Release Notes for WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH
In this File
About this document
This document contains information on how to install and configure WS_FTP Server and WS_FTP Server with SSH. If you are using WS_FTP Server, portions of this document pertaining to SSH do not apply.
The document also describes how to install and configure add-on modules for the WS_FTP Server and WS_FTP Server with SSH.
What is WS_FTP Server?
Ipswitch WS_FTP® Server is a highly secure, fully featured and easy-to-administer file transfer server for Microsoft Windows® systems. WS_FTP Server lets you create a host that makes files and folders on your server available to other people. Users can connect (via the Internet or a local area network) to your host, list folders and files, and (depending on permissions) download and upload data. Administrators can control access to data and files with granular permissions by folder, user, and group. Administrators can also create multiple hosts that function as completely distinct sites.
WS_FTP Server is proven and reliable. It is used by administrators globally to support millions of end users and enable the transfer of billions of files.
WS_FTP Server complies with the current Internet standards for FTP and SSL protocols. Users can connect to the server and transfer files by using an FTP client that complies with these protocols, such as Ipswitch WS_FTP Home or Ipswitch WS_FTP Professional.
WS_FTP Server with SSH also includes support for SFTP transfers over a secure SSH2 connection.
- Fully web-based administration for remote management
- Enhanced logging and reporting
- Connection port configurable by host
- Event-driven communication and automation
- Proven and reliable: Used by administrators globally to support millions of end users and enable the transfer of billions of files
- High availability architecture
Security and Compliance
- File integrity checking support
- Full support for file transfer using SFTP over SSH
- Implicit and explicit SSL support with up to 256 AES encryption
- Auto-expiring passwords and enhanced password controls
- Ability to hide login banner from client
- Support for non-repudiation of transfers (XSIGN command)
New in this Release (6.1.1)
The main purpose of this release of WS_FTP Server and WS_FTP Server with SSH is to allow for integration of the new WS_FTP Server Web Transfer Module. Several minor enhancements and bug fixes were also made in this release.
- WS_FTP Server Web Transfer Client
WS_FTP Server Web Transfer Client is a web application that runs with Microsoft Internet Information Server (IIS) and lets your WS_FTP Server users access their accounts via a browser (using HTTP).
No installation is required for the end user. The end user will open a web address in a browser and log on to their account using the Web Transfer Client.
You can enable Web Transfer access to any of your WS_FTP Server users. All existing user settings, rules, and notifications apply to the WS_FTP Server Web Transfer Client account.
For the end user, the Web Transfer Client offers easy, secure access via a browser, basic upload and download operations, and no client installation or maintenance.
For the administrator, WS_FTP Server Web Transfer Client provides secure file transfer via HTTPS, offers quick setup and rollout, and works the same across different operating systems and browsers.
For more information, see the WS_FTP Server Web Transfer Module Getting Started Guide and release notes.
The following enhancements were made to this release, along with several defect fixes.
- Date format specification (on System Details page of WS_FTP Server Manager): Sets the date display format for all of the WS_FTP Server Manager pages that display the date, and sets the format for text boxes where you can enter a date, including: auto expiring accounts, SSL certificates, Log Viewer. After you have selected a date format, the WS_FTP Server Manager will verify a date that you enter against the selected format. Note that these settings are cached by WS_FTP Server for up to ninety seconds. Changes made to these settings are not recognized until the services are restarted or the cache expires.
- Data channel timeout (on Edit Listeners page of WS_FTP Server Manager): When a client is disconnected from the server, this value sets the number of seconds after which the server will abandon the transfer of an uploaded file and release the lock from any partially uploaded file. The default is 60 seconds.
For a list of defects fixed in this release, see Fixed in 6.1.1 section in the WS_FTP Server Release Notes.
New in 6.1
The release of WS_FTP Server 6.1 and WS_FTP Server 6.1 with SSH introduces the following new features and fixes:
- Choice of databases: Administrators have the option to either use the embedded WS_FTP Server database (PostgreSQL) or integrate with an existing Microsoft® SQL Server for both user authentication and server system configuration (i.e access controls, user permissions, password policies, etc). This choice is made when running the installation program.
