Ipswitch Gateway 2017 Plus User Manual

User Guide
Contents
System Requirements ........................................................ 1
Version 2017 Plus Limitations .............................................. 2
New Features ............................................................... 2
Fixed Issues ............................................................... 3
Known Issues and Workarounds ............................................... 3
Web Farms and Load Balancers ............................................... 7
Standard Install ........................................................... 8
    Step 1: Install Gateway Server and Server-Side SSTP Tunnel ............. 8
    Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server ... 11
    Step 3: Launch Gateway Configuration Interface ........................ 12
    Step 4: Configure the Firewall ........................................ 13
Pre-requisites ............................................................ 13
Notes ..................................................................... 14
Step 1: Gateway Server Firewall Rules ..................................... 14
Step 2: MOVEit Transfer Server Firewall Rules ............................. 16
Step 3: Verify Firewall Rules ............................................. 19
Web Farm Install .......................................................... 21
    Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel ............ 22
    Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server ... 24
Remote Access ............................................................. 28
MOVEit Transfer Server Changes ............................................ 28
Add a Proxy ............................................................... 28
Import Keys ............................................................... 31
Delete Keys ............................................................... 32
Reset an SSH Key .......................................................... 32
Release Notes
System Requirements
Ipswitch Gateway Server:
§ Windows Server 2012R2 or 2016
§ 4 GB RAM
§ 40 GB hard drive
§ Dual-core or faster processor
§ Dual network interface cards (1 Gbit/sec minimum) for separate external and internal services (recommended)
§ Production systems will benefit from additional resources, including faster, additional and multi-core processors, more RAM, and more hard drive capacity and speed
§ Supported Virtualization Environments:
    § VMware vSphere (64-bit guest servers)
    § Microsoft Hyper-V (64-bit guest servers)
2 Ipswitch Gatewa y User's Guid e
MOVEit Transfer Server:
§ MOVEit Transfer 2017 Plus
§ Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 (64-bit English)
§ MOVEit Mobile 1.3.1 (optional)
Version 2017 Plus Limitations
§ Lack of support for Ipswitch® Failover
§ Multiple organizations with unique IP addresses
New Features
ID (Category): Issue
GW-853: 2017 Plus introduces a new setting on the HTTP proxy, the HTTP Proxy certificate listening port. This port accepts HTTPS requests from the user during client certificate authentication only, and after sign in, the user's session to Ipswitch Gateway goes through the normal Listen On Port number. The default client certificate listening port is 2443, which requires a firewall rule.
GW-852 (Settings): The Gateway's hostname or IP address was added to the Settings page. You may now edit this name post-installation. Doing so restarts all running HTTP proxies.
GW-838 (Install): On fresh installs, the Ipswitch Gateway installer now prompts for the hostname of the Gateway system, as viewed by end users. This is needed for processing HTTPS client certificate authentication.
GW-741 (Proxies): When adding a proxy, the Listen on IP Address or Hostname value is now prepopulated with 0.0.0.0, which directs the proxy to listen on all available addresses at the given port. Client IP addresses and client certificates now propagate to MOVEit Transfer for all proxies. Previously, all requests to MOVEit Transfer seemed to originate from the Gateway machine, making it necessary to disable certain security related MOVEit Transfer features, such as IP Lockouts, and sign out logs and technical support links in MOVEit Transfer showed the Gateway IP address instead of the client IP address.
GW-726 (Client Identity): For every proxy request, Ipswitch Gateway now sends to MOVEit Transfer a header that contains the IP address of the browser that is accessing Gateway. You no longer need to disable IP lockouts on the MOVEit Transfer server.
GW-47 (HTTP Proxy): Ipswitch Gateway now implements authentication to MOVEit Transfer using SSL client certificates and SFTP public keys.
GW-72 (Licensing): Starting with the 2017 Plus release, Ipswitch Gateway must verify licensing with MOVEit Transfer before launching the Gateway Configuration Interface during Step 3 of the install, and any time the Gateway server reboots.
Fixed Issues
ID (Category): Issue
GW-855 (MOVEit): MOVEit Session Manager and MOVEit Logs were recognizing the Ipswitch Gateway Web Admin as the 'MOVEit Xfer' interface. This issue has been fixed.
GW-1073 (Keys and Certs): In Internet Explorer 11, when you select Keys and Certs > Import to upload a client certificate, there is no "Modified On" field.
GW-842 (HTTPS): Microsoft Edge users authenticating with a client certificate must restart their computer after importing the client certificate. This is a known limitation of the Microsoft Edge browser.
GW-830 (Documentation): Updated Step 3 > step 3 > Configure Endpoint > IP Address to read "The IP address entered here should be 192.168.1.2, which is the IP address of the MOVEit Transfer server on the tunnel connection. Do NOT use the actual IP address of the MOVEit Transfer server."
GW-829 (SFTP): Ipswitch Gateway's SFTP server has been improved so it can handle more simultaneous connection requests. Previously, the SFTP server could refuse connections under heavy load.
GW-826 (Settings): A minor change was made to the message displayed when the FTP passive port range was changed.
GW-820 (Security): Previously it was possible to configure a proxy on the Gateway server to contain certain HTML tags that could be reflected back to the user in the confirmation message associated with start/stop/edit actions. This issue has been fixed.
Known Issues and Workarounds
ID (Category): Issue
GW-1070 (Install / Uninstall): The install does not create an item for the Gateway client under Programs and Features. To confirm that the Ipswitch Gateway Tunnel is present, go to Network and Sharing Center on the MOVEit Transfer server. To uninstall, please execute the Gateway installer directly on the MOVEit Transfer machine, select Step 2, and then select Uninstall.
GW-1068 (Uninstall): After uninstall, Gateway's IP is not removed from the MOVEit Transfer's trusted host list. To delete the Gateway IP from the trusted host list, follow these steps:
1 Sign in to MOVEit Transfer as sysadmin.
2 Go to Settings > System > Remote Access > SysAdmin & Trusted Hosts.
3 Under Trusted Hosts, click Edit Access Rules.
4 Next to the Gateway IP address (for example, 192.168.1.1), click X to delete, and then click Yes to confirm.
GW-1003 (HTTPS): By default the Outlook plugin uses port 443 to initiate a connection to MOVEit DMZ. With a Gateway deployment, if a user has a client certificate requirement they will run into issues connecting to Gateway via a default Outlook plugin install.
Workaround: Change the default port in Outlook.
GW-992 (Licensing): When a MOVEit Transfer administrator installs a new license that enables Ipswitch Gateway, it can take up to fifteen minutes for Gateway to notice that a new license is available. Hence, proxies which have been stopped for licensing reasons may continue to be unavailable for up to 15 minutes. The Gateway administrator can shorten this waiting period by logging into the Ipswitch Gateway administrative interface and manually starting each proxy. To do this, for each proxy, under Actions choose Start Proxy.
GW-990 (FTP): The following specific FTP configuration on Gateway/MOVEit Transfer prevents users from accessing MOVEit Transfer through Gateway using insecure FTP:
Allow FTP/SSL Access: Yes
Allow Insecure FTP Access: Yes
SSL Client Cert Required: Yes
Password also required with SSL Client Cert: Yes
Workaround: To utilize insecure FTP, do not set both "Allow Insecure FTP Access" and "SSL Client Cert Required" to "Yes".
GW-989 (FTP): If the FTP client shuts down during file download, the connection between Gateway and MOVEit Transfer Server could remain open for up to 10 minutes. If this happens more frequently than normal, it could potentially exhaust the allowed number of connections on MOVEit Transfer Server, and clients can no longer make new connections until the existing open connections are closed.
Workaround: It is recommended that you use the MOVEit Transfer Config utility to change FTP Ports > Connection Limit from 32 to a larger number such as 1000, to allow an adequate number of clients to connect without reaching the limit easily.
GW-985 (Upgrade): During an upgrade, the SSTP connection drops.
Workaround: After upgrading Gateway Server, reconnect the SSTP connection by manually running the Windows scheduler task.
GW-840 (Uninstall): After uninstall, Computer Management (Win+R > compmgmt.msc) still shows Local Users and Groups > Users > GatewayVPNUser.
GW-879 (Sign In): On the MOVEit Transfer sign in page, when you click Try Automatic Signon through Gateway, you see a window that displays available certificates. If you click Cancel in this window, the browser redirects you to an error page that states "This site can't provide a secure connection" (a certificate was not provided).
Workaround: If you see this error page, press the back button to return to the sign in page, or refresh the browser page to display the available certificates again and choose the correct certificate.
GW-849 (Security): When using HTTPS client certificates through a browser, Ipswitch Gateway users may be offered a choice of more certificates than would be the case if they accessed MOVEit Transfer directly. While MOVEit Transfer instructs the browser to prompt the user only for certificates created or approved through MOVEit Transfer, Ipswitch Gateway has no such feature. Thus, users who have installed client certificates for applications other than MOVEit Transfer should ignore those certificates when making a selection from their browser's list of certificates.
GW-813 (Upgrade): Customers upgrading from a previous release should check that the new "Host Name" field is correct. This field is in the Settings tab of the administrative interface. Ipswitch Gateway provides a default value, which is often incorrect. This new setting is used for client certificate authentication.
GW-760 (Install): After Ipswitch Gateway is installed on Windows Server 2016, the Remote Access Connection Manager service will not start. This does not adversely affect the operation of Ipswitch Gateway; however, it could be a problem if the server is being used for RAS for other purposes. This is unlikely, as Ipswitch recommends that Ipswitch Gateway be run on a dedicated server. This problem does not occur when Gateway is installed on Windows Server 2012R2.
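The three entries above that leave work to the administrator (GW-840, GW-760 and GW-985) can be checked from one script. The following is an added example, not code from the Ipswitch manual; it assumes that Get-LocalUser/Remove-LocalUser are available (PowerShell 5.1, built in on Server 2016 and installable via WMF 5.1 on 2012 R2), that RasMan is the Windows service name behind "Remote Access Connection Manager", and, because the manual does not name the scheduler task that re-establishes the SSTP tunnel, that you pass that task's name in as a parameter.

```powershell
# Added example, not Ipswitch's code: post-uninstall / post-upgrade checks for the known
# issues GW-840 (GatewayVPNUser left behind), GW-760 (Remote Access Connection Manager does
# not start on Server 2016) and GW-985 (SSTP drops during an upgrade; the manual says to run
# the Windows scheduler task manually but does not name it, so the name is a parameter here).
param(
    [switch]$RemoveLeftoverUser,   # GW-840: delete GatewayVPNUser instead of only reporting it
    [string]$SstpTaskName          # GW-985: assumption - name of the task that reconnects the tunnel
)
$ErrorActionPreference = 'Stop'

# GW-840: after uninstall, Local Users and Groups still shows GatewayVPNUser. An orphaned
# account that once authenticated a VPN tunnel is a credential nobody is watching; report it,
# and remove it only when explicitly asked.
function Test-GatewayVpnUser {
    $user = Get-LocalUser -Name 'GatewayVPNUser' -ErrorAction SilentlyContinue
    if (-not $user) { return 'GatewayVPNUser: not present' }
    if ($RemoveLeftoverUser) {
        Remove-LocalUser -Name 'GatewayVPNUser'
        return 'GatewayVPNUser: found and removed'
    }
    return ('GatewayVPNUser: still present (Enabled={0}, LastLogon={1}); re-run with -RemoveLeftoverUser to delete it' -f
            $user.Enabled, $user.LastLogon)
}

# GW-760: on Windows Server 2016 the Remote Access Connection Manager service does not start
# after the Gateway install. The manual says Gateway itself is unaffected, so this is only a
# finding if the host is also used for RAS, which Ipswitch advises against.
function Test-RasManService {
    $svc = Get-Service -Name RasMan -ErrorAction SilentlyContinue
    if (-not $svc) { return 'RasMan: service not found' }
    $osName = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    return ('RasMan: {0} on {1}' -f $svc.Status, $osName)
}

# GW-985: the SSTP connection drops during an upgrade and the workaround is to run the
# scheduler task by hand. Start it, wait for it to finish, and surface the task's own result
# code so a failed reconnect is not mistaken for a successful one.
function Invoke-SstpReconnectTask {
    param([Parameter(Mandatory)][string]$TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { throw "Scheduled task '$TaskName' not found; check the name in Task Scheduler." }
    Start-ScheduledTask -TaskName $TaskName
    do {
        Start-Sleep -Seconds 2
        $state = (Get-ScheduledTask -TaskName $TaskName).State
    } while ($state -eq 'Running')
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    return ('{0}: state={1} lastRun={2} lastResult=0x{3:X8}' -f
            $TaskName, $state, $info.LastRunTime, $info.LastTaskResult)
}

Test-GatewayVpnUser
Test-RasManService
if ($SstpTaskName) { Invoke-SstpReconnectTask -TaskName $SstpTaskName }
```

Run it without switches first to get a report; add -RemoveLeftoverUser only on a host where the Gateway has really been uninstalled, since the same account is what the live tunnel authenticates with.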
Introduction
Ipswitch Gateway acts as a reverse proxy to provide an additional layer of security for MOVEit Transfer customers. Inbound traffic cannot come through the firewall into the trusted zone; all client sessions terminate in the Ipswitch Gateway network segment. The outward-facing portion of the network (typically the Internet) is separated from the MOVEit Transfer server, which is typically behind a firewall in a trusted zone on a local private network. Ipswitch Gateway exchanges authentication, credentials, files, and other data between remote clients and a MOVEit Transfer server (Endpoint) located in the trusted zone. You do not need to open inbound ports in the firewall in front of MOVEit Transfer to allow clients to communicate with it.
How it Works
During installation, a secure SSTP tunnel (virtual private network) is created from the MOVEit Transfer server to the Ipswitch Gateway computer (or virtual machine). Ipswitch Gateway then runs as a Windows Service that provides reverse proxies and forwards only encrypted traffic to the MOVEit Transfer server over the tunnel. All communications in the client and server session are encrypted and streamed through this connection. Ipswitch Gateway inspects all requests and, if the requests look valid, forwards them to the MOVEit Transfer server (Endpoint) for fulfillment. Responses from MOVEit Transfer are sent back to Ipswitch Gateway, which returns them to the user. This process is invisible to incoming clients.
Ipswitch Gateway supports the following protocols:
§ FTP (implicit and explicit)
§ SSH/SFTP
§ HTTP/HTTPS
The Ipswitch Gateway Configuration Interface provides an easy way to configure and manage these reverse proxies, their port and connection details, and their current running status.
All clients supported by MOVEit Transfer are also compatible with Ipswitch Gateway.
Ipswitch Gateway also supports single, high availability, and web farm environments (on page 7).
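Because the tunnel is initiated from the MOVEit Transfer side, the only listeners that must be reachable from the outside are the Gateway's own proxy ports, and the release notes add two details that matter here: a new proxy listens on 0.0.0.0 by default (GW-741), and the HTTPS client certificate listening port (default 2443) needs its own firewall rule (GW-853). The following is an added example, not code from the Ipswitch manual, that creates or verifies those inbound rules on the Gateway server and scopes them to the outward-facing NIC so the listener is not reachable from the internal interface. The interface alias "External", the use of 443 as the proxy's normal Listen On Port, and the rule display names are assumptions of this script, not values from the manual.

```powershell
# Added example, not Ipswitch's code. Creates or verifies the inbound Windows Firewall rules
# on the Ipswitch Gateway server for the HTTPS reverse proxy: the normal Listen On Port and
# the client certificate listening port that GW-853 says needs a firewall rule (default 2443).
# Assumptions (not from the manual): the Internet-facing NIC has alias 'External', the
# normal listen port is 443, and the rule display names are this script's own.
param(
    [string]$ExternalInterfaceAlias = 'External',   # assumption: alias of the outward-facing NIC
    [int]$HttpsListenPort = 443,                    # assumption: the proxy's normal Listen On Port
    [int]$ClientCertPort = 2443                     # GW-853 default client certificate listening port
)
$ErrorActionPreference = 'Stop'

# A proxy listens on 0.0.0.0 by default (GW-741), so the firewall rule, not the listener,
# is what keeps the port off the internal interface: scope every rule to the external NIC.
function Set-GatewayInboundRule {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Port)

    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Port -Profile Any -InterfaceAlias $ExternalInterfaceAlias
    }

    # Re-check the rule that exists now: a pre-existing rule with the same name may have been
    # edited to another port or to 'Any' interface, which would expose the listener internally.
    $portFilter = $rule | Get-NetFirewallPortFilter
    $ifFilter   = $rule | Get-NetFirewallInterfaceFilter
    $verified = ($rule.Enabled -eq 'True') -and
                ($rule.Direction -eq 'Inbound') -and
                ($rule.Action -eq 'Allow') -and
                ($portFilter.Protocol -eq 'TCP') -and
                ("$($portFilter.LocalPort)" -eq "$Port") -and
                (@($ifFilter.InterfaceAlias) -contains $ExternalInterfaceAlias)

    [pscustomobject]@{
        Rule      = $Name
        Port      = $Port
        Interface = $ExternalInterfaceAlias
        Verified  = $verified
    }
}

Set-GatewayInboundRule -Name 'Ipswitch Gateway HTTPS proxy' -Port $HttpsListenPort
Set-GatewayInboundRule -Name 'Ipswitch Gateway HTTPS client certificate port' -Port $ClientCertPort

# Exposure check: list every other enabled inbound Allow rule that applies to the external
# NIC (explicitly, or because it is not scoped to any interface at all), so nothing besides
# the proxy listeners is reachable from the outside by accident.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'Ipswitch Gateway*' } |
    Where-Object {
        $aliases = @(($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias)
        ($aliases -contains 'Any') -or ($aliases -contains $ExternalInterfaceAlias)
    } |
    Select-Object DisplayName, Profile, Enabled
```

A Verified value of False on an existing rule means someone has widened it since it was created; fix the rule rather than adding a second one with the same name. Add further calls to Set-GatewayInboundRule for the FTP and SFTP proxy ports you configure.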
Web Farms and Load Balancers
Ipswitch Gateway supports MOVEit Transfer web farms. A web farm is a collection of machines that each run a separate copy of MOVEit Transfer, but all copies share the same database, file system, and other resources. Web farms employ load balancers that allow an administrator to:
§ Advertise a single URL to all users, with a single SSL certificate
§ Distribute the load evenly over all application nodes to improve performance
§ Provide fault tolerance; if an application node fails, the load balancer stops routing traffic to it until it comes back up
Some MOVEit Transfer web farms might use the built-in Microsoft Windows Network Load Balancing (NLB) feature to implement load balancing. NLB allows load balancing to be added to a cluster without having a separate node in front of the worker nodes. The load balancing is built into the operating system and the feature is provided collectively by all worker nodes. Ipswitch does not support the built-in Microsoft Windows Network Load Balancer (NLB) in the initial release of Ipswitch Gateway.
Most enterprise web farm customers employ traditional load balancers from hardware vendors like Cisco and F5. The deployments below focus on this scenario.
One load balancer, many Gateways
The recommended load balancing scenario uses a single load balancer and multiple Ipswitch Gateways, each running on a separate machine. Each Ipswitch Gateway is dedicated to a specific MOVEit Transfer node. A failure of a MOVEit Transfer node, its SSTP tunnel, or its associated Ipswitch Gateway machine results in the automatic temporary removal of the node from the load balancer.
Note: The single load balancer is presumed to have high availability features that prevent it from becoming a single point of failure. This is generally a valid assumption for major load balancer vendors.
Install
Select one of the following install options:
§ Standard Install (on page 8)
§ Web Farm Install (on page 21)
Standard Install
Installation consists of four steps:
Step 1: Install Gateway Server and Server-Side SSTP Tunnel (on page 8)
Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server (on page 11)
Step 3: Launch Gateway Configuration Interface (on page 12)
Step 4: Configure the Firewall (on page 13)
Step 1: Install Gateway Server and Server-Side SSTP Tunnel
Before you proceed, make sure the MOVEit Transfer server is installed and running.
1 On a separate machine from MOVEit Transfer, sign in with administrator credentials.
2 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the installer for Ipswitch Gateway 2017 Plus for MOVEit Transfer.
3 Open the Ipswitch Gateway installer and click Run to run the install wizard.
4 Welcome: Select Step 1: Install a Gateway server (outside firewall) and a server side SSTP tunnel. Click Next. The installer looks for prerequisite software.
5 System Check: The installer verifies the following:
§ Operating System Version: The machine must be running the Windows Server 2012R2 or Server 2016 operating system.
§ Routing and Remote Access Service: A Windows server is required to properly configure the Routing and Remote Access (RRAS) service. Workstations are not supported.
§ Routing and Remote Access - IIS: If IIS is installed and enabled, the IIS service will be disabled to avoid configuration conflicts with the Remote Access service and VPN. If not, the necessary components of Microsoft Internet Information Services (IIS) will be installed.
§ Administrator privileges
Click Next.
6 Options: Ipswitch Gateway Folder: Select a location to install the Ipswitch Gateway server files, and then click Next.
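The System Check in step 5 only reports what the installer finds; it is more useful to know beforehand whether the host will pass and, in particular, whether it already runs IIS or RRAS for something else that the install would disable or conflict with. The following pre-flight script is an added example, not the installer's code: it mirrors the four System Check items above and the hardware figures in System Requirements. The OS version numbers (6.3 for Server 2012 R2, 10.0 build 14393 for Server 2016), the Windows feature and service names RemoteAccess and W3SVC, and the small tolerance on the 4 GB RAM figure are this script's assumptions, noted inline.

```powershell
# Added example, not the Ipswitch installer's code: a pre-flight check for the prospective
# Gateway server that mirrors the installer's System Check (OS version, RRAS, IIS,
# administrator privileges) and the System Requirements list (RAM, disk, cores, dual NICs).
# Run in an elevated PowerShell session on the machine that will become the Gateway server.
$ErrorActionPreference = 'Stop'
$checks = [ordered]@{}

# Operating System Version: Server 2012 R2 reports 6.3, Server 2016 reports 10.0 build 14393
# (assumed values). ProductType 1 is a workstation, which the installer rejects.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version
$checks['Server edition (not workstation)'] = ($os.ProductType -ne 1)
$checks['Windows Server 2012R2 or 2016']    = ($ver.Major -eq 6 -and $ver.Minor -eq 3) -or
                                              ($ver.Major -eq 10 -and $ver.Build -eq 14393)

# Administrator privileges: the installer must run elevated.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$checks['Running as Administrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Routing and Remote Access Service: the installer configures RRAS itself, so presence is
# informational, but a host that already runs RRAS for another purpose is a conflict to
# resolve first (the manual recommends a dedicated server). Names are the standard ones.
$rras    = Get-WindowsFeature -Name RemoteAccess
$rrasSvc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$checks['RRAS role already installed (informational)'] = [bool]$rras.Installed
$checks['RRAS service already running (review)']      = ($null -ne $rrasSvc -and $rrasSvc.Status -eq 'Running')

# Routing and Remote Access - IIS: if IIS is present and running the installer disables it,
# so anything else on this host that depends on IIS will break. Flag it.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$checks['IIS running (installer will disable it)'] = ($null -ne $w3svc -and $w3svc.Status -eq 'Running')

# System Requirements: 4 GB RAM, 40 GB disk, dual-core CPU, two NICs (recommended).
$ramGB = $os.TotalVisibleMemorySize / 1MB                 # value is in KB; KB / 1MB = GB
$checks['RAM >= 4 GB'] = $ramGB -ge 3.9                   # tolerance: firmware/OS reserve some of the 4 GB
$cores = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$checks['CPU cores >= 2'] = $cores -ge 2
$sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$checks['System disk >= 40 GB'] = ($sysDisk.Size / 1GB) -ge 40
$upNics = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$checks['Two connected NICs for external/internal split (recommended)'] = $upNics.Count -ge 2

$checks.GetEnumerator() | ForEach-Object { '{0,-62} {1}' -f $_.Key, $_.Value }
```

Every line should read True except the two RRAS lines and the IIS line, which should read False on a freshly built dedicated host; a True there means the machine is already doing something the Gateway install will disturb, and is worth understanding before clicking Next.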