Ipswitch Gateway 2017 Plus User Manual

User Guide

Contents
Release Notes (page 1)
    System Requirements (page 1)
    Version 2017 Plus Limitations (page 2)
    New Features (page 2)
    Fixed Issues (page 3)
    Known Issues and Workarounds (page 3)
Introduction (page 5)
    Web Farms and Load Balancers (page 7)
Install (page 8)
    Standard Install (page 8)
        Step 1: Install Gateway Server and Server-Side SSTP Tunnel (page 8)
        Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server (page 11)
        Step 3: Launch Gateway Configuration Interface (page 12)
        Step 4: Configure the Firewall (page 13)
            Pre-requisites (page 13)
            Notes (page 14)
            Step 1: Gateway Server Firewall Rules (page 14)
            Step 2: MOVEit Transfer Server Firewall Rules (page 16)
            Step 3: Verify Firewall Rules (page 19)
    Web Farm Install (page 21)
Upgrade (page 22)
    Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel (page 22)
    Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server (page 24)
Endpoint and Proxies (page 25)
    Remote Access (page 28)
    MOVEit Transfer Server Changes (page 28)
    Add a Proxy (page 28)
Keys and Certs (page 30)
    Import Keys (page 31)
    Delete Keys (page 32)
    Reset an SSH Key (page 32)
Settings (page 32)


Release Notes

System Requirements

Ipswitch Gateway Server:
§ Windows Server 2012 R2 or 2016
§ 4 GB RAM
§ 40 GB hard drive
§ Dual-core or faster processor
§ Dual network interface cards (1 GB/sec minimum) for separate external and internal services (recommended)
§ Production systems will benefit from additional resources, including faster, additional and multi-core processors, more RAM, hard drive capacity, and speed
§ Supported Virtualization Environments:
    § VMware vSphere (64-bit guest servers)
    § Microsoft Hyper-V (64-bit guest servers)

MOVEit Transfer Server:
§ MOVEit Transfer 2017 Plus
§ Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 (64-bit English)
§ MOVEit Mobile 1.3.1 (optional)

Version 2017 Plus Limitations

§ Lack of support for Ipswitch® Failover
§ Multiple organizations with unique IP addresses

New Features

GW-853 (HTTP Proxy): 2017 Plus introduces a new setting on the HTTP proxy, the client certificate listening port. This port accepts HTTPS requests from the user during client certificate authentication only, and after sign in, the user's session to Ipswitch Gateway goes through the normal Listen On Port number. The default client certificate listening port is 2443, which requires a firewall rule.

GW-852 (Settings): The Gateway's hostname or IP address was added to the Settings page. You may now edit this name post-installation. Doing so restarts all running HTTP proxies.

GW-838 (Install): On fresh installs, the Ipswitch Gateway installer now prompts for the hostname of the Gateway system, as viewed by end users. This is needed for processing HTTPS client certificate authentication.

GW-741 (Proxies): When adding a proxy, the Listen on IP Address or Hostname value is now prepopulated with 0.0.0.0, which directs the proxy to listen on all available addresses at the given port.

GW-726 (Client Identity): Client IP addresses and client certificates now propagate to MOVEit Transfer for all proxies. Previously, all requests to MOVEit Transfer seemed to originate from the Gateway machine, making it necessary to disable certain security-related MOVEit Transfer features, such as IP Lockouts, and sign-out logs and technical support links in MOVEit Transfer showed the Gateway IP address instead of the client IP address. For every proxy request, Ipswitch Gateway now sends to MOVEit Transfer a header that contains the IP address of the browser that is accessing Gateway. You no longer need to disable IP lockouts on the MOVEit Transfer server.

GW-47 (HTTP Proxy): Ipswitch Gateway now implements authentication to MOVEit Transfer using SSL client certificates, and SFTP public keys.

GW-72 (Licensing): Starting with the 2017 Plus release, Ipswitch Gateway must verify licensing with MOVEit Transfer before launching the Gateway Configuration Interface during Step 3 of the install, and any time the Gateway server reboots.

Fixed Issues

GW-855 (MOVEit): MOVEit Session Manager and MOVEit Logs were recognizing the Ipswitch Gateway Web Admin as the 'MOVEitXfer' interface. This issue has been fixed.

GW-842 (HTTPS): Microsoft Edge users authenticating with a client certificate must restart their computer after importing the client certificate. This is a known limitation of the Microsoft Edge browser.

GW-830 (Documentation): Updated Step 3 > step 3 > Configure Endpoint > IP Address to read "The IP address entered here should be 192.168.1.2, which is the IP address of the MOVEit Transfer server on the tunnel connection. Do NOT use the actual IP address of the MOVEit Transfer server."

GW-829 (SFTP): Ipswitch Gateway's SFTP server has been improved so it can handle more simultaneous connection requests. Previously, the SFTP server could refuse connections under heavy load.

GW-826 (Settings): A minor change was made to the message displayed when the FTP passive port range was changed.

GW-820 (Security): Previously it was possible to configure a proxy on the Gateway server to contain certain HTML tags that could be reflected back to the user in the confirmation message associated with start/stop/edit actions. This issue has been fixed.

Known Issues and Workarounds

GW-1073 (Keys and Certs): In Internet Explorer 11, when you select Keys and Certs > Import to upload a client certificate, there is no "Modified On" field.

GW-1070 (Install/Uninstall): The install does not create an item for the Gateway client under Programs and Features. To confirm that the Ipswitch Gateway Tunnel is present, go to Network and Sharing Center on the MOVEit Transfer server. To uninstall, please execute the Gateway installer directly on the MOVEit Transfer machine and select Step 2 and then select Uninstall.

GW-1068 (Uninstall): After uninstall, Gateway's IP is not removed from the MOVEit Transfer's trusted host list. To delete the Gateway IP from the trusted host list, follow these steps:
    1 Sign in to MOVEit Transfer as sysadmin.
    2 Go to Settings > System > Remote Access > SysAdmin & Trusted Hosts.
    3 Under Trusted Hosts, click Edit Access Rules.
    4 Next to the Gateway IP address (for example, 192.168.1.1), click X to delete, and then click Yes to confirm.

GW-1003 (HTTPS): By default the Outlook plugin uses port 443 to initiate a connection to MOVEit DMZ. With Gateway deployment, if a user has a client certificate requirement they will run into issues connecting to Gateway via a default Outlook plugin install.
Workaround: Change the default port in Outlook.

GW-992 (Licensing): When a MOVEit Transfer administrator installs a new license that enables Ipswitch Gateway, it can take up to fifteen minutes for Gateway to notice that a new license is available. Hence, proxies which have been stopped for licensing reasons may continue to be unavailable for up to 15 minutes. The Gateway administrator can shorten this waiting period by logging into the Ipswitch Gateway administrative interface and manually starting each proxy. To do this, for each proxy, under Actions choose Start Proxy.

GW-990 (FTP): The following specific FTP configuration on Gateway/MOVEit Transfer prevents users from accessing MOVEit Transfer through Gateway using insecure FTP:
    Allow FTP/SSL Access: Yes
    Allow Insecure FTP Access: Yes
    SSL Client Cert Required: Yes
    Password also required with SSL Client Cert: Yes
Workaround: To utilize insecure FTP, do not set both "Allow Insecure FTP Access" and "SSL Client Cert Required" to "Yes".

GW-989 (FTP): If the FTP client shuts down during file download, the connection between Gateway and MOVEit Transfer Server could remain open up to 10 minutes. If this happens more frequently than normal, it could potentially exhaust the allowed number of connections on MOVEit Transfer Server and clients can no longer make new connections until the existing open connections are closed.
Workaround: It is recommended that you use the MOVEit Transfer Config utility to change FTP Ports > Connection Limit from 32 to a larger number such as 1000, to allow an adequate number of clients to connect without reaching the limit easily.

GW-985 (Upgrade): During an upgrade, the SSTP connection drops.
Workaround: After upgrading Gateway Server, reconnect the SSTP connection by manually running the Windows scheduler task.

GW-840 (Uninstall): After uninstall, Computer Management (Win+R > compmgmt.msc) still shows Local Users and Groups > Users > GatewayVPNUser.

GW-879 (Sign In): On the MOVEit Transfer sign in page, when you click Try Automatic Signon through Gateway, you see a window that displays available certificates. If you click Cancel in this window, the browser redirects you to an error page that states "This site can't provide a secure connection" (a certificate was not provided).
Workaround: If you see this error page, press the back button to return to the sign in page, or refresh the browser page to display the available certificates again and choose the correct certificate.

GW-849 (Security): When using HTTPS client certificates through a browser, Ipswitch Gateway users may be offered to choose from more certificates than would be the case if they accessed MOVEit Transfer directly. While MOVEit Transfer instructs the browser to prompt the user only for certificates created or approved through MOVEit Transfer, Ipswitch Gateway has no such feature. Thus, users who have installed client certificates for applications other than MOVEit Transfer should ignore those certificates when making a selection from their browser's list of certificates.

GW-813 (Upgrade): Customers upgrading from a previous release should check that the new "Host Name" field is correct. This field is in the Settings tab of the administrative interface. Ipswitch Gateway provides a default value, which is often incorrect. This new setting is used for client certificate authentication.

GW-760 (Install): After Ipswitch Gateway is installed on Windows Server 2016, the Remote Access Connection Manager service will not start. This does not adversely affect the operation of Ipswitch Gateway; however, it could be a problem if the server is being used for RAS for other purposes. This is unlikely, as Ipswitch recommends that Ipswitch Gateway be run on a dedicated server. This problem does not occur when Gateway is installed on Windows Server 2012 R2.

Introduction

Ipswitch Gateway acts like a reverse proxy to provide an additional layer of security for MOVEit Transfer customers. Inbound traffic cannot come through the firewall into the trusted zone; all sessions terminate in the MOVEit Transfer network segment. The outward-facing portion of the network (typically the Internet) is separated from the MOVEit Transfer server, which is typically behind a firewall in a trusted zone on a local private network. Ipswitch Gateway exchanges authentication, credentials, files, and other data between remote clients and a MOVEit Transfer server (Endpoint) located in the trusted zone. You do not need open ports in your firewall to allow clients to communicate with MOVEit Transfer.

How it Works

During installation, a secure SSTP tunnel (virtual private network) is created from the MOVEit Transfer server to the Ipswitch Gateway computer (or virtual machine). Ipswitch Gateway then runs as a Windows Service that provides reverse proxies and forwards only encrypted traffic to the MOVEit Transfer server over the tunnel. All communications between the client and server session are encrypted and streamed through this connection. Ipswitch Gateway inspects all requests and, if the requests look valid, forwards them to the MOVEit Transfer server (Endpoint) for fulfillment. Responses from MOVEit Transfer are sent back to Ipswitch Gateway, which returns them to the user. This process is invisible to incoming clients.

Ipswitch Gateway supports the following protocols:
§ FTP (implicit and explicit)
§ SSH/SFTP
§ HTTP/HTTPS

The Ipswitch Gateway Configuration Interface provides an easy way to configure and manage these reverse proxies, their port and connection details, and current running status.

All clients supported by MOVEit Transfer are also compatible with Ipswitch Gateway.

Ipswitch Gateway also supports single, high availability, and web farm environments (on page 7).

Web Farms and Load Balancers

Ipswitch Gateway supports MOVEit Transfer web farms. A web farm is a collection of machines that each run a separate copy of MOVEit Transfer, but all copies share the same database, file system, and other resources. Web farms employ load balancers that allow an administrator to:
§ Advertise a single URL to all users, with a single SSL certificate
§ Distribute the load evenly over all application nodes to improve performance
§ Provide fault tolerance; if an application node fails, the load balancer stops routing traffic to it until it comes back up

Some MOVEit Transfer web farms might use the built-in Microsoft Windows Network Load Balancing (NLB) feature to implement load balancing. NLB allows load balancing to be added to a cluster without having a separate node in front of the worker nodes. The load balancing is built into the operating system and the feature is provided collectively by all worker nodes. Ipswitch does not support the built-in Microsoft Windows Network Load Balancer (NLB) in the initial release of Ipswitch Gateway.

Most enterprise web farm customers employ traditional load balancers from hardware vendors like Cisco and F5. The deployments below focus on this scenario.

One load balancer, many Gateways

The recommended load balancing scenario uses a single load balancer and multiple Ipswitch Gateways, each running on a separate machine. Each Ipswitch Gateway is dedicated to a specific MOVEit Transfer node. A failure of a MOVEit Transfer node, its SSTP tunnel, or its associated Ipswitch Gateway machine results in the automatic temporary removal of the node from the load balancer.

Note: The single load balancer is presumed to have high availability features that prevent it from becoming a single point of failure. This is generally a valid assumption for major load balancer vendors.

Install

Select one of the following install options:
§ Standard Install (on page 8)
§ Web Farm Install (on page 21)

Standard Install

Installation consists of the following steps:
Step 1: Install Gateway Server and Server-Side SSTP Tunnel (on page 8)
Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server (on page 11)
Step 3: Launch Gateway Configuration Interface (on page 12)
Step 4: Configure the Firewall (on page 13)

Step 1: Install Gateway Server and Server-Side SSTP Tunnel

Before you proceed, make sure the MOVEit Transfer server is installed and running.
1 On a separate machine from MOVEit Transfer, sign in with administrator credentials.
2 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the installer for Ipswitch Gateway 2017 Plus for MOVEit Transfer.
3 Open the Ipswitch Gateway installer and click Run to run the install wizard.
4 Welcome: Select Step 1: Install a Gateway server (outside firewall) and a server side SSTP tunnel. Click Next. The installer looks for prerequisite software.
5 System Check: The installer verifies the following:
    § Operating System Version: The machine must be running the Windows Server 2012 R2 or Server 2016 operating system
    § Routing and Remote Access Service: A Windows server is required to properly configure the Routing and Remote Access (RRAS) service. Workstations are not supported.
    § Routing and Remote Access - IIS: If IIS is installed and enabled, the IIS service will be disabled to avoid configuration conflicts with the Remote Access service and VPN. If not, the necessary components of Microsoft Internet Information Services (IIS) will be installed.
    § Administrator privileges
    Click Next.
6 Options: Ipswitch Gateway Folder: Select a location to install the Ipswitch Gateway server files, and then click Next.
7 Options: Gateway Configuration Interface. Designate a certificate to use as the identity of the Gateway Configuration Interface. This certificate will be presented to Gateway administrators accessing the administrative user interface via a browser.
    § X.509 (*.pfx or *.p12) certificate from your computer (recommended): Browse to locate the SSL *.pfx or *.p12 file. Since in many cases the hostname of the Gateway server will be the hostname previously assigned to a MOVEit Transfer server, you may wish to use the certificate already installed on your MOVEit Transfer server. If you need to create a *.pfx or *.p12 file from your MOVEit Transfer server, see Create a *.pfx or *.p12 File (on page 10). Enter the Certificate password in the space provided.
    § System-generated self-signed certificate: By default, the installer populates the Certificate Name field with Ipswitch Gateway (Demo). In most cases, you will simply accept the proposed value and continue. The Certificate Name value is used to populate the CN parameter in the *.pfx or *.p12 file.
    Choose the network interface and port to listen on:
    § Network Interface: Select a network interface (IP address) from the drop-down list. In most cases, you will want the Gateway to listen on All Interfaces.
    § Port: Enter the TCP port to which Gateway administrators will connect with a browser to administer Ipswitch Gateway. It is recommended that you accept the default of 9443. When configuring the TCP port for the administrative interface, do not choose a port number that is likely to already be in use by the system, such as 10043. The default, 9443, is a good choice for most systems.
    Click Next.
8 Options: Service User Account: Designate which account Ipswitch Gateway should use to run the Gateway service process:
    § Local System account
    § Different account: Enter the username and password of the different account.
    Click Next.
9 Options: Certificate for the SSTP Tunnel: Designate a certificate to use for the Secure Socket Tunneling Protocol (SSTP) connection:
    § System-generated self-signed certificate: For Certificate Name, enter the IP address or hostname that will be used to connect to this machine from the MOVEit Transfer server.
    § Certificate from the certificate manager: Select an existing certificate from the drop-down list. Public keys will not be shown here. Optionally click View Details to see detailed information about that certificate, in case you need to distinguish between certificates with the same name.
    Click Next.
10 Options: SSTP Tunnel Credentials: Enter a password for the GatewayVPNUser account that will run the SSTP tunnel. If the account does not exist, a new account will be created using these credentials.
    Important: Write down these credentials. You will need them in subsequent steps.
    Click Next.
11 Options: Gateway Server Hostname: Enter a fully-qualified domain name of the Gateway machine. This is used to create HTTP redirects and is currently used only for client certificate authentication. This hostname should be visible to web browsers accessing the Gateway system. You can edit the name later if required. Doing so will restart all running HTTP proxies.
12 Ready to Install: Verify the installation setup, and then click Install. After a few moments, the installation is complete.
13 Click Finish.
    Note: Your web browser may attempt to open the Gateway Configuration Interface at this point. You will return to the Gateway Configuration Interface after Step 2 (on page 11).
    Note: When you see the Enable Windows Firewall prompt, ignore it for now. You will configure the firewall in Step 4 (on page 13).
14 On the Gateway server, open Network Policy Server.
15 Expand Policies and select Connection Request Policies.
16 Right-click on Microsoft Routing and Remote Access Server Policy and select Properties.
17 Go to the Settings tab.
18 Select Authentication Methods.
19 Select Override network policy authentication settings (if not selected).
20 Make sure that Microsoft: Secured password (EAP-MSCHAPv2) is enabled under EAP Types.
Proceed to Step 2 (on page 11).

Create a *.pfx or *.p12 File

If you need to create a .cer file, follow these steps:
1 Run Internet Information Server (IIS) Manager on the MOVEit Transfer machine.
2 In the left pane, navigate to Sites, and then the name of your MOVEit Transfer website. In most cases, that is "moveitdmz".
3 In the right pane, choose Bindings...
4 In the Site Bindings dialog, choose https.
5 Choose Edit...
6 In the Edit Site Binding dialog, choose SSL Certificate | View...
7 In the Certificate dialog, choose the Details tab.
8 Choose Copy to File...
9 In the Certificate Export Wizard, choose Next.
10 In the Export Private Key window, choose Yes and choose Next.
11 In the Export File Format window, choose PKCS#12 and choose Next.
12 Enter the password.
13 In the File to Export window, choose Browse...
14 In the Save As dialog, select a directory and enter a filename to which the certificate should be saved, such as moveittransfer.pfx.
15 Choose Save.
16 In the File to Export window, choose Next.
17 In the Completing the Certificate Export Wizard window, choose Finish.
18 In the Certificate Export Wizard popup, choose OK.
19 In the Certificate dialog, choose OK to dismiss the dialog.
20 In the Edit Site Binding dialog, choose Cancel to dismiss the dialog.
21 In the Site Bindings dialog, choose Close to close the dialog.
22 Upload the file to MOVEit Transfer, and then download the file on the Ipswitch Gateway machine.

Step 2: Install Client-Side SSTP Tunnel on a MOVEit Transfer Server

1 Sign in to the MOVEit Transfer server with administrator credentials.
2 Go to the Customer Portal (https://ipswitchft.secure.force.com/cp/CPHome) and download the installer for Ipswitch Gateway for MOVEit Transfer.
3 Open the Ipswitch Gateway installer and click Run to run the install wizard.
4 Step 2: Install a client side SSTP Tunnel on your existing MOVEit Transfer server is preselected. Click Next.
5 System Check: The installer verifies that you have Administrator Privileges.
    Note: If you chose to use a self-signed certificate during the Ipswitch Gateway Tunnel server installation, you must import that certificate from the server computer into this computer's certificate store before continuing with the installation.
    Click Next.
6 Options: Connect SSTP tunnel to Gateway Server. Enter the Gateway Server Address or hostname to establish a connection.
    Important: What you enter here must be identical to what you entered for IP address or hostname in Step 1 (on page 8): Options: Gateway Configuration Interface > System-generated self-signed certificate > Certificate Name.
    Click Next.
7 If the SSTP certificate does not exist on the client-side machine, you must choose to either trust and import the SSTP certificate from the Ipswitch Gateway Tunnel, or not trust and not import it:
    § I trust this certificate. Import this certificate into the local trusted certificate store: Automatically imports and trusts the SSTP certificate.
    § I do not trust this certificate. Do not import this certificate: Does not import the SSTP certificate. You must import the certificate manually. (This option is not often used. Situations where you might select this option include importing the certificate manually to prevent the software from importing a certificate from a man-in-the-middle attack, or changing certificates after installation.)
8 Options: SSTP Tunnel Credentials: Enter the SSTP Tunnel Credentials that you wrote down at the end of Step 1 (on page 8). An account will be created that will run the SSTP tunnel.
    Note: If the Gateway Server computer requires a domain name during connection, enter Domainname\GatewayVPNUser instead of GatewayVPNUser.
    Click Next.
9 Options: Scheduled Task Context Account: Enter the credentials for an existing local Windows account. This account will be used to initiate and monitor the SSTP tunnel. This user will be used as a context user by the scheduled task that will start and monitor the Gateway Tunnel Connection.
10 Ready to Install: Verify the installation setup, and then click Install. After a few moments, installation is complete.
11 Click Finish.
12 Next, you may need to manually start the VPN tunnel connection. On the MOVEit Transfer server, open Network Connections.
13 Right-click Ipswitch Gateway Tunnel and select Properties.
14 Select the Security tab.
15 For Authentication, select Use Extensible Authentication Protocol and select Microsoft: Secured password (EAP-MSCHAPv2) (encryption enabled) from the drop-down list.
16 Open Administrative Tools > Task Scheduler.
17 Select Task Scheduler Library in the left panel.
18 Right-click the task named Ipswitch Gateway Tunnel connect and select Run. This will attempt to start the tunnel connection.
    Important: Do NOT connect manually through the Network and Sharing Center or the connection will drop when the user logs out.
Next, go to Step 3 (on page 12).

Step 3: Launch Gateway Configuration Interface

1 Return to the Ipswitch Gateway server.
2 If a web browser opened the Gateway Configuration Interface at the end of Step 1 (on page 8), go to that web page now and press the click here link. If the web page did not open at the end of Step 1, open a web browser and go to https://localhost:portnumber, where portnumber is the port you selected at the end of Step 1.
    A page launches where you will configure the first Endpoint. If your connection is not secure, click Advanced, Add Exception in your browser, and then Confirm Security Exception (Firefox steps shown; take similar steps for other browsers).
    Note: You cannot perform this step remotely. You must be on the Ipswitch Gateway server to set up the first Endpoint.
3 Configure Endpoint: Enter information about a MOVEit Transfer server (Endpoint).
    § IP Address: The IP address entered here should be 192.168.1.2, which is the IP address of the MOVEit Transfer server on the tunnel connection. Do NOT use the actual IP address of the MOVEit Transfer server.
    § Port (443 is the default)
    § Expected Host Name (optional)
    § Host Name Verification Policy:
        • Default: The server you connect to must have a cert that matches one of the hostnames listed. A wildcard can occur in the common name (CN), and in any of the subject-alts. The one divergence from IE6 is that we only check the first CN.
        • AllowAll: Allows you to connect to any server without performing a hostname check. For testing purposes only; do not use in a production environment.
    § Virtual Path (optional): Enter the virtual path if you've set up MOVEit Transfer to run as a virtual directory in IIS. For example, moveitdmz on a virtual machine.
    Click Submit. Note that the MOVEit Transfer server's IP address and host name (if present) display at the top of the configuration page now.
4 Verifying:
    Verify the MOVEit Transfer Server SSL Certificate(s). Review the server certificate details for authenticity:
    § Key Type
    § Host Names
    § Issuer
    § Subject
    § Serial Number
    § Valid From
    § Expires
    Click Trust to perform the SSL handshake. The verification process checks connection status, trusts SSL certs, validates the MOVEit Transfer Endpoint, and logs in to MOVEit Transfer.
    If you encounter a trust error, you will see the conflicting certificate chains with the new certificate on the left and the existing certificate from the Trust Store on the right. At this point you can either click Reset Endpoint to delete the Endpoint and start over, or click Override to accept the mismatched certificate chain. The new certificate becomes trusted and verification continues to the next step.
    Gateway License Validation: Ipswitch Gateway 2017 Plus requires that your MOVEit Transfer server have a new license with Gateway enabled. This is true for both fresh installs and upgrades. If you have not yet installed this new MOVEit license, you will see the message "License Not Found." You will be prompted to upgrade your MOVEit Transfer license and Retry.
    Log in to the MOVEit Transfer server as sysadmin or orgadmin and click Submit.
    After checking ciphers, the Endpoint is verified. The verification process will reoccur automatically whenever the system reboots.
5 Click Login to Gateway and sign in as sysadmin or orgadmin.
    You can Re-Verify or Delete the Endpoint you just created from the sign in screen. You might need to do this at a later point if the MOVEit Transfer server's certificate identity changes or the MOVEit Transfer server location moves from one machine to another.
Next, Configure Endpoint and Proxies (on page 25).
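The Host Name Verification Policy in step 3 above is easy to misjudge when a certificate carries several common names. The PowerShell below is an added example, not code from the Ipswitch guide or from the Gateway product, that models the two policies as the guide describes them (Default checks the first CN plus every subject-alt name, with wildcards allowed; AllowAll performs no check). Function names, the sample host names and the exact wildcard rule (a "*" only as the whole left-most label, standing for exactly one label) are my assumptions, since the guide does not spell the wildcard semantics out.

```powershell
# Added example: a model of the Endpoint "Host Name Verification Policy"
# described in Step 3. Not from the Ipswitch guide; names and the wildcard
# rule are assumptions.

function Test-GatewayNamePattern {
    param([string] $Pattern, [string] $HostName)

    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()

    # No wildcard: the names must be identical.
    if (-not $p.Contains('*')) { return ($p -eq $h) }

    # Assumed rule: a wildcard is honoured only as "*.domain".
    if (-not $p.StartsWith('*.')) { return $false }
    $suffix = $p.Substring(1)                         # ".example.com"
    if (-not $h.EndsWith($suffix)) { return $false }

    # The part the "*" stands for must be exactly one non-empty label,
    # so *.example.com covers moveit.example.com but not a.moveit.example.com.
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

function Test-GatewayEndpointHostName {
    param(
        [Parameter(Mandatory)] [string] $ExpectedHostName,
        [string[]] $CommonNames     = @(),   # CN values in certificate order
        [string[]] $SubjectAltNames = @(),   # DNS subject-alt names
        [ValidateSet('Default', 'AllowAll')] [string] $Policy = 'Default'
    )

    # AllowAll performs no check at all; the guide limits it to testing.
    if ($Policy -eq 'AllowAll') { return $true }

    # Default: only the FIRST CN is consulted, plus every subject-alt name.
    $candidates = @()
    if ($CommonNames.Count -gt 0) { $candidates += $CommonNames[0] }
    $candidates += $SubjectAltNames

    foreach ($pattern in $candidates) {
        if (Test-GatewayNamePattern -Pattern $pattern -HostName $ExpectedHostName) {
            return $true
        }
    }
    return $false
}

# Constructed sample certificates; none of these host names come from the guide.
$expected = 'moveit.example.com'
$cases = @(
    @{ Label = 'exact CN';             CN = @('moveit.example.com');                        SAN = @() },
    @{ Label = 'wildcard CN';          CN = @('*.example.com');                             SAN = @() },
    @{ Label = 'match only in 2nd CN'; CN = @('gateway.example.com', 'moveit.example.com'); SAN = @() },
    @{ Label = 'match in SAN';         CN = @('gateway.example.com');                       SAN = @('*.example.com') },
    @{ Label = 'wildcard too deep';    CN = @('*.example.com');                             SAN = @(); HostOverride = 'a.moveit.example.com' }
)
foreach ($c in $cases) {
    $hostName = if ($c.HostOverride) { $c.HostOverride } else { $expected }
    $ok = Test-GatewayEndpointHostName -ExpectedHostName $hostName -CommonNames $c.CN -SubjectAltNames $c.SAN
    '{0,-22} Default policy accepts: {1}' -f $c.Label, $ok
}
'AllowAll accepts an unrelated name: {0}' -f (Test-GatewayEndpointHostName -ExpectedHostName $expected -CommonNames @('unrelated.example.net') -Policy AllowAll)
```

The "match only in 2nd CN" case is the one to notice: because the Default policy reads only the first CN, a server certificate whose matching name sits in a later CN is rejected unless the name also appears as a subject-alt name, which is where a modern certificate puts it anyway. The last line shows why AllowAll belongs in a lab only: it accepts any certificate name.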
Step 4: Configure the Firewall

Pre-requisites

§ Gateway server has been successfully installed and configured in the DMZ according to the Gateway installation documentation: http://docs.ipswitch.com/MOVEit/Gateway2017Plus/Help/
§ MOVEit Transfer server has been successfully installed and configured in the network trusted zone according to the MOVEit Transfer installation documentation: http://docs.ipswitch.com/MOVEit/DMZ95/Help/Admin/en/
§ SSTP VPN tunnel has been successfully installed and configured according to the Gateway installation documentation.

Notes

§ The MOVEit Transfer public rule to block all public incoming connections is recommended to override any other rules the user may have set up, possibly including rules created by the MOVEit Transfer installer. "Block" rules take precedence over "Allow" rules.
§ Internal users will be able to access MOVEit Transfer directly if there is a second interface that is marked as private by Windows. Note that network interfaces, including the one used to connect to Gateway, are created as public by default in Windows. So the customer would have to go out of their way to mark the second interface (if any) as private. Incoming connections through the tunnel are regarded as private.

Step 1: Gateway Server Firewall Rules

Note: The examples shown below were created using the Windows Firewall with Advanced Security. If using a generic (non-Windows) firewall, see Generic Firewall Rules (on page 21).
1 Create public network inbound port rules to allow incoming connections for the following ports:
    a) Port 21 (FTPS Explicit)
    b) Port 22 (SSH)
    c) Port 443 (HTTPS)
    d) Port 2443 (HTTPS with client certificates)
    e) Port 80 (HTTP)
    f) Port 990 (FTPS Implicit)
    g) Ports 3000-3100 (FTPS Data)
    h) Port 10443 (SSTP Tunnel)
2 Under the Scope tab, modify the Remote IP Address for port 10443 to only allow connections from the MOVEit Transfer server IP address (for example, 192.168.196.237).
3 Verify that the firewall state is enabled for public network locations.

Step 2: MOVEit Transfer Server Firewall Rules

1 Modify the pre-defined inbound port rules for the following ports and set them to only apply to the private network profile.
    a) MOVEit DMZ FTP
    b) MOVEit DMZ SSH
    c) World Wide Web Services (HTTP Traffic-In)
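The firewall work in Step 1 and Step 2 above, plus the "block all public incoming connections" rule from the Notes section, can be scripted instead of clicked through. The PowerShell below is an added example, not from the Ipswitch guide, using the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallRule, Set-NetFirewallProfile) that ship with Windows Server 2012 R2 and 2016. Run each half in an elevated session on the server it applies to; the rule display names are my choice, the MOVEit Transfer address is the guide's example value, and the three pre-defined rule names are the ones the guide lists.

```powershell
# Added example: scripted form of the firewall rules in Step 1 and Step 2.
# Not from the Ipswitch guide; display names are assumptions.

# ---------- Gateway server (Step 1): public-profile inbound allow rules ----------
$MoveitTransferIp = '192.168.196.237'   # example address from the guide; replace

$gatewayPorts = @(
    @{ Name = 'Gateway FTPS Explicit';      Port = '21'        },
    @{ Name = 'Gateway SSH';                Port = '22'        },
    @{ Name = 'Gateway HTTPS';              Port = '443'       },
    @{ Name = 'Gateway HTTPS client certs'; Port = '2443'      },
    @{ Name = 'Gateway HTTP';               Port = '80'        },
    @{ Name = 'Gateway FTPS Implicit';      Port = '990'       },
    @{ Name = 'Gateway FTPS Data';          Port = '3000-3100' }
)
foreach ($r in $gatewayPorts) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -Profile Public -Action Allow | Out-Null
}

# Port 10443 carries the SSTP tunnel. Scoping RemoteAddress to the MOVEit
# Transfer server (step 2 of the guide) keeps the tunnel listener unreachable
# from anywhere else on the public side.
New-NetFirewallRule -DisplayName 'Gateway SSTP Tunnel' -Direction Inbound -Protocol TCP `
    -LocalPort 10443 -RemoteAddress $MoveitTransferIp -Profile Public -Action Allow | Out-Null

# Step 3 of the guide's Gateway rules: the public profile must be enforcing.
Set-NetFirewallProfile -Profile Public -Enabled True

# Review what was created: port and remote scope per rule.
Get-NetFirewallRule -DisplayName 'Gateway *' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Profile = $_.Profile
        Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize

# ---------- MOVEit Transfer server (Step 2): private profile only ----------
# The installer's pre-defined rules are narrowed to the Private profile, so they
# no longer match the Gateway-facing interface (public by default in Windows);
# traffic arriving through the SSTP tunnel is treated as private.
foreach ($name in 'MOVEit DMZ FTP', 'MOVEit DMZ SSH', 'World Wide Web Services (HTTP Traffic-In)') {
    Set-NetFirewallRule -DisplayName $name -Profile Private
}

# The "block all public incoming connections" rule from the Notes section:
# a Block rule wins over any stray Allow rule left on the public profile.
New-NetFirewallRule -DisplayName 'MOVEit Transfer - Block all public inbound' `
    -Direction Inbound -Profile Public -Action Block | Out-Null
```

The table printed at the end of the Gateway half is the check worth keeping: every rule should show Profile Public, the expected LocalPort, and RemoteAddress Any except for the SSTP Tunnel rule, which should show only the MOVEit Transfer address. On the MOVEit Transfer side, the block rule is deliberately protocol-agnostic so that it catches any inbound public-profile rule the guide's list does not mention.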