Multi-homing

What it Means with MOVEit

The term "multi-homing" generally suggests a single computer is handling requests addressed to multiple IP addresses. In MOVEit DMZ the definition is extended to mean a single MOVEit DMZ server is serving requests addressed to multiple hostnames with different SSL certificates and branding.

For example, if a single site was asked to support both "moveit.org1.com" and "www.safestor.us" for two different companies on the same MOVEit DMZ server, we would say that the MOVEit DMZ is multi-homing.

[Figure: Multi-homing]

However, if both "org1" and "safestor" used a common hostname of "mi.datacent.net" instead, we would be talking about setting up separate MOVEit DMZ Organizations but the MOVEit DMZ itself would NOT be multi-homing.

[Figure: Not Multi-homing]

Multi-homing Configuration Elements

Elements by Service

To support multi-homing, several MOVEit DMZ configuration items must be adjusted. These items can be broken down by the service they are related to.

Elements by Configuration Utility

These items can also be broken down by the configuration utility that must be used to configure them.

Recommended Procedures

There are several ways to accomplish many of the tasks listed in the previous subsection, but the following procedures are recommended.

Requesting, obtaining and installing multiple SSL certs for different organizations

Windows Server 2008

For Windows Server 2008, you need not create additional IIS websites. Instead, you may create multiple SSL certificates at the webserver level, and then assign them to "bindings", as described below.

Creating and installing additional SSL certificates

  1. Run Internet Information Services (IIS) Manager.
  2. Choose the name of the server in the left pane.
  3. In the Features View, double-click on Server Certificates.
  4. Create a certificate request by choosing Create Certificate Request... in the right pane. After submitting the certificate request and receiving the response from the Certificate Authority, come back and choose Complete Certificate Request. Alternatively, you can create a self-signed certificate, but this is not recommended because it will cause browser warning messages for your users.

Creating additional IIS bindings

This procedure, available only on Windows Server 2008, allows you to assign multiple IP addresses and SSL certificates to a single website, thus bypassing the complexity of creating multiple websites.

  1. Run Internet Information Services (IIS) Manager.
  2. Right-click the name of the website (usually moveitdmz) and choose Edit Bindings....
  3. Choose the https line and choose Edit....
  4. Change the IP address from All Unassigned to one of the configured IP addresses.
  5. Choose the appropriate SSL certificate.
  6. Choose OK.

For the second and subsequent organizations, repeat the above procedure in the Site Bindings dialog, but choose Add... to add bindings and SSL certificates for the remaining organizations.

How do I configure MOVEit DMZ to identify each IIS site as its own organization?

MOVEit supports the display of an organization’s branding based solely on the hostname provided in the base URL.

  1. Sign on as a SysAdmin.
  2. Go to the Orgs page and click the NAME of a specific organization to get into its Organization Profile.
  3. While viewing the Organization Profile, click the first edit link.
  4. Change the Base URL to match the hostname of the site. Include the https:// prefix. For example, if the hostname is support.moveitdmz.com, the Base URL should be https://support.moveitdmz.com.
  5. Save changes and repeat steps 3-5 for any remaining organizations.

How do I configure MOVEit DMZ to hand out different SSL certs on its FTP server for each organization?

The MOVEit DMZ FTP server offers the Default Certificate configured on the FTP Certs tab in the DMZConfig utility to all incoming FTP/SSL connections unless alternate certificates are configured in the Alternate Certificates window. Each Server IP value should match an IP address previously configured on an IIS site bearing an SSL certificate of the same name. For example, if an IIS site for mi.dmz.net is already listening for connections on IP address 10.1.1.2, add an alternate entry that will cause the FTP server to offer the mi.dmz.net certificate to connections coming in to IP address 10.1.1.2.
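The IIS bindings, the organization Base URLs and the FTP certificate entries described above are set in three different places, so it is easy for them to drift apart. The following Python sketch is an added example, not part of the MOVEit documentation or product: it cross-checks a hand-transcribed inventory of the three. The dictionary layout, the org names and the 10.1.1.3 address are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed inventory, transcribed by hand from IIS Manager (Edit Bindings),
# the Orgs page (Base URL) and DMZConfig (FTP Certs tab). Names other than the
# page's own example hosts and IPs are assumptions.
IIS_BINDINGS = {"10.1.1.2": "mi.dmz.net", "10.1.1.3": "support.moveitdmz.com"}
ORG_BASE_URLS = {"org1": "https://mi.dmz.net",
                 "org2": "https://support.moveitdmz.com"}
FTP_DEFAULT_CERT = "mi.dmz.net"
FTP_ALT_CERTS = {"10.1.1.3": "support.moveitdmz.com"}


def cert_covers(cert_name, host):
    """True if a certificate name (exact or one-label wildcard) covers host."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def audit(iis, orgs, ftp_default, ftp_alt):
    """Return a list of findings; an empty list means the three views agree."""
    findings = []
    for ip in iis:
        if ip in ("*", "0.0.0.0"):  # how "All Unassigned" is recorded here
            findings.append(f"IIS https binding {ip} is still All Unassigned")
    for org, url in sorted(orgs.items()):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{org}: Base URL {url!r} needs https:// and a hostname")
        elif not any(cert_covers(c, parts.hostname) for c in iis.values()):
            findings.append(f"{org}: no IIS binding certificate covers {parts.hostname}")
    for ip, cert in sorted(ftp_alt.items()):
        if ip not in iis:
            findings.append(f"FTP alternate cert for {ip}: no IIS binding on that IP")
        elif iis[ip].lower() != cert.lower():
            findings.append(f"FTP on {ip} offers {cert}, IIS offers {iis[ip]}")
    for ip in sorted(iis.keys() - ftp_alt.keys()):
        if iis[ip].lower() != ftp_default.lower():
            findings.append(f"FTP on {ip} falls back to default cert {ftp_default}, "
                            f"IIS offers {iis[ip]}")
    return findings


if __name__ == "__main__":
    for line in audit(IIS_BINDINGS, ORG_BASE_URLS, FTP_DEFAULT_CERT, FTP_ALT_CERTS):
        print("FINDING:", line)
```

An empty result means every organization hostname is covered by a bound certificate and FTP/SSL clients on each IP see the same certificate name as HTTPS clients.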

How do I handle future upgrades?

MOVEit DMZ upgrades will handle or avoid all elements of the multi-homing process except for specific IIS setting changes made to sites other than the IIS site into which MOVEit DMZ was originally installed. Release notes will detail any IIS site setting changes made between MOVEit DMZ versions; consult our support department for specific instructions to make changes by hand.