Features in ActiveTransfer Global Settings
This topic provides information about specific features you can use to configure global settings for ActiveTransfer:
Throttling
Throttling enables you to control the speed of file transfers. By imposing such a restriction on bandwidth, you help prevent a situation where your organization’s entire bandwidth is used for file transfers. You can specify the following options:
Maximum number of client connections that can be made to
ActiveTransfer Server at any given time.
Maximum outgoing and incoming speeds allowed across all listeners for an
ActiveTransfer instance.
IP patterns that define a range of IP addresses that are immune to the speed settings.
Restrictions for Files
You can restrict particular operations for files that match a specified pattern. You can set the following server restrictions:
Restrict server availability to specified days of the week.
Restrict particular actions for files that match a specified pattern. For example, you can restrict users from uploading files that end with
.exe.
Restrict access to subfolders in a folder system that match a specified pattern.
Hammering
At times, applications might attempt to access your ActiveTransfer Server or ActiveTransfer Gateway through a rapid succession of login attempts, a technique sometimes referred to as hammering. This can consume significant bandwidth and processing time, resulting in the denial of connection requests from other users.
Note:
Apply the settings to ActiveTransfer Server only in the absence of a Gateway instance. If you have an ActiveTransfer Server and a Gateway instance, apply the settings to the Gateway.
You can use the hammering settings to do the following:
Set limits on the number of connection, password, or command execution attempts and the interval between them. Then, ban the user’s IP address for a specified number of minutes when the defined limits are reached.
Ban the IP address associated with a user after the user’s first incorrect password attempt, either permanently or for a specified number of minutes.
Block efforts to discover valid user credentials by holding the names of invalid users in the cache for a specified number of seconds.
Discourage hack attempts by robots that scan for writable directories on the server by slowing down responses to such clients.
Note:
If the hammering settings are too restrictive, they can prevent users and applications from connecting to ActiveTransfer Server or ActiveTransfer Gateway to exchange files or perform file operations under normal operating conditions.
When the specified time interval elapses,
ActiveTransfer Server and
ActiveTransfer Gateway automatically lift the ban on IP addresses. You can also free banned IP addresses before the specified time interval by using the
Integration Server service
wm.mft.server:unbanIPs. For more information about the
wm.mft.server:unbanIPs service, see
Server Services.
Restrictions for IP Addresses
You can allow or deny a range of IP addresses for selective access to ActiveTransfer Server or ActiveTransfer Gateway. The default range is 0-255, which indicates that ActiveTransfer Server or ActiveTransfer Gateway allows all IP addresses to access the server and Gateway, respectively.
Note:
The IP version supported is IPv4.
SSL Ciphers
Ciphers are algorithms that are used to encrypt or decrypt data. You can specify the SSL ciphers that ActiveTransfer will apply to all SSL listeners associated with a server instance.
File-based Encryption and Decryption
File-based encryption and decryption enables you to encrypt files before you store them on your drive. Encrypted files are decrypted when they are transferred back through ActiveTransfer using the same key that was used to encrypt them.
ActiveTransfer Server encrypts and decrypts files instream rather than after the file is fully transferred.
When encryption and decryption keys are configured at multiple levels (user, server, and folder), ActiveTransfer enforces the following order of preference:
1. Users
2. Folders
3. Servers
For example, if user A accesses port 10 and uploads a file in a VFS MN, then ActiveTransfer checks if the encryption or decryption key is available for user A. If no key is available at the user level, then ActiveTransfer checks for the folder settings for a key. If no key is present at the VFS level, then ActiveTransfer checks the server level settings for the key.