- Choice of Web Servers: Administrators can either use the embedded, standards-based Web server that ships with WS_FTP Server, or integrate with Microsoft Internet Information Services (IIS) for powering the Web administration interface of the WS_FTP Server. This choice is made when running the installation program.
- Silent Install for Fast Deployment of Multiple Servers: This feature lets administrators customize the installation and quickly deploy multiple servers with unattended "silent" installations. Silent install can automate product installation on both local and remote computers. For more information, see Appendix: Silent Install (in the
- Lock Files During Upload: This feature ensures version control of files by preventing different users from simultaneously uploading and downloading the same file. File lock during upload prevents users from downloading a file before it is fully uploaded to the server.
- Enhanced Password Management: This feature lets administrators force end users to change their password upon their initial login to the server. Administrators can also set policies that require users to reset their password at any time on an ongoing basis.
- For fixes in this release, see the Fixed in 6.1 section in the WS_FTP Server Release Notes.
: If a listed requirement is hyperlinked, you can click the link to get more information on obtaining and installing that prerequisite.
WS_FTP Server requires:
Ipswitch Notification Server requires:
All requirements for WS_FTP Server (above), plus:
- Broadband or dial-up connection to the Internet (required for email notifications outside of the local area network)
- Modem and phone line (required for pager and SMS notifications)
WS_FTP Server Manager requires:
- Microsoft Internet Explorer 5.1 or later, Mozilla Firefox 2.0 or later, Netscape Navigator (or other Web browser that is CSS2 and HTML 4.01 compliant)
- Enabled Cookie support in the Web browser
Upgrading from WS_FTP Server 6
Upgrading from 5.04 or higher
Upgrading from a version lower than 5.04
- Versions previous to 5.04 of FTP Server will not upgrade to Server 6 and will need to be upgraded to at least 5.04 before attempting an upgrade. If you need to upgrade your current server version to 5.04, please visit the Download Center.
Changes related to upgrades from WS_FTP Server 5
- After upgrading to WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH, some permissions may differ from the permissions granted in WS_FTP Server 5.x.
- The Anonymous user is no longer included in the Everyone group.
- When connecting via FTP or SFTP, host administrators and system administrators have expanded control over the folders on the host they administer. In WS_FTP Server 5.x, administrator permissions are determined by explicit permissions set on each folder. In WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH, administrators have full permission to all folders on the hosts they administer unless an explicit deny permission is set to limit permission.
- If any Folder Rules were applied to a user in WS_FTP Server 5.x that prevented him from completing an action, the upgrade creates a Deny permission on all affected folders to reproduce the restriction in WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH.
- Permissions that are set to propagate do not propagate into virtual folders.
- Mapped drives are no longer supported. Use UNC paths in place of mapped drives.
- The option in WS_FTP Server 5.x has been changed to in WS_FTP Server 6.0. This means that upgrading a host with the option enabled in WS_FTP Server 5.x forces clients to use SSL version 3.1 or higher in WS_FTP Server 6.0 instead of SSL version 2 or higher in WS_FTP Server 5.x.
- If the WS_FTP Server 5.x that you are upgrading is set to run as any user other than the default Local System, the upgrade changes the run as user to Local System. You may reset this after the upgrade is complete, or set the impersonation user on the host.
Installing WS_FTP Server
:If upgrading from a previous version of WS_FTP Server, before running the installation program, see the Upgrade Notes in the previous section.
During the installation, a host using the internal WS_FTP Server user database is created. You can create hosts using Microsoft Active Directory, Microsoft Windows, or other external user database types after the install is completed.
: Installing WS_FTP Server on a domain controller is not recommended.
: Installing WS_FTP Server via Terminal Services is not recommended. You can use Terminal Services to install subsequent WS_FTP Server updates and installations.
To install WS_FTP Server:
- If you are using Microsoft IIS as your web server, before you begin the WS_FTP Server installation, confirm that Microsoft IIS is running and that you can access the Web site on which you will install the WS_FTP Server Manager web application.
- If you received an installation CD, insert it into a drive. If the Welcome screen does not appear, select , and enter the drive path followed by launch.exe.
- OR -
If you downloaded the software from our Web site, double-click the executable (.exe) file to begin the installation.
