Backing up Cisco Unified Communications Manager through SFTP

Backing up and Restoring CUCM

 

The Cisco Unified Communications Manager (CUCM) is in use at many organisations to integrate data, voice and video applications.  It’s a nice product which provides a good balance between security and functionality.

As is often the case however, this sort of product very quickly becomes a critical piece of the infrastructure and consequently needs to be treated as such.  It’s therefore important to ensure that the configuration is routinely backed up in a secure fashion in order to recover your system should the need arise.

CUCM allows you to back up the configuration to a location on your network; because the backup contains credentials, it requires that you transfer it using a secure mechanism – SFTP.

Any file transfer server that provides the SFTP protocol is fine to use. Some file transfer vendors even publish simple guides on how to configure their specific software, but the steps to a successful implementation are straightforward.

CUCM Backup: SFTP Server Configuration

 

  1. Create an account on the SFTP server that you will use to receive the backup and set up a folder for it.
  2. You must create a user that has the ability to connect using just a password. Even though CUCM allows the use of SFTP, it does not permit connection using an SSH key. If your SFTP server has the ability to automatically forward on files to another location, you may wish to set this up at this time.
  3. Next, go to CUCM and log into the Disaster Recovery System.  From here, select Backup, then Backup Device.  This is where you provide the details of your SFTP server.
  4. Click on “Add New” and provide a friendly name for your SFTP server.  Beneath this, there is an area marked “Select Destination” – here you can enter the SFTP server details, path and credentials.  You can also select how many backups you want to keep in the SFTP server – handy if your SFTP server lacks automation capabilities.
  5. Once you have done this, you can schedule the backup.  Go to Backup, then Scheduler and click “Add New” to create a new schedule.  As you might expect, you can now add the frequency that you want to send the backup to the SFTP server, including the day of the week and time of day.  Finally, save the schedule and click on “Enable Schedule”.

 

Et Voila!  Your CUCM configuration is now being securely backed up to your SFTP server.

Pro2col file transfer experts recommend the following Cisco-certified FTP servers:

Titan FTP Server

 Choose Titan FTP Server if you need a cost-effective solution for a tactical implementation

X Don’t choose this if you need to support additional protocols and use cases in the future. Titan FTP Server has limited scope for growth.

 

Discounted Price $1249 $1124

Globalscape EFT server

 This is a scalable solution. Choose Globalscape EFT Server if you want to support additional protocols and use cases in the future.

X Don’t choose this if you just need a single tactical implementation. Globalscape EFT Server won’t be the most cost-effective.

Discounted Price $2238 $2014

CUCM Backup FAQ’S

HOW TO BACKUP CUCM USING SFTP

Cisco has recommended some SFTP servers that it certifies for backing up CUCM. These include Titan FTP Server and Globalscape EFT Server. You can see how to configure these solutions in our step-by-step guide here.

CISCO CUCM BACKUP BEST PRACTICES

Cisco recommends SFTP servers that have been tested internally and jointly supported by TAC. Cisco does not support using the SFTP product freeFTPd. This is because of the 1 GB file size limit on this SFTP product.
Two supported SFTP servers can be found and downloaded for a trial here.

FTPS vs SFTP?

SFTP vs FTPS?

Nine facts to determine which protocol is right for your requirements

To determine the difference between FTPS and SFTP, let’s first look at the technology behind each protocol, then the strengths and limitations.

What is FTPS?

So what does FTPS stand for? File Transfer Protocol Secure.  FTP was around first – but not in a secured state initially. FTPS uses either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to provide connection security through encryption. This is provided by the FTPS server’s x.509 format public key certificate. The certificate may be trusted (provided by a trusted certification authority), or else self-signed. Using a self-signed certificate does not mean the level of encryption is any less, just that you have to be sure that the host is who they say they are. FTPS connections are made secure either implicitly or explicitly. FTPS servers generally listen for implicit connections on port 990 and explicit connections on port 21 – although of course the server administrator may choose to use different ports if they desire.

How does FTPS work?

An implicit connection starts with the client issuing a TLS “Client Hello” message. This message implies that the connection should be secure and if the server doesn’t receive it, the connection is immediately dropped. If however the server does receive the “Client Hello” message, it will send the server certificate to the client, which will authenticate it and use it to encrypt a session key which it then sends back to the server to encrypt the session with.

In the case of explicit FTPS, the client explicitly requests security by sending an “AUTH TLS” (or AUTH SSL) command straight after the connection is made. If the AUTH command is not sent, the FTPS server will treat the client connection as a ‘regular’ non-secure FTP session instead.

Interestingly, implicit connections are not listed in RFC 2228 (the FTPS documentation), only explicit connections.

In either case, once the session has started, the client will need to authenticate to the FTPS server – normally this will be by userid and password, but may also include client certificates if required. All FTP commands are quite naturally passed along the control channel (normally 21 for explicit or 990 for implicit), but FTPS then needs a separate channel for data communications (the actual sending of files or directory lists). The data channels are by default port 20 for explicit FTPS and port 989 for implicit FTPS. Data channels are opened as they are required, then immediately closed again (the control channel remains open for the duration of the session).
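
The fallback described above, where a client that never sends AUTH is served as plain FTP, can be checked for in server logs. The following Python example is added here and is not part of the original article or of any vendor's software; it flags sessions that sent credentials before a successful AUTH, and sessions that moved data without PROT P (going slightly beyond the text: under RFC 4217 the separate data channel is only encrypted once the client requests PROT P). The log format, session ids and file names are constructed assumptions.

```python
# Added example: audit explicit-FTPS sessions for cleartext logins and data.
# Assumed log format (constructed): "<session> <reply-code> <command> [arg]".

DATA_COMMANDS = {"STOR", "STOU", "APPE", "RETR", "LIST", "NLST", "MLSD"}

# Constructed sample: s1 is fully protected, s2 never sends AUTH,
# s3 secures the control channel only, s4 has its AUTH rejected.
SAMPLE_LOG = """\
s1 234 AUTH TLS
s1 200 PBSZ 0
s1 200 PROT P
s1 331 USER backup
s1 230 PASS ****
s1 226 STOR cucm-backup.tar
s2 331 USER backup
s2 230 PASS ****
s2 226 STOR cucm-backup.tar
s3 234 AUTH TLS
s3 331 USER backup
s3 230 PASS ****
s3 226 RETR report.csv
s4 504 AUTH TLS
s4 331 USER backup
s4 230 PASS ****
"""


def audit_sessions(log_text):
    """Return sorted (session, issue) pairs for sessions that leaked cleartext."""
    sessions = {}
    findings = set()
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) < 3:
            continue  # not a command record
        session, code, verb = parts[0], parts[1], parts[2].upper()
        arg = parts[3].upper() if len(parts) > 3 else ""
        st = sessions.setdefault(session, {"tls": False, "prot_p": False})

        if verb == "AUTH":
            # Only a 234 reply means the TLS handshake follows.
            if code == "234" and arg in ("TLS", "SSL"):
                st["tls"] = True
        elif verb == "PROT":
            # Ignore rejected PROT commands; a later accepted PROT C downgrades.
            if code == "200":
                st["prot_p"] = st["tls"] and arg == "P"
        elif verb in ("USER", "PASS") and not st["tls"]:
            findings.add((session, "cleartext-credentials"))
        elif verb in DATA_COMMANDS and not st["prot_p"]:
            findings.add((session, "cleartext-data-channel"))
    return sorted(findings)


if __name__ == "__main__":
    for session, issue in audit_sessions(SAMPLE_LOG):
        print(session, issue)
```
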

What is SFTP?

SFTP is not a form of FTP. In fact, FTPS and SFTP are completely unrelated and bear only a passing resemblance in the structure of many commands. SFTP is not FTP over an SSH connection, rather a distinct protocol in its own right which makes use of the underlying SSH protocol to provide connection security and authentication. Because it is using the underlying SSH protocol, it is normal to use the SSH port (generally port 22).

With SFTP we move away from using certificates for encryption and instead use public/private key pairs, which are not signed by trusted authorities. Like an FTPS self-signed certificate, the only area of doubt is that the SFTP server is who it professes to be – once you are confident that you have connected to the right server, you simply accept the server key and proceed to exchange files over an encrypted session.
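
Being "confident that you have connected to the right server" in practice means comparing the key the server presents with a fingerprint obtained through a separate channel. The Python example below is added here and is not code from the original article; it computes the SHA256 fingerprint in the form OpenSSH displays and checks it against a pinned value. The sample keys are constructed for the demonstration and are not real server keys, and the pinned fingerprint is assumed to come from the server's administrator.

```python
# Added example: pin an SFTP server's host key by its SHA256 fingerprint.
import base64
import hashlib
import hmac
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(key_line):
    """Fingerprint a public-key file line or a known_hosts line."""
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            key_type = field
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no SSH public key found in line")
    # The blob repeats the key type as a length-prefixed string; a mismatch
    # means the line is corrupt or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_pinned(presented_line, pinned_fingerprint):
    """True only if the presented key hashes to the fingerprint on record."""
    return hmac.compare_digest(fingerprint(presented_line), pinned_fingerprint)


def make_sample_key(fill):
    """Build a constructed ssh-ed25519 public-key line (not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    expected = make_sample_key(1)    # key the administrator told us about
    impostor = make_sample_key(2)    # a different key offered on connect
    pinned = fingerprint(expected)
    print(pinned)
    print("expected key accepted:", host_key_is_pinned(expected, pinned))
    print("other key accepted:   ", host_key_is_pinned(impostor, pinned))
```
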

The most important difference between FTPS and SFTP is that an SFTP server requires just one port to operate on – there is not a separate data and control channel to take care of.

In contrast to FTPS where clients occasionally provide a certificate for authentication, it is common practice for SFTP batch clients to authenticate by key only to avoid the need to store and maintain passwords.

When comparing SFTP vs FTPS speed, SFTP can be slower because there are more steps to secure the transfer.

SFTP vs FTPS: Nine differences

So having considered some basics of both FTPS and SFTP, let’s look at the difference between FTPS and SFTP. Mostly speaking, what one can do the other can too – there are a few exceptions though:
  1. FTPS will allow you to create custom commands
  2. SFTP has better control of file permissions, ownership and properties
  3. FTPS allows use of Trusted x.509 certificates
  4. An SFTP server only requires a single port to be open on the firewall
  5. FTPS supports EBCDIC transfers
  6. SFTP allows creation of symbolic links
  7. Windows servers and clients don’t natively support SFTP
  8. SFTP is simple to install and manage on Linux and Unix servers
  9. SFTP will be slower than FTPS because there are more steps to secure the transfer

Mostly the decision on which protocol to use comes down to the requirements of the organisation. If there is a prevalence of Linux/Unix servers in a network, SFTP may be the better choice. However, for Windows servers SFTP is not the answer, as it would require SFTP clients to be installed everywhere.

In addition, some firewall administrators would be happier to use SFTP with its single port, while some server administrators may not want SSH access to their servers enabled.

Otherwise it makes sense where possible to invest in file transfer server software that supports both protocols and leave the choice up to the clients.

FREQUENTLY ASKED QUESTIONS

Is FTPS secure enough?

Yes, both FTPS and SFTP are considered secure because they provide connection security through encryption. There are nine main differences between the two and the right one for you will depend on your requirements. Read more…

What does FTPS mean?

FTPS stands for File Transfer Protocol Secure. It uses either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to provide connection security through encryption. Read more…

Which is faster SFTP or FTPS?

FTPS is usually faster than SFTP because there are fewer steps to secure the transfer. Read more….

What is the difference between SFTP vs FTPS?

There are nine key differences:

  1. FTPS will allow you to create custom commands
  2. SFTP has better control of file permissions, ownership and properties
  3. FTPS allows use of Trusted x.509 certificates
  4. An SFTP server only requires a single port to be open on the firewall
    Read more…

How do I monitor my Managed File Transfer system?

Most Managed File Transfer (MFT) products contain a dedicated reporting component, available either in the base licence or as an additional module which can be purchased and installed separately.

Many businesses will want to pass this reporting into their monitoring solution, to consolidate all their reporting in one place. But what’s the best way to do this? The majority of MFT solutions generate simple alerts to notify operators or administrators of potential problems. In this article, I’ll explore some of the ways that you can use these interfaces to best suit your needs.

Before you even consider how you want to interface your MFT to your monitoring, you need to take a long look at whether something is, in fact, worth monitoring. For example, would you want to be alerted when someone fails to login to your FTP server? If it’s a wannabe hacker and their IP address gets automatically locked out, then probably not. If it’s a production batch account, then probably yes. Think about your MFT system in component pieces and judge each part on its own merit. Just because you monitor some of it, you don’t have to do it all.

1. The problem with email

One of the easiest monitoring methods is to generate an email when something goes wrong. Unfortunately though, this is also one of the biggest monitoring failures for a couple of reasons.

First, relying on email does not preclude a failure or delays in your mail system. Emails can potentially get lost or marked as spam by the mail server if enough are generated. Secondly, if you are only notified of failure, but you don’t receive any emails, is your system working?

2. Simple Network Management Protocol

SNMP is a protocol designed for monitoring a network and its various devices. There are several monitoring solutions commercially available, however you need to check your MFT system to determine if it is able to create an SNMP trap. If not, you are limited to just monitoring the MFT server(s).

3. Log watcher

Most monitoring tools contain a log watcher of some description. The monitoring solution can be set to read your log files on a regular basis and will generally remember which parts of the log have already been read. An alert is raised when a certain regular expression is encountered in the log file.

Be careful when using this approach that you do not inadvertently change the log levels of the MFT solution and that error text does not change with software upgrades.

4. Event log

Some MFT solutions allow writing to Windows event logs, which you can then monitor with any commercial monitoring solution. On a Linux or Unix system, you would perhaps be checking the /var/log directory (system logs are written to /var/log/messages).

5. Database

If your MFT solution writes log records to a database, use a query launched from the monitoring solution to routinely extract error events. Depending upon the frequency of execution, this can give near real-time results.

6. And finally… scripting

If your MFT product provides an API, why not use some scripting to generate events? A Cron or Windows scheduled task can routinely check directly into your system for noteworthy events.

Now that you’ve worked out a way to get the events from your MFT system into your Monitoring solution, you need to consider how you want to be alerted. Of course, this is the responsibility of the monitoring solution, but consider how you would like to grade the events that you receive. Do they all require your immediate attention, or can you apply a priority to some, while others can wait? In practice, it makes sense to prioritise events before passing them to the monitoring solution.
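
The log watcher and the grading of events described above can be combined in one small script. The Python example below is added here and is not taken from any MFT product; it remembers how far it has read, survives log rotation, grades failed logins by whether the account is a production batch account, and counts lines it could not parse so that a change of log wording after an upgrade is noticed. The log format, the account name `cucm-backup` and the sample lines are constructed assumptions.

```python
# Added example: log watcher with remembered offset and event grading.
import json
import os
import re

# Assumed log format (hypothetical; adapt the pattern to your MFT product):
#   <timestamp> <LEVEL> <event> user=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<event>[a-z_]+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)"
)
BATCH_ACCOUNTS = {"cucm-backup"}  # hypothetical production batch accounts

# Constructed sample log lines.
SAMPLE_MFT_LOG = """\
2024-05-01T02:00:01Z INFO login_ok user=cucm-backup ip=10.0.0.5
2024-05-01T02:00:09Z INFO transfer_ok user=cucm-backup ip=10.0.0.5
2024-05-01T03:14:22Z WARN login_failed user=admin ip=203.0.113.7
2024-05-02T02:00:01Z WARN login_failed user=cucm-backup ip=10.0.0.5
"""


def grade(event, user):
    """Return 'high', 'low' or None (not worth alerting on)."""
    if event == "transfer_failed":
        return "high"
    if event == "login_failed":
        # A locked-out stranger is noise; a failing batch job is not.
        return "high" if user in BATCH_ACCOUNTS else "low"
    return None


def scan(log_path, state_path):
    """Read only what is new since the last run and grade what matches."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = json.load(fh)["offset"]
    if os.path.getsize(log_path) < offset:
        offset = 0  # log was rotated or truncated: start again from the top

    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a half-written last line for next run

    alerts, lines, unparsed = [], 0, 0
    for raw in data[:end].decode("utf-8", "replace").splitlines():
        lines += 1
        match = LINE_RE.match(raw)
        if match is None:
            unparsed += 1  # format drift after an upgrade shows up here
            continue
        priority = grade(match["event"], match["user"])
        if priority:
            alerts.append((priority, match["event"], match["user"], match["ip"]))

    with open(state_path, "w") as fh:
        json.dump({"offset": offset + end}, fh)
    # Zero new lines run after run is itself a signal: silence is not health.
    return {"alerts": alerts, "lines": lines, "unparsed": unparsed}
```

Run `scan()` from cron or a scheduled task and forward the graded alerts, together with the `lines` and `unparsed` counters, to the monitoring tool.
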

Whichever method you use to pass events to the Monitoring tool, you may find that you also have the opportunity to execute certain activities when you detect an issue. Many monitoring tools possess this functionality (If you script your monitoring interface, this can be used too). A good example of this may be to restart a failed interface, or enable an alternate workflow.

If you need help setting up your monitoring, please contact Pro2col. Our experts deliver professional services on all aspects of your MFT solution.

We’ve been specialising in solutions that securely transfer data, integrate with on-premise, hybrid and cloud systems since 2004. We are partners for the majority of the leading file transfer vendors, delivering accredited support services.

 

Criteria to consider when choosing the right Managed File Transfer product

What should you consider when choosing a Managed File Transfer product? As well as matching technical features against your requirements, it is really important to look at the lifecycle of the product you are evaluating.
As with everything in life, there is a natural evolution or lifecycle that every product will go through, i.e. from inception through growth and maturity to decline. Of course the length of time in each phase will vary based on a number of different factors like marketing, on-going product development, customer input and a strategic commitment to R&D.  Under these conditions a product’s growth can continue for a long time. But there are some things that can help you identify a product that is in or near the declining phase of its lifecycle.

10 things to look at when evaluating an MFT solution

  1. No product development road map.
  2. Road map is primarily made up of sustaining fixes.
  3. No big enhancements being released in the near term i.e. 6 – 8 months.
  4. No big enhancement(s) released in the last year i.e. reporting, dashboards, etc.
  5. Not up to date with the basic table stakes of MFT functionality. This could also apply to an immature product as well. But if a product has been around for some years and is lacking some basic MFT functionality that should be a big red flag.
  6. Declining Sales. It is easier to find out this information for publicly traded companies than private ones.
  7. Little or no marketing promotions for the product(s) you are evaluating.
  8. Still using Old Technology Paradigms, i.e. a product doesn’t have the most up to date versions of technology such as encryption algorithms, protocols etc.
  9. Little or no R&D infrastructure.
  10. Based on the competitive dynamics of the MFT industry, if a company is not electing to employ one of three strategies (Maintain, Defend or Innovate), its product is in the declining phase of its lifecycle.

Your solution will become a critical component of your organisation’s business workflow, so it’s important to know you are choosing a committed vendor.

We work with some of the industry’s leading vendors. In addition to having a close relationship with them, we understand their position in the marketplace, where their product roadmaps are headed and can help to steer you towards the most appropriate technology for your requirements.  Contact us to see how we can help with your file transfer project.

Researching Managed File Transfer? Download our independent Buyer’s Guide

We know it’s difficult to research and select new software, especially one as fundamental as Managed File Transfer. It underpins your security, efficiency, cloud strategy and digital transformation. None of these are areas where you can take risks.

That’s why we created the Managed File Transfer Buyer’s Guide. It helps you mitigate these risks, so you can confidently select the right solution for your business requirements.

Why did we create the Managed File Transfer Buyer’s Guide?

There are three main reasons we wrote this: To save you time, to save you money and because our independence and expertise means we are best placed to advise.

 

  • To save you time and money

    Managed File Transfer is a big investment. Whether you’re buying for the first time or replacing an outdated solution, you don’t want to make an expensive mistake.
    There are over forty vendors on the marketplace, each pushing their product. Of course they will tell you it is right for your business. But perhaps Managed File Transfer isn’t right for you after all? Or maybe there’s a product that will deliver your requirements better and for a cheaper price?
    To research every product thoroughly will take a lot of time and resource. We have distilled the essential information into this guide, so you can understand whether you need MFT, which business problems MFT can address and how, plus advice for the different stages of your project.

  • Other Buyer’s Guides aren’t up to much

    There’s no-one else who can create a truly independent Buyer’s Guide with our level of expertise. They are either written by vendors trying to push their product, or by businesses without our level of experience.
    Pro2col deal solely with MFT and have done for over 15 years. Each of our senior technical consultants has over nine years’ experience. We are thought leaders in the industry, assisting vendors with product research and development, and are providers and developers of the only vendor-independent training programme: The Certified File Transfer Professional (CFTP).
    Our technical expertise is sought the world-over by businesses and vendors alike. Access this expertise for free now.

What does the Managed File Transfer Buyer’s Guide include?

  • Explanation of MFT and whether you have a current or future business need.
  • A series of common business problems MFT solves, including automation, security and visibility.
  • Which MFT features or modules address which requirement?
  • Use cases explaining how different industries use MFT.
  • Advice for the different stages of an MFT project.
  • Access to more downloadable resources to help you through each stage of your product.

MFT utility case study: Water Plus

Managed File Transfer (MFT) reduces overheads for utility start-up Water Plus

This case study describes how Pro2col delivered a smooth launch and cut costs for a utility start-up. It is an MFT utility use case.

Water Plus needed to install a new MFT solution within a very tight deadline, otherwise they wouldn’t get their licence.

The company is a standalone venture, set up by Severn Trent and United Utilities. Deregulation in 2017 meant 400k non-household customers were transferred to the new company overnight. They had no infrastructure, a tight budget and very little time.

The solution was a system that could be set up quickly, provide the exact security and automation requirements they needed, and offer ongoing UK-based support.

Pro2col: On-tap specialists

Water Plus knew they wanted a Managed File Transfer solution, but they needed support selecting the right product and modules, then installing it. They approached Pro2col – the highly trusted UK partner of many MFT providers – who analysed their requirements and suggested an enterprise-level solution with an MFT Gateway for additional security, plus auditing and reporting features. “Using Pro2col kept start-up costs down as installation was fifty to seventy-five per cent faster with Pro2col’s engineers onsite,” said Chris Leach, Application Manager, Water Plus.

Process automation

Managed File Transfer reduces the need for time-consuming and repetitive manual processing. Companies run more efficiently and keep costs down. It helps Water Plus manage files and data with multiple workflows in place. “We would need an additional team of five to transfer files manually at peak times,” said Chris. “Instead, files can arrive a few minutes before processing without any issues. A member of staff couldn’t do that, especially at scale. MFT doesn’t need lots of people, saving huge staffing costs. It all works in the background. There is less chance of human error and less chance of files or data being sent that shouldn’t.” For example, meter readings are automatically translated into the right format and stored in a certain place on the server. This can then drive multiple processes, such as email acknowledgements, generating bills and printing, right through to processing payment.

Security concerns

“Security was a major factor”, says Chris. “If you have files coming in and going out all over the place, there’s a lack of control. That means no security and no audit. The solution Pro2col recommended offered one single system that only needed one external IP in the DMZ for all the files so there’s less chance of getting hacked.” The additional MFT Gateway provides a single point for files to enter or leave the network that is completely secure and under your control. Nothing comes through the Gateway without permission. There are added customer benefits, noted Chris. “I can do all my white listing from one box and customers only need to white list one IP address.”

Auditing and reporting

GDPR makes a data trail essential. You have to know who saw a file and when. Reporting can be set up to automatically deliver this visibility. “I know which files are in the system and who touched them at what time,” Chris explained. “If we have a query, I can go and pull it up. If that was done manually or via email, even using secure portals, there’s no audit and no tracking. That’s a big benefit.” Reporting is also really important to work alongside automated processes to prevent some predictable system problems. Potential issues are flagged, such as a file that is too large. Chris sets the trigger points and actions which can – for example – split the file up into smaller sizes to prevent overnight batch processing errors.

“Bringing Pro2col onsite made installation between 50-75% faster.”

 

Chris Leach
Application Manager

 

 

Room to grow

The MFT solution was scalable, which meant Water Plus could build it out as requirements grew. “As we began to understand the business needs better,” says Chris, “we realised we needed a process for ad hoc file transfers. The solution had a module we could easily add-on, which did that. It was quick and easy to set up.” Water Plus added this secure person-to-person transfers module to their solution two years later.

Ongoing support

Ongoing UK-based support is a major benefit for businesses using software from US MFT vendors. “The communication Pro2col provides is clear and concise. When they’ve spotted issues, solutions have come straight away. They’re always on it.” He added, “Pro2col were there in the early days to help us get the software up and running. We got ideas quickly and they found the root cause of any issues.” Overall, Chris reports many benefits from their MFT solution, including “reduced overheads and reduced single-team support and development.”

“The communication Pro2col provides is clear and concise. When they’ve spotted issues, solutions have come straight away.”

Chris Leach
Application Manager

Pro2col are independent experts in secure data transfer working with businesses to identify, implement and manage the right solution for their requirements. We help transform infrastructure, streamline processes, and increase productivity, collaboration and data security. Since 2004 Pro2col have helped over 800 businesses, spanning 30+ countries and a range of industry sectors.