Feature Focus - Multihoming
The term "multihoming" generally suggests a single computer is handling
requests addressed to multiple IP addresses. In MOVEit DMZ the definition
is extended to mean a single MOVEit DMZ server is serving requests
addressed to multiple hostnames with different SSL certificates and branding.
For example, if a single site was asked to support both
"moveit.org1.com"
and "www.safestor.us" for two different companies
on the same MOVEit DMZ server, we would say that the
MOVEit DMZ is multihoming.
[Figure: Multihoming]

However, if both "org1" and "safestor" used a common hostname of
"mi.datacent.net" instead, we would be talking about setting up separate MOVEit DMZ Organizations
but the MOVEit DMZ itself would NOT be multihoming.
[Figure: Not Multihoming]

To support multihoming, several MOVEit DMZ configuration items must be adjusted. These
items can be broken down by the service they are related to.
- Core MOVEit DMZ Application
  - Create a separate organization for each hostname
  - Each organization's Base URL must be set to a unique hostname
  - Each organization should have its own branding
- HTTPS Server (IIS Service)
  - Create a separate IIS "site" for each hostname (Windows 2003 only)
  - Add multiple SSL certificates, one for each hostname
  - Configure multiple IP addresses, one for each hostname
- FTPS Server (MOVEit DMZ Service)
  - Set up the default SSL host certificate to match one of the organizations
  - Other organizations will use other ("alternate") SSL host certificates as configured by FTP IP address. Set this list of IP addresses up to match those configured under IIS
- SFTP Server (MOVEit DMZ Service)
  - Only one SSH server key is currently available through the SFTP service. (SSH server keys, unlike SSL server certs, do not have a "hostname" or other organization-identifying element.)
These items can also be broken down by the configuration utility that must be used to configure them.
- Internet Information Services (IIS) Manager
  - Request and install commercial SSL host certificates.
  - Configure a separate IIS site (Windows 2003) or binding (Windows 2008) for each organization.
- MOVEit DMZ Configuration Utility
  - Select the default SSL host certificate to match one of the organizations. ("FTP Certs" tab)
  - Select alternate SSL host certificates for each additional organization.
- MOVEit DMZ Web Interface (Signed on as a SysAdmin)
  - Add a new production organization for each hostname. ("Orgs" page)
  - Set each organization's Base URL to its hostname. ("Organization Profile" page)
- MOVEit DMZ Web Interface (Signed on as an Admin)
  - Let each organization control its own scheme/colors, logos and other branding elements through their existing Admin accounts.
There are several ways to accomplish many of the tasks listed in the "Configuration Elements" section,
but the following procedures are recommended.
Windows Server 2003
For Windows Server 2003, this problem is similar to one that some "singlehoming" MOVEit DMZ sites face today:
"How do I request, obtain and install a new SSL cert for an existing site from a different CA?"
The answer is the same in both cases:
- Set up a new IIS site. You may name it whatever you wish.
- Generate a new SSL certificate request from the new site. Make sure the hostname on the certificate request is correct.
- Keep the new IIS site around until you receive the SSL certificate response from your CA. Install it through the new site.
- Switch to the real IIS site for which you were attempting to get the certificate. Switch the current cert over from the old one to the new one. ("Assign an existing certificate")
- Test with a web browser to make sure your real IIS site is really serving the new certificate. If so, delete the new IIS site you used to obtain the certificate.
- Open the IIS Manager and under Web Sites right-click on the "moveitdmz" site and select All Tasks->Save Configuration to a file. Give the new file a name and save it to the destination specified.
- Right-click on Web Sites and select New->Web Site (from file).
  Select the file that was saved in the previous step.
  Click Read File, select the "moveitdmz" location, then click OK.
  You will be warned that the site already exists; make sure to select
  Create a new site and then click OK.
- Right-click on the second "moveitdmz" site (the identifier will be a very large number) and rename it to help avoid confusion.
Changing IP Addresses or Ports in IIS
After the IIS sites are created they need to be configured to listen for different IP addresses or different ports on each site.
- Open the IIS Manager and under Web Sites right-click on the "moveitdmz" site and select Properties.
- Click the Advanced button next to IP address.
- Edit the IP address or port for both the default and SSL sections. Remember that each moveitdmz site must either listen on a different
  IP address or be bound to a different port number. The recommended option is to have each site listen on a different IP address.
- Repeat this procedure for the other moveitdmz site.
Windows Server 2008
For Windows Server 2008, you need not create additional IIS websites.
Instead, you may create multiple SSL certificates at the webserver level,
and then assign them to "bindings", as described below.
Creating and installing additional SSL certificates
- Run Internet Information Services (IIS) Manager.
- Choose the name of the server in the left pane.
- In the Features View, double-click on Server Certificates.
- Create a certificate request by choosing "Create Certificate Request..." in the right pane.
After submitting the certificate request and receiving the response from the Certificate Authority,
come back and choose "Complete Certificate Request".
Alternatively, you can create a self-signed certificate, but this is not recommended
because it will cause browser warning messages for your users.
Creating additional IIS bindings
This procedure, available only on Windows Server 2008, allows you
to assign multiple IP addresses and SSL certificates to a single website,
thus bypassing the complexity of creating multiple websites.
- Run Internet Information Services (IIS) Manager.
- Right-click the name of the website (usually moveitdmz) and choose Edit Bindings...
- Choose the "https" line and choose Edit...
- Change the IP address from All Unassigned to one of the configured IP addresses.
- Choose the appropriate SSL certificate.
- Choose OK.
For the second and subsequent organizations, repeat the above procedure
in the Site Bindings dialog, but choose Add... to add bindings and SSL certificates
for the remaining organizations.
1. Make sure you are running MOVEit DMZ 3.4 or a later version. This software is required to display the proper branding on the sign on page based simply on the requested hostname.
2. Sign on as a SysAdmin.
3. Go to the "Orgs" page and click the NAME of a specific organization to get into its "Organization Profile".
4. While viewing the "Organization Profile", click the first "edit" link.
5. Change the "Base URL" to match the hostname of the site. Include the "https://" prefix. For example, if the hostname is "support.moveitdmz.com", the Base URL should be "https://support.moveitdmz.com"
6. Save changes and repeat steps 3-5 for any remaining organizations.
The MOVEit DMZ FTP will offer the "Default Certificate" configured on the "FTP Certs" tab in
the DMZConfig utility to all incoming FTP/SSL connections unless alternate certificates are configured in the
"Alternate Certificates" window. Each "Server IP" value should match an IP address previously configured
on an IIS site bearing an SSL certificate of the same name.
(For example, if an IIS site for "mi.dmz.net" is already listening for connections on IP address 10.1.1.2,
add an alternate entry that will cause the FTP server to offer up the "mi.dmz.net" certificate to
connections coming in to IP address 10.1.1.2.)
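
The rules above (unique https Base URL per organization, one IP address per hostname, and FTP alternate certificates keyed to the same IPs as the IIS certificates) can be checked together before go-live. The following is an added example, not part of MOVEit DMZ or its documentation: the data layout, the function names and the IP addresses are assumptions, and the values are meant to be transcribed by hand from IIS Manager, the "FTP Certs" tab and the "Orgs" page.

```python
from urllib.parse import urlsplit

# Constructed sample plan: hostnames reuse this page's examples, IPs are made up.
ORGS = [
    {"name": "Org1", "base_url": "https://moveit.org1.com", "ip": "10.1.1.1"},
    {"name": "SafeStor", "base_url": "https://www.safestor.us", "ip": "10.1.1.2"},
]
IIS_BINDINGS = {"10.1.1.1": "moveit.org1.com", "10.1.1.2": "www.safestor.us"}  # IP -> cert name
FTP_DEFAULT_CERT = "moveit.org1.com"                # "Default Certificate"
FTP_ALTERNATES = {"10.1.1.2": "www.safestor.us"}    # "Server IP" -> cert name

def cert_covers(cert_name, host):
    """True if the certificate name matches host; '*.' covers exactly one label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def audit(orgs, iis_bindings, ftp_default, ftp_alternates):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, seen_hosts, seen_ips = [], {}, {}
    for org in orgs:
        url = urlsplit(org["base_url"])
        host, ip, name = (url.hostname or ""), org["ip"], org["name"]
        if url.scheme != "https" or not host:
            findings.append(f"{name}: Base URL must be https://<hostname>")
            continue
        if host in seen_hosts:
            findings.append(f"{name}: hostname {host} already used by {seen_hosts[host]}")
        if ip in seen_ips:
            findings.append(f"{name}: IP {ip} already used by {seen_ips[ip]}")
        seen_hosts.setdefault(host, name)
        seen_ips.setdefault(ip, name)
        iis_cert = iis_bindings.get(ip)
        if iis_cert is None:
            findings.append(f"{name}: no IIS https binding on {ip}")
        elif not cert_covers(iis_cert, host):
            findings.append(f"{name}: IIS cert {iis_cert} on {ip} does not match {host}")
        # FTPS offers the default certificate unless an alternate is set for this IP.
        ftp_cert = ftp_alternates.get(ip, ftp_default)
        if not cert_covers(ftp_cert, host):
            findings.append(f"{name}: FTPS offers {ftp_cert} on {ip}, expected {host}")
    for ip in ftp_alternates:
        if ip not in iis_bindings:
            findings.append(f"FTP alternate for {ip} has no matching IIS binding")
    return findings

if __name__ == "__main__":
    print(audit(ORGS, IIS_BINDINGS, FTP_DEFAULT_CERT, FTP_ALTERNATES) or "plan is consistent")
```

Removing the alternate entry for 10.1.1.2 from the sample makes the audit report that FTPS clients of the second organization would be offered the first organization's certificate, which is the mismatch the "Alternate Certificates" window exists to prevent.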
MOVEit DMZ upgrades will handle or avoid all elements of the multihoming process except for specific IIS setting changes made to sites other than the IIS site into which MOVEit DMZ was originally installed.
Release notes will detail any IIS site setting changes made between MOVEit DMZ versions; consult our support department for specific instructions to make changes by hand.