Release Notes for WS_FTP™ Server 7.7, WS_FTP Server 7.7 with SSH, and WS_FTP Server 7.7 Corporate

In this File

7.7 Release Notes

Security Update: 7.7

Security Update: Release 7.7 includes OpenSSL 1.0.1l, which contains nine new security fixes described here: https://www.openssl.org/news/secadv_20140806.txt. These are DoS and SSL downgrade attack vectors that are applicable to WS_FTP Server.

Security Update: 7.6.3

Security Update: Release 7.6.3 includes all prior upgrades that addressed the Heartbleed vulnerability, and includes OpenSSL version 1.0.1h.

Security Update: 7.6.2.1 Patch

Security Update on SSL/TLS MITM (Man-in-the-middle) vulnerability (CVE-2014-0224): The recent vulnerability uncovered in OpenSSL has affected vendors and companies that rely on this near-ubiquitous open source security protocol. In basic terms, the vulnerability exposes an OpenSSL to OpenSSL exchange that uses the OpenSSL 0.9.8, 1.0.0 and 1.0.1 family of protocols to an attack. This vulnerability affects all releases starting with 7.1 through the 7.6, 7.6.1 and 7.6.2 versions of WS_FTP Server.

The WS_FTP Server 7.6.2.1 patch release upgrades OpenSSL to the 1.0.1h version, which removes this vulnerability.
Check your version number to see if you need to upgrade.

Note also that we have released updated install programs for the Web Transfer Module and the Ad Hoc Transfer Module. Neither of the modules is affected by the MITM SSL issue, but we updated the install programs to be compatible with the WS_FTP Server 7.6.2.1 patch release. You need to use the 7.6.2.1 versions of the install programs.

Security Update: 7.6.2 Patch

Security Update on Heartbleed SSL: Heartbleed SSL, the recent vulnerability uncovered in OpenSSL, has affected vendors and companies that rely on this near-ubiquitous open source security protocol. In basic terms, the vulnerability exposes any exchange that uses the OpenSSL 1.0.1 family of protocols to an attack. This vulnerability affects only the 7.6 and 7.6.1 versions of WS_FTP Server.

The WS_FTP Server 7.6.2 patch release disables the heartbeat function that exposed the vulnerability in the OpenSSL 1.0.1c version and a later release will provide an update to a version of OpenSSL (1.0.1g or later) that has addressed this issue.

If you have an affected version, you have already received a notification from the Ipswitch Security Team. Check your version number to see if you need to upgrade. Systems that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc) with the assumption that an attacker has already used this vulnerablity to obtain those items.

Note also that we have released updated install programs for the Web Transfer Module and the Ad Hoc Transfer Module. Neither of the modules is affected by the Heartbleed SSL issue, but we updated the install programs to be compatible with the WS_FTP Server 7.6.2 patch release. If you are doing a new installation of these modules, you need to use the 7.6.2 version of the install programs.

About this document

This document contains information on how to install and configure WS_FTP™ Server, WS_FTP Server with SSH, and WS_FTP Server Corporate. Depending on which WS_FTP Server product you have purchased, portions of this document may not apply.

The document also describes how to install and configure add-on modules for the WS_FTP Server and WS_FTP Server with SSH.

What is WS_FTP™ Server?

Ipswitch WS_FTP™ Server is a highly secure, fully featured and easy-to-administer file transfer server for Microsoft Windows® systems. WS_FTP Server lets you create a host that makes files and folders on your server available to other people. Users can connect (via the Internet or a local area network) to your host, list folders and files, and (depending on permissions) download and upload data. Administrators can control access to data and files with granular permissions by folder, user, and group. Administrators can also create multiple hosts that function as completely distinct sites.

WS_FTP Server is proven and reliable. It is used by administrators globally to support millions of end users and enable the transfer of billions of files.

WS_FTP Server complies with the current Internet standards for FTP and SSL protocols. Users can connect to the server and transfer files by using an FTP client that complies with these protocols, such as Ipswitch WS_FTP LE or Ipswitch WS_FTP Professional.

WS_FTP Server with SSH also includes support for SFTP transfers over a secure SSH2 connection.

Administration

• Fully web-based administration for remote management
• Enhanced logging and reporting
• Connection port configurable by host
• Event-driven communication and automation

Performance

• Proven and reliable: Used by administrators globally to support millions of end users and enable the transfer of billions of files
• Failover architecture

Security and Compliance

• File integrity checking support
• Full support for file transfer using SFTP over SSH
• Implicit and explicit SSL support with up to 256 AES encryption
• Auto-expiring passwords and enhanced password controls
• Ability to hide login banner from client

WS_FTP Server Product Family

The WS_FTP Server product family provides a broad range of file transfer functionality, from fast file transfer via the FTP protocol, to secure transfer over SSH, to a complete file transfer (server/client) solutions.

WS_FTP Server: Our base product offers fast transfer via the FTP protocol with the ability to encrypt transfers via SSL, and includes FIPS 140-2 validated encryption of files to support standards required by the United States and Canadian governments.

WS_FTP Server can operate standalone or is easily integrated with existing user databases (Active Directory, Windows NT, ODBC). The WS_FTP Server Manager provides web-based administration from the local machine and also allows remote management of the server. The Server Manager can use our integrated web server or Microsoft IIS.

When used with our WS_FTP Professional client, WS_FTP Server can retry a failed transfer, perform file integrity checks, verify a user's identity, and speed transfers by using compression and multi-part transfers.

WS_FTP Server is designed with a tiered architecture that allows components and data to be maintained on one computer or distributed among several, allowing the configuration to scale to handle larger capacity.

WS_FTP Server can be deployed in an active-passive failover configuration to ensure file transfer service is always available. The failover configurations use shared resources for the user database, configuration data, and the file system for user directories and log data.

WS_FTP Server with SSH: This product offers all of the features of WS_FTP Server plus the ability to send and receive files over SSH, which automatically delivers encrypted communications during and throughout file transport.

WS_FTP Server Corporate: This product extends the secure transfer capabilities of WS_FTP Server with SSH to include:

Support for SCP2 to provide a secure version of the remote copy capability used in UNIX applications

LDAP support for authentication to leverage existing corporate databases.

Integrates the WS_FTP Server Web Transfer Module to provide a complete file transfer solution (server and client).

• WS_FTP Server Web Transfer Module

  The WS_FTP Server Web Transfer Module, an add-on to WS_FTP Server products, enables users to transfer files between their computers and company servers over HTTP/S using a Web browser. As a result, employees and external business partners can connect to company networks simply and securely to share files, data, and other critical business information.

• WS_FTP Server Ad Hoc Transfer Module

  The WS_FTP Server Ad Hoc Transfer Module, an add-on to WS_FTP Server products, lets users send files from their computers to one or more individuals by sending an Ad Hoc Transfer message via email. Recipients of an Ad Hoc Transfer "package" can connect to a download page, hosted on the WS_FTP Server, and download the files that have been "sent" to them. This module lets your users send a secure transfer to colleagues and clients, without the need to set up temporary accounts.

  Users can send a package by using the Ad Hoc Transfer web interface or Microsoft Outlook.

