You are on page 1of 363

Copyright © 1995-2015 SolarWinds Worldwide, LLC. All rights reserved
worldwide. No part of this document may be reproduced by any means nor
modified, decompiled, disassembled, published or distributed, in whole or in part,
or translated to any electronic medium or other means without the written consent
of SolarWinds. All right, title, and interest in and to the software and
documentation are and shall remain the exclusive property of SolarWinds and its
respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER
TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON
SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS,
NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING
IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF
SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive
property of SolarWinds Worldwide, LLC and its affiliates, are registered with the
U.S. Patent and Trademark Office, and may be registered or pending registration
in other countries. All other SolarWinds trademarks, service marks, and logos
may be common law marks, registered or pending registration in the United
States or in other countries. All other trademarks mentioned herein are used for
identification purposes only and may be or are trademarks or registered
trademarks of their respective companies.
Last revised: 7/8/2015

About SolarWinds
SolarWinds, Inc develops and markets an array of IT management, monitoring,
and discovery tools to meet the diverse requirements of today’s IT management
and consulting professionals. SolarWinds products continue to set benchmarks
for quality and performance and have positioned the company as the leader in IT
management and discovery technology. The SolarWinds customer base includes
over 85 percent of the Fortune 500 and customers from over 170 countries. Our
global business partner distributor network exceeds 100 distributors and
resellers.

Conventions
The documentation uses consistent conventions to help you identify items
throughout the printed and online library.
Convention

Specifying

Bold

Window items, including buttons and fields

Italics

Book and CD titles, variable names, new terms

Fixed font

File and directory names, commands and code
examples, text typed by you

Straight brackets, as
in [value]

Optional command parameters

Curly braces, as in
{value}

Required command parameters

Logical OR, as in
value1|value2

Exclusive command parameters where only one of the
options can be specified

Serv-U documentation library
The following documents are included in the Serv-U File Server documentation
library:
Document

Purpose

Administrator Provides detailed setup, configuration, and conceptual
Guide

information.

Evaluation
Guide

Provides an introduction to Serv-U features and instructions for
installation and initial configuration.

Release
Notes

Provides late-breaking information, known issues, and updates.
The latest Release Notes can be found at
http://www.solarwinds.com.

Technical support
Have a question and need more help? SolarWinds offers a variety of technical
support options. For current product support policies, please refer to the Serv-U
Help Desk.
Users who purchased their copy of Serv-U from an official reseller are referred
back to their reseller for support. Telephone technical support is available.

Free email support
Free technical support is available through email to users with active
maintenance. We ask that all users submit their inquiries to http://www.ServU.com/support/ for technical support requests.

Knowledge base
Our knowledge base is a dynamic support tool that you can use to research
solutions to your questions and problems. Nearly every technical question posed
to our technical support team is answered here. The knowledge base can provide
immediate, informative, step-by-step answers with screenshots to your questions.
Visit http://www.Serv-U.com/kb/ to get answers now.

Sales support
Sales questions relative to the Serv-U File Server software should be directed to:
http://www.Serv-U.com/sales/. Sales representatives can also be reached by
calling SolarWinds at +1 (855) 498-4154.
Technical support options are subject to change without notice at the discretion of
SolarWinds.

Contacting SolarWinds
If you have lost your registration ID, visit the Online Customer Service Center.
You can contact SolarWinds at:
SolarWinds
7171 Southwest Parkway
Bldg 400
Austin, TX 78735
Sales: +1 (855) 498-4154
FAX: +1 (512) 682-9301
Phone: +1 (866) 530-8100
http://www.Serv-U.com/
http://www.Serv-U.com/sales/
http://www.Serv-U.com/support/

For sales inquiries, visit: http://www.Serv-U.com/sales/.
For more information about the Serv-U File Server, visit: http://www.Serv-U.com/.

Table of Contents
Tips and tricks

18

Chapter 1: Serv-U File Server

20

Serv-U File Server overview

20

Serv-U editions

22

How to purchase Serv-U

23

Chapter 2: Getting started

25

System requirements

25

Hardware requirements

25

Operating system and software requirements

26

Client requirements

27

Server concepts

29

Glossary

30

Quick start guide

31

Installing the Serv-U file server

32

Upgrading Serv-U

32

Creating domains

33

Creating user accounts

37

Sharing files

39

Using URL parameters

39

7

Serv-U File Server Administrator Guide The Serv-U Management Console 40 Management Console layout 40 Launching the Web Client 41 User interface conventions 41 Understanding user interface conventions 41 Chapter 3: Server 43 Server details 43 Specifying IP access masks 43 Caveats 44 IP access list controls 46 Examples 47 Serv-U Gateway 48 Serv-U Gateway Add/Edit dialog 52 Serv-U Gateway Properties dialog 53 Status area 53 Install information area 54 Registration ID area 54 Configuring database access 54 Using Serv-U events 58 Using event actions 65 Using email actions 65 Using balloon tip actions 66 Using execute command actions 66 Writing to the Windows Event Log 66 Writing to Microsoft Queue (MSMQ) 67 Event filter fields 68 8 .

Table of Contents Using event filters 70 License information 71 Program Information 73 Configuring SMTP settings 73 Configuring directory access rules 77 File permissions 78 Directory permissions 79 Subdirectory permissions 79 Advanced: Access as Windows User (Windows Only) 79 Quota permissions 80 Mandatory access control 80 Restricting file types 81 Using virtual paths 84 Using automated file management 86 Server limits and settings 88 Connection 90 Password 92 Directory listing 94 Data transfer 95 HTTP 98 Email 99 File sharing 100 Advanced 102 Server settings 104 Configuring FTP settings 106 Configuring encryption 110 9 .

Serv-U File Server Administrator Guide Using custom HTML 115 Using file sharing 117 Server activity 118 Disconnecting sessions 118 Using the spy & chat function 119 Broadcasting messages 120 Canceling sessions 120 Server and domain statistics 120 User and group statistics 122 Server and domain log 125 Chapter 4: Domain 127 Managing domains 127 Configuring domain details 128 Configuring domain listeners 129 Using virtual hosts 133 Server details 134 Case File: Office-only access 138 Case File: Prohibited computers 138 Case File: DNS-based access control 139 Configuring database access 139 Using Serv-U events 143 Using event actions 150 Using email actions 150 Using balloon tip actions 151 Using execute command actions 151 Writing to the Windows Event Log 151 10 .

Table of Contents Writing to Microsoft Queue (MSMQ) 152 Event filter fields 153 Using event filters 155 Configuring SMTP settings 157 Configuring directory access rules 160 File permissions 161 Directory permissions 162 Subdirectory permissions 162 Advanced: Access as Windows User (Windows Only) 162 Quota permissions 163 Mandatory access control 163 Restricting file types 164 Using virtual paths 167 Using automated file management 169 Domain limits and settings 171 Connection 173 Password 175 Directory listing 177 Data transfer 178 HTTP 180 Email 181 File sharing 182 Advanced 184 Domain settings 185 Configuring FTP settings 188 Configuring encryption 192 11 .

Serv-U File Server Administrator Guide Using custom HTML 196 Using file sharing 198 Server activity 199 Disconnecting sessions 199 Using the spy & chat function 200 Broadcasting messages 201 Canceling sessions 201 Server and domain statistics 201 User and group statistics 203 Server and domain log 205 Configuring domain logs 207 Chapter 5: Users 210 Configuring user accounts 210 User information 214 Configuring directory access rules 220 File permissions 221 Directory permissions 222 Subdirectory permissions 223 Advanced: Access as Windows User (Windows Only) 223 Quota permissions 224 Mandatory access control 224 Restricting file types 225 Using virtual paths 228 Physical path 229 Virtual path 229 Including virtual paths in "Maximum Directory Size" calculations 229 12 .

user and group events 238 Creating common events 241 Configuring event filters 245 Server details 248 Specifying IP access masks 249 Caveats 250 IP access list controls 252 Examples 252 Limits and settings 253 Connection 255 Password 256 Directory listing 258 Data transfer 259 HTTP 261 13 .Table of Contents Case File: Using virtual paths 230 Case File: Creating relative virtual paths 230 Configuring user and group logs 230 Logging to File settings 231 Enabling logging to file 232 Automatically rotating the log file 232 Purging old log files 232 Specifying IP addresses exempt from logging 233 Group memberships 233 Using Serv-U events 235 Server events 236 Server and domain events 236 Server. domain.

Serv-U File Server Administrator Guide Email 262 File sharing 262 Advanced 265 Transfer ratio and quota management 266 Using transfer ratios 266 Using quotas 267 Using ratio free files 267 Comparing Windows and LDAP authentication 268 Differences between Windows users and LDAP users 268 Configuring Windows and LDAP authentication 269 Keeping Serv-U Up to Date 270 Configuring Windows authentication 270 Using a Windows user group home directory instead of account home directory 271 Configuring Windows user groups 272 Using Windows user permissions 272 LDAP authentication 273 Before you begin 273 Configuring the LDAP server 274 Specifying the LDAP login ID suffix 278 LDAP group membership 278 Using LDAP user groups 279 Using a list of LDAP servers 281 Testing the connection to the LDAP server 283 LDAP error messages 284 Enabling LDAP authentication 285 Understanding user home folders 286 14 .

Table of Contents Using the LDAP user group home directory instead of the account home directory 286 Understanding the interaction between domain home directories with Default LDAP User Group home directories 288 SFTP (Secure File Transfer over SSH2) for users and groups Chapter 6: Groups 289 291 Configuring user groups 291 Using group templates 292 Setting up Windows groups (Windows only) 292 Configuring a Windows user group (Windows only) 293 LDAP user groups 293 LDAP group membership 294 Group information 295 Configuring directory access rules 298 File permissions 300 Directory permissions 300 Subdirectory permissions 301 Advanced: Access as Windows User (Windows Only) 301 Quota permissions 302 Mandatory access control 302 Restricting file types 303 Using virtual paths 306 Physical path 307 Virtual path 307 Including virtual paths in "Maximum Directory Size" calculations 307 Case File: Using virtual paths 308 Case File: Creating relative virtual paths 308 15 .

Serv-U File Server Administrator Guide Configuring user and group logs 308 Logging to File settings 309 Enabling logging to file 310 Automatically rotating the log file 310 Purging old log files 310 Specifying IP addresses exempt from logging 311 Group members 311 Using Serv-U events 314 Server events 315 Server and domain events 315 Server. domain. user and group events 317 Creating common events 320 Configuring event filters 324 Server details 327 Specifying IP access masks 328 Caveats 329 IP access list controls 331 Examples 331 Limits and Settings 332 Connection 334 Password 336 Directory listing 338 Data transfer 338 HTTP 340 Email 341 File sharing 341 16 .

Applies to the most recently completed successful data transfer 354 Date/Time 356 Server settings 357 Session information .Applies to the last remotely accessed file.Applies to the current session 357 File information .Table of Contents Advanced 344 Using ratio free files 345 SFTP (Secure File Transfer over SSH2) for users and groups 346 Chapter 7: System variables 348 Server information 348 Server statistics 350 Domain statistics 352 User statistics . which is not necessarily the last transferred file 361 Current activity 362 17 .Applies to all sessions attached to the user account 353 Last transfer statistics .

see System variables and Configuring directory access rules. To limit user access to client views. Use $ macros for events and in system messages (such as login messages or customized FTP responses) and % macros for configuration values. For information about setting up user templates. For more information about configuring limits and settings. Encryption options specified at the server level are automatically inherited by all domains. see Configuring user accounts. For information about creating user collections.Archive file l Users folder l Serv-UID. To send emails to multiple recipients and to groups when an event (such as a file transfer) occurs. For example. To back up your Serv-U configuration. use a user template in which a default group is specified. see Server limits and settings. To automatically add new users to a group. configure a Serv-U event to receive notifications about successful file transfers. see Using Serv-U events. modify the system settings that control client view accessibility. For more information. see User information. For more information about macros. use the %DOMAIN_HOME% macro. Any encryption option specified at the domain level automatically . use %DOMAIN_HOME%\%USER%.txt file To identify the user's home directory. see Using Serv-U events. save the following files and folders: l Serv-U. configure email actions.Tips and tricks l l l To confirm that a file transfer has been completed. For information about configuring events. For more information. see Configuring user accounts. l l l l l l Organize user accounts into collections to make account management more logical and organized. to place a user's home directory into a common location.

. l l To control access to virtual paths. For more information. create a new limit.overrides the corresponding server-level option. see Server limits and settings. For more information about setting encryption levels. see Using virtual paths. see Configuring encryption. The value of the new limit takes precedence over the default value. To override default system limits when configuring the file server. configure virtual paths for individual users or groups. For more information.

Administrators create accounts for users that allow access to specific files and folders on the server's hard drive or any other available network resource. These access permissions define where and how the users can access the available resources. In addition.Chapter 1: Serv-U File Server Serv-U File Server overview The Serv-U File Server is a multi-protocol file server capable of sending and receiving files from other networked computers through various means. you can use your favorite web browser or SSH client to connect and transfer files to and from Serv-U. 20 . Server administrators looking to provide a fullfeatured FTP client to users who may not have an FTP client license of their own can even license FTP Voyager JV. The Serv-U File Server supports the following protocols: l FTP (File Transfer Protocol) l HTTP (Hyper Text Transfer Protocol) l FTPS (FTP over SSL) l HTTPS (HTTP over SSL)* l SFTP using SSH2 (File Transfer over Secure Shell)* In addition to Serv-U's support for a large collection of the most popular FTP clients. FTP Voyager JV is a Java-enabled FTP client delivered to the user after logging in to their Serv-U account. Serv-U supports both IPv4 and IPv6 for next-generation networks. Serv-U's multi-protocol support means that users can employ whatever access method is available to them when connecting to your server.

Using the Serv-U File Server. family.Chapter 1: Serv-U File Server The following graphic shows a high level overview of a Serv-U deployment. and clients l l l Provide employees in the field with a central location to send and receive data files Use full group support that streamlines user creation and maintenance View images in thumbnails and slide shows. The Serv-U File Server maintains the Serv-U brand's legendary feature set. you can perform the following actions: l Access files from anywhere l Share files with friends. generated on-the-fly to minimize bandwidth usage 21 .

scripted transfers. FTPS or HTTPS. or both. Serv-U MFT Server is designed for businesses of all sizes that need to secure data in transit through SFTP. a commercial license or maintenance renewal provides you with free software updates and free technical support through email. * . and smaller number of users and domains supported on a single server. NT/SAM.Serv-U editions l Administer the server through a custom-built web interface l Chat with FTP clients and view session logs in real time l Customize FTP command responses l l l l l l Create custom limits and rules at a granular level to control resource usage on the server Connect securely using SSL/TLS or SSH2 Use third party digital certificates to guarantee the identity of the server to clients Host multiple domains on the same IP address and port Use multiple sources of authentication on the same domain (local user database. depending on your edition. phone. After the evaluation period expires. authentication through Active Directory or a 22 . Serv-U FTP Server is designed for small businesses and project teams requiring FTPS to secure FTP. for the duration of the associated maintenance plan. It also adds remote administration through web browsers and iPad.Requires Serv-U MFT Server Serv-U editions Serv-U is available in two editions to support the different needs of different organizations. ODBC) Automatically build the tables necessary for ODBC authentication You can test Serv-U MFT Server in a non-production environment for a specific period of time.

an email containing the registration details is immediately sent. Send an email purchase order. and branding. see the Serv-U FTP Server Editions Information. Send a mail directly to SolarWinds to the following address: 23 . How to purchase Serv-U Serv-U is available as a fully functional MFT Server trial for 30 days after the date of initial installation. clustering and event-driven automation. JPG. You can find pricing information at the Serv-U FTP Server pricing web page. Choose which edition of the Serv-U File Server is required and the quantity to purchase. If you have lost your registration ID. 2. It also includes the FTP Voyager JV module for a rich "sync and side-by-side" web client interface. and mobile device support. You can send a purchase order to SolarWinds in one of the following ways: 1. to a marketing representative at the Serv-U Sales web page. For a feature-by-feature comparison of the versions. Both editions contain FTP. You can purchase a license online at the Serv-U website. visit the Online Customer Service Center to retrieve it.Chapter 1: Serv-U File Server database. 3. Send a fax purchase order to +1 512 682 9301. You must purchase a Serv-U File Server license before adding an FTP Voyager JV license to your shopping cart. preferably in a PDF. When the purchase has been completed. or GIF format. If you do not receive it within an hour. Both editions also support the optional Serv-U Gateway module. web transfer. you must purchase a Serv-U license. which is a reverse proxy component that prevents “data at rest” in a DMZ segment. Discount pricing applies for bulk purchasing. check your spam filter to make sure that the email has not been filtered. To continue using Serv-U with its full set of features.

TX 78735 USA 24 .How to purchase Serv-U SolarWinds 7171 Southwest Parkway Bldg 400 Austin.

The following table lists the requirements in the case of modest traffic: up to 500 configured users and 25 simultaneous transfers. Hardware requirements Most modern operating systems require higher hardware specifications. Hardware Minimum requirement CPU 1 GHz+ RAM 256 MB+ Network 10/100 Mbps NIC Hard drive space 30 MB Video 128 MB Video RAM The hardware requirements of Serv-U are modest. but Serv-U can take advantage of multicore processors and multiple processor architectures. and browser requirements that you must meet to run Serv-U. Hardware Minimum requirement for modest traffic CPU 2 GHz+ multicore RAM 2 GB+ 25 .Chapter 2: Getting started System requirements This topic contains detailed information about the minimum hardware. Use minimum operating system requirements instead where applicable. operating system.

2 GHz+ multicore RAM 4 GB+ Network 10/100/1000 Mbps NIC Hard drive space 120 GB Video 128 MB Video RAM Operating system and software requirements We recommend the use of Microsoft Windows Server 2008 R2 or Red Hat Enterprise Linux v6 with our Serv-U and Serv-U Gateway deployments. Operating system or software Microsoft Windows Requirement l Windows Server 2012 l Windows Server 2012 RC2 l Windows Server 2008. 64-bit and 32-bit editions are supported unless otherwise noted (or not available). but we also support other Windows and Linux operating systems. 2008 R2.Chapter 2: Getting started Hardware Minimum requirement for modest traffic Network 10/100/1000 Mbps NIC Hard drive space 120 GB Video 128 MB Video RAM The following table lists the requirements in the case of high traffic: up to 10 000 configured users and 250 simultaneous transfers. 2008 SP2. Hardware Minimum requirement for high traffic CPU Multiple 3. and 2008 R2 SP1 26 .

27 .6.7.Client requirements Operating system or software Requirement l l Linux Database server (optional) LDAP server (optional) Windows Server 2003 SP2 and 2003 R2 SP2 Windows XP SP2. Windows 7.4 Client requirements The default web browser on many mobile devices can be used to transfer files. 2012 SP1 l MySQL 5. or run the web-based Management Console of Serv-U without any plugins.4 l OpenSUSE l MS SQL 2012.1 for trial purposes l Red Hat Enterprise Linux (RHEL) v. 2008 and 2012 l Open Directory 4 l OpenLDAP 2. Windows 8. However.7.4 l PostgreSQL: latest version l Active Directory 2003.3 and 5. work with files and folders. Windows 8. Javascript and cookies must be enabled.4 l Fedora 19 l Ubuntu l CentOS 6. Windows Vista.

for file management and for web administration purposes: l Microsoft Internet Explorer 8. download.0+ l Mozilla Firefox: latest two versions l Safari 5 and 7 l Google Chrome: latest version l Mobile browser The following Java versions are supported Web Client Pro and FTP Voyager JV: l Java JRE 7 and 8 Notes: l To be able to use Web Client Pro and FTP Voyager JV. Java must be installed and enabled in the browser. manage. manage. and preview files Amazon Kindle Fire upload. run the Management Console Apple iPod download. manage.Chapter 2: Getting started The following functionality is supported on the following devices: Device Supported functionality Apple iPhone 3+ download. and preview files BlackBerry upload. download. manage. and preview files. download. manage. manage. manage. and preview files Google Android 2. download.2+ upload. and preview files The following major browsers are supported with the basic web client. and preview files Microsoft Windows Mobile upload. 28 . and preview files Apple iPad 1+ download.

hierarchical unit.6 installed. the domain. However. Server concepts The Serv-U File Server makes use of several concepts that help you understand how to configure and administer your file server as a single. only the group level is optional. all the groups and user accounts that belong to the domain inherit the domain value as their default value. Apple Macintosh users must have at least Mac OS X 10. Inherited settings can be overridden at each of these lower levels. Domain A server can contain one or more domains. Domains are the interface through which users connect to the file server and access a specific user account. The Serv-U File Server contains a set of default options that can be overridden on a per setting basis. groups. The following section contains an explanation of each configuration level: Server The server is the basic unit of the Serv-U File Server and the highest level of configuration that is available. Domains. 29 . groups. the group. The server is at the top level of the hierarchy of configuring Serv-U. and the user. some settings are exclusive to the server. If a server setting is overridden at the domain level. all the other levels are mandatory parts of the file server. A domain also defines the collection of settings that all of its groups and user accounts inherit.Server concepts l l Web Client Pro does not work on Linux in Google Chrome version later than v35 due to an incompatibility between Chrome and the Java browser plugin. Of all of these. and users. The settings of a domain are inherited from the server. and users inherit their default settings from the server. such as the PASV port range. It represents the file server as a whole and governs the behavior of all domains. The Serv-U File Server contains four related levels of configuration: the server.

For example. User collections must be maintained manually when user accounts change group membership. collections can be created to organize user accounts based on group membership. By using a group. a user collection does not offer any level of configuration to the user accounts they contain.Chapter 2: Getting started Group The group is an optional level of configuration that can make it easier to manage related user accounts that share many of the same settings. FTPS. SFTP. Listener A listening service in Serv-U that is configured in a domain to accept incoming FTP. HTTP or HTTPS connections. or the group does not define a default setting). 30 . User The user is at the bottom of the hierarchy. Virtually every user level setting can be configured at the group level. User collection Contrary to groups. or can be overridden at the user level. a user collection offers a way to organize users into containers for easy viewing and administration. A group defines the collection of settings inherited by all users who are members of the group. Instead. A user account identifies a physical connection to the file server and defines the access rights and limitations of that connection. A group inherits all of its default settings from the domain it belongs to. It can inherit its default settings from multiple groups (if it is a member of more than one group) or from its parent domain (if it is not a member of a group. Glossary This topic contains the list and definition of terms that are frequently used in the Serv-U File Server. you can make changes that propagate to more than one user account instead of having to manually configure each user account separately. Settings overridden at the user level cannot be overridden elsewhere and are always applied to connections authenticated with that user account.

Rules set up at the server and domain levels define who is allowed to make an initial connection to Serv-U. Serv-U events are used to automate behavior and to provide greater visibility of important file transfer processes. Limits can be set for password complexity requirements. IP access rules IP access rules are used in Serv-U to determine who can connect to the server. User Login or File Upload Failed). and also how they may access it. Rules set up at the group and user levels define who can connect using a given user account. Event A Serv-U event primarily consists of an event type (for example. and an action type (for example. By handling only IP addresses who repeatedly fail to log on correctly. domain. Anti-hammering A Serv-U feature which allows administrators to block IP addresses who attempt to connect repeatedly with incorrect credentials. Directory access rules are the foundation of file access rights.Quick start guide Limit A configuration option that can be set at the server. Web Client customization. anti-hammering allows for smart blocking of bots and hackers. domain. and more. because they determine what a user may and may not access. Show Balloon Tip or Send Email). create your first domain. session timeout. and add a user account to 31 . or user level. Directory access Directory access encompasses all of the permissions applied to a server. group. This quick start guide helps you install the server. Quick start guide Serv-U is simple to configure with the flexibility and control you require to easily share files with others under the best security possible. group and user that grant and deny access to files and folders.

make sure that you create a backup of the original installation folder. follow the instructions on the installation screens to choose the installation directory and to configure desktop shortcuts for quickly accessing the server.Chapter 2: Getting started the new domain. the Serv-U Management Console is started. 32 . You can also choose to install Serv-U as a system service. Swedish. Italian. If Serv-U is not installed as a system service. Serv-U supports installation in English. they can select any language they want from the list of supported languages. before any user logs on to the system. At this point you are selecting only the default language for the Management Console. This is useful if Serv-U is run on a dedicated server that does not regularly have an interactive user session logged on to it. Serbian. German. you can launch it by double-clicking the Serv-U icon in the system tray. you will be able to connect to your new file server and start transferring files. Installing the Serv-U file server If you are installing Serv-U for the first time. your database. Upgrading Serv-U Before installing Serv-U over an existing Serv-U installation. French. Russian. or by right-clicking the Serv-U icon and selecting Start Management Console. When the installation is complete. When users connect to Serv-U. After you completed the following steps. Serv-U is automatically started when the server is started. If you chose not to have the Serv-U Management Console started after installation. If Serv-U is installed as a system service. Spanish. it has to be manually started after logging on to the server. and your configuration data first. and Simplified and Traditional Chinese.

clear your browser cache. the configuration files are stored in either of the following locations. it is considered good data management practice to back up critical components before upgrading them. Operating system Windows Vista Windows 7 Location of configuration files C:\ProgramData\RhinoSoft\Serv-U (the location is Hidden in Windows by default) Windows 8 Windows Server 2008 Windows Server 2012 Windows XP C:\Program Files\RhinoSoft\Serv-U Windows Server 2003 Linux /usr/local/Serv-U Even though Serv-U can be safely installed over any existing installations and performs any necessary upgrades to data files and binaries. After creating the necessary backups. you are prompted whether you want to create a new domain if no domains are currently present. Note: If you experience problems with the Management Console after upgrading Serv-U.Creating domains Depending on your operating system. Creating domains When the Management Console finished loading. 33 . follow the installation instructions in the previous section to upgrade your Serv-U instance.

and does not have access to any files or folders unless you explicitly grant them access.Chapter 2: Getting started Serv-U domains are collections of users and groups that share common settings. 4. Type a unique name and an optional description for the new domain. Note: Having users sharing the same domain does not mean that all users have access to the same files. 34 . The name serves as an identifier for the domain to make the identification and management of the domain easier for administrators. 5. clear the Enable domain check box. select the protocols and port numbers the domain should use to provide access to its users. or both. 2. If you want the domain to be temporarily unavailable to users while you are configuring it. The name must be unique so that it can be distinguished by Serv-U from the other domains on the server. with no need to create separate domains. In most cases. 3. On the Protocols page. all of your users and settings will exist in the same domain. nor does it affect the way the domain is accessed by others. and then click Next. Decide whether you want the domain to be a File Transfer Domain. such as transfer rate limitations. Click + (New Domain) at the top of the Management Console. Each user in Serv-U has unique permissions to the directories you define. Click Yes to start the domain creation wizard. service listeners. Click Next. and then click Next. Note: The domain name is not visible to any of its users. a File Sharing Domain. You can run this wizard at any time by clicking + (New Domain) at the top of the Management Console. To create a new domain: 1. and directory access rules. perform the following steps: a. l If you are setting up a File Transfer Domain only.

l If you are setting up a File Sharing Domain only. c. select the appropriate option. If you want to run the server on a non-default port. you can change any of the available ports to a value you want. see Domain limits and settings. 35 . If you want to enable users to recover their passwords. it is recommended that you use a port above 1024. specify the IP address that is used to connect to this domain. select the encryption mode you want to use when storing passwords on the domain. d. specify the domain URL. Note: If you do not specify an address. Click Finish to create the domain. the file sharing repository. On the Encryption page. Serv-U will use any available IP address on the computer. or click Back to modify the settings you specified. e. An SMTP server is necessary for sending email notifications. and whether you want to use secure URL. Note: For more information about password encryption modes. perform the following steps: a. and then click Next. For more information about the supported protocols in each Serv-U edition. see Serv-U editions. b.Creating domains Note: The standard file sharing protocol is FTP. b. On the IP Listeners page. On the File Sharing page. which operates on the default port of 21. Click Configure SMTP to set up an SMTP server. and for events that use email actions. However.

Click Finish to create the domain. On the Protocols page. it is recommended that you use a port 36 . Click Next. Note: If you do not specify an address. select the protocols and port numbers the domain should use to provide access to its users. An SMTP server is necessary for sending email notifications. you can change any of the available ports to a value you want. For more information. or click Back to modify the settings you specified. and then click Next. However. Click Configure SMTP to set up an SMTP server. the file sharing repository. and whether you want to use Secure URL. c. On the IP Listeners page. specify the IP address that is used to connect to this domain. specify the domain URL. Click Next. see Configuring SMTP settings. Serv-U will use any available IP address on the computer. perform the following steps: a. On the File Sharing page. b. see Configuring SMTP settings. and for events that use email actions. If you want to run the server on a non-default port. l If you are setting up a File Transer and File Sharing Domain.Chapter 2: Getting started Note: You can configure the SMTP server at a later time as well. d. d. Note: You can configure the SMTP server at a later time as well. Note: The standard file sharing protocol is FTP. e. For more information. c. which operates on the default port of 21.

specify the IP address that is used to connect to this domain. On the Encryption screen. and then clicking Wizard on the Users page. Other domains on your server can have an account with the same login ID. you are taken to the user's page of the Management Console and you are asked whether you want to create a new user account with the User Wizard. g. First. see Domain settings. Click Yes to start the User Wizard. For more information about the supported protocols in each Serv-U edition. or click Back to modify the settings you specified. Note: For more information about password encryption modes. Note: If you do not specify an address. h. If you want to enable users to recover their passwords. Click Finish to create the domain. You can configure additional properties for a domain. The login ID must be unique for the particular domain. see Domain limits and settings. provide a unique login ID for the account. e. Creating user accounts After your first domain is created. see Serv-U editions.Creating user accounts above 1024. f. You can run this wizard at any time by navigating to the Users menu under Global or Domain. For more information about the available configuration options. select the encryption mode you want to use when storing passwords on the domain. Serv-U will use any available IP address on the computer. select the appropriate option. and then click Next. 37 . This login ID is used to begin the authentication process when the user connects to the domain. On the IP Listeners screen.

This way you can 38 . Additionally. family. you must also specify a password for the account. Click Next to continue. that allows anyone who knows the login ID to access your domain. The third step is to specify a home directory for the account. however. Click Next to proceed to the last step. Click Browse to browse to a location on your hard drive. you can configure the access rights on a more granular basis by editing the user. The Serv-U File Server is now accessible and ready for sharing. The default access is Read Only.Chapter 2: Getting started To create an anonymous account. or type the location. The full name provides a canonical name with which to refer to the user account. access rights can be inherited by all subdirectories contained in an accessible directory. After specifying a unique login ID. which means that the user can list files and folders in their home directory and can download them. You can leave this field blank. or colleagues. However. After selecting the directory access rights. Access rights are granted on a per directory basis. they are not able to access files or folders above the directory structure of their home directory. they cannot upload files. the actual location of their home directory is masked and displayed as "/". the user can do all of these things. or rename files or folders. If users are locked in their home directory. It is the location you want the user account to use when sending and receiving files on the server. After the user is created. Click Next to continue. and selecting the Directory Access page. If Full Access is selected. click Finish to create the user account. create new directories. Each user can have a different home directory. You can also specify a full name and an email address for the user account. or on an accessible network resource that the user account is placed in after a successful login. The email address is used by Serv-U to send email notifications and recovered passwords to the user account. delete files or folders. The last step is to grant access rights to the user account. The home directory is the location on the hard drive of the server. specify anonymous or ftp as the login ID. However. You can create more accounts just like this one to share it with other friends.

use the syntax in the following example: www. and more. see Configuring user accounts.example. see Using file sharing. You can create special login links. To send file sharing invitation emails. playlist=1 Starts the Web Client in media mode. For more information about these options. bypassing the need to log in. start audio files immediately. domain users can send or receive files from guests. There are several more configurable options with which you can fine-tune the way a user account can access the server. you can enhance the login process in various ways. To specify URL parameters. showing a slideshow of all images. This configuration only needs to be set once for the entire server or a domain. you must configure your SMTP settings. but should not be used for confidential or protected information. thumbnail=1 Starts the Web Client in thumbnail mode.Sharing files share different files with different people. Using URL parameters By using URL parameters. showing thumbnails of images. 39 . users can automatically send their login ID and password. slideshow=1 Starts the Web Client in slideshow mode. Note: File sharing is disabled by default. playing audio or video files in order. This can be convenient for audio or video.com/?user=admin&password=test The following parameters are supported in Serv-U: user=username&password=password Allows the Login ID and password to be sent automatically to Serv-U. Sharing files By using the file sharing feature. For more information. By using the special login links.

and then the list of configured domains. respectively. file=file_name Specifies a file to download immediately after login. information about the active sessions. playing video files only. The Serv-U Management Console The Serv-U Management Console is designed to provide quick and easy access to the configuration options of the file server in a familiar way. By default. Management Console layout The Management Console is presented in an accordion style layout.Chapter 2: Getting started playmedia=1 Starts the Web Client in media mode. dir=directory_name Specifies which directory to browse to immediately after login. The column accepts the integer values 1 . you can return to the main Management Console page at any time by clicking the Serv-U File Server logo in the upper left corner. and the global dashboard on the right.3. The accordion menu contains the name of the server on top. and then select one of the options. the Web Client attempts to download the specified file from the specified folder. with an accordion list on the left. or time. When viewing a configuration page. The global dashboard contains the session statistics. the Web Client attempts to download the file from the home directory. size. for sorting by name. 40 . and it also provides direct access to the thwack community. Click the name of the server or a domain to expand the list of configuration options available for the server or for the particular domain. If the dir parameter is used in conjunction with the file parameter. the server log. sortcol=column Specifies the column by which to sort the files in the Web Client.

When an option inherits its value from a parent. an HTTP session can be launched by clicking Serv-U Products > Web Client on the top toolbar. click the Serv-U Management Console icon in the top left corner. all related subcategory pages are displayed in tabs on the same page. Note: To use FTP Voyager JV. Understanding user interface conventions To better illustrate the user interface conventions. However. the text of the value is displayed in bold. the Web Client is available and runs from within the browser. FTP Voyager JV can also be launched by clicking Serv-U Products > FTP Voyager JV. and do not have access to the server-level categories that are displayed to system administrators. The value that is displayed (whether it is a text value or a check box) can change to reflect changes made to the parent where the item is currently inheriting its value. Launching the Web Client While configuring the Serv-U File Server. When opening a category from the Management Console. To return to the global dashboard. the text of the option is displayed in regular font. The value that is currently displayed is always the value of that option. This allows for quick navigation between related configuration options. regardless of changes to its parent. consider the following use 41 . If licensed for use. and also indicates whether that value is the default or inherited value. User interface conventions The Serv-U File Server uses a consistent method of representing configuration options in a manner that conveys the current value of the option. you must install the Java Runtime Environment. If licensed for use. if the value is overriding the default.Launching the Web Client Domain administrators only have access to configuring settings and options for their particular domain.

Each technician has their own account on the file server. The administration privilege level of this group is set to No Privilege because none of the technicians have any file server administration duties. is a computer repair company that maintains a Serv-U File Server which provides global access to shared corporate resources to their traveling technicians. The text of this option turns bold to reflect that it is overriding the default value (No Privilege) that the user account inherits from its membership of the "Technician" group. In addition to his current technician duties. At a later date. the file server administrator makes each user account a member of the "Technician" group. Example Technology Co. A technician receives a promotion.Chapter 2: Getting started case. the administration privilege can be reverted to the default value which is inherited from the "Technician" group by selecting the Inherit default value option from the Administration Privilege list. 42 . The file server administrator can edit the technician's user account and change the technician's administration privilege level to Domain Administrator. To facilitate easy administration of the user accounts. he is also given administration privileges on the file server so he can assist other technicians with their accounts.

Specifying IP access masks IP access rules use masks to authorize IP addresses and domain names. IP access rules are applied in the order they are displayed. fe80:0:0:0:a450:9a2e:ff9d:a915 (IPv6. Server details IP access rules restrict login access to specific IP addresses.Chapter 3: Server On the Serv-U File Server you can configure certain settings at the server level. and wildcards made up of the following elements: xxx Stands for an exact match. ranges. 43 . The arrows on the right side of the list can be used to change the position of an individual rule in the list. specific rules can be placed at the top to allow or deny access before a more general rule is applied later on in the list. or a domain name. The masks can contain specific values.2.0-19 (IPv4). group. If you configure a setting at the server level. such as 192. long form) or fe80::a450:9a2e:ff9d:a915 (IPv6. IP access rules. ranges of IP addresses. and domains on the server unless it is overridden at a lower level.0 (IPv4). groups. such as 192. xxx-xxx Stands for a range of IP addresses. The following sections contain detailed information about each setting and how it can be configured.2.0. the setting applies to all users. In this way. Settings you can configure at the server level include directory access rules. shorthand).0. bandwidth limitations. IP access rules can be configured at the server. and more. global user accounts. and user levels. domain.

or fe80::a450:9a2e:ff9d:a915-a9aa (IPv6. If you use both IPv4 and IPv6 listeners.*.*.2. 44 . fe80:0:0:0:a450:9a2e:ff9d:a915-a9aa * Stands for any valid IP address value.*. Use the *:* mask to match any IPv6 address. add Allow ranges for both IPv4 and IPv6 addresses. Matching all addresses Use the *. / Specifies the use of CIDR notation to specify which IP addresses should be allowed or blocked. addresses matched by a wildcard or a range will be subject to anti-hammering prevention. connections from any IP address are accepted. such as 2001:db8::/32. ? Stands for any valid character when specifying a reverse DNS name.Chapter 3: Server (IPv6. This is also known as an implicit 'Deny All' rule. or fe80::a450:9a2e:ff9d:*.0. Implicit deny all Until you add the first IP access rule. These IP addresses are whitelisted. such as server?. Caveats Specific IP addresses listed in Allow rules will not be blocked by anti-hammering.2.*. However. which is analogous to 192.*) and /24 (for 1. CIDR notation also works with IPv6 addresses. all connections that are not explicitly allowed will be denied.2.0-255. make sure you add a 'wildcard allow' rule (such as Allow *. long form).0. which is analogous to fe80::a450:9a2e:ff9d:0-ffff.2.*. After you add the first IP access rule.* mask to match any IPv4 address.example.*.3. such as 192.*). /16 (for 1.*) at the end of your IP access rule list.*.*). With this in mind. shorthand). Common CIDR blocks are /8 (for 1.*.com.

blocked IP addresses appear in the domain that contains the listener. Server and domain level IP access rules are applied before the welcome message is sent. Serv-U performs either a reverse DNS lookup or DNS resolution to apply these rules. Blocked IP addresses do not appear in the server IP access list. IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. even if anti-hammering is configured at the server level. you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain. You can configure an anti-hammering policy server-wide in Server Limits and Settings > Settings and domain-wide in Domain Limits and Settings > Settings. This can cause a slight delay during login. depending on the speed of the DNS server of the system. If you create a rule based on a domain name or reverse DNS. 45 . If you have multiple domains with different listeners. Rule use during connection The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. Anti-hammering You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server.Caveats DNS lookup If you use a dynamic DNS service. You can also specify reverse DNS names.

Displaying the IP access list in sort mode does not change the order in which rules are processed. You can unblock any blocked IP early by deleting its entry from the list. To view rule precedence. Using the sort mode By using the sort mode. Viewing the IP access list in numerical order can be a valuable tool when you review long lists of access rules to determine if an entry already exists. IP access list controls The following section contains a description of the options that are available on the IP Access page. disable this option. you can sort the IP access list numerically rather than in the processing order. 46 .Chapter 3: Server The Expires in value of the blocked IP counts down second by second until the entry disappears.

and then specify the path and the file name you want to save the list to.2. and it should be added to either the contractor's user account or a Contractors group that contains multiple contractors. The related Serv-U access rule should be Allow 192.192.024. groups. CIDR block.0.*. and the server by using a text-based CSV file.*.0. To import IP access rules. Description A text description of the rule for reference purposes.2.0. Case File: Prohibited computers Users should normally be able to access Serv-U from anywhere. view the list of rules to export.Examples Importing and exporting IP access rules You can export and import Serv-U IP access rules from users.2.0 192. except from a bank of special internal computers in the IP address range of 192.24.24. Examples The following sections provide examples about the usage of IP address rules. or to 1 for Allow.*. or domain name for which the rule applies. including the headers: IP The IP address. and these should both be added to either the 47 . IP range.0.0.2. To export IP access rules. and only in the office. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list. Case File: Office-only access A contractor has been hired to work in the office. click Export. Office workstations have IP addresses in the range of 192.0. followed by Allow *.0 . The related Serv-U access rules should therefore be Deny 192.2. Allow Set this value to 0 for Deny. click Import and select the file that contains the rules you want to import. domains.2. The CSV file must contain the following fields.0-24.

and these should both be added to the domain IP access rules. Case File: DNS-based access control The only users allowed to access a Serv-U domain will be connecting from *.example. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list. or opening connections from the DMZ to the internal network.example.com in any order.example1.example1.com or *. Serv-U Gateway Serv-U Gateway provides defense in depth to Serv-U deployments.com and Allow *. The related Serv-U access rules should therefore be Allow *. It acts as a reverse proxy in DMZ segments and prevents your Serv-U deployments from storing data in the DMZ.com.Chapter 3: Server domain or the server IP access rules. 48 .

and other high-security requirements. Deploying Serv-U Gateway The following documents contain detailed information about the deployment of Serv-U Gateway: l Serv-U Distributed Architecture Guide l Serv-U Gateway Installation Instructions l l For Windows l For Linux Planning Your Serv-U Gateway Deployment 49 . managed file transfer.Serv-U Gateway This type of architecture is essential to meet PCI DSS.

A status icon is displayed on the left of the gateway address.The Status column displays a brief message that indicates the current status of the gateway. 50 . Serv-U periodically checks every configured gateway and displays a brief status message here. Gateway Address column The gateway address is the IP address on the Serv-U Gateway that Serv-U uses to communicate with Serv-U Gateway.Chapter 3: Server Serv-U Gateway tab The Serv-U Gateway page in Server Details displays all configured gateways known to the Serv-U deployment. This should almost always be a private IP address.

l The gateway is ready but the Serv-U installation is running close to the end of the trial period. and then select Properties. l An error occurred. However. Click Edit to edit existing gateway configurations. which is common during trials and situations in which the gateway is placed behind NAT (network address translation).Serv-U Gateway The icon in the Gateway Address column changes to reflect the current gateway status. Public IP Address column The Public IP Address column shows the IP address file transfer clients should connect to. 51 . It does not affect behavior in any way. A private IP address is displayed in the Public IP Address column if a private IP address was explicitly configured in the gateway. l Serv-U is checking the status of the gateway. l The gateway is ready for connections. the gateway still needs listeners to receive connections. This will be the case if the gateway has no public IP addresses. For more information about why it is not possible connect to the gateway. Another status will appear in a few seconds. or support period. Click Delete to delete existing gateway configurations. select the gateway entry. Managing gateways in Serv-U Click Add to add new gateway configurations. Description column The Description column displays any note that is added to the gateway configuration.

Serv-U Gateway Add/Edit dialog The Gateway Address is the IP address on the Serv-U Gateway that Serv-U uses to communicate with Serv-U Gateway. The Description is an optional note that describes the gateway. It has no effect on the behavior. The Enable Gateway option is used to turn the gateway on and off. The Port is the TCP port on the Serv-U Gateway that Serv-U uses to communicate with Serv-U Gateway. This should almost always be a private IP address. The default is selected. This button only displays complete properties when Serv-U is connected to the gateway. The Public IP Address field should contain the IP address file transfer clients should connect to. 52 . A private IP address should be entered in the Public IP Address field if the gateway has no public IP addresses.Chapter 3: Server Click Properties to view detailed status about and add licenses to existing gateway configurations. This is common during trials and situations in which the gateway lives behind NAT (network address translation). The default is TCP port 1180.

and whether or not it is running with a trial or commercial license. This is expected behavior. 53 . If a private address is configured in the Public IP Address field of the gateway. The Available Public IP Addresses field contains a list of all the public IP addresses automatically detected on Serv-U Gateway. this field displays a message indicating that no public IP addresses are found on the gateway server.Serv-U Gateway Properties dialog Serv-U Gateway Properties dialog Status area The large icon in the Status area and a status message indicate if the gateway is running.

To configure a database. Registration ID area Copy and paste your Serv-U Gateway Registration ID (not your Serv-U Registration ID) into this field. and the password. Serv-U can automatically create all of the tables and columns that are necessary to begin storing users and groups in the database. 2. and then click Save to apply a commercial license to your Serv-U Gateway software.Chapter 3: Server Install information area The Install Information area shows the version and build date of the Serv-U Gateway software running on the gateway. Open the Serv-U Management Console and browse to the appropriate domain or server database settings. but you can use any database that has an ODBC driver available. With these options selected. the server as well as each domain must have a unique ODBC connection to ensure they are stored separately. Because Serv-U uses one set of table names to store its information. Create an ODBC connection for Serv-U to use. In other words. or a User DSN if Serv-U is operating as a regular application. leave the Automatically create options selected. Configuring database access Serv-U enables the use of an ODBC database to store and maintain group and user accounts at both the domain and server levels. the date Serv-U Gateway was installed or last updated. if applicable. and then click Save. the login ID. perform the following steps: 1. Use a System DSN if Serv-U is operating as a system service. the Serv-U 54 . and. the number of days left in the evaluation period. If you configure the database connection for the first time. You can configure the ODBC connections in two locations: Domain > Domain Details > Database and Server > Server Details > Database. Enter the Data Source Name (DSN). individual ODBC connections must be configured for each item which stores details in the database. SolarWinds recommends MySQL.

