Upgrading Secure FTP Server

Prerequisites

Verify that you are running version 3 or higher. Versions prior to 3 are not supported by the upgrade process.
Choose an installation procedure: From non-FIPS to FIPS or between non-FIPS versions.
Download the desired version from http://www.globalscape.com/support/srv.aspx.

Upgrading from Secure FTP Server versions 3.0 through 3.3.9 to Secure FTP Server 3.3.10.

To upgrade

Document the administrator account user name and password for the existing FTP server.
Stop the Server service.
As a precaution, back up the existing Server installation folder (by default, C:\Program Files\GlobalSCAPE\Secure FTP Server). At a minimum, the following files should be saved:

*.aud (User database)
*.cfg (Site configuration and user permissions)
*.bak (Backup of .cfg file from previous session)
*.pvk (SSH key pair)
*.crt (Certificate)
*.key (Private keys)

Double-click the file that you downloaded (see Prerequisites, above), click Repair, then click Next and follow the instructions.
When the upgrade or update is finished, start the Server service.

Upgrading from a non-FIPS version of Secure FTP Server to Secure FTP Server (FIPS)

You have the following configuration options:

Overwrite an existing version
Install side by side with existing version

To install Secure FTP Server (FIPS) over the existing Secure FTP Server directory

Stop the Server service.
As a precaution, back up the entire Secure FTP Server directory (by default, C:\Program Files\GlobalSCAPE\Secure FTP Server).
Double-click the file that you downloaded (see Prerequisites, above), click Repair, then click Next and follow the instructions.
When prompted for the installation path, change the path to the existing Secure FTP Server installation directory.
After completing the installation, attempt to connect to an account on the Server that has FTP over SSL enabled, using an FTPS client (such as CuteFTP Pro).

You will not be able to connect if the certificates do not meet FIPS requirements. Refer to SSL Authentication Error on Connection to Secure FTP Server (FIPS) below for more information.

If you want to perform remote administration, run the FIPS installer on each remote machine, choose the Administrator Interface component, and then use it to manage the FIPS version, as the non-FIPS version will fail when connecting to the FIPS Server. The FIPS version listens on port 1221 and the non-FIPS version on port 1000.

To install Secure FTP Server (FIPS) in a side-by-side configuration

Double-click the file that you downloaded (see Prerequisites, above), click Repair, then click Next and follow the instructions.
The installer will detect that a prior version is installed, and you will be asked if you want to keep the current configuration.

If you click Yes, the non-FIPS configuration file will be copied to the FIPS installation folder (perform steps 3 - 9).

If you choose Yes, the prior non-FIPS Server service will be stopped, placed in a disabled state, and its main configuration file will be copied over to the FIPS Server installation folder. This configuration file references important files in the non-FIPS installation location. If you delete or uninstall the non-FIPS server, the FIPS version will not find the referenced information and reset everything to default values! If you decide to remove the non-FIPS version, make sure you edit the various paths (step 5 below) in the FIPS configuration before you delete or uninstall the non-FIPS version.
If you click No, none of the current non-FIPS version configuration is copied to the new location (perform steps 3 and 4 only).

If you choose not to copy the existing configuration, both servers will run side-by-side. You can run both Servers, but you must ensure they are using different IP:port bindings. e.g. port 21, on one server and port 2121 on the other to service FTP connections.

If you want to perform remote administration, run the FIPS installer on each remote machine, choose the Administrator Interface component, and then use it to manage the FIPS version, and the previous Administrator interface to manage the non-FIPS version, as the FIPS version will fail when connecting to the non-FIPS version and vice-versa. Additionally the FIPS version listens on port 1221 and the non-FIPS version on port 1000.

After completing the installation, open the Administrator Interface, and connect to the Site to verify settings. You will need to configure the Server, add users, enable secure protocols, and so on. (Refer to Configuring the Server for details.)
After everything is configured, attempt to connect to an account on the Server that has FTP over SSL enabled, using an FTPS client (such as CuteFTP Pro).

