Release Notes for WS_FTP™ Server 7.7, WS_FTP Server 7.7 with SSH, and WS_FTP Server 7.7 Corporate


7.7 Release Notes

Security Update: 7.7

Security Update: Release 7.7 includes OpenSSL 1.0.1l, which contains nine new security fixes described here: https://www.openssl.org/news/secadv_20140806.txt. These are DoS and SSL downgrade attack vectors that are applicable to WS_FTP Server.

Security Update: 7.6.3

Security Update: Release 7.6.3 includes all prior upgrades that addressed the Heartbleed vulnerability, and includes OpenSSL version 1.0.1h.

Security Update: 7.6.2.1 Patch

Security Update on SSL/TLS MITM (Man-in-the-middle) vulnerability (CVE-2014-0224): The recent vulnerability uncovered in OpenSSL has affected vendors and companies that rely on this near-ubiquitous open source security protocol. In basic terms, the vulnerability exposes an OpenSSL-to-OpenSSL exchange that uses the OpenSSL 0.9.8, 1.0.0 and 1.0.1 family of protocols to an attack. This vulnerability affects all releases starting with 7.1 through the 7.6, 7.6.1 and 7.6.2 versions of WS_FTP Server.

The WS_FTP Server 7.6.2.1 patch release upgrades OpenSSL to the 1.0.1h version, which removes this vulnerability.
Check your version number to see if you need to upgrade.

Note also that we have released updated install programs for the Web Transfer Module and the Ad Hoc Transfer Module. Neither of the modules is affected by the MITM SSL issue, but we updated the install programs to be compatible with the WS_FTP Server 7.6.2.1 patch release. You need to use the 7.6.2.1 versions of the install programs.

Security Update: 7.6.2 Patch

Security Update on Heartbleed SSL: Heartbleed SSL, the recent vulnerability uncovered in OpenSSL, has affected vendors and companies that rely on this near-ubiquitous open source security protocol. In basic terms, the vulnerability exposes any exchange that uses the OpenSSL 1.0.1 family of protocols to an attack. This vulnerability affects only the 7.6 and 7.6.1 versions of WS_FTP Server.

The WS_FTP Server 7.6.2 patch release disables the heartbeat function that exposed the vulnerability in the OpenSSL 1.0.1c version. A later release will provide an update to a version of OpenSSL (1.0.1g or later) that has addressed this issue.

If you have an affected version, you have already received a notification from the Ipswitch Security Team. Check your version number to see if you need to upgrade. Systems that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items.

Note also that we have released updated install programs for the Web Transfer Module and the Ad Hoc Transfer Module. Neither of the modules is affected by the Heartbleed SSL issue, but we updated the install programs to be compatible with the WS_FTP Server 7.6.2 patch release. If you are doing a new installation of these modules, you need to use the 7.6.2 version of the install programs.

About this document

This document contains information on how to install and configure WS_FTP™ Server, WS_FTP Server with SSH, and WS_FTP Server Corporate. Depending on which WS_FTP Server product you have purchased, portions of this document may not apply.

The document also describes how to install and configure add-on modules for the WS_FTP Server and WS_FTP Server with SSH.

What is WS_FTP™ Server?

Ipswitch WS_FTP™ Server is a highly secure, fully featured and easy-to-administer file transfer server for Microsoft Windows® systems. WS_FTP Server lets you create a host that makes files and folders on your server available to other people. Users can connect (via the Internet or a local area network) to your host, list folders and files, and (depending on permissions) download and upload data. Administrators can control access to data and files with granular permissions by folder, user, and group. Administrators can also create multiple hosts that function as completely distinct sites.

WS_FTP Server is proven and reliable. It is used by administrators globally to support millions of end users and enable the transfer of billions of files.

WS_FTP Server complies with the current Internet standards for FTP and SSL protocols. Users can connect to the server and transfer files by using an FTP client that complies with these protocols, such as Ipswitch WS_FTP LE or Ipswitch WS_FTP Professional.

WS_FTP Server with SSH also includes support for SFTP transfers over a secure SSH2 connection.

Administration

Performance

Security and Compliance

WS_FTP Server Product Family

The WS_FTP Server product family provides a broad range of file transfer functionality, from fast file transfer via the FTP protocol, to secure transfer over SSH, to a complete file transfer (server/client) solution.

WS_FTP Server: Our base product offers fast transfer via the FTP protocol with the ability to encrypt transfers via SSL, and includes FIPS 140-2 validated encryption of files to support standards required by the United States and Canadian governments.

WS_FTP Server can operate standalone or is easily integrated with existing user databases (Active Directory, Windows NT, ODBC). The WS_FTP Server Manager provides web-based administration from the local machine and also allows remote management of the server. The Server Manager can use our integrated web server or Microsoft IIS.

When used with our WS_FTP Professional client, WS_FTP Server can retry a failed transfer, perform file integrity checks, verify a user's identity, and speed transfers by using compression and multi-part transfers.

WS_FTP Server is designed with a tiered architecture that allows components and data to be maintained on one computer or distributed among several, allowing the configuration to scale to handle larger capacity.

WS_FTP Server can be deployed in an active-passive failover configuration to ensure file transfer service is always available. The failover configurations use shared resources for the user database, configuration data, and the file system for user directories and log data.

WS_FTP Server with SSH: This product offers all of the features of WS_FTP Server plus the ability to send and receive files over SSH, which automatically delivers encrypted communications during and throughout file transport.

WS_FTP Server Corporate: This product extends the secure transfer capabilities of WS_FTP Server with SSH to include:

  • Support for SCP2 to provide a secure version of the remote copy capability used in UNIX applications.
  • LDAP support for authentication to leverage existing corporate databases.
  • Integration of the WS_FTP Server Web Transfer Module to provide a complete file transfer solution (server and client).

Update for Ad Hoc Transfer Module and Ad Hoc Transfer Plug-in for Outlook

We have issued a maintenance release of Ad Hoc Transfer Module and the Ad Hoc Transfer Plug-in for Outlook that provides the following enhancements and bug fixes:

To upgrade to this release, you need to install:

New in 7.7

New in 7.6.3

New in 7.6

Version 7.6 updates some of the critical software components used by the WS_FTP Server, including SSL libraries, supported databases, and supported operating systems.

This release includes enhanced features for the Ad Hoc Transfer Plug-in for Outlook:

New in 7.5.1

Version 7.5.1 introduces failover support to the WS_FTP Server family of products. You can now deploy WS_FTP Server on a two-node failover cluster in a Windows Server environment using Microsoft Cluster Services (MSCS) or Microsoft Network Load Balancing (NLB). The failover solution consists of one "active" and one "passive" node, each running identical configurations of WS_FTP Server. If the primary node is unavailable, or if a server (FTP or SSH) is unavailable on the primary node (MSCS only), processing switches over to the secondary node. This two-node configuration uses shared resources for the user database, configuration data (SQL Server), and the file system for user directories and log data.

Version 7.5.1 also includes multiple SSH improvements:

New in 7.5

Version 7.5 introduces the Ad Hoc Transfer capability to the WS_FTP Server family of products. Ad Hoc Transfer lets your users send file transfers to an individual, rather than to a folder or file transfer site. Files can be sent to any valid email address, meaning you do not have to maintain accounts for all recipients, or set up temporary accounts.

Files sent via Ad Hoc Transfer are stored in a folder on the WS_FTP Server computer. Recipients receive a notification in their email inbox, and click on a web link to access the posted files.

As the administrator, you can set options that require Ad Hoc Transfers to be password protected, and to manage the size and availability of an Ad Hoc Transfer "package," which is the user-generated email message plus associated files.

The Ad Hoc Transfer Module provides two ways for a WS_FTP Server user to send a transfer:

New in 7.1

Version 7.1 includes the following new features:

New in 7.0

Version 7 introduces a third product offering, WS_FTP Server Corporate, to the WS_FTP Server family of products. WS_FTP Server Corporate offers a convenient way to purchase the full range of secure, managed file transfer functionality that we provide. For a description of each of the WS_FTP Server product offerings and the major features included, see WS_FTP Server Product Family.

Version 7 is a major release that includes the following new features:

System requirements for WS_FTP Server

Tip: If a listed requirement is hyperlinked, you can click the link to get more information on obtaining and installing that prerequisite.

WS_FTP Server

Supported Operating Systems

For a standalone WS_FTP Server installation:

| Operating System | Edition | Service Packs | Supported Versions |
|---|---|---|---|
| Windows Server 2012 R2 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2012 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2008 | Standard, Enterprise | SP2 or later | 32-bit: English and German; 64-bit: English |
| Windows Server 2008 R2 | Standard, Enterprise | | 64-bit: English |

For a WS_FTP Server failover cluster using Microsoft Clustering Services:

| Operating System | Edition | Service Packs | Supported Versions |
|---|---|---|---|
| Windows Server 2012 R2 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2012 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2008 | Enterprise | SP2 or later | 32-bit: English |
| Windows Server 2008 R2 | Enterprise | | 64-bit: English |

For a WS_FTP Server failover cluster using Microsoft Network Load Balancing:

| Operating System | Edition | Service Packs | Supported Versions |
|---|---|---|---|
| Windows Server 2012 R2 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2012 | Standard, Datacenter | | 64-bit: English |
| Windows Server 2008 | Standard, Enterprise | SP2 or later | 32-bit: English |
| Windows Server 2008 R2 | Standard, Enterprise | | 64-bit: English |

System Requirements

Recommended Hardware

The minimum recommended hardware is the same as recommended for Windows Server 2008. (For more information, see the Windows Server information on Microsoft's web site.) If you are using a later version operating system, you should meet the hardware requirements for that system.

Component

Requirement

Processor

  • Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
  • Recommended: 2 GHz or faster

Memory

  • Minimum: 512 MB RAM
  • Recommended: 2 GB RAM or greater
  • Maximum (32-bit systems): 4 GB (Standard) or 64 GB (Enterprise and Datacenter)
  • Maximum (64-bit systems): 32 GB (Standard) or 1 TB (Enterprise and Datacenter) or 2 TB (Itanium-Based Systems)

Available disk space

  • Minimum: 10 GB
  • Recommended: 40 GB or greater

Virtualization Requirements

Ipswitch Notification Server

All requirements for WS_FTP Server (above), plus:

Ipswitch Notification Server is a part of WS_FTP Server and is typically installed on the same machine.

WS_FTP Server Manager

The WS_FTP Server Manager provides web-based administration from the local machine and also allows remote management of the server.

Server Requirements:

Client Requirements:

WS_FTP Server Manager is a part of WS_FTP Server and is installed on the same machine.

Installing WS_FTP Server on Windows Server 2008 or 2012

The WS_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation, Windows Server does not turn on non-core operating system components. However, before installing WS_FTP Server, you should be sure that these changes conform to your organization’s security policies.

When you install WS_FTP Server, the install activates the following 2008 Server roles:

Note: If you are installing the WS_FTP Server Web Transfer Client, there are additional components activated. See "System requirements for WS_FTP Server Web Transfer Client" below.

Installing WS_FTP Server

For detailed instructions for installing and configuring WS_FTP Server and activating a new or upgraded license, see the WS_FTP Server Installation and Configuration Guide.

Fixed in 7.7

The following issues were addressed in V7.7:

OpenSSL Issues

Fixed in 7.6.3

The following issues were addressed in V7.6.3:

Fixed in 7.6

The following issues were addressed in V7.6:

Fixed in 7.5.1.2

The following issue was addressed in V7.5.1.2:

Fixed in 7.5.1

The following issues were addressed in V7.5.1:

Fixed in 7.5

Fixed in 7.1

The following issues were addressed in 7.1:

Fixed in 7.0

The following issues were addressed in this release:

Known Issues in Windows 2012R2

Cannot open WS_FTP Server Manager via the Metro UI programs list.

The workaround requires that you modify your local security policy:

  1. Press the Windows key + R to bring up the Run box, and then type secpol.msc. Press Enter.
  2. On the Local Security Policy window, navigate to Security Settings > Local Policies > Security Options.
  3. On the right panel, double-click on the option User Account Control: Admin Approval mode for the Built-in Administrators Account and enable it.
  4. Click Apply and exit Local Security Policy.
  5. Press the Windows key + R to bring up the Run box, and then type regedit. Press Enter.
  6. On the Registry Editor window, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI. On the right side, double-click on default and change the value to 000000001(1). Click OK.
  7. Restart your computer. Now you should be able to run Modern UI Apps using the Built-in Administrator account.

Note: If http://127.0.0.1 has not already been added to the Trusted Sites, you will see an error page:

This page can’t be displayed.
Make sure the web address is correct.
Look for the page in your search engine.
Refresh the page in a few minutes.

You will need to add http://127.0.0.1 to the Trusted Sites through the desktop Internet Explorer page. You can also go to Internet Explorer > Internet Options > Security tab > Trusted Sites > Sites and add 127.0.0.1 to the list of trusted websites. For more information, see Adding a website to your browser's Trusted Sites.

Known Issues in All Versions

OpenSSL conflicts when installing WS_FTP Server V7.5.1 or later

The WS_FTP Server 7.5.1 and 7.6 installation programs install a new version of the OpenSSL library. The new version (OpenSSL 0.9.8p for 7.5.1; OpenSSL 1.0.1c for 7.6) is required and gets installed to the installation folder (the default is: C:\Program Files\Ipswitch\WS_FTP Server).

If the installation program finds a version of the library in the Windows system folders, it will stop the installation and ask you to move or rename the library files. If these library files are used by other programs, you want to make sure that you retain a copy of them. We suggest you create a backup in another folder, or rename these files, then remove the files from these locations:

| 32-bit OS | 64-bit OS |
|---|---|
| C:\Windows\libeay32.dll | C:\Windows\libeay32.dll |
| C:\Windows\ssleay32.dll | C:\Windows\ssleay32.dll |
| C:\Windows\system32\libeay32.dll | C:\Windows\SysWOW64\libeay32.dll |
| C:\Windows\system32\ssleay32.dll | C:\Windows\SysWOW64\ssleay32.dll |
| C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll | C:\Users\[username]\Windows\libeay32.dll or C:\Documents and Settings\[username]\Windows\libeay32.dll |
| C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll | C:\Users\[username]\Windows\ssleay32.dll or C:\Documents and Settings\[username]\Windows\ssleay32.dll |
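
To find these files before running the installer, the PowerShell script below (an added example, not part of the Ipswitch installer or documentation) checks the folders listed above, reports the version each DLL carries, and with -Move relocates the files into a backup tree. The backup folder $BackupRoot is an assumed path; moving files out of C:\Windows requires an elevated session.

```powershell
# Added example, not Ipswitch code. The folder list follows the table above;
# $BackupRoot is an assumed location. Without -Move the script only reports.
param(
    [string]$BackupRoot = 'C:\OpenSSL-dll-backup',
    [switch]$Move
)

$names = 'libeay32.dll', 'ssleay32.dll'

# System folders: SysWOW64 on a 64-bit OS, system32 on a 32-bit OS.
$dirs = @($env:windir)
if (Test-Path -LiteralPath (Join-Path $env:windir 'SysWOW64')) {
    $dirs += Join-Path $env:windir 'SysWOW64'
} else {
    $dirs += Join-Path $env:windir 'system32'
}

# Per-user "Windows" folders under either profile root named in the notes.
foreach ($root in 'C:\Users', 'C:\Documents and Settings') {
    if (Test-Path -LiteralPath $root) {
        $dirs += @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSIsContainer } |
                   ForEach-Object { Join-Path $_.FullName 'Windows' })
    }
}

# Collect every copy of the two libraries, with the version it reports.
$found = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path
            New-Object PSObject -Property @{
                Path        = $file.FullName
                FileVersion = $file.VersionInfo.FileVersion
                Modified    = $file.LastWriteTime
            }
        }
    }
}

if (-not $found) {
    Write-Output 'No libeay32.dll or ssleay32.dll found in the listed folders.'
    return
}
$found | Format-Table Path, FileVersion, Modified -AutoSize

if ($Move) {
    foreach ($item in $found) {
        # Mirror the original path under the backup root so a file that another
        # program turns out to need can be put back where it was.
        $relative = $item.Path -replace '^[A-Za-z]:\\', ''
        $target   = Join-Path $BackupRoot $relative
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Move-Item -LiteralPath $item.Path -Destination $target
        Write-Output "Moved $($item.Path) -> $target"
    }
}
```

Run it once without -Move and review the reported versions before relocating anything.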

Upgrading WS_FTP Server V7.5 to V7.5.1 or later (PostgreSQL)

When upgrading a WS_FTP Server installation that uses a PostgreSQL database from V7.5 to V7.5.1 or later, you must install Microsoft .NET framework 3.5 or 3.5 SP1 before running the installer to upgrade, otherwise the installer will halt the installation.

IP Lockouts do not carry over failed logon attempts after cluster failover

When a cluster fails over from node 1 to node 2, the number of failed logon attempts does not carry over to node 2. Therefore, the server does not lock out the user even if the cumulative failed logon count is greater than the limit set by the IP Lockouts rule, because the failed logon count on each node is still less than the rule allows. The user is locked out only once the number of failed logons on a single node equals the IP Lockouts limit.

For example, assume a user account’s IP Lockouts rule is set to blacklist the user after 5 failed attempts. If a user fails to log on 3 times while node 1 is the active node and then the cluster fails over, the user will have to fail 5 more logon attempts on node 2 in order for WS_FTP Server to blacklist the user because the failed attempts do not transfer between nodes.

Currently, there is no workaround for this issue.

See IP Lockouts do not carry over failed logon attempts after cluster failover in the Ipswitch Knowledge Base for more information.
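
Because the server keeps one counter per node, the gap can only be seen by counting failures across both nodes. The PowerShell below is an added monitoring example, not Ipswitch code: it flags client addresses whose failed logons reach the limit in total although no single node's count did. The records and their field names (Node, ClientIP, Result) are constructed for illustration; real log entries would first have to be parsed into this shape.

```powershell
# Added example, not Ipswitch code. Records and field names are constructed.
$Limit = 5   # failed attempts allowed by the IP Lockouts rule, as in the example above

# Helper that builds $Count constructed failure records for one node and address.
function New-Failure($Node, $ClientIP, $Count) {
    1..$Count | ForEach-Object {
        New-Object PSObject -Property @{
            Node = $Node; ClientIP = $ClientIP; Result = 'LogonFailed'
        }
    }
}

$records  = @()
$records += New-Failure 'node1' '203.0.113.7'   3   # 3 failures before the failover
$records += New-Failure 'node2' '203.0.113.7'   4   # 4 more after it: 7 in total, no lockout
$records += New-Failure 'node1' '198.51.100.20' 5   # reaches the limit on one node
$records += New-Failure 'node2' '192.0.2.44'    2   # below the limit everywhere

function Find-SplitLockout {
    param([object[]]$Records, [int]$Limit)

    $Records | Where-Object { $_.Result -eq 'LogonFailed' } |
        Group-Object ClientIP | ForEach-Object {
            $group   = $_
            $perNode = $group.Group | Group-Object Node
            $maxNode = ($perNode | Measure-Object Count -Maximum).Maximum

            # Total at or over the limit, but every per-node counter still under it:
            # this is the case the per-node lockout rule does not catch.
            if ($group.Count -ge $Limit -and $maxNode -lt $Limit) {
                New-Object PSObject -Property @{
                    ClientIP = $group.Name
                    Total    = $group.Count
                    PerNode  = ($perNode | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
                }
            }
        }
}

Find-SplitLockout -Records $records -Limit $Limit |
    Format-Table ClientIP, Total, PerNode -AutoSize
```

With the constructed data only 203.0.113.7 is reported (7 failures, split 3 and 4); the address that reached 5 on one node is left to the server's own lockout rule.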

Unhandled exception when using AHT and switching nodes after a failed send

When a cluster fails over from node 1 to node 2 while an Ad Hoc Transfer user attempts to send a package from the AHT site, the file transfer fails, the user is logged out, and the browser displays the Microsoft error "Internet Explorer cannot display the webpage." After node 2 becomes the active node, users attempting to log on to the AHT site again receive an error message about an unhandled exception.

To resolve this issue, the user must restart the browser session before logging back onto the site. Then the user can send packages normally.

See An unhandled exception when using AHT and switching nodes after a failed send in the Ipswitch Knowledge Base for more details and the content of the exception.

Unable to resume transfer or delete file after failover

When a cluster fails over from node 1 to node 2 during an upload, the transfer fails and the file transfer client’s connection to the cluster drops (the message is "Connection is dead"). The upload does not resume when the user logs back into the server. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file, presumably waiting for the client to (possibly) reconnect. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer.

To delete the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify the file again.

See Unable to resume transfer or delete file after failover in the Ipswitch Knowledge Base for more information.

Unable to delete files in the Web Transfer Client after failover

When a cluster fails over from node 1 to node 2 during an upload using the Web Transfer Client, both the browser session and the file transfer fail. When the user logs back in, the upload does not resume. Although the partially uploaded file is present, it cannot be deleted. This is caused by the share host (Windows UNC or Linux NAS) holding an open handle for node 1 on the partially uploaded file. Node 2 cannot modify the file at this time.

Since resuming the transfer is impossible, the user must delete the file and then restart the transfer, or overwrite the file on another upload attempt.

To delete or overwrite the file, the user must wait a few minutes until the share host releases its hold on the file handle, and then the user can delete the file. ("A few minutes" ranges from about 2 minutes on Windows, up to about 10 minutes on a Linux NAS.)

To delete the file sooner, an administrator can force a failover so that node 1 is active, allowing the user to modify files again.

See Unable to delete files in the Web Transfer Client after failover in the Ipswitch Knowledge Base for more information.

Error connecting in FIPS mode (FIPS mode cannot use the pre-7 default SSL certificate)

If you installed WS_FTP Server 6.x with the default SSL certificate, when you upgrade to WS_FTP Server 7.x, that default certificate is maintained. If you then enable FIPS mode, which requires the use of FIPS-validated ciphers in the certificate, the default certificate will cause a connection error when a user attempts a secure connection. The server log will show the following error:

Failed to begin accepting connection: SSL failed to load key file. Non-FIPS algorithms might be used in the selected SSL certificate.

To work around this issue, you need to use a certificate that uses a FIPS-validated algorithm, such as SHA1. You can select to use your own certificate, or create a new certificate in the WS_FTP Server Manager (from the Home page, select SSL Certificates).

IIS notes

If you specify a user other than the default user to serve as the run as user on the IIS virtual folder (if you are using Microsoft IIS as your web server), you may get an HTTP 401 error when you attempt to open the WS_FTP Server Manager. If this occurs, you must open the WSFTPSVR virtual folder in IIS and change the anonymous access user password to match the specified user's password.

Configuring the database for remote connections

By default, the Microsoft SQL Server database will only accept connections coming from the local system. To use a remote notification server, to allow multiple servers to share a data store, or to allow a remote Web Transfer Client connection, you have to enable remote connections.

Microsoft's Knowledge Base (KB) provides the following information on remote connections:

"When you try to connect to an instance of Microsoft SQL Server 2005 from a remote computer, you may receive an error message. This problem may occur when you use any program to connect to SQL Server. For example, you receive the following error message when you use the SQLCMD utility to connect to SQL Server:

Sqlcmd: Error: Microsoft SQL Native Client: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. This problem may occur when SQL Server 2005 is not configured to accept remote connections. By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections."

For instructions, see the Microsoft KB article: How to Configure SQL Server 2005 to Allow Remote Connections

Other notes

Uninstalling WS_FTP Server

  1. In the Control Panel, select Add/Remove Programs.
  2. Select Ipswitch WS_FTP Server, then click Change/Remove and follow the onscreen prompts to uninstall.

    The User Configuration Data Exists screen presents options for removing the configuration database:

    • Remove the WS_FTP Server configuration data from the data store
    • Remove the Ipswitch Notification Server configuration from the data store
    • Also, remove the PostgreSQL database server. (Note: You may have other databases on that server.)

    If you want to maintain the configuration data in the database, for example when you plan to upgrade or migrate to another database, make sure that these options are not selected.

For more assistance

For more assistance with WS_FTP Server, consult the following resources:

Installing and Configuring the WS_FTP Server Web Transfer Client

Whether you purchased the WS_FTP Server Web Transfer Client as an add-on to WS_FTP Server or WS_FTP Server with SSH, or you received it with your WS_FTP Server Corporate purchase, you need to run the WS_FTP Server Web Transfer Client installation program. For system requirements, installation procedure, and release notes, go to Installing and Configuring the WS_FTP Server Web Transfer Client.

Installing and Configuring the Ad Hoc Transfer Module

The Ad Hoc Transfer Module is installed separately from WS_FTP Server. For system requirements, installation procedure, and release notes, go to Installing and Configuring the Ad Hoc Transfer Module.

