Multi-homing

Multi-homing MOVEit Transfer implies a central environment is handling requests directed at distinct hosts or multiple IP addresses. In MOVEit Transfer, this can mean that a single MOVEit Transfer instance is serving requests addressed to one or more hostnames with their respective SSL certificates and branding.

Typical uses of multi-homing include:

Separating application-level access of MOVEit Transfer (cloud, SaaS, and application service provider scenario, for example).
Different IP addresses/domains for different access protocols (HTTPS and HTTP, for example).
Application end-point branding/domain recognition.
Redundancy.

For example, if a single site was asked to support both "moveit.example.com" and "safestore.contoso.com" for two different companies on the same MOVEit Transfer server, we would say that the MOVEit Transfer is multi-homing.

Multi-homing

multi_homing

1	MOVEit Transfer Clients	Mobile, desktop, and tablet end-users.
2	Hosted Sites (for example)	Bindings for two or more file transfer endpoints. Typical endpoints can vary in protocol and configuration, but each requires a distinct IP address binding and certificate.
3	Certificates	Certificates with bindings to the different hosted sites.
4	File Transfer Applications	Protocols provided by MOVEit Transfer.
5	File Transfer Server	MOVEit Transfer server running on premises or in the cloud. Multi-homing deployment configuration enables secure file access to clients independent of perceived branding, domain name, and protocol. The actual server would typically run on a rack server or as part of a cloud solution.

Multi-homing Configuration Elements

Elements by Service

To support multi-homing, several MOVEit Transfer configuration items must be adjusted. These items can be broken down by the service they are related to.

Core MOVEit Transfer Application
- Create a separate organization for each hostname
- Each organization's Base URL must be set to a unique hostname
- Each organization should have its own branding
HTTPS Server (IIS Service)
- Add multiple SSL certificates, one for each hostname
- Configure multiple IP addresses, one for each hostname
FTPS Server (MOVEit Transfer Service)
- Set up the default SSL host certificate to match one of the organizations
- Other organizations will use other ("alternate") SSL host certificates as configured by FTP IP address. Set this list of IP addresses up to match those configured under IIS
SFTP Server (MOVEit Transfer Service)
- Only one SSH server key is currently available through the SFTP service.
- (SSH server keys, unlike SSL server certs, do not have a "hostname" or other organization-identifying element.)

Elements by Configuration Utility

These items can also be broken down by the configuration utility that must be used to configure them.

Internet Information Services (IIS) Manager
- Request and install commercial SSL host certificates.
- Configure a separate IIS binding (Windows 2008) for each organization.
MOVEit Transfer Configuration Utility
- Select the default SSL host certificate to match one of the organizations. ("FTP Certs" tab)
- Select alternate SSL host certificates for each additional organization.
MOVEit Transfer Web Interface (Signed on as a SysAdmin)
- Add a new production organization for each hostname. ("Orgs" page)
- Set each organization's Base URL to its hostname. ("Organization Profile" page)
MOVEit Transfer Web Interface (Signed on as an Admin)
- Let each organization control its own scheme/colors, logos and other branding elements through their existing Admin accounts

Recommended Procedures

There are several ways to accomplish many of the tasks listed in the previous subsection, but the following procedures are recommended.

Requesting, obtaining and installing multiple SSL certs for different organizations

Windows Server 2008

For Windows Server 2008 and later, you need not create additional IIS websites. Instead, you may create multiple SSL certificates at the webserver level, and then assign them to bindings.

Creating and installing additional SSL certificates

Run Internet Information Services (IIS) Manager.
Choose the name of the server in the left pane.
In the Features View, double-click on Server Certificates.
Create a certificate request by choosing Create Certificate Request... in the right pane. After submitting the certificate request and receiving the response from the Certificating Authority, come back and choose Complete Certificate Request. Alternatively, you can create a self-signed certificate, but this is not recommended because it will cause browser warning messages for your users.

Creating additional IIS bindings

Assign multiple IP addresses and SSL certificates to a single website, thus bypassing the complexity of creating multiple websites (available only Windows Server 2008 and later).

Run Internet Information Services (IIS) Manager.
Right-click the name of the website (usually moveitdmz) and choose Edit Bindings....
Choose the https line and choose Edit....
Change the IP address from All Unassigned to one of the configured IP addresses.
Choose the appropriate SSL certificate.
Choose OK.

For the second and subsequent organizations, repeat the above procedure in the Site Bindings dialog, but choose Add... to add bindings and SSL certificates for the remaining organizations.

How do I configure MOVEit Transfer to identify each IIS site as its own organization?

MOVEit supports the display of an organization’s branding based solely on the hostname provided in the base URL.

Sign on as a SysAdmin.
Go to the Orgs page and click the NAME of a specific organization to get into its Organization Profile.
While viewing the Organization Profile, click the first edit link.
Change the Base URL to match the hostname of the site. Include the https:// prefix. For example, if the hostname is support.moveitdmz.com, the Base URL should be https://support.moveitdmz.com.
Save changes and repeat steps 3-5 for any remaining organizations.

How do I configure MOVEit Transfer to hand out different SSL certs on its FTP server for each organization?

The MOVEit Transfer FTP will offer the Default Certificate configured on the FTP Certs tab in the MOVEit Transfer Config utility (DMZConfig.exe) to all incoming FTP/SSL connections unless alternate certificates are configured in the Alternate Certificates window. Each Server IP value should match an IP address previously configured on an IIS site bearing an SSL certificate of the same name. (for example, If an IIS site for dmz.example.net is already listening for connections on IP address 10.1.1.2, add an alternate entry that will cause the FTP server to offer up the dmz.example.net certificate to connections coming in to IP address 10.1.1.2.)

How do I handle future upgrades?

MOVEit Transfer upgrades will handle or avoid all elements of the multi-homing process except for specific IIS setting changes made to sites other than the IIS site into which MOVEit Transfer was originally installed. Release notes will detail any IIS site setting changes made between MOVEit Transfer versions; consult our support department for specific instructions to make changes by hand.