Previous Topic

Next Topic

Book Contents

Book Index

SSL - Client Certs - IIS Configuration

MOVEit Transfer relies on Microsoft's IIS server to provide HTTPS connection services. Therefore, MOVEit Transfer must also rely on IIS to also provide client certificate functionality.

MOVEit Transfer users must use client certificates that are trusted or stored in the Microsoft Certificate Trusted Root store, but the MOVEit Transfer certificate management interface usually takes care of this requirement behind the scenes. This section focuses on the IIS settings that the MOVEit Transfer installation/upgrade toggles to turn on client certificate support (by default) and a second supported option.

IIS Set to Accept Client Certs on Some Files

The MOVEit Transfer web interface supports client certificate authentication as soon as it is installed or upgraded to version 4.0 or higher. No manual changes to IIS are required; the installation/upgrade program sets the necessary IIS settings behind the scenes.

Authentication requirement flags on individual user accounts control whether client certificates are required and what client certificates can be used for authentication. (See Web Interface - Users - Profile for more information.)

Advantages/Disadvantages

humancc.aspx and machinecc.aspx

By default, MOVEit Transfer sets the Accept client certificates flag on two files: humancc.aspx and machinecc.aspx. The "cc" in both files stands for "client certificate."

All web browser sessions must authenticate through human.aspx and all other clients must authenticate through machine.aspx. When a user attempts to authenticate through either human.aspx or machine.aspx and MOVEit Transfer notices that the user's account requires client certificate authentication, MOVEit Transfer will automatically redirect the user's session to humancc.aspx or machinecc.aspx. At this point the user will be prompted for client certificate credentials (if using a web browser) or client certificate credentials will be consumed (if using another client). No "second sign on page" is presented; from the user's perspective the entire sign on operation requires only a single submission.

No other files or folders are marked to "Accept client certificates". Access to MOVEit Transfer resources is only possible after a user authenticates with any required client certificates, so only the authentication gateways need to be marked to Accept client certificates.

Site-wide "Accept Client Certificates" Flag (Don't Set It!)

Do not set the site-wide Accept client certificates flag on your MOVEit Transfer IIS website. This configuration is not supported and is not necessary to require individual MOVEit Transfer users to use client certificates while authenticating.

Two signs that someone may have flipped the site-wide Accept client certificates on your moveitdmz IIS site are:

IIS Set to Require Client Certs on Most Content

Setting the IIS site flag to Require client certificates is usually not necessary and is generally not recommended unless it is absolutely required. A large amount of work is required by administrators, end users and operators of remote systems; a better choice is the MOVEit Transfer application-level client certificates.

Furthermore, the Require client certificates flag is only supported by MOVEit Transfer software under Windows Server 2003.

Advantages/Disadvantages

Extra Localhost-Only IIS Site

The MOVEit Transfer FTP, SSH, ISAPI and related services often communicate with the core MOVEit Transfer application through HTTP/S-based XML transactions. To allow this conversation to continue in a Require client certificates environment, you must make a copy of the original moveitdmz IIS and set it to listen for localhost connections only.

To set up this extra site and configure MOVEit Transfer to use it in the context of setting the IIS site-wide Require client certificates flag, use the following procedure.

  1. Open the IIS manager and Export the moveitdmz IIS site.
  2. Import the site you just exported and click through the duplicate name warning. (This warning is harmless and will allow you to import the site anyway.)
  3. Rename the new site. (The duplicate name situation will be harmful if you leave it.)
  4. Open the new site and perform these steps in this order:
  5. Open the original moveitdmz site and make sure it is not explicitly bound to 127.0.0.1.
  6. Open the MOVEit Transfer Configuration utility, go the Paths tab and set the machine URL to http://localhost/machine.aspx.
  7. At this point you can turn on the Require client certificates option on the moveitdmz site. If you are prompted, you should override settings on all folders and files except those listed in the "Exceptions" section below. Make sure that the file security setting for humancc.aspx and machinecc.aspx is to require SSL and to require client certificates.
  8. Make sure that both sites are started.
  9. Test with the MOVEit Transfer Check utility (may skip some tests) and later with live client sessions to make sure everything still works.

Exceptions

Although the default client certificate property on your moveitdmz IIS site will be set to Require..., the following folders must always be marked Ignore client certificates to support the use of the Java Upload/Download Wizard.

The MOVEit Transfer installation and upgrade programs will reset Ignore client certificates on these folders automatically when they are run. (However, Repair installation actions will not reset these parameters.)

Reverting from "Require..." to "Accept..."

To revert from Require... to Accept..., the easiest way to proceed is to set the IIS site-level client certificate requirement from Require... to Ignore... and then force a MOVEit Transfer upgrade (not just a "repair") to reset the appropriate properties on other elements in the IIS web site. You can find tips on how to perform a MOVEit Transfer upgrade at the MOVEit customer portal.

Otherwise, set the IIS site-level client certificate requirement from Require... to Ignore... (while choosing to override all subfolders) and then set the Accept client certificates flag on the humancc_aspx and machinecc_aspx files as shown here:

After completing either procedure, you may also wish to delete the extra localhost IIS site that setting the site-wide Require... flag requires. You may also need to change the Machine URL on the Paths tab of the MOVEit Transfer Config Utility if your moveitdmz site is bound to a specific IP address.