Update for Ad Hoc Transfer Module and Ad Hoc Transfer Plug-in for Outlook

We have issued a maintenance release of Ad Hoc Transfer Module and the Ad Hoc Transfer Plug-in for Outlook that provides the following enhancements and bug fixes:

• Improved file transfer performance for the Ad Hoc Transfer Plug-in for Outlook. In previous versions, the plug-in was limited to file attachments of no more than 2 GB. This version removes the 2 GB restriction and provides faster transfer of large files. Note that the 2 GB limit still applies for the Ad Hoc Transfer web interface.
• Ad Hoc Transfer Plug-in for Outlook now supports Microsoft Outlook 2013 and Microsoft Exchange 2013.

To upgrade to this release, you need to install:

• Version 7.6.1 of Ad Hoc Transfer Module
• Version 2.2.1 of Ad Hoc Transfer Plug-in for Outlook (requires Ad Hoc Transfer Module 7.6.1)

  Your WS_FTP Server version (v 7.6) does not need to be updated.

New in 7.7

• Version 7.7 includes SCSV TLS downgrade protection. SCSV TLS downgrade protection helps maintain the highest possible connection security. This is a TLS extension supported in many current and near-release SSL libraries. It must be implemented on servers and it is recommended for clients.
• This release also supports Windows Server 2012 R2 and Microsoft SQL Server 2012 R2 and 2014.

New in 7.6.3

• Version 7.6.3 includes the option to delete old files and/or empty sub-folders after a specified number of days. You can configure cleanup settings at the folder level or at the host level. By default, folders will inherit the host-level default values unless they are overridden at the folder level. Host-level settings also apply to virtual folders and their descendants, but only if the virtual folder points to a location outside of the host's top folder, to avoid having multiple cleanup profiles affect a single folder. To control this setting, see the WS_FTP Server User Guide > Managing Folders and Files > Cleaning up old files and empty subfolders.
• This release also includes the option to expire user accounts a specified number of days after user account creation or last logon. To control this setting, see the WS_FTP Server User Guide > Managing User Accounts > Creating user accounts. At the host level you can also delete expired user accounts after they have been expired a specified number of days. These settings only take effect when the host's authentication database type is WSFTP. To control this setting, see the WS_FTP Server Manager User Guide> Managing User Accounts > Setting user options for hosts > Configuring user settings.
• A new service, "Ipswitch Scheduler," is installed and runs at 1:00 am every night. This service cleans up old files and sub-folders, as well as expired users. The cleanup process will never delete virtual folders themselves, only physical folders.
• When using a command line to create a user, administrators can now use the -o homefolder argument to set a user's home folder.
• File transfers in WTM and Ad Hoc now display a progress bar indicating percentage of transfer completed. This feature is not available in IE9.

New in 7.6

Version 7.6 updates some of the critical software components used by the WS_FTP Server, including SSL libraries, supported databases, and supported operating systems.

• OpenSSL libraries: The OpenSSL version used by WS_FTP Server has been upgraded from 0.9.8t to 1.0.1c. This upgrade was done to resolve known security issues with the older version of OpenSSL, as well as to add improved functionality that is only available in newer versions of OpenSSL. More specifically, the new version supports the AES CTR ciphers, which allows administrators to disable CBC ciphers and use the AES CTR ciphers instead.

  If you choose to disable the CBC ciphers, Ipswitch WS_FTP Professional versions before v12.4 will not be able to connect using SSH. Older versions of other FTP clients may also use CBC ciphers.

• Supported databases:

  PostgreSQL: The version of PostgreSQL used by WS_FTP Server has been upgraded from 8.3.12 to 8.3.20. This was done to resolve known security vulnerabilities with older versions of PostgreSQL.

  Microsoft SQL Server: WS_FTP Server now supports Microsoft SQL Server 2012, in addition to the 2008 version. Support for Microsoft SQL 2005 has been dropped.

• Supported operating systems: WS_FTP Server now supports Windows Server 2012, in addition to the 2008 R2 version. This version of WS_FTP Server drops support for Windows Server 2003 and Windows XP.

This release includes enhanced features for the Ad Hoc Transfer Plug-in for Outlook:

• Ability to Customize the Ad Hoc Transfer Plug-in for Outlook

  You can add your own brand or organization information to the user interface. You can change logos, icons, and text labels and you can also customize the associated help topics.

• Improvements to the Silent Install Program

  The silent install program has been enhanced to ease the deployment of the Ad Hoc Transfer Plug-in to large numbers of users, and also to support deployment via Group Policy. The changes include supporting installation on a PC for "all users" rather than for a single user, and specification of default install properties.

  The default install properties allow an administrator to configure the plug-in to connect to the WS_FTP server. To complete the configuration, each user will need to enter their WS_FTP password (and possibly their username). In most cases, after using the silent install or group policy, the username will be already configured on the end user's computer.

  Also, when using the Group Policy to deploy the plug-in, the installation program is now run by the "System" user, which fixes a defect in the previous version.

  For more information, see the "Ad Hoc Transfer Plug-in for Outlook Install Guide," on the WS_FTP Support site.

  This release also brings a roll-up of enhancements and bug fixes from ongoing maintenance efforts. For more information, see the "Fixed in 7.6" section.

New in 7.5.1

Version 7.5.1 introduces failover support to the WS_FTP Server family of products. You can now deploy WS_FTP Server on a two-node failover cluster in a Windows Server environment using Microsoft Cluster Services (MSCS) or Microsoft Network Load Balancing (NLB). The failover solution consists of one "active" and one "passive" node, each running identical configurations of WS_FTP Server. If the primary node is unavailable, or if a server (FTP or SSH) is unavailable on the primary node (MSCS only), processing switches over to the secondary node. This two-node configuration uses shared resources for the user database, configuration data (SQL Server), and the file system for user directories and log data.

Version 7.5.1 also includes multiple SSH improvements:

• Users are now able to use multiple SSH user keys to authenticate to SSH servers.
• Administrators can require multiple authentication factors (password and SSH user key) for users authenticating to an SSH server.

New in 7.5

Version 7.5 introduces the Ad Hoc Transfer capability to the WS_FTP Server family of products. Ad Hoc Transfer lets your users send file transfers to an individual, rather than to a folder or file transfer site. Files can be sent to any valid email address, meaning you do not have to maintain accounts for all recipients, or set up temporary accounts.

Files sent via Ad Hoc Transfer are stored in a folder on the WS_FTP Server computer. Recipients receive a notification in their email inbox, and click on a web link to access the posted files.

As the administrator, you can set options that require Ad Hoc Transfers to be password protected, and to manage the size and availability of an Ad Hoc Transfer "package," which is the user-generated email message plus associated files.

The Ad Hoc Transfer Module provides two ways for a WS_FTP Server user to send a transfer:

• The Ad Hoc Transfer Module web interface: Users can open this interface in their web browser to send a file transfer "package" and view recently sent packages. You can set the options, such as password protection and notification on delivery, that are available to users. You provide to users the web address that they will use to access Ad Hoc Transfer Module. No installation is required on the user's computer.
• Microsoft Outlook: Users can send a file transfer "package" by creating a new message in Outlook, attaching the files, and selecting Send Secure (rather than Send). You can set the options, such as password protection and notification on delivery, that are available to users. Users will need to install the Ad Hoc Transfer Plug-in for Outlook.

