WS_FTP Server 2017 Plus Release Notes

WS_FTP Server 2017 Plus Release Notes

This document describes the new features, defects resolved, and known issues for:

• WS_FTP Server 2017 Plus
• Web Transfer Module
• Ad Hoc Transfer Module
• Ad Hoc Transfer Plug-in for Outlook

To upgrade to this release, you must have WS_FTP Server version 7.6 or higher.

Depending on which WS_FTP Server product you purchased, portions of this document may not apply.

What's New: 2017 Plus

• OpenSSL update: 2017 Plus includes the move from OpenSSL 1.0.1t to OpenSSL 1.0.2k, which contains new security fixes described here: https://www.openssl.org/news/openssl-1.0.2-notes.html. The new OpenSSL (1.0.2k) will support a different set of ciphers from any upgraded version (1.0.1t or previous). Any new ciphers that were not part of the version from which they upgraded will be added to the available cipher list but will not be associated with a particular listener until the user manually adds them. Any ciphers that have been deprecated between OpenSSL versions will be removed from from both the available cipher list and the list of ciphers associated with a particular listener. OpenSSL 1.0.1 will no longer be supported starting with WS_FTP Server 2017 Plus.
• Additonal KEX algorithm support: SSH to include Diffie-Hellman-group14-sha256 and Diffie-Hellman-group-exchange-sha256.
• Ability to connect to a remote SQL Server database using TLS 1.2
• Improved logging for LDAP connection failures

SCP Protocol Defects Resolved in WS_FTP Server 2017 Plus (8.5.4)

ID	Category	Issues
WSRVR-3832 WSRVR-3835	Security	CVE-2019-12144, CVE-2019-12145: Supplied filenames are validated to ensure that they are valid Windows filenames. Credit: Dan Bastone of Aon's Cyber Solutions.
WSRVR-3833	Security	CVE-2019-12146: Destination directories containing invalid Windows paths are rejected as invalid paths. Credit: Devon Greene of Aon's Cyber Solutions.
WSRVR-3834	Security	CVE-2019-12143: Authenticated users cannot download files outside of their home directory. If a user does not have access to a file, they receive a permission denied error. Credit: Devon Greene of Aon's Cyber Solutions.

Defects Resolved in WS_FTP Server 2017 Plus (8.5)

ID	Category	Issues
WSRVR-2349	Install, Security	Installation log file in PostgreSQL configuration no longer contains plain text passwords.
WSRVR-3045	Logging	Previously, logging for WTM uploads and downloads showed a relative path to the file location on the WS_FTP Server. Now, logging shows absolute paths for all uploaded and downloaded files on the WS_FTP Server.
WSRVR-3184	Server Admin	Manage Server > Listeners > SSH > Edit SSH Settings > RSA and DSA host key > Select > Create had a dropdown for selecting SHA1 or SHA2 for the host key creation. This was removed.
WSRVR-3271	Install	If you installed and then uninstalled WS_FTP Server, user folders were left behind, along with other configuration files. A new install would detect these folders and a message erroneously warned that it would delete these folders. This message was not accurate. The new installation does not delete the user folders. The message is updated now to indicate the detection of folders, but not their deletion. All folders and their contacts that were left behind from prior installations remain intact.
WSRVR-3317	Install	Ipswitch Scheduler and Ipswitch SSH Server didn't show a description in Services for new installs. This has been corrected.
WSRVR-3321	Links	Previously, clicking on "Help System" in the bottom right corner led to an error page. This has been corrected.
WSRVR-3322	Links	Help > About Ipswitch > iCare Community Program link was broken. This has been removed.
WSRVR-3335	Logging	Logging for LDAP connection failures was improved.
WSRVR-3369	FTP, Security	When listeners were set to "SSL Enabled" and hosts were set to "Force SSL" and the USER command was sent, there was a continued connection when the user didn't exist on a host, but a dropped connection when the user did exist on the host. This was not fixed completely in the prior release. The logic was updated to get: "530 Non SSL connections forbidden." Now all connections are dropped when all hosts on a particular listener are set to "Force SSL" and the connection doesn't send the AUTH command before the USER command.
WSRVR-3372	Database, Install	Corrected a problem that blocked installation on Windows 2016 Datacenter Removed MDAC check from installer code that was failing for Windows 2016 DataCenter installations.
WSRVR-3412	Documentation	Added missing response file to Silent Install section.

