User's Guide
Product Version: 2.5.0 Publication Date: 7/25/2011
© Copyright 2009-2011, LINOMA SOFTWARE
LINOMA SOFTWARE is a division of LINOMA GROUP, Inc.
Contents
GoAnywhere Services™ Welcome
Getting Started
Screen Tips
Login
Dashboard
Quick Links
Security
Roles
Role Management
Role Details
Edit Role
Users
User Management
Add User
Edit User
User Details
Reset User Password
Change User Password
Groups
Group Management
Add Group
Edit Group
View Group
Login Methods
Login Methods Management
Add Login Method
Edit Login Method
Login Method Details
Security Settings
Web User Password Policy
Web Users
Web User Management
Add Web User
Import Web Users
Create the CSV File
Validate and Import CSV File
Review Import Web User Results
Edit Web User
Web User Details
Reset Web User Password
Import SSH Public Key
Web User Groups
Web User Groups Management
Add Web User Group
Edit Web User Group
Web User Group Details
Web User Templates
Web User Template Management
Add Web User Template
Edit Web User Template
Web User Template Details
IP Filter
Manage IP Filters
Add IP Filter Entries
View IP Filter Entry
Edit IP Filter Entry
Administration
Global Settings
Admin Server Configuration
Listener Configuration
Database Configuration
Edit Database Configuration
Switch Database
Database Backup
Database Tuning
Active Sessions
Session Log
Service Manager
HTTPS/AS2 Service
Quick Start for AS2
HTTP/AS2 Server Configuration
HTTPS/AS2 Service Preferences
FTP Service
FTP Server Configuration
FTP Service Preferences
FTPS Service (FTP over SSL)
Quick Start for FTPS
FTPS Server Configuration
FTPS Service Preferences
SFTP Service (FTP over SSH)
Quick Start for SFTP
SFTP Server Configuration
GoAnywhere Services 2.5.0 Linoma Software Page 3
SFTP Service Preferences
Gateway Manager
Gateway Configuration
About GoAnywhere Gateway™
Manage GoAnywhere Services Licence
Display License
Install License
Uninstall License
Request License
Check for Updates
Display Server Log
Audit Logs
HTTPS Audit Log
FTP Audit Log
FTPS Audit Log
SFTP Audit Log
AS2 Audit Log
Audit Log Details
Triggers
Trigger Manager
Add Trigger
Edit Trigger
Copy Trigger
Trigger Details
Trigger Execution History
Trigger Preferences
Trigger Log
View Trigger Log Details
Trigger Resources
Add Resource
Edit Resource
View Resource Details
View Resource Info
Tools
File Manager
Upload Files
SSL Certificate Manager
Open SSL Key Store
SSL Certificate Manager
Manage SSL Private Keys
Create SSL Certificate
Generate CSR (Certificate Signing Request)
Import CA Reply
Export SSL Certificates and Private Keys
Import SSL Certificate
Import SSL Private Key
View SSL Certificate/Private Key
Create SSL Key Store
Change Key Store Password
Change Key Store Preferences
SSH Key Pairs
Manage SSH Keys
Create SSH Key Pair
Open Public SSH Key
Open Private SSH Key
View or Export a SSH Private Key
View or Export a SSH Public Key
GoAnywhere Services Help Options
GoAnywhere Services Support
About GoAnywhere Services
Appendix
Standards
HTTPS/AS2 (HTTP over SSL) - Standards
FTP Standards
FTPS (FTP over SSL) - Standards
SFTP (FTP over SSH) - Standards
Date and Time Patterns
Stopping and Starting GoAnywhere Services
SSL Handshake Process
SSH Handshake Process
Trigger Event Types
Trigger Event Variables
Web User Email Templates
JDBC URL Wizard
Glossary
GoAnywhere License Agreement
About Linoma Software
Contacting Linoma Software
GoAnywhere Services™ Welcome
GoAnywhere Services™ is a secure file server that allows trading partners and employees to connect to your organization and easily exchange files within a fully managed and audited environment. Popular file transfer and encryption standards are supported without the need for proprietary client software. GoAnywhere Services is an on-premises solution that allows for localized control, user management and security of your data.
GoAnywhere Services includes the following comprehensive features:
• Installs to Windows, Linux, AIX, IBM i (iSeries), UNIX, Solaris, and HP-UX
• FTP server component with support for SSL (Explicit SSL)
• SFTP server component, with SCP support, for secure FTP transfers over SSH
• FTPS server component for secure FTP transfers over SSL (Implicit SSL)
• HTTPS web-client for simple browser-based file transfers
• AS2 server component for receiving EDI and other documents over secure connections
• No files stored in the DMZ (when using GoAnywhere Gateway)
• No incoming ports are opened into the internal network (when using GoAnywhere Gateway)
• Highly scalable with support for multiple concurrent file transfer sessions
• Browser-based interface for all administrative and monitoring functions
• Unlimited administrative users with configurable individual roles
• Wizards and templates for creating trading partner accounts quickly
• Trading partner permission controls for specific services (FTP, SFTP, FTPS, HTTPS), actions (for example, upload, download, etc.) and directories
• Event Triggers - Send email alerts or perform actions on files when user-defined events occur (for example, upload, download, invalid login, etc.)
• Integrated key management tools for SSH Keys and SSL Certificates
• Detailed audit logs for all activity (e.g. logins, file transfers, errors and other events)
• No programming or special skills required to set up
• Integrates with GoAnywhere Director™ for a cohesive managed file transfer solution
Getting Started
Authorized Users access GoAnywhere Services’s browser-based dashboard to perform configuration and monitoring within the application. Follow these steps to get started with GoAnywhere Services.
1. Login to GoAnywhere Services through a browser.
2. Review (or modify) the Global Settings for GoAnywhere Services.
3. Configure the Login Methods, the Web User Password Policy and Web User Templates for Web Users.
4. Set up Users and User Groups with their applicable roles and permissions.
5. Create the Web Users and Web User Groups authorized to work with GoAnywhere Services.
6. Configure the services through the Service Manager screen.
7. Define Triggers to execute specified actions when certain conditions are met.
8. If installed, configure the GoAnywhere Gateway through the Gateway Manager screen for IP/port mappings.
The term "Users" is used to indicate those individuals that are allowed to perform administration functions in GoAnywhere Services. The term "Web Users" indicates the credentials for connecting to a service in GoAnywhere Services.
Screen Tips
• Required fields are indicated with a red asterisk *.
• On-line help is available on each screen by clicking the icon.
• By default, the GoAnywhere Services administrator will timeout your browser session after 60 minutes of inactivity.
Use the buttons and links provided in GoAnywhere Services to navigate. Do not use the Back, Forward, or Refresh buttons in your browser, since doing so may cause out-of-sync issues.
Login
Follow the steps below to login to GoAnywhere Services:
1. From your browser, type the URL where GoAnywhere Services is installed, using the format [protocol]://[hostname]:[portnumber]
• [protocol] can be either http or https
• [hostname] is the host name or IP address of the GoAnywhere Services server
• [portnumber] is the port number of the GoAnywhere Services server. The default port is 9000 (for example, http://myserver:9000).
2. Login with your User Name and Password. The default User Name is administrator and the default Password is goanywhere.
The Password is case-sensitive.
Dashboard
The GoAnywhere Services dashboard is displayed after login. Along with displaying vital system statistics, the dashboard provides menus and links that quickly access components within GoAnywhere Services. All components are available from drop-down lists on the main menu bar.
Main Menu Bar
To access a component, select it from a drop-down list on the main menu bar.
Quick Links
Launch popular components by clicking a corresponding Quick Links icon.
Statistics
Statistics are shown on the bottom of the dashboard (for Users with the Auditor role). These statistics show the number of uploads and downloads, login and other errors for each service.
By default, statistics are initially shown for today’s activity. Click the tabs to view statistics for other time periods or select a different service type to view statistics for the particular service. View Audit Log details by clicking the corresponding value.
For instance, to view more details about the Login Errors, click the number to the right of the “Login Errors” heading.
If links or icons appear inactive, you do not have permissions for those functions based on your User Roles. Contact your GoAnywhere Services administrator for assistance with Roles and Permissions.
Quick Links
Listed below are descriptions of the Quick Links available on the GoAnywhere Services dashboard.
Component: Admin Users
Description: Set up and configure the Users who are authorized to administer GoAnywhere Services. This component provides functions to view, create and maintain Users.
Security Role Required *: Security Officer
Component: Web Users
Description: Define the accounts (for example, trading partners) authorized to access GoAnywhere Services. This component provides functions to view, create and maintain Web Users. Web Users are granted access to transfer files using one or more of the AS2, HTTPS, FTP, FTPS, or SFTP services.
Security Role Required *: Web User Manager
Component: Active Sessions
Description: Active sessions are the Web User accounts currently logged on to the GoAnywhere Services server. The Active Sessions component provides the ability to see how many Web Users are logged on to each service, view their activity or end their sessions.
Security Role Required *: Product Administrator
Component: Audit Logs
Description: Used to view the Audit Logs for each service. The Audit Logs keep a detailed record of all file activity on the GoAnywhere Services server. Select the service type from the drop-down menu after clicking the Audit Logs Quick Link.
Security Role Required *: Auditor
Component: Triggers
Description: Used to work with Triggers. Includes functions to display triggers, add new triggers, and set trigger preferences. Allows viewing trigger status information and trigger logs.
Security Role Required *: Trigger Manager
* Roles are defined in the Security section.
If links or icons appear inactive, you do not have permissions for those functions based on your User Roles. Contact your GoAnywhere Services administrator for assistance with Roles and Permissions.
Security
GoAnywhere Services implements Roles, Login Methods, Users, and User Groups to control access to functions in the application. GoAnywhere Services provides external access controls with Web User Accounts, Web User Groups, Web User Templates, and a Web User Password Policy.
Roles
Roles are assigned to Users and Groups. A role specifies which GoAnywhere Services functions (authorities) are available to the User or Group.
Listed below are the roles available in GoAnywhere Services:
Role Name, followed by its Authorized Functions:
Auditor
• Access Audit Logs
• View statistics
File Manager
• Manage files (for example, download, copy, delete, upload) on the server where GoAnywhere Services is installed
Key Manager
• Manage SSH Keys
• Manage SSL Certificates
Product Administrator
• View and change global preferences
• Download product updates
• View, install and uninstall the product license
• View the Server Log
• Manage Services Configuration and Preferences
• Manage GoAnywhere Gateway
• Configure, tune and migrate the GoAnywhere Services database
Security Officer
• Configure how User and Web User passwords are authenticated
• Manage Users and their assigned Roles
• Manage Groups and their assigned Roles
• Reset User and Web User passwords
• Manage IP Filters
• Manage Web User Password Policy
• View the server log
Trigger Manager
• Manage Triggers
• View Trigger Logs
• Define Trigger Resources
Web User Manager
• Manage Web Users and their assigned permissions
• Manage Web User Groups and their assigned permissions
• Assign Web Users to Web User Groups
• Manage Web User Templates
Roles assigned to a Group will be adopted by the Users belonging to that Group.
Role Management
To work with roles, login as a User with the Security Officer role.
From the main menu bar, point to Security and then click Roles.
Available Options
• View the Users and Groups assigned to the role by clicking the icon.
• Edit the Users and Groups assigned to the Role by clicking the icon.
Role Details
The Role Details screen displays the Users and Groups assigned to a Role.
Edit Role
A Role can be assigned to Users and Groups through the Edit Role screen. The Edit Role screen is split in two columns.
The Users and Groups not assigned to the role are displayed in the left column. The Users and Groups assigned to the role are displayed in the right column.
Follow the instructions below to edit the Roles for a User or Group:
1. From the main menu bar, point to Security, and then click Roles.
2. In the Roles Manager screen, click the icon beside the Role you wish to edit.
3. Assign or Remove Users to the appropriate roles.
Assign Users or Groups to a Role:
1. In the left column, click to select the Users or Groups to assign to the Role. Multiple entries can be selected by pressing the Ctrl or Shift key while selecting Users or Groups.
2. When the desired Users or Groups are selected, click the icon to move the Users or Groups from left to right.
Remove Users or Groups from a Role:
1. In the right column, click to select the Users or Groups to remove from the role. Multiple entries can be selected by pressing the Ctrl or Shift key while selecting Users or Groups.
2. When the desired Users or Groups are selected, click the icon to move the Users or Groups from right to left.
4. Click the Save button to apply the changes.
Users
In order to perform administrative functions in GoAnywhere Services, a User must login with a valid User name and password. Users can be added and managed only by a User with the Security Officer role.
The passwords for these Users can be stored and authenticated within GoAnywhere Services's database, or can be authenticated against an IBM i, LDAP or Windows Active Directory.
Each User may belong to one or more Groups. The User will adopt the Roles (authorities) from any Group(s) to which they belong. A User can also be granted individual Roles.
The User's Roles (permissions) will determine which functions the User has access to in GoAnywhere Services.
The User Names administrator and root are created by default when installing GoAnywhere Services. These "administrative level" users have authorization to all functions in GoAnywhere Services. After installation of GoAnywhere Services, a Security Officer should change the default passwords for the administrator and root User accounts, in accordance with their corporate data security policy.
User Management
To manage User accounts, login as a User with the Security Officer role.
From the main menu bar, point to Security and then click Users.
Available Options
• Add a User by clicking the Add User link in the sub-menu bar
• View the details for a User by clicking the icon
• Edit a User by clicking the icon
• Reset a User's password by clicking the icon
• Delete a User by clicking the icon. Delete one or more users by selecting the appropriate check boxes and clicking the Delete button.
Add User
A User can be created using the Add User screen. Follow the instructions below to add a new User:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Users.
3. In the Users screen, click the Add User link in the sub-menu bar.
4. Type the User information in the appropriate boxes.
5. If needed, select the individual Roles to be assigned to the User. See note below.
6. Assign the User to one or more Groups. The User will adopt the Roles from any Groups to which it belongs.
7. Click the Save button to add the User account.
For ease of User management, it is generally not recommended to give individual Roles to a User. Instead, you should assign each User to one or more Groups, from which the User will adopt the roles from those Groups. This allows you to quickly adjust Roles for several Users at once by changing the Roles for the Group(s) to which they belong.
User Name
The User Name is not case sensitive and cannot exceed 20 characters.
Description
This describes the User. This value cannot exceed 512 characters.
Password
Passwords are case sensitive, can contain numbers and characters, and can be up to 20 characters long.
Specify a User password only if the Default Login Method for Users setting on the Login Methods page is set to GoAnywhere Services. Otherwise leave blank.
E-Mail Address
The User email address.
Roles
Individual Roles for the User.
Groups
The Groups are split into two sections. The Groups to which the User does not belong are shown on the left side of the screen. The Groups to which the User does belong are shown on the right side of the screen.
The User will adopt the Roles from any groups to which it belongs.
Home Directory
The home directory that the User will see when launching the File Manager. *DOCROOT/*USER is the User's default home directory located in the global documents directory. *DOCROOT is the global documents directory specified on the Data tab in Global Settings. *OTHER allows the specification of a custom home directory on the file system.
Restrict to Home Directory
Indicates if the User is restricted to the specified home directory or has access to the entire file system when using the File Manager. If checked, the User will only have access to the specified home directory and its sub-directories.
File Permissions
Indicates if the User will have Read Only access to files or Read/Write access to files when using the File Manager. Read Only specifies the User can only browse and download files. Read/Write allows the User to browse, download, upload, copy, move, delete, and rename files.
The Home Directory, Restrict to Home Directory and File Permissions attributes are only applicable if the User has a File Manager role.
Edit User
A User can be edited using the Edit User screen. Follow the instructions below to edit a User:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Users.
3. In the Users screen, click the icon next to the User.
4. Modify the field values for the User.
5. Click the Save button to save the settings.
For ease of User management, it is generally not recommended to give individual Roles to a User. Instead, you should assign each User to one or more groups, from which the User will adopt the Roles from those groups. This allows you to quickly adjust Roles for several users at once by changing the Roles for the group(s) to which they belong.
User Name
The User Name is not case sensitive and cannot exceed 20 characters.
Description
This describes the User. This value cannot exceed 512 characters.
E-Mail Address
The User email address.
Enabled
If selected, this indicates that the User account is enabled.
This option is only visible when editing a User.
Roles
Individual Roles for the User.
Groups
The Groups are split into two sections. The Groups to which the User does not belong are shown on the left side of the screen. The Groups to which the User does belong are shown on the right side of the screen.
The User will adopt the Roles from any groups to which it belongs.
Home Directory
The home directory that the User will see when launching the File Manager. *DOCROOT/*USER is the User's default home directory located in the global documents directory. *DOCROOT is the global documents directory specified on the Data tab in Global Settings. *OTHER allows the specification of a custom home directory on the file system.
Restrict to Home Directory
Indicates if the User is restricted to the specified home directory or has access to the entire file system when using the File Manager. If checked, the User will only have access to the specified home directory and its sub-directories.
File Permissions
Indicates if the User will have Read Only access to files or Read/Write access to files when using the File Manager. Read Only specifies the User can only browse and download files. Read/Write allows the User to browse, download, upload, copy, move, delete, and rename files.
The Home Directory, Restrict to Home Directory and File Permissions attributes are only applicable if the User has a File Manager role.
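The Roles, Add User and Edit User sections together mean a User's real authority is the union of individual Roles and Roles adopted from Groups, and that the File Manager attributes only matter when that union contains File Manager. The following added example (not part of the original guide or the product) audits a constructed list of Users for individually granted Roles and for File Manager access that is not restricted to the home directory. The guide documents no export format, so the AdminUser record, its field names and the sample data are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AdminUser:
    # Hypothetical record mirroring the Add User / Edit User fields.
    name: str
    restrict_to_home: bool   # "Restrict to Home Directory" checkbox
    file_permissions: str    # "Read Only" or "Read/Write"
    roles: set = field(default_factory=set)    # individually granted Roles
    groups: set = field(default_factory=set)   # Group memberships


def role_sources(user, group_roles):
    """Map each effective Role to where the User gets it from."""
    sources = {role: ["individual"] for role in user.roles}
    for group in sorted(user.groups):
        for role in group_roles.get(group, set()):
            sources.setdefault(role, []).append("group:" + group)
    return sources


def audit_users(users, group_roles):
    """Return (user, finding, detail) tuples for accounts worth reviewing."""
    findings = []
    for user in users:
        sources = role_sources(user, group_roles)
        # The guide recommends granting Roles through Groups, not per User.
        if user.roles:
            findings.append((user.name, "individual-roles", sorted(user.roles)))
        # File Manager without the home-directory restriction reaches the
        # entire file system; the Role may arrive through a Group.
        if "File Manager" in sources and not user.restrict_to_home:
            detail = [user.file_permissions] + sources["File Manager"]
            findings.append((user.name, "file-manager-unrestricted", detail))
    return findings


# Constructed sample data (not taken from any real installation).
GROUP_ROLES = {
    "Auditors": {"Auditor"},
    "Operations": {"File Manager", "Trigger Manager"},
}
USERS = [
    AdminUser("alice", True, "Read Only", groups={"Auditors"}),
    AdminUser("bob", False, "Read/Write", groups={"Operations"}),
    AdminUser("carol", True, "Read/Write",
              roles={"Security Officer"}, groups={"Auditors"}),
]

if __name__ == "__main__":
    for name, finding, detail in audit_users(USERS, GROUP_ROLES):
        print(name, finding, detail)
```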
User Details
The User Details screen shows the properties for the User, when the User was created and when it was last modified. It also shows the Roles assigned to the User and the groups to which it belongs. The User Details screen is only available to Users with the Security Officer role. Follow the instructions below to view User Details:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Users.
3. In the Users screen, click the icon next to the User.
Reset User Password
The reset password function can be used if the password is authenticated against the GoAnywhere Services database.
Follow the instructions below to reset a User password:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Users.
3. In the Users screen, click the icon next to the User.
The passwords for the administrator and root accounts are encrypted and can only be stored in the GoAnywhere Services database.
Change User Password
To change your own password, click the Change Password link in the upper right corner of the GoAnywhere Services screen.
1. In the Change Password screen, type your current password in the Current Password box.
2. Type a new password in the New Password box and re-type it in the Confirm New Password box.
3. When complete, click the Change Password button.
Groups
A Group is an association of one or more administrative Users. Each Group can be assigned specific Roles for controlling access to various GoAnywhere Services functions. Any Users belonging to a group will adopt the roles from that Group.
For instance, you may want to create a Group for Auditors that would only have authority to view Logs.
Another Group could be created for IT Security or Managers that have the authority to create or disable Users.
Group Management
To administer Groups, login as a User with the Security Officer role.
From the main menu bar, point to Security and then click Groups.
Available Options
• Add a Group by clicking the Add Group link in the sub-menu bar.
• Edit a Group by clicking the icon.
• View a Group by clicking the icon.
• Delete a Group by clicking the icon. Delete one or more groups by selecting the appropriate check boxes and clicking the Delete button.
Add Group
Follow the instructions below to add a new Group:
1. From the main menu bar, point to Security, and then click Groups.
2. In the Groups screen, click the Add Group link in the sub-menu bar.
3. Type the Group information in the appropriate boxes.
4. Click to select the Roles that will be assigned to the Group.
5. Assign the members (Users) to the Group.
6. Click the Save button to add the Group.
Assigning Members (Users) to a Group:
Perform the following steps to assign Users to a Group:
1. On the left side of the screen, click to select (highlight) the User(s) to assign to the Group. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Users are selected, click the arrow between the group boxes to move the Users from left to right.
3. Click the Save button to apply the changes.
Removing Members (Users) from a Group:
Perform the following steps to remove Users from a Group:
1. On the right side of the screen, click to select (highlight) the User(s) to remove from the group. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Users are selected, click the arrow between the group boxes to move the Users from right to left.
3. Click the Save button to apply the changes.
Edit Group
Follow the instructions below to edit the properties for a Group:
1. From the main menu bar, point to Security, and then click Groups.
2. In the Groups Manager screen, click the icon beside the Group you wish to edit.
3. Modify the field values for the Group.
4. Click the Save button to apply the changes.
Assigning Members (Users) to a Group:
Perform the following steps to assign Users to a Group:
1. On the left side of the screen, click to select (highlight) the User(s) to assign to the Group. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Users are selected, click the arrow between the group boxes to move the Users from left to right.
3. Click the Save button to apply the changes.
Removing Members (Users) from a Group:
Perform the following steps to remove Users from a Group:
1. On the right side of the screen, click to select (highlight) the User(s) to remove from the group. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Users are selected, click the arrow between the group boxes to move the Users from right to left.
3. Click the Save button to apply the changes.
View Group
The Group Details screen shows the properties for the Group, when the Group was created and when it was last modified.
It also shows the Roles assigned to the Group and the members that belong to it. Follow the instructions below to view Group Details:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Groups.
3. In the Groups screen, click the icon next to the Group.
Login Methods
By default, User and Web User passwords are authenticated against the passwords stored in the GoAnywhere Services database. Optionally, you can configure GoAnywhere Services to authenticate User and Web User passwords against a Windows Active Directory, a Generic LDAP, or an IBM i (iSeries) located within your organization. With any of the alternative options, passwords will not be maintained in the GoAnywhere Services database.
The Login Method screen provides options to create Login Methods, select default Login Methods for User or Web User accounts and edit available Login Methods.
Login Methods Management
To manage Login Methods, login as a User with the Security Officer role.
From the main menu bar, point to Security and then click Login Methods.
Available Options
• Add a Login Method by clicking the Add Login Method link in the sub-menu bar.
• Select the Login Method for GoAnywhere Services Users or Web Users. The available options in the drop-down lists are based on the created Login Methods. The default Login Method is GoAnywhere Services. When finished making a selection, click the Save button.
• View Login Method details by clicking the icon.
• Edit a Login Method by clicking the icon.
• Delete a Login Method by clicking the icon. Login methods referenced by Users, Web Users, Web User Templates or specified as a default setting cannot be deleted.
In a Disaster Recovery scenario, verify the Login Methods are updated to point to the Disaster Recovery Server or instance. User authentication will fail if the Login Method is not referencing the proper location.
Add Login Method
Follow the instructions below to add a new Login Method:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Login Methods.
3. In the Login Methods screen, click the Add Login Method link in the sub-menu bar.
4. Complete the required information.
5. Click the Save button to save the settings.
Name
A unique name for the Login Method.
Description
The description field is optional text to describe the login method. Limited to 512 characters.
Type
The authentication type used by the Login Method. Based on the selected Type, additional Login Method information is requested in the Options section.
Windows Active Directory
Active Directory (LDAP) URL
The URL should be in the format [protocol]://[hostname]:[port]. For example, ldap://mydomainhostname:389 or ldaps://10.1.4.1:636. The default port for the Active Directory Server is 389. The default port for a secure LDAPS connection is 636.
Domain Name
The Domain Name where the accounts authenticate. For example, MYDOMAIN.
Generic LDAP
LDAP URL
The URL should be in the format [protocol]://[hostname]:[port]. For example, ldap://mydomainhostname:389 or ldaps://10.1.4.1:636. The default port for a LDAP Server is 389. The default port for a secure LDAPS connection using SSL is 636.
DN Pattern
The DN Pattern used to identify a user in the Generic LDAP database. The variable ${user} must be included in the DN pattern and will be replaced with the username during login. For example, cn=${user},ou=users,dc=example,dc=com
IBM i (OS/400)
Host Name
The Host Name (or IP address) of the IBM i server.
Edit Login Method
Follow the instructions below to edit a Login Method:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Login Methods.
3. In the Login Methods screen, click the icon next to the Login Method.
4. Modify the field values for the Login Method.
5. Click the Save button to save the settings.
Name
A unique name for the Login Method.
Description
Use this text-box for any extra information pertaining to the Login Method. This field is limited to 512 characters.
Type
The authentication type used by the Login Method. Based on the selected Type, additional Login Method information is requested in the Options section.
Windows Active Directory
Active Directory (LDAP) URL
The URL should be in the format [protocol]://[hostname]:[port]. For example, ldap://mydomainhostname:389 or ldaps://10.1.4.1:636. The default port for the Active Directory Server is 389. The default port for a secure LDAPS connection is 636.
Domain Name
The Domain Name where the accounts authenticate. For example, MYDOMAIN.
Generic LDAP
LDAP URL
The URL should be in the format [protocol]://[hostname]:[port]. For example, ldap://mydomainhostname:389 or ldaps://10.1.4.1:636. The default port for a LDAP Server is 389. The default port for a secure LDAPS connection using SSL is 636.
DN Pattern
The DN Pattern used to identify a user in the Generic LDAP database. The variable ${user} must be included in the DN pattern and will be replaced with the username during login. For example, cn=${user},ou=users,dc=example,dc=com
IBM i (OS/400)
Host Name
The Host Name (or IP address) of the IBM i server.
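The LDAP URL and DN Pattern fields described under Add Login Method and Edit Login Method can be checked before they are saved. The following added example (not part of the original guide or the product) validates a URL against the documented format and default ports, and expands a DN Pattern with RFC 4514 escaping so that a login name containing DN syntax stays inside a single value. The guide does not say how GoAnywhere Services itself escapes ${user}; the escaping shown is an assumption about what a pre-flight check should apply, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

USER_VAR = "${user}"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # defaults stated in the guide


def check_ldap_url(url):
    """Return a list of findings for a Login Method URL (empty means clean)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ["protocol must be ldap or ldaps, got %r" % parts.scheme]
    findings = []
    if not parts.hostname:
        findings.append("hostname is missing")
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return findings + ["port is not a valid number"]
    if scheme == "ldap":
        # Plain LDAP has no SSL layer around the password check.
        findings.append("ldap:// is not SSL-protected; prefer ldaps://")
    other = "ldaps" if scheme == "ldap" else "ldap"
    if port == DEFAULT_PORTS[other]:
        findings.append("port %d is the default for %s, not %s"
                        % (port, other, scheme))
    return findings


def escape_dn_value(value):
    """Escape a string for use as one attribute value in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\=':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")       # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")       # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def expand_dn_pattern(pattern, username):
    """Replace ${user} in a DN Pattern with the escaped login name."""
    if USER_VAR not in pattern:
        raise ValueError("DN Pattern must include ${user}")
    if not username:
        raise ValueError("username is empty")
    return pattern.replace(USER_VAR, escape_dn_value(username))


if __name__ == "__main__":
    pattern = "cn=${user},ou=users,dc=example,dc=com"  # example from the guide
    # Constructed login names: one ordinary, one containing DN syntax.
    for name in ("jsmith", "x,ou=admins"):
        print(expand_dn_pattern(pattern, name))
    for url in ("ldap://mydomainhostname:389", "ldaps://10.1.4.1:636"):
        print(url, check_ldap_url(url))
```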
Login Method Details
The Login Method Details screen shows the properties for the Login Method, when the Login Method was created and when it was last modified. The screen also shows the Settings, Users, Web Users, and the Web User Templates using this Login Method. Follow the instructions below to view Login Method Details:
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Login Methods.
3. In the Login Methods screen, click the icon next to the Login Method.
Security Settings
The Security Settings option is only available to Users with the Security Officer role. The security settings on this screen apply only to Administrative Users.
From the main menu bar, point to Security and then click Security Settings.
Session Timeout
The length of idle time (in seconds) before a User is automatically logged out of GoAnywhere Services. The session timeout default is 3600 seconds (60 minutes). A value of 0 indicates the session will never time out.
Allow Browsers to Save Login Credentials
By default, GoAnywhere Services will not allow a browser to save login credentials. If enabled, the first time a User logs in to GoAnywhere Services, their browser will ask them if they want to save their password.
Web User Password Policy
The Web User Password Policy screen provides options for a User with the Security Officer role to define the password policies for the Web Users (Trading Partners). This Password Policy is only used for Web Users that authenticate against the GoAnywhere Services database.
To manage the Web User Password Policy, login as a User with the Security Officer role.
From the main menu bar, point to Security and then click Web User Password Policy.
Password Strength
Enforce Settings
Select the checkbox if the Web User passwords must adhere to the Password Strength settings.
Minimum Password Length
The minimum number of characters required for a password. By default, the minimum length is eight (8).
Minimum Number of Upper Case Letters
The minimum number of upper case or capital letters that each password must contain. The GoAnywhere Services default minimum is one (1) character.
Minimum Number of Lower Case Letters
The minimum number of lower case letters that each password must contain. If you do not want Web Users to use all upper case letters, change this value to a number greater than zero (0).
Minimum Number of Digits
The minimum number of numerical characters that each password must contain. The GoAnywhere Services default minimum is one (1) character.
Minimum Number of Special Characters
The minimum number of special characters that each password must contain.
Allowable Special Characters
The GoAnywhere Services default special characters are all the non-alphanumeric characters on a standard US-101 keyboard. You can add more special characters if you are in a location using more characters (for example, Japanese or Arabic characters).
Password Age
Minimum Password Age
The number of days a password must be used before it can be changed. A value of zero (0) indicates there is no minimum password age and the password can be changed at any time.
Maximum Password Age
The number of days before the password expires and must be changed. A value of zero (0) indicates the password never expires.
If a Web User's password expires and they attempt to login using the HTTPS Web Client, they will be immediately prompted to change it.
Password History
Enforce Password History
Select this checkbox to indicate that passwords cannot be reused for a specified number of times.
Disallow Reuse of the Last Password(s)
When specified, a Web User must use this number of different passwords before they can reuse an old password. The reuse value is any number between 1 and 25.
Web Users
Web Users are the accounts that can access GoAnywhere Services for exchanging files using standard protocols. Web Users can be external (for example, Trading Partners) or internal to your company (for example, remote employees).
Web Users are managed by an administrative User that has a Web User Manager role. Web Users can be added individually or through the import process that provides the ability to add multiple Web Users based on Web User Templates.
Each Web User may belong to one or more Web User Groups. The Web User will adopt the Permissions (authorities) from any Web User Group to which they belong. A Web User can also be granted individual Permissions for various services. IP Filters can also be configured to ensure that Web Users are only accessing GoAnywhere Services from an expected location.
Web User Management
To manage Web User accounts, login as a User with the Web User Manager role.
From the main menu bar, point to Security and then click Web Users.
Available Options
• Add a Web User by clicking the Add Web User link in the sub-menu bar.
• Import Web Users by clicking the Import Web Users link in the sub-menu bar.
• Filter the Web User list on the screen by typing part or all of a Web User name.
• Edit a Web User by clicking the icon.
• View more Web User actions by clicking the icon. A drop-down menu provides available options.
More Actions
• View Web User details by clicking the icon.
• Edit a Web User by clicking the icon.
• Reset a Web User's password by clicking the icon.
• Delete a Web User by clicking the icon. Delete one or more Web Users by selecting the appropriate check boxes and clicking the Delete button.
• Import a public SSH key for a Web User by clicking Import SSH Public Key.
• Delete a public SSH key for a Web User by clicking Delete SSH Public Key. A warning message confirms the public key deletion.
If a Web User is "grayed out," the account is disabled. If you wish to re-enable the account, then edit the Web User account and select the Enabled checkbox.
Add Web User
A Web User can be added using the Add Web User screen. Follow the instructions below to add a Web User:
1. Login as a User with the Web User Manager role.
2. From the main menu, point to Security and then click Web Users.
3. In the Web Users screen, click the Add Web User link in the sub-menu bar.
4. Type the Web User information in the appropriate boxes.
5. Click the Save button to add the Web User account.
General
Web User Template
The template sets the default authentication, permissions and groups, IP filters and status settings for this Web User. The available options in the drop-down list are based on previously created Web User Templates.
If a Web User Template is selected and some of the pre-defined options are changed on the subsequent tabs, changing the Web User Template to another template will open a confirmation message to verify the change.
User Name
The user name for a Web User is not case sensitive and cannot exceed 20 characters.
First Name
The Web User's first name.
Last Name
The Web User's last name.
Description
The description is optional information pertaining to the Web User. This field is limited to 512 characters.
Organization
The Web User's company.
E-Mail Address
The primary email address for the Web User.
Phone
The primary phone number for the Web User.
Authentication
Login Method
Login Methods define what authentication method is used by a Web User. When the default option is selected the Web User will use the Default Login Method for Web Users setting located on the Login Methods page. If the Web User should authenticate against another Login Method or should not be affected by changes to the default method, clear the checkbox and select from the available methods. The password options are not displayed for Login Methods other than GoAnywhere Services.
Password Generation
Passwords for Web User accounts can be generated automatically based on the Web User Password Policy. Otherwise the Web User Manager creating the account can type in the password manually. If specifying the password, GoAnywhere Services will alert you if the password does not meet the Web User Password Policy.
Password Options
The password options allow you to specify how the new Web User password is handled. The following options can be specified when creating the Web User's password:
• Display password to the screen - The new Web User password is displayed on the screen.
• E-mail password - The password is emailed to the Web User using a Web User Email Template.
• Allow User to Change Password - This option makes a Change Password link available at the top of the page in the HTTPS Web Client.
• Force Password Change at Next Login - This option is only available to Web Users using the HTTPS service. If selected, this option will force a Web User to type a new password after a successful initial login. This is the best practice.
Password Expiration Interval
The password expiration interval determines how long before a password expires.
• Default - The Password Expiration Interval is defined in the Web User Password Policy.
• Password Never Expires
• Password Expires After - The Web User password will expire after the specified number of days.
Authentication Types
The Authentication Type can be specified per service. This provides the Web User Manager with complete control over the Web User's access. For example, a Web User can be forced to use a Password and Certificate when authenticating to FTPS but only require a Password for HTTPS.
If certificate authentication is specified and the certificate being used is either self-signed or signed by an untrusted Certificate Authority (CA), then the certificate will need to be imported into the Default Trusted Certificates Key Store.
Importing the certificate instructs GoAnywhere Services to trust this source. If the certificate being used is already signed by a trusted authority (for example, Verisign, GoDaddy, Equifax, etc.) the certificate does not need to be imported since the trust is inherited.
HTTPS/AS2
• Password - Web Users login using their standard Web User name and password.
• Certificate - Web Users are authenticated by a certificate which must be in the GoAnywhere Services Default Trusted Key Store and on the Web User's local computer. This method does not require the Web User to specify a user name or password any time they use GoAnywhere Services. If Certificate is selected, type the unique SHA1 Fingerprint for the Web User's certificate in the box. Each Web User must have a unique SHA1 Fingerprint.
• Either - If a matching certificate is found during the connection, the Web User will automatically authenticate. However, if a match is not found, the Web User can still login to the GoAnywhere Services server with a user name and password. If Either is selected, type the unique SHA1 Fingerprint for the Web User's certificate in the box.
FTPES (Explicit SSL)
• Password - Web Users login using their standard Web User name and password.
• Certificate - Web Users are authenticated by a certificate which must be in the GoAnywhere Services Default Trusted Key Store and on the Web User's local computer. This method does not require the Web User to specify a password any time they use GoAnywhere Services. If Certificate is selected, type the certificate's SHA1 Fingerprint in the box.
• Either - If a matching certificate is found during the connection, the Web User will automatically authenticate. However, if a match is not found, the Web User can still login to the GoAnywhere Services server with a user name and password. If Either is selected, type the certificate's SHA1 Fingerprint in the box.
• Password and Certificate - Web Users are authenticated by their standard Web User name and password along with a shared certificate that is both on the GoAnywhere Services server and the Web Users' local computer. Type the certificate's SHA1 Fingerprint in the box.
FTPS (Implicit SSL)
• Password - Web Users login using their standard Web User name and password.
• Certificate - Web Users are authenticated by a certificate which must be in the GoAnywhere Services Default Trusted Key Store and on the Web User's local computer. This method does not require the Web User to specify a password any time they use GoAnywhere Services. If Certificate is selected, type the certificate's SHA1 Fingerprint in the box.
• Either - If a matching certificate is found during the connection, the Web User will automatically authenticate. However, if a match is not found, the Web User can still login to the GoAnywhere Services server with a user name and password. If Either is selected, type the certificate's SHA1 Fingerprint in the box.
• Password and Certificate - Web Users are authenticated by their standard Web User name and password along with a shared certificate that is both on the GoAnywhere Services server and the Web Users' local computer. Type the certificate's SHA1 Fingerprint in the box.
SFTP
• Password - Web Users login using their standard Web User name and password.
• Public Key - Web Users use a public key on the server to encrypt a session key that produces a secure login.
• Either - If a matching public key is found during the connection, the Web User will automatically pass authentication. However, if a key match is not found, the Web User can still login to the GoAnywhere Services server with a user name and password.
• Password and Public Key - Web Users must login using their Web User name and password along with a public key.
Associate an SSH Public Key with a Web User by using the Import SSH Public Key option on the Web Users screen.
Permissions and Groups
Services Allowed
Click to select the services the Web User can use for file transfers. If the Web User is a member of a group, these services are in addition to the services inherited from the group.
Home Directory
This is the home directory for the Web User. To define a different location where Web User files are stored, clear the Default checkbox and click the icon. If a home directory does not exist when the Default option is selected, it is created automatically. The standard default directory is the [installdirectory]/userdata/webdocs/[Web User name] folder, where [installdirectory] is the installation directory of GoAnywhere Services and [Web User name] is the account name of the Web User. The defaults for a Web User's Home Directory are found on the Services tab of the Global Settings screen.
Permissions
The permissions the Web User is able to perform on files and folders. If the Web User is a member of a group, the selections made in this section will be in addition to the permissions inherited from a group.
If a Web User has the permission to delete directories, it is implied that they are also able to delete files.
The checksum option can be used by HTTPS, FTP and FTPS transfers. The checksum allows Web Users to verify the integrity of the transferred file. Please note that an error may occur if a Trigger moves the file before the checksum process completes.
Groups
The Web User Groups are split in two columns. The column on the left displays the available Groups to which the Web User does not belong. The column on the right displays the Groups in which the Web User is a member. Click to highlight groups and then use the direction buttons between the columns to move Groups to the appropriate side.
Assigning Web User Groups to a Web User
Perform the following steps to assign Web User Groups to a Web User:
1. On the left side of the screen, click to select (highlight) the Web User Group(s) to assign to the Web User. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Web User Groups are selected, click the button between the Group boxes to move the Web User Groups from left to right.
3. Click the Save button to apply the changes.
Removing Users from a Web User Group
Perform the following steps to remove Web User Groups from a Web User:
1. On the right side of the screen, click to select (highlight) the Web User Group(s) to remove from the Web User. Multiple entries can be selected by pressing the Ctrl or Shift key while clicking the mouse.
2. When the desired Web User Groups are selected, click the button between the group boxes to move the Web User Groups from right to left.
3. Click the Save button to apply the changes.
For ease of Web User management, it is generally not recommended to give individual permissions to a Web User. Instead, assign each Web User to one or more Web User Groups, from which the Web User will adopt the permissions assigned to those Web User groups. This allows you to quickly adjust permissions for several Web Users at once by changing the permissions for the Web User Group(s) to which they belong.
IP Filter
The IP filter can be used to indicate which IP addresses are allowed or restricted when the Web User connects to GoAnywhere Services. Both IPv4 and IPv6 address formats are supported.
Enable IP Filter
The IP Filter can be enabled or disabled at the individual Web User level.
Filter Type
A Blacklist will deny any specified addresses and permit all others, whereas a Whitelist will only permit the specified addresses and deny all others. In most cases a Global IP Filter is set to Blacklist addresses that are known threats. At the Web User level, it is common to specify a white list of allowable addresses.
Filter Entries
The Filter Entries is a list of IP addresses that will either be denied or permitted based on the Filter Type selected above.
Click a row to type an IP address in either single, range, or CIDR notation format. A red flag on an entry simply indicates that it is a new entry.
A single IPv4 address is comprised of four numbers from 0 to 255 (up to three digits each), separated by periods. A single IPv6 address is comprised of eight groups of four hexadecimal digits separated by colons. An IP range includes all the addresses between two specified addresses. The addresses are separated by a hyphen. An IP address in CIDR notation is an IP address followed by a "prefix." The prefix denotes a range of IP addresses without the need to type every address in it.
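An added example (not product code) of how Filter Entries in the three notations can be parsed and applied as a Blacklist or Whitelist, useful for checking a planned entry list against known partner addresses before saving it. The function names are hypothetical, and folding an IPv4-mapped IPv6 client address to its IPv4 form is an assumption of this example that the guide does not confirm.

```python
import ipaddress


def normalize(text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.

    Assumption of this example: without folding, an IPv4 entry would not
    match a client whose address is reported in mapped form.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_entry(entry):
    """Return the (first, last) addresses covered by one Filter Entry."""
    entry = entry.strip()
    if "/" in entry:  # CIDR notation: an address followed by a prefix
        net = ipaddress.ip_network(entry, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in entry:  # range: two addresses separated by a hyphen
        first, last = (normalize(part) for part in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {entry!r}")
        return first, last
    addr = normalize(entry)  # single address
    return addr, addr


def is_permitted(client_ip, filter_type, entries, enabled=True):
    """Apply a Blacklist or Whitelist to a connecting address."""
    if not enabled:
        return True
    addr = normalize(client_ip)
    matched = any(
        first.version == addr.version and first <= addr <= last
        for first, last in map(parse_entry, entries)
    )
    if filter_type == "whitelist":
        return matched       # only the listed addresses are permitted
    if filter_type == "blacklist":
        return not matched   # the listed addresses are denied
    raise ValueError(f"unknown filter type: {filter_type!r}")


# Constructed sample entries (documentation address ranges).
PARTNER_WHITELIST = ["198.51.100.10", "198.51.100.20-198.51.100.29", "2001:db8:40::/48"]
```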
Status
The Status tab allows specifying options for expiring and disabling the Web User account.
Expires On
Use the calendar icon to select the date.
Disable Inactive Account
A Web User account can be disabled after a number of inactive days. Inactive days are calculated from the last login date or the last date the account was modified.
• Default - The Disable Inactive Account value is defined on the Services tab of Global Settings.
• Never - The account will not disable based on inactivity.
• Disable account after - The Web User account will become disabled after the specified number of inactive days.
AS2
The AS2 tab allows specifying properties for receiving AS2 messages from the Web User. Additional AS2 information is located in the AS2 Quick Start Guide.
AS2 ID
The AS2 ID of the sender (Web User). The AS2 ID is case sensitive and can be 1 to 128 ASCII printable characters in length.
Signature Certificate Alias
This is the alias of the public certificate used by this Web User to sign their messages. If the certificate is signed by a certificate authority (for example, Verisign), this field can be left blank since the certificate chain already exists in the Default Trusted Certificates Key Store. If a specific certificate is to be used by the Web User for signing messages or they use a self-signed certificate, then that certificate should be imported into the Default Trusted Certificates Key Store. If you do not know the alias name for the certificate, click the icon to select the certificate alias.
Default Upload Folder
The location where AS2 messages are saved when received (uploaded). The default location is the default home directory for the Web User, which is the [installdirectory]/userdata/webdocs/[webuser] folder, where [installdirectory] is the installation directory of GoAnywhere Services and [webuser] is the account name of the Web User. If files for this Web User should be saved in a different location, use the Other... option to manually type a folder location (for example, inbound/as2).
When File Exists
The action that GoAnywhere Services performs when a file with the same name already exists in the default upload folder.
Require Encryption
This option indicates whether or not messages sent by this Web User must be encrypted.
Require Signature
A signed message contains a digital signature from the sender to further authenticate the message. If signatures are required, any unsigned message sent by this Web User will be rejected.
Asynchronous MDN Approval
If a return receipt is requested by the Web User, select if the MDN will be sent automatically during the Web User's session or manually after the message is processed. The icon on the AS2 Log page indicates a manual receipt needs to be sent for a message. A manual receipt can only be sent if a message is received successfully. If an error occurs during transmission, an asynchronous receipt is sent automatically.
Import Web Users
The import Web Users process can automatically create Web Users from a CSV file based on a template. The information contained in this CSV file specifies a Web User account name and other pieces of information that can be used in the Web User account creation process. Follow the steps below to import Web Users:
1. Establish the Login Methods the new Web Users will use to authenticate with GoAnywhere Services.
2. Define the Web User Templates that will specify the password settings, file access permissions, email communications, etc. for each created Web User.
3. Create a CSV file for importing Web Users.
4. Validate and Import the CSV file to create new Web User accounts.
5. Review the import results including any values that were created during the import process (for example, passwords).
Create the CSV File
The CSV file contains the information used to create one or more Web User accounts. The first row of the CSV file is the header row and only contains column names. The column names are not case sensitive and can be arranged in any order.
The following column names are valid for the CSV file:
• WebUserTemplate - Specifying a template in the CSV file is optional and will override the template selected on the Import Web Users page for the given record. This can be used to import multiple Web Users with different templates in a single import.
• UserName - The Web User name for the Web User account is a required field.
• Password - If the Web User Template requires a user specified password, a password meeting the Web User Password Policy must be included in this column.
• FirstName - The Web User's first name. This field is required if the Home Directory refers to the variable ${user.firstName}.
• LastName - The last name of the Web User. This field is required if the Home Directory refers to the variable ${user.lastName}.
• Description - The description field is limited to 512 characters and used for notes regarding the Web User.
• Organization - The Web User's company. This field is required if the Home Directory refers to the variable ${user.organization}.
• Email - The email address of the Web User becomes a required field if the template uses the Web User's email (for example, sending an account password). This field is also required if the Home Directory refers to the variable ${user.email}.
• Phone - The Web User's phone number.
• HTTPSFingerprint - If the specified Web User Template has the Authentication Type for HTTPS/AS2 set to Certificate or Either, the HTTPSFingerprint column is required.
• FTPESFingerprint - If the specified Web User Template has the Authentication Type for FTPES set to Certificate, Either or Certificate and Password, the FTPESFingerprint column is required.
• FTPSFingerprint - If the specified Web User Template has the Authentication Type for FTPS set to Certificate, Either or Certificate and Password, the FTPSFingerprint column is required.
• HomeDirectory - The Home Directory is optional. It can use the value defined in the template or can be defined in the CSV file. In either case, variables can be used to define the HomeDirectory (for example, C:\webdocs\${user.organization}\${user.name}).

Variable                Description
${user.name}            User name from the CSV file
${user.firstName}       First name from the CSV file
${user.lastName}        Last name from the CSV file
${user.organization}    Organization from the CSV file
${user.email}           Email from the CSV file
CSV File Example
In the following example, three Web Users will be imported. The first uses the template selected on the Import Web Users page and only requires the specification of a Web User name. The second uses a different template that requires a password. The third requires both an Organization (as it is used by the variable to create the Home Directory) and an HTTPSFingerprint (as the specified template uses a certificate for HTTPS authentication).
If the Web User Import CSV file is created using a spreadsheet, save the file as file type CSV.
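An added example, not GoAnywhere Services code: a pre-check that applies the column rules above and the Password Strength settings from the Web User Password Policy section to a CSV file before it is uploaded. The template dictionaries, their key names, the policy values other than the stated defaults, the optional colon separators in fingerprints, the header counting as Input Row 1, and the sample rows are all constructed assumptions.

```python
import csv
import io
import re

VALID_COLUMNS = {"webusertemplate", "username", "password", "firstname", "lastname",
                 "description", "organization", "email", "phone", "httpsfingerprint",
                 "ftpesfingerprint", "ftpsfingerprint", "homedirectory"}
# Home Directory variable -> CSV column that must then be filled in.
VARIABLE_COLUMNS = {"${user.firstName}": "firstname", "${user.lastName}": "lastname",
                    "${user.organization}": "organization", "${user.email}": "email"}
# Fingerprint column -> (hypothetical template key, Authentication Types needing it).
FTP_CERT = {"Certificate", "Either", "Certificate and Password"}
CERT_RULES = {"httpsfingerprint": ("https_auth", {"Certificate", "Either"}),
              "ftpesfingerprint": ("ftpes_auth", FTP_CERT),
              "ftpsfingerprint": ("ftps_auth", FTP_CERT)}


def password_problems(password, policy):
    """Compare a password with the Password Strength minimums."""
    counts = {"min_length": len(password),
              "min_upper": sum(c.isupper() for c in password),
              "min_lower": sum(c.islower() for c in password),
              "min_digits": sum(c.isdigit() for c in password),
              "min_specials": sum(c in policy["allowed_specials"] for c in password)}
    return [f"Password has {n} for {rule}, policy needs {policy[rule]}"
            for rule, n in counts.items() if n < policy[rule]]


def row_problems(row, tpl, policy, seen_prints):
    """Apply the per-record rules to one CSV row under template tpl."""
    msgs = []
    if tpl["password_from_csv"]:
        pw = row.get("password", "")
        msgs += password_problems(pw, policy) if pw else ["Password is required"]
    home = row.get("homedirectory") or tpl["home_directory"]
    for var, col in VARIABLE_COLUMNS.items():
        if var in home and not row.get(col):
            msgs.append(f"{col} is required: Home Directory uses {var}")
    for col, (key, types) in CERT_RULES.items():
        if tpl[key] in types:
            fp = re.sub(r"[:\s]", "", row.get(col, "")).lower()  # separators optional
            if not re.fullmatch(r"[0-9a-f]{40}", fp):
                msgs.append(f"{col} must be a 40-hex-digit SHA1 fingerprint")
            elif col == "httpsfingerprint" and fp in seen_prints:
                msgs.append("httpsfingerprint is already used by another row")
            elif col == "httpsfingerprint":
                seen_prints.add(fp)
    return msgs


def validate_import(csv_text, templates, default_template, policy):
    """Return (input_row, message) pairs; an empty list means no problems."""
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in next(reader)]  # names are not case sensitive
    problems = [(1, f"unknown column {h!r}") for h in header if h not in VALID_COLUMNS]
    seen_users, seen_prints = set(), set()
    for row_no, values in enumerate(reader, start=2):  # header counted as row 1
        row = dict(zip(header, (v.strip() for v in values)))
        name = row.get("username", "")
        if not name or len(name) > 20:
            problems.append((row_no, "UserName is required, at most 20 characters"))
        elif name.lower() in seen_users:  # user names are not case sensitive
            problems.append((row_no, f"duplicate UserName {name!r}"))
        seen_users.add(name.lower())
        tpl_name = row.get("webusertemplate") or default_template
        if tpl_name not in templates:
            problems.append((row_no, f"unknown template {tpl_name!r}"))
            continue
        msgs = row_problems(row, templates[tpl_name], policy, seen_prints)
        problems += [(row_no, m) for m in msgs]
    return problems


# Constructed sample data (not from the guide).
BASE = {"password_from_csv": False, "home_directory": "", "https_auth": "Password",
        "ftpes_auth": "Password", "ftps_auth": "Password"}
TEMPLATES = {"Standard": BASE, "ManualPassword": dict(BASE, password_from_csv=True),
             "CertPartner": dict(BASE, https_auth="Certificate",
                                 home_directory="/webdocs/${user.organization}/${user.name}")}
POLICY = {"min_length": 8, "min_upper": 1, "min_lower": 0, "min_digits": 1,
          "min_specials": 0, "allowed_specials": "!@#$%^&*"}
SAMPLE_CSV = """\
UserName,WebUserTemplate,Password,Organization,HTTPSFingerprint,Nickname
jsmith,,,,,
mjones,ManualPassword,Tr4nsferFiles,,,
acme01,CertPartner,,Acme,0123456789ABCDEF0123456789ABCDEF01234567,
JSmith,ManualPassword,short,,,
acme02,CertPartner,,,01:23,
"""
```

Rows 2 to 4 of the sample mirror the three cases described above and pass; `validate_import(SAMPLE_CSV, TEMPLATES, "Standard", POLICY)` reports the unknown header column and the problems in rows 5 and 6.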
Validate and Import CSV File
1. On the Import Web Users screen, specify the following:
   • Import From - The CSV file can be imported from either a file on the end user's PC or a file on the GoAnywhere Services server.
   • Input File - The path or location of the CSV file containing the import information.
   • Web User Template - The Web User Template to use for authentication, permissions and groups, IP filters and account status settings. The selected Web User Template is used if no template is specified in the CSV file.
2. When complete, click the Validate and Import button.
3. The Import Web Users dialog box opens, providing the results of the validation. The Input Row number corresponds with the row that contains the information in the CSV file. If the validation process detects an error or inconsistencies, the dialog box provides a message with what caused the error.
   • If no errors were found, click the Import button to create the Web User accounts.
   • If errors were found, click the Cancel button and then correct the specified errors in the CSV file.
Review Import Web User Results
After the Web User Import completes, a dialog box displays the results. Any errors encountered will also display in this dialog box. The Input Row number corresponds to the row in the CSV file that triggered the message.
• Click the Download Import Results button to download a file of the Import messages to a location on your computer.
• Click the Done button to close the Import Web Users dialog box.
Edit Web User
Use this feature to edit the properties for an existing Web User.
1. Login as a User with the Security Officer role.
2. From the main menu, point to Security and then click Web Users.
3. In the Web Users screen, click the icon next to the Web User.
4. Modify the field values for the Web User.
5. Click the Save button to save the settings.
General
First Name
The Web User's first name.
Last Name
The Web User's last name.
Description
The description is optional information pertaining to the Web User. This field is limited to 512 characters.
Organization
The Web User's company.
E-Mail Address
The primary email address for the Web User.
Phone
The primary phone number for the Web User.
Authentication
Login Method
Login Methods define what authentication method is used by a Web User. When the default option is selected the Web User will use the Default Login Method for Web Users setting located on the Login Methods page. If the Web User should authenticate against another Login Method or should not be affected by changes to the default method, clear the checkbox and select from the available methods. The password options are not displayed for Login Methods other than GoAnywhere Services.
Password Options
The following options can be specified for the Web User password:
• Allow User to Change Password - This option makes a Change Password link available at the top of the page in the HTTPS Web Client.
• Force Password Change at Next Login - This option is only available to Web Users using the HTTPS service. If selected, this option will force a Web User to type a new password after a successful initial login. This is the best practice.
Password Expiration Interval
The password expiration interval determines how long before a password expires.
• Default - The Password Expiration Interval is defined in the Web User Password Policy.
• Password Never Expires
• Password Expires After - The Web User password will expire after the specified number of days.