IBM Aspera Connect Server 3.5.4 Windows 2008r2, 2012 Revision: 3.5.4.99710 Generated: 02/04/2015 16:38


Contents

Introduction (page 5)

Standard Installation (page 6)
  • Requirements (page 6)
  • Before Upgrading (page 6)
  • Product Setup (page 10)
  • Configuring the Firewall (page 21)
  • Securing your SSH Server (page 22)
  • Testing a Locally Initiated Transfer (page 27)

Connect Server Web UI Setup (page 30)
  • Configuring your Web UI Settings (page 30)
  • Customize your Web UI's Appearance (page 33)
  • Configuring HTTP and HTTPS Fallback (page 33)
  • Testing Web UI (page 37)

Transferring Files with the Application (page 39)
  • Application Overview (page 39)
  • Managing Connections (page 40)
  • Creating SSH Keys (page 46)
  • Enabling a Transfer or HTTP Proxy (page 49)
  • Transferring Files (page 52)
  • Advanced Transfer Mode (page 55)
  • Configuring Transfer Notifications (page 57)
  • Using Transfer Notifications (page 64)
  • Reporting Checksums (page 66)

Managing Users (page 70)
  • Setting Up Users (page 70)
  • Test User-Initiated Remote Transfer (page 71)
  • Setting Up Groups (page 72)
  • Configuration Precedence (page 73)
  • Setting Up a User's Public Key (page 74)

General Configuration Reference (page 76)
  • Document Root (page 76)
  • Configuring Symbolic Links (page 77)
      • Advanced Symbolic Link Options (ascp) (page 77)
      • Server-Side Symbolic Link Handling (page 78)
  • Authorization (page 79)
  • Bandwidth (page 82)
  • Network (page 86)
  • File Handling (page 87)

Global Transfer Settings (page 92)
  • Global Bandwidth Settings (page 92)
  • Setting Up Virtual Links (page 93)
  • Transfer Server Configuration (page 95)

Managing the Node API (page 97)
  • Node API Setup (page 97)
  • Setting up Node Users (page 98)
  • Node Admin Tool (page 98)
  • aspera.conf for Nodes (page 99)
  • Redis DB Backup/Restore (page 103)
  • Setting up SSL for your Nodes (page 103)

Hot Folders (page 107)
  • Setting Up Hot Folders (page 107)
  • Managing Hot Folders (page 110)

Database Logger (page 111)
  • Setting Up Database Logger (page 111)
  • Configuring the Database Logger (page 112)

Pre- and Post-Processing (Prepost) (page 115)
  • Setting Up Pre/Post (page 115)
  • Pre/Post Variables (page 116)
  • Pre/Post Examples (page 118)
  • Setting Up Email Notification (page 119)
  • Email Notification Examples (page 122)

Transferring from the Command Line (page 124)
  • Ascp Command Reference (page 124)
  • Ascp General Examples (page 131)
  • Ascp File Manipulation Examples (page 132)
  • Ascp Transfers to Cloud Storage (page 133)
  • Token Generation (page 135)
  • Creating SSH Keys (Command Line) (page 136)
  • Ascp FAQs (page 137)

Configuring for the Cloud (page 140)
  • Configuring aspera.conf for S3 (page 140)

Appendix (page 142)
  • Updating Aspera Service Account (page 142)
  • Product Limitations (page 142)
  • FASP Transfer Policies (page 143)
  • Generate an Internet Server Certificate (IIS) (page 143)
  • Restarting Aspera Services (page 144)
  • Setting Policies for OpenSSH User (page 145)
  • Optimizing Transfer Performance (page 146)
  • Log Files (page 147)
  • Updating the Product License (page 148)
  • Updating Aspera Service Account (page 149)
  • Upgrading Enterprise Server to Connect Server (page 150)
  • Uninstall (page 152)
  • Setting Up Token Authorization (page 152)
  • Configuring Token Authorization from the GUI (page 153)
  • Configuring Token Authorization With aspera.conf (page 154)
  • Configuring for Faspex (page 155)
  • Configuring for Shares (page 160)

Troubleshooting (page 164)
  • Using the Troubleshooter (page 164)
  • Error Adding Domain User (page 164)
  • Clients Can't Establish Connection (page 165)
  • Configuring IIS for Web UI (page 167)
  • Uninstall Version 2.2.1 for Upgrade (page 170)

Technical Support (page 173)

Feedback (page 174)

Legal Notice (page 175)


Introduction

IBM Aspera Connect Server is a web-based file transfer server built upon Aspera's FASP transport. Connect Server offers the following features:

Feature: Description

• FASP transport technology: File transfer protocol that dramatically speeds transfers over IP networks by eliminating the fundamental bottlenecks in conventional technologies. FASP features bandwidth control, resume, transfer encryption, content protection, and data integrity validation.

• Transfer server: Allows an unlimited number of concurrent client transfers. Uses virtual links to manage aggregate bandwidth usage.

• Connect Server Web UI: A web-based interface that enables transfers for Aspera Connect clients. Includes the HTTP Fallback Server to allow clients without FASP connectivity to transfer using HTTP or HTTPS.

• Connect Server application: A graphical file transfer application for initiating and managing transfers, and for configuring transfer users and server settings.

• Hot Folders (Aspera Sync): A service, managed by the desktop application, that automates the transferring of files from a specified directory.

• Database Logger: A MySQL adapter that logs the server's transfer activity to a database.

• Pre- and Post-Processing (Prepost): Executes customizable actions when transfer events - start and end of sessions and files - occur. An email notification script is included.

• ascp command: The command-line file transfer program.


Standard Installation

Install the IBM Aspera transfer product and set up your computer for FASP file transfers.

Requirements

Software and hardware requirements for optimal product functionality

System requirements for IBM Aspera Connect Server:

• Product-specific Aspera license file.
• Active Server Pages (ASP) must be enabled.
• For Web UI, Internet Information Service (IIS) version 6, or version 7 with IIS 6 Compatibility Component installed (See Microsoft TechNet: IIS 6 Compatibility Components Not Installed).
• For usage in an Active Directory environment - Access to a domain administrator account for product installation.
• Access to run WMI.
• For Database Logging - A MySQL Database.
• For Pre- and Post-Processing (Prepost) - Install Active Perl to enable Perl scripts.
• Screen resolution 1024 x 768 or higher.

The following web browsers are supported by Connect Server:

Supported OS: Supported Browsers

• Windows 2008r2, 2012: Internet Explorer 8+, Firefox 27+, Google Chrome 32+
• Mac OS X 10.7+: Safari 6+, Firefox 27+, Google Chrome 32+
• Linux 64-bit: Firefox 27+

If you plan to set up and use the Node API, you must also meet the following requirements on each node machine:

• In order to use this application on a cloud platform and access the object-based cloud storage, you must obtain an on-demand license. Please contact Technical Support.

• Identify a directory that you plan to use for sharing data. Later on (in the topic Node API Setup), we will use this directory as the absolute path for the transfer user.

• Verify that the machine's hosts file has an entry for "127.0.0.1 localhost." For UNIX-based nodes, check /etc/hosts. For Windows nodes, check C:\WINDOWS\system32\drivers\etc\hosts.

• For UNIX-based nodes, verify that SELINUX is disabled via cat /etc/sysconfig/selinux. SELINUX can be "permissive" or "disabled," but not "enforced."

Before Upgrading

Steps to take before upgrading your IBM Aspera product.

The installer for Aspera Connect Server automatically checks for a previous version of the product on your system. If a previous version is found, the installer automatically removes it and upgrades your computer to the newer version.

On a Windows system, the installer displays the following message when an older version of the product is detected:


Although the installer performs your upgrade automatically, we highly recommend completing the tasks below before starting the installation/upgrade process. If you do not follow these steps, you risk installation errors or losing your former configuration settings. Skip any steps that do not apply to your specific product version.

Note: You cannot upgrade directly between different Aspera transfer products (such as from Point-to-Point to Desktop Client, or from Point-to-Point to Enterprise Server). To upgrade, you need to back up the configuration, uninstall the product, and perform a fresh install of the new version of the product. If you are upgrading your Enterprise Server to Connect Server, see Upgrading Enterprise Server to Connect Server on page 150.

1. All Versions - Verify the version of your existing product

Depending on your current product version, the upgrade preparation procedure may differ. In the Windows Command Prompt ( Start menu > All Programs > Accessories > Command Prompt ), execute this command:

> ascp -A

This displays the product name and version number.

Warning: When upgrading from 2.7.X to 3.X on Windows, please be aware that user names are now case sensitive.

2. All Versions - Confirm your Aspera service account.

If you have already installed IBM Aspera Enterprise Server, Connect Server, Point-to-Point Client or Desktop Client on your computer, there is already a user account that has been designated to run the services for Aspera products. By default, the user name for the Aspera services account is svcAspera; however, this is not a requirement and you can select a different user to run the services. When you install additional Aspera products or perform an upgrade to an existing Aspera product, you must identify the same account name and password that you set for your first Aspera product installation.

To confirm which user is designated as your Aspera service account in Windows 2003, Vista, and 7, right-click on My Computer and select Manage > Services and Applications > Services. In Windows 2008, go to the Server Manager and select Configuration > Services. The account designated for each Aspera service is listed. Please make note of this account for the installation of additional Aspera products or product upgrades. If you have forgotten your Aspera service account password or would like to change the designated Aspera service account, please follow the instructions described in Updating Aspera Service Account on page 142.

3. All versions - Stop all FASP transfer-related applications and connections.

Before upgrading the application, close the following applications and services:

• ascp connections
• SSH connections
• The SSHD service and any SSHD processes. To stop the SSHD service, go to the Computer Management window, which is accessible via Manage > Services and Applications > Services. Then, kill any SSHD processes (using the Windows Task Manager).
• The Connect Server application
• asperasync service


4. All versions - Verify the website that runs Web UI

Aspera recommends that you set up the new Connect Server Web UI on the same website that your current Web UI is running on. During the installation, you will be able to select the website to use.

To find out which web site is running Web UI, go to Control Panel > Administrative Tools > Internet Information Services (Manager). In the left panel, navigate into the (Computer name) > Web Sites. The website that runs Web UI should contain the "aspera" folder.

5. All versions - Back up the files

Depending on the version of your previous installation and the operating system, back up the files in the specified locations:

Aspera version 2.5+

Note: If you have installed the product in a different location, change the path accordingly.

32-bit Windows Default Path:

• C:\Program Files\Aspera\Enterprise Server\etc\ (Configuration files, Shared Remote Hosts)
• C:\Program Files\Aspera\Enterprise Server\var\ (Prepost scripts, Connect Server)

64-bit Windows Default Path:

• C:\Program Files (x86)\Aspera\Enterprise Server\etc\ (Configuration files, Shared Remote Hosts)
• C:\Program Files (x86)\Aspera\Enterprise Server\var\ (Prepost scripts, Connect Server)

Individual User Files' Default Path:

• <APPDATA>\Aspera\Enterprise Server\ (Individual user's remote hosts and hot folder info.)

Note: Use this command in a Command Prompt window to find out the current user's <APPDATA> path:

> echo %APPDATA%

Aspera version 2.2.x and earlier

32-bit Windows:

• C:\Program Files\Aspera\FASP\etc\ (Configuration files)
• C:\Program Files\Aspera\FASP\var\ (Prepost scripts, Connect Server)
• C:\Program Files\Aspera\Aspera Scp\etc\ (Remote Hosts and Hot Folders info)

64-bit Windows:

• C:\Program Files (x86)\Aspera\FASP\etc\ (Configuration files)
• C:\Program Files (x86)\Aspera\FASP\var\ (Prepost scripts, Connect Server)
• C:\Program Files (x86)\Aspera\Aspera Scp\etc\ (Remote Hosts and Hot Folders info)

If a previous version of Connect Server (Aspera Web) was set up and customized on your computer, back up the customized Connect Server installation in the following location and use it as a template to modify the new one:

C:\Inetpub\wwwroot\aspera\

6. Version 2.1.x - Verify Aspera's configuration file (aspera.conf) version

If you are upgrading from Connect Server version 2.1.x and have HTTP Fallback configured, you may need to modify the aspera.conf file to avoid upgrade errors. Open aspera.conf with a text editor:

Platform Path

32-bit Windows C:\Program Files (x86)\Aspera\FASP\etc\aspera.conf

64-bit Windows C:\Program Files\Aspera\FASP\etc\aspera.conf

Remove the version="2" from the opening tag <CONF>:

<CONF version="2">...

7. Version 2.2.x and earlier - Restore the saved "Remote Endpoints"

This is a post-install step.

Since 2.5, a connection (a.k.a. "endpoint") can either be shared with all users, as in previous versions, or kept exclusive to the user who created it.

When you upgrade a product 2.2.x or earlier, on the first launch of the application, existing connections will be imported only for that user. Aspera recommends you launch it as an administrator account after the upgrade, so that you can import the connections and share them with other users.

Note: When you have finished the upgrade procedure, to share the imported connections with other users, launch the application and go to Connections. Select a created connection and navigate into the Connection tab. Check Share this connection with all users on this computer for each connection to share. Refer to Managing Connections on page 40 for more information.
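The pre-install steps above (1, 2, 3, 5 and 6) can be scripted so that the version, the service account and a copy of the configuration are captured before the installer runs. The following Windows PowerShell script is an added example, not part of the Aspera guide; the backup destination C:\AsperaBackup, the -FixConfVersion switch, the service filter and the asperasync process name are assumptions, and the folders are the default locations listed in step 5.

```powershell
# Added example (not from the Aspera guide): pre-upgrade inventory and backup.
# Run in an elevated Windows PowerShell session (Get-WmiObject is not in PowerShell 7).
param(
    [string]$BackupRoot = 'C:\AsperaBackup',  # hypothetical backup destination
    [switch]$FixConfVersion                    # step 6: only when upgrading from 2.1.x
)
$ErrorActionPreference = 'Stop'
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Step 1: record the installed product name and version (ascp -A).
$ascp = Get-Command ascp -ErrorAction SilentlyContinue
if ($ascp) {
    & $ascp.Path -A | Out-File (Join-Path $dest 'ascp-version.txt')
} else {
    Write-Warning 'ascp was not found on PATH; version not recorded.'
}

# Step 2: record which account runs each Aspera service.
# Assumption: services are matched by display name or the default svcAspera account.
$services = Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -like '*Aspera*' -or $_.StartName -like '*svcAspera*' } |
    Select-Object Name, DisplayName, State, StartName
if ($services) {
    $services | Export-Csv (Join-Path $dest 'aspera-services.csv') -NoTypeInformation
    $services | Format-Table -AutoSize | Out-String | Write-Host
}

# Step 3: report transfer-related processes that are still running.
# Nothing is stopped here; 'asperasync' as a process name is an assumption.
$running = Get-Process -Name ascp, sshd, asperasync -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | ForEach-Object { $_.ProcessName } | Select-Object -Unique) -join ', '
    Write-Warning "Still running, stop before upgrading: $names"
}

# Step 5: copy every default configuration folder that exists on this machine.
$programDirs = @($env:ProgramFiles, $env:ProgramW6432, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$relative = 'Aspera\Enterprise Server\etc', 'Aspera\Enterprise Server\var',
            'Aspera\FASP\etc', 'Aspera\FASP\var', 'Aspera\Aspera Scp\etc'
$sources = @()
foreach ($root in $programDirs) {
    foreach ($rel in $relative) { $sources += Join-Path $root $rel }
}
# %APPDATA% belongs to the user running the script; repeat for other users as needed.
$sources += Join-Path $env:APPDATA 'Aspera\Enterprise Server'
$sources += 'C:\Inetpub\wwwroot\aspera'   # customized Web UI, if present

foreach ($src in $sources) {
    if (Test-Path $src) {
        # Flatten the source path into a folder name, e.g. C_Program Files_Aspera_FASP_etc
        $target = Join-Path $dest ($src -replace '[:\\]+', '_')
        Copy-Item -Path $src -Destination $target -Recurse -Force
        Write-Host "Backed up $src"
    }
}

# Step 6: remove version="2" from the opening <CONF> tag of aspera.conf.
# The untouched file is already in the backup taken above.
if ($FixConfVersion) {
    foreach ($root in $programDirs) {
        $conf = Join-Path $root 'Aspera\FASP\etc\aspera.conf'
        if (-not (Test-Path $conf)) { continue }
        $text  = [IO.File]::ReadAllText($conf)
        $fixed = [regex]::Replace($text, '<CONF\s+version="2"\s*>', '<CONF>')
        if ($fixed -cne $text) {
            [IO.File]::WriteAllText($conf, $fixed)
            Write-Host "Removed version attribute in $conf"
        }
    }
}
Write-Host "Pre-upgrade backup written to $dest"
```

Restrict access to the backup folder to administrators, since it holds the same configuration files as the live installation.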


Product Setup

A walkthrough of the setup process.

Important: If this is a product upgrade, ensure that you have reviewed all prerequisites detailed under the topic "Before Upgrading."

IBM Aspera Connect Server is a web-based file server that enables file access through a browser, and transfers files using the IBM Aspera Connect Browser Plug-in. Additionally, you can set up HTTP Fallback to establish HTTP- or HTTPS-based file transfers with clients that don't have FASP connectivity.

Important: On Windows, Connect Server uses Internet Information Service (IIS) authentication. If user names use the extended character set, both the client and server machine must be set to use the same codepage, and the client must use IE 7 or later (other browsers don't support user names using extended characters). For more information, refer to http://support.microsoft.com/kb/938418.

To install Connect Server, log into your computer with Administrator (or Domain Administrator if you are in an Active Directory environment) permissions, and follow the steps below.

1. Install Windows Internet Information Service (IIS)

The Connect Server Web UI requires Internet Information Service (IIS) 6, or IIS 7 with the IIS 6 Compatibility component. Depending on your version of Windows, IIS may not be installed by default. For instructions on installing/enabling IIS for your specific Windows OS, see the table below. Note that Windows 7, 8, and 2008 require installation of IIS 7 with the IIS 6 Compatibility component. You also need to ensure that ASP, ASP.NET, and Basic Authentication services are installed.

OS Instructions

Windows 7, 8, and Vista

Note: Requires installation of IIS 7 with the IIS 6 Compatibility component.

In Windows 7 and 8, go to the Control Panel > Programs > Turn Windows features on or off.

(Fig: Windows 7 and 8)

In Windows Vista, go to the Control Panel > Programs and Features > Turn Windows features on or off (located in the left panel).

(Fig: Windows Vista)

In the Turn Windows features on or off window, turn on the following features and click OK:

• Place a check next to Internet Information Services and then expand the tree.
• Expand the Web Management Tools tree and place a check next to IIS 6 Management Compatibility. Then, expand the IIS 6 Management Compatibility tree and place a check next to each IIS 6 component.
• Within World Wide Web Services > Application Development Features, place a check next to ASP and ASP.NET. Note that if you are running Windows 8, you can select either .NET 3.5 or .NET 4.5.
• Within World Wide Web Services > Common HTTP Features, place a check next to Static Content.
• Within World Wide Web Services > Security, place a check next to Basic Authentication.

(Fig: Windows 8)

Your computer may take a few minutes to configure itself. You can verify a successful installation by navigating to "Administrative Tools." In Windows 7 and 8, go to Control Panel > System and Security > Administrative Tools. In Windows Vista, go to Control Panel > Administrative Tools.

Within "Administrative Tools," you should see the following features:

• Internet Information Services (IIS) 6.0 Manager (or IIS6 Manager on Windows Vista)
• Internet Information Services (IIS) Manager (or IIS Manager on Windows Vista)

Windows 2008

Important: Requires installation of IIS 7 with the IIS 6 Compatibility component.

Go to Administrative Tools > Server Manager > Roles > Add Roles.

In the Add Roles Wizard, check Web Server (IIS). When checked, a popup window appears that requires you to identify features that are required for the Web server. Click Add Required Features in the popup window and click Next. Read the information on the following screen and then click Next again to proceed with adding required features.

Add the following role services as required features by checkmarking the appropriate boxes and click Next when finished.

• ASP.NET
• ASP
• Basic Authentication
• IIS 6 Management Compatibility (entire tree)

Once you read the confirmation message and click install, your server takes a few minutes to configure itself. You can verify a successful installation by navigating to your Role Summary.

Go to the Administrative Tools > Server Manager > Roles > Web Server (IIS) > Role Services.

Windows 2003

Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components (located in the left panel).

For Windows 2003, in the Windows Components Wizard window, place a checkmark next to Application Server, and click Next.

(Fig: Windows 2003)

Your computer may take a few minutes to configure itself. You can verify a successful installation by going to Control Panel > Administrative Tools. Here, you should see the Internet Information Services (IIS) Manager.

(Fig: Windows XP)


(Fig: Windows 2003)

Important: When you elect to install the Connect Server Web UI feature (as directed in the steps below), the Aspera installer automatically configures the following settings in IIS:

• Disable Anonymous Authentication
• Disable ASP.Net Impersonation
• Enable Basic Authentication

If you do not install the Connect Server Web UI feature, then the settings will not be modified.

2. Download the IBM Aspera product installer

Download the installer from the link below. Use the credentials provided to your organization by Aspera to access:

http://asperasoft.com/en/downloads/4

If you need help determining your firm's access credentials, contact Technical Support on page 173.

3. For product upgrades, ensure you have prepared your machine to upgrade to a newer version.

Although the installer for Aspera Connect Server performs your upgrade automatically, Aspera highly recommends completing the tasks identified in the topic Before Upgrading. If you do not follow these steps, you risk installation errors or losing your former configuration settings.

Warning: When upgrading from 2.7.X to 3.X on Windows, please be aware that user names for 3.X are case sensitive.

4. Open the installation package and select the setup type

After downloading, open the installation package and follow the on-screen instructions.

Important: On Windows Vista, Windows 7, or Windows 2008 with UAC (User Account Control) enabled, you must run the installer as an Administrator. To do so, right-click the installation package and select the option Run as administrator. You may be asked to enter the administrator's password to allow the installer to make changes to your computer.

After the license agreement screen, click the desired setup type. If you are upgrading from a previous version, the installer will skip this step.

Important: When installing Connect Server, you must select one of the following:

- The Complete setup type (which includes the Web UI component).


or

- The Custom setup type, along with the Connect Server Web UI component.

The following setup options are available:

Setup Type | Description
Typical | Install the standard Enterprise Server without Web UI.
Custom | Select the features and the path to install.
Complete | Install all features, including an SSH Server (OpenSSH) and the Connect Server Web UI. To proceed with this option, ensure that IIS has already been installed on your Windows OS (see Step 1, above).

Important: When you elect to install the Connect Server Web UI feature, the Aspera installer automatically configures the following settings in IIS:

• Disable Anonymous Authentication
• Disable ASP.Net Impersonation
• Enable Basic Authentication

If you do not install the Connect Server Web UI feature, the settings are not modified.

Note: If your system has an existing SSH service installed (such as Cygwin), select the Custom setup type and deselect SSH Server to avoid conflicts. For assistance, contact Technical Support on page 173.

5. Select features and install path (Custom setup type)

If you selected the custom setup type, you will see the two additional steps during installation, as follows:

Check the features to install. If you wish to configure your own SSH Server for FASP transfers, deselect the SSH Server (so that the OpenSSH Service is not installed). Check the Connect Server Web UI only if you have a Connect Server license and you have installed IIS, as described in Step 1, above.


Select the destination folder for the installation. Under Install this application for:, choose between Anyone who uses this computer (all users) to allow access for all system users, or Only for me to allow only your user account to use the application.

6. Set up Aspera service account

On Windows Vista, 2003, 2008, and 7, the installer prompts you to create or update an Aspera service account that runs the services for Aspera products. These services include the following:

• Aspera Central
• OpenSSH Service (optional)
• Aspera NodeD
• Aspera HTTPD
• Aspera Sync

By default, the user name is svcAspera. If your machine is not joined to a Windows domain, then a local user (such as the default svcAspera) is all that is required to run Aspera services. If your machine is already joined to a domain, or you need to support requirements #2 and/or #3 below, then the type of account specified will vary. Please refer to the following table:

No. | Requirement | Type of Service Account User
1 | Provision local transfer users only. | Local account. Domain account with local admin privileges can be used, but is not required.
2 | Provision Active Directory accounts for transfer users (users who wish to transfer with your server are authenticated through Active Directory). | Domain account with local admin privileges.
3 | Transfer users store files on a remote file system (not on your server machine), such as an SMB file share. | Domain account with local admin privileges. In some cases, additional actions are required to support this requirement. Please see the Aspera knowledgebase or contact Aspera Technical Support for assistance.

If the server is configured to accept the domain user login, use a domain account that has been added to the local administrator's group to run the services. You must create this domain account on your Domain Controller first.


If the local account does not already exist, enter new credentials and click Next. If the account already exists (for example, if created for the previous installation), enter the account password and click Next. If the existing user's password you have entered is incorrect, or you wish to change the Aspera service user, refer to Updating Aspera Service Account on page 142.

If you are entering details for a domain account, then the user name must be in the form "[email protected]." Please refer to the example below.

7. Select a website for the Connect Server Web UI

During IIS installation, a default Web site configuration is created on your Web server (for example, "Default Web Site (ID:1)"). You may have elected to use this default directory to publish your Web content, or you may have created a directory at a file system location of your choice. In this step, select the website (default or other) that you created for the Connect Server Web UI.


Note: If you are upgrading Connect Server from a previous version, Aspera recommends you select the same website that your current Web UI is running on.

8. Install the license

When installation is finished, launch the application to add or update the license. Go to:

Start Menu > All Programs > Aspera > Enterprise Server > Enterprise Server

If this is a fresh install, an Enter License window appears. Either click Import License File and select the license file, or Paste License Text to copy-and-paste the license file's content. When finished, the license information appears in the window. Verify that it is correct and click Close.

/opt/aspera/etc/aspera-license

When finished, save and close the file. To verify the license info, run the following command:

If you are updating your product license after the installation, see Updating the Product License on page 148.

9. (Optional) Configure SSL

For instructions on generating an Internet Server Certificate for IIS 6 (Windows 2003) or IIS 7 (Windows Vista, 2008, 7), see Generate an Internet Server Certificate (IIS) on page 143.

10. (For upgrades) Check aspera.conf for errors

When upgrading your Aspera product to a newer version, it is recommended that you check the aspera.conf configuration file for errors. Run the following command in a Command window to validate aspera.conf:

Platform | Command
32-bit Windows | "C:\Program Files\Aspera\Enterprise Server\bin\asuserdata" -v
64-bit Windows | "C:\Program Files (x86)\Aspera\Enterprise Server\bin\asuserdata" -v

11. Troubleshooting

Problem | Description
Installer freezes | You may have another Aspera product running on your computer. To stop all FASP transfer-related applications and connections, see Before Upgrading on page 6.
"Error 1721" | If you are upgrading to the latest version and see "Error 1721" regarding the installer package, the installer may be having difficulty removing the previous installation (2.2.1). For details, see Uninstall Version 2.2.1 for Upgrade on page 170.

12. Set up your new Connect Server's Web UI (or verify your Web UI settings after an upgrade).

At this point, your IBM Aspera transfer product is installed; however, additional steps are required to configure the Web UI. For information on configuring the Web UI, see "Connect Server Web UI Setup".

Configuring the Firewall

Firewall settings required by the product.

Your Aspera transfer product requires access through the ports listed in the table below. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions accordingly.

Product | Firewall Configuration

Connect Server | An Aspera server runs one SSH server on a configurable TCP port (33001 by default).

Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server on page 22 for detailed instructions on changing your SSH port.

Your firewall should be configured as follows:

• Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server on page 22 for details.

• Allow inbound connections for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.

• If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).

• For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443).

• For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443).

The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients, the Windows operating system does not allow the Aspera FASP protocol to reuse the same UDP port for multiple connections. Thus, if you have multiple concurrent clients and your Aspera server runs on Windows, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent FASP transfers, allow inbound traffic from UDP/33001 to UDP/33010.

Client | Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case. In the special case of firewalls disallowing direct outbound connections, typically using proxy servers for Web browsing, the following configuration applies:

• Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems).

• Allow outbound connections from the Aspera client on the FASP UDP port (33001, by default).

• If you have a local firewall on your server (like Windows Firewall), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).

Important: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two or more user accounts cannot connect to a Mac OS X or FreeBSD Aspera server on the same UDP port. If connecting to these servers, you will need to allow a range of outbound connections from the Aspera client (that have been opened incrementally on the server side, starting at UDP/33001). For example, you may need to allow outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.

Important: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting up Vlinks, please refer to the topic Setting Up Virtual Links on page 93.

Securing your SSH Server

Secure your SSH server to prevent potential security risks.

Introduction

Keeping your data secure is critically important. Aspera strongly recommends you take additional steps in setting up and configuring your SSH server so that it is protected against common attacks. Most automated robots will try to log into your SSH server on Port 22 as Administrator, with various brute force and dictionary combinations in order to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform thousands of retries to break into your system. This topic addresses steps to take in securing your SSH server against potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.

Why Change to TCP/33001?

It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, we recommend using TCP/33001.

Please note that your Aspera transfer product ships with OpenSSH listening on both TCP/22 and TCP/33001. As such, Aspera recommends only exposing TCP/33001 through your organization's firewall and disabling TCP/22.

Note: Remote Aspera application connections attempt to establish an SSH connection using the default port 33001. However, if the connection fails, the application attempts the connection using port 22.

The following explains how to change the SSH port to 33001 and take additional steps for securing your SSH server. The steps all require Administrator access privileges.

1. Locate and open your system's SSH configuration file

Open your SSH configuration file with a text editor. You will find this file in the following system location:

OS Version | Path
32-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\sshd_config
64-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config

2. Add new SSH port

Note: Before changing the default port for SSH connections, please verify with your network administrators that TCP/33001 is open.

The OpenSSH suite included in the installer uses TCP/22 and TCP/33001 as the default ports for SSH connections. Aspera recommends disabling TCP/22 to prevent security breaches of your SSH server.

Note: When changing the SSH port, you must also update the SshPort value in the <WEB...> section of aspera.conf. Please refer to Configuring your Web UI Settings for details.

Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable Port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment out Port 22 in your sshd_config file.

...
#Port 22
Port 33001
...

Note: Aspera recognizes that disabling the default SSH connection port (TCP/22) may affect your client users. When you change the port, ensure that you advise your users on configuring the new port number. Basic instructions for specifying the SSH port for FASP file transfers can be found below. To change the SSH port for Aspera Client, click Connections on the main window, and select the entry for your computer. Under the Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.

To make an impromptu connection to TCP/33001 during an ascp session, specify the SSH port (33001) with the -P (capital P) flag. Please note that this command does not alter ascp or your SSH server's configuration.

> ascp -P 33001 ...


3. Disable non-admin SSH tunneling

Note: The instructions below assume that OpenSSH 4.4 or newer is installed on your system. For OpenSSH 4.4 and newer versions, the "Match" directive allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. If you are running an OpenSSH version older than 4.4, the "Match" directive will not be available and Aspera recommends updating to the latest version.

In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks, so that only users in the Administrators group are allowed to tunnel. To disable non-admin SSH tunneling, open your SSH Server configuration file, sshd_config, with a text editor.

Add the following lines to the end of the file (or modify them if they already exist):

...
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes

Depending on your sshd_config file, you may have additional instances of AllowTcpForwarding that are set to the default Yes. Please review your sshd_config file for other instances and disable as appropriate.

4. Update authentication methods

Public key authentication can prevent brute force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.

...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...

Note: If you choose to leave password authentication enabled, be sure PermitEmptyPasswords is set to "no".

PermitEmptyPasswords no
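
The following check for steps 2 to 4 is an added example, not part of the Aspera documentation. It reads an sshd_config and reports which settings are not in effect, assuming stock OpenSSH behavior (the first value read for a keyword wins, and a Match block runs to the next Match line or the end of the file); both sample files are constructed.

```python
import re

# Stock OpenSSH defaults, used when a keyword is absent (assumption: the
# bundled OpenSSH build keeps them).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitemptypasswords": "no", "allowtcpforwarding": "yes"}

# Constructed sample: the settings from steps 2 to 4 applied cleanly.
HARDENED = """\
#Port 22
Port 33001
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes
"""

# Constructed sample: new lines appended below old ones. The earlier
# "AllowTcpForwarding yes" still wins, and "PasswordAuthentication no"
# landed inside the Match block, so it applies to Administrators only.
APPENDED = """\
Port 22
Port 33001
AllowTcpForwarding yes
PasswordAuthentication yes
AllowTcpForwarding no
Match Group Administrators
AllowTcpForwarding yes
PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_opts, blocks).

    global_opts maps a lowercased keyword to its values in file order;
    blocks is a list of (criteria, opts) pairs, one per Match block.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, []).append(value)
    return global_opts, blocks

def first_value(opts, key):
    """The value sshd would use: the first one read, else the default."""
    return opts.get(key, [DEFAULTS[key]])[0].lower()

def audit(text):
    """Return a list of findings; an empty list means steps 2 to 4 hold."""
    opts, blocks = parse_sshd_config(text)
    findings = []
    ports = opts.get("port", ["22"])  # sshd listens on 22 if no Port line
    if "22" in ports:
        findings.append("Port 22 is still enabled")
    if "33001" not in ports:
        findings.append("Port 33001 is not enabled")
    if first_value(opts, "allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding is not 'no' in the global section")
    if first_value(opts, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if first_value(opts, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' in the global section")
    if first_value(opts, "permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    for criteria, block in blocks:
        is_admins = criteria.lower().split() == ["group", "administrators"]
        if (not is_admins and "allowtcpforwarding" in block
                and first_value(block, "allowtcpforwarding") != "no"):
            findings.append("Match %s re-enables AllowTcpForwarding" % criteria)
    return findings

if __name__ == "__main__":
    for name, sample in (("HARDENED", HARDENED), ("APPENDED", APPENDED)):
        print(name, audit(sample) or "no findings")
```

To check a real server, pass the contents of the sshd_config file from step 1 to audit().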

5. Restart the SSH server to apply new settings

When you have finished updating your SSH server configuration, you must restart the server to apply your new settings. Restarting your SSH server will not impact currently connected users. To restart your SSH Server, go to Control Panel > Administrative Tools > Services. Locate the OpenSSH Service and click Restart.

6. Restrict user access

Restricting user access is a critical component of securing your server. When a user's docroot is empty (i.e. blank), that user has full access to your server's directories and files. To restrict the user, you must set a non-empty docroot, which automatically changes the user's shell to aspshell (Aspera shell). You can do so from the product GUI by going to Configuration > Users > Docroot > Absolute Path. Input a path in the blank field and ensure that Override is checked.

Once you have set the user's docroot, you can further restrict access by disabling read, write and/or browse. You may do so via the product GUI (as shown in the screenshot above).

Field | Description | Values
Absolute Path | The area of the file system (i.e. path) that is accessible to the Aspera user. The default empty value gives a user access to the entire file system. | Path or blank
Read Allowed | Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value. | true / false
Write Allowed | Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value. | true / false
Browse Allowed | Setting this to true allows users to browse the directory. | true / false

7. Review your logs periodically for attacks

Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Launch Control Panel > Administrative Tools > Event Viewer. To see only SSH Server events, select View > Filter... to bring up the filter settings. In Application Properties > Filter tab, select sshd in the Event source menu to display only SSH Server events. You may also apply other conditions when needed.

With a filter applied, you can review the logs in the Event Viewer main window, or select Action > Save Log File As... to export a log file using .txt or .csv format.

Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...

If you have identified attacks:

• Double-check the SSH security settings in this topic.
• Report the attacker to your ISP's abuse email (e.g. abuse@your-isp).
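
The log review in step 7 can be scripted over an exported log file. This is an added example, not part of the Aspera documentation: it groups "Failed password for invalid user" lines by source address and reports addresses that tried several different user names. It assumes the exported lines contain the sshd message text in the form shown above; the sample lines and the threshold of three names are constructed.

```python
import re
from collections import OrderedDict

# Matches the message text shown in step 7, wherever it sits in the line.
FAILED = re.compile(r"Failed password for invalid user (\S+) from (\S+) port \d+")

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 192.0.2.10 port 1585 ssh2
Mar 10 18:48:05 sku sshd[1496]: Failed password for invalid user alice from 192.0.2.10 port 1586 ssh2
Mar 10 18:48:09 sku sshd[1496]: Failed password for invalid user bob from 192.0.2.10 port 1587 ssh2
Mar 10 18:48:12 sku sshd[1496]: Failed password for invalid user bob from 192.0.2.10 port 1588 ssh2
Mar 10 18:50:41 sku sshd[1496]: Failed password for invalid user backup from 203.0.113.5 port 40112 ssh2
Mar 10 18:51:00 sku sshd[1496]: Accepted publickey for svcAspera from 198.51.100.7 port 50222 ssh2
""".splitlines()

def suspicious_sources(lines, min_users=3):
    """Return {address: summary} for addresses that tried at least
    min_users different invalid user names.

    Each summary holds the number of failed attempts, the distinct user
    names in the order first seen, and whether that order is alphabetical
    (the dictionary-style pattern step 7 describes).
    """
    seen = OrderedDict()
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        user, addr = match.groups()
        entry = seen.setdefault(addr, {"attempts": 0, "users": []})
        entry["attempts"] += 1
        if user not in entry["users"]:
            entry["users"].append(user)
    report = {}
    for addr, entry in seen.items():
        if len(entry["users"]) >= min_users:
            entry["alphabetical"] = entry["users"] == sorted(entry["users"])
            report[addr] = entry
    return report

if __name__ == "__main__":
    for addr, info in suspicious_sources(SAMPLE_LOG).items():
        print(addr, info)
```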

8. Set up transfer server authentication

For transfers mediated by a web application, the client browser sets up the context for the transfer using an HTTPS connection to the server, and then delegates the transfer to the Aspera FASP engine. The FASP engine then connects to the transfer server. In so doing, it needs to ensure the server's authenticity in order to protect the client against server impersonation and man-in-the-middle (MITM) attacks.

To verify the authenticity of the transfer server, the web app passes the client a trusted SSH host key fingerprint of the transfer server. When connecting to the transfer server, the client confirms the server's authenticity by comparing the server's fingerprint with the trusted fingerprint.

To configure transfer server authentication, open the transfer server's aspera.conf file:

C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\aspera.conf

Locate the <server> section, and add the <ssh_host_key_fingerprint> option.


• <ssh_host_key_fingerprint>

<ssh_host_key_fingerprint>fingerprint</ssh_host_key_fingerprint>

To retrieve the SSH fingerprint, locate the transfer server's public or private key, and run the following command on a Linux, Mac, or other UNIX computer:

# cd /etc/ssh
# cat ssh_host_rsa_key.pub | cut -d' ' -f2 | base64 -d | sha1sum | cut -d' ' -f1

The following is an example SSH fingerprint:

43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

By convention, Aspera uses a hex string without the colons ( : ). For example:

435143a1b5fc8bb70a3aa9b10f6673a8

The aspera.conf setting for this key would then be as follows:

<ssh_host_key_fingerprint>435143a1b5fc8bb70a3aa9b10f6673a8</ssh_host_key_fingerprint>

After modifying aspera.conf, be sure to restart the node service by running asperanoded:

> sc stop asperanoded
> sc start asperanoded
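
The fingerprint handling in step 8 can be reproduced in a few lines. This is an added example, not Aspera's code: it computes the same SHA-1 digest as the command above from a public key line, formats the aspera.conf element, and performs the comparison the client side is described as making. The function names and the key line are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """Length-prefixed byte string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed stand-in for the contents of ssh_host_rsa_key.pub (not a real key).
BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
        + ssh_string(b"\x00" + bytes(range(1, 33))))
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(BLOB).decode() + " constructed@example"

def host_key_fingerprint(pubkey_line):
    """SHA-1 hex digest of the decoded key blob (field 2 of the line),
    which is what `cut -f2 | base64 -d | sha1sum` produces."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob starts with its own algorithm name; it must match field 1,
    # otherwise the wrong field or a damaged line is being hashed.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key blob does not match declared type " + key_type)
    return hashlib.sha1(blob).hexdigest()

def normalize(fingerprint):
    """Aspera's convention: a hex string without the colons."""
    return fingerprint.replace(":", "").strip().lower()

def conf_element(fingerprint):
    """The <server> option to place in aspera.conf."""
    return ("<ssh_host_key_fingerprint>%s</ssh_host_key_fingerprint>"
            % normalize(fingerprint))

def server_is_trusted(trusted_fingerprint, presented_pubkey_line):
    """Compare the trusted fingerprint with the fingerprint of the key the
    server presents, in constant time."""
    presented = host_key_fingerprint(presented_pubkey_line)
    return hmac.compare_digest(normalize(trusted_fingerprint), presented)

if __name__ == "__main__":
    print(conf_element(host_key_fingerprint(SAMPLE_PUBKEY_LINE)))
```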

Testing a Locally Initiated Transfer

Test client functionality by transferring to and from the Aspera Demo Server.

To make sure the software is working properly, follow these steps to test download and upload transfers between your system and the Aspera Demo Server:

1. Add the Demo Server in the Connection Manager

Launch the application: Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server.

Then click Connections.

Note: This topic shows a very basic configuration to establish a connection. For more detailed instructions about Connections, refer to Managing Connections on page 40.

In the Connection Manager, click to add a new connection, and enter the following info, leaving other options with default values or blank:

Field | Value
Host | demo.asperasoft.com
User | aspera
Authentication (Password) | demoaspera

2. Test your connection to the remote server

Click Test Connection to determine whether you can reach the remote server with the settings you configured. An alert box opens and reports whether the connection is successful.

3. Connect to the Demo Server and download test files

From the main window, select the demo server entry and click the Connect button.

On the server file browser (right panel), browse to the folder /aspera-test-dir-large, select the file 100MB, and click to download it to your local machine.

You should see the session appear in the Transfer tab.

4. Upload to the Demo Server

When downloaded, try uploading the same files back to the Demo Server. Select the same file (100MB) on the local file browser (left panel), navigate to the folder /Upload on the server, and click to upload it.


Connect Server Web UI Setup

Configure the server's Web UI settings and appearance.

Configuring your Web UI Settings

Configure Connect Server's Web UI transfer settings by updating aspera.conf

The instructions below describe the process of configuring IBM Aspera Connect Server's Web UI transfer settings by updating aspera.conf.

1. Locate and open aspera.conf

To configure Connect Server's Web UI transfer settings, locate aspera.conf and open it with a text editor:

OS Version | File Location
32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf

2. Additionally, open Aspera's sample Web UI configuration file

Locate and open Aspera's sample Web UI configuration file, which can be found in the following directory:

OS Version | File Location
32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\samples\aspera-web-sample.conf
64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\samples\aspera-web-sample.conf

3. Modify the <WEB> section inside the sample Web UI configuration file and copy it into aspera.conf

Locate the <WEB> section and modify it based on your requirements. Then, copy the <WEB> section into aspera.conf.

<CONF version="2">
...
<WEB SshPort = "33001"
     UdpPort = "33001"
     PathMTU = "0"
     HttpFallback = "no"
     HttpFallbackPort = "8080"
     HttpsFallbackPort = "8443"
     EnableDelete = "yes"
     EnableCreateFolder = "yes"
     AsperaServer = ""
     EnableUserSwitching = "no"
     HideRestrictedFolders = "yes"
     EnableSortByName = "false"
     EnableConnectUpdates = "yes"
/>
</CONF>

Important: The default configuration example, above, assumes you are using TCP/33001 as your SSH port.


The table below provides descriptions of all Web UI configuration options.

Field | Description | Values | Default
SshPort | The TCP port for SSH transfer communication. | integer between 1 and 65535 | 33001
UdpPort | The UDP port for FASP file transfer. | integer between 1 and 65535 | 33001
PathMTU | Sets the maximum packet size for file transmission. When using the value "0", FASP will automatically set the appropriate value for the network within this value. | integer between 296 and 10000 | 0
HttpFallback | Use HTTP Fallback transfer when UDP-port transfer fails. | yes / no | no
HttpFallbackPort | The TCP port for HTTP Fallback transfer. | integer between 1 and 65535 | 8080
HttpsFallbackPort | The TCP port for HTTPS Fallback transfer. | integer between 1 and 65535 | 8443
EnableDelete | When set to "yes" (default), users with the appropriate permissions can delete files and folders within the Web UI. | yes / no | yes
EnableCreateFolder | When set to "yes" (default), users with the appropriate permissions can create new folders using the "New Folder" button within the Web UI. Note: The user can still upload a new folder even if "EnableCreateFolder" is set to "no." | yes / no | yes
AsperaServer | To use this computer solely for the Connect Server Web UI (and not for file transfers), enter the IP address or host name of the transfer server machine in this field. In the case of a high-availability or clustered setup, this value should be the IP address or host name of the VIP (where the VIP/cluster service/load balancer will manage the transfer servers). Once added, Connect Server allows the user to transfer to and from the file system on the indicated transfer server machine. | The IP address or host name of the transfer server machine | unspecified (transfer using local machine)
MinimumConnectVersion | Specifies the minimum version of Connect that must be installed in order for users to be able to use Connect Server. If the minimum version is not installed, a message is displayed that indicates the minimum version required and provides a download link. This option takes the value in the format of the Aspera Connect version, for example, "3.0.0.12345". Note: The default value for this setting is also the lowest allowable value. If the value specified is below the default value, the Web UI enforces the default value. | Version number | 2.8.0.0
EnableUserSwitching | This option enables a feature that allows a user to switch to a different user account. When set to "yes", a Change User button is added to the web page in the upper-right corner. Note that the feature only allows users to log in to a different account than the one they are exiting. This is currently an experimental feature. Note: On Windows Connect Server, unicode user names are not supported. | yes / no | no
HideRestrictedFolders | Hide folders that the user doesn't have permission to read. When set to "no", the user can see all folders, and may encounter an error when trying to access inaccessible folders. | yes / no | no
EnableSortByName | When the value is "true," files are sorted into a given order before being listed on the Connect Server Web UI. Important: We recommend that you keep the default setting of "false." If you browse a directory that contains numerous files, then browsing performance may be impacted due to the extra sorting that needs to occur. | true / false | false
EnableConnectUpdates | When the value is "yes," the Connect Server Web UI will display a prompt to upgrade the Connect browser plugin when an upgrade is available. When set to "no," this prompt will no longer appear, except for mandatory upgrades when the minimum version requirement for Connect is not met. This setting does not affect the installation message that appears when Connect is not installed. | yes / no | yes

4. Restart Aspera HTTPD

You may restart Aspera HTTPD within the Computer Management window, which is accessible via Manage > Services and Applications > Services.

Customize your Web UI's Appearance

Customize Connect Server's Web UI header and footer

To customize Connect Server's Web UI header and footer, locate the following header and footer files:

OS Version | File Location
32-bit Windows | Header - C:\Program Files\Aspera\Enterprise Server\var\www\user\aspdir-header.html
32-bit Windows | Footer - C:\Program Files\Aspera\Enterprise Server\var\www\user\aspdir-footer.html
64-bit Windows | Header - C:\Program Files (x86)\Aspera\Enterprise Server\var\www\user\aspdir-header.html
64-bit Windows | Footer - C:\Program Files (x86)\Aspera\Enterprise Server\var\www\user\aspdir-footer.html

Once you have modified your header/footer file(s), save them in the custom directory, as shown below.

OS Version | File Location
32-bit Windows | Header - C:\Program Files\Aspera\Enterprise Server\custom\www\aspdir-header.html
32-bit Windows | Footer - C:\Program Files\Aspera\Enterprise Server\custom\www\aspdir-footer.html
64-bit Windows | Header - C:\Program Files (x86)\Aspera\Enterprise Server\custom\www\aspdir-header.html
64-bit Windows | Footer - C:\Program Files (x86)\Aspera\Enterprise Server\custom\www\aspdir-footer.html

Alternatively, you can integrate Aspera transfers into a custom web application. For more information, refer to Aspera Developer Network - Aspera Web.

Configuring HTTP and HTTPS Fallback

Configure HTTP/HTTPS Fallback using the Connect Server GUI or aspera.conf.

HTTP Fallback serves as a secondary transfer method when the Internet connectivity required for Aspera accelerated transfers (UDP port 33001, by default) is unavailable. When HTTP Fallback is enabled and UDP connectivity is lost or cannot be established, the transfer will continue over the HTTP (or HTTPS) protocol. The instructions below walk through the process of setting up HTTP/HTTPS fallback. For additional information on configuring different modes and testing, see the Aspera KB Article "HTTP fallback configuration, testing and troubleshooting."

1. Turn on HTTP/HTTPS Fallback.

These instructions assume that you have already configured your Connect Server's Web UI, as documented in the topic "Connect Server Web UI Settings." If you have not done so, please review that topic before proceeding. To turn on HTTP/HTTPS Fallback, you must edit the <WEB/> section of aspera.conf. This configuration file can be found in the following directory:

OS Version File Location

32-bit Windows C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf

64-bit Windows C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf

If you do not see the <WEB/> section, you will need to copy it from the file aspera-web-sample.conf, as described in "Connect Server Web UI Settings." Within the <WEB/> section, locate and confirm the following entries:

<WEB ...
    HttpFallback = "yes"         <!-- Yes to turn on; No to turn off -->
    HttpFallbackPort = "8080"    <!-- Default: 8080 -->
    HttpsFallbackPort = "8443"   <!-- Default: 8443 -->
/>

If you modify aspera.conf, run the following command (from Enterprise Server's bin directory) to validate your updated configuration file:

> "C:\{Program Files or Program Files (x86)}\Aspera\Enterprise Server\bin\asuserdata" -v

2. Configure HTTP/HTTPS Fallback settings.

You can configure HTTP/HTTPS Fallback either in the Connect Server GUI or in aspera.conf. To edit your settings, launch Connect Server and go to Configuration > Global (tab in left pane) > HTTP Fallback (tab in right pane).

Review the following settings:

• Set Enable HTTP to true.
• If you want to allow fallback over HTTPS, set Enable HTTPS to true.
• Verify that the value shown for HTTP Port matches that which is displayed in the aspera.conf file, under the <WEB/> section (default: 8080). Refer to Step 1 for additional information.
• (If applicable) Verify that the value shown for HTTPS Port matches that which is displayed in the aspera.conf file, under the <WEB/> section (default: 8443). Refer to Step 1 for additional information.

3. Review additional HTTP Fallback settings.

Additional HTTP Fallback settings can be found under the Connect Server GUI's HTTP Fallback tab:

# Field Description Values Default

1 Cert File: The absolute path to an SSL certificate file. If left blank, the default certificate file that came with Enterprise Server is used. Values: file path. Default: blank.

2 Key File: The absolute path to an SSL key file. If left blank, the default certificate file that came with your Aspera Enterprise Server will be used. Values: file path. Default: blank.

3 Bind Address: This is the network interface address on which the HTTP Fallback server listens. The default value 0.0.0.0 allows the HTTP Fallback server to accept transfer requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified. Values: valid IPv4 address. Default: 0.0.0.0.

4 Restartable Transfers: Setting this to true allows interrupted transfers to resume at the point of interruption. Values: true, false. Default: true.

5 Session Activity Timeout: Any value greater than 0 sets the amount of time, in seconds, that the HTTP Fallback server will wait without any transfer activity before canceling the transfer. Notice that this option cannot be left at 0, otherwise interrupted HTTP Fallback sessions will get stuck until server or asperacentral is restarted. Values: positive integer. Default: -

6 HTTP Port: The port on which the HTTP server listens. Valid port numbers range between 1 and 65535. Values: positive integer. Default: 8080.

7 HTTPS Port: The port on which the HTTPS server listens. Valid port numbers range between 1 and 65535. Values: positive integer. Default: 8443.

8 Enable HTTP: Enables the HTTP Fallback server that allows failed UDP transfers to continue over HTTP. Values: true, false. Default: false.

9 Enable HTTPS: Enables the HTTPS Fallback server that allows failed UDP transfers to continue over HTTPS. Values: true, false. Default: false.

4. Specify a token encryption key.

The token encryption key is the secret text string that is used to authorize transfers configured to require a token.

Note: If HTTP/HTTPS fallback is enabled, a token encryption key is required. If HTTP/HTTPS is configured without the encryption key, initiating a transfer with the download button generates the following error:

Error: internal error - unable to start token generation

You can specify a token encryption key from the Enterprise/Connect Server GUI or in aspera.conf. To configure your token encryption key within the GUI, launch your Enterprise/Connect Server application and click Configuration. Go to Global > Authorization, check the option Token Encryption Key and enter a key string of your choice (in the example below, the string "secret").

To specify the token encryption key in aspera.conf, open the file with a text editor, and add or update the authorization section's encryption_key (the example below uses the string "secret"; however, it can be any string):

Important: After changing your Aspera token settings (either via aspera.conf or the GUI), you must restart Aspera HTTPD. For instructions, see the final step in this topic.

5. Restart Aspera Central and Aspera HTTPD to apply new settings.

To restart Aspera HTTPD and Aspera Central, go to the Computer Management window, which is accessible via Manage > Services and Applications > Services.
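
A consistency and hardening check for the settings covered in Steps 1 to 4, as an added example (not part of the Aspera documentation or product). It compares the <WEB/> attributes from Step 1 with values read from the GUI tabs; the <CONF> wrapper, the dictionary keys, the sample values and the 16-character minimum key length are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the <WEB/> attributes shown in Step 1 (the <CONF> wrapper is assumed).
SAMPLE_CONF = """<CONF version="2">
  <WEB HttpFallback="yes" HttpFallbackPort="8080" HttpsFallbackPort="8443"/>
</CONF>"""

# Constructed sample: values an administrator reads off the HTTP Fallback and Authorization tabs.
SAMPLE_GUI = {
    "Enable HTTP": "true", "Enable HTTPS": "true",
    "HTTP Port": "8080", "HTTPS Port": "9443",
    "Bind Address": "0.0.0.0", "Session Activity Timeout": "0",
    "Token Encryption Key": "secret",
}

# Constructed sample of a tightened configuration (address and key are placeholders).
HARDENED_GUI = {
    "Enable HTTP": "false", "Enable HTTPS": "true",
    "HTTP Port": "8080", "HTTPS Port": "8443",
    "Bind Address": "192.0.2.10", "Session Activity Timeout": "30",
    "Token Encryption Key": "constructed-placeholder-key-0123456789",
}


def _on(value):
    """Interpret the yes/true spellings used in aspera.conf and the GUI."""
    return str(value).strip().lower() in ("yes", "true")


def _port(value):
    """Return the port as an int if it is within 1..65535, otherwise None."""
    text = str(value).strip()
    return int(text) if text.isdigit() and 1 <= int(text) <= 65535 else None


def audit_fallback(conf_xml, gui, min_key_len=16):
    """Return (code, message) findings; min_key_len is an assumed local policy."""
    web = next(ET.fromstring(conf_xml).iter("WEB"), None)
    if web is None:
        return [("web-section-missing", "copy <WEB/> from aspera-web-sample.conf")]
    http_on, https_on = _on(gui.get("Enable HTTP")), _on(gui.get("Enable HTTPS"))
    findings = []
    if not _on(web.get("HttpFallback", "no")):
        if http_on or https_on:
            findings.append(("fallback-mismatch", "GUI enables fallback but HttpFallback is off"))
        return findings
    if not (http_on or https_on):
        findings.append(("no-listener-enabled", "HttpFallback is on but neither server is enabled"))
    # Step 2: each enabled server's GUI port must match the <WEB/> attribute.
    for scheme, enabled, attr, field in (
        ("http", http_on, "HttpFallbackPort", "HTTP Port"),
        ("https", https_on, "HttpsFallbackPort", "HTTPS Port"),
    ):
        if not enabled:
            continue
        conf_port, gui_port = _port(web.get(attr, "")), _port(gui.get(field, ""))
        if conf_port is None or gui_port is None:
            findings.append((scheme + "-port-invalid", "ports must be between 1 and 65535"))
        elif conf_port != gui_port:
            findings.append((scheme + "-port-mismatch", f"{attr}={conf_port} but {field}={gui_port}"))
    if http_on:
        findings.append(("cleartext-http",
                         "fallback over HTTP is unencrypted, and content protection is not applied on fallback"))
    # Step 3: a timeout of 0 (or unset) leaves interrupted sessions stuck.
    timeout = str(gui.get("Session Activity Timeout", "")).strip()
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append(("timeout-zero", "interrupted sessions stay stuck until a restart"))
    # Step 4: fallback requires a token encryption key; reject the documentation sample.
    key = gui.get("Token Encryption Key", "")
    if not key:
        findings.append(("token-key-missing", "fallback requires a token encryption key"))
    elif key.lower() == "secret" or len(key) < min_key_len:
        findings.append(("token-key-weak", "replace the documentation sample or short key"))
    if gui.get("Bind Address", "0.0.0.0").strip() == "0.0.0.0":
        findings.append(("bind-all-interfaces", "fallback server listens on every interface"))
    return findings


if __name__ == "__main__":
    for code, message in audit_fallback(SAMPLE_CONF, SAMPLE_GUI):
        print(f"{code}: {message}")
```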

Testing Web UI

Test Aspera Connect client transfers through Web UI.

Follow the steps below to test your client transfers through the Web UI.

Note: The instructions require steps to be taken on both the Connect Server system and a client computer. Make sure you are performing the steps on the specified machine.

1. Clients: Test the connection to the Web UI

To test your connection to the Connect Server Web UI, go to the following address with a client computer's browser:

Scope URL

HTTP http://server-ip-or-name/aspera/user

HTTPS https://server-ip-or-name/aspera/user

2. Connect Server: Set up a test user account

Prepare a system user (asp1), and add the user to Connect Server with the specified docroot. Launch the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and click Configuration.

In the Server Configuration, select the Users tab and click . Enter the system user's name (asp1).

Select the user's Docroot tab, check Absolute Path and enter or select an existing path as the user's docroot (for example, C:\sandbox\asp1). Set all other options true. Click OK or Apply when finished.

Note: On the operating system, the system user should have read and write permissions to its docroot.

Note: Use the -c option only if this is the first time running htpasswd to create the webpasswd file. Do not use the -c option otherwise.

3. Client: Test the Web UI with the client machine

Prepare a client computer with the supported OS and browser to test connecting to the Web UI. See the Introduction on page 5 for supported platform and browser. Browsing the Web UI from the client machine, you should see the Aspera Connect browser plugin installation instruction on the web page. Click either Install Now or Download Aspera Connect and follow the instructions.

In the Web UI, click Upload and select one or more files to send to Connect Server. When finished, select the uploaded files on the Web UI, and click Download.

Note:

When adding files to the Web UI, do not use the following characters in the filenames:

/ \ " : ' ? > < & * |

For further information about the Aspera Connect browser plugin, see the Aspera Connect User Guide.

If you are having difficulties establishing FASP transfers using the Web UI, see Clients Can't Establish Connection on page 165.

Transferring Files with the Application

Using the desktop application to transfer files.

Application Overview

Desktop application overview.

To launch the application, go to Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server .

Note: The Configuration button shown in the screenshots below is only enabled when the application is run as an Administrator.

Item Description

A The transfer mode. Reveal the local/remote file browsers.

B The transfer details mode. Show the selected transfer session's details and the transfer control options.

C Bring up the Connection Manager window to manage the remote endpoints.

D Bring up the Server Configuration window to configure the computer's FASP transfer settings.

E Set the local computer's default transfer settings such as the FASP global bandwidth and the number of simultaneous transfers in the queue, and the SMTP server's information for transfer notifications.

F Browse the local file system to find files to transfer.

G When not connected, this panel lists the saved connections. When connected, it becomes the remote file browser.

H Display previous, ongoing, and queued transfers. Manage the priority.

I Display all configured Hot Folders. Start or manage Hot Folders.

All options in the File Browser, including the file browser's contextual menu (Mouse right-click):

Item Description

A Path indicator/selector.

B Go to the parent directory.

C Create a new folder, or set up a Hot Folder.

D Choose between the list views and the detail view.

E Create a new folder, or set up a Hot Folder.

F Bring up the advanced upload or download window.

G Decrypt the selected file if it is encrypted with the content protection.

H Choose between the detail or the list views. Refresh the folder.

I Options to manipulate the selected files.

J Show the selected files' properties.

Managing Connections

Add and manage the remote FASP servers.

To connect to a remote computer or to a server in the cloud, you need to add it to the Connection Manager before establishing the connection. If you are planning to perform transfers with an S3 bucket, you must meet the following prerequisites:

• You (username) have permissions to access the S3 bucket.
• You know your username's S3 Access ID and Secret Key.
• To transfer files from and/or to an S3 storage device using an S3-direct connection, you cannot have a docroot. A local docroot will result in a failed transfer. Be sure to confirm your docroot settings before attempting a transfer.

Start the application: Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server. In the main window, click Connections to open the Connection Manager.

In the Connection Manager, click to create a new connection. You can also use to duplicate a selected connection (i.e. copy all information into a new profile) and to delete a connection profile.

To name or rename a connection, click the orange connection profile name that appears at the top of the screen. The Rename Connection dialog appears. You can also launch the Rename Connection dialog by clicking once on an already selected connection name in the left panel of the Connection Manager. When you have entered the new name, save it by clicking OK (once in the Rename Connection dialog and again in the Connection Manager).

The Connection Manager includes the following configuration tabs:

Tab Description

Connection The basic host information, such as the address, login credentials, and connection ports.

Transfer The transfer session-related options, such as the transfer speed and retry rules.

Tracking Options for tracking the transfer session, including the confirmation receipt and the email notifications.

Filters Create filters to skip files that match certain patterns.

Security Enable the transfer encryption and the content protection.

File Handling Set up resume rule, preserve transferred file attributes, and remove source files.

The following tables detail all options in these tabs:

Connection

Option Description

Host Required The server's address, such as 192.168.1.10 or companyname.com.

User The login user for the server.

Authentication Choose either password or public key for authentication. To use the key-based authentication, see Creating SSH Keys on page 46.

Storage Type Use this drop-down menu to configure storage in the cloud. Note that the default option is local storage.

Storage types include the following:

• Akamai NetStorage
• Amazon S3: Once selected, you will be required to input your Access Id / Secret Access Key and identify a bucket. Note that the local machine must be reasonably time-synchronized in order to communicate with the Amazon servers. You can also select the Advanced button to modify the following settings:
  • Host: Amazon S3 hostname (default: s3.amazonaws.com).
  • Port: Default is port 443.
  • HTTPS connection for file browsing: Enable for secure browsing.
  • Server-side file encryption: Enable for AES256 encryption.
  • Reduced redundancy storage class: Assign objects to the "reduced redundancy" storage class (durability of 99.99%).
• Google Storage
• Windows Azure
• Windows Azure SAS

Note: You can only choose special storage if you have full access to that storage on the cloud-based machine.

Target Directory The default directory when connecting to this computer. When leaving it blank, browsing the remote host brings up either the user account's document root (docroot), or the last-visited folder; when specifying a path, connecting to the host always brings up the exact directory. The default directory is shown in the Connections panel.

Share this connection ... Check this box to share this connection with other users on your computer. When a connection is authenticated through Public Key, the SSH keys used by this connection should be shared as well. Refer to Creating SSH Keys on page 46.

Advanced Settings > SSH Port (TCP) The TCP network port. Default: 33001. Note that if connecting on 33001 fails, the application attempts to establish a connection on port 22. If the connection on 22 succeeds, the setting is updated to 22.

Advanced Settings > fasp Port (UDP) The UDP network port. Default: 33001.

Advanced Settings > Connection Timeout Time out the connection attempt after the selected time.

Test Connection Click this button to test the connection to the remote server with the settings you configured. An alert box opens and reports whether the connection is successful.

Transfer

Option Description

Transfer Name Choose between the following options: Automatically generate allows the user interface to generate the transfer name; Automatically generate and add prefix uses auto-generated name with prefix; Specify uses the user-specified name.

Policy Select the transfer policy. Refer to FASP Transfer Policies on page 143.

Speed Check this option to specify the transfer rate. The target rate is constrained by the global bandwidth in the Preferences window. Refer to Global Bandwidth Settings on page 92.

Retry Check this option to automatically retry the transfer after a recoverable failure. When checked, set the amount of time the transfer should be retried in seconds, minutes or hours. You may set the initial and maximum retry intervals by clicking the More Options... button.

• Initial interval: The first retry waits for the initial interval. Input in seconds, minutes or hours.
• Maximum interval: After the initial interval, the next interval doubles until the maximum interval is met, and then stops retrying after the retry time is reached. Input in seconds, minutes or hours.

Example 1:

10s initial interval, 60s maximum interval, retry for 180s
Retry at (seconds): 10s 30s 70s 130s 180s
Interval progression (seconds): 10s 20s 40s 60s 60s 50s

Example 2:

30s initial interval, 120s maximum interval, retry for 600s
Retry at (seconds): 30s 90s 210s 330s 450s 570s 600s
Interval progression (seconds): 30s 60s 120s 120s 120s 120s 30s

Show Advanced Settings Click the Show Advanced Settings button to reveal the following options:

• Specify FASP datagram size (MTU): By default, the detected path MTU is used. Once you enable this checkbox, you can specify a value between 296 and 10000 bytes.
• Disable calculation of source files size before transferring: By enabling this checkbox, you can turn off the job size calculation on the client-side (if allowed by the server).

Tracking

Option Description

Generate delivery confirmation receipt Check the option to create the delivery receipt file in the specified location.

Send email notifications Send out email notifications based on specified events (start, complete, and error). Refer to Using Transfer Notifications on page 64 for more information.

Filters

Click Add and enter the pattern to exclude files or directories with the specified pattern in the transfer. The exclude pattern is compared with the whole path, not just the file name or directory name. Two special symbols can be used in the setting of patterns:

Symbol Name Description

* Asterisk Represents zero to many characters in a string, for example *.tmp matches .tmp and abcde.tmp.

? Question mark Represents one character, for example t?p matches tmp but not temp.

Examples:

Filter Pattern Matched files

*dirName path/to/dirName, another/dirName

*1 a/b/file1, /anotherfile1

*filename path/to/filename, /filename

path?/file? path1/fileA, pathN/file5
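
The whole-path comparison described above, as an added example (not Aspera's implementation): it shows that a bare name such as id_rsa does not exclude a key file nested in a directory, while a short pattern such as *1 excludes more than a file name suggests. The function names and sample paths are constructed; it assumes that ? may also match a path separator and that a matching directory is skipped together with its contents.

```python
import re


def filter_to_regex(pattern):
    """Translate an exclude pattern: '*' is zero or more characters, '?' is exactly one."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # every other character is literal
    return re.compile("".join(pieces), re.DOTALL)


def matches(pattern, path):
    """True when the pattern covers the whole path, not just its last component."""
    return filter_to_regex(pattern).fullmatch(path) is not None


def excluded(path, patterns):
    """Assumption: a directory that matches is skipped together with its contents."""
    parts = path.split("/")
    prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return any(matches(p, prefix) for p in patterns for prefix in prefixes if prefix)


def plan_transfer(paths, patterns):
    """Split a candidate file list into (sent, skipped) under the exclude filters."""
    sent = [p for p in paths if not excluded(p, patterns)]
    skipped = [p for p in paths if excluded(p, patterns)]
    return sent, skipped


# Constructed sample: a source tree and a filter list with one ineffective entry.
SAMPLE_PATHS = [
    "docs/report.pdf",
    "docs/report.pdf.tmp",
    "home/asp1/.ssh/id_rsa",
    "cache/dirName/blob",
    "build1/out.bin",
]
SAMPLE_FILTERS = ["*.tmp", "id_rsa", "*dirName"]

if __name__ == "__main__":
    sent, skipped = plan_transfer(SAMPLE_PATHS, SAMPLE_FILTERS)
    print("sent:   ", sent)      # still contains home/asp1/.ssh/id_rsa
    print("skipped:", skipped)
    # Anchoring the name with '*' makes the filter effective against the whole path.
    print(excluded("home/asp1/.ssh/id_rsa", ["*id_rsa"]))
```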

Security

Option Description

Encryption When checked, FASP encrypts files while transferring. Encryption may decrease performance, especially at higher transfer speeds and with slower computers.

Content Protection Two options: Encrypt uploaded files with a password encrypts the uploaded files with the specified password. The protected file has the extension .aspera-env appended to the file name; Decrypt password-protected files downloaded prompts for the decryption password when downloading encrypted files.

Note: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If an HTTP fallback occurs while downloading, then, despite entering a passphrase, the files will remain encrypted (enveloped). If HTTP fallback occurs while uploading, then, despite entering a passphrase, the files will NOT be encrypted (enveloped).

File Handling

Option Description

Resume Check Resume incomplete files to enable the resume feature. In the When checking files for differences options: Compare file attributes only checks if the existing file is the same size; Compare sparse file checksums performs a sparse checksum on the existing file; Compare full file checksums performs a full checksum on the existing file. In the When a complete file already exists at the destination, select an overwrite rule when the same file exists at the destination.

File Attributes
• Enable the Preserve Access Time checkbox to set the access time of the destination file to the same value as that of the source file.
• Enable the Preserve Modification Time checkbox to set the modification time of the destination file to the same value as that of the source file.
• Enable the Preserve Source Access Time checkbox to keep the access time of the source file the same as its value before the transfer.

Note: Access, modification, and source access times cannot be preserved for node and Shares connections that are using cloud storage.

Source Deletion Check Automatically delete source files after transfer to delete the successfully-transferred files from the source. Check Delete source directories to also remove the folder.

Important: When managing connections, changes will not be saved until you click the OK button. Selecting Cancel will discard any unsaved changes made in the Connection Manager, including the addition and removal of connections.

To connect to this remote host, double-click the connection from the Connection panel, or select it and click Connect.

Importing and Exporting Connections

You may also import your connection list to and export your connection list from a text file. To export your connection list, right-click the remote server panel and select Export. To import your connection list, right-click the remote server panel and select Import. Both options are shown below (with "export" selected).

Note:

• If you are exporting a connection that uses keys, then you will need to back up those keys manually and import separately.

• A shared connection that is exported and imported by a non-administrator will import as a regular connection (not as shared).

• Email templates are not exported with the connection.

Creating SSH Keys

Create a key-pair for your computer.

Public key authentication (SSH Key) is a more secure alternative to password authentication that allows users to avoid entering or storing a password, or sending it over the network. Public key authentication uses the client computer to generate the key-pair (a public key and a private key). The public key is then provided to the remote computer's administrator to be installed on that machine. To use your Aspera product's transfer-client functionality with public key authentication, follow the steps below.

You can use the application GUI to generate key-pairs and to import existing key-pairs. You can also generate key-pairs using the command-line; for instructions, see Creating SSH Keys (Command Line) on page 136.

1. Create a key pair using the GUI

Start the application by launching Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server. From the menu bar, select Tools > Manage Keys.

In the SSH Keys dialog, click to bring up the New SSH Key Pair window.

The SSH Keys dialog is also available from the Connections tab in the Connections Manager. When you select Public Key for authentication, the Manage Keys button appears; clicking it opens the SSH Keys dialog.

In the New SSH Key Pair window, enter the requested information. When finished, click OK:

Field Description

Identity Give a name to your key pair, such as your user name.

Passphrase (Optional) Set a passphrase on your SSH key, which will be prompted for whenever it needs to use the key. If you don't want the user to be prompted for passphrase when logging in, leave this field blank.

Type Choose between RSA (default) and DSA keys.

Access When sharing a connection with a public key authentication, or a connection that is used with a Hot Folder, that key should have this option checked.

2. Distribute the public key

Then, you will need to provide the public key file (for example id_rsa.pub) to your server administrator, so that it can be set up for your server connection. To copy or export the public key, select the key in the Public Key Manager window, click Copy Public Key to Clipboard, and paste the string into an email and address it to the server administrator, or click Export to File and save the public key as a file. For information on how to install the public key on the server, see Setting Up a User's Public Key on page 74; however, keep in mind that the server could be installed on an operating system that is different from the one where your client is installed.

3. Set up connections using public key authentication

When your public key has been installed on the remote host by its server administrator, click Connections to bring up the Connection Manager.

Under the Connection tab, select Public Key from the Authentication pull-down menu and select the key that is installed on this host.

Note: When you are sharing a connection with public key authentication (Share this connection with all users on this computer checkbox is checked), the SSH key should be shared as well.

To import keys created outside the GUI, go to Tools > Manage Keys to open the SSH Keys dialog. Clicking the button in the upper-left corner of the dialog opens a file browser. You can import the key pair by selecting either the private key or the public key, to copy both keys into the user's .ssh directory. You cannot import a key pair if a key pair with the same identity already exists in the .ssh directory.

Imported key pairs can be shared with other users. In the SSH Keys dialog, selecting a key and clicking the button opens the Edit SSH Key Pair dialog. Check the Access box to allow shared connections to use this key. Shared keys are moved to the Enterprise Server etc directory.

Enabling a Transfer or HTTP Proxy

Setting up your connection if you are behind a proxy server

If, for network-security reasons, you are behind a proxy server or an HTTP proxy server, you can enable these proxies for file transfer by configuring settings in the Preferences dialog. Preferences can be accessed either from the Preferences button in the upper-right corner of the desktop client window menu, or from the Tools button in the main toolbar.

If you have admin privileges, you can enable transfer proxies for all users by setting global preferences. If you are a non-admin user, you can override global transfer-proxy settings for your own account, including enabling or disabling the feature.

By default, proxy settings are turned off.

Global Proxy Settings

To enable or adjust proxy settings globally, select Tools > Global Preferences. You must have admin privileges to set global preferences:

In the Proxy dialog, you can set the following:

Enable transfer proxy

• Check the Enable transfer proxy checkbox.
• Enter the proxy server's hostname or IP address and port number.
• Enable the Secure checkbox if your proxy server allows secure connections.
• Enter your username and password to authenticate with your proxy server.

Enable HTTP proxy

• Check the Enable HTTP proxy checkbox.
• Enter the HTTP proxy's hostname or IP address and port number.
• If your HTTP proxy requires authentication, enable the Authenticated checkbox and enter the username and password for your HTTP proxy.

By default, all proxy settings are turned off. For global preferences, clicking Restore System Defaults clears all settings.

User Proxy Settings

To override the global settings, you can enter personal settings for your own account. Select Tools > Preferences or click the Preferences link in the upper-right corner of the desktop client window:

Under Proxy, the values inherited from the global proxy settings will be filled in initially. You can set the following:

Enable transfer proxy

• Check or uncheck Enable transfer proxy to enable or disable transfer proxy.
• Enter the proxy server's hostname or IP address and port number.
• Enable the Secure checkbox if your proxy server allows secure connections.
• Enter your username and password to authenticate with your proxy server.

You can also clear your personal settings by clicking Restore Defaults. Your settings will revert to the current global settings.

If you are an admin, you can access the global proxy dialog by clicking the Global Preferences button.

Enable HTTP proxy

• Check the Enable HTTP proxy checkbox.
• Enter the HTTP proxy's hostname or IP address and port number.
• If your HTTP proxy requires authentication, enable the Authenticated checkbox and enter the username and password for your HTTP proxy.

By default, all proxy settings are set to the global values. For personal preferences, clicking Restore Defaults changes all settings to the global values.

Transferring Files

Initiate and manage file transfers.

Caution: Do not use the following characters in filenames:

/ \ " : ' ? > < & * |

1. Connect to the remote host

Start the application by launching Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server, and double-click the connection within the Connection panel, or select it and click Connect.

In the connections panel, the Target Directory shows either a specific path when the target directory is set, or the last-visited folder when left blank. For how to set up the target directory, see Managing Connections on page 40.

2. Initiate the transfer

To transfer a file to or from the remote computer, select the file to transfer and then click the upload or download arrow.

3. Transfer files using drag-and-drop or copy-and-paste.

You can transfer files or folders between the right and left browser panels using drag-and-drop or copy-and-paste.

Within either the left or right browser panel, you can move files or folders using drag-and-drop or cut-and-paste, and you can copy them using copy-and-paste.

You can also initiate an upload using drag-and-drop from Windows Explorer to the right browser panel.

4. Transfer files without browsing the remote host

If you have entered the target directory for this connection (See Managing Connections on page 40), you can also transfer files without browsing the remote computer. To do so, select the files from the left panel (local), select the connection name from the right panel (remote) and click to push files to the remote computer's target directory (as shown in the screenshot), or to pull files from it.

Note: If you attempt to transfer too many files, regardless of the method, the transfer is disabled and the following warning message is displayed:

Too many files selected. Select fewer files, or transfer the folder containing your selection instead.

The file limit is OS dependent.

The limit does not apply to copy-and-paste operations within the same file browser panel.

5. Manage the transfer sessions in the Transfers panel

Once the transfer has been successfully initiated, a progress bar will appear in the Transfers panel. If you have multiple ongoing transfers, use the and to change the selected transfer's priority. The # field indicates the transfer's order in the queue. Also the , , and can be used to control the selected transfer session.

6. (Optional) Make adjustments to a transfer session's target rate, minimum rate and/or policy (if allowed)

The Details button provides additional visibility and control (if granted the proper permissions) over transfers.Select a transfer session from the Transfers panel and click Details to view details and/or adjust settings.

The following items are on the Details display:

Item Name Description

A Details (tab) Transfer details, including status (rate and ETA) and statistics(session size, files transferred vs. total files to be transferred,average speed, time elapsed, RTT delay and average loss inpercent).

B Files (tab) All files being transferred in this session, along with each files'size and transfer progress.

C Transfer controls Set the transfer policy and transfer rate, if allowed. For additionalinformation, see FASP Transfer Policies on page 143.

D Transfer Monitor The transfer graph. Note that you may use the sliders to adjust thetransfer rate up or down (if allowed).

7. Update preferences for the transfer rate and maximum number of concurrent transfers

If you have administrator privileges, you can set the target transfer rate for all users from the Global Preferences dialog. As an individual user, you can override the global settings from My Preferences. To update these settings, go to Tools > Global Preferences or Tools > Preferences. You can also open My Preferences from the Preferences button in the upper-right corner of the application's main window; from there you can also reach the Global Preferences dialog by clicking Global Preferences.

The following options are available under the Transfers tab:

Item Description

Global Bandwidth Limits The aggregated bandwidth cap for all FASP transfers on this computer. For more advanced bandwidth settings, see Bandwidth on page 82. (Set by administrators only.)

Default Target Rate The initial download and upload rates for all transfers.

Maximum Active Transfers The maximum number of concurrent upload transfers and download transfers.

For information about settings under the Email tab, see Configuring Transfer Notifications on page 57.

Advanced Transfer Mode

More options for initiating transfers, such as filters, security, and scheduling.

You can start a transfer in advanced mode to set per-session transfer options that override the default transfer settings. To initiate a transfer in advanced mode, right-click a file or folder to open the context menu and select Upload (in the client panel) or Download (in the server panel).

The advanced transfer dialog includes the following configuration tabs:

Tab Description

Transfer The transfer session-related options, such as the transfer speed and retry rules.

Tracking Options for tracking the transfer session, including the confirmation receipt and the email notifications.

Filters Create filters to skip files that match certain patterns.

Security Enable the transfer encryption and the content protection.

File Handling Set up resume rule, preserve transferred file attributes, and remove source files.

Scheduling Schedule this transfer.

Note: All configuration tabs, except Scheduling, are identical to those in the Connection Manager configuration screen. For information on these tabs, see Managing Connections on page 40. The Scheduling tab is described below.

Scheduling

To enable transfer scheduling, check the box for Schedule this transfer. When finished, click Transfer. The following scheduling options are available:

Option Description

Time Specify the transfer time.

Transfer repeats Select a repeat mode.

For a single transfer, select Does not repeat and select a time and date.

For a daily transfer, select Daily and select a start time and an end date (either Never or a date and time).

For a daily transfer on weekdays only, select Monday - Friday and an end date (either Never or a date and time).

For a weekly transfer, select Weekly, select which day of the week, and specify an end date (either Never or a date and time). Note that with this option you can specify more than one day of the week to set specific days when the transfer should repeat.

For transfers that should repeat more frequently than daily, select Periodically and fill in the number of minutes between transfers.

When submitting a scheduled transfer, you will see it listed under the Transfers tab, along with an icon ( ) under the # column. To modify the transfer, right-click it and select Edit to reveal the transfer settings.

Note: When scheduling transfers, ensure that the application is running. Unlike Hot Folders, scheduled transfers do not run when the application is closed.

Configuring Transfer Notifications

Set up transfer notifications and modify the templates.

Transfer notification emails (which are based on default or customized mail templates) are triggered by three transfer session events: start, completion and error. Follow the instructions below to configure the SMTP server and/or to create/modify your email templates.

1. Launch Connect Server with Administrator permissions

Configuring transfer notifications requires Administrator permissions. Log into your computer with your Administrator account and launch the application ( Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server ).

2. Configure global mail preferences

Note: To configure global mail preferences, you must have Administrator permissions.

To set up global mail preferences, launch the application with Administrator permissions, and select Tools > Global Preferences.

Click the Mail button to configure settings for email notifications. In the dialog that appears, check Enable email notifications to turn on email notifications for all users. If enabled, both a from address and outgoing email server host name are required. To ensure that the mail server information is correct, click Send test email -- a test message will be sent to the from address.

To enable notifications on Hot Folder transfers, check Send email notifications for hot folders.

User Mail Preferences

To override all global/default mail settings and enter personal settings for your own account, select Tools > Global Preferences or click the Preferences link in the upper-right corner of the main application window:

This opens the My Preferences > Mail dialog. When initially opened, this dialog is populated with the inherited global default values as set by an admin user. From here you can overwrite the inherited mail settings, including enabling or disabling notifications. To restore settings to the global values, click the Restore Defaults button.

3. Bring up the Mail Templates window

Templates are used to generate the content of notification emails. You can associate them with connections, hot folders, and individual transfers. We provide a default template. They can be changed to customize notification emails.

Click Tools > Mail Templates to bring up the Mail Templates window.

In the Mail Templates window, click to create a template based on existing ones, or select an existing template and click to edit it.

The mail template supports MIME (Multipurpose Internet Mail Extensions) multipart messages that include both the HTML and plain text versions of the mail body. In the Edit Template window, enter the template in the specified field:

Item Description

Name The template name.

HTML The HTML mail body. Click Insert Image to insert an image into the template. The selected image will be copied to the template directory. You may preview the template by clicking Preview.

Text The plain text mail body. You may preview the template by clicking Preview.

Access Check the option Share this template with all users on this computer to allow other system users to access this template.

4. Modify mail templates

Mail templates serve as models for the email that will be sent.

To modify mail templates, go to Tools > Mail Templates to bring up the template management window.

The templates are rendered using Apache Velocity (Apache Velocity User Guide). Content is generated for an email according to its template. A conditional statement only generates content if the condition matches. A foreach loop generates content for each iteration of the loop. Within a template, there are two predefined variables:

• $formatter - Contains some utility methods
• $notifications - Holds the transfer notifications

To iterate over notifications, use a foreach loop:

#foreach ($event in $notifications.getEvents())
  ...
#end

This declares a local $event variable that can be used within the for-each loop.

The following conditional statements can be used in the templates:

#if ...
#else ...
#end

All statements are categorized in four parts: conditional, session information, time, and statistics.

Conditional

Use these tests in an if statement. For example:

#if ($event.isFailed())
  ...
#end

Statement Description

$event.isStarted() If the transfer session is started.

$event.isCompleted() If the transfer session is completed.

$event.isEnded() If the transfer session is ended.

$event.isFailed() If the transfer session is failed.

Session Information

Statement Description

$event.getSourceHost() The source hostname (or host address if the hostname is not discoverable).

$event.getSourceHostAddress() The source host address.

$event.getSourcePaths() The source file path.

$event.getDestinationHost() The destination hostname (or host address if the hostname is not discoverable).

$event.getDestinationHostAddress() The destination host address.

$event.getDestinationPath() The destination file path.

$event.getInitiatingHost() The session-initiating hostname (or host address if the hostname is not discoverable).

$event.getInitiatingHostAddress() The session-initiating host address.

$event.getId() The session ID.

$event.getName() The session name.

$event.getType().getDescription() The session state. Three outputs: "STARTED", "FAILED", and "COMPLETED".

$event.getUser() The transfer login.

$event.getFiles() The files that are being transferred. Use this statement in a foreach loop (any text after ## is a comment):

#foreach ($file in $event.getFiles())
  ## $file is a new variable visible in this foreach loop.
  ## $file holds the complete file path and file name.
  ## $formatter.decodePath() is used to ensure a correct string decoding.
  $formatter.decodePath($file)
#end

And use the counter $velocityCount in an if statement to limit the output file count. For example, to list only the first ten files:

#foreach ($file in $event.getFiles())
  #if ($velocityCount > 10)
    #break
  #end
  $file
#end

$event.getMessage() The message entered in the notification's "Message" field.

$event.getError() The error message.

Time

Statement Description

$formatter.date(var, "lang", "format") Formatting the date and time output. Enter three values in the parentheses:

• Replace var with one of the following two statements; for example, $event.getStartTime()

• Replace lang with an abbreviated language name; for example, en for English.

• The format is the display format. Use these symbols:

  • yyyy The year. E.g. 2010
  • MM Month of the year. E.g. 03
  • dd Day of the month. E.g. 28
  • HH Hour of the day.
  • mm Minute.
  • ss Second.
  • z Time zone.
  • EEE The abbreviated weekday name.

For example, "EEE, yyyy-MM-dd HH:mm:ss z" shows Fri, 2010-03-26 16:19:01 PST .

$event.getStartTime() The session start time.

$event.getEndTime() The session end time.

Statistics

Statement Description

$event.getSourceFileCount() The number of source files.

$event.getCompletedFileCount() The number of files that successfully transferred.

$event.getFailedFileCount() The number of files that failed to transfer.

$event.getAverageRatePercentage() The average transfer rate in bps. Enclose this statement with $formatter.formatRate() to simplify the output.

$event.getAverageLossPercentage() The average packet loss percentage.

$event.getSourceSizeB() The source file size. Enclose this statement with $formatter.toBestUnit() to simplify the output.

$event.getTransferredB() The transferred file size. Enclose this statement with $formatter.toBestUnit() to simplify the output.

$event.getWrittenB() The destination file size. Enclose this statement with $formatter.toBestUnit() to simplify the output.

When configured, you can apply the notifications to a connection host, or a transfer session. For details, see Using Transfer Notifications on page 64.

Using Transfer Notifications

Use transfer notifications to send emails based on transfer events.

Transfer notifications can be sent for three transfer events: start, complete, and error. Follow these instructions to select and apply them to your transfer sessions:

1. Preview mail templates

You can preview existing templates to decide which one to use. In the application ( Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server ), go to Tools > Mail Templates... to bring up the Mail Template window.

In the Mail Templates window, select an existing template and click to open the edit screen.

Mail templates support MIME multipart messages, which include both HTML and plain text versions. In the Edit Template window, click Preview to view the template's output example.

2. Set up notifications for a connection

You can set up notifications for connections. When transferring with the host, emails will be sent to specified recipients on selected events.

To do so, click Connections, choose the connection, and select the Tracking tab. Check Send email notifications to enable this feature. Enter the following information, and then click OK:

Item Description

When Check the events to send notifications for.

To Enter the recipients, comma separated.

Template Select a mail template.

Message Optionally enter a message to include in the notifications.

3. Set up notifications for a transfer

Email notifications can also be applied to transfer sessions. Right click the file browser and select Upload... or Download... to open the advanced transfer window, select the Tracking tab, and check Send email notifications to enable this feature. Refer to the previous section for help on setting the options.

Reporting Checksums

Configure IBM Aspera Connect Server to report checksums for transferred files.

Internally, Connect Server determines the success of transfers by using checksums to verify that file contents at a destination match what was read at the source. Connect Server can also be configured to report these checksums to users.

Note: Checksum reporting requires that both the server and client nodes be running Enterprise Server, Connect Server, or Point-to-Point 3.4.2 or higher.

By default, checksum reporting is turned off. The feature can be enabled and configured on the server using any of the following methods:

• entering configuration options in aspera.conf
• setting configuration options in the desktop client GUI
• on a per-transfer basis, using a command-line option with ascp

If used, the command-line option overrides settings in aspera.conf and the GUI.

Each method allows you to enable checksum reporting by selecting or setting the following options:

md5 - Calculate and report an MD5 checksum.
sha1 - Calculate and report an SHA-1 checksum.
any - Allow the checksum format to be whichever format the client requests.

Additional options in aspera.conf and the GUI allow you to configure where checksum reports should be saved.

Enabling from aspera.conf

Open the aspera.conf file on your server and add the <file_checksum> option to the <file_system> section, as in the example below.

Note: The none option is no longer supported as of 3.4.2. If your aspera.conf file has a <file_checksum> setting of none, transfers will fail with the error "Server aborted Session: Invalid configuration file".

To enable and configure the file manifest where checksum report data will be stored, add settings for <file_manifest> and <file_manifest_path>; for example:

<file_system>
  ...
  <file_checksum>md5</file_checksum> <!-- Enable checksum reporting (md5, sha1, any) -->
  <file_manifest>text</file_manifest> <!-- Enable file manifest (text, disable) -->
  <file_manifest_path>C:\Users\Public\reports</file_manifest_path> <!-- Path to manifest file -->
  ...
</file_system>

The following table provides details on the configuration options for checksum reporting:

| Conf Option / GUI Config Setting | Description | Values | Default |
|---|---|---|---|
| <file_checksum> / File checksum method | Enable checksum reporting, specifying the type of checksum to calculate for transferred files. | md5, sha1, or any | any |
| <file_manifest> / File Manifest | When set to text a text file "receipt" of all files within each transfer session is generated. If set to disable, no file manifest is created. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the file manifest itself is automatically generated based on the transfer session's unique ID. | text, disable | disable |
| <file_manifest_path> / File Manifest Path | The location where manifest files are to be written. The location can be an absolute path or a path relative to the transfer user's home. If no path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender. Note: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path. | path name | blank |

Enabling from the GUI

Click Configuration to open the Server Configuration window. Select the Global, Groups, or Users tab, depending on whether you want to configure checksum reporting for all users, or for a particular group or user. Under the File Handling tab, locate the setting for File checksum method. Check the override box and for the effective value, select md5, sha1, or any.

To enable the file manifest from the GUI, locate the File Manifest setting. Check the override box and set the effective value to text.

Locate the File Manifest Path setting on the line just below. Check the override box and set the effective value to a folder where the manifest files are to be saved.

In the above examples, when files are transferred, the manifest is generated to a text file called aspera-transfer-transfer_id-manifest.txt in the folder C:\Users\Public\reports.

For details about the settings for File checksum method, File Manifest, and File Manifest Path, see the table of configuration options in the previous section.

Enabling from the ascp Command Line

To enable checksum reporting on a per-transfer-session basis, run ascp with the --file-checksum=hash option, where hash is sha1, md5, or any.

From the ascp command line, you can also enable the manifest with the option --file-manifest=output where output is either text or none. You can set the path to the manifest file with the option --file-manifest-path=path.

For example:

> ascp --file-checksum=md5 --file-manifest=text --file-manifest-path=C:\Users\Public\reports file [email protected]:/destination_path

Setting up a Pre/Post-processing Script

An alternative to enabling and configuring the file manifest to collect checksum reporting is to set up a pre/post-processing script to report the values.

The checksum of a successfully transferred file is stored in the pre/post environment variable FILE_CSUM. This environment variable can be used in pre/post scripts to capture file checksums. For example, the following script outputs the checksum to the file C:\Users\Public\reports\cksum.log:

if "%TYPE%"=="File" (
  if "%STARTSTOP%"=="Stop" (
    echo "The file is: %FILE%" >> C:\Users\Public\reports\cksum.log
    echo "The file checksum is: %FILE_CSUM%" >> C:\Users\Public\reports\cksum.log
  )
)

For information on how to set up pre- and post-processing scripts such as the above and how to use builtin pre/post environment variables, see Pre- and Post-Processing (Prepost) on page 115.
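As an added example (not part of the Aspera documentation), the Python script below reads a cksum.log written by the pre/post script above and re-hashes the files to confirm they still match the reported checksums. It assumes FILE_CSUM is written as a hex string; the sample log lines, file names and the resolve mapping are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# cmd.exe's `echo "text" >> file` writes the double quotes verbatim, so the
# script on this page produces lines such as: "The file is: C:\dir\a.bin"
FILE_RE = re.compile(r'^"?The file is:\s*(?P<path>.*?)"?\s*$')
CSUM_RE = re.compile(r'^"?The file checksum is:\s*(?P<csum>.*?)"?\s*$')

# Assumption: FILE_CSUM is a hex string, so its length identifies the algorithm.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1"}

# Constructed sample log, not real transfer data; both digests are of b"hello\n".
SAMPLE_LOG = r'''
"The file is: C:\Users\Public\inbox\report.txt"
"The file checksum is: b1946ac92492d2347c6235b8d2611184"
"The file is: C:\Users\Public\inbox\image.bin"
"The file checksum is: F572D396FAE9206628714FB2CE00F72E94F2258F"
"The file is: C:\Users\Public\inbox\nosum.dat"
"The file checksum is: "
'''


def parse_cksum_log(text):
    """Return [(path, checksum_or_None), ...] in log order.

    A file line that is not followed by a non-empty checksum line is kept
    with checksum None so that the gap is reported instead of skipped.
    """
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if pending is not None:
                entries.append((pending, None))
            pending = m.group("path")
            continue
        m = CSUM_RE.match(line)
        if m and pending is not None:
            entries.append((pending, m.group("csum").strip().lower() or None))
            pending = None
    if pending is not None:
        entries.append((pending, None))
    return entries


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large transfers do not exhaust memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_entries(entries, resolve=Path):
    """Compare each logged checksum with a fresh digest of the local file.

    `resolve` maps a logged path to where the file lives on this machine.
    Returns {logged_path: status}.
    """
    results = {}
    for path, logged in entries:
        if logged is None:
            results[path] = "missing-checksum"
            continue
        algo = ALGO_BY_HEX_LENGTH.get(len(logged))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", logged):
            results[path] = "unknown-format"
            continue
        try:
            actual = file_digest(resolve(path), algo)
        except OSError:
            results[path] = "unreadable"
            continue
        results[path] = "ok" if actual == logged else "mismatch"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-ins for the transferred files: report.txt intact, image.bin altered.
        (Path(tmp) / "report.txt").write_bytes(b"hello\n")
        (Path(tmp) / "image.bin").write_bytes(b"tampered\n")
        local = lambda logged: Path(tmp) / logged.rsplit("\\", 1)[-1]
        for path, status in verify_entries(parse_cksum_log(SAMPLE_LOG), local).items():
            print(f"{status:17} {path}")
```

A "missing-checksum" result usually means checksum reporting was not enabled for that transfer, so FILE_CSUM was empty when the script ran.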

Managing Users

Add users for the FASP connection authentication, and set up user transfer settings.

Setting Up Users

Set up system user accounts for FASP file transfers.

Warning: If you have upgraded from 2.7.X to 3.X on Windows, you should be aware that starting with 3.X user names are case sensitive.

Your Aspera server uses your system accounts to authenticate connections. These system accounts must be added and configured before attempting an Aspera transfer. When creating transfer accounts, you may also specify user-based settings, including those for bandwidth, document root (docroot) and file handling.

Note: You must create system accounts for transfer users before they can be configured on your Aspera server. After these system accounts have been created and initialized on your local host, follow the steps below to configure their transfer accounts.

1. Add a system user to your Aspera server.

Launch the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and click Configuration.

In Server Configuration, select the Users tab and click the button.

2. Enter user's name and optional domain, and set login requirement.

Within the Add User box, enter the user's name and optional domain, then click OK. Note that for domain users, you can set a requirement that they must log into their accounts using the DOMAIN\username format (which is also recommended by Aspera). To set this requirement, click the Options button under the Users tab in the Server Configuration window. Enable the checkbox to set the requirement for new users and/or click the Convert existing users button to set the requirement for existing domain accounts.

Note: You cannot add a username with the "@" symbol, except when using the user@domain format. For additional information, see Product Limitations.

3. Set up user's docroot.

You can limit a user's access to a given directory using the document root (docroot). To set it up, click Configuration > Users > username > Docroot. Check the Override box for Absolute Path and enter or select an existing path as the user's docroot -- for example, C:\sandbox\asp1 . Make sure that at least the Read Allowed and Browse Allowed are set to true. When finished, click OK or Apply.

If there is a pattern in the docroot of each user, for example, C:\sandbox\username, you can take advantage of a substitutional string. This allows you to assign an independent docroot to each user without setting it individually for each user.

Substitutional String Definition Example

$(name) The system user's name. C:\sandbox\$(name)

$(DOMAIN) The domain user's domain name. C:\sandbox\$(DOMAIN)\$(name)

Set up a docroot with a substitutional string as follows: in the Server Configuration dialog, select the Global tab and the Docroot tab, and enter the docroot into the Absolute Path field. This value will be duplicated in all user settings.

Test User-Initiated Remote Transfer

Test FASP transfers initiated from a client computer.

Follow the steps below to test your server's incoming connections from a client machine.

Important: These instructions require you to take steps on both the Connect Server and a client computer. Ensure that you are performing the task on the indicated machine. As a prerequisite, Connect Server must have at least one transfer user. For instructions on adding a transfer user, see Setting up Users.

1. (On your client machine) Verify your connection to Connect Server.

On the client machine, use the ping command in a Command Prompt window to verify connectivity to the host. In this example, the address of Connect Server is 10.0.0.2.

> ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=8.432 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=7.121 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=5.116 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=4.421 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=3.050 ms
...

2. (On your client machine) Initiate a transfer to Connect Server.

Attempt to establish a connection from your client machine to Connect Server. To do so, run the following command on your client machine (where asp1 is our example transfer user):

> ascp -P 33001 -T --policy=fair -l 10000 -m 1000 /client-dir/files asp1@10.0.0.2:/dir

Item Value

Host Address 10.0.0.2

Transfer User asp1

Files to upload /client-dir/files

Destination Folder {user's docroot}/dir

Transfer Options
• Maximum transfer rate = 10 Mbps (-l 10000)
• Minimum transfer rate = 1 Mbps (-m 1000)
• Change default TCP port used for FASP session initiation = 33001 (-P 33001). Please note that this command does not alter ascp or your SSH server's configuration.
• Disable encryption (-T)
• Fair transfer policy (--policy=fair)

3. (For clients connecting to a Connect Server) Test the Web UI with a client machine.

Browse to your Connect Server URL from the client machine. Here, you should see the Aspera Connect browser plugin installation instructions. After installing the browser plugin, click Upload and select one or more files to send to the server. When finished, attempt to Download the same files.

Important: When adding files to Web UI, avoid using the following characters in the file names:

/ \ " : ' ? > < & * |

For additional information on Aspera Connect browser plugin, refer to the Aspera Connect User Guide.

If you cannot establish a connection to Connect Server, see Clients Cannot Establish Connection.

Setting Up Groups

Create system groups on your computer, and set up transfer settings for the group and its members.

You can set up transfer settings based on your system's user groups. If users within a group do not have individual transfer settings, then the group's transfer settings will be applied. Please note that Connect Server doesn't create user groups on the Operating System for you, so you must ensure that the groups currently exist before adding them to your Aspera product. Follow the steps below to add user groups to Connect Server.

1. Determine the user group(s) that you would like to add to your Aspera transfer product

Ensure that you have an existing user group on your operating system, or create a new user group. For information on creating user groups, see your operating system documentation.

2. Add the user group to your Aspera transfer product

Launch Connect Server (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and click Configuration.

Within the Server Configuration window, select the Groups tab, click and input the user group's name.

3. Configure the group's transfer settings

Go to Configuration and select the Groups tab. Choose your group, and utilize the Docroot, Authorization, Bandwidth, Network, File Handling and Precedence tabs to configure the transfer settings. Refer to the hyperlinked topics below for additional information.

Category Description

Document Root on page 76 The document root settings.

Authorization on page 79 Connection permissions, token key, and encryption requirements.

Bandwidth on page 82 Incoming and outgoing transfer bandwidth and policy settings.

Network on page 86 Network IP, port, and socket buffer settings.

File Handling on page 87 File handling settings, such as file block size, overwrite rules, and exclude pattern.

Configuration Precedence on page 73 When a user is a member of multiple groups, the precedence setting can be used to determine priority.

Configuration Precedence

The priority of user, group, global-level and default settings.

Connect Server gives precedence to settings as follows, where user settings have the highest priority and default settings have the lowest.

(1) User

(2) Group(s) (If a user belongs to more than one group, a precedence can be set for each group.)

(3) Global

(4) Default

If a user is a member of multiple groups, a precedence setting can be assigned to each group. The following table shows the setting values that a user asp1 is assigned in bold. In this example, asp1 is a member of both the admin and xfer groups. The admin group's precedence setting is 0, which supersedes the xfer group's setting of 1:

| Options | User asp1's Settings | Group admin's Settings | Group xfer's Settings | Global Settings | Default Settings |
|---|---|---|---|---|---|
| Target rate | 5M | 10M | 15M | 40M | 45M |
| Min rate | n/a | 2M | 8M | 3M | 0 |
| Policy | n/a | n/a | Low | Fair | Fair |
| Docroot | n/a | n/a | n/a | C:\pod\$(name) | n/a |
| Encryption | n/a | n/a | n/a | n/a | any |

You can configure a group's precedence from the GUI or by editing aspera.conf. To configure it from the GUI, launch the application and click Configuration.

In the Server Configuration dialog, select the Groups tab, choose a group, and select the Precedence tab. (The Precedence tab does not appear if there are no groups.) Click the Override checkbox to override the inherited value (default), and enter a precedence number for the group.

Note: A group's precedence setting must be greater than or equal to 0, where 0 is the highest precedence level.

Before assigning group precedence by editing aspera.conf, first ensure that the groups have already been added in the application, so that they will appear as entries in aspera.conf.

Locate the aspera.conf file as follows:

C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\aspera.conf
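The precedence rules above, worked through for user asp1 with the values from the table, as an added Python example that is not Aspera's own code. The function names, the tie-breaking order for groups with equal precedence, and the single-path-component check in expand_docroot are assumptions of this example; the $(name) and $(DOMAIN) strings are the substitutional strings from Setting Up Users.

```python
def layer_order(groups):
    """Return group names from highest to lowest precedence (0 is highest)."""
    for name, (precedence, _settings) in groups.items():
        if precedence < 0:
            raise ValueError(f"group {name!r}: precedence must be >= 0")
    # Assumption: groups with equal precedence keep their listed order.
    return sorted(groups, key=lambda name: groups[name][0])


def effective_settings(user, groups, global_settings, default_settings):
    """Resolve every option through user > group(s) > global > default.

    A value of None stands for "n/a" in the table (the layer does not set it).
    Returns {option: (value, source_layer)}.
    """
    layers = [("user", user)]
    layers += [(f"group {g}", groups[g][1]) for g in layer_order(groups)]
    layers += [("global", global_settings), ("default", default_settings)]
    resolved = {}
    for source, settings in layers:  # highest-priority layer first
        for option, value in settings.items():
            if value is not None and option not in resolved:
                resolved[option] = (value, source)
    return resolved


def expand_docroot(template, name, domain=None):
    """Expand the $(name) and $(DOMAIN) substitutional strings in a docroot."""
    if "$(DOMAIN)" in template and domain is None:
        raise ValueError("docroot uses $(DOMAIN) but the user has no domain")
    # Added check (this example's assumption, not documented product behaviour):
    # a substituted value must be one path component, so it cannot move the
    # docroot outside the intended parent folder.
    for part in (name, domain or ""):
        if "\\" in part or "/" in part or part in (".", ".."):
            raise ValueError(f"{part!r} is not a single path component")
    return template.replace("$(DOMAIN)", domain or "").replace("$(name)", name)


# Values copied from the table on this page; None is "n/a".
ASP1 = {"Target rate": "5M", "Min rate": None, "Policy": None}
GROUPS = {
    "xfer": (1, {"Target rate": "15M", "Min rate": "8M", "Policy": "Low"}),
    "admin": (0, {"Target rate": "10M", "Min rate": "2M", "Policy": None}),
}
GLOBAL = {"Target rate": "40M", "Min rate": "3M", "Policy": "Fair",
          "Docroot": r"C:\pod\$(name)"}
DEFAULT = {"Target rate": "45M", "Min rate": "0", "Policy": "Fair",
           "Encryption": "any"}


if __name__ == "__main__":
    resolved = effective_settings(ASP1, GROUPS, GLOBAL, DEFAULT)
    for option, (value, source) in resolved.items():
        if option == "Docroot":
            value = expand_docroot(value, "asp1")
        print(f"{option:12} {value:16} from {source}")
```

The source column in the output identifies which layer supplied each effective value for asp1.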

Setting Up a User's Public Key

Install the public key provided by the clients to their user account.

Public key authentication is an alternative to password authentication, providing a more secure authentication method that allows users to avoid entering or storing a password, or sending it over the network. It is done by using the client computer to generate the key-pair (a public key and a private key), provide the public key to the server or the point-to-point, and have the public key installed on that machine.

Important: The Web UI currently doesn't support the key-based authentication. This feature is for transfers initiated in the application (Including the Hot Folders) and the ascp command.

1. Obtain the client's public key

The client should send you an e-mail with the public key, either a text string attached in the secure e-mail, or saved as a text file. In this example, the client's login user account is asp1.

For instructions on creating public keys, refer to Creating SSH Keys on page 46, or Creating SSH Keys (Command Line) on page 136 for command-line instructions.

2. Install the client's public key to its login user account

To install the account's public key, create a folder called .ssh in the user's home directory. This example sets up the public key for the following user:

Item Value

User name asp1

User's home directory C:\Documents and Settings\asp1

Open a Command Prompt (Start menu > All Programs > Accessories > Command Prompt) and execute the following commands to create the user's public key folder:

> cd "C:\Documents and Settings\asp1"
> md .ssh

Use a text editor to create the following file, without file extension:

C:\Documents and Settings\asp1\.ssh\authorized_keys

Add the user's public key-string into this file and save it. The user should now be able to establish FASP connections with public key authentication.

Note:

Some text editors append the file extension automatically, such as .txt. Make sure to remove the file extension from the file authorized_keys.

General Configuration Reference

The general transfer configuration options.

This section covers the general configuration options, which can be used for global, group, and user settings.

Document Root

The document root settings.

The document root (docroot) configuration options can be found in the application's Configuration (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server), within Global, Groups and Users sections.

The following table lists all configuration options:

Field: Absolute Path
Description: The Absolute Path is a path to the docroot, the area of the file system that is accessible to Aspera users. The default empty value gives users access to the entire file system. In aspera.conf, you can set multiple docroots and make them conditional based on the IP address from which the connection is made. To do so, set the absolute path as follows:

<absolute peer_ip="ip_address">path</absolute>

Note: You may also specify an Amazon S3 docroot in the following URI format:

s3://MY_ACCESS_ID:[email protected]/my_bucket/my_path

(where each of the MY_ACCESS_ID, MY_SECRET_KEY and my_bucket/my_path parts must be url_encoded).

S3 server side options are specified through an additional query part in the URI, as shown below.

s3://MY_ACCESS_ID:[email protected]/my_bucket/my_path?storage-class=REDUCED_REDUNDANCY&server-side-encryption=AES256

Valid values are as follows:

• For storage-class: STANDARD (default if not specified) or REDUCED_REDUNDANCY.
• For server-side-encryption: AES256 is the only valid value.

Values: file path or Amazon S3 URI
Default: blank

Field: Read Allowed
Description: Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false
Default: blank

Field: Write Allowed
Description: Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false
Default: blank

Field: Browse Allowed
Description: Setting this to true allows users to browse the directory.
Values: true, false
Default: blank
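The following is an added example, not part of the original guide: a Python helper that builds the S3 docroot URI described under Absolute Path, percent-encoding each part and checking the query options against the valid values listed there. Secret keys often contain "/", "+" or "=", which is where an unencoded URI breaks. The function names, the sample credentials and the host s3.amazonaws.com in the sample call are assumptions (the host is obscured in the page's URI).

```python
from urllib.parse import quote, unquote, urlsplit

# Valid values as listed under Absolute Path.
S3_OPTIONS = {
    "storage-class": {"STANDARD", "REDUCED_REDUNDANCY"},
    "server-side-encryption": {"AES256"},
}


def s3_docroot(access_id, secret_key, bucket_path, host, options=None):
    """Build an s3:// docroot URI with every part url_encoded."""
    options = dict(options or {})
    for name, value in options.items():
        if name not in S3_OPTIONS:
            raise ValueError("unknown S3 option: " + name)
        if value not in S3_OPTIONS[name]:
            raise ValueError("invalid value for %s: %s" % (name, value))

    def enc(part):
        # safe="" so that "/", "+", "=", ":" and "@" inside a part are all escaped.
        return quote(part, safe="")

    # Assumption: bucket/path is encoded segment by segment, keeping "/" as the separator.
    path = "/".join(enc(seg) for seg in bucket_path.strip("/").split("/"))
    uri = "s3://%s:%s@%s/%s" % (enc(access_id), enc(secret_key), host, path)
    if options:
        uri += "?" + "&".join("%s=%s" % item for item in options.items())
    return uri


def redact(uri):
    """Replace the secret key so the docroot can be pasted into logs or tickets."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    return uri.replace(":" + parts.password + "@", ":REDACTED@", 1)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    secret = "wJal/rXUt+nFEMI=K7"
    uri = s3_docroot("AKIDEXAMPLE", secret, "my_bucket/my path", "s3.amazonaws.com",
                     {"storage-class": "REDUCED_REDUNDANCY",
                      "server-side-encryption": "AES256"})
    print(redact(uri))
    # The encoded secret survives a round trip through a URI parser.
    print(unquote(urlsplit(uri).password) == secret)
    # Without encoding, the "/" in the secret ends the authority part early.
    naive = "s3://AKIDEXAMPLE:" + secret + "@s3.amazonaws.com/my_bucket"
    print(urlsplit(naive).hostname)
```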

Configuring Symbolic Links

This section describes how Aspera handles symbolic links in ascp. Both client-side and server-side handling can be configured using the command-line options and the aspera.conf file respectively.

Client-Side Symbolic Link Handling

See Advanced Symbolic Link Options (ascp) on page 77 for information about configuring client-side handling for symbolic links.

Server-Side Symbolic Link Handling

See Server-Side Symbolic Link Handling on page 78 for information about configuring server-side handling for symbolic links.

Advanced Symbolic Link Options (ascp)

Client-side handling of symbolic links is configured from the following ascp command line:

> ascp --symbolic-links=option

The following section describes the possible configuration options:

Configuration Options

copy: Copy only the alias file. If a file with the same name exists at the destination, the symbolic link will not be copied.

copy+force: Copy only the alias file. If a file with the same name exists at the destination, the symbolic link will replace the file. If the file of the same name at the destination is a symbolic link to a directory, it will not be replaced.

follow: Follow symbolic links and transfer the linked files. This is the default option.

skip: Ignore the symbolic link.

Server-Side Symbolic Link Handling

The following section describes how Aspera handles symbolic links in ascp based on settings configured in the aspera.conf file. The aspera.conf file can be found in the following location:

32-bit Windows: C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
64-bit Windows: C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf

Configuration Options

The following configuration options are set in the <file_system> section of the aspera.conf file:

<file_system>
  <symbolic_links>list_of_comma-separated_options</symbolic_links>
</file_system>

Note: If no option is specified, the configuration defaults to create, follow.

Option Description Client Behavior Server Behavior

create Create symbolic links with arbitrary targets. This option is set by default.

Skip if not configured. Symbolic links are always copied to the server if the client requests.

follow Follow symbolic links with targets inside docroot. If at any point the path goes outside the docroot, ascp will not complete the transfer. This option is set by default.

Symbolic links are always copied to the server if the client requests.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the receiver, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

Skip if not configured. Follow symbolic links with targets inside the docroot.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the sender, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

follow_wide Follow symbolic links with arbitrary targets, even if the targets are outside the docroot.

Symbolic links are always copied to the server if the client requests.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the receiver, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

none Take no action with the symbolic link.
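The following is an added illustration, not Aspera's code: the containment rule that separates follow from follow_wide, written as a Python check that resolves a path and compares it with the resolved docroot. The function names, the result labels (transfer, reject, skip) and the temporary directory layout are constructed; the comparison is done on whole path components because a plain string-prefix test would treat a sibling directory such as docroot-other as being inside docroot.

```python
import os
import tempfile


def inside(path, root):
    """True if path is root or lies beneath it, compared component by component."""
    # A startswith() test would wrongly accept /x/docroot-other for root /x/docroot.
    return os.path.commonpath([path, root]) == root


def crosses_symlink(path_abs, root_abs):
    """True if any component of path_abs below the docroot is a symbolic link."""
    current = root_abs
    for part in os.path.relpath(path_abs, root_abs).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def decide(path, docroot, options=""):
    """Return 'transfer', 'reject' or 'skip' for one path under the given options.

    options is the comma-separated list from <symbolic_links>; an empty list
    defaults to create, follow as the note above states.
    """
    opts = {o.strip() for o in options.split(",") if o.strip()} or {"create", "follow"}
    root_abs = os.path.abspath(docroot)
    path_abs = os.path.abspath(path)              # also collapses ".." components
    if not inside(path_abs, root_abs):
        return "reject"                           # outside the docroot without any link
    if not crosses_symlink(path_abs, root_abs):
        return "transfer"                         # ordinary file or directory
    if "follow_wide" in opts:
        return "transfer"                         # arbitrary targets allowed
    if "follow" in opts:
        # The docroot itself may be a link, so compare against its resolved form.
        root_real = os.path.realpath(root_abs)
        return "transfer" if inside(os.path.realpath(path_abs), root_real) else "reject"
    return "skip"                                 # following is not configured


def build_constructed_tree():
    """Create a throwaway docroot with one inward and one outward symbolic link."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "docroot")
    other = os.path.join(base, "docroot-other")   # sibling that shares the name prefix
    os.makedirs(os.path.join(docroot, "data"))
    os.makedirs(other)
    open(os.path.join(docroot, "data", "a.txt"), "w").close()
    open(os.path.join(other, "secret.txt"), "w").close()
    # os.symlink may need elevated rights on Windows.
    os.symlink(os.path.join(docroot, "data"), os.path.join(docroot, "inner"))
    os.symlink(other, os.path.join(docroot, "outer"))
    return docroot


if __name__ == "__main__":
    root = build_constructed_tree()
    for rel, opts in [("data/a.txt", ""), ("inner/a.txt", ""), ("outer/secret.txt", ""),
                      ("outer/secret.txt", "follow_wide"), ("inner/a.txt", "none")]:
        print(rel, repr(opts), "->", decide(os.path.join(root, *rel.split("/")), root, opts))
```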

Authorization

Connection permissions, token key, and encryption requirements.

The Authorization configuration options can be found in the application's Configuration (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server), within Global, Groups, and Users sections.

The following table lists all configuration options:

Field: Incoming Transfers
Description: The default setting of allow enables users to transfer to this computer. Setting this to deny will prevent transfers to this computer. When set to token, only transfers initiated with valid tokens will be allowed to transfer to this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, token
Default: allow

Field: Incoming External Provider URL
Description: The value entered should be the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL
Default: blank

Field: Incoming External Provider SOAP Action
Description: The SOAP action required by the external authorization provider for incoming transfers. Required if External Authorization is enabled.
Values: text string
Default: blank

Field: Outgoing Transfers
Description: The default setting of allow enables users to transfer from this computer. Setting this to deny will prevent transfers from this computer. When set to token, only transfers initiated with valid tokens will be allowed to transfer from this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, token
Default: allow

Field: Outgoing External Provider URL
Description: The value entered should be the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL
Default: blank

Field: Outgoing External Provider Soap Action
Description: The SOAP action required by the external authorization provider for outgoing transfers. Required if External Authorization is enabled.
Values: text string
Default: blank

Field: Token Encryption Cipher
Description: The cipher used to generate encrypted authorization tokens.
Values: aes-128, aes-192, aes-256
Default: aes-128

Field: Token Encryption Key
Description: This is the secret text phrase that will be used to authorize those transfers configured to require token. Token generation is part of the Aspera SDK. See the Aspera Developer's Network (Token-based Authorization Topic) for more information.
Values: text string
Default: blank

Field: Token Life (seconds)
Description: Sets token expiration for users of web-based transfer applications.
Values: positive integer
Default: 86400 (24 hrs)

Field: Token Filename Hash
Description: Which algorithm should filenames inside transfer tokens be hashed with. Use MD5 for backward compatibility.
Values: sha1, MD5, sha256
Default: sha1

Field: Strong Password Required for Content Encryption
Description: When set to true, require the password for content encryption to contain at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit.
Values: true, false
Default: false

Field: Content Protection Required
Description: When set to true,

• Users will be required on upload to enter a password to encrypt the files on the server.
• Users will be given the option when downloading to decrypt during transfer.

Important: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs while downloading, then--despite entering a passphrase--the files will remain encrypted (i.e., enveloped). If HTTP fallback occurs while uploading, then--despite entering a passphrase--the files will NOT be encrypted (i.e., enveloped).

Values: true, false
Default: false

Field: Do encrypted transfers in FIPS-140-2-certified encryption mode
Description: When set to true, ascp will use a FIPS 140-2-certified encryption module. Note: When this feature is enabled, transfer start is delayed while the FIPS module is verified.
Values: true, false
Default: false

Field: Encryption Allowed
Description: Describes the type of transfer encryption accepted by this computer. When set to any the computer allows both encrypted and non-encrypted transfers. When set to none the computer restricts transfers to non-encrypted transfers only. When set to aes-128 the computer restricts transfers to encrypted transfers only.
Values: any, none, aes-128
Default: any

Bandwidth

Incoming and outgoing transfer bandwidth and policy settings.

The Bandwidth configuration options can be found in the application's Configuration (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server), within Global, Groups and Users sections.

The following table lists all configuration options:

Field: Incoming Vlink ID
Description: The value sets Vlink ID for incoming transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, a group, or a user. Vlink ID is defined in each Vlink created in Aspera Console. Vlink ID is a unique numeric identifier.
Values: pre-defined value
Default: 0

Field: Incoming Target Rate Cap (Kbps)
Description: The value sets the Target Rate Cap for incoming transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: positive integer
Default: unlimited

Field: Incoming Target Rate Default (Kbps)
Description: This value represents the initial rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 10000

Field: Incoming Target Rate Lock
Description: After an incoming transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false
Default: false

Field: Incoming Minimum Rate Cap (Kbps)
Description: The value sets the Minimum Rate Cap for incoming transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: positive integer
Default: unlimited

Field: Incoming Minimum Rate Default (Kbps)
Description: This value represents the initial minimum rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 0

Field: Incoming Minimum Rate Lock
Description: After an incoming transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Policy of Fixed.
Values: true, false
Default: false

Field: Incoming Bandwidth Policy Default
Description: The value chosen sets the default Bandwidth Policy for incoming transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair (regular), low
Default: fair

Field: Incoming Bandwidth Policy Allowed
Description: The value chosen sets the allowed Bandwidth Policy for incoming transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair (regular), low
Default: any

Field: Incoming Bandwidth Policy Lock
Description: After an incoming transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false
Default: false

Field: Outgoing Vlink ID
Description: The value sets Vlink ID for outgoing transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, a group, or a user. Vlink ID is defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier.
Values: pre-defined value
Default: 0

Field: Outgoing Target Rate Cap (Kbps)
Description: The value sets the Target Rate Cap for outgoing transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: positive integer
Default: unlimited

Field: Outgoing Target Rate Default (Kbps)
Description: This value represents the initial rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 10000

Field: Outgoing Target Rate Lock
Description: After an outgoing transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false
Default: false

Field: Outgoing Minimum Rate Cap (Kbps)
Description: The value sets the Minimum Rate Cap for outgoing transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an outgoing transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: positive integer
Default: unlimited

Field: Outgoing Minimum Rate Default
Description: This value represents the initial minimum rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 0

Field: Outgoing Minimum Rate Lock
Description: After an outgoing transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Policy of Fixed.
Values: true, false
Default: false

Field: Outgoing Bandwidth Policy Default
Description: The value chosen sets the default Bandwidth Policy for outgoing transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair (regular), low
Default: fair

Field: Outgoing Bandwidth Policy Allowed
Description: The value chosen sets the allowed Bandwidth Policy for outgoing transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair (regular), low
Default: any

Field: Outgoing Bandwidth Policy Lock
Description: After an outgoing transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false
Default: false

Network

Network IP, port, and socket buffer settings.

The Network configuration options can be found in the application's Configuration (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server), within Global, Groups and Users sections.

The following table explains all configuration options:

Field: Bind IP Address
Description: Specify an IP address for server-side ascp to bind its UDP connection. If a valid IP address is given, ascp sends and receives UDP packets only on the interface corresponding to that IP address.

Important: The bind address should only be modified (changed to an address other than 127.0.0.1) if you, as the System Administrator, understand the security ramifications of doing so, and have undertaken precautions to secure the SOAP service.

Values: valid IPv4 address
Default: blank

Field: Bind UDP Port
Description: Prevent the client-side ascp process from using the specified UDP port.
Values: integer between 1 and 65535
Default: 33001

Field: Disable Packet Batching
Description: When set to true, send data packets back to back (no sending a batch of packets). This results in smoother data traffic at a cost of higher CPU usage.
Values: true, false
Default: false

Field: Maximum Socket Buffer (bytes)
Description: Upper bound the UDP socket buffer of an ascp session below the input value. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer
Default: 0

Field: Minimum Socket Buffer (bytes)
Description: Set the minimum UDP socket buffer size for an ascp session.
Values: positive integer
Default: 0

Field: RTT auto correction
Description: Enable auto correction of base (minimum) RTT measurement. This feature is helpful for maintaining accurate transfer rates in hypervisor-based virtual environments.
Values: true, false
Default: false

Field: Reverse path congestion inference
Description: Enable reverse path congestion inference, where the default setting of "true" prevents the transfer speed of a session from being adversely affected by congestion in the reverse (non data-sending) transfer direction. This feature is useful for boosting speed in bi-directional transfers.
Values: true, false
Default: true

File Handling

File handling settings, such as file block size, overwrite rules, and exclude pattern.

The File Handling configuration options can be found in the application's Configuration (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server), within Global, Groups and Users sections.

The following table lists all configuration options:

Field: Read Block Size (bytes)
Description: This is a performance-tuning parameter for an Aspera sender (which only takes effect if the sender is a server). It represents the maximum number of bytes that can be stored within a block as the block is being transferred from the source disk drive to the receiver. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer, where 500MB or 524,288,000 bytes is the maximum block size.
Default: 0

Field: Write Block Size (bytes)
Description: This is a performance-tuning parameter for an Aspera receiver (which only takes effect if the receiver is a server). It represents the maximum bytes within a block that an ascp receiver can write to disk. The default of 0 will cause the Aspera receiver to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer, where 500MB or 524,288,000 bytes is the maximum block size.
Default: 0

Field: Use File Cache
Description: This is a performance tuning parameter for an Aspera receiver. Enable or disable per-file memory caching at the data receiver. File level memory caching improves data write speed on Windows platforms in particular, but will use more memory. We suggest using a file cache on systems that are transferring data at speeds close to the performance of their storage device, and disable it for system with very high concurrency (because memory utilization will grow with the number of concurrent transfers).
Values: true, false
Default: true

Field: Max File Cache Buffer (bytes)
Description: This is a performance tuning parameter for an Aspera receiver. This value corresponds to the maximal size allocated for per-file memory cache (see Use File Cache). Unit is bytes. The default of 0 will cause the Aspera receiver to use its internal buffer size, which may be different for different operating systems.
Values: positive integer
Default: 0

Field: Resume Suffix
Description: File name extension for temporary metadata files used for resuming incomplete transfers. Each data file in progress will have a corresponding metadata file with the same name plus the resume suffix specified by the receiver. Metadata files in the source of a directory transfer are skipped if they end with the sender's resume suffix.

Note: When you change the resume suffix, you need to restart Aspera Sync in order for hot folders to pick new settings up. Go to Control Panel > Administrative Tools > Services and restart Aspera Sync.

Values: text string
Default: .aspx

Field: Preserve Attributes
Description: Configure file creation policy. When set to none, do not preserve the timestamp of source files. When set to times, preserve the timestamp of the source files at destination.
Values: none, times
Default: blank

Field: Overwrite
Description: Overwrite is an Aspera server setting that determines whether Aspera clients are allowed to overwrite files on the server. By default it is set to allow, meaning that clients uploading files to the servers will be allowed to overwrite existing files as long as file permissions allow that action. If set to deny, clients uploading files to the server will not be able to overwrite existing files, regardless of file permissions.
Values: allow, deny
Default: allow

Field: File Manifest
Description: When set to text a text file "receipt" of all files within each transfer session is generated. If set to disable, no File Manifest is created. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the File Manifest itself is automatically generated based on the transfer session's unique ID. The location where each manifest is written is specified by the File Manifest Path value. If no File Manifest Path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender.
Values: text, disable
Default: none

Field: File Manifest Path
Description: Specify the location to store manifest files. Can be an absolute path or a path relative to the transfer user's home.

Note: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.

Values: text string
Default: blank

Field: File Manifest Suffix
Description: Specify the suffix of the manifest file during file transfer.
Values: text string
Default: .aspera-inprogress

Field: Pre-Calculate Job Size
Description: Configure the policy of calculating total job size before data transfer. If set to any, follow client configurations (-o PreCalculateJobSize={yes|no}). If set to no, disable calculating job size before transferring. If set to yes, enable calculating job size before transferring.
Values: any, yes, no
Default: any

Field: Storage Rate Control
Description: Enable/Disable disk rate control. When enabled, adjust transfer rate according to the speed of receiving I/O storage, if it becomes a bottleneck.
Values: true, false
Default: true

Field: File Exclude Pattern List
Description: Exclude files or directories with the specified pattern in the transfer. Add multiple entries for more exclusion patterns. Two symbols can be used in the setting of patterns:

• * (Asterisk) Represents zero to many characters in a string, for example, *.tmp matches .tmp and abcde.tmp.
• ? (Question Mark) Represents one character, for example, t?p matches tmp but not temp.

Values: text entries
Default: blank

Field: Partial File Name Suffix
Description: Filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension is removed.

If hot folders will be used as the upload destination, the partial filename suffix should be set even if it means setting it to the default value .partial. Setting it prevents partial files from being downloaded from a hot folder.

Note: When you change the partial file name setting, you need to restart Aspera Sync in order for hot folders to pick up new settings. Go to Control Panel > Administrative Tools > Services and restart Aspera Sync.

Note: This option only takes effect when it is set on the receiver side.

Values: text string
Default: blank

Field: File checksum method
Description: The type of checksum to calculate for transferred files. The content of transfers can be verified by comparing the checksum value at the destination with the value read at the source. Check the override box and for the effective value, select md5, sha1, or any. For details on configuring and using the checksum feature, see Reporting Checksums on page 66.

Field: Async Log Directory
Description: An alternative location for the Aspera Sync server's log files. If empty, log files go to the default location, or the location specified by the client with -R.

Field: Async Log Level
Description: The amount of detail in the Sync server activity log. Choices are disable, dbg1, and dbg2.

Field: Async Snapdb Directory
Description: An alternative location for the Aspera Sync server's snapshot DB files.

Global Transfer Settings

The system-wide and default FASP transfer settings for your computer.

Global Bandwidth Settings

Allocate the global bandwidth for FASP file transfers.

Aspera's FASP transport has no theoretical throughput limit. Other than the network capacity, the transfer speed may be limited by rate settings and resources of the computers. This topic describes how to optimize the transfer rate by setting up the global rate settings.

To set global FASP bandwidth, bring up the application and select Tools > Global Preferences. Global bandwidth can be set by administrators only.

In the Global Preferences dialog select Transfers, and enter the download and upload bandwidth values in the System-Wide Settings field and click the checkboxes to enable the settings.

System-Wide Settings: The aggregated bandwidth cap for all FASP transfers on this computer. For more advanced bandwidth settings, see Bandwidth on page 82.

Default Target Rate: The initial download and upload rates for all transfers.

Maximum Active Transfers: The maximum number of concurrent upload transfers and download transfers.

Note: When setting the global bandwidth, the application is in fact creating virtual links (Vlink) and applying them to the default transfer settings. For more information about Vlinks, see Setting Up Virtual Links on page 93.

The global settings for download and upload bandwidth limits cannot be reset by non-admin users. However, users can view the global limit from the My Preferences > Transfers dialog. They can also adjust the default target rate and maximum number of active transfers.

My Preferences can be opened from Tools > Preferences or from the Preferences button in the upper-right corner of the application window.

Setting Up Virtual Links

Create and apply the aggregate bandwidth cap.

Virtual link (Vlink) is a feature that allows "virtual" bandwidth caps. Transfer sessions assigned to the same "virtual" link conform to the aggregate bandwidth cap and attain an equal share of it. This section first shows you how to set up Vlinks, then explains how to apply them to computers or users.

Follow these steps to configure Vlinks:

1. Create Vlinks

To configure Vlinks, launch the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and click Configuration. Select the Vlinks tab in the left panel.

Click to add a new Vlink entry, assign a number between 1 and 255.

Here is a list of all Vlink configuration options:

#: 1
Field: Vlink Name
Description: The Vlink name. This value has no impact on actual bandwidth capping.
Values: text string
Default: blank

#: 2
Field: On
Description: Select true to activate this Vlink; select false to deactivate it.
Values: true, false
Default: false

#: 3
Field: Capacity (kbps)
Description: This value reflects the virtual bandwidth cap in Kbps. When applying this Vlink to a transfer (e.g. Default outgoing), the transfer's bandwidth will be restricted by this value.
Values: positive integer in Kbps
Default: 50000

2. Apply a Vlink to a transfer

You can assign a Vlink to global, user, or group settings. This example assigns a Vlink to a user's incoming transfer session.

Bring up the Configuration window, select the Users tab, and select the user to apply the Vlink to. In the right panel, select the Bandwidth tab, check the option Incoming Vlink ID and select the Vlink to apply (choose the ID from the drop-down list):

Important: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then you will need to allow the Vlink UDP port (55001, by default) for multicast traffic.

Transfer Server Configuration

Set up the transfer server and more global/default settings.

Note: To configure the transfer server, you must run the application with admin or root privileges in order to enable the Configuration screen.

To configure IBM Aspera Connect Server, in the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) click Configuration.

To configure the computer's Aspera Central transfer server, click the Global tab in the left panel and select the Transfer Server.

The Aspera Central transfer server's configuration options:

Field | Description | Values | Default
Address | This is the network interface address on which the transfer server listens. The default value 127.0.0.1 enables the transfer server to accept transfer requests from the local computer; the value 0.0.0.0 allows the transfer server to accept requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified. | Valid IPv4 address | 127.0.0.1
Port | The port at which the transfer server accepts transfer requests. | Positive integer between 1 and 65535 | 40001
Persistent Storage | Retain data that is stored in the database between reboots of Aspera Central. | Enable, Disable | Enable
Files per session | The maximum number of files that can be retained for persistent storage. | Positive integer | 1000
Persistent Storage Path | Path to store data between reboots of Aspera Central. If the path is currently a directory, then a file is created with the default name central-store.db. Otherwise, the file will be named as specified in the path. | Valid system path | (if product is installed in default directory)
Maximum age (Seconds) | Maximum allowable age (in seconds) of data to be retained in the database. | Positive integer | 86400
Exit Central on storage error | Terminate the Aspera Central server if an error writing to the database occurs. | Ignore, Exit | Ignore
Compact database on startup | Enable or disable compacting (vacuuming) the database when the transfer server starts. | Enable, Disable | Enable

For the general configuration options (Authorization, Bandwidth, Network, File Handling, and Docroot), refer to the following sections:

Category | Description
Authorization on page 79 | Connection permissions, token key, and encryption requirements.
Bandwidth on page 82 | Incoming and outgoing transfer bandwidth and policy settings.
Network on page 86 | Network IP, port, and socket buffer settings.
File Handling on page 87 | File handling settings, such as file block size, overwrite rules, and exclude pattern.
Document Root on page 76 | The document root settings.

For additional Connect Server features (Database Logger, HTTP Fallback), refer to the following sections:

Category | Description
Database Logger on page 111 | Using a MySQL database to keep track of all transfers on your server.
Configuring HTTP and HTTPS Fallback on page 33 | Configure the HTTP Fallback server for your Connect Server, allowing file transfer through HTTP.


Managing the Node API

Managing the IBM Aspera Enterprise Server Node API

Node API Setup

Setting up the Node API.

IBM Aspera Connect Server v3.0+ features the Node API, which is a daemon that offers REST-inspired file operations and a transfer management API. The Node API has the following functionality:

• Provides an HTTPS (by default port 9092) and HTTP (by default port 9091) interface.
• API encoded in JSON.
• API is authenticated and the node daemon uses its own application-level users (i.e., "node users").
• Features a node admin utility called “asnodeadmin,” which can be utilized to add and manage "node users."
• Logs to C:\Program Files\Aspera\Enterprise Server\var\log or C:\Program Files (x86)\Aspera\Enterprise Server\var\log.

You can use the Node API to set up the following configurations:

• Set up a remote transfer server for Aspera Faspex. In this configuration, the Aspera Faspex Web UI is on Machine A, while the transfer server (an Enterprise Server node) is on Machine B. Machine A communicates with Machine B over HTTPS, by default.

• Set up nodes for Aspera Shares. In this configuration, the Aspera Shares Web UI is on Machine A, while content nodes (Enterprise Server nodes) are created on Machines B, C and D. Users can then be granted permission to access specific directories (i.e. shares) on nodes B, C and D.

To set up the Aspera Node API, follow the instructions below. These instructions assume that you have already installed Enterprise (or Connect) Server 3.0+.

1. Create a Node API username.

Aspera's Web applications authenticate to the remote node service using a Node API username and password. The following command creates a Node API user/password and associates it with a file transfer user, asp1, which you will create in the next step. The Node API credentials can then be used to create nodes. Note that different nodes may use different Node API username/password pairs.

> asnodeadmin.exe -a -u node_api_username -p node_api_passwd -x asp1

Note that adding, modifying, or deleting a node-user triggers automatic reloading of the configuration and license files, as well as the user database.

2. Create a file transfer user.

The file transfer user authenticates the actual ascp transfer, and must be an operating system account on the node. Create a transfer user (for example, asp1) on your operating system (Control Panel > User Accounts). (Creating a user account requires administrator permissions.)

Note: After creating a Windows user account, log in as that user at least once in order for Windows to set up the user's home folder (for example, C:\Users\asp1). Once the user's home folder has been created, log back in as an administrator and continue the steps below.

After you've created the operating system account, set up this user in Connect Server. For instructions on setting up a user, see .

Note: The file transfer user requires a docroot. After setting a user's docroot, be sure to perform a reload, as described in aspera.conf for Nodes.


Caution: Aspera recommends that you not use spaces in your docroot. If your docroot contains spaces, you may not receive all email notifications relating to transfer activity.

3. (Optional) Change HTTPS port and/or SSL certificate.

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on port 9092, by default). To modify the HTTPS port, see aspera.conf for Nodes. For information on maintaining and generating a new SSL certificate, see Setting up SSL for your Nodes on page 103.

Setting up Node Users

Using asnodeadmin to set up node users

The asnodeadmin program can be used to manage (add, modify, delete, and list) node users. For each node user, you must indicate the following:

• Node username
• Node user's password
• Transfer/system username, which must be an operating system account on the node. This username is critical, since it's the user who authenticates the actual ascp transfer. If the transfer user is not mapped to the node user, then you will receive an error.

Recall in the topic "Node API Setup," we created a node user and linked this user to file transfer user "asp1." For asnodeadmin usage, please refer to the topic "Node Admin Tool."

Important: Note that adding, modifying or deleting a node-user triggers automatic reloading of the conf and license files, as well as the user database.

Usage Examples

(All short options; use asnodeadmin.exe -h to see the corresponding long options).

1. Add user “usr1” with password “pwd1” (will be prompted to enter if the -p option is not given) and associated transfer/system user “aspera”:

> asnodeadmin.exe -au usr1 -x aspera [-p pwd1]

2. Add user “usr2” with password “pwd2” and associated system/transfer user “root”:

> asnodeadmin.exe -au usr2 -p pwd2 -x root

3. Modify user “usr1” by assigning it a different password, “pwd1.1”:

> asnodeadmin.exe -mu usr1 -p pwd1.1

4. List users in the current user DB:

> asnodeadmin.exe -l

5. Delete user “usr1”:

> asnodeadmin.exe -du usr1

Node Admin Tool

Usage Instructions for asnodeadmin

The help file below displays asnodeadmin options, which can be used to configure node users.


Note: Executing asnodeadmin requires admin privileges.

> asnodeadmin.exe -h

Usage: asnodeadmin.exe [options]

Options:
  -h,--help                     Display usage.
  -A,--version                  Display version.
  -f conf_file                  Conf file pathname (default: aspera.conf).
  --reload                      Reload configuration settings, including the conf file
                                (also done implicitly upon user add, modify and delete).
  -a,--add                      Add a user (also reloads configuration).
  -d,--del[ete]                 Delete an existing user (also reloads configuration).
  -m,--mod[ify]                 Modify an existing user (also reloads configuration).
  --acl-add                     Add new ACLs for a user. May be used with -m or -a.
  --acl-set                     Sets ACLs (clears old ACLs) for a user. May be used with -m or -a.
  --acl-del                     Deletes ACLs for a user. May be used with -m.
  --acl-list                    Lists all current ACLs for a user.
  --internal                    Required for adding, modifying, or deleting internal users.
  -l,--list                     List users.
  -u,--user=username            Specify username.
  -p,--{pwd|password}=passwd    Specify password.
  -x,--xuser=xfer_username      Specify system transfer user.
  -b,--backup=filename          Back_up user data to a file.
  -r,--restore=filename         Restore user data from a file.
  -P                            Display hashed passwords as well when listing users.
  -L local_log_dir              Local logging directory (default: no logging).
  -D...                         Debug level (default: no debug output).
  --transfer-log-del xnid       Delete an individual transfer from the activity log.
  --transfer-log-cleanup        Delete all transfers from the activity log older than activity_retention_hrs.
  --db-shutdown                 Shut down the database.

aspera.conf for Nodes

Editing aspera.conf for your node configuration.

In your aspera.conf file, use the <server> section (shown below) to configure your node machines. The aspera.conf file is found in the following location:

OS Version | File Location
32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf

Note: Each of the settings below requires certain services to be restarted in order for any changes to take effect. The services to restart are noted in the To Activate Changes column in the table below, and the commands to restart these services are given at the end of this topic.


<server>
    <server_name>your_hostname</server_name>   <!-- hostname or IP address -->
    <http_port>9091</http_port>                <!-- integer (1 - 65535) -->
    <https_port>9092</https_port>              <!-- integer (1 - 65535) -->
    <enable_http>false</enable_http>           <!-- true | false -->
    <enable_https>true</enable_https>          <!-- true | false -->
    <cert_file>                                <!-- full path; .chain file same /path/filename -->
        C:\Program Files\Aspera\Enterprise Server\etc\aspera_server_cert.pem
    </cert_file>
    <max_response_entries>1000</max_response_entries>  <!-- max entries to return in response -->
    <max_response_time_sec>10</max_response_time_sec>  <!-- max seconds to wait for long operation -->
    <db_dir>C:\Program Files\Aspera\Enterprise Server\var</db_dir>  <!-- path to dir where DB file will be saved -->
    <db_port>31415</db_port>                   <!-- integer (1 - 65535) -->
    <enable_sslv2>true</enable_sslv2>          <!-- boolean true or false -->
    <ssl_ciphers>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:...</ssl_ciphers>  <!-- ssl_ciphers: see full default list in table below -->
    <ssl_protocol>sslv23</ssl_protocol>        <!-- sslv3, sslv23, tlsv1, tlsv1.1, or tlsv1.2 -->
</server>

Setting | Description | Default Value | To Activate Changes...
<server_name> | Hostname or IP address. | hostname | Restart node service
<http_port> | HTTP service port. | 9091 | Restart node service
<https_port> | HTTPS service port. | 9092 | Restart node service
<enable_http> | Enable HTTP for the Node API services. | false | Restart node service
<enable_https> | Enable HTTPS for the Node API services. | true | Restart node service
<cert_file> | Full pathname of SSL certificate (.pem and existing support for .chain). | C:\Program Files [(x86)]\Aspera\Enterprise Server\etc\aspera_server_cert.pem | Restart node service
<max_response_entries> | Maximum number of entries to return in a response. | 1000 | Reload node configuration.
<max_response_time_sec> | Maximum amount of time to wait for a long-running operation. | 10 | Reload node configuration.
<db_dir> | Path to the directory where the database file is saved. Before changing this value, you should back up your database. See Redis DB Backup/Restore on page 103. | C:\Program Files [(x86)]\Aspera\Enterprise Server\var | Restart the node and DB services.
<db_port> | Database service port. Before changing this value, you should back up your database. See Redis DB Backup/Restore on page 103. | 31415 | Restart the node and DB services.
<ssl_ciphers> | The SSL encryption ciphers that the server will allow, each separated by a colon (:). This option may also be set in the <client> section, in which case, when this machine functions as a client, the specified ciphers are requests to the server. If any of the ciphers in the server's allow list coincide with those in the client's request list, communication is allowed; otherwise it is denied. If you override this setting, the override is always used. However, if you do not override it, the default setting depends on the settings for <ssl_protocol>. If <ssl_protocol> is set to sslv23, then a large, relatively weak selection of suites is allowed. If the protocol is anything else, then a smaller, stronger selection of suites is allowed. Many older web browsers cannot handle the stronger set of suites, in which case you may experience compatibility issues. | All of the following: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, RC2-CBC-MD5 | Restart node service.
<ssl_protocol> | The SSL protocol versions that the server will allow. This option may also be set in the <client> section, in which case, when this machine is a client, the specified protocols function as requests to the server. If any of the protocols in the server's allow list coincide with those in the client's request list, communication is allowed; otherwise it is denied. Supported values: sslv3, tlsv1, tlsv1.1, tlsv1.2, and sslv23. Despite its name, specifying sslv23 (the default) allows all supported protocols, including all TLS versions. | sslv23 | Restart node service.
<enable_sslv2> | Setting to true (default) enables SSLv2. If <ssl_protocol> is not set (or is explicitly set to its default sslv23), setting <enable_sslv2> to false allows only SSLv3 and TLSv1.x (that is, all protocols except SSLv2). If <ssl_protocol> is set to any value other than sslv23, settings for <enable_sslv2> have no effect. | true | Restart node service.

Note: Executing the commands below requires admin privileges.

Restarting the Node Service

> sc stop asperanoded
> sc start asperanoded

Reloading the Node Configuration

> asnodeadmin.exe --reload

Restarting the Node and DB Services

> sc stop asperanoded
> asnodeadmin.exe --db-shutdown
> sc start asperanoded

Note: The DB service is started automatically when you restart the node service.
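The interaction between <ssl_protocol>, <enable_sslv2> and <ssl_ciphers> described in the table above can be checked mechanically before the node service is restarted. The following Python script is an added example, not part of the Aspera documentation or tooling; the function names, the list of weak-suite markers and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults from the <server> settings table; they apply when an element is absent.
DEFAULTS = {"enable_http": "false", "enable_https": "true",
            "enable_sslv2": "true", "ssl_protocol": "sslv23"}

# Assumption of this example: substrings that mark a suite as weak
# (RC2, RC4, DES/3DES, MD5 MACs, export-grade and NULL suites).
WEAK_MARKERS = ("RC2", "RC4", "DES", "MD5", "EXP", "NULL")

# Constructed sample: the values shown in the documentation's <server> block.
SAMPLE_DEFAULT_CONF = """<CONF version="2"><server>
  <enable_http>false</enable_http><enable_https>true</enable_https>
  <enable_sslv2>true</enable_sslv2><ssl_protocol>sslv23</ssl_protocol>
  <ssl_ciphers>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:RC2-CBC-MD5</ssl_ciphers>
</server></CONF>"""

# Constructed sample: a tightened configuration using values the table lists.
SAMPLE_HARDENED_CONF = """<CONF version="2"><server>
  <enable_http>false</enable_http><enable_https>true</enable_https>
  <enable_sslv2>false</enable_sslv2><ssl_protocol>tlsv1.2</ssl_protocol>
  <ssl_ciphers>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</ssl_ciphers>
</server></CONF>"""


def load_server_settings(conf_text):
    """Return {element name: text} for the first <server> section in aspera.conf."""
    root = ET.fromstring(conf_text)
    server = root if root.tag == "server" else root.find(".//server")
    if server is None:
        raise ValueError("aspera.conf has no <server> section")
    return {child.tag: (child.text or "").strip() for child in server}


def audit_server_tls(conf_text):
    """Return a list of (setting, message) findings for the Node API listener."""
    settings = load_server_settings(conf_text)

    def value(name):
        # An absent or empty element falls back to the documented default.
        return (settings.get(name) or DEFAULTS[name]).lower()

    findings = []
    if value("enable_http") == "true":
        findings.append(("enable_http", "Node API is also served over cleartext HTTP"))
    if value("enable_https") != "true":
        findings.append(("enable_https", "HTTPS interface is disabled"))

    protocol = value("ssl_protocol")
    if protocol == "sslv23":
        # Documented rule: enable_sslv2 only has an effect while ssl_protocol is sslv23.
        if value("enable_sslv2") == "true":
            findings.append(("ssl_protocol",
                             "sslv23 with enable_sslv2=true accepts SSLv2, SSLv3 and TLSv1.x"))
        else:
            findings.append(("ssl_protocol",
                             "sslv23 with enable_sslv2=false still accepts SSLv3"))
    elif protocol in ("sslv3", "tlsv1", "tlsv1.1"):
        findings.append(("ssl_protocol", protocol + " is a deprecated protocol version"))

    ciphers = settings.get("ssl_ciphers", "")
    if ciphers:
        # An explicit override is always used, so inspect each listed suite.
        weak = [c for c in ciphers.split(":")
                if any(marker in c.upper() for marker in WEAK_MARKERS)]
        if weak:
            findings.append(("ssl_ciphers", "weak suites allowed: " + ", ".join(weak)))
    elif protocol == "sslv23":
        findings.append(("ssl_ciphers",
                         "no override; sslv23 selects the large, relatively weak default list"))
    return findings


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(name)
        for setting, message in audit_server_tls(conf) or [("-", "no findings")]:
            print("  %s: %s" % (setting, message))
```

Changes to any of the settings this script reports require a restart of the node service, as listed in the table.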


Redis DB Backup/Restore

Instructions for backing up and restoring the database.

To back up and restore the Redis database (and your user data up to the point-in-time of the backup operation), follow the instructions below. Note that the backup and restore operations should be used for the following scenarios:

• If you need to change the Redis database port number (<db_port/> in aspera.conf), you should first back up the Redis database. Once you have changed the port number, you need to restore the database.

• Basic backup and restore (after a data-loss event).

1. Back up the Redis database.

Use the following command to back up your Redis database (before changing the port number):

> asnodeadmin.exe -b C:\your\backup\dir\database.backup

Important: When backing up the Redis database, all user data up to that point-in-time will be saved to the backup file. Restoring the database (see Step 2, below) does not delete users added after this snapshot was taken. Thus, if you added any users after backing up the database, then they will still exist in the system and will not be affected by the restore operation.

2. Restore the Redis database.

Use the following command to restore your Redis database:

> asnodeadmin.exe -r C:\your\backup\dir\database.backup

Recall the "Important Note" in Step 1, which stated that restoring the database does not delete users added after the database snapshot was taken. If you do not want to keep users that have been added since the last backup operation, you can delete them after performing the restore with the asnodeadmin command -du username.

3. Restart the asperanoded service.

Use the following command(s) to restart the asperanoded service (requires a restart rather than a reload):

Windows 32-bit

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc stop asperanoded
C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc start asperanoded

Windows 64-bit

C:\Program Files\Aspera\Enterprise Server\bin> sc stop asperanoded
C:\Program Files\Aspera\Enterprise Server\bin> sc start asperanoded

Setting up SSL for your Nodes

Communicating with Aspera nodes over HTTPS

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on Port 9092, by default). For example, if you are running the Faspex Web UI or the Shares Web UI on Machine A, you can encrypt the connection (using SSL) with your transfer server or file-storage node on Machine B. Enterprise Server nodes are pre-configured to use Aspera's default, self-signed certificate (aspera_server_cert.pem), located in the following directory:

• (Windows 32-bit) C:\Program Files (x86)\Aspera\Enterprise Server\etc
• (Windows 64-bit) C:\Program Files\Aspera\Enterprise Server\etc

To generate a new certificate, follow the instructions below.


About PEM Files: The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

1. Create a working directory

In a Command Prompt window (Start menu > All Programs > Accessories > Command Prompt), create a new working directory as follows:

> cd c:\
> mkdir ssl
> cd c:\ssl

2. Copy openssl.cnf to your working directory

Enter the following commands in your Command Prompt window:

32-bit Windows

> copy "C:\Program Files\Common Files (x86)\Aspera\common\apache\conf\openssl.cnf" "C:\ssl\"
> cd C:\ssl

64-bit Windows

> copy "C:\Program Files\Common Files\Aspera\common\apache\conf\openssl.cnf" "C:\ssl\"
> cd C:\ssl

3. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request

In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Command Prompt window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):

> openssl req -config "c:\ssl\openssl.cnf" -new -nodes -keyout my_key_name.key -out my_csr_name.csr

Note that in the example above, the .key and .csr files will be written to the c:\ssl\ directory.

4. Enter your X.509 certificate attributes

After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.

Important: The common name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.

Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:[email protected]

You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (e.g., when starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the "enter" button.

...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

After finalizing the attributes, the private key and CSR will be saved to your root directory.

Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.

5. Send CSR to your signing authority

You now need to send your unsigned CSR to a Certifying Authority (CA). Once completed, you will have a valid, signed certificate.

Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Please check with your CA for additional information.

6. (Optional) Generate a Self-Signed Certificate.

At this point, you may need to generate a self-signed certificate because:

• You don't plan on having your certificate signed by a CA
• Or you wish to test your new SSL implementation while the CA is signing your certificate

You may also generate a self-signed certificate through OpenSSL. To generate a temporary certificate (which is good for 365 days), issue the following command:

openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt

7. Create the PEM file.

After generating a new certificate, you must create a pem file that contains both the private key and the certificate. To do so, copy and paste the entire body of the key and cert files into a single text file and save the file as aspera_server_cert.pem (before overwriting, be sure to back up the existing pem file as aspera_server_cert.old), in the following directory:

• (Windows 32-bit) C:\Program Files\Aspera\Enterprise Server\etc
• (Windows 64-bit) C:\Program Files (x86)\Aspera\Enterprise Server\etc

8. Enable SSL options in aspera.conf

See aspera.conf for Nodes on page 99 for information about enabling specific SSL protocols with <ssl_protocol> and enabling specific encryption ciphers with <ssl_ciphers>.

9. Restart the node service.

You must restart (not reload) the Aspera node service after generating a new certificate. To do so, run the following command(s):


Windows 32-bit

C:\Program Files\Aspera\Enterprise Server\bin> sc stop asperanoded
C:\Program Files\Aspera\Enterprise Server\bin> sc start asperanoded

Windows 64-bit

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc stop asperanoded
C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc start asperanoded
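Step 7 is done by hand with copy and paste, which makes it easy to paste the CSR instead of the certificate or to overwrite the old pem file without a backup. The following Python script is an added example, not part of the Aspera documentation; it builds aspera_server_cert.pem from the key and certificate files, keeps the previous file as aspera_server_cert.old, and refuses input that is not one private key plus at least one certificate. The function names are constructed, the PEM bodies in the demo are constructed placeholder bytes rather than real key material, and rejecting a passphrase-protected key is an assumption of this example (the key produced with -nodes in step 3 is not encrypted).

```python
import base64
import binascii
import re
import shutil
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, decoded_bytes)] for each PEM block; reject a non-base64 body."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            data = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(label + " block is not valid base64") from exc
        blocks.append((label, data))
    return blocks


def build_server_pem(key_path, cert_path, pem_path):
    """Write key + certificate to pem_path, backing up an existing file as *.old.

    Returns the block labels found in the file that was written.
    """
    key_text = Path(key_path).read_text()
    cert_text = Path(cert_path).read_text()

    # Assumption: the service cannot be given a key passphrase, so an
    # encrypted key (legacy Proc-Type header or PKCS#8 label) is rejected.
    if "Proc-Type:" in key_text or "BEGIN ENCRYPTED PRIVATE KEY" in key_text:
        raise ValueError("private key is passphrase-protected")

    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if not certs:
        # Typical mistake: passing my_csr_name.csr (CERTIFICATE REQUEST) here.
        raise ValueError("no CERTIFICATE block in " + str(cert_path))

    pem_path = Path(pem_path)
    if pem_path.exists():
        # aspera_server_cert.pem -> aspera_server_cert.old, as step 7 instructs.
        shutil.copy2(pem_path, pem_path.with_suffix(".old"))
    pem_path.write_text(key_text.strip() + "\n" + cert_text.strip() + "\n")
    return [label for label, _ in pem_blocks(pem_path.read_text())]


def constructed_pem(label, payload):
    """Build a syntactically valid PEM block around placeholder bytes (demo only)."""
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    (work / "my_key_name.key").write_text(constructed_pem("PRIVATE KEY", b"constructed key"))
    (work / "my_cert_name.crt").write_text(constructed_pem("CERTIFICATE", b"constructed cert"))
    (work / "aspera_server_cert.pem").write_text("previous pem contents\n")
    print(build_server_pem(work / "my_key_name.key", work / "my_cert_name.crt",
                           work / "aspera_server_cert.pem"))
    print(sorted(p.name for p in work.iterdir()))
```

Run it from an elevated prompt against the real etc directory, then restart the node service as described in step 9.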


Hot Folders

Set up the folder synchronization through the FASP transfers.

Setting Up Hot Folders

Configure a local and a remote folder for the synchronization.

With hot folders, you can monitor selected (and configured) folders for changes and automatically transfer new or modified files. Hot folders can be used for one-way replication between two locations or simply as a way of forwarding files in your workflow. The hot folders feature uses IBM Aspera Sync, which runs as a service in the background.

Note: In order for the hot folder feature to work, the peer machines must be running compatible versions of Sync. The 3.5 version of Sync requires peers with either Sync 3.5 or Sync 1.5.6. Installations of IBM Aspera Enterprise Server, Connect Server, Point-to-Point Client, and Desktop Client include these versions of Sync as follows:

• Version 3.5 products include Sync 3.5.
• Version 3.4.6 products include Sync 1.5.6.

To set up the hot folders, use the file browser in the application (Start menu > All Programs > Aspera > Enterprise Server > Enterprise Server) to navigate into the path you wish to set up as the hot folder. Right-click the panel and select New > Hot Folder to bring up the New Hot Folder dialog. You can also launch it from File > New > Hot Folder.

The New Hot Folder window includes the following configuration tabs:

Tab | Description
Hot Folder | Set up the source, the destination, and the synchronization interval.
Transfer | The transfer speed and transfer policy.
Tracking | Turn on and configure email notification(s) for transfer start, completion and/or error.
Filters | Create filters to skip files that match certain patterns.
Security | Enable the transfer encryption and the content protection.
File Handling | Set up resume rule, preserve transferred file attributes, and remove source files.


Hot Folder

Option | Description
Name | The hot folder's name. Use the default name or enter your own. The default name is the name of the Windows folder.
Source | Specify the source for the hot folders.
Destination | Specify the destination for the hot folders.
Send Changes | Select when to perform the synchronization. Use Send immediately to synchronize whenever a file in the folder is changed. Use Daily at to specify a daily time to synchronize. Note: When the specified time is reached, file transfers from the hot folder are allowed for one hour, including any new files added during that window. The one-hour window supports retries. Use the Periodic scan interval to specify how regularly Aspera Drive scans your hot folders for updates and changes. Note: In some scenarios when file notification is not available, this feature must be activated in order to detect file changes in your hot folders.
Generate | This button restores the default setting (if the field was cleared or modified).

Transfer

Option | Description
Policy | Select the transfer policy. Refer to FASP Transfer Policies on page 143.
Speed | Check this option to specify the transfer rate.

Tracking

Option | Description
Send Email Notifications | Check this box to enable email notifications and to display configuration options. Note that notifications are not sent until they are enabled under "Preferences." Please refer to the topic Configuring Transfer Notifications on page 57 for details. Important: For hot folder email notifications to work, the GUI has to remain open.
When (not displayed until checkbox is enabled) | Select one or more events that trigger the notification (transfer start, completion and/or error).
To (not displayed until checkbox is enabled) | Enter recipients' email address(es).
Template (not displayed until checkbox is enabled) | Select a notification template from the drop-down list. You may add, delete, edit and preview templates by clicking the "Manage Templates" button.
Message (not displayed until checkbox is enabled) | Include a custom message with the notification.


Filters

Click Add and enter the pattern to exclude files or directories with the specified pattern in the transfer. The exclude pattern is compared with the whole path, not just the file name or directory name. As shown below, the asterisk (*) can be used in the setting of patterns:

Symbol | Name | Description
* | Asterisk | Represents zero to many characters in a string, for example *.tmp matches .tmp and abcde.tmp.

Examples:

Filter Pattern | Matched files
*dirName | path/to/dirName, another/dirName
*1 | a/b/file1, /anotherfile1
*filename | path/to/filename, /filename

Note: The temporary files used by Aspera to resume incomplete files are ignored according to the resume suffix setting of the sender. For more information about the resume suffix, see File Handling on page 87.

Security

Option | Description
Encryption | When checked, FASP encrypts files while transferring. Encryption may decrease performance, especially at higher transfer speeds and with slower computers.
Content Protection | Two options: Encrypt uploaded files with a password encrypts the uploaded files with the specified password. The protected file has the extension .aspera-env appended to the file name; Decrypt password-protected files downloaded prompts for the decryption password when downloading encrypted files.

File Handling

Option | Description
Resume | Check Resume incomplete files to enable the resume feature. In the When checking files for differences options: Compare file attributes only checks if the existing file is the same size; Compare sparse file checksums performs a sparse checksum on the existing file; Compare full file checksums performs a full checksum on the existing file.
File Attributes | Check Preserve file timestamps to preserve the transferred files' timestamps.
Source Deletion | Check Automatically delete source files after transfer to delete the successfully-transferred files from the source. Check Delete source directories to also remove the folder.

Important: If you are using a transfer proxy or an HTTP proxy, the hot folders feature uses global proxy settings only, not the My Preferences proxy settings. For information about enabling a proxy server, see Enabling a Transfer or HTTP Proxy on page 49.

Note: Any empty folders created in a hot folder are not pushed to the server. However, empty folders that have been created on the server are pulled to the local destination.


Managing Hot Folders

Monitor and control the configured Hot Folders.

You can manage created Hot Folders in the Hot Folders panel:

In the Hot Folders panel, you can monitor the synchronization status, and use the , , and buttons to control the Hot Folders' transfer.

To edit existing Hot Folders, right-click the entry in the Hot Folders panel and select Edit... . You can also create a new one by selecting New....


Database Logger

Using a MySQL database to keep track of all transfers on your server.

Setting Up Database Logger

Import Database Logger's schema to the MySQL database, and set up the proper access permissions.

The Database Logger is a feature that records all the server's Aspera transactions to a MySQL database. Follow the steps below to set it up.

Important: To migrate the database from Version {X} to the latest version, please refer to the last step in the instructions below.

1. Prepare the MySQL Database Server

The Database Logger supports MySQL Server 5 and above. Prepare a system with MySQL installed and configured. The latest MySQL software download can be found at http://dev.mysql.com/downloads/.

2. Create the database

Locate the Database Logger schema file in the following location:

| OS Version | Path |
|---|---|
| 32-bit Windows | C:\Program Files\Aspera\Enterprise Server\var\create_logger_database.sql |
| 64-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\var\create_logger_database.sql |

Copy the file to the computer that runs the MySQL Server, and use the following commands to import this file into the database. This example uses the following settings:

| Item | Value |
|---|---|
| MySQL login | root |
| Database Logger schema file location | c:\create_logger_database.sql |

    > mysql -u root -p < c:\create_logger_database.sql
    > mysql -u root -p aspera_console
    mysql> show tables;

When finished, the database aspera_console will be imported to the MySQL Server. You should see the tables of this database.

3. Set up the MySQL user for Database Logger

A database user with proper permissions is required for Database Logger. In the following example, the user account is created with the setup:

| Item | Value |
|---|---|
| MySQL login | logger |
| Password | logger-password |
| IP address of remote machine | 10.0.0.5 |

    CREATE USER 'logger'@'10.0.0.5' IDENTIFIED by 'logger-password';
    GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_files TO 'logger'@'10.0.0.5';
    GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_sessions TO 'logger'@'10.0.0.5';
    GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_nodes TO 'logger'@'10.0.0.5';
    GRANT INSERT ON aspera_console.fasp_rates TO 'logger'@'10.0.0.5';
    FLUSH PRIVILEGES;

4. Modify MySQL Settings (Only if MySQL server is on Windows)

If you are running the database on a Windows machine, open the MySQL config file, for example:

C:\Program Files\MySQL\MySQL Server (Version)\my.ini

Find the line that says [mysqld], and add the line immediately under it:

skip-name-resolve

5. (For database migrations only) Use the *.sql scripts to migrate the database.

To migrate your database to the most current version, use the scripts provided in the following directory:

| OS Version | Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\var\ |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\var\ |

The command to execute the scripts is shown below. The scripts must be executed in a specific order.

    > mysql -u root -p < migrate_logger_database_VER1_to_VER2.sql

The required order is displayed below.

    > mysql -u root -p < "migrate_logger_database_7715_to_11340.sql"
    > mysql -u root -p < "migrate_logger_database_11340_to_34300.sql"
    > mysql -u root -p < "migrate_logger_database_34300_to_60784.sql"

The Database Logger's schema can be found in the document Aspera Database Logger Schema.

Configuring the Database Logger

Update the settings in the Aspera configuration to establish connections with the MySQL database.

Here is a list of all the Database Logger configuration options:

| # | Field | Description | Values | Default |
|---|---|---|---|---|
| 1 | Host IP | The MySQL server's IP address. | valid IPv4 address | 127.0.0.1 |
| 2 | Port | The MySQL server's port number. | integer between 1 and 65535 | 4406 |
| 3 | User | User login for the database server. | text string | blank |
| 4 | Password | The database user account's password. | text string | blank |
| 5 | Database Name | Name of the database used to store Aspera transfer data. | text string | blank |
| 6 | Threads | The number of parallel connections used for database logging. A higher value may be useful when a large number of files are being transferred within a given timeframe. | integer between 1 and 40 | 10 |
| 7 | Stop Transfers on Database Error | Quits all ongoing transfers and no new transfers are permitted when a database error prevents data from being written to the database. Set this to true if all transfers must be logged by your organization. | true, false | false |
| 8 | Show Session Progress | Setting this value to true will log transfer status such as number of files transferred, and bytes transferred, at a given interval. | true, false | true |
| 9 | Session Progress Interval | The frequency at which an Aspera node logs transfer session information, in seconds, up to 65535 seconds. | integer between 1 and 65535 | 1 |
| 10 | Show File Events | Setting this value to true enables the logging of complete file paths and file names. Performance may be improved when transferring datasets containing thousands of files. Also see Files Per Session for setting a threshold for the number of files to log per session. | true, false | true |
| 11 | Show File Progress | Setting this value to true will log file status such as bytes transferred, at a given interval. | true, false | true |
| 12 | File Progress Interval | The frequency at which an Aspera node logs file transfer information, in seconds. | integer between 1 and 65535 | 1 |
| 13 | Files Per Session | The value set will be the cut-off point for file names logged in a given session. For instance, if the value is set to 50, the first 50 file names will be recorded for any session. The session will still record the number of files transferred along with the number of files completed, failed or skipped. The default setting of 0 logs all file names for a given session. | positive integer or zero (all file names) | 0 |
| 14 | Ignore Empty Files | Setting this to true will block the logging of zero-byte files. | true, false | false |
| 15 | Ignore No-transfer Files | Setting this to true will block the logging of files that have not been transferred because they exist at the destination at the time the transfer started. | true, false | false |
| 16 | Show Rate Events | Setting this to true will log changes made to the Target Rate, Minimum Rate, and Transfer Policy by any user or Aspera node administrator during a transfer. | true, false | true |
| 17 | Node Registration | Setting this to true will cause the database logger to register the node automatically on startup. | true, false | true |


Pre- and Post-Processing (Prepost)

Execute scripts before and after the FASP file transfers on your server.

Setting Up Pre/Post

Enable the pre- and post-processing on your server.

Your Aspera server executes a batch script at a pre-defined location.

| OS Version | Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\var |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\var |

This script is executed as a result of four (4) transfer events:

• Session start
• Session end
• Start of each individual file transfer in the session
• End of each individual file transfer in the session

aspera-prepost.bat can also execute additional batch scripts, Perl scripts, native executables and Java programs. Aspera sets several environment variables for aspera-prepost.bat, as well as for you to use in your own custom scripts. These environment variables are described in detail within the topic Pre/Post Variables on page 116.

Depending on usage, pre- and post-processing may consume a great amount of system resources. Please evaluate your own system performance and apply this feature appropriately.

Caution: Please take caution in creating pre- and post-processing scripts, as an unsafe script can compromise a server. As with CGI scripts, it is recommended that you take precautions in testing a pre/post script before placing it into use (e.g., taint checking, ensuring proper quotes, etc.). Also note that a pre/post script will run as the same user who authenticates for the transfer. To prevent a pre/post script from performing an action with elevated or special user permissions, the script needs to check the $USER variable.

Follow the steps below to set up pre/post processing for your Aspera transfer product.

1. (Optional) Install Perl-script Support

Pre- and post-processing supports the Perl programming language. In a Command Prompt window (Start menu > All Programs > Accessories > Command Prompt), use the following command to verify if Perl is supported on your system:

    > perl -v

If Perl is supported by your system, you will see a confirmation message displaying the Perl version. If Perl is not supported, and you would like to use Perl scripts in your pre/post processing, you can download and install Active Perl from the link http://www.activestate.com/store/activeperl/download/.

2. Set up the batch script file

Navigate to the following directory:

| OS Version | Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\var |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\var |

Locate the following file:

    aspera-prepost-email.bat

Important: This file runs the Perl script aspera-notif.pl, which is an email notification script that sends email messages (according to user-defined filters) to recipients. Filters and lists are defined in the Aspera configuration file aspera.conf, located in \Aspera\Enterprise Server\etc\.

Copy the contents of aspera-prepost-email.bat into a new file, and name it as follows:

    aspera-prepost.bat

3. Create your scripts

The pre/post processing script, aspera-prepost.bat, can contain the pre/post processing steps, as well as execute other programs (including other .bat scripts). Often, aspera-prepost.bat checks for certain conditions (based on the environment variables) and then calls a specific external executable based on those conditions. Recall that aspera-prepost.bat is executed as a result of four (4) transfer events:

• Session start
• Session end
• Start of each individual file transfer in the session
• End of each individual file transfer in the session

You can use the variables TYPE and STARTSTOP to specify a particular state. For the complete list of all variables, refer to Pre/Post Variables on page 116.

4. Include custom commands in aspera-prepost.bat

As a best practice, store your custom scripts in the following directory:

| OS Version | Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\custom |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\custom |

When you create custom scripts, move them into the suggested directory and add the scripts (as commands) to the file aspera-prepost.bat. For example, to add the custom script "script1.pl" to your pre/post script, insert the following line (into aspera-prepost.bat):

    ...
    c:\Perl\bin\perl.exe ..\custom\script1.pl
    ...
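The caution in Setting Up Pre/Post asks for taint checking, careful quoting and a check of the USER variable. The following custom script, written here as an added example and not taken from Aspera's own code, applies all three to the pre/post environment variables. The permitted account list, the docroot C:\transfers\, the tool C:\Tools\scan.exe and the assumption that FILE holds a full Windows path are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Aspera code. Call it from aspera-prepost.bat with taint
# mode switched on:  c:\Perl\bin\perl.exe -T ..\custom\script1.pl
use strict;
use warnings;

die "refusing to run without taint mode (perl -T)\n" unless ${^TAINT};

# Fixed environment for child processes; taint mode rejects an inherited PATH.
$ENV{PATH} = 'C:\\Windows\\System32';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERL5OPT)};

# --- Assumptions (hypothetical values, adjust for your site) ---------------
my %ALLOWED_USER = map { $_ => 1 } qw(asp1);   # transfer-only accounts
my $DOCROOT      = 'C:\\transfers\\';          # where transferred files may live
my $SCANNER      = 'C:\\Tools\\scan.exe';      # post-processing tool

# Allow-list pattern per pre/post variable. The capture group is what
# untaints the value; anything that does not match is rejected outright.
my %RULE = (
    TYPE      => qr/\A(Session|File)\z/,
    STARTSTOP => qr/\A(Start|Stop)\z/,
    STATE     => qr/\A(started|success|failed)\z/,
    USER      => qr/\A([A-Za-z0-9_.-]{1,64})\z/,
    # Path characters only: no quotes and no cmd.exe metacharacters
    # (& | < > ^ % ! ( ) ;), so the value stays inert wherever it is quoted.
    FILE      => qr/\A([A-Za-z]:[\\\/][A-Za-z0-9 _.\\\/-]{1,240})\z/,
);

# Return the validated, untainted value of a variable, or undef.
sub checked {
    my ($name) = @_;
    my $raw = defined $ENV{$name} ? $ENV{$name} : '';
    return $raw =~ $RULE{$name} ? $1 : undef;
}

# Log a fixed reason (never the rejected value itself) and stop.
sub reject {
    my ($why) = @_;
    print STDERR "script1.pl: rejected event: $why\n";
    exit 1;
}

my %v;
for my $name (qw(TYPE STARTSTOP STATE USER)) {
    $v{$name} = checked($name);
    reject("bad or missing $name") unless defined $v{$name};
}

# The script runs as the authenticated transfer user, so refuse any account
# that is not an expected transfer-only login (exact, case-sensitive match).
reject("user not permitted") unless $ALLOWED_USER{ $v{USER} };

# Act on one event only: the end of a successfully transferred file.
# Every other event is a deliberate no-op.
exit 0 unless $v{TYPE} eq 'File'
           && $v{STARTSTOP} eq 'Stop'
           && $v{STATE} eq 'success';

my $file = checked('FILE');
reject("bad or missing FILE") unless defined $file;

(my $norm = $file) =~ tr{/}{\\};               # one separator style
reject("path traversal in FILE") if $norm =~ /(?:\A|\\)\.\.(?:\\|\z)/;
reject("FILE outside docroot")
    unless lc(substr($norm, 0, length $DOCROOT)) eq lc $DOCROOT;

# List-form system: the path is passed as a single argument rather than
# spliced into a command string.
my $rc = system { $SCANNER } $SCANNER, $norm;
reject("scanner failed (status $rc)") if $rc != 0;
exit 0;
```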

Pre/Post Variables

The predefined variables for setting up the pre- and post-processing.

The following tables list all pre/post variables:

Note: Pre/post variables are case-sensitive.

For Type Session and Type File

| Variable | Description | Values | Example |
|---|---|---|---|
| COOKIE | The user-defined cookie string. | string | "%COOKIE%" == "cookie-string" |
| DIRECTION | The transfer direction. | send, recv | "%DIRECTION%" == "send" |
| ERRCODE | The error code. | string | "%ERRCODE%" == "1" |
| ERRSTR | The error string. | string | "%ERRSTR%" == "FASP error" |
| MANIFESTFILE | The full path to the manifest file. | string | "%MANIFESTFILE%" == "c:\log" |
| PEER | The peer name or IP address. | string or valid IPv4 address | "%PEER%" == "10.0.0.1" |
| SECURE | Transfer encryption. | yes, no | "%SECURE%" == "no" |
| SESSIONID | The session id. | string | "%SESSIONID%" == "1" |
| STARTSTOP | The status start or stop. | Start, Stop | "%STARTSTOP%" == "Start" |
| STATE | The transfer state. | started, success, failed | "%STATE%" == "success" |
| TOKEN | The user-defined security token. | string | "%TOKEN%" == "token-string" |
| TYPE | The event type. | Session, File | "%TYPE%" == "Session" |
| USER | The user name. | string | "%USER%" == "asp1" |
| USERSTR | The user string, such as additional variables. | string | "%USERSTR%" == "-q" |

For Type Session

| Variable | Description | Values | Example |
|---|---|---|---|
| FILE_CSUM | Destination checksum of the most recently transferred file. | string | "%FILE_CSUM%" == "checksum" |
| FILE1 | The first file. | string | "%FILE1%" == "first-file" |
| FILE2 | The second file. | string | "%FILE2%" == "second-file" |
| FILECOUNT | The number of files. | positive integer | "%FILECOUNT%" >= "5" |
| FILELAST | The last file. | string | "%FILELAST%" == "last-file" |
| LICENSE | The license account and serial number. | string | "%LICENSE%" == "license-string" |
| MINRATE | The initial minimum rate, in Kbps. | positive integer | "%MINRATE%" == "50" |
| PEERLICENSE | The peer's license account and serial number. | string | "%PEERLICENSE%" == "license-string" |
| RATEMODE | The transfer policy. | adapt, fixed | "%RATEMODE%" == "adapt" |
| SOURCE | The full path of the source file. | string | "%SOURCE%" == "C:\tmp" |
| TARGET | The full path of the target directory. | string | "%TARGET%" == "." |
| TARGETRATE | The initial target rate, in Kbps. | positive integer | "%TARGETRATE%" == "100" |
| TOTALBYTES | The total bytes transferred. | positive integer | "%TOTALBYTES%" >= "100000000" |
| TOTALSIZE | The total size of files being transferred in bytes. | positive integer | "%TOTALSIZE%" >= "500000000" |

For Type File

| Variable | Description | Values | Example |
|---|---|---|---|
| DELAY | The measured network delay, in ms. | positive integer | "%DELAY%" <= "1" |
| FILE | The file name. | string | "%FILE%" == "file-name" |
| LOSS | The network loss in percentage. | double-digit fixed point value | "%LOSS%" >= "5.00" |
| OVERHEAD | The total number of duplicate packets. | positive integer | "%OVERHEAD%" >= "1" |
| RATE | The transfer rate in Kbps. | double-digit fixed point value | "%RATE%" >= "10.00" |
| REXREQS | The total number of retransmission requests. | positive integer | "%REXREQS%" >= "3" |
| SIZE | The file size in bytes. | positive integer | "%SIZE%" >= "5000000" |
| STARTBYTE | The start byte if resumed. | positive integer | "%STARTBYTE%" >= "100000" |

Pre/Post Examples

Pre- and post-processing script examples.

1. Windows batch - Call the Email Notification when files are transferred to a specified host

In Windows batch, call the Email notification function only on files that are destined for a specific host 10.0.114.111:

    set DESTINATION=10.0.114.111
    if "%TYPE%" == "Session" (
      if "%STARTSTOP%"=="Stop" (
        if "%PEER%" == "%DESTINATION%" (
          "C:\Perl\bin\perl.exe" aspera-notif.pl > nul 2>&1
        )
      )
    )

2. Windows batch - Call the Email Notification when files are larger than 1GB

In Windows batch, call the Email Notification only when the files are larger than 1GB (1073741824 bytes):

    set FILESIZE=1073741824
    if "%TYPE%" == "Session" (
      if "%STARTSTOP%"=="Stop" (
        if %TOTALSIZE% GEQ %FILESIZE% (
          "C:\Perl\bin\perl.exe" aspera-notif.pl > nul 2>&1
        )
      )
    )

3. Windows batch - Combine the two examples above

In a Windows batch file, call the Email notification function on files that are larger than 1GB (1073741824 bytes), and destined for a specific host 10.0.114.111:

    set FILESIZE=1073741824
    set DESTINATION=10.0.114.111
    if "%TYPE%" == "Session" (
      if "%STARTSTOP%"=="Stop" (
        if %TOTALSIZE% GEQ %FILESIZE% (
          if "%PEER%" == "%DESTINATION%" (
            "C:\Perl\bin\perl.exe" aspera-notif.pl > nul 2>&1
          )
        )
      )
    )

Setting Up Email Notification

Configure the email notification, a prepost application.

Email Notification is a built-in Pre- and Post-Processing application that generates customized emails based on transfer events. Your server should have Pre- and Post-Processing configured in order to run this application. Refer to Setting Up Pre/Post on page 115. Email Notification requires an SMTP server that matches the following configurations:

• An open SMTP server you can reach on your network
• The SMTP Server must not use any external authentication or SSL.

Follow these steps to set it up:

1. Prepare the Email Notification configuration template

Open the aspera.conf file:

| OS Version | File Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf |

Locate or create the section <EMAILNOTIF>...</EMAILNOTIF>:

    <CONF version="2">
      ...
      <EMAILNOTIF>
        <MAILLISTS
          mylist = "[email protected], [email protected]"
          myadminlist = "[email protected]"
        />

        <FILTER
          MAILLISTS = "mylist"
          TARGETDIR = "/content/users"
        />

        <MAILCONF
          DEBUG = "0"
          FROM = "[email protected]"
          MAILSERVER = "mail.example.com"
          SUBJECT = "Transfer %{SOURCE} %{TARGET} - %{STATE}"
          BODYTEXT = "Aspera transfer: %{STATE}%{NEWLINE}%{TOTALBYTES} bytes in %{FILECOUNT} files: %{FILE1}, %{FILE2}, ...%{FILELAST}."
        />
      </EMAILNOTIF>
    </CONF>

You can find the aspera.conf example in this path:

| OS Version | File Path |
|---|---|
| 32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\etc\samples\aspera-email-sample.conf |
| 64-bit Windows | C:\Program Files\Aspera\Enterprise Server\etc\samples\aspera-sample-email.conf |

2. Set up the basic Notification function in <MAILCONF />

<MAILCONF /> defines the general email configuration, including the sender, the mail server, and the body text. In the SUBJECT and BODYTEXT options, the Pre- and Post-Processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, refer to Pre/Post Variables on page 116.

| MAILCONF Field | Description | Values | Example |
|---|---|---|---|
| FROM | Required. The e-mail address to send notifications from. | a valid email address | FROM="[email protected]" |
| MAILSERVER | Required. The outgoing mail server (SMTP). | A valid URL | MAILSERVER="mail.example.com" |
| SUBJECT | General subject of the e-mail. | text string | SUBJECT="Transfer:%{STATE}" |
| BODYTEXT | General body of the e-mail. | text string | BODYTEXT="Transfer has %{STATE}." |
| DEBUG | Print debugging info and write to the logs. | "0" = off, "1" = on | DEBUG="0" |

3. Create mailing lists in <MAILLISTS />

<MAILLISTS /> defines sets of mailing lists. For example, to create the following mailing list:

| Item | Value |
|---|---|
| Mailing list name | list1 |
| Emails to include | [email protected], [email protected] |

Specify the mailing list in the form:

    <MAILLISTS list1 = "[email protected], [email protected]"/>

4. Set up mailing filters in <FILTER />

<FILTER /> defines E-mail Notification conditional filters. When the conditions are met, a customized email will be sent to the indicated mailing list. Multiple filters are allowed.

The values in the filter are matched as substrings. For example, USER = root means the value would match strings like root, treeroot, and root1. The Pre- and Post-Processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, refer to Pre/Post Variables on page 116.

| FILTER Field | Description | Values | Example |
|---|---|---|---|
| MAILLISTS | Required. The e-mail lists to send to. Separate lists with comma (,). | text string | MAILLISTS="mylist" |
| USER | Login name of the user who transferred the files. | text string | USER="asp1" |
| SRCIP | Source IP of the files. | a valid IPv4 address | SRCIP="10.0.1.1" |
| DESTIP | Destination IP of the files. | a valid IPv4 address | DESTIP="10.0.1.5" |
| SOURCE | The top-level directories and files that were transferred. | text string | SOURCE="/folder1" |
| TARGETDIR | The directory that the files were sent to. | text string | TARGETDIR="/folder2" |
| SUBJECTPREFIX | The Email subject, preceded by the SUBJECT in <MAILCONF />. | text string | SUBJECTPREFIX="Sub" |
| BODYPREFIX | The e-mail body, preceded by the BODYTEXT in <MAILCONF />. | text string | BODYPREFIX="Txt" |
| TOTALBYTESOVER | Send e-mail when total bytes transferred is over this number. This only applies to e-mails sent at the end of a transfer. | positive integer | TOTALBYTESOVER="9000" |
| SENDONSESSION | Send e-mail for the entire session. | yes / no | SENDONSESSION="yes" |
| SENDONSTART | Send e-mail when transfer is started. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTART="yes" |
| SENDONSTOP | Send e-mail when transfer is stopped. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTOP="yes" |
| SENDONFILE | Send e-mail for each file within a session. | yes / no | SENDONFILE="yes" |

Email Notification Examples

Email Notification configuration examples.

This topic demonstrates the Email Notification setup with the following examples:

1. Notify when a transfer session is completed

When a transfer session is finished, an e-mail with brief session summary will be sent to "list1".

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="[email protected], [email protected]"
      />

      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSESSION="yes"
        SUBJECTPREFIX="Aspera Transfer - %{USER} "
        BODYPREFIX="Status: %{STATE}%{NEWLINE} File Count: %{FILECOUNT}"
      />
    </EMAILNOTIF>

2. Notify when a session is initiated and completed

Send a transfer notice e-mail when a transfer is initiated. Send a summary e-mail when finished.

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="[email protected], [email protected]"
      />
      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        SUBJECT=" by %{USER}"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSTART="yes"
        SENDONSTOP="no"
        SUBJECTPREFIX="Transfer Started"
        BODYPREFIX="Source: %{PEER}%{NEWLINE} Target: %{TARGET}"
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSTART="no"
        SENDONSTOP="yes"
        SUBJECTPREFIX="Transfer Completed"
        BODYPREFIX="
          Status: %{STATE}%{NEWLINE}
          File Count: %{FILECOUNT}%{NEWLINE}
          Source: %{PEER}%{NEWLINE}
          Target: %{TARGET}%{NEWLINE}
          Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE}
        "
      />
    </EMAILNOTIF>

3. Send different email text for regular transfers and for Aspera Sync transfers

When Aspera Sync triggers a transfer (assuming only Aspera Sync uses the folder /sync-folder), an email message will be sent to "mediaGroup". When a regular transfer occurs (files are sent to /upload), a different notification will be sent to "mediaLead" and "adminGroup".

    <EMAILNOTIF>
      <MAILLISTS
        mediaGroup ="[email protected], [email protected]"
        mediaLead ="[email protected]"
        adminGroup ="[email protected], [email protected]"
      />

      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="mediaGroup"
        SENDONSESSION="yes"
        DESTIP="192.168.1.10"
        TARGETDIR="/sync-folder"
        SUBJECTPREFIX="Aspera Sync #1 - From %{PEER}"
        BODYPREFIX="Status: %{STATE}%{NEWLINE} File Count: %{FILECOUNT}"
      />

      <FILTER
        MAILLISTS="mediaLead,adminGroup"
        SENDONSESSION="yes"
        TARGETDIR="/upload"
        SUBJECTPREFIX="Transfer - %{USER}"
        BODYPREFIX="
          Status: %{STATE}%{NEWLINE}
          Source: %{PEER}%{NEWLINE}
          File Count: %{FILECOUNT}%{NEWLINE}
          Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE}
        "
      />
    </EMAILNOTIF>


Transferring from the Command Line

Ascp Command Reference

The ascp (Aspera secure copy) executable is a command-line FASP transfer program. This topic covers the complete command usage, including general syntax guidelines, supported environment variables, a synopsis, and command options.

General Syntax Guidelines

Symbols used in the paths: Use single-quote (' ') and forward-slashes (/) on all platforms.

Characters to avoid: / \ " : ' ? > < & * |

Environment Variables

If needed, you can set the following environment variables for use with the ascp command:

| Item | Initiation Command |
|---|---|
| Password | ASPERA_SCP_PASS=password |
| Token | ASPERA_SCP_TOKEN=token |
| Cookie | ASPERA_SCP_COOKIE=cookie |
| Content Protection Password | ASPERA_SCP_FILEPASS=password |
| Proxy Server Password | ASPERA_PROXY_PASS=proxy_server_password |

Ascp Usage

ascp options [[user@]srcHost:]source_file1[,source_file2,...] [[user@]destHost:]target_path

Important: If you do not specify a username for the transfer, the local username will be authenticated (by default). In the case of a Windows machine and a domain user, the transfer server will strip the domain from the username (for example, authenticating Administrator, rather than DOMAIN\Administrator). Thus, you will need to specify a domain explicitly, if applicable to the user.

Ascp Options

Option Description

-h, --help Display usage.

-A, --version Display version and license information; then exit.

-T Disable encryption for maximum throughput.

-d Create target directory if it doesn't already exist.

Page 125: IBM Aspera Connect Server 3.5

| Transferring from the Command Line | 125

Option Description

-p Preserve file timestamps for source modification time (mtime) and last accesstime (atime).

Important: On Windows, mtime and atime may be affected when the systemautomatically adjusts for Daylight Savings Time (DST). For details, see theMicrosoft KB article, http://support.microsoft.com/kb/129574.

Important: On Isilon IQ OneFS systems, last access time (atime) is disabledby default (see sysctl efs.bam.atime_enabled). You will see atimeis set to be the same as mtime when using -p option. Use the command"sysctl efs.bam.atime_enabled=1" to enable the preservation ofatime on your Isilon system.

-q Quiet mode (to disable progress display).

-v Verbose mode (prints connection and authentication debug messages in the logfile). For information on log files, see Log Files.

-6 Enable IPv6 address support. When using IPv6, thenumeric host can be written inside brackets. For example,[2001:0:4137:9e50:201b:63d3:ba92:da] or[fe80::21b:21ff:fe1c:5072%eth1].

-D | -DD | -DDD Specify the debug level, where each D is an additional level of debugging.

-l max_rate Set the target transfer rate in Kbps (default: 10000 Kbps). If the ascp client doesnot specify a target rate, it will be acquired from aspera.conf (server-side,as the local aspera.conf target rate setting doesn't apply). If local or serveraspera.conf rate caps are specified, the "starting" (default) rates will be nothigher than the cap.

-m min_rate Set the minimum transfer rate in Kbps (efault: 0. If the ascp client does notspecify a minimum rate, it will be acquired from aspera.conf (server-side,as the local aspera.conf minimum rate setting doesn't apply). If local orserver aspera.conf rate caps are specified, the "starting" (default) rates willbe not higher than the cap.

-u user_string Apply a user string, such as variables for pre- and post-processing.

-i private_key_file Use public key authentication and specify the private key file. Typically, theprivate key file is in the directory $HOME/.ssh/id_[algorithm].

-w{r|f} Test bandwidth from server to client (r) or client to server (f). Currently a betaoption.

-K probe_rate Set probing rate (Kbps) when measuring bottleneck bandwidth.

-k{0|1|2|3} Enable resuming partially transferred files at the specified resume level (default:0). Note that this must be specified for your first transfer; otherwise, it will notwork for subsequent transfers. Resume levels:

0 - Always retransfer the entire file.1 - Check file attributes and resume if the current and original attributesmatch.2 - Check file attributes and do a sparse file checksum; resume if the currentand original attributes/checksums match.3 - Check file attributes and do a full file checksum; resume if the currentand original attributes/checksums match.

Page 126: IBM Aspera Connect Server 3.5

| Transferring from the Command Line | 126

Option DescriptionNote that when a complete file exists at the destination (no .aspx), the sourcefile size is compared with the destination file size. When a partial file and avalid .aspx file exist at the destination, the source file size is compared with thefile size recorded inside the .aspx file.

-Z dgram_size Specify the datagram size (MTU) for FASP. By default, the detected path MTUis used. (Range: 296 - 10000 bytes)

Note: As of version 3.3, datagram size can also be enforced by the server using<datagram_size> in aspera.conf. If size is set with both -Z (client side) and<datagram_size> (server side), the <datagram_size> setting is used. If theclient-side is pre-3.3, datagram size is determined by the -Z setting, regardlessof the server-side setting for <datagram_size>. In this case, if there is no -Zsetting, datagram size is based on the discovered MTU and the server logs themessage "LOG Peer client doesn't support alternative datagram size".

-g read_size Set the read-block size, a performance-tuning parameter for an Aspera sender(which only takes effect if the sender is a server). It represents the maximumnumber of bytes that can be stored within a block as the block is beingtransferred from the source disk drive to the receiver. The default of 0 will causethe Aspera sender to use its default internal buffer size, which may be differentfor different operating systems. Note that 500M (524,288,000 bytes) is themaximum block size.

-G write_size This is a performance-tuning parameter for an Aspera receiver (which onlytakes effect if the receiver is a server). It represents the maximum bytes withina block that an ascp receiver can write to disk. The default of 0 will cause theAspera receiver to use its default internal buffer size, which may be differentfor different operating systems. Note that 500M (524,288,000 bytes) is themaximum block size.

-L local_log_dir Specify a logging directory in the local host, instead of using the defaultdirectory.

-R remote_log_dir Specify a logging directory in the remote host, instead of using the defaultdirectory.

-S remote_ascp Specify the name of the remote ascp binary (if different).

-e prepost Specify an alternate pre/post command. Be sure to use the complete path and filename.

-O fasp_port Set the UDP port to be used by FASP for data transfer. (Default: 33001)

-P ssh-port Set the TCP port to be used for FASP session initiation. (Default: 33001)

-C nid:ncount Use parallel transfer on a multi-node/core system. Specify the node id (nid)and count (ncount) in the format 1:2, 2:2. Assign each participant to anindependent UDP port.

-E pattern Exclude files or directories with the specified pattern from the transfer. Thisoption can be used multiple times to exclude many patterns. Up to 16 patternscan be used by using -E. Two symbols can be used in the pattern, as shownbelow.

* (asterisk) represents zero or more characters in a string, for example*.tmp matches .tmp and abcde.tmp.? (question mark) represents a single character, for example t?p matchestmp but not temp.

Page 127: IBM Aspera Connect Server 3.5

| Transferring from the Command Line | 127

Option Description

-f config_file Specify an alternate Aspera configuration file (default is aspera.conf).

-W token_string Specify the token string for the transfer.

-@[range_low:range_high] Transfer only part of a file. This option only works when downloading a singlefile and does not support resuming. The argument to "-@" may omit either orboth numbers, and the ":" delimiter. For example, -@3000:6000 transfersbytes between positions 3000 to 6000; -@1000: transfers from 1000 to the endof the file; and -@:1000 transfers from beginning to 1000.

-X rexmsg_size Adjust the maximum size in bytes of a retransmission request. (Max: 1440).

--mode=mode Specify the transfer direction, where mode is either send or recv.

--user=username The user name to be authenticated by the transfer server.

Important: If you do not specify a user name for the transfer, the localusername will be authenticated (by default). In the case of a Windowsmachine and a domain user, the transfer server will strip the domain from theusername (e.g. authenticating "Administrator," rather than "DOMAIN\Administrator"). Thus, you will need to explicitly specify a domain, ifapplicable to the user.

--host=hostname The server's address.

--policy=fixed | high | fair | low

Set the transfer policy. For a description of policies, see fasp Transfer Policies.

Important: If --policy is not set, ascp will use the server-side policy setting ("fair" by default).

--file-list=filename Sources in the file-list are inserted as if they appear on the command-line (right after the --file-list=filename option). The file list supports UTF-8 files and input from the stdin through "-". The sources can exist on either the local host or the remote host (in terms of download), but not on both.

src
src2
...
srcN

Important: Multiple file-list and file-pair-list options are not supported in a single ascp command. If multiple files are specified, all but the last one will be ignored. In addition, you cannot use the file-list option while also entering file names on the command line. Only files within the file-list will succeed.

--file-pair-list=filename

Specify source-destination pairs in a file. Note that there is no command-line equivalent. In the case of file-pair-list files, each source and each destination must be separated by line endings.

src1
dst1
src2
dst2
...
srcN
dstN

Important: Multiple file-list and file-pair-list options are not supported in a single ascp command. If multiple files are specified, all but the last one will be ignored. In addition, you cannot use the file-pair-list option while also entering file names on the command line. Only files within the file-pair-list will succeed.

--source-prefix=prefix Add prefix to the beginning of each source path.

--symbolic-links=method Specify rule to handle symbolic links. This option takes following values: (Default: follow)

follow - Follow symbolic links and transfer the linked files.
copy - Copy only the alias file. If a file with the same name exists on the destination, the symbolic link will not be copied.
copy+force - Copy only the alias file. If a file with the same name exists on the destination, the symbolic link will replace the file. If the file of the same name on the destination is a symbolic link to a directory, it will not be replaced.
skip - Skip the symbolic links.

--remove-after-transfer

Add this option to remove all source files (excluding the source directory) once the transfer has completed.

--remove-empty-directories

Add this option to remove an empty source directory once the transfer has completed.

--skip-special-files Add this option to skip special files (for example, devices and pipes).

--file-manifest=output Generate a list of all transferred files, where output is none or text (Default: none)

--file-manifest-path=directory

Specify the path to the file manifest.

Important: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.

--file-manifest-inprogress-suffix=suffix

Specify the suffix of the file manifest's temporary file.

--precalculate-job-size

Add this option to calculate total size before transfer. Please note that the server side conf file setting overrides the ascp command line option.

--overwrite=method Overwrite files with the same name. This option takes following values (Default: diff):

always - Always overwrite the file.
never - Never overwrite the file. However, note that if the parent folder is not empty, its access, modify, and change times may still be updated.
diff - Overwrite if file is different from the source (i.e., if a complete file exists at the destination (no .aspx file) and is the same as the source file, then leave it unmodified (no change on timestamp/attributes either); otherwise re-transfer the whole source file). Note this policy interacts with the resume policy.
older - Overwrite if file is older than the source.

Important: When --overwrite=diff, you must also consider the resume policy (-k{0|1|2|3}). If -k0 (or no -k specified), the source and destination files are always deemed to be different, thereby implying always overwrite. If -k1, the source and destination files are compared based on file attributes (currently, just file size). If -k2, the source and destination files are compared based on sparse checksum. If -k3, the source and destination files are compared based on full checksum.

--file-crypt=crypt Encrypt or decrypt files. Replace crypt with encrypt or decrypt. Passphrase is required.

--file-checksum=hash Report checksums for transferred files, where hash is sha1, md5, or none.

--partial-file-suffix=suffix

Filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension will be removed. (Default: blank)

Note: This option only takes effect when it is set on the receiver side.

--src-base=prefix Specify the prefix to be stripped off from each source object. The remaining portion of the source path is kept intact at the destination.

For example, the "clips" directory on the remote computer contains the following folders and files:

/clips/outgoing/file1
/clips/outgoing/folderA/file2
/clips/outgoing/folderB/file3

In this case, to transfer all folders and files within the "outgoing" folder (but not the "outgoing" folder, itself), run the following command:

> ascp -d --src-base=/clips/outgoing/ [email protected]:/clips/outgoing/ /incoming

Result: The following folders and files appear in the "incoming" directory at the destination:

(docroot)/incoming/file1
(docroot)/incoming/folderA/file2
(docroot)/incoming/folderB/file3

Files outside of the source base (for example, /temp/file4) are skipped from transmission and warnings are generated.

Without --src-base

If --src-base is not used, and the source item is a folder, the contents of the folder are transferred, along with the folder itself. For example:

> ascp -d [email protected]:/clips/outgoing/ /incoming

Result:

(docroot)/incoming/outgoing/file1
(docroot)/incoming/outgoing/folderA/file2
(docroot)/incoming/outgoing/folderB/file3

If --src-base is not used, and the source item is a file, only the file is transferred, not the folders in the file's path. For example:

> ascp -d [email protected]:/clips/outgoing/file1 [email protected]:/clips/outgoing/folderA/file2 /incoming

Result:

(docroot)/incoming/file1
(docroot)/incoming/file2

For further examples, with and without --src-base, see Ascp File Manipulation Examples on page 132

--proxy=proxy_url Specify the address of the Aspera proxy server. proxy_url takes the form of:

dnat[s]://[username]@server:port

The default ports for DNAT and DNATS protocols are 9091 and 9092.

--preserve-file-owner-uid

(OS X and Linux/UNIX systems only.) Preserve transferred files' owner information (uid).

Note: This option requires the transfer user be authenticated as a superuser.

--preserve-file-owner-gid

(OS X and Linux/UNIX systems only.) Preserve transferred files' group information (gid).

Note: This option requires the transfer user be authenticated as a superuser.

--ignore-host-key If you're prompted to accept a host key when connecting to a remote host, ascp ignores the request.

--check-sshfp=fingerprint Check against the server SSH host key fingerprint (for example, f74e5de9ed0d62feaf0616ed1e851133c42a0082).

--apply-local-docroot Apply the local docroot. This option is equivalent to setting the environment variable ASPERA_SCP_DOCROOT.

ascp Options for HTTP Fallback

Option Description

-y {0|1} Enable HTTP Fallback transfer server when UDP connection fails. Set to 1 to enable (default: 0).

-j {0|1} Encode all HTTP transfers as JPEG files. Set to 1 to enable (default: 0).

-Y key_file The HTTPS transfer's key file name.

-I cert_file The HTTPS certificate's file name.

-t port Specify the port for HTTP Fallback Server.

-x proxy_server Specify the proxy server address used by HTTP Fallback.

Ascp General Examples

Examples of initiating FASP file transfers using the ascp command.

This topic demonstrates the ascp command with the following examples:

1. Fair-policy transfer, without encryption

Transfer with fair rate policy, with maximum rate 100 Mbps and minimum at 1 Mbps:

> ascp -T --policy=fair -l 100m -m 1m /local-dir/files [email protected]:/remote-dir

2. Fixed-policy transfer, without encryption

Transfer all files in \local-dir\files to 10.0.0.2 with target rate 100 Mbps and encryption OFF:

> ascp -T -l 100m /local-dir/files [email protected]:/remote-dir

3. Specify a UDP port

To perform a transfer with UDP port 42000:

> ascp -l 100m -O 42000 /local-dir/files [email protected]:/remote-dir

4. Authenticate with public key

To perform a transfer with public key authentication with key file /Documents and Settings/asp1/.ssh/asp1:

> ascp -T -l 10m -i "/Documents and Settings/asp1/.ssh/asp1" local-dir/files [email protected]:/remote-dir

5. Authenticate with a login that contains a space

Enclose the target in double-quotes when spaces are present in the username and remote path:

> ascp -l 100m local-dir/files "User [email protected]:/remote directory"

6. Transfer with a network shared location

Send files to a network share location \\1.2.3.4\nw-share-dir, through the computer 10.0.0.2:

> ascp local-dir/files [email protected]:"//1.2.3.4/nw-share-dir/"

7. Parallel transfer on a multi-core system

Use parallel transfer on a dual-core system, together transferring at the rate 200 Mbps, using UDP ports 33001 and 33002. Two commands are executed in different Terminal windows:

> ascp -C 1:2 -O 33001 -l 100m /file [email protected]:/remote-dir &
> ascp -C 2:2 -O 33002 -l 100m /file [email protected]:/remote-dir

8. Use content protection

Upload the file space\file to the server 10.0.0.2 with password protection (password: secRet):

> set ASPERA_SCP_FILEPASS=secRet&& ascp -l 10m --file-crypt=encrypt local-dir/file [email protected]:/remote-dir/

Download from the server 10.0.0.2 and decrypt while transferring:

> set ASPERA_SCP_FILEPASS=secRet&& ascp -l 10m --file-crypt=decrypt [email protected]:/remote-dir /local-dir

If the password-protected file is downloaded without decrypting (file1.aspera-env, with aspera-env appended), on the local computer, decrypt the file as file1:

> set ASPERA_SCP_FILEPASS=secRet&& asunprotect -o file1 file1.aspera-env

Ascp File Manipulation Examples

Examples of manipulating files using the ascp command.

This topic demonstrates file manipulation using the ascp command with the following examples:

1. Upload directory contents to remote computer

Upload the "/content/" directory to the remote server.

> ascp /data/content/ [email protected]:/storage/

Result => /storage/content/*

Upload the "/content/" directory to the remote server, but strip the srcbase path and preserve the rest of the file structure.

> ascp --src-base=/data/content /data/content/ [email protected]:/storage

Result => /storage/*

2. Upload directory contents to remote computer and create the destination folder if it does not already exist

Upload the "/content/" directory to the remote server and create the "/storage2" folder since it does not exist.

> ascp -d /data/content/ [email protected]:/storage2/

Result => /storage2/content/*

3. Download directory contents from remote computer

Download the "/content/" directory from the remote server, but strip the srcbase path and preserve the rest of the file structure.

> ascp --src-base=/storage/content [email protected]:/storage/content/ /data

Result => /data/*

4. Upload selected files and directories to a remote computer and preserve directory structure

Upload the selected file and directory to the remote server, but strip the srcbase path and preserve the rest of the file structure.

> ascp --src-base=/data/content /data/content/monday/file1 /data/content/tuesday/ [email protected]:/storage

Results => /storage/monday/file1 AND /storage/tuesday/*

5. Download selected files and directories from a remote computer and preserve directory structure

Download the selected file and directory from the remote server, but strip the srcbase path and preserve the rest of the file structure.

> ascp --src-base=/storage/content [email protected]:/storage/content/monday/file1 [email protected]:/storage/content/tuesday/ /data

Results => /data/monday/file1 AND /data/tuesday/*

6. Remove source files from the local computer after transferring them to the remote computer

Remove the "/content/" directory of the local computer after the contents (excluding partial files) have been transferred to the remote computer.

> ascp -k2 -E "*.partial" --remove-after-transfer --remove-empty-directories /data/content [email protected]:/storage

Result => /storage/content/*

Remove the "/content/" directory of the local computer after the contents (excluding partial files) have been transferred to the remote computer. Strip the srcbase path and preserve the rest of the file structure.

> ascp -k2 -E "*.partial" --src-base=/data/content --remove-after-transfer --remove-empty-directories /data/content [email protected]:/storage

Result => /storage/*

Important: For version 2.7.1, the "-d" option is required when specifying the "--src-base" option if the target directory does not exist. As of version 2.7.3+, this constraint has been removed.
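The destination layouts listed in these examples can be predicted before a transfer is run, which matters most when --remove-after-transfer will delete the sources afterwards. The following is an added example, not Aspera code: a small Python model of the documented --src-base behaviour. The function names and the in-memory file tree are assumptions made for illustration.

```python
import posixpath

# Constructed source tree, reusing the paths from the --src-base description.
TREE = [
    "/clips/outgoing/file1",
    "/clips/outgoing/folderA/file2",
    "/clips/outgoing/folderB/file3",
    "/temp/file4",
]


def expand(arg, tree):
    """Return the files in tree named by one source argument (file or folder)."""
    arg = arg.rstrip("/")
    return [f for f in tree if f == arg or f.startswith(arg + "/")]


def plan(source_args, dest, tree, src_base=None):
    """Model where each source file lands.

    Returns (mapping, skipped): mapping is {source: destination}; skipped
    lists files outside the source base, which the manual says are not sent.
    """
    mapping, skipped = {}, []
    base = src_base.rstrip("/") if src_base else None
    for arg in source_args:
        for f in expand(arg, tree):
            if base is not None:
                # Compare on a path-component boundary so that
                # /clips/outgoing2 is not treated as inside /clips/outgoing.
                if not f.startswith(base + "/"):
                    skipped.append(f)
                    continue
                rel = f[len(base) + 1:]
            else:
                # Without --src-base a folder argument is sent together with
                # its own name; a file argument is sent as the bare file.
                parent = posixpath.dirname(arg.rstrip("/"))
                rel = f[len(parent):].lstrip("/")
            mapping[f] = posixpath.join(dest, rel)
    return mapping, skipped


def collisions(mapping):
    """Return destinations that more than one source would be written to."""
    seen = {}
    for src, dst in mapping.items():
        seen.setdefault(dst, []).append(src)
    return {dst: srcs for dst, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    for label, kwargs in (("with --src-base", {"src_base": "/clips/outgoing/"}),
                          ("without --src-base", {})):
        mapping, skipped = plan(["/clips/outgoing/", "/temp/file4"],
                                "/incoming", TREE, **kwargs)
        print(label)
        for src, dst in mapping.items():
            print("  ", src, "->", dst)
        print("   skipped:", skipped)
```

Two file arguments with the same name in different folders, sent without --src-base, map to one destination path; collisions() reports that case so the overwrite policy can be chosen deliberately.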

Ascp Transfers to Cloud Storage

Examples of using the ascp command to initiate FASP transfers to cloud storage.

If you have access to cloud storage that is hosted by Aspera On Demand, you can use ascp to transfer to it.

With Docroot Already Configured

If your transfer server account already has a docroot set up, ascp transfers to S3 storage, Google storage, Akamai, Softlayer, and Azure are the same as regular ascp transfers:

ascp options myfile username@server:/targetpath

For examples, see Ascp General Examples on page 131.

In some cases, ascp transfers to cloud storage can be made without a preconfigured docroot. See the examples below.

With No Docroot Configured: S3

If the transfer server account does not have a docroot, you can still transfer to S3 as long as you know your S3 Access ID and Secret Key and you have an S3 bucket. The syntax is:

ascp options --mode=send --user=username --host=s3_server_addr files_to_send \
s3://access_id:[email protected]/s3_bucket

For example:

ascp --mode=send --user=bob --host=s3.asperasoft.com myfiles \
s3://1K3C18FBWF9902:[email protected]/demos2014

With No Docroot Configured: Softlayer

If the transfer server account does not have a docroot, you can still transfer with the following syntax:

ascp options --mode=send --user=root --host=ip_addr files_to_send \
swift://softlayer_username:[email protected]/container

Example Upload:

ascp --mode=send --user=root --host=192.155.218.130 bigfile.txt \
swift://XYZOS303446-2:bob:[email protected]/test

Example Download:

ascp --mode=recv --user=root --host=192.155.218.130 \
swift://XYZOS303446-2:bob:[email protected]/test/bigfile.txt /tmp/

With No Docroot Configured: Azure

If the transfer server account does not have a docroot, you can still transfer. First set an Aspera environment variable with the password:

Windows Command Prompt: set ASPERA_SCP_PASS=password

Linux: export ASPERA_SCP_PASS=password

Then run ascp with the following syntax:

ascp options --mode=send --user=username --host=server files_to_send azu://storage:[email protected]/abc

For example:

Windows Command Prompt: set ASPERA_SCP_PASS=fslk47CLwlj

Linux: export ASPERA_SCP_PASS=fslk47CLwlj

ascp --mode=send --user=AS037d8eda429737d6 --host=dev920350144d2.azure.asperaondemand.com bigfile.txt \
azu://astransfer:[email protected]/abc

Token Generation

Usage and examples for astokengen

Overview

A token authorizes the download of one or more files, or an upload of one or more files into a directory (called destination root). It supports the traditional “cp” paradigm of ascp (copy file1, file2, file3 to directory) or source/destination pairs (ascp --file-pair-list).

Functionality

• Authorizes uploads of one or more files to a destination
• Authorizes downloads of one or more files or directories
• Authorizes uploads of one or more files as source/destination pairs
• Authorizes downloads of one or more files as source/destination

Usage

1. astokengen --mode=send [OPTS] -u USER --dest=PATH [-v TOKEN]
2. astokengen --mode=send [OPTS] -u USER --file-pair-list=FILENAME --dest=DEST [-v TOKEN]
3. astokengen --mode=recv [OPTS] -u USER -p PATH [-p PATH …] [-v TOKEN]
4. astokengen --mode=recv [OPTS] -u USER --file-list=FILENAME [-v TOKEN]
5. astokengen --mode=recv [OPTS] -u USER --file-pair-list=FILENAME [-v TOKEN]
6. astokengen -t TOKEN [OPTS]

Option (short form) Option (long form) Description

-A --version Print version information.

--mode=MODE Direction of the transfer mode (send | recv)

-p --path=PATH Source path

--dest=DEST Destination path

-u --user=USER Generate the token for this user name. This name is embedded in the token and also used to retrieve further information from aspera.conf (user_value and token_life_seconds).

--file-list=FILE Specifies a file name that contains a list of sources for a download token. Each line of the file contains a single source and blank lines are ignored.

--file-pair-list=FILE

Specifies a file name that contains a multiplexed list of source and destination pairs for an upload or download token. Each pair of lines encodes one source and one destination and blank lines are ignored.

-v TOKEN Verify token against user and path parameters.

-t TOKEN Display the contents of the token.

-k PASSPHRASE Passphrase to decrypt token. For use with -t.

-b Assume user name and paths are encoded in base64.

Examples

Description Example

Example file list

/monday/first_thing.txt
/monday/next_thing.txt
/monday/last_thing.txt

Example file-pair list

/monday/first_thing.txt
/archive/monday/texts/first_thing
/monday/next_thing.txt
/archive/monday/texts/next_thing
/monday/last_thing.txt
/archive/monday/texts/last_thing

Common upload In a common upload, only the destination is encoded into the token.

astokengen --user=USER --dest=PATH --mode=send

The destination is encoded into the token. Source paths are not allowed and will cause astokengen to fail. --path and --file-list are illegal in this case.

Paired upload The destination is pre-pended to each of the destinations in the paired list file and they are all encoded into the token. The destinations are in each odd numbered line of the file (1, 3, 5, 7, etc).

astokengen --user=USER --dest=PATH --file-pair-list=FILENAME --mode=send

--path and --file-list are illegal in this case.

Common download

The specified paths are encoded into the token.

astokengen --user=USER --path=FILE1 --path=FILE2 --mode=recv
astokengen --user=USER --file-list=FILENAME --mode=recv

--dest and --file-pair-list are illegal in this case.

Paired download The source files from the pair list are encoded in the token. The sources are in each even numbered line of the file (0, 2, 4, 6, 8, etc.).

astokengen --user=USER --file-pair-list=FILENAME --mode=recv

--dest, --path and --file-list are illegal in this case.

Creating SSH Keys (Command Line)

Create a key pair for your computer.

If you are using this machine as a client to connect to other Aspera servers with public key authentication, you can also create key-pairs in command line. Follow these instructions:

Note: You can also use the application GUI to create SSH keys or import existing keys for use with a selected user account. For instructions, see Creating SSH Keys on page 46.

1. Create a .ssh in your home directory

Create a .ssh folder in your user account's home directory if it does not exist:

> md user_home_dir\.ssh

Go to the .ssh folder and continue:

> cd user_home_dir\.ssh

2. Run ssh-keygen to generate an SSH key-pair

Run the following command in the .ssh folder. The program prompts you for the key-pair's filename. Press ENTER to use the default name id_rsa. For a passphrase, you can either enter a password, or press return twice to leave it blank:

> ssh-keygen -t rsa

3. Retrieve the public key file

When created, the key-pair can be found in your home directory's .ssh folder (assuming you generated the key with the default name id_rsa):

user_home_dir\.ssh\id_rsa.pub

Provide the public key file (for example, id_rsa.pub) to your server administrator, so that it can be set up for your server connection. The instructions for installing the public key on the server can be found in the Setting Up a User's Public Key on page 74; however, the server may be installed on an operating system that is different from the one where your client has been installed.

4. Start a transfer using public key authentication with the ascp command

To transfer files using public key authentication on the command line, use the option -i private_key_file. For example:

> ascp -T -l 10M -m 1M -i "user_home_dir\.ssh\id_rsa" myfile.txt [email protected]:\space

In this example, you are connecting to the server (10.0.0.2, directory /space) with the user account jane and the private key user_home_dir\.ssh\id_rsa.

Ascp FAQs

This topic lists frequently asked questions regarding the ascp command:

1. How do I control the transfer speed?

You can specify a transfer policy that determines how a FASP transfer utilizes the network resource, and you can specify target and minimum transfer rates where applicable. With the ascp command, use the following flags to specify transfer policies that are fixed, fair, high, and low:

Policy Command template

Fixed --policy=fixed -l target_rate

Fair --policy=fair -l target_rate -m min_rate

High --policy=high -l target_rate -m min_rate

Low --policy=low -l target_rate -m min_rate

2. What should I expect in terms of transfer speed? How do I know if something is "wrong" with the speed?

Aspera's FASP transport has no theoretical throughput limit. Other than the network capacity, the transfer speed may be limited by rate settings and resources of the computers. To verify that your system's FASP transfer can fulfill the maximum bandwidth capacity, prepare a client machine to connect to this computer, and test the maximum bandwidth.

Note: This test will typically occupy the majority of a network's bandwidth. It is recommended that this test be performed on a dedicated file transfer line or during a time of very low network activity.

On the client machine, start a transfer with fixed policy. Start with a lower transfer rate and increase gradually toward the network bandwidth (e.g. 1m, 5m, 10m...). Monitor the transfer rate and make sure that it fulfills your bandwidth:

$ ascp -l 1m source-file destination

To improve the transfer speed, you may also upgrade the following hardware components:

Component Description

Hard disk The I/O throughput, the disk bus architecture (e.g. RAID, IDE, SCSI, ATA, and Fiber Channel).

Network I/O The interface card, the internal bus of the computer.

CPU Overall CPU performance affects the transfer, especially when encryption is enabled.

3. How do I ensure that if the transfer is interrupted / fails to finish, it will resume the transfer without re-transferring the files?

Use the -k flag to enable resume, and specify a resume rule:

• -k 0 Always retransfer the entire file.
• -k 1 Check file attributes and resume if they match.
• -k 2 Check file attributes and do a sparse file checksum; resume if they match.
• -k 3 Check file attributes and do a full file checksum; resume if they match.

4. How does Aspera handle symbolic links?

The ascp command follows symbolic links by default. There is a -o SymbolicLink flag that offers handling options:

• --symbolic-links=follow: Follow symbolic links and transfer the linked files.
• --symbolic-links=copy: Copy only the alias file.
• --symbolic-links=skip: Skip the symbolic links.

5. What are my choices regarding file overwrites on the destination computer?

In ascp, you can specify the overwriting rule with the following flags:

• --overwrite=always: Always overwrite the file.
• --overwrite=never: Never overwrite the file.
• --overwrite=diff: Overwrite if file is different from the source.
• --overwrite=older: Overwrite if file is older than the source.

Note: For --overwrite=diff, if a complete file exists on the destination computer (i.e., no .aspx file) and is the same as the source file, then the destination file will remain unmodified (no change on timestamp/attributes either). Otherwise the entire source file will be retransferred. Note this policy interacts with the resume policy.

Configuring for the Cloud

Cloud Configuration for Enterprise Server Nodes

Configuring aspera.conf for S3

The following example explains how to modify aspera.conf for AWS S3 transfers. You must meet the following prerequisites before modifying aspera.conf:

• You have permissions to access the S3 bucket.
• You know your username's S3 Access ID and Secret Key.

Note: For Aspera on Demand, you can also enter these settings from Console.

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <server>
    <server_name>aspera.example.com</server_name>
  </server>
  <aaa>
    <realms>
      <realm>
        <users>
          <user>
            <name>UserName</name>
            <authorization>
              <transfer>
                <in>
                  <value>token</value>
                </in>
                <out>
                  <value>token</value>
                </out>
              </transfer>
              <token>
                <encryption_key>YourSuperSecretKey</encryption_key>
              </token>
            </authorization>
            <file_system>
              <access>
                <paths>
                  <path>
                    <absolute></absolute>
                    <read_allowed>true</read_allowed> <!-- Read Allowed: boolean true or false -->
                    <write_allowed>true</write_allowed> <!-- Write Allowed: boolean true or false -->
                    <dir_allowed>true</dir_allowed> <!-- Browse Allowed: boolean true or false -->
                    <restrictions>
                      <!-- File access restrictions. Multiple entries are allowed. -->
                      <restriction>s3://*</restriction>
                      <restriction>!azu://*</restriction>
                    </restrictions>
                  </path>
                </paths>
              </access>
            </file_system>
          </user>
        </users>
      </realm>
    </realms>
  </aaa>
</CONF>

Docroot Restrictions for URI Paths

A configuration with both a docroot absolute path (docrooted user) and a restriction is not supported.

The primary purpose of restrictions is to allow access to certain storage (for example, Amazon S3) for clients that have their own storage credentials. In this case, instead of using docroots in aspera.conf, use a docroot restriction.

Configuration:

<paths>
  <path>
    <restrictions>
      <restriction>s3://*</restriction>
    </restrictions>
  </path>
</paths>

You can also configure restrictions once for all users by setting <restriction> in the default section.

Functionality:

A docroot restriction limits the files a client is allowed to access for browsing and transfers. Files are rejected unless they match any restrictions that are present. Restrictions work for URI paths (for example, s3://*) and are processed in the following order:

1. If a restriction starts with "!", any files that match are rejected.
2. If a restriction does not start with a "!", any files that match are kept.
3. If any restrictions other than "!" exist, and the file does not match any of them, the file is rejected.
4. Files that fail restrictions during directory iteration are ignored as if they do not exist.
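The processing order above, applied to the restriction lists of an aspera.conf, as an added example that is not Aspera code. It assumes "*" matches any run of characters (as Python's fnmatch does) and reads the numbered rules as: all "!" restrictions first, then the plain ones. The embedded XML is a constructed sample trimmed from the S3 configuration, and the user mixed_user is constructed to show the unsupported docroot-plus-restriction combination.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the first user mirrors the S3 example, the second one
# combines a docroot with a restriction, which the manual says is unsupported.
SAMPLE_CONF = """<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <aaa><realms><realm><users>
    <user>
      <name>UserName</name>
      <file_system><access><paths><path>
        <absolute></absolute>
        <restrictions>
          <restriction>s3://*</restriction>
          <restriction>!azu://*</restriction>
        </restrictions>
      </path></paths></access></file_system>
    </user>
    <user>
      <name>mixed_user</name>
      <file_system><access><paths><path>
        <absolute>/data/docroot</absolute>
        <restrictions>
          <restriction>s3://*</restriction>
        </restrictions>
      </path></paths></access></file_system>
    </user>
  </users></realm></realms></aaa>
</CONF>
"""


def load_user_paths(conf_xml):
    """Return {user name: [(absolute docroot, [restrictions]), ...]}."""
    root = ET.fromstring(conf_xml)
    users = {}
    for user in root.iter("user"):
        name = (user.findtext("name") or "").strip()
        entries = []
        for path in user.iter("path"):
            absolute = (path.findtext("absolute") or "").strip()
            rules = [(r.text or "").strip() for r in path.iter("restriction")]
            entries.append((absolute, [r for r in rules if r]))
        users[name] = entries
    return users


def is_allowed(path, restrictions):
    """Apply the documented order: '!' rejections, then keeps, then default."""
    negative = [r[1:] for r in restrictions if r.startswith("!")]
    positive = [r for r in restrictions if not r.startswith("!")]
    # 1. A match on any '!' restriction rejects the file.
    if any(fnmatch.fnmatchcase(path, pat) for pat in negative):
        return False
    # 2. A match on any plain restriction keeps the file.
    if any(fnmatch.fnmatchcase(path, pat) for pat in positive):
        return True
    # 3. Plain restrictions exist but none matched: reject. With only '!'
    #    restrictions (or none at all) the file is kept.
    return not positive


def filter_listing(paths, restrictions):
    """4. During directory iteration, failing entries are dropped silently."""
    return [p for p in paths if is_allowed(p, restrictions)]


def audit(conf_xml):
    """Return users that combine a docroot with restrictions (unsupported)."""
    return [name for name, entries in load_user_paths(conf_xml).items()
            if any(absolute and rules for absolute, rules in entries)]


if __name__ == "__main__":
    rules = load_user_paths(SAMPLE_CONF)["UserName"][0][1]
    for candidate in ("s3://demo-bucket/a.mov", "azu://store/a.mov", "/etc/hosts"):
        print(candidate, "->", "kept" if is_allowed(candidate, rules) else "rejected")
    print("unsupported docroot+restriction users:", audit(SAMPLE_CONF))
```

Note the effect of rule 3: once any plain restriction such as s3://* is present, local paths are rejected as well, so the "!azu://*" entry in the sample adds nothing beyond what s3://* already enforces.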

Appendix

Updating Aspera Service Account

Lookup or change the user account that runs Aspera services.

On Windows, a special user account (Aspera service account) is used to run the services for Aspera products. The services include Aspera Central, Aspera HTTPD, Aspera Sync, and OpenSSH Service (if selected to install). During the installation, you are prompted to create a new Aspera service account, or add an existing user account for this purpose.

This topic covers the configuration of the Aspera service account, including updating the existing Aspera service account's password, and changing the Aspera service account.

1. Update the existing Aspera service account's password

During the installation, if you are having any problems entering the existing Aspera service account's credentials, change the user's password. To do so, right-click on My Computer and select Manage > Local Users and Groups > Users. Right-click on the account name and select Set Password....

2. Change Aspera service account

To replace the logon user running all Aspera services, open Command Prompt (Start menu > All Programs > Accessories > Command Prompt) and use the asuser-services.bat command.

In the Command Prompt, navigate into the path that contains this command:

OS Version Command

32-bit Windows > cd "\Program Files (x86)\Aspera\Enterprise Server\bin"

64-bit Windows > cd "\Program Files\Aspera\Enterprise Server\bin"

For example, to use an existing domain user ([email protected] / myPassword), execute the command:

> asuser-services.bat [email protected] myPassword

If you are entering a non-existent user account, this command will create the system user. For example, to set up a new user as the Aspera service account:

> asuser-services.bat newUser newUserPassword

If you are running a non-English version of Windows, your administrator group may not be "Administrators". When updating the Aspera service account, add a third parameter that specifies the local admin group:

> asuser-services.bat newUser newUserPassword Administratores

Product Limitations

Describes any limitations that currently exist for Aspera transfer server and client products.

• Path Limit: The maximum number of characters that can be included in any pathname is 512 characters.
• Usernames with "@" symbol: You cannot add a username with an "@" symbol through the Aspera GUI. You can, however, perform the following actions: (1) Set up a Hot Folder to sync with a Linux server using a Linux account containing the "@" symbol; and (2) Connect to and start a transfer with a Linux server through the Aspera GUI with user credentials containing the "@" symbol.

FASP Transfer Policies

The character of the FASP transfer policies.

The transfer policy and speed determine how you utilize the network resource for FASP file transfers. Here is the description of all transfer policies:

Policy Description

Fixed FASP attempts to transfer at the specified target rate, regardless of the actual network capacity.This policy transfers at a constant rate and finishes in a guaranteed time. This policy willtypically occupy a majority of the network's bandwidth, and is not recommended in most filetransfer scenarios. In this mode, a maximum (target) rate value is required.

High FASP monitors the network and adjusts the transfer rate to fully utilize the available bandwidthup to the maximum rate. When congestion occurs, a FASP session with high policy transfersat a rate twice of a session with fair policy. In this mode, both the maximum (target) and theminimum transfer rates are required.

Note: This policy is not available in the Connect browser plug-in.

Fair FASP monitors the network and adjusts the transfer rate to fully utilize the available bandwidthup to the maximum rate. When other types of traffic builds up and congestion occurs, FASPshares bandwidth with other traffic fairly by transferring at an even rate. In this mode, both themaximum (target) and the minimum transfer rates are required.

Low (or Trickle) Similar to Fair mode, the Low (or Trickle) policy uses the available bandwidth up to themaximum rate, but much less aggressive when sharing bandwidth with other network traffic.When congestion builds up, the transfer rate is decreased all the way down to the minimum rate,until other traffic retreats.

Generate an Internet Server Certificate (IIS)

Generate an Internet Server Certificate for IIS 6 (Windows XP, 2003) or IIS 7 (Windows Vista, 2008, 7)

Follow the steps below to generate an Internet Server Certificate for IIS 6 (Windows XP, 2003) or IIS 7 (Windows Vista, 2008, 7).

1. Request and install the Internet Server Certificate

Note: This step assumes you have already installed IIS on your system. For additional information or if you have not already completed the installation of IIS, please refer to the topic Product Setup on page 10 before continuing.

Navigate to the IIS instructions below using the links for your specific version of Windows:

OS Version | Instructions

Windows XP, 2003 (IIS 6.x) | How to enable SSL for your customers

Windows Vista, 2008, 7 (IIS 7.x) | Configuring Internet Server Certificates (IIS 7)


After you have successfully generated and installed your signed Internet Server Certificate, as well as restarted IIS, go to the following URL to test your SSL setup:

https://your-host-name/

2. (Optional) Generate a Self-Signed Certificate

At this point, you may need to generate a self-signed certificate because:

• You don't plan on having your certificate signed by a CA
• Or you wish to test your new SSL implementation while the CA is signing your certificate

To create and install an IIS self-signed testing certificate, follow the instructions below for your specific Windows operating system:

OS Version | Instructions

Windows XP, 2003 (IIS 6.x) | Download and execute the IIS 6.0 Resource Kit Tools (freely downloadable) from the Microsoft Download Center. Once installed, go to Start menu > All Programs > IIS Resources > SelfSSL and launch SelfSSL. In the SelfSSL command prompt, run the following command:

> selfssl

Note that instructions will be listed in the command prompt. Type y when prompted to confirm installation.

Windows Vista, 2008, 7 (IIS 7.x) | See Create a Self-Signed Server Certificate in IIS 7.

When complete, you can test your self-signed certificate by going to the following URL:

https://localhost/

Restarting Aspera Services

Instructions on restarting Aspera services after configuration changes

You may restart Aspera Central, Aspera HTTPD and Aspera NodeD within the Computer Management window, which is accessible via Manage > Services and Applications > Services.


Setting Policies for OpenSSH User

Setting local security policies (post-Aspera product installation) for the user who runs OpenSSH

Your Aspera transfer product's installer includes the implementation of an SSH Server (OpenSSH) for user authentication and for the setup of transfer sessions. Alternatively, you can opt not to install OpenSSH (i.e., you click the Custom button within the installer and then de-select the option for the SSH Server), and choose to set it up post-install, instead. If you choose to set up OpenSSH, post-Aspera product installation, then you must create a user account to run the SSH service, and assign the proper permissions. You can set up the SSH service user account and associated permissions automatically using the script asuser-services.bat, which can be found in the following location:

Platform | Location

32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\bin\

64-bit Windows | C:\Program Files\Aspera\Enterprise Server\bin\

You may also set up the SSH service user account manually, although you must also manually assign the proper permissions. You may do so through Administrative Tools > Local [Security] Policy > Local Policies > User Rights Assignment. The SSH user account must be made a member of the local Administrators group and then granted the following rights:

• Act as a part of the Operating System
• Adjust memory quotas
• Create a token
• Log on as a service
• Replace a process level token

Important: If your clients need to access network resources (e.g., transferring files to or from a Windows share), then you must create a domain account that has proper access to these resources; otherwise, you may create a local account.
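The rights listed above are among the most powerful on a Windows host, so after setup it is worth confirming that the SSH service account holds them and seeing which other principals do. The PowerShell below is an added example, not part of the Aspera product or its documentation: it parses the [Privilege Rights] section written by secedit /export, and the account name svc_ssh and the sample export are constructed for illustration.

```powershell
# Added example (not Aspera code): audit the user rights the guide assigns to
# the OpenSSH service account. Keys are the Windows constant names for the
# rights the guide lists by display name.
$RequiredRights = @{
    'SeTcbPrivilege'                = 'Act as a part of the Operating System'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas'
    'SeCreateTokenPrivilege'        = 'Create a token'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

function ConvertFrom-PrivilegeRights {
    # Parse the [Privilege Rights] section of a secedit export into a
    # hashtable: right name -> array of holders (account names or *SID strings).
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-ServiceAccountRights {
    # $Identities: every string that denotes the account in the export,
    # for example its name and its SID prefixed with '*'.
    param([hashtable]$Rights, [string[]]$Identities)
    foreach ($right in ($RequiredRights.Keys | Sort-Object)) {
        $holders = @()
        if ($Rights.ContainsKey($right)) { $holders = @($Rights[$right]) }
        $mine   = @($holders | Where-Object { $Identities -contains $_ })
        $others = @($holders | Where-Object { $Identities -notcontains $_ })
        New-Object PSObject -Property @{
            Right        = $right
            Description  = $RequiredRights[$right]
            Granted      = ($mine.Count -gt 0)
            OtherHolders = ($others -join ', ')
        } | Select-Object Right, Description, Granted, OtherHolders
    }
}

function Get-LiveUserRights {
    # Export the local user-rights policy (run elevated) and parse it.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        ConvertFrom-PrivilegeRights (Get-Content $tmp)
    }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# Constructed sample export; svc_ssh is a hypothetical service account and
# SeCreateTokenPrivilege is deliberately missing from it.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,svc_ssh
SeTcbPrivilege = svc_ssh
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,svc_ssh
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,svc_ssh
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-ServiceAccountRights (ConvertFrom-PrivilegeRights $sample) @('svc_ssh') |
    Format-Table -AutoSize

# On a server, replace the sample with the live policy:
#   Test-ServiceAccountRights (Get-LiveUserRights) @('svc_ssh', '*<account SID>')
```

A row with Granted set to False means the service account lacks a right the guide requires; the OtherHolders column shows who else holds each right and is worth reviewing in the same pass.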


Optimizing Transfer Performance

Tips about testing and improving your computer's transfer performance.

To verify that your system's FASP transfer can fulfill the maximum bandwidth capacity, prepare a client machine to connect to this computer, and do the following tests:

1. Start a transfer with Fair transfer policy

On the client machine, open the user interface and start a transfer. Go to the Details to open the Transfer Monitor.

To leave more network resources for other high-priority traffic, use the Fair policy and adjust the target rate and minimum rate by sliding the arrows or entering values.

2. Test the maximum bandwidth

Note:

This test will typically occupy a majority of the network's bandwidth. It is recommended that this test be performed on a dedicated file transfer line or during a time of very low network activity.

Use Fixed policy for the maximum transfer speed. Start with a lower transfer rate and increase gradually toward the network bandwidth.

To improve the transfer speed, you may also upgrade the related hardware components:


Component | Description

Hard disk | The I/O throughput, the disk bus architecture (e.g. RAID, IDE, SCSI, ATA, and Fiber Channel).

Network I/O | The interface card, the internal bus of the computer.

CPU | Overall CPU performance affects the transfer, especially when encryption is enabled.

Log Files

Locate the log files related to the Aspera product.

The log file includes detailed transfer information and can be useful for review and support requests.

To view the application log, go to Tools > View Log.

To review logs of other components, click Open Logs Folder to open the folder that contains transfer logs:

OS Version | Path

32-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\var\log

64-bit Windows | C:\Program Files\Aspera\Enterprise Server\var\log

The following files are available in the log folder. Older logs are stored with the same filename, appended with incremental numbers (e.g. ascmd.0.log).

File Name | Description

ascmd.log | File browsing and manipulation in user interface.

asconfigurator.log | Server configuration information.

asperacentral.log | A server-side service that handles transfers, web services and database logging.

aspera-scp-transfer.log | The FASP transfers.

aspera-scp-http-transfer.log | The HTTP Fallback server.

asperasync.log | The Hot Folders (File synchronization).

Users can set the logging level for transfers from the My Preferences dialog. My Preferences can be opened from Tools > Preferences or from the Preferences button in the upper-right corner of the application window.


The five logging levels to select from are: Off, Error, Warn, Info, and Debug. The system default is Info.

Updating the Product License

Update your product license.

To update the license key, launch the application (Start Menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and go to Menu bar > Tools > License to bring up the License window.

To update your license from the GUI, open Tools > License.


You may click the Import License File... and select the license file, or Paste License Text... to copy-and-paste the license file's content. When finished, the license information will appear in the window. Verify that it is correct and click Close.

Lastly, if you are using the Node API, you must reload the asperanoded service.

> asnodeadmin.exe --reload

Updating Aspera Service Account

Look up or change the user account that runs Aspera services.

On Windows, a special user account (Aspera service account) is used to run the services for Aspera products (Aspera Central, Aspera HTTPD, Aspera Sync, and OpenSSH Service (if selected to install)). During the installation, you are prompted to create a new Aspera service account, or add an existing user account for this purpose.

This topic covers the configuration of the Aspera service account, including updating the existing Aspera service account's password, and changing the Aspera service account.

1. Update the existing Aspera service account's password

During the installation, if you are having any problems entering the existing Aspera service account's credentials, change the user's password. To do so, right-click on My Computer and select Manage > Local Users and Groups > Users. Right-click on the account name and select Set Password....

2. Change Aspera service account

To replace the logon user running all Aspera services, open Command Prompt (Start menu > All Programs > Accessories > Command Prompt) and use the asuser-services.bat command.


In the Command Prompt, navigate into the path that contains this command:

OS Version | Command

32-bit Windows | > cd "\Program Files (x86)\Aspera\Enterprise Server\bin"

64-bit Windows | > cd "\Program Files\Aspera\Enterprise Server\bin"

For example, to use an existing domain user ([email protected] / myPassword), execute the command:

> asuser-services.bat [email protected] myPassword

If you are entering a non-existent user account, this command will create the system user. For example, to set up a new user as the Aspera service account:

> asuser-services.bat newUser newUserPassword

If you are running a non-English version of Windows, your administrator group may not be "Administrators". When updating the Aspera service account, add a third parameter that specifies the local admin group:

> asuser-services.bat newUser newUserPassword Administratores

Upgrading Enterprise Server to Connect Server

How to upgrade from IBM Aspera Enterprise Server to IBM Aspera Connect Server.

If you are upgrading a previous version of Enterprise Server to Connect Server, follow these steps:

1. Set up Internet Information Service (IIS) for Web UI

Before upgrading from Enterprise Server to Connect Server, you must install the Internet Information Service (IIS) on your computer. Please refer to the topic Product Setup on page 10, Step 1, for detailed information.

2. Download the latest Connect Server installer

Download the Connect Server installer from the location below. Use the credentials provided to your organization by Aspera to access the link.

http://asperasoft.com/en/downloads/4

Run the installer and follow the on-screen instructions to update your software to the latest version.

3. Change existing installation to include the Connect Server Web UI

Go to Control Panel > Add or Remove Programs, select Aspera Enterprise Server and click Change. Click Next in the Aspera Enterprise Server Setup wizard screen, and click Change.


In the Custom Setup screen, click Connect Server Web UI and select Will be installed on local hard drive. Click Next to proceed.

4. Import Connect Server license

To update the license key, launch the application (Start Menu > All Programs > Aspera > Enterprise Server > Enterprise Server) and go to Menu bar > Tools > License to bring up the License window.


You may click the Import License File and select the license file, or Paste License Text to copy-and-paste the license file's content. When finished, the license information will appear in the window. Verify that it is correct and click Close.

Uninstall

How to uninstall the Aspera product from your computer.

You can uninstall the product from Control Panel. Depending on your version of Windows, choose Add/Remove Programs or Uninstall a program. Prior to removing the application, close the following applications and services:

• ascp connections
• SSH connections
• User interface
• asperasync Services

Setting Up Token Authorization

When accounts on a transfer server are configured to require token authorization, only transfers initiated with a valid token are allowed to transfer to or from the server. The token authorization requirement can be set for individual users, entire user groups, or globally for all users. Token authorization can be set independently for incoming transfers and outgoing transfers.

Token authorization is a requirement for initiating transfers with the Shares product.

Set up token authorization for a transfer user as follows:

1. Choose or create the transfer user on the server.

The examples below use the transfer user asp1.

2. Log in as the user to ensure that any created files are owned by the user.

Create the directory .ssh and the file authorized_keys if they don't already exist. For example:

C:\Users\asp1\.ssh\authorized_keys

3. Append the token-authorization public key to the user's authorized_keys file.

Aspera provides a public key in the file aspera_id_dsa.pub stored in the following location:

C:\Program Files[ (x86)]\Aspera\Enterprise Server\var\aspera_id_dsa.pub

4. Ensure that .ssh and .ssh/authorized_keys are owned by the user.

Update the directory permissions by right-clicking the .ssh folder and selecting the Security tab. Here, you can set permissions to read, write, and execute (full control).


5. Make sure the user has no password.

If the system does not allow this, create a very large password.

6. Make sure the user's login shell is aspshell.

For information on setting this, see Securing your SSH Server on page 22.

7. Configure the user for token authorization

To configure user authorization from the GUI, see Configuring Token Authorization from the GUI on page 153.

To configure user authorization from aspera.conf, see Configuring Token Authorization With aspera.conf on page 154.

Note:

Instead of setting authorization for each user individually, you can set it for a group, or set it globally for all users.

8. Create a node user and associate it with the transfer user.

The examples below use the Node API user nuser.

> asnodeadmin.exe -au nuser -p nuser_passwd -x asp1
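Steps 2 to 4 above (the same key installation recurs in the Faspex and Shares procedures later in this appendix) can be scripted so that the file never picks up a .txt extension, a byte-order mark or a duplicate key. This PowerShell is an added example, not Aspera's own tooling; the function name, the access list it applies (the transfer user, SYSTEM and the local Administrators group, addressed by SID) and the demo paths are assumptions.

```powershell
# Added example (not Aspera code): install the token-authorization public key
# for a transfer user. Run from an elevated prompt on the transfer server.
function Install-TokenAuthKey {
    param(
        [Parameter(Mandatory = $true)][string]$UserHome,       # e.g. C:\Users\asp1
        [Parameter(Mandatory = $true)][string]$PublicKeyFile,  # ...\var\aspera_id_dsa.pub
        [Parameter(Mandatory = $true)][string]$Account         # e.g. asp1
    )
    $sshDir   = Join-Path $UserHome '.ssh'
    $authKeys = Join-Path $sshDir 'authorized_keys'

    if (-not (Test-Path $sshDir)) {
        New-Item -ItemType Directory -Path $sshDir | Out-Null
    }

    # A text editor may have saved the file as authorized_keys.txt; the guide
    # requires the name without an extension.
    $stray = "$authKeys.txt"
    if ((Test-Path $stray) -and -not (Test-Path $authKeys)) {
        Rename-Item -Path $stray -NewName 'authorized_keys'
    }

    # The .pub file holds one key per line: "<key type> <base64> [comment]".
    $lines = @(Get-Content $PublicKeyFile | Where-Object { $_.Trim() })
    if ($lines.Count -eq 0 -or $lines[0] -notmatch '^\s*[a-z0-9@.-]+\s+[A-Za-z0-9+/=]+') {
        throw "No SSH public key found in $PublicKeyFile"
    }
    $key = $lines[0].Trim()

    # Keep the keys already present and append ours only once.
    $entries = @()
    if (Test-Path $authKeys) {
        $entries = @(Get-Content $authKeys |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $added = $entries -notcontains $key
    if ($added) { $entries += $key }

    # ASCII output carries no byte-order mark, so the key type is the first
    # thing on line 1.
    Set-Content -Path $authKeys -Value $entries -Encoding ASCII

    # Limit access to the transfer user, SYSTEM (S-1-5-18) and the local
    # Administrators group (S-1-5-32-544). SIDs avoid localized group names.
    $acl = @('/inheritance:r', '/grant:r', "${Account}:(OI)(CI)F",
             '*S-1-5-18:(OI)(CI)F', '*S-1-5-32-544:(OI)(CI)F')
    & icacls.exe $sshDir $acl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $sshDir" }
    & icacls.exe $authKeys /reset | Out-Null   # file now inherits from .ssh
    & icacls.exe $sshDir /setowner $Account /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not set owner of $sshDir to $Account" }

    New-Object PSObject -Property @{
        Path     = $authKeys
        KeyAdded = $added
        KeyCount = $entries.Count
    }
}

# Demo on a scratch folder with a constructed, non-functional key line.
$demoHome = Join-Path $env:TEMP ('asp1-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demoHome | Out-Null
$demoPub = Join-Path $demoHome 'constructed_id_dsa.pub'
Set-Content -Path $demoPub -Encoding ASCII `
    -Value 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER constructed@example'

Install-TokenAuthKey -UserHome $demoHome -PublicKeyFile $demoPub -Account $env:USERNAME
# Running it again leaves the file unchanged (KeyAdded is False).
Install-TokenAuthKey -UserHome $demoHome -PublicKeyFile $demoPub -Account $env:USERNAME
```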

Configuring Token Authorization from the GUI

Requirements:

• You have created a transfer user on your server.
• You have set up the transfer user with an SSH public key as described in Setting Up Token Authorization on page 152.

The examples below use a transfer user called asp1.

1. On the main screen of the desktop client, click the Configuration link (upper right).

This opens the Server Configuration dialog.

2. Select the Users tab and choose a user to configure.

Alternatively, select the Groups tab and choose a group to configure, or select the Global tab to configure options for all users.

3. In the right panel of the Server Configuration dialog, select the Authorization tab.

4. For Incoming Transfers check the override box. Under Effective Value, select token from the dropdown menu.

5. Similarly, do the same for Outgoing Transfers.

6. For Token Encryption Key, check the override box, and under Effective Value, enter the token encryption key. The encryption key should be a string of random characters (at least 20 recommended).

7. When you're done, click Apply to save the changes, or click OK to save the changes and close the dialog.

Alternatively, instead of configuring token authorization individually for each user, you can select the Groups tab and apply these settings to groups of users. Or, you can select the Global tab and apply these settings to all users.

Configuring Token Authorization With aspera.conf

Requirements:

• You have created a transfer user on your server.
• You have set up the transfer user with an SSH public key as described in Setting Up Token Authorization on page 152.

The examples below use a transfer user called asp1.

1. Locate aspera.conf and open it with a plain-text editor

C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\aspera.conf

2. Add an authorization section for the user

In the following example, the user section for asp1 contains an <authorization> section that specifies the following:

• a <transfer> section specifying that both incoming and outgoing transfers (in and out) should use token encryption

• a <token> section with an encryption key, which should be a string of random characters (at least 20 recommended)

Alternatively, you can configure token-authorization settings in a <group> section to be applied to all users in the group. Or, you can configure the settings in the <default> section to apply them globally for all users.

<user>
  <name>asp1</name>
  <authorization>
    <transfer>
      <in>
        <value>token</value>
      </in>
      <out>
        <value>token</value>
      </out>
    </transfer>
    <token>
      <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
    </token>
  </authorization>
  <file_system>
    ...
    ...
  </file_system>
</user>

Configuring for Faspex

The steps below describe configuring IBM Aspera Connect Server as the transfer server for IBM Aspera Faspex.

1. Install Enterprise/Connect Server.

If you haven't already, follow the steps in Standard Installation on page 6 to install Connect Server (the transfer server).

The transfer server can be set up in either of the following configurations:

• locally, on the same host as Faspex
• remotely, on a separate host

Note: For a local setup, most configuration is taken care of automatically when Faspex is installed in a later step. For this reason, Enterprise Server/Connect Server should be installed first.

All steps must be performed with administrator permissions.

2. (LOCAL SETUP ONLY) Check aspera.conf settings and adjust if necessary.

In the aspera.conf file (C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\aspera.conf) check the following:

• Look for <persistent_store> in the <central_server> section, and be sure that it is set to enable (default value). This setting allows the retention of historical transfer data used by the stats collector.

• Look for the <dir_allowed> setting for the faspex user, and ensure that it's set to true.

If you change settings, you must restart asperacentral and asperanoded.

To restart these services, go to Control Panel > Administrative Tools > Services, right-click Aspera Central and Aspera NodeD, and select Restart.


Note:

If you are installing Connect Server locally (on the same machine as Faspex), continue by installing Faspex as described in the Aspera Faspex Admin Guide.

If you are setting up Connect Server as a remote transfer server node, continue with the steps below.

3. Create the system user on the transfer-server host.

The system user authenticates the actual ascp transfer and must be an operating system account. To create a new system user faspex on your Windows system, go to Control Panel > User Accounts. After adding the faspex user, change the user's password.

4. Create and configure the Faspex packages directory.

Create the directory:

C:\faspex_packages

5. Add the faspex user to Enterprise/Connect Server.

Launch the desktop application and click Configuration.

In Server Configuration, select the Users tab. Then click the button.

In the Add User dialog that appears, fill in the name "faspex" and click OK; faspex is then added to the user list.

To specify a docroot, make sure faspex is selected in the user list, and open the Docroot tab in the right panel. For the Absolute Path setting, check the Override box, and under Effective Value fill in /Users/faspex/faspex_packages. For the read, write, and browse settings, check the Override boxes and select true.

You can also add and configure the faspex user for Connect Server by modifying aspera.conf, instead of using the application GUI. For details, see Setting Up Users on page 70.

6. Modify aspera.conf.

The aspera.conf file is found in the following location:

C:\Program Files [(x86)]\Aspera\Enterprise Server\etc\aspera.conf

Below is a typical aspera.conf file. Yours may differ, particularly if you have installed other Aspera products. Copy any absent portions from the example below. Modify the following settings, as necessary:

• Add the Faspex package directory as a docroot. In the file below, look for the <absolute> tag to see how the docroot has been defined in this installation, and adjust yours accordingly.

• Look for the <server_name> tag, and ensure that server_ip_or_name has been replaced with the name or IP address of your server.

• Look for <persistent_store> in the <central_server> section, and be sure that it is set to enable (the default value).

• Look for the <dir_allowed> setting for the faspex user, and ensure that it's set to true.

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <central_server>
    <address>127.0.0.1</address>
    <port>40001</port>
    <compact_on_startup>enable</compact_on_startup>
    <persistent_store>enable</persistent_store>
    <persistent_store_on_error>ignore</persistent_store_on_error>
    <persistent_store_max_age>86400</persistent_store_max_age>
    <event_buffer_overrun>block</event_buffer_overrun>
  </central_server>
  <default>
    <file_system>
      <pre_calculate_job_size>yes</pre_calculate_job_size>
    </file_system>
  </default>
  <aaa>
    <realms>
      <realm>
        <users>
          <user>
            <name>faspex</name>
            <file_system>
              <access>
                <paths>
                  <path>
                    <absolute>C:\faspex_packages</absolute>
                    <show_as>/</show_as>
                    <dir_allowed>true</dir_allowed>
                  </path>
                </paths>
              </access>
              <directory_create_mode>770</directory_create_mode>
              <file_create_mode>660</file_create_mode>
            </file_system>
            <authorization>
              <transfer>
                <in>
                  <value>token</value>
                </in>
                <out>
                  <value>token</value>
                </out>
              </transfer>
              <token>
                <encryption_key>af208360-dbdd-4033-a35b-2370941f37e9</encryption_key>
              </token>
            </authorization>
          </user>
        </users>
      </realm>
    </realms>
  </aaa>
  <http_server>
    <http_port>8080</http_port>
    <enable_http>1</enable_http>
    <https_port>8443</https_port>
    <enable_https>1</enable_https>
  </http_server>
  <server>
    <server_name>server_ip_or_name</server_name>
  </server>
</CONF>

After modifying aspera.conf, restart Aspera Central and Aspera NodeD services.

You can restart these services from the Windows Computer Management window, accessible from Manage > Services and Applications > Services.


7. Verify that you have a valid transfer server license installed.

Verify that the transfer server has a valid Faspex-enabled license for Connect Server. To check this from the command line, run ascp -A and review the enabled settings list. For example:

Enabled settings: connect, mobile, cargo, node, proxy, http_fallback_server, group_configuration, shared_endpoints, desktop_gui

If the list includes connect and http_fallback_server, you have a Faspex-enabled server license.

You can also check the license from the Connect Server desktop client GUI. The License dialog (Tools > License) includes the fields Connect Clients Enabled and Http Fallback Server Enabled. If both are set to Yes, you have a Faspex-enabled license.

Because this Faspex configuration uses Connect Server as a remote transfer service, it requires the Aspera Node API. For this reason, whenever you update your Connect Server license (see Updating the Product License on page 148), you must reload the asperanoded service afterwards. Reload the asperanoded service by running asnodeadmin.exe, found in the following location:

OS Version | File Location

32-bit Windows | C:\Program Files\Aspera\Enterprise Server\bin\asnodeadmin.exe

64-bit Windows | C:\Program Files (x86)\Aspera\Enterprise Server\bin\asnodeadmin.exe

> asnodeadmin.exe --reload

8. Set up the node user.

Set up the node user and associate it with the faspex user by running the asnodeadmin command, as in the following example, where node-admin is the node user, s3cur3_p433 is the node user's password, and faspex is the system user. Then run asnodeadmin again to reload asperanoded.

> asnodeadmin.exe -a -u node-admin -p s3cur3_p433 -x faspex


> asnodeadmin.exe --reload

9. Install the Connect key.

First, locate your Connect key:

C:\Program Files [(x86)]\Aspera\Enterprise Server\var\aspera_id_dsa.pub

Then, create a .ssh folder (if it does not already exist) in the faspex user's home folder:

OS Version | Folder Location

Windows XP | C:\Documents and Settings\faspex\.ssh

Windows Vista, Windows 7+ | C:\Users\faspex\.ssh

Use a text editor to create (or modify) the following file, without the file extension, in the .ssh folder:

authorized_keys

Add the faspex user's key string into this file and save it. Note that some text editors add a .txt extension to the filename automatically. Be sure to remove the extension if it was added to the filename.

10. Ensure the firewall is set up correctly on your transfer server

For details, see Configuring the Firewall on page 21.

11. Configure your remote transfer server in the Faspex Web GUI.

Follow the instructions in Aspera Faspex Admin Guide: Transfer Server for configuring your remote transfer server in the Faspex Web GUI under Server > File Storage.

Configuring for Shares

The steps below show how to set up IBM Aspera Connect Server as a transfer server for IBM Aspera Shares. The procedure assumes you have already set up your Shares application. For general information on setting up a transfer server (using the Node API), see Managing the Node API on page 97.

1. Install Enterprise/Connect Server.

Follow the instructions in Standard Installation on page 6 to install Connect Server either locally (on the same host as Shares) or remotely.

The steps below must be performed with administrator permissions.

2. Create a Node API username.

Aspera's Web applications authenticate to the remote node service using a Node API username and password. The following command creates a Node API user/password and associates it with a file transfer user, asp1, which you will create in the next step. The Node API credentials can then be used to create nodes. Note that different nodes may use different Node API username/password pairs.

> asnodeadmin.exe -a -u node_api_username -p node_api_passwd -x asp1

Note that adding, modifying, or deleting a node-user triggers automatic reloading of the configuration and license files, as well as the user database.

3. Create a file transfer user.

The file transfer user authenticates the actual ascp transfer, and must be an operating system account on the node. Create a transfer user (for example, asp1) on your operating system (Control Panel > User Accounts). (Creating a user account requires administrator permissions.)


Note: After creating a Windows user account, log in as that user at least once in order for Windows to set up the user's home folder (for example, C:\Users\asp1). Once the user's home folder has been created, log back in as an administrator and continue the steps below.

After you've created the operating system account, set up this user in Connect Server. For instructions on setting up a user, see .

Note: The file transfer user requires a docroot. After setting a user's docroot, be sure to perform a reload, as described in aspera.conf for Nodes.

Caution: Aspera recommends that you not use spaces in your docroot. If your docroot contains spaces, you may not receive all email notifications relating to transfer activity.

4. Copy the public key to the transfer user’s SSH file.

For example, if the file transfer user is asp1, the standard location for the public key is in the user's home folder, as follows:

Windows XP, 2003 | C:\Documents and Settings\asp1\.ssh\authorized_keys

Windows Vista, 2008, 7, 8 | C:\Users\asp1\.ssh\authorized_keys

The Aspera-provided key file is located in:

C:\Program Files [(x86)]\Aspera\Enterprise Server\var\aspera_id_dsa.pub

Open a command prompt window and run the following commands to create the user's public key folder:

> cd user_home_folder
> md .ssh

Use a text editor to create the following file (with no file extension), if the file does not already exist:

user_home_folder\.ssh\authorized_keys

Copy the contents of aspera_id_dsa.pub to the authorized_keys file. Update the folder permissions in Windows Explorer by right-clicking the .ssh folder, selecting Properties, and then selecting the Security tab. Here, you can set permissions to read, write, and execute (full control).


5. (Optional) Change HTTPS port and/or SSL certificate.

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on port 9092, by default). To modify the HTTPS port, see aspera.conf for Nodes. For information on maintaining and generating a new SSL certificate, see Setting up SSL for your Nodes on page 103.

6. Modify aspera.conf

Make the following changes in the aspera.conf file, located in C:\Program Files [(x86)]\Aspera\Enterprise Server\etc:

• In the <central_server> section, look for <persistent_store> and be sure that it is set to enable (the default value). This setting allows the retention of historical transfer data used by the stats collector.

• In the <server> section, look for the <server_name> tag, and replace server_ip_or_name with the name or IP address of your server. If the <server> section does not exist, create it.

• Ensure there is an <http_server> section and that <enable_http> and <enable_https> are set to "1" (enabled).

<central_server>
  <persistent_store>enable</persistent_store>
</central_server>
<server>
  <server_name>server_ip_or_name</server_name>
</server>
<http_server>
  <http_port>8080</http_port>
  <enable_http>1</enable_http>
  <https_port>8443</https_port>
  <enable_https>1</enable_https>
</http_server>

Whenever you change these settings, you must restart asperacentral and asperanoded.

To restart these services, go to Control Panel > Administrative Tools > Services, right-click Aspera Central and Aspera NodeD, and select Restart.


7. In aspera.conf, enable token authorization for transfer users.

If you haven't done so already, set up the transfer user with an SSH public key as described in Setting Up Token Authorization on page 152.

In your aspera.conf file, add an authorization section for a transfer user as shown for the user asp1 in the example below. The authorization section should specify the following:

• a <transfer> section specifying that both incoming and outgoing transfers (in and out) should use token encryption

• a <token> section with an encryption key, which is a string of random characters (at least 20 characters recommended).

<user>
  <name>asp1</name>
  <authorization>
    <transfer>
      <in>
        <value>token</value>
      </in>
      <out>
        <value>token</value>
      </out>
    </transfer>
    <token>
      <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
    </token>
  </authorization>
  <file_system>
    ...
    ...
  </file_system>
</user>

Alternatively, you can configure token-authorization settings in a <group> section to be applied to all users in the group. Or, you can configure the settings in the <default> section to apply them globally for all users.

For additional details on configuring token authorization, see Setting Up Token Authorization on page 152.

8. Ensure that the firewall is set up correctly on your transfer server

For details, see Configuring the Firewall on page 21.
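The token settings described in Configuring Token Authorization With aspera.conf, and repeated in step 7 above and in the Faspex aspera.conf sample, can be checked mechanically, including the case where an encryption key printed in this guide was copied into a live configuration. The PowerShell below is an added example, not Aspera's tooling: the function names and the sample configuration are constructed, user values fall back to the <default> section, and <group> inheritance is not resolved.

```powershell
# Added example (not Aspera code): audit token authorization in aspera.conf,
# assuming the element layout shown in this guide.

# Encryption keys printed in this guide's examples. They are public, so they
# must never remain in a deployed configuration.
$DocSampleKeys = @('gj5o930t78m34ejme9dx', 'af208360-dbdd-4033-a35b-2370941f37e9')
$MinKeyLength  = 20   # "at least 20 recommended" in the guide

function Get-InnerText {
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    if ($null -eq $Node) { return $null }
    $hit = $Node.SelectSingleNode($XPath)
    if ($null -eq $hit) { return $null }
    return $hit.InnerText.Trim()
}

function Resolve-Setting {
    # A value set on the user overrides the one in <default>.
    param($User, $Default, [string]$XPath)
    $value = Get-InnerText $User $XPath
    if ([string]::IsNullOrEmpty($value)) { $value = Get-InnerText $Default $XPath }
    return $value
}

function Test-AsperaTokenAuthorization {
    param([xml]$Conf)
    $default = $Conf.SelectSingleNode('/CONF/default')
    foreach ($user in $Conf.SelectNodes('//user')) {
        $in  = Resolve-Setting $user $default 'authorization/transfer/in/value'
        $out = Resolve-Setting $user $default 'authorization/transfer/out/value'
        $key = Resolve-Setting $user $default 'authorization/token/encryption_key'

        $findings = @()
        if ($in -ne 'token')  { $findings += 'incoming transfers do not require a token' }
        if ($out -ne 'token') { $findings += 'outgoing transfers do not require a token' }
        if ([string]::IsNullOrEmpty($key)) {
            $findings += 'no token encryption key is set'
        }
        elseif ($DocSampleKeys -contains $key) {
            $findings += 'encryption key is a sample value from the documentation'
        }
        elseif ($key.Length -lt $MinKeyLength) {
            $findings += "encryption key is shorter than $MinKeyLength characters"
        }

        # The key itself is never written to the report.
        New-Object PSObject -Property @{
            User      = Get-InnerText $user 'name'
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        } | Select-Object User, Compliant, Findings
    }
}

function New-TokenEncryptionKey {
    # 32 bytes from the operating system's CSPRNG, hex-encoded (64 characters).
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# Constructed sample configuration: asp1 still uses a documentation key and
# faspex has a short key and no setting for outgoing transfers.
[xml]$sample = @'
<CONF version="2">
  <default>
    <file_system><pre_calculate_job_size>yes</pre_calculate_job_size></file_system>
  </default>
  <aaa><realms><realm><users>
    <user>
      <name>asp1</name>
      <authorization>
        <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
        <token><encryption_key>gj5o930t78m34ejme9dx</encryption_key></token>
      </authorization>
    </user>
    <user>
      <name>faspex</name>
      <authorization>
        <transfer><in><value>token</value></in></transfer>
        <token><encryption_key>shortkey</encryption_key></token>
      </authorization>
    </user>
  </users></realm></realms></aaa>
</CONF>
'@

Test-AsperaTokenAuthorization $sample | Format-List
"Replacement key: $(New-TokenEncryptionKey)"

# On a server, audit the real file instead of the sample:
#   Test-AsperaTokenAuthorization ([xml](Get-Content '<path to aspera.conf>'))
```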


Troubleshooting

Using the Troubleshooter

Troubleshoot a remote client's problem connecting to your server.

You can use the transfer application's troubleshooting tool to verify a user's login problem on your computer.

To use the troubleshooting tool, launch the application and select Help > Troubleshoot. The troubleshooter will identify potential problems with your Aspera software configuration.

Error Adding Domain User

Troubleshooting steps for addressing errors encountered while adding domain users.

This topic addresses the following issues:

Issue: When attempting to add a user via Server Configuration > Users, you receive an "Error Adding User" message.
Error Message: Error creating user domain\username: Access Denied (16) - Unable to check for user domain\username's existence. Access denied? Missing Domain?

Issue: When attempting to switch the Aspera service account via asuser-services.bat, you receive a "User set up error" message.
Error Message: [email protected] may not be an existing domain account. Please create the domain account and re-run. (Windows error: 1722)

Issue: During the MSI product installation, you attempt to define the Aspera service account as a domain user account and you receive an error message.
Error Message: [email protected] may not be an existing domain account. Please create the domain account then re-run.

If you have encountered any of the preceding issues, follow the troubleshooting steps below.

1. Confirm that you are using a Domain Admin account to perform the actions listed in the table above.

2. Confirm that the Domain Admin account used to perform the actions listed in the table above has Local Administrator privileges. If it does not, add the account to the local Administrators group.

3. In addition to Local Administrator privileges, grant the account GenericRead access to the target user account in Active Directory. To do so, follow the sub-steps below.

Windows 2003

Step Description

A From a computer and user account that has access to Active Directory, open Active Directory Users and Computers.

B Click on the domain where the account exists.

C Select Users, right-click the user account, and then click Properties.

D Click the Security tab, then Add the user account performing the actions listed in the table above, and mark Allow for Read permissions.

E Click Apply and then OK.

Windows 2008 R2

Step Description

A From a computer and user account that has access to Active Directory, go to Administrative Tools > Active Directory Administrative Center.

Note: The Active Directory Administrative Center is installed when you add the Active Directory Domain Services (AD DS) server role through the Windows 2008 R2 Server Manager.

B Select Users, right-click the user account, and then click Properties.

C Select Extensions > Security.

D Add the user account performing the actions listed in the table above, and mark Allow for Read permissions.

E Click Apply and then OK.

Important: You may need to reboot the server to ensure that the Active Directory changes have been propagated to the server.

4. Re-attempt the original action(s).

Clients Can't Establish Connection

Troubleshoot the problem that your clients cannot connect to your IBM Aspera Connect Server.

The following diagram shows the troubleshooting procedure if clients can't establish a FASP transfer connection to your Connect Server. Follow the instructions to identify and resolve problems:

1. Test SSH ports and HTTP port

To verify the SSH and HTTP connection ports, on the client machine, open a Terminal or a Command Prompt, and use the telnet command to test it. For example, to test connection to a computer (10.0.1.1) through a port (TCP/33001), use this command:

> telnet 10.0.1.1 33001

On Connect Server, test both the SSH connection ports and the web server ports (HTTP and HTTPS).

If the client cannot establish connections to your Connect Server, verify the port number and the firewall configuration on the Connect Server machine.

2. Test UDP ports

If you can establish an SSH connection but not a FASP file transfer, there might be a firewall blockage of FASP's UDP port. Please verify your UDP connection.

3. Verify SSH service status

If there is no firewall blockage between the client and your Connect Server, on the client machine, try establishing an SSH connection in a Terminal or a Command Prompt: (Connect Server address: 10.0.1.1, TCP/33001)

$ ssh [email protected] -p 33001

If the SSH service runs normally, the client should see a message prompting to continue the connection or for a password. However, if you see a "Connection Refused" message, which indicates that the SSH service isn't running, review your SSH service status. Ignore the "permission denied" message after entering the password, which is discussed in the next steps.

4. Verify the IIS configuration

If the client can access your Connect Server through the HTTP or HTTPS port, but the client's browser doesn't bring up Aspera Web UI, there may be configuration problems when setting up the IIS. Refer to Configuring IIS for Web UI on page 167 and review the configuration.

5. Verify that the user account is added in Connect Server, with docroot configured

If your Connect Server responds to the client's SSH login attempt by prompting for login credentials, the user account may not be properly configured for FASP connections. Make sure that the login information is correct, and refer to Setting Up Users on page 70 to review the user account's configuration. Web UI requires login users to have docroot configured.

If you still encounter connection problems after going through these steps, contact Technical Support on page 173.
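The port checks in steps 1 and 3, as an added example that is not part of the original guide: this Python probe separates a refused connection (service not running) from no response (wrong port or firewall) and reads the SSH banner. The function names and the default web ports 80 and 443 are assumptions; 33001 is the SSH port used in the guide's example.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port the way steps 1 and 3 read the telnet/ssh results."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Host reachable but nothing is listening: the service is not running.
        return {"port": port, "state": "refused", "banner": None}
    except OSError:
        # Timeout, unreachable host or bad name: wrong address/port or a firewall drop.
        return {"port": port, "state": "no-response", "banner": None}
    with sock:
        sock.settimeout(timeout)
        try:
            # SSH servers speak first; take the first line as the banner.
            banner = sock.recv(256).split(b"\n", 1)[0].decode("ascii", "replace").strip()
        except OSError:
            banner = ""  # HTTP/HTTPS servers wait for the client to speak first
        return {"port": port, "state": "open", "banner": banner or None}

def diagnose(host, ssh_port=33001, web_ports=(80, 443), timeout=3.0):
    """Map probe results onto the guide's steps; returns a list of (port, advice)."""
    out = []
    for port in (ssh_port, *web_ports):
        r = probe_tcp(host, port, timeout)
        if r["state"] == "no-response":
            advice = "step 1: verify the port number and the firewall configuration"
        elif r["state"] == "refused":
            advice = "step 3: nothing is listening; review the service status"
        elif port == ssh_port and not (r["banner"] or "").startswith("SSH-"):
            advice = "port is open but sent no SSH banner; check what is bound to it"
        elif port == ssh_port:
            advice = "SSH answers; if FASP still fails, see step 2 (UDP) and step 5 (user, docroot)"
        else:
            advice = "web port answers; if Web UI does not load, see step 4 (IIS)"
        out.append((port, advice))
    return out

if __name__ == "__main__":
    for port, advice in diagnose("10.0.1.1"):  # address from the guide's example
        print(port, advice)
```
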

Configuring IIS for Web UI

Set up Microsoft Windows IIS (Internet Information Services) to host Web UI.

The Web UI for IBM Aspera Connect Server is a web-based file server that enables file access through a browser and file transfers using the Aspera Connect browser plugin. Additionally, you can set up HTTP Fallback to establish HTTP- or HTTPS-based file transfers with clients that don't have FASP connectivity. On Windows, Web UI is built upon Internet Information Services (IIS).

Note:

Connect Server on Windows uses IIS authentication. If user names use the extended character set, both the client and server machine must be set to use the same codepage, and the client must use IE 7 or later (other browsers don't support user names using extended characters). For more information, refer to http://support.microsoft.com/kb/938418.

Follow these steps to set up IIS for Web UI:

1. Set up the Internet Information Service (IIS) for Web UI

The IIS for Web UI should have the following items configured:

• Supports Active Server Pages (ASP)
• Supports Basic Authentication
• On Windows Server 2008, you should have the ASP, ASP.NET, and the Basic Authentication services installed.

Follow the instructions for the version of your Windows to enable the IIS's ASP and the Basic Authentication support:

OS: XP, 2003

Instructions: Go to Control Panel > Administrative Tools > Internet Information Service (Manager). In the left panel, navigate into the "Server's name" > Web Sites > (web site name) > aspera > user, right-click it and select Properties.

In the Properties window, select the Directory Security tab and click the Edit under the Anonymous access and authentication control (or Authentication and access control on Windows 2003). In the Authentication Methods window, check only the option Basic authentication (password is sent in clear text).

On Windows XP x64 and 2003, ASP web service extension should be allowed. Go to Control Panel > Administrative Tools > Internet Information Service (Manager). Select the Web Service Extensions > Active Server Pages and click Allow.

OS: Vista, 2008, 7

Instructions: Go to Start menu > Administrative Tools > Internet Information Services (IIS) Manager. In the left panel, navigate into the (Server name) > Sites > (web site name) > aspera. In the right panel, double-click the Authentication under the IIS section.

In the Authentication window, do the following settings:

• Disable the Anonymous Authentication.
• Disable the ASP.net Impersonation.
• Enable the Basic Authentication.

2. Add IIS 6 compatibility, ASP.NET and Basic Authentication role services (IIS 7-only)

If your computer is running IIS 7 or higher, IIS 6 compatibility components, ASP.NET and Basic Authentication role services should be added. Go to the Control Panel > Administrative Tools > Server Manager. Navigate into Server Manager > Roles > Web Server (IIS) and click Add Role Services.

In the Add Role Services, check the following options:

• IIS 6 Management Compatibility
• ASP.NET
• Basic Authentication

All sub-options in these items should be included, as illustrated in this graph:

With all role services checked, click Next and follow the instructions to install it.

3. Enable SSL certificate (Optional)

If you wish to set up an SSL certificate for Web UI, download and execute the IIS 6.0 Resource Kit Tools: Microsoft Download Center: Internet Information Services (IIS) 6.0 Resource Kit Tools.

When installed, go to Start menu > All Programs > IIS Resources > SelfSSL and launch SelfSSL. In the SelfSSL's Command Prompt, execute the following command and enter y when prompted:

> selfssl

4. Restart IIS

When you have finished updating IIS's configuration, go to Control Panel > Administrative Tools > Internet Information Service (Manager). In the left panel, select the "Server's name" > Web Sites > (web site name), start or restart it to apply the new settings.

To access Web UI, on a client machine, go to the following address with a browser:

Scope URL

HTTP http://<server-ip-or-name>/aspera/user

HTTPS https://<server-ip-or-name>/aspera/user

Note:

When adding files to Web UI, avoid using the following characters in the file names:

/ \ " : ' ? > < & * |

Uninstall Version 2.2.1 for Upgrade

Remove problematic releases between version 2.2.1.17909 and 2.2.1.18906.

If you are upgrading or uninstalling a version of IBM Aspera Connect Server between 2.2.1.17909 and 2.2.1.18906, and are not running the SSH server provided as part of the product package, then you may encounter an error while removing the old installation.

Error 1721: There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor.

In this case, follow these steps to uninstall it:

1. Locate the cached installer package

To locate the cached installer package, download msiinv from this link. When downloaded, place msiinv.exe under the C:\msiinv\ directory.

Open Command Prompt and execute the following command to generate a text file with a list of all installed applications:

> C:\msiinv\msiinv.exe -p > c:\msiinv\installed_apps.txt

Open this file with a text editor, locate the section that starts with "Aspera Enterprise Server":

Aspera Enterprise Server
Product code: {C040AA04-ABDD-4F82-9BBF-76B4C088CEDC}
Product state: (5) Installed.
...
Version: 2.2.1.18906
...
Local package: C:\WINDOWS\Installer\9a8cc93.msi
...

First, locate the line "Version" and verify that the build number is between 17909 and 18906. Second, locate the line "Local package" in preparation for Step 2.

2. Locate and modify the cached installer package

Next, download orca, an installer modification tool, from this link.

When downloaded, double-click the installer, follow the instructions and select the Typical setup type. Open Orca when finished, select File > Open, enter the path of the cached installer from Step 1:

When opened, find the InstallExecuteSequence from the Tables column, right-click on StopSSHD from the Action list and click Drop Row. Click File from the Toolbar and click Save File. When finished, close orca.

3. Remove the old installation

Remove the previous installation through Control Panel > Add/Remove Programs.

Technical Support

For further assistance, you may contact Aspera through the following methods:

Contact Info

Email [email protected]

Phone +1 (510) 849-2386

Request Form https://support.asperasoft.com/anonymous_requests/new/

The technical support service hours:

Support Type Hour (Pacific Standard Time, GMT-8)

Standard 8:00am – 6:00pm

Premium 8:00am – 12:00am

We are closed on the following days:

Support Unavailable Dates

Weekends Saturday, Sunday

Aspera Holidays Refer to our Website.

Feedback

The Aspera Technical Publications department wants to hear from you on how Aspera can improve customer documentation. To submit feedback about this guide, or any other Aspera product document, visit the Aspera Product Documentation Feedback Forum.

Through this forum, you can let us know if you find content that is not clear or appears incorrect. Aspera also invites you to submit ideas for new topics, and for improvements to the documentation for easier reading and implementation. When you visit the Aspera Product Documentation Feedback Forum, remember the following:

• You must be registered to use the Aspera Support Website at https://support.asperasoft.com/.
• Be sure to read the forum guidelines before submitting a request.

Legal Notice

© 2008-2014 Aspera, Inc., an IBM Company. All rights reserved.

Licensed Materials - Property of IBM
5725S58
© Copyright IBM Corp., 2008, 2014. Used under license.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Aspera, the Aspera logo, and FASP transfer technology are trademarks of Aspera, Inc., registered in the United States. Aspera Connect Server, Aspera Drive, Aspera Enterprise Server, Aspera Point-to-Point, Aspera Client, Aspera Connect, Aspera Cargo, Aspera Console, Aspera Orchestrator, Aspera Crypt, Aspera Shares, the Aspera Add-in for Microsoft Outlook, and Aspera Faspex are trademarks of Aspera, Inc. All other trademarks mentioned in this document are the property of their respective owners. Mention of third-party products in this document is for informational purposes only. All understandings, agreements, or warranties, if any, take place directly between the vendors and the prospective users.