Security

Faspex Accounts

Configuration Option	Description
Session timeout	Sessions will timeout after the specified number of minutes of inactivity.
Deactivate users	Deactivate the user account when login attempts fail under the specified circumstance. Note that deactivated Directory Service (DS) users will be reactivated on a subsequent sync with the DS server.
Prevent concurrent login (checkbox)	If enabled, users can only be logged in from one client at a time.
Use strong passwords (checkbox)	If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Note that existing passwords will remain valid. Administrators may also change the strong password criteria by editing the faspex.yml file, which is located in the following directory: /opt/aspera/faspex/config/faspex.yml Inside faspex.yml, paste the following (where `StrongPasswordRegex` is the password criteria as a regular expression and `StrongPasswordRequirements` is the description that appears to the user underneath the field): StrongPasswordRegex: (?=.[A-Z])(?=.(\d\|\W\|_)).{7,} StrongPasswordRequirements: "Password must meet this criteria..."
Keep user directory private (Yes/No)	When set to Yes, prevents a Faspex user (even if they have permissions to send to all Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions. IMPORTANT NOTE: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Faspex users via the Workgroup Members page.

Registrations

Configuration Option	Description
Self registration	Determines if non-users can create or request user accounts. Choose between none (not allowed), moderated (an administrator must approve the account before it is created), and unmoderated (once a user registers, his or her account will be automatically created). If you allow self-registration, the moderated setting is recommeded for security. SECURITY WARNING: If self-registration is enabled, then it could be utilized to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, then you will receive a prompt stating that the user already exists. After a user self-registers (either moderated or unmoderated), his or her account will inherit the permissions of the configured template user and will automatically become members of designated workgroup(s). To configure the template user, go to Accounts > Pending Registrations > template user . To set the workgroups that newly created users will join, click the workgroups link. Although self-registered users are not allowed to send packages to other self-registered users, by default, you can modify this setting by checkmarking the Self-registered users can send to one another checkbox. IMPORTANT NOTE: To prevent a self-registered account from having the same email address as a full Faspex user, Administrators can add a special option to faspex.yml. You will find faspex.yml in the following directory: /opt/aspera/faspex/config/faspex.yml Inside faspex.yml, within the "Production:" section, paste the following option and set it to `true`: EnforceSelfRegisteredUserEmailUniqueness: true
Terms of service	(Optional) If text is set, then users will be required to accept the statement in order to create an account.
Notify the following emails to approve	This field appears when moderated is selected, above. Input one or more email addresses to notify for moderation. Note that these email addresses are not validated against existing Faspex administrators and/or managers.
Self-registered users can send to one another	When checked, self-registered users will be allowed to send packages to other self-registered users.

MODERATED SELF-REGISTRATION NOTE: If users are allowed to self-register, then they will see a Request an account link on the login page. After a user clicks this link and completes the form, then you (as the administrator) will be prompted under Accounts > Pending Registrations > Actions to Approve or Deny his or her account.

