Chat now with support
Chat mit Support

KACE Desktop Authority 11.2.1 - ExpertAssist User Guide

User Guide
Copyright Overview User Interface Home Remote Control File Transfer Help Desk Chat Computer Management Computer Settings Server Functions Scheduling and Alerts Performance Monitoring Security Preferences Custom Pages WAP and PDA Interface About Us

Permissions

FTP Configuration

The options for creating and managing the settings for your FTP servers, users and groups are arranged into three tabs.

FTP Servers

In order to create a new virtual FTP server on your machine:

  1. You need to define at least one virtual FTP server on the FTP Servers tab of the FTP Configuration screen.

    If no FTP servers are defined then this screen will be blank, except for the New FTP server button.

    Use the link to know details on the available options.

  2. Once you have defined a new server they will be listed in a table.

    Figure 13: The FTP Servers list.

To delete a server:

Click on the red box in the delete column to the right of a given server.

To start/stop the server:

Click on the status indicator to the left of the virtual server.

Status indicators
  1. A green circle status indicator indicates that the server is running.
  2. A red one shows that it is stopped. This may be either because it was stopped manually, it has been disabled, or it was not able to start due to an error.
  3. When you stop an FTP server on this screen its status will change to Disabled. This means that when you reboot the computer the server will not be started automatically.
  4. Likewise, if you start a stopped or disabled FTP server it will be Enabled, and it will start automatically on rebooting.

FTP Server Configuration options

Name

The name of the virtual FTP server. This is for reference purposes only. You can call your server whatever you want. This is what will be displayed on the FTP Configuration page, the login message from the FTP server, and so on.

TCP/IP port to listen on

The port in use by the virtual FTP server. The default is the standard FTP port, 21.

TCP/IP address to listen on

The IP address to use. You can select one item from the list. If you select All available interfaces the virtual FTP server will listen on all assigned IP addresses.

IP Filter

The IP Filtering drop-down list lets you specify the IP addresses from which to accept connections. By default, the clients can come from any IP address. The IP filtering engine is the same as that used by ExpertAssist itself. Please see the section on IP filtering under Security for more information.

If a server is enabled, it will start automatically with ExpertAssist. If disabled, you will need to start it manually.

Port range for passive data

Enter a range of ports to use for passive FTP data transfers. These ports will be used on FTP server when the client is connecting in passive mode (PASV command). Passive mode is needed if the FTP client is connecting from behind the firewall and the FTP server cannot establish incoming connection to the client.

IP address of the network interface connecting to NAT router

Select the corresponding IP address from the drop-down list for the network interface in the same subnet with the NAT router. This should be the network interface that allows connecting from the FTP server to NAT router.

Subnet mask of the network interface connecting to NAT router

Enter the subnet mask for the network interface in the same subnet with the NAT router.

External address of NAT router

Enter the external IP address for the NAT router.

The server is enabled

Select this box to indicate if the FTP server is enabled. This has the same meaning as clicking the green circle status indicator on the FTP Servers tab.

Use Implicit SSL encryption

Select this checkbox to use implicit SSL encryption (passive security). Implicit security provides and “always-on” mode security when you don’t have to bother about turning the SSL security mode on FTP server each time you connect to FTP server. Once the implicit SSL encryption is enabled, you can connect to a FTP as usual and you will always have your connection encrypted through the SSL.

Root directory

The root directory for the virtual FTP server. If you leave this field blank the drive list will be used as the root.

Resolve shell links

If you enable this option, shell links (.lnk files) pointing to directories will be displayed as directories, enabling you to use Unix and NTFS file system hard links.

Download bandwidth limit

The global download speed limit for the server. No matter how fast users are accepting data, the server will not send it any faster than the speed specified here.

Upload bandwidth limit

The global upload limit to the server. No matter how fast users are sending data, the server will not accept it any faster than the speed specified here.

Note: The following FTP server configuration pages will become available as buttons at the bottom of the page: Security, Windows Users, Welcome, ODBC

Security

The Security configuration page lets you specify various security and connection-related options.

Table 3: FTP Server Security options.