Defects Resolved in WS_FTP Server 2017 (8.0.1)

ID	Category	Issues
WSRVR-1703	SSH	The last log on date is now updated for users that log on with an SSH client key. In previous releases, the last log on date was not updated for users that logged on with an SSH client key.
WSRVR-3183	SSH, SSL	You can utilize all defined SHA2 MAC algorithms in WS_FTP Server 2017 (8.0.1). In the WS_FTP Server 2017 (8.0) release, it was not possible to connect with an SSH Client using hmac-sha2-384 and hmac-sha2-512.
WSRVR-3188	Install, SSL	If there are no bindings on the targeted IIS website, the installer creates a binding. If there is one binding on the targeted IIS website, the installer will select and use that binding. If there are multiple bindings on the targeted IIS website, you must remove any bindings on the targeted IIS website, other than the SSL binding selected for use with the WS_FTP Server. In the WS_FTP Server 2017 (8.0) release, the AHT and WTM logon failed if there was a pre-existing binding on the targeted IIS website, and the user elected to create a new binding during the installation.
WSRVR-3191	Install, Licensing	The number of license activations and the license file path in the registry were corrected. In the WS_FTP Server 2017 (8.0) release, the “Too many activations for this license” message displayed when a user canceled an installation and used the same license to install on another machine.
WSRVR-3250	SSH, FTP	Fixed an issue that in previous releases, under heavy load, occasionally caused the WS_FTP Server SSH or FTP services to crash while making or removing directory calls.

Defects Resolved in WS_FTP Server 2017 (8.0)

ID	Category	Issues
WSRVR-1499	SSH	WS_FTP Server 7.6 SSH service stops responding to connections until it is restarted. Added handler for Maverick clients to handle bad packet sizes.
WSRVR-1566	Security	Password length increased from 40 to 128 characters for both the create user and change password pages. There is no length check (like previous versions). The control stops accepting characters after the 128th.
WSRVR-1587	Security	When listeners were set to "SSL Enabled" and hosts were set to "Force SSL" and the USER command was sent, there was a continued connection when the user didn't exist on a host, but a dropped connection when the user did exist on the host. Now all connections are dropped when all hosts on a particular listener are set to "Force SSL" and the connection doesn't send the AUTH command before the USER command.
WSRVR-1589	Security	Added functionality to add/remove specific ciphers for SSL listeners. 2017 installs/upgrades will populate tables with ciphers from the current OpenSSL dll, and by default will enable all. End users can remove/add/prioritize from this list using new/modified UI pages (Add Cipher and Remove Cipher).
WSRVR-1607	Security	Prior to 2017, WSFTP provided the ability to set the SSL security level on SSL listeners with these options: Enable TLS only (more secure) Enable TLS and SSL version 3 Enable TLS and SSL versions 1, 2, and 3 In 2017 these values have changed to explicit protocols where the security level can be changed to one or a combination of: Enable SSL 3 Enable TLS 1.0 Enable TLS 1.1 Enable TLS 1.2 For new installs SSL listeners are defaulted to Enable TLS 1.2 only. Upgrades are mapped to the pre-2017 equivalent.
WSRVR-1630	Settings	Fixed issue where iftpaddu.exe ignored default host settings. Added default host settings to command line user creation.
WSRVR-1645	SSL	Added SHA dropdown to Create SSL Certificate page that allows user to select either SHA1 or SHA2 when creating certificates.
WSRVR-1718	FTP	In CuteFTP 8.3.4.0007 and CuteFTP 9.0.5.0007 (current) if the "Protocol type:" of the Site Profile was set to "FTP with SSL (AUTH SSL - Explicit) and the Global setting of "Reuse cached session for data connection" was applied (Tools > Global Options > Security > SSL Secutiry > Check "Reused cached session for data connection"), when the connection attempt was made it would crash the WS_FTP Server Service. The service had to be manually restarted before connections could be made. Added handler for socket shutdown so service no longer crashes.
WSRVR-2028	Core	Prior versions used file creation time for folder cleanup settings. In 2017, a Use File Create Time option (uncheck for File Copy Time) was added to the Host Details, Create Host, and Edit Folder pages. Selecting this checkbox will use the file copy time for cleanup. The default for install/upgrade is checked.
WSRVR-2078	Core, Security, SSH	A checkbox (Disable Diffie-Hellman Group1) was added under System Details. New installs and upgrades will default to off (unchecked). Checking this box will exclude this group from the kex algorithm.
WSRVR-2323	Licensing	If you upgrade from a previous version, and try to use an evaluation license, it will accept the license and allow you to log in, but the system settings (where license is listed), says the file is invalid. On a fresh install, the license works fine.
WSRVR-2414	Web Transfer Module	Image was missing when file extension contained uppercase letters. In order to add additional image file formats you can edit mimetype.xml file (default location is C:\Program Files (x86)\Ipswitch\WS_FTP Server\WebClients\ThinClient\Bin) and add a new row <mimeMap fileExtension=".newExtension" mimeType="image/newExtension" />

Known Issues in WS_FTP Server 2017 Plus (8.5)

ID	Category	Issues
WSRVR-3314	Install	Before installing WS_FTP Server on a Windows Server 2008 R2, you must pre-install .NET (4.0).
WSRVR-3332	Install	For PostgreSQL clean installs the "%" character cannot be used for usernames or passwords. For migrations 7.7 -> 8.5 where the username or password contain a "%" character, run the dbconfig tool to update services and connection strings. Select OK in the PostgreSQL Configuration dialogue.
WSRVR-3483	Ad Hoc Transfer Module (potentially Web Transfer Module)	WS_FTP does not support for Windows .Net 4.7.
WSRVR-3531	Browsers	Windows Server 2012 does not support Internet Explorer 10. Alternative browsers can be used, such as Chrome and Firefox.