The Attribute column lists the attributes that are stored in the current table. Using SQL templates Serv-U uses multiple queries to maintain the databases that contain user and group information. Click Edit or double-click the column name to edit a value. Only the User/Group Info Table and User/Group Dir Access Table are required. you may need to alter these queries. 55 . you can modify each query used by Serv-U to conform to the standards supported by your database. These queries conform to the SQL language standards. Warning: Incorrectly editing these SQL queries could cause ODBC support to stop working in Serv-U. However. Serv-U automatically creates and maintains the tables and columns that are necessary to store user and group information in a database. The first row displays the "TableName" and can be used to change the name of the table. if your database have problems working with Serv-U. However. Serv-U stores information for a user or group in 10 separate tables. if you want to connect Serv-U to an existing database which contains this information. Do not edit these queries unless you are comfortable constructing SQL statements and are positive that it is necessary to enable ODBC support with your database software. The Mapped Database Value displays the name of the column that attribute is mapped to in the database. you must customize the table and column names to conform to the existing database structure. Click User Table Mappings or Group Table Mappings to get started. You can change the current table in the Object Table list. Certain tables where the order of the entries is important have a SortColumn attribute listed. In the SQL Templates window. Using user and group table mappings By default.Configuring database access File Server builds the database tables and columns automatically. This column is used to store the order in which rules are applied.

Use a System DSN if Serv-U is running as a service or a User DSN if Serv-U is running as an application. allowing for scripted account management and maintenance. To use ODBC functionality. because the fields will appear in dialogs. Per User Bytes Ratio. For example. Use caution when you disable tables. After you created the appropriate DSN. you can create a DSN after installing the following packages: l mysql-connector-odbc l postgressql-odbc l unixodbc 56 . Per Session Files Ratio. accounts can be managed from outside the Serv-U Management Console through scripted database operations which can be built into many existing account provisioning systems. specify the data source name. You can manage database users and groups in the Database Users and Database Groups pages of Serv-U. Case file: ODBC authentication Authentication in the Serv-U File Server can be handled through an ODBC database.Chapter 3: Server When enabled. In special situations a table that is not being used can be disabled to reduce the number of ODBC (database) calls. migrate to ODBC authentication through a database. the table is accessed as needed. ServU creates the tables and columns transparently. Per User Files Ratio. login ID and password. A DSN must first be created in Control Panel > Administrative Tools > ODBC Data Sources. if you do not use ratios and quotas. Creating data source names in Linux Database access in Serv-U on Linux follows the same method as Serv-U on Windows. and then click Save. By storing credentials in settings in a database. The User Info and Group Info tables cannot be disabled. with the one change in how data source names are created. you can disable the User Ratio-Free Files. located near the normal Users and Groups pages. but they will not be saved or loaded. On Linux. and Per Session Bytes Ratio tables to prevent unnecessary ODBC calls.

log Database = YOURDATABASE Servername = YOURIPADDRESS UserName = USERNAME Password = PASSWORD Port = 5432 Protocol = 6. and then enter the parameters as follows: [MySQL-test] Description = MySQL test database Trace = Off TraceFile = stderr Driver = MySQL SERVER = YOURIPADDRESS USER = USERNAME PASSWORD = PASSWORD PORT = 3306 DATABASE = YOURDATABASE [PostgreSQL-test] Description = Test to Postgres Driver = PostgreSQL Trace = Yes TraceFile = sql. edit the ~/odbc. which contains all system-level DSNs.Configuring database access Only the ODBC driver corresponding to the database needs to be installed. the next step is to edit the /etc/odbc.4 ReadOnly = No RowVersioning = No ShowSystemTables = No ShowOidColumn = No FakeOidIndex = No ConnSettings = Adjust the names in brackets to the DSN name string you want. 57 . If Serv-U is running as an application. see the Serv-U Database Integration Guide. For further customization options.ini file. If Serv-U is running as a service. test the DSN by using the isql %DSN% -c -v command. Finally.ini file instead.

Chapter 3: Server Using Serv-U events In Serv-U. 58 . you can use event handling which can perform various actions triggered by a list of selected events.

59 . according to logging settings. This event only triggers for graceful stops. or as part of normal server startup. Session Connection Triggered by a new TCP session connection. through the Enable Domain setting in the Domain Details > Settings menu. whether from service or applicationlevel status. or as part of normal server startup. Server Stop Triggered by Serv-U shutting down. Log File Deleted Triggered by the automatic deletion of a log file.Using Serv-U events The following list contains the available actions: Server events Server Start Triggered by Serv-U starting up. Domain Stop Triggered by a Serv-U domain stopping. Session Connection Failure Triggered by a failed session connection attempt. Session Disconnect Triggered by a TCP session disconnection. according to logging settings. Log File Rotated Triggered by the automatic rotation of a log file. Server and domain events Domain Start Triggered by a Serv-U domain starting. through the Enable Domain setting in the Domain Details > Settings menu. whether by starting the Serv-U service or starting Serv-U as an application.

Chapter 3: Server Listener Success Triggered by a successful listener connection. and no errors are encountered. File Management Rule Success Triggered when a file management rule is applied. Listener Failure Triggered by a failed listener connection. Permanent Listener Success Triggered by a successful permanent listener connection. 60 . Gateway Listener Failure Triggered by a failed gateway listener connection. Permanent Listener Failure Triggered by a failed permanent listener connection. Listener Stop Triggered by a stopped listener connection. Gateway Listener Stop Triggered by a stopped gateway listener connection. Gateway Listener Success Triggered by a successful gateway listener connection. Permanent Gateway Listener Failure Triggered by a failed permanent gateway listener connection. Permanent Gateway Listener Stop Triggered by a stopped permanent gateway listener connection. Permanent Gateway Listener Success Triggered by a successful permanent gateway listener connection. Permanent Listener Stop Triggered by a stopped permanent listener connection.

User Logout Triggered by the logout of a user account. User Login Failure Triggered by a failed login. domain. or a session disconnect before authentication. incorrect SSH key pair (for SFTP public key authentication). user and group events User Login Triggered by the login of a user account.Using Serv-U events File Management Rule Failure Triggered when a file management rule is applied. File Management Automatic Move Triggered when a file is automatically moved to a different location by the server. 61 . incorrect password. Server. whether due to invalid credentials. User Disabled Triggered by the disabling of a user account that was previously enabled. User Password Change Failure Triggered by a failed password change attempt. User Password Change Triggered by the change of a password for a user account by the user (if permitted). A failed login is any connection attempt to ServU that fails. and at least one error is encountered. either due to an incorrect user name. or any or all of the above. User Enabled Triggered by the enabling of a user account that was previously disabled.

as configured in Limits & Settings. as configured by a user's Automatically Delete date. 62 . in an ODBC database. either due to lack of email address in the user account or lack of permissions. User Pre-delete Triggered by the upcoming deletion of a user account. Password Stale Triggered by a stale password. or in the local Management Console. or in the local Management Console. User Auto Deleted Triggered by the automatic deletion of a user account.Chapter 3: Server User Deleted Triggered by the deletion of a user account by a remote administrator. in an ODBC database. as configured in the user's Automatically Delete date and the Days before automatically deleting account to trigger the pre-delete event limit. as configured by a user's Automatically Disable date. User Added Triggered by the creation of a user account by a remote administrator. User Pre-disable Triggered by the upcoming disabling of a user account. as configured in the user's Automatically Disable date and the "Days before automatically disabling account to trigger the pre-disable event" limit. Password Recovery Sent Triggered by a successful password recovery by an end user. that is going to expire. Password Recovery Failed Triggered by a failed password recovery attempt. User Auto Disable Triggered by the automatic disabling of a user account.

Using Serv-U events User Email Set Triggered by a user setting the email address for a user account. per the Limits & Settings for the user account. group. Too Many Sessions Triggered by more sessions logging on to the server than are permitted. Session Timeout Triggered by a session timeout. 63 . IP Blocked Time Triggered by a failed login attempt due to an IP access rule that was automatically added by brute force settings. IP Auto Added To Access Rules Triggered by the automatic addition of an IP access rule due to a user triggering the "brute force" settings. Session Idle Timeout Triggered by an idle session timeout. configured in Domain Limits & Settings or Server Limits & Settings. domain. or server. User Email Set Failure Triggered by a failed attempt by a user to set the email address for a user account. group. domain. or server. IP Blocked Triggered by a failed login attempt due to an IP access rule. This event triggers for partial uploads if the upload session terminated with a successful message and no data corruption. Too Many Session On IP Triggered by more sessions logging on to the server from a specific IP address than are permitted. File Uploaded Triggered by a file uploaded to Serv-U. according to the Limits & Settings for the user account.

Creating common events You can automatically create a list of the most common events. Directory Deleted Triggered by the deletion of a directory.Chapter 3: Server File Upload Failed Triggered by a failed file upload to Serv-U. File Download Failed Triggered by a failed file download from Serv-U. File Download Triggered by a file downloaded from Serv-U. You can choose 64 . in the Limits & Settings menu. File Moved Triggered by the moving of a file on the Serv-U server by a user. File Deleted Triggered by the deletion of a file on the Serv-U server by a user. Directory Moved Triggered by moving a directory to a new location. The current quota space is shown in the user account. Directory Changed Triggered by changing the current working directory. Over Disk Space Triggered by exceeding the Max Dir Size configured for a directory access rule. Directory Created Triggered by the creation of a directory. Over Quota Triggered by going over disk quota space. or by using the Directory Properties option in the HTTP or HTTPS Web Client and FTP Voyager JV. The current disk space is shown with the AVBL FTP command.

Email actions contain a To. 65 . Separate email addresses by commas or semicolons. To add an email address. Using email actions You can configure email actions to send emails to multiple recipients and to Serv-U groups when an event is triggered. To send emails to a Serv-U group. Note: The Write to Windows Event Log and Write to Microsoft Message Queue (MSMQ) options are available for Windows only. You can use special variables to send specific data pertaining to the event.Using event actions to create these common events using email or balloon tip actions. For more information about the variables. Click Create Common Event in the Events page. Select either the Send Email or Show balloon tip option for the action you want to perform on the common events. Using event actions You can select from the following actions that will be executed when an event is triggered: l Send Email l Show Balloon Tip* l Execute Command* l Write to Windows Event Log (Windows only)* l Write to Microsoft Message Queue (MSMQ) (Windows only)* * Events involving anything other than email can only be configured by Serv-U server administrators. also enter an email address where the events are to be sent. use the Group icon to add or remove Serv-U groups from the distribution list. If you choose to send email. Subject and Message parameter. enter it in the To or Bcc fields. see System variables.

66 . For information about SMTP configuration. $LogFilePath for the Log File Deleted event). you can monitor and record Serv-U activity by using third-party network management software. For the Completion Wait Time parameter. you must first configure SMTP in Serv-U. see Configuring SMTP settings. A wait value should only be used to give an external program enough time to perform some operation. Balloon tip actions contain a Balloon Title and a Balloon Message parameter. see System variables. such as move a log file before it is deleted (for example. and a Completion Wait Time parameter. Execute command actions contain an Executable Path. You can use special variables to send specific data pertaining to the event. see System variables. For more information about the variables. Command Line Parameters. you can enter the number of seconds to wait after starting the executable path. This is normally either a human-readable message (for example. Using balloon tip actions You can configure balloon tip actions to show a balloon tip in the system tray when an event is triggered. You can use special variables to send specific data pertaining to the event. Enter zero for no waiting.Chapter 3: Server To use email actions. Using execute command actions You can configure execute command actions to execute a command on a file when an event is triggered. Writing to the Windows Event Log By writing event messages to a local Windows Event Log. Note: Any amount of time Serv-U spends waiting delays any processing that Serv-U can perform. All messages appear in the Windows Application Log from a source of "Serv-U". For more information about the variables. This event has only one field: l Log Information: The contents of the message to be written into the event log.

This normally only works on public queues on the local machine. preventing Serv-U from writing events to the queue. You can also use ServU system variables in this field.Writing to Microsoft Queue (MSMQ) filename uploaded by person) or a machine-readable string (for example. Local. files have been picked up. This is normally a text string with a specific format specified by an enterprise application owner or enterprise architect. and then set the permissions so that SYSTEM (or the network account under which Serv-U runs) has permission to the queue. or many other activities have occurred. Serv-U attempts to create it. filename|uploaded|person). Remote queues can be addressed when a full path (for example. Message Body: The contents of the message to be sent into the queue. depending on who or what is expected to read these messages. right-click it. Serv-U system variables are supported in this field. public queues on the local machine can be addressed when a full path is not specified (for example. after creating the queue in MSMQ. Writing to Microsoft Queue (MSMQ) Microsoft Message Queuing (MSMQ) is an enterprise technology that provides a method for independent applications to communicate quickly and reliably. This field can be left blank. MessageServer\Serv-U Message Queue) is specified. Serv-U system variables can also be used in this field. Note: Microsoft message queues created in Windows do not grant access to SYSTEM by default. Corporations can use this feature to tell enterprise applications that files have arrived. partners have signed on. 67 . . select Properties. To correct this. but usually is not. This field may be left blank. but usually is not. Serv-U can send messages to new or existing MSMQ queues whenever a Serv-U event is triggered.\Serv-U Message Queue or Serv-U Message Queue). These events have the following two fields: l l Message Queue Path: The MSMQ path that addresses the queue. If the specified queue does not exist.

The Filter Comparison contains the evaluation that must occur for the event to trigger. You can do this by controlling the various variables and values related to the event and by evaluating their results when the event is triggered. you can configure a File Uploaded event to only send an email when the file name contains the string important. used to identify the filter for the event. AND is used. a filter can be configured so that only the user "admin" triggers the event. by using an event filter. l Filter Comparison: This is the most critical portion of the filter. Additionally. Event filter fields Each event filter has the following critical values that must be set: l l l Name: This is the name of the filter. abnormal bandwidth usage of less than 20 KB/s OR greater than 2000 KB/s). By default. For example. you can control to a greater degree when a Serv-U event is triggered. Description (Optional): This is the description of the event. so an email would be sent when the file Important Tax Forms. the comparison will be If $Name = (is equal to) 68 . and all filters must be satisfied for the event to trigger. a standard Serv-U event might trigger an email each time a file is uploaded to the server. Logic: This determines how the filter interacts with other filters for an event. However. Serv-U events trigger each time the event occurs. the OR operator can be used if there are multiple possible satisfactory responses (for example. However.pdf is uploaded but not when other files are uploaded to the server. The function of AND is to require that all conditions be met. not triggering for failed HTTP or SFTP uploads. For example.Chapter 3: Server Configuring event filters By using Serv-U event filters. In most cases. which may be included for reference. you can configure a File Upload Failed event to run only when the FTP protocol is used. events can be triggered on a more targeted basis. In this case. For example. The event filter allows events to be triggered only if certain conditions are met.

and the data type will be string. data77.txt.txt l An event filter that compares the $LocalPathName variable to the string [CD]:\* matches any file or folder on the C: or D: drives. data7.txt.??? matches any file on the C: drive that ends in a three letter file extension.txt. The supported wildcards are the following: l * . An event filter that compares the $Name variable to the string A???? matches any five-character user name that starts with A.txt. Event filters also support wildcards when evaluating text strings. and data77. data77.txt. [687]. data. You can use multiple wildcards in each filter. An event filter that compares the $FileName variable to the string data?.The question mark wildcard matches any one character. data.txt and data8.Event filter fields admin.txt. For example: l l ? . data7.The asterisk wildcard matches any text string of any length. data.* matches files named data7 and data7.txt.txt. data77. data7. For bandwidth.The bracket wildcard matches a character against the set of characters inside the brackets. For example: l An event filter that compares the $FileName variable to the string [cC]:\*.txt but not data5.txt but not data. or data77. [] . or data77. data7. either an "unsigned integer" or "double precision floating point" value would be used. but only one character. An event filter that compares the $FileName variable to the string data? matches a file named data7 but not data. 69 .txt.txt. For example: l An event filter that compares the $FileName variable to the string data matches files named data6. For example: l l l l An event filter that compares the $FileName variable to the string data* matches files named data.

contained in any folder whose name contains Red6.csv is uploaded to the server. an administrator may want to raise an email event when the file HourlyUpdate. To perform this task. or when a certain file is uploaded. To do this. and then add a new filter. The Event Type is File Uploaded. The best example is raising an event only when a certain user triggers the action. create a new event in the Domain Details > Events menu. but not when other files are uploaded. and on the Event Filter tab a new filter must be added. Red7 or Red8. create a new File Upload Failed event. The $FileName variable is used and the value is HourlyUpdate.* matches a file on any Windows drive.Chapter 3: Server l An event filter that compares the $FileName variable to the string ?:\*Red [678]\?????. 70 . Using event filters Event filters are used by comparing fields to expected values in the Event Filter menu. it might be necessary to know when a file transfer fails for a specific user account. and that also has a five character file name followed by a file extension of any length. For example.csv as shown in the following screen capture: As another example.

using wildcards. such as ProductionLineFTP: You can also filter for events based on specific folders. After specifying the email recipients. open the Event Filters page. License information The License Information tab displays the information contained in the current registration ID in use by the Serv-U File Server. and add the filter comparison If $LocalPathName = (is equal to) C:\ftproot\accounting\* with the type of (abcd) string. and the value to compare is the user name. To filter based on a folder name. If the installation is running in trial 71 . Create a new event filter.License information The filter comparison is the $Name variable. and set it to Send Email. This will cause the event to trigger only for files that are located within C:\ftproot\accounting\. such as when an accounting department uploads time-sensitive tax files. and message content. create a new File Uploaded event in the Domain Details > Events menu. subject line. In some cases it may be necessary to trigger events for files uploaded only to a specific folder.

the number of trial days remaining is displayed. 72 . If Serv-U is running as a trial version. Email address The email address associated with the current license. Copies The number of concurrent installations allowed by the current license. click Lost ID for assistance in retrieving it. click Purchase to visit the Serv-U website to purchase an ID. Purchase date The date the current license was purchased. Edition information Displays the enabled functionality and limitations of the licensed Serv-U edition. For more information. see Serv-U editions. Updates The date through which the current license allows free updates to the latest version. and then enter your alphanumeric registration ID. Information contained on this page includes the following: Name The name associated with the current license.Chapter 3: Server mode. click Enter License ID on the bottom toolbar. Additional products Additional add-ons for Serv-U. information about the number of trial days remaining is also included. and whether or not they are enabled. click Upgrade License. Registering Serv-U To register the Serv-U File Server. Serv-U edition The Serv-U edition that is enabled by the current license. If you have lost your ID. To upgrade your Serv-U installation. If you want to purchase an ID.

Program Information Program Information The Program Information page displays information about the current version of Serv-U installed on the server including the following details: Serv-U File Server Version Number The full version number of the current installation. 73 . Legal Disclaimer The Serv-U legal disclaimer. Build Date The date of the software build of the current installation. You can configure SMTP on the server or domain level. you can configure an SMTP connection to send email for events which are configured to use email actions. SMTP configuration at the domain level can be inherited from the server level. Development Information Information about the development and localization (if applicable) for the Serv-U File Server. Configuring SMTP settings In Serv-U. Install Date The original date when Serv-U was first installed on the computer. The SMTP configuration dialog is located in the Events tab in the Domain Details and Server Details pages. Operating system Information about the operating system on which Serv-U is installed. or both. Contact Information The contact information for SolarWinds.

and then specify the following details: l SMTP Server: The name or IP address of the SMTP server. Password: The password for the account. Serv-U supports Implicit SSL only. If your SMTP server requires authentication. 74 . select this option. enable this option. The default port for encrypted SMTP connections is 465. and does not support Explicit SSL (port 587). l This server requires a secure connection (SSL): On some SMTP servers all incoming connections must be encrypted to protect against possible attacks. enter the following information: l l Account Name: The account name associated with authentication for the SMTP server.Chapter 3: Server Click Configure SMTP to launch the dialog. l SMTP Server Port: The port the SMTP server is using. l From Email Address: The email address to use for the outgoing email. l From Name (optional): The name to use for the outgoing email. If your server requires that all incoming connections must be encrypted. l My server requires authentication: To enable authentication.

and then click Send.Configuring SMTP settings Testing the SMTP configuration Perform the following steps to test the SMTP configuration in Serv-U: 1. or click No to return to the SMTP Configuration window. 3. Optionally. 75 . If the email was sent successfully. 2. click OK on the confirmation window to save your SMTP configuration. you can edit the subject and content of the test message. After specifying the details of the SMTP server and the corresponding account. specify the email address where you want to send the test email to. click Send Test Email to test your SMTP connection. In the Send Test Email window.

Please check user name and password. or both is incorrect. Please check that recipient email address is valid. and that the SMTP server is up and running. Unable to send message due to recipient error. Please try again later. password.Chapter 3: Server If an error occurs at any stage of the configuration test. but an unspecified error occurred while sending the test email. The connection to the server is successful. SMTP communication failed. Serv-U returns one of the following error messages in the SMTP error window: Error message Explanation SMTP connection failed. authorization error. Please check your SMTP server and port settings. Check your SMTP connection details. but the provided user name. Unable to send message due to The connection to the server is successful. Verify that these details are correct. Unable to send a message. but the specified server is listening the specified port. Please check that the The connection to the SMTP server timed out. but the email address provided in the To Email Address field of the Send Test Email window is not valid. The connection to the server is successful. An unspecified error occurred. and try the test again. SMTP server address is correct. The error can also occur if incorrect server and port settings are specified. The most common reason for the SMTP connection to fail is an invalid SMTP server address or port number. Ensure that SMTP server settings are correct. 76 . Timeout while contacting SMTP server.

If you specify the %USER% variable in the path. to place a user and their home directory into a common directory. and %DOMAIN_HOME% variables to simplify the process. You can use the %USER_FULL_NAME% variable to insert the Full Name value into the path (the user must have a Full Name specified for this to function).Configuring directory access rules Configuring directory access rules Directory access rules define the areas of the system which are accessible to user accounts. You can also use the %DOMAIN_HOME% macro to identify the user's home directory. The traditional rules of inheritance apply where rules specified at a lower level (for example. use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot folder in the home directory of the user. you can use the %USER%. In other words. Directory access rules are applied in the order they are listed. they are only inherited by users who belong to the particular domain. it is replaced with the user's login ID. For example. the server level). This leads to less maintenance for the file server administrator. if a rule exists that denies access to a particular subdirectory but is listed below the rule that grants access to the parent directory. the user level) override conflicting or duplicate rules specified at a higher level (for example. This variable is useful in specifying a group's home directory to ensure that users inherit a logical and unique home directory. the user "Tom Smith" could use D:\ftproot\%USER_FULL_NAME% for D:\ftproot\Tom Smith. then a user 77 . Directory access rules specified in this manner are portable if the actual home directory changes while maintaining the same subdirectory structure. %USER_ FULL_NAME%. If they are specified at the domain level. Directory access rules specified at the server level are inherited by all users of the file server. While traditionally restricted to the user and group levels. use %DOMAIN_HOME%\%USER%. For example. The first rule in the list that matches the path of a client's request is the one that is applied for that rule. When you set the directory access path. in Serv-U. the usage of directory access rules is extended to both the domain and the server levels through the creation of global directory access rules. %HOME%. For example.

This permission is typically used to grant users the ability to resume transferring partially uploaded files. the parent directory accessed this way will only display the content to which the user has access. Append Allows users to append data to existing files. Execute Allows users to remotely execute files. Rename Allows users to rename existing files. Write Allows users to write (that is. Users with Write and Execute permissions can install any program 78 . even if no explicit access rules are defined for the parent directory. download) files. The following section contains the list and description of the directory access permissions. This is a very powerful permission and great care should be used in granting it to users.Chapter 3: Server still has access to the particular subdirectory. Delete Allows users to delete files. However. Use the arrows on the right of the directory access list to rearrange the order in which the rules are applied. which is granted by the Append permission. which is granted by the List permission. File permissions Read Allows users to read (that is. Note: Serv-U allows to list and open the parent directory of the directory the user is granted access to. upload) files. The execute access is meant for remotely starting programs and usually applies to specific files. This permission does not allow users to list the contents of a directory. This permission does not allow users to modify existing files.

Create Allows users to create new directories within the directory. clear the Inherit check box and grant permissions specifically by folder. because Windows services are run under the Local System account by default.Directory permissions they want on the system. Directory permissions List Allows users to list the files and subdirectories contained in the directory. which has no access 79 . In this environment. but if access must be restricted to subfolders (as is the case when implementing mandatory access control). files can be accessed by the UNC path (\\servername\folder\) instead of the traditional C:\ftproot\folder path. Remove Allows users to delete existing directories within the directory. files and folders may be kept on external servers in order to centralize file storage or provide additional layers of security. Also allows users to list this folder when listing the contents of a parent directory. accessing folders stored across the network poses an additional challenge. Subdirectory permissions Inherit Allows all subdirectories to inherit the same permissions as the parent directory. However. Advanced: Access as Windows User (Windows Only) For a variety of reasons. the user also needs to have the Delete files permission in order to remove the directory. Rename Allows users to rename existing directories within the directory. Note: If the directory contains files. The Inherit permission is appropriate for most circumstances.

you can specify a specific Windows user for each individual directory access rule.Chapter 3: Server to network resources. To implement mandatory access control at a directory level. By clicking the Advanced button. and in this case also to the configured permissions in Serv-U. This means that when a Windows user tries to access a folder. The alternative. directory access is subject to NTFS permissions. To mitigate this problem for all of Serv-U. Mandatory access control You can use mandatory access control (MAC) in cases where users need to be granted access to the same home directory but should not necessarily be able to access the subdirectories below it. the NTFS permissions of the Windows user take priority over the directory access rules. or if the Serv-U File Server service has to run under Local System for security reasons is to configure a directory access rule to use a specific Windows user for file access. As in Windows authentication. disable the Inherit permission as shown in the following screen capture. the security permissions of the user are applied instead of the credentials specified in the directory access rule. you can configure the Serv-U File Server service to run under a network account. Any attempted file transfers that cause the directory contents to exceed this value are rejected. Quota permissions Maximum size of directory contents Setting the maximum size actively restricts the size of the directory contents to the specified value. preferred when many servers exist. 80 . Note: When you use Windows authentication. This feature serves as an alternative to the traditional quota feature that relies upon tracking all file transfers (uploads and deletions) to calculate directory sizes and is not able to consider changes made to the directory contents outside of a user's file server activity.

81 . such as MP3 files. providing the security of mandatory access control in the Serv-U File Server. Now.Restricting file types In the following example. Permissions must individually be granted to subfolders that the user needs access to. the rule applies to D:\ftproot\. you can prevent this by configuring a directory access rule placed above the main directory access rule to prevent MP3 files from being transferred as shown below. the user has access to the ftproot folder but to no folders below it. Restricting file types If users are using storage space on the Serv-U File Server to store non-workrelated files.

type *.mdb extension. as shown in the following screen captures. configure a pair of rules that grants permissions for .mp3. 82 . Similarly.mdb files but denies access to all other files. and use the permissions shown in the following screen capture: The rule denies permission to any transfer of files with the .Chapter 3: Server In the text entry for the rule. if accounting employees only need to transfer files with the .mp3 extension and can be modified to reflect any file extension.

Restricting file types In the first rule enter the path that should be the user's home directory or directory they need access to. 83 .

A virtual path only defines a method of mapping an existing directory to another location on the system to make it visible within a 84 .mdb files within the specified directories.mdb). Using virtual paths If virtual paths are specified.Chapter 3: Server In the second rule enter the extension of the file that should be accessed (such as *. These rules only allow users to access . users can gain access to files and folders outside of their own home directory. You can adapt these rules to any file extension or set of file extensions.

or network. Like directory access rules. a virtual path of %HOME%/public places the specified physical path in a folder named public within the user's home directory. the last specified directory is used as the name displayed in directory listings to the user. To make a virtual path visible to users. Physical path The physical path is the actual location on the system. Virtual path The virtual path is the location that the physical path should appear in for the user. For example. use a full path. In order to actually have access to the mapped location. You can also use a full path without any macros. Including virtual paths in "Maximum Directory Size" calculations When this option is selected. the user must still have a directory access rule specified for the physical path of a virtual path. domain. group. such as D:\inetpub\ftp\public. When virtual paths are created at the domain level. virtual paths can be configured at the server. users must have a directory access rule specified for the physical path. Virtual paths created at the server level are available for all users of the file server. that is to be placed in a virtual location accessible by a user. If the physical path is located on the same computer. The Maximum Directory Size limits the size of directories 85 .Using virtual paths user's accessible directory structure. You can also create virtual paths specifically for individual users or groups. such as \\Server\share\public. and user levels. When specifying the virtual path. the virtual path is included in Maximum Directory Size calculations. they are only accessible by users belonging to that domain. You can also use a UNC path. The %HOME% macro is commonly used in the virtual path to place the specified physical path in the home directory of the user.

If they are specified at the domain level. The developers also need access to an image repository located at D:\corpimages\. You can configure automated file management rules at the server and domain level. Be sure to add a group level directory access rule for D:\corpimages\ as well. To avoid granting the group access to the root D drive. The developers now have access to the image repository without compromising security or relocating shared resources. you can automatically remove or archive files from the file server. If they are specified at the server level. You can avoid this by using the %HOME% macro to create a relative virtual path location that eliminates the need to update the path if the home directory changes. if the home directory of the group of web developers is relocated to another drive. If the home directory changes at a later date. Within the group of web developers. a virtual path must be configured so that the image repository appears to be contained within their home directory.com\corpimages Case File: Creating relative virtual paths Continuing with the previous example. Case File: Using virtual paths A group of web developers have been granted access to the directory D:\ftproot\example.com\ for web development purposes. add a virtual path to bring the directory to the users by specifying D:\corpimages\ as the physical path and as the virtual path. regardless of what the home directory is. use %HOME%\corpimages. Instead of using D:\ftproot\example. This way the corpimages virtual path is placed within the home directory of the group.com\corpimages as the virtual path. both the home directory and the virtual path need to be updated to reflect this change. the file management rules are accessible to all users of the file server. D:\ftproot\example. the virtual path still appears there. Using automated file management Using file management rules.Chapter 3: Server affecting how much data can be uploaded. 86 . they are only accessible to users belonging to that domain.

On Linux. and not only to those that have been uploaded through ServU. the folders themselves remain intact. Select the action you want to perform on the file: a. and then click Add. or click Browse to navigate to the file or folder. The change date is updated whenever the metadata or index node (inode) of the file is modified. The file management rules apply recursively to all files within the folder for which they are configured. the change date is also updated. The file management rules continue to run even if deleting or moving a single file fails. The file management rules run hourly in the background.Using automated file management Depending on the file system. To define a new file management rule: 1. On Windows. 3. Type the path to the file or folder in the Directory Path field. or which are copied to the folder outside of Serv-U. For more information. see Using Serv-U events. there can be an hour delay before Serv-U deletes or moves an expired file. 2. If you want to delete the file after it expires. 87 . If the contents or attributes (such as the permissions) of the file are modified. To monitor the status of the file management rules. When expired files are deleted or moved. Serv-U uses the creation or change date of files to determine the expiration date. Note: The change date is not modified if the file is read from. you can configure a File Management Rule Success and a File Management Rule Error event under Server/Domain Details > Events. Navigate to Directories > File Management. select Delete file(s) after specified time. This way you can manage files which are transferred by clients. the creation date of the file is used to determine when a file expires. The folder structure is not affected by the file management rules. For this reason. the change date is used to determine the expiration date.

4. specify the folder where you want to move the file. The limits stack intelligently.Chapter 3: Server b. select Move file(s) after specified time. Note: Serv-U regularly and individually checks all the files in the directory for their age. and performs the specified action on the files that meet the age criteria you specify. you can configure limits so that they are only applied during certain days of the week or times of the day. and then in the Destination Directory Path field. and which also provide ways to apply limits and custom settings to users. You can also grant exceptions to administrators and restrict specific users more than others. In addition. 5. Specify the number of days after the file creation date when the action should be executed. and domain settings overriding server settings. with user settings overriding group settings. group settings overriding domain settings. domains. Click Save. providing total control over the server. groups. and the server in its entirety. The limits and settings in Serv-U consist of the following categories: l Connection l Password l Directory Listing l Data Transfer l HTTP l Email 88 . Server limits and settings Serv-U contains options which you can use to customize how Serv-U can be used. If you want to move the file after it expires.

perform the following steps: 1. see User interface conventions. click Add. deselect the days for which you do not 89 . this option applies to all users in the domain unless overridden at the group or user level. and then select or enter the value. After completing the previous steps. You can delete limits by selecting them and clicking Delete. select the Directory Listing. Click Add. Limits with a white background are values that override the defaults. To restrict the limit to certain days of the week. to disable the Lock users in home directory option for a server. 4. From the Limit list.Server limits and settings l File Sharing l Advanced To apply a limit. select the appropriate category. For more information about this method of inheritance. Limits with a lightblue background are default values. Click Save. 2. To edit an overridden value. select the limit. Default rules cannot be edited or deleted. Deselect the option. or specific days of the week. The limits list displays the current limits applied to the domain. 3. 6. and then click Edit. Select Apply limit only at this time of day to specify a start and stop time for the new limit. select the limit. a new "Lock users in home directory" limit appears in the list that displays "No" for the value. select Lock users in home directory. To create a limit that is restricted to a specific time of day. click Limits & Settings. Because of inheritance rules. From the Limit Type list. For example. 5. Create a new limit to override a default limit. In the Serv-U Management Console. click Advanced in the New Limit or Edit Limit window.

The value of Packet time-out must be less than the value of the Automatic idle connection timeout for the Automatic idle connection timeout to work properly. Require secure connection before login Requires that a connection must be secure (for example.Chapter 3: Server want the limit applied. Note: Setting the Packet time-out is a requirement for this limit to work. organized by category. When a limit is restricted in this way. Automatic idle connection timeout Specifies the number of minutes that must pass after the last client data transfer before a session is disconnected for being idle. FTPS. default values (or the value of other limit overrides) are applied when the time of day or day of the week restrictions are not met for this limit. or HTTPS) before it is accepted. Maximum number of sessions per user account Specifies the maximum number of concurrent sessions that may be opened from a single user account. Maximum sessions per IP address on server Specifies the maximum number of concurrent sessions that may be opened to the entire server from a single IP address. Connection Maximum number of sessions on server Specifies the maximum number of concurrent sessions that may be allowed on the entire server. For information about setting the packet time-out. see Server 90 . Maximum sessions per IP address for user account Specifies the maximum number of concurrent sessions that a user may open from a single IP address. The following section contains a reference of all available server limits. SFTP.

Block IP address of timed out session Specifies the number of minutes for which the IP address of a timed out session is blocked.Connection settings. which is commonly used to keep FTP Command Channel connections open during long file transfers or other periods of inactivity when no information is being transferred on the control channel. Serv-U disconnects the client when the connection has been idle. Require reverse DNS name Requires that users connecting to the server must connect from an IP address that has a valid reverse DNS name. Block anti-timeout schemes Blocks the use of commands such as NOOP. When these are blocked. also known as a PTR record. Proxy servers and load balancers typically append this parameter to the HTTP header so that HTTP servers can identify the actual client IP address and apply security rules as necessary. Allow X-Forwarded-For to change HTTP connection IP addresses When enabled. This limit checks for the existence of a valid PTR record but does not check 91 . Automatically create home directories Instructs Serv-U whether or not to automatically create the home directory specified when creating a new user account if the directory does not already exist. that is. Automatic session timeout Specifies the number of minutes a session is allowed to last before it is disconnected by the server. not transferring data for a specified period of time. the "X-Forwarded-For" HTTP header parameter changes the IP address of the client for Serv-U. This is useful when all HTTP connections are coming from a proxy server or a load balancer.

Minimum password length Specifies the minimum number of characters required in a user account's password. Maximum sessions per IP address on domain Specifies the maximum number of concurrent sessions that may be opened to the entire domain from the same IP address.Chapter 3: Server its contents. which can be useful for debugging connection problems or auditing user account security. Password encryption mode Specifies the level of password encryption on user passwords. Disabling this allows passwords to be displayed in log files. Automatically expire passwords Specifies the number of days a password is valid before it must be changed. Require complex passwords Specifies that all user account passwords must contain at least one uppercase and one non-alphabetic character to be considered valid. Allow users to change password Specifies whether or not users are allowed to change their own passwords. Specifying zero characters indicates that there is no minimum requirement. Specifying zero days indicates that passwords never expire. The following options are available: 92 . Mask received passwords in logs Masks the passwords received from clients from being shown in log files. Password Check anonymous passwords Specifies whether or not Serv-U should validate email addresses supplied as the password to log in anonymously.

93 . This way the administrator cannot deny access to a user account through misconfiguration. allows users to recover passwords using the Web Client password recovery utility at the login page. Note: The Public Key Only authentication type allows users to log in with a password if they have no SSH key configured in Serv-U. Allow users to recover passwords If enabled. In this case it may be desirable to use two-way encryption so that Serv-U does not need to reset their passwords when password recovery is requested. Simple two-way encryption (less secure): This option encrypts passwords in a reversible format for easy recovery. Public Key Only: Requires that a public key is provided for successful login. Existing passwords are not updated automatically. l l Password or Public Key: Requires either a password or public key for login. all user passwords must be reset. This is the default setting. The following options are available: l Password and Public Key: Requires both a password and a public key (when specified) for login. Using this option may be necessary for integration with legacy systems (especially when using database support).Password l l l One-way encryption (more secure): This option fully encrypts passwords and cannot be reversed. and must be re-saved to be stored in the new format. Use this option when users are expected to take advantage of the password recovery utility in the Web Client. Note: When you change this setting. SSH authentication type Specifies how SSH authentication is to occur. No encryption (not recommended): This option stores passwords in clear text. a password is not allowed.

OTP S/Key MD4. this limit allows users to generate a random password. The following options are available: regular password. Interpret Windows shortcuts as links Instructs Serv-U to treat all valid . FTP password type Specifies the type of password to be used for FTP connections. Use lowercase for file names and directories Forces Serv-U to display all file names and directories using lowercase characters.lnk files as the actual destination object. This value is the lead-time.Chapter 3: Server l Password Only: Requires that a password is provided for successful login. and does not allow users to browse 94 . the destination file is shown in the directory listing instead of the . Treat Windows shortcuts as target in links Instructs Serv-U to treat all valid .lnk file itself. regardless of the actual letter case in use by the file or directory. and OTP S/Key MD5. Disable password generators If enabled. a public key is not allowed. Directory listing Hide files marked as hidden from listings Hides files and folders from directory listings that have the Windows "hidden" system attribute set on them. An event can be configured to identify when a password is about to expire. before password expiration. Lock users in home directory Locks users into their home directory. Days before considering password to be stale The number of days before expiration that a password is to be considered stale. in days.lnk file points to another file. In other words. if a . A stale password is a password that is about to expire.lnk (shortcut) files as a UNIX symbolic link.

however some clients require a certain mask to operate correctly.message can be used as the path. Message file path Welcome messages are typically displayed once to a user during login to relay important information to users about the file server site.Data transfer above their home directory. masking the actual physical location. Allow root ("/") to list drives for unlocked users (Windows Only) Allows users to change directory to the root ("/") of the system and display all drives on the computer. Windows does not support traditional file permissions like Unix. welcome messages can be provided in specific folders to relay additional information. This option only works when users are not locked in their home directory. In addition. 95 . Directory listing mask (Windows Only) Specifies the text string sent to FTP clients for file permissions. The welcome message will only be displayed when navigating into folders which contain a file matching the specified file name. Hide the compressed state of files and directories Hides the compressed state of all compressed files and directories being viewed by the user. By using a secondary message file. A non-relative path such as MessageFile. which makes this option largely cosmetic. Data transfer Maximum upload speed for server Limits the maximum bandwidth that can be used server-wide for all uploads. Setting a limit of 0 KB/s means unlimited bandwidth. their home directory is displayed as "/". Hide the encrypted state of files and directories Hides the encrypted state of all encrypted files and directories being viewed by the user.

Serv-U will assume <LF> characters are the same as <CR><LF> end-of-line markers. Setting a limit of 0 KB/s means unlimited bandwidth.Chapter 3: Server Maximum download speed for server Limits the maximum bandwidth that can be used server-wide for all downloads. Setting a limit of 0 KB/s means unlimited bandwidth. Setting a limit of 0 KB/s means unlimited bandwidth. Interpret line feed byte as a new line when in ASCII mode (Windows Only) When uploading and downloading files using ASCII mode. However. because the definition of a new-line sequence is not fully defined in Windows. Delete partially uploaded files Instructs Serv-U to delete incomplete file uploads. Setting a limit of 0 KB/s means unlimited bandwidth. Most Windows applications expect <CR><LF> to represent a new line. Maximum Upload File Size Restricts the maximum single file size a user can upload to Serv-U. as does the FTP protocol. this option allows Serv-U to 96 . Maximum download speed per session Limits the maximum download bandwidth for each individual session. This option can currently be used in FTP mode only. Maximum upload speed per session Limits the maximum upload bandwidth for each individual session. File size is measured in kilobytes. Maximum download speed for user accounts Limits the maximum download bandwidth shared between all sessions associated with an individual user account. Maximum upload speed for user accounts Limits the maximum upload bandwidth shared between all sessions associated with an individual user account. Setting a limit of 0 KB/s means unlimited bandwidth.

The default Allow read access means that other clients can also attempt to concurrently download the same file. To prevent any other client from accessing a file while it is still being transferred. Maximum simultaneous thumbnails Specifies the maximum number of threads that are dedicated towards generating thumbnail images for HTTP clients and in response to the FTP THUMB command. File upload access Specifies the method in which uploaded files are opened while they are being received from a client. File download access Specifies the method in which downloaded files are opened while they are being sent to a client. When downloading in ASCII mode.Data transfer assume <LF> is the same as <CR><LF>. The default Allow read access means that other clients can attempt to download the file even while it is still being received. Generating thumbnails is a CPU intensive operation. 97 . Allow full access means other clients can read from and write to the file while it is being transferred. select Allow no access. This attribute ensures that Serv-U always has updated directory sizes available instead of having to calculate them at transfer time. even while Serv-U is able to handle more client thumbnail requests concurrently. Automatically check directory sizes during upload Instructs Serv-U to occasionally check the size of directories in which a maximum directory size has been specified. select Allow no access. When uploading in ASCII mode stand-alone <LF> characters are changed to <CR><LF> before writing to the file. Allow full access means other clients can read from and write to the file while it is being sent to another client. Increasing this value too high may cause thumbnails to take longer to generate. To prevent any other client from accessing a file while it is still being sent. which can be a time consuming operation. standalone <LF> characters are changed to <CR><LF> prior to sending to the client.

Administrators can disallow the use of the Serv-U Web Client by disabling this limit. Default language for Web Client When the end-user connects with an unsupported language. the HTTP login page is displayed in English. Administrators can disallow the use of the Serv-U Web Client Pro by disabling this limit. Allow browsers to remember login information The HTTP login page supports a Remember me option (not enabled by default) that allows user names to be remembered by the login page. Allow users to use Web Client The Serv-U Web Client is enabled by default. The default language can be set to any language you want. the local language of Windows is used. but this option can be disabled if users should not be able to select their preferred language. Allow users to change languages The Serv-U Web Client is supported in many languages. When connecting to Serv-U using a supported localization of Windows. Allow users to use FTP Voyager JV FTP Voyager JV is enabled by default. Administrators can disallow the use 98 .Chapter 3: Server HTTP Warn end users when using old web browsers When enabled (default) users are warned when they are using an outdated browser that they should upgrade the browser to take advantage of performance and feature enhancements to improve their experience. Allow users to use Web Client Pro The Serv-U Web Client Pro is enabled by default. This function can be disabled during specific business hours or altogether based on business needs. Allow HTTP media playback The Serv-U Web Client supports fully interactive media playback of audio and video files. This feature can be disabled for security reasons.

When disabled. it will remain the date and time the file was uploaded. Email Allow end-user to set account email address Specifies whether users are allowed to modify their account email address using the Change Email Address option in the Web Client and File Sharing interfaces. Allow autocomplete for HTTP login fields With this limit you can configure whether or not password auto-completion is allowed on the Serv-U login screen. This option can be disabled but it may cause mobile devices to be disconnected due to frequent IP address changes by these devices.Email of FTP Voyager JV by disabling this limit. Require end-user to set email address at next HTTP login Specifies whether users must set their email address when they log in to Serv-U. Serv-U can maintain the last modification date and time of the file when end-users are using FTP Voyager JV or Web Client Pro. Maintain file dates and times after uploading (FTP Voyager JV and Web Client Pro only) When enabled. Allow HTTP sessions to change IP address (disabling may cause mobile devices to fail) The Serv-U Web Client supports the transfer of HTTP sessions if the IP address changes. the version information of Serv-U will be hidden in HTTP and HTTPs response headers. This option is enabled by default. Serv-U will not set the last modification date and time of the file. Hide Serv-U version information in HTTP response headers When enabled. This way a potential security threat arising from the knowledge of the version information can be mitigated. 99 .

