Interface

These pages allow administrators to set the default policies for the HTTP, FTP, SSH, and Mobile interfaces for all new users in the organization. When you change the policies on these pages, you are given the option of also applying the change to all existing users in the organization. Policies set here can be changed per user in the User Profile (User Authentication section).

Note: For all of these interfaces, if you plan on using different interface policies for different groups of users, you may want to explore the various "create users as a clone of..." options available in MOVEit DMZ. For example, you may want all your users except those using External Authentication (EA) to present a certificate during the authentication process. To accomplish this, set the organization's default interface values to require client certs, and set the EA source so that new EA users are created as clones of a template user that does not require client cert authentication.

HTTP

This page allows administrators to set the default HTTP interface policy for all new users in the organization. When you change the policy on this page, you are given the option of also applying the change to all existing users in the organization. The policy options available are:

FTP

This page allows administrators to set the default FTP interface policy for all new users in the organization. When you change the policy on this page, you are given the option of also applying the change to all existing users in the organization. The policy options available are:

Management of trusted Certificate Authorities (CAs) and user holding tank certificates is also performed here. For more information on trusted CAs, see the System Configuration - SSL and SSH - SSL - Client Certs - Trusted CAs document page. For more information on the SSL client certificate holding tank, see the System Configuration - SSL and SSH - SSL - Client Certs - Holding Tank document page.

Client Certificates

All client certs are either "self-signed" or "CA-signed". The "CA-" indicates that a "Certificate Authority" has signed the client cert and vouches for the identity of the bearer. Furthermore, CAs are divided into "commercial CAs" that sell client cert issue and signing services to the general public (e.g., Thawte, GeoTrust, etc.) and "corporate CAs" that perform the same client cert functions for their own users.

MOVEit supports self-signed certs, commercial CA-signed certs and corporate CA-signed certs. A client cert may be delivered as a "*.pfx" file with a password, or users may need to request a cert from a CA.

Different browsers install client certs in different ways. Internet Explorer (IE) uses the Windows Certificate Store; you can install and manage client certs through IE's "Certificate" dialog. Windows will also launch a client cert import wizard that will automatically install most client certs into IE if you just double-click a "*.pfx" client cert file.

The Mozilla/Firefox line of browsers uses its own client cert store. To install client certs in these browsers you must use their "Certificate Manager".

Various browsers also have different ways to select client certs for authentication. The most common way is for the browser to simply ask you (via a pop-up dialog) about which client cert to use. When connecting to a MOVEit server, users may be prompted through their browsers to select a client cert after they fill in their username and password or before they view the sign on screen.

However, most browsers also have options to automatically present a client cert if only one is installed, or to not ask about picking a client cert if none is installed. In these cases client cert authentication may be in use behind the scenes (in the "one cert, so don't ask" case) or not at all (in the "no certs installed, so don't ask" case).

Finally, the private key on a user's client cert may be password protected. If this is the case, users may also need to type in the password they created when they opted to protect this client cert or key store. (Usually, such prompting takes place once per session.)

SSH

This page allows administrators to set the default SSH interface policy for all new users in the organization. When you change the policy on this page, you are given the option of also applying the change to all existing users in the organization. The policy options available are:

Management of user holding tank keys is also performed here. For more information on the SSH client key holding tank, see the SSH Keys Holding Tank document page.

Mobile

This page allows administrators to set the default Mobile interface policy for all new users in the organization. When you change the policy on this page, you are given the option of also applying the change to all existing users in the organization. Policies set here can be changed per user in the User Profile (User Authentication section).

The policy options available are: