Which EFT Services listen on HTTP (default 80) or HTTPS (default 443) ports?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7. and later

QUESTION

Which EFT Services listen on HTTP (default 80) or HTTPS (default 443) ports?

ANSWER

EFT has a number of services that, if enabled, will start the HTTP listener, the HTTPS listener, or both. The port number is defined next to the “HTTP” or “HTTPS” (file transport) toggle in EFT’s Site > Connections tab. (See screenshot below.)

Note that simply disabling the HTTP or HTTPS transport engine may not disable the HTTP/S listeners, because other services also use them, as described below.

Below is the logic used by EFT to determine whether a particular insecure (not SSL/TLS protected) or secure (SSL/TLS protected) listener is used.

  1. EFT starts insecure listener if:
    • HTTP is ON for site
  2. EFT starts secure listener if:
    • HTTPS is ON for site
      OR
    • AS2 is ON for site
      OR
    • Web Services (SOAP) is ON for site
      OR
    • Account management page is ON for site
  3. EFT auto-redirects plaintext=>SSL if:
    • ASM module is registered
      AND
    • HTTP->HTTPS auto-redirect is ON for site OR CAC authentication is ON for site
  4. EFT processes login page:
    • Via both plaintext and SSL listener
  5. EFT processes HTTP file transfers if:
    • HTTP is ON for site
      AND
    • HTTP is ON for user (directly or via inheritance)
      AND
    • HTTP->HTTPS auto-redirect is OFF
  6. EFT processes HTTPS file transfers if:
    • HTTPS is ON for site
      AND
    • HTTPS is ON for user (directly or via inheritance)
      OR
    • HTTP->HTTPS redirect is ON
  7. EFT processes account management page (/manageaccount):
    • Via SSL listener only
      AND
    • For authenticated users only
  8. EFT processes MTC requests:
    • Via SSL listener only
  9. EFT processes AS2 requests:
    • Via both plaintext and SSL listener*
  10. EFT processes (REST) Workspaces requests:
    • Via both plaintext and SSL listener*
  11. EFT processes (SOAP) Web-service:
    • Via both plaintext and SSL listener*

    *See above conditions for when connections are processed using insecure vs. secure listener.

  12. EFT processes (REST) Administrator requests:
    • Via SSL listener only (port 4450 by default, located on Server > Administrator tab)

For security best practices:

  • Disable HTTP unless you absolutely require it (unlike the HTTPS listener, no other service will start it automatically if it is disabled for transport, under the Site > Connections tab)
  • If HTTP is enabled, we recommend you enable the “Redirect all plaintext HTTP traffic to HTTPS” option
  • Preferably, only enable Account Management if you also plan on enabling HTTPS (for transfers)
  • Don’t enable AS2 or MTC/Mobile access if not necessary
  • Don’t enable Web Services unless you plan on invoking event rules via SOAP calls
  • When using HTTPS, also enable HSTS
  • Always use a strong set of ciphers (see Server > Security tab)
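
The listener rules 1 to 3 and the best-practice list above can be expressed as a small audit check. This is an added example, not EFT code or an EFT API: the `Site` field names are hypothetical and simply mirror the toggles named in this article, and the sample configuration is constructed.

```python
from dataclasses import dataclass

@dataclass
class Site:
    # Hypothetical field names; each mirrors one toggle named in the article.
    http: bool = False
    https: bool = False
    as2: bool = False
    soap: bool = False
    account_mgmt: bool = False
    asm_registered: bool = False
    redirect: bool = False   # "Redirect all plaintext HTTP traffic to HTTPS"
    cac: bool = False
    hsts: bool = False

def listeners(s: Site) -> dict:
    """Rules 1-3 of the article: listener start-up and plaintext redirect."""
    return {
        "insecure": s.http,
        "secure": s.https or s.as2 or s.soap or s.account_mgmt,
        "redirect": s.asm_registered and (s.redirect or s.cac),
    }

def audit(s: Site) -> list:
    """Compare a site's toggles against the article's best-practice list."""
    state, findings = listeners(s), []
    implicit = [name for name, on in (("AS2", s.as2), ("Web Services", s.soap),
                                      ("Account Management", s.account_mgmt)) if on]
    if state["secure"] and not s.https:
        findings.append("secure listener up with HTTPS transport OFF, started by: "
                        + ", ".join(implicit))
    if state["insecure"] and not state["redirect"]:
        findings.append("plaintext listener up without an effective HTTP->HTTPS redirect")
    if s.account_mgmt and not s.https:
        findings.append("Account Management enabled without HTTPS transfers")
    if s.https and not s.hsts:
        findings.append("HTTPS enabled but HSTS is OFF")
    return findings

# Constructed sample: both transports switched off, AS2 left on.
sample = Site(as2=True)

if __name__ == "__main__":
    print(listeners(sample))
    for finding in audit(sample):
        print("-", finding)
```

The constructed sample shows the case the note above warns about: with both transport toggles off, the secure listener is still started by AS2.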

The section of EFT in question (not counting 12 above):