION IN THIS ARTICLE APPLIES TO:
- Upgrading Secure FTP Server version 3.3.10 to EFT Server (SMB) version 6.2.31
**Secure FTP Server is no longer a supported product, and is not compatible with Windows 2008 or later.
Also refer to article #10359, Moving Secure FTP Server from One Computer to Another Computer.
Refer to https://kb.globalscape.com/KnowledgebaseArticle11307.aspx for the procedure for updating a Secure FTP Server ODBC database to work with EFT v6 or v7.
Note: If you are running a version of Secure FTP Server
version 3 earlier than v3.3.10, you must first upgrade to v3.3.10 before
upgrading to EFT Server. EFT Server 6.x.x installer is expecting Secure
FTP Server to be version 3.3.10. For this reason we strongly recommend
that you upgrade to Secure FTP Server 3.3.10, if you are not already on
that version. You can download Secure FTP Server v3.3.10 at ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe. Refer to the procedure at the bottom of this article for details of upgrading Secure FTP Server.
DISCUSSION
The process for migrating a Secure FTP Server 3.3.10 configuration to
a new server running EFT Server 6, which includes all Event Rules, user
accounts, keys, etc., is straight forward and should only take about 20
to 45 minutes. (It is not necessary for EFT Server to have been
installed on the old server; EFT Server v6 will properly convert the
files for Secure FTP Server 3.3.10 **. Nor is it necessary for the OS to
be the same version on the new server as on the old server; the new
installation of EFT Server will correctly conform itself to the new
server OS.) While it used to be possible to do a migrating upgrade from
Secure FTP Server 3.3.10 directly to the latest version of EFT Server 6,
and this process continues to be successful in some situations, there
have been sufficient problems caused by this extreme jump that we now
strongly recommend performing a stepping upgrade through EFT Server
6.2.31. To obtain the installer for EFT Server 6.2.31, browse to the
Replacement Software Downloads page [https://www.globalscape.com/support/reg.aspx]
of our website. Once the installer is downloaded, use the migration
guide below to move the Secure FTP Server 3.3.10 configuration to the
new server running a straight installation of EFT Server 6.2.31. After
verifying that the configuration is working properly for EFT Server
6.2.31, please use the upgrade instructions to upgrade to EFT Server 6.4.x; then you can upgrade to v6.5 or later. (Upgrades are supported only within 2 version numbers.)
Please note that per Globalscape policy for liability reasons,
Support does not upgrade or migrate the servers of our clients,
but provides instructions or guidance for accomplishing the process.
While Support does not upgrade or migrate servers for our clients, it is
possible to acquire an upgrade package from our Professional Services
team to have them personally handle the process.
Migration from Secure FTP Server 3.3.10 to EFT Server 6.2.31
Prepare:
-
Ensure that EFT Server 6 is compatible the system requirements. (Remember, you can only upgrade Secure FTP Server to EFT v6.2.31. After installing v6.2.31, you can upgrade to v6.4. Upgrades are supported only within 2 version numbers.)
-
Request and receive a new EFT Server 6 licenses (if you have a
Secure FTP Server or EFT Server 4 or 5 serial numbers) and a new DMZ 3
licenses (if you have a DMZ Gateway 1 or 2 serial number) from your
account representative.
-
Download EFT Server 6.2.31 from https://www.globalscape.com/support/reg.aspx,
making certain to specify correctly the installer that corresponds with
the EFT Server license. (You must have the EFT Server (SMB) installer
for an EFT Server (SMB) serial number and the EFT Server Enterprise
installer for the EFT Server Enterprise serial number].
-
Ensure that the account used to log in to Secure FTP Server 3 is a unique
account within Secure FTP Server (this is critical) and not a local
server or domain account. During the upgrade process, all local server
or domain accounts will be locked out of EFT Server unless you own the
High Security Module (HSM); use this article if you need assistance
changing it: https://help.globalscape.com/help/archive/secureserver3/Change_global_administration_password.htm.
-
Stop the Secure FTP Server 3 service to ensure all settings are
preserved; once the ftp://ftp.cfg/ copy is complete, the service can be
restarted.
-
Create a migration folder on the new server and add the
appropriate application data files from C:\Program
Files\GlobalSCAPE\Secure FTP Server:
-
FTP.cfg and FTP.bak
-
*.aud
-
All pgp keys (*.skr, *.pkr)
-
All SSL certificate files (*.cer, *crt)
-
All SSH key files (*.pvk, *.pub)
-
Any scripts or .bat files
-
Any custom reports
-
Ensure that the Secure FTP Server 3.3.10 site data folders are
copied to the new server (default location is C:\inetpub\EFTRoot) using
the exact same folder structure as exists on the old one (e.g., if it is
D:\EFTRoot on the old server, make certain it is D:\EFTRoot on the new
server). Otherwise, it will be necessary to point each Site to the
correct location and potentially set the folder permissions.
[Instructions for moving the Site Root can be provided upon request.]
Migrate:
-
Use the installer to install only EFT Server, without the ARM
Database module, on the new server (clear the check box to start the
service) [Installing EFT:
https://help.globalscape.com/help/archive/eft6-2/mergedprojects/eft/installingserveradministratormodules.htm]
-
Add the EFT Server service account to run the EFT Server service.
[Our best practice is to have a windows or domain account that starts
the windows service (services.msc) for the EFT Server.]
-
Ensure that the EFT Server service account has full rights to the application data directory and the Site data directory.
