Configuring webMethods.io MFT Settings

Configure listener preferences, audit settings, and general settings.

Features in webMethods.io MFT Settings

Throttling

Throttling provides the capability to manage the rate of file transfers. It allows you to set limits on bandwidth usage to avoid a scenario where your organization’s entire network capacity is consumed by file transfers. Throttling allows you to control the following:

The maximum number of client connections that can be made to webMethods.io MFT at any given time.
The maximum outgoing and incoming file transfer speeds allowed across all listeners for a webMethods.io MFT instance.

Restrictions for Files

Restrict particular operations for files that match a specified pattern. Set the following server restrictions:

Restrict server availability to specific days in a week.
Restrict particular actions for files that match a specified pattern.
For example, restrict users from uploading files that end with `.exe`.
Restrict access to subfolders in a directory that matches a specified pattern.

SSL Ciphers

Ciphers are algorithms that encrypt or decrypt data. Specify the SSL ciphers that webMethods.io MFT applies to all SSL listeners associated with a server instance.

File-based Encryption and Decryption

File-based encryption and decryption enables you to encrypt files before you store them on your drive. Encrypted files are decrypted when they are transferred back using the same key that was used to encrypt them. webMethods.io MFT encrypts and decrypts files instream rather than after the file is fully transferred.

When encryption and decryption keys are configured at multiple levels (user, server, and folder), webMethods.io MFT enforces the following order of preference:

Users
Folders
Servers

For example, if user A accesses port 10 and uploads a file in VFS TestFolder123, then webMethods.io MFT checks if the encryption or decryption key is available for user A. If no key is available at the virtual folder level, then webMethods.io MFT checks for the user settings for the key. If no key is present at the user settings level, then webMethods.io MFT checks the server level settings for the key. If no key is present at the server level settings, then files are not encrypted or decrypted during upload or download.

Hammering

Hammering is a term used to describe a type of network activity in which a client repeatedly attempts to access a server or perform certain actions against the server’s configuration, often in a way that exceeds normal or expected usage patterns.

Use the hammering configurations to do the following:

Connection. Monitors the number of connections made by a client within a specified time interval (Max Attempts within a second). If the number of connections exceeds the configured limit, the client's IP address is banned for the duration specified in the ban duration setting. If the ban duration is set to 0, the ban is permanent.
Note: The connection configuration is possible only for SFTP and FTPS but not for HTTPS.
Password. Determines the maximum number of incorrect password attempts allowed from a single IP address. If the configured limit exceeds, the IP address is banned.
Command. Determines the maximum number of unauthenticated command attempts allowed before banning an IP address. For instance, if the maximum attempts are set to two and a user attempts to perform an operation more than twice (such as uploading or deleting a file), the IP address associated with the user is banned.
Ban IP addresses of users after the first incorrect password attempt. Allows you to create a specific user group for which the client IP address is banned after the first incorrect password attempt. This is particularly useful for safeguarding important users, such as administrators or user accounts used for automation purposes. If someone attempts to log in using one of these users and provides an incorrect password, the IP address associated with the attempt is banned.
Ban specified IP addresses. Sets the duration of time for which a client's IP address is banned after the first incorrect password attempt for a specific user group. The ban time can be configured to last for a specified period, after which the IP address ban is automatically removed.
Cache Invalid user name. Remembers the invalid users who attempt to log in using any listeners. These invalid users are cached for a certain period of time, with the default being 60 seconds. During subsequent login attempts, the session is terminated before the user is checked for authentication if their details are still cached from a previous invalid attempt.
Banned IPs. Displays the IP addresses that are banned due to the configured settings, along with the reason for the ban. In some scenarios, user information may not be available if the IP address was banned due to the Connection settings, but the IP address is still banned as per the correct configuration. If an administrator deletes a row in this section and saves the Listener Preferences, IP address ban restriction is removed and access from that IP address is allowed.
IP restrictions. Allows for the definition of a set of allowed or denied IP addresses. For example, if the listeners are accessible only from clients within a specific IP address range, these IP addresses can be configured as allowed. Any client requests from IP addresses outside of this range are not allowed to access the listeners. Alternatively, if you do not want IP addresses in a specific range to access the listeners, these IP addresses can be configured as denied.