Known Issues in WS_FTP Server 2017 (8.0.1)

WS_FTP Server does not support multiple SSL bindings

You must remove any SSL bindings on the targeted IIS Website, other than the SSL binding selected for use with the WS_FTP Server.

AHT and WTM pages display a gray screen if Active Scripting is not enabled in Internet Explorer 11

AHT and WTM pages display a gray screen if Active Scripting is not enabled in Internet Explorer 11.

To enable active scripting, complete the following steps.

1. On the web browser menu, click Tools or the Tools icon, and select Internet Options.
2. On the Internet Options window, select the Security tab.
3. On the Security tab, select the Internet zone and click the Custom level button.
4. In the Security Settings - Internet Zone dialog box, locate the Scripting section. Click Enable for Active Scripting.
5. To accept the changes for this zone, click Yes in the Warning window.
6. To close the Internet Options window, click OK.
7. To refresh the browser page and run scripts, click the refresh icon or F5.

If non-default ports are used, the AHT and WTM redirect fails, resulting in a “This page cannot be displayed” error message.

The default IIS port for HTTPS is 443. When IIS is configured to use a different port for HTTPS, the redirect from HTTP to HTTPS fails.

To mitigate this issue, add the correct port number to the Thinclient, AHT, or both web.config files, or disable the HTTP to HTTPS redirect.

To add the correct port number to the Thinclient and AHT web.config files, complete the following steps.

1. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\WebClients\ThinClient\web.config with a source code editor.
2. Locate the following line of code.

   <action type="Redirect" redirectType="Permanent" url="https://

   {HTTP_HOST}:443/ThinClient/{R:1}" />

3. Replace 443 with the HTTPS port number that IIS is using for Thinclient.
4. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\Ad Hoc Transfer\AHT\web.config with a source code editor.
5. Locate the following line of code.

   <action type="Redirect" redirectType="Permanent" url="https://

   {HTTP_HOST}:443/AHT/{R:1}" />

6. Replace 443 with the HTTPS port number that IIS is using for AHT.

To disable the HTTP to HTTPS redirect, complete the following steps.

1. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\WebClients\ThinClient\web.config with a source code editor.
2. Locate the following line of code.

   <rule name="HTTP to HTTPS redirect" stopProcessing="true" >

3. Modify the code as follows.

   <rule name="HTTP to HTTPS redirect" stopProcessing="true" enabled="false">

4. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\Ad Hoc Transfer\AHT\web.config with a source code editor.
5. Locate the following line of code.

   <rule name="HTTP to HTTPS redirect" stopProcessing="true" >

6. Modify the code as follows.

   <rule name="HTTP to HTTPS redirect" stopProcessing="true" enabled="false">

The default IIS port for HTTP is 80. When IIS is configured to use a different port for HTTP, the redirect from HTTP to HTTPS fails.

To mitigate this issue, replace {HTTP_HOST} with {SERVER_NAME} in the Thinclient, AHT, or both web.config files, or disable the HTTP to HTTPS redirect, as described above.

To replace {HTTP_HOST} with {SERVER_NAME} in the Thinclient and AHT web.config files, complete the following steps.

1. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\WebClients\ThinClient\web.config with a source code editor.
2. Locate the following line of code.

   <action type="Redirect" redirectType="Permanent" url="https://

   {HTTP_HOST}:443/ThinClient/{R:1}" />

3. Replace {HTTP_HOST} with {SERVER_NAME}.
4. Open C:\Program Files (x86)\Ipswitch\WS_FTP Server\Ad Hoc Transfer\AHT\web.config with a source code editor.
5. Locate the following line of code.

   <action type="Redirect" redirectType="Permanent" url="https://

   {HTTP_HOST}:443/AHT/{R:1}" />

6. Replace {HTTP_HOST} with {SERVER_NAME}.
7. To implement this workaround for Internet Explorer, locate the following line of code.

   <action type="Redirect" url="AHT_UI/public/#/password" appendQueryString="true" logRewrittenUrl="true" />

8. Add the following lines of code directly following the code in step 7.

   <conditions>

   <add input="

   {HTTP}" pattern="off" ignoreCase="true" />

   </conditions>

Password authentication fails during installation of WS_FTP Server 2017.

If the IPS_user's password utilizes the % character as the first character in the password, the password authentication fails during installation or upgrade to WS_FTP Server 2017 (8.0.1).