New in 7.1

Version 7.1 includes the following new features:

• Support for Windows 2008. You can now install WS_FTP Server and each of its features on a Windows 2008 Server. The install will activate several Windows 2008 roles and features (see the WS_FTP Server Getting Started Guide for details). WS_FTP Server is compatible with 32 and 64-bit versions.
• VMWare ESX (32-bit) Support. You can now install WS_FTP Server on virtual machines you have hosted on ESX servers.
• New Email Notification Variables. There are now new variables that you can use to trigger notification emails. Notification variables now include transfer type ("ASCII" or "Binary"), IP addresses of clients performing an action, the server host of a user attempting an action, and the size of a file uploaded or downloaded.
• SMTP Authentication. WS_FTP Server now supports authentication for SMTP servers. If you activate SMTP Authentication in WS_FTP Server Manager, when connecting, the server will submit the username and password you entered.

New in 7.0

Version 7 introduces a third product offering, WS_FTP Server Corporate, to the WS_FTP Server family of products. WS_FTP Server Corporate offers a convenient way to purchase the full range of secure, managed file transfer functionality that we provide. For a description of each of the WS_FTP Server product offerings and the major features included, see WS_FTP Server Product Family.

Version 7 is a major release that includes the following new features:

• Blocking of IP addresses that attempt multiple concurrent connections.

  The IP Lockouts feature is designed to thwart dictionary attacks, which can shut down a server by flooding it with connection requests. WS_FTP Server can monitor connection attempts, identify possible abuse, and deny access to the FTP and SSH servers for the offending IP address.

  The IP Lockouts feature lets the administrator set the criteria for blocking an address (or subnet range), manually add an approved address to the whitelist, or manually add a problem address to the blacklist.

  From the Server Manager, select Server > IP Lockouts.

• Support for LDAP databases for user authentication (with failover) to leverage existing corporate databases.

  WS_FTP Server supports standard implementations of LDAP, including Microsoft's Active Directory, OpenLDAP, and Novell's eDirectory. Administrators can configure a WS_FTP Server host to use an LDAP database for the user database. Failover to a secondary LDAP database is supported, and communications are secured via SSL.

  The LDAP user database option is selected from the Create Host page. Selecting Configure opens the LDAP Configuration page.

• Support for Secure Copy (SCP2) transfers, to provide a secure version of the remote copy capability used in UNIX applications. (WS_FTP Server Corporate)

  WS_FTP Server supports SCP2 protocol (i.e. SCP over SSH2), which leverages SSH to provide authentication and secure transfer. In addition, the WS_FTP implementation of SCP2 has the benefit of leveraging any users, rules, and notifications created for the WS_FTP server host. For an SCP client, users can use either OpenSSH or PuTTY SCP.

  The Enable Secure Copy (SCP2) is on the Edit Listener page when you select an SSH listener.

• FIPS 140-2 validated encryption of files, to support standards required by the United States and Canadian governments. (WS_FTP Server Corporate)

  FIPS 140-2 sets a standard for encoding data (cryptography) that is required of many military and government organizations. WS_FTP Server provides FIPS 140-2 validated ciphers to encrypt file transmissions. The administrator can enable FIPS mode for the FTPS and SSH services.

  FIPS mode does not apply to FTP and HTTP services. FIPS mode ensure that all secure listeners use FIPS 140-2 validated cryptographic algorithms. If you use the default WS_FTP Server certificate, you will have to create a new certificate.

  The Operate in FIPS 140-2 Mode option is on the System Details page.

• Updated home folder options: A new user option to Show home folder as root can hide the directory path to the user's home folder. This option is used with the Lock user to home folder option to improve security of user folders. Both options are on the Edit User page when you select an individual user. To set either option to apply to all users, use the iftpaddu program, found in:
  • 32-bit: C:\Program Files\Ipswitch\WS_FTP Server
  • 64-bit: C:\Program Files (x86)\Ipswitch\WS_FTP Server
• SSH User Level Key Management: SSH user keys can be imported and exported to and from Windows, Unix and Linux systems. You can now import OpenSSH keys in the same way as you would other types of SSH keys.
• Enhanced SSL Certificate Support: The WS_FTP Server Trusted Authorities database now supports SSL certificate chains containing either the full chain or just the peer level certificate. Also, SSL Certificates now support more than 2 characters for the State/Province.
• SSH Listener Options: Support for suppressing the server identification and version (WS_FTP_SSH_7.0) from being displayed on the login banner, preventing users from attempting malicious actions on the SSH server based on the server identification and version.
• Notification variables: Added %emailaddress variable, which returns the email address of the user that attempted the action.
• License Activation Support: During installation, if an install executable does not have an active license, a license dialog will prompt the user for a serial number, MyIpswitch username, and password. A license activation shortcut will also be available in the Windows Start Menu (Programs > Ipswitch WS_FTP Server > Activate or Refresh WS_FTP Server License), so that the user can activate a license after installation.

System requirements for WS_FTP Server

Tip: If a listed requirement is hyperlinked, you can click the link to get more information on obtaining and installing that prerequisite.

WS_FTP Server

Supported Operating Systems

For a standalone WS_FTP Server installation:

Operating System	Edition	Service Packs	Supported Versions
Windows Server 2012 R2	Standard Datacenter		64-bit: English
Windows Server 2012	Standard Datacenter		64-bit: English
Windows Server 2008	Standard Enterprise	SP2 or later	32-bit: English and German 64-bit: English
Windows Server 2008 R2	Standard Enterprise		64-bit: English

For a WS_FTP Server failover cluster using Microsoft Clustering Services:

Operating System	Edition	Service Packs	Supported Versions
Windows Server 2012 R2	Standard Datacenter		64-bit: English
Windows Server 2012	Standard Datacenter		64-bit: English
Windows Server 2008	Enterprise	SP2 or later	32-bit: English
Windows Server 2008 R2	Enterprise		64-bit: English

For a WS_FTP Server failover cluster using Microsoft Network Load Balancing:

Operating System	Edition	Service Packs	Supported Versions
Windows Server 2012 R2	Standard Datacenter		64-bit: English
Windows Server 2012	Standard Datacenter		64-bit: English
Windows Server 2008	Standard Enterprise	SP2 or later	32-bit: English
Windows Server 2008 R2	Standard Enterprise		64-bit: English

System Requirements

• Microsoft .NET Framework 2.0

  If you plan to install the WS_FTP Server Web Transfer Client, make sure that Microsoft .NET Framework 3.0 is installed.

• ASP.NET (via IIS) and .NET 3.0 or 3.5 for Web Transfer Module, Ad Hoc Transfer module, and WS_FTP Server Corporate
• Broadband connection to the Internet (recommended)
• During installation, you can select Microsoft Internet Information Services (IIS) as your web server (instead of WS_FTP's Web Server). If you choose this option, you need to have Microsoft Internet Information Services (IIS) 7.0 or later installed on your computer.
• The default database for configuration data is PostgreSQL 8.3.20 (local only).
• During installation, you can select Microsoft SQL Server as your database for configuration data. If you choose this option, you must use one of the following versions:
  • Microsoft SQL Server 2014 Express, Standard, or Enterprise versions (local or remote)
  • Microsoft SQL Server 2012 or 2012 R2 Express, Standard, or Enterprise versions (local or remote)
  • Microsoft SQL Server 2008 or 2008 R2 Express, Standard, or Enterprise versions (local or remote)

Recommended Hardware

The minimum recommended hardware is the same as recommended for Windows Server 2008. (For more information, see the Windows Server information on Microsoft's web site.) If you are using a later version operating system, you should meet the hardware requirements for that system.