Maximum number of simultaneous connections

The maximum number of simultaneous connections to the FTP server. Setting it to zero means that there are no limits.

Maximum number of failed login attempts

If a user fails to log in with this many tries the connection will be dropped and the user’s originating IP will be locked out on FTP server.

Login timeout

The maximum number of seconds the user can take to log in until control connection will be closed by FTP server.

No transfer timeout

The connection will be considered idle and will terminate after the specified number of seconds have elapsed on an open connection without a file transfer or directory listing.

Stalled transfer timeout

This is the amount of time a file transfer can spend without sending or receiving any data before it is considered stalled and thus terminated.

Allow keep-alives

FTP clients use various commands to keep the connection from being idle. When enabled, FTP commands such as CWD, PWD or the ubiquitous NOOP will reset the No transfer timeout counter (described above). If disabled, only an actual file transfer or a directory listing will reset the counter.

Thread priority

You can select the priority of the threads servicing users for the FTP server. If you are running an FTP server on an otherwise busy host computer it might be a good idea to set the priority to a lower value than the default Normal setting.

Allow unsecured FTP connections

If this option is disabled the FTP client must support and utilize SSL. Client connected though unsecure FTP will get error 524 Only secure authentication is allowed.

Allow data connections to go to different IPs than that of the control connection (enable FXP, basically)

The FTP protocol uses two connections: The control connection and the data connection. The data connection is where all the raw data is sent, the control connection is used to send commands to the server and receive replies. Normally data connections are set up to the same IP address as that of the control connection, but in order to facilitate server-to-server file transfers it may be desirable to allow data connections to go to different IP addresses. If you are not using server-to-server transfers you can safely disable this option.

Quoted password changes 

This determines whether the parameters of the SITE PSWD command are in quotes or simply surrounded by a space. (SITE PSWD oldpwd newpwd vs. SITE PSWD "oldpwd" "newpwd").

Which form is used depends on the targeted FTP client.

Anti-hammer filter

This feature is similar to ExpertAssist’s IP address lockout settings. By default if 4 trials to establish more simultaneous data connections than it is allowed from an IP address occur within one minute, the IP address will be locked out for one hour. When the client IP gets locked out, the FTP client receives an error response 421 Connection rejected. Service available in 01:00:00 from the server.

Enabled

Select this box to enable the anti-hammer filter.

Number of invalid attempts before locking out

You can change the number of bad login attempts from 4 to anything you want.

Reset invalid attempt counter after

You can modify the time before the invalid attempt count is reset to zero.

Lock out for

You can choose the duration for which the user is locked out after the specified number of invalid attempts has been made.

Windows Users

You can connect to the newly defined FTP server with any FTP client, but you are not able to log in until you have created a new FTP user and give them access to the server or you can allow any Windows NT user to access the new virtual FTP server.

The difference between FTP users and NT users is simple. NT users are pre-existing users in the Windows local SAM user database and Active Directory. Creating and managing local users from SAM database is done either via the HTML-based User Manager included in ExpertAssist, or the User Accounts applet that comes with Windows. You cannot explicitly tell the FTP server the directories and files to which the user has access, but Windows access rights will be enforced. If a user can access a file below the server’s root directory locally or over the network, he will be able to do so via FTP as well. If a user has no rights to a file or a directory, he will not be able to access the object with FTP either. This is enforced by the FTP server by having the thread servicing the user impersonate him towards the operating system as soon as login is complete.

FTP users, on the other hand, are created and managed within the FTP configuration pages. You can tell the server which files or folders the user can access, where he can read from, where he can write to. When an FTP user logs on, the thread servicing the user is executing under the LocalSystem account by default. This is rather undesirable, so you can specify an NT user account on a per-server basis that will be impersonated when servicing FTP users. We will return to FTP users later in this chapter, when discussing the content of the FTP Users tab.

The Windows account which the FTP users will impersonate under can be defined by specifying a username, domain and password for an existing Windows account using the corresponding fields on the Windows Users page. This is used when an FTP user logs on: the thread servicing the user will be impersonating this account towards the operating system. If you enter an incorrect username or an incorrect password here, the FTP user will receive a 'Login incorrect' message from the FTP server, even if he enters his credentials correctly.

