An Endpoint can have multiple proxies. A proxy listens on a port for traffic of a certain protocol type and then forwards the encrypted traffic to a MOVEit Transfer Endpoint. Only a running proxy can route external traffic to the MOVEit Transfer Endpoint.
To add more proxies to an Endpoint:
Click Add Proxy and select the type of proxy to add:
FTP (Note: FTP includes FTPS support.)
HTTP
SSH (Note: This is for SFTP)
Enter a Name for the proxy.
Enter the Listen On IP address or host name. This is the IP address and port where this proxy will listen. Proxies listen to all incoming traffic on a port. The default address of 0.0.0.0 means that the proxy will listen on all available addresses at the given port. The value must be a valid IPv4 or IPv6 address or a host name.
Enter additional Listen On information specific for each proxy type:
FTP:
Explicit FTP port: All connections to the Explicit FTP port require the client to issue an explicit command (i.e., "AUTH TLS") to initiate a secure connection. Encryption is optional (although it can still be required by the FTP server). Default port is 21. By default, MOVEit Transfer's explicit FTP functionality is secure and encrypted. Therefore, the Require a secure connection check box should be selected.
Implicit FTP port: All connections to the Implicit FTP port will be encrypted. Implicit FTP traffic runs over a different port than Explicit FTP. Default port is 990.
SSL Key: Select the certificate for the proxy from the list. This is the certificate that is presented when connecting to MOVEit Transfer through MOVEit Gateway. Proxies will not run without this certificate. The list is empty if you haven't imported any keys (see Configure Keys and Certs). A key is not required during proxy creation, but an SSL key is required before starting the proxy. The MOVEit Gateway server should use the same certificate for FTPS and HTTPS.
Require a secure connection: When checked, requires the client to issue an explicit command (i.e., "AUTH TLS") to initiate a secure connection.
External IP for Passive FTP: If the check box is checked, the MOVEit Gateway FTP server will return the proxy's advertised Endpoint address for an IP address. If the check box is unchecked, the IP field is enabled. Enter a passive IP address and the MOVEit Gateway FTP server will return the passive IP address you enter here. If MOVEit Gateway is installed in a cloud environment, uncheck the box and enter the Gateway VM's public IP address.
Organization ID (Optional) (2020.1 or later): The Organization ID that is passed to MOVEit Transfer when this proxy is used.
SSH/SFTP:
Listen on port: Default port is 22.
SSH Key: Select the key for the proxy from the list to establish secure communication with the Endpoint. Proxies will not run without this key/certificate verification. When a proxy talks with the Endpoint, the key is verified against the MOVEit Gateway Trust Store, which stores the certificates for the Endpoint. Select a previously deployed SSH key or select None to trigger key generation when the proxy starts. The SSH key generates on demand and is saved for use on a restart.
Organization ID (Optional) (2020.1 or later): The Organization ID that is passed to MOVEit Transfer when this proxy is used.
The connection port is determined by the passive port range, which can be configured in the Settings tab.
HTTP:
Listen On Port: Default port is 433. If you installed MOVEit Mobile, add a proxy listening on 8443 to route traffic to the Mobile Server in the trusted zone.
Client Cert Port: This port accepts HTTPS requests from the user during client certificate authentication. Default port is 2443. After sign in, the user's session to MOVEit Gateway goes through the normal Listen On Port number.
SSL Key: Select the certificate for the proxy from the list. This is the certificate that is presented when connecting to MOVEit Transfer through MOVEit Gateway. Proxies will not run without this certificate. The list is empty if you haven't imported any keys (see Configure Keys and Certs). A key is not required during proxy creation, but an SSL key is required before starting the proxy. The MOVEit Gateway server should use the same certificate for FTPS and HTTPS.
Accept and redirect plain HTTP requests: When checked, any traffic sent to http://gateway will be redirected to https://gateway. Enter a Plain HTTP port to listen on (listens on port 80 by default). Enter a Redirect to https:// address, which is the hostname or address of the HTTP Location header sent to the client on a redirect from the non-SSL port to the SSL port. This can be useful if the "SSL IP Address or Host Name" is specified by an IP address and you want users to see a host name in the redirect response. If this feature is unchecked, the started proxy listens only on HTTPS, and traffic sent to HTTP will bounce or time out.
Organization (Optional) (2020.1 or later): This is the Licensed Organization information, which allows Gateway users to configure the Gateway server to point to a single MOVEit Transfer server that is responsible for multiple Organizations using the HTTPS protocol.
ID: The ID of the Organization in MOVEit Transfer. This is the Organization that users will see when connecting with the configured Hostname.
Hostname (FQDN): The fully qualified domain name (FQDN) of the Organization. For example, moveit.progress.com
Certificate: Select the certificate for the Organization from the list, or set to Default to use the certificate configured for this proxy. This is the certificate that is presented when connecting to MOVEit Transfer through MOVEit Gateway using the configured Hostname. For more information about adding certificates, see Import Keys.
Enter a Send to port. This is the port number or range of port numbers of the MOVEit Transfer server to which the proxy will send data. The FTP default is 5990, and the SSH/SFTP default is 5022. HTTP requests are sent across a range of ports. The port range must match the values specified in the Transfer Configuration. For more information, see Configuring the Connection with MOVEit Gateway.
Click Save. The proxy displays beneath the Endpoint. The status of newly added proxies is Stopped.
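Before starting newly added proxies, the settings above can be reviewed against the rules this page states. The following Python check is an added example, not part of MOVEit Gateway or its documentation; the inventory format and its field names (listen_on, ssl_key, require_secure) are assumptions made for illustration, since the proxies themselves are configured in the admin interface.

```python
import ipaddress

# Constructed sample inventory; the field names are hypothetical and are not
# a MOVEit Gateway export format.
PROXIES = [
    {"name": "ftp-ext", "type": "FTP", "listen_on": "0.0.0.0",
     "ssl_key": "gw-cert", "require_secure": False},
    {"name": "web-ext", "type": "HTTP", "listen_on": "203.0.113.10",
     "ssl_key": None},
    {"name": "sftp-ext", "type": "SSH", "listen_on": "not a host!",
     "ssh_key": None},  # None is allowed: the SSH key is generated on start
]

def valid_listen_address(value):
    """Accept an IPv4/IPv6 literal or a syntactically plausible host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        labels = value.split(".")
        return all(l and l[0] != "-" and l[-1] != "-"
                   and l.replace("-", "").isalnum() for l in labels)

def audit(proxies):
    """Return (proxy name, finding) pairs for settings that need review."""
    findings = []
    for p in proxies:
        name, kind, addr = p["name"], p["type"], p["listen_on"]
        if not valid_listen_address(addr):
            findings.append((name, "listen address is not a valid IP or host name"))
        elif addr in ("0.0.0.0", "::"):  # "::" is the IPv6 equivalent
            findings.append((name, "listens on all available addresses"))
        # FTP and HTTP proxies will not run without an SSL key.
        if kind in ("FTP", "HTTP") and not p.get("ssl_key"):
            findings.append((name, "no SSL key selected; proxy will not start"))
        # Explicit FTP stays optional-encryption unless this box is selected.
        if kind == "FTP" and not p.get("require_secure"):
            findings.append((name, "Require a secure connection is not selected"))
    # The Gateway should present the same certificate for FTPS and HTTPS.
    certs = {p["ssl_key"] for p in proxies
             if p["type"] in ("FTP", "HTTP") and p.get("ssl_key")}
    if len(certs) > 1:
        findings.append(("*", "FTPS and HTTPS proxies use different certificates"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(PROXIES):
        print(f"{name}: {finding}")
```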