Setting Connection Preferences

Connection preferences define how Users connect to your Domain services.

 

Example: You can limit the maximum file upload size or disable a User after a specified number of failed login attempts.

 

Connection preferences are set in [Domain] > SERVICES > Connections. The preferences are applied to Users as they connect to the MFT Server.

 

The settings apply to all file transfer protocols including AS2, FTP/S, SFTP/SCP, HTTP/S, WebDAV, and AFTP. The image below depicts the preferences you can set.

 

[Image: connection preferences]

 

Below is a description of the Connections fields. Select an option to enable it, then set the desired value or values.

 

Max concurrent connections — Identifies the maximum number of concurrent connections allowed.  

 

Max connections/IP — Identifies the maximum number of active connections from a single client IP address.

 

Max connections/user — Identifies the maximum number of active connections from a single user.

 

Max downloads/session — Identifies the maximum downloads per client session.

 

Max uploads/session — Identifies the maximum number of uploads allowed per client session.

 

Max file download size — Identifies the maximum file download size in bytes, KiB, MiB, or GiB.

 

Max file upload size — Identifies the maximum file upload size in bytes, KiB, MiB, or GiB.

 

Max downloads — Identifies a download quota for the Domain that is reset every N days.  If the download quota is exceeded, no further downloads are allowed until the download quota is reset. Quota options are specified in bytes, KiB, MiB, or GiB.

 

Max uploads — Identifies an upload quota for the Domain that is reset every N days.  If the upload quota is exceeded, no further uploads are allowed until the upload quota is reset. Quota options are specified in bytes, KiB, MiB, or GiB.

 

Max transfers — Identifies a transfer quota for the Domain that is reset every N days.  If the transfer quota is exceeded, no further file transfers are allowed until the transfer quota is reset.  Transfers are the combined sum of uploads and downloads. Quota options are specified in bytes, KiB, MiB, or GiB.

 

Max transfer rate — Identifies the maximum transfer rate for the entire Domain. This limit applies to the aggregate of all connections for a given Domain, regardless of protocol. This value is set in KiBps, MiBps, or GiBps.

 

Disable user after X invalid password attempts in Y minutes for Z minutes — Disables the account for a specified period of time if too many login attempts fail within a certain timeframe. See the Setting IP based access section, which describes how you can override the disable feature for a user based on their IP address.

 

Disable IP after X invalid password attempts in Y minutes for Z minutes — Blocks the IP from further access for a specified period of time if too many login attempts fail within a certain timeframe. See the Setting IP based access section, which describes how you can override the disable feature for your chosen IP addresses.

 

Flag IP after X invalid password attempts in Y minutes for Z minutes — Flags the IP for a specified period of time if too many login attempts fail within a certain timeframe.

 

Note: Flagging an IP has no effect on the user's ability to connect. However, it will raise an IP-tagged trigger event type, which is intended primarily for integrating with other applications, such as MFT Gateway. See How to Block IP addresses when using MFT Gateway below for more details.

 

Disable IP after X concurrent connections for Y minutes — Disables an IP address for a specified timeframe if too many concurrent connections occur, which might indicate a denial-of-service attack. If an IP is blocked or disabled, an IP Blocked Trigger event type is raised, and all connections from the offending IP are closed. See Setting IP based access, which describes how you can override the disable feature for IP addresses of your choosing.

 

Flag IP after X concurrent connections for Y minutes — Flags an IP address for a specified timeframe if too many concurrent connections occur. If an IP is flagged, an IP Flagged Trigger event type is raised.

 

Note: To take action if an IP Flagged event or IP Blocked event occurs, you must configure a Trigger to listen for the events (one Trigger per event). Each Trigger will consist of one or more Trigger Actions. The Actions specify what to do if the event occurs (e.g., email an MFT Server Admin). See Triggers for more information.

 

Close connection after — Closes a connection after a specified number of invalid authentication attempts is reached.

 

How to Block IP addresses when using MFT Gateway

 

If your MFT Server is deployed behind a NAT or reverse proxy like MFT Gateway, the source address of every incoming connection is the IP address of MFT Gateway. Disabling IP addresses would therefore block the Gateway's IP address and, consequently, all Users (including legitimate ones) who wish to connect to MFT Server. However, you can still disable the IP address of a user by following the steps below.

 

First, select Flag IP after... instead of Disable IP after.... This will result in the flagging of the suspicious IP. See the image above to locate the described fields.

 

Next, create a Trigger (see Triggers) and select Parameters > Event type > IP Flagged from the dropdown list.

 

 

Next, add a Trigger Action. Select Gateway Block IP as the Action type. The Add "Gateway Block IP" Action dialog displays.

 

 

The Connection identifies the MFT Gateway system, and the Credentials identify the administrative Username and Password that have rights to access the MFT Gateway application.

 

Next, use the variables associated with the IP Flagged Event type to populate the Client IP, Client Port, Server IP and Server Port fields. Save the Action and connect it to the Workflow node. Save the Trigger.

 

If a User makes too many invalid login attempts, the IP Flagged Trigger event occurs, and the Action in the Trigger will execute (provided Conditions are met, if any are set). The Action blocks the user's IP address on the MFT Gateway instance. When this happens, a record is appended to [Domain] > AUDIT > Logging > Running, stating something like this: ...client IP <Ip address> has been blocked on the Gateway.

 

Additionally, when accessing the MFT Gateway Manager UI, the IP Access module includes an access denied record for the specified IP address.
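
The following model illustrates why Disable IP locks out every User behind MFT Gateway while Flag IP only raises an event for a Trigger to act on. It is an added example, not the product's code. The class and function names, the gateway address and the sample traffic are constructed, and counting failures over a sliding Y-minute window is an assumption about how the threshold is evaluated.

```python
from collections import defaultdict, deque

class AttemptRule:
    """'<action> IP after X invalid password attempts in Y minutes for Z minutes'."""

    def __init__(self, action, x, y_minutes, z_minutes):
        self.action, self.x = action, x            # action: "disable" or "flag"
        self.window, self.hold = y_minutes * 60, z_minutes * 60
        self.failures = defaultdict(deque)  # source IP -> times of recent failures
        self.until = {}                     # source IP -> when the disable/flag ends

    def in_effect(self, ip, now):
        return self.until.get(ip, 0) > now

    def allows(self, ip, now):
        # Only "disable" refuses connections; a flag never does.
        return not (self.action == "disable" and self.in_effect(ip, now))

    def failed_login(self, ip, now):
        """Count one failure; return the event raised, or None."""
        recent = self.failures[ip]
        recent.append(now)
        # Assumption: a sliding window, so failures older than Y minutes are forgotten.
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.x or self.in_effect(ip, now):
            return None
        self.until[ip] = now + self.hold
        recent.clear()
        return "IP Blocked" if self.action == "disable" else "IP Flagged"

GATEWAY = "10.0.0.5"  # constructed: the only source address the server sees

def replay(rule, attempts):
    """attempts: (seconds, who, password_ok), all arriving via GATEWAY."""
    outcomes, events = [], []
    for now, who, ok in attempts:
        if not rule.allows(GATEWAY, now):
            outcomes.append((who, "refused"))
            continue
        outcomes.append((who, "ok" if ok else "failed"))
        event = None if ok else rule.failed_login(GATEWAY, now)
        if event:
            events.append((now, event))
    return outcomes, events

# Constructed traffic: three bad guesses in 20 s, then a legitimate login at 60 s.
TRAFFIC = [(0, "guesser", False), (10, "guesser", False),
           (20, "guesser", False), (60, "alice", True)]
```

Replaying TRAFFIC through a "disable" rule refuses alice, because the rule disabled the Gateway's address; the same traffic through a "flag" rule lets her in and leaves an IP Flagged event for the Trigger to pass to the Gateway.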