Ipswitch Gateway 2017 plus User manual

UserGuide

Contents

Release Notes 1

SystemRequirements..................................................................................................................................................1

Version 2017 Plus Limitations ...................................................................................................................................2

New Features ...............................................................................................................................................................2

Fixed Issues..................................................................................................................................................................3

Known Issues andWorkarounds................................................................................................................................3

Introduction 5

Web Farms and Load Balancers.................................................................................................................................7

Install 8

Standard Install............................................................................................................................................................8

Step 1: Install Gateway Serverand Server-Side SSTPTunnel....................................................................8

Step 2: Install Client-Side SSTP Tunnel on aMOVEit Transfer Server...................................................11

Step 3: Launch Gateway Configuration Interface.......................................................................................12

Step 4: Configurethe Firewall......................................................................................................................13

Pre-requis ites .............................................................................................................................................................13

Notes...........................................................................................................................................................................14

Step 1: Gateway Server Firewall Rules...................................................................................................................14

Step 2: MOVEit Transfer Server Firewall Rules....................................................................................................16

Step 3: Verify Firewall Rules ...................................................................................................................................19

Web FarmInstall.......................................................................................................................................................21

Upgrade 22

Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel..........................................................................22

Step 2:Upgrade Client-Side SSTP Tunnelon aMOVEit Transfer Server...........................................................24

Endpointand Proxies 25

RemoteAccess...........................................................................................................................................................28

MOVEit Transfer Server Changes...........................................................................................................................28

Adda Proxy ...............................................................................................................................................................28

Keys and Certs 30

Import Keys...............................................................................................................................................................31

Delete Keys................................................................................................................................................................32

Resetan SSH Key.....................................................................................................................................................32

Settings 32

SystemRequirements

Ipswitch Gateway Server:

§Windows Server 2012R2 or 2016

§4 GB RAM

§40 GB hard drive

§Dual-core or faster processor

§Dual network interface cards(1GB/sec minimum) for separate externaland internalservices

(recommended)

§Production systems willbenefit from additional resources,including faster, additionaland multi-core

processors, more RAM, hard drive capacity, and speed

§Supported Virtualization Environments:

§VMware vSphere (64-bit guest servers)

§Microsoft Hyper-V (64-bit guest servers)

Release Notes

2 IpswitchGatewayUser'sGuide

MOVEitTransfer Server:

§MOVEit Transfer 2017 Plus

§Windows Server 2016, Windows Server 2012 R2, Windows Server2012, or Windows Server 2008

R2 (64-bit English)

§MOVEit Mobile 1.3.1 (optional)

Version2017Plus Limitations

§Lack of support for Ipswitch® Failover

§Multiple organizations with unique IP addresses

NewFeatures

ID Category Issue

GW-853

HTTPProxy

2017 Plus introducesanewsettingon theHTTPproxy,theclient

certificatelisteningport.This portacceptsHTTPSrequests fromtheuser

duringclientcertificateauthenticationonly,andaftersignin,theuser's

sessiontoIpswitchGatewaygoesthroughthenormalListenOnPort

number.Thedefaultclientcertificatelisteningportis 2443, whichrequires

a firewall rule.

GW-852 Settings

TheGateway's hostnameorIPaddresswasaddedto theSettingspage.You

may nowedit this namepost-installation. Doing sorestartsallrunning

HTTPproxies.

GW-838 Install Onfreshinstalls,theIpswitchGatewayinstallernowpromptsforthe

hostnameoftheGatewaysystem,as viewedby endusers.Thisis needed

for processingHTTPSclientcertificate authentication.

GW-741

Proxies

Whenaddingaproxy,theListenon IPAddressorHostnamevalueis now

prepopulatedwith0.0.0.0, whichdirects theproxytolistenon allavailable

addressesatthegivenport.

GW-726

Client Identity

Client IP addressesandclient certificatesnowpropagatetoMOVEit

Transferforall proxies.Previously,allrequeststo MOVEit Transfer

seemedtooriginatefromtheGatewaymachine,makingit necessaryto

disablecertain securityrelatedMOVEittransferfeatures,suchas IP

Lockouts,andsignout logs andtechnicalsupport links in MOVEit

Transfershowed theGateway IPaddressinsteadoftheclientIPaddress.

Foreveryproxyrequest,IpswitchGatewaynowsendstoMOVEitTransfer

a headerthat containstheIPaddressofthebrowserthatis accessing

Gateway.YounolongerneedtodisableIPlockoutsontheMOVEit

Transferserver.

GW-47 HTTPProxy Ipswitch Gatewaynowimplements authenticationtoMOVEitTransfer

using SSLclient certificates,andSFTPpublickeys.

ReleaseNotes 3

GW-72 Licensing Startingwith the2017Plus release,IpswitchGatewaymustverify

licensing with MOVEitTransferbeforelaunchingtheGateway

ConfigurationInterfaceduringStep3oftheinstall,andanytimethe

Gateway serverreboots.

