Last Updated: June 18, 2018

The globus-connect-server-setup command configures the local Globus Connect Server endpoint based on the contents of the /etc/globus-connect-server.conf file. When you change settings in the configuration file, you must issue the globus-connect-server-setup command (as root) for the new settings to take effect on your endpoint. This page details the most common options configured in the /etc/globus-connect-server.conf file.

Note: A detailed description of every setting can be found in the comments within the globus-connect-server.conf file that gets created on your system during the Globus Connect Server install process.

1. Frequently-used configuration settings

1.1. [Globus] section

  • The ClientId option sets the Client ID of the Globus Connect Server. This is created using the application located at developers.globus.org and selecting the New Globus Connect Server option. This value should be initially set to match the Client ID for the Globus app you create for your endpoint, and then should never be changed again.

  • The ClientSecret option sets the Client Secret of the Globus Connect Server. This is created using the application located at developers.globus.org and selecting the New Globus Connect Server option. This value should be initially set to match the Client Secret for the Globus app you create for your endpoint, and then should never be changed again unless you are changing the secret used by that Globus app using the tools provided at the above URL.

1.2. [Endpoint] section

  • The Name option sets the display name of the endpoint. The special value %(SHORT_HOSTNAME)s will substitute the first segment of the current machine’s public hostname. It is best if this name matches the Display Name you chose when you created the Globus app for this endpoint.

  • The ServerName option sets the public hostname of the Globus Connect Server server. The special value of %(HOSTNAME)s will use the hostname of the current machine. This value must be resolvable in public DNS to a public IP address for your system.

1.3. [LetsEncrypt] section

  • The Email option supplies an email address for Let’s Encrypt. You will get expiration warnings/notices regarding your endpoint’s certs at this email address, so it should be an email address that is regularly checked.

  • The AgreeToS option indicates that the user has explicitly agreed to the Let’s Encrypt Terms of Service. If not set to True, the globus-connect-server-setup scripts will provide a link to letsencrypt.org so the user can view and acknowledge the ToS.

1.4. [GridFTP] section

  • The IncomingPortRange option sets the port range to use for incoming connections. The format is startport,endport. If not set, this will default to 50000,51000. The use of the default port range is strongly recommended (you can read why here).

  • The OutgoingPortRange option sets the port range to use for outgoing connections. The format is startport,endport. Only use this if your firewall restricts outgoing ports and GridFTP won’t work otherwise. The default is to not restrict outgoing TCP ports.

  • The DataInterface option sets the external hostname or IP address to use for data connections. Normally, you will not need to set a value for this option. This option is usually only set when it is desired to force the data channel traffic to use a specific interface, such as forcing data channel traffic to use a high-speed link or in NATed environments with split DNS. If not set in this file, then the default behavior is:

    — When run on an EC2 instance, the data interface will be automatically configured to use the public IPv4 address of the instance.

    — When run on a non-EC2 instance, if [Endpoint].ServerName is set, then that value is used. If this resolves to a private IP address, a warning will be issued.

    — Otherwise, this will not be set, and the GridFTP server will tell clients to connect to the IP address that the control connection was established on.

  • The RequireEncryption option can be used to require an encrypted data connection for all transfers. If this is set to True, then transfers attempted without encryption will result in error.

2. NAT/Firewall support and configuration

The Globus Connect Server package provides configuration tools for several related services to enable administrators to easily configure a Globus endpoint. The globus-connect-server.conf file controls how the services used by Globus are configured, and includes configuration options to manage firewall-related configuration of services. Each service provided by the Globus Connect Server packages may be configured separately as described below.

Note that the descriptions below include examples of Globus Connect Server service configurations only. Configuring the firewalls themselves to allow the ports and host connections is not discussed. See the Open TCP ports section of the Globus Connect Server v5 Installation Guide for a discussion of the ports used by Globus Connect Server.

2.1. Configuring GridFTP

The options related to configuring GridFTP to work with firewalls and/or NAT are: [Endpoint].ServerName, [GridFTP].IncomingPortRange, [GridFTP].OutgoingPortRange, and [GridFTP].DataInterface.

By default, Globus Connect Server configures the GridFTP server assuming that incoming TCP connections are allowed to the port range 50000-51000 on the GridFTP server node for the data channel traffic and that the source port range for outbound data channel connections is not restricted.

2.2. Using GridFTP behind a NAT Firewall

To use a GridFTP server behind a NAT firewall, the [Endpoint].ServerName value needs to be set to a value that resolves in public DNS to a public IP address associated with the server hosting the endpoint. The firewall/NAT device must properly forward all traffic destined for the server’s public IP address to the correct internal address of the server. If operating in a split DNS environment, where the DNS name given in the [Endpoint].ServerName option resolves to a different IP address in internal DNS than the public IP address that the DNS name resolves to in public DNS, then the [GridFTP].DataInterface option should be set to the same value as the public IP address.

2.3. NAT Firewall Example

As an example, let us consider a site that is using NAT and also has a split DNS configuration. The DNS name for their server is public-gridftp.example.org, which is thus what the [Endpoint].ServerName option value is set to. The public-gridftp.example.org DNS name resolves to 1.2.3.4 in public DNS. However, in the site’s internal DNS, public-gridftp.example.org resolves to 192.168.0.1. Because of this, we’ll need to set the [GridFTP].DataInterface to 1.2.3.4 so that it will advertise the proper public IP address for the data channel. If the [GridFTP].DataInterface value isn’t set to the proper public IP address in this case, then GridFTP will advertise the IP address that the local host resolves the [Endpoint].ServerName value to as its data interface, which would be 192.168.0.1 due to the split DNS configuration at the site. Since 192.168.0.1 is a private IP address, transfers with this GridFTP server will fail if it is advertising its own data interface as 192.168.0.1 to other Globus endpoints on the public Internet. Thus, we specifically configure GridFTP to advertise the correct public IP address of 1.2.3.4 for its data interface.

Example of partial globus-connect-server.conf file for the above case:

[Endpoint]
...
ServerName = public-gridftp.example.org
...
[GridFTP]
...
DataInterface = 1.2.3.4

2.4. Using GridFTP with Firewall Port Restrictions

To use a GridFTP server with a firewall with incoming and/or outgoing port restrictions, use the [GridFTP].IncomingPortRange and [GridFTP].OutgoingPortRange configuration options. The former restricts the TCP port range that the GridFTP server listens on for data channel connections. The [GridFTP].OutgoingPortRange option restricts the TCP source port range that the GridFTP server uses when creating outgoing data channel connection sockets. For both of these items, the syntax of the port range is startport,endport (e.g. 50000,51000).

The use of the default values for both [GridFTP].IncomingPortRange and [GridFTP].OutgoingPortRange is strongly recommended (you can read why here).

2.5. Port Restrictions Example

As an example, this partial globus-connect-server.conf file configures the GridFTP server to listen for data channel connections on ports from 4000 to 5000 instead of the default 50000 to 51000. This example also configures GridFTP to use local source ports from 6000 to 7000 when establishing outbound data channel connections.


[GridFTP]
Server = public-gridftp.example.org
IncomingPortRange = 4000,5000
OutgoingPortRange = 6000,7000
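As an added example (not part of the Globus documentation or the globus-connect-server tooling), the following Python lint applies the two checks described on this page, the startport,endport syntax of the [GridFTP] port range options and the split-DNS rule for [GridFTP].DataInterface, to a constructed configuration fragment. DNS lookups are replaced by an injected dictionary standing in for the host's internal DNS view, so it runs offline.

```python
"""Offline pre-flight lint for a globus-connect-server.conf fragment.

Added example, not GCS code. It checks that port ranges are written as
startport,endport and that a ServerName which resolves to a private
address (split DNS) is paired with a public DataInterface.
"""
import configparser
import ipaddress

# Constructed fragment mirroring the page's split-DNS example.
SAMPLE_CONF = """
[Endpoint]
Name = %(SHORT_HOSTNAME)s
ServerName = public-gridftp.example.org

[GridFTP]
IncomingPortRange = 4000,5000
OutgoingPortRange = 6000,7000
DataInterface = 1.2.3.4
"""

# Constructed internal-DNS view: the public name resolves to an RFC 1918 address.
INTERNAL_DNS = {"public-gridftp.example.org": "192.168.0.1"}


def parse_port_range(value):
    """Parse 'startport,endport'; raise ValueError on anything malformed."""
    start, end = (int(p) for p in value.split(","))
    if not 0 < start <= end <= 65535:
        raise ValueError(f"bad port range {value!r}")
    return start, end


def lint_conf(text, resolve):
    """Return warnings for `text`; `resolve(name)` is the host's DNS view."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(HOSTNAME)s literal
    cp.read_string(text)
    warnings = []
    for key in ("IncomingPortRange", "OutgoingPortRange"):
        if cp.has_option("GridFTP", key):
            try:
                parse_port_range(cp["GridFTP"][key])
            except ValueError as exc:
                warnings.append(f"[GridFTP].{key}: {exc}")
    server = cp.get("Endpoint", "ServerName", fallback=None)
    iface = cp.get("GridFTP", "DataInterface", fallback=None)
    if server and server != "%(HOSTNAME)s" and not iface:
        local = ipaddress.ip_address(resolve(server))
        if local.is_private:  # same condition under which setup warns
            warnings.append(f"{server} resolves to private {local}; set [GridFTP].DataInterface")
    if iface and ipaddress.ip_address(iface).is_private:
        warnings.append(f"[GridFTP].DataInterface {iface} is private; public peers cannot reach it")
    return warnings
```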