Firewall Configuration

MOVEit Transfer was designed to be secure on production DMZ segments exposed to the Internet. MOVEit Transfer communicates only over ports MOVEit Transfer controls. This topic describes how to enforce this behavior on your firewall.

Overview

HTTPS, FTP over SSL (FTP/SSL, ftps) and/or FTP over SSH (FTP/SSH, sftp) are used to communicate with MOVEit Transfer. MOVEit Transfer also normally needs to access the SMTP services of another mail server to deliver notification messages.

Nonsecure HTTP services are optional and generally not recommended. If nonsecure services are enabled, MOVEit redirects users to the secure services. (IIS does not redirect.) Access to different services from different locations (such as internal vs internet) can also be controlled by the firewall. See diagram below,

• GREEN ARROWS indicate web (HTTP/S) services.

LIGHT BLUE ARROWS indicate FTP over SSL services.

• BLUE ARROWS indicate SSH services.
• GRAY ARROWS indicate other services (SMTP, RADIUS, LDAP).

Example Firewall Ruleset and Port Mapping Configurations Used with MOVEit Transfer

Deny All

To prevent outside forces from opening unauthorized connections to MOVEit Transfer, use the following rule:

• REQUIRED: Deny (ALL CONNECTIONS) to MOVEit Transfer

To prevent MOVEit Transfer from opening unauthorized connections to outside computers, use the following rule:

• REQUIRED: Deny MOVEit Transfer to (ALL CONNECTIONS)

Depending on the services you choose to run on MOVEit Transfer, you must open one or more ports. The criteria and specifics are covered below.

Remote Web Browsers (HTTP/S)

MOVEit Transfer normally listens for NONSECURE web connections on TCP port 80 and SECURE web connections on TCP port 443. Remote users MUST be able to connect to the secure port (443) from remote addresses. Optionally, you can also leave port 80 open if you want MOVEit Transfer to auto-redirect users connecting on the nonsecure port to the secure port instead.

• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-443
• Optional (and not recommended): Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-80

Remote Mobile Apps and Web Browsers (HTTP/S)

MOVEit Mobile normally listens for NONSECURE (HTTP) mobile client connections on TCP port 8080 and SECURE (HTTPS) web connections on TCP port 8443. If these ports are taken, you can configure different port numbers during mobile server installation and MOVEit system configuration. Mobile clients must be able to connect to the configured secure port. The nonsecure port enables the auto-redirect of mobile clients to the secure port.

• REQUIRED: Allow TCP (Remote) (Any Port) to the MOVEit Mobile Port for HTTPS, as configured during Mobile Server Installation; the default is: 8443
• Optional: Allow TCP (Remote) (Any Port) to the MOVEit Mobile Port for HTTP, as configured during Mobile Server Installation; the default is: 8080

Remote Secure FTP over SSL Clients (FTP/S)

If MOVEit Transfer FTP needs to support clients over the Internet, Ipswitch strongly recommends you REQUIRE PASSIVE MODE FTP TRANSFERS and LOCK PASSIVE DATA PORTS TO A SMALL RANGE on MOVEit Transfer FTP.

Warning: Only specifying FTP on your firewall will rarely be enough to allow secure FTP through (unless both client and server use the CCC option). Firewalls that understand FTP look for the phrase "PORT" in data channels and open temporary holes in the firewall for communications over the designated ports between the two machines on either side of the data channel. However, secure data channels are encrypted, meaning the firewall cannot open any temporary ports.

Explicit FTPS control connections take place on TCP port 21.

Implicit FTPS control connections take place on TCP port 990.

If you use FTPS on your MOVEit Transfer system, it is HIGHLY RECOMMENDED that you configure it to use both explicit and implicit modes (for greatest client compatibility), passive mode (to allow the server to select port numbers), and to use a restricted range of ports (to avoid opening up a hole that a Trojan horse could use).

CCC Command - Alternative to Range of High Open Ports

MOVEit Transfer supports the CCC FTP command. The CCC command allows FTP-aware firewalls to understand the PORT commands otherwise hidden by FTP over SSL. Specifically, the CCC command allows the PORT commands to be understood by firewalls by dropping the control channel out of encrypted mode and into cleartext mode.

