System Configuration - SSL and SSH - SSL - Client Certs - IIS Configuration

MOVEit DMZ relies on Microsoft's IIS server to provide HTTPS connection services. Therefore, MOVEit DMZ must also rely on IIS to also provide client certificate functionality.

MOVEit DMZ users must use client certificates that are ultimately trusted or stored in the Microsoft Certificate Trusted Root store, but MOVEit DMZ's certificate management interface usually takes care of this requirement behind the scenes. This section focuses on the IIS settings that the MOVEit DMZ installation/upgrade toggles to turn on client certificate support (by default) and a second supported option.

IIS Set to "Accept" Client Certs on Some Files

MOVEit DMZ's web interface supports client certificate authentication as soon as it is installed or upgraded to version 4.0 or higher. No manual changes to IIS are required; the installation/upgrade program sets the necessary IIS settings behind the scenes.

Authentication requirement flags on individual user accounts control whether client certificates are required and what client certificates can be used for authentication. (See "Web Interface - Users - Profile" for more information about this.)

Advantages/Disadvantages

• Advantage: Requires no additional set up or administrative work.
• Advantage: Easy to use when migrating users to client certificate environment.
• Advantage: Backwards compatible with existing clients and processes.
• Disadvantage: Auditors may prefer the "Require client certificates" box on IIS is checked.

"humancc.aspx" and "machinecc.aspx"

By default, MOVEit DMZ sets the "Accept client certificates" flag on two files: "humancc.aspx" and "machinecc.aspx." The "cc" in both files stands for "client certificate."

All web browser sessions must authenticate through human.aspx and all other clients must authenticate through machine.aspx. When a user attempts to authenticate through either "human.aspx" or "machine.aspx" and MOVEit DMZ notices that the user's account requires client certificate authentication, MOVEit DMZ will automatically redirect the user's session to "humancc.aspx" or "machinecc.aspx." At this point the user will be prompted for client certificate credentials (if using a web browser) or client certificate credentials will be consumed (if using another client). No "second sign on page" is presented; from the user's perspective the entire sign on operation requires only a single submission.

No other files or folders are marked to "Accept client certificates". Access to MOVEit DMZ resources is only possible after a user authenticates with any required client certificates, so only the authentication gateways need to be marked to "Accept client certificates".

Site-wide "Accept Client Certificates" Flag (Don't Set It!)

Do not set the site-wide "Accept client certificates" flag on your MOVEit DMZ IIS website. This configuration is not supported and is not necessary to require individual MOVEit DMZ users to use client certificates while authenticating.

Two signs that someone may have flipped the site-wide "Accept client certificates" on your "moveitdmz" IIS site are:

• Your IE users are prompted with a mysterious and empty dialog box when they connect to MOVEit DMZ. The empty box is IE's unusual way of telling the user that the site they just connected to has asked for a client certificate (that's what the IIS "Accept" flag does) but that the user doesn't have any client certificates that would work with the site.
• All file transfers stop working and all FTP and SSH signons are rejected.

IIS Set to "Require" Client Certs on Most Content

Setting the IIS site flag to "Require client certificates" is usually not necessary and is generally not recommended unless it is absolutely required. The large amount of work required by administrators, end users and operators of remote systems usually makes implementing a pure IIS "Require" environment harder than explaining to an auditor why MOVEit DMZ's application-level client certificates is a better choice.

Furthermore, the "Require client certificates" flag is only supported by MOVEit DMZ software under Windows Server 2003.

Advantages/Disadvantages

• Advantage: Auditors may like that the "Require client certificates" box on IIS is checked.
• Advantage: No one can sign on from a remote location without using a client certificate. (No exceptions.)
• Disadvantage: Admin users will lose remote access if they no longer have a valid client certificate.
• Disadvantage: Requires additional set up and administrative work.
• Disadvantage: Makes migrating users to client certificate environment tough.
• Disadvantage: Not backwards compatible with existing clients and processes.

Extra Localhost-Only IIS Site

MOVEit DMZ's FTP, SSH, ISAPI and related services often communicate with the core MOVEit DMZ application through HTTP/S-based XML transactions. To allow this conversation to continue in a "Require client certificates" environment, you must make a copy of the original "moveitdmz" IIS and set it to listen for localhost connections only.

