The MOVEit Transfer server has been installed and configured in the trusted zone of the network according to the MOVEit Transfer installation documentation.
The SSTP VPN tunnel has been installed and configured according to the Gateway installation documentation.
Notes
The recommended MOVEit Transfer rule that blocks all incoming connections on the public profile is there to override any other allow rules that may exist, including rules created by the MOVEit Transfer installer: in Windows Firewall, "Block" rules take precedence over "Allow" rules.
Internal users can reach MOVEit Transfer directly only if the server has a second network interface that Windows classifies as private. Windows classifies new network interfaces, including the one used to connect to Gateway, as public by default, so the customer would have to deliberately mark a second interface (if there is one) as private. Incoming connections that arrive through the tunnel are treated as private.
Step 1: Gateway Server Firewall Rules
Note: The examples shown below were created with Windows Firewall with Advanced Security. If your environment uses a different firewall, apply the equivalent rules there.
Create inbound port rules for the public profile that allow incoming TCP connections on the following ports:
Port 21 (FTPS Explicit)
Port 22 (SSH)
Port 443 (HTTPS)
Port 80 (HTTP)
Port 990 (FTPS Implicit)
Ports 3000-3100 (FTPS Data)
Port 10443 (SSTP Tunnel)
Under the Scope tab of the port 10443 rule, set the Remote IP Address so that connections are allowed only from the MOVEit Transfer server IP address (for example, 192.168.196.237).
Verify that the firewall state is enabled for public network locations.
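The Step 1 rules as a script, added here as an example and not taken from the MOVEit documentation. It uses the NetSecurity cmdlets that ship with Windows Server; the MOVEit Transfer address 192.168.196.237 is the page's example value and the rule display names are my own choice. Run it in an elevated PowerShell session on the Gateway server.

```powershell
# Added example (not from the MOVEit documentation): Step 1 Gateway server rules.
# Assumptions: Transfer server is 192.168.196.237 (the page's example address);
# the display names below are ours, not names the MOVEit installer creates.
$transferServer = '192.168.196.237'

# Public-facing listeners on the Gateway. All of these protocols run over TCP.
$publicRules = @(
    @{ Name = 'MOVEit Gateway - FTPS Explicit'; Port = '21' },
    @{ Name = 'MOVEit Gateway - SSH';           Port = '22' },
    @{ Name = 'MOVEit Gateway - HTTP';          Port = '80' },
    @{ Name = 'MOVEit Gateway - HTTPS';         Port = '443' },
    @{ Name = 'MOVEit Gateway - FTPS Implicit'; Port = '990' },
    @{ Name = 'MOVEit Gateway - FTPS Data';     Port = '3000-3100' }
)

foreach ($r in $publicRules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -Profile Public -Action Allow | Out-Null
}

# SSTP tunnel port, scoped so that only the MOVEit Transfer server may connect.
# -RemoteAddress is the scripted equivalent of the Scope tab's "Remote IP address".
New-NetFirewallRule -DisplayName 'MOVEit Gateway - SSTP Tunnel' -Direction Inbound `
    -Protocol TCP -LocalPort 10443 -RemoteAddress $transferServer `
    -Profile Public -Action Allow | Out-Null

# Make sure the firewall is actually enforcing on the public profile.
Set-NetFirewallProfile -Profile Public -Enabled True

# Review what was created, including the remote-address scope of each rule.
Get-NetFirewallRule -DisplayName 'MOVEit Gateway - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Profile    = $_.Profile
        LocalPort  = $port.LocalPort
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize

Get-NetFirewallProfile -Profile Public | Select-Object Name, Enabled
```

The only rule with a non-default scope should be the SSTP tunnel rule; every other rule should show `Any` as its remote address, because those ports are meant to be reachable from the internet.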
Step 2: MOVEit Transfer Server Firewall Rules
Modify the following pre-defined inbound port rules so that they apply only to the private network profile:
MOVEit DMZ FTP
MOVEit DMZ SSH
World Wide Web Services (HTTP Traffic-In)
World Wide Web Services (HTTPS Traffic-In)
Create a new inbound rule for the public profile that blocks incoming connections on all ports and protocols.
Verify that the firewall state is enabled for both public and private network locations.
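The Step 2 changes as a script, added here as an example rather than taken from the MOVEit documentation. The four pre-defined rule names are the ones quoted above; the name of the catch-all block rule is my own. Run it in an elevated PowerShell session on the MOVEit Transfer server.

```powershell
# Added example (not from the MOVEit documentation): Step 2 MOVEit Transfer rules.
# The pre-defined rule names are those listed on the page; the block rule's
# display name is ours.
$predefined = @(
    'MOVEit DMZ FTP',
    'MOVEit DMZ SSH',
    'World Wide Web Services (HTTP Traffic-In)',
    'World Wide Web Services (HTTPS Traffic-In)'
)

foreach ($name in $predefined) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Pre-defined rule '$name' not found; check that the installer created it."
        continue
    }
    # Restrict the rule to the private profile. Connections arriving through the
    # SSTP tunnel are treated as private, so Gateway traffic still matches.
    $rules | Set-NetFirewallRule -Profile Private
}

# Catch-all block on the public profile: no protocol or port filter, so it
# matches every inbound connection on a public interface. Block rules take
# precedence over Allow rules, so this also neutralises any leftover public
# Allow rule, including ones created by the MOVEit installer.
New-NetFirewallRule -DisplayName 'MOVEit Transfer - Block all public inbound' `
    -Direction Inbound -Profile Public -Action Block | Out-Null

# Both profiles must be enforcing.
Set-NetFirewallProfile -Profile Public, Private -Enabled True

# Audit: any enabled inbound Allow rule that still applies to the public profile
# (or to all profiles) is worth reviewing, even though the block rule overrides it.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Group |
    Format-Table -AutoSize

Get-NetFirewallProfile -Profile Public, Private | Select-Object Name, Enabled
```

The audit at the end is the check worth keeping: the block rule makes stray public Allow rules harmless, but a clean rule set is easier to reason about when a later change, or a product upgrade that re-creates its rules, removes the block rule.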
Step 3: Verify Firewall Rules
Test 1:
Open a web browser on the Gateway server and try to connect to the MOVEit Transfer server IP address.
Note: If the firewall rules have been correctly defined, the connection to the MOVEit Transfer server IP address should time out.
Test 2:
Open a web browser on the Gateway server and try to connect to the Gateway server IP address.
Note: If the firewall rules have been correctly defined, the connection to the Gateway server IP address should succeed.
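A scripted version of Test 1 and Test 2, added here as an example and not part of the MOVEit documentation. It probes port 443 from the Gateway server, as the browser test does, and distinguishes a timeout (the expected result for Test 1) from an active refusal, which would mean the packet reached the MOVEit Transfer host and the public block rule is not doing its job. The Transfer address 192.168.196.237 is the page's example value; the Gateway address 203.0.113.10 is a placeholder to replace with your own.

```powershell
# Added example (not from the MOVEit documentation): scripted Test 1 / Test 2.
# Assumptions: Transfer server is 192.168.196.237 (page's example value);
# 203.0.113.10 is a placeholder for the Gateway's own address.
$transferServer = '192.168.196.237'
$gatewayServer  = '203.0.113.10'

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 5000)
    # Plain TCP connect with a timeout. Returns 'Open', 'Timeout' or 'Refused':
    # a firewall drop shows up as Timeout, a reachable host with nothing
    # listening (or a REJECT rule) shows up as Refused.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Timeout' }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        return 'Refused'
    } finally {
        $client.Close()
    }
}

# Test 1: the Transfer server's LAN address, reached over the public path,
# must drop the connection (the page says the browser should time out).
$t1 = Test-TcpPort -Target $transferServer -Port 443
# Test 2: the Gateway's own HTTPS listener must accept the connection.
$t2 = Test-TcpPort -Target $gatewayServer -Port 443

[pscustomobject]@{ Test = 'Transfer direct (expect Timeout)'; Result = $t1; Pass = ($t1 -eq 'Timeout') }
[pscustomobject]@{ Test = 'Gateway (expect Open)';            Result = $t2; Pass = ($t2 -eq 'Open') }
```

A `Refused` result for Test 1 deserves attention rather than a shrug: the host answered, so the catch-all public block rule is either missing, disabled, or applied to a profile other than the one Windows assigned to that interface.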