To grant access to a Windows NT user or group on the FTP server, select its name in the list on the right and click the Apply button. To revoke access from a user or a group, select its name in the list on the left, and click the Apply button.

To list user accounts from a domain rather than from the local computer, enter the domain’s name in the ‘default domain’ field and click the Apply button.

Now that you have granted access to an NT user, you can use an FTP client to connect and log in to the FTP server. The user will have access to all files and directories below the server’s root directory. However, on an NTFS file system, NT access restrictions will apply. For example, if the user does not have the rights to read or write in a certain directory, he will not be able to do so via FTP either. The FTP server enforces this in a very effective way: the thread servicing the user will impersonate him towards the operating system as soon as login is successful.

Welcome

The Welcome configuration page allows you to view and modify the welcome message for your users:

The first message the user will see when they log in will be the ExpertAssist welcome banner. If you do not wish to let the outside world know which FTP server you are running, you can disable this via the checkbox at the bottom of this window.

The next message the user will see looks like this by default:

——————————————————————————————
Welcome to the _!SERVER_NAME!_ FTP server,
running on _!OS_VERSION!_.
The server has been up for _!SERVER_UPTIME!_.
Data downloaded: _!BYTES_DOWN!_
Data uploaded: _!BYTES_UP!_
Sessions serviced: _!TOTAL_LOGINS!_
——————————————————————————————

You can change this to anything you like, or leave it blank if you'd prefer no login message for your users. If you disable both the banner and the welcome note, the FTP Server will just send ‘Welcome’ whenever somebody connects to the FTP port. This is because the FTP specification requires a server to send a code and some text when a connection is established.

By default, the post-login message looks like this:

——————————————————————————————
Welcome, _!USER_NAME!_, to _!SERVER_NAME!_.
Your last successful login was at _!LAST_LOGIN!_.
Good logins so far: _!GOOD_LOGINS!_.
Bad logins so far: _!BAD_LOGINS!_.
You have uploaded _!BYTES_UP!_ and downloaded
_!BYTES_DOWN!_ in your previous sessions.
——————————————————————————————
User logged in.

The final line reading User logged in cannot be customized, as this is a requirement of FTP protocol. The rest you can change to suit your preferences, or leave blank.

The following variables can be inserted into the welcome messages, and they will be automatically replaced with their corresponding values:

_!SERVER_NAME!_

The name of the FTP server.

_!OS_VERSION!_

The operating system and its version.

_!SERVER_UPTIME!_

The amount of time the server has been up.

_!BYTES_UP!_ and _!BYTES_DOWN!_

The amount of data uploaded and downloaded. These variables behave differently when used in the pre-login or post-login messages. In the pre-login message, they represent a server-wide value, while in the post-login message they represent the amount of data transferred by the user.

_!TOTAL_LOGINS!_

The number of successful logins to the FTP server. Only valid in the pre-login message.

_!GOOD_LOGINS!_ and _!BAD_LOGINS!_

The number of logins and unsuccessful login attempts for the user logging in. Only valid in the post-login message.

_!LAST_LOGIN!_

The last successful login by the user. Only valid in the post-login message.

These welcome messages are server-wide settings, and apply to all users and groups. When you specify a welcome message for an FTP group or an FTP user, it will override the post-login message defined here.

ODBC

The ODBC option allows you to specify a database as a source of user information.

With this configuration page you can set up a database to contain user information. This can be any database type: Oracle, SQL Server, Microsoft Access, or even a plain text file. You need to create an ODBC data source that refers to this database so that ExpertAssist can access it. The data source must be a so-called System Data Source, as this is the only ODBC source available to processes running in the system context.

Note: The data source should be of the System DSN type.

Note: On 64-bit Windows environments please use the Microsoft SQL system or SNAC drivers as these are the only ODBC providers available for System data sources.

When you have your database and ODBC data source ready, we advise you to test it by querying it with a tool that supports ODBC queries, such as a spreadsheet program or the Windows built-in ODBC Data Source Administrator tool.