Component	Requirement
Processor	Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor) Recommended: 2 GHz or faster
Memory	Minimum: 512 MB RAM Recommended: 2 GB RAM or greater Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter) Maximum (64-bit systems): 32 GB (Standard) or 1 TB (Enterprise and Datacenter) or 2 TB (Itanium-Based Systems)
Available disk space	Minimum: 10 GB Recommended: 40 GB or greater

Virtualization Requirements

• VMware ESXi 4.0 (32-bit and 64-bit guest operating systems) and ESX 5.0
• Microsoft Hyper-V 1.0 on Windows 2012; Windows 2008 64-bit (32-bit and 64-bit guest operating systems)

Ipswitch Notification Server

All requirements for WS_FTP Server (above), plus:

• Broadband or dial-up connection to the Internet (required for email notifications sent from outside of the local area network)
• Modem and phone line required for pager and SMS notifications (optional)

Ipswitch Notification Server is a part of WS_FTP Server and is typically installed on the same machine.

WS_FTP Server Manager

The WS_FTP Server Manager provides web-based administration from the local machine and also allows remote management of the server.

Server Requirements:

• WS_FTP's Web Server (included in installation package) or Microsoft Internet Information Services (IIS) 7.0 or later.

Client Requirements:

• Microsoft Internet Explorer 9, 10 or 11 (Windows only); Mozilla Firefox 16 or later, Google Chrome 21 or later, Apple Safari 5 or later (Mac-only)
• Enabled Javascript support in the Web browser
• Enabled Cookie support in the Web browser

WS_FTP Server Server Manager is a part of WS_FTP Server and is installed on the same machine.

Installing WS_FTP Server on Windows Server 2008 or 2012

The WS_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation, Windows Server does not turn on non-core operating system components. However, before installing WS_FTP Server, you should be sure that these changes conform to your organization’s security policies.

When you install WS_FTP Server, the install activates the following 2008 Server roles:

• ISAPI Extensions
• Windows Authentication
• ASP

Note: If you are installing the WS_FTP Server Web Transfer Client, there are additional components activated. See "System requirements for WS_FTP Server Web Transfer Client" below.

Installing WS_FTP Server

For detailed instructions for installing and configuring WS_FTP Server and activating a new or upgraded license, see the WS_FTP Server Installation and Configuration Guide.

Fixed in 7.7

The following issues were addressed in V7.7:

• Directory traversal vulnerability with WinSCP and WS_FTP Server

  Fixed a problem that allowed a user to write to another user's home folder, for which the first user had neither read nor write permissions. User was able to upload files and overwrite files in directories to which he did not have permission by including double backslashes (%5c) in the file name.

• Session fixation vulnerability

  An attacker could impersonate a user by abusing an authenticated session ID (SID). Fixed this issue by renewing the session ID when a user logs in.

• Unable to create SSH User key with no passphrase

  When creating an SSH User Key, a passphrase is supposed to be optional, but was resulting in an error when no passphrase was included. This has been fixed to handle the case when no passphrase is included.

• Web Transfer Module install breaks Remote Desktop connection

  After installing the Web Transfer Module, Remote Desktop sessions to the server no longer work due to an issue with the certificate on the server. This issue was fixed within the Web Transfer Module install program.

• Remember My Password remove from login page of Web Transfer Module and Ad Hoc Transfer Module
• Issue creating new SSL certificates

  In version 7.6.3, when creating a new SSL certificate the following error message may display: "Wrong number of arguments or invalid property assignment". The error occurs for all three key sizes. The issue has been fixed.

• WS_FTP Server Manager showed user as expired when account was not expired

  If host default was set to automatically delete expired users after X days, and new user was created and set to expire X amount of days after last login, the user would appear as expired in the Users list. This issue has been fixed.

• When creating a virtual folder using the WS_FTP Server Manager, screen is showing the Get Value instead of number of days

  When using the WS_FTP Server Manager and creating a new Virtual Folder, the Get Value was shown after saving the settings, instead of the default or days set for files and subfolders. When returning to the newly created virtual folder, it does then display the correct days. Worked correctly with IIS WSFTP Server Manager. This issue has been fixed.

• Directory Listing not possible over SSH

  If "Auto create users' home folders" is disabled and the user has "Lock user to home folder" enabled and the home folder doesn't exist, an exception occurs. This exception handling issue also caused:

  • Intermittent active directory authentication issues: Periodically when logging into the SFTP the user will be told their credentials are invalid. When it happens this error shows in the SFTP log with advanced logging enabled: _IsUserInGroup(USERNAME) failed - user does not have group membership. These are accompanied by eventlog error messages.
  • Wrong impersonation user for session due to connect/disconnect timing issue: When users from different hosts that use different impersonation users, connect and/or disconnect concurrently, there is a chance that a timing issue results in the SSH service using the wrong impersonation user for that session. This results in "Failed to obtain landing folder" since it attempts to access the home folder with the wrong username after the connection. This issue occurred infrequently

  Updated exception handling code to fix these issues.

• Bulk SSH connections with NONE authentication attempts were treated as failed logins, which triggered IP Lockouts and Login Rules

  Modified the code so the logon count is not incremented if the logon is auth-none and this a multi-factor authentication. This will still increment failures in the secondary check. On the host, set IP Lockout Settings > Failed Connection attempts to 11.

OpenSSL Issues

• Upgrades to 7.6.3 resulted in broken web modules (WTM and AHT)

  After upgrading to WS_FTP Server 7.6.3, some customers could not install or log in to the web modules (Web Transfer Module and Ad Hoc Transfer). This issue is fixed by the new version of OpenSSL (libeay32.dll, ssleay32.dll).

Fixed in 7.6.3

The following issues were addressed in V7.6.3:

• LDAP login fails. Blank BindRequest sent during connection

  Added a new LDAP configuration option "Force Simple Binding" that when enabled, will default back to the simple binding method used in pre-7.6 versions of WSFTP Server.

• User can get to Change Password page without providing correct password

  If the administrator had set Force Change Password on an account and that user then attempted to log in, that user did not have to provide the correct password for the change password dialog to appear. Fixed this so that now the user must provide the correct current password before being allowed to change the password.

• STAT command is case-sensitive

  Difficulties were experienced when downloading files from WS_FTP Server using Coldfusion, or OpenSSH command line clients and SFTP. The openSSH and ColdFusion clients issued a STAT command before attempting to download the file, and if the STAT command failed, they never attempted to read the file. In WS_FTP Server, the STAT command failed if the filename was not issued with the exact filename (matching case). There was a case-sensitive comparison of the filename when the STAT command was issued. Fixed this issue.

• Unsecure Cookies Parameter on Web Application

  Vulnerability allowed an attacker to commit theft over cookies that do not using a secure parameter (in https). During the sniffing process, the attacker can see the current value of the cookies to be used for login. For WTM and AHT, all cookies now use the "HttpOnly" flag, and if the connection is secure, they also use the "Secure" flag.

• Notification Variable: %Status returns Failed when files are downloaded using SFTP (binary mode) on Filezilla 3.6 or WinSCP 5.1

  There was a failure to check the proper variables when determining whether or not a whole file had been downloaded, which led to the system thinking it had not downloaded the whole file when closing the connection. Fixed this issue.

• Blacklist Notifications do not display in GUI after upgrading from a version prior to 7.5 to version 7.6.

