Web Interface - Settings - Security Policies - Interface
If you plan on using different interface policies
for different groups of users, you may want to explore the
various
"create users as a clone of..." options available in MOVEit DMZ.
For example, you may want all your users except those using
External Authentication (EA)
to present a certificate during the authentication process.
To accomplish this, set the organization's default interface values
to require client certs and set the EA source to clone a
template user that does not require client cert authentication
during new EA user creation.
HTTP
This page allows administrators to set the default HTTP interface policy for all
new users on the system. When the policy on this page is changed, administrators are given the option of
also applying the change to all existing users in the organization. The policy options available
are:
- Allow HTTPS Access via Web Interface by Default: Determines whether
users will be allowed to access the system via web browsers.
- Allow HTTPS Access via HTTP Clients by Default: Determines whether
users will be allowed to access the system via other HTTP clients, such as
MOVEit Central, MOVEit DMZ API and the MOVEit Wizard.
- SSL Client Cert Required by Default: Determines whether users signing on to the
HTTPS interface will be required to present a valid SSL client certificate
in order to authenticate to the system.
- Password Also Required with SSL Client Cert by Default: Determines whether users
who sign on to the HTTPS interface with a valid SSL client certificate will
also be required to submit a valid password in order to authenticate to the system.
- Match Cert CN to Username/Full Name: When enabled, an SSL client certificate
whose CN value matches the username or full name of the incoming user
AND that is signed by a Certificate Authority trusted by the system will be considered
valid and acceptable for authentication purposes. Both conditions must hold; a certificate
from a trusted CA whose CN matches neither value is not accepted under this option.
- Allow Username from Client Certificate: When enabled, users will be given the
option on the signon page to have MOVEit DMZ automatically determine their username from
their client certificate and attempt to sign them on. DMZ will first search its internal
certificate store for a matching certificate, then if possible it will search properly
configured LDAP external authentication sources. If a matching certificate is found, the
associated username is assumed and a signon is attempted. If a matching certificate is not
found, or the user requires a password
in addition to the client certificate, they will be returned to the signon page with a
message indicating the need for further credentials.
If a matching client certificate is found, and the user is successfully signed on
with the associated username, a long-term cookie will be set which will allow DMZ to
automatically forward them to the username autodetection routines in the future. Thus,
the user will always log directly on to the system whenever they bring up the web site,
as long as their client certificate is provided and is still valid.
FTP
This page allows administrators to set the default FTP interface policy for all
new users on the system. When the policy on this page is changed, administrators are given the option of
also applying the change to all existing users in the organization. The policy options available
are:
- Allow FTP/SSL Access by Default: Determines whether users will be allowed
to access the system via secure FTP over SSL.
- Allow Insecure FTP Access by Default: Determines whether users will be
allowed to access the system via insecure plain-text FTP. This also requires that Non-Secure FTP
be enabled on the server and allowed for the IP addresses from which each user connects. See the FTP Configuration
doc page for more information.
- SSL Client Cert Required by Default: Determines whether users signing on to the
FTP over SSL interface will be required to present a valid SSL client certificate
in order to authenticate to the system.
- Password Also Required with SSL Client Cert by Default: Determines whether users
who sign on to the FTP over SSL interface with a valid SSL client certificate will
also be required to submit a valid password in order to authenticate to the system.
- Match Cert CN to Username/Full Name: When enabled, an SSL client certificate
whose CN value matches the username or full name of the incoming user
AND that is signed by a Certificate Authority trusted by the system will be considered
valid and acceptable for authentication purposes. Both conditions must hold; a certificate
from a trusted CA whose CN matches neither value is not accepted under this option.
- Holding Tank retention: Determines how long SSL client certificates and SSH
client keys entered into the cert/key holding tank will be allowed to remain there.
Certs or keys older than this number of days will be removed from the holding tank.
Management of trusted Certificate Authorities (CAs) and user holding tank certificates is also performed here.
For more information on trusted CAs, see the
System Configuration - SSL and SSH - SSL - Client Certs - Trusted CAs document page. For more information on
the SSL client certificate holding tank, see the
System Configuration - SSL and SSH - SSL - Client Certs - Holding Tank document page.
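As an added illustration, and not MOVEit DMZ's own code, the following POSIX shell script shows the two conditions behind the "Match Cert CN to Username/Full Name" option that appears in both the HTTP and FTP sections above. It uses the openssl command line to build a constructed trusted CA, a second untrusted CA and three client certificates, then checks each the way the policy does: the certificate chain must verify against the trusted CA AND the subject CN must equal either the username or the full name. The CA names, user names and temporary file paths are assumptions made for the example. An administrator can use the same check on a real certificate and the organization's trusted CA file to confirm that a certificate about to be placed in a user's profile will actually satisfy the policy.

```shell
#!/bin/sh
# Added example: emulate the "Match Cert CN to Username/Full Name" check with
# the openssl CLI. All CA names, user names and paths are constructed for
# illustration; nothing here is MOVEit DMZ's own code.
set -e
WORK=$(mktemp -d)

# Constructed trust anchor (what an admin would load as a trusted CA) and a
# second CA the system does NOT trust, to exercise the rejection path.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example Corp CA" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" -subj "/CN=Rogue CA" 2>/dev/null

# issue_cert <signing-ca-basename> <out-basename> <CN>: constructed client cert.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}
issue_cert ca    alice "alice"        # CN equals the username
issue_cert ca    bob   "Bob Example"  # CN equals the full name
issue_cert rogue eve   "alice"        # matching CN, but untrusted issuer

# cert_cn <cert.pem>: print the subject CN. RFC 2253 output escapes a comma
# inside the CN as "\,", which this simple sed does not handle.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# cert_matches_user <cert.pem> <trusted-ca.pem> <username> <fullname>
# Succeeds (exit 0) only when BOTH policy conditions hold: the chain verifies
# against the trusted CA and the CN equals the username or the full name.
cert_matches_user() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    return 1   # signed by a CA the system does not trust
  fi
  cn=$(cert_cn "$1")
  [ "$cn" = "$3" ] || [ "$cn" = "$4" ]
}

# Stand-alone run: report each constructed case.
for case in "alice alice Alice_Example" "bob bob Bob_Example" \
            "alice carol Carol_Example" "eve alice Alice_Example"; do
  set -- $case
  full=$(printf '%s' "$3" | tr '_' ' ')
  if cert_matches_user "$WORK/$1.pem" "$WORK/ca.pem" "$2" "$full"; then
    echo "$1.pem accepted for user '$2' ($full)"
  else
    echo "$1.pem rejected for user '$2' ($full)"
  fi
done
```

Run it with sh; it needs only the openssl binary. The third case fails on the CN (alice's certificate presented for user carol) and the fourth fails on the chain (a certificate with CN=alice issued by the untrusted CA), which is the distinction the policy text draws with its AND. The same two-step check, trusted-issuer first and name match second, is what an administrator should expect from the system, so a certificate that fails either step in this script will not satisfy the option in MOVEit DMZ either.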
SSH
This page allows administrators to set the default SSH interface policy for all new users
on the system. When the policy on this page is changed, administrators are given the option of also applying
the change to all existing users in the organization. The policy options available are:
- Allow SSH Access by Default: Determines whether users will be allowed to
access the system via SSH.
- SSH Key Required by Default: Determines whether users signing on to the
SSH interface will be required to present a valid SSH client key in order to
authenticate to the system.
- Password also required with valid SSH Key by Default: Determines whether users
who sign on to the SSH interface with a valid SSH client key will also be required to
submit a valid password in order to authenticate to the system.
- Holding Tank retention: Determines how long SSL client certificates and SSH
client keys entered into the cert/key holding tank will be allowed to remain there.
Certs or keys older than this number of days will be removed from the holding tank.
Management of user holding tank keys is also performed here. For more information on the SSH client key
holding tank, see the
SSH Keys Holding Tank document page.