Note: On 64-bit Windows please make sure to use the 64-bit ODBC Data Source Administrator tool. It is available under the %systemroot%\system32 folder.

You should have all user information available in one table. If you already have a user database and user information is in separate tables, you should set up a query within your database that contains all user-related fields. ExpertAssist only reads from the database.

Suppose that you have a user database in a data source called FTPUsers. The user information is present in a database table called Users. A database SQL login called ea is able to read from the Users table. You should also supply the password for this user.

ODBC Data source settings
Use ODBC

Set this checkbox to enable the use of ODBC.

Data source name

Enter the name of the System DNS created using the ODBC Data Source Administrator tool to be used as the data source.

Login name

Enter the User Name that is used to access the ODBC data source.

Password

Enter the Password that is used to access the ODBC data source.

Connect timeout

The amount of time to wait while establishing a connection before ending the connection attempt.

User information table name

Enter the name of the database table that the ODBC data source will use.

Column names for user properties
User name

Enter database table field (column) name storing the users’ login names.

Password

Enter database table field (column) name storing the users’ passwords.

Home Directory

Enter database table field (column) name storing the users’ home directory path here. Users have full access to their home directory, but have neither read nor write permissions outside of it. The path can be an absolute path (such as z:\ftp\users\~john) or it can be relative to the server root (such as /users/~john).

Quota

Optional) The quota field will restrict user from storing more data in his home directory and its subdirectories than the number of bytes specified here.

Download/Upload Bandwidth

Optional) These fields restrict download/upload speed. They are optional, and should be an integer number specifying bytes per second.

Disabled

Optional) Enter database table field (column) name storing the user’s status. Within the database this field should store an integer value. When the value is non-zero, the user is disabled and cannot log in.

Maximum number of simultaneous connections

Optional) Enter database table field (column) name that specifies the maximum simultaneous connections to this FTP server for a user.

Maximum number of simultaneous connections per IP address

Optional) Enter database table field (column) name that specifies the maximum number of simultaneous connections per unique IP address for a user.

Welcome Message

(Optional) Enter database table field (column) name storing a custom welcome message for the user.

FTP Users

If you click on the FTP Configuration page under the Server Functions object and select the FTP Users tab, you can view, create or modify your existing FTP users. These are only defined in ExpertAssist and unlike Windows NT users they do not exist outside of the FTP server.

As on the FTP Users tab, users are shown in a table, with a delete column to the right.

Below this is the New FTP user button.

New FTP User

To create a new FTP user, click on the New FTP user button on the FTP Users tab of the FTP Configuration page.

Enter the desired username and password on the Settings for FTP user page. You can also specify upload and download speed limits for the user. If not set to zero (meaning disabled) these options override the global FTP server settings.

You can also enable or disable their ability to change this password, and select an IP from the IP filter drop-down list.

Click Apply to create the user.

When you create a new user the following options become available:

Groups
Permissions
Ratio
Disable
Home/Quota
Max Connections
Welcome
Permissions Report

The newly created user cannot log in yet: you have to assign permissions to them for an FTP server and a path so that the user is able to use the account.

Groups

This configuration page lets you specify the FTP groups to which the user belongs. For more details on FTP groups, please see the next section.

Selecting a group that the user is a member of and clicking the Apply button will remove the user from that group. Selecting a group that the user is not a member of and clicking the Apply button will add the user to that group.

The Back button takes you back to the Settings for FTP user page.

This configuration page lets you edit users’ access rights to directories. To grant access to a directory on a server, select the virtual server from the server list, select the type of rights you wish to assign to the user, enter the path to the directory and click the Apply button.

The path you specify can be a full path, containing a drive letter, or a path relative to the server’s root directory. If you assign rights to a path that is not within the server’s root directory, the setting will have no effect at all.

The following rights are possible:

L – Show directory contents.
Allows the user to list the contents of the directory.

R – Read file.
Download files from the directory.

C – Create subdirectories.
Create new directories in the directory.

D – Delete/rename file.
Delete or rename a file or a directory. Also required to be able to overwrite files.

W – Create/modify file.
Create a new file and/or write data to it.

Full access.
All of the above.

