Securing Faspex

Modify security settings for Faspex user accounts, self-registration, external senders and encryption. Go to Server > Configuration > Security to view or modify your server's security settings for Faspex user accounts, self-registration, external senders, and encryption.

Configuration Option | Description |
---|---|
Session timeout | Sessions time out after the specified number of minutes of inactivity. |
Lock users | Lock the user account when login attempts fail under the specified circumstance or after a specified number of days of inactivity. |
Remove users | Remove users after a specified number of days of inactivity. |
Prevent concurrent login | If enabled, users can only be logged in from one client at a time. |
Passwords expire | When global password expiration is activated, all users with default password policies are updated with a password expiration date specified by the password expiration interval. Admins can override this global policy in a user's account settings. See Configure User Settings. Note: If password expiration is already active when you change the password expiration interval, each user's password expiration date does not change until that user's next password change. |
Prevent password reuse | Prevent users from reusing passwords. Enter the number of previous passwords users cannot reuse. |
Use strong passwords | If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Existing passwords remain valid. Admins may also change the strong password criteria by editing the faspex.yml file, which is located in the following directory: `/opt/aspera/faspex/config/faspex.yml`. Inside faspex.yml, paste the following code (where StrongPasswordRegex is the password criteria as a regular expression and StrongPasswordRequirements is the description that appears to the user underneath the field): `StrongPasswordRegex: (?=.*[A-Z])(?=.*(\d|\W|_)).{7,}` and `StrongPasswordRequirements: "Password must meet this criteria..."`. For more information on faspex.yml, see Configuring Faspex with faspex.yml. |
Require new users to change password on first login | If this feature is enabled, new users must enter a new password when they first log in. |
Allow locked out users to unlock themselves | If this feature is enabled, locked out users can select the Forgot my password button to have a password reset email sent to them. Using the link, they can reset their email and log in. |
Keep user directory private | When set to Yes, prevents a Faspex user (even if they have permissions to send to all Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions. Important: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Faspex users via the Workgroup Members page. |
Users can see global distribution lists by default | Select to give all users access to the global distribution lists. If this option is disabled, admins must configure a user's settings to grant access to global distribution lists. |
Ignore invalid recipients | Prevent a package from failing to send even when addressed to invalid recipients. Faspex skips any invalid user and delivers the package to all valid recipients in the list. |
Allow users to change their email address | Enable users to change their own email addresses in their account preferences (see Configure Personal Account Preferences). If this feature is disabled, only admins can change a user's email address. |
Send welcome email to all new users | Faspex sends a welcome email to all users. This welcome email includes a link to download Aspera products, a password reset link, and a link to log in to Faspex. Note: The password reset link expires after one week. |

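A pre-deployment check for a custom StrongPasswordRegex, as an added example that is not part of the Faspex documentation: it loads the pattern from a constructed faspex.yml fragment and lists the sample passwords whose accept/reject result differs from the policy the admin intends. The sample passwords, the intended policy, the helper names `load_policy` and `policy_gaps`, and evaluating the pattern as an unanchored Ruby regular expression are assumptions.

```ruby
require 'yaml'

# Constructed faspex.yml fragment holding the two keys shown on this page.
# Where the keys sit inside a real faspex.yml is not shown here.
FASPEX_YML = <<~'YAML'
  StrongPasswordRegex: (?=.*[A-Z])(?=.*(\d|\W|_)).{7,}
  StrongPasswordRequirements: "Password must meet this criteria..."
YAML

# Constructed passwords => whether the intended policy should accept them.
# Intended policy (assumed for this example): at least one letter, one number,
# one symbol, and at least 7 characters.
EXPECTATIONS = {
  'Tr4nsfer!now' => true,   # letter, number, symbol
  'Abcdefg1'     => false,  # no symbol
  'ABCDEFG_'     => false,  # no number
  'abcdef1!'     => true,   # lowercase letters, number, symbol
  'Ab1!'         => false   # only 4 characters
}.freeze

# Parse the YAML text and compile the pattern; raises on a missing key,
# malformed YAML, or an invalid regular expression.
def load_policy(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  unless cfg.is_a?(Hash) && cfg['StrongPasswordRegex']
    raise ArgumentError, 'StrongPasswordRegex missing'
  end
  Regexp.new(cfg['StrongPasswordRegex'].to_s)
end

# Return every candidate whose actual result differs from the expected one.
def policy_gaps(regex, expectations)
  expectations.each_with_object([]) do |(password, expected), gaps|
    actual = regex.match?(password)
    gaps << { password: password, expected: expected, actual: actual } if actual != expected
  end
end

if __FILE__ == $PROGRAM_NAME
  gaps = policy_gaps(load_policy(FASPEX_YML), EXPECTATIONS)
  gaps.each do |g|
    puts format('%-14s expected=%-5s actual=%s', g[:password], g[:expected], g[:actual])
  end
  puts gaps.empty? ? 'pattern matches the intended policy' : "#{gaps.size} mismatch(es)"
end
```

With the pattern from this page, the check reports three mismatches: the pattern requires an uppercase letter and accepts a number or a symbol in place of both, so it is not equivalent to the default "one letter, one number and one symbol" rule.
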
Configuration Option | Description |
---|---|
Self-registration | Choose whether non-users can create or request user accounts. Warning: If self-registration is enabled, it can be used to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, you receive a prompt stating that the user already exists. After a user self-registers (either moderated or unmoderated), his or her account inherits the permissions of the configured template user and automatically becomes a member of designated workgroups. To configure the template user, go to Accounts > Pending Registrations and select the user. To set the workgroups that newly created users join, click the workgroups link. Although self-registered users are, by default, not allowed to send packages to other self-registered users, you can modify this setting by selecting Self-registered users can send to one another. Important: To prevent a self-registered account from having the same email address as a full Faspex user, admins can add a special option to faspex.yml. You can find faspex.yml in the following directory: `/opt/aspera/faspex/config/faspex.yml`. Inside faspex.yml, within the "Production:" section, paste the following option and set it to "true": `EnforceSelfRegisteredUserEmailUniqueness: true` |
Terms of service | Enter a statement that users are required to accept in order to self register an account. If you do not enter a statement, users are not required to accept terms of service to create an account. |
Notify the following emails to approve | This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers. |
Require external users to register | Select to force external users to register a Faspex account to download packages sent to them. External users register with the same process as self-registered users. For more information about requesting accounts, see Requesting an Account. Note: You must first allow users to send packages to external email addresses by selecting the Allow sending to external email addresses option. For more information, see the description for that option below. |
Use default registration policy for external users | Select this option to use the same registration policy you chose for self-registration for external users registering accounts. Note: This option appears when you select Require external users to register. You must choose a registration policy for self-registration to select this option. |
Registration policy for external users | If you do not use the default registration policy, choose either Moderated or Unmoderated. |
Terms of service for external users | Enter a statement that external users are required to accept in order to create an account. If you do not enter a statement, users are not required to accept terms of service to create an account. |
Notify the following emails to approve external users | This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers. |
Self-registered users can send to one another | Select to allow self-registered users to send packages to other self-registered users. Note: Self-registered users must have permission to send to all Faspex users. If a self-registered user does not have permission to send to all Faspex users, the Self-registered users can send to one another option has no effect. For more information on giving a user permission to send to all Faspex users, see Configure User Settings. |

Configuration Option | Description |
---|---|
Allow inviting external senders | When Allow inviting external senders is selected, external senders (those who do not have Faspex accounts) can be invited to send a package to a user. Important: An admin can enable or disable this feature for specific users while still retaining the server-wide setting of enabled or disabled. Go to Accounts and select the user to enable or disable this feature. For more information on this setting, see Configure User Settings. |
Allow public URL | Allow a user to send a Public URL to users without Faspex accounts. These external users can submit packages to registered Faspex users through this public URL. For more information about Public URLs, see Configuring Public URLs. Select Allow public submission URLs to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting. |
Allow sending to external email addresses | Select Allow sending to external email addresses to enable all Faspex users to send packages to external email addresses. This feature is enabled by default. Select Allow sending to external email addresses to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting. |
Package link expires | This field appears when you select Allow sending to external email addresses. When enabled, the package link expires after the specified number of days. |
Expire after full package download | This field appears when you select Allow sending to external email addresses. If this checkbox is enabled, the package link expires after one download. This is also applicable when the link is forwarded. After the first download, the files must be re-sent in a new package through Faspex for the recipient to be able to download them again. |

Configuration Options | Description |
---|---|
Encrypt transfers | Select to encrypt all transfers with the AES-128 encryption method. HTTP fallback transfers are also encrypted. |
Use encryption-at-rest | Encryption-at-Rest (EAR) requires users, on upload, to enter a password to encrypt the files on the server. Package recipients are required to enter the encryption password to decrypt protected files as they are being downloaded. If a user chooses to keep downloaded files encrypted, they are not required to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect Browser Plug-in. Note: This EAR setting only applies to transfers initiated through Faspex. Transfers initiated using ascp from the command line or the Enterprise Server GUI are not encrypted unless configured in the aspera.conf file. For more information on encrypting ascp transfers, see the IBM Aspera Enterprise Server Admin Guide. |
Allow dropboxes to have their own encryption settings | Select to allow admins to adjust Encryption-at-Rest settings for each dropbox. For more information on creating and configuring dropboxes, see Creating a Dropbox. |