FixedIssues

Category

Issue

GW-855

MOVEit

OVEit SessionManagerandMOVEit Logs wererecognizing the

IpswitchGatewayWebAdmin as 'MOVEitXfer' interface.This issue

has beenfixed.

GW-842 HTTPS MicrosoftEdgeusersauthenticatingwith aclientcertificatemust

restart theircomputerafterimporting the clientcertificate. This is a

knownlimitationoftheMicrosoftEdgebrowser.

GW-830 Documentation

UpdatedStep3>step3>ConfigureEndpoint>IPAddresstoread

"The IP address enteredhere should be192.168.1.2, which is the IP

address oft

heMOVEitTransferserveronthetunnelconnection.Do

NOT usetheactualIPaddressoftheMOVEitTransferserver.

GW-829 SFTP IpswitchGateway'sSFTPserverhasbeen improvedsoitcan handle

more simultaneousconnectionrequests.Previously,theSFTPserver

couldrefuseconnectionsunderheavyload.

GW-826 Settings A minor changewasmadeto themessagedisplayedwhentheFTP

passiveportrangewas changed.

GW-820 Security

Previouslyit was possibletoconfigureaproxyon theGatewayserver

tocont

aincertain HTMLtagsthat couldbereflectedbackto theuser

in theconfirmationmessageassociatedwithstart/stop/editactions.

This issuehasbeenfixed.

KnownIssuesandWorkarounds

ID Category Issue

GW-1073

Keys and Certs

In Internet Explorer11,

whenyou selectKeys and Certs>Import to

upload aclient certificate,thereis no"ModifiedOn"field.

GW-1070 Install/ Uninstall Theinstalldoesnotcreatean itemfortheGateway clientunder

Programs andFeatures.ToconfirmthattheIpswitchGateway

Tunnelis present,gotoNetworkandSharing Centeronthe

MOVEit Transferserver.Touninstall,pleaseexecutetheGateway

installerdirectly ontheMOVEitTransfermachineand selectStep2

andthenselectUninstall.

4 IpswitchGatewayUser'sGuide

GW-1068 Uninstall Afteruninstall,Gateway'sIPis notremovedfromtheMOVEit

Transfer's trustedhostlist.TodeletetheGatewayIPfromthe

trustedhostlist,followthesesteps:

1 Sign in to MOVEit Transfer as sysadmin.

Go to Settings > System > RemoteAccess > SysAdmin &

Trusted Hosts.

3 Under Trusted Hosts, click Edit Access Rules.

4 Next to the Gateway IP address (for example,

192.168.1.1), click X to delete, and then click Yes to

confirm.

GW-1003 HTTPS

By defaulttheOutlookpluginusesport443toinitiateaconnection

to MOVEit DMZ.WithGatewaydeployment,ifa userhas aclient

certificaterequirementtheywill run intoissuesconnectingto

Gatewayviaa defaultOutlookplugininstall.

Workaround:ChangethedefaultportinOutlook.

GW-992

Licensing

When aMOVEit Transferadministrator installs a newlicense that

enables IpswitchGateway,itcan takeup tofifteen minutesfor

Gateway tonoticethatanewlicenseis available.Hence,proxies

whichhavebeenstoppedforlicensingreasonsmaycontinuetobe

unavailableforupto15minutes.TheGatewayadministratorcan

shortenthiswaitingperiodbyloggingintotheIpswitchGateway

administrativeinterfaceandmanuallystartingeachproxy.Todo

this,foreachproxy,underActionschooseStart Proxy.

GW-990 FTP ThefollowingspecificFTPconfigurationon Gateway/MOVEit

TransferpreventsusersfromaccessingMOVEit Transferthrough

GatewayusinginsecureFTP:

AllowFTP/SSLAccess:Yes

AllowInsecureFTPAccess:Yes

SSL ClientCert Required:Yes

Passwordalsorequiredwith SSLClient Cert: Yes

Workaround:ToutilizeinsecureFTP,donotsetboth“Allow

InsecureFTPAccess”and“SSLClientCert Required”to“Yes”.

GW-989 FTP

IftheFTP clientshutsdownduringfiledownload,theconnection

between GatewayandMOVEitTransferServercouldremainopen

upto10 minutes.Ifthis happensmorefrequently thannormal,it

couldpotentially exhausttheallowednumberofconnections on

MOVEit TransferServerandclientscanno longermakenew

connectionsuntiltheexistingopenconnectionsareclosed.

Workaround

:It is recommendedthatyouusetheMOVEitTransfer

Config utilitytochangeFTPPorts >Connection Limit from32 to a

largernumbersuchas1000,toallowanadequatenumberofclients

toconnectwithoutreachingthelimiteasily.

GW-985 Upgrade Duringanupgrade,theSSTPconnectiondrops.

Workaround

:AfterupgradingGatewayServer,reconnecttheSSTP

connectionbymanuallyrunningtheWindowsschedulertask.

GW-840 Uninstall Afteruninstall,ComputerManagment(win+R>compmgmt.msc)

still showsLocalUsersand Groups >Users>GatewayVPNUser.