To mitigate this issue, uninstall WS_FTP Server 2017 (8.0.1) and delete the registry key containing the IPS_username. Re-install WS_FTP Server 2017 (8.0.1) with a different password.

WS_FTP Server 2017 (8.0.1) crashes during repair installations and upgrading from 2017 (8.0)

WS_FTP Server 2017 (8.0.1) crashes during repair installations and upgrading from 2017 (8.0) if modules are not installed.

To mitigate this issue, install the modules during the installation.

Known Issues in WS_FTP Server 2017 (8.0)

Known Issues in Windows 2012R2

Eval License Issue

If you upgrade from a previous version and try to use an evaluation license, it will accept the license and allow you to log in, but the system settings (where license is listed), says the file is invalid. On a fresh install, the license works fine.

Cannot open WS_FTP Server Manager via the Metro UI programs list

The workaround requires that you modify your local security policy:

1. Press the Windows key + R to bring up the Run box, and then type secpol.msc. Press Enter.
2. On the Local Security Policy window, navigate to Security Settings > Local Policies > Security Options.
3. On the right panel, double-click on the option User Account Control: Admin Approval mode for the Built-in Administrators Account and enable it.
4. Click Apply and exit Local Security Policy.
5. Press the Windows key + R to bring up the Run box, and then type regedit. Press Enter.
6. On the Registry Editor window, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI. On the right side, double-click on default and change the value to 0×00000001(1). Click OK.
7. Restart your computer. Now you should be able to run Modern UI Apps using the Built-in Administrator account.

Note: If http://127.0.0.1 has not already been added to the Trusted Sites you will see an error page that reads: This page can’t be displayed. Make sure the web address is correct. Look for the page in your search engine. Refresh the page in a few minutes. You will need to add http://127.0.0.1 to the Trusted Sites through the desktop Internet Explorer page. You can also go to Internet Explorer > Internet Options > Security tab > Trusted Sites > Sites and add 127.0.0.1 to the list of trusted websites. For more information, see Adding a website to your browser's Trusted Sites.

If Host's Password Policy not followed in Change Password form, user will be signed out from Web Transfer Module and Ad Hoc Transfer Module

If you change an Ad Hoc Transfer Module or Web Transfer Module password to a new password that does not comply with the Host's password policies (Server > Host details > Password Settings), the user will be signed out of those modules with a password change failure. You may encounter the following errors:

'Change user password failed - user user@host password change failed'
'Change user password failed - user user@host password change failed'
'Failed to Change Password'

Upgrading Resets Log Settings and Log Level

If the log settings on WS_FTP Server point to a remote server, upgrading WS_FTP Server will cause the log settings to change to 127.0.0.1. If the log level was set to anything other than Normal, upgrading will cause the log level to return to the default level of Normal.

Web Transfer Module Missing Icons in Internet Explorer 11

Internet Explorer 11 may not display the Rename and Delete icons in the Web Transfer Module. To fix this issue, in Internet Explorer go to Security Settings > Downloads > and enable Font Downloads.

On Reinstall, WS_FTP Server Folder not deleted

If you uninstall WS_FTP Server and leave the configuration data, on re-install you will get an invalid prompt that data in the WS_FTP Server folder exists and will be deleted on uninstall. When continuing the reinstall, the folder is actually not deleted.

On Upgrade of System with SQL Express, Manual Entry of Port Number with Server Name Required

When upgrading a system with SQL Express, using port 1433, you will have to enter the port number with the server name during the upgrade. For example: "localhost,1433".

Known Issues in All Versions

OpenSSL conflicts when installing WS_FTP Server V7.5.1 or later

The WS_FTP Server 2017 installation programs installs a new version of the OpenSSL library. The new version (OpenSSL 0.9.8p for 7.5.1; OpenSSL 1.0.1c for 7.6), is required and gets installed to the installation folder (the default is: C:\Program Files\Ipswitch\WS_FTP Server).

If the installation program finds a version of the library in the Windows system folders, it will stop the installation and ask you to move or rename the library files. If these library files are used by other programs, you want to make sure that you retain a copy of them. We suggest you create a backup in another folder, or rename these files, then remove the files from these locations:

32-bit OS	64-bit OS
C:\Windows\libeay32.dll	C:\Windows\libeay32.dll
C:\Windows\ssleay32.dll	C:\Windows\ssleay32.dll
C:\Windows\system32\libeay32.dll	C:\Windows\SysWOW64\libeay32.dll
C:\Windows\system32\ssleay32.dll	C:\Windows\SysWOW64\ssleay32.dll
C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll	C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll
C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll	C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll

IP Lockouts do not carry over failed logon attempts after cluster failover

When a cluster fails over from node 1 to node 2, the number of failed logon attempts does not carry over to node 2. Therefore, the server does not lock out the user even if the failed logon count is cumulatively greater than the limit set by the IP Lockouts rule since the failed logon count per node is less than the IP Lockout rule allows. Once a user fails a number of logons on a single node equal to the IP Lockouts limit, then the user is locked out.