  After adding a blackout notification on the server, clicking save, restarting the services and then returning to the IP Lockout Settings in the Manager, the notification did not display. In 7.5 there was a modification to have blacklist notifications all show up regardless of the host, using ID '0' in the host_rules table for this rule. However, old entries in host_rules were not updated to use ID '0' when upgrading to 7.5+, so none of these rules would show up in the UI after an upgrade, as it explicitly looks for ID '0'. Fixed this issue.

• AHT Unable to download file if file name over 132 characters

  A file with a file name over 132 characters could be successfully uploaded to the Ad Hoc Transfer package folder, but when that file was downloaded, the filename would be truncated in the database and the download would fail with a 'file not found' error. We were using an array limited to 128 characters in one function where the file name was passed through. That array has been updated to 512 characters (matching the database field max), which fixes the issue.

• Unable to send email notification to more than 2 recipients (rcpt to) or if email address length exceeds 73 characters

  After setting an email notifications in WS_FTP Server to send to multiple email recipients, only the first two email accounts received notifications; no other users received notifications. This was a known issue related to a character limit with the Send To field in a telnet style email. An encoding function was being run against the list of 'To' addresses, which was adding some unnecessary additional characters which weren't needed. The encoding function no longer adds these unnecessary characters. The recipient list can now contain up to 500 characters.

• Linux SSH public key imports to WS_FTP Server, but will not authenticate until the SSH key is converted

  We were including comments at the end of the public key (which are auto-generated in Linux systems) as a part of the key itself, so the fingerprints being generated were inaccurate. The fix modifies the Server to not read those comments as part of the key during the login process, so administrators do not need to re-import any keys.

• ViewState variable is not strongly encrypted, which enables an attacker to view contents that could potentially reveal sensitive information

  Configuration changes were made to the application to ensure that the View State data is sufficiently protected by setting the viewStateEncryptionMode to "Always."

• Upgrade of WS_FTP Server 7.5.1.2 to 7.6 Build 444 took hours to complete (Windows Server 2008 32-bit with WS_FTP Server 7.5.1.2 upgraded to 7.6 Build 444)

  Replaced pkgmgr.exe with servermanagercmd.exe in the core and module installers. This has improved the performance of this piece of the install by approximately a magnitude of ten.

• Service Trusted Path Privilege exploit

  The exploit took advantage of the unquoted service paths vulnerability outlined in CVE-2005-1185, CVE=2005-2938 and CVE-2000-1128. The vulnerability took advantage of the way Windows parsed directory paths to execute code. Fixed this issue by placing double quotes around the path to the service when providing it to whatever function creates the service. Clean installs will now install services with quoted image paths. During an upgrade or maintenance, the WS_FTP Server installer will check existing service image paths and quote them if they currently aren't quoted.

• Change Directory (CD) commands are case-sensitive when changing into a virtual folder

  Affected only the CD into the initial virtual folder; sub-directories under that did accept either upper or lower case CD commands. Fixed this issue by modifying the query to allow case-insensitive searches.

• Ability to better control SSL version support in WS_FTP Server

  Customers needed the ability to disable SSL v1 and v2 in WS_FTP Server, but leave SSL v3 and TLS enabled on the server. PCI compliance scans were failing when SSL v2 was enabled. The only option was to disable all but TLS. Fixed this issue by adding a new option to the listener encryption settings page: "Enable TLS and SSL version 3."

• Entering a user name that beings with the letters "s," "g," or "d" in the WTM caused the password field to auto-fill with an invalid password after having logged on previously, requiring the user to clear the password field and manually enter the correct password.

  Fixed the issue by fine-tuning the way usernames are located from within cookies.

• Files larger than 2 GB cannot be downloaded, renamed or deleted via the WTM using Internet Explorer, and files larger than 2 GB cannot be renamed or deleted via the WTM using Firefox and Chrome but they can be downloaded. Browsers are also not reporting total file size of downloads correctly when the downloaded file size is larger than 2 GB.

  Fixed this issue. Previously, headers returned to the client for the file download included a negative file size if the file was larger than 2 GB, which caused IE to break and other browsers to not be able to report total downloaded file size. Files larger than 2 GB can now be downloaded, renamed, and deleted in all browsers and downloaded file sizes are correct.

• Large number of files in a user folder slows down the directory listing or results in failure to log on altogether in WTM

  We now allow 10 times the number of files/folders.

• Failover delayed due to slow stopping services

  On Windows Server 2008R2, if the WS_FTP Server and SSH Server services lose access to the SQL database, they remain in a prolonged stopping state. These services should each now take around 15-20 seconds to shut down if the database is down.

• When you have an SSL certificate larger than 2048-4096 installed in IIS and bound to the site, you receive an error when trying to install the modules. The following error is received: "There was an error serializing the security certificate. Setup will abort." Thereafter, login attempts fail. Fixed this issue to allow larger pre-existing SSL certificates.
• Web Module installation does not use existing certificate in IIS 8 but creates a new one in Windows Server 2012. When importing a certificate via IIS and the option to import into a new "Webhosting" certificate store is selected, the following warning now displays: "Unable to use the existing certificate bound in IIS because it's located in a certificate store other than Personal. The installation will continue with a newly generated self-signed certificate." Certificate will need to be in the personal store for WS_FTP Server to not create a new one.
• Secondary LDAP user database is not checked when primary LDAP user database is down.

  Server does not attempt to connect to the secondary LDAP server when the primary server fails. Fixed the issue by updating the DLL file for the LDAP connection.

• After removing machine IP from blacklist, WTM login continues to fail until IIS is reset.

  Fixed this issue. WTM wasn’t being notified when blacklist items were removed because it didn't have a 'heartbeat' process set up that was enabled for AHT/FTP/SSH. It should now behave the same as the other interfaces. It may take a few minutes, but now users will be able to log in after their IP has been removed from the blacklist without needing an IIS reset.

• SSH private key can be imported into an SFTP client without prompting for passphrase

  When the WS_FTP Server generates an SSH user key it prompts for a passphrase, but when that key is imported into an SFTP client the passphrase is never requested. The OpenSSL functions were not correctly generating the PEM-formatted key with encryption. Fixed this issue by specifying 3DES encryption when writing the key file.

• CTR ciphers are not added to all SSH listeners on upgrade (WS_FTP Server versions 7.1 to 7.6 Build 452 on 2k8G 32-bit MSSQL 2008 SP3/Internal Web Server)

  When multiple SSH listeners were created to listen on unique IP addresses and then WS_FTP Server was upgraded, not all SSH listeners would have the new CTR ciphers added, however, the ciphers could be added manually. Fixed this issue so that upgrading does add the CTR ciphers to the other listener IPs.

• Cannot reach syslog server with host name

  When entering details for a syslog server you could not use the host name and had to use the IP address. Fixed this issue by adding a function call to resolve the host names.

• Using PSFTP to move .tif files from one directory to another via SSH on the WS_FTP Server using the MV (Move) command caused intermittent system exception error within the FTP Server log files on Windows 2008 R2 64-Bit, MS SQL 2012 and PostgreSQL 8.3.20.

  There was a race condition where the permissions object could sometimes be released before it was accessed when checking permissions for a file. This issue is now fixed.

Fixed in 7.6

The following issues were addressed in V7.6:

• Ability to specify a port for the SMTP server in WS_FTP Server

  Administrators can now configure a custom port to be used when sending SMTP notifications; port 25 was required for all SMTP notifications prior to this update.

