FTP - Configuration
The MOVEit DMZ Configuration Utility program is used to
configure the MOVEit DMZ FTP server.
(Users, groups, folder settings and the like are generally maintained through the Web Interface or MOVEit DMZ API.)
Run the configuration program by choosing the Start menu shortcut
"MOVEit DMZ Config" This program uses a tabbed dialog to group the settings
by function.
MOVEit DMZ FTP will immediately apply configuration changes the next time a
new connection is received.
Exception: If changes are made to the FTP explicit or implicit ports, the MOVEit DMZ FTP service must be restarted for these
changes to take effect.
Control Ports
- Explicit:The default for the explicit FTP port is
21, the value used by most FTP servers.
The explicit port requires the use of the AUTH command for TLS-C or TLS-P secure
communication. Set to "0" to disable this port and type of FTP over SSL.
- Implicit: The default port for implicit secure FTP is 990.
The implicit port is for FTP clients that negotiate a secure connection
immediately at startup. Set to "0" to disable this port and type of FTP over SSL.
- Client Certs Explicit:
The "client certs" explicit port is like the regular "explicit port"
except it requires all connecting FTP clients to authenticate with an SSL
client certificate.
Set to "0" to disable this port and type of FTP over SSL.
- Client Certs Implicit:
The "client certs" implicit port is like the regular "implicit port"
except it requires all connecting FTP clients to authenticate with an SSL
client certificate.
Set to "0" to disable this port and type of FTP over SSL.
Data Ports
- Active: The active TCP port is the local TCP port from which active mode data connections
to remote clients will be initiated.
When not running in passive mode, FTP servers connect to clients to
transfer data. Most FTP servers use a randomly-assigned local port number for this
purpose. (The local port number is the TCP port number from which connections
are made.) This works fine for many sites, but some sites have restrictive rules
configured on their firewalls. MoveIT DMZ FTP allows you to tell the FTP server to
always use the same port number on the initiating end of the connection. A typical
value for this obscure setting is 20 for explicit FTP or 989 for implicit. You
can only choose one of those two values, however. If you want the usual behavior of a
randomly-assigned port number, use a setting of 0. If you are in doubt, just use the
setting of 20.
- Passive Range: This is a feature which helps sites which position a firewall between the MOVEit DMZ FTP computer
and end users. (i.e., almost everyone)
When running in passive mode, FTP dynamically creates ports on
which it listens for data connections from the remote FTP clients. In order to
accommodate this behavior, network administrators must allow incoming connections on these
ports. The port numbers used for this purpose are normally greater than 1023, but
otherwise cannot be predicted in advance. And because sessions are encrypted, there
is no way for even a smart firewall to learn the port numbers on-the-fly. Hence,
firewalls must normally be configured to allow outside users to connect to any port
greater than 1023.
To address this, MOVEIT DMZ FTP provides an option to enforce the
range of ports that it will choose when in passive mode. If you choose this option,
you must select a range of ports on which FTP will listen for data connections; for
instance, 2000-2200.
The advantage of this option is that is allows your network administrator to
"open up" only a limited range of ports to which remote FTP clients can
connect. This provides a modest increase in security on your site (when compared to opening up 64,000 or even just 4,000 ports!).
By default, the configured range is 3000-3003.
Most sites will want to keep this range down to 4-100 consecutive ports.
(The range used by most Windows client applications is 1024-5000).
- Enforce passive port range: Check this to enforce the range configured above.
(Otherwise, a port range of 1024-5000 will apply.)
Miscellaneous Settings
- Bind to IP Address: Leave blank to bind to all available IP addresses (default).
Enter a specific IP address to bind the FTP server (both explicit and implicit ports) to a specific IP address.
- Connection Limit: The maximum number of control connections the FTP server
will listen to at any particular time. The default is 32. Be sure to set this number
to a value larger than the number of FTP ports in your passive range.
- Require passive transfers: Check this to disallow active mode data connections.
Most sites will want to check this option unless a significant number of their FTP clients
use CCC and all firewalls involve know how to dynamically open FTP data ports.
- Allow CCC command: This option (disabled by default) allows the FTP over SSL interface to support the Cleartext Command Channel "CCC" command.
This allows the FTP/SSL command channel to switch back from an encrypted channel to cleartext after a username and password have been safely sent and interpreted.
CCC allows FTPS sessions to take advantage of firewalls that know how to handle NAT with non-secure FTP without opening fixed ports.
WARNING: CCC carries the security risk of exposing file names, folder paths and other control information to anyone listening.
- Default Server Certificate: The default certificate is the SSL server certificate used for transport encryption. This certificate must have already been
created and installed on the system. Typically, you will use the same certificate
that you have already installed on your MOVEit DMZ web server.
Certificates are normally purchased through a certification authority such as Thawte or
Verisign. However, free software is available to allow you to create your own at no
cost. For example, the Certificate Services component of Windows Server
can be used to create certificates.
Using certificates you created yourself is generally not recommended, because
client programs consider them to be non-trusted, and raise warning dialogs.
- Alternate Certificates, Branding, Client Certs:
Alternate SSL server certificates may be assigned to each IP address of your MOVEit server.
This is a way to have MOVEit DMZ
FTP use a different certificate for connections through different networks. For example,
if MOVEit DMZ is connected to the internet through one network interface card (NIC) and
to a local intranet through another NIC, you can give a different certificate for
use by connections through each NIC. One will be the default, entered above. Any
additional certificates are paired with a specific local IP address or IP mask. (If you wish to run a secure "multi-homed FTP server",
you may need to configure these options. You cannot use alternate server certificates if you decide to bind to a single IP address.)