For example, assume a user account’s IP Lockouts rule is set to blacklist the user after 5 failed attempts. If a user fails to log on 3 times while node 1 is the active node and then the cluster fails over, the user will have to fail 5 more log on attempts on node 2 in order for WS_FTP Server to blacklist the user because the failed attempts do not transfer between nodes.

Currently, there is no work around for this issue.

See IP Lockouts do not carry over failed logon attempts after cluster failover in the Ipswitch Knowledge Base for more information.

Unhandled exception when using AHT and switching nodes after a failed send

When a cluster fails over from node 1 to node 2 while an Ad Hoc Transfer user attempts to send a package from the AHT site, the file transfer fails, the user is logged out, and the browser displays the Microsoft error "Internet Explorer cannot display the webpage." After node 2 becomes the active node, users attempting to log on to the AHT site again receive an error message about an unhandled exception.

To resolve this issue, the user must restart the browser session before logging back onto the site. Then the user can send packages normally.

See An unhandled exception when using AHT and switching nodes after a failed send in the Ipswitch Knowledge Base for more details and the content of the exception.

Unable to resume transfer or delete file after failover

When a cluster fails over from node 1 to node 2 during an upload, the transfer fails and the file transfer client‘s connection to the cluster drops (the message is "Connection is dead"). The upload does not resume when the user logs back into the server. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file, presumably waiting for the client to (possibly) reconnect. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer.

To delete the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify the file again.

See Unable to resume transfer or delete file after failover in the Ipswitch Knowledge Base for more information.

Unable to delete files in the Web Transfer Client after failover

When a cluster fails over from node 1 to node 2 during an upload using the Web Transfer Client, both the browser session and the file transfer fail. When the user logs back in, the upload does not resume. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer, or overwrite the file on another upload attempt.

To delete or overwrite the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify files again.

See Unable to delete files in the Web Transfer Client after failover in the Ipswitch Knowledge Base for more information.

Error connecting in FIPS mode (FIPS mode cannot use the pre-7 default SSL certificate)

If you installed WS_FTP Server 6.x with the default SSL certificate, when you upgrade to WS_FTP Server 7.x, that default certificate is maintained. If you then enable FIPS mode, which requires the use of FIPS-validated ciphers in the certificate, the default certificate will cause a connection error when a user attempts a secure connection. The server log will show the following error:

Failed to begin accepting connection: SSL failed to load key file. Non-FIPS algorithms might be used in the selected SSL certificate.

To work around this issue, you need to use a certificate that uses a FIPS-validated algorithm, such as SHA1. You can select to use your own certificate, or create a new certificate in the WS_FTP Server Manager (from the Home page, select SSL Certificates).

System Requirements

WS_FTP Server Requirements

Supported Operating Systems

For a standalone WS_FTP Server installation:

Operating System	Edition	Supported Versions
Windows Server 2016	Standard	64-bit: English
Windows Server 2012 R2	Standard Datacenter	64-bit: English
Windows Server 2012	Standard Datacenter	64-bit: English
Windows Server 2008 R2	Standard Enterprise	64-bit: English

For a WS_FTP Server failover cluster using Microsoft Clustering Services:

Operating System	Edition	Supported Versions
Windows Server 2012 R2	Standard Datacenter	64-bit: English
Windows Server 2012	Standard Datacenter	64-bit: English
Windows Server 2008 R2	Enterprise	64-bit: English

For a WS_FTP Server failover cluster using Microsoft Network Load Balancing:

Operating System	Edition	Supported Versions
Windows Server 2012 R2	Standard Datacenter	64-bit: English
Windows Server 2012	Standard Datacenter	64-bit: English
Windows Server 2008 R2	Standard Enterprise	64-bit: English

Windows Server Components Activated Automatically

The WS_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation, Windows Server does not turn on non-core operating system components. However, before installing WS_FTP Server, you should be sure that these changes conform to your organization’s security policies.

When you install WS_FTP Server, the install activates the following 2008 R2 Server roles:

• ISAPI Extensions
• Windows Authentication
• ASP

Database Requirements

• The default database for configuration data is PostgreSQL 9.3.11 (local only).
• During installation, you can select Microsoft SQL Server as your database for configuration data. If you choose this option, you must use one of the following versions:
  • Microsoft SQL Server 2016 Express, Standard, or Enterprise versions (local or remote) (WS_FTP Server 2017 8.0.1 only)
  • Microsoft SQL Server 2014 Express, Standard, or Enterprise versions (local or remote)
  • Microsoft SQL Server 2012 or 2012 R2 Express, Standard, or Enterprise versions (local or remote)
  • Microsoft SQL Server 2008 R2 Express, Standard, or Enterprise versions (local or remote)

Configuring the database for remote connections

By default, the Microsoft SQL Server database will only accept connections coming from the local system. To use a remote notification server, to allow multiple servers to share a data store, or to allow a remote Web Transfer Client connection, you have to enable remote connections.

