Backing up Cisco Unified Communications Manager through SFTP

Backing up and Restoring CUCM

 

The Cisco Unified Communications Manager (CUCM) is in use at many organisations to integrate data, voice and video applications.  It’s a nice product which provides a good balance between security and functionality.

As is often the case however, this sort of product very quickly becomes a critical piece of the infrastructure and consequently needs to be treated as such.  It’s therefore important to ensure that the configuration is routinely backed up in a secure fashion in order to recover your system should the need arise.

CUCM allows you to backup the configuration to a location on your network; because there will be credentials contained within the backup, it requires that you transfer the backup using a secure mechanism – SFTP.

Any file transfer server that provides the SFTP protocol is fine to use – some file transfer vendors even publish simple guides on how to configure for their specific software, however the steps to successful implementation are straightforward.

CUCM Backup: SFTP Server Configuration

 

  1. Create an account on the SFTP server that you will use to receive the backup and set up a folder for it.

  2. You must create a user that has the ability to connect using just a password. Even though CUCM allows the use of SFTP, it does not permit connection using an SSH key. If your SFTP server has the ability to automatically forward on files to another location, you may wish to set this up at this time.

  3. Next, go to CUCM and log into the Disaster Recovery System. From here, select Backup, then Backup Device. This is where you provide the details of your SFTP server.

  4. Click on “Add New” and provide a friendly name for your SFTP server. Beneath this, there is an area marked “Select Destination” – here you can enter the SFTP server details, path and credentials. You can also select how many backups you want to keep in the SFTP server – handy if your SFTP server lacks automation capabilities.

  5. Once you have done this, you can schedule the backup. Go to Backup, then Scheduler and click “Add New” to create a new schedule. As you might expect, you can now add the frequency that you want to send the backup to the SFTP server, including the day of the week and time of day. Finally, save the schedule and click on “Enable Schedule”.

 

Et Voila!  Your CUCM configuration is now being securely backed up to your SFTP server.

Pro2col file transfer experts recommend the following Cisco-certified FTP servers:

Titan FTP Server

 Choose Titan FTP Server if you need a cost-effective solution for a tactical implementation

X Don’t choose this if you need to support additional protocols and use cases in the future. Titan FTP Server has limited scope for growth.

 

Discounted Price $1249 $1124

Globalscape EFT server

 This is a scalable solution. Choose Globalscape EFT Server if you want to support additional protocols and use cases in the future.

X Don’t choose this if you just need a single tactical implementation. Globalscape EFT Server won’t be the most cost-effective.

Discounted Price $2238 $2014

CUCM Backup FAQ’S

HOW TO BACKUP CUCM USING SFTP

CISCO has recommended some SFTP servers that they certify to use for backing up CUCM. These include Titan FTP Server and Globalscape EFT server. You can see how to configure these solutions in our step by step guide here.

CISCO CUCM BACKUP BEST PRACTICES

Cisco recommends SFTP servers that have been tested internally and jointly supported by TAC. Cisco does not support using the SFTP product freeFTPd. This is because of the 1 GB file size limit on this SFTP product.
Two supported SFTP servers can be found and downloaded for a trial here.

FTPS vs SFTP?

SFTP vs FTPS?

Nine facts to determine which protocol is right for your requirements

To determine the difference between FTPS and SFTP, let’s first look at the technology behind each protocol, then the strengths and limitations.

What is FTPS?

So what does FTPS stand for? File Transfer Protocol Secure. FTP was around first – but not in a secured state initially. FTPS uses either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to provide connection security through encryption. This is provided by the FTPS server's X.509-format public key certificate. The certificate may be trusted (provided by a trusted certification authority), or else self-signed. Using a self-signed certificate does not mean the level of encryption is any less, just that you have to be sure that the host is who they say they are. FTPS connections are made secure either implicitly or explicitly. FTPS servers generally listen for implicit connections on port 990 and explicit connections on port 21 – although of course the server administrator may choose to use different ports if they desire.

How does FTPS work?

An implicit connection starts with the client issuing a TLS “Client Hello” message. This message implies that the connection should be secure and if the server doesn’t receive it, the connection is immediately dropped. If however the server does receive the “Client Hello” message, it will send the server certificate to the client, which will authenticate it and use it to encrypt a session key which it then sends back to the server to encrypt the session with.

In the case of explicit FTPS, the client explicitly requests security by sending an “AUTH TLS” (or AUTH SSL) command straight after the connection is made. If the AUTH command is not sent, the FTPS server will treat the client connection as a ‘regular’ non-secure FTP session instead.

Interestingly, implicit connections are not listed in RFC 2228 (the FTPS documentation), only explicit connections.

In either case, once the session has started, the client will need to authenticate to the FTPS server – normally this will be by userid and password, but may also include client certificates if required. All FTP commands are quite naturally passed along the control channel (normally 21 for explicit or 990 for implicit), but FTPS then needs a separate channel for data communications (the actual sending of files or directory lists). The data channels are by default port 20 for explicit FTPS and port 989 for implicit FTPS. Data channels are opened as they are required, then immediately closed again (the control channel remains open for the duration of the session).

What is SFTP?

SFTP is not a form of FTP. In fact, FTPS and SFTP are completely unrelated and bear only a passing resemblance in the structure of many commands. SFTP is not FTP over an SSH connection, rather a distinct protocol in its own right which makes use of the underlying SSH protocol to provide connection security and authentication. Because it is using the underlying SSH protocol, it is normal to use the SSH port (generally port 22).

With SFTP we move away from using certificates for encryption and instead use public/private key pairs, which are not signed by trusted authorities. Like an FTPS self-signed certificate, the only area of doubt is that the SFTP server is who it professes to be – once you are confident that you have connected to the right server, you simply accept the server key and proceed to exchange files over an encrypted session.
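One way to gain that confidence before accepting the server key is to compare its fingerprint with one obtained out of band from the SFTP server's administrator (for example the output of `ssh-keygen -lf` run on the server). The following is an added example, not part of the original article; the key material is constructed dummy data and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct


def parse_public_key(line):
    """Split an OpenSSH public-key line ("<type> <base64> [comment]") and
    check that the key type named inside the blob matches the declared one."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob>'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the blob")
    return key_type, blob


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(presented_line, pinned_fingerprint):
    """True only if the key the server presented has the pinned fingerprint."""
    _, blob = parse_public_key(presented_line)
    return hmac.compare_digest(fingerprint(blob), pinned_fingerprint)


def constructed_key_line(seed):
    """Build a well-formed ssh-ed25519 line from dummy bytes (constructed,
    not a real host key)."""
    name = b"ssh-ed25519"
    key = bytes([seed]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " backup-sftp"


if __name__ == "__main__":
    expected = constructed_key_line(1)   # what the administrator published
    pin = fingerprint(parse_public_key(expected)[1])
    print(pin)
    print("same key:     ", host_key_matches(expected, pin))
    print("different key:", host_key_matches(constructed_key_line(2), pin))
```

A mismatch means the client should refuse the connection rather than accept the new key.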

The most important difference between FTPS and SFTP is that an SFTP server requires just one port to operate on – there is not a separate data and control channel to take care of.

In contrast to FTPS where clients occasionally provide a certificate for authentication, it is common practice for SFTP batch clients to authenticate by key only to avoid the need to store and maintain passwords.

When comparing SFTP vs FTPS speed, SFTP can be slower because there are more steps to secure the transfer.

SFTP vs FTPS: Nine differences

So having considered some basics of both FTPS and SFTP, let’s look at the difference between FTPS and SFTP. Mostly speaking, what one can do the other can too – there are a few exceptions though:

  1. FTPS will allow you to create custom commands
  2. SFTP has better control of file permissions, ownership and properties
  3. FTPS allows use of Trusted x.509 certificates
  4. An SFTP server only requires a single port to be open on the firewall
  5. FTPS supports EBCDIC transfers
  6. SFTP allows creation of symbolic links
  7. Windows servers and clients don’t natively support SFTP
  8. SFTP is simple to install and manage on Linux and Unix servers
  9. SFTP will be slower than FTPS because there are more steps to secure the transfer

Mostly the decision on which protocol to use comes down to the requirements of the organisation. If there is a prevalence of Linux/Unix servers in a network, SFTP may be the better choice. However, for Windows servers, SFTP is not the answer. It would require SFTP clients to be installed everywhere.

In addition, some firewall administrators would be happier to use SFTP with its single port, while some server administrators may not want SSH access to their servers enabled.

Otherwise it makes sense where possible to invest in file transfer server software that supports both protocols and leave the choice up to the clients.

FREQUENTLY ASKED QUESTIONS

Is FTPS secure enough?

Yes, both FTPS and SFTP are considered secure because they provide connection security through encryption. There are nine main differences between the two and the right one for you will depend on your requirements.

What does FTPS mean?

FTPS stands for File Transfer Protocol Secure. It uses either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to provide connection security through encryption.

Which is faster SFTP or FTPS?

FTPS is usually faster than SFTP because there are fewer steps to secure the transfer.

What is the difference between SFTP vs FTPS?

There are nine key differences:

  1. FTPS will allow you to create custom commands
  2. SFTP has better control of file permissions, ownership and properties
  3. FTPS allows use of Trusted x.509 certificates
  4. An SFTP server only requires a single port to be open on the firewall
    Read more…

A review of the current Managed File Transfer vendor landscape

Best Enterprise Managed File Transfer vendors 2020

There are a lot of out-of-date or inaccurate comparisons of enterprise Managed File Transfer (MFT) vendors online. This makes it difficult for businesses to research MFT vendors and select the right solution for their requirements. In a recent blog post, for example, we explained how far out of date the ten-year-old Gartner MFT Vendors Magic Quadrant was.

This blog post gives an impartial overview of current enterprise Managed File Transfer vendors. But firstly, why should you listen to us? Having dealt solely with MFT for over 15 years we have a lot of experience. In fact we’re often asked to assist vendors with product research and development. We are also providers and developers of the only vendor-independent training programme: The Certified File Transfer Professional (CFTP).

The fragmentation of MFT

“Managed File Transfer (MFT) is a technology that provides the secure transfer of data in an efficient and reliable manner. Unlike traditional file transfer tools, such as FTP and scripting, MFT core functionalities include the ability to secure files in transit and rest, and reporting and auditing of file activity. What also differentiates MFT from other forms of infrastructure and integration technologies is its unique focus on managing the transfer of large file sizes and volumes.”
Gartner IT Glossary

Over the last decade, file transfer solutions have fragmented into the following categories:

 

  • Enterprise File Sync and Share, or EFSS: This allows document collaboration and secure sharing of files between people;
  • ‘Extreme’ or fast file transfer: Very large files and data sets can be transferred quickly and securely, using a combination of UDP and TCP protocols;
  • Managed File Transfer (MFT): Primarily chosen for its automation capabilities, frequently coupled with a server and proxy.

The extension of Managed File Transfer

In recent years MFT vendors have extended the reach of their products to include an increasing number of end-points and integration options. This includes:

  • Cloud connectivity, both for storage and SaaS applications;
  • Some data transformation capabilities;
  • Extended SOAP and REST APIs.

These developments have propelled MFT to become the file delivery hub of a business and an alternative option for businesses considering an iPaaS solution. It combines on-premise with external connectivity to create hybrid business processes with governance and visibility.

Of course, different MFT vendors are at different points on this journey. If you would like to find out more, please get in contact and we can provide advice. We can also advise you on previous development release schedules and other factors that will ensure you back a Managed File Transfer vendor that will meet your future needs too.

Ultimately there is no ‘best Managed File Transfer vendor’, just the best one for your individual requirements.

Our top four enterprise Managed File Transfer vendors

In alphabetical order, our top four MFT vendors are as follows. This is based on functionality, ongoing development, release schedule, roadmap and vendor support.

 

Coviant Diplomat

Coviant Diplomat MFT is benefiting from a new lease of life under Greg Hoffer, the recently appointed CEO. The product is considered by the analysts as the value player in the market, strong on enterprise integration, cross platform and with an increasing number of application and cloud integration points. The company was formed in 2004 and according to LinkedIn has 11-50 employees. Coviant is based in San Antonio, Texas, USA.

Globalscape EFT

Globalscape have recently refocused all their efforts on EFT Server. A strong automation platform for Windows, 2020 will see the release of additional GDPR compliance capabilities and automation options. Globalscape was formed in 1996 and has 51-200 employees according to LinkedIn. The CEO is Robert Alpert, it is listed on the NYSE and the organisation is based in San Antonio, Texas, USA.

HelpSystems GoAnywhere MFT

GoAnywhere MFT is a cross-platform application, strong on cloud connectivity, with multiple out-of-the-box connectors available. They bring out a major new release each year. Linoma, developers of GoAnywhere, were acquired by HelpSystems in 2016; HelpSystems was formed in 1982 and has 501-1000 employees according to LinkedIn. The recently promoted CEO is Kate Bolseth and the organisation is based in Minneapolis, Minnesota, USA.

Ipswitch MOVEit

Ipswitch was acquired by Progress in 2019 for +$200m. Ipswitch acquired Messageway in 2010 to add integration and EDI to their portfolio, which now includes three separate file transfer product lines. Ipswitch was formed in 1991 and has 201-500 employees. The CEO is Michael Grossi and the organisation is based in Burlington, Massachusetts, USA.

Enterprise Managed File Transfer vendor landscape

Product | Formed | No. of employees | CEO | Head Office
Diplomat MFT | 2004 | 11-50 | Greg Hoffer | Wellesley, Massachusetts, USA
EFT | 1996 | 51-200 | Robert Alpert | San Antonio, Texas, USA
GoAnywhere | 1982 | 501-1000 | Kate Bolseth | Minneapolis, Minnesota, USA
MOVEit | 1991 | 201-500 | Michael Grossi | Burlington, Massachusetts, USA
Harmony | 1976 | 201-500 | Mahesh Rajasekharan | Rockford, Illinois, USA
Cornerstone | 2000 | 11-50 | Micheal J Ryan | Annapolis, Maryland, USA
Secure Transport | 1996 | 1001 - 2500 | Patrick Donovan | Puteaux, France
Oracle MFT | 1977 | 10001+ | Safra Catz | Redwood City, California, USA
JSCAPE MFT | 1999 | 11-50 | Van Glass | Miami, Florida, USA
Business Integration Suite MFT | 1987 | 501-1000 | Bernd Seeburger | Bretten, Germany
Serv-U | 1996 | 1001 - 5000 | Kevin B. Thompson | Austin, Texas, USA
Attunity MFT | 1977 | 201-500 | Shimon Alon | Burlington, Massachusetts, USA

NEXT STEPS

MFT solutions have very similar features and capabilities, with vendors competing with one another to stay competitive. This makes it more difficult to work out which solution is best for your requirements as product datasheets largely say the same thing. Determining which solution is best is achieved by knowing not what they do but how they do it, the level of detail and complexity, and how they are delivered.

The easiest way for you to identify the right solution for your business is a discovery call with our MFT experts. They will chat with you to fully understand your existing requirements, ensure that you’ve considered what your future needs might be and give you various options in selecting your solution. Call us on 0333 123 1240.

Alternatively, use our free comparison tool, which asks the right questions. You enter your requirements, giving as much detail as you can, and our experts will recommend the right solution for your current and future needs and budget. It’s completely free and there’s no obligation to buy through us.

Tuckton does #ChristmasJumperDay

#ChristmasJumperDay 2019

Let's get Tuckton involved

Businesses across Tuckton teamed up to raise a fantastic sum of money for Save the Children’s #ChristmasJumperDay on Friday 13th December. We smashed our original target, raising over £1600 in total, making us the top fundraiser across Dorset, Cornwall, Devon and Somerset.

Tuckton High Street was a hub of activity, with fundraising activities throughout the day. Jasmina from Pro2col won the Pigs in Blankets – Mince Pie and Spoon race. Her time of 12.75 seconds was honoured despite allegations her mince pie was glued to her spoon. Pictures in the gallery!

Local boxing celebrity Kate Farley judged the Christmas window competition, awarding prizes to the most impressive displays:

  • First place: Wilton’s Funeral Services
  • Second place: Hairworx hairdressers
  • Third place: Matthew Furnell Health & Nutrition

“I am writing to say a huge thank you to you and your team for supporting Christmas Jumper Day again and raising a fantastic £1,609! That’s amazing, massive well done to you and your team.”

Dania Shaw, Community Fundraising Manager South West at Save the Children UK

Three pupils from Stourfield Infant School won prizes for their beautiful Christmas jumper designs, judged by the team from Pandemonium. The day was rounded off with a warming winter BBQ and mulled wine at Flat White.

Winners of the raffle – which includes prizes from Lemon Tree Nails and Beauty, Tuckton Podiatry and Tuckton Dental Practice – will be notified in the next few days.

Thank you to all the businesses who got involved and the local residents who donated. Special thanks to our business partners who made generous donations that made up a large chunk of the funds raised.

All money raised has gone to Save the Children, changing children’s lives around the world. It’s surprising how even a small donation can add up to make a big difference:

  • £210 could equip 200 children in Indonesia with everything they need for school.
  • £100 could buy the essentials a family fleeing conflict in Syria need to survive the winter cold.
  • £50 could provide a child with a month’s supply of high-energy peanut paste, helping them recover from malnutrition.
  • £20 could provide a newborn baby and mother with the vital supplies they need to get the best start in life.
  • £10 could pay for a child’s schoolbag kit in Kenya to help children learn.

How do I monitor my Managed File Transfer system?

Most Managed File Transfer (MFT) products contain a dedicated reporting component, available either in the base licence or as an additional module which can be purchased and installed separately.

Many businesses will want to pass this reporting into their monitoring solution, to consolidate all their reporting in one place. But what’s the best way to do this? The majority of MFT solutions generate simple alerts to notify operators or administrators of potential problems. In this article, I’ll explore some of the ways that you can use these interfaces to best suit your needs.

Before you even consider how you want to interface your MFT to your monitoring, you need to take a long look at whether something is, in fact, worth monitoring. For example, would you want to be alerted when someone fails to login to your FTP server? If it’s a wannabe hacker and their IP address gets automatically locked out, then probably not. If it’s a production batch account, then probably yes. Think about your MFT system in component pieces and judge each part on its own merit. Just because you monitor some of it, you don’t have to do it all.

1. The problem with email

One of the easiest monitoring methods is to generate an email when something goes wrong. Unfortunately though, this is also one of the biggest monitoring failures for a couple of reasons.

First, relying on email does not preclude a failure or delays in your mail system. Emails can potentially get lost or marked as spam by the mail server if enough are generated. Secondly, if you are only notified of failure, but you don’t receive any emails, is your system working?

2. Simple network management protocol

SNMP is a protocol designed for monitoring a network and its various devices. There are several monitoring solutions commercially available, however you need to check your MFT system to determine if it is able to create an SNMP trap. If not, you are limited to just monitoring the MFT server(s).

3. Log watcher

Most monitoring tools contain a log watcher of some description. The monitoring solution can be set to read your log files on a regular basis and will generally remember which parts of the log have already been read. An alert is raised when a certain regular expression is encountered in the log file.

Be careful when using this approach that you do not inadvertently change the log levels of the MFT solution and that error text does not change with software upgrades.
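A minimal log watcher along these lines, as an added example that is not from any MFT product or from the original article: it remembers how far it has read, restarts after rotation or truncation, grades events before they reach the monitoring solution, and returns a heartbeat so that silence is not mistaken for health. The log format, account names and rule names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed log format (assumption): "<date> <time> <LEVEL> <text> user=<name> ..."
# The patterns depend on the product's error text and log level, so re-check
# them after every MFT upgrade or logging change.
RULES = [
    ("login_failed", re.compile(r" ERROR login failed user=(?P<user>\S+)")),
    ("transfer_failed", re.compile(r" ERROR transfer failed user=(?P<user>\S+)")),
]
BATCH_ACCOUNTS = {"svc_payroll"}  # hypothetical production batch accounts

SAMPLE = (  # constructed log lines
    "2020-01-14 02:00:01 INFO transfer complete user=svc_payroll file=pay.csv\n"
    "2020-01-14 02:03:11 ERROR login failed user=admin ip=203.0.113.9\n"
    "2020-01-14 02:05:40 ERROR login failed user=svc_payroll ip=10.0.0.12\n"
)


def grade(rule_name, user):
    """Prioritise an event before handing it to the monitoring solution."""
    if rule_name == "login_failed" and user not in BATCH_ACCOUNTS:
        return "low"   # not a batch account; the server's lockout deals with it
    return "high"      # a production batch job is affected


def scan(path, state):
    """Read only what was appended since the previous call.

    state holds 'inode' and 'offset'; the caller persists it between runs.
    Returns (events, heartbeat).
    """
    st = os.stat(path)
    # Rotation or truncation: the remembered offset no longer applies.
    if state.get("inode") != st.st_ino or st.st_size < state.get("offset", 0):
        state["inode"], state["offset"] = st.st_ino, 0

    events, lines_read = [], 0
    with open(path, "rb") as fh:
        fh.seek(state["offset"])
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # half-written line: leave it for the next run
            state["offset"] += len(raw)
            lines_read += 1
            line = raw.decode("utf-8", errors="replace")
            for name, pattern in RULES:
                match = pattern.search(line)
                if match:
                    user = match.group("user")
                    events.append({"rule": name, "user": user,
                                   "priority": grade(name, user)})
                    break
    # Sent on every run, so a watcher that stops reporting is itself visible.
    return events, {"lines_read": lines_read, "events": len(events)}


def demo():
    """Three consecutive runs over a growing, constructed log file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mft.log")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        state = {}
        first = scan(path, state)
        with open(path, "a") as fh:
            fh.write("2020-01-14 02:10:00 ERROR transfer failed user=svc_payroll\n")
            fh.write("2020-01-14 02:10:05 ERROR login fai")  # still being written
        second = scan(path, state)
        third = scan(path, state)  # nothing complete has been added
        return first, second, third


if __name__ == "__main__":
    for events, heartbeat in demo():
        print(heartbeat, events)
```

A heartbeat that reports zero lines read for longer than the system is ever normally idle is worth an alert of its own, since it can mean the log level or log location has changed.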

4. Event log

Some MFT solutions allow writing to Windows event logs, which you can then monitor with any commercial monitoring solution. On a Linux or Unix system, you would perhaps be checking the /var/log directory (system logs are written to /var/log/messages).

5. Database

If your MFT solution writes log records to a database, use a query launched from the monitoring solution to routinely extract error events. Depending upon the frequency of execution, this can give near real-time results.

6. And finally… scripting

If your MFT product provides an API, why not use some scripting to generate events? A Cron or Windows scheduled task can routinely check directly into your system for noteworthy events.

Now that you’ve worked out a way to get the events from your MFT system into your monitoring solution, you need to consider how you want to be alerted. Of course, this is the responsibility of the monitoring solution, but consider how you would like to grade the events that you receive. Do they all require your immediate attention, or can you apply a priority to some, while others can wait? In practice, it makes sense to prioritise events before passing them to the monitoring solution.

Whichever method you use to pass events to the monitoring tool, you may find that you also have the opportunity to execute certain activities when you detect an issue. Many monitoring tools possess this functionality (if you script your monitoring interface, this can be used too). A good example of this may be to restart a failed interface, or enable an alternate workflow.

If you need help setting up your monitoring, please contact Pro2col. Our experts deliver professional services on all aspects of your MFT solution.

We’ve been specialising in solutions that securely transfer data, integrate with on-premise, hybrid and cloud systems since 2004. We are partners for the majority of the leading file transfer vendors, delivering accredited support services.

 

Open PGP keys under attack: Does this affect your MFT solution?

PGP is the industry standard for securing communications and a common feature of MFT. But it’s recently been at the centre of hacking fears. This guest blog post from Coviant Software CEO Greg Hoffer will alleviate any concerns relating to your Managed File Transfer (MFT) solution.

It was bound to happen one day: the OpenPGP Standard Key Server implementation has fallen victim to attack. When the Pretty Good Privacy (PGP) Keyserver system allows anyone to affix changes (“attestations”) to a given key – these never, ever get deleted. As a result, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy to use by some software. This is a clear security issue leading to a “denial of service” attack, rendering that public key unusable for encrypting information.

So how does this affect your MFT solution? It has no negative impact at all. I have never experienced any customer that uses a KeyServer for OpenPGP key distribution. When creating a transaction to move files between an MFT customer and an external customer, partner, supplier, or vendor it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Thus, since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.

Let’s all use this situation as a reminder to be very untrusting when dealing with the security of sensitive data, and not provide an infrastructure that allows anonymous, unregulated edits to information that is vital to secure communications.

Greg Hoffer

CEO, Coviant Software

Your MFT solution is a critical part of your infrastructure, with many business processes depending on it. Without regular maintenance and training, you are risking security and efficiency, and ultimately not getting the best value from your solution.

Our health check service reviews the performance of your software, checking your configuration, version, clean-up rules and more. Our technical consultants will produce and present a report advising on risks we have identified and remedial actions.

Call 0333 123 1240 or contact us online to book a health check today.