Many organisations have only a modest requirement for file transfer facilities. It's common to find companies shoving files around as email attachments, for example. Tumbleweed SecureTransport is designed for use in installations where file exchange is a core requirement, and where an ad-hoc system of random file-flinging would bring inefficiencies and perhaps even additional bandwidth costs.
The package is available either as a software product (Windows, Solaris, AIX or Red Hat Linux) or, as was the case with our review copy, on an appliance with Linux pre-installed. Tumbleweed seems to use the same appliances for several of its products, and so, like the MailGate product we reviewed recently, the unit was a rack-mountable appliance-style PC with a little LCD display and a basic set of buttons with which you can shut down or restart the unit and set the IP address information.
Even if you have the appliance version, you need to run the setup routine by hand on an SSH-connected command line. This is because there's stuff in the initial configuration that depends on your particular network installation. The process is pretty simple, though (it asks you a bunch of questions, and much of the time you simply hit Enter to choose the defaults it throws at you) and it takes only a few minutes to be up and running; once the unit's humming, you manage it via an HTTPS connection to port 444.
The ST server allows you to build file repositories to which users can connect using a variety of protocols, from FTPS (secure FTP), through HTTPS, to AS2. The configuration GUI therefore lets you set up all the parameters required to work with such protocols – users, groups, directory services (you can have internal user lists or hook up to an LDAP source) and security-related concepts such as digital certificates. The GUI isn't the nicest in the world (there's a list of top-level sections along the top of the screen, and you switch between sub-sections via a pull-down menu) but it's functional, though we hope Tumbleweed enlists the help of a GUI designer next time. Rather scarily, there are a few settings that you have to add via the command line: let's hope these become GUI options by the next version.
You can access the server in a number of ways. At the basic level is a simple browser interface, though a nicer approach is to use the ST ActiveX control if you have Windows clients (once you've enabled it on the server, it'll be automatically downloaded to clients that connect). There's also a proper ST Windows client, or if you wish you can opt for a third-party FTP package (obviously you'll need a client that can do FTPS).
You can use the server as a stand-alone entity if you wish, but larger installations might want to consider the SecureTransport Edge. The ST Edge is a secondary device that stores no data, but acts as an interface between the end user and the main ST server – the idea being that you can put your ST server in a secure part of the network, and then present it via any number of ST Edge servers that are located in the DMZ. It wasn't obvious to us at first why you'd want to do this, but then we realised: to put the ST server in the DMZ is to punch a hole through the firewall to allow worrying stuff like LDAP directly into your corporate directory server – something that many network managers would refuse to do.
SecureTransport is one of those products that addresses a business requirement you often don't know you have. Few network managers find themselves thinking: "What I really need is an integrated, secure file transfer server", but when you've looked at the unit you realise that it's actually an attractive, useful device that integrates sensibly with the corporate infrastructure. The only downside to the product is the management GUI, which really would benefit from the attention of a decent interface designer. Apart from that, we're impressed with the unit's usefulness.
Simple file exchange services can be implemented using traditional email or file transfer protocols and combining them with concepts such as S/MIME and PGP. If you have a significant requirement, though, this type of device does it all in one box.