Microsoft's Knowledge Base (KB) provides the following information on remote connections:

"When you try to connect to an instance of Microsoft SQL Server 2005 from a remote computer, you may receive an error message. This problem may occur when you use any program to connect to SQL Server. For example, you receive the following error message when you use the SQLCMD utility to connect to SQL Server:

Sqlcmd: Error: Microsoft SQL Native Client: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.This problem may occur when SQL Server 2005 is not configured to accept remote connections. By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections.

For instructions, see the Microsoft KB article: How to Configure SQL Server 2005 to Allow Remote Connections.

Web Server Requirements

During installation, you can select Microsoft Internet Information Services (IIS) as your web server (instead of WS_FTP's Web Server). If you choose this option, you need to have Microsoft Internet Information Services (IIS) 7.0 or later installed on your computer. If you opt to use IIS, WS_FTP Server requires the ASP .NET Web Server Role Service.

• Prior to installing, the Microsoft Internet Information Services Web site on which you intend to install WS_FTP Server Manager must be configured to use a port that is not already in use. If another application, such as the Web server included with Ipswitch WhatsUp Gold, is operating on the same port as the Web site, you must take one of the following actions:
  • change the port used by the existing application.
  • configure the Web site to use a port that is not already in use.
• The setup program makes the following changes to your IIS configuration:
  • On the Web site, Web Services Extensions will be set to Allow ASP Pages.
  • On the WSFTPSVR Virtual Directory, Enable Parent Paths will be enabled.
  • On the WSFTPSVR Virtual Directory, Application Pooling will be set to the Medium/Pool level.
• On 64-bit versions of Windows, if 32-bit applications are not allowed to run under IIS, a "Service Unavailable" error is displayed in the browser. To correct this, you must run the following command from the command line to enable 32-bit applications to access IIS:

  cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1

  After running the command, you must restart IIS.

• In some cases the install will display the error message Could not enable ASP. This typically occurs when Active Server Pages in the IIS Server Extension section have been enabled. To verify this:
  1. Right-click My Computer, then click Manage. The Computer Management console opens.
  2. Click Services and Applications > Internet Information Services > Web Service Extensions. The Web Service Extensions are displayed in the right-hand console window.
  3. Make sure that the Active Server Pages status is set to Allowed. If it is not, right-click Active Server Pages and select Allow.
  4. Close the Computer Management console.

If you specify a user other than the default user to serve as the run as user on the IIS virtual folder (if you are using Microsoft IIS as your web server), you may get a HTTP 401 error when you attempt to open the WS_FTP Server Manager. If this occurs, you must open the WSFTPSVR virtual folder in IIS and change the anonymous access user password to match the specified user's password.

Framework and Accessibility Requirements

WS_FTP Server requires the Microsoft .NET Framework and other Microsoft packages for scripting and software accessibility. Microsoft .NET Framework 4.0 is included in the installation program.

Third Party Software

WS_FTP Server utilizes third-party open source software subject to the licenses described below.

WS_FTP Server
Library	Version	License
PostgreSQL	9.3	PostgreSQL License
zlib	1.2.5	zlib License
OpenSSL	1.0.2K	OpenSSL License
Distributed 3rd Party Code
Greta	Last copyright 2002
Web Transfer Module
Library	Version	License
Angular	1.4.6	MIT
Angular-cookies	1.4.7	MIT
Angular-translate	2.9.1	MIT
Angular-bootstrap	0.13.4	MIT
Angular-ui-router	0.2.15	MIT
Bootstrap	3.3.5	MIT
Font-awesome	4.6.3	SIL OFL 1.1 (Fonts) MIT (Code)
JQuery	2.2.0	MIT
Lodash	3.10.1	MIT
Ngstorage	0.3.9	MIT
Moment	2.10.6	MIT
Restangular	1.5.1	MIT
Ad Hoc Transfer Module
Library	Version	License
Angular	1.4.6	MIT
Angular-cookies	1.4.7	MIT
Angular-translate	2.9.0	MIT
Angular-bootstrap	0.13.4	MIT
Angular-ui-router	0.2.15	MIT
Bootstrap	3.3.5	MIT
Font-awesome	4.6.3	SIL OFL 1.1 (Fonts) MIT (Code)
JQuery	2.2.0	MIT
Lodash	3.10.1	MIT
Ngstorage	0.3.9	MIT
Restangular	1.5.1	MIT

Other Notes

• If net.exe has been removed from the computer on which you want to install WS_FTP Server, you must create a user account to serve as the WS_FTP Server account in Windows before installing. The account name must begin with IPS_, and it is recommended that it be configured so that the password never expires.

  During the install, when you reach the Create User Accounts dialog, specify this username without the IPS_ at the beginning.

