System Configuration - Admin 101
Apart from annual tasks such as SSL certificate renewal and installation, MOVEit DMZ can be administered almost entirely from a web browser.
Admin vs. SysAdmin
The difference between "Admin" and "SysAdmin" can be initially confusing, but it provides a logical and scalable separation of operations.
SysAdmin is the more powerful permission class, but SysAdmin file and secure message privileges are minimal. (For example, SysAdmins can set up a user but cannot read that user's files.) For this reason, Ipswitch generally encourages people to use Admin accounts for daily administration (working with users, folders, etc.) and to save SysAdmin sign-ons for special occasions (new org, IP lockout change, etc.).
More specifically, SysAdmins have exclusive access to the settings detailed in the documentation sections referenced below:
- Web Interface - Settings - System
- Web Interface - Schemes
- Web Interface - Organizations
...but are never allowed to upload/download files or send/receive secure messages in any organization other than the System organization.
Modern versions of MOVEit DMZ force you to set up both a SysAdmin and an Admin account when you install, and encourage you to use the new Admin account unless you absolutely need a SysAdmin account. In fact, by default SysAdmin accounts are only permitted to sign on from the console (i.e., localhost, 127.0.0.1 or local IP addresses). (To change this, you must sign on as a SysAdmin from the console and expand the IP range from which System Organization SysAdmins are allowed to sign in.)
For a complete explanation of Admins, SysAdmins and other user permissions classes,
please see the "Web Interface - Users - Permissions" documentation. For a complete explanation of what orgs are and
when they should be used, please see the "Web Interface - Organizations - Overview (Definition)" documentation.
Policies and Procedures
After you get comfortable with some key features, you will probably want to come up with answers to several "policy and procedure" questions. Fortunately, the flexibility of MOVEit DMZ allows you to answer these almost any way you want; options exist to establish and enforce many different policies. (Ipswitch can also help you come up with answers to these questions if you are unsure or need advice.)
Authentication Policies
- Passwords - How long/strong do you want your passwords? How often should they be changed?
How will you get them to your users (fax/phone, emailed when the user is created)?
Are users allowed to reset their own passwords? If so, will you require users to sign on with
their old credentials first?
- Interfaces - Will you allow FTP/SSL, FTP/SSH, HTTPS and/or AS2/AS3? Will you ever allow non-secure FTP?
Do you want users connecting to "port 80" HTTP to be automatically redirected to your secure web interface
or do you just want to drop the connection?
Are you offering enough interface options to allow your clients to do ad-hoc and automated transfers?
- Shared Accounts - Will you ever allow shared accounts? If so, do you want individuals
using the shared account to see files that others using the account have uploaded?
- Groups - How will you organize your users in groups? Where you have a choice, would you
rather grant permissions, etc. by group or by user? Would you like certain users to enjoy
delegated permissions over certain folders, users, etc.?
- External Authentication - Will all users authenticate to MOVEit DMZ's local database?
Will they authenticate through a trusted LDAP or RADIUS server instead? Will there be a mix?
- Naming Conventions - Should usernames be "first initial, last name", employee numbers, company names or something else?
Should full names contain the names of key people and/or their organizational role or just a company role?
Will you be using different conventions for internal/external users?
- Lockouts and Expiration - How many tries should a user get before that user is locked out?
How many tries should a particular IP address get before that IP is locked out?
How long should we let a user dodge a requested password change before we disable the account?
Should we automatically shut down accounts that have not been used in a while or
have gone over their contract date?
- Allowed Hosts and IPs - By default MOVEit DMZ sets up an IP access policy
that allows end users to connect from anywhere but only allows administrators to
connect from an internal private network. Is this tight enough? Are there exceptions?
Do you really want to specify a list/range of IP addresses and hostnames for each
user instead?
- Client Certificates/Keys - Using these credentials is often more secure but
usually requires more work.
If you are using client certificates, what Certificate Authority(ies) will you use?
Do you need "two factor" authentication or will the use of a particular cert/key be enough?
- Automated Users - Most sites set up a FileAdmin user for their MOVEit Central
file transfer automation tool, but your end users or other internal processes may be
completely automated too. Do you want these users to be exempt from periodic password changes?
Do you want them further restricted by IP address, client cert/key or interface to
mitigate the risk of an automated username or password getting compromised?
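As an added illustration of the "Allowed Hosts and IPs" and "Automated Users" questions above, the following Python script models the default access policy described there: SysAdmins sign on only from the console, Admins only from an internal private network, end users from anywhere, and any account can be narrowed further by a per-user address list and a per-user set of interfaces. This is example code, not MOVEit DMZ's own configuration model or API; the class names, the RFC 1918 ranges, the server address 192.168.10.5 and the interface labels are assumptions, and hostname-based rules are left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed "internal private network" for the Admin class: the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed "console" for the SysAdmin class: loopback plus the server's own address
# (192.168.10.5 is a constructed value for this example).
CONSOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.10.5/32")]


@dataclass
class Account:
    username: str
    perm_class: str                                   # "SysAdmin", "Admin" or "User"
    allowed_nets: list = field(default_factory=list)  # per-user restriction; empty = class default only
    allowed_interfaces: set = field(
        default_factory=lambda: {"HTTPS", "FTP/SSL", "FTP/SSH"})


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def class_default_nets(perm_class):
    """Where each permission class may sign on from under the assumed default policy."""
    if perm_class == "SysAdmin":
        return CONSOLE_NETS      # console only (localhost / local addresses)
    if perm_class == "Admin":
        return INTERNAL_NETS     # internal private network only
    return None                  # end users: anywhere


def check_signon(account, source_ip, interface):
    """Return (allowed, reason). Per-user settings only ever narrow the class default."""
    ip = ipaddress.ip_address(source_ip)
    if interface not in account.allowed_interfaces:
        return False, f"{interface} is not permitted for {account.username}"
    default = class_default_nets(account.perm_class)
    if default is not None and not _in_any(ip, default):
        return False, f"{account.perm_class} sign-on is not allowed from {source_ip}"
    if account.allowed_nets:
        user_nets = [ipaddress.ip_network(n) for n in account.allowed_nets]
        if not _in_any(ip, user_nets):
            return False, f"{source_ip} is outside the allowed list for {account.username}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed accounts: a console-bound SysAdmin, an internal Admin, a roaming
    # end user and an automated account pinned to one subnet and one interface.
    accounts = [
        Account("sysadmin", "SysAdmin"),
        Account("admin", "Admin"),
        Account("jsmith", "User"),
        Account("fileadmin", "User", allowed_nets=["10.20.0.0/24"],
                allowed_interfaces={"FTP/SSH"}),
    ]
    for acct in accounts:
        for src, iface in (("127.0.0.1", "HTTPS"), ("192.168.1.20", "HTTPS"),
                           ("203.0.113.7", "HTTPS"), ("10.20.0.9", "FTP/SSH")):
            print(acct.username, src, iface, check_signon(acct, src, iface))
```

The point of keeping the per-user list as an intersection with the class default, rather than a replacement for it, is that a mistaken per-user entry can never widen where an Admin or SysAdmin may sign on from; it can only tighten it.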
Folder Policies
- Structure - Do you want users to each have their own tree of folders in their home folder or
do you want a shared folder structure? Should user home folders be in one top-level folder, or in multiple folders? Do you want to simply lock users to a single folder and "dumb down" the interface to keep them from making any mistakes? What should the main shared folder be named?
- Permissions - What permissions should users enjoy on various folders? On their home folder, by default? Do you want upload quotas? Do you want filename restrictions?
- Clean Up/Notification - How often should MOVEit DMZ automatically delete old files and folders?
How rapidly (if at all) should it send notifications about whether or not files were uploaded OK,
have been downloaded or have not been downloaded by some deadline?
- Naming Conventions - Should users' home folders bear the name of their usernames, their full names, user IDs (unique ID generated by MOVEit DMZ) or something else?
Should MOVEit DMZ folder trees reflect internal trees or be named for specific customer needs?
Will you be using specific folder names and file names to help people and automated tasks
figure out what to do with various files?
Ad Hoc Transfer Policies
- Licensing, Option Enabled - First, make sure you have a valid Ad Hoc Transfer license (using the DMZ Config utility)
and that you have enabled this feature through the "Registered Users" link on the "Settings" page's "Ad Hoc Transfer" section, next to "Access".
Also make sure the "Package Log Viewing" property on the organization's Profile
(accessible with a SysAdmin account) is on if you want your Admins to see who
is sending Ad Hoc packages within your organization.
- Address Book Contacts and Unregistered Recipients - Who should be able to talk to whom? Do you want to allow everyone to contact everyone else, including unregistered users, or do you want to control Ad Hoc Transfer relationships? Who should be able to create and send packages to unregistered recipients on the fly?
- Unregistered Recipients and Senders - When unregistered recipients sign in (and when unregistered senders self-register), should they be treated as per-package "guest users", or should they be registered as "temporary users" for a limited amount of time?
Are there any domains that MOVEit DMZ should not be able to create temporary users for (such as your own or a free mail service)? How long should temporary users remain before they are automatically purged?
- Permissions - Do you want attachment quotas? Do you want filename restrictions?
- Retention - How long should we keep packages online? Should we delete them or archive them?
Appearance
- Banner and Scheme - What banner logo will you use? What scheme will you use to match the colors and fonts to your main corporate site?
- Display Profiles - Which parts of the web interface should your users see when they are signed on? Before they sign on?
Do you have to worry about "power users"?
Do you want to support French- and Spanish-speaking users?
- Notifications - How much information (username, fileID, file names, etc.) should be sent in clear-text email notifications?
Who should appear to be the sender?
Are there any notification templates that you would like to alter?
Do your users prefer good-looking HTML notifications or functional text notifications?
- Sign On Banners, Etc. - What should you display to users before they are allowed to sign on?
What kind of information (if any) will you put in the home page announcement?
How should the first status message a user sees after signing on read?
Logging and Reporting
- Filtering Logs - Can you find what you want in the audit logs? Can you figure out from the audit logs why the following common problems occurred? (A user could not sign on; a file could not be uploaded, downloaded, etc.; a folder or user could not be created, deleted, etc.) Are you comfortable selecting columns, sorting and hiding/showing sign on and notification entries?
- Reports - What reports will you use regularly? Do you want to schedule them?
Do you expect to perform further processing on CSV or XML formatted reports?
Do you want to alter the template used for HTML reports?
- Retention - How long should we keep audit records? Should we delete them or archive them?
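To make the "Lockouts and Expiration" questions in the Authentication Policies list and the "Filtering Logs" questions above concrete, here is an added Python example. It is not MOVEit DMZ code, and the CSV layout is a constructed stand-in for the real audit log schema, with made-up usernames, addresses and messages. It reads a short audit extract, explains why a given user's sign-on or upload failed, counts failed sign-ons per user and per source address against hypothetical lockout thresholds, and lists accounts with no successful activity for longer than an assumed dormancy limit.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit-log extract. The column layout is an assumption for this
# example, not MOVEit DMZ's real audit log schema.
SAMPLE_LOG = """\
timestamp,action,username,source_ip,status,message
2024-03-01T08:00:05,signon,jsmith,203.0.113.7,failure,invalid password
2024-03-01T08:00:19,signon,jsmith,203.0.113.7,failure,invalid password
2024-03-01T08:00:31,signon,jsmith,203.0.113.7,failure,invalid password
2024-03-01T08:00:44,signon,jsmith,203.0.113.7,failure,user locked out
2024-03-01T08:02:10,signon,acme_auto,10.20.0.9,success,
2024-03-01T08:02:12,upload,acme_auto,10.20.0.9,success,/Home/acme_auto/invoice.csv
2024-03-01T08:02:20,upload,acme_auto,10.20.0.9,failure,upload quota exceeded
2024-03-01T08:05:00,signon,bjones,198.51.100.4,failure,source address not permitted for this user
2024-03-01T08:06:00,signon,mlee,198.51.100.9,failure,password change required
2024-03-01T08:07:00,signon,bob,198.51.100.4,failure,invalid password
2024-02-01T09:00:00,signon,olduser,192.168.1.50,success,
"""

# Hypothetical policy values answering the "Lockouts and Expiration" questions.
USER_LOCKOUT_TRIES = 3               # failed sign-ons before the user is locked out
IP_LOCKOUT_TRIES = 4                 # failed sign-ons from one address before it is locked out
DORMANT_AFTER = timedelta(days=14)   # no successful activity for this long -> candidate for disabling
REFERENCE_NOW = datetime(2024, 3, 1, 12, 0, 0)   # "now" for the constructed data


def parse_log(text):
    """Parse the CSV extract into dicts, converting 'timestamp' to a datetime."""
    records = list(csv.DictReader(io.StringIO(text)))
    for rec in records:
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return records


def failure_reasons(records, username, action="signon"):
    """Distinct failure messages, in the order first seen, for one user and one action."""
    reasons = []
    for rec in records:
        if (rec["username"] == username and rec["action"] == action
                and rec["status"] == "failure" and rec["message"] not in reasons):
            reasons.append(rec["message"])
    return reasons


def lockout_candidates(records):
    """Users and source addresses whose failed sign-on count reached the thresholds."""
    per_user, per_ip = Counter(), Counter()
    for rec in records:
        if rec["action"] == "signon" and rec["status"] == "failure":
            per_user[rec["username"]] += 1
            per_ip[rec["source_ip"]] += 1
    users = sorted(u for u, n in per_user.items() if n >= USER_LOCKOUT_TRIES)
    ips = sorted(ip for ip, n in per_ip.items() if n >= IP_LOCKOUT_TRIES)
    return users, ips


def dormant_accounts(records, now=REFERENCE_NOW):
    """Accounts whose most recent successful action is older than DORMANT_AFTER."""
    last_seen = {}
    for rec in records:
        if rec["status"] == "success":
            user = rec["username"]
            if user not in last_seen or rec["timestamp"] > last_seen[user]:
                last_seen[user] = rec["timestamp"]
    return sorted(u for u, t in last_seen.items() if now - t > DORMANT_AFTER)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("jsmith sign-on failures:", failure_reasons(recs, "jsmith"))
    print("acme_auto upload failures:", failure_reasons(recs, "acme_auto", "upload"))
    print("lockout candidates (users, ips):", lockout_candidates(recs))
    print("dormant accounts:", dormant_accounts(recs))
```

Note that the per-address counter deliberately includes the "user locked out" failure: once a user is locked, continued attempts from the same address still count toward the address lockout, which is what separates a forgotten password from a brute-force attempt against many accounts.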
Real World Administration
- People - Who is/are the main administrator(s) of each MOVEit DMZ organization?
Are they the same people in charge of the firewall?
Are there administrative tasks that can be delegated through GroupAdmins or using features such as
"allow users to reset own password"?
- Automation - Are you using the automated features of MOVEit DMZ (such as old file/folder
cleanup, notification, report creation) to your full advantage? If you own a companion
MOVEit Central server, is it automating all the file transfers it can?
Are your end user and internal transfers as automated as they can be?
- Disaster Recovery - How are you backing up your server?
Do you have the MOVEit DMZ licenses you need for your backup servers?
Is your backup/restore procedure automated? Have you tested it?
Does your main site need active-active failover?
- End User Documentation - Do your end users know how to connect to you and where to go to upload/download files (or use secure messaging, as applicable)? (See "Advanced Topics - User Forms" for some suggestions here.) Do they know how to ask for help? Is there additional documentation you could post online to help? (MOVEit DMZ's "Tech Support" link/page and "Custom Help Link" feature help here.)
- Administrative Documentation - Is your configuration documented and explainable?
(You can use the DMZBackup utility if you simply need a backup of the current configuration.)
Do you know how to pull/schedule the reports that fulfill your audit requirements?
Your billing requirements? Other business requirements?
Other Tasks
What you do next depends a great deal on the application for which you are using MOVEit DMZ. (See Common Setup for a brief list of common applications.) However, most administrators will shortly find themselves making use of Groups to organize the way users may access files and folders. Many administrators will also be interested in setting up strong password requirements (on the "Settings" page) and/or folder settings that allow automated cleanup of old files (on individual "Folder" pages).
Ongoing Maintenance
As an administrator you will most likely "hover over" the Logs page more than any other page. (You will likely want to familiarize yourself with the various log filters available.) Most of your changes will involve adding and removing individual users, or tracking down and dealing with files that have ended up in the wrong place, have not been processed appropriately by internal systems, etc.