Configure a Secure Aspera Faspex

Configure Aspera® Faspex™ settings to ensure a secure server.

Aspera strongly recommends configuring your Aspera Faspex Server settings to ensure that your data remains secure. Aspera recommends the following security configuration steps for Aspera Faspex Server:

  1. Secure Aspera Enterprise Server™ by doing the following:
    • Secure an SSH server.
    • Configure a firewall.
    • Set up SSL for nodes.

    For details on how to perform these tasks, see http://downloads.asperasoft.com/en/documentation/1.

  2. For all Administrator accounts (existing and new), disallow login attempts from unknown IP addresses.

    To update your Admin user permissions, go to Accounts and click the corresponding login name(s).

    Admin User Account.

    Within the Edit User screen, scroll down to the Permissions section and update the Allowed IP addresses for login field (input specific office, home, etc. IP addresses). Be sure to click "Save" at the bottom of the page to retain your settings. Perform the same actions when adding new admin users.

    Set IP Login Permissions.

    Important:

    Aspera Faspex administrators have the ability to execute post-processing scripts on the server. In the event that an Administrative account is compromised, this capability can be a serious threat to your server's security. As such, Aspera strongly recommends that you update your Administrative user(s)' permissions in order to prevent unauthorized users from executing post-processing on your Aspera Faspex server.

  3. Update the Incoming Transfers and Outgoing Transfers global Authorization settings for your installation of Aspera Enterprise Server™ or Aspera Connect Server™ (either through the GUI or by editing aspera.conf).

    Launch Aspera Enterprise Server via asperascp, and then select the "Configuration" button, "Global" tab, and lastly, the Authorization tab.

    Override the global, default setting of "allow" for both Incoming Transfers and Outgoing Transfers, and change both settings to "deny." You can then set transfer permissions on an individual user basis via the Users tab.

    Set Transfers to Deny in ES (linux).

    You can also modify the Incoming Transfers and Outgoing Transfers global Authorization settings within the aspera.conf file, which is located in /opt/aspera/etc/:
    <default>
    ...
    <authorization>
       <transfer>
          <in>
             <value>deny</value>       <!-- Incoming Transfer -->
          </in>
          <out>
             <value>deny</value>       <!-- Outgoing Transfer -->
          </out>
       </transfer>
    ...	  
    </authorization>
    ...
    </default>

  4. (Complete this step if your system is a dedicated Aspera Faspex Server and is not performing transfers with Aspera Enterprise Server or Aspera Connect Server.) Only allow user "faspex" within Aspera Enterprise Server.

    Launch Aspera Enterprise Server via asperascp, and then select the "Configuration" button and "Users" tab. Ensure that faspex is the only user listed.

    You can verify the faspex user and corresponding settings within the aspera.conf file, which is located in /opt/aspera/etc/:
    <aaa>
    <realms>
    <realm>
    <users>
       <user>
          <name>faspex</name>
          <authorization>
             <transfer>
                <in>
                   <value>token</value>
                </in>
                <out>
                   <value>token</value>
                </out>
             </transfer>
             <token>
                <encryption_key>CRYPTOGRAPHIC_STRONG_RANDOM_STRING</encryption_key>
             </token>
          </authorization>
          <file_system>
             <access>
                <paths>
                   <path>
                      <absolute>E:\faspex_packages</absolute>
                      <read_allowed>false</read_allowed>
                      <dir_allowed>false</dir_allowed>
                      <write_allowed>false</write_allowed>
                   </path>
                </paths>
             </access>
          </file_system>
       </user>
    </users>
    </realm>
    </realms>
    </aaa>
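
One way to check steps 3 and 4 against an aspera.conf, as an added example (not Aspera tooling and not code from this page): the script parses the XML and reports every deviation from the settings shown above. The sample input is constructed; its `<CONF>` wrapper root, the function names, and the treatment of the literal `CRYPTOGRAPHIC_STRONG_RANDOM_STRING` as an unfilled placeholder are assumptions.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER_KEY = "CRYPTOGRAPHIC_STRONG_RANDOM_STRING"  # literal shown in the snippet above

def _text(node, path):
    """Stripped text of the element at path under node, or None if absent/empty."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else None

def audit_aspera_conf(xml_text):
    """Return a list of findings; an empty list means steps 3 and 4 both hold."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 3: the global default must deny transfers in both directions.
    for direction in ("in", "out"):
        value = _text(root, f".//default/authorization/transfer/{direction}/value")
        if value != "deny":
            findings.append(f"default transfer/{direction} is {value!r}, expected 'deny'")
    # Step 4 (dedicated Faspex server): faspex is the only user and uses tokens.
    users = root.findall(".//aaa/realms/realm/users/user")
    names = [_text(user, "name") for user in users]
    if names != ["faspex"]:
        findings.append(f"users are {names}, expected only ['faspex']")
    for user in (u for u in users if _text(u, "name") == "faspex"):
        for direction in ("in", "out"):
            value = _text(user, f"authorization/transfer/{direction}/value")
            if value != "token":
                findings.append(f"faspex transfer/{direction} is {value!r}, expected 'token'")
        key = _text(user, "authorization/token/encryption_key")
        if not key or key == PLACEHOLDER_KEY:
            findings.append("faspex encryption_key is missing or still the placeholder")
    return findings

def sample_conf(default_in="deny", key="constructed-example-key", extra_user=""):
    """Constructed sample input; the <CONF> wrapper root is an assumption."""
    return f"""<CONF><default><authorization><transfer>
      <in><value>{default_in}</value></in><out><value>deny</value></out>
    </transfer></authorization></default>
    <aaa><realms><realm><users>
      <user><name>faspex</name><authorization>
        <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
        <token><encryption_key>{key}</encryption_key></token>
      </authorization></user>{extra_user}
    </users></realm></realms></aaa></CONF>"""

if __name__ == "__main__":
    for finding in audit_aspera_conf(sample_conf(default_in="allow")) or ["OK"]:
        print(finding)
```

To audit a real server, pass the contents of the aspera.conf under /opt/aspera/etc/ to `audit_aspera_conf`; skip the step 4 findings if the host is not a dedicated Faspex server.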