Due to SMB vulnerability on a XCOM for Windows server it is necessary to enable SMB signing on that server.
Does XCOM internally use SMB internally or is there any relation between them . If yes please help with complete details of it and the SMB version it uses ?
Will enabling SMB signing have any impact on the XCOM file transfers?
Release : 11.6
XCOM does not directly use SMB internally.
XCOM operates at the OSI Application Layer and from XCOM's point of view SMB signing is transparent, so enabling it should have no impact on XCOM.
Some additional advice:
1. As SMB is a network file sharing protocol, if in the XCOM file transfers a file specification is being used which is references a network drive (UNC/NAS file specification to read/write files) then it would be a good idea to ensure that the SMB signing change will not impact the relevant userid still having the required access to that file e.g.
- when sending files the userid that starts the XCOM service can read the local file
- when receiving files the USERID parameter being used in the transfer can write the remote file
2. From researching on the web it appears that enabling SMB signing may also involve the use of Kerberos instead of NTLM e.g. Overview of
Server Message Block signing. To use Kerberos it is strongly advised to ensure that the DOMAIN parameter is set for the USERID being used in any transfers to avoid unforeseen errors e.g. XCOM for Windows using Kerberos (NTLM disabled) gives XCOMN0287E
3. There is also a recent XCOM for Windows 11.6 SP03 PTF LU07574 for a UNC scenario that should be installed.
In general it is strongly advised that customers be fully up to date on maintenance which can be accessed from here:
https://support.broadcom.com/group/ecx/solutionfiles?sellable=XCOMSR059&os=WINDOWS-ALL&release=11.6&solution=XCOM%20Data%20Transport%20for%20Windows%20Family%20Server%20WINDOWS-ALL&subfamily=XCOM
XCOM PTFs are cumulative in terms of the fixes they contain, so it is only necessary to install the latest PTF listed on the above page to pick up the LU07574 fix.
4. It is also highly recommended to first enable SMB signing in a test/lower environment (if available) before doing so in production environments.