Using the CCC command creates the following security risks:

• It is possible to sniff the now cleartext port command to connect to the secure FTP server and either steal data by connecting as if they were the real client, or cause a denial of service attack by preventing the real client from connecting.
• It is possible to sniff folder names, file names and custom commands such as "change password" while the control channel is unencrypted.

The security risk of the alternate solution - a limited number of open ports - is that another service could be installed on that server and could start listening on those ports.

Active FTP - Not Recommended

Active FTP is NOT recommended for Internet connections because remote firewalls will likely not permit active FTP data connections in, especially if they are encrypted.

REQUIRED: Allow TCP (Remote) (Any Port) to 1 Port-21

• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-990
• REQUIRED: Allow TCP MOVEitDMZ Port-20 to (Remote) (Any Port)
• REQUIRED: Allow TCP MOVEitDMZ Port-989 to (Remote) (Any Port)

Passive FTP (Unrestricted) - Not Recommended

Setting Passive FTP up in unrestricted mode is not recommended because proper operation of this mode requires a wide range of high ports (thousands) to be open on the firewall.

• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-21
• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-990
• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ (High Ports)

MOVEit Transfer normally listens for SECURE FTP control connections on TCP port 21 (and 990 when using implicit mode). As a passive FTP server, MOVEit Transfer will then listen for a SECURE FTP data connection on the TCP high port (>1023) it negotiated with the client. These ports must be left open for proper communication.

Passive FTP (Restricted) - Recommended

• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-21
• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-990
• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Ports-3000_3003
  (administrator's discretion)

MOVEit Transfer normally listens for SECURE FTP control connections on TCP port 21 (and 990 when using implicit mode). In restricted passive mode MOVEit Transfer listens for SECURE FTP data connections on a configurable finite range of contiguous TCP high ports (e.g., 3000,3001,3002,3003) that it specifies to a particular client. (Nothing extra needs to be configured on clients other than to specify passive mode transfers.) These ports must be left open for proper communication.

Additional Ports for Client Certificates

If you require that all your FTP/SSL traffic authenticate with client certificates, it is not necessary to set up additional FTP/SSL ports for this purpose. However, if you want to require some FTP/SSL connections/users to authenticate with client certificates while others do not face this requirement (common during migrations), you must set up additional ports for FTP/SSL client certificate authentication.

Client certificate authenticated sessions use the same data ports as regular FTP/SSL sessions, so no additional data ports are needed. However, a second Explicit control port and a second Implicit control port are typically assigned to a MOVEit Transfer FTP server in this situation. For example, Ipswitch uses ports 21 and 990 to handle its non-client-cert-authenticated connections and ports 10021 and 10990 to handle its client-cert-authenticated connections.

Remote Secure FTP over SSH Clients (SSH)

MOVEit Transfer uses a one-port SSH tunnel to support FTP over SSH clients. The use of a single SSH tunnel has an advantage over the multiple encrypted data streams used by FTP over SSL: fewer ports need to be opened on a firewall. (FTP over SSH is a single port secure transfer protocol.) The one port normally used by SSH is TCP port 22.

• REQUIRED: Allow TCP (Remote) (Any Port) to MOVEitDMZ Port-22

Email Notification (SMTP)

The MOVEit Transfer server requires the use of an SMTP-compliant mail server to send email notifications. If your MOVEit Transfer server must pass through a firewall to reach a mail server, you must allow MOVEit Transfer access to it only over TCP port 25. If you want the ability to queue messages if your mail server is unreliable, need special authentication parameters to relay mail, or generally plan on sending many notifications at one time, consider setting up the local mail relay.

Note: The MOVEit Transfer server does not need to access an internal email server if you can point it to your upstream (ISP) mail relay instead.

• REQUIRED: Allow TCP MOVEitDMZ (High Ports) to (YOUR MAIL SERVER) Port-25

Remote Authentication (RADIUS)

If you intend to use RADIUS remote authentication, MOVEit Transfer must be able to communication via UDP to the remote RADIUS server. The UDP port normally used to support RADIUS is 1645, but this port is configurable.