Chapter 3: Server File sharing Require a password for guest access Specifies whether it is possible to set up a file share where the guest is required to provide a password. When this limit is set to Always 100 . When this limit is set to Always or Never. Maximum file size guests can upload (per file) Specifies the file size constraints imposed upon the guest user. Notify user after a file is downloaded Specifies whether the Notify me when the file(s) have been downloaded option can be used in the Send Files wizard. When this limit is set to Always or Never. In this case. When disabled. When this limit is set to Optional. users will be able to specify link expiration dates individually on the Request Files and Send Files wizards. the creator of the file share will not be able to specify this optional setting. Duration before guest link expires Limits the number of days after which a file share link expires if the Allow user-defined guest link expiration limit is disabled. Allow user-defined guest link expiration When enabled. the Include the password in the email option can be selected individually in each file share. Insert passwords within invitation emails Specifies whether it is possible to set up a file share where the password for the share is included in the invitation email. the creator of the file share request can specify the maximum file size in each file share request without an upper limit. the creator of the file share will not be able to specify this optional setting. When this limit is set to Optional. there is no file size constraint. If set to zero. the file share links will expire after the number of days specified in the Duration before guest link expires limit. the user can individually specify in each file share whether or not the guest must provide a password.

101 . the user can individually specify in each file share whether to receive notification of the file download. the user can individually specify in each file share or file share request whether to receive an email copy with the download or upload link. users can edit their name and email address in the Request Files and Send Files wizards. Send the guest access link to the recipients Specifies whether the Automatically send the download/upload link to the guest user(s) in email option can be used in the Send Files and Request Files wizards. users are not allowed to edit their contact information in the Request Files and Send Files wizards. the user will not be able to specify this optional setting. the user can individually specify in each file share request whether to receive notification of the file upload. the user can individually specify in each file share or file share request whether to send the access link automatically. When this limit is set to Optional. Allow user-defined contact information When enabled. When this limit is set to Always or Never. the creator of the file share will not be able to specify this optional setting. When this limit is set to Optional. the creator of the file share request will not be able to specify this optional setting. When this limit is set to Always or Never. When disabled. Notify user after a file is uploaded Specifies whether the Notify me when the file(s) have been uploaded option can be used in the Request Files wizard. When this limit is set to Always or Never. Send the guest access link to the sender Specifies whether the Send me an email copy with the download/upload link option can be used in the Send Files and Request Files wizards.File sharing or Never. When this limit is set to Optional. the user will not be able to specify this optional setting. When this limit is set to Optional.

Maximum number of files for "Requested" shares Specifies the maximum number of files users can upload after receiving a file share request. This option is useful to counter denial-of-service attacks that send large amounts of out-of-band (OOB) data to socket stacks that cannot handle large amounts of OOB data. treating it like normal data. Allowed "Sent" file share sources Specifies the valid file sharing sources that users can browse to when they create an outgoing file share. such as satellite links. Disable usage of Nagle algorithm Disables waiting for the ACK TCP handshake before sending the next packet. Inline out-of-band data Parse out-of-band socket data into the regular TCP data stream. 102 . If set to zero. users can browse to any file stored on their computer or on Serv-U. Advanced Convert URL characters in commands to ASCII Instructs Serv-U to convert special characters contained in command parameters to plain ASCII text. Send keep alive packets to detect broken connections Periodically sends keepalive packets to determine if the socket is still connected. Certain web browsers can encode special characters contained in file names and directories when using the FTP protocol. the default limit of 20 is used. This attribute allows Serv-U to decode these special characters. If set to zero.Chapter 3: Server Maximum number of files for "Sent" shares Specifies the maximum number of files users can include in a single file share. the default limit of 20 is used. This option is typically only used for connections with very large latencies. By default.

For more information. Serv-U supports SFTP versions 3 . Apply server and domain directory access rules before user and group The order in which directory access rules are listed is important in determining the resources that are available to a user or group account. Reset user stats after restart When this limit is enabled. Maximum supported SFTP Version Specifies the maximum version of SFTP permitted for SFTP connections. directory access rules specified at the group or user level take precedence over ones specified at the domain and server level. By default. When disabled. However. there are certain instances where you may want the domain and server level rules to take precedence. 103 . Days before automatically deleting account to trigger the pre-delete event The number of days prior to automatically deleting the user account that the pre-delete event should be triggered. adaptive time-outs make it easier to resume the upload since Serv-U recognizes more quickly that the transfer is dead and thus allows access to the file sooner. Setting this value to "Yes" places the directory access rules of the group and user below the server and domain.6.Advanced Use adaptive time-out on fast file uploads Slowly lower packet time-out for consistently fast transfers during file uploads. Allow rename overwrite When enabled (default) Serv-U allows files to be renamed to files where the destination already exists. the user statistics are reset after a server restart. Days before automatically disabling account to trigger the pre-disable event The number of days prior to automatically disabling the user account that the pre-disable event should be triggered. If the transfer does not complete successfully. users are not allowed to rename a file or directory to a path name that already exists. see the "Apply group directory access rules first" setting in Group information.

complex passwords defeats most dictionary attacks. A successful login resets the counter that is tracking login attempts. enabling this option ensures that Serv-U does not waste time processing connections from these illegitimate sources. and network connectivity. security. you can configure basic server settings that affect performance. 104 . When configuring this option. Group ID (group name) for created files and directories (Linux Only) The group name given to set as the owner of a created file or directory. and then click Save. Using strong. When enabled. type the value you want in the appropriate area. This topic contains detailed information about the settings that you can configure. enabling this option is a method of preventing brute force password guessing systems from using dictionary style attacks to locate a valid password for a user account. However. this option temporarily blocks IP addresses for the specified number of minutes that fail to successfully login after the specified number of attempts within the specified number of seconds. IP addresses blocked in this way can be viewed in the appropriate IP access rules tab. Owner ID (user name) for created files and directories (Linux Only) The user name given to set as the owner of a created file or directory.Chapter 3: Server Reset group stats after restart When this limit is enabled. To configure a setting. ensure that there is some room for legitimate users to correct an incorrect password before they are blocked. Server settings On the Server Limits & Settings > Settings pages. Connection settings Block users who connect more than 'x' times within 'y' seconds for 'z' minutes Also known as anti-hammering. the group statistics are reset after a server restart.

Web Client Pro. for a TCP packet transfer. This is particularly useful in enabling PASV mode FTP data transfers. PASV Port Range Specifies the inclusive range of ports that Serv-U should use for PASV mode data transfers. the server sends identification information to the client. 105 . Serv-U normally allows the operating system to assign it a random port number when opening a socket for a PASV mode data transfer. Packet time-out Specifies the timeout. A range of 10 ports is sufficient for the busiest of file servers. or FTP Voyager JV should be used by all HTTP clients by default. This option is also available at the group and user level. this information includes the server name and version number. Network settings Auto-configure firewall through UPnP (Windows Only) When enabled. This attribute accommodates routers or firewalls that need to know a specific range of ports in advance by restricting the PASV port range of Serv-U to a known range. Normally. Default Web Client Specifies whether the Web Client. Enable this option to prevent the information from being given to the client.Server settings Hide server information from SSH identity After a successful SSH login. in seconds. The third. Serv-U automatically configures the necessary port forwards in your UPnP-enabled network device (usually a router) so that the file server is accessible from outside your network. default option is to prompt the users for the client they want to use instead. Only very slow networks experiencing high levels of latency may need to change this value from the default 300 seconds.

Configuring FTP settings In the Serv-U File Server. To customize the FTP behavior for a specific domain. When the Management Console is running in this way. Using global properties When using custom settings. Other settings Ratio Free Files Files listed by opening the Ratio Free Files button are exempt from transfer ratio limitations on file transfers. Change Admin Password The Serv-U Management Console can be password protected when it is launched by double-clicking on the Serv-U system tray icon. If Serv-U and clients have troubles listing directories or transferring files. and then click Use Custom Settings. For more information. you can customize the FTP commands that Serv-U accepts.Chapter 3: Server Note: Some NAT routers work differently and may require a larger port range. Warning: Customizing the FTP behavior in this way is not recommended except for those very familiar with the FTP protocol and its standard and extended command set. you can click Use Default Settings to have the domain revert back to the default settings of the server. At any time. all domains inherit the customizations. try increasing the port range here and on your router. the Global Properties button becomes available. Ratio free files specified at the server or domain level are inherited by all their users accounts. see Transfer ratio and quota management. If you configure these options at the server level. 106 . there is no admin password. open the FTP Settings page for the domain. By default. the option to change the password becomes available. and you can also customize the responses of Serv-U to the FTP commands it receives. select the appropriate domain.

the 220 response code begins each line of the specified welcome message. see System variables. Click Browse to select a file on the computer. 107 . Advanced Options l Block "FTP_bounce" attacks and FXP (server-to-server transfers): Select this option to block all server-to-server file transfers involving this Serv-U File Server by only allowing file transfers to the IP address in use by the command channel. Message File The server welcome message is sent in addition to the standard "220 Welcome Message" that identifies the server to clients when they first connect. Select this option if your clients are using an FTP client experiencing problems with multi-line responses from Serv-U. Serv-U opens this file and sends its contents to connecting clients. For more information about FTP_bounce attacks. For more information. such as the error message sent when a file is not found. Customizing a global FTP response ensures that the response is used by all other FTP commands rather than having to customize it for each individual FTP command. see CERT advisory CA-97. enter the path to a text file in the Message File Path field. l Include response code on all lines of multi-line responses: The FTP protocol defines two ways in which a multi-line response can be issued by an FTP server.Configuring FTP settings FTP Responses Global FTP responses are responses shared amongst most FTP commands. If the Include response code in text of message file option is selected.27. Some older FTP clients have trouble parsing multi-line responses that do not contain the three-digit response code on each line. To customize the welcome message. FTP command responses can contain special macros that allow real-time data to be inserted in to the response.

Disabled commands are treated as unrecognized commands when they are received from a client. FTP Responses On the FTP Responses page. 108 . When this option is deselected. Serv-U treats all file names and paths as UTF-8 encoded strings. This allows for message files to be specified using a path relative to the home directory of the user for the Message File. For more information. Each FTP command can also be disabled by selecting the Disable command option. Message Files Certain FTP commands allow a message file to be associated with them. a secondary message file path is available as a default option. basic information about the command is shown along with a link to more information on the Serv-U website. Deselecting this option prevents Serv-U from UTF-8 encoding these strings. select the FTP command you want to change. FTP command responses can contain special macros that allow real-time data to be inserted in to the response. Serv-U attempts to use the Secondary Message File instead. If the first message file is not found. all possible FTP responses to the command as issued by the server can be modified by clicking Edit for each response. UTF-8 is not included in the FEAT command response to indicate to clients that the server is not using UTF-8 encoding. By specifying an absolute file path in the secondary location. In addition. see System variables. and then click Edit.Chapter 3: Server l Use UTF-8 encoding for all sent and received paths and file names: By default. Information On the Information page. such as when sending a directory listing. It also sends all file names and paths as UTF-8 encoded strings. The contents of a message file are sent along with the standard FTP response. Editing FTP commands and responses To edit FTP Commands.

Where available. allowing FTP clients to obtain large directory listings with a single command. clients may request excessively large directory listings using the -R parameter to the LIST and NLST commands. The following FTP commands can be used for specifying a message file: l CDUP l CWD l QUIT Managing Recursive Listings Serv-U supports recursive listings by default. edit the response to the STOR command to include a report about available space. recursive listings can be disabled by using the Allow client to specify recursive directory listings with -R parameter option. the 226 (command successful) response to the STOR command (which stores files on the server) is the following: 109 . To do this. If performance in Serv-U is impacted by users requesting excessively large listings. the configuration option is described in detail in the Management Console. In some cases. By default. The following FTP commands contain advanced configuration options: l LIST l MDTM l NLST Case file: Custom FTP command response Users connecting to the server need to know how much quota space is available in a given folder when they have completed a transfer. Advanced Options Some FTP commands contain advanced configuration options that offer additional ways to configure the behavior of the command.Configuring FTP settings you can ensure that each user receives a message file.

their updated quota value. Configuring encryption Serv-U supports two methods of encrypted data transfer: Secure Socket Layer (SSL) and Secure Shell 2 (SSH2).Chapter 3: Server Transfer complete. In the case that multiple encrypted domains are created that share listeners. SSH. Remaining storage space is $QuotaLeft. $TransferKBPerSecond KB/sec. is displayed. $TransferKBPerSecond KB/sec. Encryption options specified at the server level are automatically inherited by all domains. This can be done for any FTP command response. If you do not have either of these required files. $TransferBytes bytes transferred. When creating SSL/TLS. a private key. SFTP does not have anything in common with the FTP protocol itself. you can create them in Serv-U. $TransferBytes bytes transferred. showing an increase in available space. The same can be done for the DELE command. SSL is used to secure the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). Despite its name. Modify this to include an extra variable in the following way: Transfer complete. In order for each method of encryption to work. each domain must have unique listeners in order to operate properly. it is important to know that encrypted domains cannot share listeners. SSH2 is a method of securely interacting with a remote system that supports a method of file transfer commonly referred to as SFTP. so that every time a user deletes a file. the 110 . a certificate. while SSH2 only requires a private key. Certain configuration options are only available to the server. The last sentence shows the user how much storage space is left at the end of each file upload. SSL requires the presence of both. Because SSL/TLS and SSH encryption is based on encrypting traffic sent between IP addresses. and HTTPS encrypted domains within Serv-U. or both must be supplied. Any encryption option specified at the domain level automatically overrides the corresponding server-level option.

Obtain an SSL certificate and private key file from a certificate authority. If a CA (Certificate Authority) PEM file has been issued. 5. Click Create Certificate. Click Save. Place these files in a secured directory in the server. 4. In most cases. 3. 4. If the password is incorrect or Serv-U cannot find either of the provided files. an error message is displayed that explains the encountered error. Serv-U starts to use the certificate immediately to secure FTPS and HTTPS connections using the provided certificate. Use the appropriate Browse button to select both the certificate and private key files. 6. 2. Specify the state (if applicable) in which the server or corporation is located. modify the listeners of each domain to ensure they listen on unique port numbers. 111 . 3. the installation directory is a safe location (for example. Specify the Certificate Set Name that is used to name each of the files Serv-U creates. and causes other encrypted domains to fail to function properly. Enter the password used to encrypt the private key file. enter or browse to the file. Specify the city in which the server or corporation is located. Configuring SSL for FTPS and HTTPS To use an existing certificate: 1. To create a new certificate: 1. 2. If the provided file paths and password are all correct. To operate multiple encrypted domains. C:\ProgramData\RhinoSoft\Serv-U\). 5.Configuring encryption domain that is created first takes precedence. Specify the output path where the created files are to be placed.

Viewing the certificate To view the SSL certificate when it is configured. Specify the common name of the certificate. All identifying information about the certificate. 9.Chapter 3: Server 6. a certificate request (. clients may be prompted that the certificate does not match the domain name they are connecting to. Advanced SSL options The advanced SSL options can only be configured at the server level. If your private key is compromised. and a private key file (.key) that is used to secure both certificate files. your certificate can be used by malicious individuals.csr) that can be provided to a certificate authority for authentication. Specify the key length in bits. 7. Specify the full organization name. Note: If the Common Name is not the IP address or FQDN used by clients to connect. Serv-U creates three files using the provided information: A self-signed certificate (. Specify the business unit the server is located in. 11.crt) that can be used immediately on the server but is not authenticated by any known certificate authority. including the dates during which the certificate is valid. Specify the two-digit country code for the country in which the server or corporation is located. 10. 8. which cannot be individually overridden. All domains inherit this behavior. 112 . It is extremely important that you keep the private key in a safe and secure location. Click Create to complete the certificate creation. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect must be listed here. are displayed in a new window. click View Certificate. 12. Specify the password used to secure the private key.

it may be necessary to support SSLv2 or SSLv3 for compatibility with exported clients or old client software. and GCM cipher suites where encryption and authentication are native rather than two discrete operations.2. SEED. Serv-U also supports other cipher suites which enable perfect forward secrecy (PFS). You can configure the following among the advanced SSL options: l Enable low-security SSL ciphers: Select this option to enable low-security SSL ciphers to be used.2.1 or TLSv1. including Camellia. higher levels of SHA. TLSv1. Select the relevant option to disable support for the SSLv2 or SSLv3 protocols. Because these ciphers are considered insecure by today's computing standards.2 support: For compatibility reasons.2 is disabled. If you disabled SSLv2.Configuring encryption Serv-U now supports TLSv1. changing a setting here has no effect. TLSv1. To enable or disable specific cipher suites.0. l l Disable SSLv2 or SSLv3 support: Serv-U supports several different versions of SSL. and 15 new cipher suites. You can configure the following cipher suites: l l l TLSv1. 113 . it may be necessary to disable certain versions of TLS. Select the relevant option to disable support for TLSv1. click Configure Cipher Suites. Some older or international clients may not support today's best SSL ciphers. If TLSv1. Serv-U does not accept these ciphers by default.2.2 only cipher suites: Cipher suites used only by TLSv1.x and SSLv3 cipher suites: Cipher suites used by SSLv3 and all versions of TLSv1. SSLv2 and SSLv3 have documented security weaknesses that make it less secure than TLS. SSLv2 cipher suites: Cipher suites used only by SSLv2. Disable TLSv1. TLSv1.1 or TLSv1. changing a setting here has no effect. However.0.1 and TLSv1.

SFTP (Secure File Transfer over SSH2) To use an existing private key: 1. for example. the OpenSSL library of Serv-U will run in FIPS compliant mode. Obtain a private key file. SSH. the recommended workflow is to first enable FIPS mode. If you disabled low security ciphers. By enabling FIPS mode. 2. may stop working correctly when FIPS mode is enabled.Chapter 3: Server l Low security cipher suites: Cipher suites that are considered to be insecure for modern cryptographic use. changing a setting here has no effect. To avoid these issues. see the NIST website. For the list of encryption algorithms and ciphers compliant with FIPS. In practice it means that older hardware and legacy applications which have embedded support for. Additionally. FIPS options Enable FIPS 140-2 mode: FIPS 140-2 is a set of rigorously tested encryption specifications set by the National Institute of Standards and Technology (NIST). non-compliant SSH keys and certificates stop working after enabling FIPS mode. Enabling FIPS 140-2 mode limits Serv-U to encryption algorithms certified to be FIPS 140-2 compliant and ensures the highest level of security for encrypted connections. but may be required for legacy applications. and applications which are not FIPS compliant cannot connect to ServU. Use Browse in Serv-U to select the file. Place the private key file in a secured directory in the server. 114 . ciphers which are not FIPS compliant are not accepted. and then configure your security certificates and SSH private keys to make sure they are FIPS compliant. When FIPS 140-2 mode is enabled.

C:\ProgramData\RhinoSoft\Serv-U\). Select the Key Type (default of DSA is preferred. 2. Serv-U displays the SSH key fingerprint associated with the private key. 2048 bits is a good median. Basic branding (custom logo and limited text changes) is also available. To create a private key: 1. Select the Key Length (default of 1024 bits provides best performance. 4. and 4096 bits provides best security). 4. MyDomain Key). Serv-U displays the SSH key fingerprint associated with the new private key. Using custom HTML You can use custom HTML for the HTTP and HTTPS login pages of Serv-U. Enter the output path of the certificate (for example. Click Save. Enter the password for the private key file. 6. For more information. 115 .Using custom HTML 3. which is also used to name the storage file. 3. 5. Click Create Private Key. 7. Enter the password to use for securing the private key file. all supported SSH ciphers and MACs (Message Authentication Codes) are enabled for use by the server. web developers can design their login experience to show off their exclusive brand and design the page to match existing business themes. After clicking Save. If your specific security needs dictate that only certain ciphers or MACs can be used. Enter the name of the private key (for example. After you create a new key. but RSA is available). By using this feature. SSH ciphers and MACs By default. you can individually disable unwanted ciphers and MACs by deselecting the appropriate ciphers or MACs. see Domain settings.

Chapter 3: Server By using the custom HTML feature. containers. The custom HTML interface also uses a CSS file which defines the style used in the login form. including all images. the header file. containers. and the CSS file. 116 . This CSS file can also be used to define custom CSS styles. Several branding samples are automatically unpacked to your installation folder (for example. the footer file. The main login form is automatically inserted between the content defined in the header file and footer file. C:\Program Files\RhinoSoft\Serv-U\Custom HTML Samples) when Serv-U is installed. The following fields are used by the Custom HTML feature: l Custom HTML Container Directory: This directory contains all of the files used by the custom HTML. Subdirectories in this folder are allowed. you can provide a custom header and custom footer for the HTTP and HTTPS login page.HTM file contains the content for the HTML header that is inserted before the login form. and other formatting that is used throughout the header file and footer file. and also the styles that will be used by the login form. and other CSS formatting as needed. l l CSS File: This .CSS file contains all the styles. Serv-U KB #2054 has step-by-step instructions to explore the current set of samples and build your own branding. Header File: This .

Most custom HTML interfaces include custom images. To enable file sharing: 1. To send file sharing invitation emails. The tag is used in the following way: <img src="/%CUSTOM_HTML_DIR%/images/image. Type the location of the file sharing repository. because the path only has to be defined once in the Custom HTML Container Directory field. For more information about file sharing. Navigate to Server Limits and Settings > File Sharing. 4. Select the number of days until the shares expire. Enable Custom HTML: The custom HTML is not used by Serv-U until this option is enabled.Using file sharing l l Footer File: This . use of the %CUSTOM_HTML_DIR% tag in paths that refer to images. To use custom images. To universalize the storage location.png" alt="My Image"> Using file sharing By using the file sharing feature. domain users can send or receive files from guests. see the Serv-U Web Client and File Sharing User Guide. Type the address for the domain URL. This configuration only needs to be set once for the entire server or a domain. This has the further benefit of avoiding changes to HTML when the container storing the HTML files and images is changed. you must configure your SMTP settings. the storage location of the images must be specified. 3. 117 . Note: File sharing is disabled by default. You must select the relevant option to enable it. 2.HTM file contains the content for the HTML footer that is inserted after the login form.

Click Save. Depending on the type of connection made by that session (for example. Select whether you want to use the inherited default email invitation subject. or customize your own. If it is not configured yet. When you view the Sessions page while you are administering a domain. all connected sessions from all domains are displayed. If the option is deselected. connection state. see Configuring SMTP settings. 9. In addition. If the option is deselected.Chapter 3: Server 5. and transfer information. or customize your own. configure your SMTP to be able to send and receive notification emails. This information is frequently updated to provide an accurate and up-to-date snapshot of the activities of the session. Server activity The Server Activity > Sessions and Domain Activity > Sessions pages display the current file server session activity. 6. you can view individual sessions. including their current status. When you view the Sessions page from the server. The Active Session Information group is populated with the details of the currently highlighted session. For more information about configuring an SMTP server. 7. FTP. select the session. certain additional functions are available. you can type in a custom email invitation subject. you can type in a custom message. From this page. To view detailed information about a specific session. or SFTP). Select Enable File Sharing. Disconnecting sessions You can disconnect any type of session at any time by clicking Disconnect. only the current sessions of the particular domain are displayed. Select whether you want to use the inherited default email notification message. Click 118 . you can see an overall picture of the current activity on the file server. 8. HTTP.

preventing the client from immediately reconnecting. This way you can browse the log and view all actions taken by the user of the session. If the current session is using the FTP protocol. preventing the client from ever reconnecting from the same IP address. This option is not available for HTTP or SFTP sessions because neither protocol defines a method for chatting with users. Using the spy & chat function You can spy on any type of session by clicking Spy & Chat or by double-clicking a session in the list. you can also disable the user account in use by the session by selecting Disable user account. Another session can be immediately established by the disconnected client. 119 . When disconnecting a session from the Server Session view. Disconnect and block IP permanently: Immediately disconnects the session and adds a deny IP access rule for the IP address. you can send a message to the user before disconnecting them by typing it in the Message to user field. and also includes a complete copy of the session log since it first connected to the file server. In addition to disconnecting the session. The following disconnect options are available: l l l Disconnect: Immediately disconnects the session. you can select where you want the temporary or permanent IP ban to be applied: for the entire server. This is also known as "kicking" the user.Using the spy & chat function this button to bring up another window with additional options for how the disconnect should be performed. Disconnect and ban IP for x: Immediately disconnects the session and bans its IP address for the specified number of minutes. Spying on a user displays all the detailed information normally visible by highlighting the session. you can also use the Apply IP rule to option. By using this option. or only the domain the session is connected to.

the client application must be capable of receiving unsolicited responses from the server instead of discarding them. it is automatically displayed here. Server and domain statistics The Server Activity > Statistics and Domain Activity > Statistics pages show detailed statistics about the use of the server for use in benchmarking and records keeping. If this is the case. Canceling sessions If a session is performing a file transfer. and then click Send. The displayed information includes the following details: 120 . you can cancel the file transfer without disconnecting the session by clicking Abort. Note: Not all FTP clients support chatting with system administrators. Some clients. The Chat group shows all messages sent to and received from the session since beginning to spy on the session. When a message is received from the session. Statistics viewed at the server level are an aggregate of those accumulated by all domains on the server. Broadcasting messages You can send a message to all currently connected FTP sessions by clicking Broadcast. may automatically restart the canceled transfer. Statistics viewed for an individual domain are for that domain only. The command used to send a message to the server is SITE MSG. After confirming the command. making it appear that the cancellation failed. especially FTP and SFTP clients. try disconnecting the session instead.Chapter 3: Server If the current session is using the FTP protocol. additional options are available for chatting with the user. To send a message to the session. the current file transfer for that session is terminated by the server. type the message text in the Message Content field. Sending a message through broadcast is equivalent to opening the Spy & Chat window to each individual FTP session and sending it a chat message. In order for a client to receive messages.

Login statistics differ from session statistics because they apply to a login (providing a login ID and password) as opposed to connecting and disconnecting. Login statistics These statistics can apply to either a domain or the entire server depending on the statistics currently being viewed. Longest Session The longest recorded time for a session. 24 Hrs Sessions The number of sessions that have connected in the past 24 hours. Average Duration Logged In The average login time for all sessions. This is not the last time a connection was made. Highest Num Sessions The highest number of concurrent sessions that has been recorded since being placed online. Total Sessions The total number of sessions that have connected since being placed online. Last Login Time The last recorded valid login time. 121 . Average Session Length The average length of time a session has remained connected.Server and domain statistics Session statistics Current Sessions The number of sessions currently connected. Logins The total number of successful logins.

Statistics viewed for a user or group are for that user or group only. Transfer statistics Download Speed The cumulative download bandwidth currently being used. Average Upload Speed The average upload bandwidth used since being placed online. User and group statistics The User and Group Statistics pages show detailed statistics based on individual user or group activity. The displayed information includes the following details: 122 . and number of files. Uploaded The total amount of data. and number of files. uploaded since being placed online. Upload Speed The cumulative upload bandwidth currently being used.Chapter 3: Server Last Logout Time The last recorded valid logout time. downloaded since being placed online. Most Logged In The highest number of users logged in concurrently. Average Download Speed The average download bandwidth used since being placed online. Downloaded The total amount of data. Currently Logged In The number of sessions currently logged in.

depending on the statistics currently being viewed.User and group statistics Session statistics Current Sessions The number of sessions currently connected. Last Logout Time The last recorded valid logout time. Session Length The average length of time a session has remained connected. Login statistics These statistics can apply to either a user or a group of users. Highest Num Sessions The highest number of concurrent sessions that has been recorded since being placed online. Avg. Total Sessions The total number of sessions that have connected since being placed online. Last Login Time The last recorded valid login time (not the last time a connection was made). Login statistics differ from session statistics because they apply to a login (providing a login ID and password) as opposed to connecting and disconnecting. 24 Hrs Sessions The number of sessions that have connected in the past 24 hours. Logins The total number of successful logins. 123 . Longest Session The longest recorded time for a session.

uploaded since being placed online. Average Download Speed The average download bandwidth used since being placed online. 124 . Shortest Login Duration Seconds The shortest amount of time a session was logged in. Longest Duration Logged In The longest amount of time a session was logged in. and number of files.Chapter 3: Server Logouts The total number of logouts. Average Duration Logged In The average login time for all sessions. Transfer statistics Download Speed The cumulative download bandwidth currently being used. Most Logged In The highest number of simultaneously logged in sessions. Downloaded The total amount of data. Currently Logged In The number of sessions currently logged in. Upload Speed The cumulative upload bandwidth currently being used. Average Upload Speed The average upload bandwidth used since being placed online. downloaded since being placed online. and number of files. Uploaded The total amount of data.

configuration. and shutdown information. The information contained in the server log is also saved to a text file located in the installation directory that is named Serv-U-StartupLog. In addition to status information about libraries. This is useful on busy systems so you can highlight and copy a particular section of the log before it scrolls out of view. the server log also contains information about all domain listener status. see Configuring domain logs. and the current build that is logged when the file server first starts. Universal Plug-and-Play (UPnP) status information. To save statistics to a file. deselect the 125 . Freeze Log Select this option to temporarily pause the refreshing of the log. When it is highlighted.Server and domain log Save Statistics User and group statistics can be saved directly to a CSV file for programmatic analysis and review. This includes the status of the listeners of the domain. licensing. Server and domain log The Server Activity > Log and Domain Activity > Log pages show logged activity for the server or domain. and PASV port range status. and any configured activity log information. When you have finished. It does not show domain activity information. This file is replaced each time the Serv-U File Server is started. view the log of the appropriate domain instead.txt. first select the user or group you want to generate a statistics file for. You can highlight information contained in the log by clicking and dragging the mouse cursor over the appropriate portion of the log. For more information about the types of activity information that can be placed in the domain log. you can copy the selected portion to the clipboard. For activity logs. The server log shows file server startup. and then click Save Statistics at the bottom of the page. The domain log contains information about and activity pertaining to the currently administered domain only.

or it begins to download the file automatically. Only log information received after clicking the button is displayed. Clicking this shows the legend in a draggable dialog. you can filter it based on a search string. Drag the legend dialog to a convenient location so you can use it for reference while you browse the log. open the Filter Log window. each different type of logged message is color-coded for quick identification. click Download Log. If you have permission to download the file. click this button to erase the currently displayed log information. Select All Click this button to automatically freeze the log and highlight all currently displayed log information so you can copy it to the clipboard. Provide a search string. Download Log To download the full log file from Serv-U. and then click Filter to refresh the log to only display log entries containing the search string.Chapter 3: Server option to resume the automatic updating of the log. To view the entire contents of the log again. Clear Log When the log has become too large for you to view at once. Legend To make viewing the different components of the log easier. and then click Reset. your web browser prompts you to choose a location to save the file. Click this button to bring up the Filter Log window. 126 . Filter Log To quickly find and read through specific sections of the log.

a Serv-U domain is a set of user accounts and listeners that allow users to connect to the server to access files and folders. Serv-U supports any number of domains on the file server. With careful advanced planning. After you change the 127 . Domains can share listeners. Serv-U domains can also be configured further to restrict access based on IP address. At the most basic level.Chapter 4: Domain At the core of the Serv-U File Server is the Serv-U domain. Virtually every setting available at the server level can be overridden for each individual domain. you can specify an acceptable level of default options at the server level to minimize the amount of configuration required for a domain. and then select one of the available options. click the domain name in the accordion menu on the left. see Serv-U editions. or they can each be hosted on a unique IP address if the system has multiple IP addresses. To change the active domain. For more information about the different editions of Serv-U. you are prompted to create your first domain using the New Domain Wizard. If it is supported by your license. However. the maximum number of domains that can be created on an installation is dictated by the license. When you run a new installation of the Serv-U File Server for the first time. see the Quick start guide. and more. you can create new domains at any time by clicking + (New Domain) in the Management Console. Follow the instructions on each page of the wizard to create your first domain. limit bandwidth usage. Managing domains The domain that you currently manage is always displayed in the header of each page next to the + (New Domain) button. enforce transfer quotas. For more information about creating domains.

an error message is displayed. select Enable domain. This field is useful for describing the purpose of the domain or summarizing the resources made available by the existence of the domain on the file server. Like the domain name. The domain name is used purely for administrative purposes and is not visible or accessible to users. The domain still exists on the file server. The home directory of the domain does not affect user directory access rules. Configuring domain details Domain name and description Each domain must be uniquely identified with a domain name. and you can still administer it while it is disabled. all settings are preserved. After making changes to any of the previous domain settings. If you provide a name that is not unique. To delete a domain and all of its users and groups. indicating that a unique name is required for each domain. To make the domain accessible to users again. the description text is also only available to users with administrative access. in order to calculate the amount of disk space in use by a domain. click Save to apply the changes. and then click Delete Domain. You can temporarily disable a domain by clearing the Enable domain option. the domain is inaccessible to all users. In addition. you must specify the root directory 128 . Warning: This action cannot be undone. and it does not restrict the paths that are available to a user in any way.Chapter 4: Domain active domain. navigate to Domain > Domain Details. However. the current page is automatically reloaded to reflect the settings of the new active domain. Domain home directory You can limit the disk space available to a domain by configuring a home directory for the domain and specifying a maximum size. While disabled. you can associate additional descriptive information to each domain through the description.

To offer services to both IPv4 and IPv6 users. It normally operates on the default port 21. edit. available to the domain in the Maximum Size field. Click Save to apply the changes. you must also select a file sharing protocol. create a listener both for an IPv4 address and an IPv6 address. FTP is handled in plain-text.File Transfer Protocol FTP is the traditional protocol for transferring files over the Internet. which ensures that all users of the domain are placed in a subdirectory of the home directory of the domain. in megabytes (MB). Note: Calculating the amount of disk space in use by a domain can be a time consuming operation depending on the directory structure. Serv-U supports IPv4 and IPv6 simultaneously. You can add. When you create a domain administrator account for this domain. enter a path in the Domain Home Directory field. FTP . When a limit is imposed. In addition to selecting these connection attributes for a listener. To specify the domain home directory. The following section contains the list and short description of the file sharing protocols supported by the Serv-U File Server. Each domain can listen on multiple ports and IP addresses by adding a listener bound to the IP address and port you want. Traditionally. however. Configuring domain listeners The Serv-U File Server offers a highly configurable interface for enabling the different file sharing protocols on a domain. 129 . Leaving this field blank or entering "0" does not impose a maximum size on the domain. or click Browse to select a path. SSL connections are explicitly supported through the use of the AUTH command. Enter the amount of disk space. any upload that would cause this maximum size to be exceeded is rejected by the server. it is suggested that their home directory be the same.Configuring domain listeners under which Serv-U expects all domain files to be stored. and delete listeners.

SFTP operates on the default port 22. One benefit to adding an HTTP listener to a domain is the availability of the Web Client. After configuring each of the listener options. Each 130 .File Transfer Protocol using SSL FTPS is identical to FTP. This is commonly referred to as Implicit FTPS. HTTP traditionally operates on port 80. It is also a simple method for downloading and transferring files.Hypertext Transfer Protocol HTTP is the protocol used to browse websites. The default port for HTTPS is 443. Adding a listener After clicking Add. Type Select the file sharing protocol that is to be supported by this listener. Like FTPS. click Save to add the listener to the domain. a secure connection is implied when connecting to a listener running the HTTPS protocol. connecting to a listener configured for FTPS means that an SSL connection is required before any protocol communication is performed.Secure File Transfer Using SSH2 SFTP is a secure method of transferring files through a secure shell session. the listener configuration window is displayed. The following section contains the list and short description of the options you can configure for a listener. which normally takes place on the default port 990. SFTP sessions are always encrypted. HTTPS .Hypertext Transfer Protocol using SSL HTTPS is identical to HTTP except all communications are secured using SSL. It performs all protocol communications and data transfers over the same port eliminating the need to open multiple ports in firewalls as is commonly required when using FTP. HTTP . SFTP . which allows users to transfer files to and from your file server without the need for a standalone client.Chapter 4: Domain FTPS . however.

create new listeners for each protocol. IP Address You can bound a listener to a single IP address by entering the IP address here. A brief description of the supported file sharing protocols is found in the previous section. If you do not specify an IP address. it is recommended to use IPv4 addresses and add IPv6 listeners as needed. PASV IP Address or Domain Name (FTP ONLY) If the listener supports the FTP protocol. you can leave this field blank. Serv-U resolves the DNS domain name to ensure it always has the proper external IP address for PASV command responses. Use only with SSL connections This option allows the PASV IP address or domain name to only be used for SSL connections where it is always necessary to provide the PASV IP address to connecting clients. Use with LAN connections Normally. you must select the option to either listen on all available IPv4 addresses or all IPv6 addresses. this additional field is available where you can specify a separate IP address to use for PASV mode data transfers. Unless you are running a purely IPv6 network. Serv-U supports both IPv4 and IPv6 addresses. When this option is enabled. Entering an IP address here ensures that PASV mode works properly on both unsecured and secured connections. If the file server does not have an external IP address. Serv-U does not use the PASV IP address for connections coming from the local area network (computers on the same network as 131 . If the file server does not have an external IP address (for example. the IP address specified for PASV mode will not be provided to clients connecting through non-SSL FTP. try using a dynamic DNS service and entering your DNS domain name in this field. it is behind a router).Configuring domain listeners listener can only support a single protocol. To add more file sharing protocols to the domain.

the browser automatically handles providing the necessary host header to Serv-U based on the domain name that is used to establish the HTTP connection. Using pure virtual domains Serv-U supports the ability for multiple domains to "share" the same listeners. When they are disabled. Port The default port for the selected protocol is automatically provided. In this way. 132 . For more information. For FTP connections. If you use a non-standard port. one domain can possess the necessary listener configurations while the other domain "piggybacks" on the first one. When this option is enabled. This method of "piggybacking" only works with the FTP and HTTP protocols because they are the only two file sharing protocols that specify a method for identifying the specific host after a connection is established. it is recommended that you use a value above 1024 to prevent potential conflicts. see Using virtual hosts. the client must issue a HOST command to identify the specific domain. you can use any port between 1 and 65535. the second domain exists in a virtual way. To have a domain "piggyback" on the listener configurations of existing domains. the PASV IP Address is also used for LAN connections. However. For HTTP connections. clients must know the proper port in advance when they attempt to connect to the domain. In other words. listeners are displayed with a different icon in the list. The "piggybacking" domain needs to have at least one virtual host defined for it. Enable listener You can temporarily disable a listener by deselecting this option. leave the listener list blank for the domain.Chapter 4: Domain Serv-U). When using a nonstandard port.

The virtual host name is usually the fully qualified domain name used to connect to the domain. such as ftp. The virtual host name is entered first. SFTP SFTP users who want to connect to a specific virtual host must use the specially crafted login ID format as described in the FTP section.com. and then type the virtual host name for the domain. Normally. followed by the vertical bar character ('|'). FTP FTP users can use one of two methods to connect to a specific virtual host.Using virtual hosts Using virtual hosts Virtual hosts provide a way for multiple domains to share the same IP and listener port numbers. Otherwise. allowing Serv-U to identify the virtual host from the fully qualified domain name entered into the navigation bar of the browser. then the login ID. The method used by a client to connect to a specific virtual host depends on the protocol that is used to connect to Serv-U. The domains can share the same listeners by proper implementation of virtual hosts. you can host multiple domains on a system that only has one unique IP address without having to use non-standard port numbers. the HOST command can be issued to Serv-U before login to identify the virtual host. This feature is only available when the current license supports hosting multiple domains.Serv-U. If it is supported by the FTP client. click Add under Domain Details > Virtual Hosts. the browser automatically provides Serv-U with the host name that is used to reach the site. the virtual host can be provided with the login ID in the following format: virtual_host_name|login ID. By using virtual hosts. HTTP For HTTP users. To configure virtual hosts for a domain. each domain listener must use a unique IP address and port number combination. 133 .

Because users connecting to both domains must use port 21 for connections. specific rules can be placed at the top to allow or deny access before a more general rule is applied later on in the list. In this way. users can connect to this domain by visiting http://ftp.com.Serv-U. and wildcards made up of the following elements: xxx Stands for an exact match. IP access rules can be configured at the server. If connecting through HTTP. The arrows on the right side of the list can be used to change the position of an individual rule in the list. Specifying IP access masks IP access rules use masks to authorize IP addresses and domain names. or a domain name.com|login ID. shorthand).0 (IPv4). The masks can contain specific values. After connecting to the server with FTP. ranges of IP addresses.Serv-U.0.com command to connect to the appropriate domain on the File Server. fe80:0:0:0:a450:9a2e:ff9d:a915 134 . After setting up the same listener properties on each domain. users can send a HOST ftp. domain. IP access rules are applied in the order they are displayed. group. click Add. FTP and SFTP users can also identify the virtual host through their login ID of ftp. which has one IP address and two Fully Qualified Domain Names (FQDN) pointing to it. and then type the FQDN that clients should use to connect to the domain (such as ftp.2.com). (IPv6. open the Virtual Hosts page. configure virtual hosts on each domain so that Serv-U can distinguish between requests for the two domains. long form) or fe80::a450:9a2e:ff9d:a915 (IPv6.Chapter 4: Domain Case File: Using virtual hosts Multiple domains are being configured on the same server. such as 192. ranges.ServU. Server details IP access rules restrict login access to specific IP addresses. and user levels.Serv-U.

*) and /24 (for 1. CIDR notation also works with IPv6 addresses. Implicit deny all Until you add the first IP access rule.0.*.Server details xxx-xxx Stands for a range of IP addresses.*.*. Caveats Specific IP addresses listed in Allow rules will not be blocked by anti-hammering.0-19 (IPv4).*) at the end of your IP access rule list. make sure you add a 'wildcard allow' rule (such as Allow *. Matching all addresses Use the *. * Stands for any valid IP address value. or fe80::a450:9a2e:ff9d:a915-a9aa (IPv6. These IP addresses are whitelisted. such as server?. such as 192. ? Stands for any valid character when specifying a reverse DNS name. shorthand).*).* mask to match any IPv4 address. connections from any IP address are accepted.0-255. After you add the first IP access rule. With this in mind.2.*). or fe80::a450:9a2e:ff9d:*.0. which is analogous to 192. However. / Specifies the use of CIDR notation to specify which IP addresses should be allowed or blocked. add Allow 135 . fe80:0:0:0:a450:9a2e:ff9d:a915-a9aa (IPv6.*. such as 2001:db8::/32.2.*.*.example. such as 192. long form). all connections that are not explicitly allowed will be denied. This is also known as an implicit 'Deny All' rule.*.3. If you use both IPv4 and IPv6 listeners.2.*. addresses matched by a wildcard or a range will be subject to anti-hammering prevention. Common CIDR blocks are /8 (for 1.com. which is analogous to fe80::a450:9a2e:ff9d:0-ffff.2.0.2. /16 (for 1. Use the *:* mask to match any IPv6 address.

Rule use during connection The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. blocked IP addresses appear in the domain that contains the listener. you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address. Anti-hammering You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain. even if anti-hammering is configured at the server level. This can cause a slight delay during login. Serv-U performs either a reverse DNS lookup or DNS resolution to apply these rules. 136 . depending on the speed of the DNS server of the system.Chapter 4: Domain ranges for both IPv4 and IPv6 addresses. Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server. IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. You can configure an anti-hammering policy server-wide in Server Limits and Settings > Settings and domain-wide in Domain Limits and Settings > Settings. If you create a rule based on a domain name or reverse DNS. If you have multiple domains with different listeners. DNS lookup If you use a dynamic DNS service. Server and domain level IP access rules are applied before the welcome message is sent. Blocked IP addresses do not appear in the server IP access list. You can also specify reverse DNS names.

Using the sort mode By using the sort mode. You can unblock any blocked IP early by deleting its entry from the list. disable this option. 137 . IP access list controls The following section contains a description of the options that are available on the IP Access page. Displaying the IP access list in sort mode does not change the order in which rules are processed. To view rule precedence. you can sort the IP access list numerically rather than in the processing order.Server details The Expires in value of the blocked IP counts down second by second until the entry disappears. Viewing the IP access list in numerical order can be a valuable tool when you review long lists of access rules to determine if an entry already exists.

