System Requirements ................................................ 1
Version 2017 Plus Limitations ...................................... 2
New Features ....................................................... 2
Known Issues and Workarounds ....................................... 3
Introduction ....................................................... 5
Web Farms and Load Balancers ....................................... 7
Install ............................................................ 8
Standard Install ................................................... 8
Step 1: Install Gateway Server and Server-Side SSTP Tunnel ......... 8
Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server  11
Step 3: Launch Gateway Configuration Interface ..................... 12
Step 4: Configure the Firewall ..................................... 13
Pre-requisites ..................................................... 13
Step 1: Gateway Server Firewall Rules .............................. 14
Step 2: MOVEit Transfer Server Firewall Rules ...................... 16
Web Farm Install ................................................... 21
Upgrade ............................................................ 22
Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel ......... 22
Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server  24
Endpoint and Proxies ............................................... 25
Remote Access ...................................................... 28
MOVEit Transfer Server Changes ..................................... 28
Add a Proxy ........................................................ 28
Delete Keys ........................................................ 32
Reset an SSH Key ................................................... 32
Settings ........................................................... 32
Ipswitch Gateway User's Guide

Release Notes

System Requirements

Ipswitch Gateway Server:
§ Windows Server 2012R2 or 2016
§ 4 GB RAM
§ 40 GB hard drive
§ Dual-core or faster processor
§ Dual network interface cards (1 GB/sec minimum) for separate external and internal services (recommended)
§ Production systems will benefit from additional resources, including faster, additional and multi-core processors, more RAM, hard drive capacity, and speed
§ Supported Virtualization Environments:
  § VMware vSphere (64-bit guest servers)
  § Microsoft Hyper-V (64-bit guest servers)

MOVEit Transfer Server:
§ MOVEit Transfer 2017 Plus
§ Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 (64-bit English)
§ MOVEit Mobile 1.3.1 (optional)

Version 2017 Plus Limitations
§ Lack of support for Ipswitch® Failover
§ Multiple organizations with unique IP addresses

New Features

Each entry is listed as ID [Category]: Issue.

GW-853 [HTTP Proxy]: 2017 Plus introduces a new setting on the HTTP proxy, the client certificate listening port. This port accepts HTTPS requests from the user during client certificate authentication only, and after sign in, the user's session to Ipswitch Gateway goes through the normal Listen On Port number. The default client certificate listening port is 2443, which requires a firewall rule.

GW-852 [Settings]: The Gateway's hostname or IP address was added to the Settings page. You may now edit this name post-installation. Doing so restarts all running HTTP proxies.

GW-838 [Install]: On fresh installs, the Ipswitch Gateway installer now prompts for the hostname of the Gateway system, as viewed by end users. This is needed for processing HTTPS client certificate authentication.

GW-741 [Proxies]: When adding a proxy, the Listen on IP Address or Hostname value is now prepopulated with 0.0.0.0, which directs the proxy to listen on all available addresses at the given port.

GW-726 [Client Identity]: Client IP addresses and client certificates now propagate to MOVEit Transfer for all proxies. Previously, all requests to MOVEit Transfer seemed to originate from the Gateway machine, making it necessary to disable certain security related MOVEit Transfer features, such as IP Lockouts, and sign out logs and technical support links in MOVEit Transfer showed the Gateway IP address instead of the client IP address. Ipswitch Gateway now implements authentication to MOVEit Transfer using SSL client certificates, and SFTP public keys.

GW-47 [HTTP Proxy]: For every proxy request, Ipswitch Gateway now sends to MOVEit Transfer a header that contains the IP address of the browser that is accessing Gateway. You no longer need to disable IP lockouts on the MOVEit Transfer server.

GW-72 [Licensing]: Starting with the 2017 Plus release, Ipswitch Gateway must verify licensing with MOVEit Transfer before launching the Gateway Configuration Interface during Step 3 of the install, and any time the Gateway server reboots.

Fixed Issues

GW-855 [MOVEit]: MOVEit Session Manager and MOVEit Logs were recognizing the Ipswitch Gateway Web Admin as 'MOVEit Xfer' interface. This issue has been fixed.

GW-842 [HTTPS]: Microsoft Edge users authenticating with a client certificate must restart their computer after importing the client certificate. This is a known limitation of the Microsoft Edge browser.

GW-830 [Documentation]: Updated Step 3 > step 3 > Configure Endpoint > IP Address to read "The IP address entered here should be 192.168.1.2, which is the IP address of the MOVEit Transfer server on the tunnel connection. Do NOT use the actual IP address of the MOVEit Transfer server."

GW-829 [SFTP]: Ipswitch Gateway's SFTP server has been improved so it can handle more simultaneous connection requests. Previously, the SFTP server could refuse connections under heavy load.

GW-826 [Settings]: A minor change was made to the message displayed when the FTP passive port range was changed.

GW-820 [Security]: Previously it was possible to configure a proxy on the Gateway server to contain certain HTML tags that could be reflected back to the user in the confirmation message associated with start/stop/edit actions. This issue has been fixed.

Known Issues and Workarounds

GW-1073 [Keys and Certs]: In Internet Explorer 11, when you select Keys and Certs > Import to upload a client certificate, there is no "Modified On" field.

GW-1070 [Install / Uninstall]: The install does not create an item for the Gateway client under Programs and Features. To confirm that the Ipswitch Gateway Tunnel is present, go to Network and Sharing Center on the MOVEit Transfer server. To uninstall, please execute the Gateway installer directly on the MOVEit Transfer machine and select Step 2 and then select Uninstall.

GW-1068 [Uninstall]: After uninstall, Gateway's IP is not removed from the MOVEit Transfer's trusted host list. To delete the Gateway IP from the trusted host list, follow these steps:
  1 Sign in to MOVEit Transfer as sysadmin.
  2 Go to Settings > System > Remote Access > SysAdmin & Trusted Hosts.
  3 Under Trusted Hosts, click Edit Access Rules.
  4 Next to the Gateway IP address (for example, 192.168.1.1), click X to delete, and then click Yes to confirm.

GW-1003 [HTTPS]: By default the Outlook plugin uses port 443 to initiate a connection to MOVEit DMZ. With Gateway deployment, if a user has a client certificate requirement they will run into issues connecting to Gateway via a default Outlook plugin install. Workaround: Change the default port in Outlook.

GW-992 [Licensing]: When a MOVEit Transfer administrator installs a new license that enables Ipswitch Gateway, it can take up to fifteen minutes for Gateway to notice that a new license is available. Hence, proxies which have been stopped for licensing reasons may continue to be unavailable for up to 15 minutes. The Gateway administrator can shorten this waiting period by logging into the Ipswitch Gateway administrative interface and manually starting each proxy. To do this, for each proxy, under Actions choose Start Proxy.

GW-990 [FTP]: The following specific FTP configuration on Gateway/MOVEit Transfer prevents users from accessing MOVEit Transfer through Gateway using insecure FTP:
  Allow FTP/SSL Access: Yes
  Allow Insecure FTP Access: Yes
  SSL Client Cert Required: Yes
  Password also required with SSL Client Cert: Yes
Workaround: To utilize insecure FTP, do not set both "Allow Insecure FTP Access" and "SSL Client Cert Required" to "Yes".

GW-989 [FTP]: If the FTP client shuts down during file download, the connection between Gateway and MOVEit Transfer Server could remain open up to 10 minutes. If this happens more frequently than normal, it could potentially exhaust the allowed number of connections on MOVEit Transfer Server and clients can no longer make new connections until the existing open connections are closed. Workaround: It is recommended that you use the MOVEit Transfer Config utility to change FTP Ports > Connection Limit from 32 to a larger number such as 1000, to allow an adequate number of clients to connect without reaching the limit easily.

GW-985 [Upgrade]: During an upgrade, the SSTP connection drops. Workaround: After upgrading Gateway Server, reconnect the SSTP connection by manually running the Windows scheduler task.

GW-840 [Uninstall]: After uninstall, Computer Management (win+R > compmgmt.msc) still shows Local Users and Groups > Users > GatewayVPNUser.

GW-879 [Sign In]: On the MOVEit Transfer sign in page, when you click Try Automatic Signon through Gateway, you see a window that displays available certificates. If you click Cancel in this window, the browser redirects you to an error page that states "This site can't provide a secure connection" (a certificate was not provided). Workaround: If you see this error page, press the back button to return to the sign in page or refresh the browser page to display the available certificates again and choose the correct certificate.

GW-849 [Security]: When using HTTPS client certificates through a browser, Ipswitch Gateway users may be offered to choose from more certificates than would be the case if they accessed MOVEit Transfer directly. While MOVEit Transfer instructs the browser to prompt the user only for certificates created or approved through MOVEit Transfer, Ipswitch Gateway has no such feature. Thus, users who have installed client certificates for applications other than MOVEit Transfer should ignore those certificates when making a selection from their browser's list of certificates.

GW-813 [Upgrade]: Customers upgrading from a previous release should check that the new "Host Name" field is correct. This field is in the Settings tab of the administrative interface. Ipswitch Gateway provides a default value, which is often incorrect. This new setting is used for client certificate authentication.

GW-760 [Install]: After Ipswitch Gateway is installed on Windows Server 2016, the Remote Access Connection Manager service will not start. This does not adversely affect the operation of Ipswitch Gateway; however, it could be a problem if the server is being used for RAS for other purposes. This is unlikely, as Ipswitch recommends that Ipswitch Gateway be run on a dedicated server. This problem does not occur when Gateway is installed on Windows Server 2012R2.
Introduction

Ipswitch Gateway acts like a reverse proxy to provide an additional layer of security for MOVEit Transfer customers. Inbound traffic cannot come through the firewall into the trusted zone; all sessions terminate in the MOVEit Transfer network segment. The outward-facing portion of the network (typically the Internet) is separated from the MOVEit Transfer server, which is typically behind a firewall in a trusted zone on a local private network. Ipswitch Gateway exchanges authentication, credentials, files, and other data between remote clients and a MOVEit Transfer server (Endpoint) located in the trusted zone. You do not need open ports in your firewall to allow clients to communicate with MOVEit Transfer.

How it Works

During installation, a secure SSTP tunnel (virtual private network) is created from the MOVEit Transfer server to the Ipswitch Gateway computer (or virtual machine). Ipswitch Gateway then runs as a Windows Service that provides reverse proxies and forwards only encrypted traffic to the MOVEit Transfer server over the tunnel. All communications between the client and server session are encrypted and streamed through this connection. Ipswitch Gateway inspects all requests and, if the requests look valid, forwards them to the MOVEit Transfer server (Endpoint) for fulfillment. Responses from MOVEit Transfer are sent back to Ipswitch Gateway, which returns them to the user. This process is invisible to incoming clients.

Ipswitch Gateway supports the following protocols:
§ FTP (Implicit and explicit)
§ SSH/SFTP
§ HTTP/HTTPS

The Ipswitch Gateway Configuration Interface provides an easy way to configure and manage these reverse proxies, their port and connection details, and current running status.

All clients supported by MOVEit Transfer are also compatible with Ipswitch Gateway.

Ipswitch Gateway also supports single, high availability, and web farm environments (on page 7).

Web Farms and Load Balancers

Ipswitch Gateway supports MOVEit Transfer web farms. A web farm is a collection of machines that each run a separate copy of MOVEit Transfer, but all copies share the same database, file system, and other resources. Web farms employ load balancers that allow an administrator to:
§ Advertise a single URL to all users, with a single SSL certificate
§ Distribute the load evenly over all application nodes to improve performance
§ Provide fault tolerance; if an application node fails, the load balancer stops routing traffic to it until it comes back up

Some MOVEit Transfer web farms might use the built-in Microsoft Windows Network Load Balancing (NLB) feature to implement load balancing. NLB allows load balancing to be added to a cluster without having a separate node in front of the worker nodes. The load-balancing is built into the operating system and the feature is provided collectively by all worker nodes. Ipswitch does not support the built-in Microsoft Windows Network Load Balancer (NLB) in the initial release of Ipswitch Gateway.

Most enterprise web farm customers employ traditional load balancers from hardware vendors like Cisco and F5. The deployments below focus on this scenario.

One load balancer, many Gateways

The recommended load balancing scenario uses a single load balancer and multiple Ipswitch Gateways, each running on a separate machine. Each Ipswitch Gateway is dedicated to a specific MOVEit Transfer node. A failure of a MOVEit Transfer node, its SSTP tunnel, or its associated Ipswitch Gateway machine results in the automatic temporary removal of the node from the load balancer.

Note: The single load balancer is presumed to have high availability features that prevent it from becoming a single point of failure. This is generally a valid assumption for major load balancer vendors.
Install

Select one of the following install options:
§ Standard Install (on page 8)
§ Web Farm Install (on page 21)

Standard Install

Installation consists of three steps:
Step 1: Install Gateway Server and Server-Side SSTP Tunnel (on page 8)
Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server (on page 11)
Step 3: Launch Gateway Configuration Interface (on page 12)
Step 4: Configure the Firewall (on page 13)
Step 1: Install Gateway Server and Server-Side SSTP Tunnel

Before you proceed, make sure the MOVEit Transfer server is installed and running.

1 On a separate machine from MOVEit Transfer, sign in with administrator credentials.
2 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the installer for Ipswitch Gateway 2017 Plus for MOVEit Transfer.
3 Open the Ipswitch Gateway installer and click Run to run the install wizard.
4 Welcome: Select Step 1: Install a Gateway server (outside firewall) and a server side SSTP tunnel. Click Next. The installer looks for prerequisite software.
5 System Check: The installer verifies the following:
  § Operating System Version: The machine must be running the Windows Server 2012R2 or Server 2016 operating system
  § Routing and Remote Access Service: A Windows server is required to properly configure the Routing and Remote Access (RRAS) service. Workstations are not supported.
  § Routing and Remote Access - IIS: If IIS is installed and enabled, the IIS service will be disabled to avoid configuration conflicts with the Remote Access service and VPN. If not, the necessary components of Microsoft Internet Information Services (IIS) will be installed.
  § Administrator privileges
  Click Next.
6 Options: Ipswitch Gateway Folder: Select a location to install the Ipswitch Gateway server files, and then click Next.
7 Options: Gateway Configuration Interface. Designate a certificate to use as the identity of the Gateway Configuration interface. This certificate will be presented to Gateway administrators accessing the administrative user interface via a browser.
  § X.509 (*.pfx or *.p12) certificate from your computer (recommended): Browse to locate the SSL *.pfx or *.p12 file. Since in many cases the hostname of the Gateway server will be the hostname previously assigned to a MOVEit Transfer server, you may wish to use the certificate already installed on your MOVEit Transfer server. If you need to create a *.pfx or *.p12 file from your MOVEit Transfer server, see Create a *.pfx or *.p12 File (on page 10). Enter the Certificate password in the space provided.
  § System-generated self-signed certificate: By default, the installer populates the Certificate Name field with Ipswitch Gateway (Demo). In most cases, you will simply accept the proposed value and continue. The Certificate Name value is used to populate the CN parameter in the *.pfx or *.p12 file.
  Choose the network interface and port to listen on:
  § Network Interface: Select a network interface (IP address) from the drop-down list. In most cases, you will want the Gateway to listen on All Interfaces.
  § Port: Enter the TCP port to which Gateway administrators will connect with a browser, to administer Ipswitch Gateway. It is recommended that you accept the default of 9443. When configuring the TCP port for the administrative interface, do not choose a port number that is likely to already be in use by the system, such as 10043. The default, 9443, is a good choice for most systems.
  Click Next.
8 Options: Service User Account: Designate which account Ipswitch Gateway should use to run the Gateway service process:
  § Local System account
  § Different account: Enter the username and password of the different account.
  Click Next.
9 Options: Certificate for the SSTP Tunnel: Designate a certificate to use for the Secure Socket Tunnel Protocol (SSTP) connection:
  § System-generated self-signed certificate: For Certificate Name, enter the IP address or hostname that will be used to connect to this machine from the MOVEit Transfer server.
  § Certificate from the certificate manager: Select an existing certificate from the drop-down list. Public keys will not be shown here. Optionally click View Details to see detailed information about that certificate, in case you need to distinguish between certificates with the same name.
  Click Next.
10 Options: SSTP Tunnel Credentials: Enter a password for the GatewayVPNUser account that will run the SSTP tunnel. If the account does not exist, a new account will be created using these credentials.
  Important: Write down these credentials. You will need them in subsequent steps.
  Click Next.
11 Options: Gateway Server Hostname: Enter a fully-qualified domain name of the Gateway machine. This is used to create HTTP redirects and is currently used only for client certificate authentication. This hostname should be visible to web browsers accessing the Gateway system. You can edit the name later if required. Doing so will restart all running HTTP proxies.
12 Ready to Install: Verify the installation setup, and then click Install. After a few moments, the installation is complete.
13 Click Finish.
  Note: Your web browser may attempt to open the Gateway Configuration Interface at this point. You will return to the Gateway Configuration Interface after Step 2 (on page 11).
  Note: When you see the Enable Windows Firewall, ignore it for now. You will configure the firewall in Step 4 (on page 13).
14 On the Gateway server, open Network Policy Server.
15 Expand Policies and select Connection Request Policies.
16 Right-click on Microsoft Routing and Remote Access Server Policy and select Properties.
17 Go to the Settings tab.
18 Select Authentication Methods.
19 Select Override network policy authentication settings (if not selected).
20 Make sure that Microsoft: Secured password (EAP-MSCHAP v2) is enabled under EAP Types.

Proceed to Step 2 (on page 11).
Create a *.pfx or *.p12 File

If you need to create a .cer file, follow these steps:
1 Run Internet Information Server (IIS) Manager on the MOVEit Transfer machine.
2 In the left pane, navigate to Sites, and then the name of your MOVEit Transfer website. In most cases, that is "moveitdmz".
3 In the right pane, choose Bindings...
4 In the Site Bindings dialog, choose https.
5 Choose Edit...
6 In the Edit Site Binding dialog, choose SSL Certificate | View...
7 In the Certificate dialog, choose the Details tab.
8 Choose Copy to File...
9 In the Certificate Export Wizard, choose Next.
10 In the Export Private Key window, choose Yes and choose Next.
11 In the Export File Format, choose PKCS#12 and choose Next.
12 Enter the password.
13 In the File to Export window, choose Browse...
14 In the Save As dialog, select a directory and enter a file name to which the certificate should be saved, such as moveittransfer.pfx
15 Choose Save.
16 In the File to Export window, choose Next.
17 In the Completing the Certificate Export Wizard window, choose Finish.
18 In the Certificate Export Wizard popup, choose OK.
19 In the Certificate dialog, choose OK to dismiss the dialog.
20 In the Edit Site Binding dialog, choose Cancel to dismiss the dialog.
21 In the Site Bindings dialog, choose Close to close the dialog.
22 Upload the file to MOVEit Transfer, and then download the file on the Ipswitch Gateway machine.
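The same export can be scripted on the MOVEit Transfer machine. The following PowerShell is an added example, not a procedure from this guide: it assumes the IIS WebAdministration module and the PKI module (Export-PfxCertificate, Get-PfxData) are available, that the site is named moveitdmz as the guide's default, and that the bound certificate's private key is exportable (the same condition the wizard's "export the private key: Yes" step relies on). Unlike the wizard, it refuses early when no private key is present and checks that the written file opens with the chosen password.

```powershell
# Added example, not from the Ipswitch guide: export the certificate bound to the
# MOVEit Transfer HTTPS site as a PKCS#12 (*.pfx) file from PowerShell.
# Assumptions: IIS WebAdministration and PKI modules are present; site name is the
# guide's default "moveitdmz"; the private key is marked exportable.
param(
    [string]$SiteName = "moveitdmz",
    [string]$OutFile  = (Join-Path $env:USERPROFILE "Desktop\moveittransfer.pfx")
)

Import-Module WebAdministration -ErrorAction Stop

# Locate the certificate through the site's https binding instead of guessing a subject name
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "Site '$SiteName' has no https binding; check the site name in IIS Manager." }

# IIS may keep the certificate in "My" or in "WebHosting"; the binding records which
$storeName = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { "My" }
$cert = Get-ChildItem "Cert:\LocalMachine\$storeName" |
    Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert) { throw "Bound certificate $($binding.certificateHash) not found in LocalMachine\$storeName." }

# Export-PfxCertificate cannot export a certificate whose private key is missing or
# non-exportable, so report that before prompting for a password
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key in this store." }

"Exporting: {0}`n  Issuer:  {1}`n  Expires: {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter

$password = Read-Host -Prompt "Password to protect the .pfx" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password -ErrorAction Stop | Out-Null

# Round-trip check: the file must open with the same password and contain the same certificate
$pfx      = Get-PfxData -FilePath $OutFile -Password $password
$exported = $pfx.EndEntityCertificates | Select-Object -First 1
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Exported file does not contain the expected certificate." }

"Wrote $OutFile ($((Get-Item $OutFile).Length) bytes). Copy it to the Gateway machine as described in step 22."
```

Run it from an elevated PowerShell prompt on the MOVEit Transfer server; the resulting file is the one you select in Step 1, step 7 (X.509 certificate from your computer), and the password you typed is the Certificate password entered there.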
Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server

1 Sign in to the MOVEit Transfer server with administrator credentials.
2 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the installer for Ipswitch Gateway for MOVEit Transfer.
3 Open the Ipswitch Gateway installer and click Run to run the install wizard.
4 Step 2: Install a client side SSTP Tunnel on your existing MOVEit Transfer server is preselected. Click Next.
5 System Check: The installer verifies that you have Administrator Privileges.
  Note: If you chose to use a self-signed certificate during the Ipswitch Gateway Tunnel server installation, you must import that certificate from the server computer into this computer's certificate store before continuing with the installation.
  Click Next.
6 Options: Connect SSTP tunnel to Gateway Server. Enter the Gateway Server Address or hostname to establish a connection.
  Important: What you enter here must be identical to what you entered for IP address or hostname in Step 1 (on page 8): Options: Gateway Configuration Interface > System-generated self-signed certificate > Certificate Name.
  Click Next.
7 If the SSTP certificate does not exist on the client-side machine, you must choose to either trust and import the SSTP certificate from the Ipswitch Gateway Tunnel, or not trust and not import it:
  § I trust this certificate. Import this certificate into the local trusted certificate store: Automatically imports and trusts the SSTP certificate.
  § I do not trust this certificate. Do not import this certificate: Does not import the SSTP certificate. You must import the certificate manually. (This option is not often used. Situations where you might select this option include importing the certificate manually to avoid the software from importing a certificate from a man-in-the middle attack, or changing certificates after installation.)
8 Options: SSTP Tunnel Credentials: Enter the SSTP Tunnel Credentials that you wrote down at the end of Step 1 (on page 8). An account will be created that will run the SSTP tunnel.
  Note: If the Gateway Server computer requires a domain name during connection, enter Domainname\GatewayVPNUser instead of GatewayVPNUser.
  Click Next.
9 Options: Scheduled Task Context Account: Enter the credentials for an existing local Windows account. This account will be used to initiate and monitor the SSTP tunnel. This user will be used as a context user by the scheduled task that will start and monitor the Gateway Tunnel Connection.
10 Ready to Install: Verify the installation setup, and then click Install. After a few moments, installation is complete.
11 Click Finish.
12 Next, you may need to manually start the VPN tunnel connection. On the MOVEit Transfer server, open Network Connections.
13 Right-click Ipswitch Gateway Tunnel and select Properties.
14 Select the Security tab.
15 For Authentication, select Use Extensible Auth Protocol and select Microsoft Secured password (EAP-MSCHAP v2) (encryption enabled) from the drop-down list.
16 Open Administrative Tools > Task Scheduler.
17 Select Task Scheduler Library in the left panel.
18 Right-click the task named Ipswitch Gateway Tunnel connect and select Run. This will attempt to start the tunnel connection.
  Important: Do NOT connect manually through the Network and Sharing Center or the connection will drop when the user logs out.

Next, go to Step 3 (on page 12).
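Steps 16 to 18 (and the GW-985 workaround after an upgrade) can be done without the Task Scheduler console, which also makes it easy to confirm the tunnel actually came up rather than assuming it did. The script below is an added example and not part of this guide or the product; it uses the task and connection names the guide gives ("Ipswitch Gateway Tunnel connect" and "Ipswitch Gateway Tunnel") and the standard ScheduledTasks and VpnClient cmdlets, and keeps to the supported path by starting the task rather than dialling the connection from Network and Sharing Center.

```powershell
# Added example, not from the Ipswitch guide: start the SSTP tunnel through the scheduled task
# (the supported way, per the Important note above) and wait until Windows reports it Connected.
# Names are the guide's: task "Ipswitch Gateway Tunnel connect", connection "Ipswitch Gateway Tunnel".
param(
    [string]$TaskName       = "Ipswitch Gateway Tunnel connect",
    [string]$ConnectionName = "Ipswitch Gateway Tunnel",
    [int]$TimeoutSeconds    = 90
)

function Get-GatewayTunnel {
    param([string]$Name)
    # The installer may have created the tunnel as an all-users or a per-user connection; look in both places
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if (-not $vpn) { $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue }
    return $vpn
}

$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
if ($task.State -eq 'Disabled') { throw "Task '$TaskName' is disabled; enable it before starting the tunnel." }

$before = Get-GatewayTunnel -Name $ConnectionName
if ($before -and $before.ConnectionStatus -eq 'Connected') {
    "Tunnel '$ConnectionName' is already connected to $($before.ServerAddress)."
    return
}

# Equivalent of right-click > Run on the task in Task Scheduler (steps 16-18)
Start-ScheduledTask -InputObject $task

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 5
    $vpn    = Get-GatewayTunnel -Name $ConnectionName
    $status = if ($vpn) { $vpn.ConnectionStatus } else { 'NotFound' }
    "$(Get-Date -Format T)  $ConnectionName : $status"
} until ($status -eq 'Connected' -or (Get-Date) -gt $deadline)

if ($status -ne 'Connected') {
    # Surface the task's own exit code; a non-zero value usually points at credentials or the
    # Security-tab authentication setting from steps 13-15
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    throw ("Tunnel did not come up within {0}s (task last result 0x{1:X}). Re-check steps 13-15 and the SSTP credentials." -f $TimeoutSeconds, $info.LastTaskResult)
}

"Connected: TunnelType=$($vpn.TunnelType) Server=$($vpn.ServerAddress) Auth=$($vpn.AuthenticationMethod)"
```

Run it as the account that will administer the server, not as GatewayVPNUser. The final line should show TunnelType Sstp and the Gateway Server Address you entered in step 6; a different server address means the task is pointing at a stale connection profile.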
Step 3: Launch Gateway Configura tion I nterfa ce
1 Re turn to the Ipswitch Gateway server.
2 If a web browser opened the Gateway C onfi gurati on Interface at the e nd of Step 1 (on page 8), go to
that web page now and press click here. If the web page di d not open at the end of Step 1, open a web
browser and go to https://localhost:portnumber, where portnumber i s the port you selected at the end
of Step 1.
A page l aunches where you will configure the fi rst Endpoi nt. If your connection is not secure,
click Advanced, Add Ex ception in your browser, and then Confirm Security Exception (Firefox steps
shown; take simi l a r steps for other browsers).
Note: You cannot perform this step remotely. You must be on the Ipswitch Gateway server to set up
the first Endpoint.
3 Configure Endpoint: Enter information about a MOVEit Transfer server (Endpoint).
§ IP Address: The IP address entered here should be 192.168.1.2, which is the IP address of the
MOVEit Transfer server on the tunnel connection. Do NOT use the actual (LAN) IP address of the
MOVEit Transfer server.
§ Port (443 is the default)
§ Expected Host Name (optional)
§ Host Name Verification Policy:
• Default: The server you connect to must have a cert that matches one of the hostnames listed. A
wildcard can occur in the common name (CN), and in any of the subject-alts. The one
divergence from IE6 is that we only check the first CN.
• Allow All: Allows you to connect to any server without performing a hostname check. For
testing purposes only - do not use in a production environment.
§ Virtual Path (optional): Enter the virtual path if you've set up MOVEit Transfer to run as a virtual
directory in IIS. For example, moveitdmz.
Click Submit. Note that the MOVEit Transfer server's IP address and host name (if present) display at
the top of the configuration page now.
4 Verifying:
Verify the MOVEit Transfer Server SSL Certificate(s). Review the server certificate details for
authenticity:
§ Key Type
§ Host Names
§ Issuer
§ Subject
§ Serial Number
§ Valid From
§ Expires
Click Trust to perform the SSL handshake. The verification process checks connection status, trusts
SSL certs, validates the MOVEit Transfer Endpoint, and logs in to MOVEit Transfer.
If you encounter a trust error, you will see the conflicting certificate chains with the new certificate on
the left and the existing certificate from the Trust Store on the right. At this point you can either
click Reset Endpoint to delete the Endpoint and start over, or click Override to accept the mismatched
certificate chain. The new certificate becomes trusted and verification continues to the next step. Only
override when you have confirmed, on the MOVEit Transfer server itself, that the certificate was
deliberately changed.
Gateway License Validation: Ipswitch Gateway 2017 Plus requires that your MOVEit Transfer server
have a new license with Gateway enabled. This is true for both fresh installs and upgrades. If you have
not yet installed this new MOVEit license, you will see the message "License Not Found." You will be
prompted to upgrade your MOVEit Transfer license and Retry.
Log in to the MOVEit Transfer server as sysadmin or orgadmin and click Submit.
After checking ciphers, the Endpoint is verified. The verification process will reoccur automatically
whenever the system reboots.
5 Click Login to Gateway and sign in as sysadmin or orgadmin.
You can Re-Verify or Delete the Endpoint you just created from the sign in screen. You might need to
do this at a later point if the MOVEit Transfer server's certificate identity changes or the MOVEit
Transfer server location moves from one machine to another.
Next, Configure Endpoint and Proxies (on page 25).
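The certificate fields listed under Verifying, and the Default host name rule, can be checked from the Gateway server before you click Trust, so that what the Gateway displays is compared with an independent record. The following PowerShell script is an added example written for this guide; it is not part of Ipswitch Gateway. It assumes the tunnel address 192.168.1.2 and port 443 from step 3, an Expected Host Name of moveit.example.com (a placeholder), and that a wildcard in a certificate name matches exactly one leftmost label (the common rule; the guide does not say how far a wildcard reaches).

```powershell
# Added example, not part of Ipswitch Gateway. Fetches the certificate that the MOVEit
# Transfer Endpoint presents on the tunnel address, prints the fields the Verifying step
# shows, and applies the Default host name policy from the guide.
$EndpointAddress  = '192.168.1.2'          # tunnel address of the Endpoint (from the guide)
$EndpointPort     = 443
$ExpectedHostName = 'moveit.example.com'   # assumed value; use your Expected Host Name

function Get-EndpointCertificate {
    param([string]$Address, [int]$Port, [string]$ServerName)
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    # Accept anything here so the handshake completes; the trust decision is made by the
    # operator after reading the details, exactly as in the Verifying step.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ServerName)   # $ServerName is also sent as SNI
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = New-Object System.Collections.Generic.List[string]
    # Only the first CN counts, as the Default policy in the guide states.
    $cn = [regex]::Match($Cert.Subject, '(?:^|,\s*)CN=([^,]+)')
    if ($cn.Success) { $names.Add($cn.Groups[1].Value.Trim()) }
    # Subject Alternative Name (OID 2.5.29.17). Format() renders "DNS Name=x, DNS Name=y" on Windows.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names.Add($m.Groups[1].Value)
        }
    }
    return $names
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$CertNames,
          [ValidateSet('Default', 'AllowAll')][string]$Policy = 'Default')
    if ($Policy -eq 'AllowAll') { return $true }    # no check at all: testing only
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq is case-insensitive in PowerShell
        if ($name.StartsWith('*.')) {
            # Assumption for this example: the wildcard stands for exactly one leftmost label.
            $suffix = $name.Substring(1)            # ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                -not $HostName.Substring(0, $HostName.Length - $suffix.Length).Contains('.')) {
                return $true
            }
        }
    }
    return $false
}

$cert  = Get-EndpointCertificate -Address $EndpointAddress -Port $EndpointPort -ServerName $ExpectedHostName
$names = Get-CertificateHostNames -Cert $cert

# The same fields the Verifying screen shows, plus the thumbprint for comparison with the
# certificate installed on the MOVEit Transfer server.
[pscustomobject]@{
    KeyType      = $cert.PublicKey.Oid.FriendlyName
    HostNames    = ($names -join ', ')
    Issuer       = $cert.Issuer
    Subject      = $cert.Subject
    SerialNumber = $cert.SerialNumber
    ValidFrom    = $cert.NotBefore
    Expires      = $cert.NotAfter
    Thumbprint   = $cert.Thumbprint
} | Format-List

if (-not (Test-HostNameMatch -HostName $ExpectedHostName -CertNames $names)) {
    Write-Warning "Certificate does not match '$ExpectedHostName'; expect a trust error in the Gateway."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan to Re-Verify the Endpoint after renewal."
}
```

Run it on the Gateway server, which is the only host that reaches 192.168.1.2 through the tunnel. Compare the printed thumbprint with the certificate bound in IIS on the MOVEit Transfer server; if they differ, the trust error the Gateway reports is genuine and Override is the wrong answer until the difference is explained.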
Step 4: Configure the Firewall
Pre-requisites
§ Gateway server has been successfully installed and configured in the DMZ according to Gateway
installation documentation.
§ SSTP VPN tunnel has been successfully installed and configured according to Gateway installation
documentation.
Notes
§ The MOVEit Transfer public rule to block all public incoming connections is recommended to override
any other rules the user may have set up, possibly including rules created by the MOVEit Transfer installer.
"Block" rules take precedence over "Allow" rules.
§ Internal users will be able to access MOVEit Transfer directly if there is a second interface that is
marked as private by Windows. Note that network interfaces, including the one used to connect to
Gateway, are created as public by default in Windows, so the customer would have to go out of their
way to mark the second interface (if any) as private. Incoming connections through the tunnel are
regarded as private.
Step 1: Gateway Server Firewall Rules
Note: The examples shown below were created using Windows Firewall with Advanced Security. If
using a generic (non-Windows) firewall, see Generic Firewall Rules (on page 21).
1 Create public network inbound port rules to allow incoming connections for the following ports:
a) Port 21 (FTPS Explicit)
b) Port 22 (SSH)
c) Port 443 (HTTPS)
d) Port 2443 (HTTPS with client certificates)
e) Port 80 (HTTP)
f) Port 990 (FTPS Implicit)
g) Ports 3000-3100 (FTPS Data)
h) Port 10443 (SSTP Tunnel)
2 Under the Scope tab, modify the Remote IP Address for port 10443 to only allow connections from the
MOVEit Transfer server IP address (for example, 192.168.196.237).
3 Verify that the firewall state is enabled for public network locations.
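The same three steps, scripted with the NetSecurity cmdlets rather than the Windows Firewall with Advanced Security console, as an added example for this guide (not Ipswitch's own installer logic). Rule display names are chosen here; 192.168.196.237 is the guide's example value for the MOVEit Transfer server's real address, which is the address the SSTP client connects from (the 192.168.1.2 tunnel address is only seen inside the tunnel). The default-inbound-block setting in step 3 is a hardening choice of this example, not something the guide states. Run in an elevated PowerShell on the Gateway server.

```powershell
# Added example, not from Ipswitch Gateway: Step 1 firewall rules for the Gateway server.
$MoveitTransferIp = '192.168.196.237'   # guide's example value; the real address of MOVEit Transfer
$Prefix = 'Ipswitch Gateway'            # display-name prefix chosen for this example

# Ports the Internet-facing (Public) profile must accept, from the Step 1 list.
$publicPorts = @(
    @{ Name = 'FTPS explicit';        Port = '21' },
    @{ Name = 'SSH/SFTP';             Port = '22' },
    @{ Name = 'HTTP (redirect only)'; Port = '80' },
    @{ Name = 'HTTPS';                Port = '443' },
    @{ Name = 'FTPS implicit';        Port = '990' },
    @{ Name = 'HTTPS client cert';    Port = '2443' },
    @{ Name = 'FTPS passive data';    Port = '3000-3100' }
)
foreach ($p in $publicPorts) {
    New-NetFirewallRule -DisplayName "$Prefix - $($p.Name)" -Direction Inbound -Protocol TCP `
        -LocalPort $p.Port -Profile Public -Action Allow | Out-Null
}

# Step 2: the SSTP tunnel port is reachable from the MOVEit Transfer server only (the Scope tab).
New-NetFirewallRule -DisplayName "$Prefix - SSTP tunnel" -Direction Inbound -Protocol TCP `
    -LocalPort 10443 -RemoteAddress $MoveitTransferIp -Profile Public -Action Allow | Out-Null

# Step 3: the Public profile must be enabled. Blocking inbound by default (this example's
# choice) makes the rules above the only way in.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# Review: port, remote scope and profile for every rule created above. The SSTP rule
# must show the single remote address; every other rule should show Any.
Get-NetFirewallRule -DisplayName "$Prefix - *" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Port    = $port.LocalPort
        Remote  = $addr.RemoteAddress
        Profile = $_.Profile
        Action  = $_.Action
    }
} | Format-Table -AutoSize
```

If the Gateway server also has a second, internal interface, check which profile Windows assigned it with Get-NetConnectionProfile; the rules above apply only to the Public profile.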
Step 2: MOVEit Transfer Server Firewall Rules
1 Modify the pre-defined inbound port rules for the following ports and set them to only apply to the
private network profile.
a) MOVEit DMZ FTP
b) MOVEit DMZ SSH
c) World Wide Web Services (HTTP Traffic-In)
d) World Wide Web Services (HTTPS Traffic-In)
2 Create a new public network inbound port rule to block incoming connections for all ports.
3 Verify that the firewall state is enabled for both public and private network locations.
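The three steps on the MOVEit Transfer server, scripted, as an added example for this guide (not part of the Ipswitch installer). The four predefined rule names are the ones listed in step 1; confirm they exist on your server with Get-NetFirewallRule before relying on the script, and run it in an elevated PowerShell on the MOVEit Transfer server.

```powershell
# Added example, not from Ipswitch: Step 2 firewall changes on the MOVEit Transfer server.
$privateOnlyRules = @(
    'MOVEit DMZ FTP',
    'MOVEit DMZ SSH',
    'World Wide Web Services (HTTP Traffic-In)',
    'World Wide Web Services (HTTPS Traffic-In)'
)

# 1. Restrict the service rules to the Private profile. Connections arriving through the
#    SSTP tunnel are treated as private, so the Gateway still gets through.
foreach ($name in $privateOnlyRules) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        Write-Warning "Rule '$name' not found; check its display name in the firewall console."
        continue
    }
    $rule | Set-NetFirewallRule -Profile Private
}

# 2. Block every inbound connection on the Public profile. Block rules take precedence over
#    Allow rules, so this also neutralises any public Allow rule another installer left behind.
New-NetFirewallRule -DisplayName 'MOVEit Transfer - block all public inbound' `
    -Direction Inbound -Profile Public -Action Block | Out-Null

# 3. Both profiles must be enabled for the above to take effect.
Set-NetFirewallProfile -Profile Public, Private -Enabled True

# Caveat from the Notes: a second interface that Windows has categorised as Private lets
# internal users bypass the Gateway entirely. List the categories and correct any interface
# that should not be Private, e.g.:
#   Set-NetConnectionProfile -InterfaceAlias 'Ethernet 2' -NetworkCategory Public
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Confirm the service rules are now Private-only and the block rule is in place.
Get-NetFirewallRule -DisplayName ($privateOnlyRules + 'MOVEit Transfer - block all public inbound') `
    -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize
```

The interface used for the SSTP connection to the Gateway stays Public; only the tunnel interface that RRAS creates on the client side should appear as Private.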
Step 3: Verify Firewall Rules
Test 1:
1 Open a web browser on the Gateway server and try to connect to the MOVEit Transfer server IP
address.
Note: If the firewall rules have been correctly defined, the connection to the MOVEit Transfer server
IP address should time out.
Test 2:
2 Open a web browser on the Gateway server and try to connect to the Gateway server IP address.
Note: If the firewall rules have been correctly defined, the connection to the Gateway server IP address
should succeed.
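Tests 1 and 2 cover only the HTTPS port that a browser uses. The script below, an added example for this guide rather than an Ipswitch tool, repeats both tests for every service port from Step 1 and distinguishes a timeout (the Windows Firewall block rule silently dropping packets, which is the expected result for Test 1) from a refused connection (the packet reached the MOVEit Transfer server, so the block rule is not effective). The MOVEit Transfer address is the guide's example value; the Gateway address is a placeholder. Run it on the Gateway server.

```powershell
# Added example, not from Ipswitch: scripted version of Test 1 and Test 2.
$MoveitTransferIp = '192.168.196.237'   # guide's example value
$GatewayIp        = '192.168.196.10'    # assumed: the Gateway server's public-side address
$ServicePorts     = 21, 22, 80, 443, 990, 2443

function Test-Port {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout' }   # dropped by a block rule
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'refused'   # host answered with RST: reachable, nothing listening or not blocked
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in $ServicePorts) {
    [pscustomobject]@{
        Port  = $port
        Test1 = Test-Port -Address $MoveitTransferIp -Port $port   # expected: timeout
        Test2 = Test-Port -Address $GatewayIp -Port $port          # expected: open (proxy running)
    }
}
$results | Format-Table -AutoSize

$leaks = $results | Where-Object { $_.Test1 -ne 'timeout' }
if ($leaks) {
    Write-Warning ("MOVEit Transfer is reachable directly on port(s) {0}; the public block rule is not effective." -f ($leaks.Port -join ', '))
}
```

For Test 2, 'open' requires the corresponding proxy to be running on the Gateway (see Endpoint and Proxies); 'refused' there only means nothing is listening yet, and port 80 answers only if the plain HTTP redirect is enabled on the HTTP proxy.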
Generic Firewall Rules
When using an external firewall, apply the following rules.
For the firewall (if any) between the Internet and the Gateway Server, permit inbound connections on the
following ports:
§ Port 21 (FTPS Explicit)
§ Port 22 (SSH)
§ Port 443 (HTTPS)
§ Port 80 (HTTP) - optional - needed only if redirects from port 80 to port 443 are desired.
§ Port 990 (FTPS Implicit)
§ Port 2443 (HTTPS with client certificates)
§ Ports 3000-3100 (FTPS Data)
For the firewall (if any) between the Gateway Server and MOVEit Transfer, permit inbound connections
to Gateway on Port 10443 (SSTP Tunnel). This should be permitted only from the IP address of the
MOVEit Transfer server.
If you will never be accessing MOVEit Transfer directly and instead will always go through Ipswitch
Gateway, for the external firewall (if any) between the Gateway Server and MOVEit Transfer, refuse all
inbound connections to MOVEit Transfer. (All inbound connections will be through the tunnel.) If the
firewall is not an external firewall, but rather is an operating system-based firewall like Windows Firewall
that is aware of private networks, then this rule should apply only to public networks.
Next, return to Configure the Firewall (on page 13), Step 3: Verify Firewall Rules.
Web Farm Install
To install Ipswitch Gateway in a MOVEit Transfer web farm, first create the MOVEit Transfer web farm
as per the MOVEit Transfer documentation
(http://docs.ipswitch.com/MOVEit/DMZ95/Help/Admin/en/).
For each web farm node, provision a separate Windows computer to run Ipswitch Gateway for that node.
Then for each web farm node:
1 Run the Ipswitch Gateway installer on that node's Ipswitch Gateway computer, choosing option 1.
2 Run the Ipswitch Gateway installer on that MOVEit Transfer web farm node, choosing option 2.
The purpose of Ipswitch Gateway is to isolate MOVEit Transfer nodes from the Internet. Thus, for
security reasons, once the Gateway nodes have been configured, firewall configurations should be altered
to prevent the MOVEit Transfer nodes from being accessed directly via the Internet.
See also Web Farms and Load Balancers (on page 7).
Upgrade
Important: Before you can upgrade to Gateway 2017 Plus, make sure your MOVEit Transfer server is
updated with 2017 Plus first.
Upgrade consists of two steps:
Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel (on page 22)
Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server (on page 24)
Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel
Before you proceed, make sure the MOVEit Transfer server is installed and running.
To upgrade Ipswitch Gateway 2017 SP1 to 2017 Plus:
1 Reboot the Ipswitch Gateway machine.
2 After reboot, sign in with administrator credentials.
3 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the
installer for Ipswitch Gateway 2017 Plus for MOVEit Transfer.
4 Open the Ipswitch Gateway installer.
5 Welcome: Select Step 1: Install a Gateway server (outside firewall) and a server side SSTP tunnel.
Click Next. The installer looks for prerequisite software.
6 System Check: The installer verifies the following:
§ Operating System Version: The machine must be running the Windows Server 2012 R2 or Server
2016 operating system.
§ Routing and Remote Access Service: A Windows server is required to properly configure the
Routing and Remote Access (RRAS) service. Workstations are not supported.
§ Routing and Remote Access - IIS: If IIS is installed and enabled, the IIS service will be disabled to
avoid configuration conflicts with the Remote Access service and VPN. If not, the necessary
components of Microsoft Internet Information Services (IIS) will be installed.
§ Administrator privileges
Click Next.
7 Options: Gateway Configuration Interface. Designate a certificate to use as the identity of the Gateway
Configuration Interface. This certificate will be presented to Gateway administrators accessing the
administrative user interface via a browser.
§ X.509 (*.pfx or *.p12) certificate from your computer (recommended): Browse to locate the SSL *.pfx
or *.p12 file. Since in many cases the hostname of the Gateway server will be the hostname
previously assigned to a MOVEit Transfer server, you may wish to use the certificate already
installed on your MOVEit Transfer server. If you need to create a *.pfx or *.p12 file from your
MOVEit Transfer server, see Create a *.pfx or *.p12 File (on page 10). Enter the Certificate password in
the space provided.
§ System-generated self-signed certificate: By default, the installer populates the Certificate Name
field with Ipswitch Gateway (Demo). In most cases, you will simply accept the proposed value
and continue. The Certificate Name value is used to populate the CN parameter in the *.pfx or
*.p12 file.
§ No changes - keep current certificate configuration. (default)
Choose the network interface and port to listen on:
§ Network Interface: Select a network interface (IP address) from the drop-down list. In most cases,
you will want the Gateway to listen on All Interfaces.
§ Port: Enter the TCP port to which Gateway administrators will connect with a browser, to
administer Ipswitch Gateway. It is recommended that you accept the default of 9443. When
configuring the TCP port for the administrative interface, do not choose a port number that is
likely to already be in use by the system, such as 10043. The default, 9443, is a good choice for
most systems.
Click Next.
8 Options: Service Logon Account: Designate which account Ipswitch Gateway should use to run the
Gateway service process:
§ Local System account
§ Different account: Enter the username and password of the different account. A dedicated account
with only the rights the service needs is preferable to Local System.
Click Next.
9 Options: SSTP Tunnel Certificate: Designate a certificate to use for the Secure Socket Tunnel Protocol
(SSTP) connection:
§ A new system-generated self-signed certificate: For Certificate Name, enter the IP address or
hostname that will be used to connect to this machine from the MOVEit Transfer server.
§ Existing certificate from the certificate manager: Select an existing certificate from the drop-down
list. Certificates without a private key (public keys only) will not be shown here. Optionally click
View Details to see detailed information about that certificate, in case you need to distinguish
between certificates with the same name.
§ No changes - keep current certificate configuration. (default)
Click Next.
10 Upgrade: Verify the upgrade options, and then click Upgrade.
After a few moments, the setup program finishes updating Ipswitch Gateway.
11 Click Finish.
Note: When you see the Enable Windows Firewall message, ignore it for now.
Note: Your web browser may attempt to open the Gateway Configuration Interface at this point.
Proceed with the following steps before using the Gateway Configuration Interface.
12 On the Gateway server, open Network Policy Server.
13 Expand Policies and select Connection Request Policies.
14 Right-click on Microsoft Routing and Remote Access Server Policy and select Properties.
15 Go to the Settings tab.
16 Select Authentication Methods.
17 Select Override network policy authentication settings (if not selected).
18 Make sure that Microsoft: Secured password (EAP-MSCHAP v2) is enabled under EAP Types.
Proceed to Step 2 (on page 24).
Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server
1 Reboot the MOVEit Transfer machine.
2 After reboot, sign in with administrator credentials.
3 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the
installer for Ipswitch Gateway for MOVEit Transfer.
4 Open the Ipswitch Gateway installer.
5 Step 2: Install a client side SSTP Tunnel on your existing MOVEit Transfer server is preselected.
Click Next.
6 Select Reinstall Ipswitch Gateway client connection. Click Next.
7 System Check: The installer verifies the certificate and that you have Administrator Privileges.
Note: If you chose to use a self-signed certificate during the Ipswitch Gateway Tunnel server
installation, you must import that certificate from the server computer into this computer's certificate
store before continuing with the installation.
Click Next.
8 Options: Gateway Server Address. Enter the Gateway Server Address or hostname to establish a
connection.
Important: What you enter here must be identical to what you entered for IP address or hostname
in Step 1 (on page 8): Options: Gateway Configuration Interface > System-generated self-signed
certificate > Certificate Name.
Click Next.
9 Options: SSTP Tunnel Credentials: Enter the SSTP Tunnel Credentials that you specified during initial
installation. This account runs the SSTP tunnel.
Note: If the Gateway Server computer requires a domain name during connection,
enter Domainname\GatewayVPNUser instead of GatewayVPNUser.
Click Next.
10 Options: Scheduled Task Context Account: Enter the credentials for an existing local Windows
account. This account will be used to initiate and monitor the SSTP tunnel. This user will be used as a
context user by the scheduled task that will start and monitor the Gateway Tunnel Connection.
11 Ready to Install: Verify the installation/upgrade setup, and then click Install.
After a few moments, installation completes.
12 Click Finish.
13 On the MOVEit Transfer server, open Network Policy Server.
14 Expand Policies and select Connection Request Policies.
15 Right-click on Microsoft Routing and Remote Access Server Policy and select Properties.
16 Go to the Settings tab.
17 Select Authentication Methods.
18 Select Override network policy authentication settings (if not selected).
19 Make sure that Microsoft: Secured password (EAP-MSCHAP v2) is enabled under EAP Types.
Endpoint and Proxies
The Endpoint page shows details about the MOVEit Transfer Endpoint and its associated proxies.
Ipswitch Gateway 1.1 supports only one Endpoint.
Initially only three default proxies display for the Endpoint, one for each protocol type: FTP, HTTP,
and SSH/SFTP. A proxy listens on a port for traffic of a certain protocol type and forwards traffic of that
type to the Endpoint. There are usually three proxies per Endpoint, but there could be more or fewer.
1 MOVEit Endpoint IP Address
2 Show Details:
§ IP address: The IP address or hostname of the MOVEit Transfer server.
§ Port: The port of the MOVEit Transfer server.
§ Expected Host Name (optional): Host name of the MOVEit Transfer Endpoint. If no host
name was given during install, it will show N/A.
§ Host Name Verification Policy:
§ Default: The server you connect to must have a cert that matches one of the hostnames
listed. A wildcard can occur in the common name (CN), and in any of the subject-alts.
The one divergence from IE6 is that we only check the first CN.
§ Allow All: Allows you to connect to any server without performing a hostname check. For
testing purposes only - do not use in a production environment.
§ Virtual Path: The MOVEit Transfer server's virtual path.
Delete Endpoint. You must be signed in to the Ipswitch Gateway computer as a MOVEit Transfer sysadmin
or orgadmin to delete the Endpoint.
You may need to delete the Endpoint if the MOVEit Transfer server is down and you want that server's
proxies to point to a running Endpoint. If you delete the Endpoint, you must configure and verify a new
Endpoint. The Ipswitch Gateway Trust Store must contain the X.509 certificate for the Endpoint to perform
an SSL handshake. See Keys and Certs (on page 30).
Warning: Deleting the Endpoint will delete all of the Endpoint's proxies too, even if they are running. You
cannot undo the deletion of the Endpoint. If you delete the Endpoint, you'll be prompted to configure and
verify an Endpoint after sign in.
3 Transfer Rate: The average number of bytes transferred per second by all of the Endpoint's proxies (upload
and download) for 1-minute, 5-minute and 15-minute intervals. Numbers are moving averages for each
time period. Click Refresh to update the numbers with current data. Each individual proxy's transfer rate
will update too.
4 Proxy protocol type: An icon shows the proxy's protocol: FTP, HTTP or SSH/SFTP.
5 Name: A user-defined name for the proxy. To edit the proxy name, click the menu icon under Actions.
For FTP proxies, you'll also see an icon showing whether the FTP proxy allows only secure traffic or
allows insecure traffic. To edit this option, click the menu icon to the right of the proxy and stop the
proxy if necessary, then click Edit from the same drop-down list. Check or uncheck Allow Insecure FTP.
If the proxy is running, click the proxy name to show or hide transfer metrics for that proxy:
§ Transfer Rate: The average number of bytes transferred per second by the proxy, showing
moving averages for 1-minute, 5-minute and 15-minute intervals.
§ Commands (FTP and SFTP only): The average number of commands processed by the
proxy, showing moving averages for 1-minute, 5-minute and 15-minute intervals.
§ Running: Shows how long the proxy has been running.
§ Sessions (FTP and SSH/SFTP only): The number of active sessions.
§ Requests (HTTP only): The number of requests.
6 Listen On: The IP address and port on which the proxy will listen. No other proxy can listen on that port
number for that Endpoint. This value is empty initially. You must click the edit icon to add a Listen On port
before you can run the proxy.
§ FTP: Listen on addresses and ports display for Explicit FTP and Implicit FTP. See Add a Proxy (on
page 28) for details.
§ HTTP: Listen on addresses and ports display for SSL Address, Client Cert Address, and HTTP
Redirect Address. See Add a Proxy (on page 28) for details.
7 Send To: The MOVEit Transfer Endpoint address and port to which the proxy will send encrypted data.
8 Key: The key used to verify the proxy with the Endpoint certificate. This value is empty initially. You must
click the edit icon to select a key before you can run the proxy. See also Keys and Certs (on page 30).
9 Status: The current state of the proxy, either running or stopped. If running, running time displays.
The proxy is stopped initially. You must start it manually after adding and configuring it. Ipswitch
Gateway routes external traffic to the Endpoint only through a running proxy. You must stop a proxy
before editing the Endpoint or deleting a key that the proxy uses.
An error indicator displays for proxies that could not be restarted on reboot.
10 Actions:
§ Edit: Change any of the proxy settings you selected when creating the proxy, such as the
proxy name, Listen On IP address and port, Key, and Send to Port. Note: You must stop a
proxy before you can edit it. Everything except a name change requires a computer restart.
§ Start / Stop Proxy: You can start and stop an Endpoint's proxies independently. You must
start a proxy manually after adding and configuring it. Proxies restart automatically after
computer restart only if they were running when the application stopped. Before a proxy
starts, Ipswitch Gateway verifies that the proxy's Endpoint is configured with a valid hash,
and that the certificate configured with that Endpoint still matches the certificate presented by
the remote server. If a proxy is stopped unexpectedly, you may need to edit the proxy's
settings to fix it.
§ Delete: If the proxy is running when you try to delete it, you'll receive a warning message.
11 Add Proxy: Select ftp, ssh/sftp or http. See Add a Proxy (on page 28) for more information.
Remote Access
You can access Ipswitch Gateway remotely if an existing Endpoint is active. On the remote computer,
open a browser and enter the Ipswitch Gateway IP address and port. Sign in to Ipswitch Gateway with
MOVEit Transfer sysadmin or orgadmin credentials. You may change the Endpoint remotely in this way.
Any change requires that new sysadmin or orgadmin credentials be entered for the updated Endpoint to
verify that it is in fact an Ipswitch-supported Endpoint and that the current user has sysadmin or orgadmin
access to that Endpoint.
If there is no active Endpoint (if an Endpoint is down or has been moved), you must go to the Ipswitch
Gateway computer, open a browser and enter the location of the Gateway Configuration Interface
(https://localhost:9443). You may then change the existing Endpoint but you will still have to enter valid
sysadmin or orgadmin credentials for the updated Endpoint.
When an existing Endpoint is updated, all proxies using that endpoint will automatically point to the new
IP address (if any).
MOVEit Transfer Server Changes
If the MOVEit Transfer server's certificate identity changes or the MOVEit Transfer server location
moves from one machine to another, go to the Ipswitch Gateway computer, sign in to the Gateway
Configuration Interface, and from the sign in page click Re-verify or Delete to reconfigure that Endpoint.
Add a Proxy
An Endpoint can have multiple proxies. A proxy listens on a port for traffic of a certain protocol type and
then forwards the encrypted traffic to a MOVEit Transfer Endpoint. Only a running proxy can route
external traffic to the MOVEit Transfer Endpoint.
To add more proxies to an Endpoint:
1 Click Add Proxy and select the type of proxy to add:
FTP
HTTP
SSH
2 Enter a Name for the proxy.
3 Enter the Listen On IP address or host name. This is the IP address and port where this proxy will
listen. Proxies listen to all incoming traffic on a port. The default address of 0.0.0.0 means that the
proxy will listen on all available addresses at the given port. Must be a valid IPv4 or IPv6 address or a
host name.
4 Enter additional Listen On information specific for each proxy type:
§ FTP:
• Explicit FTP port: All connections to the Explicit FTP port require the client to issue an explicit
command (i.e., "AUTH TLS") to initiate a secure connection. Encryption is optional (although
it can still be required by the FTP server). Default port is 21.
• Implicit FTP port: All connections to the Implicit FTP port will be encrypted. Implicit FTP
traffic runs over a different port than Explicit FTP. Default port is 990.
• SSL Key: Select the key for the proxy from the list to establish secure communication with the
Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks
with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores
the certificates for the Endpoint. The list is empty if you haven't imported any keys
(see Configure Keys and Certs (on page 30)). The keystore contains SSL keys for HTTPS and
FTP proxies. A key is not required during proxy creation, but an SSL key is required before
starting the proxy. The MOVEit Transfer server should use the same cert for FTPS and
HTTPS. Install organization-specific certs in Ipswitch Gateway if necessary.
• Require a secure connection: When checked, requires the client to issue an explicit command
(i.e., "AUTH TLS") to initiate a secure connection. Leave this checked unless you have a specific
need to accept unencrypted FTP on the explicit port.
• External IP for Passive FTP: If the check box is checked, the Ipswitch Gateway FTP server will
return the proxy's advertised Endpoint address for an IP address. If the check box is
unchecked, the IP field is enabled. Enter a passive IP address and the Ipswitch Gateway FTP
server will return the passive IP address you enter here. If Ipswitch Gateway is installed in a
cloud environment, uncheck the box and enter the Gateway VM's public IP address.
The connection port is determined by the passive port range, which can be configured in
the Settings (on page 32) tab.
§ HTTP:
• Listen On Port: Default port is 443. If you installed MOVEit Mobile, add a proxy listening on
8443 to route traffic to the Mobile Server in the trusted zone.
• Client Cert Port: This port accepts HTTPS requests from the user during client certificate
authentication. Default port is 2443. After sign in, the user's session to Ipswitch Gateway goes
through the normal Listen On Port number.
• SSL Key: Select the key for the proxy from the list to establish secure communication with the
Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks
with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores
the certificates for the Endpoint. The list is empty if you haven't imported any keys
(see Configure Keys and Certs (on page 30)). The keystore contains SSL keys for HTTPS and
FTP proxies. A key is not required during proxy creation, but an SSL key is required before
starting the proxy. The MOVEit Transfer server should use the same cert for FTPS and
HTTPS. Install organization-specific certs in Ipswitch Gateway if necessary.
• Accept and redirect plain HTTP requests: When checked, any traffic sent to http://gateway will
be redirected to https://gateway. Enter a Plain HTTP port to listen on (listens on port 80 by
default). Enter a Redirect to https:// address, which is the hostname or address of the HTTP
Location header sent to the client on a redirect from the non-SSL port to the SSL port. This
can be useful if the "SSL IP Address or Host Name" is specified by an IP address and you
want users to see a host name in the redirect response. If this feature is unchecked, starting the
proxy listens only on https and traffic sent to http will bounce or time out.
§ SSH/SFTP:
• Listen on port: Default port is 22.
• SSH Key: Select the key for the proxy from the list to establish secure communication with the
Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks
with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores
the certificates for the Endpoint. Select a previously deployed SSH key or select None to
trigger key generation when the proxy starts. The SSH key generates on demand and is saved
for use on a restart.
5 Enter a Send to port. This is the port number of the MOVEit Transfer server to which the proxy will
send data. The default for HTTP is 443, the default for FTP is 990, and the default for SSH/SFTP is
22.
6 Click Save. The proxy displays beneath the Endpoint. The status of newly added proxies is Stopped.
Keys and Certs
Click Keys and Certs to view all keys uploaded to the Ipswitch Gateway keystore. Initially the Keys and
Certs list is empty. You must upload a key here before it will be available in the Add a Proxy screen.
You must assign a key to a proxy for verification with the MOVEit Transfer Endpoint certificate.
Import keys. Keys will not appear here unless you upload them. See Import Keys (on page 31).
The Keys list displays the following information for each key:
1 Key type: SSH or SSL
2 Name: This will typically show the name of the key file you upload. If you try to import a key with a
duplicate name, you may rename the key to facilitate the import. The new key will import but you must
enter a different alias for it in the box provided.
Beneath the key alias is either the serial number (SSL) or fingerprint (SSH).
3 Proxies: Number of proxies currently using the key. Click the number to view the specific proxies using that
key.
4 Expiration Date: Date when the key expires.
5 View Details:
§ SSH keys: Friendly Name and Fingerprint display for the key.
§ SSL keys: Friendly Name, Issuer, Subject, Serial Number, Valid As Of, and Expires On
display for the key.
6 Import: Import a key into the Gateway keystore. See Import Keys (on page 31).
Delete: You can delete a key only when it is not in use by a proxy. See Delete Keys (on page 32).
Import Keys
To import a key into the Ipswitch Gateway keystore:
1 On the Keys and Certs page, click Import.
2 Drag a key file (.pfx or .p12) into the boxed area or click to browse and locate the file. A single .pfx or
.p12 file may contain multiple keys.
3 Add the Password for the key file.
4 Click Import. After successful import, the new key displays in the Keys list.
Duplicate Keys warning: If you uploaded the same key twice, you'll see a yellow Duplicate Keys warning
notifying you that the key has already been uploaded. You can either upload another key file or return to
the Key List.
Key Conflicts warning: If the key you uploaded conflicts with the alias name of another key in the Ipswitch
Gateway keystore, you'll see a yellow Key Conflicts warning. The key you attempted to upload will
display on the left and the existing key displays on the right. You can do one of the following in this
scenario:
§ Ignore: The new key will not import.
§ Overwrite: The new key will replace the existing key.
§ Rename: The new key will import but you must enter a different alias for it in the box provided.
Click Resolve Key Conflicts.
Note: If you upload multiple keys at the same time, some keys may be duplicates or have key conflicts and
others may not. Keys without conflict display further down the page.
Click the back link to return to the Keys list at any time.
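Because a .pfx or .p12 file can hold several keys and the Gateway reports duplicates and alias conflicts only after the upload, it pays to inspect the file first. The following PowerShell is an added example for this guide, not an Ipswitch tool; the file path is a placeholder, and the final comparison assumes the script runs on the MOVEit Transfer server so the thumbprint can be checked against the certificate bound there (the guide recommends the same cert for FTPS and HTTPS). Get-PfxData comes with the PKI module on Windows Server 2012 R2 and later.

```powershell
# Added example, not from Ipswitch: inspect a .pfx/.p12 before importing it into the
# Gateway keystore, so missing private keys, expired certificates and name clashes are
# caught before the upload rather than by the Duplicate Keys / Key Conflicts warnings.
$PfxPath = 'C:\certs\moveit-transfer.pfx'    # assumed path
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

$pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPass

# The default alias the Gateway shows is the file name; a second file with the same name
# produces a Key Conflicts warning, so note it here.
$alias = [System.IO.Path]::GetFileNameWithoutExtension($PfxPath)

# Report every end-entity certificate in the file with the fields the Keys list shows.
$report = foreach ($cert in $pfx.EndEntityCertificates) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Alias         = $alias
        Subject       = $cert.Subject
        HostNames     = if ($san) { $san.Format($false) } else { '(no SAN)' }
        Issuer        = $cert.Issuer
        SerialNumber  = $cert.SerialNumber
        ValidAsOf     = $cert.NotBefore
        ExpiresOn     = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Thumbprint    = $cert.Thumbprint
    }
}
$report | Format-List

foreach ($r in $report) {
    if (-not $r.HasPrivateKey) { Write-Warning "$($r.Subject): no private key; a proxy cannot serve TLS with it." }
    if ($r.ExpiresOn -lt (Get-Date)) { Write-Warning "$($r.Subject): expired on $($r.ExpiresOn)." }
}

# Assumption: run on the MOVEit Transfer server. The file should carry the same certificate
# that is bound there; an empty result means the Gateway would hold a different identity.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -in $report.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```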
Delete Keys
You may need to delete a key with an expired SSL certificate, a key that is no longer needed, or one that
was uploaded in error.
You can delete a key only when it is not in use by a proxy. On the Keys and Certs page, click the boxed
number to view the specific proxies using that key.
To delete a key, click the key's menu icon, select Delete, then confirm the deletion.
Reset an SSH Key
1 Go to the Endpoints (on page 25) page and stop the ssh/sftp proxy.
2 Return to the Keys and Certs (on page 30) page and delete the SSH key (on page 32).
3 Go back to the Endpoint page and start the ssh/sftp proxy to generate a new key.
Settings
The following Ipswitch Gateway 2017 Plus settings are available:
§ Gateway's Host Name or IP Address: The name of the computer running Ipswitch Gateway 2017 Plus
as specified during installation. You can edit the name if required. Doing so will restart all running
HTTP proxies. This setting is used to create HTTP redirects and is currently used only for client
certificate authentication. The user's browser can use this hostname to access the Gateway system.
§ Passive Port Range (for FTP connections): The default range is 3000-3100, the same as the MOVEit
Transfer default. The Passive Port Range does not need to be the same as MOVEit Transfer's but it's
probably best for consistency. The number of ports allowed should not exceed the number allowed by
MOVEit Transfer.
Note: A passive port range limits the number of concurrent transfers.
Note: You may be warned that any running FTP proxies will be restarted when changing the port
range.
§ Reset Store Passwords: Update the Key Store and Trust Store with an autogenerated password.
copied only in accordance with the terms of such license. Except as permitted by such license, no part of
this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted, in any form
or by any means, electronic, mechanical, recording, or otherwise, without the express prior written consent
of Ipswitch, Inc.
The content of this document is furnished for informational use only, is subject to change without notice,
and should not be construed as a commitment by Ipswitch, Inc. While every effort has been made to
assure the accuracy of the information contained herein, Ipswitch, Inc. assumes no responsibility for errors
or omissions. Ipswitch, Inc., also assumes no liability for damages resulting from the use of the
information contained in this document.
Ipswitch, and the Ipswitch logo, MOVEit and the MOVEit logo, and Ipswitch Gateway and the Ipswitch
Gateway logo are trademarks of Ipswitch, Inc. Other products and their brands or company names, are or
may be trademarks or registered trademarks, and are the property of their respective companies.
This document was published on Thursday, November 02, 2017 at 14:51.