Interface

• To set default policies for HTTP, FTP, SSH, and Mobile interfaces for new users in the organization:

  Sign on as Admin. Select SETTINGS > Security Policies > Interface and select an interface type.

These settings determine the defaults for new users in the organization. If you make subsequent changes, you can apply the changes to all users (new and existing) or to only new users in the organization.

You can change the policy for individual users in USERS > username > User Authentication. For more information, see User Profile - User Authentication.

Note: For all of these interfaces, if you plan on using different interface policies for different groups of users, see the create users as a clone of... options available in MOVEit Transfer. For example, to have all users except those using External Authentication (EA) to present a certificate during the authentication process, set the organization's default interface values to require client certs, and set the EA source to clone a template user that does not require client cert authentication during new EA user creation.

HTTP

This page allows administrators to set the default HTTP interface policy for all new users in the organization. Changes to the policy on this page will be given the option of also being applied to all existing users in the organization. The policy options available are:

• Allow HTTPS Access via Web Interface by Default: Determines whether users will be allowed to access the system via web browsers.
• Allow HTTPS Access via HTTP Clients by Default: Determines whether users will be allowed to access the system via other HTTP clients, such as MOVEit Automation, MOVEit Transfer API and the MOVEit Wizard.
• SSL Client Cert Required by Default: Determines whether users signing on to the HTTPS interface will be required to present a valid SSL client certificate in order to authenticate to the system.

  Note: For SAML Single Signon users, the SSL Client Required option must be set to No.

• Password Also Required with SSL Client Cert by Default: Determines whether users who sign on to the HTTPS interface with a valid SSL client certificate will also be required to submit a valid password in order to authenticate to the system.
• Match Cert CN to Username/Full Name: When enabled, SSL client certificate that have a CN value that matches the username or full name of the incoming user AND is signed by a Certificate Authority trusted by the system will be considered valid and acceptable for authentication purposes.
• Allow Username from Client Certificate: When enabled, users will be given the option on the signon page to have MOVEit Transfer automatically determine their username from their client certificate and attempt to sign them on. MOVEit Transfer will first search its internal certificate store for a matching certificate, then if possible it will search properly configured LDAP external authentication sources. If a matching certificate is found, the associated username is assumed and a signon is attempted. If a matching certificate is not found, or the user requires a password in addition to the client certificate, they will be returned to the signon page with a message indicating the need for further credentials.
• If a matching client certificate is found, and the user is successfully signed on with the associated username, a long-term cookie will be set which will allow MOVEit Transfer to automatically forward them to the username autodetection routines in the future. Thus, the user will always log directly on to the system whenever they bring up the web site, as long as their client certificate is provided and is still valid.

FTP

This page allows administrators to set the default FTP interface policy for all new users in the organization. Changes to the policy on this page will be given the option of also being applied to all existing users in the organization. The policy options available are:

• Allow FTP/SSL Access by Default: Determines whether users will be allowed to access the system via secure FTP over SSL.
• Allow Insecure FTP Access by Default: Determines whether users will be allowed to access the system via insecure plain-text FTP. Requires Non-Secure FTP to be enabled and allowed for the IP addresses for each user. See the FTP Configuration doc page for more information.
• SSL Client Cert Required by Default: Determines whether users signing on to the FTP over SSL interface will be required to present a valid SSL client certificate in order to authenticate to the system.
• Password Also Required with SSL Client Cert by Default: Determines whether users who sign on to the FTP over SSL interface with a valid SSL client certificate will also be required to submit a valid password in order to authenticate to the system.
• Match Cert CN to Username/Full Name: When enabled, SSL client certificate that have a CN value that matches the username or full name of the incoming user AND is signed by a Certificate Authority trusted by the system will be considered valid and acceptable for authentication purposes.
• Holding Tank retention: Determines how long SSL client certificates and SSH client keys entered into the cert/key holding tank will be allowed to remain there. Certs or keys older than this number of days will be removed from the holding tank.

Management of trusted Certificate Authorities (CAs) and user holding tank certificates is also performed here. For more information on trusted CAs, see the System Configuration - SSL and SSH - SSL - Client Certs - Trusted CAs document page. For more information on the SSL client certificate holding tank, see the System Configuration - SSL and SSH - SSL - Client Certs - Holding Tank document page.

Client Certificates

All client certs are either "self-signed" or "CA-signed". The "CA-" indicates that a "Certificate Authority" has signed the client cert and vouches for the identity of the bearer. Furthermore, CAs are divided into "commercial CAs" that sell client cert issue and signing services to the general public (e.g., Thawte, GeoTrust, etc.) and "corporate CAs" that perform the same client cert functions for their own users.

MOVEit supports self-signed certs, commercial CA-signed certs and corporate CA-signed certs. A client cert may be delivered as a "*.pfx" file with a password or users may need to request it may need to request a cert from a CA.

Various browsers have different ways to install client certs. Internet Explorer (IE) uses the Windows Certificate Store; you can install and manage client certs through IE's "Certificate" dialog. Windows will also launch a client cert import wizard that will automatically install most client certs into IE if you just double-click "*.pfx" client cert file.

The Mozilla/Firefox line of browsers uses its own client cert store. To install client certs in these browsers you must use their "Certificate Manager".

Various browsers also have different ways to select client certs for authentication. The most common way is for the browser to open a dialog box that asks you which client cert to use. When connecting to a MOVEit server, users may be prompted through their browsers to select a client cert after they fill in their username and password or before they view the sign on screen.

However, most browsers also have options to automatically present a client cert if only one is installed or not ask about picking a client cert if one was not presented. In these cases client cert authentication may be being used behind the scenes (in the "one cert, so don't ask" case) or not at all (in the "no certs installed, so don't ask" case).

Finally, the private key on a user's client cert may be password protected. If this is the case users may need to type in the password they created when they opted to protect this client cert or key store as well. (Usually, such prompting takes place once per session.)

SSH

This page allows administrators to set the default SSH interface policy for all new users in the organization. Changes to the policy on this page will be given the option of also being applied to all existing users in the organization. The policy options available are:

• Allow SSH Access by Default: Determines whether users will be allowed to access the system via SSH.
• SSH Key Required by Default: Determines whether users signing on to the SSH interface will be required to present a valid SSH client key in order to authenticate to the system.
• Password also required with valid SSH Key by Default: Determines whether users who sign on to the SSH interface with a valid SSH client key will also be required to submit a valid password in order to authenticate to the system.
• Holding Tank retention: Determines how long SSL client certificates and SSH client keys entered into the cert/key holding tank will be allowed to remain there. Certs or keys older than this number of days will be removed from the holding tank.

Management of user holding tank keys is also performed here. For more information on the SSH client key holding tank, see the SSH Keys Holding Tank document page.

Mobile

This page allows administrators to set the default Mobile interface policy for all new users in the organization. Changes to the policy on this page will be given the option of also being applied to all existing users in the organization. Policies set here can be changed per user in the User Profile (User Authentication section).sys

The policy options available are:

• Allow access to the Mobile interface by default: Determines whether users will be allowed to sign on to MOVEit by using the Mobile app or web.

  Note: Ipswitch suggests that for security reasons you do not allow mobile access to admins, fileadmins or users that are used for bulk data transfers such as nightly FTPS/SFTP transfers.

• Allow caching of credentials on mobile devices: This determines whether mobile app users will be allowed to cache credentials on the device for quick sign-on using a PIN.
• Required PIN length: This specifies the minimum digits required for the PIN. Choose 4, 5, or 6 digits.

  Note: The app always requires that users do not repeat or increment numbers when creating the PIN. For example, the app does not allow 1111 or 12345 as a PIN.