0. and the server by using a text-based CSV file. Allow Set this value to 0 for Deny.2. and then specify the path and the file name you want to save the list to.2. or to 1 for Allow. IP range. To export IP access rules.2. click Export. The related Serv-U access rule should be Allow 192.2. view the list of rules to export.*. CIDR block.192.*.0-24.0. and these should both be added to either the 138 .0.0.24.0. except from a bank of special internal computers in the IP address range of 192. and it should be added to either the contractor's user account or a Contractors group that contains multiple contractors. followed by Allow *. Examples The following sections provide examples about the usage of IP address rules. Case File: Office-only access A contractor has been hired to work in the office. and only in the office. groups. Case File: Prohibited computers Users should normally be able to access Serv-U from anywhere. Office workstations have IP addresses in the range of 192.2.Chapter 4: Domain Importing and exporting IP access rules You can export and import Serv-U IP access rules from users.0 192. domains. The related Serv-U access rules should therefore be Deny 192. or domain name for which the rule applies. Description A text description of the rule for reference purposes.*. click Import and select the file that contains the rules you want to import. To import IP access rules.0. The CSV file must contain the following fields. including the headers: IP The IP address.024. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list.0 .2.24.

and then click Save. Because Serv-U uses one set of table names to store its information. With these options selected. but you can use any database that has an ODBC driver available. Case File: DNS-based access control The only users allowed to access a Serv-U domain will be connecting from *. SolarWinds recommends MySQL. Enter the Data Source Name (DSN). and these should both be added to the domain IP access rules.Case File: DNS-based access control domain or the server IP access rules. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list. perform the following steps: 1.example1. Create an ODBC connection for Serv-U to use. the server as well as each domain must have a unique ODBC connection to ensure they are stored separately. 139 . the Serv-U File Server builds the database tables and columns automatically.example. or a User DSN if Serv-U is operating as a regular application.com. To configure a database.com or *. Use a System DSN if Serv-U is operating as a system service.example1. In other words. 2.example. leave the Automatically create options selected. Open the Serv-U Management Console and browse to the appropriate domain or server database settings. The related Serv-U access rules should therefore be Allow *. individual ODBC connections must be configured for each item which stores details in the database. If you configure the database connection for the first time. You can configure the ODBC connections in two locations: Domain > Domain Details > Database and Server > Server Details > Database. and the password. the login ID.com and Allow *. Serv-U can automatically create all of the tables and columns that are necessary to begin storing users and groups in the database.com in any order. Configuring database access Serv-U enables the use of an ODBC database to store and maintain group and user accounts at both the domain and server levels.

the table is accessed as needed. Do not edit these queries unless you are comfortable constructing SQL statements and are positive that it is necessary to enable ODBC support with your database software. if your database have problems working with Serv-U. The Mapped Database Value displays the name of the column that attribute is mapped to in the database. you must customize the table and column names to conform to the existing database structure. if you want to connect Serv-U to an existing database which contains this information.Chapter 4: Domain Using SQL templates Serv-U uses multiple queries to maintain the databases that contain user and group information. However. In special situations a table that is not being used can be disabled to reduce the number of ODBC (database) 140 . Serv-U stores information for a user or group in 10 separate tables. In the SQL Templates window. You can change the current table in the Object Table list. The Attribute column lists the attributes that are stored in the current table. These queries conform to the SQL language standards. you can modify each query used by Serv-U to conform to the standards supported by your database. Certain tables where the order of the entries is important have a SortColumn attribute listed. The first row displays the "TableName" and can be used to change the name of the table. Click Edit or double-click the column name to edit a value. When enabled. Warning: Incorrectly editing these SQL queries could cause ODBC support to stop working in Serv-U. Only the User/Group Info Table and User/Group Dir Access Table are required. This column is used to store the order in which rules are applied. Serv-U automatically creates and maintains the tables and columns that are necessary to store user and group information in a database. However. you may need to alter these queries. Using user and group table mappings By default. Click User Table Mappings or Group Table Mappings to get started.

For example. login ID and password. because the fields will appear in dialogs. The User Info and Group Info tables cannot be disabled. Creating data source names in Linux Database access in Serv-U on Linux follows the same method as Serv-U on Windows. ServU creates the tables and columns transparently.Configuring database access calls. if you do not use ratios and quotas. accounts can be managed from outside the Serv-U Management Console through scripted database operations which can be built into many existing account provisioning systems. allowing for scripted account management and maintenance. On Linux. A DSN must first be created in Control Panel > Administrative Tools > ODBC Data Sources. Per User Files Ratio. Per Session Files Ratio. To use ODBC functionality. and then click Save. you can disable the User Ratio-Free Files. specify the data source name. Use caution when you disable tables. You can manage database users and groups in the Database Users and Database Groups pages of Serv-U. Use a System DSN if Serv-U is running as a service or a User DSN if Serv-U is running as an application. After you created the appropriate DSN. you can create a DSN after installing the following packages: l mysql-connector-odbc l postgressql-odbc l unixodbc 141 . Case file: ODBC authentication Authentication in the Serv-U File Server can be handled through an ODBC database. migrate to ODBC authentication through a database. By storing credentials in settings in a database. but they will not be saved or loaded. and Per Session Bytes Ratio tables to prevent unnecessary ODBC calls. with the one change in how data source names are created. Per User Bytes Ratio. located near the normal Users and Groups pages.

the next step is to edit the /etc/odbc. test the DSN by using the isql %DSN% -c -v command.ini file instead.ini file.Chapter 4: Domain Only the ODBC driver corresponding to the database needs to be installed. 142 .log Database = YOURDATABASE Servername = YOURIPADDRESS UserName = USERNAME Password = PASSWORD Port = 5432 Protocol = 6. For further customization options.4 ReadOnly = No RowVersioning = No ShowSystemTables = No ShowOidColumn = No FakeOidIndex = No ConnSettings = Adjust the names in brackets to the DSN name string you want. edit the ~/odbc. Finally. If Serv-U is running as an application. which contains all system-level DSNs. see the Serv-U Database Integration Guide. If Serv-U is running as a service. and then enter the parameters as follows: [MySQL-test] Description = MySQL test database Trace = Off TraceFile = stderr Driver = MySQL SERVER = YOURIPADDRESS USER = USERNAME PASSWORD = PASSWORD PORT = 3306 DATABASE = YOURDATABASE [PostgreSQL-test] Description = Test to Postgres Driver = PostgreSQL Trace = Yes TraceFile = sql.

you can use event handling which can perform various actions triggered by a list of selected events. 143 .Using Serv-U events Using Serv-U events In Serv-U.

or as part of normal server startup. according to logging settings. Session Disconnect Triggered by a TCP session disconnection. This event only triggers for graceful stops. through the Enable Domain setting in the Domain Details > Settings menu. or as part of normal server startup. Session Connection Failure Triggered by a failed session connection attempt. whether from service or applicationlevel status. whether by starting the Serv-U service or starting Serv-U as an application. Domain Stop Triggered by a Serv-U domain stopping. 144 . according to logging settings.Chapter 4: Domain The following list contains the available actions: Server events Server Start Triggered by Serv-U starting up. Log File Deleted Triggered by the automatic deletion of a log file. Server Stop Triggered by Serv-U shutting down. Server and domain events Domain Start Triggered by a Serv-U domain starting. Session Connection Triggered by a new TCP session connection. Log File Rotated Triggered by the automatic rotation of a log file. through the Enable Domain setting in the Domain Details > Settings menu.

Permanent Listener Stop Triggered by a stopped permanent listener connection. and no errors are encountered. Permanent Listener Success Triggered by a successful permanent listener connection.Using Serv-U events Listener Success Triggered by a successful listener connection. File Management Rule Success Triggered when a file management rule is applied. Listener Stop Triggered by a stopped listener connection. Gateway Listener Success Triggered by a successful gateway listener connection. Permanent Listener Failure Triggered by a failed permanent listener connection. Permanent Gateway Listener Success Triggered by a successful permanent gateway listener connection. 145 . Gateway Listener Failure Triggered by a failed gateway listener connection. Listener Failure Triggered by a failed listener connection. Gateway Listener Stop Triggered by a stopped gateway listener connection. Permanent Gateway Listener Stop Triggered by a stopped permanent gateway listener connection. Permanent Gateway Listener Failure Triggered by a failed permanent gateway listener connection.

User Enabled Triggered by the enabling of a user account that was previously disabled. whether due to invalid credentials. or a session disconnect before authentication. user and group events User Login Triggered by the login of a user account. User Password Change Triggered by the change of a password for a user account by the user (if permitted). Server. incorrect SSH key pair (for SFTP public key authentication). incorrect password. or any or all of the above. User Logout Triggered by the logout of a user account. A failed login is any connection attempt to ServU that fails. and at least one error is encountered. 146 .Chapter 4: Domain File Management Rule Failure Triggered when a file management rule is applied. User Password Change Failure Triggered by a failed password change attempt. User Login Failure Triggered by a failed login. either due to an incorrect user name. File Management Automatic Move Triggered when a file is automatically moved to a different location by the server. User Disabled Triggered by the disabling of a user account that was previously enabled. domain.

User Auto Deleted Triggered by the automatic deletion of a user account. that is going to expire. Password Recovery Failed Triggered by a failed password recovery attempt. either due to lack of email address in the user account or lack of permissions. Password Recovery Sent Triggered by a successful password recovery by an end user. in an ODBC database. or in the local Management Console. User Added Triggered by the creation of a user account by a remote administrator. or in the local Management Console. 147 . as configured in Limits & Settings. as configured in the user's Automatically Disable date and the "Days before automatically disabling account to trigger the pre-disable event" limit. as configured by a user's Automatically Disable date. as configured by a user's Automatically Delete date. User Pre-disable Triggered by the upcoming disabling of a user account. Password Stale Triggered by a stale password.Using Serv-U events User Deleted Triggered by the deletion of a user account by a remote administrator. User Pre-delete Triggered by the upcoming deletion of a user account. in an ODBC database. User Auto Disable Triggered by the automatic disabling of a user account. as configured in the user's Automatically Delete date and the Days before automatically deleting account to trigger the pre-delete event limit.

Session Idle Timeout Triggered by an idle session timeout. This event triggers for partial uploads if the upload session terminated with a successful message and no data corruption. or server. per the Limits & Settings for the user account. IP Blocked Time Triggered by a failed login attempt due to an IP access rule that was automatically added by brute force settings.Chapter 4: Domain User Email Set Triggered by a user setting the email address for a user account. User Email Set Failure Triggered by a failed attempt by a user to set the email address for a user account. Session Timeout Triggered by a session timeout. domain. or server. Too Many Session On IP Triggered by more sessions logging on to the server from a specific IP address than are permitted. group. group. IP Auto Added To Access Rules Triggered by the automatic addition of an IP access rule due to a user triggering the "brute force" settings. 148 . domain. IP Blocked Triggered by a failed login attempt due to an IP access rule. Too Many Sessions Triggered by more sessions logging on to the server than are permitted. according to the Limits & Settings for the user account. File Uploaded Triggered by a file uploaded to Serv-U. configured in Domain Limits & Settings or Server Limits & Settings.

File Download Failed Triggered by a failed file download from Serv-U. Directory Deleted Triggered by the deletion of a directory. or by using the Directory Properties option in the HTTP or HTTPS Web Client and FTP Voyager JV. Directory Moved Triggered by moving a directory to a new location. File Moved Triggered by the moving of a file on the Serv-U server by a user. File Deleted Triggered by the deletion of a file on the Serv-U server by a user. Directory Changed Triggered by changing the current working directory. You can choose 149 . Creating common events You can automatically create a list of the most common events. Over Quota Triggered by going over disk quota space. Directory Created Triggered by the creation of a directory. The current quota space is shown in the user account. File Download Triggered by a file downloaded from Serv-U. in the Limits & Settings menu. Over Disk Space Triggered by exceeding the Max Dir Size configured for a directory access rule. The current disk space is shown with the AVBL FTP command.Using Serv-U events File Upload Failed Triggered by a failed file upload to Serv-U.

Using email actions You can configure email actions to send emails to multiple recipients and to Serv-U groups when an event is triggered. To send emails to a Serv-U group. To add an email address. enter it in the To or Bcc fields. Click Create Common Event in the Events page. Select either the Send Email or Show balloon tip option for the action you want to perform on the common events. Note: The Write to Windows Event Log and Write to Microsoft Message Queue (MSMQ) options are available for Windows only. Subject and Message parameter. If you choose to send email. Using event actions You can select from the following actions that will be executed when an event is triggered: l Send Email l Show Balloon Tip* l Execute Command* l Write to Windows Event Log (Windows only)* l Write to Microsoft Message Queue (MSMQ) (Windows only)* * Events involving anything other than email can only be configured by Serv-U server administrators. You can use special variables to send specific data pertaining to the event. Separate email addresses by commas or semicolons. Email actions contain a To. For more information about the variables. also enter an email address where the events are to be sent. use the Group icon to add or remove Serv-U groups from the distribution list. 150 .Chapter 4: Domain to create these common events using email or balloon tip actions. see System variables.

such as move a log file before it is deleted (for example. Balloon tip actions contain a Balloon Title and a Balloon Message parameter.Using balloon tip actions To use email actions. Note: Any amount of time Serv-U spends waiting delays any processing that Serv-U can perform. $LogFilePath for the Log File Deleted event). Command Line Parameters. You can use special variables to send specific data pertaining to the event. you can enter the number of seconds to wait after starting the executable path. see Configuring SMTP settings. Using execute command actions You can configure execute command actions to execute a command on a file when an event is triggered. You can use special variables to send specific data pertaining to the event. For more information about the variables. and a Completion Wait Time parameter. This event has only one field: l Log Information: The contents of the message to be written into the event log. 151 . you can monitor and record Serv-U activity by using third-party network management software. For information about SMTP configuration. see System variables. A wait value should only be used to give an external program enough time to perform some operation. This is normally either a human-readable message (for example. Enter zero for no waiting. Using balloon tip actions You can configure balloon tip actions to show a balloon tip in the system tray when an event is triggered. you must first configure SMTP in Serv-U. see System variables. For more information about the variables. Writing to the Windows Event Log By writing event messages to a local Windows Event Log. Execute command actions contain an Executable Path. For the Completion Wait Time parameter. All messages appear in the Windows Application Log from a source of "Serv-U".

\Serv-U Message Queue or Serv-U Message Queue). To correct this. This field may be left blank. but usually is not. This normally only works on public queues on the local machine. If the specified queue does not exist. after creating the queue in MSMQ. 152 . or many other activities have occurred. Message Body: The contents of the message to be sent into the queue. select Properties. Corporations can use this feature to tell enterprise applications that files have arrived. public queues on the local machine can be addressed when a full path is not specified (for example. These events have the following two fields: l l Message Queue Path: The MSMQ path that addresses the queue. but usually is not. right-click it. Local.Chapter 4: Domain filename uploaded by person) or a machine-readable string (for example. depending on who or what is expected to read these messages. MessageServer\Serv-U Message Queue) is specified. files have been picked up. Serv-U system variables can also be used in this field. Note: Microsoft message queues created in Windows do not grant access to SYSTEM by default. This field can be left blank. preventing Serv-U from writing events to the queue. Serv-U attempts to create it. . and then set the permissions so that SYSTEM (or the network account under which Serv-U runs) has permission to the queue. Serv-U can send messages to new or existing MSMQ queues whenever a Serv-U event is triggered. partners have signed on. filename|uploaded|person). Serv-U system variables are supported in this field. This is normally a text string with a specific format specified by an enterprise application owner or enterprise architect. Remote queues can be addressed when a full path (for example. Writing to Microsoft Queue (MSMQ) Microsoft Message Queuing (MSMQ) is an enterprise technology that provides a method for independent applications to communicate quickly and reliably. You can also use ServU system variables in this field.

However. AND is used. For example. For example. so an email would be sent when the file Important Tax Forms. In most cases. However. By default. a filter can be configured so that only the user "admin" triggers the event. the comparison will be If $Name = (is equal to) 153 . by using an event filter. a standard Serv-U event might trigger an email each time a file is uploaded to the server. the OR operator can be used if there are multiple possible satisfactory responses (for example. Event filter fields Each event filter has the following critical values that must be set: l l l Name: This is the name of the filter. Serv-U events trigger each time the event occurs. The Filter Comparison contains the evaluation that must occur for the event to trigger. which may be included for reference. Additionally.Event filter fields Configuring event filters By using Serv-U event filters. events can be triggered on a more targeted basis.pdf is uploaded but not when other files are uploaded to the server. you can control to a greater degree when a Serv-U event is triggered. and all filters must be satisfied for the event to trigger. Description (Optional): This is the description of the event. You can do this by controlling the various variables and values related to the event and by evaluating their results when the event is triggered. you can configure a File Upload Failed event to run only when the FTP protocol is used. you can configure a File Uploaded event to only send an email when the file name contains the string important. The event filter allows events to be triggered only if certain conditions are met. In this case. abnormal bandwidth usage of less than 20 KB/s OR greater than 2000 KB/s). For example. The function of AND is to require that all conditions be met. not triggering for failed HTTP or SFTP uploads. Logic: This determines how the filter interacts with other filters for an event. used to identify the filter for the event. l Filter Comparison: This is the most critical portion of the filter.

txt.txt.The question mark wildcard matches any one character. data7. Event filters also support wildcards when evaluating text strings. data7.txt. or data77.The asterisk wildcard matches any text string of any length.txt.The bracket wildcard matches a character against the set of characters inside the brackets. For example: l l ? .txt but not data. An event filter that compares the $Name variable to the string A???? matches any five-character user name that starts with A. or data77. data7.txt. either an "unsigned integer" or "double precision floating point" value would be used.txt.txt. data. For example: l l l l An event filter that compares the $FileName variable to the string data* matches files named data. For example: l An event filter that compares the $FileName variable to the string data matches files named data6.??? matches any file on the C: drive that ends in a three letter file extension.txt l An event filter that compares the $LocalPathName variable to the string [CD]:\* matches any file or folder on the C: or D: drives. The supported wildcards are the following: l * . An event filter that compares the $FileName variable to the string data?. but only one character. For bandwidth. data77. You can use multiple wildcards in each filter. data.* matches files named data7 and data7. [] .txt and data8. For example: l An event filter that compares the $FileName variable to the string [cC]:\*. data.txt. data77. and data77.txt but not data5. and the data type will be string. [687].Chapter 4: Domain admin. An event filter that compares the $FileName variable to the string data? matches a file named data7 but not data. data7.txt.txt. 154 . data77.

or when a certain file is uploaded. The Event Type is File Uploaded.* matches a file on any Windows drive. and on the Event Filter tab a new filter must be added. Red7 or Red8. but not when other files are uploaded. and then add a new filter. an administrator may want to raise an email event when the file HourlyUpdate. To perform this task. create a new File Upload Failed event. The $FileName variable is used and the value is HourlyUpdate. Using event filters Event filters are used by comparing fields to expected values in the Event Filter menu. For example.Using event filters l An event filter that compares the $FileName variable to the string ?:\*Red [678]\?????. and that also has a five character file name followed by a file extension of any length. 155 . To do this.csv is uploaded to the server. create a new event in the Domain Details > Events menu. it might be necessary to know when a file transfer fails for a specific user account.csv as shown in the following screen capture: As another example. The best example is raising an event only when a certain user triggers the action. contained in any folder whose name contains Red6.

In some cases it may be necessary to trigger events for files uploaded only to a specific folder. and the value to compare is the user name. and set it to Send Email. This will cause the event to trigger only for files that are located within C:\ftproot\accounting\. such as when an accounting department uploads time-sensitive tax files. create a new File Uploaded event in the Domain Details > Events menu. 156 .Chapter 4: Domain The filter comparison is the $Name variable. open the Event Filters page. using wildcards. subject line. and add the filter comparison If $LocalPathName = (is equal to) C:\ftproot\accounting\* with the type of (abcd) string. Create a new event filter. After specifying the email recipients. and message content. such as ProductionLineFTP: You can also filter for events based on specific folders. To filter based on a folder name.

enter the following information: l l Account Name: The account name associated with authentication for the SMTP server. and does not support Explicit SSL (port 587). or both. enable this option. l SMTP Server Port: The port the SMTP server is using. and then specify the following details: l SMTP Server: The name or IP address of the SMTP server. l l This server requires a secure connection (SSL): On some SMTP servers all incoming connections must be encrypted to protect against possible attacks. My server requires authentication: To enable authentication. l From Email Address: The email address to use for the outgoing email. Password: The password for the account. 157 . l From Name (optional): The name to use for the outgoing email. The SMTP configuration dialog is located in the Events tab in the Domain Details and Server Details pages. Click Configure SMTP to launch the dialog. The default port for encrypted SMTP connections is 465. SMTP configuration at the domain level can be inherited from the server level. select this option. If your server requires that all incoming connections must be encrypted. you can configure an SMTP connection to send email for events which are configured to use email actions. If your SMTP server requires authentication. Serv-U supports Implicit SSL only.Configuring SMTP settings Configuring SMTP settings In Serv-U. You can configure SMTP on the server or domain level.

If the email was sent successfully. In the Send Test Email window. click OK on the confirmation window to save your SMTP configuration. 158 . click Send Test Email to test your SMTP connection. Optionally. specify the email address where you want to send the test email to. and then click Send. 3. After specifying the details of the SMTP server and the corresponding account. or click No to return to the SMTP Configuration window.Chapter 4: Domain Testing the SMTP configuration Perform the following steps to test the SMTP configuration in Serv-U: 1. 2. you can edit the subject and content of the test message.

Check your SMTP connection details. The connection to the server is successful. Please check user name and password. and try the test again. SMTP communication failed. password. The connection to the server is successful. Ensure that SMTP server settings are correct. but the specified server is listening the specified port. The error can also occur if incorrect server and port settings are specified. or both is incorrect. authorization error.Configuring SMTP settings If an error occurs at any stage of the configuration test. Timeout while contacting SMTP server. but the provided user name. Please try again later. but the email address provided in the To Email Address field of the Send Test Email window is not valid. The most common reason for the SMTP connection to fail is an invalid SMTP server address or port number. Please check your SMTP server and port settings. An unspecified error occurred. SMTP server address is correct. Verify that these details are correct. Serv-U returns one of the following error messages in the SMTP error window: Error message Explanation SMTP connection failed. Please check that the The connection to the SMTP server timed out. 159 . Unable to send message due to The connection to the server is successful. but an unspecified error occurred while sending the test email. Please check that recipient email address is valid. and that the SMTP server is up and running. Unable to send message due to recipient error. Unable to send a message.

%HOME%.Chapter 4: Domain Configuring directory access rules Directory access rules define the areas of the system which are accessible to user accounts. then a user 160 . use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot folder in the home directory of the user. to place a user and their home directory into a common directory. use %DOMAIN_HOME%\%USER%. If you specify the %USER% variable in the path. the usage of directory access rules is extended to both the domain and the server levels through the creation of global directory access rules. in Serv-U. Directory access rules specified in this manner are portable if the actual home directory changes while maintaining the same subdirectory structure. they are only inherited by users who belong to the particular domain. Directory access rules specified at the server level are inherited by all users of the file server. This leads to less maintenance for the file server administrator. The traditional rules of inheritance apply where rules specified at a lower level (for example. the server level). For example. This variable is useful in specifying a group's home directory to ensure that users inherit a logical and unique home directory. if a rule exists that denies access to a particular subdirectory but is listed below the rule that grants access to the parent directory. You can use the %USER_FULL_NAME% variable to insert the Full Name value into the path (the user must have a Full Name specified for this to function). While traditionally restricted to the user and group levels. the user "Tom Smith" could use D:\ftproot\%USER_FULL_NAME% for D:\ftproot\Tom Smith. You can also use the %DOMAIN_HOME% macro to identify the user's home directory. When you set the directory access path. If they are specified at the domain level. The first rule in the list that matches the path of a client's request is the one that is applied for that rule. it is replaced with the user's login ID. %USER_ FULL_NAME%. In other words. For example. you can use the %USER%. Directory access rules are applied in the order they are listed. For example. and %DOMAIN_HOME% variables to simplify the process. the user level) override conflicting or duplicate rules specified at a higher level (for example.

Append Allows users to append data to existing files. Execute Allows users to remotely execute files. This permission is typically used to grant users the ability to resume transferring partially uploaded files. which is granted by the List permission. Use the arrows on the right of the directory access list to rearrange the order in which the rules are applied. which is granted by the Append permission. the parent directory accessed this way will only display the content to which the user has access. even if no explicit access rules are defined for the parent directory. This is a very powerful permission and great care should be used in granting it to users. upload) files. This permission does not allow users to modify existing files.File permissions still has access to the particular subdirectory. This permission does not allow users to list the contents of a directory. Users with Write and Execute permissions can install any program 161 . Write Allows users to write (that is. The following section contains the list and description of the directory access permissions. File permissions Read Allows users to read (that is. download) files. Delete Allows users to delete files. However. Rename Allows users to rename existing files. The execute access is meant for remotely starting programs and usually applies to specific files. Note: Serv-U allows to list and open the parent directory of the directory the user is granted access to.

clear the Inherit check box and grant permissions specifically by folder. However. Directory permissions List Allows users to list the files and subdirectories contained in the directory. Note: If the directory contains files. which has no access 162 . Create Allows users to create new directories within the directory. because Windows services are run under the Local System account by default. Also allows users to list this folder when listing the contents of a parent directory. Remove Allows users to delete existing directories within the directory. the user also needs to have the Delete files permission in order to remove the directory. files and folders may be kept on external servers in order to centralize file storage or provide additional layers of security. The Inherit permission is appropriate for most circumstances.Chapter 4: Domain they want on the system. Subdirectory permissions Inherit Allows all subdirectories to inherit the same permissions as the parent directory. Rename Allows users to rename existing directories within the directory. Advanced: Access as Windows User (Windows Only) For a variety of reasons. accessing folders stored across the network poses an additional challenge. files can be accessed by the UNC path (\\servername\folder\) instead of the traditional C:\ftproot\folder path. but if access must be restricted to subfolders (as is the case when implementing mandatory access control). In this environment.

The alternative.Quota permissions to network resources. To implement mandatory access control at a directory level. the NTFS permissions of the Windows user take priority over the directory access rules. This means that when a Windows user tries to access a folder. 163 . preferred when many servers exist. Note: When you use Windows authentication. To mitigate this problem for all of Serv-U. and in this case also to the configured permissions in Serv-U. disable the Inherit permission as shown in the following screen capture. Quota permissions Maximum size of directory contents Setting the maximum size actively restricts the size of the directory contents to the specified value. This feature serves as an alternative to the traditional quota feature that relies upon tracking all file transfers (uploads and deletions) to calculate directory sizes and is not able to consider changes made to the directory contents outside of a user's file server activity. Any attempted file transfers that cause the directory contents to exceed this value are rejected. or if the Serv-U File Server service has to run under Local System for security reasons is to configure a directory access rule to use a specific Windows user for file access. the security permissions of the user are applied instead of the credentials specified in the directory access rule. directory access is subject to NTFS permissions. you can specify a specific Windows user for each individual directory access rule. you can configure the Serv-U File Server service to run under a network account. By clicking the Advanced button. As in Windows authentication. Mandatory access control You can use mandatory access control (MAC) in cases where users need to be granted access to the same home directory but should not necessarily be able to access the subdirectories below it.

the rule applies to D:\ftproot\. providing the security of mandatory access control in the Serv-U File Server. the user has access to the ftproot folder but to no folders below it. Restricting file types If users are using storage space on the Serv-U File Server to store non-workrelated files. Now.Chapter 4: Domain In the following example. 164 . you can prevent this by configuring a directory access rule placed above the main directory access rule to prevent MP3 files from being transferred as shown below. Permissions must individually be granted to subfolders that the user needs access to. such as MP3 files.

Similarly.Restricting file types In the text entry for the rule. as shown in the following screen captures. type *.mdb files but denies access to all other files.mp3. 165 . configure a pair of rules that grants permissions for .mdb extension.mp3 extension and can be modified to reflect any file extension. and use the permissions shown in the following screen capture: The rule denies permission to any transfer of files with the . if accounting employees only need to transfer files with the .

166 .Chapter 4: Domain In the first rule enter the path that should be the user's home directory or directory they need access to.

mdb). You can adapt these rules to any file extension or set of file extensions. These rules only allow users to access .Using virtual paths In the second rule enter the extension of the file that should be accessed (such as *. Using virtual paths If virtual paths are specified.mdb files within the specified directories. A virtual path only defines a method of mapping an existing directory to another location on the system to make it visible within a 167 . users can gain access to files and folders outside of their own home directory.

The Maximum Directory Size limits the size of directories 168 . the user must still have a directory access rule specified for the physical path of a virtual path. In order to actually have access to the mapped location. they are only accessible by users belonging to that domain. You can also use a full path without any macros.Chapter 4: Domain user's accessible directory structure. Virtual path The virtual path is the location that the physical path should appear in for the user. that is to be placed in a virtual location accessible by a user. virtual paths can be configured at the server. users must have a directory access rule specified for the physical path. use a full path. When virtual paths are created at the domain level. The %HOME% macro is commonly used in the virtual path to place the specified physical path in the home directory of the user. To make a virtual path visible to users. You can also create virtual paths specifically for individual users or groups. or network. such as D:\inetpub\ftp\public. Like directory access rules. a virtual path of %HOME%/public places the specified physical path in a folder named public within the user's home directory. the last specified directory is used as the name displayed in directory listings to the user. Physical path The physical path is the actual location on the system. group. Including virtual paths in "Maximum Directory Size" calculations When this option is selected. For example. Virtual paths created at the server level are available for all users of the file server. When specifying the virtual path. You can also use a UNC path. such as \\Server\share\public. If the physical path is located on the same computer. the virtual path is included in Maximum Directory Size calculations. and user levels. domain.

The developers now have access to the image repository without compromising security or relocating shared resources. D:\ftproot\example. if the home directory of the group of web developers is relocated to another drive. a virtual path must be configured so that the image repository appears to be contained within their home directory. Case File: Using virtual paths A group of web developers have been granted access to the directory D:\ftproot\example. Using automated file management Using file management rules. the file management rules are accessible to all users of the file server.com\corpimages Case File: Creating relative virtual paths Continuing with the previous example.com\corpimages as the virtual path. Within the group of web developers. regardless of what the home directory is. 169 . If they are specified at the domain level. You can avoid this by using the %HOME% macro to create a relative virtual path location that eliminates the need to update the path if the home directory changes. If they are specified at the server level. use %HOME%\corpimages. Instead of using D:\ftproot\example.Using automated file management affecting how much data can be uploaded. the virtual path still appears there. If the home directory changes at a later date. Be sure to add a group level directory access rule for D:\corpimages\ as well. To avoid granting the group access to the root D drive. add a virtual path to bring the directory to the users by specifying D:\corpimages\ as the physical path and as the virtual path. you can automatically remove or archive files from the file server.com\ for web development purposes. This way the corpimages virtual path is placed within the home directory of the group. You can configure automated file management rules at the server and domain level. they are only accessible to users belonging to that domain. both the home directory and the virtual path need to be updated to reflect this change. The developers also need access to an image repository located at D:\corpimages\.

Type the path to the file or folder in the Directory Path field. select Delete file(s) after specified time. 2. see Using Serv-U events. or which are copied to the folder outside of Serv-U. and not only to those that have been uploaded through ServU. To define a new file management rule: 1. and then click Add. or click Browse to navigate to the file or folder. For this reason. Select the action you want to perform on the file: a. For more information. If you want to delete the file after it expires. The change date is updated whenever the metadata or index node (inode) of the file is modified. 170 . you can configure a File Management Rule Success and a File Management Rule Error event under Server/Domain Details > Events. This way you can manage files which are transferred by clients. The file management rules run hourly in the background. If the contents or attributes (such as the permissions) of the file are modified. the folders themselves remain intact. The file management rules apply recursively to all files within the folder for which they are configured. Note: The change date is not modified if the file is read from. When expired files are deleted or moved. the creation date of the file is used to determine when a file expires. Navigate to Directories > File Management. To monitor the status of the file management rules. the change date is used to determine the expiration date. On Linux.Chapter 4: Domain Depending on the file system. there can be an hour delay before Serv-U deletes or moves an expired file. Serv-U uses the creation or change date of files to determine the expiration date. the change date is also updated. 3. On Windows. The file management rules continue to run even if deleting or moving a single file fails. The folder structure is not affected by the file management rules.

It is possible to grant exceptions to administrators and restrict specific users more than others. The limits stack intelligently. Click Save. and performs the specified action on the files that meet the age criteria you specify. providing total control over the server. The limits and settings in Serv-U consist of the following categories: l Connection l Password l Directory Listing l Data Transfer l HTTP l Email 171 . and then in the Destination Directory Path field. and domain settings overriding server settings. In addition.Domain limits and settings b. and which also provide ways to apply limits and custom settings to users. domains. select Move file(s) after specified time. 4. Specify the number of days after the file creation date when the action should be executed. If you want to move the file after it expires. and the server in its entirety. 5. groups. group settings overriding domain settings. specify the folder where you want to move the file. Note: Serv-U regularly and individually checks all the files in the directory for their age. with user settings overriding group settings. Domain limits and settings Serv-U contains options which you can use to customize how Serv-U can be used. limits can be applied only during certain days of the week or times of the day.

and then select or enter the value. deselect the days for which you do not want to apply the limit. default values (or the value of other limit overrides) are applied when the time of day or day of the week restrictions are not met for this limit. The limits list displays the current limits applied to the domain. 5. select the limit. To edit an overridden value. 3. 4. Limits with a white background are values that override the defaults. Select Domain Limits & Settings from the Serv-U Management Console. Click Add. You can delete limits by selecting them and clicking Delete. this option applies to all users in the domain unless overridden at the group or user level. a new Lock users in home directory limit appears in the list that displays "No" as the value. Deselect the option. select Directory Listing. Create a new limit to override a default one. and then click Edit. From the Limit list. click Advanced in the New Limit or Edit Limit window. to disable the Lock users in home directory option for a domain. Click Save. Because of inheritance rules. see User interface conventions. select the limit. select Lock users in home directory. 6. Select Apply limit only at this time of day to specify a start and stop time for the new limit. Limits with a lightblue background are default values. select the appropriate category. When a limit is restricted in this way. For more information about this method of inheritance. follow these steps: 1.Chapter 4: Domain l File Sharing l Advanced To apply a limit. After completing the previous steps. To create a limit that is restricted to a specific time of day or days of the week. From the Limit Type list. To restrict the limit to certain days of the week. For example. 172 . 2. click Add. Default rules cannot be edited or deleted.

Automatic session timeout Specifies the number of minutes a session is allowed to last before being 173 . Maximum sessions per IP address on domain Specifies the maximum number of concurrent sessions that may be opened to the current domain from a single IP address. or HTTPS) before it is accepted. Maximum number of sessions per user account Specifies the maximum number of concurrent sessions that may be opened from a single user account. Note: Setting the Packet time-out is a requirement for this limit to work. SFTP.Connection The following section contains a reference of all available domain limits. see Server settings. Require secure connection before login Requires that a connection must be secure (for example. For information about setting the packet time-out. Maximum sessions per IP address for user account Specifies the maximum number of concurrent sessions that a user may open from a single IP address. Connection Maximum number of sessions on domain Specifies the maximum number of concurrent sessions that may be allowed on the current domain. FTPS. organized by category. Automatic idle connection timeout Specifies the number of minutes that must pass after the last client data transfer before a session is disconnected for being idle. The value of Packet time-out must be less than the value of the Automatic idle connection timeout for the Automatic idle connection timeout to work properly.

174 . for a specified period of time. that is. not transferring data.Chapter 4: Domain disconnected by the server. the "X-Forwarded-For" HTTP header parameter changes the IP address of the client for Serv-U. When these are blocked. Allow X-Forwarded-For to change HTTP connection IP addresses When enabled. which is commonly used to keep FTP Command Channel connections open during long file transfers or other periods of inactivity where no information is being transferred on the control channel. Proxy servers and load balancers typically append this parameter to the HTTP header so that HTTP servers can identify the actual client IP address and apply security rules as needed. Block IP address of timed out session Specifies the number of minutes for which the IP address of a timed out session is blocked. Require reverse DNS name Requires that users connecting to the server must connect from an IP address that has a valid reverse DNS name. Checks for the existence of a valid PTR record but does not check its contents. Serv-U disconnects the client when the connection has been idle. Block anti-timeout schemes Blocks the use of commands such as NOOP. Automatically create home directories Instructs Serv-U on whether or not to automatically create the home directory specified when creating a new user account if the directory does not already exist. This is useful when all HTTP connections are coming from a proxy server or a load balancer. also known as a PTR record.

This is the default setting. Mask received passwords in logs Masks the passwords received from clients from being shown in log files. The following options are available: l l One-way encryption (more secure): This option fully encrypts passwords and cannot be reversed.Password Password Check anonymous passwords Specifies whether or not Serv-U should validate email addresses supplied as the password to login anonymously. Minimum password length Specifies the minimum number of characters required in the password of a user account. Specifying zero days means that passwords never expire. Require complex passwords Specifies that all user account passwords must contain at least one uppercase and one non-alphabetic character to be considered valid. Specifying zero characters indicates that there is no minimum requirement. Allow users to change password Specifies whether or not users are allowed to change their own passwords. Simple two-way encryption (less secure): This option encrypts passwords in a reversible format for easy recovery. Password encryption mode Specifies the level of password encryption on user passwords. Automatically expire passwords Specifies the number of days a password is valid before it must be changed. Use this option when users are expected to take advantage of the Password Recovery utility in the Web 175 . Disabling this allows passwords to be displayed in log files. which can be useful for debugging connection problems or auditing user account security.

l No encryption (not recommended): This option stores passwords in clear text. Password Only: Requires that a password is provided for successful login. The available options are regular password. a password is not allowed. SSH authentication type Specifies how SSH authentication is to occur. The following options are available: l l l l Password and Public Key: Requires both a password and a public key (when specified) for login. allows users to recover passwords using the Web Client password recovery utility at the login page.Chapter 4: Domain Client. OTP S/Key MD4. In this case it may be desirable to use two-way encryption so that Serv-U does not need to reset their passwords when password recovery is requested. This way the administrator cannot deny access to a user account through misconfiguration. and OTP S/Key 176 . Note: When you change this setting. and must be re-saved to be stored in the new format. Existing passwords are not updated automatically. FTP password type Specifies the type of password to be used for FTP connections. Public Key Only: Requires that a public key is provided for successful login. Password or Public Key: Requires either a password or public key for login. Note: The Public Key Only authentication type allows users to log in with a password if they have no SSH key configured in Serv-U. Using this option may be necessary for integration with legacy systems (especially when using database support). Allow users to recover password If enabled. a public key is not allowed. all user passwords must be reset.

in days.lnk file points to another file. Interpret Windows shortcuts as links Instructs Serv-U to treat all valid . if a .Directory listing MD5.lnk files as the actual destination object. this limit allows users to generate a random password. This value is the lead-time. An event can be configured to identify when a password is about to expire. their home directory is displayed as "/". In other words. A stale password is a password that is about to expire. before password expiration. masking the actual physical location.lnk (shortcut) files as a UNIX symbolic link. and does not allow users to browse above that folder. In addition. Use lowercase for file names and directories Forces Serv-U to display all file names and directories using lowercase characters. Directory listing Hide files marked as hidden from listings Hides files and folders from directory listings that have the Windows "hidden" system attribute set on them. Disable password generators If enabled. Days before considering password to be stale The number of days prior to expiration that a password is to be considered stale. the destination file is shown in the directory listing instead of the .lnk file itself. Treat Windows shortcuts as target in links Instructs Serv-U to treat all valid . Lock users in home directory Locks users into their home directory. This option only works when users are not 177 . regardless of the actual letter case in use by the file or directory. Allow root ("/") to list drives for unlocked users (Windows Only) Allows users to change directory to the root ("/") of the system and display all drives on the computer.

Data transfer Maximum upload speed for domain Limits the maximum bandwidth that can be used domain-wide for all uploads. Setting a 178 . Hide the encrypted state of files and directories Hides the encrypted state of all encrypted files and directories being viewed by the user. Setting a limit of 0 KB/s means unlimited bandwidth. Setting a limit of 0 KB/s means unlimited bandwidth. However. Maximum upload speed per session Limits the maximum upload bandwidth for each individual session. welcome messages can be provided in specific folders to relay additional information.message can be used as the path. Serv-U supports both sort orders. The welcome message will only be displayed when navigating into folders which contain a file matching the specified file name. Maximum download speed for domain Limits the maximum bandwidth that can be used domain-wide for all downloads.Chapter 4: Domain locked in their home directory. By using a secondary message file. Message file path Welcome messages are normally displayed once to a user during login to relay important information to users about the file server site. A non-relative path such as MessageFile. Serv-U uses natural language sorting for a more intuitive sort order. some clients may prefer ASCII sorting. Hide the compressed state of files and directories Hides the compressed state of all compressed files and directories being viewed by the user. Use natural language sorting for sorted listings By default.

When uploading in ASCII mode stand-alone <LF> characters are changed to <CR><LF> prior to writing to the file. Automatically check directory sizes during upload Instructs Serv-U to occasionally check the size of directories in which a 179 . stand-alone <LF> characters are changed to <CR><LF> prior to sending to the client. since the definition of a new-line sequence is not fully defined in Windows. Maximum download speed per session Limits the maximum download bandwidth for each individual session. this option allows Serv-U to assume <LF> is the same as <CR><LF>. Delete partially uploaded files Instructs Serv-U to delete incomplete file uploads. Maximum upload file size Restricts the maximum single file size a user can upload to Serv-U. Setting a limit of 0 KB/s means unlimited bandwidth. Setting a limit of 0 KB/s means unlimited bandwidth. Most Windows applications expect <CR><LF> to represent a new-line. This option can currently be used in FTP mode only. However. Serv-U will assume <LF> characters are the same as <CR><LF> end-of-line markers. When downloading in ASCII mode. Interpret line feed byte as a new line when in ASCII mode (Windows Only) When uploading and downloading files using ASCII mode. The file size is measured in kilobytes. as does the FTP protocol. Maximum upload speed for user accounts Limits the maximum upload bandwidth shared between all sessions associated with an individual user account. Setting a limit of 0 KB/s means unlimited bandwidth.Data transfer limit of 0 KB/s means unlimited bandwidth. Maximum download speed for user accounts Limits the maximum download bandwidth shared between all sessions associated with an individual user account.

the HTTP login page is displayed in English. Administrators can disallow 180 . Allow users to change languages The Serv-U Web Client is supported in many languages. This function can be disabled during specific business hours or altogether based on business needs. Allow HTTP media playback The Serv-U Web Client supports fully interactive media playback of audio and video files. Default language for Web Client When the end-user connects with an unsupported language. Allow browsers to remember login information The HTTP login page supports a Remember me option (not enabled by default) that allows user names to be remembered by the login page. Administrators can disallow the use of Serv-U Web Client by disabling this limit. HTTP Warn end users when using old web browsers When enabled (default) users are warned when they are using an outdated browser that they should upgrade the browser to take advantage of performance and feature enhancements to improve their experience. This attribute ensures that Serv-U always has updated directory sizes available instead of having to calculate them at transfer time. The default language can be set to any language you want. Allow users to use Web Client Serv-U Web Client is enabled by default. Allow users to use Web Client Pro Serv-U Web Client Pro is enabled by default. This feature can be disabled for security reasons. When connecting to Serv-U using a supported localization of Windows. the local language of Windows is used.Chapter 4: Domain maximum directory size has been specified. which can be a time consuming operation. but this option can be disabled if users should not be able to select their preferred language.

Hide Serv-U version information in HTTP response headers When enabled. This way a potential security threat arising from the knowledge of the version information can be mitigated. This option is enabled by default. Serv-U will not set the last modification date and time of the file. Serv-U can maintain the last modification date and time of the file when end-users are using FTP Voyager JV or Web Client Pro. Maintain file dates and times after uploading (FTP Voyager JV and Web Client Pro only) When enabled. Allow autocomplete for HTTP login fields With this limit you can configure whether or not password auto-completion is allowed on the Serv-U login screen. Allow HTTP sessions to change IP address (disabling may cause mobile devices to fail) The Serv-U Web Client supports the transfer of HTTP sessions if the IP address changes. 181 . the version information of Serv-U will be hidden in HTTP and HTTPs response headers. Email Allow end-user to set account email address Specifies whether users are allowed to modify their account email address using the Change Email Address option in the Web Client or File Sharing interfaces.Email the use of Serv-U Web Client Pro by disabling this limit. it will remain the date and time the file was uploaded. Allow users to use FTP Voyager JV FTP Voyager JV is enabled by default. This option can be disabled but it may cause mobile devices to be disconnected due to frequent IP address changes by these devices. Administrators can disallow the use of FTP Voyager JV by disabling this limit. When disabled.

Chapter 4: Domain Require end-user to set email address at next HTTP login Specifies whether users must set their email address when they log in to Serv-U. the creator of the file share request can specify the maximum file size in each file share request without an upper limit. 182 . there is no file size constraint. the file share links will expire after the number of days specified in the Duration before guest link expires limit. When this limit is set to Optional. the user can individually specify in each file share whether or not the guest must provide a password. If set to zero. Insert passwords within invitation emails Specifies whether it is possible to set up a file share where the password for the share is included in the invitation email. File sharing Require a password for guest access Specifies whether it is possible to set up a file share where the guest is required to provide a password. When this limit is set to Optional. In this case. Allow user-defined guest link expiration When enabled. Duration before guest link expires Limits the number of days after which a file share link expires if the Allow user-defined guest link expiration limit is disabled. the Include the password in the email option can be selected individually in each file share. users will be able to specify link expiration dates individually on the Request Files and Send Files wizards. When disabled. When this limit is set to Always or Never. When this limit is set to Always or Never. Maximum file size guests can upload (per file) Specifies the file size constraints imposed upon the guest user. the creator of the file share will not be able to specify this optional setting. the creator of the file share will not be able to specify this optional setting.

Send the guest access link to the sender Specifies whether the Send me an email copy with the download/upload link option can be used in the Send Files and Request Files wizards. the user will not be able to specify this optional setting. the user can individually specify in each file share whether to receive notification of the file download. users are not 183 .File sharing Notify user after a file is downloaded Specifies whether the Notify me when the file(s) have been downloaded option can be used in the Send Files wizard. the user can individually specify in each file share request whether to receive notification of the file upload. When this limit is set to Always or Never. When this limit is set to Optional. the user can individually specify in each file share or file share request whether to send the access link automatically. users will be able to edit their name and email address in the Request Files and Send Files wizards. When this limit is set to Always or Never. When this limit is set to Always or Never. When this limit is set to Optional. Send the guest access link to the recipients Specifies whether the Automatically send the download/upload link to the guest user(s) in email option can be used in the Send Files and Request Files wizards. the user can individually specify in each file share or file share request whether to receive an email copy with the download or upload link. the creator of the file share will not be able to specify this optional setting. the user will not be able to specify this optional setting. When disabled. When this limit is set to Always or Never. Allow user-defined contact information When enabled. Notify user after a file is uploaded Specifies whether the Notify me when the file(s) have been uploaded option can be used in the Request Files wizard. When this limit is set to Optional. When this limit is set to Optional. the creator of the file share request will not be able to specify this optional setting.