• OPTIONAL: Allow UDP MOVEitDMZ (High Ports) to (YOUR RADIUS SERVER) Port-1645

Remote Authentication (LDAP)

If you intend to use LDAP remote authentication, MOVEit Transfer must be able to communication via TCP to the remote LDAP server. The TCP port normally used to support LDAP is 389 and the port normally used to support LDAP over SSL is 636, but these ports are configurable. (The use of LDAP over SSL is strongly recommended; most modern LDAP servers support this. For example, see Active Directory - SSL in Feature Focus - External Authentication for instructions to enable SSL access on Active Directory LDAP servers.)

• OPTIONAL: Allow TCP MOVEitDMZ (High Ports) to (YOUR LDAP SERVER) Port-389
• OPTIONAL: Allow TCP MOVEitDMZ (High Ports) to (YOUR LDAP SERVER) Port-63

Remote Microsoft SQL Server database

If MOVEit Transfer will connect to a remote Microsoft SQL Server database, such as in a web farm, the MOVEit Transfer node must be able to communicate over the SQL Server ports. Port 1433 is the default SQL Server port, if you have configured a different port for your SQL Server instance, use that port instead of 1433. You must open port 1434 only if you plan on running SQL Server Studio or another SQL Server utility on the MOVEit Transfer application nodes themselves.

• REQUIRED: Allow TCP MOVEitDMZ to (Your MS SQL Server) (Port 1433) for SQLServer default instance
• Optional: Allow TCP MOVEitDMZ to (Your MS SQL Server) (Port 1434) for SQL Admin Connection

MOVEit Transfer Web Farms

If MOVEit Transfer Web Farms is in use, each node and the NAS must allow Microsoft networking protocols between them. This is normally accomplished by opening TCP port 445 between the various machines. However, DO NOT leave this port open to or from the Internet.

Time Service

Some sites, such as those regulated by the FDA, might need to ensure that the clock on MOVEit Transfer is kept in sync with a known, external source. The hostnames of external time sources such as time.nist.gov can be found on various lists of public time servers.

Time services (RFC 958) normally use UDP port 123. When setting up firewall rules to support external time service, you must allow UDP packets to travel from any high port on the MOVEit Transfer to remote UDP port 123, ideally on one or a small collection of remote servers. Return traffic using the same UDP port must also be able to return to your MOVEit Transfer server.

Notes:

• Your firewall might also be able to act as a time server. In this situation, the firewall queries external time servers itself instead of permitting every machine behind the firewall to get its own time.
• Servers that are members of a domain are automatically time synchronized with the domain controller, so no external time server is necessary.

SysLog Service

If you elect to send MOVEit Transfer Audit Events to a SysLog server, you will likely need to allow UDP SysLog packets to travel from your MOVEit Transfer to the SysLog server on UDP port 514.

SNMP Service

If you elect to send MOVEit Transfer Audit Events to a SNMP management console, you will likely need to allow UDP SNMP packets to travel from your MOVEit Transfer to the SNMP management console on UDP port 161.

ODBC stunnel (Largely Obsolete)

This procedure has largely been replaced by the ability of the MOVEit Transfer API to run ad-hoc custom reports against most MOVEit Transfer configuration elements and audit entries remotely over a secure connection.

If you elect to set up an ODBC stunnel connection (as described in Advanced Topics - Database - Remote Access), you will likely need to allow connections from MOVEit Automation to MOVEit Transfer on TCP port 33062. This port is configurable and may be changed in both the stunnel_mysqlserver.conf and stunnel_mysqlclient.conf configuration files involved.

MOVEit Freely & MOVEit Buddy

MOVEit Freely and MOVEit Buddy are secure FTP clients. See the Remote Secure FTP Over SSL Clients section above for required port information

MOVEit Automation

MOVEit Automation typically communicates with MOVEit Transfer via HTTPS. See the Remote Web Browser (HTTP/S) section above for required port information.

MOVEit Wizard, MOVEit Xfer, MOVEit Transfer API or MOVEit EZ

The MOVEit Wizard, MOVEit Xfer, MOVEit Transfer API and MOVEit EZ clients all communicate with MOVEit Transfer via HTTPS. See the Remote Web Browser (HTTP/S) section above for required port information.

AS2 Clients

AS2 clients normally use HTTPS. In rare cases they can use HTTP instead. See the Remote Web Browser (HTTP/S) section above for required port information.

AS3 Clients

AS3 clients are secure FTP clients. See the Remote Secure FTP Over SSL Clients section above for required port information.