- On the installation Welcome screen, click to read the release notes or to download and view an electronic copy of the Getting Started Guide. Click to continue. The License Agreement dialog appears.
- Read the license agreement carefully. If you agree to its terms, select and click . The Setup Type dialog appears.
- The Setup Type dialog lets you select from two installation methods, and .
- installs the WS_FTP web server and installs the following components to default locations: WS_FTP Server or WS_FTP Server with SSH, Ipswitch Notification Server, Ipswitch Logging Server, and PostgreSQL. The option to install WS_FTP Server with a Microsoft IIS web server, or with a SQL Server database, will not be available with express install.
- installation allows you to select the specific components you want to install and also specify locations for each component install. Custom install also allows you the option of using a Microsoft IIS web server and/or MS SQL Server database.
- Select the installation method you want to use, then click .
To use the express install option:
:The express installation option does not include the option of installing WS_FTP Server with Microsoft IIS as the web server, or Microsoft SQL Server as your database. If you wish to run WS_FTP Server with IIS or SQL Server, click the back button and choose the Custom install option.
- Enter the port that your WS_FTP Web Server will use. (The install will verify that the port is not in use.) Click .
- Verify or enter the fully qualified host name for this server. The installation program provides the host name of the server, but you may need to add domain information. This host name is used to create the first host.
- When you click , one of the following screens opens:
- . This screen opens if PostgreSQL database server was previously installed on your computer. Go to step 4.
- . Continue to step 5.
- In the box, enter a System Administrator Password for access to the system administrator (sa) account for the PostgreSQL database that hosts WS_FTP Server data. Click . The Enter Host Name screen opens.
- The Create User Accounts screen opens. Set the appropriate options.
- Click . The Ready to Install the Program screen opens.
- The install program is now ready to install the components you selected. Click . The install program installs and configures the components you selected. This may take a few minutes.
To use the custom install option:
- When you select the install option, the Select Features screen opens. Select the checkboxes next to the components you want to install. Click .
- Choose the database you wish to use for WS_FTP Server: PostgreSQL or Microsoft SQL Server (you will be asked for configuration values later in the install).
- For each component that you selected, confirm the where the install program will install the component. To choose a new folder, select and choose another folder. After you have made your selection, click . Repeat this step for each component (including the database components). When the destination folder for each component has been selected, the Select Web Host screen appears.
- Select the web server that you will use with WS_FTP Server. (If you select Microsoft IIS, be sure that IIS is running on the PC that you are installing to.) Click .
- If you chose the PostgreSQL database, enter the port that your WS_FTP Web Server will use. (The install will verify that the port is not in use.) Click .
- Next, enter the fully qualified host name for this server. The installation program provides the host name of the server, but you may need to add domain information. This host name is used to create the first host.
- When you click , one of the following screens apprears:
- . This screen opens if PostgreSQL database server was previously installed on your computer. Go to step 8.
- . Continue to step 9.
- In the box, enter a System Administrator Password for access to the system administrator account for the PostgreSQL database that hosts WS_FTP Server data. Click . The Enter Host Name screen opens.
- The Create User Accounts screen opens. Set the appropriate options.
- . Select the host on which you want to create a system administrator account (if you are using WS_FTP Server). If you are installing for the first time, only one host is available.
- . Enter a username. This username is used to create:
- a WS_FTP Server user (if applicable) to serve as the system administrator. This user belongs to the specified host, but is granted full system administrator permissions for all hosts on the server.
- a non-privileged Windows user account named
IPS_ plus the name you provide. For example, if you enter
admin, the Windows user is named
IPS_admin. This account is used by the configuration data store (PostgreSQL) and serves as the run-as user for the
WSFTPSVR Microsoft IIS virtual folder (if you use Microsoft IIS).
- and . Enter and confirm a password. This password is assigned to both the WS_FTP Server system administrator user (if applicable) and the Windows user account. Click .
: Your domain password policy may require that you use complex password rules. If so, make sure that you use a password that conforms to the domain requirements. The account will not be created without conforming to the domain password requirements.