By default. the default limit of 20 is used.6. Maximum supported SFTP version Specifies the maximum version of SFTP permitted for SFTP connections. Maximum number of files for "Sent" shares Specifies the maximum number of files users can include in a single file share. Certain web browsers can encode special characters contained in file names and directories when using the FTP protocol. If set to zero. This attribute allows Serv-U to decode these special characters. Serv-U supports SFTP versions 3 . By 184 . When disabled. If set to zero. Advanced Convert URL characters in commands to ASCII Instructs Serv-U to convert special characters contained in command parameters to plain ASCII text. Maximum number of files for "Requested" shares Specifies the maximum number of files users can upload after receiving a file share request. Apply server and domain directory access rules before user and group The order in which directory access rules are listed is important in determining the resources that are available to a user or group account. Allow rename overwrite When enabled (default) Serv-U allows files to be renamed to files where the destination already exists. users are not allowed to rename a file or directory to a path name that already exists. the default limit of 20 is used.Chapter 4: Domain allowed to edit their contact information in the Request Files and Send Files wizards. Allowed "Sent" file share sources Specifies the valid file sharing sources that users can browse to when they create an outgoing file share. users can browse to any file stored on their computer or on Serv-U.

security. Owner ID (user name) for created files and directories (Linux Only) The user name given to set as the owner of a created file or directory. see the "Apply group directory access rules first" setting in Group information. there are certain instances where you may want the domain and server level rules to take precedence. Domain settings On the Domain Limits and Settings > Settings pages.Domain settings default. Group ID (group name) for created files and directories (Linux Only) The group name given to set as the owner of a created file or directory. This topic contains detailed information about the settings that you can configure. For more information. To configure a setting. Days before automatically deleting account to trigger the pre-delete event The number of days prior to automatically deleting the user account that the pre-delete event should be triggered. Days before automatically disabling account to trigger the pre-disable event The number of days prior to automatically disabling the user account that the pre-disable event should be triggered. Reset group stats after restart When this limit is enabled the group statistics are reset after a server restart. and then click Save. you can configure basic domain settings that affect performance. Setting this value to "Yes" places the directory access rules of the group and user below the server and domain. 185 . However. Reset user stats after restart When this limit is enabled the user statistics are reset after a server restart. directory access rules specified at the group or user level take precedence over ones specified at the domain and server level. and network connectivity. type the value you want in the appropriate area.

or FTP Voyager JV should be used by all HTTP clients by default. Web Client Pro. complex passwords defeats most dictionary attacks. this information includes the server name and version number.Chapter 4: Domain Connection settings Block users who connect more than 'x' times within 'y' seconds for 'z' minutes Also known as anti-hammering. Advanced branding is also available. A successful login resets the counter that is tracking login attempts. the server sends identification information to the client. enabling this option ensures that Serv-U does not waste time processing connections from these illegitimate sources. default option is to prompt the user for the client they want to use instead. When enabled. Normally. enabling this option is a method of preventing brute force password guessing systems from using dictionary style attacks to locate a valid password for a user account. ensure that there is some room for legitimate users to correct an incorrect password before they are blocked. this option temporarily blocks IP addresses for the specified number of minutes that fail to successfully login after the specified number of attempts within the specified number of seconds. Default Web Client Specifies whether the Web Client. For 186 . When configuring this option. Custom HTTP settings Basic branding (custom logo and limited text changes) can be implemented using the Custom HTTP Settings. IP addresses blocked in this way can be viewed in the appropriate IP Access rules tab. This option is also available at the group and user level. However. The third. Using strong. Enable this option to prevent the information from being given to the client. Hide server information from SSH identity After a successful SSH login.

and then click Save. HTTP Client Interface Background (CSS Only) Provide a custom CSS background style for the Web Client. HTTP Login Page Text Provide any custom login page text you want in this area. Specify a custom logo to be displayed on the login and Web Client pages Dimensions for custom logos must have a width of 400 pixels and a height of 100 pixels. click Browse next to Custom Logo Path. Click Save and the logo will appear below the Custom Logo Path field. images.Domain settings more information. Custom HTML must be enabled and a Custom HTML Container Directory must be specified. underline. alignment and more. This text can be HTML-formatted. clear the path in the Custom Logo Path field. and then select the path to your logo. If a logo does not meet this criteria an error message will appear when you attempt to save the logo. The format for a CSS background is color url('/%CUSTOM_HTML_ DIR%/images/yourimage. bold. see Using custom HTML. The %CUSTOM_HTML_DIR% must be used in conjunction with the Custom HTML settings. The following examples provide a reference: 187 . Note: JPEG images which use CMYK instead of RGB encoding may not work properly in certain browsers. including links. Test your logo image to make sure it is displayed properly in all browsers. To delete a custom logo. and standard formatting like italics. File Sharing and FTP Voyager JV landing page. The "background:" string is assumed so it does not need to be entered here. To add a logo.png') repeat-type horizontal-alignment verticalalignment. HTTP Login Title Text (no HTML) Provide text to be used as the title of the HTTP login and Web Client pages. This style follows the CSS background shorthand standard.

Other settings Ratio Free Files Files listed by clicking Ratio Free Files are exempt from transfer ratio limitations on file transfers. For more information about ratio free files. see the Serv-U Integration Sample DLL installed with Serv-U in the Serv-U Integration Sample DLL sub-directory. The Integration API is documented in this sample. The password recovery email message has a simple default subject and message with the user's login ID and password. Integration DLL / Shared Library For information about writing an Integration DLL or Shared Library.png') repeat-x left top l red (this example uses no image) l url('/%CUSTOM_HTML_DIR%/images/MyHeader. you can customize the FTP commands that Serv-U 188 . Administrators can also send this message to users using the Recover Password button under domain users and global users in the Management Console. Ratio free files specified at the server or domain level are inherited by all their users accounts. see Transfer ratio and quota management.Chapter 4: Domain l #0b16f8 url('/%CUSTOM_HTML_DIR%/images/Header01. This message will be sent if the user has a valid email address recorded in Serv-U. Configuring FTP settings In the Serv-U File Server. Users can request this message from the Serv-U login page.png') no-repeat right top l #FFFFFF url('/%CUSTOM_HTML_DIR%/images/MyLogoTile.png') no-repeat center top (this example uses no custom color) Password Recovery Email Message Send email messages to users with their login credentials using this customizable password recovery message.

the 220 response code begins each line of the specified welcome message. and then click Use Custom Settings.Configuring FTP settings accepts. enter the path to a text file in the Message File Path field. If you configure these options at the server level. and you can also customize the responses of Serv-U to the FTP commands it receives. FTP Responses Global FTP responses are responses shared amongst most FTP commands. FTP command responses can contain special macros that allow real-time data to be inserted in to the response. Customizing a global FTP response ensures that the response is used by all other FTP commands rather than having to customize it for each individual FTP command. see System variables. open the FTP Settings page for the domain. Using global properties When using custom settings. For more information. At any time. To customize the welcome message. the Global Properties button becomes available. Message File The server welcome message is sent in addition to the standard "220 Welcome Message" that identifies the server to clients when they first connect. 189 . you can click Use Default Settings to have the domain revert back to the default settings of the server. Warning: Customizing the FTP behavior in this way is not recommended except for those very familiar with the FTP protocol and its standard and extended command set. If the Include response code in text of message file option is selected. all domains inherit the customizations. To customize the FTP behavior for a specific domain. such as the error message sent when a file is not found. Click Browse to select a file on the computer. Serv-U opens this file and sends its contents to connecting clients. select the appropriate domain.

Deselecting this option prevents Serv-U from UTF-8 encoding these strings. It also sends all file names and paths as UTF-8 encoded strings. Serv-U treats all file names and paths as UTF-8 encoded strings. see CERT advisory CA-97. For more information about FTP_bounce attacks. Select this option if your clients are using an FTP client experiencing problems with multi-line responses from Serv-U. UTF-8 is not included in the FEAT command response to indicate to clients that the server is not using UTF-8 encoding. l Use UTF-8 encoding for all sent and received paths and file names: By default. basic information about the command is shown along with a link to more information on the Serv-U website. Some older FTP clients have trouble parsing multi-line responses that do not contain the three-digit response code on each line. all possible FTP responses to the command 190 . and then click Edit. Each FTP command can also be disabled by selecting the Disable command option. FTP Responses On the FTP Responses page. Information On the Information page. such as when sending a directory listing.27. Include response code on all lines of multi-line responses: The FTP protocol defines two ways in which a multi-line response can be issued by an FTP server.Chapter 4: Domain Advanced Options l l Block "FTP_bounce" attacks and FXP (server-to-server transfers): Select this option to block all server-to-server file transfers involving this Serv-U File Server by only allowing file transfers to the IP address in use by the command channel. Disabled commands are treated as unrecognized commands when they are received from a client. When this option is deselected. Editing FTP commands and responses To edit FTP Commands. select the FTP command you want to change.

This allows for message files to be specified using a path relative to the home directory of the user for the Message File. If the first message file is not found. The contents of a message file are sent along with the standard FTP response. see System variables. you can ensure that each user receives a message file. FTP command responses can contain special macros that allow real-time data to be inserted in to the response. LIST Advanced Options Some FTP commands contain advanced configuration options that offer additional ways to configure the behavior of the command. Message Files Certain FTP commands allow a message file to be associated with them. Where available. In some cases. For more information.Configuring FTP settings as issued by the server can be modified by clicking Edit for each response. Serv-U attempts to use the Secondary Message File instead. The following FTP commands can be used for specifying a message file: l CDUP l CWD l QUIT Managing Recursive Listings Serv-U supports recursive listings by default. allowing FTP clients to obtain large directory listings with a single command. In addition. clients may request excessively large directory listings using the -R parameter to the and NLST commands. a secondary message file path is available as a default option. By specifying an absolute file path in the secondary location. If performance in Serv-U is impacted by users requesting excessively large listings. 191 . recursive listings can be disabled by using the Allow client to specify recursive directory listings with -R parameter option.

Remaining storage space is $QuotaLeft. This can be done for any FTP command response. 192 . edit the response to the STOR command to include a report about available space. $TransferBytes bytes transferred. so that every time a user deletes a file. Modify this to include an extra variable in the following way: Transfer complete. showing an increase in available space. SSH2 is a method of securely interacting with a remote system that supports a method of file transfer commonly referred to as SFTP. SFTP does not have anything in common with the FTP protocol itself. Despite its name. The following FTP commands contain advanced configuration options: l LIST l MDTM l NLST Case file: Custom FTP command response Users connecting to the server need to know how much quota space is available in a given folder when they have completed a transfer. $TransferKBPerSecond KB/sec. The last sentence shows the user how much storage space is left at the end of each file upload. Configuring encryption Serv-U supports two methods of encrypted data transfer: Secure Socket Layer (SSL) and Secure Shell 2 (SSH2). $TransferBytes bytes transferred. To do this.Chapter 4: Domain the configuration option is described in detail in the Management Console. their updated quota value. $TransferKBPerSecond KB/sec. is displayed. SSL is used to secure the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). By default. The same can be done for the DELE command. the 226 (command successful) response to the STOR command (which stores files on the server) is the following: Transfer complete.

Configuring SSL for FTPS and HTTPS To use an existing certificate: 1.Configuring encryption In order for each method of encryption to work. Certain configuration options are only available to the server. If you do not have either of these required files. When creating SSL/TLS. Because SSL/TLS and SSH encryption is based on encrypting traffic sent between IP addresses. the domain that is created first takes precedence. Use the appropriate Browse button to select both the certificate and private key files. and causes other encrypted domains to fail to function properly. Enter the password used to encrypt the private key file. Click Save. modify the listeners of each domain to ensure they listen on unique port numbers. Encryption options specified at the server level are automatically inherited by all domains. 6. 3. If the provided file paths and password are all correct. SSL requires the presence of both. and HTTPS encrypted domains within Serv-U. 4. or both must be supplied. 5. each domain must have unique listeners in order to operate properly. enter or browse to the file. while SSH2 only requires a private key. it is important to know that encrypted domains cannot share listeners. Place these files in a secured directory in the server. In the case that multiple encrypted domains are created that share listeners. If a CA (Certificate Authority) PEM file has been issued. 2. a private key. a certificate. To operate multiple encrypted domains. Any encryption options specified at the domain level automatically overrides the corresponding server-level option. SSH. Serv-U starts to use the 193 . you can create them in Serv-U. Obtain an SSL certificate and private key file from a certificate authority.

Specify the output path where the created files are to be placed. Specify the key length in bits. 5. If the password is incorrect or Serv-U cannot find either of the provided files. clients may be prompted that the certificate does not match the domain name they are connecting to. 6. Specify the Certificate Set Name that is used to name each of the files Serv-U creates. Click Create Certificate. In most cases. 4. 2. 11. Specify the password used to secure the private key. the installation directory is a safe location (for example. 3. Serv-U creates three files using the provided information: A self-signed certificate (. Click Create to complete the certificate creation.Chapter 4: Domain certificate immediately to secure FTPS and HTTPS connections using the provided certificate. Specify the full organization name. Specify the city in which the server or corporation is located. 9. Specify the business unit the server is located in. an error message is displayed that explains the encountered error. 10. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect must be listed here. C:\ProgramData\RhinoSoft\Serv-U\). To create a new certificate: 1. Specify the 2-digit country code for the country in which the server or corporation is located. 7. 8. Specify the common name of the certificate. 12.crt) that can be used immediately on the server but is not authenticated by any 194 . Note: If the Common Name is not the IP address or FQDN used by clients to connect. Specify the state (if applicable) in which the server or corporation is located.

Click Save. 2. 3. 5. and a private key file (. 2. (for example. Enter the output path of the certificate. Use Browse in Serv-U to select the file. Enter the password to use for securing the private key file. Place the private key file in a secured directory in the server. a certificate request (. 4. MyDomain Key). Serv-U displays the SSH key fingerprint associated with the private key. Select the Key Type (default of DSA is preferred. C:\ProgramData\RhinoSoft\Serv-U\). To create a private key: 1.Configuring encryption known certificate authority. Click Create Private Key. Select the Key Length (default of 1024 bits provides best performance. 4. but RSA is also available). including the dates during which the certificate is valid. Enter the password for the private key file. 2048 bits is a good median. 3. 195 . SFTP (Secure File Transfer over SSH2) To use an existing private key: 1.csr) that can be provided to a certificate authority for authentication.key) that is used to secure both certificate files. are displayed in a new window. It is extremely important that you keep the private key in a safe and secure location. (for example. 6. click View Certificate. and 4096 bits provides best security). If your private key is compromised. your certificate can be used by malicious individuals. Obtain a private key file. After clicking Save. which is also used to name the storage file. Enter the name of the private key. Viewing the certificate To view the SSL certificate once it is configured. All identifying information about the certificate.

Using custom HTML You can use custom HTML for the HTTP and HTTPS login pages of Serv-U. containers. By using the custom HTML feature. After you create a new key. Serv-U displays the SSH key fingerprint associated with the new private key. and other CSS formatting as needed.Chapter 4: Domain 7. The main login form is automatically inserted between the content defined in the header file and footer file. Basic branding (custom logo and limited text changes) is also available. see Domain settings. For more information. Serv-U KB #2054 has step-by-step instructions to explore the current set of samples and build your own branding. Several branding samples are automatically unpacked to your installation folder (for example. SSH ciphers and MACs By default. This CSS file can also be used to define custom CSS styles. web developers can design their login experience to show off their exclusive brand and design the page to match existing business themes. 196 . The custom HTML interface also uses a CSS file which defines the style used in the login form. C:\Program Files\RhinoSoft\Serv-U\Custom HTML Samples) when Serv-U is installed. all supported SSH ciphers and MACs (Message Authentication Codes) are enabled for use by the server. If your specific security needs dictate that only certain ciphers or MACs can be used. you can individually disable unwanted ciphers and MACs by deselecting the appropriate ciphers or MACs. By using this feature. you can provide a custom header and custom footer for the HTTP and HTTPS login page.

Footer File: This . CSS File: This . Header File: This .HTM file contains the content for the HTML footer that is inserted after the login form. and also the styles that will be used by the login form. the storage location of the images must be specified. To universalize the storage location. containers. because the path only has to be defined once 197 . including all images. and the CSS file.HTM file contains the content for the HTML header that is inserted before the login form. Enable Custom HTML: The custom HTML is not used by Serv-U until this option is enabled. and other formatting that is used throughout the header file and footer file.CSS file contains all the styles. the header file. Most custom HTML interfaces include custom images. This has the further benefit of avoiding changes to HTML when the container storing the HTML files and images is changed. Subdirectories in this folder are allowed. the footer file. use of the %CUSTOM_HTML_DIR% tag in paths that refer to images. To use custom images.Using custom HTML The following fields are used by the Custom HTML feature: l l l l l Custom HTML Container Directory: This directory contains all of the files used by the custom HTML.

Select whether you want to use the inherited default email notification message. 5.Chapter 4: Domain in the Custom HTML Container Directory field. To enable file sharing: 1. For more information about file sharing. you can type in a custom email invitation subject.png" alt="My Image"> Using file sharing By using the file sharing feature. If the option is deselected. Note: File sharing is disabled by default. 2. Type the address for the domain URL. Navigate to Server Limits and Settings > File Sharing. Select whether you want to use the inherited default email invitation subject. 3. you can type in a custom message. For more information about configuring an 198 . If the option is deselected. 6. configure your SMTP to be able to send and receive notification emails. or customize your own. Select Enable File Sharing. The tag is used in the following way: <img src="/%CUSTOM_HTML_DIR%/images/image. 7. If it is not configured yet. see the Serv-U Web Client and File Sharing User Guide. Select the number of days until the shares expire. you must configure your SMTP settings. 8. You must select the relevant option to enable it. Type the location of the file sharing repository. To send file sharing invitation emails. This configuration only needs to be set once for the entire server or a domain. or customize your own. domain users can send or receive files from guests. 4.

9. including their current status. FTP. Click this button to bring up another window with additional options for how the disconnect should be performed.Server activity SMTP server. certain additional functions are available. The Active Session Information group is populated with the details of the currently highlighted session. Click Save. This information is frequently updated to provide an accurate and up-to-date snapshot of the activities of the session. From this page. connection state. you can view individual sessions. Server activity The Server Activity > Sessions and Domain Activity > Sessions pages display the current file server session activity. This is also known as "kicking" the user. or SFTP). you can see an overall picture of the current activity on the file server. 199 . In addition. only the current sessions of the particular domain are displayed. When you view the Sessions page from the server. preventing the client from immediately reconnecting. Depending on the type of connection made by that session (for example. When you view the Sessions page while you are administering a domain. To view detailed information about a specific session. see Configuring SMTP settings. select the session. The following disconnect options are available: l l Disconnect: Immediately disconnects the session. HTTP. Disconnect and ban IP for x: Immediately disconnects the session and bans its IP address for the specified number of minutes. Another session can be immediately established by the disconnected client. Disconnecting sessions You can disconnect any type of session at any time by clicking Disconnect. and transfer information. all connected sessions from all domains are displayed.

or only the domain the session is connected to. Using the spy & chat function You can spy on any type of session by clicking Spy & Chat or by double-clicking a session in the list. additional options are available for chatting with the user. If the current session is using the FTP protocol. and also includes a complete copy of the session log since it first connected to the file server. preventing the client from ever reconnecting from the same IP address. the client application must be capable of receiving unsolicited responses from the server instead of discarding them. When disconnecting a session from the Server Session view. you can send a message to the user before disconnecting them by typing it in the Message to user field. you can select where you want the temporary or permanent IP ban to be applied: for the entire server. In order for a client to receive messages. The Chat group shows all messages sent to and received from the session since beginning to spy on the session. This option is not available for HTTP or SFTP sessions because neither protocol defines a method for chatting with users. you can also disable the user account in use by the session by selecting Disable user account. The command used to send a message to the server is SITE MSG. Note: Not all FTP clients support chatting with system administrators.Chapter 4: Domain l Disconnect and block IP permanently: Immediately disconnects the session and adds a deny IP access rule for the IP address. it is automatically displayed here. This way you can browse the log and view all actions taken by the user of the session. Spying on a user displays all the detailed information normally visible by highlighting the session. In addition to disconnecting the session. By using this option. When a message is received from the session. and then click Send. you can also use the Apply IP rule to option. To send a message to the session. type the message text in the Message Content field. If the current session is using the FTP protocol. 200 .

Sending a message through broadcast is equivalent to opening the Spy & Chat window to each individual FTP session and sending it a chat message. If this is the case. 24 Hrs Sessions The number of sessions that have connected in the past 24 hours. 201 . making it appear that the cancellation failed. especially FTP and SFTP clients. Server and domain statistics The Server Activity > Statistics and Domain Activity > Statistics pages show detailed statistics about the use of the server for use in benchmarking and records keeping. Statistics viewed at the server level are an aggregate of those accumulated by all domains on the server. Some clients. Canceling sessions If a session is performing a file transfer. Statistics viewed for an individual domain are for that domain only. The displayed information includes the following details: Session statistics Current Sessions The number of sessions currently connected. the current file transfer for that session is terminated by the server. may automatically restart the canceled transfer. After confirming the command. Total Sessions The total number of sessions that have connected since being placed online. you can cancel the file transfer without disconnecting the session by clicking Abort. try disconnecting the session instead.Broadcasting messages Broadcasting messages You can send a message to all currently connected FTP sessions by clicking Broadcast.

Login statistics These statistics can apply to either a domain or the entire server depending on the statistics currently being viewed. Currently Logged In The number of sessions currently logged in. Average Duration Logged In The average login time for all sessions. This is not the last time a connection was made. Last Logout Time The last recorded valid logout time. Most Logged In The highest number of users logged in concurrently. 202 . Login statistics differ from session statistics because they apply to a login (providing a login ID and password) as opposed to connecting and disconnecting. Average Session Length The average length of time a session has remained connected. Logins The total number of successful logins.Chapter 4: Domain Highest Num Sessions The highest number of concurrent sessions that has been recorded since being placed online. Longest Session The longest recorded time for a session. Last Login Time The last recorded valid login time.

User and group statistics The User and Group Statistics pages show detailed statistics based on individual user or group activity. Uploaded The total amount of data. Upload Speed The cumulative upload bandwidth currently being used. The displayed information includes the following details: Session statistics Current Sessions The number of sessions currently connected. uploaded since being placed online. Downloaded The total amount of data. downloaded since being placed online. Average Download Speed The average download bandwidth used since being placed online. 203 .User and group statistics Transfer statistics Download Speed The cumulative download bandwidth currently being used. Average Upload Speed The average upload bandwidth used since being placed online. Statistics viewed for a user or group are for that user or group only. Total Sessions The total number of sessions that have connected since being placed online. and number of files. and number of files. 24 Hrs Sessions The number of sessions that have connected in the past 24 hours.

Longest Session The longest recorded time for a session. Longest Duration Logged In The longest amount of time a session was logged in. 204 . Currently Logged In The number of sessions currently logged in. Avg. Average Duration Logged In The average login time for all sessions. Login statistics These statistics can apply to either a user or a group of users. Last Login Time The last recorded valid login time (not the last time a connection was made). depending on the statistics currently being viewed. Most Logged In The highest number of simultaneously logged in sessions. Logins The total number of successful logins. Login statistics differ from session statistics because they apply to a login (providing a login ID and password) as opposed to connecting and disconnecting. Logouts The total number of logouts. Last Logout Time The last recorded valid logout time. Session Length The average length of time a session has remained connected.Chapter 4: Domain Highest Num Sessions The highest number of concurrent sessions that has been recorded since being placed online.

Uploaded The total amount of data. Transfer statistics Download Speed The cumulative download bandwidth currently being used. It does not show domain activity information. To save statistics to a file. and number of files. view the log of the 205 . The server log shows file server startup. configuration. and then click Save Statistics at the bottom of the page. Average Download Speed The average download bandwidth used since being placed online. Server and domain log The Server Activity > Log and Domain Activity > Log pages show logged activity for the server or domain. Save Statistics User and group statistics can be saved directly to a CSV file for programmatic analysis and review. first select the user or group you want to generate a statistics file for. uploaded since being placed online. and number of files. Average Upload Speed The average upload bandwidth used since being placed online. downloaded since being placed online. For activity logs.Server and domain log Shortest Login Duration Seconds The shortest amount of time a session was logged in. Downloaded The total amount of data. Upload Speed The cumulative upload bandwidth currently being used. and shutdown information.

see Configuring domain logs. Clear Log When the log has become too large for you to view at once. Legend To make viewing the different components of the log easier. click this button to erase the currently displayed log information. Select All Click this button to automatically freeze the log and highlight all currently displayed log information so you can copy it to the clipboard. You can highlight information contained in the log by clicking and dragging the mouse cursor over the appropriate portion of the log.txt. In addition to status information about libraries. The domain log contains information about and activity pertaining to the currently administered domain only. the server log also contains information about all domain listener status. The information contained in the server log is also saved to a text file located in the installation directory that is named Serv-U-StartupLog. licensing. For more information about the types of activity information that can be placed in the domain log. Clicking this 206 . each different type of logged message is color-coded for quick identification. Only log information received after clicking the button is displayed.Chapter 4: Domain appropriate domain instead. This includes the status of the listeners of the domain. you can copy the selected portion to the clipboard. Freeze Log Select this option to temporarily pause the refreshing of the log. This is useful on busy systems so you can highlight and copy a particular section of the log before it scrolls out of view. and PASV port range status. and the current build that is logged when the file server first starts. Universal Plug-and-Play (UPnP) status information. When you have finished. deselect the option to resume the automatic updating of the log. and any configured activity log information. This file is replaced each time the Serv-U File Server is started. When it is highlighted.

After configuring the logging options you want.Configuring domain logs shows the legend in a draggable dialog. To view the entire contents of the log again. When combined with the Automatically rotate log file option. Filter Log To quickly find and read through specific sections of the log. Click this button to bring up the Filter Log window. Download Log To download the full log file from Serv-U. When an option is selected from the Screen column. Wildcard characters which refer to the date apply to the day that the log file is created. click Download Log. Logging consists of two sections: File and Screen. you can filter it based on a search string. and then click Filter to refresh the log to only display log entries containing the search string. select the appropriate option in the File or Screen column. click Save to save the changes. the appropriate logging information is saved to the specified log file if Enable logging to file is selected. your web browser prompts you to choose a location to save the file. or it begins to download the file automatically. You can configure the log to show as much or as little information as you want. Provide a search string. Logging to file settings Before information can be saved to a file. If you have permission to download the file. wildcards provide an automatic way to 207 . Click Browse to select an existing file or directory location for the log file. The log file path supports certain wildcard characters. you must specify the name of the log file. you can customize the logging of domain events and activity to a great extent. Drag the legend dialog to a convenient location so you can use it for reference while you browse the log. and then click Reset. To enable a logging option. Configuring domain logs In the Serv-U File Server. open the Filter Log window. the event is displayed in the log when viewed from the Serv-U Management Console. When an option is selected from the File column.

%D The current day of the month. or year. 2015). 208 . Serv-U can rotate the log file and create a unique file name every hour. %X The 2-digit value of the current year (for example. %M The name of the current month. 14 for 2015).Chapter 4: Domain archive domain activity for audits. By specifying a Log file path containing wildcards referencing the current date. Enabling logging to file Select this option to enable Serv-U to begin saving log information to the file specified in the Log file path. you can automatically rotate the log file on a regular basis. %N The numeric value of the current month (1-12). month. regardless of the individual options selected in the File column. %Y The 4-digit value of the current year (for example. Automatically rotating the log file To ensure that log files remain a manageable size and can be easily referenced during auditing. If this option is not selected. You can use the following wildcard characters: %H The hour of the day (24-hour clock). week. %S The name of the domain whose activity is being logged. day. Serv-U does not log any information to the file.

It can also be used to save log space and reduce overhead. Log file variables are replaced with Windows wildcard values used to search for matching files.txt C:\Logs\%S\%Y:%M:%D Log. Warning: Log files are purged based only on the current log file path name.txt \????:*:?? Log. Click Do Not Log IPs. Specifying IP addresses exempt from logging You can specify IP addresses that are exempt from logging. Activity from these IP addresses is not logged to the location specified by the rule: the Screen. or both. and then add IP addresses as appropriate. or both. a maximum size limit in megabytes.txt C:\Logs\%Y:%M:%D %S Log.Configuring domain logs Purging old log files You can automatically purge old log files by setting a maximum number of files to keep.txt is searched for C:\Logs\????:*:?? * Log. Setting these options to "0" means that the setting is unlimited.txt is searched for C:\Logs\--DomainName-- The following wildcards can be used for log variables: %D --> ?? %N --> ?? %M --> * %Y --> ???? %X --> ?? %S --> * Anything matching the path name you used wildcards for can be purged. For example: is searched for C:\Logs\????:??:?? * Log. and the limit is not applied. a File.txt C:\Logs\%Y:%N:%D %S Log. Use caution: it is best practice to place log files into a single directory to avoid unexpected file deletion. 209 . This is useful to exempt IP addresses for administrators that may otherwise generate a significant amount of logging information that can obfuscate domain activity from regular users. and they are purged approximately every 10 minutes.

Each active session on the file server has a user account associated with it that identifies the client to the administrator. At its most basic level. Global Users Defined at the server level. and require a Serv-U MFT Server license. 210 . Windows Users Defined at the domain level. a home directory. the home directories. Windows users use the credentials and often. database users are stored in an external database accessible through ODBC and supplement the local account database. of Windows accounts from the local machine or Windows domain controller (including Active Directory). including the following: Domain Users Defined at the domain level. and the actions the user can perform in those locations. User accounts can be defined in various ways on the Serv-U File Server. and a set of directory access rules that define the areas of the system that are accessible to the user. login ID and password). a user account defines login credentials (that is. global users can log in to any domain on the file server. Database Users Available at both the server and domain level.Chapter 5: Users Configuring user accounts A user account is required in order to provide access to the file server. Windows users only work on Windows. domain users can only log in to the domain under which they are created.

or place all users at an office in Topeka in a collection named Topeka Users. and then click Save. LDAP users require a Serv-U MFT Server license. You can save time and effort by entering such settings at the server level to remove the need for multiple user accounts at the domain level. you can place all users in the accounting department in a collection named Accounting. To move a user from one collection to another.Chapter 5: Users LDAP Users Defined at the domain level. and may access LDAP servers. LDAP users work on both Windows and Linux. and select the appropriate location for the user account accordingly. the email and other attributes. This can be useful when you manage all users from a department or physical location. click Add in the Select user collection area in the users window. Unlike Windows users. 211 . Because user accounts can be assigned at the various levels with the same login ID. in any accessible domain. click Move below the user list. To create a collection. Where user accounts can be specified at both the domain and server levels. the domain level account always takes precedence over the server one. of LDAP accounts from a remote LDAP server. including Active Directory and OpenLDAP. When you create users. For example. you can organize user accounts into collections to make account management more logical and organized. a hierarchy is used by Serv-U to determine which account takes precedence. The user account types listed previously are listed in the order of precedence. and then select the destination collection for the highlighted user accounts. You can add users to this new collection by selecting them and clicking Add below the user list. LDAP users use the credentials and often. type the name of your collection. In the new window. You can also rename or delete collections by using the appropriate button. In Serv-U MFT Server. consider what kind of access they need.

most File Server administrators have a collection of settings that they want all user accounts to abide by. there are times when it may not be the course of action you want. they will automatically be added to the particular group which is specified in the user template. all users are created in the General user collection. The New User Wizard walks you through the four steps required to create a user account with the minimum number of required attributes. when new users are created. make sure you move them before deleting the collection. You can configure the template user just like any other user account. If you want to keep the user accounts. Groups are the best way to accomplish this task. see the Quick start guide. After it is created. If you set up the user template as a member of the group you want all users to be a member of. This way. you can edit the user account to configure more advanced settings. however. 212 . you can add users to a specific default group.Configuring user accounts Warning: When deleting a collection. User Template While the New User Wizard provides a way to quickly create a user account with the minimum number of required attributes. all new user accounts that are manually created are done so with their default settings set to those found within the template. such as group membership or additional directory access rules. By default. For more information about using the New User Wizard. too. By using user templates. with the exception of a login ID. New User Wizard Click Wizard on the Users page to open the New User Wizard. Serv-U allows an administrator to configure a template for new user accounts by clicking Template. After these settings are saved to the template. all user accounts contained in that collection are deleted.

the password will be reset and the new password will be sent to the user's email address. and then choose Copy. Importing and exporting user accounts User accounts can be imported and exported using the Import and Export options. users can use the Recover Password option in the Web Client. and then click Recover Password. For password recovery to be available. use Copy to create a copy of a user account that only lacks the user name and the password. Filtering user and group ID lists In larger deployments of Serv-U. Password Recovery from the Web Client requires that the Allow users to recover password limit be enabled for the user account. among other things. Additionally. Password Recovery from the Web Client otherwise works the same as from the Management Console. you can filter user and group lists by login ID using 213 . which can be viewed in Excel and analyzed by database engines.Chapter 5: Users Copying user accounts User templates offer a way for large numbers of users to be created with the same settings. and the user account must have an email address listed. In order to easily find a specific user account. you must configure the SMTP options for the server or domain. Recovering passwords Serv-U supports password recovery both through the Management Console and through the Web Client. To copy a user. select the user account. In cases where only the settings of a single user must be duplicated or there is a need for multiple user templates. the user list can grow very large. select a user account. Click Export to export all users in either the current domain or server. the original password will be sent by email. If the password is stored using two-way encryption or no encryption. If the password is stored using one-way encryption. To use password recovery from the Management Console. Once this option is enabled. or the current Collection to a comma-separated values file (CSV file). by creating a CSV file using the same format as the export it is possible to import lists of users from CSV files into Serv-U.

and the type of account. The following wildcards are also supported: l l l Use the "*" parameter to filter for Users or Group login IDs when the whole ID is unknown (for example. User information A user account consists of several attributes and settings. Serv-U requires users who log on with one of these accounts to provide their email address to complete the login process. The User Information page contains general information about the user account including login credentials. and they can be used for guests on your file server. ????Lastname. These users do not require a password. Instead. [utr] sername. *Admin*. Use the "?" parameter when a specific character is unknown (for example. In addition to the login ID. Firstname???).User information input from the administrator. the home directory. Login IDs must be unique for each account specified at the particular level. Login IDs cannot contain any of the following special characters: \/<>|:. Use the "[]" parameter when a specific character is unknown but should contain one of the specified characters in the brackets (for example. These login IDs are synonymous with one another. 214 . which should be left blank in this case. Full name The full name of the account is available to specify additional identifying information about the account. Login ID The login ID is provided by the client as one part of authenticating the session to the file server. clients must provide a password to complete authentication.?* Note: Two special login IDs exist: Anonymous and FTP. It is not used by clients when they log in. This topic provides detailed information about each attribute. Tech*). User[fmn]ame). *Department.

You can place restrictions on the length and complexity of passwords through limits. all passwords are eight characters long and are complex. edit. and 215 . A user account with No Privilege is a regular user account that can only log in to transfer files to and from the File Server. A Group Administrator can only perform administrative duties relating to their primary group (the group that is listed first in their Groups memberships list). generated passwords will follow the specified domain value. the password will be four characters long. For more information about password limits. A strong password contains at least six characters including a mix of upper and lowercase letters and at least one number. By default. If the minimum password length is equal to or less than four characters. see Limits and settings. Otherwise. This new password will follow the defined password length requirements. Administration privilege A user account can be granted one of the following types of administrative privileges: l No Privilege l Group Administrator l Domain Administrator l System Administrator The value of this attribute can be inherited through group membership. You can also generate a new random password for a user by clicking the Lock icon next to the Password. and delete users which are members of their primary group. The Serv-U Management Console is not available to these user accounts. They can add.Chapter 5: Users Password The password is the second item that is required so that a session can be authenticated with the file server. The password should be kept a secret and not shared with anyone other than the person that owns the account.

They may not make any other changes. take care in specifying their home directory. or even updating the license of the file server. Instead. greatly aiding remote problem diagnosis when working with outside parties./. Read-only administrator privileges are identical to their full-access equivalents. relative paths must be used. user accounts. An administrator with a home directory other than "\" (root) that is locked in their home directory may not use absolute file paths outside of their home directory when configuring the file server. Home directory The home directory for a user account is where the user is placed immediately after logging in to the file server. A user account with System Administrator privileges that is logged in through HTTP remote administration can administer the server as if they had physical access to the server..User information they can also assign permissions at or below the level of the Group Administrator. The domainrelated activities that may not be performed by Domain Administrators consist of configuring their domain listeners or configuring ODBC database access for the domain. A System Administrator can perform any file server administration activity including creating and deleting domains. .. You can also create read-only administrator accounts which can allow administrators to log in and view configuration options at the domain or server level. Additionally. such a user account can also use setting files located outside the home directory. A Domain Administrator can only perform administrative duties for the domain to which their account belongs./exampleFile. Each user must have a home directory assigned 216 . and cannot create. A Domain Administrator is also restricted from performing domain-related activities that may affect other domains. however. these files must also be specified by using relative paths. except that they cannot change any settings. Note: When you configure a user account with administrative privileges. for example. delete or edit user accounts.txt.

This path can include the following macros: %HOME% The home directory of the user account. SSH public key path The SSH public key can be used to authenticate a user when logging in to the the Serv-U File Server. This is used mostly to configure a default home directory at the group level or within the new user template to ensure that all new users have a unique home directory. to place a user's home directory into a common location. a new user can be configured with a unique home directory and the appropriate access rights to that location with a minimal amount of effort. You can also use the %DOMAIN_HOME% macro to identify the user's home directory. allowing them the ability to access all system drives. The public key path should point to the key file in a secured directory on the server. When you specify the home directory. use %DOMAIN_HOME%\%USER%. Home directories must be specified using a full path including the drive letter or the UNC share name. In order for this to work properly. you can use the %USER% macro to insert the login ID in to the path. For example. If the home directory is not found. although it can be specified at the group level if the user is a member of a group. When it is combined with a directory access rule for %HOME%. %USER% The login ID. you can configure Serv-U to create it. 217 .Chapter 5: Users to it. The home directory can be specified as "\" (root) in order to grant system-level access to a user. used if the public key will have the login ID as part of the file name. the user must not be locked in their home directory.

all accounts are permanent and exist on the file server until they are manually deleted or disabled. After selecting the appropriate type. Instead of asking users which client they want to use. you can also specify a default client. If you change this option. Examples: %HOME%\SSHpublic. the Account Expiration Date control is displayed. Account type By default. then users connecting to the file server through HTTP can choose which client they want to use after logging in. Default Web Client If your Serv-U license enables the use of FTP Voyager JV. Type an email address here to allow email notifications or password recovery for the user account. it overrides the option specified at the server or domain level. 218 . It can also be inherited by a user through group membership.pub For information about creating an SSH key pair. Use the Inherit default value option to reset it to the appropriate default value. used if the keys are in a central folder relative to the domain home directory. set in Domain Details > Settings. You can configure an account to be automatically disabled or even deleted on a specified date by configuring the account type.User information %DOMAIN_HOME% The home directory of the domain.pub %DOMAIN_HOME%\SSHKeys\%USER%. and password recovery using the Web Client requires an email address to send a recovered password to a user. Email address Serv-U events can use the Email Address field when sending email notifications to groups. see SFTP (Secure File Transfer over SSH2) for users and groups. Click the calendar or expiration date to select when the account should be disabled or deleted.pub %HOME%\%USER%.

Chapter 5: Users
Lock user in home directory
Users locked in their home directory may not access paths above their home
directory. In addition, the actual physical location of their home directory is
masked because Serv-U always reports it as "/" (root). The value of this attribute
can be inherited through group membership.
Enable account
Deselect this option to disable the current account. Disabled accounts remain on
the file server but cannot be used to log in. To re-enable the account, select the
Enable account option again.
Always allow login
Enabling this option means that the user account is always permitted to log in,
regardless of restrictions placed upon the file server, such as maximum number of
sessions. It is useful as a fail-safe in order to ensure that critical system
administrator accounts can always remotely access the file server. As with any
option that allows bypassing access rules, care should be taken in granting this
ability. The value of this attribute can be inherited through group membership.
Note: Enabling the Always Allow Login option does not override IP access rules.
If both options are defined, the IP access rules prevail.
Description
The description allows for the entry of additional notes that are only visible to
administrators.
Availability
This feature limits when users can connect to this server. You can place
limitations on the time of day, and also on the day of the week. When users
attempt to log in outside the specified available times, they are presented with a
message that their user account is currently unavailable.
Welcome message
The welcome message is a message that is traditionally sent to the FTP client
during a successful user login. Serv-U extends this ability to HTTP so that users

219

Configuring directory access rules
accessing the file server through the Web Client or FTP Voyager JV also receive
the welcome message. This feature is not available to users logging in through
SFTP over SSH2, because SSH2 does not define a method for sending general
text information to users.
The welcome message can contain general information about the status of the
server, a special message for the user, disclaimers, or other legal notices. You
can configure a welcome message in one of two ways. The first method involves
specifying the path to a file containing the welcome message in the Message File
Path field. Use Browse to select an existing file on the system.
As an alternative, the text of the welcome message can be explicitly provided to
Serv-U in the appropriate text field. In order to override an explicit welcome
message at the user level, select the Override inherited group welcome
message option first. The provided text is then sent to the user instead of the
contents of the file specified in the Message File Path field.
These values can be inherited by the user through group membership.
You can also use system variables in the welcome message. For a
comprehensive list of system variables, see System variables.

Configuring directory access rules
Directory access rules define the areas of the system which are accessible to
user accounts. While traditionally restricted to the user and group levels, in
Serv-U, the usage of directory access rules is extended to both the domain and
the server levels through the creation of global directory access rules. Directory
access rules specified at the server level are inherited by all users of the file
server. If they are specified at the domain level, they are only inherited by users
who belong to the particular domain. The traditional rules of inheritance apply
where rules specified at a lower level (for example, the user level) override
conflicting or duplicate rules specified at a higher level (for example, the server
level).

220

Chapter 5: Users
When you set the directory access path, you can use the %USER%, %HOME%, %USER_
FULL_NAME%, and %DOMAIN_HOME% variables to simplify the process. For example,
use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot
folder in the home directory of the user. Directory access rules specified in this
manner are portable if the actual home directory changes while maintaining the
same subdirectory structure. This leads to less maintenance for the file server
administrator. If you specify the %USER% variable in the path, it is replaced with the
user's login ID. This variable is useful in specifying a group's home directory to
ensure that users inherit a logical and unique home directory. You can use the
variable to insert the Full Name value into the path (the user
must have a Full Name specified for this to function). For example, the user "Tom
Smith" could use D:\ftproot\%USER_FULL_NAME% for D:\ftproot\Tom Smith. You
can also use the %DOMAIN_HOME% macro to identify the user's home directory. For
example, to place a user and their home directory into a common directory, use
%DOMAIN_HOME%\%USER%.
%USER_FULL_NAME%

Directory access rules are applied in the order they are listed. The first rule in the
list that matches the path of a client's request is the one that is applied for that
rule. In other words, if a rule exists that denies access to a particular subdirectory
but is listed below the rule that grants access to the parent directory, then a user
still has access to the particular subdirectory. Use the arrows on the right of the
directory access list to rearrange the order in which the rules are applied.
Note: Serv-U allows to list and open the parent directory of the directory the user
is granted access to, even if no explicit access rules are defined for the parent
directory. However, the parent directory accessed this way will only display the
content to which the user has access.
The following section contains the list and description of the directory access
permissions.

File permissions
Read
Allows users to read (that is, download) files. This permission does not

221

Directory permissions
allow users to list the contents of a directory, which is granted by the List
permission.
Write
Allows users to write (that is, upload) files. This permission does not allow
users to modify existing files, which is granted by the Append permission.
Append
Allows users to append data to existing files. This permission is typically
used to grant users the ability to resume transferring partially uploaded files.
Rename
Allows users to rename existing files.
Delete
Allows users to delete files.
Execute
Allows users to remotely execute files. The execute access is meant for
remotely starting programs and usually applies to specific files. This is a
very powerful permission and great care should be used in granting it to
users. Users with Write and Execute permissions can install any program
they want on the system.

Directory permissions
List
Allows users to list the files and subdirectories contained in the directory.
Also allows users to list this folder when listing the contents of a parent
directory.
Create
Allows users to create new directories within the directory.
Rename
Allows users to rename existing directories within the directory.

222

Chapter 5: Users
Remove
Allows users to delete existing directories within the directory.
Note: If the directory contains files, the user also needs to have the Delete
files permission in order to remove the directory.

Subdirectory permissions
Inherit
Allows all subdirectories to inherit the same permissions as the parent
directory. The Inherit permission is appropriate for most circumstances, but
if access must be restricted to subfolders (as is the case when implementing
mandatory access control), clear the Inherit check box and grant
permissions specifically by folder.