In addition to linking particular certificates with particular IP addresses, you may also link
a particular Organization to particular IP addresses to present a different Org's pre-signon banner to FTP users
rather than the default Org's banner. You may also decide to enforce more stringent client certificate
requirements (i.e., require client certs on all ports) for particular IP addresses.
Finally, you can elect to require client certificates on all FTP command ports for each alternate IP address, overriding
the client certificate port settings of the default IP address binding, which is configured on the FTP Ports tab. If this
option is selected for an alternate server certificate entry, the All Ports column will show "True".
Server Certification Selection List
Clicking any of the "..." server certificate browse buttons will pop up a list of server certificates to
select. Be sure to pick a certificate with an "Expires" date later than today. To select a certificate, double-click it,
or select it and click the OK button.
NAT for Passive FTP
Whether to map IP addresses for Network Address Translation (NAT) is an advanced feature for sites that use
a firewall to do "NAT'ing". It applies only to passive mode transfers. If you choose to use this feature, you should
provide a list of NAT rules in most-specific-to-least-specific order with a "catch-all" at the bottom. Each NAT rule
consists of an IP mask, and the external IP address to use for clients matching that mask. Each mask has the form
"m.m.m.m", where each m is a decimal number like 208, or a * wildcard. Each external IP address is the usual dotted
decimal number and should be the external IP address to which the firewall maps your FTP server.
The most common configuration resembles the following example. This provides an internal IP address (10.2.1.33)
to clients connecting from internal clients (10.*.*.*), but provides an external IP address to all other (external)
clients.
ServerIP=*.*.*.*, NatIP=10.2.1.33, ClientIPs=10.*.*.*
ServerIP=*.*.*.*, NatIP=66.170.5.130, ClientIPs=*.*.*.*
Another configuration involves "multihoming" where different hostnames have been mapped to different external IP
addresses 66.170.5.130 and 66.170.5.131) which come in to two different internal IP addresses (10.2.1.33 and
10.2.1.34) on the same MOVEit DMZ machine. In this case we want to return the correct IP address for each external
connection while still returning the correct address for internal clients.
ServerIP=10.2.1.34, NatIP=10.2.1.34, ClientIPs=10.*.*.*
ServerIP=*.*.*.*, NatIP=10.2.1.33, ClientIPs=10.*.*.*
ServerIP=10.2.1.34, NatIP=66.170.5.131, ClientIPs=*.*.*.*
ServerIP=*.*.*.*, NatIP=66.170.5.130, ClientIPs=*.*.*.*
If your NAT rules consist solely of the rule:
ServerIP=*.*.*.*, NatIP=208.33.33.33, ClientIPs=208.*.*.*
...then a client accessing any IP address your machine from 208.122.3.4 will be told to perform passive transfers
to 208.33.33.33, even though the actual internal IP address of your FTP server may be something completely different,
for example, 192.168.1.10. Clients accessing your FTP server from outside the 208.* domain will be given the actual
address of your FTP server (192.168.1.10).
If you have more than one NAT rule, you can change the order of evaluation by using the up- and down-arrow buttons
to the right side of the list.
Rules to handle "localhost" or "127.0.0.1" addresses are not necessary. Connections from these addresses will
always be instructed to connect their data channels to the same address.
Non-Secure FTP
Whether to allow access from Non-Secure FTP clients. This feature lets you
open the FTP server up to clients that do not use secure FTP (encrypted) transfers. This
significantly reduces the security of MOVEit DMZ because data can potentially be
"sniffed" on the network. But in some circumstances, such as inside a company's
intranet, that level of security is not important. Or, in other cases, there is
simply no other way to transfer securely from a certain client. In order to open
FTP up to non-secure transfers, you need to not only check the enabling box, you also
need to add the specific IP addresses or IP masks that are allowed to perform
these non-secure transfers. Non-secure mode is enabled using pairs of IP
addresses. Each pair consists of a local IP address (or mask) on the MOVEit DMZ server,
(corresponding perhaps to a specific network interface), and an external IP address
or mask corresponding to a network FTP client. As with the NAT list, you can move
entries up and down within the list.
Before any of the configured IP addresses will be allowed to connect insecurely, the
"Non-Secure FTP Enabled" checkbox MUST be checked (and confirmed).
This option MUST be enabled before any user-level "allow non-secure FTP" interface setting can be used.
WARNING: Non-Secure FTP carries the security risk of exposing usernames, passwords, file data, file names,
folder paths and other control information to anyone listening.
Diagnostic Logs
The MOVEit DMZ FTP server's diagnostic log settings can be changed on the Status tab of the configuration utility.
See the "Configuration Utility" document
for more information about this tab.
Paths Tab
The MOVEit DMZ FTP server communicates with MOVEit DMZ using the "Machine URL" configured on this tab.
See the "Configuration Utility" document
for more information about this tab.
Initial Banner Language
In multi-language systems, the initial security banner and notice will be provided in the default language of the default
organization, or the system, if no default organization exists (see the
Miscellaneous system settings page for more information
about default organizations). To change this language, if there is a default organization
on the system, log on to that organization as an org admin and change the org's default language using the
International settings page. If there is no
default organization on the system, the system default language would need to be changed. This setting is available only
to SysAdmins, and can be found in the System Languages
settings page.