You will not be able to connect if the certificates do not meet FIPS requirements. Refer to SSL Authentication Error on Connection to Secure FTP Server (FIPS) below for more information.

(Do not continue with this procedure if you chose not to copy the existing configuration. Your installation is complete.)

If you chose Yes in step 2 and want to remove the prior version, open the Administrator Interface, and connect to the Site, then modify the paths for the following:

Log files: In the left pane, click the Server node, then click the Server Options tab. In the Folder to save log files box, type the path to the new location, then click Apply.
Server SSL certificate for remote administration: In the left pane, click the Server node, then click the Remote Administration tab. In the Certificate file path boxes, type the path to the new location, then click Apply.
Site root folder: In the left pane, click the Site node, then click the Site Options tab. In the Site root folder box, specify the path to a new Site root folder, then click Apply.
Authentication file: If you are using GlobalSCAPE authentication, in the left pane, click the Site node. In the right pane, click the Site Options tab, then click Advanced. In the Authentication provider options dialog box, type the path to the new location, then click Apply.
Site SSL certificate: In the left pane, click the Site node, then click the Connection Options tab. In the Certificate file path boxes, type the path to the new location, then click Apply.
SFTP Site key pair: In the left pane, click the Site node, then click the SFTP Settings tab. In the Site key pair box, type the path to the new location, then click Apply.

Edit any scripts, Custom Commands, and Event Rules that refer to the old installation directory to refer to the new installation directory.
Stop the FIPS and non-FIPS FTP Server Service, copy over the following files from the non-FIPS version to FIPS installation folder or path(s) you defined in step 5.

*.aud (User database)
*.cfg (Site configuration and user permissions)
*.bak (Backup of .cfg file from previous session)
*.pvk (SSH key pair)
*.crt (Certificate)
*.key (Private keys)
log files (or entire log directory), reports (or entire report directory)

Rename or archive the non-FIPS Server installation folder.
Start the FIPS Server and verify all configuration appears intact. Test the connection to be extra sure, verify logs updated, pull a report, verify certificate paths, and so on.
Once you have confirmed everything is working, you can safely remove or uninstall the prior non-FIPS Server.

The steps are virtually identical installing the FIPS version on one computer and then merging the configuration from a non-FIPS version installed on another computer. Copy over all the configuration files, verify all paths, and test your installation before removing the old version.

Troubleshooting

If you experience errors after upgrading, refer to the topics below. If you need additional information or help, visit the Support Center.

Remote Clients

A remote Secure FTP Server client (Administrator interface) cannot connect to a Secure FTP Server (FIPS) service. Once the configuration files are copied over to the new installation directory, your remote clients that previously connected to the Secure FTP Server service will attempt to connect to the Secure FTP Server (FIPS) service. You must configure the remote clients to use a different port to connect to the Server if you are not disabling or removing the non-FIPS Server service. The FIPS version listens on port 1221 and the non-FIPS version on port 1000.

SSL Authentication Error on Connection to Secure FTP Server (FIPS)

After the installation has completed, if an SSL authentication error occurs when you connect to the Server, there may be a problem with your SSL certificates due to FIPS 140-2 hashing function requirements. If the certificates used by the Server are MD-5, not SHA-1, you will need to recreate or import certificates that are SHA-1.

To correct the SSL authentication error

Certificates created in the non-FIPS version of Secure FTP Server and some 3rd party-generated certificates employ an MD5 hashing function. FIPS 140-2 requires SHA-1 hashing function instead. Do one of the following:

Create new certificates in the Server. Refer to Creating Certificates for details.
Redirect SSL settings to the correct certificates. Refer to Selecting a Certificate for details.
For 3rd party certificates, you will need to repurchase or reacquire the certificate pair and request that the certificates use SHA-1 instead of MD-5.