  For example, if you created a Windows user account called IPS_wsftpadmin, enter wsftpadmin for the username on the Create User Accounts dialog.

  Note: If you are upgrading a previous version of WS_FTP Server with hosts that use Windows NT user databases exclusively, the username you create must be IPS_ plus the username of an existing Windows NT user that has system administrator privileges in WS_FTP Server.

• If you select to install to a web site that uses a custom host header or port, the desktop shortcut created does not use the host header or port. To correct this, you must create a new shortcut using the correct host header and port.
• When creating a rule for Failed Login, Folder Action, Quota Limits, or Bandwidth Limits, the Group Search function does not work.
• When upgrading a host using an external (ODBC) user database, you must manually set permissions to the external database file after the upgrade completes.

  When multiple hosts with firewall settings configured share a single listener, the firewall settings for the first of those hosts that a user logs into are applied to all of the hosts that share the listener and have firewall settings configured. Hosts that do not have firewall settings configured are not effected by this issue. We recommend that all hosts that are assigned to a common listener share the same firewall settings.

• If you create a virtual folder with the same name as a physical folder, the physical folder takes precedence for permissions purposes. A work around is simply to change the name of one of the 2 folders.

Hardware Requirements

The minimum recommended hardware is the same as recommended for Windows Server 2008 R2. (For more information, see the Windows Server information on Microsoft's web site.) If you are using a later version operating system, you should meet the hardware requirements for that system.

Component	Requirement
Processor	Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor) Recommended: 2 GHz or faster
RAM	Minimum: 512 MB RAM Recommended: 2 GB RAM or greater Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter) Maximum (64-bit systems): 32 GB (Standard) or 1 TB (Enterprise and Datacenter) or 2 TB (Itanium-Based Systems)
Hard Drive	Minimum: 10 GB Recommended: 40 GB or greater Hard drive capacity depends on how much data you plan to store.

Virtualization Requirements

• VMware ESXi 4.0 (32-bit and 64-bit guest operating systems), ESXi 5.0, ESXi 6.0
• Microsoft Hyper-V 1.0 on Windows 2012; Windows 2008 64-bit (32-bit and 64-bit guest operating systems)

WS_FTP Server Manager

The WS_FTP Server Manager provides web-based administration from the local machine and also allows remote management of the server. WS_FTP Server Server Manager is a part of WS_FTP Server and is installed on the same machine.

Web Interface Requirements

See the Ad Hoc Transfer Plug-in for Outlook Requirements.

WS_FTP Server Web Transfer Client and Ad Hoc Transfer Module Requirements

The WS_FTP Server Web Transfer Client and the Ad Hoc Transfer Module come bundled with the WS_FTP Server installer. If your license includes these modules, make sure your system can support these requirements.

WS_FTP Server Web Transfer Client Requirements

The Web Transfer Module needs access to the file system on your FTP host or hosts so it can upload and download files. During the WS_FTP Server Web Transfer Client installation, you will specify a Windows user account with permissions to the top folder of each WS_FTP Server host (for each host for which you will enable WS_FTP Server Web Transfer Client). We recommend you create a Windows user account for use by the Web Transfer Module. Note that this Windows user account is used differently depending on the WS_FTP Server host settings and the user database configured for that host:

• If the host uses a Microsoft Windows or Microsoft Active Directory user database, configured to use Windows file permissions, the user account permissions take precedence, and this Windows account is not used.
• If the host has a host-level impersonation account, which is required if the host Top folder uses a UNC path, the host-level impersonation account takes precedence, and this Windows account is not used.
• If the host uses the WS_FTP Server or ODBC user database, and the host-level impersonation is not specified, this Windows account is used.

Ad Hoc Transfer Module Requirements

Before you install the Ad Hoc Transfer Module, verify that the WS_FTP Server computer has the following:

• The Ad Hoc Transfer Module needs access to the Package Storage root folder on your FTP host or hosts so it can store package files and make them available for download. During the Ad Hoc Transfer Module installation you will specify a Windows user account with permissions to the Package Storage folder.
• For the Ad Hoc Transfer Module to be available to recipients outside your internal network, you must install it in the WS_FTP Server and configure it with the appropriate DNS settings.

Requirements for the WS_FTP Server Web Transfer Client and Ad Hoc Transfer Module end user

The end user can use any computer with an operating system that can support the following:

• Microsoft Internet Explorer 9, 10 or 11 (Windows only); Mozilla Firefox 16 or later, Google Chrome 21 or later, Apple Safari 5 or later (Mac-only)
• Enabled Javascript support in the Web browser
• Enabled Cookie support in the Web browserBroadband connection to the Internet (recommended)

Requirements for the WS_FTP Server Web Transfer Client and the Ad Hoc Transfer Module on Windows Server 2008 R2 or 2012

The WS_FTP installer automatically activates certain components in your Windows Server installation (in addition to the ones activated by a normal Server install). Before installing WS_FTP Server, you should be sure that these changes conform to your organization’s security policies.