Advanced: Access as Windows User (Windows Only)
For a variety of reasons, files and folders may be kept on external servers in order
to centralize file storage or provide additional layers of security. In this
environment, files can be accessed by the UNC path (\\servername\folder\)
instead of the traditional C:\ftproot\folder path. However, accessing folders
stored across the network poses an additional challenge, because Windows
services are run under the Local System account by default, which has no access
to network resources.
To mitigate this problem for all of Serv-U, you can configure the Serv-U File
Server service to run under a network account. The alternative, preferred when
many servers exist, or if the Serv-U File Server service has to run under Local
System for security reasons is to configure a directory access rule to use a
specific Windows user for file access. By clicking the Advanced button, you can
specify a specific Windows user for each individual directory access rule. As in
Windows authentication, directory access is subject to NTFS permissions, and in
this case also to the configured permissions in Serv-U.
Note: When you use Windows authentication, the NTFS permissions of the
Windows user take priority over the directory access rules. This means that when

223

Quota permissions
a Windows user tries to access a folder, the security permissions of the user are
applied instead of the credentials specified in the directory access rule.

Quota permissions
Maximum size of directory contents
Setting the maximum size actively restricts the size of the directory contents
to the specified value. Any attempted file transfers that cause the directory
contents to exceed this value are rejected. This feature serves as an
alternative to the traditional quota feature that relies upon tracking all file
transfers (uploads and deletions) to calculate directory sizes and is not able
to consider changes made to the directory contents outside of a user's file
server activity.

Mandatory access control
You can use mandatory access control (MAC) in cases where users need to be
granted access to the same home directory but should not necessarily be able to
access the subdirectories below it. To implement mandatory access control at a
directory level, disable the Inherit permission as shown in the following screen
capture.

224

Chapter 5: Users
In the following example, the rule applies to D:\ftproot\.

Now, the user has access to the ftproot folder but to no folders below it.
Permissions must individually be granted to subfolders that the user needs
access to, providing the security of mandatory access control in the Serv-U File
Server.

Restricting file types
If users are using storage space on the Serv-U File Server to store non-workrelated files, such as MP3 files, you can prevent this by configuring a directory
access rule placed above the main directory access rule to prevent MP3 files from
being transferred as shown below.

225

and use the permissions shown in the following screen capture: The rule denies permission to any transfer of files with the . Similarly. 226 .Restricting file types In the text entry for the rule.mdb extension. if accounting employees only need to transfer files with the . configure a pair of rules that grants permissions for . type *.mp3 extension and can be modified to reflect any file extension.mdb files but denies access to all other files. as shown in the following screen captures.mp3.

227 .Chapter 5: Users In the first rule enter the path that should be the user's home directory or directory they need access to.

These rules only allow users to access . You can adapt these rules to any file extension or set of file extensions.Using virtual paths In the second rule enter the extension of the file that should be accessed (such as *. A virtual path only defines a method of mapping an existing directory to another location on the system to make it visible within a 228 . users can gain access to files and folders outside of their own home directory.mdb). Using virtual paths If virtual paths are specified.mdb files within the specified directories.

domain. virtual paths can be configured at the server. For example. users must have a directory access rule specified for the physical path. When specifying the virtual path. that is to be placed in a virtual location accessible by a user. In order to actually have access to the mapped location. Like directory access rules. group. You can also use a UNC path. they are only accessible by users belonging to that domain. Virtual paths created at the server level are available for all users of the file server. You can also use a full path without any macros. the last specified directory is used as the name displayed in directory listings to the user.Chapter 5: Users user's accessible directory structure. the user must still have a directory access rule specified for the physical path of a virtual path. and user levels. If the physical path is located on the same computer. Including virtual paths in "Maximum Directory Size" calculations When this option is selected. a virtual path of %HOME%/public places the specified physical path in a folder named public within the user's home directory. such as D:\inetpub\ftp\public. Physical path The physical path is the actual location on the system. When virtual paths are created at the domain level. To make a virtual path visible to users. You can also create virtual paths specifically for individual users or groups. Virtual path The virtual path is the location that the physical path should appear in for the user. The %HOME% macro is commonly used in the virtual path to place the specified physical path in the home directory of the user. use a full path. such as \\Server\share\public. The Maximum Directory Size limits the size of directories 229 . or network. the virtual path is included in Maximum Directory Size calculations.

The developers now have access to the image repository without compromising security or relocating shared resources. you can customize the logging of user and group events and activity to a great extent. You can configure the log to show 230 .com\corpimages Case File: Creating relative virtual paths Continuing with the previous example. Be sure to add a group level directory access rule for D:\corpimages\ as well. Within the group of web developers. The developers also need access to an image repository located at D:\corpimages\. Instead of using D:\ftproot\example.com\corpimages as the virtual path. When an option is selected. use %HOME%\corpimages. the appropriate logging information is saved to the specified log file if the Enable logging to file option is selected. This way the corpimages virtual path is placed within the home directory of the group. regardless of what the home directory is.Case File: Using virtual paths affecting how much data can be uploaded. select the appropriate option in the Log Message Options grouping. a virtual path must be configured so that the image repository appears to be contained within their home directory. To enable a logging option.com\ for web development purposes. both the home directory and the virtual path need to be updated to reflect this change. add a virtual path to bring the directory to the users by specifying D:\corpimages\ as the physical path and as the virtual path. if the home directory of the group of web developers is relocated to another drive. the virtual path still appears there. To avoid granting the group access to the root D drive. Configuring user and group logs In the Serv-U File Server. Case File: Using virtual paths A group of web developers have been granted access to the directory D:\ftproot\example. If the home directory changes at a later date. D:\ftproot\example. You can avoid this by using the %HOME% macro to create a relative virtual path location that eliminates the need to update the path if the home directory changes.

Click Browse to select an existing file or directory location for the log file. %X The 2-digit value of the current year (for example. 231 . When combined with the Automatically rotate log file option. Logging to File settings You must specify the name of the log file before information can be saved to a file. %S The name of the domain whose activity is being logged.Chapter 5: Users as much or as little information as you want. 2014). %D The current day of the month. The log file path supports certain wildcard characters. %G The name of the group whose activity is being logged. %Y The 4-digit value of the current year (for example. %N The numeric value of the current month (1-12). wildcards provide an automatic way to archive activity for audits. %L The name of the login ID whose activity is being logged. After configuring the logging options you want. The following list contains the wildcard characters that you can use: %H The hour of the day (24-hour clock). click Save to save the changes. %M The name of the current month. Wildcard characters which refer to the date apply to the day that the log file is created. 14 for 2014).

txt C:\Logs\%L\%Y:%M:%D Log. a maximum size limit in megabytes. or both. you can automatically rotate the log file on a regular basis. Automatically rotating the log file To ensure that log files remain a manageable size and can be easily referenced during auditing. Purging old log files You can automatically purge old log files by setting a maximum number of files to keep. day.Enabling logging to file %U The full name of the user whose activity is being logged.txt C:\Logs\%G\%Y:%M:%D Log.txt is searched for C:\Logs\--LoginID--\????:*:?? Log. week.txt is searched for C:\Logs\--DomainName-C:\Logs\%Y:%M:%D %S Log. Log file variables are replaced with Windows wildcard values used to search for matching files.txt is searched for C:\Logs\????:*:?? * Log. or year.txt is searched for C:\Logs\--GroupName--\????:*:?? Log. month. By specifying a Log file path containing wildcards that reference the current date.txt is searched for C:\Logs\????:??:?? * Log.txt \????:*:?? Log. If this option is not selected. and they are purged approximately every 10 minutes. For example: C:\Logs\%Y:%N:%D %S Log.txt C:\Logs\%S\%Y:%M:%D Log. regardless of the individual options selected in the Log Message Options area. Setting these options to "0" means that the setting is unlimited and the limit is not applied. Serv-U can rotate the log file and create a unique file name every hour. Warning: Log files are purged based only on the current log file path name. Serv-U does not log any information to the file. Enabling logging to file Select this option to enable Serv-U to begin saving log information to the file that you specified in the Log file path.txt 232 .

Chapter 5: Users C:\Logs\%U\%Y:%M:%D Log. This is useful to exempt IP addresses for administrators that may otherwise generate a lot of logging information that can obfuscate domain activity from regular users. Group memberships A user can be a member of any number of groups. see Configuring user groups. the order in which group memberships are presented is important. It can also be used to save log space and reduce overhead.txt is searched for C:\Logs\--UserFullName-- The following wildcards can be used for log variables: %H --> ?? %D --> ?? %N --> ?? %M --> * %Y --> ???? %X --> ?? %S --> * %G --> * %L --> * %U --> * Anything matching the path name you used wildcards for can be purged. and then add IP addresses as appropriate. Use caution: it is best practice to place log files into a single directory to avoid unexpected file deletion. Activity from these IP addresses is not logged. Click Do Not Log IPs. For more information about configuring groups. Specifying IP addresses exempt from logging You can specify IP addresses that are exempt from logging. Because a user can be a member of multiple groups.txt \????:*:?? Log. The first group membership for a user 233 . Groups provide a convenient way of applying a base set of user attributes and settings to multiple users.

Group memberships encountered by Serv-U that provides a value for an attribute is the value that is used. 234 . Use the left arrow buttons to add additional group memberships to the user. or use the right arrow buttons to remove the user from the selected groups. Use the arrows on the right side of the group membership list to arrange the order of group memberships.

you can use event handling which can perform various actions triggered by a list of selected events.Chapter 5: Users Using Serv-U events In Serv-U. 235 .

Server events The following list contains the available actions: Server events Server Start Triggered by Serv-U starting up. Server Stop Triggered by Serv-U shutting down. Server and domain events Domain Start Triggered by a Serv-U domain starting. Domain Stop Triggered by a Serv-U domain stopping. This event only triggers for graceful stops. or as part of normal server startup. 236 . or as part of normal server startup. Session Connection Triggered by a new TCP session connection. Log File Deleted Triggered by the automatic deletion of a log file. through the Enable Domain setting in the Domain Details > Settings menu. whether from service or applicationlevel status. according to logging settings. whether by starting the Serv-U service or starting Serv-U as an application. Session Disconnect Triggered by a TCP session disconnection. Log File Rotated Triggered by the automatic rotation of a log file. through the Enable Domain setting in the Domain Details > Settings menu. according to logging settings. Session Connection Failure Triggered by a failed session connection attempt.

Listener Failure Triggered by a failed listener connection. Gateway Listener Failure Triggered by a failed gateway listener connection. Permanent Listener Success Triggered by a successful permanent listener connection. Permanent Gateway Listener Success Triggered by a successful permanent gateway listener connection. Gateway Listener Success Triggered by a successful gateway listener connection. and no errors are encountered. Permanent Gateway Listener Stop Triggered by a stopped permanent gateway listener connection. Gateway Listener Stop Triggered by a stopped gateway listener connection. Listener Stop Triggered by a stopped listener connection. Permanent Listener Failure Triggered by a failed permanent listener connection. Permanent Listener Stop Triggered by a stopped permanent listener connection. 237 .Chapter 5: Users Listener Success Triggered by a successful listener connection. File Management Rule Success Triggered when a file management rule is applied. Permanent Gateway Listener Failure Triggered by a failed permanent gateway listener connection.

238 . User Enabled Triggered by the enabling of a user account that was previously disabled. either due to an incorrect user name. A failed login is any connection attempt to ServU that fails. or any or all of the above. domain. User Logout Triggered by the logout of a user account. user and group events User Login Triggered by the login of a user account. incorrect SSH key pair (for SFTP public key authentication). or a session disconnect before authentication. domain. File Management Automatic Move Triggered when a file is automatically moved to a different location by the server. User Password Change Failure Triggered by a failed password change attempt. Server. User Password Change Triggered by the change of a password for a user account by the user (if permitted). incorrect password.Server. whether due to invalid credentials. User Login Failure Triggered by a failed login. and at least one error is encountered. user and group events File Management Rule Failure Triggered when a file management rule is applied. User Disabled Triggered by the disabling of a user account that was previously enabled.

User Pre-delete Triggered by the upcoming deletion of a user account. 239 . as configured in Limits & Settings. or in the local Management Console. Password Stale Triggered by a stale password. as configured in the user's Automatically Delete date and the Days before automatically deleting account to trigger the pre-delete event limit. either due to lack of email address in the user account or lack of permissions. in an ODBC database. Password Recovery Failed Triggered by a failed password recovery attempt. User Auto Deleted Triggered by the automatic deletion of a user account. User Auto Disable Triggered by the automatic disabling of a user account. as configured by a user's Automatically Delete date. or in the local Management Console. that is going to expire.Chapter 5: Users User Deleted Triggered by the deletion of a user account by a remote administrator. as configured by a user's Automatically Disable date. User Added Triggered by the creation of a user account by a remote administrator. Password Recovery Sent Triggered by a successful password recovery by an end user. as configured in the user's Automatically Disable date and the "Days before automatically disabling account to trigger the pre-disable event" limit. User Pre-disable Triggered by the upcoming disabling of a user account. in an ODBC database.

IP Auto Added To Access Rules Triggered by the automatic addition of an IP access rule due to a user triggering the "brute force" settings. domain. Too Many Session On IP Triggered by more sessions logging on to the server from a specific IP address than are permitted. or server. Session Timeout Triggered by a session timeout. User Email Set Failure Triggered by a failed attempt by a user to set the email address for a user account. group. Too Many Sessions Triggered by more sessions logging on to the server than are permitted. or server. domain. user and group events User Email Set Triggered by a user setting the email address for a user account. group. IP Blocked Time Triggered by a failed login attempt due to an IP access rule that was automatically added by brute force settings. This event triggers for partial uploads if the upload session terminated with a successful message and no data corruption. File Uploaded Triggered by a file uploaded to Serv-U. IP Blocked Triggered by a failed login attempt due to an IP access rule. domain. 240 . according to the Limits & Settings for the user account. Session Idle Timeout Triggered by an idle session timeout. configured in Domain Limits & Settings or Server Limits & Settings. per the Limits & Settings for the user account.Server.

File Download Triggered by a file downloaded from Serv-U. File Download Failed Triggered by a failed file download from Serv-U. Directory Moved Triggered by moving a directory to a new location. File Moved Triggered by the moving of a file on the Serv-U server by a user. The current quota space is shown in the user account. Creating common events You can automatically create a list of the most common events. in the Limits & Settings menu.Chapter 5: Users File Upload Failed Triggered by a failed file upload to Serv-U. File Deleted Triggered by the deletion of a file on the Serv-U server by a user. Over Quota Triggered by going over disk quota space. You can choose 241 . The current disk space is shown with the AVBL FTP command. or by using the Directory Properties option in the HTTP or HTTPS Web Client and FTP Voyager JV. Directory Deleted Triggered by the deletion of a directory. Directory Created Triggered by the creation of a directory. Directory Changed Triggered by changing the current working directory. Over Disk Space Triggered by exceeding the Max Dir Size configured for a directory access rule.

Email actions contain a To. Select either the Send Email or Show balloon tip option for the action you want to perform on the common events.Creating common events to create these common events using email or balloon tip actions. 242 . To send emails to a Serv-U group. Using event actions You can select from the following actions that will be executed when an event is triggered: l Send Email l Show Balloon Tip* l Execute Command* l Write to Windows Event Log (Windows only)* l Write to Microsoft Message Queue (MSMQ) (Windows only)* * Events involving anything other than email can only be configured by Serv-U server administrators. Using email actions You can configure email actions to send emails to multiple recipients and to Serv-U groups when an event is triggered. You can use special variables to send specific data pertaining to the event. see System variables. also enter an email address where the events are to be sent. For more information about the variables. To add an email address. If you choose to send email. Separate email addresses by commas or semicolons. use the Group icon to add or remove Serv-U groups from the distribution list. Click Create Common Event in the Events page. Note: The Write to Windows Event Log and Write to Microsoft Message Queue (MSMQ) options are available for Windows only. enter it in the To or Bcc fields. Subject and Message parameter.

You can use special variables to send specific data pertaining to the event. A wait value should only be used to give an external program enough time to perform some operation. see Configuring SMTP settings. You can use special variables to send specific data pertaining to the event. For information about SMTP configuration. Execute command actions contain an Executable Path. Enter zero for no waiting. This event has only one field: l Log Information: The contents of the message to be written into the event log. such as move a log file before it is deleted (for example. Using execute command actions You can configure execute command actions to execute a command on a file when an event is triggered. Balloon tip actions contain a Balloon Title and a Balloon Message parameter. Using balloon tip actions You can configure balloon tip actions to show a balloon tip in the system tray when an event is triggered. see System variables. For the Completion Wait Time parameter.Chapter 5: Users To use email actions. For more information about the variables. you can enter the number of seconds to wait after starting the executable path. Note: Any amount of time Serv-U spends waiting delays any processing that Serv-U can perform. $LogFilePath for the Log File Deleted event). Command Line Parameters. 243 . see System variables. you can monitor and record Serv-U activity by using third-party network management software. and a Completion Wait Time parameter. you must first configure SMTP in Serv-U. For more information about the variables. Writing to the Windows Event Log By writing event messages to a local Windows Event Log. All messages appear in the Windows Application Log from a source of "Serv-U". This is normally either a human-readable message (for example.

\Serv-U Message Queue or Serv-U Message Queue). Writing to Microsoft Queue (MSMQ) Microsoft Message Queuing (MSMQ) is an enterprise technology that provides a method for independent applications to communicate quickly and reliably. preventing Serv-U from writing events to the queue. and then set the permissions so that SYSTEM (or the network account under which Serv-U runs) has permission to the queue. These events have the following two fields: l l Message Queue Path: The MSMQ path that addresses the queue. If the specified queue does not exist. but usually is not. or many other activities have occurred. MessageServer\Serv-U Message Queue) is specified.Creating common events filename uploaded by person) or a machine-readable string (for example. This normally only works on public queues on the local machine. . right-click it. Serv-U system variables are supported in this field. files have been picked up. Corporations can use this feature to tell enterprise applications that files have arrived. Serv-U system variables can also be used in this field. Local. Serv-U can send messages to new or existing MSMQ queues whenever a Serv-U event is triggered. public queues on the local machine can be addressed when a full path is not specified (for example. This is normally a text string with a specific format specified by an enterprise application owner or enterprise architect. Note: Microsoft message queues created in Windows do not grant access to SYSTEM by default. filename|uploaded|person). select Properties. To correct this. after creating the queue in MSMQ. but usually is not. depending on who or what is expected to read these messages. Remote queues can be addressed when a full path (for example. Serv-U attempts to create it. You can also use ServU system variables in this field. partners have signed on. Message Body: The contents of the message to be sent into the queue. 244 . This field can be left blank. This field may be left blank.

not triggering for failed HTTP or SFTP uploads. By default. For example. a filter can be configured so that only the user "admin" triggers the event. For example. However. a standard Serv-U event might trigger an email each time a file is uploaded to the server. For example. l Filter Comparison: This is the most critical portion of the filter. used to identify the filter for the event. Logic: This determines how the filter interacts with other filters for an event.Chapter 5: Users Configuring event filters By using Serv-U event filters. Additionally. you can configure a File Upload Failed event to run only when the FTP protocol is used.pdf is uploaded but not when other files are uploaded to the server. The Filter Comparison contains the evaluation that must occur for the event to trigger. The event filter allows events to be triggered only if certain conditions are met. Description (Optional): This is the description of the event. Event filter fields Each event filter has the following critical values that must be set: l l l Name: This is the name of the filter. you can configure a File Uploaded event to only send an email when the file name contains the string important. events can be triggered on a more targeted basis. AND is used. which may be included for reference. In most cases. In this case. abnormal bandwidth usage of less than 20 KB/s OR greater than 2000 KB/s). However. You can do this by controlling the various variables and values related to the event and by evaluating their results when the event is triggered. The function of AND is to require that all conditions be met. the comparison will be If $Name = (is equal to) 245 . you can control to a greater degree when a Serv-U event is triggered. so an email would be sent when the file Important Tax Forms. Serv-U events trigger each time the event occurs. and all filters must be satisfied for the event to trigger. the OR operator can be used if there are multiple possible satisfactory responses (for example. by using an event filter.

txt and data8.* matches files named data7 and data7.txt but not data. data7. An event filter that compares the $Name variable to the string A???? matches any five-character user name that starts with A. An event filter that compares the $FileName variable to the string data?. For bandwidth.txt. An event filter that compares the $FileName variable to the string data? matches a file named data7 but not data.The bracket wildcard matches a character against the set of characters inside the brackets.txt l An event filter that compares the $LocalPathName variable to the string [CD]:\* matches any file or folder on the C: or D: drives.txt.Configuring event filters admin. For example: l l l l An event filter that compares the $FileName variable to the string data* matches files named data. [] . [687]. data77.The question mark wildcard matches any one character.txt. The supported wildcards are the following: l * . or data77. data7.txt. data.txt but not data5. data77. 246 . either an "unsigned integer" or "double precision floating point" value would be used.The asterisk wildcard matches any text string of any length. or data77. data7.txt. data7.txt.txt. data. data77.txt.txt. data. and the data type will be string. but only one character. For example: l An event filter that compares the $FileName variable to the string data matches files named data6. You can use multiple wildcards in each filter. Event filters also support wildcards when evaluating text strings. and data77. For example: l An event filter that compares the $FileName variable to the string [cC]:\*.txt. For example: l l ? .??? matches any file on the C: drive that ends in a three letter file extension.

The Event Type is File Uploaded. contained in any folder whose name contains Red6. To do this. or when a certain file is uploaded. To perform this task.* matches a file on any Windows drive. Using event filters Event filters are used by comparing fields to expected values in the Event Filter menu.csv as shown in the following screen capture: As another example. and then add a new filter.Chapter 5: Users l An event filter that compares the $FileName variable to the string ?:\*Red [678]\?????. 247 . and that also has a five character file name followed by a file extension of any length. For example. it might be necessary to know when a file transfer fails for a specific user account. The best example is raising an event only when a certain user triggers the action.csv is uploaded to the server. Red7 or Red8. The $FileName variable is used and the value is HourlyUpdate. create a new File Upload Failed event. but not when other files are uploaded. create a new event in the Domain Details > Events menu. and on the Event Filter tab a new filter must be added. an administrator may want to raise an email event when the file HourlyUpdate.

or a domain name. In some cases it may be necessary to trigger events for files uploaded only to a specific folder. After specifying the email recipients. 248 . such as when an accounting department uploads time-sensitive tax files. subject line. and add the filter comparison If $LocalPathName = (is equal to) C:\ftproot\accounting\* with the type of (abcd) string. ranges of IP addresses. create a new File Uploaded event in the Domain Details > Events menu. To filter based on a folder name. Create a new event filter. such as ProductionLineFTP: You can also filter for events based on specific folders. open the Event Filters page. and the value to compare is the user name. IP access rules can be configured at the server. and message content.Server details The filter comparison is the $Name variable. This will cause the event to trigger only for files that are located within C:\ftproot\accounting\. using wildcards. Server details IP access rules restrict login access to specific IP addresses. and set it to Send Email.

Specifying IP access masks IP access rules use masks to authorize IP addresses and domain names. such as 2001:db8::/32.0. ranges.0-255. which is analogous to 192. ? Stands for any valid character when specifying a reverse DNS name.0-19 (IPv4).*). xxx-xxx Stands for a range of IP addresses. 1. fe80:0:0:0:a450:9a2e:ff9d:a915 (IPv6.*.example. / Specifies the use of CIDR notation to specify which IP addresses should be allowed or blocked. In this way.2.*. IP access rules are applied in the order they are displayed. /16 (for and /24 (for 1. * Stands for any valid IP address value.com. such as server?.Chapter 5: Users domain. The masks can contain specific values. shorthand). specific rules can be placed at the top to allow or deny access before a more general rule is applied later on in the list. Common CIDR blocks are /8 (for 1.2. such as 192.0. CIDR notation also works with IPv6 addresses.0.2. or fe80::a450:9a2e:ff9d:*. such as 192.*) 249 . such as 192. group. and wildcards made up of the following elements: xxx Stands for an exact match.*.*. fe80:0:0:0:a450:9a2e:ff9d:a915-a9aa (IPv6. which is analogous to fe80::a450:9a2e:ff9d:0-ffff. long form) or fe80::a450:9a2e:ff9d:a915 (IPv6.2.0 (IPv4). or fe80::a450:9a2e:ff9d:a915-a9aa (IPv6.0.*).3.2.2. and user levels. The arrows on the right side of the list can be used to change the position of an individual rule in the list. long form). shorthand).

Serv-U performs either a reverse DNS lookup or DNS resolution to apply these rules. Use the *:* mask to match any IPv6 address.* mask to match any IPv4 address. If you create a rule based on a domain name or reverse DNS. all connections that are not explicitly allowed will be denied.*.Caveats Caveats Specific IP addresses listed in Allow rules will not be blocked by anti-hammering. These IP addresses are whitelisted.*. However. Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server. connections from any IP address are accepted. You can also specify reverse DNS names. DNS lookup If you use a dynamic DNS service. Implicit deny all Until you add the first IP access rule.*. With this in mind. Rule use during connection The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. This can cause a slight delay during login. depending on the speed of the DNS server of the system. This is also known as an implicit 'Deny All' rule. Server and domain level IP access rules are applied before the welcome message is sent. add Allow ranges for both IPv4 and IPv6 addresses. addresses matched by a wildcard or a range will be subject to anti-hammering prevention. After you add the first IP access rule. If you use both IPv4 and IPv6 listeners. Matching all addresses Use the *.*. make sure you add a 'wildcard allow' rule (such as Allow *. you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain. 250 .*) at the end of your IP access rule list.

Blocked IP addresses do not appear in the server IP access list. You can configure an anti-hammering policy server-wide in Server Limits and Settings > Settings and domain-wide in Domain Limits and Settings > Settings.Chapter 5: Users Anti-hammering You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. You can unblock any blocked IP early by deleting its entry from the list. even if anti-hammering is configured at the server level. If you have multiple domains with different listeners. The Expires in value of the blocked IP counts down second by second until the entry disappears. blocked IP addresses appear in the domain that contains the listener. IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. 251 .

click Export. Importing and exporting IP access rules You can export and import Serv-U IP access rules from users. you can sort the IP access list numerically rather than in the processing order. and then specify the path and the file name you want to save the list to. view the list of rules to export. and the server by using a text-based CSV file. Displaying the IP access list in sort mode does not change the order in which rules are processed. Case File: Office-only access A contractor has been hired to work in the office. The CSV file must contain the following fields. Viewing the IP access list in numerical order can be a valuable tool when you review long lists of access rules to determine if an entry already exists. and only in the office. domains. groups. or domain name for which the rule applies. Examples The following sections provide examples about the usage of IP address rules. Office 252 . Description A text description of the rule for reference purposes. Using the sort mode By using the sort mode. including the headers: IP The IP address. To view rule precedence. or to 1 for Allow. Allow Set this value to 0 for Deny. IP range. disable this option. CIDR block. click Import and select the file that contains the rules you want to import.IP access list controls IP access list controls The following section contains a description of the options that are available on the IP Access page. To export IP access rules. To import IP access rules.

The limits stack intelligently. you can configure limits so that they are only applied during certain days of the week.24. In addition.24. The related Serv-U access rules should therefore be Allow *.*.2.Chapter 5: Users workstations have IP addresses in the range of 192.0. The related Serv-U access rule should be Allow 192.0. with user settings overriding group settings. Limits and settings Serv-U contains options which you can use to customize how Serv-U can be used. The related Serv-U access rules should therefore be Deny 192.2.2. You can also grant exceptions to administrators and restrict specific users more than others.com or *. and the server in its entirety.example1.192.example1. and domain settings overriding server settings.0.2. groups.example.*.0. 253 .024. followed by Allow *.*. and which also provide ways to apply limits and custom settings to users. domains.0 .0 192. or certain times of the day.0-24.0. Case File: DNS-based access control The only users allowed to access a Serv-U domain will be connecting from *. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list. and it should be added to either the contractor's user account or a Contractors group that contains multiple contractors.com in any order. providing total control over the server.example.2. and these should both be added to the domain IP access rules.com and Allow *. group settings overriding domain settings.com. Case File: Prohibited computers Users should normally be able to access Serv-U from anywhere. and these should both be added to either the domain or the server IP access rules.0.2. except from a bank of special internal computers in the IP address range of 192.

Because of inheritance rules. click Add. select Lock users in home directory. select the appropriate category. The limits list displays the current limits applied to the domain. l Click Add. perform the following steps: l In the Serv-U Management Console. After you complete the previous steps. Limits with a white background are values that override the default values. For example. click Domain > Domain Limits & Settings. see User interface conventions. select the limit. For more information about this method of inheritance. select Directory Listing. l Click Save. l From the Limit list. this option applies to all users in the domain unless it is overridden at the group or user level. and then select or enter the value.Limits and settings The limits and settings in Serv-U are divided into the following categories: l Connection l Password l Directory Listing l Data Transfer l HTTP l Email l File Sharing l Advanced To apply a limit. 254 . l From the Limit Type list. to disable the Lock users in home directory option for a domain. a new Lock users in home directory limit appears in the list that displays "No" as the value. l Deselect the option. Limits with a lightblue background are default values.

SFTP. To edit an overridden value. Select Apply limit only at this time of day to specify a start and stop time for the new limit. Connection Maximum number of sessions per user account Specifies the maximum number of concurrent sessions that may be opened from a single user account. click Advanced in the New Limit or Edit Limit window. When a limit is restricted in this way. The value of Packet time-out must be less than the value of the Automatic idle connection timeout for the Automatic idle connection timeout to work 255 . or HTTPS) before it is accepted. Note: Setting the Packet time-out is a requirement for this limit to work. deselect the days for which you do not want to apply the limit. The following section contains a reference of all available user limits. organized by category. To restrict the limit to certain days of the week. Create a new limit to override a default one. Maximum sessions per IP address for user account Specifies the maximum number of concurrent sessions that a user may open from a single IP address. FTPS. Automatic idle connection timeout Specifies the number of minutes that must pass after the last client data transfer before a session is disconnected for being idle. select the limit. default values (or the value of other limit overrides) are applied when the time of day or day of the week restrictions are not met for this limit. Default rules cannot be edited or deleted.Chapter 5: Users You can delete limits by selecting them and clicking Delete. To create a limit that is restricted to a specific time of day or days of the week. and then click Edit. Require secure connection before login Requires that a connection be secure (for example.

not transferring data. for a specified period of time.Password properly. Automatic session timeout Specifies the number of minutes a session is allowed to last before being disconnected by the server. which is commonly used to keep FTP Command Channel connections open during long file transfers or other periods of inactivity where no information is being transferred on the control channel. Block IP address of timed out session Specifies the number of minutes for which the IP address of a timed out session is blocked. Password Require complex passwords Specifies that all user account passwords must contain at least one 256 . Block anti-timeout schemes Blocks the use of commands such as NOOP. Allow HTTP and HTTPS connections Allows the user to connect using the HTTP and HTTPS protocols. For information about setting the packet time-out. see Server settings. Deselect Allow SFTP connections to disable the SFTP protocol. that is. Allow FTP and FTPS connections Allows the user to connect using the FTP and FTPS protocols. When these are blocked. Allow SFTP connections Allows the user to connect using the SFTP protocol. Deselect Allow FTP and FTPS connections to disable the FTP and FTPS protocols. Deselect Allow HTTP and HTTPS connections to disable the HTTP and HTTPS protocols. Serv-U disconnects the client when the connection has been idle.

Specifying zero characters indicates that there is no minimum requirement. The following options are available: l l One-way encryption (more secure): This option fully encrypts passwords and cannot be reversed. 257 . Use this option when users are expected to take advantage of the password recovery utility in the Web Client. Using this option may be necessary for integration with legacy systems (especially when using database support). In this case it may be desirable to use two-way encryption so that Serv-U does not need to reset their passwords when password recovery is requested. Automatically expire passwords Specifies the number of days a password is valid before it must be changed. This is the default setting. Mask received passwords in logs Masks the passwords received from clients from being shown in log files. Minimum password length Specifies the minimum number of characters required in a user account's password. l No encryption (not recommended): This option stores passwords in clear text. Specifying zero days means passwords never expire. which can be useful for debugging connection problems or auditing user account security.Chapter 5: Users uppercase and one non-alphabetic character to be considered valid. Allow users to change password Specifies whether or not users are allowed to change their own passwords. Simple two-way encryption (less secure): This option encrypts passwords in a reversible format for easy recovery. SSH authentication type Specifies how SSH authentication is to occur. Disabling this allows passwords to be displayed in log files.

all user passwords must be reset. allows users to recover passwords using the Web Client password recovery utility at the login page. Disable password generators If enabled. and must be re-saved to be stored in the new format. two additional types of password storage are available for accounts that use the FTP protocol: MD4 and MD5 OTP S/KEY passwords. Allow users to recover password If enabled. These options only apply to the FTP protocol.Directory listing Note: When you change this setting. Existing passwords are not updated automatically. irreversible state in Serv-U's configuration files (unless the file server is configured to not encrypt stored passwords through a password limit). In addition to the Regular Password option. Setting this option does not affect a user's ability to log in through other protocols. This value is the lead-time. FTP password type All passwords are stored in an encrypted. in days. this limit allows users to generate a random password. Directory listing Hide files marked as hidden from listings Hides files and folders from directory listings that have the Windows "hidden" system attribute set on them. Days before considering password to be stale The number of days prior to expiration that a password is to be considered stale. An event can be configured to identify when a password is about to expire. This type of password setting allows the user to log in through FTP without sending the password to the file server as plain text. Use lowercase for file names and directories Forces Serv-U to display all file names and directories using lowercase 258 . A stale password is a password that is about to expire. before password expiration.

A non-relative path such as MessageFile. By using a secondary message file. the destination file is shown in the directory listing instead of the . This option only works when the user is not locked in their home directory. Setting a 259 . Data transfer Maximum upload speed per session Limits the maximum upload bandwidth for each individual session.lnk (shortcut) files as a UNIX symbolic link. Message file path Welcome messages are normally displayed once to a user during login to relay important information to users about the file server site.lnk file points to another file. Hide the encrypted state of files and directories Hides the encrypted state of all encrypted files and directories being viewed by the user. Hide the compressed state of files and directories Hides the compressed state of all compressed files and directories being viewed by the user.lnk file itself. In other words.lnk files as the actual destination object. The welcome message will only be displayed when navigating into folders which contain a file matching the specified file name. if a . welcome messages can be provided in specific folders to relay additional information.message can be used as the path. regardless of the actual letter case in use by the file or directory. Allow root ("/") to list drives for unlocked users (Windows Only) Allows users to change directory to the root ("/") of the system and display all drives on the computer. Interpret Windows shortcuts as links Instructs Serv-U to treat all valid .Chapter 5: Users characters. Treat Windows shortcuts as target in links Instructs Serv-U to treat all valid .

When downloading in ASCII mode. Setting a limit of 0 KB/s means unlimited bandwidth. This option can currently be used in FTP mode only. Delete partially uploaded files Instructs Serv-U to delete incomplete file uploads. Automatically check directory sizes during upload Instructs Serv-U to occasionally check the size of directories in which a 260 . Setting a limit of 0 KB/s means unlimited bandwidth. Interpret line feed byte as a new line when in ASCII mode (Windows Only) When uploading and downloading files using ASCII mode. Maximum upload file size Restricts the maximum single file size a user can upload to Serv-U. Serv-U will assume <LF> characters are the same as <CR><LF> end-of-line markers. Maximum upload speed for user accounts Limits the maximum upload bandwidth shared between all sessions associated with an individual user account. Maximum download speed per session Limits the maximum download bandwidth for each individual session. The file size is measured in kilobytes. Most Windows applications expect <CR><LF> to represent a new-line. since the definition of a new-line sequence is not fully defined in Windows. Setting a limit of 0 KB/s means unlimited bandwidth.Data transfer limit of 0 KB/s means unlimited bandwidth. stand-alone <LF> characters are changed to <CR><LF> prior to sending to the client. When uploading in ASCII mode stand-alone <LF> characters are changed to <CR><LF> prior to writing to the file. However. this option allows Serv-U to assume <LF> is the same as <CR><LF>. Maximum download speed for user accounts Limits the maximum download bandwidth shared between all sessions associated with an individual user account. as does the FTP protocol.

but if users should not be able to select their preferred language this can be disabled. HTTP Default language for Web Client When the end-user connects with an unsupported language. This feature can be disabled for security reasons. This feature is visual only and has no impact on security or functionality. This option can be disabled for business needs. the HTTP login page is displayed in English. This attribute ensures that Serv-U always has updated directory sizes available instead of having to calculate them at transfer time. the local language of Windows is used. Allow users to change themes The Serv-U Web Client supports visual themes to change the look and feel of the Web Client and HTTP login page. The default language can be set to any language. This function can be disabled during specific business hours or altogether based on business needs. When connecting to Serv-U using a supported localization of Windows. Allow HTTP media playback The Serv-U Web Client supports fully interactive media playback of audio and video files. 261 .Chapter 5: Users maximum directory size has been specified. Allow users to use Web Client Pro Serv-U Web Client Pro is enabled by default. Allow browsers to remember login information The HTTP login page contains a Remember me option (not enabled by default) that allows user names to be remembered by the login page. Administrators can disallow the use of Serv-U Web Client Pro by disabling this limit. which can be a time consuming operation. Allow users to change languages The Serv-U Web Client is supported in many languages.

Email Allow users to use FTP Voyager JV FTP Voyager JV is enabled by default. When disabled. the creator of the file share will not be able to specify this optional setting. This option can be disabled but it may cause mobile devices to be disconnected due to frequent IP address changes by these devices. Serv-U can maintain the last modification date and time of the file when end-users are using FTP Voyager JV or Web Client Pro. Serv-U will not set the file's last modification date and time. Administrators can disallow the use of FTP Voyager JV by disabling this limit. Allow HTTP sessions to change IP address (disabling may cause mobile devices to fail) The Serv-U Web Client supports the transfer of HTTP sessions if the IP address changes. it will remain the date and time the file was uploaded. When this limit is set to Always or Never. Email Allow end-user to set account email address Specifies whether users are allowed to modify their account email address using the Change Email Address option in the Web Client or File Sharing interfaces. Require end-user to set email address at next HTTP login Specifies whether users must set their email address when they log in to Serv-U. 262 . File sharing Require a password for guest access Specifies whether it is possible to set up a file share where the guest is required to provide a password. Maintain file dates and times after uploading (FTP Voyager JV and Web Client Pro only) When enabled.

the creator of the file share will not be able to specify this optional setting. Insert passwords within invitation emails Specifies whether it is possible to set up a file share where the password for the share is included in the invitation email. When this limit is set to Optional. Notify user after a file is downloaded Specifies whether the Notify me when the file(s) have been downloaded option can be used in the Send Files wizard. If set to 0. there is no file size constraint. the creator of the file share will not be able to specify this optional setting. When this limit is set to Optional.Chapter 5: Users When this limit is set to Optional. When this limit is set to 263 . In this case. When disabled. users will be able to specify link expiration dates individually in the Request Files and Send Files wizards. Maximum file size guests can upload (per file) Specifies the file size constraints imposed upon the guest user. the user can individually specify in each file share whether or not the guest must provide a password. When this limit is set to Always or Never. the file share links will expire after the number of days specified in the Duration before guest link expires limit. Duration before guest link expires Limits the number of days after which a file share link expires if the Allow user-defined guest link expiration limit is disabled. the creator of the file share request can specify the maximum file size in each file share request without an upper limit. When this limit is set to Always or Never. the Include the password in the email option can be selected individually in each file share. Notify user after a file is uploaded Specifies whether the Notify me when the file(s) have been uploaded option can be used in the Request Files wizard. Allow user-defined guest link expiration When enabled. the user can individually specify in each file share whether to receive notification of the file download.

When this limit is set to Always or Never.File sharing Always or Never. Send the guest access link to the recipients Specifies whether the Automatically send the download/upload link to the guest user(s) in email option can be used in the Send Files and Request Files wizards. 264 . If set to 0. the user can individually specify in each file share request whether to receive notification of the file upload. When this limit is set to Optional. the user can individually specify in each file share or file share request whether to send the access link automatically. Send the guest access link to the sender Specifies whether the Send me an email copy with the download/upload link option can be used in the Send Files and Request Files wizards. the user will not be able to specify this optional setting. users will be able to edit their name and email address in the Request Files and Send Files wizards. Allow user-defined contact information When enabled. When this limit is set to Optional. When this limit is set to Optional. users are not allowed to edit their contact information in the Request Files and Send Files wizards. the default limit of 20 is used. When disabled. the user can individually specify in each file share or file share request whether to receive an email copy with the download/upload link. Allow file sharing Specifies whether the user is allowed to use file sharing. When this limit is set to Always or Never. the user will not be able to specify this optional setting. Maximum number of files for "Sent" shares Specifies the maximum number of files users can include in a single file share. the creator of the file share request will not be able to specify this optional setting.

This attribute allows Serv-U to decode these special characters. users are not allowed to rename a file or directory to a path name that already exists. If set to 0. Certain browsers can encode special characters contained in file names and directories when using the FTP protocol. For more information. However. Advanced Convert URL characters in commands to ASCII Instructs Serv-U to convert special characters contained in command parameters to plain ASCII text.6. see the "Apply group directory access rules first" setting in 265 . Setting this value to "Yes" places the group's and user's directory access rules below the server and domain. By default. the default limit of 20 is used. Maximum Supported SFTP Version Specifies the maximum version of SFTP permitted for SFTP connections. Serv-U supports SFTP versions 3 . By default.Chapter 5: Users Maximum number of files for "Requested" shares Specifies the maximum number of files users can upload after receiving a file share request. users can browse to any file stored on their computer or on Serv-U. directory access rules specified at the group or user level take precedence over ones specified at the domain and server level. Allowed "Sent" file share sources Specifies the valid file sharing sources that users can browse to when they create an outgoing file share. When disabled. Apply server and domain directory access rules before user and group The order in which directory access rules are listed has significance in determining the resources that are available to a user or group account. there are certain instances where you may want the domain and server level rules to take precedence. Allow Rename Overwrite When enabled (default) Serv-U allows files to be renamed to files where the destination already exists.

Days before automatically deleting account to trigger the pre-delete event The number of days prior to automatically deleting the user account that the pre-delete event should be triggered. you can grant credits to the user for transferring a specified number of bytes or complete files. To enable transfer ratios for the current user account. and then select Enable transfer ratio. Select the appropriate type of ratio to impose on the user account. They can also be 266 . The following sections provide information about their usage. Reset user stats after restart When this limit is enabled. Using transfer ratios Transfer ratios are a convenient way of encouraging file sharing on your file server. Days before automatically disabling account to trigger the pre-disable event The number of days prior to automatically disabling the user account that the pre-disable event should be triggered. This is commonly used to grant a user the ability to download 'x' megabytes of data or files for every 'y' megabytes of data or files that they upload.Transfer ratio and quota management Group information. By specifying an appropriate transfer ratio setting. Group ID (group name) for created files and directories (Linux Only) The group name given to set as owner of a created file or directory. Ratios can be tracked in terms of megabytes or complete files. click Ratios & Quotas on the User Information page of the User Properties window. Transfer ratio and quota management Transfer ratios and quotas are just one of the many ways in which file transfers are managed on the Serv-U File Server. Owner ID (user name) for created files and directories (Linux Only) The user name given to set as owner of a created file or directory. the user statistics are reset after a server restart.

Serv-U tracks the file uploads and deletions made by the user and updates the current value as appropriate. The ratio itself is configured by assigning a numeric value to both the uploads and downloads side of the ratio. changes must not be made to the contents of the directories that are accessible by the user account outside of Serv-U. Note: A considerable drawback to using quotas is that in order for the current value to remain accurate. both fields must be filled in. For example. a 3:1 ratio that is counting files over all sessions means that the user account must upload three files in order to have the ability to download one file. The current credit for the user account is displayed in the Credit field. a file that matches an entry in this list can always be downloaded by users. consider imposing a maximum size on the contents of a directory when specifying the directory access rules for the user account. see Configuring directory access rules. Using quotas Quotas are another way to limit the amount of data that is transferred by a user account. In other words. Because these changes take place outside of a file server connection. they are not able to use more disk space than that value. For more information about this option. Serv-U cannot track them and update the current quota value.Chapter 5: Users tracked per session established or for all sessions established by the user account. The Current field shows how much disk space is currently being used by the user account. When a Maximum quota value is assigned to the user. When initially configuring a quota. This value is the current value and can be initialized to a nonzero value to grant the user initial credits. As an alternative to quotas. even if they have no current credits. From that point on. This is commonly 267 . Using ratio free files Files listed in the ratio free file list are exempt from any imposed transfer ratios. if a user must upload files in order to earn credits towards downloading a file.

