This topic highlights some of the areas you need to consider when setting up MOVEit DMZ to integrate within your organization and network.
MOVEit DMZ can be almost entirely administered from a web browser. Some system configuration tasks are handled within the Configuration Utility, which is a Windows application. Backup and restore activities are also handled outside of the MOVEit DMZ web interface.
Admin vs. SysAdmin
The difference between Admin and SysAdmin can be initially confusing, but it provides a logical and scalable separation of operations. SysAdmin is the more powerful permission class, but SysAdmin file and secure message privileges are minimal. (For example, SysAdmins can set up a user but cannot read that user's files.) For this reason, Ipswitch generally encourages people to use Admin accounts for daily administration (working with users, folders, etc.) and save SysAdmin account sign ons for special occasions (new org, IP lockout change, etc.)
More specifically, SysAdmins have exclusive access to the settings detailed in the documentation sections referenced below:
Web Interface - Settings - System
Web Interface - Schemes
Web Interface - Organizations
...but are never allowed to upload/download files or send/receive secure messages in any organization other than the System organization.
Modern versions of MOVEit DMZ force you to set up both a SysAdmin and an Admin account when you install and encourage you to use the new Admin account unless you absolutely need to use a SysAdmin account. In fact, SysAdmin accounts are only permitted to sign on from the console (i.e., localhost, 127.0.0.1 or local IP addresses) by default. (To change this, you must sign on as a SysAdmin from the console and expand the IP range from which System Organization SysAdmins are allowed to sign in.)
After you get comfortable with some key features, you will probably want to come up with answers to several policy and procedure issues. Fortunately, the flexibility of MOVEit DMZ allows you to answer these almost any way you want; options exist to establish and enforce many different policies in MOVEit DMZ. (Ipswitch can also help you come up with answers to these questions if you are unsure or need some advice.)
Authentication Policies
Passwords - How long/strong do you want your passwords? How often should they be changed? How will you get them to your users (fax/phone, emailed when the user is created)? Are users allowed to reset their own passwords? If so, will you require users to sign on with their old credentials first?
Interfaces - Will you allow FTP/SSL, FTP/SSH, HTTPS and/or AS2/AS3? Will you ever allow non-secure FTP? Do you want users connecting to "port 80" HTTP to be automatically redirected to your secure web interface or do you just want to drop the connection? Are you offering enough interface options to allow your clients to do ad-hoc and automated transfers?
Shared Accounts - Will you ever allow shared accounts? If so, do you want individuals using the shared account to see files that others using the account have uploaded?
Groups - How will you organize your users in groups? Where you have a choice, would you rather grant permissions, etc. by group or by user? Would you like certain users to enjoy delegated permissions over certain folders, users, etc.?
External Authentication - Will all users authenticate to MOVEit DMZ's local database? Will they authenticate through a trusted LDAP or RADIUS server instead? Will there be a mix?
Naming Conventions - Should usernames be "first initial, last name", employee numbers, company names or something else? Should full names contain the names of key people and/or their organizational role or just a company role? Will you be using different conventions for internal/external users?
Lockouts and Expiration - How many tries should a user get before that user is locked out? How many tries should a particular IP address get before that IP is locked out? How long should we let a user dodge a requested password change before we disable the account? Should we automatically shut down accounts that have not been used in a while or have gone over their contract date?
Allowed Hosts and IPs - By default MOVEit DMZ sets up an IP access policy that allows end users to connect from anywhere but only allows administrators to connect from an internal private network. Is this tight enough? Are there exceptions? Do you really want to specify a list/range of IP addresses and hostnames for each user instead?
Client Certificates/Keys - Using these credentials is often more secure but usually requires more work. If you are using client certificates, what Certificate Authority(ies) will you use? Do you need "two factor" authentication or will the use of a particular cert/key be enough?
Automated Users - Most sites set up a FileAdmin user for their MOVEit Central file transfer automation tool, but your end users or other internal processes may be completely automated too. Do you want these users to be exempt from periodic password changes? Do you want them further restricted by IP address, client cert/key or interface to mitigate the risk of an automated username or password getting compromised?
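The Lockouts and Expiration and Allowed Hosts and IPs questions above concern two controls that work together at sign-on: where each permission class may connect from, and how many failures a username or a source address gets before it is locked. The following is an added illustration written for this page, not MOVEit DMZ code: a toy sign-on gate that applies the default policy shape described in the text (end users from anywhere, Admins only from internal private networks, SysAdmins only from the console) and counts failures per user and per IP. The thresholds, class names, event sequence and the rule that address-policy rejections do not count as password failures are all assumptions for illustration.

```python
"""
Added example, not part of MOVEit DMZ: models per-class IP restrictions
plus per-user and per-IP sign-on lockouts over a constructed attempt list.
All thresholds, names and events below are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed default policy shape: end users may connect from anywhere (None),
# Admins only from RFC 1918 private networks, SysAdmins only from localhost.
POLICY = {
    "user": None,
    "admin": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "sysadmin": ["127.0.0.0/8"],
}

USER_LOCKOUT_TRIES = 5   # assumed per-username threshold
IP_LOCKOUT_TRIES = 15    # assumed per-source-address threshold


def address_allowed(perm_class, ip, per_user_allow=None):
    """True if this address may attempt a sign-on for this permission class.

    A per-user allowlist (list of CIDR strings) overrides the class policy,
    which is the "list/range of IPs per user" option the text asks about.
    """
    addr = ipaddress.ip_address(ip)
    nets = per_user_allow if per_user_allow is not None else POLICY[perm_class]
    if nets is None:
        return True
    return any(addr in ipaddress.ip_network(n) for n in nets)


class SignOnGate:
    """Tracks failed attempts per username and per source IP and locks both."""

    def __init__(self):
        self.user_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.locked_users = set()
        self.locked_ips = set()

    def attempt(self, username, perm_class, ip, password_ok, per_user_allow=None):
        """Evaluate one sign-on attempt and return a short outcome string."""
        if ip in self.locked_ips:
            return "denied: ip locked out"
        if username in self.locked_users:
            return "denied: user locked out"
        if not address_allowed(perm_class, ip, per_user_allow):
            # Assumption: rejections by address policy are not password failures.
            return "denied: address not allowed"
        if password_ok:
            self.user_failures[username] = 0   # a good sign-on clears the user counter
            return "ok"
        self.user_failures[username] += 1
        self.ip_failures[ip] += 1
        if self.user_failures[username] >= USER_LOCKOUT_TRIES:
            self.locked_users.add(username)
        if self.ip_failures[ip] >= IP_LOCKOUT_TRIES:
            self.locked_ips.add(ip)
        return "failed"


def run_demo():
    """Constructed attempt sequence; returns the list of outcomes."""
    gate = SignOnGate()
    events = [
        ("alice", "user", "203.0.113.7", True),       # end user from the internet
        ("admin1", "admin", "203.0.113.7", True),     # admin from the internet: refused
        ("admin1", "admin", "10.1.2.3", True),        # admin from inside: fine
        ("sysadmin", "sysadmin", "10.1.2.3", True),   # console-only by default: refused
        ("sysadmin", "sysadmin", "127.0.0.1", True),  # console: fine
    ] + [("bob", "user", "198.51.100.9", False)] * 6  # fifth failure locks, sixth is refused
    return [gate.attempt(*e) for e in events]


def run_ip_lockout_demo():
    """Many usernames guessed from one address: the per-IP lockout trips first."""
    gate = SignOnGate()
    for i in range(IP_LOCKOUT_TRIES):
        gate.attempt(f"guess{i}", "user", "198.51.100.9", False)
    # Even a correct password from that address is now refused.
    return gate.attempt("alice", "user", "198.51.100.9", True)


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
    print(run_ip_lockout_demo())
```

The two counters deliberately fail in different ways: the per-user counter protects one account from a patient attacker, while the per-IP counter catches a single source spraying many usernames, which no per-user threshold would notice. Reviewing the audit log for "address not allowed" rejections is also a cheap way to find administrators who are trying to work from outside the internal range before the policy is loosened.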
Folder Policies
Structure - Do you want users to each have their own tree of folders in their home folder or do you want a shared folder structure? Should user home folders be in one top-level folder, or in multiple folders? Do you want to simply lock users to a single folder and "dumb down" the interface to keep them from making any mistakes? What should the main shared folder be named?
Permissions - What permissions should users enjoy on various folders? On their home folder, by default? Do you want upload quotas? Do you want filename restrictions?
Clean Up/Notification - How often should MOVEit DMZ automatically delete old files and folders? How rapidly (if at all) should it send notifications about whether or not files were uploaded OK, have been downloaded or have not been downloaded by some deadline?
Naming Conventions - Should users' home folders bear the name of their usernames, their full names, user IDs (unique ID generated by MOVEit DMZ) or something else? Should MOVEit DMZ folder trees reflect internal trees or be named for specific customer needs? Will you be using specific folder names and file names to help people and automated tasks figure out what to do with various files?
Ad Hoc Transfer Policies
Licensing, Option Enabled - First, make sure you have a valid Ad Hoc Transfer license (using the DMZ Config utility) and that you have enabled this feature through the Registered Users link on the Settings page's Ad Hoc Transfer section, next to Access. Also make sure the Package Log Viewing property on the organization's Profile (accessible with a SysAdmin account) is on if you want your Admins to see who is sending Ad Hoc packages within your organization.
Address Book Contacts and Unregistered Recipients - Who should be able to talk to whom? Do you want to allow everyone to contact everyone else, including unregistered users, or do you want to control Ad Hoc Transfer relationships? Who should be able to create and send packages to unregistered recipients on the fly?
Unregistered Recipients and Senders - When unregistered recipients sign in - and when unregistered senders self-register - should they be treated as per-package "guest users", or should they be registered as "temporary users" for a limited amount of time? Are there any domains that MOVEit DMZ should not be able to create temporary users for (such as your own or a free mail service)? How long should temporary users remain before they are automatically purged?
Secure Note transfer vs. Email Note, per package sender option, and related options - Do you want to be assured of secure transfers, not only of files, but also of every note that senders compose when creating MOVEit Ad Hoc Transfer packages? Or would you rather provide your users with a consistently Outlook-style, email-oriented notification operation (with only the attached/uploaded files being sent exclusively by MOVEit)? Do you want to offer both flavors of operation by offering senders a per package choice? In addition, do you want to add security for the packages' Senders and Subjects (of packages sent from the Web Interface and Mobile only; these settings do not affect packages sent from the Outlook Plug-in)?
Permissions - Do you want attachment quotas? Do you want filename restrictions?
Retention - How long should we keep packages online? Should we delete them or archive them?
Appearance
Banner and Scheme - What banner logo will you use? What scheme will you use to match the colors and fonts to your main corporate site? What logo will you use for the mobile app and web?
Display Profiles - Which parts of the web interface should your users see when they are signed on? Before they sign on? Do you have to worry about "power users"? Do you want to offer all users the ability to change language before sign on? Do you want to offer or withhold the ability for users to change their user interface's language when or after they sign on?
International Languages - Which language do you want to be the default for the organization: English, French, German, or Spanish?
Notifications - How much information (username, fileID, file names, etc.) should be sent in clear-text email notifications? Who should appear to be the sender? Are there any notification templates that you would like to alter? Do your users prefer good-looking HTML notifications or functional text notifications?
Sign On Banners, Etc. - What should you display to users before they are allowed to sign on? What kind of information (if any) will you put in the home page announcement? How should the first status message a user sees after signing on read?
Logging and Reporting
Filtering Logs - Can you find what you want in the audit logs? Can you figure out from the audit logs why the following common problems occurred? (User could not sign on. File could not be uploaded, downloaded, etc. Folder or user could not be created, deleted, etc.) Are you comfortable selecting columns, sorting and hiding/showing sign on and notification entries?
Reports - What reports will you use regularly? Do you want to schedule them? Do you expect to perform further processing on CSV or XML formatted reports? Do you want to alter the template used for HTML reports?
Retention - How long should we keep audit records? Should we delete them or archive them?
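The Filtering Logs question above is really about whether the audit trail can be turned into answers quickly: which users are failing to sign on, which uploads are failing and why, and whether a burst of failures comes from one source. As an added example that is not part of the MOVEit DMZ documentation, the script below parses a constructed audit log and produces that triage. The line layout, field names and sample records are assumptions made for this illustration; the real audit log has its own columns, which you would map onto the same parse step.

```python
"""
Added example, not part of MOVEit DMZ: triage a small audit log, counting
failures by cause and flagging sources with repeated failed sign-ons.
The log format and every line in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter

# Assumed layout: timestamp, action, username, client IP, result, quoted detail
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<action>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'result=(?P<result>OK|FAIL) "(?P<detail>[^"]*)"$'
)

# Constructed sample records (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2024-01-10T09:00:01Z SIGNON user=alice ip=203.0.113.7 result=OK ""
2024-01-10T09:00:05Z SIGNON user=bob ip=198.51.100.9 result=FAIL "bad password"
2024-01-10T09:00:09Z SIGNON user=bob ip=198.51.100.9 result=FAIL "bad password"
2024-01-10T09:00:12Z SIGNON user=bob ip=198.51.100.9 result=FAIL "bad password"
2024-01-10T09:01:00Z UPLOAD user=alice ip=203.0.113.7 result=FAIL "quota exceeded"
2024-01-10T09:01:30Z UPLOAD user=alice ip=203.0.113.7 result=OK ""
2024-01-10T09:02:00Z MKFOLDER user=carol ip=203.0.113.9 result=FAIL "permission denied"
2024-01-10T09:02:30Z SIGNON user=dave ip=198.51.100.9 result=FAIL "account disabled"
"""


def parse_log(text):
    """Return (records, skipped): one dict per well-formed line, plus a count of lines that did not parse."""
    records, skipped = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
        elif line.strip():
            skipped += 1   # never silently drop unparsable audit lines
    return records, skipped


def failures_by_cause(records):
    """Count failed events by (action, detail): the first view to open when a user reports a problem."""
    return Counter((r["action"], r["detail"]) for r in records if r["result"] == "FAIL")


def repeated_signon_failures(records, threshold=3):
    """Return {(user, ip): count} for user/address pairs with at least `threshold` failed sign-ons."""
    counts = Counter(
        (r["user"], r["ip"])
        for r in records
        if r["action"] == "SIGNON" and r["result"] == "FAIL"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(text=SAMPLE_LOG):
    """Run the whole triage over a log text and return a summary dict."""
    records, skipped = parse_log(text)
    return {
        "records": len(records),
        "skipped": skipped,
        "failures": failures_by_cause(records),
        "repeated_signon_failures": repeated_signon_failures(records),
    }


if __name__ == "__main__":
    summary = triage()
    print(f"{summary['records']} records parsed, {summary['skipped']} skipped")
    for (action, detail), n in summary["failures"].most_common():
        print(f"{n:3d}  {action:9s} {detail}")
    for (user, ip), n in summary["repeated_signon_failures"].items():
        print(f"repeated sign-on failures: {user} from {ip} ({n})")
```

Grouping by (action, detail) answers the "why could the user not sign on / upload / create a folder" questions directly, and keeping a count of skipped lines guards against a format change quietly hiding events. The same summary is a natural input to the CSV or XML report processing discussed under Reports.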
Real World Administration
People - Who is/are the main administrator(s) of each MOVEit DMZ organization? Are they the same people in charge of the firewall? Are there administrative tasks that can be delegated through GroupAdmins or using features such as "allow users to reset own password"?
Automation - Are you using the automated features of MOVEit DMZ (such as old file/folder cleanup, notification, report creation) to your full advantage? If you own a companion MOVEit Central server, is it automating all the file transfers it can? Are your end user and internal transfers as automated as they can be?
Disaster Recovery - How are you backing up your server? Do you have the MOVEit DMZ licenses you need for your backup servers? Is your backup/restore procedure automated? Have you tested it? Does your main site need active-active failover?
End User Documentation - Do your end users know how to connect to you and where to go to upload/download files? (Or use secure messaging, as applicable.) (See Advanced Topics - User Forms for some suggestions here.) Do they know how to ask for help? Is there additional documentation you could post online to help? (MOVEit DMZ's Tech Support link/page and Custom Help Link feature help here.)
Administrative Documentation - Is your configuration documented and explainable? (You can use the DMZBackup utility if you simply need a backup of the current configuration.) Do you know how to pull/schedule the reports that fulfill your audit requirements? Your billing requirements? Other business requirements?
Other Tasks
What else you do next depends a great deal on the application for which you are using MOVEit DMZ. (See Common Setup for a brief list of common applications.) However, most administrators will shortly find themselves making use of Groups to organize the way users may access files and folders. Many administrators will also be interested in setting up strong password requirements (on the Settings page) and/or folder settings to allow for automated cleanup of old files (on individual Folder pages).
Ongoing Maintenance
As an administrator you will most likely "hover over" the Logs page more than any other page. (You will likely want to familiarize yourself with the various log filters available.) Most of your changes will involve adding and removing individual users, or tracking down and dealing with files which have been placed in the wrong place, not processed by internal systems appropriately, etc.