Channel: GlobalSCAPE Knowledge Base

Switch to Legacy (Bitvise) SSH Library


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

EFT v7.4.11 and later use an updated SSH library, v7.7.1.0_openssh. Prior to this update, EFT used 1.82_sshlib (Bitvise). If you want to revert to the legacy SSH library, create the registry setting below.

IMPORTANT

In EFT v7.4.11 and later with the updated library: 

  • For non-FIPS implementations, the private keys generated by previous versions should load just fine. RSA, DSA and SSH.com formats are supported.
  • For FIPS implementations, FIPS mode does not support MD5. This means that only the new format keys are supported. The keys themselves are fine; it is the file format that is not supported. As a workaround, you can use third-party tools such as PuTTYGen to convert keys to the new OpenSSH format.

To revert to the legacy SSH library

Create the following registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Type: BOOL

Value name: UseLegacySFTP

Value: 1 = use legacy SFTP; 0 or doesn't exist = use updated SFTP

Restart Required: yes

Backup/Restore: yes


Download Entire Folder Structures Instead of Individual Files


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

You can download entire folders in the WTC. The folder and its files and subfolders are downloaded as a ZIP file. The registry settings below set a maximum number of files/folders allowed in a ZIP file, and the number of ZIP files that can be created at the same time (in parallel).

NOTE: Zipping folders to download applies only to physical folders, not virtual folders (Workspaces). Attempting to download a virtual folder will present an error to the user.

To limit the number of parallel folder-zipping operations on the server and the maximum number of files and subfolders in a zipped folder, create the following registry settings under:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Set the maximum number of parallel folder-zipping operations on the server:

Type: DWORD

Value name: MaxParallelFolderZippers

Default Value: 40

Restart Required: yes

Backup/Restore: yes

Set the maximum number of files/subfolders in a zipped folder:

Type: DWORD

Value name: MaxSubItemsInZippedFolder

Default Value: 32768

Restart Required: yes

Backup/Restore: yes

Add Context Variables and Values to Web Services XML Response


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

In EFT Enterprise, the Web Service allows you to initiate an Event Rule from an external application, such as an enterprise scheduler. After the Event Rule finishes dispatching, the Web Service responds with an XML document that consists of a single "Result" element. Creating the registry setting below modifies that response so that the Event Rule's context variables are also included in the XML document, from which another application can then parse out values.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Setting this value to true (1) will add all context variables to Event Rule Web services response.

Type: BOOL

Value name: EventWebServiceResponseAddContextVariables

Default Value: 0 = default; 1 = add context variables to Invoke Web Services result

Restart Required: yes

Backup/Restore: yes

Reduce the Level of ARM Auditing for Bad Connections (e.g., banned IP, failed authentications)


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

Persistent DDoS attacks against EFT can cause unbounded ARM database growth resulting from bogus connections; in some cases, millions of rows are created (100 GB in a month).

Set the registry setting below to TRUE (1) to reduce the level of ARM auditing for bad connections (banned IP, failed authentications). This conserves ARM database disk space and minimizes index fragmentation when EFT is under heavy connection load, such as brute-force attacks.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Type: BOOL

Value name: MinimalAuditingForInvalidConnections

Value: 1 = reduce ARM auditing; default = 0

Restart Required: yes

Backup/Restore: yes
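The five registry overrides documented in the articles above (UseLegacySFTP, MaxParallelFolderZippers, MaxSubItemsInZippedFolder, EventWebServiceResponseAddContextVariables and MinimalAuditingForInvalidConnections) all live under the same key. The following Python script is an added example, not Globalscape code: it validates each value against its documented type and renders a .reg file that can be imported with reg.exe or Regedit on the EFT server. It assumes the BOOL values are stored as REG_DWORD 0/1, which the articles do not state explicitly; as each article notes, the EFT service must be restarted after the change.

```python
"""Render the EFT registry overrides documented above as a .reg file.

Added example, not Globalscape code. Assumes the documented "BOOL" values
are stored as REG_DWORD 0/1 (an assumption; the articles say only "BOOL").
"""
from __future__ import annotations

from dataclasses import dataclass

# Key path taken from the articles above (EFT Server 7.4 under Wow6432Node).
EFT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4"


@dataclass(frozen=True)
class RegSetting:
    name: str
    kind: str          # "BOOL" or "DWORD", as the articles label them
    value: int
    restart_required: bool = True


def validate(setting: RegSetting) -> None:
    """Reject values outside what the documented type can hold."""
    if setting.kind not in ("BOOL", "DWORD"):
        raise ValueError(f"{setting.name}: unsupported type {setting.kind}")
    if setting.kind == "BOOL" and setting.value not in (0, 1):
        raise ValueError(f"{setting.name}: BOOL must be 0 or 1")
    if setting.kind == "DWORD" and not 0 <= setting.value <= 0xFFFFFFFF:
        raise ValueError(f"{setting.name}: DWORD out of range")


def is_valid(setting: RegSetting) -> bool:
    try:
        validate(setting)
    except ValueError:
        return False
    return True


def render_reg_file(settings: list[RegSetting], key: str = EFT_KEY) -> str:
    """Produce Registry Editor 5.00 text; import it with reg.exe or Regedit."""
    for s in settings:
        validate(s)
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for s in settings:
        # Both BOOL and DWORD are written as dword: with 8 hex digits.
        lines.append(f'"{s.name}"=dword:{s.value:08x}')
    return "\r\n".join(lines) + "\r\n"


def restart_needed(settings: list[RegSetting]) -> bool:
    """Every setting above is documented as 'Restart Required: yes'."""
    return any(s.restart_required for s in settings)


# Settings documented above; defaults kept where the article gives them,
# MinimalAuditingForInvalidConnections set to 1 as the article recommends.
DOCUMENTED = [
    RegSetting("UseLegacySFTP", "BOOL", 0),
    RegSetting("MaxParallelFolderZippers", "DWORD", 40),
    RegSetting("MaxSubItemsInZippedFolder", "DWORD", 32768),
    RegSetting("EventWebServiceResponseAddContextVariables", "BOOL", 0),
    RegSetting("MinimalAuditingForInvalidConnections", "BOOL", 1),
]

if __name__ == "__main__":
    print(render_reg_file(DOCUMENTED), end="")
```

Save the output as a .reg file and import it on the EFT server, then restart the EFT service; the validation step catches a BOOL accidentally set to a value other than 0 or 1 before anything is written.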

SFTP key failed to load for unknown reason


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4.11 and later

SYMPTOM

EFT fails to load the SFTP key after upgrading to a new EFT version; the public key blob is gone. Error message: SFTP key failed to load for unknown reason.

CAUSE

Your version of EFT is using older SFTP keys that are no longer supported in the updated FIPS library. For example, MD5 is no longer a supported hash and is not allowed for FIPS mode.

WORKAROUND

Before upgrading, be sure your SFTP keys are the current keys allowed for FIPS compliance. The older keys use an unsupported file format.

As a workaround, you can convert keys by switching to non-FIPS mode and then exporting your keys and using a tool like PuTTYGen to convert them to the new OpenSSH format.
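To find which keys will fail before enabling FIPS or upgrading (the situation described in this article and in the "Switch to Legacy (Bitvise) SSH Library" article above), an administrator can inventory key files by their on-disk format. The Python script below is an added example, not Globalscape code; it classifies a key by its header line and flags legacy PEM containers, whose encrypted form is the one that depends on MD5. The sample keys are constructed header-only stubs with no key material, and the directory layout used by inventory() is an assumption.

```python
"""Classify SSH private key files by on-disk format before a FIPS upgrade.

Added example, not Globalscape code. The format markers are the standard
PEM/OpenSSH/PuTTY/SSH.com header lines; the sample keys below are
constructed stubs (no real key material) and the file layout is assumed.
"""
from pathlib import Path

# Header line -> label. Legacy PEM (RSA/DSA/EC PRIVATE KEY) headers are the
# "old" format; an encrypted legacy PEM carries a DEK-Info line, and that
# encryption scheme is what relies on MD5 and fails under FIPS.
FORMATS = {
    "-----BEGIN OPENSSH PRIVATE KEY-----": "openssh-new",
    "-----BEGIN RSA PRIVATE KEY-----": "pem-legacy",
    "-----BEGIN DSA PRIVATE KEY-----": "pem-legacy",
    "-----BEGIN EC PRIVATE KEY-----": "pem-legacy",
    "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----": "ssh.com",
    "PuTTY-User-Key-File-2": "putty-ppk",
    "PuTTY-User-Key-File-3": "putty-ppk",
}


def classify_key(text: str) -> dict:
    """Return the format plus whether legacy encryption (DEK-Info) is present."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    fmt = "unknown"
    for marker, label in FORMATS.items():
        if first.startswith(marker):
            fmt = label
            break
    legacy_encrypted = fmt == "pem-legacy" and "DEK-Info:" in text
    return {
        "format": fmt,
        "legacy_encrypted": legacy_encrypted,
        # Per the article, only the new OpenSSH container loads under FIPS.
        "fips_ok": fmt == "openssh-new",
    }


def inventory(directory: Path, pattern: str = "*") -> dict:
    """Map each file under directory to its classification (run before upgrading)."""
    results = {}
    for path in sorted(directory.glob(pattern)):
        if path.is_file():
            results[path.name] = classify_key(path.read_text(errors="replace"))
    return results


# Constructed samples: headers only, body replaced by placeholder text.
SAMPLE_NEW = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_SSHCOM = (
    "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n"
    "PLACEHOLDER\n"
    "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n"
)

if __name__ == "__main__":
    for name, sample in (("new", SAMPLE_NEW), ("legacy", SAMPLE_LEGACY_ENC), ("sshcom", SAMPLE_SSHCOM)):
        print(name, classify_key(sample))
```

Any file reported with fips_ok False should be converted (for example with PuTTYGen, as the article says) before FIPS mode is enabled, since the key material itself remains valid.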

Direct access links do not work with SSO


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4.11

SYMPTOM

Direct access links do not work with SSO

WORKAROUND

Remove the pound sign (#) from the URL.

For example, in the path https://localhost/#/Usr/a/anothertest.txt, remove the # so that you have https://localhost/Usr/a/anothertest.txt.

  1. The WTC login page with the SSO button appears.
  2. Click SSO.
  3. Sign in to SSO with your username and password.

Globalscape's answers to potential vulnerabilities


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All products, all versions

DISCUSSION

Over the past decade, EFT has been subjected to a large number of security assessments and pen tests conducted by Globalscape’s customers across a wide variety of verticals (banking and finance, government, healthcare, retail, etc.).

The type of security testing employed by Globalscape’s customers, along with the tools and techniques used, is often dictated by a combination of the organization’s budget and its internal security posture. Based on historical observations, those techniques are typically grouped into the following three categories, from least to most expensive: 

1. The organization uses internal IT staff to leverage homegrown or freely available tools to perform manual penetration tests, including fuzzing tools, debuggers, and similar tools. 

2. The organization leverages third-party application security testing tools such as HP’s WebInspect, IBM’s AppScan, Tenable’s Nessus, Paladion’s Plynt, among others.

3. The organization outsources pen testing to a third party, such as ProCheckup, OneConsult, Emaze Networks, A&O Corsaire, SEC Consult, LTI, Cenzic Hailstorm, and many others. 

Pen test results of any significance are often shared with Globalscape, typically under NDA. Globalscape has a formal process in place to review potential vulnerabilities. It begins with an in-depth technical assessment by Globalscape’s engineering department, which includes categorizing vulnerabilities according to their security impact using the CVSS scoring methodology, followed by a formal technical response delivered to our customers detailing whether the vulnerability is a false positive or not, its CVSS score where applicable, any workarounds if available, and the expected fix and remediation timeline.

To date, no active exploit or high CVSS scoring vulnerability has been identified, with most vulnerabilities centered around implementation of best practices, such as applying proper anti-CSRF techniques to EFT’s web app pages, using appropriate headers, tagging cookies as HttpOnly, and similar OWASP recommended security techniques. On occasion, a vulnerability is reported as a question, such as “How does EFT mitigate against Spectre, Meltdown, or Poodle?” which may result in a fix being deployed, or simply a knowledgebase article that explains how EFT is or is not affected by said situation.

For the current year (2018) the following vulnerabilities were reported:

  • A lack of comprehensive support for “no-cache” in addition to the already present “no-store” cache controls 

  • Questions on whether EFT was affected by Meltdown or Spectre vulnerabilities.

  • Concern that the CSRF token was communicated in a URL rather than in headers, as best practices recommend, on one of WTC’s pages

  • A request that EFT provide configurable options so as to only accept a given set of host headers to reduce the risk of a host header injection attack (addressed in EFT 7.4.11)

These were minor concerns, with no actual vulnerability or exploit reported, instead mainly consisting of adherence to security best practices.

In addition to customer security testing, which comprises the bulk of EFT’s security testing (due to the broad set of tools and techniques used across our customer base), Globalscape conducts its own security testing by using freely available tools provided by HTBridge and Qualys, applying said scans against each new release of EFT, in particular its public-facing web client app. Customers can repeat these tests in their own environment by accessing these services directly, as results will vary depending on EFT’s configuration. For example, disabling TLS 1.1 in order to force TLS 1.2 will yield a higher score than if TLS 1.1 is left enabled by default.

Through this combination of direct security testing by Globalscape and indirect third-party security testing by our customers, EFT is subjected to an almost constant barrage of tests, which helps us achieve a high level of confidence in the security of our platform. At the same time, we practice “security by design,” continually striving to find that perfect balance between optimal flexibility while minimizing attack vectors, so that we can maintain our long-standing reputation as a highly secure yet infinitely flexible MFT platform.

Any security vulnerabilities found were promptly addressed and included in subsequent patch or major release versions of the software, as captured in the version history. (On the version history page for your product, search for "security.")

Below is a list of Globalscape Knowledgebase articles discussing vulnerabilities addressed in our products.

All products:

11193, Does the GHOST vulnerability affect any Globalscape products

EFT:

10589, TCP Sequence Number Approximation Vulnerability

11003, Q: What is GlobalSCAPE’s response to the SSL/TLS BEAST exploit?

11096, Is EFT Server vulnerable to the CRIME attack on the SSL protocol?

11173, EFT and SSL Vulnerabilities

11187, The POODLE OpenSSL Vulnerability and Enhanced File Transfer (EFT)

11259, Is EFT affected by CVE-2015-4000 (AKA "Logjam")?

11317, Is EFT vulnerable to SSL vulnerability CVE-2016-6303 (DoS attack)?

11397, Bleichenbacher's ROBOT Vulnerability

11400, Is EFT affected by the recent “Meltdown” and “Spectre” vulnerabilities?

Mail Express:

11166, The Heartbleed OpenSSL Vulnerability and Mail Express

11186, The POODLE OpenSSL Vulnerability and Mail Express

11261, Mail Express® is NOT vulnerable to the Apache Commons Library exploit

DMZ Gateway:

10646, DMZ Gateway version 3.x uses Java 1.6.0 build 14. Is there any concern over known remote vulnerabilities in this version of Java?

CuteFTP:

11359, Is the HTML editor in CuteFTP affected by the compromised scilexer.dll?

Renewing Support for M&S Past Expiration


Customers who have let their maintenance and support coverage expire and want to reactivate it will need to purchase a new M&S contract (and, potentially, pay a Reconnect Fee) based on the following:

  • If Maintenance and Support has been expired for less than 6 months, the new contract will have a start date based on last date of expiration.
  • If Maintenance and Support has been expired for greater than 6 months, the contract will have a start date of “Today”; however, a Reconnect Fee will be applied to the quote. The Reconnect Fee is based on the full value of the customer's M&S between the customer’s expiration date and the start date of the new M&S renewal order.
  • If the Reconnect Fee causes the quote to be higher than a new license sale, the customer has the option to purchase the new license with maintenance and support.

If you have any questions, please contact our renewals team at renewals@globalscape.com


Is EFT installed in a Microsoft Azure environment compatible with the Azure SQL database?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Enterprise in a Microsoft Azure environment ("Bring Your Own License (BYOL)")

QUESTION

Is EFT installed in a Microsoft Azure environment compatible with the Microsoft Azure SQL database?

ANSWER

Yes. 

If you want to learn more about installing EFT in a private or public cloud, refer to the following articles:

EFT Penetration Test Results FAQ


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7 and later

DISCUSSION

Below are a few answers to penetration test results that come up frequently, which are either false positives, misconfigurations, issues addressed in newer versions, or simply misunderstandings of how EFT works.

  1. EFT appears to allow unrestricted file uploads. What prevents people from uploading malicious files?
     • The purpose of EFT, as with any Managed File Transfer (MFT) application, is to facilitate file transfers from authorized users. Risk mitigation controls include: access-level controls that control whether users can upload, download, or perform other CRUD operations on files; disk quota limits to avoid resource abuse; and ICAP integration for optionally analyzing uploaded files for malware, viruses, or unauthorized data (via integration with DLP devices). EFT also provides the ability to specify banned file types (by extension), and controls that can limit the number of connections, bandwidth utilized, and more.
  2. It appears that certain headers are missing, such as the X-FRAME-OPTIONS header and/or CSP headers. Is this a clickjacking vulnerability?
     • In addition to frame-busting code, two HTTP headers should be employed to protect against clickjacking. The X-FRAME-OPTIONS header supports options that help protect against clickjacking. The "DENY" option prevents supporting browsers from rendering the page if it resides inside any iframe. The "SAMEORIGIN" option prevents browsers from rendering the page in an iframe on any page hosted outside the framed page's domain. The Content-Security-Policy header, which specifies whitelists of trusted content that the browser may load along with page content, can be set to prevent a page from being framed using the "frame-ancestors" directive, for example "Content-Security-Policy: frame-ancestors 'none'". EFT v7.4.11 provides full control over CSP headers and sends them by default. (To configure them, refer to https://kb.globalscape.com/KnowledgebaseArticle11435.aspx.) EFT supplies the X-FRAME-OPTIONS header (DENY and SAMEORIGIN) in all responses except the root page, as navigating to the root results in a redirect to /login, which does include that header.
  3. Is EFT’s web app using a vulnerable version of the jQuery library?
     • EFT uses the latest libraries for the particular track of jQuery leveraged by the web client (as there are multiple version tracks). Furthermore, EFT’s web client does not leverage the handful of methods exposed by the library that are deemed vulnerable.
  4. Does EFT support HSTS?
     • This feature is available as of 7.4.10 but is not enabled by default. To enable HSTS, you must first enable HTTPS and the HTTP->HTTPS redirect feature under Site > Connection settings. In an upcoming version, HSTS only requires that HTTPS be enabled (it is decoupled from the HTTP->HTTPS redirect feature). Note that HSTS is only ever sent when either an HTTPS connection is made directly by a client, or the client attempted to connect over HTTP and EFT’s HTTP->HTTPS redirect feature is enabled. When HSTS is enabled, EFT sends a special response header, "Strict-Transport-Security", to the client with a duration of time specified (the default is 15 minutes in 7.4.10 and changes to 1 year in an upcoming version; it is configurable by the EFT admin). Once a supported browser receives this header, that browser records this setting and will only make requests to the application over HTTPS for the duration of time specified in the header, even if the user types in “http:”, without the “s”. Any links to resources over HTTP will be redirected to HTTPS before the request is made. Applications that do not use the HTTP Strict Transport Security policy are more susceptible to man-in-the-middle attacks via SSL stripping, which occurs when an attacker transparently downgrades a victim's communication with the server from HTTPS to HTTP. Once this is accomplished, the attacker gains the ability to view and potentially modify the victim's traffic, exposing sensitive information and gaining access to unauthorized functionality.
  5. When analyzing the secure connection, it appears that TLS v1.0 is in use. Isn’t that insecure?
     • EFT can be configured to use TLS v1.1 or v1.2. In fact, TLS v1.0 is disabled by default.
  6. The path attribute of the session cookie is set to "/". Isn’t that overly broad?
     • This is by design, as all resources under "/" are meant to be accessible to users, depending on the ACLs of that user or their inherited permissions group. Keep in mind that EFT is a file transfer server app, not a SaaS app where restricting resources under the domain would normally apply.
  7. After I authenticate, if I close my browser or browser tab, then re-open my browser and navigate back to my same path, it appears I’m still authenticated. Shouldn’t closing my browser kill the active session?
     • The only guaranteed method of killing a session is to log off (upper right corner in the web client). If you close your browser, the session will expire naturally (set to 5 minutes by default, admin configurable). The reason why closing your browser doesn’t kill the session boils down to the fact that when the browser is exiting, its priority is to exit, without much care for what each open app (in each tab) wants. This behavior is common, whether it be an online file sharing app, your bank, or any other secure site. As such, you should always instruct your users to log off manually, or, for further risk mitigation, set the session timeout value to a shorter timeframe. We do have an optional, experimental feature that attempts to kill the session on tab or browser unload, but the usability side effects are pretty bad (such as a page refresh resulting in log-off). Contact support if you want more details on that override.
  8. Does EFT provide any sort of protection against cross-site request forgery?
     • Yes. EFT supports an anti-CSRF technique called double-cookie submit, where a CSRF token is sent with each request in a header (or in the URL in some cases) and in a cookie, which mitigates against common CSRF-style attacks.
  9. It appears the token cookie is not set to HttpOnly. Doesn’t this create a vulnerability where the cookie can be read by JavaScript?
     • EFT designates the web session cookie, which is the authentication cookie, as HttpOnly. What you are seeing is the CSRF token cookie. It is not marked as HttpOnly because the web client needs to read in this value so that it can pass the token along to EFT when requesting resources. There are plenty of resources online that explain why making the CSRF token HttpOnly is completely unnecessary.

Web page does not render correctly in Internet Explorer

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.x and later

SYMPTOM

Web page does not render correctly in Internet Explorer

CAUSE

By default, IE displays web pages in the intranet zone in "Compatibility View."

RESOLUTION

1. In Internet Explorer, click Tools > Compatibility View settings. (Press ALT if the menu is not displayed.)

2. Clear the check box next to Display intranet sites in Compatibility View.

3. Click Close.

4. Some intranet pages may not display correctly with Compatibility View disabled. In those instances, you can add specific URLs to the Compatibility View dialog box.

Event Rule with DSA SSH key still running while FIPS enabled

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.x and later

SYMPTOM

An Event Rule that uses a DSA SSH key is still running while FIPS is enabled.

WORKAROUND

Restart the EFT server service after enabling FIPS.

MORE INFORMATION

EFT sets FIPS mode when the server service starts and caches that state; therefore, a restart is required for the EFT server service to re-read the FIPS mode status.

How do I prevent users from uploading malicious files to EFT?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

QUESTION

How do I prevent users from uploading malicious files to EFT?

ANSWER

The EFT file transfer server allows you to connect with any industry-standard file-transfer client to transfer files. In theory, those files could carry a virus, include malware, or contain information that violates company policy. EFT implements several safeguards to prevent unwanted files. The first layer of defense is authentication and user access permissions, which allow you to permit or block standard file transfer operations (upload, download, rename, etc.). Additional safeguards include the ability to block files with specified extensions, detect whether a user has renamed an uploaded file (to circumvent the blocked file extension), integrate with content inspection/virus detection software, or rely on locally running anti-virus/malware detection software. The procedure below describes how you can configure an EFT Site to block file extensions, detect when a file is renamed, and scan the file with antivirus/DLP tools via an ICAP server. EFT auditing and reporting can also show you which user or IP address uploaded the file, in case you need to take steps such as disabling the user account or banning their IP.

First, designate which extensions are allowed (or not allowed) for uploads.

Then create an Event Rule that detects renames and, if a file is renamed to an EXE extension, performs an action (delete the file, send a notification, or other).

Of course, you should also consider setting up a virus scanner or similar file inspector, and leverage EFT’s ICAP protocol to integrate with that solution. The "Content Integrity Control" action allows EFT to identify and block malicious files, regardless of extension, or prevent the loss of company confidential information (if linked to a DLP device).

Penetration testing reports indicate that uploading files to EFT is a security risk. How can I prevent that?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

QUESTION

Penetration testing reports indicate that uploading files to EFT is a security risk. How can I prevent that?

ANSWER

Web application vulnerability scans are not always applicable to EFT.

It is important to understand that EFT is essentially a file server, not a web server. Its intended purpose is for *authorized* users to upload, download, create folders, move files, rename files, and otherwise manage files. Therefore, allowing *authorized* users to upload files is not a security vulnerability, but a feature of EFT.

Still, what if, purposely or otherwise, an authorized user uploads malicious files, or files with content that violates company policy? EFT provides various means of mitigating this risk:

  • Disable uploads altogether by removing the upload permission; however, that would be desirable only for situations where you want to limit customers or partners to file downloads (e.g., insurance forms, invoices, reports, documentation, etc.).
  • Leverage EFT’s banned extensions feature: you can ban certain file types from being uploaded, even by authorized users (e.g., perhaps you want to prevent users from uploading music and video files).
  • Leverage EFT’s ICAP feature to inspect uploaded files: EFT Event Rules can be defined to scan files for viruses, personally identifiable information, and so on, and prevent their transfer.
  • Enforce standard best practices for user accounts and password security, such as not allowing anonymous uploads, creating a unique account for each user, frequently changing passwords, using complex passwords, not reusing former passwords, etc.

EFT employs numerous tactics to protect the security of your data. For details of configuration and security best practices, please refer to https://kb.globalscape.com/KnowledgebaseArticle11312.aspx, where you will find the Security Best Practices checklist, which provides recommendations for increased security when managing your data with EFT.
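The banned-extension and rename-detection controls described in this article and the previous one ("How do I prevent users from uploading malicious files to EFT?") can be reproduced as a small policy check. The Python below is an added example, not EFT code: it blocks uploads whose final extension is banned (including double extensions such as invoice.pdf.exe), flags a rename that turns an allowed name into a banned one, and runs both over a constructed event stream whose (operation, user, old name, new name) shape is an assumption rather than EFT's log format.

```python
"""Banned-extension and rename-evasion checks for an upload policy.

Added example, not EFT code; the extension list and the event stream below
are constructed, and the event tuple layout is assumed.
"""
from pathlib import PurePosixPath

# Constructed banned list; EFT's own list is whatever the admin configures.
BANNED = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs"}


def extensions_of(filename: str) -> list:
    """All suffixes, lower-cased, so 'invoice.pdf.exe' yields ['.pdf', '.exe']."""
    return [s.lower() for s in PurePosixPath(filename).suffixes]


def upload_allowed(filename: str, banned=BANNED) -> bool:
    """Block if the final extension is banned (what a banned-extension list does)."""
    exts = extensions_of(filename)
    return not (exts and exts[-1] in banned)


def rename_evades_ban(old_name: str, new_name: str, banned=BANNED) -> bool:
    """True when a rename turns an allowed name into a banned one."""
    return upload_allowed(old_name, banned) and not upload_allowed(new_name, banned)


def review_events(events: list, banned=BANNED) -> list:
    """Flag uploads and renames in a constructed event stream.

    Each event is (op, user, old_name, new_name); uploads carry new_name None.
    """
    alerts = []
    for op, user, old, new in events:
        if op == "upload" and not upload_allowed(old, banned):
            alerts.append(f"{user}: blocked upload of {old}")
        elif op == "rename" and rename_evades_ban(old, new, banned):
            alerts.append(f"{user}: rename {old} -> {new} bypasses banned extensions")
    return alerts


# Constructed sample events, including the rename pattern the article describes.
SAMPLE_EVENTS = [
    ("upload", "alice", "report.pdf", None),
    ("upload", "bob", "tool.exe", None),
    ("upload", "carol", "payload.txt", None),
    ("rename", "carol", "payload.txt", "payload.exe"),
    ("rename", "dave", "a.doc", "a.docx"),
]

if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert)
```

An extension check is only the first layer: as the article says, content inspection through ICAP catches files whose extension says nothing about their contents.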

Does EFT support Elliptic Curve DSA (ECDSA) for certificate authentication?

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, all versions

QUESTION

Does EFT support Elliptic Curve DSA (ECDSA) for certificate authentication?

ANSWER

Yes; however, you must use external tools to create an ECC certificate, as EFT’s built-in certificate generator only supports generation of certificates that support RSA authentication. Note: The authentication mode is distinct from the key-exchange mode, encryption cipher, or message authentication code.

To create an ECDSA-compatible certificate:

1. Download and install OpenSSL on a Linux system, or use a Windows-compatible version such as the one available from https://slproweb.com/products/Win32OpenSSL.html.
2. Run the OpenSSL binary to open a command prompt, or add OpenSSL to your PATH and type OpenSSL to launch it.
3. Generate a self-signed ECC certificate pair by running each of these commands in turn. Precede each line with OpenSSL unless you are running from within the OpenSSL app. The first command generates a private key. The second command generates a certificate, prompting you for certificate details. The last command encrypts the private key created earlier, prompting you to enter a passphrase.
   • ecparam -name secp384r1 -param_enc named_curve -genkey -out private.pem
   • req -new -x509 -key private.pem -out public.pem -days 730
   • ec -in private.pem -out encprivate.pem -aes256

   Note that the EC curve name (secp384r1) may not be supported by all browsers. You can find other options in RFC 5480 or similar.

4. Copy public.pem and encprivate.pem to a folder on your EFT server, then browse to the public and private key from Site > Connections tab > SSL certificate settings > Configure. Make sure you specify the passphrase you entered earlier.
5. Back in EFT’s Server > Security tab, you can now select cipher strings that support ECDSA as the authentication mode, e.g., ECDHE-ECDSA-AES256-GCM-SHA384.

Note that if you do not generate an ECDSA certificate, you can still list ciphers that support it in EFT’s SSL cipher settings. The client/server SSL handshake will negotiate ciphers that both support, and will require that you have at least one RSA (or no-authentication) cipher in the list for a successful handshake to be established. If the client only supports ECDSA authentication, then the handshake will fail, even though you’ve listed ECDSA-compatible ciphers, unless you have specified an ECC certificate in EFT’s connection settings, as documented above.
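The last note above describes a handshake failure mode: ECDSA-authenticated ciphers in the cipher string only work when an ECC certificate is configured, and an RSA certificate needs at least one RSA (or no-authentication) cipher left in the list. The Python below is an added example, not EFT code, that checks a colon-separated OpenSSL-style cipher list for exactly that before the list is applied in EFT's Server > Security tab. Its classification of a cipher's authentication method from the cipher name is a simplified heuristic (an assumption for this example), not OpenSSL's own cipher table.

```python
"""Check an OpenSSL-style cipher list against the handshake caveat above.

Added example, not EFT code. auth_of() infers the authentication method
from the cipher name with a simplified heuristic (an assumption), covering
the common ECDHE-ECDSA-*, ECDHE-RSA-*, DHE-DSS-*, anonymous and PSK names.
"""


def auth_of(cipher: str) -> str:
    """Classify the authentication part of an OpenSSL cipher name."""
    name = cipher.upper()
    if name.startswith(("ADH-", "AECDH-")) or "ANULL" in name:
        return "none"
    if "-ECDSA-" in name:
        return "ECDSA"
    if "-DSS-" in name:
        return "DSS"
    if "-PSK" in name or name.startswith("PSK-"):
        return "PSK"
    # Names with no kx/auth prefix (e.g. AES256-GCM-SHA384) and *-RSA-* use RSA.
    return "RSA"


def check_cipher_list(cipher_string: str, ecc_cert_configured: bool) -> list:
    """Return warnings for a colon-separated cipher list; an empty list means OK."""
    # Drop exclusions/modifiers such as !aNULL, -MD5 or +HIGH; they add nothing.
    ciphers = [c for c in cipher_string.split(":")
               if c and not c.startswith(("!", "-", "+"))]
    auths = {auth_of(c) for c in ciphers}
    warnings = []
    if "ECDSA" in auths and not ecc_cert_configured:
        warnings.append("ECDSA ciphers listed but no ECC certificate configured; "
                        "clients that only support ECDSA auth will fail to negotiate")
    if not ("RSA" in auths or "none" in auths) and not ecc_cert_configured:
        warnings.append("no RSA (or no-auth) cipher in the list; a handshake with an "
                        "RSA certificate cannot succeed")
    if "none" in auths:
        warnings.append("anonymous (no-auth) ciphers present; they satisfy the handshake "
                        "but provide no server authentication")
    return warnings


# Constructed sample lists.
SAMPLE_ECDSA_ONLY = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
SAMPLE_MIXED = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL"

if __name__ == "__main__":
    print(check_cipher_list(SAMPLE_ECDSA_ONLY, ecc_cert_configured=False))
    print(check_cipher_list(SAMPLE_MIXED, ecc_cert_configured=True))
```

With an RSA certificate only, the first sample yields two warnings and the mixed list one; once the ECC certificate from the procedure above is configured, both lists pass.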


    Can I configure an EFT administrator account such that it can have access to EFT Insight, but not have ANY administrative capabilities over EFT?

    $
    0
    0

    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v7.1 and later
    • EFT Insight all versions

    QUESTION

    Can I configure an EFT administrator account such that it can have access to EFT Insight, but not have ANY administrative capabilities over EFT?

    ANSWER

    Yes, you can configure EFT to accomplish this in one of the following ways:

    Using EFT Admin accounts:

    1. Create a new EFT admin account. (see below)
    2. Assign the account to a “Change Password” level of admin.
    3. Assign that admin to a dummy Settings Template (one with no users).
    4. Ensure that Run & Edit Reports is selected for that admin account.
    5. Apply changes.

    Using Windows Admin accounts:

    1. Create a group in AD for Insight-only admins.
    2. Add desired AD users to the newly created AD group.
    3. In EFT, add a new admin and specify the AD group created earlier.
    4. Assign to that new account to a “Change Password” level of admin.
    5. Assign that admin to a dummy Settings Template (one with no users).
    6. Ensure that Run & Edit Reports and COM is selected for that admin account
    7. Apply changes.

    To create an administrator account

    1. In the administration interface, connect to EFT and click the Server tab.

    2. On the Server tab, click the Server node to which you want to add an administrator account.

    3. In the right pane, click the Administration tab.

    4. In the Administrator Access and Permissions area, click Add. The Create Administrator Account dialog box appears.

    5. Specify either Windows Authentication or EFT Authentication. (Windows Authentication is available in EFT Enterprise.)

      • If you choose EFT Authentication, specify the account details:

      1. Define a user name for the account.

      2. Define and confirm a password for the account or click Generate to generate a strong password.

    6. Passwords are case-sensitive; the username and password fields each cannot exceed 1024 characters. If the Password and Confirm boxes do not match, the OK button is disabled. Retype the passwords.

    7. If you choose Windows Authentication, click Browse to specify the User or group. The Select User or Group dialog box appears.

      1. To expand the dialog box, click Advanced.

      2. To specify the type of object to search for (User or Group), click Object Types. The Object Types dialog box appears.

      3. By default, both groups and users are searched. To search only groups, clear the Users check box; to search only users, clear the Group check box, and then click OK.

      4. Click Locations to specify a network address to search. The Locations dialog box appears with available locations displayed. Click a location, and then click OK.

      5. In the Select User or Group dialog box, use the Common Queries area to search for a specific user or group.

      6. After you have specified your search criteria, click Find Now. The search results appear.

      7. Click the user or group that you want to use for this account, and then click OK. The user or group appears in the Create Administrator Account dialog box.

      8. Click OK.

      AD accounts that are part of the local computer’s Administrator’s group will not appear when browsing the “local computer” because these accounts are AD accounts, not local. AD accounts will appear when browsing the "AD" scope.
      You can select AD accounts when performing remote administration as long as the administration interface and EFT are in the same domain or working across trusted domains.

      The new user appears in the Admin account names box.

    8. Click the Selected account permissions policy box, then specify the functions this account can control. (Refer to Delegated Administration for details of each type.)

    9. If you specified that the account is a Site Admin, Template Settings Admin, Change Password Admin, or User Admin, theassignment dialog box appears.

    10. Specify one or more items in the Available box, then double-click the selection or click Add, then click OK. The assignment appears in the Assigned to list.

    11. Password Policy and Account Policy options apply to all EFT-managed administrator accounts defined on this Server. The Selected account permissions policy (Site Admin, User Admin, etc.) and Optional permissions (Reports and COM) apply only to the account selected.

    12. Click Apply to save the changes on the Server.

    Cannot complete EFT Insight installation; unable to connect to ODBC database


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT Insight, all versions

    SYMPTOM

    Cannot complete EFT Insight installation, because it is unable to connect to the ODBC database.

    RESOLUTION

    EFT Insight requires a connection to the EFT database to acquire data. If the database is not available, it will not complete installation. 

    You can work around this issue in one of two ways:

    • In the Server > Logs tab, in the Authentication area, with SQL Server selected, provide the username and password to connect to the database.
    • In the Server > Logs tab, in the Authentication area, select Windows authentication.

    When using an ODBC database in EFT, the full ODBC connection string must be entered in the Database host address field, and that connection string must include the uid and pwd fields.

    e.g.: DRIVER=SQL Server Native Client 11.0; DATABASE=EFTDB; SERVER=192.168.102.145\OURTESTSQL; uid=Bob123; pwd=Test123!

    What EFT Services listen on HTTP (default 80) or HTTPS (default 443) ports?


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT v7. and later

    QUESTION

    What EFT Services listen on HTTP (default 80) or HTTPS (default 443) ports?

    ANSWER

    EFT has a number of services that if enabled, will start either the HTTP or HTTPS listener (or both), with the port number defined next to either the “HTTP” or “HTTPS” (file transport) toggle in EFT’s Site > Connections tab. (See screen shot below.)

    Note that simply disabling the HTTP or HTTPS transport engine may not disable HTTP/S listeners, as there are other services that use those, as described below.

    Below is the logic used by EFT to determine whether a particular insecure (not SSL/TLS protected) or secure (SSL/TLS protected) listener is used.

    1. EFT starts the insecure listener if:
       • HTTP is ON for site
    2. EFT starts the secure listener if:
       • HTTPS is ON for site, OR
       • AS2 is ON for site, OR
       • Web Services (SOAP) is ON for site, OR
       • Account management page is ON for site
    3. EFT auto-redirects plaintext => SSL if:
       • ASM module is registered, AND
       • Auto-redirect HTTP -> HTTPS is ON for site, OR CAC authentication is ON for site
    4. EFT processes the login page:
       • Via both plaintext and SSL listener
    5. EFT processes HTTP file transfers if:
       • HTTP is ON for site, AND
       • HTTP is ON for user (directly or via inheritance), AND
       • Auto-redirect HTTP -> HTTPS is OFF
    6. EFT processes HTTPS file transfers if:
       • HTTPS is ON for site, AND
       • HTTPS is ON for user (directly or via inheritance), OR
       • HTTP -> HTTPS redirect is ON
    7. EFT processes the account management page (/manageaccount):
       • Via SSL listener only, AND
       • For authenticated users only
    8. EFT processes MTC requests:
       • Via SSL listener only
    9. EFT processes AS2 requests:
       • Via both plaintext and SSL listener*
    10. EFT processes (REST) Workspaces requests:
       • Via both plaintext and SSL listener*
    11. EFT processes (SOAP) Web-service requests:
       • Via both plaintext and SSL listener*

    *See the conditions above for when connections are processed using the insecure vs. the secure listener.

    12. EFT processes (REST) Administrator requests:
       • Via SSL listener only (port 4450 by default, configured on the Server > Administrator tab)

    For security best practices:

    • Disable HTTP unless you absolutely require it (unlike the HTTPS listener, no other service will start it automatically if it is disabled for transport, under the Site > Connections tab)
    • If HTTP is enabled, we recommend you enable the “Redirect all plaintext HTTP traffic to HTTPS”
    • Preferably, only enable Account Management if you also plan on enabling HTTPS (for transfers)
    • Don’t enable AS2 or MTC/Mobile access if not necessary
    • Don’t enable Web Services unless you plan on invoking event rules via SOAP calls
    • When using HTTPS, also enable HSTS
    • Always use a strong set of ciphers (see Server > Security tab)
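The listener rules and the best-practice list above, modelled as a small audit helper. This is an added example, not GlobalSCAPE code: the field names and finding text are this example's own, and the AND/OR precedence in the file-transfer rules is an assumption (site toggle AND (user toggle OR redirect)).

```python
from dataclasses import dataclass


@dataclass
class SiteConfig:
    """Site > Connections toggles that drive the listener logic.
    Field names are this example's own, not EFT setting identifiers."""
    http: bool = False                 # HTTP (file transport) ON
    https: bool = False                # HTTPS (file transport) ON
    as2: bool = False
    soap: bool = False                 # Web Services (SOAP)
    account_management: bool = False
    mtc: bool = False                  # MTC / mobile access
    asm_registered: bool = False       # ASM module registered
    redirect_http_to_https: bool = False
    cac: bool = False                  # CAC authentication
    hsts: bool = False


def listeners(s: SiteConfig) -> set:
    """HTTP starts only on the HTTP toggle; HTTPS is also started by AS2,
    SOAP or account management even when HTTPS transport is off."""
    started = set()
    if s.http:
        started.add("http")
    if s.https or s.as2 or s.soap or s.account_management:
        started.add("https")
    return started


def auto_redirects(s: SiteConfig) -> bool:
    """Plaintext => SSL redirect needs ASM plus the redirect toggle or CAC."""
    return s.asm_registered and (s.redirect_http_to_https or s.cac)


def processes_http_transfers(s: SiteConfig, user_http: bool) -> bool:
    return s.http and user_http and not s.redirect_http_to_https


def processes_https_transfers(s: SiteConfig, user_https: bool) -> bool:
    # Assumed precedence: site HTTPS AND (user HTTPS OR redirect ON).
    return s.https and (user_https or s.redirect_http_to_https)


def audit(s: SiteConfig) -> list:
    """Findings against the best-practice list (wording constructed here)."""
    findings = []
    if s.http and not s.redirect_http_to_https:
        findings.append("HTTP enabled without redirect of plaintext HTTP to HTTPS")
    if s.account_management and not s.https:
        findings.append("Account management starts the HTTPS listener but HTTPS transfers are off")
    if s.as2 or s.mtc:
        findings.append("AS2/MTC enabled: confirm it is actually required")
    if s.soap:
        findings.append("Web Services (SOAP) enabled: only needed to invoke event rules via SOAP")
    if s.https and not s.hsts:
        findings.append("HTTPS enabled without HSTS")
    return findings
```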

    The section of EFT in question (not counting 12 above):

    EFT fails to start one or more Sites


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.4.13

    SYMPTOM

    EFT fails to start one or more Sites

    CAUSE

    EFT falsely determines that the Site's ports are in use, because the ports were not de-allocated before the service restart completed; this is usually due to powerful hardware that lets the service restart with little to no delay.

    RESOLUTION

    Configure the following registry settings to insert a slight delay before restarting, or retry Site start a few times when the initial attempt fails.

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

    Value name: SiteStartDelay

    Type: DWORD

    Default Value: 0 = no delay (default behavior); any other decimal value = milliseconds to insert a delay before the initial start

    Cached: yes

    Backup/Restore: yes

    Value name: SiteStartRetries

    Type: DWORD 

    Default Value: 0 = no retry (default behavior); any other decimal value = number of retries

    Cached: yes

    Backup/Restore: yes

    Value name: SiteStartRetryDelay

    Type: DWORD

    Default Value: 0 = no retry delay (default behavior); any other decimal value = retry delay in milliseconds

    Cached: yes

    Backup/Restore: yes

    SAML times out when authenticating on EFT


    THE INFORMATION IN THIS ARTICLE APPLIES TO:

    • EFT, v7.4.13 and later

    SYMPTOM

    Authentication on the IdP is slow, causing SAML to time out when authenticating on EFT.

    RESOLUTION

    A registry option is available to override the default timeout setting: 

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

    Type: DWORD

    Value name: SAMLSSOMaximumRequestTimeoutInMs

    Default Value: 5 minutes if not specified; otherwise, specify the time in milliseconds; maximum allowed is 4294967295 milliseconds (~71 minutes)

    Cached: no

    Backup/Restore: no