Introduction 5

GW-879 SignIn OntheMOVEit Transfersigninpage,whenyouclick

TryAutomatic

Signon

through Gateway,youseeawindowthatdisplays available

certificates.Ifyou clickCancelin this w

indow,thebrowserredirects

youtoanerrorpagethatstates "Thissitecan'tprovideasecure

connection"(acertificatewas not provided).

Workaround:Ifyouseethis errorpage,pressthebackbutton to

returntothesigninpageorrefreshthebrowserpage todisplay the

availablecertificatesagainand choosethecorrectcertificate.

GW-849 Security

WhenusingHTTPSclientcertificatesthroughabrowser,Ipswitch

Gateway usersmaybeofferedbeofferedtochoosefrommore

certificates than wouldbethecaseifthey accessedMOVEit

Transfer directly.While MOVEit Transfer instructs the browserto

prompttheuseronly forcertificates createdorapprovedthrough

MOVEit Transfer,IpswitchGatewayhasnosuchfeature.Thus,

users whohaveinstalled client certificates forapplications other

thanMOVEit Transfershouldignorethosecertificateswhenmaking

a selectionfromtheirbrowser'slistofcertificates.

GW-813 Upgrade

Customers upgradingfroma previousreleaseshould checkthatthe

new"Host Name" field is correct. This field is in the Settings tabof

theadministrativeinterface.IpswitchGatewayprovidesadefault

value,whichis oftenincorrect.Thisnewsetting is usedforclient

certificateauthentication.

GW-760 Install AfterIpswitch Gatewayis installed on WindowsServer2016, the

RemoteAccess ConnectionManagerservicewillnotstart.This

does notadverselyaffecttheoperationofIpswitchGateway;

however,itcould beaproblemiftheserveris being usedforRAS

forotherpurposes.T

his is unlikely,as Ipswitchrecommendsthat

IpswitchGatewayberunonadedicatedserver.

This problemdoesnotoccurwhenGatewayis installedonWindows

Server 2012R2.

Introduction

6 IpswitchGatewayUser'sGuide

Ipswitch Gateway actslike a reverse proxy to provide an additional layer of securityfor MOVEit Transfer

customers.Inboundtraffic cannot come through the firewallinto the trusted zone; all sessions terminate in

the MOVEit Transfer network segment. The outward-facing portion of the network (typically the Internet)

is separated from the MOVEit Transfer server, which is typically behind a firewall in a trusted zone on a

local private network. Ipswitch Gateway exchangesauthentication, credentials, files, and other data

between remote clients and a MOVEit Transfer server (Endpoint) located in the trusted zone. You do not

need open ports in your firewallto allow clients to communicate with MOVEit Transfer.

How it Works

During installation, a secure SSTP tunnel(virtualprivate network) is created from the MOVEit Transfer

server to the Ipswitch Gateway computer(or virtualmachine). Ipswitch Gateway then runs as a Windows

Service that provides reverse proxies and forwards only encrypted traffic to the MOVEit Transfer server

over the tunnel. All communications between the client and server session are encrypted and streamed

through this connection. Ipswitch Gateway inspects allrequests and if the requests look valid, forwards

them to the MOVEit Transfer server(Endpoint) for fulfillment. Responses fromMOVEit Transfer are sent

back to Ipswitch Gateway, which returnsthem to the user. This process is invisible to incoming clients.

Ipswitch Gateway supports the following protocols:

§FTP (Implicit and explicit)

§SSH/SFTP

§HTTP/HTTPS

The Ipswitch Gateway Configuration Interface provides an easy way to configure and manage these

reverse proxies, their port and connection details, and current running status.

All clients supported by MOVEit Transfer are also compatible with Ipswitch Gateway:

Ipswitch Gateway also supports single, high availability, and web farm environments(on page 7).

Table of contents

Popular Server manuals by other brands

HP Tc2120 - Server - 256 MB RAM installation guide

Lenovo

Lenovo ThinkServer RD230 manual

Avocent

Avocent CPS810 Installer/user guide

Dell

Dell PowerEdge R6615 Installation and service manual

FreeWave

FreeWave HT2+ installation guide

GIGA-BYTE TECHNOLOGY

GIGA-BYTE TECHNOLOGY G492-Z50 user manual

Lanner

Lanner HTCA-E400 user manual

Bull

Bull NovaScale T840 E2 user guide

Asus

Asus RS740-E70RS24-EG Configuration guide

Meinberg

Meinberg LANTIME M300/TCR manual 

HP ProLiant SL335s G7 Maintenance and service guide

ZyXEL Communications

ZyXEL Communications VANTAGE RADIUS 50 user guide

Lantronix

Lantronix xDirect-IAP quick start guide

Fujitsu

Fujitsu PRIMEQUEST 2400E3 General description

IBM

IBM 9040-MR9 manual

IBM

IBM 306m - eServer xSeries - 8849 user guide

green hippo

green hippo Hippotizer Nevis+ quick start guide

IBM

IBM 8203-E4A Brochure & specs

Ipswitch Gateway 2017 Plus User manual

Popular Server manuals by other brands