An Endpoint can have multiple proxies. A proxy listens on a port for traffic of a certain protocol type and then forwards the encrypted traffic to a MOVEit Transfer Endpoint. Only a running proxy can route external traffic to the MOVEit Transfer Endpoint.
To add more proxies to an Endpoint:
Click Add Proxy and select the type of proxy to add:
FTP
HTTP
SSH
Enter a Name for the proxy.
Enter the Listen On IP address or host name. This is the IP address and port where this proxy will listen. Proxies listen to all incoming traffic on a port. An address of 0.0.0.0 means that the proxy will listen on all available addresses at the given port. The value must be a valid IPv4 or IPv6 address or a host name.
Enter additional Listen On information specific for each proxy type:
FTP:
Explicit FTP port: All connections to the Explicit FTP port require the client to issue an explicit command (i.e., "AUTH TLS") to initiate a secure connection. Encryption is optional (although it can still be required by the FTP server). Default port is 21.
Implicit FTP port: All connections to the Implicit FTP port will be encrypted. Implicit FTP traffic runs over a different port than Explicit FTP. Default port is 990.
SSL Key: Select the key for the proxy from the list to establish secure communication with the Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores the certificates for the Endpoint. The list is empty if you haven't imported any keys (see Configure Keys and Certs). The keystore contains SSL keys for HTTPS and FTP proxies. A key is not required during proxy creation, but an SSL key is required before starting the proxy. The MOVEit Transfer server should use the same cert for FTPS and HTTPS. Install organization-specific certs in Ipswitch Gateway if necessary.
Require a secure connection: When checked, requires the client to issue an explicit command (i.e. "AUTH TLS") to initiate a secure connection.
External IP for Passive FTP: If the check box is checked, the Ipswitch Gateway FTP server will return the proxy's advertised Endpoint address for an IP address. If the check box is unchecked, the IP field is enabled. Enter a passive IP address and the Ipswitch Gateway FTP server will return the passive IP address you enter here. If Ipswitch Gateway is installed in the cloud (the IP address that the operating system returns as the server's address is strictly local, and the cloud provider advertises a different public IP address that is not directly known by the operating system.
The connection port is determined by the passive port range (3000-3004). The passive port range can be configured in the Settings tab.
HTTP:
Listen on port: Default port is 433. If you installed MOVEit Mobile, add a proxy listening on 8443 to route traffic to the Mobile Server in the trusted zone.
SSL Key: Select the key for the proxy from the list to establish secure communication with the Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores the certificates for the Endpoint. The list is empty if you haven't imported any keys (see Configure Keys and Certs). The keystore contains SSL keys for HTTPS and FTP proxies. A key is not required during proxy creation, but an SSL key is required before starting the proxy. The MOVEit Transfer server should use the same cert for FTPS and HTTPS. Install organization-specific certs in Ipswitch Gateway if necessary.
Accept and redirect plain HTTP requests: When checked, any traffic sent to http://gateway will be redirected to https://gateway. Enter a Plain HTTP port to listen on (listens on port 80 by default). Enter a Redirect to https:// address, which is the hostname or address of the HTTP Location header sent to the client on a redirect from the non-SSL port to the SSL port. This can be useful if the "SSL IP Address or Host Name" is specified by an IP address and you want users to see a host name in the redirect response. If this feature is unchecked, the started proxy listens only on https, and traffic sent to http will bounce or time out.
SSH/SFTP:
Listen on port: Default port is 22.
SSH Key: Select the key for the proxy from the list to establish secure communication with the Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks with the Endpoint, the key is verified against the Ipswitch Gateway Trust Store, which stores the certificates for the Endpoint. Select a previously deployed SSH key or select None to trigger key generation when the proxy starts. The SSH key generates on demand and is saved for use on a restart.
Enter a Send to port. This is the port number of the MOVEit Transfer server to which the proxy will send data. The default for HTTP is 443, the default for FTP is 990, and the default for SSH/SFTP is 22.
Click Save. The proxy displays beneath the Endpoint. The status of newly added proxies is Stopped.