Note: Both Allow and Deny configurations are possible, but contradictory configurations can result in unpredictable behavior. For example, if the same IP address range is configured as both Allow and Deny, the runtime behavior of the application will be unpredictable.

After a client triggers the hammering setting by performing actions that match the pre-set configurations, the IP address is not immediately banned. Instead, a background process checks for hammering on the server from any specific IP address every few seconds. If the process detects hammering from a particular IP address, that address is banned for the duration that is configured.

Listener Preferences

Configure global settings for all listeners. These settings are applicable for all listeners associated with webMethods.io MFT.

Go to Settings > Listener preferences.

Select the webMethods.io MFT instance from the Instance list and specify the following settings:

Throttling options

Field	Description
Maximum simultaneous user connections	Type the maximum number of client connections allowed for the server at any given time.
Maximum outgoing speed (Kb/sec)	Type the maximum allowable speed in kilobytes per second for outbound transfers across all listeners.
Maximum incoming speed (Kb/sec)	Type the maximum allowable speed in kilobytes per second for inbound transfers across all listeners.
Active time window	Select the days of a week you want the server to be available to the user.
File name filters	Configure the file name filters to allow or deny commands (upload, download, list, rename) for files that match a specified pattern. For example, restrict a user from uploading files that end with “.exe”. When you configure the file name filters for Listener Preferences and Users, the User file name filter configuration overrides the Listener Preferences configuration. The file name filter is applied on the filename received by the server. For example, if a .pdf file is uploaded after changing the file extension to .txt, then webMethods.io MFT considers it as a .txt file when applying the filters.
Patterns	Click to add one or more patterns to restrict a particular operation for certain files, and specify the following details: Command. Select a operation to restrict ( List, Upload, Download or Rename) from the list. Filter type. Select a filter type (Starts with, Ends with, or Contains) from the list. File name. Type a portion of the file name that the Filter type criterion should evaluate (for example, “exe”). Note: Wildcard characters and regular expressions are not supported. That is, you cannot use characters such as * or % to represent any sequence of characters.
Block paths matching these patterns	Click to restrict access to specific folders and subfolders in the file system, and specify the following: Pattern. Type the file system path you want to block. Regular expressions or wildcards characters are permitted. Tip: Precede a pattern with a tilde character (~) to apply the pattern for all occurrences. For example, to deny user access to the folder /system/bin type: `~/system/bin/*`

Hammering options

Field	Description
Ban IP address after unsuccessful attempts	Ban a user’s IP address after a certain number of connection, password, or command execution attempts. Select the values for Connection, Password, and Command rows to configure the following settings: Maximum attempts. Type the maximum number of allowed attempts. Max attempts within. (sec) Type the duration in seconds. Ban duration. (min) Type the number of minutes to ban the IP address.
Ban the IP addresses of users after the first incorrect password	Ban the IP address associated with a specific user after the user’s first incorrect password attempt. Click and type the user name for whom you want to ban the IP address.
Ban specified IP addresses	Do one of the following after adding the IP addresses associated with users after the first incorrect password attempt: Select Permanently to ban the user’s IP address permanently. Select Ban duration and type the number of minutes for which the user’s IP address should be banned.
Cache invalid usernames for (sec)	Type the number of seconds to hold the name of invalid users in the cache temporarily. The temporary caching of invalid usernames is useful for blocking robots that make repeated attempts to discover valid user credentials. When a robot scans webMethods.io MFT during the user validation process, this option blocks subsequent login attempts made using an invalid user name for the specified number of seconds. If the username is valid, webMethods.io MFT ignores this setting.
Slow down hack attempt scans	Select this option to incrementally slow down responses to a client that appears to be a robot scanning for writable directories on your server by establishing an FTP connection. This setting doubles the response time of the server for each subsequent response to the client, thereby rendering such robots less effective. Selecting this option does not result in any extra load on the CPU.
Send email notification when IP is banned	Select this option to receive notifications on e-mail when an IP address is banned. Type the e-mail address in the following field.
IP restrictions	Click to add one or more IP addresses for which webMethods.io MFT can accept or deny connection requests and specify the following details: Select Allow or Deny from the list. Type the IP address range in the From and To boxes.

