Accessing Your Vault's File Staging Server

Each Vault in your domain has its own file staging server. The file staging server is a temporary storage area for files. For Veeva EDC, the staging server can be accessed via the vault-level FTP connection.

The file staging server deletes files according to the following rules:

  • The server automatically deletes extracted files and folders every 72 hours by default.
  • Deleted files are not recoverable.

Learn more about how the file staging server works for vaults.

Server URL

The URL for each staging server is the same as the corresponding Vault, for example, veepharm.veevavault.com.

How to Access File Staging Servers

You can access your staging server using your favorite FTP client, the Vault API, through the command line, or by using the Vault File Manager.

Vault File Manager Details

You can view, upload, move, rename, and delete files and folders on your Vault’s file staging server using Vault File Manager. Users with the Vault Owner or System Admin security profile can view and access the root folders of all Vault users in the File Staging tab. Users with the Vault File Manager Access permission can view their root folder on the File Staging tab.

Client Settings

Use the following settings with an FTP client:

  • Protocol: Explicit FTPS or FTPES
  • Encryption: Require explicit FTP over TLS (FTPS). This is a security requirement. Your network infrastructure must support FTPS traffic.
  • Port: This does not typically need to be added and will default to Port 21.
  • Host: vlt-{PODID}-ftp.veevavault.com. For example, 37 is the PODID if your Vault is on POD VV1-37. This value will change if your Vault is migrated to a different POD.
    • For convenience, some Vaults may be able to use the host: {domain}.veevavault.com. For example: veepharm is the domain in veepharm.veevavault.com. This does not work in all configurations.
  • Timeout: 180 seconds if uploading large files.
  • User: {DNS}.veevavault.com+{USERNAME}. This uses the same user name that you log in with. For example: veepharm.veevavault.com+tchung@veepharm.com.
  • Password: Your login password for this Vault. This is the same password used for your standard login. You can also use a valid session ID.
  • Login Type: Normal
  • Transfer File Type: Transfer files as binary
  • Transfer Mode: Passive
    • Active mode is unsupported
  • TLS Session Reuse: If your client has this setting, disable it.

Remote Verification: If you have remote verification enabled on a proxy or a firewall, FTP traffic from computers on your network to Veeva file staging servers might be refused. If possible, work with your IT department to disable remote verification. If it cannot be disabled, contact Veeva Support.
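
The client settings above, expressed as a Python ftplib client. This is an added example, not Veeva's own code: the function names and the upload helper are hypothetical, and the host and user formats follow the examples given on this page.

```python
import ssl
from ftplib import FTP_TLS

CONTROL_PORT = 21        # default control port from the settings list
TIMEOUT_SECONDS = 180    # timeout suggested for large uploads


def staging_host(pod: str) -> str:
    """Build the host from a POD name such as 'VV1-37' (PODID is 37)."""
    number = pod.rsplit("-", 1)[-1]
    if not number.isdigit():
        raise ValueError(f"cannot read a PODID from {pod!r}")
    return f"vlt-{number}-ftp.veevavault.com"


def staging_user(vault_dns: str, username: str) -> str:
    """Build the login in the {DNS}.veevavault.com+{USERNAME} form."""
    if not vault_dns.endswith(".veevavault.com"):
        raise ValueError("expected the full Vault DNS name")
    return f"{vault_dns}+{username}"


def tls_context() -> ssl.SSLContext:
    """Default context: certificate and host name are both verified."""
    return ssl.create_default_context()


def upload(pod, vault_dns, username, secret, local_path, remote_name):
    """Hypothetical helper: send one file over explicit FTPS in passive mode."""
    ftps = FTP_TLS(context=tls_context(), timeout=TIMEOUT_SECONDS)
    ftps.connect(staging_host(pod), CONTROL_PORT)
    try:
        # login() upgrades the control channel with AUTH TLS before USER/PASS.
        ftps.login(staging_user(vault_dns, username), secret)
        ftps.prot_p()         # protect the data channel with TLS as well
        ftps.set_pasv(True)   # passive mode; active mode is unsupported
        # ftplib opens each data connection with a fresh TLS session, which
        # matches the "disable TLS session reuse" setting.
        with open(local_path, "rb") as fh:
            return ftps.storbinary(f"STOR {remote_name}", fh)  # binary transfer
    finally:
        ftps.close()
```

Because the context verifies the certificate, a TLS-inspecting proxy on the path shows up as a verification error at login rather than as a silent downgrade.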

Network & Firewall Settings

In addition to your FTP client settings, your network environment may require some modification. Before trying to connect to the File Staging Server via FTPES, ensure your network and firewall are configured as follows:

  • Outbound firewall filters must permit TCP traffic on these ports to the Host:
    • 21
    • 56000-56100
    • If you are using the Vault Domain in the Host setting:
      • port 21 needs to be open to the Host IP address
      • 56000-56100 need to be open to the vlt-{PODID}-ftp.veevavault.com IP address.
      • If you have multiple Vaults on multiple PODs, please contact support for an address range that encompasses all of them.
  • Firewall filters should be configured by IP address, not DNS name
    • Your network team can retrieve the address from DNS
    • Some firewalls will use the DNS name for reverse lookups, which will fail. Others will scan the TLS handshake to get the connection domain name value and fail the data connections as they do not look like normal web traffic.
  • If the client is behind a Network Address Translation (NAT) device, the NAT device must ensure that all connections generated by the FTPES session are translated to the same source IP address.
    • NAT devices with IP address pools without “stickiness” are incompatible with the FTPES service.
    • This limitation also impacts Active-Active firewalls with separate NAT addresses but without “stickiness” for the TCP connections.