: The Windows user account must comply with the security policies on your Windows server. Once the install completes, verify that the account is not set to expire at the next logon and that you are aware of any expiration policies that apply to the account.
- If you chose Microsoft SQL Server for your database (in step 2), next you will be asked to enter the Server's name or IP address with the instance name (formatted as Server/Instance), a Port number (the install autofills SQl Server's default value of 1433), the Master Database Username, and Password. Click .
- If you chose Microsoft IIS as your web server, the Web Configuration screen opens. In the dropdown, select the preferred Internet Information Services (IIS) Web site. Click .
- The Ready to Install the Program screen opens, which will install the components you selected. Click . This may take a few minutes.
Fixed in 6.1.1
The following issues were addressed in this release:
- The "TLS Only" option allowed connections using SSL v2, but would reject the connection during the login attempt. "TLS Only" now rejects connections during SSL negotiation.
- Clients with SSL session reuse and mutual authorization activated (requiring a client certificate) failed during second attempts to connect to the server. This problem has been fixed.
- File transfers were keeping files locked when network connections were suddenly dropped. This problem has been addressed by including a Data Channel Timeout for listeners.
Ipswitch would like to thank Secunia (secunia.com) for reporting the following issues, which have been fixed in this release:
- [SA28753] SSH Server Denial of Service vulnerability: A boundary error in the SSH Server Service could be exploited by passing an overly long argument to a command.
- [SA28822] The WS_FTP Server Manager log viewer vulnerability: HTTP requests for the FTPLogServer/LogViewer.asp script could be exploited allowing unauthorized log access.
- [SA28761] WS_FTP Server Denial of Service vulnerability: Overly large datagrams sent within a short time period could cause the log service to stop responding to log requests.
Fixed in 6.1
The following issues were addressed in this release:
- You can now generate an SSL certificate that uses the full State name (Georgia, Florida, etc), which is required when validating a CSR with Verisign. The previous release used a 2-letter abbreviation for State names.
- Fixed a defect that caused the WS_FTP Server Manager to display page errors (for the Host pages) when NTFS compression was used with folders on an FTP site. This also fixes the error seen when a client attempted to retrieve a directory listing of compressed folders.
- Using the MLSD command to display a directory listing in an FTP client caused the Modified date and time to be displayed incorrectly. It now displays correctly.
- When upgrading from 5.04, and using Internet Explorer to browse folders, some customers saw an invalid time stamp displayed for the file modified date. Time stamps now display correctly.
- When issuing a Port command using a script, if a leading zero was used (for example, 010), the Port command would fail. Leading zeros are now accepted in the Port command.
Ipswitch would like to thank Secunia (secunia.com) for reporting the following issues, which have been fixed in this release:
- [SA26529] WS_FTP Server Script insertion vulnerability: Parameters passed to valid FTP commands could insert arbitrary HTML and script code.
- [SA26040] WS_FTP Log Server Denial of Service vulnerability: An error within the WS_FTP Log Server (ftplogsrv.exe) could be exploited to crash a server.
- Prior to installing, the Microsoft Internet Information Services Web site on which you intend to install WS_FTP Server Manager must be configured to use a port that is not already in use. If another application, such as the Web server included with Ipswitch WhatsUp Gold, is operating on the same port as the Web site, you must take one of the following actions:
- change the port used by the existing application.
- configure the Web site to use a port that is not already in use.
- The setup program makes the following changes to your IIS configuration:
- On the Web site, Web Services Extensions will be set to Allow ASP Pages.
- On the WSFTPSVR Virtual Directory, Enable Parent Paths will be enabled.
- On the WSFTPSVR Virtual Directory, Application Pooling will be set to the Medium/Pool level.
- On 64-bit versions of Windows, if 32-bit applications are not allowed to run under IIS, a "Service Unavailable" error is displayed in the browser. To correct this, you must run the following command from the command line to enable 32-bit applications to access IIS:
cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1
After running the command, you must restart IIS.
- In some cases the install will display the error message Could not enable ASP. This typically occurs when Active Server Pages in the IIS Server Extension section have been enabled. To verify this:
- Right-click , then click . The Computer Management console opens.
- Click . The Web Service Extensions are displayed in the right-hand console window.