• PostgreSQL upgrade to fix security vulnerabilities

  The version of PostgreSQL used by WS_FTP Server has been upgraded from 8.3.12 to 8.3.20. This was done to resolve known security vulnerabilities with older versions of PostgreSQL.

• WS_FTP Server 7.5.1.2 services (FTP and SSH) fail and require a restart before they will accept connections again.

  A race condition on busy systems using FTP and/or SSH was capable of causing those services to crash due to corrupt memory. This bug has been fixed.

• Directory request with a folder name gives folder attributes rather than list of contents

  The commands "dir ." and "dir FolderName" were returning the attributes of the current folder, rather than the appropriate directory listings. This bug has been fixed.

• DoD OpenSSL version requirement

  The OpenSSL version used by WS_FTP Server has been upgraded from 0.9.8t to 1.0.1c. This upgrade was done to resolve known security issues with the older version of OpenSSL, as well as to add improved functionality that is only available in newer versions of OpenSSL.

• Security scan vulnerabilities listed for the SSL protocols in WS_FTP Server:

  CBC mode ciphers can now be disabled across the system by an admin, as this type of cipher has been found to be vulnerable.

  If you choose to disable the CBC ciphers, Ipswitch WS_FTP Professional versions before v12.4 will not be able to connect using SSH. Older versions of other FTP clients may also use CBC ciphers.

• Web Transfer Manager installer should not create SSL certificate if SSL is configured in IIS, or machinename certificate exists

  New installations of the Web Transfer Module and the Ad Hoc Transfer Module will now detect a pre-configured SSL certificate and use that cert instead of creating a new self-signed certificate.

• Ad Hoc Transfer transfers fail if the "files expire date" matches the maximum expiration date using MS SQL as the DB backend.

  A bug has been fixed that was preventing packages sent via the Ad Hoc Transfer module to be configured with the maximum expiration time allowed. This bug only occurred on systems using Microsoft SQL Server as the back-end database.

• Users cannot authenticate against an LDAP host when Active Directory displayname format includes a comma, for example: <lastname, <firstname>

  A bug has been fixed that was preventing Active Directory users from authenticating to WS_FTP Server when the user's display name within Active Directory contained a comma.

• Uppercase Folder names are modified to lower case in folders view as well as on the physical folder

  Folder names are modified after adding a user; for example if you have a folder named ABC, once you add a user and save it, the folder name display changes to "abc" in both the WS_FTP Server Manager and on the physical server machine where the folder resides.

• WS_FTP Server will not authenticate when password contains '\'

  A bug has been fixed that was preventing users from logging in when their password contained a backslash.

• LDAP plugin now supports a Read-only Active Directory Server

  The LDAP plugin has been updated to support accessing Read-Only Active Directory (RODC) servers. Previous versions of the plugin were incompatible with RODC connections and thus failed to authenticate the user.

• Ability to handle openSSH rename with leading "./" in the folder path

  A bug has been fixed that caused folder paths entered with a preface of "./" to fail if used with various SSH commands.

• AHT Download speed is very slow

  The download transfer rate of files from the Ad Hoc Transfer interface has been greatly improved.

• Renaming a virtual folder through a client connection results in physical folder deletion

  When a user renamed a virtual directory via FTP or FTP/SSL, the physical folder pointed to by the virtual directory was being deleted and its contents were being copied to a new physical folder within the location of the user's original virtual directory. This bug has been fixed, so that attempts to rename a virtual directory will only rename that virtual directory and will not result in any files being moved or deleted.

• Permissions search will not resolve groups, you can scroll to it only

  When adding permissions to folders, admins will now be able to search for group names that contain uppercase characters. This bug only affected systems running with a PostgreSQL back-end database.

• The Add User utility (iftpaddu.exe) returns an ERROR: Incorrect syntax when both -e and -n variables are used at the same time.

  The utility iftpaddu.exe has been updated to allow both the -e and -n parameters to be specified at the same time when adding users.

• User home folder deleted when user removed from Windows Database and synchronized

  User home folders will no longer be deleted when a user account is deleted via sync in the following scenarios:

  • The user home folder is the root folder
  • The user home folder is also another user's home folder
  • The user home folder is used by a virtual folder

Fixed in 7.5.1.2

The following issue was addressed in V7.5.1.2:

• Fixed an issue in V7.5.1 where SSH and FTP server services stop accepting connections after receiving a network error. The SSH or FTP server stopped receiving new connections when it received this network error:

  10054 Network Error

  Failed to accept client connection: An existing connection was forcibly closed by the remote host.

  Users would restart the server service before it started to accept new connections.

Fixed in 7.5.1

The following issues were addressed in V7.5.1:

• Fixed a security vulnerability where an attacker could exploit a cookie vulnerability to expose passwords for the Server Manager, Web Transfer Module, and Ad Hoc Transfer module web interfaces.
• Fixed issue where administrators were unable to save changes to a user's home folder path when it was entered manually in the Server Manager.
• Idle sessions were not closing in WS_FTP Server. The server now closes sessions that have been idle for the specified timeout period. Administrators can also terminate idle sessions from the Session Manager page in the Server Manager.
• Silent uninstall of WS_FTP Server has been changed to silently deactivate the server license, even if there is no network connectivity. This will prevent an offline deactivation pop-up window.
• Internet Explorer 8 displayed error messages when viewing help files for Ad Hoc Transfer module and Web Transfer Module. Fixed Javascript errors in the English and German help systems for both the modules.
• Users now see explanatory messages and detailed messages are now written to the system log when uploads fail while sending Ad Hoc Transfer packages due to impersonation account errors.

  If the impersonation account is incorrectly configured, the user sees the message "Send files failed - data access error, contact system administrator." If the impersonation account does not have permissions to read and write to the folder where Ad Hoc Transfer packages are stored, the user sees the message "Send files failed - system account error, contact system administrator."

• Documentation updated to support backup utilities on 64-bit systems.
• In WS_FTP Server Manager Help, "Removing users from groups" no longer appears as "Adding Users to a User Group."
• Upgraded PostgreSQL to 8.3.12 to eliminate security vulnerabilities from previous versions.
• Upgraded zlib to 1.2.5 to fix some bugs and implement some security enhancements. See http://www.zlib.net for more information.
• Fixed bug where some SFTP clients cannot retrieve a directory listing if the folder contains paths or files with filenames that contain special UTF-8 characters such as French characters (like é, à or ô) or German characters (like ä, ë, or ö).
• The certificate import utility certimport.exe has been reintroduced in V7.5.1. It can be found in:
  • 32-bit: C:\Program Files\Ipswitch\WS_FTP Server\Utilities
  • 64-bit: C:\Program Files (x86)\Ipswitch\WS_FTP Server\Utilities
• Fixed bug in the Ad Hoc Transfer module that caused AHT to become inaccessible after reinstalling AHT with the Repair option.

Fixed in 7.5

• Fixed a defect that caused notification variables (%Dir,%File, %ToFile and %FmFiles) to not display the correct file path when executed from a folder action rule on a virtual folder.
• Fixed a defect in v7.1 that caused %File and %Dir notification variables to not work.
• Fixed a defect in v7.1 that caused downloads via the Web Transfer Module to fail when the files were on a network (UNC) drive.
• Fixed a defect that caused the SSH server service to stop accepting connections due to the incoming packet size setting in the SSH client.

