MOVEit DMZ is capable of storing its encrypted files on a remote Windows fileshare. This is required for
Resiliency and
Webfarms configurations, but can also be used for standalone MOVEit
DMZ servers. Storing the encrypted files on a remote location improves security by making it harder to access those
files from a compromised webserver. This configuration can help MOVEit DMZ meet company requirements that no data
reside in a DMZ network segment.
Using a Remote Fileshare
MOVEit DMZ Resiliency accesses remote fileshares differently from a standalone or webfarm-enabled MOVEit DMZ server, so
for help configuring MOVEit DMZ Resiliency, see the
Resiliency Pre-Installation Guide.
For standalone and webfarm-enabled MOVEit DMZ servers, follow these steps to configure a file server to provide
remote filesystem support to MOVEit DMZ:
- Create a "moveitdmz" user on the file server. This user will be used by MOVEit DMZ to access the
file share. The account only needs to be present on the file server.
- Create a "MOVEitDMZ" folder on the file server. This folder is where MOVEit DMZ's encrypted files will
be stored.
- Give the "moveitdmz" user full permissions to the "MOVEitDMZ" folder. Add the "moveitdmz" user to the
list of access control entries through the Security tab on the folder's Properties dialog. Give the user full
permissions to the folder.
- Share the folder and give full permissions to remote users. Enable sharing on this folder through the
Sharing tab on the folder's Properties dialog. Add the "moveitdmz" user to the share's permissions and give the
user full control over the share (you may optionally remove all other users and/or groups from the share permissions
list).
The shared folder may now be used as the MOVEit DMZ file store location. If you are configuring a standalone MOVEit DMZ
server to use the shared folder, first shut down the MOVEit DMZ services and manually copy the contents of the existing
\MOVEitDMZ\Files folder on the server to the new shared folder. Next, apply the new remote folder settings using the MOVEit
DMZ Config program. Use the
Advanced button on the Paths tab to enter the UNC path of the shared folder, as well as the username and password of the
"moveitdmz" user configured above. Finally, start the MOVEit DMZ services and run the MOVEit DMZ Checker utility to make
sure file transfers are working properly. If there are any errors, see the Troubleshooting section.
Troubleshooting
When using a remote fileshare for its encrypted file store, MOVEit DMZ will mount the fileshare internally using the
configured username and password. If MOVEit DMZ is unable to download or upload files after changing to a remote fileshare,
the problem will usually be either an error mounting the share, or a permissions error with the share. Typically the error
code and message that MOVEit DMZ encountered when it tried to access the share will be reported back to the client that is
trying to upload or download a file. If this is not the case, see the DMZ_WEB.log file on the DMZ server for more details
about the error.
This is a list of some errors that might be encountered when using a remote share, and how to resolve them:
- Error mounting share: 1219 - Multiple connections to a server or shared resource by the same user, using more
than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
This error occurs when two or more processes are trying to access the same share. Often this will happen when running
the MOVEit DMZ Config program after accessing the remote fileshare using Windows Explorer. This can be fixed by disconnecting
existing connections to the fileshare before running other programs that need to access it. To see if there are any
connections open under the currently signed on user, open a command prompt window and type "net use", then hit enter.
Any existing connections to the fileshare being used by MOVEit DMZ should be disconnected by using the "net use /DELETE"
command (for help with the "net use" command, type "net use /?" then hit enter).
- Error mounting share: 1312 - A specified logon session does not exist. It may already have been terminated.
This error is usually caused by the program being run as the Local System account, which is not allowed to mount remote
fileshares. This can be fixed by running the program as a regular user, or as the Network Service account. Normally the
MOVEit DMZ install should automatically configure the services to run as either a custom service account, or the Network
Service account. See the configuration for other MOVEit DMZ services if one of the services is having this problem.
- Access is denied
This error occurs when the permissions of the "moveitdmz" fileshare user are not correct on the share, or the folder
itself. This can be fixed by making sure the user has full permissions on the folder, and full permissions on the share.