The rights you specify for a directory are automatically inherited by its subdirectories, unless you specify different rights for them.

The following method is used when checking access rights to a directory:

The current virtual server’s access list is enumerated for the current user.

When the directory closest to the directory in question is found, the access rights specified for that directory is used. For example, if the user has LRW rights for C:\Work, he has LR rights for C:\Work\CPP, and the directory in question is C:\Work\CPP\Project1, only LR rights are returned – meaning that the user can only list and read files, but not write to them.

If an NT user is specified on the Windows Users configuration page for the server to run FTP accounts under, further Windows NT-enforced restrictions might apply, based on file system permissions. This configuration page is available from the Settings for FTP server page.

You can also make the user member of one or more groups, and these groups can also be members of one or more groups. For an explanation of this scenario, please see the FTP Groups section.

Ratio

This configuration page lets you edit the upload/download ratio settings for users. The upload/download ratio lets you control how much data the user has to upload before he can download anything.

If the Upload ratio is set to 1, and the Download ratio is set to 5, the user can download 5 bytes for every byte uploaded. If it were the other way around, the user would have to upload 5 bytes to be able to download one. You can enter any positive integer number in either of these fields.

There are four possible settings for the Ratio type:

  1. None. The user is a normal user, and can download any file he has read access to, without having to upload first.
  2. Per session. When the user logs in, his counters are zeroed. Should he lose connection while uploading or downloading, any remaining credits he has will be lost.
  3. Per user. The user’s credits are remembered over sessions. It is not recommended if you want several users to share the same account.
  4. Per IP address. Even if the user loses connection, his credits are remembered, if he logs in again from the same IP address. This does not cause a problem, even if the user account is shared by hundreds of concurrent users.

The Per IP ratio expiration time setting allows you to expire the per-IP credits after a certain amount of time. If the user logs back from the same IP address after not visiting the server for this much time, he will have to start over building up his credits.

The ratio setting applies to all virtual FTP servers.

To let the user download files without uploading, you can specify a starting credit. The amount given is in kilobytes – the user will be able to download the specified amount of data without uploading.

Disable

The following configuration page lets you explicitly disable (or ban) a user on a virtual FTP server. Disabled users cannot log in, even if they have rights on an FTP server. You can also disable a connected user from the FTP status page.

Home/Quota

This configuration page lets you specify home directories for the user. A home directory is basically the entry point for a user on an FTP server. When the user logs in, he will find himself in the directory you specify here. If no home directory is specified, he will be logged in to the server’s root directory. The user can move out from his home directory if he has rights to an outside directory. You can use a full path, starting with a drive letter, when specifying home directories – or you can enter a relative path to the server’s root directory.

You should make sure that the user has rights to his entry point on the server – either to his home directory, or if the home directory is not specified, to the root directory of the server. If the user has no rights to the entry point, he will not be able to log in. If the user’s home directory is specified above the server’s root, the user will not be able to log in.

You can specify quotas for your users. Quotas are only enforced on home directories, and apply to all files contained in the home directory and its subdirectories. If a user has rights to upload files outside of his home directory, he will be able to do so without restrictions – quotas only apply to the home directory and its contents.

The ExpertAssist can help to enforce disk quotas for user accounts. When a user starts to upload a file, the FTP server quickly scans the contents of the directory to determine if the user is below or above the quota. If the quota is not exceeded, the upload can be started – however, the FTP server will interrupt the transfer as soon as the file being uploaded starts to exceed the specified quota.

Home directory quotas are entirely optional, by leaving the field empty you choose not to limit the amount of data that can be stored on the server by the user.

Maximum Connections

You can specify the maximum number of simultaneous connections for a user account on this configuration page. By default, a user account can be used to log in any number of times, until exhausting the maximum number of connections for the virtual FTP server, or exhausting the resources of the computer.

Simply select the server on the right, enter the number of maximum simultaneous connections in the Count field and click the Apply button.

To remove a limitation, select it in the list on the left and click the Apply button.