Use Windows users if the following conditions apply: l l You only want to access one Windows machine or domain (per Serv-U domain). You want each end user to see that user's home folders and enjoy that user's NTFS permissions.Comparing Windows and LDAP authentication used to make special files. such as a readme or a directory information file. The Windows directory access rules can 268 . Differences between Windows users and LDAP users Windows and LDAP Users are similar in many ways but there are a number of important differences that can help you decide which type of user is right for your environment. Additionally. always accessible to users. LDAP allows for authentication against other LDAP servers such as Apache Directory Server and OpenLDAP.txt. In addition. For example. entering *. only that specific file is exempt from transfer ratios. You can also specify full paths by using standard directory paths such as C:\ftproot\common\ (on Windows) or /var/ftpfiles/shared/ (on Linux). the provided file is exempt from transfer ratios regardless of the directory it is located in.txt makes any file with a . If you use a full path when you specify a file name. you can use full or relative paths when you are specifying an entry. If you use a relative path. You can use the * and ? wildcard characters when you specify a ratio free file. Using * specifies a wildcard of any kind of character and any length. Serv-U uses impersonation so that it respects the Windows directory access rules. regardless of the actual filename. such as when you enter just readme.txt extension free for download. Comparing Windows and LDAP authentication Both LDAP and Active Directory are used to allow users to connect to Serv-U by using Active Directory credentials. You can use a ? to represent a single character within the file name or directory.

refer to the following resources: l Configuring Windows authentication l Configuring user groups l Integrating Serv-U with Windows accounts l Windows Groups and Organizational Units in Serv-U l Enabling Windows User NT-SAM .Chapter 5: Users be supplemented with directory access rules defined in Serv-U. Configuring Windows and LDAP authentication For information about configuring Windows authentication in Serv-U. Use LDAP users if the following conditions apply: l You want to deploy Serv-U on Linux. For more information.Active Directory Support in Serv-U For information about configuring LDAP authentication in Serv-U. see Configuring directory access rules. see Configuring directory access rules. For more information. but you can define Serv-U directory access rules for LDAP users.error: Login was not successful 269 . l You want to be able to access different Windows domains. l You do not care about natively incorporating NTFS permissions. refer to the following resources: l LDAP authentication l Configuring user groups l LDAP Authentication . It is not possible to pull directory access rules from LDAP directly. l You want to be able to access more than one Windows domain.

visit the release notes. To ensure the best experience. and migration information. it is highly recommended that you make sure your Serv-U installation is up to date. backup. refer to the following resources: l Upgrading to the Latest Version of Serv-U l Backing Up or Moving Serv-U Settings Configuring Windows authentication By enabling Windows authentication. 270 . When logging in using their Windows account. users are placed in the home directory for their Windows account eliminating the need to manually specify a home directory. users can log in to Serv-U using their Windows login credentials as provided by the local Windows account database or a specific Windows domain server (Active Directory). For upgrade.Keeping Serv-U Up to Date Keeping Serv-U Up to Date If you work with LDAP or Windows authentication. upgrade to the latest version of Serv-U before configuring your advanced user authentication. For more information about the latest version of Serv-U.

271 . the domain name can be entered in this field to have user logins authorized by the domain server. To authenticate to Active Directory or a Windows domain server. Enabling this option causes Serv-U to use the home directory specified in the Windows user group instead. then the Windows user account's home directory is still used.Chapter 5: Users To enable Windows authentication. After changing this field. click Save to apply the changes. If the system is a member of a Windows domain. Serv-U uses the Windows account's home directory when a client logs in using a Windows user account. select Enable Windows authentication. Using a Windows user group home directory instead of account home directory By default. If no home directory is specified at the group level. enter a specific domain name in this field and ensure your Serv-U computer is a member of that domain.

Click Configure Windows User Group to configure this group just like a normal group. All settings configured in this group are inherited by Windows user accounts. For more information. and they cannot be configured on an individual basis in Serv-U. or add additional directory access rules. To aid in configuring the many advanced options of a local user account. see Configuring user groups. specify bandwidth limitations. This feature can be used to add IP access rules.Configuring Windows user groups Configuring Windows user groups Windows user accounts are not visible. all Windows user accounts are a member of a special Windows user group. Windows and Active Directory user accounts do not require any 272 . Using Windows user permissions By default.

If an important NTFS permissions change is made that requires immediate application. see Using LDAP user groups. To decide between LDAP authentication and Windows user authentication. LDAP users can use a home directory from their LDAP account. see Comparing Windows and LDAP authentication. saving time and documentation. such as Active Directory or OpenLDAP. restarting the Serv-U service can force Windows to provide the updated permissions to the Serv-U File Server. administrators do not need to configure specific permissions beyond those already defined on the network.Chapter 5: Users directory access rules to be configured because Serv-U automatically applies their NTFS permissions to their login sessions. For information. Note: In some cases Windows may cache directory access rules for a short period of time. users can log in to Serv-U using login credentials as provided by a remote LDAP server. Before you begin Before you begin the configuration of LDAP authentication. eliminating the need to manually specify a home directory. 273 . LDAP authentication If LDAP authentication is enabled. l Log in to your LDAP server to verify the correct directory structure. consider the following steps: l Check the logs of your LDAP server to identify the correct group membership. l Configure the default LDAP group in Serv-U. Note: Active Directory and OpenLDAP users are configured in the same way. This way. In the case of OpenLDAP. the user account must have permission to connect to the OpenLDAP database.

This may be IPv4 or IPv6. 274 . Port: The TCP port on which the LDAP server is listening. Edit. This will often be 389. Provide the following information to configure your LDAP server: l l Host: The host name or IP address of the LDAP server. navigate to Users > LDAP Authentication in the Serv-U Management Console. but it is always required. or Copy on the LDAP Servers list. Configuring the LDAP server The LDAP Server configuration dialog is displayed when you click Add. To start configuring LDAP authentication.Configuring the LDAP server The examples and illustrations in this topic show a Serv-U instance configured to use authentication through Active Directory.

Connection Account: The user name of the account that is used to connect to the LDAP server and execute queries against it. this value can be DC=solar. This is usually similar to the domain name over which your LDAP server has authority. The Base DN determines the structure in your LDAP server where the search filter will be applied. Description: An optional field in which you can write more notes about your LDAP server. and look for the highlighted information. Provide the account name complete with the UPN suffix. For example. To determine the correct Base DN. Serv-U does not automatically apply the UPN suffix for the name you provide here. Note: If the Connection Account credentials are not supplied. Disabled LDAP servers will be skipped over during LDAP authentication if you have configured multiple LDAP servers. 275 .Chapter 5: Users l l l Server Name: This required field should contain a short description of this LDAP server. l l l Enable LDAP Server: Select this option to enable the LDAP server.DC=local. Provide a brief description of the domain and the type of LDAP server (for example. if your LDAP server provides information about your solar domain. then the credentials that are being authenticated are used. Connection Account Password: The password belonging to the account that is used to connect to the LDAP server and execute queries against the LDAP server. Tampa Office OpenLDAP). LDAP authentication will stop working if you disable all your configured LDAP servers. hover over the main node of the LDAP server. Base DN: Use this required field to provide the Base DN (or search DN) of the main node in your LDAP server.

Configuring the LDAP server Search Filter l This required field is used to tell Serv-U how to match incoming LoginIDs ("usernames") to specific LDAP Server entries. For Active Directory LDAP servers. $LoginID must be included somewhere in this field. a value of (&(objectClass=user) (userPrincipalName=$LoginID)) is recommended. 276 . During authentication Serv-U will replace this variable with the LDAP User's LoginID (and LDAP Login ID suffix. Consult with your local LDAP administrator or use an LDAP client (for example. The value of the search filter varies between different types of LDAP servers. and then modify the default search filter according to your specific setup. Softerra LDAP Browser or Apache Directory Studio) to find and test the right value for your LDAP server before deploying into production. This value is provided by default in Serv-U. The search filter is used to search in the Users tree of the LDAP server. if specified). and may even vary between different LDAP servers of the same type (depending on the specific schema your LDAP administrator has implemented).

l Group Membership: This field uses all the values found in the named LDAP attribute as additional LDAP Group membership assigments. A typical value on Active Directory is userPrincipalName. For more information about the location and usage of the Ldp tool. For 277 . In other words. This value will almost always match the value paired with $LoginID in your Search Filter. The configuration of the following values in the Attribute Mapping grouping is optional. modify the search filter by adding a wildcard value (*) to match the whole folder structure.The search filter must be configured in a way that it only returns one user.exe. use the Ldp tool. A typical value on Active Directory is name. To test your search filters against Active Directory. Full Name: This field assigns the value of the named LDAP user entry attribute as your LDAP Users' full name. Email Address: This field assigns the value of the named LDAP user entry attribute as your LDAP Users' email address. A typical value on Active Directory is homeDirectory. if your LDAP server configuration contains subfolders.Chapter 5: Users For example. search for Ldp on the Microsoft Technet or on the Microsoft Support website. The default location of the tool is C:\Windows\System32\ldp. l l l l Home Directory: This field assigns the value of the named LDAP user entry attribute as your LDAP Users' home directory. and it is compared to the userPrincipalName in the search filter. Login ID: This field assigns the value of the named LDAP user entry attribute as your LDAP Users' login ID (username). this is your login ID in Serv-U. A typical value on Active Directory is mail.

click Save to apply the change. After changing this field. In this case it is possible that Serv-U successfully authenticates to the LDAP server. the entire hierarchy. Membership in one or more LDAP groups is required if the Require fullyqualified group membership for login option is selected on the Groups > LDAP Groups page. if the Group Membership field is configured to be grp and an LDAP user record has both grp=Green and grp=Red attributes. specify the LDAP login ID suffix. For example. For more information about group permissions and settings.Specifying the LDAP login ID suffix example. Specifying the LDAP login ID suffix After configuring the LDAP server. they will not be allowed to sign on. Serv-U will associate that LDAP User with both the "Red" and "Green" LDAP Groups.com. LDAP Users are also added to any LDAP Groups whose names appear in "Group Membership" attributes defined on the LDAP Authentication page. LDAP group membership In order for Serv-U to match users up to the appropriate user groups. The LDAP login ID suffix is necessary to send fully qualified login IDs to the LDAP server. 278 . see Configuring user groups. If this option is selected. including the Distinguished Name (DN) must be recreated in the user group hierarchy. Serv-U associates that LDAP User with both the "Red" and "Green" LDAP Groups. A typical value on Active Directory is memberOf. and then rejects the user login because the user is not a member of any group. if this is configured as grp and an LDAP user record has both grp=Green and grp=Red attributes. and LDAP Users cannot be matched up to at least one LDAP Group. A typical value in an Active Directory environment might be @mydomain. The suffix you specify here is placed at the end of the user name when a user logs in.

By hovering over a user or group in Active Directory. Navigate either to Users > LDAP Authentication. The following image illustrates the group structure in Active Directory. but LDAP group membership can be used to apply common permissions and settings such as IP restrictions and bandwidth throttles. or Groups > LDAP Authentication. 2. see LDAP user groups and the general information about Groups. To configure the default LDAP group in Serv-U: 1. Navigate to Users > LDAP Authentication. All LDAP users are members of a special default LDAP group. Click Configure LDAP Groups. LDAP groups have the same configuration options as other Serv-U groups. and use the same names as the group names in Active Directory. recreate the same structure as the group structure in Active Directory. 279 . 2. the group structure is displayed. LDAP Users can also be members of individual LDAP Groups.Chapter 5: Users Using LDAP user groups LDAP user accounts are not visible or configurable on an individual basis in Serv-U. For information about the configuration options available at the group level. To configure LDAP groups in Serv-U: 1. Click Configure Default LDAP Group. When you configure LDAP groups.

280 .Using LDAP user groups This information is highlighted in yellow.

Using a list of LDAP servers Serv-U requires administrators to define one or more LDAP Servers before LDAP authentication will work. You can define more than one LDAP Server if you want Serv-U to try a backup server in case the primary LDAP server is down. or if you want to try LDAP credentials against different LDAP servers with different sets of users. LDAP Servers are configured on the Users > LDAP Authentication page in the Serv-U Management Console. Serv-U attempts authentication against the list of LDAP servers from top to bottom.Chapter 5: Users The following image illustrates how the group structure of Active Directory is recreated in Serv-U. the first LDAP server that approves a set of credentials will 281 . During login.

The error log provides detailed information of any possible connection failure. Note: The error log contains information about the last LDAP server Serv-U contacted.Using a list of LDAP servers be the server from which the associated LDAP user will draw its full name. even if the login credentials fail. email address and other attributes. For information about the error messages. Serv-U tries each LDAP server in the list until it either encounters a successful login. 282 . Serv-U makes login attempts on LDAP servers that are lower on the list if the preceding LDAP servers are unresponsive. or it encounters an unsuccessful login paired with an authoritative response from the LDAP server that the attempted LoginID exists on that LDAP server. Serv-U tries each available LDAP server. see LDAP error messages. or if they report that they have no knowledge of the LDAP user. In other words. After attempting a login against the first LDAP server.

and move to bottom ordering arrows on the right of the window. and Copy buttons to work with individual LDAP server entries. selecting any entry will reveal move up. move to top. Testing the connection to the LDAP server To test the connection to the LDAP server. 283 . Note that LDAP and Windows authentication looks identical in the log files. Edit. log in with an LDAP user. move down. The log entries for both a successful and a failed login are displayed under Domain > Domain Activity > Log. The following images show what a successful HTTP login looks like for the user and for the Serv-U administrator. When there are multiple LDAP server entries in the list. Delete.Chapter 5: Users Use the Add. the log files of Serv-U will provide detailed information about the reason for the failure. If the connection fails. The following image shows the login page for the user named LDAP.

The search filter must be configured in a way that it only returns a single user account.This message signifies a specific LDAP error. or it indicates a problem with the search filter (if multiple accounts are returned). For information about configuring the search filter. If group membership is expected. . The error code returned by the LDAP server was %d.This message either indicates that the provided user name is wrong (if zero accounts are returned).LDAP error messages The following image shows the log entries for a successful login and logout. . Please double-check your LDAP configuration. 284 .This message signifies a generic issue when the LDAP server does not return any specific error. see Search Filter. A list of all known groups for this user follows. The error code returned by the LDAP server can be used to find the specific LDAP error. No group memberships found. An unknown LDAP authentication error has occurred. LDAP error messages l l l An unknown LDAP authentication error has occurred. LDAP server returned zero or multiple user records matching the account credentials. l l Authenticated external user "%s" rejected because group membership is required and no matching Serv-U group was found. doublecheck the "Group Membership" attribute map for your LDAP configuration in Serv-U. l No LDAP servers are defined or enabled. .

Chapter 5: Users l l Unable to initialize LDAP server. navigate to Users > LDAP Authentication. The connection credentials in the LDAP server configuration have been rejected by the LDAP server. the device for home dir "%s" is not ready. The search filter string in the LDAP server configuration was rejected by the LDAP server. and are not LDAP specific: l l l l Error logging in user "%s". 285 . Error logging in user "%s". l l The connection credentials in the LDAP server configuration do not have permission to run queries. Enabling LDAP authentication To enable LDAP authentication: 1. Error logging in user "%s". permission denied by the operating system to access home dir "%s". l The LDAP server is unavailable to Serv-U. Select Enable LDAP Authentication. the error returned by the operating system was %d. Error logging in user "%s". permission denied by Serv-U access rules to access home dir "%s". search for the LDAP error codes in the documentation of your LDAP server. Additionally. when Serv-U returns unknown LDAP authentication errors. l The user credentials were rejected by the LDAP server. 2. In the Serv-U Management Console. could not access home dir "%s". The following error messages relate to issues with accessing an account's home directory.

then the Windows servu user should have full permissions to \\usernas\homefolders. Serv-U uses the LDAP account's home directory when an LDAP user logs in. For example. This is the value of the Home Folder LDAP attribute that is specified in the LDAP server configuration. The service account Serv-U runs as should have full permission to the root folder of all LDAP User folders. Using the LDAP user group home directory instead of the account home directory By default. 286 .Understanding user home folders Understanding user home folders The home folders of LDAP users are pulled from the "Home Directory" LDAP attribute that is specified in your LDAP server configuration. if your LDAP user home folders are similar to \\usernas\homefolders\username and Serv-U is running as a service on Windows as servu. as highlighted in the following image.

Chapter 5: Users For information about configuring the LDAP account's home directory. as highlighted in the following image. group. For information about configuring the Default LDAP User Group. The home directory of the Default LDAP User Group is specified on the Group Properties window of the Default LDAP User Group. If no home directory is specified at the group level. if no home directory is defined at the user. and none is available from the LDAP server. or system level. domain. However. see Using LDAP user groups. 287 . see Configuring the LDAP server. then the LDAP account's home directory is still used. If you select the Use LDAP Group home directory instead of account home directory option under Users > LDAP Authentication in the Serv-U Management Console. the user will not be allowed to sign on. Serv-U will use the home directory that you specify in the Default LDAP User Group instead of the LDAP account's home directory.

To avoid possible issues in this case. and configure the LDAP group home directory as described in Using LDAP user groups. make sure that you select the Use LDAP Group home directory instead of the account home directory option under Users > LDAP Authentication. resulting in errors.Understanding the interaction between domain home directories with Default Understanding the interaction between domain home directories with Default LDAP User Group home directories If a domain home directory is defined on the Domain Details > Settings page. 288 . this directory would be used by Serv-U as the default directory for LDAP authentication.

4. Click Create. and then specify the key name and the key path.Chapter 5: Users SFTP (Secure File Transfer over SSH2) for users and groups Using an existing public key 1. 3. Click Create Key. Type the output directory of the certificate (for example. 7. Select the key length (default of 1024 bits provides best performance. Place the public key file in a secured directory in the server. you can associate multiple public keys with a user account. but RSA is available). Enter the password to use for securing the key file. Obtain a public key file. Type the name of the key pair (for example. 2. Click Save. 8. 6. 2048 bits is a good median. MyKey). Select the key type (default of DSA is preferred. 5. which is also used to name the storage file. Click Manage Keys. To create multiple keys for an account: 1. Click Add Key. C:\ProgramData\RhinoSoft\Serv-U\). 2. 2. Creating multiple keys per user For the purposes of public key authentication. Creating a key pair 1. 289 . Click Manage Keys. and 4096 bits provides best security). 3. and then use Browse in Serv-U to select the file.

If you have a large number of public keys. Serv-U proceeds to check the next key. Serv-U checks all the keys you provide here. Avoid storing the public keys in a network path.SFTP (Secure File Transfer over SSH2) for users and groups When authenticating a client. the following best practices are recommended: l l l It is recommended that you do not create more than 100 keys per user account. If authenticating against one key fails. 290 . For optimal results. and define the common user properties at group level. divide the keys between multiple users.

Chapter 6: Groups
Configuring user groups
Groups are a method of sharing common configuration options with multiple user
accounts. Configuring a group is similar to configuring a user account. Virtually
every configuration option available for a user account can be set at the group
level. In order for a user to inherit a group's settings, it must be a member of the
group. Permissions and attributes inherited by a user through group membership
can still be overridden at the user level. A user can be a member of multiple
groups in order to acquire multiple collections of permissions, such as directory or
IP access rules.
Like user accounts, groups can be created at multiple different levels, including
the following:
l

Global Groups

l

Domain Groups

l

Database Groups (available at both the server and domain levels)

l

Windows Groups

However, groups are only available to user accounts that are defined at the same
level. In other words, a global user (that is, a user defined at the server level) can
only be a member of a global group. Likewise, a user defined for a specific
domain can only be a member of a group also created for that domain. This
restriction also applies to groups created in a database in that only users created
within a database at the same level can be members of those groups.
Use the Add, Edit, and Delete buttons to manage the available groups.

291

Chapter 6: Groups

Using group templates
You can configure a template for creating new groups by clicking Template. The
template group can be configured just like any other group object, with the
exception of giving it a name. After the settings are saved to the template, all new
groups are created with their default settings set to those found within the
template. This way you can configure some basic settings that you want all of
your groups to use by default.

Setting up Windows groups (Windows only)
You can use Window groups to apply common permissions and settings such as
IP restrictions and bandwidth throttles to Windows users.
All Windows users are members of the default Windows group. You can create
additional Windows groups to assign different permissions and settings to
different groups of Windows users.

Windows group membership is determined by the hierarchical OU (organizational
unit) membership of each Windows user. For example, a user in the My

292

Configuring a Windows user group (Windows only)
Business > Accounting > red team OU tree would be a member of the My
Business > Accounting > red team Windows group on Serv-U, if that group
exists. (Visually, "My Business" would be the top Windows group, "Accounting"
would be an indented child Windows group under that, and "red team" would be
an indented child under "Accounting".)
Membership in one or more Windows Groups is required if the Require fullyqualified group membership for login option is selected on the Windows
Groups page. If this option is selected and Windows users cannot be matched up
to at least one Windows group, they are not be allowed to log in.
Windows groups are only available when the following conditions apply:
l

Serv-U is running on Windows.

l

Serv-U has an MFT Server license.

l

Windows Authentication is enabled under Domain Users > Windows
Authentication.

Configuring a Windows user group (Windows only)
Administrators can allow clients to log in to the file server using the local
Windows user database or one that is made accessible through a domain server.
These user accounts do not exist in the local Serv-U user database and cannot
be configured on an individual basis. To aid in configuring these accounts, all
users logged in through this method belong to the Default Windows User Group.
Clicking this button allows this group to be configured like normal. However,
changes that are made to this group only apply to Windows user accounts.

LDAP user groups
LDAP user accounts are not visible or configurable on an individual basis in
Serv-U, but LDAP group membership can be used to apply common permissions
and settings such as IP restrictions and bandwidth throttles.

293

Chapter 6: Groups
All LDAP users are members of a special default LDAP group. Click Configure
Default LDAP Group in Users > LDAP Authentication or in Groups > LDAP
groups to configure this group just like a normal Serv-U group.
LDAP users can also be members of individual LDAP groups. Click Configure
LDAP Groups in Users > LDAP Authentication to configure these groups just
like normal Serv-U groups.

LDAP group membership
In order for Serv-U to match users up to the appropriate user groups, the entire
hierarchy, including the Distinguished Name (DN) must be recreated in the user
group hierarchy.
LDAP users are also added to any LDAP Groups whose names appear in Group
Membership attributes defined on the LDAP Authentication page. For example,
if the Group Membership field is configured to be grp and an LDAP user record
has both grp=Green and grp=Red attributes, Serv-U will associate that LDAP user
with both the "Red" and "Green" LDAP groups.

294

Group information
Membership in one or more LDAP groups is required if the Require fullyqualified group membership for login option is selected on the Groups >
LDAP Groups page. If this option is selected, and LDAP users cannot be
matched up to at least one LDAP Group, they will not be allowed to sign on. In
this case it is possible that Serv-U successfully authenticates to the LDAP server,
and then rejects the user login because the user is not a member of any group.
For more information about LDAP authentication, see LDAP authentication.

Group information
Virtually every attribute available for a user account can be configured at the
group level. Group level settings are inherited by the group members and can be
overridden at the user level. The Group Information tab contains general
information about the group including the name, home directory, and the default
administrative privilege for group members. The following sections contain
detailed information about each of the available attributes.
Group name
The group name is a unique identifier that must be unique for each group
specified at the particular level (server or domain). Group names may not
contain any of the following special characters:
\/<>.|:?*
Home directory
The home directory for a user account is where the user is placed
immediately after logging in to the file server. Each user must have a home
directory assigned to it, although the home directory can be specified at the
group level if the user is a member of a group. Home directories must be
specified using a full path including the drive letter or the UNC share name.
If the home directory is not found, Serv-U can be configured to create it.
When specifying the home directory, you can use the %USER% macro to insert
the login ID into the path. This is used mostly to configure a default home
directory at the group level or within the new user template to ensure that all

295

Chapter 6: Groups
new users have a unique home directory. When combined with a directory
access rule for %HOME%, a new user can be configured with a unique home
directory and the proper access rights to that location with a minimal amount
of effort.
You can also use the %DOMAIN_HOME% macro to identify the user's home
directory. For example, to place a user's home directory into a common
location, use %DOMAIN_HOME%\%USER%.
The home directory can be specified as "\" (root) in order to grant systemlevel access to users, allowing them the ability to access all system drives.
In order for this to work properly, the user must not be locked in their home
directory.
Administration privilege
A user account can be granted one of the following types of administrative
privileges:
l

No Privilege

l

Group Administrator

l

Domain Administrator

l

System Administrator

The value of this attribute can be inherited through group membership.
A user account with no privilege is a regular user account that can only log
in to transfer files to and from the file server. The Serv-U Management
Console is not available to these user accounts.
A group administrator can only perform administrative duties relating to their
primary group (the group that is listed first in their group memberships list).
They can add, edit, and delete users which are members of their primary
group, and they can also assign permissions at or below the level of the
group administrator. They may not make any other changes.

296

Group information
A domain administrator can only perform administrative duties for the
domain to which their account belongs. A domain administrator is also
restricted from performing domain-related activities that may affect other
domains. The domain-related activities that may not be performed by
domain administrators consist of configuring their domain listeners or
configuring ODBC database access for the domain.
A system administrator can perform any file server administration activity
including creating and deleting domains, user accounts, or even updating
the license of the file server. A user account with system administrator
privileges that is logged in through HTTP remote administration can
essentially administer the server as if they had physical access to the
system.
Default web client
If your Serv-U license enables the use of FTP Voyager JV, then users
connecting to the file server through HTTP can choose which client they
want to use after logging in. Instead of asking users which client they want
to use, you can also specify a default client. If this option is changed, it
overrides the option specified at the server or domain level. It can also be
inherited by a user through group membership. Use the Inherit default
value option to reset it to the appropriate default value.
Lock user in home directory
Users who are locked in their home directory cannot access paths above
their home directory. In addition, the actual physical location of their home
directory is masked because Serv-U always reports it as "/" (root). The value
of this attribute can be inherited through group membership.
Apply group directory access rules first
The order in which directory access rules are listed has significance in
determining the resources that are available to a user account. By default,
directory access rules specified at the group level take precedence over
directory access rules specified at the user level. However, there are certain

297

You can place limitations on the time of day and also on the day of the week. It is useful as a fail-safe in order to ensure that critical system administrator accounts can always remotely access the file server. Description The description allows for the entry of additional notes that are only visible by administrators. If they are specified at the domain level. When users attempt to log in outside the specified available times. the usage of directory access rules is extended to both the domain and the server levels through the creation of global directory access rules. While traditionally restricted to the user and group levels. Deselect this option to place the directory access rules of the group below the user's. Availability This feature limits when users can connect to this server. If both options are defined. they are only inherited by users who belong to the particular domain.Chapter 6: Groups instances where you may want the user level rules to take precedence. they are presented with a message that their user account is currently unavailable. Configuring directory access rules Directory access rules define the areas of the system which are accessible to user accounts. The traditional rules of inheritance apply 298 . in Serv-U. Note: Enabling the Always Allow Login option does not override IP access rules. regardless of restrictions placed upon the file server such as maximum number of sessions. Always allow login Enabling this option means that the user account is always permitted to log in. care should be taken in granting this ability. Directory access rules specified at the server level are inherited by all users of the file server. As with any option that allows bypassing access rules. The value of this attribute can be inherited through group membership. the IP access rules prevail.

You can also use the %DOMAIN_HOME% macro to identify the user's home directory. If you specify the %USER% variable in the path. The first rule in the list that matches the path of a client's request is the one that is applied for that rule. the user level) override conflicting or duplicate rules specified at a higher level (for example. the parent directory accessed this way will only display the content to which the user has access. This variable is useful in specifying a group's home directory to ensure that users inherit a logical and unique home directory. %HOME%. You can use the %USER_FULL_NAME% variable to insert the Full Name value into the path (the user must have a Full Name specified for this to function). even if no explicit access rules are defined for the parent directory. Directory access rules are applied in the order they are listed.Configuring directory access rules where rules specified at a lower level (for example. Use the arrows on the right of the directory access list to rearrange the order in which the rules are applied. Note: Serv-U allows to list and open the parent directory of the directory the user is granted access to. 299 . For example. you can use the %USER%. When you set the directory access path. %USER_ FULL_NAME%. use %DOMAIN_HOME%\%USER%. This leads to less maintenance for the file server administrator. Directory access rules specified in this manner are portable if the actual home directory changes while maintaining the same subdirectory structure. and %DOMAIN_HOME% variables to simplify the process. the user "Tom Smith" could use D:\ftproot\%USER_FULL_NAME% for D:\ftproot\Tom Smith. However. For example. to place a user and their home directory into a common directory. The following section contains the list and description of the directory access permissions. the server level). use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot folder in the home directory of the user. it is replaced with the user's login ID. then a user still has access to the particular subdirectory. For example. In other words. if a rule exists that denies access to a particular subdirectory but is listed below the rule that grants access to the parent directory.

Execute Allows users to remotely execute files. Directory permissions List Allows users to list the files and subdirectories contained in the directory. This permission does not allow users to modify existing files. download) files. Users with Write and Execute permissions can install any program they want on the system. Rename Allows users to rename existing files. Write Allows users to write (that is. upload) files. This is a very powerful permission and great care should be used in granting it to users. 300 . which is granted by the List permission.Chapter 6: Groups File permissions Read Allows users to read (that is. The execute access is meant for remotely starting programs and usually applies to specific files. Append Allows users to append data to existing files. This permission is typically used to grant users the ability to resume transferring partially uploaded files. Create Allows users to create new directories within the directory. Also allows users to list this folder when listing the contents of a parent directory. This permission does not allow users to list the contents of a directory. Delete Allows users to delete files. which is granted by the Append permission.

preferred when many servers exist. you can specify a specific Windows user for each individual directory access rule. However. accessing folders stored across the network poses an additional challenge. because Windows services are run under the Local System account by default. you can configure the Serv-U File Server service to run under a network account. the user also needs to have the Delete files permission in order to remove the directory. but if access must be restricted to subfolders (as is the case when implementing mandatory access control).Subdirectory permissions Rename Allows users to rename existing directories within the directory. files can be accessed by the UNC path (\\servername\folder\) instead of the traditional C:\ftproot\folder path. clear the Inherit check box and grant permissions specifically by folder. Advanced: Access as Windows User (Windows Only) For a variety of reasons. 301 . Remove Allows users to delete existing directories within the directory. The alternative. The Inherit permission is appropriate for most circumstances. As in Windows authentication. which has no access to network resources. files and folders may be kept on external servers in order to centralize file storage or provide additional layers of security. By clicking the Advanced button. directory access is subject to NTFS permissions. or if the Serv-U File Server service has to run under Local System for security reasons is to configure a directory access rule to use a specific Windows user for file access. and in this case also to the configured permissions in Serv-U. To mitigate this problem for all of Serv-U. In this environment. Subdirectory permissions Inherit Allows all subdirectories to inherit the same permissions as the parent directory. Note: If the directory contains files.

Mandatory access control You can use mandatory access control (MAC) in cases where users need to be granted access to the same home directory but should not necessarily be able to access the subdirectories below it. Any attempted file transfers that cause the directory contents to exceed this value are rejected. the NTFS permissions of the Windows user take priority over the directory access rules. To implement mandatory access control at a directory level. disable the Inherit permission as shown in the following screen capture. Quota permissions Maximum size of directory contents Setting the maximum size actively restricts the size of the directory contents to the specified value. 302 . This feature serves as an alternative to the traditional quota feature that relies upon tracking all file transfers (uploads and deletions) to calculate directory sizes and is not able to consider changes made to the directory contents outside of a user's file server activity. This means that when a Windows user tries to access a folder.Chapter 6: Groups Note: When you use Windows authentication. the security permissions of the user are applied instead of the credentials specified in the directory access rule.

the rule applies to D:\ftproot\. Permissions must individually be granted to subfolders that the user needs access to. such as MP3 files. 303 . Restricting file types If users are using storage space on the Serv-U File Server to store non-workrelated files.Restricting file types In the following example. Now. you can prevent this by configuring a directory access rule placed above the main directory access rule to prevent MP3 files from being transferred as shown below. the user has access to the ftproot folder but to no folders below it. providing the security of mandatory access control in the Serv-U File Server.

mp3 extension and can be modified to reflect any file extension.mp3.Chapter 6: Groups In the text entry for the rule. type *.mdb files but denies access to all other files. Similarly. 304 .mdb extension. as shown in the following screen captures. if accounting employees only need to transfer files with the . and use the permissions shown in the following screen capture: The rule denies permission to any transfer of files with the . configure a pair of rules that grants permissions for .

305 .Restricting file types In the first rule enter the path that should be the user's home directory or directory they need access to.

You can adapt these rules to any file extension or set of file extensions.mdb). A virtual path only defines a method of mapping an existing directory to another location on the system to make it visible within a 306 .Chapter 6: Groups In the second rule enter the extension of the file that should be accessed (such as *. users can gain access to files and folders outside of their own home directory. These rules only allow users to access .mdb files within the specified directories. Using virtual paths If virtual paths are specified.

users must have a directory access rule specified for the physical path. and user levels. When specifying the virtual path. Virtual path The virtual path is the location that the physical path should appear in for the user.Physical path user's accessible directory structure. virtual paths can be configured at the server. You can also use a UNC path. The Maximum Directory Size limits the size of directories 307 . group. or network. To make a virtual path visible to users. use a full path. the virtual path is included in Maximum Directory Size calculations. the last specified directory is used as the name displayed in directory listings to the user. If the physical path is located on the same computer. domain. Like directory access rules. such as D:\inetpub\ftp\public. the user must still have a directory access rule specified for the physical path of a virtual path. When virtual paths are created at the domain level. a virtual path of %HOME%/public places the specified physical path in a folder named public within the user's home directory. The %HOME% macro is commonly used in the virtual path to place the specified physical path in the home directory of the user. For example. they are only accessible by users belonging to that domain. You can also use a full path without any macros. Virtual paths created at the server level are available for all users of the file server. that is to be placed in a virtual location accessible by a user. Physical path The physical path is the actual location on the system. Including virtual paths in "Maximum Directory Size" calculations When this option is selected. You can also create virtual paths specifically for individual users or groups. In order to actually have access to the mapped location. such as \\Server\share\public.

The developers now have access to the image repository without compromising security or relocating shared resources. Be sure to add a group level directory access rule for D:\corpimages\ as well. a virtual path must be configured so that the image repository appears to be contained within their home directory. When an option is selected. To enable a logging option.Chapter 6: Groups affecting how much data can be uploaded. select the appropriate option in the Log Message Options grouping. To avoid granting the group access to the root D drive. If the home directory changes at a later date.com\corpimages Case File: Creating relative virtual paths Continuing with the previous example. The developers also need access to an image repository located at D:\corpimages\. you can customize the logging of user and group events and activity to a great extent. if the home directory of the group of web developers is relocated to another drive. Within the group of web developers. add a virtual path to bring the directory to the users by specifying D:\corpimages\ as the physical path and as the virtual path. the appropriate logging information is saved to the specified log file if the Enable logging to file option is selected. both the home directory and the virtual path need to be updated to reflect this change. D:\ftproot\example. You can configure the log to show 308 . the virtual path still appears there. Instead of using D:\ftproot\example. use %HOME%\corpimages. regardless of what the home directory is. Case File: Using virtual paths A group of web developers have been granted access to the directory D:\ftproot\example. This way the corpimages virtual path is placed within the home directory of the group. Configuring user and group logs In the Serv-U File Server.com\corpimages as the virtual path. You can avoid this by using the %HOME% macro to create a relative virtual path location that eliminates the need to update the path if the home directory changes.com\ for web development purposes.

14 for 2014). wildcards provide an automatic way to archive activity for audits. 309 . %N The numeric value of the current month (1-12). click Save to save the changes. Click Browse to select an existing file or directory location for the log file. %X The 2-digit value of the current year (for example. Logging to File settings You must specify the name of the log file before information can be saved to a file. %S The name of the domain whose activity is being logged. Wildcard characters which refer to the date apply to the day that the log file is created. %Y The 4-digit value of the current year (for example. The log file path supports certain wildcard characters. The following list contains the wildcard characters that you can use: %H The hour of the day (24-hour clock). When combined with the Automatically rotate log file option. %D The current day of the month. After configuring the logging options you want.Logging to File settings as much or as little information as you want. 2014). %G The name of the group whose activity is being logged. %L The name of the login ID whose activity is being logged. %M The name of the current month.

txt \????:*:?? Log. and they are purged approximately every 10 minutes. month. week. day. By specifying a Log file path containing wildcards that reference the current date. Serv-U does not log any information to the file. you can automatically rotate the log file on a regular basis. a maximum size limit in megabytes. For example: C:\Logs\%Y:%N:%D %S Log. regardless of the individual options selected in the Log Message Options area. Automatically rotating the log file To ensure that log files remain a manageable size and can be easily referenced during auditing. Purging old log files You can automatically purge old log files by setting a maximum number of files to keep. Setting these options to "0" means that the setting is unlimited and the limit is not applied.txt C:\Logs\%S\%Y:%M:%D Log. or both. If this option is not selected.txt is searched for C:\Logs\--LoginID--\????:*:?? Log. Warning: Log files are purged based only on the current log file path name. or year.txt is searched for C:\Logs\????:??:?? * Log.txt C:\Logs\%L\%Y:%M:%D Log.txt is searched for C:\Logs\????:*:?? * Log. Enabling logging to file Select this option to enable Serv-U to begin saving log information to the file that you specified in the Log file path.Chapter 6: Groups %U The full name of the user whose activity is being logged.txt 310 . Serv-U can rotate the log file and create a unique file name every hour.txt is searched for C:\Logs\--GroupName--\????:*:?? Log. Log file variables are replaced with Windows wildcard values used to search for matching files.txt is searched for C:\Logs\--DomainName-C:\Logs\%Y:%M:%D %S Log.txt C:\Logs\%G\%Y:%M:%D Log.

Specifying IP addresses exempt from logging
C:\Logs\%U\%Y:%M:%D Log.txt
\????:*:?? Log.txt

is searched for C:\Logs\--UserFullName--

The following wildcards can be used for log variables:
%H --> ??
%D --> ??
%N --> ??
%M --> *
%Y --> ????
%X --> ??
%S --> *
%G --> *
%L --> *
%U --> *
Anything matching the path name you used wildcards for can be purged. Use
caution: it is best practice to place log files into a single directory to avoid
unexpected file deletion.

Specifying IP addresses exempt from logging
You can specify IP addresses that are exempt from logging. Activity from these IP
addresses is not logged. This is useful to exempt IP addresses for administrators
that may otherwise generate a lot of logging information that can obfuscate
domain activity from regular users. It can also be used to save log space and
reduce overhead. Click Do Not Log IPs, and then add IP addresses as
appropriate.

Group members
The user accounts that are members of the currently selected group are displayed
on this page. It can be used to get a quick overview of what users are currently
inheriting the settings of the group at this time. Users cannot be added or removed
from the group using this interface. Adding or removing a group membership must
be done from the appropriate user's account properties window.

311

Chapter 6: Groups
A user account can be granted one of four types of administrative privileges:
l

No Privilege

l

Group Administrator

l

Domain Administrator

l

System Administrator

The value of this attribute can be inherited through group membership. A user
account with no privilege is a regular user account that can only log in to transfer
files to and from the file server. The Serv-U Management Console is not available
to these user accounts.
A group administrator can only perform administrative duties relating to their
primary group (the group that is listed first in their groups memberships list). They
can add, edit, and delete users which are members of their primary group, and
they can also assign permissions at or below the level of the group administrator.
They may not make any other changes.
A domain administrator can only perform administrative duties for the domain to
which their account belongs. A domain administrator is also restricted from
performing domain-related activities that may affect other domains. The domainrelated activities that may not be performed by domain administrators consist of
configuring their domain listeners or configuring ODBC database access for the
domain.
A system administrator can perform any file server administration activity
including creating and deleting domains, user accounts, or even updating the
license of the file server. A user account with system administrator privileges that
is logged in through HTTP remote administration can essentially administer the
server as if they had physical access to the system.
Serv-U also supports read-only administrator accounts which can allow
administrators to log in and view configuration options at the domain or server
level, greatly aiding remote problem diagnosis when working with outside parties.
Read-only administrator privileges are identical to their full-access equivalents,

312

Group members
except that they cannot change any settings or create, delete or edit user
accounts.
Note: When you configure a user account with administrative privileges, take
care in specifying their home directory. An administrator with a home directory
other than "\" (root) that is locked in their home directory may not use absolute file
paths outside of their home directory when configuring the file server. Instead,
relative paths must be used.
Additionally, such a user account can also use setting files located outside the
home directory, however, these files must also be specified by using relative
paths, for example, ../../exampleFile.txt.

313

Chapter 6: Groups

Using Serv-U events
In Serv-U, you can use event handling which can perform various actions
triggered by a list of selected events.

314

Server events
The following list contains the available actions:

Server events
Server Start
Triggered by Serv-U starting up, whether by starting the Serv-U service or
starting Serv-U as an application.
Server Stop
Triggered by Serv-U shutting down, whether from service or applicationlevel status. This event only triggers for graceful stops.

Server and domain events
Domain Start
Triggered by a Serv-U domain starting, through the Enable Domain setting
in the Domain Details > Settings menu, or as part of normal server startup.
Domain Stop
Triggered by a Serv-U domain stopping, through the Enable Domain
setting in the Domain Details > Settings menu, or as part of normal server
startup.
Session Connection
Triggered by a new TCP session connection.
Session Disconnect
Triggered by a TCP session disconnection.
Session Connection Failure
Triggered by a failed session connection attempt.
Log File Deleted
Triggered by the automatic deletion of a log file, according to logging
settings.
Log File Rotated
Triggered by the automatic rotation of a log file, according to logging
settings.

315

Chapter 6: Groups
Listener Success
Triggered by a successful listener connection.
Listener Stop
Triggered by a stopped listener connection.
Listener Failure
Triggered by a failed listener connection.
Gateway Listener Success
Triggered by a successful gateway listener connection.
Gateway Listener Stop
Triggered by a stopped gateway listener connection.
Gateway Listener Failure
Triggered by a failed gateway listener connection.
Permanent Listener Success
Triggered by a successful permanent listener connection.
Permanent Listener Failure
Triggered by a failed permanent listener connection.
Permanent Listener Stop
Triggered by a stopped permanent listener connection.
Permanent Gateway Listener Success
Triggered by a successful permanent gateway listener connection.
Permanent Gateway Listener Stop
Triggered by a stopped permanent gateway listener connection.
Permanent Gateway Listener Failure
Triggered by a failed permanent gateway listener connection.
File Management Rule Success
Triggered when a file management rule is applied, and no errors are
encountered.

316

Server, domain, user and group events
File Management Rule Failure
Triggered when a file management rule is applied, and at least one error is
encountered.
File Management Automatic Move
Triggered when a file is automatically moved to a different location by the
server.

Server, domain, user and group events
User Login
Triggered by the login of a user account.
User Logout
Triggered by the logout of a user account.
User Login Failure
Triggered by a failed login. A failed login is any connection attempt to ServU that fails, whether due to invalid credentials, or a session disconnect
before authentication, either due to an incorrect user name, incorrect
password, incorrect SSH key pair (for SFTP public key authentication), or
any or all of the above.
User Password Change
Triggered by the change of a password for a user account by the user (if
permitted).
User Password Change Failure
Triggered by a failed password change attempt.
User Enabled
Triggered by the enabling of a user account that was previously disabled.
User Disabled
Triggered by the disabling of a user account that was previously enabled.

317

User Pre-disable Triggered by the upcoming disabling of a user account. as configured in the user's Automatically Disable date and the "Days before automatically disabling account to trigger the pre-disable event" limit. either due to lack of email address in the user account or lack of permissions. in an ODBC database. as configured in Limits & Settings. as configured in the user's Automatically Delete date and the Days before automatically deleting account to trigger the pre-delete event limit. as configured by a user's Automatically Disable date. User Added Triggered by the creation of a user account by a remote administrator. Password Stale Triggered by a stale password.Chapter 6: Groups User Deleted Triggered by the deletion of a user account by a remote administrator. User Pre-delete Triggered by the upcoming deletion of a user account. Password Recovery Failed Triggered by a failed password recovery attempt. 318 . User Auto Deleted Triggered by the automatic deletion of a user account. as configured by a user's Automatically Delete date. User Auto Disable Triggered by the automatic disabling of a user account. in an ODBC database. or in the local Management Console. or in the local Management Console. Password Recovery Sent Triggered by a successful password recovery by an end user. that is going to expire.

domain. Too Many Sessions Triggered by more sessions logging on to the server than are permitted. File Uploaded Triggered by a file uploaded to Serv-U.Server. This event triggers for partial uploads if the upload session terminated with a successful message and no data corruption. 319 . according to the Limits & Settings for the user account. user and group events User Email Set Triggered by a user setting the email address for a user account. IP Blocked Time Triggered by a failed login attempt due to an IP access rule that was automatically added by brute force settings. group. domain. Too Many Session On IP Triggered by more sessions logging on to the server from a specific IP address than are permitted. or server. IP Auto Added To Access Rules Triggered by the automatic addition of an IP access rule due to a user triggering the "brute force" settings. Session Idle Timeout Triggered by an idle session timeout. or server. Session Timeout Triggered by a session timeout. configured in Domain Limits & Settings or Server Limits & Settings. domain. User Email Set Failure Triggered by a failed attempt by a user to set the email address for a user account. per the Limits & Settings for the user account. group. IP Blocked Triggered by a failed login attempt due to an IP access rule.

