AS2 and AS3

In most situations MOVEit Central version 4 or greater is required to perform AS2 or AS3 file transfers. (MOVEit Central also supports AS1.) However, MOVEit DMZ version 4 or greater is also required to act as an AS2 server in these situations, and MOVEit DMZ (any version) is a good choice for an AS3 server as well.

For a complete discussion of AS1, AS2 and AS3 and the specific ways the MOVEit family supports these protocols, please see the MOVEit Central documentation.

MOVEit DMZ's Role in AS2 File Transfers

MOVEit DMZ can accept and store AS2 messages and asynchronous AS2 MDNs that will be processed later (and often immediately) by MOVEit Central. MOVEit DMZ, rather than MOVEit Central, is used in the role of an AS2 server because MOVEit DMZ already serves the function of a secure, Internet-exposed HTTP(S) server and MOVEit Central already has an interface to MOVEit DMZ.

No additional license is required to accept and store AS2 messages and asynchronous AS2 MDNs on MOVEit DMZ because this feature is only useful when a separate AS1, AS2 and AS3 license has been purchased for MOVEit Central.

AS2 messages and asynchronous AS2 MDNs are uploaded and downloaded through HTTP(S) but are not part of the normal MOVEit DMZ file system. More specifically, all AS2 messages and AS2 MDNs will be found in special /AS2/[partner-name] folders, created as needed (where [partner-name] is your partner's official trading name). For example, if your partner John Smith sends you an AS2 message, it will be found in the /AS2/John Smith folder. Nonetheless, MOVEit DMZ administrators can view and delete AS2 message files through their usual web interface.

AS2 URL and File Specifics

MOVEit DMZ receives AS2 messages and asynchronous AS2 MDNs through its built-in as2receiver.aspx component. When your AS2 trading partners ask for the URL they should use to post AS2 messages to you, you will need to give them a URL containing as2receiver.aspx and the name of your host. An example of such a URL is https://as2.moveitdmz.com/as2receiver.aspx.

The same URL value is also used when requesting AS2 asynchronous MDNs as an AS2 destination step in MOVEit Central, but MOVEit Central lets you specify a macro of [AS2ReceiverURL] (in the MDN URL field) and figures out the exact URL at run time (because each AS2 Host can be linked to a specific MOVEit DMZ Host).

AS2 messages are normally stored as files bearing a name of AS2Data. If you want different MOVEit Central tasks to process different AS2 messages from the same partner, you may want to tag each type of AS2 message transmission separately so MOVEit Central tasks can rapidly distinguish between them. The way to tag different types of AS2 transmissions is to include a ?Tag=[some-as2-filename] argument on the URLs you hand out to your partners. For example, a modified URL of https://as2.moveitdmz.com/as2receiver.aspx?Tag=Blue would force MOVEit DMZ to save AS2 messages from partners using that URL as files named Blue rather than AS2Data.

Asynchronous AS2 MDNs are stored as files bearing a name of MDN=[AS2-ID] where [AS2-ID] is the ID of the original AS2 message. An example of an AS2 MDN filename is MDN=373c55dc-f4b6-4c1b-81a1-e39f3a1c22d7@9b751ee7-d32e-4138-8124-1c107f2cd5d2. Like AS2 messages, AS2 MDNs will be stored in folders named after the partners who sent them; MOVEit Central automatically knows where to look (because it uses the values configured for partner name in its AS2 Host definitions).

If your MOVEit DMZ hosts multiple Organizations and you want each to use its own store of AS2 messages and MDNs, you will also need to include an OrgID=[OrgID] tag (such as OrgID=8011) in the URLs you give to your partners and configure in your requests for asynchronous HTTP MDNs. For example, you would need to give partners URLs such as https://as2.moveitdmz.com/as2receiver.aspx?OrgID=8011 or https://as2.moveitdmz.com/as2receiver.aspx?Tag=Blue&OrgID=8011, and would need to configure a URL of [AS2ReceiverURL]?OrgID=8011 in your asynchronous HTTP MDN field, if you wanted related AS2 messages and MDNs to go to a particular organization in a multi-organization configuration.
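The URL and filename conventions above (as2receiver.aspx, the optional Tag and OrgID arguments, the AS2Data default filename, the MDN=[AS2-ID] naming and the /AS2/[partner-name] folders) are easy to get subtly wrong when handing URLs to partners or when writing tooling that inspects the AS2 store. The following helpers are an added example and are not MOVEit's own code; the host name as2.moveitdmz.com is the documentation's own example, the rule that a Tag must be a plain filename token is an assumption made here (the documentation does not say which characters MOVEit accepts), and the [AS2ReceiverURL] expansion only mimics what MOVEit Central does at run time.

```python
"""Helpers for MOVEit DMZ AS2 receiver URLs and AS2 store filenames.

Added example, not part of the MOVEit product or documentation.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: restrict tags to a simple filename token so the stored
# message name stays a single path component.  The documentation does
# not state MOVEit's own rules for Tag values.
TAG_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Asynchronous MDNs are stored as "MDN=<AS2-ID>" (documented convention).
MDN_RE = re.compile(r"^MDN=(?P<as2_id>[^/\\]+)$")

RECEIVER_MACRO = "[AS2ReceiverURL]"


def build_receiver_url(host, tag=None, org_id=None, scheme="https"):
    """Return the URL a partner should post AS2 messages to.

    Produces https://<host>/as2receiver.aspx with optional ?Tag=...
    and OrgID=... arguments, in that order.
    """
    params = {}
    if tag is not None:
        if not TAG_RE.match(tag):
            raise ValueError(f"tag {tag!r} is not a simple filename token")
        params["Tag"] = tag
    if org_id is not None:
        params["OrgID"] = str(int(org_id))  # OrgID is numeric (e.g. 8011)
    url = f"{scheme}://{host}/as2receiver.aspx"
    return url + ("?" + urlencode(params) if params else "")


def expected_message_filename(url):
    """Filename MOVEit DMZ stores messages under for a given receiver URL.

    Without a Tag argument the file is named AS2Data; with ?Tag=Blue the
    file is named Blue.
    """
    query = parse_qs(urlsplit(url).query)
    return query.get("Tag", ["AS2Data"])[0]


def expand_mdn_url(mdn_field, receiver_url):
    """Expand the [AS2ReceiverURL] macro used in MOVEit Central's MDN URL field.

    Mimics the documented behaviour: the macro is replaced by the exact
    receiver URL of the linked MOVEit DMZ host, keeping any ?OrgID=... suffix.
    """
    return mdn_field.replace(RECEIVER_MACRO, receiver_url)


def classify_stored_file(path):
    """Classify a file under /AS2/<partner>/ as a message or an async MDN.

    Returns a dict with 'kind' ('message' or 'mdn'), 'partner', and either
    'tag' (the stored filename) or 'as2_id' (ID of the original AS2 message).
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[0] != "AS2":
        raise ValueError(f"not a path in the AS2 store: {path!r}")
    partner, name = parts[1], parts[2]
    match = MDN_RE.match(name)
    if match:
        return {"kind": "mdn", "partner": partner, "as2_id": match.group("as2_id")}
    return {"kind": "message", "partner": partner, "tag": name}


if __name__ == "__main__":
    url = build_receiver_url("as2.moveitdmz.com", tag="Blue", org_id=8011)
    print(url)                                   # ...as2receiver.aspx?Tag=Blue&OrgID=8011
    print(expected_message_filename(url))        # Blue
    print(expand_mdn_url("[AS2ReceiverURL]?OrgID=8011",
                         build_receiver_url("as2.moveitdmz.com")))
    # Constructed sample path using the documentation's example MDN filename.
    print(classify_stored_file(
        "/AS2/John Smith/MDN=373c55dc-f4b6-4c1b-81a1-e39f3a1c22d7"
        "@9b751ee7-d32e-4138-8124-1c107f2cd5d2"))
```

In practice the useful checks are `expected_message_filename`, which tells a MOVEit Central task author which filename to match for a given partner URL, and `classify_stored_file`, which lets an administrator's cleanup or audit script tell messages from asynchronous MDNs without parsing file contents.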

Both AS2 messages and asynchronous AS2 MDNs are deleted from MOVEit DMZ as soon as MOVEit Central successfully decrypts and/or validates them, determines that they are unfit, or gives up after (re)trying to deliver any requested MDNs. AS2 messages that have requested synchronous MDNs will also be automatically deleted from MOVEit DMZ folders if MOVEit DMZ cannot deliver their respective MDNs. Additional automated clean-up rules can also be applied to AS2 folders and files using the usual folder settings web interface in MOVEit DMZ.

MOVEit DMZ's Role in AS3 File Transfers

MOVEit DMZ can accept and store AS3 messages and AS3 MDNs that will be processed later by MOVEit Central or any other AS3 client. MOVEit DMZ, rather than MOVEit Central, is used in the role of an AS3 server because MOVEit DMZ already serves the function of a secure, Internet-exposed FTP(S) server.

No additional license is required to accept and store AS3 messages and AS3 MDNs on MOVEit DMZ because, according to the AS3 specification, any FTP server can function as an AS3 server. (That is, if you have licensed a MOVEit DMZ server, you already have an AS3 server.)

AS3 messages and AS3 MDNs are uploaded and downloaded through FTP and are thus part of the normal MOVEit DMZ file system. More specifically, all AS3 messages and AS3 MDNs will be found in the /Home/... or /Distribution/... folders and are otherwise treated as normal files.

Why MOVEit DMZ is the best choice for AS3

MOVEit DMZ has been able to participate in AS3 transmissions as a secure FTP server for years. Traditionally, people have thought that any FTP server with basic security features such as SSL with client certificate authentication could be used in AS3 transmissions. However, operational experience and security best practices have led many to expect more of their AS3 FTP server.

The MDN response files returned to AS3 file senders and used for non-repudiation can be signed, but are never encrypted. To protect these important files from tampering or unauthorized view, MOVEit DMZ offers its own built-in FIPS-validated encryption and cryptographic file integrity checks while at rest and in transit.

The FTP protocol can be tricky to implement across firewalls and NAT when SSL is introduced. To deal with these challenges, MOVEit DMZ offers comprehensive, remote-readable protocol logs and features that handle almost every possible FTP over SSL or NAT configuration. Three of the technologies MOVEit DMZ uses to avoid FTP firewall problems are a configurable, limited passive server port range (an approach that has been widely copied in the industry since it was introduced in MOVEit DMZ), explicit configuration of NAT, and a more recent technology called Clear Command Channel (CCC).

Finally, the auditing facility in MOVEit DMZ can be used to help complete AS3 non-repudiation chains. In order for both sides in an AS3 exchange to agree that both parties have the same file, both sides must possess the same MDN. However, if the MDN is downloaded by the original file sender but there is a later dispute about whether or not this download actually took place, the tamper-evident audit logs of MOVEit DMZ can still be used to quickly show that the original file sender's MDN was made available and downloaded at a specific time by a specific user connected from a specific IP address.