You can also limit the number of simultaneous connections to be established by the user from a single IP address. The Per IP field serves this purpose. When left blank, or a zero is entered, this limitation is disabled and the user can establish that many connections as defined in the Count field. If you enter a numeric value, a single computer can be used to log in that many times with the account.

It is a good idea to limit certain user accounts (for example the Anonymous account) this way. An overall maximum connection limit defined in the Count field ensures that the server cannot be overloaded by thousands of Anonymous users, and a Per IP limitation makes sure that no single user can take up all available connections.

Welcome

You can compose a custom welcome message for the user in this window.

——————————————————————————————
Welcome, _!USER_NAME!_, to _!SERVER_NAME!_.
Your last successful login was at _!LAST_LOGIN!_.
Good logins so far: _!GOOD_LOGINS!_.
Bad logins so far: _!BAD_LOGINS!_.
You have uploaded _!BYTES_UP!_ and downloaded
_!BYTES_DOWN!_ in your previous sessions.
_!QUOTA!_
——————————————————————————————

Messages specified here override any post-login message specified for the virtual FTP server. In this case, messages specified for any groups the user belongs to will be disregarded as well. See the equivalent section on welcome messages above for the available variables.

Permissions Report

The permissions report can be retrieved for any FTP user. It will list all FTP servers, and all the rights a user has on the given server.

This report can be useful if you have a more complicated setup of groups and users, and would like to see what exactly the user can do on the system, and from where these rights come.

FTP Groups

If you click on the FTP Groups tab on the FTP Configuration page under the Server Functions object, you can easily control the resources available to your FTP users. As on the FTP Servers and FTP Users tabs, groups are shown in a table, with a Delete column to the right.

To add a new FTP Group click on New FTP group.

General Group Settings

You can make a group a member of another group, thus bringing in any permissions or restrictions for its member users from the parent group.

Selecting a group in the Member of list and clicking the Apply button will remove it from that group. Selecting a group in the Not member of list and clicking the Apply button will add the group to it.

You can also specify a welcome message for a group. Whenever a member logs in, he will see this message instead of the server’s general welcome message.

With this configuration page you can specify the rights to servers and directories.

The configuration page works very much like the Permissions configuration page within the FTP Users tab. For a basic description please see the appropriate section of this document.

There are some scenarios, however, that might require further explanation.

Suppose the following, rather complicated scenario:

  • User1 is member of Group1.
  • Group1 is member of Group2 and Group3. In the Member of list for the Group1, Group2 is shown first and Group3 is shown second.
  • User1 is granted LR access to C:\, and LRW access to C:\Work.
  • Group1 is granted full access to C:\, LR access to C:\Work, and LRWD access to C:\Work\CPP.
  • Group2 is granted LR access to C:\Work\CPP and full access to C:\Work\CPP\Project1
  • Group3 is granted LR access to C:\Work\CPP\Project1

So, what exactly User1 can do in the aforementioned directories?

  • C:\

He has LR rights. He was explicitly granted LR rights to this directory, and this overrides anything else.

  • C:\TEMP

He has LR rights. He was explicitly granted LR rights to the directory closest to this one (C:\), and no groups that he is a member of, directly or indirectly, specify anything else for the C:\TEMP directory.

  • C:\Work

LRW rights again. See the first case.

  • C:\Work\CPP

LRWD, because Group1 has LRWD rights. Even though Group2, which Group1 is a member of, specifies LR access for this directory, Group1 is the least indirect object that specifies actual rights for the directory. Group2 is one more indirection away, with User1 only being a member of it because he is a member of Group1, and is therefore overridden by Group1.

  • C:\Work\CPP\Project1

Full access. Both Group2 and Group3 are two indirections away, they both specify access rights to the same directory, so the deciding factor between Group2 and Group3 is that Group2 is the first one in the Member of list of the Group1.

FTP Status

When you click on FTP Status under Server Functions, you can view the current status of each of your virtual FTP servers consolidated into a table.

For each server, it provides a listing of all current connections and their current activity. The fields in the list are:

Icon

This field shows a small icon, representing the current status of the connection. A green checkmark indicates a ready, or idle connection. An hourglass indicates a connection currently in the process of logging in or becoming ready. An up or down arrow indicates uploading or downloading.