File-based encryption options

Field	Description
Activate	Select this option to activate the file-based encryption.
Public PGP key alias	Type or browse the certificate alias for the public PGP key.

File-based decryption options

Field	Description
Activate	Select this option to activate the file-based decryption.
Private PGP key alias	Type or browse the certificate alias for the private PGP key.

Protocol options

Field	Description
Welcome message	Type a welcome message for display in the client console (for example, webMethods.io MFT web client, FileZilla client, and so on) when a user logs in.
Download in binary	Select this option to download files only in binary mode. This prevents webMethods.io MFT from altering the line endings of the ASCII text files even if the FTP client requests it.
Upload in binary	Select this option to upload files only in binary mode.
Allow extended passive and port commands	Select this option to allow extended passive and port commands such as, Extended Passive Mode (EPSV) and Extended Data Port (EPRT). This ensures compatibility between the client and server. Note: Before you enable this option, ensure that your client supports these commands.
Disable MTDM notifications	Select this option to prevent users from modifying the timestamps of when a file was uploaded.
Delete partial uploads	Select this option to delete any incomplete file uploads.
ZIP compression level	Set the ZIP compression level according to your needs for file size and data transfer speed. Select one of the following options: None. No compression. Results in the largest file size of the three options, with the longest transfer time. Fast. Fastest compression. Performs little compression, but compression time is the fastest of the three options. Best. Maximum compression. Provides the smallest file size possible after compression, with the shortest transfer time, but requires more time to perform the compression compared to the other two options.

Click Save to update the server instance with the global settings.

Audit Settings

Configure logs to be recorded for all or specific assets through audit settings.

To configure audit settings

Go to Settings > Audit Settings.
Select the Enable audit logs option, and select either all or specific assets for which you want logs to be recorded. You must select at least one asset if you enable this option. Audit logs are disabled by default.
Click Save.

The logs for the selected assets are audited and appear in the Audit log page.

General Settings

Configuring webMethods.io MFT to Send Emails

Configure webMethods.io MFT to send emails in the following scenarios:

Configure email tasks for post-processing and scheduled actions.
To send emails when a new user is created.
To send an email when a user changes the password.

To configure the default email settings in the user interface

Go to Settings > General Settings.
In User email settings, select the Activate email alerts for user creation/update option.

Specify the details in User email settings. The following table lists the supported email fields:

Field	Description
From	Send email on behalf of the user.
Subject	Subject of the email.
Template for user email	Email template for the user creation alert. Configure the following server variables in your user email template: {firstName}: First name of the user. {lastName}: Last name of the user. {username}: User ID for the user. {password}: Password for the user. {serverList}: Listener URLs for the user.
Template for password email	Email template for the password creation alert. Configure the following server variables in your password email template: {firstName}: First name of the user. {lastName}: Last name of the user. {password}: Password for the user.
Template for password reset	Email template for the password reset alert. Configure the following server variables in your password reset email template: {firstName}: First name of the user. {lastName}: Last name of the user. {passwordResetLink}: Link for resetting the password. {expiryTimeStamp}: Time of expiry for the password reset link.

Click Save.

Note: The following two email alerts will be sent to the user when the user password is changed:
Email with the user ID and server details.
Email with the new password details.

