If you are updating from any version 9 or below start reading here:
Server Manager has changed: Instead of being a pop-out configuration dialog, Server Manager has now been fully integrated into the user interface in a much more user-friendly format. For reference, please see: Server Management
If you are updating from version 10 or below...:
User Manager has changed: Instead of being a pop-out configuration dialog, User Manager has now been fully integrated into the user interface in a much more user-friendly format. For reference, please see: User Management
If you are updating from version 12.2.2 or below...:
There are now service account options in the Installer: When you run the installer, you will now see several options regarding the service account running Cerberus. You can select the 'Use Current' configuration (recommended for the least disruption). If you are using 'Local System' to run Cerberus and you select this, the installation will continue. If you already have a dedicated service account running Cerberus and select this option, you will be prompted for the password.
The next option is to have Cerberus create a dedicated Standard Service Account, which will be a new local user account on the server. You also have the option to switch to an existing Local Account or existing Service account. In both these cases, a username and password will need to be provided.
You can verify what service account option you are using by checking 'services.msc'. Right-click on 'Cerberus FTP Server' and 'Properties', then the 'Log On' tab. You'll either see 'Local System' or see custom credentials specified.
While moving away from ‘LocalSystem’ is the right choice, in the long run, please be aware that a change to service credentials should be tested thoroughly before being applied to production environments.
You must ensure the new service account has privileges on all virtual directory paths used by Cerberus FTP Server. Files referenced in configuration, like certificates and private key files must also be accessible. When moving to a domain service account, you must also ensure the account has read-access to all users and groups integrated with Cerberus FTP Server. Finally, the account must be able to read and write to all the settings files in C:\ProgramData\Cerberus LLC\Cerberus FTP Server.
By default, Cerberus used to revert back to using 'Local System' when updating and customers using custom service accounts had to restore the credentials before restarting the service. With these new updater options, this will no longer be the case.
If you are updating from version 12.3.4 or below...:
The Cerberus desktop User Interface now uses Microsoft WebView2 to render the UI pages, instead of Internet Explorer:
This is a Microsoft Edge (Chromium) platform that allows developers to bring web experiences into native apps. Cerberus has moved to this platform to display desktop user interface pages instead of relying on Internet Explorer. This is to modernize the Cerberus user interface and also improve performance.
While it is NOT required as the Cerberus user interface will continue to use Internet Explorer if you don't install WebView2, we recommend WebView2 as it significantly improves UI performance.
The installer will attempt to download and install this platform if it detects it is not installed. To reduce the possibility of an issue when updating, it is possible to do a manual install of WebView2 BEFORE updating Cerberus. That way Cerberus won't try to install it when you update.
Here is the Microsoft page describing WebView2 which also has install links.
https://developer.microsoft.com/en-US/microsoft-edge/webview2/#download-section
It is recommended that you use the 'x64' link in the 'Evergreen Standalone Installer'. Optionally you can download the 'Evergreen Bootstrapper' which is a tiny installer that downloads the Evergreen Runtime matching device architecture and installs it locally. There is also a link that allows you to programmatically download the Bootstrapper.
If you are updating from version 12.10.1 or below...:
Cerberus has been upgraded to use Open SSL 3.0.x with TLS v1.3 support:
Please read this document CAREFULLY before updating!: OpenSSL to 3.0.7 with TLS 1.3 support:
If you have FIPS 140-2 mode turned on at 'Server Manager' > 'Security' > 'General' and have users connecting to your Cerberus via SFTP using SSH Key Pair authentication, instead of password, when you update to our most current release, it's very possible, that some older/outdated SFTP clients will no longer be able to connect. This is because older SFTP client software uses older authentication algorithms, and doesn't support the newer, more secure algorithms that FIPS requires in OpenSSL 3.0.x.
and Why won't some SSH SFTP clients connect after updating Cerberus to 12.11?
If you have users connecting using older software, there are three solutions/workarounds.
-
Best solution: Users either update their client software, if possible, to a compatible version, or if the software is no longer under development, they may have to consider rewriting their connections to use a different, more modern, client.
-
Workaround: Temporarily turn off FIPS 140-2 mode until users are able to fix their client software. I note you are a healthcare company. If you turn off FIPS, you may no longer be HIPPA compliant if you are audited.
-
Workaround: Remain on a release of Cerberus prior to 12.11.0 until users are able to update their client software. This would allow you to keep FIPS mode turned on, BUT you will no longer be able to update Cerberus until users have updated their client software. Because of that, this should strictly be temporary!
-
If none of this is possible, you can also consider switching to an ECDSA (rather than the typical RSA) certificate for SFTP connections as ECSDA ciphers are supported by most new AND older client software. More here: How do I generate an ECDSA CSR with Win64 OpenSSL and install the certificate?
If you have FIPS mode turned OFF, you can safely update without concern.
See below for the instructions for updating. It's a quick, straightforward process. The update process is the same regardless of whether you have FIPS mode turned on or not.
Steps to update:
DO NOT use the auto-updater! You will encounter issues updating from version 10 or below if you use it.
Manually download and run the latest Installer
Manually download the latest installer. The installer will upgrade an existing installation to the latest release. To download and run the latest installer:
- Go to the Cerberus Download page
- Download the latest installer. (Please note that as of Cerberus version 12, a 32-bit version is no longer available or supported)
- Shut down the Cerberus FTP Server UI. Go to the File menu and select the Exit menu option. DO NOT use the 'red X' on the upper right! You should also shut down the Cerberus FTP Server Window Service. The installer will normally be able to shut down the service, but on rare occasions, the automatic shutdown will not work. Shutting down the Cerberus Windows Service before installation ensures an error-free installation and that all your users and settings are preserved.
- Launch the installer. You should select the default options for any questions in the installer (See notes about the installer enhancements above). The installer will automatically remove your existing installation and install the latest release. All of your existing users and settings will be preserved.
- Finish the installation and you are done. The latest version of Cerberus FTP Server should now be installed and running.
You should expect only about a 5-minute actual interruption of the service.
If you have any questions regarding any of the above, please contact Cerberus Support.
Comments
0 comments
Article is closed for comments.