User name

The name of the user associated with the connection. For NT users, it is in an AUTHORITY\ACCOUNT form. For FTP users, it’s simply the username. For connections not yet logged in, it’s N/A.

Control IP

The IP address of the FTP control connection. This is where commands from FTP client to virtual FTP server are sent from.

Downloaded

Bytes downloaded during this connection.

Uploaded

Bytes uploaded during this connection.

Data IP

The IP address of the FTP data connection, if applicable. This is where data is sent via from or to.

Path

The path and name of the file currently being uploaded or downloaded, if any.

Speed

The speed of the upload or download process.

Bytes left

The amount of data left from the transfer operation. Only applies to download transfers, since the FTP protocol does not let the server know the size of the file being uploaded in advance.

Est. time left

The estimated time remaining from the transfer operation. Only applies to download transfers, for the same reason as the previous item.

Kick

This button kicks the user out – in other words, terminates the connection.

Ban

This button kicks and then bans the user from the FTP server. Only applies to FTP users, and not to NT users. The Disabled configuration page for the banned user will show him as disabled on the server he was banned from.

Ban user IP

This option first kicks the user from the server in question, then adds an IP filtering rule to the IP Filtering page under the Security object and sets the created rule to the IP filter drop-down list on the Settings for FTP user for the banned user. That will prevent him from logging in again from the IP address in question. He will have the ability to log in from other IP addresses (depending on IP filtering setup) and the IP address will only be disabled for this user.

Ban server IP

This button kicks the user, then adds an IP filtering rule to the IP Filtering page under the Security object and sets the created rule to the IP filter drop-down list on the Settings for FTP server for the banned server. That will cause the server not to accept connections from the IP address in question at all. No matter which user is logging onto the FTP server from the banned IP. The user will be able to log in from other IP addresses.

Anti-hammering

Information for each server is also shown, where applicable. It is in the following format:

IP address

The address the attempted connection came from.

Expires at

The time when the information will be discarded – users will be able to establish connections from the IP address at this time again.

Delete

Clicking this button will remove the anti-hammering information from the FTP server’s memory, thus making the IP address available for logins, had it been locked out.

The Refresh button refreshes the contents of the screen to reflect any changes, while the Back button goes back to the main FTP settings screen.

FTP Statistics

If you click on FTP Statistics under Server Functions, in the table you can view per-server and per-user statistics, such as the last login, number of logins, bytes sent and received, etc.

The red button Delete button in the Reset table column will reset or delete statistics kept on that object.

Port Forwarding Config

ExpertAssist also comes with Port Forwarding Server. This allows you to forward one or more TCP ports on one computer to another so that separate networks can be bridged.

Before getting into the details of how you would configure your Port Forwarding Server (PFS) we will look at how it works. Picture the following scenario:

You have a Local Area Network (LAN), connected to the Internet with a firewall / proxy server. The computers on the LAN all have non-Internet IP addresses, and they connect to the outside world via the proxy server.

If you have ExpertAssist installed on any computer on the LAN — say, the fileserver — you would be able to access it from within the LAN without any problems. However, it is not accessible from the Internet.

If you set up ExpertAssist and PFS on the firewall, so that a certain port (say, 3000) on the firewall is forwarded to the fileserver’s IP address and ExpertAssist port (2000 by default), accessing port 3000 on the firewall will let you access ExpertAssist on the fileserver. Both from within the LAN and from the outside as well.

When you click on the Port Forwarding Config page under the Server Functions object in the tree you can set up the above scenario. In order to look at the interface for this feature we will look at some more possible scenarios.

Imagine, for example, the following situation:

The firewall’s Internet IP address is 145.236.120.227
The firewall’s LAN IP address is 192.168.0.2
The fileserver’s LAN IP address is 192.168.0.10. ExpertAssist is installed on both computers, and is listening on port 2000.
The IP addresses used in the foregoing are for demonstration purposes only.

What we need to do is simple: map port 3000 on the firewall computer to port 2000 on the fileserver. Having called up the Port Forwarding Config page from the tree you can now add a new rule by clicking the Create forwarding rule button.