-
Copy the application data files from the migration folder to the
correct places, overwriting any files, as needed. If the EFT Server was
installed to the default location, copy the files to this folder:
Windows Server 2003: C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\EFT Server
Windows Server 2008: C:\ProgramData\GlobalSCAPE\EFT Server
-
Start the EFT Server service and log in to the administration interface.
-
Register EFT Server and all modules, including the DMZ Gateway 3 serial number.
-
On the Server's (Local Host) Administration tab:
-
On the Server's Security tab:
-
Set the Allowed SSL versions to Defined and clear the SSL 2.0 option. [This protocol is no longer secure.]
-
In the Allowed ciphers field, move RC4 128 bit cipher up to first in the Priority list. [This works around the SSL Beast exploit.]
-
On the Server's Logs tab, point Folder in which to save
log files to the correct directory path. [This typically consists of
pointing to the new Logs folder in the application data directory, such
as C:\ProgramData\GlobalSCAPE\EFT Server.]
-
On each Site's Connections tab:
-
Set the Listening IP address correctly
-
Click SFTP Config and specify the SFTP private key location.
-
Click Configure for SSL Certificate settings and specify the Certificate and Private key locations.
-
On each Site's Security tab:
-
Click Configure for Invalid login options, and set Ban IP address after to 12. [This eliminates the ability of end users to get themselves banned but does not compromise security against attackers.]
-
Click Count both ‘incorrect username’ and ‘correct username + incorrect password'. [This provides stronger security against attackers.]
-
Verify that the Site is working properly by testing connections, Event Rules, and reports.
Upgrading EFT Server 6.2.31 to v6.3.x or 6.4.x
Prepare for upgrade:
[**Please
note that the installer for EFT Server or EFT Server Enterprise with
the SQL Server Express for ARM database is only needed for the first
time the ARM module is installed and then only if the free SQL Server
Express 2008 is to be used instead of a full licensed version of SQL
Server. Following the initial installation this larger installer will
not be needed as both versions will successfully setup and/or upgrade
the ARM module.]
-
Download EFT Server [and the DMZ Gateway module if needed] from one of the following:
-
Stop the EFT Server service (this must be done to ensure all
settings are preserved; once the ftp://ftp.cfg/ copy is complete, the
service can be restarted).
-
Create a backup of the EFT Server application configuration:
-
Create a backup of the registry.
Upgrade:
-
Use the new EFT Server installer to upgrade EFT Server 6.2.31
and, if using ARM, install/update the database. Before clicking finish,
clear the Start the Server service check box.
-
Add/verify that an EFT Server Service account is set to run the
EFT Server Service. [Our best practice is to have a Windows or domain
account that starts the Windows service (services.msc) for EFT Server.]
Ensure that the EFT Service account has full rights to the application
data directory and the Site data directory.
-
Start the EFT Server service.
-
If you use or will be using the Secure Ad Hoc Transfer (SAT)
Module or DMZ Gateway Module, use the corresponding installers and the
following instructions to install or upgrade.
-
Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports
-
For EFT Server Enterprise 6.3.x and later, all Event Rule
syntax is strictly enforced; entries in EFT Server Enterprise 6.2 for
Events Rules where the Source or Destination virtual paths worked
without a “/” at the beginning will fail. Instead each virtual path must
look like this /rootfolder/ or this /rootfolder/subfolder/.
-
Additionally, in EFT Server Enterprise 6.4.x and later, all outbound
connection Event Rules use the IP address specified in the Event Rule.
(Refer to https://help.globalscape.com/help/archive/eft6-4/mergedprojects/eft/copy_move_file_to_host_action_help.htm item 15b.)
-
For EFT Server 6.3.x and later, all rebranding done in prior
versions will not work with the newer versions it will be necessary to
brand the WTC, PTC, etc. using the new rebranding
instructions.
You can now upgrade to EFT v6.5 or later.
Rollback:
-
Uninstall the newer EFT Server version.
-
If nothing else changed between the newer EFT Server install and rollback process, restore the registry.
-
Install the previous EFT Server version, skipping the ARM
portion. (Before clicking finish, clear the Start the service check
box.)
-
If the Auditing and Reporting Module (ARM) was active, restore
the ARM Database. (The reports will not function until the restore is
complete.)
-
Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.
Upgrading Secure FTP Server v3.x to v3.3.10
Prepare:
- Create a backup of the Secure FTP Server 3.x.x application
configuration: (Windows 2003) C:\Program Files\GlobalSCAPE\Secure FTP
Server.
- Copy the following items to a backup folder: ftp.cfg, ftp.bak, and *.aud
- Create a backup of the registry.
- If the Auditing and Reporting Module (ARM) is active, create a back-up of the database.
Upgrade:
- Download Secure FTP Server 3.3.10: ftp://ftp.globalscape.com/pub/gsftps/archive/gsftps33.exe.
- Use the Secure FTP Server 3.3.10 installer to upgrade Secure FTP Server. [https://help.globalscape.com/help/archive/secureserver3/Upgrading_the_Software.htm]
- Add the Secure FTP Server Service account to run the Secure FTP Server Service.
- Ensure that the Secure FTP Server Service account has full
rights to the application data directory and the Site data directory.
- Start the Secure FTP Server service.
- Verify that the EFT Server Sites are working properly by testing connections, Event Rules, and reports.
Rollback:
- Stop the Secure FTP Server service.
-
Paste the backed up Secure FTP Server folder over the new installation (default=C:\Program Files\GlobalSCAPE\Secure FTP\).
- Start the Secure FTP Service.
- Verify that the Secure FTP sites are working properly by testing connections, Event Rules, and reports