- Make sure that the status is set to . If it is not, right-click and select .
- Close the Computer Management console.
- If you specify a user other than the default user to serve as the run as user on the IIS virtual folder (if you are using Microsoft IIS as your web server), you may get a HTTP 401 error when you attempt to open the WS_FTP Server Manager. If this occurs, you must open the
WSFTPSVR virtual folder in IIS and change the anonymous access user password to match the specified user's password.
Operating system notes
- If installing on a Windows Server 2003 domain controller, some required user accounts may not be present. For more information, please see knowledge base article 827016 on the Microsoft Web site.
: Installing on a domain controller is NOT recommended.
- Microsoft Windows XP Systems NOT on a Windows domain may encounter problems creating and validating system administrator account entries against local system accounts during the install. To complete the install, a registry value must be edited. Launch Regedit and navigate to the key
HLKM\SYSTEM\CurrentControlSet\Control\Lsa. Find the value
forceguest. Set the value to
0 to allow account validation. Following the installation, this value may be set back to the original value; however, future installations may also require this change in order to install.
- To install on Windows XP, the Windows "Guest" account must be disabled. To disable the "Guest" account:
- Right-click on and select . The Computer Management console opens.
- Expand and select . The list of users appears in the main pane of the Computer Management console.
- Double-click . The Guest Properties dialog appears.
- Select and click .
- On servers running Windows 2000, you must enable the local security policy for the WS_FTP Server user account in Windows if you want to use Microsoft Windows or Microsoft Active Directory user databases. If you are upgrading on Windows 2000 with a WS_FTP Server host that uses Windows NT user database, you must set this policy for the user account under which you are logged in when you run the install program.
: Domain-level security policies override local security policies.
To enable the security policy for a user:
- From the Start menu, select . The Control Panel opens.
- Double-click . The Administrative Tools folder opens.
- Double-click . The Local Security Settings console opens.
- Expand , then select .
- In the pane on the right side of the window, double-click Act as part of the operating system. The Act as part of the operating system Properties window opens.
- Click . The Select Users or Groups dialog appears.
- Select the users for which you need to enable the Act as part of the operating system local security policy. When you are done, select .
- To ensure the changed policies are in effect, restart Windows.
For more information about this local security policy, see "Act as part of the operating system" on the Microsoft Web site.
Configuring the database for remote connections
By default, the database (whether PostgreSQL or Microsoft SQL Server) will only accept connections coming from the local system. To use a remote notification server, to allow multiple servers to share a data store, or to allow a remote Web Transfer Client connection, you have to enable remote connections - the following sections describe how to do this for each supported database.
Configuring PostgreSQL for Remote Connections
- On the computer where PostgreSQL is installed, open the file C:\Program files\PostgreSQL\bin\pgAdmin3.
The pgAdmin screen opens.
- Right-click , then select .
The Login dialog opens.
- Enter your password for the IPS_admin account (created when you installed WS_FTP Server), then click .
You are connected to the database.
- Double-click to expand the tree, then double-click .
- Select the database.
- Select . The Backend Configuration Editor opens.
- Select the option and set the value to: *
- Select .
- Select . The Backend Access Configuration Editor opens.
- Select the second type. Verify that it is enabled. If you need to edit settings, double-click the entry.
- The should include the CIDR subnet for the domain, for example:192.168.197.202/32. This is the equivalent of entering the address and a subnet of 255.255.255.255.
- should be set to: password
- Select .
- In the Windows Control Panel, go to Services and restart the service:
Configuring Microsoft SQL Server for Remote Connections
Microsoft's Knowledge Base (KB) provides the following information on remote connections:
"When you try to connect to an instance of Microsoft SQL Server 2005 from a remote computer, you may receive an error message. This problem may occur when you use any program to connect to SQL Server. For example, you receive the following error message when you use the SQLCMD utility to connect to SQL Server:
Sqlcmd: Error: Microsoft SQL Native Client: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.This problem may occur when SQL Server 2005 is not configured to accept remote connections. By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections.
For instructions, see the Microsoft KB article: How to Configure SQL Server 2005 to Allow Remote Connections
net.exe has been removed from the computer on which you want to install WS_FTP Server, you must create a user account to serve as the WS_FTP Server account in Windows before installing. The account name must begin with
IPS_, and it is recommended that it be configured so that the password never expires.