To set up this extra site and configure MOVEit DMZ to use it in the context of setting the IIS site-wide "Require client certificates" flag, use the following procedure.

1. Open the IIS manager and "Export" the "moveitdmz" IIS site.
   • Right-click your existing MOVEit DMZ site
   • Choose "All tasks" and then "Save configuration to file"
2. Import the site you just exported and click through the "duplicate name" warning. (This warning is harmless and will allow you to import the site anyway.)
   • Right-click the "Web Sites" heading
   • Choose "New" and then "Web site from file"
   • Browse to the file created in step 1
   • Click on the "Read file" button, select the site name and click "OK"
3. Rename the new site. (The duplicate name situation will be harmful if you leave it.)
4. Open the new site and perform these steps in this order:
   • Set client certificate requirements to "Ignore"
   • Uncheck the "128-bit" SSL requirement box, if checked.
   • Uncheck the "Require SSL", if checked.
   • Remove any server certificates associated with the site.
   • Bind the site to 127.0.0.1 only (no host headers) and clear out the SSL port. Fill in the (non-SSL) port with a value of 80 if it is not currently populated.
5. Open the original "moveitdmz" site and make sure it is not explicitly bound to 127.0.0.1.
6. Open the MOVEit DMZ Configuration utility, go the "Paths" tab and set the machine URL to "http://localhost/machine.aspx".
7. At this point you can turn on the "Require client certificates" option on the "moveitdmz" site. If you are prompted, you should override settings on all folders and files except those listed in the "Exceptions" section below. Make sure that the file security setting for humancc.aspx and machinecc.aspx is to require SSL and to require client certificates.
8. Make sure that both sites are started.
9. Test with the MOVEit DMZ Check utility (may skip some tests) and later with live client sessions to make sure everything still works.

Exceptions

Although the default client certificate property on your "moveitdmz" IIS site will be set to "Require...", the following folders must always be marked "Ignore client certificates" to support the use of the Java Upload/Download Wizard.

• MOVEitISAPI: The "Ignore client certificates" checkbox must be checked to avoid client certificate complications when using the Java Upload/Download Wizard. It is safe to do this because this file transfer facility will not grant access to files unless a session was previously authenticated
• Java: The "Ignore client certificates" checkbox must be checked to avoid client certificate complications when using the Java Upload/Download Wizard. This folder is the home of the Java Upload/Download Wizard applet that is downloaded and run by web browsers. It is safe to do this because the contents of this folder are publicly available from any other MOVEit DMZ server.
• Images: The "Ignore client certificates" checkbox must be checked to avoid client certificate complications when using the Java Upload/Download Wizard. This folder is the home of the images used in the Java Upload/Download Wizard applet. It is safe to do this because the contents of this folder are publicly available from any other MOVEit DMZ server or publicly available to anyone with access to the (public) MOVEit DMZ sign on page.

The MOVEit DMZ installation and upgrade programs will reset "Ignore client certificates" on these folders automatically when they are run. (However, "Repair" installation actions will not reset these parameters.)

Reverting from "Require..." to "Accept..."

To revert from "Require..." to "Accept...", the easiest way to proceed is to set the IIS site-level client certificate requirement from "Require..." to "Ignore..." and then force a MOVEit DMZ upgrade (not just a "repair") to reset the appropriate properties on other elements in the IIS web site. (The latest procedure to force a complete MOVEit DMZ upgrade is available as an article in the Knowledge Base on the MOVEit support site.)

Otherwise, set the IIS site-level client certificate requirement from "Require..." to "Ignore..." (while choosing to override all subfolders) and then set the "Accept client certificates" flag on the "humancc.aspx" and "machinecc.aspx" files as shown here:

After completing either procedure, you may also wish to delete the extra localhost IIS site that setting the site-wide "Require..." flag requires. You may also need to change the "Machine URL" on the "Paths" tab of the DMZ Config Utility if your "moveitdmz" site is bound to a specific IP address.