Windows 2008r2, 2012
Revision: 3.5.4.99710 Generated: 02/04/2015 16:38
Contents
Introduction... 5
Standard Installation...6
Requirements... 6
Before Upgrading... 6
Product Setup... 10
Configuring the Firewall... 21
Securing your SSH Server... 22
Testing a Locally Initiated Transfer... 27
Connect Server Web UI Setup... 30
Configuring your Web UI Settings... 30
Customize your Web UI's Appearance... 33
Configuring HTTP and HTTPS Fallback... 33
Testing Web UI...37
Transferring Files with the Application... 39
Application Overview...39
Managing Connections... 40
Creating SSH Keys...46
Enabling a Transfer or HTTP Proxy...49
Transferring Files...52
Advanced Transfer Mode... 55
Configuring Transfer Notifications... 57
Using Transfer Notifications... 64
Reporting Checksums... 66
Managing Users...70
Setting Up Users...70
Test User-Initiated Remote Transfer... 71
Setting Up Groups... 72
Configuration Precedence...73
Setting Up a User's Public Key... 74
General Configuration Reference... 76
Document Root... 76
Configuring Symbolic Links... 77
Advanced Symbolic Link Options (ascp)... 77
Server-Side Symbolic Link Handling... 78
Authorization...79
Bandwidth... 82
Network...86
Global Transfer Settings... 92
Global Bandwidth Settings...92
Setting Up Virtual Links... 93
Transfer Server Configuration...95
Managing the Node API... 97
Node API Setup...97
Setting up Node Users...98
Node Admin Tool...98
aspera.conf for Nodes...99
Redis DB Backup/Restore...103
Setting up SSL for your Nodes...103
Hot Folders... 107
Setting Up Hot Folders...107
Managing Hot Folders...110
Database Logger... 111
Setting Up Database Logger... 111
Configuring the Database Logger... 112
Pre- and Post-Processing (Prepost)...115
Setting Up Pre/Post...115
Pre/Post Variables... 116
Pre/Post Examples... 118
Setting Up Email Notification...119
Email Notification Examples...122
Transferring from the Command Line... 124
Ascp Command Reference... 124
Ascp General Examples...131
Ascp File Manipulation Examples... 132
Ascp Transfers to Cloud Storage... 133
Token Generation...135
Creating SSH Keys (Command Line)...136
Ascp FAQs...137
Configuring for the Cloud... 140
Configuring aspera.conf for S3... 140
Appendix... 142
Updating Aspera Service Account... 142
Product Limitations...142
FASP Transfer Policies...143
Generate an Internet Server Certificate (IIS)...143
Restarting Aspera Services...144
Optimizing Transfer Performance... 146
Log Files... 147
Updating the Product License... 148
Updating Aspera Service Account... 149
Upgrading Enterprise Server to Connect Server...150
Uninstall... 152
Setting Up Token Authorization...152
Configuring Token Authorization from the GUI... 153
Configuring Token Authorization With aspera.conf... 154
Configuring for Faspex...155
Configuring for Shares... 160
Troubleshooting...164
Using the Troubleshooter... 164
Error Adding Domain User...164
Clients Can't Establish Connection... 165
Configuring IIS for Web UI...167
Uninstall Version 2.2.1 for Upgrade... 170
Technical Support... 173
Feedback... 174
Introduction
IBM Aspera Connect Server is a web-based file transfer server built upon Aspera's FASP transport. Connect Server offers the following features:
Feature: Description
FASP transport technology: File transfer protocol that dramatically speeds transfers over IP networks by eliminating the fundamental bottlenecks in conventional technologies. FASP features bandwidth control, resume, transfer encryption, content protection, and data integrity validation.
Transfer server: Allows an unlimited number of concurrent client transfers. Uses virtual links to manage aggregate bandwidth usage.
Connect Server Web UI: A web-based interface that enables transfers for Aspera Connect clients. Includes the HTTP Fallback Server to allow clients without FASP connectivity to transfer using HTTP or HTTPS.
Connect Server application: A graphical file transfer application for initiating and managing transfers, and for configuring transfer users and server settings.
Hot Folders (Aspera Sync): A service, managed by the desktop application, that automates the transferring of files from a specified directory.
Database Logger: A MySQL adapter that logs the server's transfer activity to a database.
Pre- and Post-Processing (Prepost): Executes customizable actions when transfer events - start and end of sessions and files - occur. An email notification script is included.
Standard Installation
Install the IBM Aspera transfer product and set up your computer for FASP file transfers.
Requirements
Software and hardware requirements for optimal product functionality.
System requirements for IBM Aspera Connect Server:
• Product-specific Aspera license file.
• Active Server Pages (ASP) must be enabled.
• For Web UI, Internet Information Service (IIS) version 6, or version 7 with IIS 6 Compatibility Component installed (See Microsoft TechNet: IIS 6 Compatibility Components Not Installed).
• For usage in an Active Directory environment - Access to a domain administrator account for product installation.
• Access to run WMI.
• For Database Logging - A MySQL Database.
• For Pre- and Post-Processing (Prepost) - Install Active Perl to enable Perl scripts.
• Screen resolution 1024 x 768 or higher.
The following web browsers are supported by Connect Server:
Supported OS: Supported Browsers
Windows 2008r2, 2012: Internet Explorer 8+, Firefox 27+, Google Chrome 32+
Mac OS X 10.7+: Safari 6+, Firefox 27+, Google Chrome 32+
Linux 64-bit: Firefox 27+
If you plan to set up and use the Node API, you must also meet the following requirements on each node machine:
• In order to use this application on a cloud platform and access the object-based cloud storage, you must obtain an on-demand license. Please contact Technical Support.
• Identify a directory that you plan to use for sharing data. Later on (in the topic Node API Setup), we will use this directory as the absolute path for the transfer user.
• Verify that the machine's hosts file has an entry for "127.0.0.1 localhost." For UNIX-based nodes, check /etc/hosts. For Windows nodes, check C:\WINDOWS\system32\drivers\etc\hosts.
• For UNIX-based nodes, verify that SELINUX is disabled via cat /etc/sysconfig/selinux. SELINUX can be "permissive" or "disabled," but not "enforced."
Before Upgrading
Steps to take before upgrading your IBM Aspera product.
The installer for Aspera Connect Server automatically checks for a previous version of the product on your system. If a previous version is found, the installer automatically removes it and upgrades your computer to the newer version. On a Windows system, the installer displays the following message when an older version of the product is detected:
Although the installer performs your upgrade automatically, we highly recommend completing the tasks below before starting the installation/upgrade process. If you do not follow these steps, you risk installation errors or losing your former configuration settings. Skip any steps that do not apply to your specific product version.
Note: You cannot upgrade directly between different Aspera transfer products (such as from Point-to-Point to Desktop Client, or from Point-to-Point to Enterprise Server). To upgrade, you need to back up the configuration, uninstall the product, and perform a fresh install of the new version of the product. If you are upgrading your Enterprise Server to Connect Server, see Upgrading Enterprise Server to Connect Server on page 150.
1. All Versions - Verify the version of your existing product
Depending on your current product version, the upgrade preparation procedure may differ. In the Windows Command Prompt (Start menu > All Programs > Accessories > Command Prompt), execute this command:
> ascp -A
This displays the product name and version number.
Warning:
When upgrading from 2.7.X to 3.X on Windows, please be aware that user names are now case sensitive.
2. All Versions - Confirm your Aspera service account.
If you have already installed IBM Aspera Enterprise Server, Connect Server, Point-to-Point Client or Desktop Client on your computer, there is already a user account that has been designated to run the services for Aspera products. By default, the user name for the Aspera services account is svcAspera; however, this is not a requirement and you can select a different user to run the services. When you install additional Aspera products or perform an upgrade to an existing Aspera product, you must identify the same account name and password that you set for your first Aspera product installation.
To confirm which user is designated as your Aspera service account in Windows 2003, Vista, and 7, right-click on My Computer and select Manage > Services and Applications > Services. In Windows 2008, go to the Server Manager and select Configuration > Services. The account designated for each Aspera service is listed. Please make note of this account for the installation of additional Aspera products or product upgrades. If you have forgotten your Aspera service account password or would like to change the designated Aspera service account, please follow the instructions described in Updating Aspera Service Account on page 142.
3. All versions - Stop all FASP transfer-related applications and connections.
Before upgrading the application, close the following applications and services:
• ascp connections
• SSH connections
• The SSHD service and any SSHD processes. To stop the SSHD service, go to the Computer Management window, which is accessible via Manage > Services and Applications > Services. Then, kill any SSHD processes (using the Windows Task Manager).
• The Connect Server application
4. All versions - Verify the website that runs Web UI
Aspera recommends that you set up the new Connect Server Web UI on the same website that your current Web UI is running on. During the installation, you will be able to select the website to use.
To find out which web site is running Web UI, go to Control Panel > Administrative Tools > Internet Information Services (Manager). In the left panel, navigate into the (Computer name) > Web Sites. The website that runs Web UI should contain the "aspera" folder.
5. All versions - Back up the files
Depending on the version of your previous installation and the operating system, back up the files in the specified locations:
Aspera Version: 2.5+
Note: If you have installed the product in a different location, change the path accordingly.
32-bit Windows Default Path:
• C:\Program Files\Aspera\Enterprise Server\etc\ (Configuration files, Shared Remote Hosts)
• C:\Program Files\Aspera\Enterprise Server\var\ (Prepost scripts, Connect Server)
64-bit Windows Default Path:
• C:\Program Files (x86)\Aspera\Enterprise Server\etc\ (Configuration files, Shared Remote Hosts)
• C:\Program Files (x86)\Aspera\Enterprise Server\var\ (Prepost scripts, Connect Server)
Individual User Files' Default Path:
• <APPDATA>\Aspera\Enterprise Server\ (Individual user's remote hosts and hot folder info.)
Note: Use this command in a Command Prompt window to find out the current user's <APPDATA> path:
> echo %APPDATA%
Aspera Version: 2.2.x and earlier
32-bit Windows:
• C:\Program Files\Aspera\FASP\var\ (Prepost scripts, Connect Server)
• C:\Program Files\Aspera\Aspera Scp\etc\ (Remote Hosts and Hot Folders info)
64-bit Windows:
• C:\Program Files (x86)\Aspera\FASP\etc\ (Configuration files)
• C:\Program Files (x86)\Aspera\FASP\var\ (Prepost scripts, Connect Server)
• C:\Program Files (x86)\Aspera\Aspera Scp\etc\ (Remote Hosts and Hot Folders info)
If a previous version of Connect Server (Aspera Web) was set up and customized on your computer, back up the customized Connect Server installation in the following location and use it as a template to modify the new one:
C:\Inetpub\wwwroot\aspera\
6. Version 2.1.x - Verify Aspera's configuration file (aspera.conf) version
If you are upgrading from Connect Server version 2.1.x and have HTTP Fallback configured, you may need to modify aspera.conf file to avoid upgrading errors. Open aspera.conf with a text editor:
Platform Path
32-bit Windows C:\Program Files (x86)\Aspera\FASP\etc\aspera.conf
64-bit Windows C:\Program Files\Aspera\FASP\etc\aspera.conf
Remove the version="2" from the opening tag <CONF>:
<CONF version="2"> ...
7. Version 2.2.x and earlier - Restore the saved "Remote Endpoints"
This is a post-install step.
Since 2.5, a connection (a.k.a. "endpoint") can either be shared with all users, as in previous versions, or kept exclusive to the user who created it.
When you upgrade from product version 2.2.x or earlier, existing connections are imported on the first launch of the application, and only for the user who launches it. Aspera recommends that you launch it as an administrator account after the upgrade, so that you can import the connections and share them with other users.
Note:
When you have finished the upgrade procedure, to share the imported connections with other users, launch the application and go to Connections. Select a created connection and navigate into the Connection tab. Check Share this connection with all users on this computer for each connection to share. Refer to Managing Connections on page 40 for more information.
Product Setup
A walkthrough of the setup process.
Important: If this is a product upgrade, ensure that you have reviewed all prerequisites detailed under the topic "Before Upgrading."
IBM Aspera Connect Server is a web-based file server that enables file access through a browser, and transfers files using the IBM Aspera Connect Browser Plug-in. Additionally, you can set up HTTP Fallback to establish HTTP- or HTTPS-based file transfers with clients that don't have FASP connectivity.
Important: On Windows, Connect Server uses Internet Information Service (IIS) authentication. If user names use the extended character set, both the client and server machine must be set to use the same codepage, and the client must use IE 7 or later (other browsers don't support user names using extended characters). For more information, refer to http://support.microsoft.com/kb/938418.
To install Connect Server, log into your computer with Administrator (or Domain Administrator if you are in an Active Directory environment) permissions, and follow the steps below.
1. Install Windows Internet Information Service (IIS)
The Connect Server Web UI requires Internet Information Service (IIS) 6, or IIS 7 with the IIS 6 Compatibility component. Depending on your version of Windows, IIS may not be installed by default. For instructions on installing/enabling IIS for your specific Windows OS, see the table below. Note that Windows 7, 8, and 2008 require installation of IIS 7 with the IIS 6 Compatibility component. You also need to ensure that ASP, ASP.NET, and Basic Authentication services are installed.
OS Instructions
Windows 7, 8, and Vista
Note: Requires installation of IIS 7 with the IIS 6 Compatibility component.
In Windows 7 and 8, go to the Control Panel > Programs > Turn Windows features on or off.
(Fig: Windows 7 and 8)
In Windows Vista, go to the Control Panel > Programs and Features > Turn Windows features on or off (located in the left panel).
(Fig: Windows Vista)
In the Turn Windows features on or off window, turn on the following features and click OK:
• Place a check next to Internet Information Services and then expand the tree.
• Expand the Web Management Tools tree and place a check next to IIS 6 Management Compatibility. Then, expand the IIS 6 Management Compatibility tree and place a check next to each IIS 6 component.
• Within World Wide Web Services > Application Development Features, place a check next to ASP and ASP.NET. Note that if you are running Windows 8, you can select either .NET 3.5 or .NET 4.5.
• Within World Wide Web Services > Common HTTP Features, place a check next to Static Content.
• Within World Wide Web Services > Security, place a check next to Basic Authentication.
(Fig: Windows 8)
Your computer may take a few minutes to configure itself. You can verify a successful installation by navigating to "Administrative Tools." In Windows 7 and 8, go to Control Panel > System and Security > Administrative Tools. In Windows Vista, go to Control Panel > Administrative Tools.
Within "Administrative Tools," you should see the following features:
• Internet Information Services (IIS) 6.0 Manager (or IIS6 Manager on Windows Vista)
• Internet Information Services (IIS) Manager (or IIS Manager on Windows Vista)
Windows 2008 Important: Requires installation of IIS 7 with the IIS 6
Go to Administrative Tools > Server Manager > Roles > Add Roles.
In the Add Roles Wizard, check Web Server (IIS). When checked, a popup window appears that requires you to identify features that are required for the Web server. Click Add Required Features in the popup window and click Next. Read the information on the following screen and then click Next again to proceed with adding required features.
Add the following role services as required features by checkmarking the appropriate boxes and click Next when finished.
• ASP.NET
• ASP
• Basic Authentication
Once you read the confirmation message and click install, your server takes a few minutes to configure itself. You can verify a successful installation by navigating to your Role Summary. Go to the Administrative Tools > Server Manager > Roles > Web Server (IIS) > Role Services.
Windows 2003
Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components (located in the left panel).
For Windows 2003, in the Windows Components Wizard window, place a checkmark next to Application Server, and click Next.
(Fig: Windows 2003)
Your computer may take a few minutes to configure itself. You can verify a successful installation by going to Control Panel > Administrative Tools. Here, you should see the Internet Information Services (IIS) Manager.
(Fig: Windows 2003)
Important: When you elect to install the Connect Server Web UI feature (as directed in the steps below), the Aspera installer automatically configures the following settings in IIS:
• Disable Anonymous Authentication
• Disable ASP.Net Impersonation
• Enable Basic Authentication
If you do not install the Connect Server Web UI feature, then the settings will not be modified.
2. Download the IBM Aspera product installer
Download the installer from the link below. Use the credentials provided to your organization by Aspera to access: http://asperasoft.com/en/downloads/4
If you need help determining your firm's access credentials, contact Technical Support on page 173.
3. For product upgrades, ensure you have prepared your machine to upgrade to a newer version.
Although the installer for Aspera Connect Server performs your upgrade automatically, Aspera highly recommends completing the tasks identified in the topic Before Upgrading. If you do not follow these steps, you risk installation errors or losing your former configuration settings.
Warning: When upgrading from 2.7.X to 3.X on Windows, please be aware that user names for 3.X are case sensitive.
4. Open the installation package and select the setup type
After downloading, open the installation package and follow the on-screen instructions.
Important: On Windows Vista, Windows 7, or Windows 2008 with UAC (User Account Control) enabled, you must run the installer as an Administrator. To do so, right-click the installation package and select the option Run as administrator. You may be asked to enter the administrator's password to allow the installer to make changes to your computer.
After the license agreement screen, click the desired setup type. If you are upgrading from a previous version, the installer will skip this step.
Important: When installing Connect Server, you must select one of the following:
- The Complete setup type (which includes the Web UI component).
or
- The Custom setup type, along with the Connect Server Web UI component.
The following setup options are available:
Setup Type: Description
Typical: Install the standard Enterprise Server without Web UI.
Custom: Select the features and the path to install.
Complete: Install all features, including an SSH Server (OpenSSH) and the Connect Server Web UI. To proceed with this option, ensure that IIS has already been installed on your Windows OS (see Step 1, above).
Important: When you elect to install the Connect Server Web UI feature, the Aspera installer automatically configures the following settings in IIS:
• Disable Anonymous Authentication
• Disable ASP.Net Impersonation
• Enable Basic Authentication
If you do not install the Connect Server Web UI feature, the settings are not modified.
Note: If your system has an existing SSH service installed (such as Cygwin), select the Custom setup type and deselect SSH Server to avoid conflicts. For assistance, contact Technical Support on page 173.
5. Select features and install path (Custom setup type)
If you selected the custom setup type, you will see two additional steps during installation, as follows:
Check the features to install. If you wish to configure your own SSH Server for FASP transfers, deselect the SSH Server (so that the OpenSSH Service is not installed). Check the Connect Server Web UI only if you have a Connect Server license and you have installed IIS, as described in Step 1, above.
Select the destination folder for the installation. Under Install this application for:, choose between Anyone who uses this computer (all users) to allow access for all system users, or Only for me to allow only your user account to use the application.
6. Set up Aspera service account
On Windows Vista, 2003, 2008, and 7, the installer prompts you to create or update an Aspera service account that runs the services for Aspera products. These services include the following:
• Aspera Central
• OpenSSH Service (optional)
• Aspera NodeD
• Aspera HTTPD
• Aspera Sync
By default, the user name is svcAspera. If your machine is not joined to a Windows domain, then a local user (such as the default svcAspera) is all that is required to run Aspera services. If your machine is already joined to a domain, or you need to support requirements #2 and/or #3 below, then the type of account specified will vary. Please refer to the following table:
1. Requirement: Provision local transfer users only.
Type of service account user: Local account. Domain account with local admin privileges can be used, but is not required.
2. Requirement: Provision Active Directory accounts for transfer users (users who wish to transfer with your server are authenticated through Active Directory).
Type of service account user: Domain account with local admin privileges.
3. Requirement: Transfer users store files on a remote file system (not on your server machine), such as an SMB file share.
Type of service account user: Domain account with local admin privileges. In some cases, additional actions are required to support this requirement. Please see the Aspera knowledgebase or contact Aspera Technical Support for assistance.
If the server is configured to accept the domain user login, use a domain account that has been added to the local administrator's group to run the services. You must create this domain account on your Domain Controller first.
If the local account does not already exist, enter new credentials and click Next. If the account already exists (for example, if created for the previous installation), enter the account password and click Next. If the existing user's password you have entered is incorrect, or you wish to change the Aspera service user, refer to Updating Aspera Service Account on page 142.
If you are entering details for a domain account, then the user name must be in the form "[email protected]." Please refer to the example below.
7. Select a website for the Connect Server Web UI
During IIS installation, a default Web site configuration is created on your Web server (for example, "Default Web Site (ID:1)"). You may have elected to use this default directory to publish your Web content, or you may have created a directory at a file system location of your choice. In this step, select the website (default or other) that you created for the Connect Server Web UI.
Note: If you are upgrading Connect Server from a previous version, Aspera recommends you select the same website that your current Web UI is running on.
8. Install the license
When installation is finished, launch the application to add or update the license. Go to:
Start Menu > All Programs > Aspera > Enterprise Server > Enterprise Server
If this is a fresh install, an Enter License window appears. Either click Import License File and select the license file, or Paste License Text to copy-and-paste the license file's content. When finished, the license information appears in the window. Verify that it is correct and click Close.
/opt/aspera/etc/aspera-license
When finished, save and close the file. To verify the license info, run the following command:
If you are updating your product license after the installation, see Updating the Product License on page 148.
9. (Optional) Configure SSL
For instructions on generating an Internet Server Certificate for IIS 6 (Windows 2003) or IIS 7 (Windows Vista, 2008, 7), see Generate an Internet Server Certificate (IIS) on page 143.
10. (For upgrades) Check aspera.conf for errors
When upgrading your Aspera product to a newer version, it is recommended that you check the aspera.conf configuration file for errors. Run the following command in a Command window to validate aspera.conf:
Platform: Command
32-bit Windows: "C:\Program Files\Aspera\Enterprise Server\bin\asuserdata" -v
64-bit Windows: "C:\Program Files (x86)\Aspera\Enterprise Server\bin\asuserdata" -v
11. Troubleshooting
Problem: Description
Installer freezes: You may have another Aspera product running on your computer. To stop all FASP transfer-related applications and connections, see Before Upgrading on page 6.
"Error 1721": If you are upgrading to the latest version and see "Error 1721" regarding the installation (2.2.1). For details, see Uninstall Version 2.2.1 for Upgrade on page 170.
12. Set up your new Connect Server's Web UI (or verify your Web UI settings after an upgrade).
At this point, your IBM Aspera transfer product is installed; however, additional steps are required to configure the Web UI. For information on configuring the Web UI, see "Connect Server Web UI Setup".
Configuring the Firewall
Firewall settings required by the product.
Your Aspera transfer product requires access through the ports listed in the table below. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions accordingly.
Product Firewall Configuration
Connect Server
An Aspera server runs one SSH server on a configurable TCP port (33001 by default).
Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server on page 22 for detailed instructions on changing your SSH port.
Your firewall should be configured as follows:
• Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server on page 22 for details.
• Allow inbound connections for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.
• If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).
• For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443).
• For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443).
The firewall on the server side must allow the open TCP port to reach the Aspera server.
Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.
For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera FASP protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default.
For example, to allow 10 concurrent FASP transfers, allow inbound traffic from UDP/33001 to UDP/33010.
Client
Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case. In the special case of firewalls disallowing direct outbound connections, typically using proxy servers for Web browsing, the following configuration applies:
• Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems).
• Allow outbound connections from the Aspera client on the FASP UDP port (33001, by default).
• If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).
Important: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two or more user accounts cannot connect to a Mac OS X or FreeBSD Aspera server on the same UDP port. If connecting to these servers, you will need to allow a range of outbound connections from the Aspera client (that have been opened incrementally on the server side, starting at UDP/33001). For example, you may need to allow outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.
Important: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting up Vlinks, please refer to the topic Setting Up Virtual Links on page 93.
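The server-side inbound rules described above for a Windows Aspera server can be generated as follows. This is an added example, not part of the original guide or of any Aspera tooling: the function name, parameter names and rule names are assumptions, and the script only prints netsh commands for review so they can be pasted into an elevated Command Prompt.

```powershell
# Added example (not from the Aspera guide). Function, parameter and rule
# names are assumptions made for illustration.
function Get-AsperaFirewallCommand {
    param(
        [int]$SshPort = 33001,               # TCP port the SSH server listens on
        [int]$FaspBasePort = 33001,          # first UDP port used for FASP data
        [int]$MaxConcurrentTransfers = 10,   # Windows needs one UDP port per transfer
        [switch]$AllowLegacySsh22            # only for a legacy client base on TCP/22
    )

    foreach ($p in @($SshPort, $FaspBasePort)) {
        if ($p -lt 1 -or $p -gt 65535) { throw "Port ${p} is outside 1-65535." }
    }
    if ($MaxConcurrentTransfers -lt 1) {
        throw 'MaxConcurrentTransfers must be at least 1.'
    }

    # Windows cannot reuse one UDP port for several FASP sessions, so the
    # range is opened incrementally from the base port: N concurrent
    # transfers need ports base .. base + N - 1.
    $lastUdpPort = $FaspBasePort + $MaxConcurrentTransfers - 1
    if ($lastUdpPort -gt 65535) {
        throw "UDP range ${FaspBasePort}-${lastUdpPort} runs past port 65535."
    }
    if ($MaxConcurrentTransfers -eq 1) {
        $udpPorts = "$FaspBasePort"
    } else {
        $udpPorts = "${FaspBasePort}-${lastUdpPort}"
    }

    # TCP/22 is added only on request, so the default output exposes just
    # the non-default SSH port.
    $tcpPorts = @($SshPort)
    if ($AllowLegacySsh22 -and $SshPort -ne 22) { $tcpPorts += 22 }

    $template = 'netsh advfirewall firewall add rule name="{0}" ' +
                'dir=in action=allow protocol={1} localport={2}'
    $template -f 'Aspera SSH (TCP in)', 'TCP', ($tcpPorts -join ',')
    $template -f 'Aspera FASP (UDP in)', 'UDP', $udpPorts
}

# The guide's own case: 10 concurrent FASP transfers from the default base port.
Get-AsperaFirewallCommand -MaxConcurrentTransfers 10
```

The Web UI, HTTP Fallback and Vlink ports listed above are not covered by this script and need their own rules.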
Securing your SSH Server
Secure your SSH server to prevent potential security risks.
Introduction
Keeping your data secure is critically important. Aspera strongly recommends you take additional steps in setting up and configuring your SSH server so that it is protected against common attacks. Most automated robots will try to log into your SSH server on Port 22 as Administrator, with various brute force and dictionary combinations in order to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform thousands of retries to break into your system. This topic addresses steps to take in securing your SSH server against potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.
Why Change to TCP/33001?
It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, we recommend using TCP/33001.
Please note that your Aspera transfer product ships with OpenSSH listening on both TCP/22 and TCP/33001. As such, Aspera recommends only exposing TCP/33001 through your organization's firewall and disabling TCP/22.
Note: Remote Aspera application connections attempt to establish an SSH connection using the default port 33001. However, if the connection fails, the application attempts the connection using port 22.
The following explains how to change the SSH port to 33001 and take additional steps for securing your SSH server. The steps all require Administrator access privileges.
1. Locate and open your system's SSH configuration file
Open your SSH configuration file with a text editor. You will find this file in the following system location:
OS Version | Path
64-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config
2. Add new SSH port
Note: Before changing the default port for SSH connections, please verify with your network administrators that TCP/33001 is open.
The OpenSSH suite included in the installer uses TCP/22 and TCP/33001 as the default ports for SSH connections. Aspera recommends disabling TCP/22 to prevent security breaches of your SSH server.
Note: When changing the SSH port, you must also update the SshPort value in the <WEB...> section of aspera.conf. Please refer to Configuring your Web UI Settings for details.
Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable Port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment out Port 22 in your sshd_config file.
...
#Port 22
Port 33001
...
Note: Aspera recognizes that disabling the default SSH connection port (TCP/22) may affect your client users. When you change the port, ensure that you advise your users on configuring the new port number. Basic instructions for specifying the SSH port for FASP file transfers can be found below. To change the SSH port for Aspera Client, click Connections on the main window, and select the entry for your computer. Under the Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.
To make an impromptu connection to TCP/33001 during an ascp session, specify the SSH port (33001) with the -P (capital P) flag. Please note that this command does not alter ascp or your SSH server's configuration.
3. Disable non-admin SSH tunneling
Note: The instructions below assume that OpenSSH 4.4 or newer is installed on your system. For OpenSSH 4.4 and newer versions, the "Match" directive allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. If you are running an OpenSSH version older than 4.4, the "Match" directive will not be available and Aspera recommends updating to the latest version.
In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks, allowing tunneling only for users in the Administrators group. To disable non-admin SSH tunneling, open your SSH Server configuration file, sshd_config, with a text editor.
Add the following lines to the end of the file (or modify them if they already exist):
...
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes
Depending on your sshd_config file, you may have additional instances of AllowTCPForwarding that are set to the default Yes. Please review your sshd_config file for other instances and disable as appropriate.
4. Update authentication methods
Public key authentication can prevent brute force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.
...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...
Note: If you choose to leave password authentication enabled, be sure PermitEmptyPasswords is set to "no".
PermitEmptyPasswords no
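The sshd_config changes from steps 2 to 4 can be checked before the restart with a small audit script. This is an added example, not part of the Aspera product or the original guide; the two sample files are constructed. It relies on the documented OpenSSH behaviour that sshd uses the first value it reads for a keyword (Port is cumulative), so a hardening line appended after an older conflicting line has no effect.

```python
"""Audit an sshd_config file against steps 2 to 4 (added example)."""

# Constructed sample: the hardening lines were appended to the end of the file,
# but the original Port 22 and AllowTcpForwarding lines were left in place.
APPENDED_ONLY = """\
Port 22
Port 33001
AllowTcpForwarding yes
PasswordAuthentication yes
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes
"""

# Constructed sample: the same file with the earlier lines corrected in place.
HARDENED = """\
#Port 22
Port 33001
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps a lowercase keyword to its values in file order.
    match_blocks is a list of (criteria, settings); a Match block runs until
    the next Match line or the end of the file.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(keyword, []).append(value)
    return global_settings, match_blocks


def effective(settings, keyword, default):
    """First value wins for a keyword; fall back to the given default."""
    values = settings.get(keyword)
    return values[0].lower() if values else default


def audit(text):
    """Return a list of findings; an empty list means the steps are in effect."""
    glob, matches = parse_sshd_config(text)
    findings = []

    ports = glob.get("port") or ["22"]  # sshd listens on 22 when no Port is set
    if "22" in ports:
        findings.append("Port 22 is still enabled")
    if "33001" not in ports:
        findings.append("Port 33001 is not enabled")

    forwarding = [v.lower() for v in glob.get("allowtcpforwarding", [])]
    if effective(glob, "allowtcpforwarding", "yes") != "no":
        detail = " (a later 'no' is ignored)" if "no" in forwarding else ""
        findings.append("global AllowTcpForwarding is not 'no'" + detail)
    for criteria, settings in matches:
        is_admin_block = [t.lower() for t in criteria.split()] == ["group", "administrators"]
        block_value = effective(settings, "allowtcpforwarding", None)
        if block_value not in (None, "no") and not is_admin_block:
            findings.append("forwarding re-enabled under Match " + criteria)

    if effective(glob, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(glob, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled")
        if effective(glob, "permitemptypasswords", "no") != "no":
            findings.append("PermitEmptyPasswords is not 'no'")
    return findings


if __name__ == "__main__":
    for name, sample in (("appended only", APPENDED_ONLY), ("hardened", HARDENED)):
        print(name, "->", audit(sample) or "no findings")
```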
5. Restart the SSH server to apply new settings
When you have finished updating your SSH server configuration, you must restart the server to apply your new settings. Restarting your SSH server will not impact currently connected users. To restart your SSH Server, go to Control Panel > Administrative Tools > Services. Locate the OpenSSH Service and click Restart.
6. Restrict user access
Restricting user access is a critical component of securing your server. When a user's docroot is empty (i.e. blank), that user has full access to your server's directories and files. To restrict the user, you must set a non-empty docroot, which automatically changes the user's shell to aspshell (Aspera shell). You can do so from the product GUI by going to Configuration > Users > Docroot > Absolute Path. Input a path in the blank field and ensure that Override is checked.
Once you have set the user's docroot, you can further restrict access by disabling read, write and/or browse. You may do so via the product GUI (as shown in the screenshot above).
Field | Description | Values
Absolute Path | The area of the file system (i.e. path) that is accessible to the Aspera user. The default empty value gives a user access to the entire file system. | Path or blank
Read Allowed | Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value. | true / false
Write Allowed | Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value. | true / false
Browse Allowed | Setting this to true allows users to browse the directory. | true / false
7. Review your logs periodically for attacks
Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Launch Control Panel > Administrative Tools > Event Viewer. To see only SSH Server events, select View > Filter... to bring up the filter settings. In Application Properties > Filter tab, select sshd in the Event source menu to display only SSH Server events. You may also apply other conditions when needed.
With a filter applied, you can review the logs in the Event Viewer main window, or select Action > Save Log File As... to export a log file using .txt or .csv format.
Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:
...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...
If you have identified attacks:
• Double-check the SSH security settings in this topic.
• Report the attacker to your ISP's abuse email (e.g. abuse@your-isp).
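The log review described in step 7 can be automated over an exported log file. The following is an added example, not part of the original guide or the Aspera product; the sample log is constructed, and the script assumes the exported text keeps the sshd message format shown in the excerpt above. It groups failed logins by source address and flags addresses that tried several invalid user names, noting whether the names arrived in alphabetical order.

```python
"""Flag likely dictionary attacks in an exported sshd log (added example)."""
import re

# Constructed sample in the format of the log excerpt above.
SAMPLE_LOG = """\
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
Mar 10 18:48:05 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1586 ssh2
Mar 10 18:48:09 sku sshd[1496]: Failed password for invalid user bob from 1.2.3.4 port 1587 ssh2
Mar 10 18:48:12 sku sshd[1496]: Failed password for invalid user carol from 1.2.3.4 port 1588 ssh2
Mar 10 19:02:40 sku sshd[1502]: Failed password for asp1 from 192.0.2.10 port 50212 ssh2
Mar 10 19:02:51 sku sshd[1502]: Accepted publickey for asp1 from 192.0.2.10 port 50213 ssh2
Mar 11 07:15:33 sku sshd[1517]: Failed password for invalid user amdin from 203.0.113.7 port 40110 ssh2
"""

# "invalid user" marks an account name that does not exist on the server.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<addr>\S+) port \d+"
)


def summarize(log_text):
    """Return {source address: {"attempts": n, "invalid_users": [names in order]}}."""
    summary = {}
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        entry = summary.setdefault(
            match.group("addr"), {"attempts": 0, "invalid_users": []}
        )
        entry["attempts"] += 1
        user = match.group("user")
        if match.group("invalid") and user not in entry["invalid_users"]:
            entry["invalid_users"].append(user)
    return summary


def suspicious(log_text, min_invalid_users=3):
    """Return (address, invalid user names, alphabetical?) for flagged sources.

    A source is flagged when it tried at least min_invalid_users distinct
    account names that do not exist. The threshold is a value chosen for this
    example; tune it to your own traffic.
    """
    flagged = []
    for addr, entry in summarize(log_text).items():
        users = entry["invalid_users"]
        if len(users) >= min_invalid_users:
            flagged.append((addr, users, users == sorted(users)))
    # Most distinct user names first.
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for addr, users, alphabetical in suspicious(SAMPLE_LOG):
        order = "alphabetical order" if alphabetical else "no particular order"
        print(f"{addr}: {len(users)} invalid users ({', '.join(users)}), {order}")
```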
8. Set up transfer server authentication
For transfers mediated by a web application, the client browser sets up the context for the transfer using an HTTPS connection to the server, and then delegates the transfer to the Aspera FASP engine. The FASP engine then connects to the transfer server. In so doing, it needs to ensure the server's authenticity in order to protect the client against server impersonation and man-in-the-middle (MITM) attacks.
To verify the authenticity of the transfer server, the web app passes the client a trusted SSH host key fingerprint of the transfer server. When connecting to the transfer server, the client confirms the server's authenticity by comparing the server's fingerprint with the trusted fingerprint.
To configure transfer server authentication, open the transfer server's aspera.conf file:
C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\aspera.conf
• <ssh_host_key_fingerprint>
<ssh_host_key_fingerprint>fingerprint</ssh_host_key_fingerprint>
To retrieve the SSH fingerprint, locate the transfer server's public or private key, and run the following command on a Linux, Mac, or other UNIX computer:
# cd /etc/ssh
# cat ssh_host_rsa_key.pub | cut -d' ' -f2 | base64 -d | sha1sum | cut -d' ' -f1
The following is an example SSH fingerprint:
43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
By convention, Aspera uses a hex string without the colons ( : ). For example:
435143a1b5fc8bb70a3aa9b10f6673a8
The aspera.conf setting for this key would then be as follows:
<ssh_host_key_fingerprint>435143a1b5fc8bb70a3aa9b10f6673a8</ssh_host_key_fingerprint>
After modifying aspera.conf, be sure to restart the node service by running asperanoded:
> sc stop asperanoded
> sc start asperanoded
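A configured fingerprint that no longer matches the host key (for example after the key is regenerated) makes clients reject the server, so it is worth checking the two against each other. The following is an added example, not part of the original guide or the Aspera product: it repeats the command pipeline from step 8 in Python and compares the result with the value in aspera.conf. The public key line is a constructed stand-in, and the <server> parent element in the sample XML is an assumption; the lookup ignores nesting.

```python
"""Compare the fingerprint in aspera.conf with the host key (added example)."""
import base64
import hashlib
import hmac
import re
import struct
import xml.etree.ElementTree as ET


def _ssh_string(data):
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


# Constructed stand-in for the contents of ssh_host_rsa_key.pub (not a usable key).
_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + bytes(range(1, 65)))
)
SAMPLE_PUB_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " constructed@example"


def host_key_fingerprint(pub_line):
    """Same result as: cut -d' ' -f2 | base64 -d | sha1sum | cut -d' ' -f1"""
    blob = base64.b64decode(pub_line.split()[1])
    return hashlib.sha1(blob).hexdigest()  # 40 hex digits


def normalize(fingerprint):
    """Apply the convention from the text: a hex string without colons."""
    value = fingerprint.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("fingerprint is not a hex string: %r" % fingerprint)
    return value


def sample_conf(fingerprint):
    """Constructed aspera.conf fragment; the <server> parent is an assumption."""
    return (
        '<CONF version="2"><server>'
        "<ssh_host_key_fingerprint>%s</ssh_host_key_fingerprint>"
        "</server></CONF>" % fingerprint
    )


def configured_fingerprint(conf_xml):
    """Return the normalized fingerprint from aspera.conf text, or None if unset."""
    node = ET.fromstring(conf_xml).find(".//ssh_host_key_fingerprint")
    if node is None or not (node.text or "").strip():
        return None
    return normalize(node.text)


def matches_host_key(conf_xml, pub_line):
    """True when the configured value equals the digest of the host key."""
    configured = configured_fingerprint(conf_xml)
    if configured is None:
        return False
    return hmac.compare_digest(configured, host_key_fingerprint(pub_line))


if __name__ == "__main__":
    current = host_key_fingerprint(SAMPLE_PUB_LINE)
    print("host key fingerprint:", current)
    print("matches:", matches_host_key(sample_conf(current + " "), SAMPLE_PUB_LINE))
```

The sha1sum pipeline yields 40 hex digits, while the sample fingerprint shown in the text has 32, so check the length of a configured value before treating a mismatch as a changed key.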
Testing a Locally Initiated Transfer
Test client functionality by transferring to and from the Aspera Demo Server.
To make sure the software is working properly, follow these steps to test download and upload transfers between your system and the Aspera Demo Server:
1. Add the Demo Server in the Connection Manager
Launch the application: Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server. Then click Connections.
Note: This topic shows a very basic configuration to establish a connection. For more detailed instructions about Connections, refer to Managing Connections on page 40.
In the Connection Manager, click to add a new connection, and enter the following information, leaving other options at their default values or blank:
Field Value
Host demo.asperasoft.com
User aspera
Authentication (Password) demoaspera
2. Test your connection to the remote server
Click Test Connection to determine whether you can reach the remote server with the settings you configured. An alert box opens and reports whether the connection is successful.
3. Connect to the Demo Server and download test files
From the main window, select the demo server entry and click the Connect button.
On the server file browser (right panel), browse to the folder /aspera-test-dir-large, select the file 100MB, and click to download it to your local machine.
You should see the session appear in the Transfer tab.
4. Upload to the Demo Server
When downloaded, try uploading the same files back to the Demo Server. Select the same file (100MB) on the local file browser (left panel), navigate to the folder /Upload on the server, and click to upload it.
Connect Server Web UI Setup
Configure the server's Web UI settings and appearance.
Configuring your Web UI Settings
Configure Connect Server's Web UI transfer settings by updating aspera.conf
The instructions below describe the process of configuring IBM Aspera Connect Server's Web UI transfer settings by updating aspera.conf.
1. Locate and open aspera.conf
To configure Connect Server's Web UI transfer settings, locate aspera.conf and open it with a text editor:
OS Version | File Location
32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf
2. Additionally, open Aspera's sample Web UI configuration file
Locate and open Aspera's sample Web UI configuration file, which can be found in the following directory:
OS Version | File Location
32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\samples\aspera-web-sample.conf
64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\samples\aspera-web-sample.conf
3. Modify the <WEB> section inside the sample Web UI configuration file and copy it into aspera.conf
Locate the <WEB> section and modify it based on your requirements. Then, copy the <WEB> section into aspera.conf.
<CONF version="2">
  ...
  <WEB
    SshPort = "33001"
    UdpPort = "33001"
    PathMTU = "0"
    HttpFallback = "no"
    HttpFallbackPort = "8080"
    HttpsFallbackPort = "8443"
    EnableDelete = "yes"
    EnableCreateFolder = "yes"
    AsperaServer = ""
    EnableUserSwitching = "no"
    HideRestrictedFolders = "yes"
    EnableSortByName = "false"
    EnableConnectUpdates = "yes"
  />
</CONF>
Important: The default configuration example, above, assumes you are using TCP/33001 as your SSH port.
The table below provides descriptions of all Web UI configuration options.
Field | Description | Values | Default
SshPort | The TCP port for SSH transfer communication. | integer between 1 and 65535 | 33001
UdpPort | The UDP port for FASP file transfer. | integer between 1 and 65535 | 33001
PathMTU | Sets the maximum packet size for file transmission. When using the value "0", FASP will automatically set the appropriate value for the network within this value. | integer between 296 and 10000 | 0
HttpFallback | Use HTTP Fallback transfer when UDP-port transfer fails. | yes / no | no
HttpFallbackPort | The TCP port for HTTP Fallback transfer. | integer between 1 and 65535 | 8080
HttpsFallbackPort | The TCP port for HTTPS Fallback transfer. | integer between 1 and 65535 | 8443
EnableDelete | When set to "yes" (default), users with the appropriate permissions can delete files and folders within the Web UI. | yes / no | yes
EnableCreateFolder | When set to "yes" (default), users with the appropriate permissions can create new folders using the "New Folder" button within the Web UI. Note: The user can still upload a new folder even if "EnableCreateFolder" is set to "no." | yes / no | yes
AsperaServer | To use this computer solely for the Connect Server Web UI (and not for file transfers), enter the IP address or host name of the transfer server machine in this field. In the case of a high-availability or clustered setup, this value should be the IP address or host name of the VIP (where the VIP/cluster service/load balancer will manage the transfer servers). Once added, Connect Server allows the user to transfer to and from the file system on the indicated transfer server machine. | The IP address or host name of the transfer server machine | unspecified (transfer using local machine)
MinimumConnectVersion | Specifies the minimum version of Connect that must be installed in order for users to be able to use Connect Server. If the minimum version is not installed, a message is displayed that indicates the minimum version required and provides a download link. This option takes the value in the format of the Aspera Connect version, for example, "3.0.0.12345". Note: The default value for this setting is also the lowest allowable value. If the value specified is below the default value, the Web UI enforces the default value.
EnableUserSwitching | This option enables a feature that allows a user to switch to a different user account. When set to "yes", a Change User button is added to the web page in the upper-right corner. Note that the feature only allows users to log in to a different account than the one they are exiting. This is currently an experimental feature. Note: On Windows Connect Server, unicode user names are not supported. | yes / no | no
HideRestrictedFolders | Hide folders that the user doesn't have permission to read. When set to "no", the user can see all folders, and may encounter errors when trying to access inaccessible folders. | yes / no | no
EnableSortByName | When the value is "true," files are sorted into a given order before being listed on the Connect Server Web UI. Important: We recommend that you keep the default setting of "false." If you browse a directory that contains numerous files, then browsing performance may be impacted due to the extra sorting that needs to occur. | true / false | false
EnableConnectUpdates | When the value is "yes," the Connect Server Web UI will display a prompt to upgrade the Connect browser plugin when an upgrade is available. When set to "no," this prompt will no longer appear, except for mandatory upgrades when the minimum version requirement for Connect is not met. This setting does not affect the installation message that appears when Connect is not installed. | yes / no | yes
You may restart Aspera HTTPD within the Computer Management window, which is accessible via Manage > Services and Applications > Services.
Customize your Web UI's Appearance
Customize Connect Server's Web UI header and footer.
To customize Connect Server's Web UI header and footer, locate the following header and footer files:
OS Version | File Location
32-bit Windows | Header - C:\Program Files\Aspera\Enterprise Server\var\www\user\aspdir-header.html
32-bit Windows | Footer - C:\Program Files\Aspera\Enterprise Server\var\www\user\aspdir-footer.html
64-bit Windows | Header - C:\Program Files (x86)\Aspera\Enterprise Server\var\www\user\aspdir-header.html
64-bit Windows | Footer - C:\Program Files (x86)\Aspera\Enterprise Server\var\www\user\aspdir-footer.html
Once you have modified your header/footer file(s), save them in the custom directory, as shown below.
OS Version | File Location
32-bit Windows | Header - C:\Program Files\Aspera\Enterprise Server\custom\www\aspdir-header.html
32-bit Windows | Footer - C:\Program Files\Aspera\Enterprise Server\custom\www\aspdir-footer.html
64-bit Windows | Header - C:\Program Files (x86)\Aspera\Enterprise Server\custom\www\aspdir-header.html
64-bit Windows | Footer - C:\Program Files (x86)\Aspera\Enterprise Server\custom\www\aspdir-footer.html
Alternatively, you can integrate Aspera transfers into a custom web application. For more information, refer to Aspera Developer Network - Aspera Web.
Configuring HTTP and HTTPS Fallback
Configure HTTP/HTTPS Fallback using the Connect Server GUI or aspera.conf.
HTTP Fallback serves as a secondary transfer method when the Internet connectivity required for Aspera accelerated transfers (UDP port 33001, by default) is unavailable. When HTTP Fallback is enabled and UDP connectivity is lost or cannot be established, the transfer will continue over the HTTP (or HTTPS) protocol. The instructions below walk through the process of setting up HTTP/HTTPS fallback. For additional information on configuring different modes and testing, see the Aspera KB Article "HTTP fallback configuration, testing and troubleshooting."
1. Turn on HTTP/HTTPS Fallback.
These instructions assume that you have already configured your Connect Server's Web UI, as documented in the topic "Connect Server Web UI Settings." If you have not done so, please review that topic before proceeding. To turn on HTTP/HTTPS Fallback, you must edit the <WEB/> section of aspera.conf. This configuration file can be found in the following directory:
OS Version | File Location
64-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
If you do not see the <WEB/> section, you will need to copy it from the file aspera-web-sample.conf, as described in "Connect Server Web UI Settings." Within the <WEB/> section, locate and confirm the following entries:
<WEB ...
  HttpFallback = "yes" <!-- Yes to turn on; No to turn off -->
  HttpFallbackPort = "8080" <!-- Default: 8080 -->
  HttpsFallbackPort = "8443" <!-- Default: 8443 -->
/>
If you modify aspera.conf, run the following command (from Enterprise Server's bin directory) to validate your updated configuration file:
> C:\{Program Files or Program Files (x86)}\Aspera\Enterprise Server\bin\asuserdata -v
2. Configure HTTP/HTTPS Fallback settings.
You can configure HTTP/HTTPS Fallback either in the Connect Server GUI or in aspera.conf. To edit your settings, launch Connect Server and go to Configuration > Global (tab in left pane) > HTTP Fallback (tab in right pane).
Review the following settings:
• Set Enable HTTP to true.
• If you want to allow fallback over HTTPS, set Enable HTTPS to true.
• Verify that the value shown for HTTP Port matches that which is displayed in the aspera.conf file, under the <WEB/> section (default: 8080). Refer to Step 1 for additional information.
• (If applicable) Verify that the value shown for HTTPS Port matches that which is displayed in the aspera.conf file, under the <WEB/> section (default: 8443). Refer to Step 1 for additional information.
Additional HTTP Fallback settings can be found under the Connect Server GUI's HTTP Fallback tab:
# | Field | Description | Values | Default
1 | Cert File | The absolute path to an SSL certificate file. If left blank, the default certificate file that came with Enterprise Server is used. | file path | blank
2 | Key File | The absolute path to an SSL key file. If left blank, the default certificate file that came with your Aspera Enterprise Server will be used. | file path | blank
3 | Bind Address | This is the network interface address on which the HTTP Fallback server listens. The default value 0.0.0.0 allows the HTTP Fallback server to accept transfer requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified. | valid IPv4 address | 0.0.0.0
4 | Restartable Transfers | Setting this to true allows interrupted transfers to resume at the point of interruption. | true / false | true
5 | Session Activity Timeout | Any value greater than 0 sets the amount of time, in seconds, that the HTTP Fallback server will wait without any transfer activity before canceling the transfer. Notice that this option cannot be left at 0, otherwise interrupted HTTP Fallback sessions will get stuck until server or asperacentral is restarted. | positive integer | -
6 | HTTP Port | The port on which the HTTP server listens. Valid port numbers range between 1 and 65535. | positive integer | 8080
7 | HTTPS Port | The port on which the HTTPS server listens. Valid port numbers range between 1 and 65535. | positive integer | 8443
8 | Enable HTTP | Enables the HTTP Fallback server that allows failed UDP transfers to continue over HTTP. | true / false | false
9 | Enable HTTPS | Enables the HTTPS Fallback server that allows failed UDP transfers to continue over HTTPS. | true / false | false
4. Specify a token encryption key.
The token encryption key is the secret text string that is used to authorize transfers configured to require a token.
Note: If HTTP/HTTPS fallback is enabled, a token encryption key is required. If HTTP/HTTPS is configured without the encryption key, initiating a transfer with the download button generates the following error:
Error: internal error - unable to start token generation
You can specify a token encryption key from the Enterprise/Connect Server GUI or in aspera.conf. To configure your token encryption key within the GUI, launch your Enterprise/Connect Server application and click Configuration. Go to Global > Authorization, check the option Token Encryption Key and enter a key string of your choice (in the example below, the string "secret").
To specify the token encryption key in aspera.conf, open the file with a text editor, and add or update the authorization section's encryption_key (the example below uses the string "secret"; however, it can be any string):
Important: After changing your Aspera token settings (either via aspera.conf or the GUI), you must restart AsperaHTTPD. For instructions, see the final step in this topic.
5. Restart Aspera Central and Aspera HTTPD to apply new settings.
To restart Aspera HTTPD and Aspera Central, go to the Computer Management window, which is accessible via Manage > Services and Applications > Services.
Testing Web UI
Test Aspera Connect client transfers through Web UI.
Follow the steps below to test your client transfers through the Web UI.
Note: The instructions require steps to be taken on both the Connect Server system and a client computer. Make sure you are performing the steps on the specified machine.
1. Clients: Test the connection to the Web UI
To test your connection to the Connect Server Web UI, go to the following address with a client computer's browser:
Scope | URL
HTTP | http://server-ip-or-name/aspera/user
HTTPS | https://server-ip-or-name/aspera/user
2. Connect Server: Set up a test user account
Prepare a system user (asp1), and add the user to Connect Server with the specified docroot. Launch the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and click Configuration.
In the Server Configuration, select the Users tab and click . Enter the system user's name (asp1).
Select the user's Docroot tab, check Absolute Path and enter or select an existing path as the user's docroot (for example, C:\sandbox\asp1). Set all other options true. Click OK or Apply when finished.
Note: Use the -c option only if this is the first time running htpasswd to create the webpasswd file. Do not use the -c option otherwise.
3. Client: Test the Web UI with the client machine
Prepare a client computer with a supported OS and browser to test connecting to the Web UI. See the Introduction on page 5 for supported platforms and browsers. When browsing the Web UI from the client machine, you should see the Aspera Connect browser plugin installation instructions on the web page. Click either Install Now or Download Aspera Connect and follow the instructions.
In the Web UI, click Upload and select one or more files to send to Connect Server. When finished, select the uploaded files on the Web UI, and click Download.
Note: When adding files to the Web UI, do not use the following characters in the filenames:
/ \ " : ' ? > < & * |
For further information about the Aspera Connect browser plugin, see the Aspera Connect User Guide.
If you are having difficulties establishing FASP transfers using the Web UI, see Clients Can't Establish Connection on page 165.
Transferring Files with the Application
Using the desktop application to transfer files.
Application Overview
Desktop application overview.
To launch the application, go to Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server.
Note: The Configuration button shown in the screenshots below is only enabled when the application is run as an Administrator.
Item | Description
A | The transfer mode. Reveal the local/remote file browsers.
B | The transfer details mode. Show the selected transfer session's details and the transfer control options.
C | Bring up the Connection Manager window to manage the remote endpoints.
D | Bring up the Server Configuration window to configure the computer's FASP transfer settings.
E | Set the local computer's default transfer settings such as the FASP global bandwidth and the number of simultaneous transfers in the queue, and the SMTP server's information for transfer notifications.
F | Browse the local file system to find files to transfer.
G | When not connected, this panel shows Connections, which lists the saved connections. When connected, it becomes the remote file browser.
H | Display previous, ongoing, and queued transfers. Manage the priority.
I | Display all configured Hot Folders. Start or manage Hot Folders.
Item | Description
A | Path indicator/selector.
B | Go to the parent directory.
C | Create a new folder, or set up a Hot Folder.
D | Choose between the list views and the detail view.
E | Create a new folder, or set up a Hot Folder.
F | Bring up the advanced upload or download window.
G | Decrypt the selected file if it is encrypted with the content protection.
H | Choose between the detail or the list views. Refresh the folder.
I | Options to manipulate the selected files.
J | Show the selected files' properties.
Managing Connections
Add and manage the remote FASP servers.
To connect to a remote computer or to a server in the cloud, you need to add it to the Connection Manager before establishing the connection. If you are planning to perform transfers with an S3 bucket, you must meet the following prerequisites:
• You (username) have permissions to access the S3 bucket.
• You know your username's S3 Access ID and Secret Key.
• To transfer files from and/or to an S3 storage device using an S3-direct connection, you cannot have a docroot. A local docroot will result in a failed transfer. Be sure to confirm your docroot settings before attempting a transfer.
Start the application: Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server. In the main window, click Connections to open the Connection Manager.
In the Connection Manager, click to create a new connection. You can also use to duplicate a selected connection (i.e. copy all information into a new profile) and to delete a connection profile.
To name or rename a connection, click the orange connection profile name that appears at the top of the screen. The Rename Connection dialog appears. You can also launch the Rename Connection dialog by clicking once on an already selected connection name in the left panel of the Connection Manager. When you have entered the new name, save it by clicking OK (once in the Rename Connection dialog and again in the Connection Manager).
Tab | Description
Connection | The basic host information, such as the address, login credentials, and connection ports.
Transfer | The transfer session-related options, such as the transfer speed and retry rules.
Tracking | Options for tracking the transfer session, including the confirmation receipt and the email notifications.
Filters | Create filters to skip files that match certain patterns.
Security | Enable the transfer encryption and the content protection.
File Handling | Set up resume rule, preserve transferred file attributes, and remove source files.
The following tables detail all options in these tabs:
Connection
Option | Description
Host | Required. The server's address, such as 192.168.1.10 or companyname.com.
User | The login user for the server.
Authentication | Choose either password or public key for authentication. To use the key-based authentication, see Creating SSH Keys on page 46.
Storage Type | Use this drop-down menu to configure storage in the cloud. Note that the default option is local storage. Storage types include the following:
• Akamai NetStorage
• Amazon S3: Once selected, you will be required to input your Access Id / Secret Access Key and identify a bucket. Note that the local machine must be reasonably time-synchronized in order to communicate with the Amazon servers. You can also select the Advanced button to modify the following settings:
  • Host: Amazon S3 hostname (default: s3.amazonaws.com).
  • Port: Default is port 443.
  • HTTPS connection for file browsing: Enable for secure browsing.
  • Server-side file encryption: Enable for AES256 encryption.
  • Reduced redundancy storage class: Assign objects to the "reduced redundancy" storage class (durability of 99.99%).
• Google Storage
• Windows Azure
• Windows Azure SAS
Note: You can only choose special storage if you have full access to that storage on the cloud-based machine.
Target Directory | The default directory when connecting to this computer. When leaving it blank, browsing the remote host brings up either the user account's document root (docroot), or the last-visited folder; when specifying a path, connecting to the host always brings up the exact directory. The default directory is shown in the Connections panel.
Share this connection ... | Check this box to share this connection with other users on your computer. When a connection is authenticated through Public Key, the SSH keys used by this connection should be shared as well. Refer to Creating SSH Keys on page 46.
Advanced Settings > SSH Port (TCP) | The TCP network port. Default: 33001. Note that if connecting on 33001 fails, the application attempts to establish a connection on port 22. If the connection on 22 succeeds, the setting is updated to 22.
Advanced Settings > fasp Port (UDP) | The UDP network port. Default: 33001.
Advanced Settings > Connection Timeout | Time out the connection attempt after the selected time.
Test Connection | Click this button to test the connection to the remote server with the settings you configured. An alert box opens and reports whether the connection is successful.
Transfer
Option | Description
Transfer Name | Choose between the following options: Automatically generate allows the user interface to generate the transfer name; Automatically generate and add prefix uses auto-generated name with prefix; Specify uses the user-specified name.
Policy | Select the transfer policy. Refer to FASP Transfer Policies on page 143.
Speed | Check this option to specify the transfer rate. The target rate is constrained by the global bandwidth in the Preferences window. Refer to Global Bandwidth Settings on page 92.
Retry | Check this option to automatically retry the transfer after a recoverable failure. When checked, set the amount of time the transfer should be retried in seconds, minutes or hours. You may set the initial and maximum retry intervals by clicking the More Options... button.
• Initial interval: The first retry waits for the initial interval. Input in seconds, minutes or hours.
• Maximum interval: After the initial interval, the next interval doubles until the maximum interval is met, and then stops retrying after the retry time is reached. Input in seconds, minutes or hours.
Example 1: 10s initial interval, 60s maximum interval, retry for 180s
Retry at (seconds): 10s 30s 70s 130s 180s
Interval progression (seconds): 10s 20s 40s 60s 60s 50s
Example 2: 30s initial interval, 120s maximum interval, retry for 600s
Retry at (seconds): 30s 90s 210s 330s 450s 570s 600s
Interval progression (seconds): 30s 60s 120s 120s 120s 120s 30s
Show Advanced |
• Specify FASP datagram size (MTU): By default, the detected path MTU is used. Once you enable this checkbox, you can specify a value between 296 and 10000 bytes.
• Disable calculation of source files size before transferring: By enabling this checkbox, you can turn off the job size calculation on the client-side (if allowed by the server).
Tracking
Option | Description
Generate delivery confirmation receipt | Check the option to create the delivery receipt file in the specified location.
Send email notifications | Send out email notifications based on specified events (start, complete, and error). Refer to Using Transfer Notifications on page 64 for more information.
Filters
Click Add and enter the pattern to exclude files or directories with the specified pattern in the transfer. The exclude pattern is compared with the whole path, not just the file name or directory name. Two special symbols can be used in the setting of patterns:
Symbol | Name | Description
* | Asterisk | Represents zero to many characters in a string, for example *.tmp matches .tmp and abcde.tmp.
? | Question mark | Represents one character, for example t?p matches tmp but not temp.
Examples:
Filter Pattern | Matched files
*dirName | path/to/dirName, another/dirName
*1 | a/b/file1, /anotherfile1
*filename | path/to/filename, /filename
path?/file? | path1/fileA, pathN/file5
Security
Option D