Fixed in 7.1

The following issues were addressed in 7.1:

• Users upgrading from versions 5 to 7 or 6 to 7 were getting error messages (“Error 1053”). This was due to a problem in the Ipswitch licensing system, which was resolved for 7.1.
• Some clients on non-Windows OSs had problems connecting to WS_FTP Server. This was due to a problem with a newly-introduced security feature and was resolved.
• Tumbleweed and other clients using the JScape SSH Factory for .NET were getting errors when connecting to WS_FTP Server. The new version of Server has been modified to fix this problem.
• In WS_FTP Server Manager, when creating a SITE command, the system failed to save when double quotes were used in the path. This problem was corrected for 7.1.
• In WS_FTP Server Manager, some users were seeing multiple passwords reset at the same time when individual users took the action of resetting their password. A fix included in 7.1 addressed this problem.
• When you use the "Show home folder as root" option, the PUT / STOR commands to move files to subfolders were not working. All commands now work as expected.
• After a period following installation, users were not able to log into the WS_FTP Web Client. This was due to a problem setting permissions on folders. This problem was addressed for 7.1.
• In some cases, notifications were not triggered for files upload via the Web Client. This had do to with OS level permissions in specific folders, and has been resolved.
• FTP sessions, in certain cases, were failing with "unsupported SFTP feature" errors when STAT / commands were issued. This has been addressed.
• When shutting down WS_FTP Server on the Windows 2003 OS, some users were receiving runtime errors. This was corrected.
• In some cases, on WS_FTP Server 7.0, when you configured two hosts with two separate domains using LDAP, the separate configurations were not successfully saving, and appeared as identical. This has been fixed.
• WS_FTP Server's Web Admin application had several cross-site scripting (XSS) vulnerabilities of low to moderate severity in versions 6.x and 7.0. These could allow remote attackers to inject arbitrary web script or HTML into pages of the web-based administration interface. These have all been addressed. (Thank you to Paul Hand, CEH for bringing these to our attention.)

Fixed in 7.0

The following issues were addressed in this release:

• WS_FTP Server: SSL Certificates now support more than 2 characters for the State/Province.
• WS_FTP Server: Linux/Unix public keys can now be imported successfully.
• WS_FTP Server: Fixed a defect that caused an SSH connection attempt to fail for some clients and displayed the message “Bad remote protocol version identification: 'SSH-2.0' "
• Web Transfer Module: Fixed a defect that caused the installation to fail (and display a 1720 error) when installing the WS_FTP Server Web Transfer Client on a 64-bit Windows operating system.
• Web Transfer Module: Fixed a defect that caused a failed download if the selected file's name had been truncated in the display.
• Web Transfer Module: Fixed a defect that caused a download of a file with a Chinese file name to fail. The IE and Firefox browsers can now support a multi-byte character set filename, though the Safari browser cannot.

Known Issues in Windows 2012R2

Cannot open WS_FTP Server Manager via the Metro UI programs list.

The workaround requires that you modify your local security policy:

1. Press the Windows key + R to bring up the Run box, and then type secpol.msc. Press Enter.
2. On the Local Security Policy window, navigate to Security Settings > Local Policies > Security Options.
3. On the right panel, double-click on the option User Account Control: Admin Approval mode for the Built-in Administrators Account and enable it.
4. Click Apply and exit Local Security Policy.
5. Press the Windows key + R to bring up the Run box, and then type regedit. Press Enter.
6. On the Registry Editor window, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI. On the right side, double-click on default and change the value to 0×00000001(1). Click OK.
7. Restart your computer. Now you should be able to run Modern UI Apps using the Built-in Administrator account.

Note: If http://127.0.0.1 has not already been added to the Trusted Sites you will see an error page:

This page can’t be displayed.
Make sure the web address is correct.
Look for the page in your search engine.
Refresh the page in a few minutes.

You will need to add http://127.0.0.1 to the Trusted Sites through the desktop Internet Explorer page. You can also go to Internet Explorer > Internet Options > Security tab > Trusted Sites > Sites and add 127.0.0.1 to the list of trusted websites. For more information, see Adding a website to your browser's Trusted Sites.

Known Issues in All Versions

OpenSSL conflicts when installing WS_FTP Server V7.5.1 or later

The WS_FTP Server 7.5.1 and 7.6 installation programs install a new version of the OpenSSL library. The new version (OpenSSL 0.9.8p for 7.5.1; OpenSSL 1.0.1c for 7.6), is required and gets installed to the installation folder (the default is: C:\Program Files\Ipswitch\WS_FTP Server).

If the installation program finds a version of the library in the Windows system folders, it will stop the installation and ask you to move or rename the library files. If these library files are used by other programs, you want to make sure that you retain a copy of them. We suggest you create a backup in another folder, or rename these files, then remove the files from these locations:

32-bit OS	64-bit OS
C:\Windows\libeay32.dll	C:\Windows\libeay32.dll
C:\Windows\ssleay32.dll	C:\Windows\ssleay32.dll
C:\Windows\system32\libeay32.dll	C:\Windows\SysWOW64\libeay32.dll
C:\Windows\system32\ssleay32.dll	C:\Windows\SysWOW64\ssleay32.dll
C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll	C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll
C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll	C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll

Upgrading WS_FTP Server V7.5 to V7.5.1 or later (PostgreSQL)

When upgrading a WS_FTP Server installation that uses a PostgreSQL database from V7.5 to V7.5.1 or later, you must install Microsoft .NET framework 3.5 or 3.5 SP1 before running the installer to upgrade, otherwise the installer will halt the installation.

IP Lockouts do not carry over failed logon attempts after cluster failover

When a cluster fails over from node 1 to node 2, the number of failed logon attempts does not carry over to node 2. Therefore, the server does not lock out the user even if the failed logon count is cumulatively greater than the limit set by the IP Lockouts rule since the failed logon count per node is less than the IP Lockout rule allows. Once a user fails a number of logons on a single node equal to the IP Lockouts limit, then the user is locked out.

For example, assume a user account’s IP Lockouts rule is set to blacklist the user after 5 failed attempts. If a user fails to log on 3 times while node 1 is the active node and then the cluster fails over, the user will have to fail 5 more log on attempts on node 2 in order for WS_FTP Server to blacklist the user because the failed attempts do not transfer between nodes.

Currently, there is no work around for this issue.

See IP Lockouts do not carry over failed logon attempts after cluster failover in the Ipswitch Knowledge Base for more information.

Unhandled exception when using AHT and switching nodes after a failed send

When a cluster fails over from node 1 to node 2 while an Ad Hoc Transfer user attempts to send a package from the AHT site, the file transfer fails, the user is logged out, and the browser displays the Microsoft error "Internet Explorer cannot display the webpage." After node 2 becomes the active node, users attempting to log on to the AHT site again receive an error message about an unhandled exception.

To resolve this issue, the user must restart the browser session before logging back onto the site. Then the user can send packages normally.

See An unhandled exception when using AHT and switching nodes after a failed send in the Ipswitch Knowledge Base for more details and the content of the exception.

Unable to resume transfer or delete file after failover

When a cluster fails over from node 1 to node 2 during an upload, the transfer fails and the file transfer client‘s connection to the cluster drops (the message is "Connection is dead"). The upload does not resume when the user logs back into the server. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file, presumably waiting for the client to (possibly) reconnect. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer.

