Channel: GlobalSCAPE Knowledge Base » Knowledgebase

Adjust IP Access Rule Count Limit and IP Auto Ban List limit


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server Enterprise version 6.4 and later

DISCUSSION

By default, IP Access-related Event Rules are limited to 1000 rules. When customers upgrade with more than 1000 denied IP addresses already in the list, the rule count overflows immediately and no new rules can be created.

You can add the following registry entries to raise this limit so that the existing rule set can be edited again.

32-bit: HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 4.0

64-bit: HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0

DWORD: IPRulesLimit

Accepts values from 0 to 60000; default is 5000

and

DWORD: AutobanLimit

Accepts values from 0 to 60000; default is 10000

It is not necessary to restart the server for the changes to take effect.


Unable to use backslashes (\) as directory separator in paths; 501 Syntax error in parameters or arguments


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.x and later

SYMPTOM

Unable to use backslashes (\) as directory separator in paths, causing a "501 Syntax error in parameters or arguments" error message.

RESOLUTION

Create the registry entries described below.

32-bit:

HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\EFT Server 7.0\

64-bit:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.0\

ReplaceBackslashWithSlashInPathsForFTP

ReplaceBackslashWithSlashInPathsForSFTP

Values:

1 = enabled; that is, backslashes (\) in paths are replaced with forward slashes (/)

0 = disabled

Default = 0

It is not necessary to restart the EFT server service; the change takes effect immediately.

MORE INFORMATION

The SFTP draft specification (https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02) says: "File names are assumed to use the slash ('/') character as a directory separator." EFT v6.5 does not strictly follow the draft in this regard and also accepts a backslash ('\') as a directory separator.

EFT 7.0 and later follow the draft. The registry values above were added so that EFT v7.x and later can be made to behave the same way as v6.5 for backward compatibility.

Windows Registry Settings (EFT Server)


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server version 4.x and later and EFT Server Enterprise version 6 and later

DISCUSSION

EFT Server stores its configuration information in the Windows Registry, which contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. EFT Server modifies the system registry as needed, and continually references this information during operation.

To add a key to the registry, you can either edit it directly or create and execute a .reg file. When you add or edit these registry keys, you will need to restart EFT Server.


These options are for advanced users only. Incorrectly editing the registry can severely damage your system. You should always back up (export a copy of) the registry before you make any changes to it.

Some paths are HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 3.0\, and others are HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\. Do NOT change the path to match your version of EFT Server.


The registry keys described at the links below are available in EFT Server for advanced system administration.

The instructions below are provided only as a reminder for advanced users.

If you are not experienced with editing the Registry, please ask your system or network administrator for assistance.

To back up the registry

  1. Click Start, then click Run. The Run dialog box appears.
  2. In the Open box, type regedit, then press ENTER. The Registry Editor appears.
  3. Do one of the following:
    • To back up the entire registry, click My Computer.
    • To back up a specific group of keys or a specific key, click the folder or key.
  4. On the main menu, click File, then click Export. The Export Registry File dialog box appears.
  5. Specify a name and location for the file, then click Save. The export process begins.

    If you are exporting the entire registry, it can take a few minutes, and the file size can be up to 100 MB or more. If you are exporting just one key, the file size is approximately 1 KB.

  6. After you edit the registry, if you are experiencing problems caused by editing the registry, you can import the backed up file:
    1. On the main menu, click File, then click Import. The Import Registry File dialog box appears.
    2. Click the .reg file to import, then click Open. The import process begins. If you are importing the entire registry, it can take a few minutes.

To create a .reg file

  1. In a text editor, such as Notepad, type or paste the following text on the first line:

    Windows Registry Editor Version 5.00

  2. On the second line, type or paste the key path. For example, type:

    [HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0\EventRules]

    (include brackets)

  3. On the third line, type or paste the name of the value and its DWORD data. For example, type:

    "FolderMonitorWorkerThreadCount"=dword:00000100

    (include quotation marks; the DWORD data in a .reg file is hexadecimal, so 00000100 is 256 in decimal)

  4. Close the file and save it with a .reg extension. For example, type:

    threadcount.reg

  5. Double-click the file and follow the prompts to install the key into the registry. If you receive an error, open the file to verify the information was typed correctly. The .reg file can be transported to and used on other computers.

To create the key manually

  1. Click Start, then click Run. The Run dialog box appears.
  2. In the Open box, type regedit, then press ENTER. The Registry Editor appears.
  3. Expand the My Computer node, the HKEY_LOCAL_MACHINE node, and the SOFTWARE node to find the GlobalSCAPE nodes.
  4. Click the applicable GlobalSCAPE node (as described below), then right-click it, point to New, then click Key. This makes a new folder under the GlobalSCAPE node.
  5. Type a name for the key based on the instructions below, then press ENTER.
  6. Right-click the key, point to New, then click DWORD Value.
  7. Type a name for the DWORD value based on the instructions below, then press ENTER.
  8. Double-click the DWORD. The Edit DWORD Value dialog box appears.
  9. In the Value data box, type an integer, based on the instructions below, then click OK.
  10. Close Registry Editor, then restart the EFT Server service.

Some of the keys should be created in the EFT Server 3.0 folder, and some should be created in the EFT Server 4.0 folder. Do NOT change the path to match your version of EFT Server.
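The following Python helper is an added example, not part of the Globalscape article, for the .reg-file procedure above and for the IPRulesLimit, AutobanLimit and ReplaceBackslashWithSlashInPaths values described in the earlier articles. It writes a .reg body for either the 32-bit or the WOW6432Node key path, rejects values outside the documented ranges, and reads a .reg body back to report each DWORD in decimal, which catches the common mistake of typing a decimal number where .reg files expect hexadecimal. The key paths and value names are copied from the articles; the range table, the function names and the CRLF line endings are this example's own choices.

```python
import re
from typing import Dict

# Key paths quoted in the articles above. The "EFT Server 4.0" key is the one
# the IP access limits live under; the articles say not to change it to match
# your EFT version. The "64-bit" entry is the WOW6432Node path the articles give.
EFT_KEYS = {
    "4.0": {
        32: r"HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 4.0",
        64: r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 4.0",
    },
    "7.0": {
        32: r"HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc.\EFT Server 7.0",
        64: r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.0",
    },
}

# Documented ranges from the articles above (assumed complete for these names);
# names not listed here are only checked against the 32-bit DWORD range.
RANGES = {
    "IPRulesLimit": (0, 60000),
    "AutobanLimit": (0, 60000),
    "ReplaceBackslashWithSlashInPathsForFTP": (0, 1),
    "ReplaceBackslashWithSlashInPathsForSFTP": (0, 1),
}


def dword_line(name: str, value: int) -> str:
    """Format one REG_DWORD line. .reg files write DWORDs as 8 hex digits."""
    lo, hi = RANGES.get(name, (0, 0xFFFFFFFF))
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the documented range {lo}-{hi}")
    return f'"{name}"=dword:{value:08x}'


def build_reg(key_version: str, bitness: int, values: Dict[str, int], subkey: str = "") -> str:
    """Build a complete .reg body for the chosen EFT key (optionally a subkey
    such as EventRules) and the given DWORD values. CRLF line endings and a
    trailing blank line match what regedit itself exports."""
    path = EFT_KEYS[key_version][bitness]
    if subkey:
        path = path + "\\" + subkey
    lines = ["Windows Registry Editor Version 5.00", "", f"[{path}]"]
    lines += [dword_line(name, value) for name, value in values.items()]
    return "\r\n".join(lines) + "\r\n"


_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text: str) -> Dict[str, int]:
    """Read DWORD values back from a .reg body, converting hex to decimal.
    A line typed as dword:00001000 is 4096, not 1000; this is the check that
    exposes a decimal value pasted where hex was expected."""
    found = {}
    for line in text.splitlines():
        m = _DWORD_RE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    return found


if __name__ == "__main__":
    body = build_reg("4.0", 64, {"IPRulesLimit": 20000, "AutobanLimit": 30000})
    print(body)
    print(parse_reg_dwords(body))
```

Run the script and import the printed file with regedit, or save the body with a .reg extension and double-click it as the article describes; run parse_reg_dwords over any hand-written .reg file before importing it to confirm the decimal values are what you intended.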


DMZ Gateway® Configuration Settings


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • DMZ Gateway®, v3.0 and later

DISCUSSION

The following properties can be edited in the DMZ Gateway configuration file (<InstallDir>\conf\DMZGatewayServerService.conf) to fine-tune your DMZ Gateway deployment for specific situations. Please refer to http://kb.globalscape.com/KnowledgebaseArticle10866.aspx and http://kb.globalscape.com/KnowledgebaseArticle10710.aspx, or contact Globalscape Customer Support, for information about making these changes.

Each property is listed with its units, valid range, default, whether it is dynamic (F = false), the version in which it was added, and a description.

DMZBufferPoolBufferSize
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 65535
  Dynamic: F
  Version added: 3.0.0
  Description: The default/initial size of the internal buffers used for communications. Typically this should be set to 1 less than the send buffer size to avoid delayed TCP ACK performance problems when sending data to a Windows server.

DMZConfigurationDirectory
  Units: String
  Default: <Current working directory>
  Dynamic: F
  Version added: 3.0.0
  Description: Specifies the location of the main configuration data for the DMZ Gateway. Leave it empty or undefined to use the working directory.

DMZDispatcherThreadPoolSize
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 10
  Dynamic: F
  Version added: 3.0.0
  Description: The number of worker threads to use during NIO event dispatching.

DMZRecvBufferSize
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 65535
  Dynamic: F
  Version added: 3.0.0
  Description: The desired size of the communications receive buffer. Note that this is only a hint to the operating system and does not have to be honored. Typically this should be sized the same as the internal buffer.

DMZSendBufferSize
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 65536
  Dynamic: F
  Version added: 3.0.0
  Description: The desired size of the communications send buffer. Note that this is only a hint to the operating system and does not have to be honored.

NetworkAccessPolicyExceptionLimit
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 100 per list in 3.0.0, 1000 per list in 3.1.0
  Dynamic: F
  Version added: 3.0.0
  Description: The number of network access policy exception masks allowed per list.

ProfileLimit
  Units: int
  Valid range: 1 - 2,147,483,647
  Default: 15
  Dynamic: F
  Version added: 3.0.0
  Description: The internal limit on the number of Profiles that may be defined.

ListenBacklogQueueSize
  Units: int
  Valid range: 0 - 128
  Default: 0
  Dynamic: F
  Version added: 3.0.0
  Description: The listen backlog queue size for all client-side listeners. 0 = use the system default.

EnableConnFloodProtection
  Units: boolean
  Valid range: true or false
  Default: TRUE
  Dynamic: F
  Version added: 3.0.0
  Description: Enables or disables connection flood protection. Disabling it allows a larger number of connections to be accepted at the same time.

DMZAllowSOCKS5ConnectionFromUnknownIP
  Units: boolean
  Valid range: true or false
  Default: FALSE
  Dynamic: F
  Version added: 3.1.0.5
  Description: Allows DMZ Gateway to accept SOCKS5 connections from systems that do not currently have a connected EFT/Mail Express Server.

Overriding the default Profile limit in DMZ Gateway


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • DMZ Gateway version 3.0.0 and later

DISCUSSION

By default, DMZ Gateway allows you to connect to up to 15 EFT Server Sites simultaneously. You can override the profile limit by editing a system property, as described below.


GlobalSCAPE Quality Assurance tested the system with up to 15 Sites; increasing this limit may cause as yet unknown issues.

To override the profile limit:

  1. Open the file <InstallDir>\conf\DMZGatewayServerService.conf in a text editor.
  2. Locate the section labeled "Additional Java Parameters," which will be similar to the following text:

    # Additional Java parameters. Add parameters as needed starting from 1.
    # By default, use the server Virtual Machine.
    wrapper.java.additional.1=-server
    wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
    wrapper.java.additional.2.stripquotes=TRUE
    wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.6.0_24/lib/ext

  3. Add the following line at the end of the section:

    wrapper.java.additional.<Index>=-DProfileLimit=<New Limit>

    Where "<Index>" is 1 more than the index number in the previous line and "<New Limit>" is the desired profile limit. For example:

    # Additional Java parameters. Add parameters as needed starting from 1.
    # By default, use the server Virtual Machine.
    wrapper.java.additional.1=-server
    wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
    wrapper.java.additional.2.stripquotes=TRUE
    wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.6.0_24/lib/ext
    wrapper.java.additional.4=-DProfileLimit=100

    sets the profile limit to 100.

  4. Save your changes.
  5. Restart the DMZ Gateway Server Windows Service.
  6. To verify that the change has taken effect, open the file <InstallDir>\logs\DMZGatewayServer.log and locate the most recent log message containing the text "Number of Profiles is limited to." This line shows the active profile limit.

Refer to http://kb.globalscape.com/KnowledgebaseArticle11201.aspx for other DMZ Gateway configuration settings.

Overriding the default SOCKS5 Connection Security in DMZ Gateway


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • DMZ Gateway version 3.1.0.5 and later

DISCUSSION

By default, DMZ Gateway services SOCKS5 requests only if they originate from the IP address of a currently connected EFT Server. You can tell that DMZ Gateway is refusing requests for this reason by WARN-level messages in the <InstallDir>\logs\DMZGatewayServer.log file similar to the following text:

16 Aug 2011 14:56:07,561 WARN PNC (192.168.157.1): Refused SOCKS client greeting from unrecognized remote address /192.168.157.179:3091

You can override this behavior and instruct DMZ Gateway to accept SOCKS5 requests from any IP address by editing a system property, as described below. Note that this removes the only source-address check on the SOCKS5 listener: every host that can reach the listener is then allowed to start a SOCKS5 exchange. If you enable it, limit which hosts can reach the listener with network or firewall rules, and first check in the log which addresses are actually being refused, since a refused address belonging to one of your own EFT servers points to a profile that is not connected rather than to a need for this override.

GlobalSCAPE Quality Assurance tested the system with the default setting; changing this setting from the default may cause as yet unknown issues.
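The Python below is an added example, not code from the Globalscape article, that parses the WARN line quoted above and sorts the refused source addresses into two buckets: addresses of EFT or Mail Express servers you expect to be connected (their refusals mean the gateway profile is not connected, which is fixed on the EFT side) and everything else (the hosts that would gain SOCKS5 access if the override below were enabled). The log line format is taken from the article; the sample log lines other than the quoted one, the function names and the set of expected server addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, NamedTuple, Optional, Set, Tuple

# Shape of the WARN line quoted in the article. The address in parentheses is
# whatever DMZ Gateway prints after "PNC"; the address after the slash is the
# remote client whose SOCKS5 greeting was refused.
_REFUSED_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),\d{3} WARN "
    r"(?P<component>\S+) \((?P<context>[^)]+)\): "
    r"Refused SOCKS client greeting from unrecognized remote address "
    r"/(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)$"
)


class Refusal(NamedTuple):
    when: datetime
    context: str   # address DMZ Gateway prints in parentheses after PNC
    ip: str        # remote client that was refused
    port: int


def parse_refusal(line: str) -> Optional[Refusal]:
    """Parse one 'Refused SOCKS client greeting' WARN line; None for other lines."""
    m = _REFUSED_RE.match(line.strip())
    if not m:
        return None
    return Refusal(
        datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S"),
        m.group("context"),
        m.group("ip"),
        int(m.group("port")),
    )


def triage_refusals(lines: Iterable[str], expected_eft_ips: Set[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count refusals per source address, split into:
       expected   - your own EFT/Mail Express servers; investigate why their
                    gateway profile is not connected
       unexpected - anything else; these are the hosts the override would admit"""
    expected: Counter = Counter()
    unexpected: Counter = Counter()
    for line in lines:
        r = parse_refusal(line)
        if r is None:
            continue
        bucket = expected if r.ip in expected_eft_ips else unexpected
        bucket[r.ip] += 1
    return dict(expected), dict(unexpected)


# Constructed sample: the line quoted in the article plus three made-up lines.
SAMPLE_LOG = [
    "16 Aug 2011 14:56:07,561 WARN PNC (192.168.157.1): Refused SOCKS client greeting from unrecognized remote address /192.168.157.179:3091",
    "16 Aug 2011 14:56:09,102 WARN PNC (192.168.157.1): Refused SOCKS client greeting from unrecognized remote address /192.168.157.179:3092",
    "16 Aug 2011 14:57:30,004 INFO PNC (192.168.157.1): constructed unrelated line",
    "16 Aug 2011 15:01:12,880 WARN PNC (192.168.157.1): Refused SOCKS client greeting from unrecognized remote address /203.0.113.42:50111",
]

if __name__ == "__main__":
    # Assumed: 192.168.157.179 is one of your EFT servers (constructed value).
    expected, unexpected = triage_refusals(SAMPLE_LOG, {"192.168.157.179"})
    print("refused EFT servers (check their gateway profile):", expected)
    print("refused unknown sources (do not enable the override for these):", unexpected)
```

Point it at the real DMZGatewayServer.log with the addresses of your EFT servers in the expected set; a non-empty unexpected bucket is a reason to leave DMZAllowSOCKS5ConnectionFromUnknownIP at its default.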

To override the default setting:

  1. Open the file <InstallDir>\conf\DMZGatewayServerService.conf in a text editor.
  2. Locate the "Additional Java Parameters" section, which will be similar to the following text:

    # Additional Java parameters. Add parameters as needed starting from 1.
    # By default, use the server Virtual Machine.
    wrapper.java.additional.1=-server
    wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
    wrapper.java.additional.2.stripquotes=TRUE
    wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.6.0_24/lib/ext

  3. Add the following line at the end of the section:

    wrapper.java.additional.<Index>=-DDMZAllowSOCKS5ConnectionFromUnknownIP=true

    Where "<Index>" is 1 more than the index number in the previous line. For example:

    # Additional Java parameters. Add parameters as needed starting from 1.
    # By default, use the server Virtual Machine.
    wrapper.java.additional.1=-server
    wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
    wrapper.java.additional.2.stripquotes=TRUE
    wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.6.0_24/lib/ext
    wrapper.java.additional.4=-DDMZAllowSOCKS5ConnectionFromUnknownIP=true

  4. Save your changes.
  5. Restart the DMZ Gateway Server Windows Service.
  6. To verify that the change has taken effect, confirm that DMZ Gateway now accepts SOCKS5 requests from unrecognized addresses and that the WARN-level log messages discussed above no longer appear in the <InstallDir>\logs\DMZGatewayServer.log file.

Refer to http://kb.globalscape.com/KnowledgebaseArticle11201.aspx for other DMZ Gateway configuration settings.
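The following Python is an added example, not code from Globalscape, that performs the edit described in this article and in the profile-limit article above: it sets a -D system property in the "Additional Java Parameters" section of DMZGatewayServerService.conf, numbering a new entry one past the highest existing wrapper.java.additional index (as both articles require) and rewriting the value in place if the property is already present, so the same index is never defined twice. It generalizes beyond the two articles in that any property from the configuration-settings table can be set the same way. The sample section is copied from the articles; the function names and the idempotent-rewrite behavior are this example's own.

```python
import re
from typing import Optional

# Any wrapper.java.additional.<N>... key, including attribute lines such as
# wrapper.java.additional.2.stripquotes=TRUE; used to find the highest index
# and the last line of the section.
_ANY_ADDITIONAL = re.compile(r"^wrapper\.java\.additional\.(\d+)(?:\.[\w.]+)?=")
# An entry of the form wrapper.java.additional.<N>=-D<name>=<value>
_SYS_PROP = re.compile(r"^wrapper\.java\.additional\.(\d+)=-D([^=\s]+)=(.*)$")


def get_java_property(conf: str, name: str) -> Optional[str]:
    """Return the value currently passed as -D<name>, or None if it is not set."""
    for line in conf.splitlines():
        m = _SYS_PROP.match(line.strip())
        if m and m.group(2) == name:
            return m.group(3)
    return None


def set_java_property(conf: str, name: str, value: str) -> str:
    """Return the conf text with -D<name>=<value> set.

    An existing entry for the property is rewritten in place. Otherwise a new
    entry is inserted directly after the last wrapper.java.additional.* line,
    numbered one past the highest existing index: the wrapper reads these
    entries in sequence starting from 1, which is why the articles say to use
    "1 more than the index number in the previous line"."""
    lines = conf.splitlines()
    highest = 0
    last_pos = None
    for i, line in enumerate(lines):
        m = _SYS_PROP.match(line.strip())
        if m and m.group(2) == name:
            lines[i] = f"wrapper.java.additional.{m.group(1)}=-D{name}={value}"
            return "\n".join(lines) + "\n"
        m = _ANY_ADDITIONAL.match(line.strip())
        if m:
            highest = max(highest, int(m.group(1)))
            last_pos = i
    new_line = f"wrapper.java.additional.{highest + 1}=-D{name}={value}"
    if last_pos is None:
        lines.append(new_line)
    else:
        lines.insert(last_pos + 1, new_line)
    return "\n".join(lines) + "\n"


# Constructed copy of the section quoted in the articles above.
SAMPLE_CONF = """\
# Additional Java parameters. Add parameters as needed starting from 1.
# By default, use the server Virtual Machine.
wrapper.java.additional.1=-server
wrapper.java.additional.2=-DDMZSharedConfigurationDirectory=%DMZ_SHARED_CONFIG_DIRECTORY%
wrapper.java.additional.2.stripquotes=TRUE
wrapper.java.additional.3=-Djava.ext.dirs=bin/jre1.6.0_24/lib/ext
"""

if __name__ == "__main__":
    conf = set_java_property(SAMPLE_CONF, "ProfileLimit", "100")
    # Only set this one deliberately: it removes the source-address check on
    # the SOCKS5 listener (see the article above).
    conf = set_java_property(conf, "DMZAllowSOCKS5ConnectionFromUnknownIP", "true")
    print(conf)
```

To apply it to a real installation, read <InstallDir>\conf\DMZGatewayServerService.conf into a string, pass it through set_java_property, write the result back, and restart the DMZ Gateway Server service as the articles describe.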

Installing or Upgrading DMZ Gateway in a Failover (ACTIVE/PASSIVE) Cluster


THE INFORMATION IN THIS ARTICLE APPLIES TO:

DISCUSSION

This article discusses installing DMZ Gateway in a failover cluster and upgrading DMZ Gateway in a failover cluster. This article DOES NOT detail configuration for a High Availability (Active/Active) cluster scenario.

Set up DMZ Gateway in a clustered environment using Microsoft Clustering Services or Globalscape’s monitoring utilities and achieve high availability through failover clustering.

If you have Microsoft Clustering Service (MSCS) deployed, you can use its built-in Resource Monitor to manage the availability of DMZ Gateway. MSCS can manage DMZ Gateway as a generic service.

Clustering setups vary between operating systems, hardware resources used, and various other factors. If you have never set up a server cluster before, please consult your Windows documentation or the Cluster Administrator help file for detailed instructions on setting up a server cluster prior to proceeding. The focus of these instructions is for setting up DMZ Gateway in a pre-existing clustered environment.

Deploying DMZ Gateway in a clustered environment as described in this document is typically the most reliable method to achieve high availability and mitigate down time. For more information specific to clustering with DMZ Gateway, contact Globalscape Customer Support.

For information regarding clustering in Windows Server 2012, refer to the following articles:

Prerequisites for DMZ Gateway in a Clustered Setup

  • Operating System requirements
    • Microsoft Clustering Service as available on:
      • Windows Server 2003 R2 32-bit and 64-bit (IPv6 is not supported)
      • Windows Server 2008 R2 (Standard, Enterprise, and Datacenter editions)
      • Windows Server 2012 R2 (Standard, Enterprise, and Datacenter editions)
  • Hardware and resource requirements
    • A complete system for each node of the cluster (minimum of two)
    • A shared disk resource such as DAS or SAN, preferably configured as a RAID-redundant array
    • A disk quorum for disk and resource management; a minimum of two adapters per system (one for internal cluster communications, and another for public access)
  • Skill Set
    • A systems or network administrator familiar with the organization’s structure and skilled in networking, Active Directory (AD), and cluster administration.

Configure the DMZ Gateway Cluster

Perform the steps below to configure clustering before setting up DMZ Gateway on the system.

  1. Make sure the hardware is set up correctly and there is a shared disk resource, disk quorum, hub, or switch with Ethernet hookups between the two DMZ Gateways, as well as adapters for the crossover and for outside access, an adequate uninterruptible power supply (UPS) support for each device, and so on.
  2. Make sure you install an operating system that supports clustering on each system.
  3. Install Active Directory (AD) and configure the domain name service (DNS) on the first node. Choose one of the DMZ Gateway nodes to be node 1. The administrator password cannot be left blank.
  4. Create an account for the cluster in AD with a non-blank password and assign the account to the Administrators group.
  5. Join the second node to the AD domain.
  6. Reboot, then log in to the first node with the cluster account.
  7. Launch the Cluster Configuration Manager from the Add/Remove Windows Components dialog box and create a new cluster.
  8. Complete the new cluster creation wizard, providing a name for the cluster and cluster account credentials. Allow it to manage the disk, quorum, and other shared resources. Verify the quorum drive is correct, and select the private network option. Use one adapter for the cluster nodes and the other for the public network. Specify the IP address for managing the cluster.

  9. Run the cluster configuration tool on the second node and configure it to be an additional node in the cluster. You will need to provide the cluster name and appropriate cluster account credentials.
  10. After you have completed the cluster configuration wizard, verify that the two nodes are set up properly from the cluster administrator dialog box. (To access the cluster administrator, click Start > Programs > Administrative Tools > Cluster Administrator.)
  11. In the left pane, right-click the Resources folder, click New > Resource, then specify the shared IP address on which the DMZ Gateways will listen. Note that DMZ Gateway captures the IP address when the DMZ Gateway service starts, so if the IP address is changed after that, the service must be restarted to capture it.

Configure DMZ Gateway to Run in a Clustered Environment

After you install and configure clustering on the system, perform the following procedure to configure DMZ Gateway in the cluster.

  1. Install DMZ Gateway on the active node.
  2. Specify the installation directory for DMZ Gateway:
    • For DMZ Gateway 3.0-3.2.x, select the shared disk drive as the installation directory.
    • For DMZ Gateway 3.3.x:
      • For the installation files, specify a location local to the server.
      • For the configuration files, specify a shared disk location.
  3. When the install completes, launch the product. Connect to DMZ Gateway using the administrator account that you created during installation.
  4. Open the Services dialog box (in Windows Administrative Tools), open the DMZ Gateway service Properties dialog box, then switch the startup type from Automatic to Manual.
  5. Stop the DMZ Gateway service, close the Services dialog box, and launch the Cluster Administrator.
  6. In the Cluster Administrator, make the second node active: In the left pane, click Groups, right-click the appropriate cluster and disk groups, then click Move Group. All resources should move from the first node to the second node so that the second DMZ Gateway installation succeeds; otherwise the shared disk remains locked by the first node and is unavailable to the second. It may take a few moments for the resources to switch over.
  7. Install DMZ Gateway on the second node once it is active (also to the shared directory), following steps above, and then exit the Services dialog box without stopping the DMZ Gateway service.
  8. Launch the administration interface, connect to the DMZ Gateway service on the second node, and configure DMZ Gateway.

Integrate DMZ Gateway into the Cluster

After you have set up the DMZ Gateway cluster and configured DMZ Gateway to run in a clustered environment, DMZ Gateway configuration is identical for both DMZ Gateways because both are using the same configuration file stored on the shared disk, saving data to the same place, and sharing the same outside-facing IP address.

To integrate DMZ Gateway into the cluster

  1. Open the cluster administrator. In the left pane, right-click the Resources folder, click New Resource, expand the Create New Resource list, then click Generic Services.
  2. Choose both nodes, select all resources as dependencies, then type the exact service name as displayed in the Windows Services dialog box (e.g., "DMZ Gateway Server"; it must be exact, including case.) Do not choose to replicate the registry settings.
  3. Click Finish to add the service as a resource.

Complete Cluster Configuration and Test

After you set up the DMZ Gateway cluster, configured DMZ Gateway to run in a clustered environment, and integrated DMZ Gateway into the cluster, you should have both nodes configured with shared resources, including a shared IP address, disk array, quorum, and two DMZ Gateways.

Perform tests to ensure the system was correctly configured.

  1. In the Cluster Manager, right-click the DMZ Gateway Server service, then click Bring Online.
  2. Open the DMZ Gateway administration interface and verify that it is online.
  3. In the Cluster Manager, right-click the DMZ Gateway Server service then click Bring Offline.
  4. In the DMZ Gateway administration interface, verify that the service has stopped.
  5. Cause a failover to confirm the service can be started on each node automatically.
  6. Configure the remote server to connect to DMZ Gateway using the cluster IP address (IP address that the cluster shares).
  7. Verify that the DMZ Gateway administration interface has a green light (to show that the server has connected).
  8. Verify that the failover allows the server to continue to be connected to a DMZ Gateway in the cluster.

Your cluster setup is now complete.

If one DMZ Gateway goes down, any transactions in progress are lost until the failover node comes online.

Upgrading DMZ Gateway in a Cluster

To upgrade DMZ Gateway in a cluster

  1. Obtain the new installation file(s).
  2. Bring down the cluster (from within the cluster manager). It is critically important that DMZ Gateway service is STOPPED on both nodes!
  3. Verify that the DMZ Gateway service is stopped by logging in to each node and inspecting the service control panel. For extra assurance you can change the startup type to Manual from Automatic. (Make sure to switch it back before you bring the cluster back up in step 7 below.)
  4. Run the installer on the first node and select Upgrade when prompted.
  5. Run the installer on the second node and select Upgrade when prompted.
  6. If you changed the DMZ Gateway service startup type to Manual in step 3, change it back to Automatic.
  7. Bring the cluster back up.
  8. Verify the upgrade was successful:
    1. Verify that DMZ Gateway is running on the primary node.
    2. Disable the primary node and verify secondary node starts up.
    3. Open the DMZ Gateway administration interface and verify that the version number is the same on both nodes (click Help > About).

Cannot send a file in the browser using the Java applet; the Applet is unable to connect to the server


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, when using Java applet, all versions
  • Mail Express, when using Java applet, all versions

SYMPTOM

Cannot send a file in the browser using the Java applet; the Applet is unable to connect to the server

RESOLUTION

Download and install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8" (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) from Oracle so that the Java installation can use "strong" ciphers.

MORE INFORMATION

When Java attempts SSL/TLS connections it cannot, by default, use strong ciphers (256-bit and higher) unless the computer running Java has the unlimited-strength policy files deployed. Java 8u161 and later ship with the unlimited policy enabled by default, so the download is only needed for older Java 8 builds.


How does Globalscape manage quality in their products?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All products, all versions

QUESTION

How does Globalscape manage quality in their products?

ANSWER

Test Team Role and Responsibilities:

  • The Test team is responsible for ensuring requirement compliance and validating new feature functionality.

  • The Test Engineering team is responsible for maintaining and expanding our testing efficiency using automated testing.

  • Both teams participate in extensive load, stress and performance testing.

To maintain Quality Control every build must pass through a 4-step quality check process:

  • Unit testing and/or code review performed by development on any defect fixes and code changes.

  • Automated acceptance testing is executed against the build.

  • A manual test suite, maintained by the Test department, that covers the following:

  • Verification of requirement compliance

  • Verification of regression and legacy support

  • Verification of defect remediation

  • Verification of new feature functionality

  • If required, such as for a Private Patch build, Customer Support provides secondary validation to review code changes and validate appropriate implementation.

In addition to the aforementioned process the Quality Engineering and Test teams do the following:

  • For the EFT product line, we have a 24 x 7 lab which runs continuously to ensure product stability and performance.

  • Metrics are gathered for every major release to guard against performance degradation.

  • Limit and Load testing.

  • Certification and Compliance testing.

  • Upon release, manual test process for new features and functionality is submitted to Test Engineering for inclusion in the automated acceptance testing suite.

EFT v7.1.1 and later OpenSSL Registry Overrides


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.1.1 and later

DISCUSSION

With the exception of the SFTP (SSH2) protocol, all EFT inbound and outbound connections in EFT v7.1.1 and later use the global SSL settings to determine which OpenSSL cipher suites and protocol versions are exposed/used. There may be instances where customers require more fine-grained control over SSL settings. To address this, EFT v7.1.1 and later recognizes a number of registry entries that may be used to override the global SSL settings.

Refer to the attached PDF for details of these settings.

Getting the Most Out of EFT Workspaces


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT 7.1 and later

DISCUSSION

EFT Workspaces addresses the problem of letting employees share working folders with internal colleagues and external partners, using the data room concept within the EFT framework for project collaboration, distribution of digital materials, and more. The goal of this article is to provide guidance on establishing proper license management, security, and control over who can create workspaces, and on meeting these goals without administrators having to manually create every user account for third parties who participate.

For new EFT implementations there are no legacy configurations to consider, which simplifies introducing Workspaces to employees and partners alike. When an implementation already exists and is well established, however, there may be many considerations to take into account, and those will likely differ from one scenario to the next.

With that in mind, the broadest recommendation is to create an additional site using the internally managed Globalscape EFT user provider (known as a "GS site") and dedicate that site exclusively to Workspaces.

Rationale:

The foundational premise of Workspaces is to give new or existing EFT customers a way to provide working folders for collaboration. The details differ by use case: a project manager uploading a project folder to EFT and sharing it with colleagues and third parties for ongoing collaboration through file transfers to and from EFT; a channel sales manager uploading marketing material and selling guides and sharing them read-only with interested parties at new or prospective partner organizations; enterprise sales managers creating a workspace for each opportunity and inviting relevant internal and third-party personnel to add new RFI revisions, retrieve updated quotes, and so on. The possibilities are vast.

Implementation Details:

  • Workspaces must be disabled on any other sites (unless enabled on an AD/LDAP site for exclusively internal use, but this will count against Workspaces licenses).
  • Administrators must preemptively create the user accounts for internal employees they wish to allow to create workspaces and invite new users to participate.
  • In the Workspaces configuration tab, allowing invitations to new users must be enabled.
  • Accounts created manually for employees should be placed in a separate, non-default Settings Template (perhaps called “Employees” for example).
  • Administrators will likely want to disable the “Grant full permissions to users in their home folder” setting that is enabled by default (see item C-iv below), instead explicitly checking the box to enable this option during creation of employee accounts.

Key Items of Note:

  A. Administrators are not able to control who may create workspaces.
  B. Workspace participation and invitation may only occur within the site where the workspace was created.
      • EXAMPLE: An employee in an LDAP site is not able to invite a third party in a GS site to participate in a workspace, regardless of whether that 3rd party already has an account in the GS site or would need to have one created for them by virtue of accepting a workspace invite.
  C. Accounts created by virtue of a workspace invite:
      i. are themselves able to create and manage their own workspaces, which counts against licensing.
      ii. can only invite other existing users to participate, not net new users, in order to maintain a more secure implementation.
      iii. will be added to whichever Settings Template is set as the default.
      iv. are treated as fully fledged users with the exception of item ii (cannot invite net new users).
        • EXAMPLE: A real home folder will be created for the user, and if default options are selected then they will have full access in that folder to do with as they please. Quotas cannot be reliably leveraged to rein this in (see item D below).
  D. The contents of any workspaces in which a user participates in any role count against that user's disk quota.
  E. All other items required for EFT site operation must be acquired or otherwise accounted for, such as:
      1. Internal IP address for EFT
      2. DMZ IP address for the DMZ Gateway
      3. External IP address for incoming connections from the internet
      4. A DNS entry to provide a host name for users
        • External DNS published to resolve to the external IP address
        • Internal DNS published to resolve to the internal IP address
      5. SSL certificate purchased for that DNS entry
      6. NAT/Firewall rules added to allow for communications at the various levels of the network
        • No whitelisting is possible or recommended, as legitimate connections may come from anywhere in the world.
      7. DMZ Gateway profile created
      8. Storage provided for this separate Workspaces site
      9. Password complexity, inactive user removal, and other such policies
      10. EFT administration delegated to the appropriate parties at the appropriate level of access
      11. Incoming connection handling rules added to the load balancer (if applicable)
      12. CIC integration rules added for AV/DLP scanning of files (if applicable)
      13. Service/Port monitoring rules added (if applicable)
      Using CuteFTP® with DMZ Gateway® for testing remote EFT™ Connections


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT, all versions

      DISCUSSION

      In most corporate environments, EFT does not have Internet access. In those cases, DMZ Gateway® is used to provide EFT a secure remote connection. When troubleshooting Event Rules in EFT, it helps to connect to DMZ Gateway first, to determine whether any connection errors are in the Event Rule or the remote connection. With CuteFTP® and DMZ Gateway, you can connect to the remote server to test the connection details, folder paths, or to check if a file is ready to be picked up or delivered. Debugging Event Rules connections is made easier by connecting and testing remote connections using CuteFTP.

      The attached PDF provides a procedure to connect from CuteFTP to the DMZ Gateway, where you can see if the connection was successful.

      Running DMZ Gateway as non-root user in Linux


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • DMZ Gateway, version 3.0.0 and later

      DISCUSSION

      By default, DMZ Gateway installed on Linux runs as root, because the install script must itself be run as root. Good security practices require each server to run as its own user account, though, to isolate and protect sensitive information and services.

      Although the installer prompts for optional user information during the installation process, this is not altering the user account under which the service runs; instead, it is simply setting the group and owner for the installed files.

      To run the DMZ Gateway as non-root user after installing the DMZ Gateway:

      1. Create a non-root user account on the server (be sure to set up a home folder for that user account as well). Establish a strong password for that user account. (e.g., a user "dmzgatewayserver" with home folder "/home/dmzgatewayserver")
      2. Locate the installation folder (default "/opt/dmzgateway") and change ownership to the user account you created in step #1 (e.g., "sudo chown dmzgatewayserver /opt/dmzgateway")
      3. Ensure that the owner has write access to that folder (required to create .pid and log files) (e.g., "sudo chmod 744 /opt/dmzgateway")
      4. Edit the server daemon init script, "dmzgatewayd" (e.g., "sudo vi /opt/dmzgateway/dmzgatewayd")
      5. Find the line reading "#RUN_AS_USER=", remove the initial comment marker "#", and append the name of the user created in step #1 above after the equals sign (e.g., the line becomes "RUN_AS_USER=dmzgatewayserver")
      6. Now you may start (or restart) the DMZ Gateway Server service to have it run as the designated user (e.g., "sudo service dmzgatewayd start"). If you encounter any errors, look in the log files found in the "Logs" subfolder of the installation directory.
      NOTE!!!!

      When you run the DMZ Gateway Server service as a non-root user, the server can no longer bind to low number ports like 21, 22, 80, and 443. If the paired EFT Server attempts to direct the DMZ Gateway to listen on those ports, it will fail.

      To resolve this, you must:

      1. Configure iptables on the DMZ Gateway machine to listen on the desired public facing TCP ports (like 21, 22, 80, and 443) and redirect them to high number ports on which DMZ Gateway can listen (e.g., 8021, 8022, 8080, and 8443).
        For example,
        iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
        (this works under Linux kernel 2.3, 2.4, 2.5 and 2.6)
      2. Configure the EFT DMZ Gateway options to direct the DMZ Gateway to listen on those higher number ports to receive client traffic (e.g., 8021, 8022, 8080, and 8443). Be sure that you configure both iptables and EFT DMZ Gateway options to have the same port numbers.

      This will cause the Linux OS to redirect traffic on the low ports to those ports DMZ Gateway is listening on, resulting in traffic properly routing to/from the EFT Server.
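      The procedure above (steps 1-6) together with the port redirects from the NOTE, as an added shell script that is not Globalscape's own. It assumes the default install directory /opt/dmzgateway, the init script name dmzgatewayd, a user named dmzgatewayserver, interface eth0 and the low-to-high port pairs 21:8021, 22:8022, 80:8080 and 443:8443; all can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not Globalscape's own script: automates step 5 above and the
# iptables redirects from the NOTE section. Assumed values (override via env):
# install dir /opt/dmzgateway, init script dmzgatewayd, user dmzgatewayserver,
# low:high port pairs that must match the ports entered in EFT's DMZ Gateway options.
set -eu

DMZ_HOME="${DMZ_HOME:-/opt/dmzgateway}"
DMZ_USER="${DMZ_USER:-dmzgatewayserver}"
PORT_MAP="${PORT_MAP:-21:8021 22:8022 80:8080 443:8443}"
IFACE="${IFACE:-eth0}"

# Step 5: turn "#RUN_AS_USER=" in the init script ($1) into "RUN_AS_USER=$2".
# Re-running with a different user rewrites the line instead of adding a second one.
set_run_as_user() {
    script="$1" user="$2"
    if grep -q '^#*RUN_AS_USER=' "$script"; then
        sed -i "s/^#*RUN_AS_USER=.*/RUN_AS_USER=$user/" "$script"
    else
        printf 'RUN_AS_USER=%s\n' "$user" >> "$script"
    fi
    grep -q "^RUN_AS_USER=$user\$" "$script"   # fail loudly if the edit did not take
}

# One nat PREROUTING rule sending public port $1 to the high port $2 that the
# non-root DMZ Gateway can bind. Printed rather than executed so the rules can be
# reviewed first; pipe the output into "sh" as root to apply it.
redirect_rule() {
    printf 'iptables -A PREROUTING -t nat -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$IFACE" "$1" "$2"
}

# Emit a rule for every low:high pair; refuse a "high" port below 1024, since a
# non-root process could not bind it either and the redirect would be useless.
redirect_all() {
    for pair in $PORT_MAP; do
        low="${pair%%:*}" high="${pair##*:}"
        [ "$high" -ge 1024 ] || { echo "refusing $pair: $high is a privileged port" >&2; return 1; }
        redirect_rule "$low" "$high"
    done
}

# Steps 1-4 and 6 need root; run as "sh thisscript.sh apply" on the gateway host.
apply_all() {
    id "$DMZ_USER" >/dev/null 2>&1 || useradd -m "$DMZ_USER"   # step 1 (then set a password with passwd)
    chown "$DMZ_USER" "$DMZ_HOME" && chmod 744 "$DMZ_HOME"     # steps 2-3
    set_run_as_user "$DMZ_HOME/dmzgatewayd" "$DMZ_USER"        # step 5
    redirect_all | sh                                          # NOTE section
    service dmzgatewayd restart                                # step 6
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```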

      Refer to http://kb.globalscape.com/KnowledgebaseArticle11201.aspx for other DMZ Gateway configuration settings.

      Enable or Disable Event Rules with EFTSync


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT, all versions

      DISCUSSION

      If you have numerous Event Rules, like most customers, enabling them one at a time is rather difficult. The attached PDF shows you how to enable them by groups based on the NAME of the Event Rule using the EFTSync tool from Globalscape Professional Services.

      With which browsers are Globalscape products supported?


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • All Globalscape products

      QUESTION

      With which browsers are Globalscape products supported?

      ANSWER

      Before releasing a product feature that requires the use of a browser, the Globalscape Quality Assurance team tests the feature on the current version of the most-often used browsers: Internet Explorer, Firefox, Chrome, and Safari. Once the browser manufacturer removes their support for a version of their browser, Globalscape no longer supports it in their products. For example, when Internet Explorer v8 reached its End of Life (EOL), Globalscape tested on more current versions of the browser and did not test on the EOLed browser.

      Microsoft periodically releases new versions of its browser to improve functionality and to increase security. To see which versions of Internet Explorer are no longer supported by Microsoft, refer to https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=internet%20explorer.

      For optimum performance in Internet Explorer, please use the most current, most secure, version of the browser available.

      NOTE: It is possible for EFT to function with other browsers, but Globalscape only offers support for EFT with the tested and recommended browsers and browser versions.


      How continually running Scheduler (Timer) Event Rules work


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT 6.5 and later

      DISCUSSION

      EFT Enterprise offers a rich scheduler with extensive timing options and custom calendar capabilities. In many implementations, the Scheduler (Timer) Event Rule plays a major role in continually recurring automated tasks. With that in mind, there may be some concern regarding what happens if the task takes long enough to complete that it overlaps the next scheduled run time. For example, if you have a Scheduler Rule that runs every 5 minutes, but on occasion it takes 7 minutes to complete, what happens? This is especially important when it pertains to Advanced Workflow Engine (AWE) tasks that can sometimes be fairly complex and take much longer to complete during peak loads compared to normal low levels of activity.

      NOTE: This article specifically applies to Scheduler Rules configured to run “Continually” and not necessarily other timer configurations.

      Refer to the attached PDF for details of how timed Event Rules are processed.

      TCP Firewall Port Guidelines


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT Server, all versions (Server Only)
      • EFT Server Enterprise, all versions (Client and Server)
      • CuteFTP, all versions (Client Only)

      DISCUSSION

      Following is an explanation of the firewall rules needed for each protocol/mode to work, listed for the server side and the client side:

      Implicit SSL, PORT mode
        Server:
          • INBOUND port 990 from ANY
          • OUTBOUND from source port 989 to ANY
        Client:
          • OUTBOUND port 990 to SERVER_IP
          • INBOUND port CLIENT_CHOICE from SERVER_IP

      Implicit SSL, PASV mode
        Server:
          • INBOUND port 990 from ANY
          • INBOUND ports 28000-30000 from ANY
        Client:
          • OUTBOUND port 990 to SERVER_IP
          • OUTBOUND ports 28000-30000 to SERVER_IP

      Explicit SSL, PORT mode
        Server:
          • INBOUND port 21 from ANY
          • OUTBOUND from source port 20 to ANY
        Client:
          • OUTBOUND port 21 to SERVER_IP
          • INBOUND port CLIENT_CHOICE from SERVER_IP

      Explicit SSL, PASV mode
        Server:
          • INBOUND port 21 from ANY
          • INBOUND ports 28000-30000 from ANY
        Client:
          • OUTBOUND port 21 to SERVER_IP
          • OUTBOUND ports 28000-30000 to SERVER_IP

      SFTP
        Server:
          • INBOUND port 22 from ANY
        Client:
          • OUTBOUND port 22 from ANY

      HTTP
        Server:
          • INBOUND port 80 from ANY
        Client:
          • OUTBOUND port 80 from ANY

      HTTPS
        Server:
          • INBOUND port 443 from ANY
        Client:
          • OUTBOUND port 443 from ANY

      For information about defining a range of ports, refer to "Specifying a PASV IP or Port Range" in the help documentation.

      The ideal scenario is to support both Implicit SSL and Explicit SSL, when possible. From the server side, this support would look like this:

      • INBOUND port 21 from ANY
      • INBOUND port 990 from ANY
      • INBOUND ports 28000-30000 from ANY
      • OUTBOUND from source port 20 to ANY
      • OUTBOUND from source port 989 to ANY

      From the client view point:

      • It is far simpler, easier, more secure, and more fool-proof to use Implicit SSL in PASV mode.
      • Only OUTBOUND connections from their trusted network need to be allowed at that point. This reduces the security risk, avoids the need to set up complex firewall or NAT rules to maintain and conflicts to resolve, and it is encrypted from the moment the socket is opened.

      Explicit SSL in PASV mode is the second-best choice. Sometimes Explicit SSL is the only FTPS type supported by older legacy platforms, so there may be no getting around it. But if Explicit SSL is used, it is important to remember that Explicit SSL works by the client opening a socket and briefly communicating in clear-text FTP mode, then issuing the AUTH SSL or AUTH TLS command to switch to SSL-encrypted FTP. This can cause problems with some firewall/NAT devices: they recognize and latch onto the clear-text FTP connection, and then have no idea how to react during the SSL negotiation. Such a device often reacts by blocking any further communication that does not conform to its idea of standard FTP. This is the exception, not the rule, but it is not rare, so be on the lookout for it.

      PORT mode applies equally to both Explicit and Implicit SSL. The problem is that the client must be capable of being configured to send its public IP address and specific ports as part of the PORT command when it is behind NAT, which is almost always the case, and that is a rare feature to have. The client side must also manage its firewall/NAT devices so as to allow direct incoming traffic from the untrusted public internet. This is rarely desirable, and it is never preferable when compared to PASV mode. It is not necessarily impossible, just potentially more painful, and it requires intricate management and maintenance by administrators on the client side, deepening the furrows in the firewall and security personnel's collective brow. Usually this is only done when absolutely necessary due to legacy applications that have limitations which simply cannot be addressed in any other manner.

      Note: The ports listed above are the default port configurations for EFT. These ports can be configured for alternate ports within the application.
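      The server-side "ideal scenario" rule set and the recommended client-side rule set (Implicit SSL in PASV mode) rendered as iptables commands, as an added example that is not Globalscape's own. It assumes a Linux host or border firewall with interface eth0, a stateful ruleset that already accepts ESTABLISHED/RELATED traffic, and EFT's default ports; SERVER_IP and the PASV range are parameters.

```shell
#!/bin/sh
# Added example, not from Globalscape: renders the port guidelines above as
# iptables rules. Assumptions: interface eth0, conntrack already passing
# ESTABLISHED,RELATED traffic, default EFT ports 21/990 and source ports 20/989.
set -eu

# Server side, supporting both Implicit and Explicit SSL. $1 is the PASV data
# range as "low-high". PORT-mode data connections are opened by the server from
# source port 20 (explicit) or 989 (implicit), so those need NEW outbound rules.
eft_server_rules() {
    range="$1"; low="${range%-*}"; high="${range#*-}"
    [ "$low" -ge 1024 ] && [ "$low" -lt "$high" ] \
        || { echo "bad PASV range '$range': need low-high with low >= 1024" >&2; return 1; }
    cat <<EOF
iptables -A INPUT  -i eth0 -p tcp --dport 21  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 990 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport $low:$high -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 20  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 989 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Client side, Implicit SSL in PASV mode (the recommended choice): only outbound
# connections to the server are needed, so nothing inbound is opened at all.
# $1 = SERVER_IP, $2 = the server's PASV range "low-high".
client_implicit_pasv_rules() {
    server_ip="$1" range="$2"
    cat <<EOF
iptables -A OUTPUT -o eth0 -p tcp -d $server_ip --dport 990 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d $server_ip --dport ${range%-*}:${range#*-} -m conntrack --ctstate NEW -j ACCEPT
EOF
}

if [ "${1:-}" = "server" ]; then eft_server_rules "${2:-28000-30000}"; fi
if [ "${1:-}" = "client" ]; then client_implicit_pasv_rules "$2" "${3:-28000-30000}"; fi
```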

      Java applet unresponsive


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT, all versions
      • Mail Express, all versions

      SYMPTOM

      Java applet unresponsive

      RESOLUTION

      It is necessary to enable NPAPI plugins to use the Java applet.

      1. In the address bar, enter: chrome://flags/#enable-npapi
      2. Click Enable.
      3. Click Relaunch at the bottom of the configuration page.

      MORE INFORMATION

      In recent versions of Chrome (42 and later), Google has disabled the NPAPI plugin, which is required to run Java applets, by default. A series of steps are now required to enable the plugin. This affects customers who might be using Chrome to access Mail Express (Java uploader / downloader) and the Java WTC. Google apparently plans on completely phasing out support for NPAPI by the end of the year, with Firefox to follow.

      How to Configure an HAProxy Load Balancer with an EFT HA Cluster


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • EFT v7.0 and later

      DISCUSSION

      HAProxy is an open source, Linux-based load balancer that can be used to balance traffic inbound to an EFT HA cluster. The attached article provides the steps and some configuration samples for an HAProxy running on CentOS/RHEL that can be used to load balance any number of nodes of an EFT in High Availability mode for inbound connections.

      Unable to upload a folder to EFT using WTC


      THE INFORMATION IN THIS ARTICLE APPLIES TO:

      • WTC, v1.1
      • EFT, v7.1.1.11

      SYMPTOM

      Unable to upload a folder to EFT through the Web Transfer Client (WTC) when using Internet Explorer or Firefox

      RESOLUTION

      Do one of the following:

      1. Compress the entire folder, and then upload the resulting ZIP file.

      2. Change to Google Chrome or other browser that supports folder uploads.

      MORE INFORMATION

      The administrator can enable a popup message to appear in the browser when a user attempts to upload a folder using Internet Explorer or Firefox.

      To enable the message

      1. Open the configuration file in a text editor. By default, the file is at:

         C:\Program Files (x86)\GlobalSCAPE\EFT Server Enterprise\web\public\EFTClient\jument\scripts\39ba4de0.adminConfig.js

      2. Change

         gsb.config.showSiteInitPopups = false;

         to

         gsb.config.showSiteInitPopups = true;

         Example:

         \Globalscape\EFT Server Enterprise\web\public\EFTClient\Jument\scripts\39ba4de0.adminConfig.js

         'use strict';

         /* global gsb */

         on initialization (e.g., browser incompatibility for feature). */

         gsb.config.showSiteInitPopups = true;

      3. Save the file.

      4. A message similar to the following should appear when using Firefox and Internet Explorer:

         To upload folders, either compress the entire folder and upload the ZIP file, or switch to the Chrome browser.