During the install, when you reach the Create User Accounts dialog, specify this username without the
IPS_ at the beginning.
For example, if you created a Windows user account called
wsftpadmin for the username on the Create User Accounts dialog.
: If you are upgrading a previous version of WS_FTP Server with hosts that use Windows NT user databases exclusively, the username you create must be
IPS_ plus the username of an existing Windows NT user that has system administrator privileges in WS_FTP Server.
- If you select to install to a Web site that uses a custom host header or port, the desktop shortcut created does not use the host header or port. To correct this, you must create a new shortcut using the correct host header and port.
- When creating a rule for Failed Login, Folder Action, Quota Limits, or Bandwidth Limits, the Group Search function does not work.
- When upgrading a host using an external (ODBC) user database, you must manually set permissions to the external database file after the upgrade completes.
When multiple hosts with firewall settings configured share a single listener, the firewall settings for the first of those hosts that a user logs into are applied to all of the hosts that share the listener and have firewall settings configured. Hosts that do not have firewall settings configured are not effected by this issue. We recommend that all hosts that are assigned to a common listener share the same firewall settings.
- If you create a virtual folder with the same name as a physical folder, in 6.1, the physical folder takes precedence for permissions purposes. (This has changed from 5.0, where the virtual folder took precedence.) A work around is simply to change the name of one of the 2 folders.
- Uninstalling WS_FTP Server
- In the Control Panel, select Add/Remove Programs.
- Select Ipswitch WS_FTP Server, then click and follow the onscreen prompts to uninstall.
The User Configuration Data Exists screen presents options for removing the configuration database:
- Remove the WS_FTP Server configuration data from the data store
- Remove the Ipswitch Notification Server configuration from the data store
- Also, remove the PostgreSQL database server. (Note: You may have other databases on that server.)
If you want to maintain the configuration data in the database, for example when you plan to upgrade or migrate to another database, make sure that these options are not selected.
Restoring WS_FTP Server 5.x
To return to WS_FTP Server 5.x from WS_FTP Server 6.0:
- Locate the registry files (.REG) in the WS_FTP Server installation folder (usually
C:\iFtpSvc\) and copy them to a safe location. These files contain the configuration information for WS_FTP Server 5.x. If you do not copy them to a safe location, they are removed when you uninstall WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH
- In the Add or Remove Programs window in the Windows control panel, select and select and follow the onscreen prompts to uninstall.
- Run the WS_FTP Server 5.x install program.
- Follow the onscreen prompts to complete the installation.
: If you originally installed to a folder other than
C:\iFtpSvc\, you must select on the Setup Type screen and specify the same folder.
- Locate and double click on the
IFTPSVC_BACKUP.REG file that you saved from the WS_FTP Server installation folder in Step 1. Select on the confirmation dialog that appears.
- Open WS_FTP Server Manager and verify that your server has been restored to the condition it was in prior to installing WS_FTP Server 6.1.1 and WS_FTP Server 6.1.1 with SSH.
: If you need to restore the Ipswitch Notification Server, you must save the .REG files from the Ipswitch Notification Server installation folder (usually
C:\iNotifySvc\) prior to uninstalling WS_FTP Server 6. Then, install Ipswitch Notification Server using the WS_FTP Server 5.x install program. When the install is complete, locate and double click the
INOTIFYSVC_BACKUP.REG file you saved from the Ipswitch Notification Server installation folder.
For more assistance
For more assistance with WS_FTP Server, consult the following resources:
- The Getting Started Guide includes information on custom installations, unattended "silent" installations, and uninstalling the product.
- . Contains dialog assistance, general configuration information, and how-to's that explain the use of each feature. The application help can be accessed from any page in the WS_FTP Server Manager by clicking .
- . This guide describes how to use the application out-of-the-box. It is also useful if you want to read about the application before installing. To view or download the User Guide, select .
- . Provides a resource for you to interact with other WS_FTP Server users to share helpful information about the application.
- . Search the Ipswitch Knowledge Base of technical support and customer service information.