Outside email addresses

Configuration Option	Description
Allow inviting external senders (checkbox)	When enabled, external senders (those who do not have Faspex accounts) can be invited to send a package. An Administrator can enable/disable this feature for specific users from the Accounts > [Username] page, while still retaining the server-wide setting of enabled or disabled. Please refer to Create a New Faspex User for details on this user setting.
Allow public URL	A Public URL can be used by external senders to submit packages to both registered Faspex users and dropboxes. The benefit of using a Public URL is in the time-savings, such that external senders no longer need to be individually invited to submit a package (although that functionality still exists). When a Public URL is enabled and posted to a an email, instant message, website, etc., the following workflow occurs: The external sender clicks the Public URL (which could be for either a dropbox or a registered Faspex user). The sender is directed to page where he or she is asked to input and submit an email address. A private URL is automatically emailed to the sender. The sender clicks the private URL and is automatically redirected to a dropbox or Faspex-user package submission page. Once the package is submitted through the private URL, the dropbox or Faspex user receives it. Thus, when the field Allow public URL is enabled (e.g. set to `Allow`), the Public URL feature is turned on for all Faspex dropboxes and registered users. If the Allow dropboxes to individually enable/disable their own public URLs checkbox is enabled as well, then individual dropboxes can override the server setting and turn off this feature. Individual Faspex users, on the other hand, can override the Public URL server setting for their own accounts by going to Preferences > Misc > Enable public URL and disabling the checkbox. IMPORTANT NOTE: An Administrator can enable/disable the Public URL feature for specific users from the Accounts > [Username] page, while still retaining the server-wide setting of enabled or disabled. Please refer to Create a New Faspex User for details on this user setting.
Allow sending to external email addresses (checkbox)	Faspex packages can be sent to people who do not have Faspex accounts. When set to `Allow`, all Faspex users will be able to send to external email addresses, by default. When set to `Deny`, you must enable this behavior within each individual user account (by checking the option for Sending to external email in their account settings). Please refer to Create a New Faspex User for details on this user setting.
Package link expires (checkbox and text field)	When enabled, the package link will expire after the specified number of days.
Expire after full package download (checkbox)	If this checkbox is enabled, the package link will expire after one (1) download (which applies when the link is forwarded, as well). After the first download, the file(s) must be resent in a new package--via the Faspex Server--for the recipient to be able to download them again.

Encryption

Configuration Option	Description
Encrypt transfers (checkbox)	Enable this checkbox to encrypt your transfers (AES-128). If enabled, HTTP fallback transfers will also be encrypted.
Use Encryption-at-Rest (EAR) (radio buttons and checkbox)	Always: Always use EAR. When enabled, users will be required, on upload, to enter a password to encrypt the files on the server. Subsequently, recipients will be required to enter the password to decrypt protected files as they are being downloaded. Note that if a user elects to keep downloaded files encrypted, then they do not need to enter a password until they attempt to decrypt the files locally. This feature is not fully enforced unless the Faspex Server Administrator also updates the aspera.conf configuration file (which is not automatically modified by Faspex). The Administrator may update aspera.conf manually, as well as using the Aspera Enterprise Server GUI. For additional information, please refer to Note on Encryption at Rest. Never: (this is the default for new installations) Do not use EAR Optional: User may choose at send time whether to encrypt or not Allow dropboxes to have their own encryption settings: (off is the default for new installations) If this global setting is unchecked, you cannot set EAR for individual dropboxes. If checked, you can adjust EAR settings for each dropbox. Please see Create and Manage Dropboxes for details.

Configuration Option

Description

Encrypt transfers (checkbox)

Enable this checkbox to encrypt your transfers (AES-128). If enabled, HTTP fallback transfers will also be encrypted.

Use Encryption-at-Rest (EAR) (radio buttons and checkbox)

Always: Always use EAR. When enabled, users will be required, on upload, to enter a password to encrypt the files on the server. Subsequently, recipients will be required to enter the password to decrypt protected files as they are being downloaded. Note that if a user elects to keep downloaded files encrypted, then they do not need to enter a password until they attempt to decrypt the files locally. This feature is not fully enforced unless the Faspex Server Administrator also updates the aspera.conf configuration file (which is not automatically modified by Faspex). The Administrator may update aspera.conf manually, as well as using the Aspera Enterprise Server GUI. For additional information, please refer to Note on Encryption at Rest.
Never: (this is the default for new installations) Do not use EAR
Optional: User may choose at send time whether to encrypt or not
Allow dropboxes to have their own encryption settings: (off is the default for new installations) If this global setting is unchecked, you cannot set EAR for individual dropboxes. If checked, you can adjust EAR settings for each dropbox. Please see Create and Manage Dropboxes for details.

Product

Version

Revision

Security

Faspex Accounts

Registrations

Outside email addresses

Encryption