5 1 0:Disabling unsecure transport modes



Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


To protect your data traffic against theft and other threats it is highly recommended to use the HTTPS protocol for transferring data over the network.

SEP sesam now supports the HTTPS protocol for all control commands and network traffic. The HTTP and FTP interfaces can be switched off so that all data traffic is performed over HTTPS interfaces.

Before you can disable HTTP and FTP interfaces, make sure to check existing tasks and events (backups, restores or migrations) and move them to HTTPS interfaces if necessary. You cannot remove an interface that is still in use.

Note
On Windows systems with a CPU that does not support AVX, the Sesam Transfer Protocol Server (STPD) automatically disables the HTTPS port. Consequently, the TLS key and certificate cannot be created. For more information refer to Known issues and limitations in version 5.0.0 Jaglion.

Deactivating the unsecure interfaces

To deactivate the HTTP and FTP interfaces and move the traffic to HTTPS, you need to disable the ports on the SEP sesam Server and all RDS and then remove the interfaces in SEP sesam configuration.

Disable the HTTP and FTP ports

  1. Locate the <sesam_var>/ini/stpd.ini file on the SEP sesam Server and on each RDS.
  2. Open the stpd.ini file using a text editor and comment out the unsecure ports (add the # symbol at the beginning of the row):
    [STPD_Server]
    # STPD_PORT=11001
    # STPD_HTTP_PORT=11000
    STPD_HTTPS_PORT=11443
    
    Only HTTPS port 11443 remains active.
  3. Save your changes and restart the server for the changes to take effect.
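
A check for the result of the steps above, as an added example that is not part of the SEP sesam documentation: the script reports any unsecure port that is still active in the [STPD_Server] section of a stpd.ini file. The function names and the sample files are constructed for illustration, and it assumes # is the only comment marker, as in the excerpt above.

```shell
#!/bin/sh
# Added example: audit stpd.ini for active unsecure STPD ports.
# Key names are the ones shown in the stpd.ini excerpt above; only "#" is
# treated as a comment marker (assumption based on that excerpt).

# Print each active (not commented out) KEY=VALUE line of [STPD_Server].
stpd_active_keys() {
    awk '
        { sub(/\r$/, "") }                     # tolerate CRLF files from Windows hosts
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[STPD_Server\][ \t]*$/); next }
        !in_sec || /^[ \t]*#/ { next }         # other sections and comment lines
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ { gsub(/[ \t]/, ""); print }
    ' "$1"
}

# Return 0 when only the HTTPS port is active, 1 otherwise, 2 if unreadable.
audit_stpd_ini() {
    keys=$(stpd_active_keys "$1") || return 2
    rc=0
    for k in STPD_PORT STPD_HTTP_PORT; do
        if printf '%s\n' "$keys" | grep -q "^$k="; then
            echo "FAIL $1: $k is still active"; rc=1
        fi
    done
    if ! printf '%s\n' "$keys" | grep -q '^STPD_HTTPS_PORT=[0-9][0-9]*$'; then
        echo "FAIL $1: STPD_HTTPS_PORT is not active"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $1: only STPD_HTTPS_PORT is active"; fi
    return "$rc"
}

# Constructed sample files (not taken from a real installation).
demo=$(mktemp -d)
printf '[STPD_Server]\n# STPD_PORT=11001\n# STPD_HTTP_PORT=11000\nSTPD_HTTPS_PORT=11443\n' > "$demo/hardened.ini"
printf '[STPD_Server]\nSTPD_PORT=11001\n#STPD_HTTP_PORT=11000\nSTPD_HTTPS_PORT=11443\n' > "$demo/partial.ini"
audit_stpd_ini "$demo/hardened.ini" || true
audit_stpd_ini "$demo/partial.ini" || true
rm -rf "$demo"
```

Run audit_stpd_ini against <sesam_var>/ini/stpd.ini on the SEP sesam Server and on each RDS; a non-zero exit status means the file still needs editing.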

Remove the HTTP and FTP interfaces

On SEP sesam Server and all RDS you can remove all unsecure interfaces that use HTTP or FTP protocols.

  1. In the Main selection -> Components -> Topology, locate and right-click your SEP sesam Server and select Properties.
  2. In the list of configured interfaces delete the unsecure interfaces you no longer want to use.
  3. Click Apply to save the changes.
  4. Repeat this procedure also for all RDS as required.

If an existing task or event (backup, restore or migration) still uses the interface you want to remove, a warning is displayed and SEP sesam does not delete the interface.

In this case, find the task or event that uses this interface and switch it to a secure interface. You can also empty the Interface field (select the blank value) to use any of the available interfaces configured on the SEP sesam Server.

Setting HTTPS as default when aborting active data transfer

By default, SEP sesam always aborts data transfer (backup, restore, migration) over FTP. When you disable the port 11001, which is used for FTP traffic, these commands no longer work. You can set a global variable to use the HTTPS transport mode to abort an active data transfer.

You can set HTTPS as default by adding (or modifying) the following key in the global settings in the Web UI:

  1. In the navigation menu, click System Configuration -> System Settings.
  2. Click [+ New] to add the following key to the global settings (or modify the key value, if it already exists):
    gv_conf_use_com_stpd_kill|sesam|https
    where value=https means that the HTTPS protocol is used for aborting active data transfers and sesam is the user name.


See also

Configuring SSL Secured Communication for SEP sesam Backup Network - Ransomware Protection Best Practices - Backup Strategy Best Practices

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.