MOVEit DMZ Manual.pdf

Uploaded by: 韩长文 Document ID: 5015264 Upload date: 2020-01-28 Format: PDF Pages: 103 Size: 2.35MB

MOVEit DMZ Manual v7.0

Contents

Introduction
Getting Started
  Sign On
  Uploading Files
  Downloading Files
  Viewing Packages
  Sending Packages
  Sign Off
General Information
  Client Support
  Security
  Regulations
    Privacy/Security/Auditing
Web Interface
  Home Page
    Overview
    Wizard Install
  Common Navigation
    Top Bar
    Find File/Folder
    Go To Folder
    My Account
    Tech Support
    Upload/Download Wizard
  Folders
    Overview
    File List
    File View
    Settings
  Packages
    Overview
    Mailboxes
    Viewing
    Sending
    Reviewing

Introduction

MOVEit DMZ Enterprise is a secure file transfer server. It is a vital component of the MOVEit family of secure file processing, storage, and transfer products developed by Ipswitch, Inc. These products provide comprehensive, integrated, standards-based solutions for secure handling of sensitive information, including financial files, medical records, legal documents, and personal data.

MOVEit DMZ safely and securely collects, stores, manages, and distributes sensitive information between your organization and external entities. Web browsers and no cost/low cost secure FTP clients can quickly, easily, and securely exchange files with MOVEit DMZ over encrypted connections using the HTTP over SSL (https), FTP over SSL (ftps) and FTP over SSH (sftp) protocols. And all files received by MOVEit DMZ are securely stored using FIPS 140-2 validated AES encryption, the U.S. Federal and Canadian government encryption standard.

In addition, a web interface offers easy online administration and monitoring of MOVEit DMZ activities while a programmable interface (via MOVEit DMZ API Windows and MOVEit DMZ API Java) makes MOVEit DMZ accessible to custom applications.

MOVEit DMZ includes an optional MOVEit Wizard plug-in that works with Internet Explorer, Firefox and Mozilla to help web-based users to quickly upload and download large and/or multiple files and folder trees to and from MOVEit DMZ.

Encryption capabilities throughout the MOVEit product line are provided by MOVEit Crypto. The AES encryption in MOVEit Crypto has been FIPS 197 validated. The entire cryptographic module has been FIPS 140-2 validated after rigorous examination by cryptographic specialists in the United States National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment (CSE).

MOVEit DMZ also has an approved Certificate of Networthiness (CoN) from the United States Army. This certification involves a review of how MOVEit DMZ meets Army requirements for network security, integration, interoperability, and ease of management and support.

Physical Specifications

The MOVEit DMZ software itself resides on a Microsoft Windows Server platform hardened against threats from the Internet and trusted networks. Organizations that need to support very large volumes of file transfers and/or many users may require additional hardware, but for many organizations the minimum recommended specifications of a MOVEit DMZ should suffice:

- 2 GHz Pentium-compatible CPU
- 80 GB SATA or SAS Hard Drive
- 1 GB RAM
- 100/1000 Mb TCP/IP-capable ethernet interface

The latest production recommendations can be found in the online Support Knowledge Base.

Network Specifications

In a typical network topology MOVEit DMZ is best located on a secured "DMZ" segment accessible to both internal and external users. "DMZ" is short for DeMilitarized Zone - a network "no man's land" where both internal and internet hosts are allowed to connect. By default, connections originating from a DMZ network segment are not to be trusted and are usually not allowed unless there is a compelling case to allow a particular service through.

Web and secure FTP clients can upload and download files to MOVEit DMZ from internal and external networks. For security reasons, MOVEit DMZ is NOT permitted to establish connections with or push files to systems on either your internal network or on an external network. (If a "proxy push" or "proxy store-and-forward" solution is desired, MOVEit Central can be used with MOVEit DMZ to fill this role.)

MOVEit DMZ's Security Advantages Over Other "Secure FTP" Solutions

There are three "areas" where files are at risk when transferred between an external network (such as the Internet) and your internal network:

- When transferred over the INTERNET to a system in your DMZ.
- When temporarily stored on a system in your DMZ.
- When transferred from the system in your DMZ to a system on your internal network.

Most secure Web and FTP file transfer products reside on a system in a DMZ and use industry-standard SSL or SSH to provide secure transfers between the INTERNET and DMZ. (MOVEit DMZ does as well.) Unfortunately, that is as far as most products go; they fail to secure files stored on the DMZ (at risk if the DMZ box gets hacked) and fail to secure files being transferred between DMZ and MY ORG (at risk if a hacker sets up a sniffer inside the DMZ).

MOVEit DMZ secures all three areas by using SSL/SSH-encrypted transfers for ALL transfers and by using FIPS 140-2 validated AES encryption to secure files on disk.

In addition, only MOVEit DMZ offers complete end-to-end file integrity over FTP. In other words, files transferred with secure FTP or web clients which support file integrity checks through the MOVEit system can be proven to be 100% identical to their source files through the use of SHA-1 cryptographic hashes. (When combined with authentication, complete file integrity provides non-repudiation.)

Accessing MOVEit DMZ

"Client" access to MOVEit DMZ is available through several interfaces, including HTTPS, FTP over SSL, and FTP over SSH.

The built-in web interface provides access to anyone with a desktop web browser (see the complete list of supported browsers). Authorized administrators may configure the MOVEit DMZ server from authorized locations while customers and partners use a simpler portal to move files in and out of the MOVEit DMZ system.

Also available through the web interface, the optional MOVEit Upload/Download Wizard provides for faster and more reliable file transfers using the web than are normally available through "stock HTTP". The MOVEit Wizard is also the only browser-based client that supports file integrity checking.

A secure FTP interface is also available on the MOVEit DMZ server for people or programs with secure FTP clients. The MOVEit family offers two free, scriptable command-line clients, MOVEit Freely (FTP) and MOVEit Xfer (HTTPS), both of which support file integrity checking. Ipswitch also offers WS_FTP Professional, a Windows file transfer client with a robust feature set, which also supports file integrity checking. Many third-party companies manufacture secure FTP clients for desktops and servers which will also interface with MOVEit DMZ's secure FTP over SSL and FTP over SSH servers.

For IT departments who desire more control over the MOVEit DMZ environment than the FTP protocol can provide, the MOVEit DMZ API products provide easy access to and control of MOVEit DMZ via a COM object (for Windows) or Java classes (for *nix, Windows, IBM, etc.).

MOVEit DMZ API also supports file transfers with full integrity checking and ships with several command-line utilities for administrators who would rather script than program.

If desktop-to-server automation or the ability to access MOVEit DMZ as a local folder is desired, consider using MOVEit EZ.

MOVEit EZ is a "tray icon application" which synchronizes content between a user's desktop and MOVEit DMZ and schedules transfers.

When coupled with MOVEit Central and the appropriate licensing, MOVEit DMZ supports AS2 and AS3 file transfer. (MOVEit DMZ can be used as a standalone AS3 server, but without MOVEit Central it has no way of encrypting or decrypting specific messages.)

More information about these clients and the dozens of third-party clients which can also be used to securely exchange files with MOVEit DMZ can be found in the "Client Support" document.

Ad Hoc Transfer

The Ad Hoc Transfer Module, which requires a separate license, provides a secure way to do person-to-person file transfers. Registered MOVEit DMZ users can use a browser or an Outlook plug-in to send files and/or a message (which is called a package) to an email address.

Composing a MOVEit package that includes files is like composing an email with attachments. However, there are differences. File attachments sent as part of a package are uploaded to a MOVEit DMZ server. A new package notification email will be sent to the recipients, to inform them that a package is waiting for them. Recipients can click on the web link in this notification, sign on to MOVEit DMZ, and view the package, where they can download the files.

If enabled, a recipient can also reply to a package and send additional attachments, which will also be uploaded to the file transfer server. The organization administrator can set options that determine who can send and receive packages, enforce user- and package-level quotas, and control package expiration and download limits.

Large files and multiple attachments can be sent quickly and securely, avoiding the limitations of a mail server.

MOVEit Central

If more than ten scheduled file transfers, immediate movement of files to/from backend servers from MOVEit DMZ, or connectivity to other servers is desired, MOVEit Central is the best tool to use.

MOVEit Central can support thousands of file transfer tasks and is used in production to securely move hundreds of thousands of files a day at major data centers. MOVEit Central instantly knows when a file has arrived on MOVEit DMZ or a Windows file system and can immediately begin transferring that file to its final destination. MOVEit Central supports the most popular secure protocols used across industries, including FTP, SSH, FTP over SSL, SMIME, PGP, email and AS1/AS2/AS3.

In short, when paired with MOVEit DMZ, MOVEit Central completes a secure transfer system which can securely receive, record and send files to/from almost anyone supporting a secure transfer protocol.

Getting Started - Sign On

The Sign On page is the first page you will see from the MOVEit DMZ site. This page contains fields for your Username and Password and a "Sign On" button to send this information to MOVEit DMZ.

Clicking on the keyboard icons next to the username and password fields will open a clickable keyboard which can be used to enter your authentication information. Using the clickable keyboard can help thwart keystroke loggers. If you are logging on to the MOVEit DMZ site from a public computer, it is highly recommended you use the clickable keyboard to enter your username and password.

If your organization supports multiple languages, MOVEit DMZ will provide links to switch the displayed language. Clicking one of the links will change the Sign On page to display in that language, and set a cookie so your language choice is used the next time you sign on.

When you press the Sign On button, your username and password are transmitted securely (via HTTPS) to MOVEit DMZ. If your sign on attempt fails, you will see an error message. If you attempt to sign on too many times in a short period of time you may get locked out of the system altogether. If you need assistance, use the "Tech Support" link on the Sign On page to contact someone who can help you.

If your sign on succeeds you will be rewarded with a success message. The page you will see immediately after signing on depends on how you got to the sign on page in the first place. If you clicked a link from your web browser or typed a short URL into your browser, you are now most likely at the Home Page. If you clicked a link from an email notification, you are now either looking at a package or file.

Common Reasons Access is Denied

For security reasons, the SAME message is displayed to anyone who fails to sign on for any of the following reasons. (You will only be told that access was denied, not WHY access was denied!)

- Username is incorrect
- Password is incorrect
- Account has been suspended (for too many bad signon attempts, password aging, or manual administrator action)
- Account is not allowed to sign on from this IP address
- IP address has been locked out (for too many bad signon attempts, often with different usernames)
- Client certificate has not been provided when one is required, or a bad client certificate has been provided.

Requesting a Password Change

Some organizations may allow you to request an automatic password change if you have forgotten your password, to avoid a round trip through technical support staff. If this option is enabled, a "Request a password change" link will be present at the bottom of the signon page. Clicking this link will open the Password Change Request page. This page will prompt you for your username and provide instructions for completing the password change process. Once you enter your username and click the Request Password Change button, an email will be sent to your registered email address, if your account has one, either with instructions for completing the password change, or a notice that the password change was denied.

Client Certificates

Your organization may require you to authenticate to MOVEit DMZ with an SSL (X.509) client certificate ("client cert"). This is common when "two-factor authentication" is required.

All client certs are either "self-signed" or "CA-signed". The "CA-" indicates that a "Certificate Authority" has signed the client cert and vouches for the identity of the bearer. Furthermore, CAs are divided into "commercial CAs" that sell client cert issue and signing services to the general public (e.g., Thawte, GeoTrust, etc.) and "corporate CAs" that perform the same client cert functions for their own users.

MOVEit DMZ supports self-signed certs, commercial CA-signed certs and corporate CA-signed certs, but only your organization can tell you which client certs it will accept for authentication. Your client cert may be delivered to you as a "*.pfx" file with a password or it may be your responsibility to request a client cert from a CA; again only your organization knows the details of this process.

Various browsers have different ways to install client certs. Internet Explorer (IE) uses the Windows Certificate Store; you can install and manage client certs through IE's "Certificate" dialog (located on the "Content" tab under IE7's "Tools" menu). Windows will also launch a client cert import wizard that will automatically install most client certs into IE if you just double-click a "*.pfx" client cert file. The Mozilla/Firefox line of browsers uses its own client cert store. To install client certs in these browsers you must use their "Certificate Manager". In Mozilla (1.7), this facility is foun
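
The behaviour described under "Common Reasons Access is Denied", sketched as an added example (not Ipswitch's code and not taken from the manual): each of the six listed causes returns the same text to the client, while the specific cause is written only to a server-side audit list. The names, the account schema and the lockout thresholds are assumptions made for illustration.

```python
import hashlib, hmac, time

GENERIC_DENIAL = "Access denied"   # the only failure text a client ever sees
MAX_FAILS, WINDOW = 3, 300         # assumed lockout policy, not MOVEit's values

def pw_hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def account(password, suspended=False, allowed_ips=(), cert_required=False):
    return {"pw_hash": pw_hash(password), "suspended": suspended,
            "allowed_ips": allowed_ips, "cert_required": cert_required}

class SignOnGate:
    def __init__(self, accounts):
        self.accounts = accounts   # username -> account() dict (constructed schema)
        self.fails = {}            # ("user" | "ip", value) -> failure timestamps
        self.audit = []            # server-side only: (username, ip, reason)

    def _recent(self, key, now):
        self.fails[key] = [t for t in self.fails.get(key, []) if now - t < WINDOW]
        return len(self.fails[key])

    def _reason(self, user, password, ip, cert_ok, now):
        acct = self.accounts.get(user)
        if self._recent(("ip", ip), now) >= MAX_FAILS:
            return "ip_locked_out"
        if acct is None:
            pw_hash(password)      # same hashing work as for a real account
            return "bad_username"
        if acct["suspended"] or self._recent(("user", user), now) >= MAX_FAILS:
            return "account_suspended"
        if acct["allowed_ips"] and ip not in acct["allowed_ips"]:
            return "ip_not_allowed"
        if acct["cert_required"] and not cert_ok:
            return "client_cert_missing_or_bad"
        if not hmac.compare_digest(pw_hash(password), acct["pw_hash"]):
            return "bad_password"
        return None

    def sign_on(self, user, password, ip, cert_ok=False, now=None):
        now = time.time() if now is None else now
        reason = self._reason(user, password, ip, cert_ok, now)
        if reason is None:
            self.fails.pop(("user", user), None)
            return True, "Signed on"
        keys = [("ip", ip)] + ([("user", user)] if user in self.accounts else [])
        for key in keys:
            self.fails.setdefault(key, []).append(now)
        self.audit.append((user, ip, reason))
        return False, GENERIC_DENIAL
```

Administrators read the cause from `audit`; the caller only ever receives `GENERIC_DENIAL`, so a failed attempt does not reveal whether the username exists or which control rejected it.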
