Metadefender SFT using HTTPS protocol

This article provides step by step guide on how to switch Metadefender Secure File Transfer to HTTPS.

Step-by-step guide using self-signed certificate

1. Open the Secure File Transfer web application and login using an administrator account
2. From the left side menu, navigate to Configuration → Change URL
3. On the Change URL page, toggle on the HTTPS switch
   
   
   
   
4. Click on the Update button from the bottom of the Change URL page
5. Open the “<SFT installation directory>\Config” folder (e.g., "C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\Config\").
6. Open the “applicationhost.config” file using Notepad.

7. Find the “<sites>” XML tag and add the HTTPS binding to the “Metadefender SFT” website. Please see below for details:
   
   

   
   

   
   

   
   

   
   

   <binding protocol="https" bindingInformation="*:443:<YOUR_DOMAIN>"/>

   
   

   
   

   
   

   
   

   Your edited binding should look similar to the one shown below:
   
   
   

8. Optionally, remove the HTTP binding, if you only want SFT to work over HTTPS.

9. Save and close the “applicationhost.config” file.

10. Open the “<SFT installation directory>\Services>” folder (e.g. 'C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\Services')

11. Open the "pp.sft.rest.service.exe.config" file and edit the 'RestHostAddress' entry value to use the HTTPS protocol (e.g., 'https://{computer_name}:8000/sft_rest').

    

    
    

12. Save and close the "pp.sft.rest.service.exe.config" file.

13. Open a Command Prompt, running using administrator privileges and type the following command
    
    

    
    

    
    

    
    

    
    

    certutil -store MY

    
    

    
    

    
    

    
    

    
    

14. Copy the value from the 'Cert Hash' field and remove the spaces (e.g. the edited hash should look like this ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006)
15. Generate a new GUID. One option would be to use the following online resourse: https://www.guidgenerator.com/online-guid-generator.aspx (e.g. generated GUID should look like this {CDA52389-5954-44C2-8CF0-38062D1572F8})

16. Switch back to the command prompt and run the following command

    
    

    
    

    
    

    
    

    netsh http add sslcert ipport=0.0.0.0:443 certhash=your_hash appid={your_guid}

    
    

    
    

    
    

    
    

    Replacing your_hash with the certificate hash from step #14 and your_guid with the GUID generated at step #15 (make sure the value of the GUID is surrounded by curly brackets - {}).
    e.g. netsh http add sslcert ipport=0.0.0.0:443 certhash=ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006 appid={CDA52389-5954-44C2-8CF0-38062D1572F8}
    
    

    
    

17. Please follow the remaining steps, only if you also want to move the REST service to use a secure connection (i.e. enable HTTPS)
    Similar to the previous steps, run the following command:

    
    

    
    

    
    

    
    

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=your_hash appid={your_guid}

    
    

    
    

    
    

    
    

    Replace your_hash and your_guid with the same values from the previous step
    e.g. netsh http add sslcert ipport=0.0.0.0:8000 certhash=ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006 appid={CDA52389-5954-44C2-8CF0-38062D1572F8}   

    Note: If you are using PowerShell you must enclose the appid in quotes. 

18. Restart the Metadefender Secure File Transfer REST Service 
    1. In Commpand Prompt, run “net stop sftREST” 
    2. After the service stopped, run “net start sftREST”
19. Note: if there is an error when trying to start the service please see REST service cannot be started on default port 8000 to fix the issue
20. Open the "<SFT installation directory>\WebClient" folder (e.g. C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\WebClient\)
21. Open the config.json file in Notepad.
22. Change the "protocol" value to "https".
23. Leave port value unaltered (e.g. "8000"), unless the REST service listens on a different port, or you've changed the port in step #11 (e.g. 443). In this case, update the port accordingly.
24. Save and close the "config.json" file.
25. Restart the Metadefender Secure File Transfer Helper Service (execute “net stop sftHelper” and then “net start sftHelper” in command prompt)

26. Test that the site works by visiting https://<Domain> (Make sure to clear cookies or try in incognito browser)

Follow these steps in order to switch to https in a real environment.

Step-by-step guide using real certificate

1. Before you start, you will need the following prerequisites

   1. A trusted certificate issued by a certificate authority

   2. See here on installing a self-signed server certificate 

   3. See here on installing a CA-signed server certificate
      
      

2. Open the Secure File Transfer web application and login using an administrator account
3. From the left side menu, navigate to Configuration → Change URL
4. On the Change URL page, toggle on the HTTPS switch
   
   
   
   
5. Click on the Update button from the bottom of the Change URL page
6. Open the “<SFT installation directory>\Config” folder (e.g., "C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\Config\").
7. Open the “applicationhost.config” file using Notepad.

8. Find the “<sites>” XML tag and add the HTTPS binding to the “Metadefender SFT” website. Please see below for details:

   
   

   
   

   
   

   
   

   
   

   <binding protocol="https" bindingInformation="*:443:<YOUR_DOMAIN>"/>

   
   

   
   

   
   

   
   

   Your edited binding should look similar to the one shown below:

   
   
   

9. Optionally, remove the HTTP binding, if you only want SFT to work over HTTPS.

10. Save and close the “applicationhost.config” file.

11. Open the “<SFT installation directory>\Services>” folder (e.g. 'C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\Services')

12. Open the "pp.sft.rest.service.exe.config" file and edit the 'RestHostAddress' entry value to use the HTTPS protocol (e.g., 'https://{computer_name}:8000/sft_rest').

    

    
    

13. Save and close the "pp.sft.rest.service.exe.config" file.

14. Restart the Metadefender Secure File Transfer REST Service 
    1. In Commpand Prompt, run “net stop sftREST” 
    2. After the service stopped, run “net start sftREST”
15. Note: if there is an error when trying to start the service please see REST service cannot be started on default port 8000 to fix the issue
16. Open the "<SFT installation directory>\WebClient" folder (e.g. C:\Program Files (x86)\OPSWAT\Metadefender Secure File Transfer\WebClient\)
17. Open the config.json file in Notepad.
18. Change the "protocol" value to "https".
19. Leave port value unaltered (e.g. "8000"), unless the REST service listens on a different port, or you've changed the port in step #11 (e.g. 443). In this case, update the port accordingly.
20. Save and close the "config.json" file.
21. Restart the Metadefender Secure File Transfer Helper Service
    1. In Commpand Prompt, run “net stop sftHelper” 
    2. After the service stopped, run “net start sftHelper”

22. Test that the site works by visiting https://<Domain>. (Make sure to specify https:// ) (Also clear cookies or try in incognito browser)