MOVEit Transfer was designed to run securely on production DMZ segments exposed to the Internet, and it communicates only over ports that it controls. This topic describes how to enforce this behavior on your firewall.
HTTPS, FTP over SSL (FTP/SSL, ftps) and/or FTP over SSH (FTP/SSH, sftp) are used to communicate with MOVEit Transfer. MOVEit Transfer also normally needs to access the SMTP services of another mail server to deliver notification messages.
Nonsecure HTTP services are optional and generally not recommended. If nonsecure services are enabled, MOVEit redirects users to the secure services (IIS itself does not redirect). Access to different services from different locations (such as internal vs. Internet) can also be controlled by the firewall. See the diagram below.
To prevent outside traffic from opening unauthorized connections to MOVEit Transfer, use the following rule:
REQUIRED: Deny (ALL CONNECTIONS) to MOVEit Transfer
To prevent MOVEit Transfer from opening unauthorized connections to outside computers, use the following rule:
REQUIRED: Deny MOVEit Transfer to (ALL CONNECTIONS)
Depending on the services you choose to run on MOVEit Transfer, you must open one or more ports. The criteria and specifics are covered below.
MOVEit Transfer normally listens for NONSECURE web connections on TCP port 80 and SECURE web connections on TCP port 443. Remote users MUST be able to connect to the secure port (443) from remote addresses. Optionally, you can also leave port 80 open if you want MOVEit Transfer to auto-redirect users connecting on the nonsecure port to the secure port instead.
Note: MOVEit Mobile Client uses HTTPS (Port 443).
If MOVEit Transfer FTP needs to support clients over the Internet, PSC strongly recommends you REQUIRE PASSIVE MODE FTP TRANSFERS and LOCK PASSIVE DATA PORTS TO A SMALL RANGE on MOVEit Transfer FTP.
Warning: Specifying only FTP on your firewall will rarely be enough to allow secure FTP through (unless both client and server use the CCC option). Firewalls that understand FTP look for the "PORT" command on the control channel and open temporary holes for the designated data ports between the two machines on either side of the connection. However, a secure control channel is encrypted, so the firewall cannot see the PORT command and cannot open any temporary ports.
Explicit FTPS control connections take place on TCP port 21.
Implicit FTPS control connections take place on TCP port 990.
If you use FTPS on your MOVEit Transfer system, it is HIGHLY RECOMMENDED that you configure it to use both explicit and implicit modes (for greatest client compatibility), passive mode (to allow the server to select port numbers), and to use a restricted range of ports (to avoid opening up a hole that a Trojan horse could use).
CCC Command - Alternative to Range of High Open Ports
MOVEit Transfer supports the CCC FTP command. The CCC command allows FTP-aware firewalls to understand the PORT commands otherwise hidden by FTP over SSL. Specifically, the CCC command allows the PORT commands to be understood by firewalls by dropping the control channel out of encrypted mode and into cleartext mode.
Using the CCC command creates the following security risks:
The security risk of the alternative solution, a limited range of open passive data ports, is that another service could be installed on that server and start listening on those ports.
Active FTP - Not Recommended
Active FTP is NOT recommended for Internet connections because remote firewalls will likely not permit active FTP data connections in, especially if they are encrypted.
REQUIRED: Allow TCP (Remote) (Any Port) to MOVEit Transfer Port 21
Passive FTP (Unrestricted) - Not Recommended
Setting up passive FTP in unrestricted mode is not recommended because proper operation of this mode requires a wide range of high ports (thousands) to be open on the firewall.
MOVEit Transfer normally listens for SECURE FTP control connections on TCP port 21 (and 990 when using implicit mode). As a passive FTP server, MOVEit Transfer will then listen for a SECURE FTP data connection on the TCP high port (>1023) it negotiated with the client. These ports must be left open for proper communication.
Passive FTP (Restricted) - Recommended
MOVEit Transfer normally listens for SECURE FTP control connections on TCP port 21 (and 990 when using implicit mode). In restricted passive mode MOVEit Transfer listens for SECURE FTP data connections on a configurable finite range of contiguous TCP high ports (e.g., 3000,3001,3002,3003) that it specifies to a particular client. (Nothing extra needs to be configured on clients other than to specify passive mode transfers.) These ports must be left open for proper communication.
Additional Ports for Client Certificates
If you require that all your FTP/SSL traffic authenticate with client certificates, it is not necessary to set up additional FTP/SSL ports for this purpose. However, if you want to require some FTP/SSL connections/users to authenticate with client certificates while others do not face this requirement (common during migrations), you must set up additional ports for FTP/SSL client certificate authentication.
Client certificate authenticated sessions use the same data ports as regular FTP/SSL sessions, so no additional data ports are needed. However, a second Explicit control port and a second Implicit control port are typically assigned to a MOVEit Transfer FTP server in this situation. For example, MOVEit uses ports 21 and 990 to handle its non-client-cert-authenticated connections and ports 10021 and 10990 to handle its client-cert-authenticated connections.
MOVEit Transfer uses a one-port SSH tunnel to support FTP over SSH clients. The use of a single SSH tunnel has an advantage over the multiple encrypted data streams used by FTP over SSL: fewer ports need to be opened on a firewall. (FTP over SSH is a single-port secure transfer protocol.) The one port normally used by SSH is TCP port 22.
The MOVEit Transfer server requires the use of an SMTP-compliant mail server to send email notifications. If your MOVEit Transfer server must pass through a firewall to reach a mail server, you must allow MOVEit Transfer access to it only over TCP port 25. If you want the ability to queue messages if your mail server is unreliable, need special authentication parameters to relay mail, or generally plan on sending many notifications at one time, consider setting up the local mail relay.
Note: The MOVEit Transfer server does not need to access an internal email server if you can point it to your upstream (ISP) mail relay instead.
If you intend to use RADIUS remote authentication, MOVEit Transfer must be able to communicate via UDP with the remote RADIUS server. The UDP port normally used to support RADIUS is 1645, but this port is configurable.
If you intend to use LDAP remote authentication, MOVEit Transfer must be able to communicate via TCP with the remote LDAP server. The TCP port normally used to support LDAP is 389 and the port normally used to support LDAP over SSL is 636, but these ports are configurable. (The use of LDAP over SSL is strongly recommended; most modern LDAP servers support this. For example, see Active Directory - SSL in Feature Focus - External Authentication for instructions to enable SSL access on Active Directory LDAP servers.)
If MOVEit Transfer will connect to a remote Microsoft SQL Server database, such as in a web farm, the MOVEit Transfer node must be able to communicate over the SQL Server ports. Port 1433 is the default SQL Server port; if you have configured a different port for your SQL Server instance, use that port instead of 1433. You must open port 1434 only if you plan on running SQL Server Studio or another SQL Server utility on the MOVEit Transfer application nodes themselves.
If MOVEit Transfer Web Farms is in use, each node and the NAS must allow Microsoft networking protocols between them. This is normally accomplished by opening TCP port 445 between the various machines. However, DO NOT leave this port open to or from the Internet.
Some sites, such as those regulated by the FDA, might need to ensure that the clock on MOVEit Transfer is kept in sync with a known, external source. The hostnames of external time sources such as time.nist.gov can be found on various lists of public time servers.
Time services (RFC 958) normally use UDP port 123. When setting up firewall rules to support an external time service, you must allow UDP packets to travel from any high port on the MOVEit Transfer server to remote UDP port 123, ideally on one or a small collection of remote servers. Return traffic using the same UDP port must also be able to reach your MOVEit Transfer server.
Notes:
If you elect to send MOVEit Transfer Audit Events to a SysLog server, you will likely need to allow UDP SysLog packets to travel from your MOVEit Transfer server to the SysLog server on UDP port 514.
If you elect to send MOVEit Transfer Audit Events to an SNMP management console, you will likely need to allow UDP SNMP packets to travel from your MOVEit Transfer server to the SNMP management console on UDP port 161.
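The rules above amount to a checklist: default deny in both directions, only the secure listeners open from the Internet, a small passive-FTPS data-port range above 1023, outbound only to the services MOVEit Transfer itself uses, and TCP 445 never to or from the Internet. The following is an added example (not MOVEit's own code) that audits a candidate rule set against that checklist; the Rule layout, the zone names "internet" and "internal", and the 100-port threshold for a "small range" are assumptions of the example.

```python
from collections import namedtuple

# Added example (not MOVEit's own code): audit a DMZ firewall rule set against the
# MOVEit Transfer firewall topic. Rule layout and zone names are assumptions.
# direction: "in" = remote -> MOVEit Transfer, "out" = MOVEit Transfer -> remote;
# port: an int, a (lo, hi) tuple for a contiguous range, or "any".
Rule = namedtuple("Rule", "action direction proto port zone")

# Listeners that may face the Internet: HTTPS (+ optional HTTP redirect), explicit and
# implicit FTPS, their client-certificate twins (10021/10990) and FTP over SSH.
INBOUND_INTERNET = {("tcp", 443), ("tcp", 80), ("tcp", 21), ("tcp", 990),
                    ("tcp", 10021), ("tcp", 10990), ("tcp", 22)}
# Outbound: SMTP, RADIUS, LDAP/LDAPS, SQL Server, NTP, syslog and SNMP to internal
# hosts; only an upstream (ISP) mail relay or a public time server across the Internet.
OUTBOUND_INTERNAL = {("tcp", 25), ("udp", 1645), ("tcp", 389), ("tcp", 636),
                     ("tcp", 1433), ("udp", 123), ("udp", 514), ("udp", 161)}
OUTBOUND_INTERNET = {("tcp", 25), ("udp", 123)}
ALLOWED = {("in", "internet"): INBOUND_INTERNET, ("out", "internet"): OUTBOUND_INTERNET,
           ("out", "internal"): OUTBOUND_INTERNAL}  # ("in", "internal") is site-specific
MAX_PASSIVE_PORTS = 100  # what "small range" means in this example (assumption)

def audit(rules, passive_range):
    """Return a list of findings; an empty list means the policy matches the topic."""
    findings = []
    for d in ("in", "out"):  # both REQUIRED default-deny rules must be present
        if not any(r.action == "deny" and r.direction == d and r.port == "any" for r in rules):
            findings.append(f"{d}: missing REQUIRED default deny rule")
    lo, hi = passive_range
    if lo <= 1023 or hi - lo + 1 > MAX_PASSIVE_PORTS:  # unrestricted passive FTP
        findings.append(f"passive range {lo}-{hi} is not a small range of high ports")
    passive = set(range(lo, hi + 1))
    for r in (r for r in rules if r.action == "allow"):
        if r.port == "any":
            findings.append(f"{r.direction}/{r.zone}: 'any port' allow defeats the default deny")
            continue
        ports = range(r.port[0], r.port[1] + 1) if isinstance(r.port, tuple) else [r.port]
        allowed = ALLOWED.get((r.direction, r.zone))
        for p in ports:
            key = (r.proto, p)
            if key == ("tcp", 445) and r.zone == "internet":
                findings.append(f"{r.direction}: TCP 445 (Web Farm/NAS) must never face the Internet")
            elif allowed is not None and key not in allowed and not (r.direction == "in" and p in passive):
                findings.append(f"{r.direction}/{r.zone}: {r.proto} {p} is not a port MOVEit Transfer uses")
    return findings

# Constructed sample policy: a 4-port restricted passive range plus two deliberate
# mistakes (TCP 445 open from the Internet, SQL Server reachable across the Internet).
SAMPLE = [Rule("deny", "in", "any", "any", "any"), Rule("deny", "out", "any", "any", "any"),
          Rule("allow", "in", "tcp", 443, "internet"), Rule("allow", "in", "tcp", 21, "internet"),
          Rule("allow", "in", "tcp", 990, "internet"), Rule("allow", "in", "tcp", (3000, 3003), "internet"),
          Rule("allow", "in", "tcp", 22, "internet"), Rule("allow", "in", "tcp", 445, "internet"),
          Rule("allow", "out", "tcp", 25, "internal"), Rule("allow", "out", "tcp", 1433, "internet")]
```

Calling `audit(SAMPLE, (3000, 3003))` reports exactly the two planted mistakes; dropping the two deny rules or widening the passive range to thousands of ports produces the corresponding findings.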
This procedure has largely been replaced by the ability of the MOVEit Transfer API to run ad-hoc custom reports against most MOVEit Transfer configuration elements and audit entries remotely over a secure connection.
If you elect to set up an ODBC stunnel connection (as described in Advanced Topics - Database - Remote Access), you will likely need to allow connections from MOVEit Automation to MOVEit Transfer on TCP port 33062. This port is configurable and may be changed in both the stunnel_mysqlserver.conf and stunnel_mysqlclient.conf configuration files involved.
MOVEit Freely and MOVEit Buddy are secure FTP clients. See the Remote Secure FTP Over SSL Clients section above for required port information.
MOVEit Automation typically communicates with MOVEit Transfer via HTTPS. See the Remote Web Browser (HTTP/S) section above for required port information.
The MOVEit Wizard, MOVEit Xfer, MOVEit Transfer API and MOVEit EZ clients all communicate with MOVEit Transfer via HTTPS. See the Remote Web Browser (HTTP/S) section above for required port information.
AS2 clients normally use HTTPS. In rare cases they can use HTTP instead. See the Remote Web Browser (HTTP/S) section above for required port information.
AS3 clients are secure FTP clients. See the Remote Secure FTP Over SSL Clients section above for required port information.