Chapter 6: Groups
File Upload Failed
Triggered by a failed file upload to Serv-U.
File Download
Triggered by a file downloaded from Serv-U.
File Download Failed
Triggered by a failed file download from Serv-U.
File Deleted
Triggered by the deletion of a file on the Serv-U server by a user.
File Moved
Triggered by the moving of a file on the Serv-U server by a user.
Directory Created
Triggered by the creation of a directory.
Directory Deleted
Triggered by the deletion of a directory.
Directory Changed
Triggered by changing the current working directory.
Directory Moved
Triggered by moving a directory to a new location.
Over Quota
Triggered by going over disk quota space. The current quota space is
shown in the user account, in the Limits & Settings menu.
Over Disk Space
Triggered by exceeding the Max Dir Size configured for a directory access
rule. The current disk space is shown with the AVBL FTP command, or by
using the Directory Properties option in the HTTP or HTTPS Web Client
and FTP Voyager JV.

Creating common events
You can automatically create a list of the most common events. You can choose

320

Creating common events
to create these common events using email or balloon tip actions. Click Create
Common Event in the Events page. Select either the Send Email or Show
balloon tip option for the action you want to perform on the common events. If you
choose to send email, also enter an email address where the events are to be
sent.
Note: The Write to Windows Event Log and Write to Microsoft Message
Queue (MSMQ) options are available for Windows only.
Using event actions
You can select from the following actions that will be executed when an event is
triggered:
l

Send Email

l

Show Balloon Tip*

l

Execute Command*

l

Write to Windows Event Log (Windows only)*

l

Write to Microsoft Message Queue (MSMQ) (Windows only)*

* Events involving anything other than email can only be configured by Serv-U
server administrators.
Using email actions
You can configure email actions to send emails to multiple recipients
and to Serv-U groups when an event is triggered.
To add an email address, enter it in the To or Bcc fields. To send emails to a
Serv-U group, use the Group icon to add or remove Serv-U groups from the
distribution list. Separate email addresses by commas or semicolons. Email
actions contain a To, Subject and Message parameter. You can use special
variables to send specific data pertaining to the event. For more information about
the variables, see System variables.

321

Chapter 6: Groups
To use email actions, you must first configure SMTP in Serv-U. For information
about SMTP configuration, see Configuring SMTP settings.
Using balloon tip actions
You can configure balloon tip actions to show a balloon tip in the system tray
when an event is triggered. Balloon tip actions contain a Balloon Title and a
Balloon Message parameter. You can use special variables to send specific
data pertaining to the event. For more information about the variables, see
System variables.
Using execute command actions
You can configure execute command actions to execute a command on a file
when an event is triggered. Execute command actions contain an Executable
Path, Command Line Parameters, and a Completion Wait Time parameter. For
the Completion Wait Time parameter, you can enter the number of seconds to
wait after starting the executable path. Enter zero for no waiting.
Note: Any amount of time Serv-U spends waiting delays any processing that
Serv-U can perform.
A wait value should only be used to give an external program enough time to
perform some operation, such as move a log file before it is deleted (for example,
$LogFilePath for the Log File Deleted event). You can use special variables to
send specific data pertaining to the event. For more information about the
variables, see System variables.
Writing to the Windows Event Log
By writing event messages to a local Windows Event Log, you can monitor and
record Serv-U activity by using third-party network management software. All
messages appear in the Windows Application Log from a source of "Serv-U".
This event has only one field:
l

Log Information: The contents of the message to be written into the event
log. This is normally either a human-readable message (for example,

322

Creating common events

filename uploaded by person) or a

machine-readable string (for example,
filename|uploaded|person), depending on who or what is expected to read
these messages. Serv-U system variables are supported in this field. This
field can be left blank, but usually is not.
Writing to Microsoft Queue (MSMQ)
Microsoft Message Queuing (MSMQ) is an enterprise technology that provides a
method for independent applications to communicate quickly and reliably. Serv-U
can send messages to new or existing MSMQ queues whenever a Serv-U event
is triggered. Corporations can use this feature to tell enterprise applications that
files have arrived, files have been picked up, partners have signed on, or many
other activities have occurred.
These events have the following two fields:
l

l

Message Queue Path: The MSMQ path that addresses the queue. Remote
queues can be addressed when a full path (for example,
MessageServer\Serv-U Message Queue) is specified. Local, public queues
on the local machine can be addressed when a full path is not specified (for
example, .\Serv-U Message Queue or Serv-U Message Queue). If the
specified queue does not exist, Serv-U attempts to create it. This normally
only works on public queues on the local machine. You can also use ServU system variables in this field.
Message Body: The contents of the message to be sent into the queue. This
is normally a text string with a specific format specified by an enterprise
application owner or enterprise architect. Serv-U system variables can also
be used in this field. This field may be left blank, but usually is not.

Note: Microsoft message queues created in Windows do not grant access to
SYSTEM by default, preventing Serv-U from writing events to the queue. To
correct this, after creating the queue in MSMQ, right-click it, select Properties,
and then set the permissions so that SYSTEM (or the network account under
which Serv-U runs) has permission to the queue.

323

Chapter 6: Groups

Configuring event filters
By using Serv-U event filters, you can control to a greater degree when a Serv-U
event is triggered. By default, Serv-U events trigger each time the event occurs.
The event filter allows events to be triggered only if certain conditions are met. For
example, a standard Serv-U event might trigger an email each time a file is
uploaded to the server. However, by using an event filter, events can be triggered
on a more targeted basis. For example, you can configure a File Uploaded event
to only send an email when the file name contains the string important, so an
email would be sent when the file Important Tax Forms.pdf is uploaded but not
when other files are uploaded to the server. Additionally, you can configure a File
Upload Failed event to run only when the FTP protocol is used, not triggering for
failed HTTP or SFTP uploads. You can do this by controlling the various
variables and values related to the event and by evaluating their results when the
event is triggered.
Event filter fields
Each event filter has the following critical values that must be set:
l

l

l

Name: This is the name of the filter, used to identify the filter for the event.
Description (Optional): This is the description of the event, which may be
included for reference.
Logic: This determines how the filter interacts with other filters for an event.
In most cases, AND is used, and all filters must be satisfied for the event to
trigger. The function of AND is to require that all conditions be met.
However, the OR operator can be used if there are multiple possible
satisfactory responses (for example, abnormal bandwidth usage of less than
20 KB/s OR greater than 2000 KB/s).

l

Filter Comparison: This is the most critical portion of the filter. The Filter
Comparison contains the evaluation that must occur for the event to trigger.
For example, a filter can be configured so that only the user "admin" triggers
the event. In this case, the comparison will be If $Name = (is equal to)

324

Configuring event filters

admin, and

the data type will be string. For bandwidth, either an "unsigned
integer" or "double precision floating point" value would be used.
Event filters also support wildcards when evaluating text strings. The supported
wildcards are the following:
l

* - The asterisk wildcard matches any text string of any length. For example:
l

l

? - The question mark wildcard matches any one character, but only one
character. For example:
l

l

l

l

An event filter that compares the $FileName variable to the string data*
matches files named data, data7, data77, data.txt, data7.txt, and
data77.txt.

An event filter that compares the $FileName variable to the string data?
matches a file named data7 but not data, data77, data.txt, data7.txt,
or data77.txt.
An event filter that compares the $FileName variable to the string
data?.* matches files named data7 and data7.txt but not data,
data77, data.txt, or data77.txt.
An event filter that compares the $Name variable to the string A????
matches any five-character user name that starts with A.

[] - The bracket wildcard matches a character against the set of characters
inside the brackets. For example:
l

An event filter that compares the $FileName variable to the string data
matches files named data6.txt, data7.txt and data8.txt
but not data5.txt.
[687].txt

l

An event filter that compares the $LocalPathName variable to the string
[CD]:\* matches any file or folder on the C: or D: drives.

You can use multiple wildcards in each filter. For example:
l

An event filter that compares the $FileName variable to the string
[cC]:\*.??? matches any file on the C: drive that ends in a three letter file
extension.

325

Chapter 6: Groups

l

An event filter that compares the $FileName variable to the string ?:\*Red
[678]\?????.* matches a file on any Windows drive, contained in any folder
whose name contains Red6, Red7 or Red8, and that also has a five character
file name followed by a file extension of any length.

Using event filters
Event filters are used by comparing fields to expected values in the Event Filter
menu. The best example is raising an event only when a certain user triggers the
action, or when a certain file is uploaded. For example, an administrator may want
to raise an email event when the file HourlyUpdate.csv is uploaded to the server,
but not when other files are uploaded. To do this, create a new event in the
Domain Details > Events menu. The Event Type is File Uploaded, and on the
Event Filter tab a new filter must be added. The $FileName variable is used and
the value is HourlyUpdate.csv as shown in the following screen capture:

As another example, it might be necessary to know when a file transfer fails for a
specific user account. To perform this task, create a new File Upload Failed
event, and then add a new filter.

326

using wildcards. and set it to Send Email. such as ProductionLineFTP: You can also filter for events based on specific folders. This will cause the event to trigger only for files that are located within C:\ftproot\accounting\. Create a new event filter. 327 . In some cases it may be necessary to trigger events for files uploaded only to a specific folder.Server details The filter comparison is the $Name variable. open the Event Filters page. and add the filter comparison If $LocalPathName = (is equal to) C:\ftproot\accounting\* with the type of (abcd) string. After specifying the email recipients. To filter based on a folder name. and the value to compare is the user name. create a new File Uploaded event in the Domain Details > Events menu. subject line. ranges of IP addresses. and message content. such as when an accounting department uploads time-sensitive tax files. Server details IP access rules restrict login access to specific IP addresses. IP access rules can be configured at the server. or a domain name.

0. such as 2001:db8::/32. long form) or fe80::a450:9a2e:ff9d:a915 (IPv6. Common CIDR blocks are /8 (for 1. long form).3.2. such as server?. * Stands for any valid IP address value. Specifying IP access masks IP access rules use masks to authorize IP addresses and domain names.2. which is analogous to 192.0-255.*).0-19 (IPv4). shorthand).example. ranges. and wildcards made up of the following elements: xxx Stands for an exact match. CIDR notation also works with IPv6 addresses.2. such as 192. such as 192.Chapter 6: Groups domain.*).*) 328 . shorthand). IP access rules are applied in the order they are displayed.*. / Specifies the use of CIDR notation to specify which IP addresses should be allowed or blocked.0 (IPv4). and user levels.0. group.*. xxx-xxx Stands for a range of IP addresses.*. or fe80::a450:9a2e:ff9d:*. which is analogous to fe80::a450:9a2e:ff9d:0-ffff.0. ? Stands for any valid character when specifying a reverse DNS name. or fe80::a450:9a2e:ff9d:a915-a9aa (IPv6. The arrows on the right side of the list can be used to change the position of an individual rule in the list. 1.2. such as 192.2. /16 (for and /24 (for 1.*. specific rules can be placed at the top to allow or deny access before a more general rule is applied later on in the list. fe80:0:0:0:a450:9a2e:ff9d:a915-a9aa (IPv6. In this way.0.com.2. The masks can contain specific values. fe80:0:0:0:a450:9a2e:ff9d:a915 (IPv6.

Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server.*) at the end of your IP access rule list. However.Caveats Caveats Specific IP addresses listed in Allow rules will not be blocked by anti-hammering. depending on the speed of the DNS server of the system. Rule use during connection The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. DNS lookup If you use a dynamic DNS service. Implicit deny all Until you add the first IP access rule. This can cause a slight delay during login. This is also known as an implicit 'Deny All' rule. Server and domain level IP access rules are applied before the welcome message is sent. If you create a rule based on a domain name or reverse DNS. Matching all addresses Use the *. connections from any IP address are accepted. addresses matched by a wildcard or a range will be subject to anti-hammering prevention. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain.* mask to match any IPv4 address. all connections that are not explicitly allowed will be denied. If you use both IPv4 and IPv6 listeners.*. Use the *:* mask to match any IPv6 address. make sure you add a 'wildcard allow' rule (such as Allow *. After you add the first IP access rule. You can also specify reverse DNS names. With this in mind. Serv-U performs either a reverse DNS lookup or DNS resolution to apply these rules. you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address.*.*. add Allow ranges for both IPv4 and IPv6 addresses.*. 329 . These IP addresses are whitelisted.

You can unblock any blocked IP early by deleting its entry from the list. You can configure an anti-hammering policy server-wide in Server Limits and Settings > Settings and domain-wide in Domain Limits and Settings > Settings.Chapter 6: Groups Anti-hammering You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. blocked IP addresses appear in the domain that contains the listener. IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. 330 . If you have multiple domains with different listeners. The Expires in value of the blocked IP counts down second by second until the entry disappears. even if anti-hammering is configured at the server level. Blocked IP addresses do not appear in the server IP access list.

Allow Set this value to 0 for Deny. The CSV file must contain the following fields. Case File: Office-only access A contractor has been hired to work in the office. IP range. Displaying the IP access list in sort mode does not change the order in which rules are processed. To view rule precedence. To import IP access rules. domains. and the server by using a text-based CSV file. including the headers: IP The IP address. CIDR block. groups. Examples The following sections provide examples about the usage of IP address rules. or domain name for which the rule applies. Office 331 . Using the sort mode By using the sort mode. view the list of rules to export. Importing and exporting IP access rules You can export and import Serv-U IP access rules from users. disable this option. To export IP access rules. click Export. and only in the office. click Import and select the file that contains the rules you want to import. you can sort the IP access list numerically rather than in the processing order. Viewing the IP access list in numerical order can be a valuable tool when you review long lists of access rules to determine if an entry already exists. or to 1 for Allow. and then specify the path and the file name you want to save the list to. Description A text description of the rule for reference purposes.IP access list controls IP access list controls The following section contains a description of the options that are available on the IP Access page.

group settings overriding domain settings.2. In addition.0.0. Case File: Prohibited computers Users should normally be able to access Serv-U from anywhere.com. providing total control over the server. and it should be added to either the contractor's user account or a Contractors group that contains multiple contractors. you can configure limits so that they are only applied during certain days of the week.com or *.192. and the server in its entirety. with user settings overriding group settings. The related Serv-U access rules should therefore be Deny 192.24. The limits stack intelligently.024.0.example.2.com in any order. and domain settings overriding server settings.*. groups. Limits and Settings Serv-U contains options which you can use to customize how Serv-U can be used.example1.0. You can also grant exceptions to administrators and restrict specific users more than others. and which also provide ways to apply limits and custom settings to users.2. and these should both be added to either the domain or the server IP access rules.2.0.2.example1. followed by Allow *.*. Case File: DNS-based access control The only users allowed to access a Serv-U domain will be connecting from *. domains.0 192.*.2.com and Allow *. except from a bank of special internal computers in the IP address range of 192. 332 .0-24. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list.0 .24. No deny rule is required here because Serv-U provides an implicit deny all rule at the end of the list.0.example. The related Serv-U access rule should be Allow 192.Chapter 6: Groups workstations have IP addresses in the range of 192. or certain times of the day. The related Serv-U access rules should therefore be Allow *. and these should both be added to the domain IP access rules.

click Add. Because of inheritance rules. For more information about this method of inheritance. select the limit. a new Lock users in home directory limit appears in the list that displays "No" as the value. Limits with a white background are values that override the defaults. this option applies to all users in the domain unless it is overridden at the group or user level. l Deselect the option. After you complete the previous steps. and then select or enter the value. 333 . perform the following steps: l Select Domain > Domain Limits & Settings from the Serv-U Management Console. l Select Directory Listing from the Limit Type list. l Click Save. to disable the Lock users in home directory option for a domain. The limits list displays the current limits applied to the domain. see User interface conventions. Limits with a lightblue background are default values. select the appropriate category. l Select Lock users in home directory from the Limit list. l Click Add.Limits and Settings The Limits and Settings in Serv-U are divided into the following categories: l Connection l Password l Directory Listing l Data Transfer l HTTP l Email l File Sharing l Advanced To apply a limit. For example.

To edit an overridden value. To create a limit that is restricted to a specific time of day or days of the week. or HTTPS) before it is accepted. Require secure connection before login Requires that a connection be secure (for example. Connection Maximum number of sessions for group Specifies the maximum number of concurrent sessions that may be allowed for all users that are a member of the group. select the limit. deselect the days for which you do not want to apply the limit. The following section contains a reference of all available group limits. Maximum number of sessions per user account Specifies the maximum number of concurrent sessions that may be opened from a single user account. Default rules cannot be edited or deleted. organized by category. default values (or the value of other limit overrides) are applied when the time of day or day of the week restrictions are not met for this limit. Create a new limit to override a default one. SFTP. and then click Edit. Select Apply limit only at this time of day to specify a start and stop time for the new limit. FTPS. When a limit is restricted in this way. Maximum sessions per IP address for user account Specifies the maximum number of concurrent sessions that a user may open from a single IP address. To restrict the limit to certain days of the week. click Advanced in the New Limit or Edit Limit window.Chapter 6: Groups You can delete limits by selecting them and clicking Delete. 334 . Maximum sessions per IP address for group Specifies the maximum number of concurrent sessions that may be opened from a single IP address for all users of the group.

for a specified period of time. Allow HTTP and HTTPS connections Allows the user to connect using the HTTP and HTTPS protocols. that is. Serv-U disconnects the client when the connection has been idle. Allow SFTP connections Allows the user to connect using the SFTP protocol. Block IP address of timed out session Specifies the number of minutes for which the IP address of a timed out session is blocked. When these are blocked. Allow FTP and FTPS connections Allows the user to connect using the FTP and FTPS protocols. For information about setting the packet time-out. which is commonly used to keep FTP Command Channel connections open during long file transfers or other periods of inactivity where no information is being transferred on the control channel. Deselect Allow FTP and FTPS connections to disable the FTP and FTPS protocols. Note: Setting the Packet time-out is a requirement for this limit to work. see Server settings. not transferring data. Automatic session timeout Specifies the number of minutes a session is allowed to last before being disconnected by the server. Deselect 335 . The value of Packet time-out must be less than the value of the Automatic idle connection timeout for the Automatic idle connection timeout to work properly. Block anti-timeout schemes Blocks the use of commands such as NOOP. Deselect Allow SFTP connections to disable the SFTP protocol.Connection Automatic idle connection timeout Specifies the number of minutes that must pass after the last client data transfer before a session is disconnected for being idle.

Automatically expire passwords Specifies the number of days a password is valid before it must be changed. Use this option when users are expected to take advantage of the password recovery utility in the Web 336 . This is the default setting. Password Require complex passwords Specifies that all user account passwords must contain at least one uppercase and one non-alphabetic character to be considered valid. Mask received passwords in logs Masks the passwords received from clients from being shown in log files. SSH authentication type Specifies how SSH authentication is to occur. which can be useful for debugging connection problems or auditing User account security. Disabling this allows passwords to be displayed in log files. Allow users to change password Specifies whether or not users are allowed to change their own passwords. Simple two-way encryption (less secure): This option encrypts passwords in a reversible format for easy recovery. Specifying zero days means passwords never expire. Specifying zero characters indicates that there is no minimum requirement. Minimum password length Specifies the minimum number of characters required in the password of a user account. The following options are available: l l One-way encryption (more secure): This option fully encrypts passwords and cannot be reversed.Chapter 6: Groups Allow HTTP and HTTPS connections to disable the HTTP and HTTPS protocols.

this limit allows users to generate a random password. Setting this option does not affect a user's ability to login through other protocols. irreversible state in the configuration files of Serv-U (unless the file server is configured to not encrypt stored passwords through a password limit). and must be re-saved to be stored in the new format. Allow users to recover password If enabled. These options only apply to the FTP protocol. A stale password is a password that is about to expire. Disable password generators If enabled. In addition to the Regular Password option.Password Client. Days before considering password to be stale The number of days prior to expiration that a password is to be considered "stale". in days. This type of password setting allows the user to log in through FTP without sending the password to the file server as plain text. Note: When you change this setting. An event can be configured to identify when a password is about to expire. all user passwords must be reset. l No encryption (not recommended): This option stores passwords in clear text. Using this option may be necessary for integration with legacy systems (especially when using database support). FTP Password Type All passwords are stored in an encrypted. 337 . two additional types of password storage are available for accounts that use the FTP protocol: MD4 and MD5 OTP S/KEY passwords. this limit allows users to recover passwords using the Web Client password recovery utility at the login page. In this case it may be desirable to use two-way encryption so that Serv-U does not need to reset their passwords when password recovery is requested. before password expiration. This value is the lead-time. Existing passwords are not updated automatically.

Hide the encrypted state of files and directories Hides the encrypted state of all encrypted files and directories being viewed by the user.lnk (shortcut) files as a UNIX symbolic link. In other words. Hide the compressed state of files and directories Hides the compressed state of all compressed files and directories being viewed by the user. Data transfer Maximum upload speed for all group members Limits the maximum total bandwidth that can be used by all members of the group for all uploads. Treat Windows shortcuts as target in links Instructs Serv-U to treat all valid .lnk file points to another file. Allow root ("/") to list drives for unlocked users (Windows Only) Allows users to change directory to the root ("/") of the system and display all drives on the computer.Chapter 6: Groups Directory listing Hide files marked as hidden from listings Hides files and folders from directory listings that have the Windows "hidden" system attribute set on them. regardless of the actual letter case in use by the file or directory. the destination file is shown in the directory listing instead of the . if a .lnk files as the actual destination object. Use lowercase for file names and directories Forces Serv-U to display all file names and directories using lowercase characters. Setting a limit of 0 KB/s means unlimited bandwidth. Interpret Windows shortcuts as links Instructs Serv-U to treat all valid .lnk file itself. 338 . This option only works when users are not locked in their home directory.

Setting a limit of 0 KB/s means unlimited bandwidth. This option can currently be used in FTP mode only. Maximum download speed per session Limits the maximum download bandwidth for each individual session. Maximum download speed for user accounts Limits the maximum download bandwidth shared between all sessions associated with an individual user account. However. Maximum upload speed for user accounts Limits the maximum upload bandwidth shared between all sessions associated with an individual user account. Setting a limit of 0 KB/s means unlimited bandwidth. Maximum upload speed per session Limits the maximum upload bandwidth for each individual session. Setting a limit of 0 KB/s means unlimited bandwidth. since the definition of a new-line sequence is 339 . Most Windows applications expect <CR><LF> to represent a new-line. as does the FTP protocol.Data transfer Maximum download speed for all group members Limits the maximum total bandwidth that can be used by all members of the group for all downloads. Delete partially uploaded files Instructs Serv-U to delete incomplete file uploads. Setting a limit of 0 KB/s means unlimited bandwidth. Setting a limit of 0 KB/s means unlimited bandwidth. The file size is measured in kilobytes. Interpret line feed byte as a new line when in ASCII mode (Windows Only) When uploading and downloading files using ASCII mode. Maximum upload file size Restricts the maximum single file size a user can upload to Serv-U. Serv-U treats <LF> characters the same as <CR><LF> end-of-line markers.

The default language can be set to any language you want. This feature can be disabled for security reasons. HTTP Allow HTTP media playback The Serv-U Web Client supports fully interactive media playback of audio and video files. Allow users to use Web Client Pro Serv-U Web Client Pro is enabled by default. Default language for Web Client When the end-user connects with an unsupported language. When downloading in ASCII mode. Allow browsers to remember login information The HTTP login page contains a "Remember me" option (not enabled by default) that allows user names to be remembered by the login page.Chapter 6: Groups not fully defined in Windows. Administrators can disallow the use of Serv-U Web Client Pro by disabling this limit. Allow users to use FTP Voyager JV FTP Voyager JV is enabled by default. stand-alone <LF> characters are changed to <CR><LF> prior to sending to the client. 340 . Allow users to use Web Client Serv-U Web Client is enabled by default. Administrators can disallow the use of FTP Voyager JV by disabling this limit. this option allows Serv-U to treat <LF> the same as <CR><LF>. When connecting to Serv-U using a supported localization of Windows. Administrators can disallow the use of Serv-U Web Client by disabling this limit. the local language of Windows is used. This function can be disabled during specific business hours or altogether based on business needs. When uploading in ASCII mode stand-alone <LF> characters are changed to <CR><LF> prior to writing to the file. the HTTP login page is displayed in English.

Allow HTTP sessions to change IP address (disabling may cause mobile devices to fail) The Serv-U Web Client supports the transfer of HTTP sessions if the IP address changes. This option can be disabled but it may cause mobile devices to be disconnected due to frequent IP address changes by these devices. it remains the date and time when the file was uploaded. Serv-U can maintain the last modification date and time of the file when end-users are using FTP Voyager JV or Web Client Pro. When disabled. Email Allow end-user to set account email address Specifies whether users are allowed to modify their account email address using the Change Email Address option in the Web Client or File Sharing interfaces. When this limit is set to Always or Never. Maintain file dates and times after uploading (FTP Voyager JV and Web Client Pro only) When enabled. 341 . Require end-user to set email address at next HTTP login Specifies whether users must set their email address when they log in to Serv-U. but if users should not be able to select their preferred language this can be disabled.Email Allow users to change languages The Serv-U Web Client is supported in many languages. Serv-U does not set the last modification date and time of the file. the creator of the file share will not be able to specify this optional setting. File sharing Require a password for guest access Specifies whether it is possible to set up a file share where the guest is required to provide a password.

users will be able to specify link expiration dates individually in the Request Files and Send Files wizards. the user can individually specify in each file share whether or not the guest must provide a password. the file share links will expire after the number of days specified in the Duration before guest link expires limit. the Include the password in the email option can be selected individually in each file share. Insert passwords within invitation emails Specifies whether it is possible to set up a file share where the password for the share is included in the invitation email. When this limit is set to Optional. the creator of the file share request can specify the maximum file size in each file share request without an upper limit. the creator of the file share will not be able to specify this optional setting. the creator of the file share will not be able to specify this optional setting. If set to zero. the user can individually specify in each file share whether to receive notification of the file download. Duration before guest link expires Limits the number of days after which a file share link expires if the Allow user-defined guest link expiration limit is disabled. Notify user after a file is downloaded Specifies whether the Notify me when the file(s) have been downloaded option can be used in the Send Files wizard. When this limit is set to Optional.Chapter 6: Groups When this limit is set to Optional. When this limit is set to Always or Never. In this case. Maximum file size guests can upload (per file) Specifies the file size constraints imposed upon the guest user. Notify user after a file is uploaded Specifies whether the Notify me when the file(s) have been uploaded option can be used in the Request Files wizard. When disabled. Allow user-defined guest link expiration When enabled. When this limit is set to Always or Never. When this limit is set to 342 . there is no file size constraint.

When this limit is set to Optional. When this limit is set to Optional. Allow user-defined contact information When enabled. the user will not be able to specify this optional setting. Allow file sharing Specifies whether the user is allowed to use file sharing.File sharing Always or Never. the user can individually specify in each file share or file share request whether to send the access link automatically. When this limit is set to Always or Never. Send the guest access link to the recipients Specifies whether the Automatically send the download/upload link to the guest user(s) in email option can be used in the Send Files and Request Files wizards. Send the guest access link to the sender Specifies whether the Send me an email copy with the download/upload link option can be used in the Send Files and Request Files wizards. Maximum number of files for "Sent" shares Specifies the maximum number of files users can include in a single file share. If set to 0. When this limit is set to Always or Never. the user can individually specify in each file share request whether to receive notification of the file upload. the user can individually specify in each file share or file share request whether to receive an email copy with the download/upload link. users are not allowed to edit their contact information in the Request Files and Send Files wizards. the user will not be able to specify this optional setting. the creator of the file share request will not be able to specify this optional setting. the default limit of 20 is used. 343 . When disabled. When this limit is set to Optional. users will be able to edit their name and email address in the Request Files and Send Files wizards.

If set to 0. Certain web browsers can encode special characters contained in file names and directories when using the FTP protocol. Serv-U supports SFTP versions 3 . This attribute allows Serv-U to decode these special characters. Maximum Supported SFTP Version Specifies the maximum version of SFTP permitted for SFTP connections. Allow Rename Overwrite When enabled (default) Serv-U allows files to be renamed to files where the destination already exists. By default. By default. When disabled users are not allowed to rename a file or directory to a path name that already exists. directory access rules specified at the group or user level take 344 . users can browse to any file stored on their computer or on Serv-U. Allowed "Sent" file share sources Specifies the valid file sharing sources that users can browse to when they create an outgoing file share. Automatically check directory sizes during upload Instructs Serv-U to occasionally check the size of directories in which a maximum directory size has been specified.Chapter 6: Groups Maximum number of files for "Requested" shares Specifies the maximum number of files users can upload after receiving a file share request. Advanced Convert URL characters in commands to ASCII Instructs Serv-U to convert special characters contained in command parameters to plain ASCII text. This attribute ensures that Serv-U always has updated directory sizes available instead of having to calculate them at transfer time. which can be a time consuming operation. Apply server and domain directory access rules before user and group The order in which directory access rules are listed has significance in determining the resources that are available to a user or group account.6. the default limit of 20 is used.

always accessible to users. even if they have no current credits. Days before automatically disabling account to trigger the pre-disable event The number of days prior to automatically disabling the user account that the pre-disable event should be triggered. In other words. 345 . For more information. Setting this value to "Yes" places the group's and user's directory access rules below the server and domain. Reset user stats after restart When this limit is enabled. This is commonly used to make special files. Reset group stats after restart When this limit is enabled. such as a readme or a directory information file. see the "Apply group directory access rules first" setting in Group information. Using ratio free files Files listed in the ratio free file list are exempt from any imposed transfer ratios. Owner ID (user name) for created files and directories (Linux Only) The user name given to set as owner of a created file or directory.Using ratio free files precedence over ones specified at the domain and server level. a file that matches an entry in this list can always be downloaded by users. if a user must upload files in order to earn credits towards downloading a file. the user statistics are reset after a server restart. Group ID (group name) for created files and directories (Linux Only) The group name given to set as owner of a created file or directory. However. the group statistics are reset after a server restart. there are certain instances where you may want the domain and server level rules to take precedence. Days before automatically deleting account to trigger the pre-delete event The number of days prior to automatically deleting the user account that the pre-delete event should be triggered.

3. Type the output directory of the certificate (for example. full or relative paths can be used when making an entry. 3. 5. 346 . C:\ProgramData\RhinoSoft\Serv-U\). If a full path is used when specifying a file name. which is also used to name the storage file. A '?' can be used to represent a single character within the file name or directory. Place the public key file in a secured directory in the server. For example.txt makes any file with a . 2. Type the name of the key pair (for example. In addition. entering *. Finally. Using '*' specifies a wildcard of any kind of character and any length. but RSA is available). Click Manage Keys. Select the key type (default of DSA is preferred. Click Create Key. 4. and then use Browse in Serv-U to select the file. If a relative path is used. only that specific file is exempt from transfer ratios.Chapter 6: Groups You can use the '*' and '?' wildcard characters when specifying a ratio free file. such as entering only readme.txt extension free for download. full paths can be specified by using standard directory paths such as C:\ftproot\common\ (on Windows) or /var/ftpfiles/shared/ (on Linux). MyKey). Click Save. 2. Creating a key pair 1. the provided file is exempt from transfer ratios regardless of the directory it is located in. Obtain a public key file. regardless of the actual file name. SFTP (Secure File Transfer over SSH2) for users and groups Using an existing public key 1.txt.

Avoid storing the public keys in a network path. 8. 7. When authenticating a client. Serv-U checks all the keys you provide here. For optimal results. 347 . and define the common user properties at group level. Click Manage Keys. you can associate multiple public keys with a user account. To create multiple keys for an account: 1. and 4096 bits provides best security). Creating multiple keys per user For the purposes of public key authentication. Click Add Key. Enter the password to use for securing the key file. and then specify the key name and the key path. the following best practices are recommended: l l l It is recommended that you do not create more than 100 keys per user account. If authenticating against one key fails. 2. If you have a large number of public keys. 2048 bits is a good median.SFTP (Secure File Transfer over SSH2) for users and groups 6. divide the keys between multiple users. Serv-U proceeds to check the next key. Select the key length (default of 1024 bits provides best performance. Click Create.

or a welcome message. 348 . you can also use the %USER%. 15. it is best to use $ macros for events and in system messages (such as login messages or customized FTP responses) and % macros for configuration values. %USER_FULL_NAME%. When you use macros. is calculated since the Serv-U File Server was last started. see Configuring directory access rules. Furthermore. %HOME%. These variables are replaced at run time with the appropriate value allowing up-to-date statistics and feedback to be provided to logged in users. For more information about these variables. unless otherwise specified. Some of the places where you can use these variables include event messages. whereas the % macros have explicit values at all times. and %DOMAIN_HOME% variables. All variables are case sensitive. Server information $ServerName Displays the full name of the server (that is. $ServerVersionShort Displays the first two digits of the current version of the Serv-U File Server (for example. in general. Serv-U).Chapter 7: System variables You can customize certain configurable messages in Serv-U to include a wide range of variables as outlined in the following list. customized FTP command responses. Statistical information.1). Many of the $ macros do not have explicit values until a session has been successfully established or a specific action has taken place.

WEB-SERVER-01). normally the same as the UNC name on a Windows network (for example.0. $LogFilePath Retrieves the path to the log file (Log File Deleted and Log File Rotated Events only). $ComputerName Displays the name of the computer retrieved from the operating system. $OSVer Displays the full version number of the operating system (for example.Chapter 7: System variables $ServerVersionLong Displays the full version number of the Serv-U File Server (for example. $EventName Contains the configured name of the event.1. $OSCaseSensitive States if the operating system is case sensitive. Windows Server 2008 R2) and platform (for example. $OS Displays the name of the operating system (for example. Windows Server 2008 R2). 15.480).1. 6. $OSAndPlatform Displays the name of the operating system (for example.7601). $EventDescription Contains the configured description of the event. 32-bit or 64-bit). $EventType Contains the type of the event that was triggered. 349 .

Server statistics $OldLogFilePath Retrieves the old path to the log file (Log File Rotated Events only). Server statistics $ServerDays Displays the total number of days the server has been online continuously. $ListenerPort Retrieves the listener port (Listener Success. $ListenerIPAddress Retrieves the listener IP address (Listener Success. Permanent Listener Failure Events only). Permanent Gateway Listener Success. Listener Failure. Permanent Listener Failure Events only). Permanent Gateway Listener Failure Events only). $ServerHours Displays the number of hours from 0 to 24 the server has been online. Listener Failure. Permanent Listener Success. Permanent Gateway Listener Failure Events only) $GatewayPort Retrieves the Gateway port (Gateway Listener Success. Permanent Listener Success. Permanent Listener Success. Permanent Listener Failure Events only). Permanent Listener Failure Events only). 350 . $ListenerType Retrieves the listener type (Listener Success. Listener Failure. $GatewayIPAddress Retrieves the Gateway IP address (Gateway Listener Success. Permanent Listener Success. Gateway Listener Failure. Permanent Gateway Listener Success. carries over to $ServerDays. $ListenResult Retrieves the listener result (Listener Success. Listener Failure. Gateway Listener Failure.

$ServerUploadKBps Displays the current upload transfer rate in KB/s. $ServerKBup Displays the total number of kilobytes uploaded. carries over to $ServerMins. 351 . $ServerKBdown Displays the total number of kilobytes downloaded. carries over to $ServerHours. $ServerFilesUp Displays the total number of files uploaded. $ServerSecs Displays the number of seconds from 0 to 60 the server has been online. $ServerUploadAvgKBps Displays the average upload rate in KB/s. $ServerFilesTot Displays the total number of files transferred. $ServerFilesDown Displays the total number of files downloaded. $LoggedInAll Displays the total number of established sessions. essentially ($ServerFilesUp + $ServerFilesDown).Chapter 7: System variables $ServerMins Displays the number of minutes from 0 to 60 the server has been online. $ServerAvg Displays the average data transfer rate (uploads and downloads) in KB/s. $ServerDownloadAvgKBps Displays the average download rate in KB/s.

$DomainFilesTot Displays the total number of files transferred.Domain statistics $ServerDownloadKBps Displays the current download transfer rate in KB/s. $DomainUploadAvgKBps Displays the average upload rate in KB/s. $DomainLoggedIn Displays the total number of sessions currently connected. $ServerSessions24H Displays the total number of sessions in the past 24 hours. Domain statistics $DomainKBup Displays the total number of kilobytes uploaded. $DomainKBdown Displays the total number of kilobytes downloaded. $DomainFilesUp Displays the total number of files uploaded. essentially ($DomainFilesUp + $DomainFilesDown). $ServerKBps Displays the current aggregate data transfer rate in KB/s. 352 . $DomainDownloadAvgKBps Displays the average download rate in KB/s. $ServerSessions24HPlusOne Displays the total number of sessions in the past 24 hours plus one additional session. $DomainFilesDown Displays the total number of files downloaded.

Chapter 7: System variables $DomainAvg Displays the average aggregate data transfer rate (uploads and downloads) in KB/s. $DomainKBps Displays the current aggregate data transfer rate in KB/s. $UserKBDown Displays the total number of kilobytes downloaded. $UserLoggedIn Displays the total number of sessions. $DomainSessions24HPlusOne Displays the total number of sessions in the past 24 hours plus one additional session.Applies to all sessions attached to the user account $UserKBUp Displays the total number of kilobytes uploaded. $DomainSessions24H Displays the total number of sessions in the past 24 hours. $UserKBTot Displays the total amount of kilobytes transferred. $DomainUploadKBps Displays the current upload transfer rate in KB/s. $DomainDownloadKBps Displays the current download transfer rate in KB/s. $UserUploadAvgKBps Displays the average upload rate in KB/s. 353 . User statistics .

$UserAvg Displays the average aggregate data transfer rate (uploads and downloads) in KB/s. $UserSessions24HPlusOne Displays the total number of sessions in the past 24 hours plus one additional session. for example. $UserSessions24H Displays the total number of sessions in the past 24 hours. $TransferKBPerSecond Displays the effective (compressed) transfer rate in KB/s. 32. formatted for display. Last transfer statistics .164.Applies to the most recently completed successful data transfer $TransferBytesPerSecond Displays the effective (compressed) transfer rate in bytes/s.Applies to the most recently completed successful data $UserDownloadAvgKBps Displays the average download rate in KB/s. $UserKBps Displays the current aggregate data transfer rate in KB/s. $TransferBytes Displays the effective (compressed) number of bytes transferred.Last transfer statistics . $UserUploadKBps Displays the current upload transfer rate in KB/s. 354 . $UserDownloadKBps Displays the current download transfer rate in KB/s.

for example. For example. formatted for display. unformatted. A value of 200. formatted for display. $ActualTransferBytes Displays the actual (uncompressed) number of bytes transferred. unformatted. (FTP only) 355 . a value of 100. $ActualTransferBytesPerSecond Displays the actual (uncompressed) transfer rate in bytes/s. 32164. providing information such as compression level. $CommandResult Displays the command result in the return response of any command. $CompressionRatio Displays the ratio of compression for the transfer expressed as a percentage of the expected amount of data transferred. $NoFormatActualTransferBytes Displays the actual (uncompressed) number of bytes transferred.Chapter 7: System variables $NoFormatTransferBytes Displays the effective (compressed) number of bytes transferred. for example.164. $ActualTransferKB Displays the actual (uncompressed) number of kilobytes transferred. for example. 32. $TransferKB Displays the effective (compressed) number of kilobytes transferred. and so on.00 means the data compressed to half its original size. formatted for display.00 means the data could not be compressed. 32164. $ActualTransferKBPerSecond Displays the actual (uncompressed) transfer rate in KB/s.

(FTP only) $CurrentCompressedTransferBytes Displays the current effective (compressed) number of bytes transferred so far. and so on. such as "Z" for the MODE command indicating the compression type. unformatted. a file name for the STOR command. $Time Displays the current time according to the Serv-U File Server. in the local date format of the system. in the local time format of the system. (FTP only) $DataMode Displays the data transfer mode for an FTP data transfer. MODE. for example. such as RETR. (FTP only) $CurrentUncompressedTransferBytes Displays the current actual (uncompressed) number of bytes transferred so far. 32164. 32164. $Day Displays the day of the month. which may be either BINARY for binary mode transfers or ASCII for ASCII mode data transfers. or SIZE. 356 . $Month Displays the two-digit numeric month. for example.Date/Time $Command Displays the FTP command name. (FTP only) Date/Time $Date Displays the current date according to the Serv-U File Server. unformatted. (FTP only) $Parameters Displays the parameters used for the command.

$LoginID Displays the session's login ID. $Hour Displays the hour (24-hour clock).Chapter 7: System variables $TextMonth Displays the text version of the month. operates like $Name. Session information . $MaxAnonymous Displays the maximum number of anonymous users allowed to log in. $Minute Displays the minute. Server settings $MaxUsers Displays the maximum number of sessions allowed to log in. $2DigitYear Displays the two-digit year. which could be limited by the license.Applies to the current session $Name Displays the login ID of the attached user account. $Second Displays the second. $Year Displays the four-digit year. 357 . $Name can refer to the login ID for target user accounts but $LoginID refers only to the login ID of the session.

$FTot Displays the total number of files transferred. $Bdown Displays the total number of kilobytes downloaded. $BUp Displays the total number of kilobytes uploaded .Applies to the current session $IP Displays the client IP address. 358 .Session information . $BTot Displays the total number of kilobytes transferred. essentially ($FUp + $FDown). $Dir Displays the session's current directory. $FDown Displays the total number of files downloaded. $IPName Displays the reverse DNS name as obtained by performing a reverse DNS lookup on $IP. $Disk The local drive letter being accessed. $DFree Displays the amount of free space on $Disk in MB $FUp Displays the total number of files uploaded. $TConM Displays the total number of minutes the session has been connected.

Chapter 7: System variables $TConS Displays the number of seconds from 0 to 60 that the session has been connected. or any other error occurs. either per session or per user. "N/A" if not in use. carries over to $TconM. $RatioDown Displays the 'download' portion of the applied ratio. "Unlimited" if no quota is in use. either per bytes or per complete file. $RatioCredit Displays the current transfer credit for the applied ratio. "N/A" if not in use. $CurrentDirMaxSize Displays the maximum size of the current directory in MB. either megabytes or complete files. $RatioUp Displays the 'upload' portion of the applied ratio. "Unlimited" if no quota is in use. $RatioCreditType Displays the type of ratio credit granted for transfers. $QuotaMax Displays the maximum amount of disk space that can be used in MB. If permission is denied in the directory. 359 . "Unlimited" if no quota is in use. $QuotaLeft Displays how much disk quota is available in MB. $RatioType Displays the type of ratio being applied. $QuotaUsed Displays how much disk quota is currently being used in MB. If the directory has no size limit. the value "N/A" will be returned. the variable will return "unlimited".

It is intended only for events. $Password Displays the password associated with the user account. $Protocol Displays the current protocol being used (FTP. or SFTP (SSH2)). $UserEmailAddress Displays the user's email address. A blank name is returned if the user is a global server user that is not logging in. $DomainDescription Displays the description of the current domain that the session is logged into. $UserDomainName Uses either the logged in domain name or the user's parent domain name. It should NOT be used for welcome messages. It should only be used for events that need this specific information such as user creation. FTPS. $DomainName Displays the current domain that the session is logged into. $LocalHomeDirectory Displays the local home directory.Session information . HTTP. and the counter is reset each time Serv-U is started.Applies to the current session $SessionID Displays the unique session ID of the current session. Session IDs are counted from 000001. HTTPS. $TimeRemaining Displays the time remaining when blocking an IP address for an amount of time (available only in Event notifications). 360 .

$FileName Retrieves only the file name from $PathName. $ServerPort Displays the port number of the server. File information . Blank (no space or name) when the user's full name is empty. $SpaceFullName The same as "$FullName" with the addition of a space before the user's full name. $Port Displays the port number of the client. $FileSize Retrieves the size. of the file from $FileName. which is not necessarily the last transferred file $PathName Retrieves the full remote path.Applies to the last remotely accessed file.Chapter 7: System variables $FullName Displays the user's full name as entered into the "Full Name" field for a user account. Note: Using the $IPName variable inside of an event or sign-on message can cause a slight delay while the reverse DNS information for $IP is retrieved. Blank (no space or name) when the user's full name is empty. 361 . $ServerIP Displays the IP address of the server. $FullNameSpace The same as "$FullName" with the addition of a space after the user's full name. in bytes.

as it relates to Windows. but contains the file name prior to renaming. but contains the path prior to renaming. $OldPathName Retrieves the remote path name prior to renaming.fid. $LocalFileName Retrieves the name of the file as it is stored on the local computer. See $LocalPathName for details. $UAll Displays the total number of sessions that have connected to the Serv-U File Server since it was last started. $OldFileName Retrieves the remote file name prior to renaming.Current activity $FileSizeFmt Displays a formatted version of the file size.fid instead of /Temp/file. containing the thousands separator (comma or period depending on the computer's regional settings). Current activity $UNow Displays the current number of sessions on the Serv-U File Server. $OldLocalFileName Same as $LocalFileName. $FileSizeKB Displays a formatted floating point value representing the file size in KB. $LocalPathName Retrieves the fully qualified local path name for an operation. For example C:\Temp\File. 362 . $OldLocalPathName Same as $LocalPathName.

$UNonAnonThisDomain Displays the current number of sessions not attributed to the anonymous user on the connected domain.Chapter 7: System variables $U24h Displays the total number of sessions that have connected to the Serv-U File Server in the last 24 hours. $UAnonAll Displays the current number of sessions attributed to the anonymous user on the Serv-U File Server. 363 . $UAnonThisDomain Displays the current number of sessions attributed to the anonymous user on the connected domain. $UThisName Displays the current number of sessions attributed to the connected user account. $UNonAnonAll Displays the current number of sessions not attributed to the anonymous user on the Serv-U File Server.