The following list shows features activated by the Ad Hoc Transfer Module install under the IIS7 role. Features shown as indented indicate a nested relationship with the non-indented feature above it.

Common HTTP Features

• Static Content
• Default Document
• Directory Browsing
• HTTP Errors

Application Development

• ASP .NET
• .Net Extensibility
• ISAPI Extensions
• ISAPI Filter

Health and Diagnostics

• HTTP Logging
• Request Monitor

Security

• Request Filtering

Performance

• Static Content Compression

Management Tools

• IIS Management Console

The following list shows the Windows Server stand-alone features activated during WS_FTP Server install:

.Net Framework 4.5.2 Features

• .Net Framework 4.5.2
• XPS-Viewer
• WCF Activation (HTTP Activation, Non-HTTP Activation)

Remote Server Administration Tools

• Role Administration Tools (Web Server (IIS) Tools)

Windows Process Activation Service

• Process Model
• .Net Environment
• Configuration APIs

Additionally, the Web Transfer Module install process does the following:

• Runs servicemodelreg to install the WCF service model.
• Places the Web Transfer Module and the underlying web service in classic mode application pools.

Also, if HTTPS is not enabled on the site hosting the Web Transfer Module, the install will:

• Create a self-signed certification for the machine hostname
• Grant permissions to EVERYONE to read the folder where the certifications live
• Create an HTTPS binding on the website hosting the Web Transfer Module (if applicable)
• Attach the certificate to the HTTPS binding

Ad Hoc Transfer Plug-in for Outlook Requirements

The following software must be installed on the machine on which you install the Ad Hoc Transfer Plug-in for Outlook. If the required software is needed by only one of the clients, it is noted as such.

• Microsoft Outlook 2016, 2013, 2010, 2007 (Outlook plug-in only)
• Supported Operating Systems:
  • Windows 10 (32-bit and 64-bit)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows 8 (32-bit and 64-bit)
  • Windows 7 (32-bit and 64-bit)
• Microsoft Visual Studio 2010 Tools for Office Runtime (VSTOR 2010) Redistributable (all OS) (Outlook plug-in only)
• Microsoft Visual Studio 2010 Tools for the Microsoft Office System (version 4.0 Runtime) Language Packs (non-English OS) (Outlook plug-in only)

  If you are running the installer live (not doing a silent install), the installer automatically installs the Microsoft Visual Studio redistributable programs. You do not need to download anything from Microsoft. If running a silent install, you must download and install these redistributable programs before running the install. See the Requirements in the Silent Install section.

On the last screen of the installer, you can select to View Install Log.

• Microsoft Internet Explorer 9, 10 or 11 (Windows only); Mozilla Firefox 16 or later, Google Chrome 21 or later, Apple Safari 5 or later (Mac-only)
• Enabled Javascript support in the Web browser
• Enabled Cookie support in the Web browser

Installing and Configuring the WS_FTP Server, WS_FTP Server Web Transfer Client, and Ad Hoc Transfer Module

For detailed instructions for installing and configuring WS_FTP Server and activating a new or upgraded license, see the WS_FTP Server Installation and Configuration Guide.

WS_FTP Server 2017 supports direct upgrade installations from version 7.6 or higher only.

For More Information

For more assistance with WS_FTP Server, consult the following resources:

• Application Help. Contains dialog assistance, general configuration information, and how-to's that explain the use of each feature. The application help can be accessed from any page in the WS_FTP Server Manager by clicking Help.
• User Guide. This guide describes how to use the application out-of-the-box. It is also useful if you want to read about the application before installing. To view the User Guide offline, select Start > Programs > Ipswitch WS_FTP Server > WS_FTP Server User Guide.
• Additional WS_FTP Server resources. For a list of current and previous guides and help available for WS_FTP Server products, see the Ipswitch web site.
• Technical Support. Use the Ipswitch Support Site for a variety of WS_FTP Server product help resources. From here you can view product documentation, search Knowledge Base articles, access the community site for help from other users, and get other Technical Support information. The Support Site is available on the Ipswitch web site.

Copyright

©1991-2017 Ipswitch, Inc. All rights reserved.

This document, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by such license, no part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the express prior written consent of Ipswitch, Inc.

The content of this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ipswitch, Inc. While every effort has been made to assure the accuracy of the information contained herein, Ipswitch, Inc. assumes no responsibility for errors or omissions. Ipswitch, Inc., also assumes no liability for damages resulting from the use of the information contained in this document.

WS_FTP, the WS_FTP logos, Ipswitch, and the Ipswitch logo, MOVEit and the MOVEit logo, MessageWay and the MessageWay logo are trademarks of Ipswitch, Inc. Other products and their brands or company names, are or may be trademarks or registered trademarks, and are the property of their respective companies.

This document was published on Sunday, August 20, 2017 at 00:27.