To delete the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify the file again.

See Unable to resume transfer or delete file after failover in the Ipswitch Knowledge Base for more information.

Unable to delete files in the Web Transfer Client after failover

When a cluster fails over from node 1 to node 2 during an upload using the Web Transfer Client, both the browser session and the file transfer fail. When the user logs back in, the upload does not resume. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer, or overwrite the file on another upload attempt.

To delete or overwrite the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify files again.

See Unable to delete files in the Web Transfer Client after failover in the Ipswitch Knowledge Base for more information.

Error connecting in FIPS mode (FIPS mode cannot use the pre-7 default SSL certificate)

If you installed WS_FTP Server 6.x with the default SSL certificate, when you upgrade to WS_FTP Server 7.x, that default certificate is maintained. If you then enable FIPS mode, which requires the use of FIPS-validated ciphers in the certificate, the default certificate will cause a connection error when a user attempts a secure connection. The server log will show the following error:

Failed to begin accepting connection: SSL failed to load key file. Non-FIPS algorithms might be used in the selected SSL certificate.

To work around this issue, you need to use a certificate that uses a FIPS-validated algorithm, such as SHA1. You can select to use your own certificate, or create a new certificate in the WS_FTP Server Manager (from the Home page, select SSL Certificates).

IIS notes

• Prior to installing, the Microsoft Internet Information Services Web site on which you intend to install WS_FTP Server Manager must be configured to use a port that is not already in use. If another application, such as the Web server included with Ipswitch WhatsUp Gold, is operating on the same port as the Web site, you must take one of the following actions:
  • change the port used by the existing application.
  • configure the Web site to use a port that is not already in use.
• The setup program makes the following changes to your IIS configuration:
  • On the Web site, Web Services Extensions will be set to Allow ASP Pages.
  • On the WSFTPSVR Virtual Directory, Enable Parent Paths will be enabled.
  • On the WSFTPSVR Virtual Directory, Application Pooling will be set to the Medium/Pool level.
• On 64-bit versions of Windows, if 32-bit applications are not allowed to run under IIS, a "Service Unavailable" error is displayed in the browser. To correct this, you must run the following command from the command line to enable 32-bit applications to access IIS:

  cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1

  After running the command, you must restart IIS.

• In some cases the install will display the error message Could not enable ASP. This typically occurs when Active Server Pages in the IIS Server Extension section have been enabled. To verify this:
  1. Right-click My Computer, then click Manage. The Computer Management console opens.
  2. Click Services and Applications > Internet Information Services > Web Service Extensions. The Web Service Extensions are displayed in the right-hand console window.
  3. Make sure that the Active Server Pages status is set to Allowed. If it is not, right-click Active Server Pages and select Allow.
  4. Close the Computer Management console.

If you specify a user other than the default user to serve as the run as user on the IIS virtual folder (if you are using Microsoft IIS as your web server), you may get a HTTP 401 error when you attempt to open the WS_FTP Server Manager. If this occurs, you must open the WSFTPSVR virtual folder in IIS and change the anonymous access user password to match the specified user's password.

Configuring the database for remote connections

By default, the Microsoft SQL Server database will only accept connections coming from the local system. To use a remote notification server, to allow multiple servers to share a data store, or to allow a remote Web Transfer Client connection, you have to enable remote connections.

Microsoft's Knowledge Base (KB) provides the following information on remote connections:

"When you try to connect to an instance of Microsoft SQL Server 2005 from a remote computer, you may receive an error message. This problem may occur when you use any program to connect to SQL Server. For example, you receive the following error message when you use the SQLCMD utility to connect to SQL Server:

Sqlcmd: Error: Microsoft SQL Native Client: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.This problem may occur when SQL Server 2005 is not configured to accept remote connections. By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections.

For instructions, see the Microsoft KB article: How to Configure SQL Server 2005 to Allow Remote Connections

Other notes

• If net.exe has been removed from the computer on which you want to install WS_FTP Server, you must create a user account to serve as the WS_FTP Server account in Windows before installing. The account name must begin with IPS_, and it is recommended that it be configured so that the password never expires.

  During the install, when you reach the Create User Accounts dialog, specify this username without the IPS_ at the beginning.

  For example, if you created a Windows user account called IPS_wsftpadmin, enter wsftpadmin for the username on the Create User Accounts dialog.

  Note: If you are upgrading a previous version of WS_FTP Server with hosts that use Windows NT user databases exclusively, the username you create must be IPS_ plus the username of an existing Windows NT user that has system administrator privileges in WS_FTP Server.

• If you select to install to a Web site that uses a custom host header or port, the desktop shortcut created does not use the host header or port. To correct this, you must create a new shortcut using the correct host header and port.
• When creating a rule for Failed Login, Folder Action, Quota Limits, or Bandwidth Limits, the Group Search function does not work.
• When upgrading a host using an external (ODBC) user database, you must manually set permissions to the external database file after the upgrade completes.

  When multiple hosts with firewall settings configured share a single listener, the firewall settings for the first of those hosts that a user logs into are applied to all of the hosts that share the listener and have firewall settings configured. Hosts that do not have firewall settings configured are not effected by this issue. We recommend that all hosts that are assigned to a common listener share the same firewall settings.

• If you create a virtual folder with the same name as a physical folder, in 6.1, the physical folder takes precedence for permissions purposes. (This has changed from 5.0, where the virtual folder took precedence.) A work around is simply to change the name of one of the 2 folders.

Uninstalling WS_FTP Server

1. In the Control Panel, select Add/Remove Programs.
2. Select Ipswitch WS_FTP Server, then click Change/Remove and follow the onscreen prompts to uninstall.

   The User Configuration Data Exists screen presents options for removing the configuration database:

   • Remove the WS_FTP Server configuration data from the data store
   • Remove the Ipswitch Notification Server configuration from the data store
   • Also, remove the PostgreSQL database server. (Note: You may have other databases on that server.)

   If you want to maintain the configuration data in the database, for example when you plan to upgrade or migrate to another database, make sure that these options are not selected.

For more assistance

For more assistance with WS_FTP Server, consult the following resources:

• Installation and Configuration Guide. This guide includes information on configuring the modules, failover clusters, custom installations, unattended "silent" installations, and uninstalling the product.
• User Guide. This guide describes how to use the application out-of-the-box. It is also useful if you want to read about the application before installing. To view the User Guide offline, select Start > Programs > Ipswitch WS_FTP Server > WS_FTP Server User Guide.
• Application Help. Contains dialog assistance, general configuration information, and how-to's that explain the use of each feature. The application help can be accessed from any page in the WS_FTP Server Manager by clicking Help.
• Ipswitch Knowledge Base. Search the Ipswitch Knowledge Base of technical support and customer service information.

Installing and Configuring the WS_FTP Server Web Transfer Client

Whether you purchased the WS_FTP Server Web Transfer Client as an add-on to WS_FTP Server or WS_FTP Server with SSH, or you received it with your WS_FTP Server Corporate purchase, you need to run the WS_FTP Server Web Transfer Client installation program. For system requirements, installation procedure, and release notes, go to Installing and Configuring the WS_FTP Server Web Transfer Client.

Installing and Configuring the Ad Hoc Transfer Module

The Ad Hoc Transfer Module is installed separately from WS_FTP Server. For system requirements, installation procedure, and release notes, go to Installing and Configuring the Ad Hoc Transfer Module.