The Protocol drop-down list in the In group should have TCP selected in it. Other protocols (SSL, CSSL) will be discussed later. The IP Address drop-down list in the In group can be set to an * (asterisk) meaning that the port will be forwarded from all IP addresses of the firewall. If you want to use a single IP address instead of all assigned ones, select it here. The Port edit box in the Incoming group can be anything not already in use on the computer – in our case it is 3000.

The Protocol drop-down list in the Out group should have TCP selected in it. The IP Address edit box in the Out group will be 192.168.0.10 (or the actual DNS address of the host), and the Port edit box will be 2000. The Defer and the Timeout values can be left to their defaults. These will be explained later.

The Description field lets you specify a remark associated with the port forwarding item. This will be displayed in the table on the Port Forwarding Config page.

If you fill out the dialog and click the Apply button, the item will be listed on the Port Forwarding Config page.

That’s really all there is to it. Your first port forwarding item has now been configured.

Advanced Options

You can edit a port forwarding item by double clicking it, or by selecting on it and clicking on the Modify Rule button.

You can specify IP address restrictions for the item from the IP address filter profile drop-down list. This works exactly like the ExpertAssist IP Filtering feature, only it restricts incoming connections to the corresponding port forwarding item only. For more information, please read the documentation on IP Filtering.

Timeout

This setting lets you specify how long the PFS will hold a connection open with no data going through it in either direction. When the amount of time specified here is reached and the connection is idle, both ends of the connection will be closed gracefully.

Defer

This setting lets you specify a timeout value for a special condition. When one end of the connection has been closed, but the other is still open, PFS will wait this much time for the open end of the connection to be closed. It will then close the connection itself.

Protocol (In and Out)

These fields let you specify SSL or CSSL as well as TCP. To translate SSL connections to TCP or TCP to SSL, and thus behave as an SSL proxy for applications that are not SSL-enabled, simply set one end to SSL and the other end to TCP.

There are situations when SSL encryption would be a very nice thing to have, but neither the client nor the server support it. In this case, you can use two installations of ExpertAssist: one to translate the connection from TCP to SSL, the other to translate it back from SSL to TCP.

Let’s suppose that you are using a laptop with a dialup account, and your email software does not support SSL. Let’s also suppose that your corporate mail server does not support SSL either. If you still want to keep your email secure, you can install ExpertAssist both on your laptop and on the email server, and set up a port forwarding item on both computers.

On your laptop, you would need to do the following:

  • Create a port forwarding item with the incoming IP address as 127.0.0.1 (the loopback address), the incoming port as 3110, the incoming protocol is TCP. The outgoing IP address or host name would be set to that of your email server, the outgoing port would be set to 3110, and the outgoing protocol would be SSL.
  • Change your email client’s preferences so that the POP3 server is 127.0.0.1 and the port is 3110.

On the mail server, you would need to only create one port forwarding item, with the incoming IP address set to your mail server’s Internet IP address, the incoming port would be 3110, and the incoming protocol would be SSL. The outgoing IP address would be the same (the mail server’s Internet IP address), the outgoing port would be 110 (the standard POP3 port), and the outgoing protocol would be set to TCP.

If you performed the above three steps, starting up your email client and checking for mail would actually go through two port forwarding servers; the first one being on your own computer, encrypting all data before it’s sent to the mail server. The mail server’s port forwarding server would receive the encrypted data, and decrypt it before sending it on to the actual mail server software. Data flowing in the other direction would be also seamlessly encrypted and decrypted.

However, if you have two ExpertAssist Port Forwarding Servers talking to each other, you could also utilize the proprietary CSSL protocol instead of using plain SSL. CSSL, which stands for Compressed SSL, would also seamlessly compress and decompress your data as well as encrypt and decrypt it - to keep to the above example, making your mail arrive much faster over a dialup connection. (And also, to properly finish the laptop/email example, you would also have to create one additional port forwarding item on both computers for the SMTP protocol that is used to send email as opposed to receiving it. This runs on port 25 by default.)

Click the Export button to download a CSV file containing the list of custom port forwarding rules to your local computer.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen