System Internals - URL Crafting

Multi-Organization Branding

See also the FTP Certs Tab in FTP - Configuration and the Multiple SSL Certificates below if you plan on hosting multiple organizations with different SSL certificates on your MOVEit Transfer server.

The first page that appears to a user depends on the link they followed to the signon page. For most users, following links from an organization's main web site, the first page is the user's Home page. For users following links from notification emails, the first page is a page with details about a specific file.

The Sign On page appears as either unbranded or branded:

Unbranded

Using the default MOVEit Gray scheme.

An unbranded Sign On page displays the MOVEit Transfer logo and contact information for the site provider. (This information has been configured by a SysAdmin.)

An unbranded Login page will be displayed by default unless particular Organizations take steps to brand this page. The URL to invoke this page is typically of this form: http://moveit.nowhere.com

Branded

Using a customized scheme.

A branded Login page will display a particular Organization's logo, colors and contact information. (This information has been configured by an Administrator for that particular Organization through that Administrator's Settings page: SETTINGS > Appearance > Brand > Logo & Layout).

A branded Login page appears in either of two cases:

Suppress Session Expired Messages

Particularly with older versions of MOVEit Transfer, copying a URL for a specific user, folder, file or other MOVEit Transfer profile might cause MOVEit Transfer to sometimes display (correctly) that your session has timed out when you next try to access this URL. The display of this message, however, is often misleading, especially if you intend to use this URL in a permanent link tag on a public web site. (For example, Ipswitch provides a direct link to the support page from which customers and evaluators may download its software.)

To always suppress this session expired message, append the following code to any URL you want to make publicly available:

&quiet=true

Content Only Display

Normal MOVEit Transfer pages include a header with banner logo, a user information bar, and a left-hand navigation section, all of which allow the user to navigate their way to different pages within the application. Some companies may want to hide these sections, though, especially when MOVEit Transfer is used in a single-signon system as part of a larger web application. To do so, append the following code to the URL the user clicks to visit MOVEit Transfer:

&contentonly=1

This will cause the header, userbar, and left-hand navigation to be hidden for the rest of the session, or until the code above is repeated with a value of 0. Since the value is stored in the session, only the first MOVEit Transfer URL invoked by the portal application needs to have this code.

Because this feature is designed to allow MOVEit Transfer to be used within an existing web application via frames or iframes, when the contentonly flag is enabled, MOVEit Transfer will disable its normal cross-frame scripting protection code and allow the interface to be loaded by external framesets.

Return-To Link

Normal MOVEit Transfer pages include a Sign Out link in the upper right corner, allowing the user to discontinue their session. When used in a single-signon system as part of a larger web application, this is generally not a desirable feature. Instead, it is usually desirable to provide the user with a link back to the main web application. To have MOVEit Transfer replace the Sign Out link with a custom Return link, append the following code to the URL the user clicks on to visit MOVEit Transfer:

&returnto=<your URL>

Replace <your URL> with the full URL of the web page you wish the user to return to. The URL must begin with either http:// or https://. Because the value is stored in the session, only the first MOVEit Transfer URL invoked by the portal application requires this code. However, MOVEit Transfer always uses the most recent value provided for this option.

Simple Single Signon Support

To set up a single signon that integrates MOVEit Transfer into an existing portal environment, submit an HTML form that silently prefills a username and password. To do this, submit the form information, including the regular MOVEit Transfer URL, using the POST method.

Note: Previous versions of MOVEit Transfer suggested using the HTTP GET method to send the session id. Security best practices call for using the POST method instead of the GET method. If your web integration uses HTTP GET, and you want to continue to use the GET method, you need to set the following registry entry to allow the continued use of this method.

Set the MOVEit Transfer registry value AllowInsecureQueryStrings to "1" to allow GET requests for sensitive transactions, and allow GET requests to include session IDs in apilink.aspx. For more information, see the Registry Settings section in the Technical Reference topic.

The original GET example suggested adding this snippet to the MOVEit Transfer URL:

&username=myusername&password=mypassword&transaction=signon

The following shows an example of the POST method:

<BODY onload="document.forms[0].submit();">
<FORM action="https://moveit.yourcompany.com" method="POST">
  <INPUT type="hidden" name="invisible-username" value="{myusername}"/>
  <INPUT type="hidden" name="invisible-password" value="{mypassword}"/>
  <NOSCRIPT>
   <P>Press this button to continue:</P>
   <INPUT type="submit" value="Continue"/>
   </NOSCRIPT>
</FORM>
</BODY>
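
The GET-versus-POST guidance above, together with the contentonly and returnto options, can be checked against web server logs. The following Python sketch is an added example, not part of the MOVEit Transfer documentation or product: it scans IIS W3C log text for requests that put a password in the query string, turn on contentonly=1, or pass a returnto host outside an allowlist. The log lines, the allowlisted host and the function name audit are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts the portal legitimately uses as returnto targets (assumption; set per site).
ALLOWED_RETURN_HOSTS = {"portal.example.com"}

# Constructed IIS W3C log lines for illustration; not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:00:01 GET /human.aspx username=alice&password=Secr3t&transaction=signon 203.0.113.5 200
2024-01-10 09:00:07 POST /human.aspx - 203.0.113.5 200
2024-01-10 09:01:12 GET /human.aspx OrgID=1234&contentonly=1&returnto=https://portal.example.com/home 198.51.100.7 200
2024-01-10 09:02:30 GET /human.aspx contentonly=1&returnto=http://login.example.net/ 198.51.100.9 200
2024-01-10 09:03:44 GET /human.aspx Username=penguin&arg01=42&arg05=0/dwn.gif&arg12=downloaddirect&transaction=signon&quiet=true 192.0.2.8 200
"""

def audit(log_text, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Return (line_no, finding) tuples for risky crafted-URL parameters."""
    fields, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        # Parameter names vary in case on the page (username / Username).
        params = {k.lower(): v[-1]
                  for k, v in parse_qs(query, keep_blank_values=True).items()}
        if "password" in params:
            # Report the fact only; never copy the credential into findings.
            findings.append((n, "password in query string"))
        if params.get("contentonly") == "1":
            findings.append((n, "contentonly=1 (frame protection disabled for session)"))
        if "returnto" in params:
            host = (urlsplit(params["returnto"]).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((n, f"returnto host not allowlisted: {host or '?'}"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(line_no, finding)
```

The direct-download request on the last sample line is not flagged, because it carries a username but no password.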

Branded Redirect

Some installations want to expose subfolder URLs without OrgIDs. For example, a site wants users of Woodstock Bank to access MOVEit as https://www.myorg.com/woodstockbank and users of Bull Valley Credit Union to access MOVEit as https://www.myorg.com/bullvalley. This arrangement is common at data centers where ownership wants to minimize annual certificate costs by hosting related sites on a single server.

To accomplish this, do the following for each subfolder you want to configure.

  1. Create a subfolder (on the SAME web server) for the firm (for example, https://www.myorg.com/testbank).
  2. Create a new default.aspx file in that folder.
  3. Make sure the IIS web site/folder properties recognize default.aspx as the default doc in that folder.
  4. Copy/paste the following text into your new default.aspx file and make changes as necessary:

<% ' This redirect script sends users who type in "friendly" URLs 
' to MOVEit's front door with the appropriate parameters. 

'* * * * * * * * * * * * * * * * * * * * * * * * * 
'* Set your Organization's ID here!!! 
Dim OrgID as String = "1234" 

'* * * * * * * * * * * * * * * * * * * * * * * * * 
'* Set the official URL of your MOVEit DMZ here!!! 
'* (Make sure this URL has a VALID certificate.) 
Dim URL as String = "https://moveit.stdnet.com" 

'* * * * * * * * * * * * * * * * * * * * * * * 
'* Do NOT modify the code below this line!!! 
Response.Redirect(URL & "?OrgID=" & OrgID) 

%>

Direct Download

Providing a special URL to end users forces them to initiate a (non-Wizard) download immediately after signing on (if not already authenticated). This procedure is typically performed by a MOVEit Transfer API application that creates its own notifications or web pages, but the same technique can be used by any application that can create a link for a user to click.

Use the following syntax to initiate a direct download. Items to be filled in are in square brackets. Be sure your actual requests use only one line.

https://[MOVEitDMZ_Hostname]/human.aspx?
 Username=[EndUser_Username]&arg01=[MOVEitDMZ_FileID]&
 arg05=0/[DownloadAs_Filename]&arg12=downloaddirect&
 transaction=signon&quiet=true

The following example prepares to sign on as Penguin to download a file with ID#910286 as dwn.gif.

https://dotnet.stdnet.com/human.aspx? 
 Username=penguin&arg01=9102186& 
 arg05=0/dwn.gif&arg12=downloaddirect& 
 transaction=signon&quiet=true

This crafted URL can be used with other crafted URLs such as Simple Single Signon Support or the MOVEit Transfer API session redirect to ensure that the user is signed on before attempting a transfer. (Otherwise, the user will be prompted for a username and password.)

Note: Different browsers might handle direct file downloads from MOVEit Transfer in different ways; sometimes files are automatically opened by the browser using the default application for that filetype, while other times the user is prompted to save the file before opening it. If the behavior the end users are experiencing is not the desired behavior, add the argument noattch=0 to the direct download URL. This causes MOVEit Transfer to add a Content-Disposition: attachment header to the direct download response, which will cause some browsers to treat the downloaded file differently than normal.

Multiple SSL Certificates

To support having different SSL certificates for different MOVEit Transfer organizations, you must have a unique IP address / port combination, and SSL certificate, for each organization. (IIS 7.0 on Windows 2008 does not require separate sites.) (See Feature Focus - Multihoming for more information.) If you are willing to share a named certificate across organizations, none of these extra steps are required.

For example, if SampleHoster wants to host secure.acme.com and ftps.whammo.com on the same MOVEit Transfer machine, each with a unique SSL certificate, then SampleHoster is multihoming. However, if SampleHoster wants to host vault.samplehoster.com and allow access to vault.samplehost.com/acme and vault.samplehost.com/whammo (one, shared SSL certificate), SampleHoster requires only:

Both of these configurations have been deployed by data centers, and MOVEit Transfer supports both equally well in production. The main reason cited for using individual SSL certificates for each organization is that it completes the branding experience. The main reasons cited for using a single shared SSL certificate are that it reduces management effort and SSL certificate costs.