The topics below provide instructions for installing and configuring Secure FTP Server and its SFTP module, and for configuring Windows so that Secure FTP Server interoperates with Cisco CUCM versions 5.1 and 6.1. Follow the steps in order as described in this guide.
Install the Server and the SFTP module and activate Secure FTP Server.
Configure CUCM to transfer data using Secure FTP Server.
For more information about GlobalSCAPE's Secure FTP Server, visit http://www.globalscape.com/gsftps/.
For instructions for adding user accounts and other Secure FTP Server configuration procedures, refer to the in-application help or the online help at http://help.globalscape.com/help/secureserver3/.
Download the Secure FTP Server software and the SFTP module on GlobalSCAPE's download page, at http://www.globalscape.com/downloads/gsftps.aspx.
To install Secure FTP Server
Double-click the executable to start the installer. The Welcome page appears.
Click Next. The License Agreement appears.
You must read and then accept the license agreement (click Yes) in order to continue.
Click Next. The Destination Location page appears.
Specify the folder in which to install Secure FTP Server, then click Next. The Select Components page appears.
The FTP Server and Administrator Interface check boxes are selected by default.
FTP Server: This component installs the Server that runs as an NT Service.
Administrator Interface: This component is the administrative interface for the server. It must be installed on the server machine and it may be installed on a separate machine to provide remote administration over TCP/IP.
Click Next. The Administrator Account Settings page appears.
Create a username and password that you will use to connect to and administer Secure FTP Server, then click OK.
If the administrator username or password is lost, you will not be able to administer the Server. Resetting the administrator account is possible, but will result in the loss of all user and group specific settings.
The Server service and Administrator interface are installed and the Finished Setup page appears.
The Launch Administrator Interface check box is selected by default. Select the View README file check box if you want to read the release notes, then click Finished. The GlobalSCAPE Secure FTP Server Administrator and the Connect to FTP Server dialog box appear.
Provide the administrator Username and Password that you created during installation, then click Connect. The Welcome dialog box appears.
If you are evaluating the software, a trial serial number is needed to continue. If you have not already received a trial serial number, you can request one on the GlobalSCAPE support pages. Click Enter Trial Serial Number and follow the instructions.
If you have purchased the software, click Enter Serial Number and follow the instructions.
The Registration wizard appears.
Type or paste your serial number in the Serial Number box, then click Next. The Personal Details page appears.
The information on this page can be used to verify your account if you need to contact Customer Support. Complete the personal details fields, then click Next. Registration of the Server is complete.
Click Finish. The Create New Site wizard appears.
Provide a Name for the Site or keep the default name. This name will appear in the Server tree.
Click the Listening IP list, then click the address of the computer or keep the default of All incoming.
In the Port box, type or select the port number. The default port used for FTP connections is 21; however, you can enter any value between 1 and 65,535. (If you are using the site for secure FTP connections, you can later turn off plain FTP access on the Connection Options tab.)
Assigning port numbers under 1024 may lead to conflicts with other programs running on your computer.
The FTP connection to the Server is called a Site. If you want the connection to be available immediately, select the Start site automatically after creation check box. Otherwise, you can clear the check box and start the Site later.
Specify the Authentication method. The default method is GlobalSCAPE Secure FTP Server Authentication. GlobalSCAPE Authentication does not rely on outside sources for user information. All information in the authentication database is protected from the operating system, contained within the .aud file located in the Server installation folder, and encrypted, and can only be modified through the Administrator
If you need to use NT Authentication, see Creating a site that uses NT authentication.
If you need to use ODBC authentication, see Creating a site that uses ODBC authentication.
Click Next. The Authentication Options page appears.
Provide the path at which to store the user database. Leave the default path unless you want to store the authentication database in a new location.
In the User list refresh interval list, specify how often the Server should check the authentication database for new users (Never, every 5, 15, or 30 minutes, 1, 2, 6, or 12 hours, or once per day).
Click Next. The final page of the wizard appears.
In the Default FTP Root Folder area, specify a path to the root folder for the site.
Select the Create standard subfolders check box to automatically create Bin, Pub, Usr and Incoming folders with appropriate permissions under the root folder. This is selected by default, but is only necessary if you are trying to mimic a typical default *nix Server setup.
Select the Enable anonymous access to the server check box to create an anonymous account that does not require a password. The account will have limited permissions.
Select the Auto assign home folders to site users check box to automatically create a user folder under \Site Root\Usr\ when a new user is added.
Click Finish. If the root folder has not already been created, you are prompted to do so.
Click Yes. The folder is created and the Create New Site wizard closes.
Secure FTP Server is now configured to allow FTP connections at the IP address and port that you specified.
Next: Activate the SFTP module so that you can configure it to allow the Site to use SFTP to connect to Secure FTP Server.
The SFTP module requires the purchase of an SFTP module license.
To activate the module
On the main menu, click Help > Enter SFTP Module Serial Number.
The Registration Wizard appears.
Follow the instructions in the wizard to activate the module. (Refer to the procedure for activating the Server, if necessary.)
To configure SFTP
In the left pane, click the Site.
In the right pane, click the SFTP Settings tab.
Select the Enable SFTP check box.
In the SFTP Port box, specify which port to use, if different from the default of port 22.
In the Site key pair box, provide the path to the .pvk file to use for the SSH2 public/private key pair.
If you do not yet have a key pair, click Create to create a key pair. The Create SSH2 Public/Private Keypair dialog box appears. Type a name for the key pair and the location in which to store it, then click Finish. The Server generates and stores the key pair.
In the Use encryption algorithms list, select the check boxes for the algorithms you want to allow for encrypting SFTP sessions. The Server tries each selected algorithm with the client until one is agreed upon.
In the Use MAC algorithms list, select the check boxes for the algorithms to use for message authentication. The Server tries each selected MAC with the client until an algorithm is agreed upon.
Click Apply. A message appears telling you that the Site must be restarted for the changes to take effect.
Click Yes.
Setup of Secure FTP Server and the SFTP module is complete.
Next: Follow the procedures below to create a Windows account for Secure FTP Server for secure connections, and make some changes to the registry for optimum performance.
To secure the computer on which the Server is installed, create a Windows user account for the Server and grant restrictive permissions to that user account. Setting up a user account increases security, but is not required to run the Server.
To create a user account in Windows XP Professional or Windows 2000
After you install the Server, on the Desktop, right-click My Computer, then click Manage. The Computer Management console appears.
Expand the Local users and groups node, right-click Users, then click New User.
The New User dialog box appears.
Create the user account (e.g., GSFTPS), click Create, then click Close.
Close the Computer Management console.
In Administrative Tools, double-click Local Security Policy. The Local Security Settings dialog box appears.
Expand the Local Policies node, then click User Rights Assignment.
In the right pane, in the Policy column, double-click Act as part of the operating system.
The Properties dialog box appears.
Click Add User or Group. The Select Users or Groups dialog box appears.
Click Advanced, then click Find Now. The dialog box expands and displays the new user account that you just created (GSFTPS).
Select the Server's account (e.g., GSFTPS), click OK to collapse the Advanced box, then click OK to save the changes.
Open the Windows Services dialog box (Start > Run > services.msc.)
Right-click GlobalSCAPE Secure FTP Server, then click Properties.
Click the Log On tab, then follow the Windows operating system procedures for selecting an account under which the service will run.
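To confirm the result of the procedure above, the following added example (not part of the original guide or of GlobalSCAPE's documentation) reports which account the service logs on as and which accounts hold the Act as part of the operating system right. It assumes PowerShell 3.0 or later, an elevated prompt, and that the service display name matches the name shown in the Services dialog box.

```powershell
# Added example: audit the Server's service account and SeTcbPrivilege holders.
# Assumption: the display name below is the one listed in services.msc.
$displayName = 'GlobalSCAPE Secure FTP Server'

# 1. Which account does the service log on as?
$service = Get-CimInstance Win32_Service -Filter "DisplayName='$displayName'"
if (-not $service) { throw "Service '$displayName' not found." }

# 2. Who holds "Act as part of the operating system" (SeTcbPrivilege)?
#    secedit exports the local user rights assignment to an INF file.
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

# The export lists holders as *SID or as plain names; resolve SIDs where possible.
$holders = @()
if ($line) {
    $holders = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: report it as exported
        } else { $entry }
    }
}

[pscustomobject]@{
    Service           = $service.Name
    LogOnAccount      = $service.StartName
    RunsAsLocalSystem = $service.StartName -eq 'LocalSystem'
    SeTcbHolders      = $holders -join ', '
}
```

If the procedure was followed, LogOnAccount shows the account you created (e.g., GSFTPS) and that account appears among the SeTcbHolders.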
This topic describes how to tune Windows 2000, Windows XP, and Windows 2003 operating systems for TCP/IP performance. To add a key to the registry, you can either edit it directly as described below or create and execute a .reg file. When you have finished adding or editing these registry keys, you will need to restart the Server. Configure the following settings or variables below according to your specific tuning needs. If necessary, refer to the GlobalSCAPE Knowledge Base article Q10411 - HOWTO: Windows Registry Settings, for the procedure for creating/editing keys and creating a .reg file.
This key determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster and provide more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, or an adjustment because of a low throughput caused by multiple connections in the TIME_WAIT state.
To activate this feature, create the following key:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
Value name: TcpTimedWaitDelay
Value data: 0x0000001e (Hex 0x0000001e = decimal 30. This value sets the wait time to 30 seconds.)
This key determines the highest port number that TCP/IP can assign when an application requests an available user port from the system.
To activate this feature, create the following key:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
Value name: MaxUserPort
Value data: (minimum) 32768
When many connection attempts are received simultaneously, these keys increase the default number of pending connections that are supported by the operating system.
To activate this feature, create the following 4 keys:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value name: EnableDynamicBacklog
Value data: 00000001
Value name: MinimumDynamicBacklog
Value data: 00000020
Value name: MaximumDynamicBacklog
Value data: 00001000
Value name: DynamicBacklogGrowthDelta
Value data: 00000010
These values request a minimum of 20 and a maximum of 1000 available connections. The number of available connections is increased by 10 each time that there are fewer than the minimum number of available connections.
This key determines how often TCP repeats keep-alive transmissions when no response is received.
To activate this feature, create the following key:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value name: KeepAliveInterval
Value data: 1 (second)
This key determines how many times TCP retransmits an unacknowledged data segment on an existing connection.
To activate this feature, create the following key:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value name: TcpMaxDataRetransmissions
Value data: 5 (seconds)
TCP/IP can be the source of some significant remote method delays. You can increase TCP performance by immediately acknowledging incoming TCP segments, in all situations.
To activate this feature, create the following key:
On Microsoft Windows 2000:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Value name: TcpDelAckTicks
Value data: 0
On Microsoft Windows XP or Windows Server 2003:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Value name: TcpAckFrequency
Value data: 1
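Before and after editing the registry, it helps to see what is currently set. The following added example (not part of the original guide) is a read-only report of every value named above, shown next to the value data exactly as the guide lists it. It assumes PowerShell 3.0 or later and reads the two delayed-acknowledgement values from each adapter subkey under Interfaces\.

```powershell
# Added example: read-only report of the tuning values listed in this guide.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Key, value name and value data copied from the guide (data kept as text).
$guide = @(
    @{ Key = 'TCPIP\Parameters'; Name = 'TcpTimedWaitDelay';         Data = '0x0000001e' }
    @{ Key = 'TCPIP\Parameters'; Name = 'MaxUserPort';               Data = '(minimum) 32768' }
    @{ Key = 'AFD\Parameters';   Name = 'EnableDynamicBacklog';      Data = '00000001' }
    @{ Key = 'AFD\Parameters';   Name = 'MinimumDynamicBacklog';     Data = '00000020' }
    @{ Key = 'AFD\Parameters';   Name = 'MaximumDynamicBacklog';     Data = '00001000' }
    @{ Key = 'AFD\Parameters';   Name = 'DynamicBacklogGrowthDelta'; Data = '00000010' }
    @{ Key = 'AFD\Parameters';   Name = 'KeepAliveInterval';         Data = '1' }
    @{ Key = 'Tcpip\Parameters'; Name = 'TcpMaxDataRetransmissions'; Data = '5' }
)

function Get-TuningValue($Path, $Scope, $Name, $Data) {
    # Returns one report row; a missing value is reported, not created.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $current = 'not set'
    if ($item) { $current = '{0} (0x{0:x8})' -f $item.$Name }
    [pscustomobject]@{ Scope = $Scope; Name = $Name; GuideData = $Data; Current = $current }
}

$rows = @(
    foreach ($g in $guide) {
        Get-TuningValue "$svc\$($g.Key)" $g.Key $g.Name $g.Data
    }
    # Per-interface values: one subkey per adapter under Interfaces\.
    foreach ($nic in Get-ChildItem "$svc\Tcpip\Parameters\Interfaces") {
        Get-TuningValue $nic.PSPath $nic.PSChildName 'TcpDelAckTicks'  '0 (Windows 2000)'
        Get-TuningValue $nic.PSPath $nic.PSChildName 'TcpAckFrequency' '1 (Windows XP / Server 2003)'
    }
)

$rows | Format-Table Scope, Name, GuideData, Current -AutoSize
```

The Current column shows each value in decimal and hexadecimal so it can be compared with the guide's value data in either notation.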
Next: If necessary, refer to the Secure FTP Server help documentation to configure secure remote administration of the Server, add users and permission Groups, define automated event rules, and generate reports.