
 

Ipswitch Gateway User's Guide 

 

Ipswitch Gateway acts like a reverse proxy to provide an additional layer of security for MOVEit Transfer customers. Inbound traffic cannot come through the firewall into the trusted zone; all sessions terminate in the MOVEit Transfer network segment. The outward-facing portion of the network (typically the Internet) is separated from the MOVEit Transfer server, which is typically behind a firewall in a trusted zone on a local private network. Ipswitch Gateway exchanges authentication, credentials, files, and other data between remote clients and a MOVEit Transfer server (Endpoint) located in the trusted zone. You do not need open ports in your firewall to allow clients to communicate with MOVEit Transfer.

How it Works

 

During installation, a secure SSTP tunnel (virtual private network) is created from the MOVEit Transfer server to the Ipswitch Gateway computer (or virtual machine). Ipswitch Gateway then runs as a Windows Service that provides reverse proxies and forwards only encrypted traffic to the MOVEit Transfer server over the tunnel. All communications between the client and server session are encrypted and streamed through this connection. Ipswitch Gateway inspects all requests and, if the requests look valid, forwards them to the MOVEit Transfer server (Endpoint) for fulfillment. Responses from MOVEit Transfer are sent back to Ipswitch Gateway, which returns them to the user. This process is invisible to incoming clients.

Ipswitch Gateway supports the following protocols:

• FTP (implicit and explicit)
• SSH/SFTP
• HTTP/HTTPS

The Ipswitch Gateway Configuration Interface provides an easy way to configure and manage these 
reverse proxies, their port and connection details, and current running status. 

All clients supported by MOVEit Transfer are also compatible with Ipswitch Gateway.

Ipswitch Gateway also supports single, high availability, and web farm environments (on page 7).

 

Summary of Contents for Gateway 2017 Plus


Page 3: ...Launch Gateway Configuration Interface 12; Step 4: Configure the Firewall 13; Pre-requisites 13; Notes 14; Step 1: Gateway Server Firewall Rules 14; Step 2: MOVEit Transfer Server Firewall Rules 16; Step 3: Verify Firewall Rules 19; Web Farm Install 21; Upgrade 22; Step 1: Upgrade Gateway Server and Server-Side SSTP Tunnel 22; Step 2: Upgrade Client-Side SSTP Tunnel on a MOVEit Transfer Server 24; Endpoint and Prox...


Page 5: ...ce cards (1GB/sec minimum); separate external and internal services recommended. Production systems will benefit from additional resources, including faster, additional and multi-core processors, more RAM, and hard drive capacity and speed. Supported Virtualization Environments: VMware vSphere (64-bit guest servers); Microsoft Hyper-V (64-bit guest servers). Release Notes ...

Page 6: ... On fresh installs, the Ipswitch Gateway installer now prompts for the hostname of the Gateway system as viewed by end users. This is needed for processing HTTPS client certificate authentication (GW-741). Proxies: When adding a proxy, the Listen on IP Address or Hostname value is now prepopulated with 0.0.0.0, which directs the proxy to listen on all available addresses at the given port (GW-726). Client Identity: Client IP ...

Page 7: ...ver (GW-829). SFTP: Ipswitch Gateway's SFTP server has been improved so it can handle more simultaneous connection requests. Previously the SFTP server could refuse connections under heavy load (GW-826). Settings: A minor change was made to the message displayed when the FTP passive port range was changed (GW-820). Security: Previously it was possible to configure a proxy on the Gateway server to contain certain HTML ta...

Page 8: ... manually starting each proxy. To do this, for each proxy, under Actions choose Start Proxy (GW-990). FTP: The following specific FTP configuration on Gateway/MOVEit Transfer prevents users from accessing MOVEit Transfer through Gateway using insecure FTP: Allow FTP SSL Access: Yes; Allow Insecure FTP Access: Yes; SSL Client Cert Required: Yes; Password also required with SSL Client Cert: Yes. Workaround: To utilize insecure FTP, do n...

Page 9: ...created or approved through MOVEit Transfer. Ipswitch Gateway has no such feature. Thus users who have installed client certificates for applications other than MOVEit Transfer should ignore those certificates when making a selection from their browser's list of certificates (GW-813). Upgrade: Customers upgrading from a previous release should check that the new Host Name field is correct. This field is in the Settings t...


Page 11: ...worker nodes. The load balancing is built into the operating system, and the feature is provided collectively by all worker nodes. Ipswitch does not support the built-in Microsoft Windows Network Load Balancer (NLB) in the initial release of Ipswitch Gateway. Most enterprise web farm customers employ traditional load balancers from hardware vendors like Cisco and F5. The deployments below focus on this sc...

Page 12: ...t Transfer. 3. Open the Ipswitch Gateway installer and click Run to run the install wizard. 4. Welcome: Select "Step 1: Install a Gateway server outside firewall and a server-side SSTP tunnel". Click Next. The installer looks for prerequisite software. 5. System Check: The installer verifies the following: Operating System Version: The machine must be running the Windows Server 2012 R2 or Server 2016 operating sys...

Page 13: ...lready be in use by the system, such as 10043. The default, 9443, is a good choice for most systems. Click Next. 8. Options, Service User Account: Designate which account Ipswitch Gateway should use to run the Gateway service process: Local System account, or Different account (enter the username and password of the different account). Click Next. 9. Options, Certificate for the SSTP Tunnel: Designate a certificate to...

Page 14: ... to Sites and then the name of your MOVEit Transfer website. In most cases that is moveitdmz. 3. In the right pane, choose Bindings. 4. In the Site Bindings dialog, choose https. 5. Choose Edit. 6. In the Edit Site Binding dialog, choose SSL Certificate > View. 7. In the Certificate dialog, choose the Details tab. 8. Choose Copy to File. 9. In the Certificate Export Wizard, choose Next. 10. In the Export Private Key window...

Page 15: ...l, or not trust and not import it. "I trust this certificate. Import this certificate into the local trusted certificate store": Automatically imports and trusts the SSTP certificate. "I do not trust this certificate. Do not import this certificate": Does not import the SSTP certificate; you must import the certificate manually. This option is not often used. Situations where you might select this option includ...

Page 16: ...ps shown; take similar steps for other browsers. Note: You cannot perform this step remotely. You must be on the Ipswitch Gateway server to set up the first Endpoint. 3. Configure Endpoint: Enter information about a MOVEit Transfer server. Endpoint IP Address: The IP address entered here should be 192.168.1.2, which is the IP address of the MOVEit Transfer server on the tunnel connection. Do NOT use the actual...

Page 17: ... for both fresh installs and upgrades. If you have not yet installed this new MOVEit license, you will see the message "License Not Found". You will be prompted to upgrade your MOVEit Transfer license and Retry. Log in to the MOVEit Transfer server as sysadmin or orgadmin and click Submit. After checking ciphers, the Endpoint is verified. The verification process will reoccur automatically whenever the syst...

Page 18: ...it Transfer directly if there is a second interface that is marked as private by Windows. Note that network interfaces, including the one used to connect to Gateway, are created as public by default in Windows, so the customer would have to go out of their way to mark the second interface (if any) as private. Incoming connections through the tunnel are regarded as private. Step 1: Gateway Server Firewall Rul...

Page 19: ...Install 15. h. Port 10443 (SSTP Tunnel). 2. Under the Scope tab, modify the Remote IP Address for port 10443 to only allow connections from the MOVEit Transfer server IP address, for example 192.168.196.237. ...

Page 20: ...d for public network locations. Step 2: MOVEit Transfer Server Firewall Rules. 1. Modify the pre-defined inbound port rules for the following ports and set them to only apply to the private network profile: a. MOVEit DMZ FTP; b. MOVEit DMZ SSH; c. World Wide Web Services (HTTP Traffic-In) ...

Page 21: ...Install 17. d. World Wide Web Services (HTTPS Traffic-In) ...

Page 22: ...switch Gateway User's Guide. 2. Create a new public network inbound port rule to block incoming connections for all ports. 3. Verify that the firewall state is enabled for both public and private network locations. ...

Page 23: ...er and try to connect to the MOVEit Transfer server IP address. Note: If the firewall rules have been correctly defined, the connection to the MOVEit Transfer server IP address should time out. Test 2: 2. Open a web browser on the Gateway server and try to connect to the Gateway server IP address. ...

Page 24: ...20 Ipswitch Gateway User's Guide. Note: If the firewall rules have been correctly defined, the connection to the MOVEit Transfer server IP address should succeed. ...
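The three firewall steps above (scope the tunnel port on the Gateway server, limit the MOVEit Transfer service rules to the private profile and block public inbound traffic, then verify), written as an added PowerShell example for this edit rather than taken from the Ipswitch guide. It assumes the Windows NetSecurity cmdlets on Windows Server, the guide's example MOVEit Transfer address 192.168.196.237, a placeholder Gateway public address, and a block-rule display name of my own choosing.

```powershell
# Added example, not from the Ipswitch guide. Assumed values are marked.
$MoveitIp   = '192.168.196.237'   # MOVEit Transfer server (guide's example value)
$GatewayIp  = '203.0.113.10'      # Gateway public address (placeholder)
$TunnelPort = 10443               # SSTP tunnel port from the guide

# ---- Step 1 (run on the Gateway server) ----
# Scope the inbound tunnel rule so only the MOVEit Transfer server may reach
# port 10443. The rule is located by its local port, not by name, because the
# guide does not state the installer-created display name (assumption).
Get-NetFirewallPortFilter -All |
    Where-Object { $_.LocalPort -eq "$TunnelPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress $MoveitIp

# ---- Step 2 (run on the MOVEit Transfer server) ----
# Service rules apply only to the Private profile (the tunnel interface is
# treated as private); anything arriving on a Public interface is blocked.
$PrivateOnly = @('MOVEit DMZ FTP', 'MOVEit DMZ SSH',
                 'World Wide Web Services (HTTP Traffic-In)',
                 'World Wide Web Services (HTTPS Traffic-In)')
foreach ($name in $PrivateOnly) {
    Set-NetFirewallRule -DisplayName $name -Profile Private -Enabled True
}
$blockName = 'Block Public Inbound (all ports)'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockName -Direction Inbound `
        -Profile Public -Action Block | Out-Null
}
Set-NetFirewallProfile -Profile Public, Private -Enabled True

# ---- Step 3 (run on the Gateway server) ----
# Test 1 must fail: the MOVEit Transfer server is not reachable on its real
# address. Test 2 must succeed: the Gateway's own HTTPS proxy answers.
function Test-GatewayIsolation {
    $direct   = Test-NetConnection -ComputerName $MoveitIp  -Port 443 -WarningAction SilentlyContinue
    $viaProxy = Test-NetConnection -ComputerName $GatewayIp -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DirectToMoveitBlocked = -not $direct.TcpTestSucceeded   # expected: True
        GatewayProxyReachable = $viaProxy.TcpTestSucceeded      # expected: True
    }
}
Test-GatewayIsolation
```

Run Steps 1 and 3 on the Gateway server and Step 2 on the MOVEit Transfer server; a False in either field of the result means the corresponding rule did not take effect and should be reviewed before exposing the Gateway.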

Page 25: ...nel. If the firewall is not an external firewall but rather is an operating-system-based firewall like Windows Firewall that is aware of private networks, then this rule should apply only to public networks. Next, return to Configure the Firewall (on page 13), Step 3: Verify Firewall Rules. Web Farm Install: To install Ipswitch Gateway in a MOVEit Transfer web farm, first create the MOVEit Transfer web farm as ...

Page 26: ...lect "Step 1: Install a Gateway server outside firewall and a server-side SSTP tunnel". Click Next. The installer looks for prerequisite software. 6. System Check: The installer verifies the following: Operating System Version: The machine must be running the Windows Server 2012 R2 or Server 2016 operating system. Routing and Remote Access Service: A Windows server is required to properly configure the Rout...

Page 27: ...fault, 9443, is a good choice for most systems. Click Next. 8. Options, Service Logon Account: Designate which account Ipswitch Gateway should use to run the Gateway service process: Local System account, or Different account (enter the username and password of the different account). Click Next. 9. Options, SSTP Tunnel Certificate: Designate a certificate to use for the Secure Socket Tunnel Protocol (SSTP) connection. A...

Page 28: ...ter's certificate store before continuing with the installation. Click Next. 8. Options, Gateway Server Address: Enter the Gateway Server Address or hostname to establish a connection. Important: What you enter here must be identical to what you entered for IP address or hostname in Step 1 (on page 8). Options, Gateway Configuration Interface: System-generated self-signed certificate; Certificate Name. Click Ne...

Page 29: ...led under EAP Types. The Endpoint page shows details about the MOVEit Transfer Endpoint and its associated proxies. Ipswitch Gateway 1.1 supports only one Endpoint. Initially, only three default proxies display for the Endpoint, one for each protocol type: FTP, HTTP and SSH/SFTP. A proxy listens on a port for traffic of a certain protocol type and forwards traffic of that type to the Endpoint. There are usua...

Page 30: ...ete all of the Endpoint's proxies too, even if they are running. You cannot undo the deletion of the Endpoint. If you delete the Endpoint, you'll be prompted to configure and verify an Endpoint after sign-in. 3. Transfer Rate: The average number of bytes transferred per second by all of the Endpoint's proxies (upload and download) for 1-minute, 5-minute and 15-minute intervals. Numbers are moving averages for each time period. Cl...

Page 31: ...o the Endpoint only through a running proxy. You must stop a proxy before editing the Endpoint or deleting a key that the proxy uses. An error indicator displays for proxies that could not be restarted on reboot. 10. Actions, Edit: Change any of the proxy settings you selected when creating the proxy, such as the proxy name, Listen On IP address and port, Key, and Send to Port. Note: You must stop a proxy before you can ed...

Page 32: ...ing that endpoint will automatically point to the new IP address, if any. MOVEit Transfer Server Changes: If the MOVEit Transfer server's certificate identity changes, or the MOVEit Transfer server location moves from one machine to another, go to the Ipswitch Gateway computer, sign in to the Gateway Configuration Interface, and from the sign-in page click Re-verify or Delete to reconfigure that Endpoint. Ad...

Page 33: ...and enter the Gateway VM's public IP address. The connection port is determined by the passive port range, which can be configured in the Settings (on page 32) tab. HTTP: Listen On Port: Default port is 433. If you installed MOVEit Mobile, add a proxy listening on 8443 to route traffic to the Mobile Server in the trusted zone. Client Cert Port: This port accepts HTTPS requests from the user during client cer...

Page 34: ... the port number of the MOVEit Transfer server to which the proxy will send data. The default for HTTP is 443, the default for FTP is 990, and the default for SSH/SFTP is 22. 6. Click Save. The proxy displays beneath the Endpoint. The status of newly added proxies is Stopped. Click Keys and Certs to view all keys uploaded to the Ipswitch Gateway keystore. Initially, the Keys and Certs list is empty. You...

Page 35: ...cessful import, the new key displays in the Keys list. Duplicate Keys warning: If you uploaded the same key twice, you'll see a yellow Duplicate Keys warning notifying you that the key has already been uploaded. You can either upload another key file or return to the Key List. Key Conflicts warning: If the key you uploaded conflicts with the alias name of another key in the Ipswitch Gateway keystore, you'll...

Page 36: ... a proxy. On the Keys and Certs page, click the boxed number to view the specific proxies using that key. To delete a key, click and select Delete, then confirm the deletion. Reset an SSH Key: 1. Go to the Endpoints (on page 25) page and stop the ssh/sftp proxy. 2. Return to the Keys and Certs (on page 30) page and delete the SSH key (on page 32). 3. Go back to the Endpoint page and start the ssh/sftp proxy to genera...

Page 37: ...pswitch, Inc. All rights reserved. This document, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by such license, no part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted in any form or by any means, electronic, mechanical, recording, or otherwise, wit...
