Previous Topic

Next Topic

Book Contents

Book Index

FTP - Configuration

The MOVEit DMZ Config utility is used to configure the MOVEit FTP server. (Users, groups, folder settings and the like are generally maintained through the Web Interface or MOVEit API.) Run the configuration program by choosing the Start menu shortcut MOVEit DMZ Config. This program uses a tabbed dialog to group the settings by function.

MOVEit FTP will immediately apply configuration changes the next time a new connection is received.

Exception: If changes are made to the FTP explicit or implicit ports, the MOVEit FTP service must be restarted for these changes to take effect.

FTP Ports Tab

Control Ports

Data Ports

Miscellaneous Settings

FTP Certs Tab

Default Server Certificate: The default certificate is the SSL server certificate used for transport encryption. This certificate must have already been created and installed on the system. Typically, you will use the same certificate that you have already installed on your MOVEit web server.

Certificates are normally purchased through a certification authority such as Thawte or Verisign. However, free software is available to allow you to create your own at no cost. For example, the Certificate Services component of Windows Server can be used to create certificates. Using certificates you created yourself is generally not recommended, because client programs consider them to be non-trusted, and raise warning dialogs.

Alternate Certificates, Branding, Client Certs: Alternate SSL server certificates may be assigned to each IP address of your MOVEit server. This is a way to have MOVEit FTP use a different certificate for connections through different networks.

Note: If you wish to run a secure "multi-homed FTP server", you may need to configure these options. You cannot use alternate server certificates if you decide to bind to a single IP address.

For example, if MOVEit is connected to the internet through one network interface card (NIC) and to a local intranet through another NIC, you can give an alternate certificate for use by connections through the second NIC.

The Alternate Certificates, Branding, Client Certs list displays the columns Server IP and Certificate, as the alternate certificate is paired with a specific local IP address or IP mask.

In addition, the list has these columns:

Click Add to open the Add FTP Alternate Certificate dialog.

Embedded OLE File Template, D75, H100

In addition to linking particular certificates with particular IP addresses, you may also link a particular Organization to a particular IP address to present a different signon banner to FTP users rather than the default Org's banner.

You may also decide to enforce more stringent client certificate requirements, that is, require client certs on all FTP command ports for the particular alternate IP address (overriding the client certificate port settings of the default IP address binding, which is configured on the FTP Ports tab). If Yes is selected for this option in the dialog box, back in the Alternate Certificates, Branding, Client Certs list, the All Ports column will show "True" for that certificate entry.

In the Alternate Certificates, Branding, Client Certs list, you can select a certificate and either click Edit (which opens the Edit FTP Alternate Certificate dialog) or Remove.

Server Certification Selection List

Clicking any of the "..." server certificate browse buttons will pop up a list of server certificates to select. Be sure to pick a certificate with an Expires date later than today. To select a certificate, double-click it, or select it and click the OK button.

FTP IPs Tab

NAT for Passive FTP

Whether to map IP addresses for Network Address Translation (NAT) is an advanced feature for sites that use a firewall to do "NAT'ing". It applies only to passive mode transfers. If you choose to use this feature, you should provide a list of NAT rules in most-specific-to-least-specific order with a "catch-all" at the bottom. Each NAT rule consists of an IP mask, and the external IP address to use for clients matching that mask. Each mask has the form "m.m.m.m", where each m is a decimal number like 208, or a * wildcard. Each external IP address is the usual dotted decimal number and should be the external IP address to which the firewall maps your FTP server.

The most common configuration resembles the following example. This provides an internal IP address (10.2.1.33) to clients connecting from internal clients (10.*.*.*), but provides an external IP address to all other (external) clients.

ServerIP=*.*.*.*, NatIP=10.2.1.33, ClientIPs=10.*.*.* 
ServerIP=*.*.*.*, NatIP=66.170.5.130, ClientIPs=*.*.*.*

Another configuration involves "multihoming" where different hostnames have been mapped to different external IP addresses 66.170.5.130 and 66.170.5.131) which come in to two different internal IP addresses (10.2.1.33 and 10.2.1.34) on the same MOVEit DMZ machine. In this case we want to return the correct IP address for each external connection while still returning the correct address for internal clients.

ServerIP=10.2.1.34, NatIP=10.2.1.34, ClientIPs=10.*.*.* 
ServerIP=*.*.*.*, NatIP=10.2.1.33, ClientIPs=10.*.*.*
ServerIP=10.2.1.34, NatIP=66.170.5.131, ClientIPs=*.*.*.*
ServerIP=*.*.*.*, NatIP=66.170.5.130, ClientIPs=*.*.*.*

If your NAT rules consist solely of the rule:

ServerIP=*.*.*.*, NatIP=208.33.33.33, ClientIPs=208.*.*.*

...then a client accessing any IP address your machine from 208.122.3.4 will be told to perform passive transfers to 208.33.33.33, even though the actual internal IP address of your FTP server may be something completely different, for example, 192.168.1.10. Clients accessing your FTP server from outside the 208.* domain will be given the actual address of your FTP server (192.168.1.10).

If you have more than one NAT rule, you can change the order of evaluation by using the up- and down-arrow buttons to the right side of the list.

Rules to handle localhost or 127.0.0.1 addresses are not necessary. Connections from these addresses will always be instructed to connect their data channels to the same address.

Non-Secure FTP

Whether to allow access from Non-Secure FTP clients. This feature lets you open the FTP server up to clients that do not use secure FTP (encrypted) transfers. This significantly reduces the security of MOVEit because data can potentially be "sniffed" on the network. But in some circumstances, such as inside a company's intranet, that level of security is not important. Or, in other cases, there is simply no other way to transfer securely from a certain client. In order to open FTP up to non-secure transfers, you need to not only check the enabling box, you also need to add the specific IP addresses or IP masks that are allowed to perform these non-secure transfers. Non-secure mode is enabled using pairs of IP addresses. Each pair consists of a local IP address (or mask) on the MOVEit server, (corresponding perhaps to a specific network interface), and an external IP address or mask corresponding to a network FTP client. As with the NAT list, you can move entries up and down within the list.

Before any of the configured IP addresses will be allowed to connect insecurely, the Non-Secure FTP Enabled checkbox MUST be checked (and confirmed).

This option MUST be enabled before any user-level "allow non-secure FTP" interface setting can be used.

Warning: Non-Secure FTP carries the security risk of exposing usernames, passwords, file data, file names, folder paths and other control information to anyone listening.

Diagnostic Logs

The MOVEit FTP server's diagnostic log settings can be changed on the Status tab of the configuration utility. For more information about this tab, see the Configuration Utility topic.

Paths Tab

The MOVEit FTP server communicates with MOVEit using the Machine URL configured on this tab. For more information about this tab, see the Configuration Utility topic.

Initial Banner Language

The initial security banner and notice will be provided in the default language of the default organization, or in English, if no default organization exists. (See the Miscellaneous system settings page for more information about default organizations.) To change the language of the initial security banner and notice, log on to default organization on the system as an org admin. Change the org's default language using the International settings page.

Selecting SSL Versions and SSL Encryption Methods (SSL Tab)

In the MOVEit DMZ Config utility, you can use the SSL Tab to select the SSL versions and SSL encryption methods.