MOVEit Transfer is capable of storing its encrypted files on a remote Windows fileshare. This is required for webfarm configurations, but can also be used for standalone MOVEit Transfer servers. Storing the encrypted files on a remote location improves security by making it harder to access those files from a compromised webserver. This configuration can help MOVEit Transfer meet company requirements that no data reside in a DMZ network segment.
Using a Remote Fileshare
For standalone and webfarm-enabled MOVEit Transfer servers, follow these steps to configure a file server to provide remote filesystem support to MOVEit Transfer:
Create a moveitdmz user on the file server. This user will be used by MOVEit Transfer to access the file share. The account only needs to be present on the file server.
Create a MOVEitDMZ folder on the file server. This folder is where the MOVEit Transfer encrypted files will be stored.
Give the moveitdmz user full permissions to the MOVEitDMZ folder. Add the moveitdmz user to the list of access control entries through the Security tab on the folder's Properties dialog. Give the user full permissions to the folder.
Share the folder and give full permissions to remote users. Enable sharing on this folder through the Sharing tab on the folder's Properties dialog. Add the moveitdmz user to the share's permissions and give the user full control over the share (you may optionally remove all other users and/or groups from the share permissions list).
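The four file-server steps above as a PowerShell script, added here as an example and not part of the original MOVEit documentation. The D:\MOVEitDMZ location and the share name MOVEitDMZ are assumptions; the final lines list the resulting permissions so that any other principal on the share can be reviewed.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# Assumptions: folder location D:\MOVEitDMZ and share name MOVEitDMZ.
$User    = 'moveitdmz'
$Folder  = 'D:\MOVEitDMZ'
$Share   = 'MOVEitDMZ'
$Account = "$env:COMPUTERNAME\$User"

# Step 1: create the local account (it only needs to exist on the file server).
# The password is prompted for so it does not end up in the script or in history.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -Prompt "Password for $User" -AsSecureString
    New-LocalUser -Name $User -Password $Password `
        -Description 'MOVEit Transfer file store access' | Out-Null
}

# Step 2: create the folder that will hold the encrypted files.
New-Item -Path $Folder -ItemType Directory -Force | Out-Null

# Step 3: grant NTFS full control, inherited by subfolders and files.
$Acl  = Get-Acl -Path $Folder
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Step 4: share the folder, giving the account full control over the share.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Folder -FullAccess $Account | Out-Null
}

# Review: show both permission layers, since "Access is denied" can come
# from either the share permissions or the folder ACL.
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# Flag any other principal on the share; removing them is optional (step 4).
$Extra = Get-SmbShareAccess -Name $Share |
    Where-Object { $_.AccountName -ne $Account }
if ($Extra) {
    Write-Warning "Other principals on share: $($Extra.AccountName -join ', ')"
}
```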
The shared folder may now be used as the MOVEit Transfer file store location. If you are configuring a standalone MOVEit Transfer server to use the shared folder, first shut down the MOVEit Transfer services and manually copy the contents of the existing \MOVEitDMZ\Files folder on the server to the new shared folder. Next, apply the new remote folder settings using the MOVEit Transfer Config program. Use the Advanced button on the Paths tab to enter the UNC path of the shared folder, as well as the username and password of the moveitdmz user configured above. Finally, start the MOVEit Transfer services and run the MOVEit Transfer Checker utility to make sure file transfers are working properly. If there are any errors, see the Troubleshooting section below.
Troubleshooting
When using a remote fileshare for its encrypted file store, MOVEit Transfer will mount the fileshare internally using the configured username and password. If MOVEit Transfer is unable to download or upload files after changing to a remote fileshare, the problem will usually be either an error mounting the share, or a permissions error with the share. Typically the error code and message that MOVEit Transfer encountered when it tried to access the share will be reported back to the client that is trying to upload or download a file. If this is not the case, see the DMZ_WEB.log file on the MOVEit Transfer server for more details about the error.
This is a list of some errors that might be encountered when using a remote share, and how to resolve them:
Error mounting share: 1219 - Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. This error occurs when two or more processes are trying to access the same share. Often this will happen when running the MOVEit Transfer Config program after accessing the remote fileshare using Windows Explorer. This can be fixed by disconnecting existing connections to the fileshare before running other programs that need to access it. To see if there are any connections open under the currently signed on user, open a command prompt window and type net use, then hit enter. Any existing connections to the fileshare being used by MOVEit Transfer should be disconnected by using the net use /DELETE command (for help with the net use command, type net use /? then hit enter).
Error mounting share: 1312 - A specified logon session does not exist. It may already have been terminated. This error is usually caused by the program being run as the Local System account, which is not allowed to mount remote fileshares. This can be fixed by running the program as a regular user, or as the Network Service account. Normally the MOVEit Transfer install should automatically configure the services to run as either a custom service account, or the Network Service account. See the configuration for other MOVEit Transfer services if one of the services is having this problem.
Access is denied. This error occurs when the permissions of the moveitdmz fileshare user are not correct on the share, or on the folder itself. This can be fixed by making sure the user has full permissions on the folder, and full permissions on the share.