To disable the automatic email alerts when you create a new user or update a user password

Go to Settings > General Settings.
In User email settings, clear the Activate email alerts for user creation/update checkbox.
Click Ok.

Note: You must be an administrator to disable the email alerts.

Password Settings

To configure the password complexity of partner users.

Go to Settings > General settings > Password settings, where the following aspects can be set:
- Minimum number of lower-case letters
- Minimum number of upper-case letters
- Minimum number of special characters
- Minimum number of numeric characters
- Minimum length of the password
Click Save.

These aspects are applied to all the instances and the restrictions apply to the following scenarios:

The password restrictions are honored while creating new partner users with Generate random password and Create new password options.
The password restrictions do not impact the already existing partner users.

Miscellaneous Settings

To configure time zone for date and time variables

Go to Settings > General settings > Miscellaneous settings.
Select a time zone from the drop-down list.
Click Save.

webMethods.io MFT applies the selected time zone to the date and time variables wherever applicable.

White Labeling

webMethods.io MFT webClient facilitates safe and secure file transfers with HTTPS protocol, and is accessible through the public domain.

Customize your webMethods.io MFT webClient theme as per your company branding, boost your brand visibility, and strengthen customer loyalty using While Labeling.

This feature facilitates you to configure your customized login and landing page header logo, title bar icon and copyright content. When you share the webClient URL with your customers, your company details and branding appear on the web page.

To customize the Login page

Log in to your tenant.
Go to Settings > White Labeling.
Click Custom to customize the following:
- Login page details such as company logo and copyright information.
- Landing page logo including the default and custom brand colors.
- Title bar favicon and header.
On the Login page,
- Click to upload new logo, browse through your local file system and upload the file.
  
  The preview automatically appears on the right side.
  
  Select Apply logo to landing page if the same look-and-feel has to be applied to the landing page.
  
  Logo resolution is limited to 800x200 pixels. The supported file types are: JPEG, JPG, and PNG. File size is limited to 200 KB.
- Provide Copyright content. Click Next to access Landing page settings.
  
  Copyright content is limited to 1000 characters. The following HTML tag specific symbols are not supported:
  
  ', ", &, <, >
On the Landing page, select the following:
- Click to upload new logo button and browse through your local file system to update the landing page logo.
  
  When your users login to the webClient, the first page they arrive at is the landing page.
  
  Logo resolution is limited to 800x200 pixels. The supported file types are: JPEG, JPG, and PNG. File size is limited to 200 KB.
- Select a custom color scheme for the header logo from the available options, and click Next.
Title header and favicon: Provide a page title and title icon. Click Save.

This page allows your users to update the title header and the favicon. Favicon resolution is limited to 150x150 pixels. The supported file type is ICO. File size is limited to 200 KB. Title header is limited to 60 characters and does not support these characters:

', ", &, <, >
Click Save.

These changes take effect immediately for the users accessing the webClient.

Azure Active Directory

You can configure Integration Server based Common Directory Services (CDS) in webMethods.io MFT. Apart from CDS, webMethods.io MFT also supports Azure Active Directory (AD) as an external directory service using Microsoft graph library.

Before you Begin

webMethods.io MFT user name is the Principal Name in Azure AD.
Azure AD user login fails, if the Active toggle button is disabled.

Basic Flow

To enable Azure AD user management:

Go to Azure console and register webMethods.io MFT as an application. Copy the following information provided by Azure console during the registration process:
- Tenant ID
- Client ID
- Client secret
- Configuration URL
Log in to your tenant.
Go to Settings > User directory. Click Active under Azure active directory, paste the details copied from Azure console in the relevant fields. Click Test Connection, verify the connection and click Save.

Next Steps

Azure AD users appear automatically in all user and group related sections. Azure AD users cannot be updated or created from webMethods.io MFT, they can only be viewed.
Azure AD implementation provides access to partner users only, and these users do not have access to webMethods.io MFT user interface. Partner user permissions provided in the UI permissions section are therefore not applicable to Azure AD users.