MOVEit 2021 in review
Pro2col’s MOVEit expert Richard Auger reviews MOVEit 2021 and looks at some of the key enhancements. He gives a first-look opinion of the software and of how MOVEit 2021 compares with the previous version (2020).
Transfer now allows you to rotate your encryption keys, allowing you to periodically re-encrypt your entire system. You manage this on an ORG by ORG level when logged in as sysadmin. You can schedule the rotation at regular intervals as a way of further securing your system. This is a nice feature that allows a little more peace of mind when thinking of the already well-secured MOVEit filesystems.
The desktop client is a little more visible now – a link to download it has been placed in the action pane. For me, this causes a few issues that I wasn’t happy about: The link takes me to https://www.ipswitch.com/ not the Progress site, the installer is marked as 2020.1, and I would rather it actually be stored locally for distribution. You can, however, disable this link by updating the display profile in use. The client has multi-factor authentication enabled now, which helps to secure it.
There have been some improvements in the logging – you can now decide how frequently you will write to the log files by setting a flush interval. This is useful when you are looking at a problem ‘live’ (rather than retrospectively).
Other changes to note:
You can now brand emails in the same way as for the website itself.
You can select a second email address for critical alerts to go to, instead of just using the standard ‘error’ notification address. For example, you can avoid sending an email to the server support team in the event of a blocked user.
There are several enhancements to Automation – the first of which is the expansion of the S3 connector to allow S3 compatible storage to be used – useful when considering the growing number of S3 contenders in the marketplace.
As more people make their Automation web GUI publicly available, a user/IP lockout policy has been introduced. You can also set a ‘trusted’ IP address list.
Notification emails have been improved to allow HTML format mails to be sent. Not only can you improve the appearance of emails, but you can also pass HTML tags as a parameter into the body of the email (so for example, create a parameter for an HTML table to show all the files processed by the task).
The task builder has also been improved, allowing drag and drop of task elements.
Both Transfer and Automation have been enhanced sufficiently in this MOVEit 2021 release to make it worthwhile upgrading at the earliest convenience.
What’s new with MOVEit 2020.1?
The MOVEit 2020.1 release delivers a number of improvements to both Transfer and Automation, most of which focus on expanding functionality and improving end user experience.
MOVEit Transfer 2020.1 streamlines the end user login process by utilising SAML 2.0 to introduce single sign-on (SSO) as an authentication source. This is on top of improved optimisation of the login performance, which allows users to access Transfer as quickly and seamlessly as possible. In addition to enabling access via a web browser, SSO logins are also supported on the mobile and desktop clients.
The 2020.1 documentation states the below identity providers are supported, however any identity provider that supports the SAML 2.0 protocol should be compatible:
- Windows Server ADFS – 4.0 & 5.0
MOVEit Gateway now has extended functionality for multi-organisational setups, allowing administrators to configure the gateway to route traffic to different endpoints for each organisation. This means the URL and login page can be customised depending on the organisation, providing clarity to users about the platform they’re accessing.
Additions to Automation include a new SharePoint host, which works alongside Automation’s S3 and Blob connectors to further expand the application’s ability to work with cloud storage. This is particularly useful for organisations that are expanding and adapting their infrastructure.
This release also improves the integration between Automation and SMTP, adding the option to specify a name when setting up the from address on the SMTP host. This provides a clearer and more professional looking email notification, which could be particularly helpful if you’re sending notifications or files to users, as it will make the emails appear more trustworthy, and therefore less likely to be blocked by spam filters.
The Admin Console
A small yet effective update to the admin console’s security is the requirement to enter credentials even if people are connecting over localhost. Previously, if someone was able to gain RDP access to the server, it was likely they would have been able to gain full access to Automation without entering any further credentials.
Another change effective within both Transfer and Automation is the added support for MS SQL Server 2019 as a database, making MOVEit 2020.1 an appealing upgrade if your organisation is looking to future proof the application.
The final changes are to the REST functionality. As outlined below, most of the additions are for Transfer, however Automation benefits from new functionality for reporting on the scheduler status. This could be useful for system monitoring.
- Log and audit data access
- Create/define an organisation
- Implement and manage password aging and user expiration policies
- Log retention settings
- Report import
- Get scheduler status
A first look at Progress MOVEit 2020
Progress have released MOVEit 2020. It’s a major release with a number of enhancements, including a free mobile app, enhanced cloud integration and performance capabilities. Pro2col’s MOVEit expert Richard Auger reviews the changes in this top tip, and advises on who should upgrade.
Let’s start with the mobile app. Not enough has been done with this in previous years, but the app has now had quite a facelift. I found it to be far more responsive than its predecessor and the functionality seems much improved.
Upon configuring the app and opening it, I had a much friendlier view than previously, which I’m sure will be easier for end users to navigate.
I now have access to my contacts, making it easier to send files to people I know.
If you’re used to the older app (1.4), you’ll see that some of the look and feel is the same however:
One negative, I was surprised to find that the ‘MOVEit Mobile’ app did not uninstall or replace the existing ‘MOVEit Transfer’ app on my Android phone – be sure to do this for your users as the old app won’t connect to MOVEit Transfer 2020.
This is no longer ‘Ipswitch Gateway’, and has been rewritten to use SSH encryption for the tunnel between Transfer and Gateway. Following the upgrade, there are a couple of manual actions to perform on Transfer to tidy up (removing the old tunnel and the scheduled task); apart from that, the install was straightforward. From the Gateway side everything looks much the same as before.
Notice the ports that the proxies are redirecting to? This is then referenced in a whole new tab in the MOVEit Transfer configuration screen (see below). Apart from that (and you might notice the Progress Branding on the browser tab), mostly the application appears the same.
The biggest change to Transfer is without doubt the Gateway.
The new Gateway tab allows you to manage the configuration of the gateway from within Transfer config, rather than using RAS to achieve things. Here you can generate an SSH key for tunnel authentication/encryption. You no longer need the GateWayVPNUser local account for keeping the tunnel open.
If the Gateway server is stopped, the tunnel reconnects automatically when it starts again, or you can choose to manually control it using the control on the status tab (in fact, the Gateway runs a separate service, so you could script stopping/starting if required).
Another interesting new feature that you may want to look at is data classification.
If you are concerned about the data that your users are sending, you can assign data classification values to files – users then need to classify files before sending them out. I could be wrong, but I couldn’t see that this actually restricts the sending or downloading of files. It will at least, however, give people pause before they send out confidential files.
Not much has changed in Automation. This release seems more of an opportunity to implement some changes that should have come along in the last couple of years.
First, there is now an Azure blob storage connector, which means no more scripting a connector. I don’t understand why this connector wasn’t included in the 2018 SP2 release, but better late than never. As with all new connectors, you need to be using the webadmin console in order to use the Azure connector but to be honest, the old VBAdmin console is becoming increasingly less relevant as time progresses.
You can now select which SSH encryption algorithms to use in individual hosts. I have mixed opinions on this. I can understand that it means I don’t need to reduce my security standards across the board if I have one trading partner with really old ciphers, but I worry that this would make it challenging to keep track of how secure Automation is without reviewing every SFTP host (and there could be a lot of them).
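One way to keep per-host algorithm choices visible without opening every SFTP host by hand is to audit an inventory of them against a baseline and an exceptions register. The following is an added example, not part of the original review and not Progress code; the JSON inventory layout, host names, exception references and the `WEAK` baseline are all assumptions constructed for illustration (this is not a MOVEit export format), while the algorithm names are standard SSH identifiers.

```python
import json
from datetime import date

# Example baseline (an assumption; substitute your organisation's standard).
WEAK = {
    "ciphers": {"3des-cbc", "aes128-cbc", "arcfour", "blowfish-cbc"},
    "macs": {"hmac-md5", "hmac-sha1-96"},
    "kex": {"diffie-hellman-group1-sha1"},
}

# Constructed sample inventory: one record per SFTP host, listing the
# algorithms enabled on that host plus an optional approved exception.
INVENTORY_JSON = """
[
  {"name": "partner-a-sftp",
   "ssh": {"ciphers": ["aes256-ctr", "aes128-ctr"],
           "macs": ["hmac-sha2-256"], "kex": ["curve25519-sha256"]}},
  {"name": "legacy-partner-b",
   "ssh": {"ciphers": ["3des-cbc"],
           "macs": ["hmac-sha1-96", "hmac-sha2-256"],
           "kex": ["diffie-hellman-group1-sha1"]},
   "exception": {"ref": "EXC-EXAMPLE-1", "expires": "2030-01-01"}},
  {"name": "partner-c-sftp",
   "ssh": {"ciphers": ["aes256-ctr", "aes128-cbc"],
           "macs": ["hmac-sha2-512"], "kex": ["ecdh-sha2-nistp256"]}},
  {"name": "partner-d-sftp",
   "ssh": {"ciphers": ["aes128-ctr", "arcfour"],
           "macs": ["hmac-md5"], "kex": ["diffie-hellman-group14-sha256"]},
   "exception": {"ref": "EXC-EXAMPLE-2", "expires": "2021-06-30"}}
]
"""

# Review order: hosts with no approval first, clean hosts last.
ORDER = {"unapproved": 0, "exception-expired": 1, "exception-active": 2, "ok": 3}


def audit_host(host, today):
    """Return the weak algorithms enabled on one host and its approval status."""
    findings = []
    for category, weak_set in WEAK.items():
        enabled = host.get("ssh", {}).get(category, [])
        weak = sorted(a for a in enabled if a in weak_set)
        if weak:
            # forced=True: every enabled algorithm in this category is weak,
            # so any session to this host must negotiate a weak one.
            findings.append({"category": category, "weak": weak,
                             "forced": len(weak) == len(enabled)})
    if not findings:
        status = "ok"
    else:
        exc = host.get("exception")
        if exc is None:
            status = "unapproved"
        elif date.fromisoformat(exc["expires"]) < today:
            status = "exception-expired"
        else:
            status = "exception-active"
    return {"host": host["name"], "status": status, "findings": findings}


def audit_inventory(inventory_json, today):
    """Audit every host and sort the result so the worst cases come first."""
    reports = [audit_host(h, today) for h in json.loads(inventory_json)]
    return sorted(reports, key=lambda r: (ORDER[r["status"]], r["host"]))


if __name__ == "__main__":
    for report in audit_inventory(INVENTORY_JSON, date.today()):
        print(f'{report["host"]:<18} {report["status"]}')
        for f in report["findings"]:
            note = "only weak options enabled" if f["forced"] else "weak fallback enabled"
            print(f'    {f["category"]}: {", ".join(f["weak"])} ({note})')
```

Run on a schedule, a report like this turns the per-host setting into a tracked exception list: a weakened host either has a current approval or shows up at the top.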
This is a feature that should prove useful when you have FTP hosts that format their directory listings a little differently:
You can now manipulate the directory listing to some extent without having to write a directory parsing script, although the option is still there if you need it.
Finally, there have been some performance improvements to the dashboard. Dashboard is the default starting place when you login (and too useful to not use), so the last thing that you want is to hit some slow queries. My Automation server is quite small, but I noticed an immediate improvement in performance.
MOVEit 2020 summary
Overall, I am recommending that if you have the Gateway module licenced, you upgrade to 2020 at your earliest convenience. I have seen a few issues with tunnel certificates expiring, or with the RAS configuration, both of which will be avoided by upgrading. You can’t, however, upgrade Gateway or Transfer without upgrading the other at the same time.
Automation is probably only worth upgrading if you have a specific need (the Azure connector, FTP directory parsing or dashboard performance), otherwise I’d be tempted to wait and see what 2020 SP1 brings.
Our Managed File Transfer experts have reviewed the latest release, MOVEit 2019.2. This technical top tip explains the enhanced file uploader and REST API capability for MOVEit Transfer, and POP3 security for MOVEit Automation.
MOVEit Transfer upload wizard
The improvements to MOVEit Transfer come off the back of the expanded REST API functionality, namely the chunked file upload. This API enhancement allows large files to be uploaded without being limited by a web server’s restrictions on content size. This is particularly useful for the new upload wizard which now supports large file uploads.
The upload wizard now utilises the resumable file upload API. This allows stopped uploads to be retried, resuming from where they had previously stopped.
And lastly, the upload wizard now has an expandable notes box, making it easier to use if you are entering lots of text.
Other API enhancements now include the ability to:
- Manage Contacts List
- Get User Quota Information
- Return Folder List Permissions for a User
- Filter users that have accessed or not accessed folders
- Copy a Folder
- Move a File or Folder
- Get MOVEit Transfer Server Version
There are also numerous bug fixes and RSA DLP has been removed due to end of life.
MOVEit 2019.2 brings improvements to Automation’s POP3 security. Connections can now be secured by SSL.
The other main changes to Automation are to the versions of MySQL, Tomcat, OpenSSL and IP works DLL that are installed by the installer.
MOVEit 2019.1: A review of the new release
Pro2col MFT expert Richard Auger reviews the MOVEit 2019.1 release. He provides first-hand experience of upgrading to version 2019.1 and shows some of his findings.
I’ll start with system requirements. Windows Server 2019 is now supported, in addition to 2012R2 and 2016. The packaged MySQL (and consequently the MySQL connector) has been upgraded from 5.7 to 8.0. The release notes claim that a range of ICAP-based AV and DLP solutions are now supported, although I believe this statement is an error; it looks like the AV requirements have been lifted verbatim from the Transfer 2019 release notes.
My first take on Automation is that 2019.1 looks much the same as 2019. I did find the 2019.1 dashboard loads quicker, when I ran cloned systems side-by-side for comparison. Aside from that there is no difference between the dashboards.
The last real change between the VB Admin and Web Admin GUI has now been partially addressed with the introduction of groups and permissions inside the web admin interface.
It’s easy to add a ‘resource group’ (renamed from ‘groups’ in the previous version to reduce confusion). Populating the group with tasks, hosts etc is straightforward, after which you can associate local or domain groups. Unlike the VB Admin permissions management, you cannot create Windows groups however.
There are a handful of updates and enhancements which will mostly go unnoticed. For example, there’s a new version of MySQL and some new REST API resources. There is, however, a new version of the zip/unzip scripts, which has been upgraded to use 7-zip. Functionally it behaves in the same way as before. There was already a version of the zip scripts (using 7-zip) for when the existing scripts couldn’t handle operations with larger files. This is now formalised in the new version.
Similar to MOVEit Automation, Transfer has now been updated to run on Windows Server 2019, and MySQL is also upgraded to 8.0.16. There are new versions of Java and jQuery, which should be welcomed by anyone currently failing pen tests in this area. I like that Transfer is now fully 64-bit, although admittedly I have not yet seen any benefits from this. One new feature I really quite like is that there are now MOVEit PerfMon counters to be captured. You can access these counters by a variety of means, including PowerShell. This is especially useful if you combine them with REST API transfers, as it allows you to check how busy your Transfer server is before deciding whether to upload a large file.
My MOVEit Transfer server is using local storage, but one of the most interesting changes in MOVEit Transfer 2019.1 is the ability to use Azure encryption if you are using Azure blob storage. Doing this will reduce the resource usage on the MOVEit server and shift it to Azure – which should be able to handle it better – rather than MOVEit.
There are no obvious changes in the web interface.
MOVEit 2019.1 Summary
So in summary, whilst this release has a small number of new features, it mostly focuses on performance and bringing out-of-date components in line. This makes it more appealing to security offices than administrators. It is too soon after the recent takeover by Progress for any significant changes in direction to have filtered down to the application.
A first look at MOVEit 2019
MOVEit Transfer 2019
Here at Pro2col we have just upgraded our MOVEit systems from 2018 SP2 to 2019. Here are our first thoughts:
The upgrade from Transfer 2018 SP2 to Transfer 2019 was extremely short, although clearly this would be longer when updating a system with more data in it. According to the installation guide however, Ipswitch have taken steps to reduce the time required in all cases.
Our MOVEit Transfer server is not making use of Microsoft Azure, but if your server is in Azure already, this version will allow you to store your files directly in Azure Blob storage. If you are upgrading (as opposed to a fresh install), you will need to run the ‘MOVEit Transfer Azure Blob Storage Conversion Assistant’ after the upgrade to 2019 has completed.
As of Transfer 2018 SP2, you can use Azure SQL as your DB provider.
If you’ve started using the ‘Live View’ feature introduced in 2018 SP2, you’ll notice that 2019 brings a little more functionality. One small criticism that I have is that you must choose one of the four categories – it would perhaps be useful to be able to see all past transactions, regardless of the success or failure.
It’s quite straightforward to drill down on an entry for more detail, including either getting all details of a transaction or all recent transfers for a given userid.
A nice new feature is the ability to use security challenge questions. Assuming that you allow users to reset their own passwords, if you turn this on users will be prompted to enter a question set when they next login.
The questions are a canned set and there is unfortunately no obvious way to change them from the standard set. However, the questions don’t seem to be a common set used everywhere on the internet.
The MOVEit Automation 2019 Admin console is still available, however it becomes less and less important with each version – the number of functions that can only be performed through the web console is growing, the newest (and most awaited) is the system log.
The log is dynamic, searchable and may be filtered. The only drawback I can see so far is that you cannot filter on a task name, unless the name appears in the ‘message’ field.
As a user, once you’ve entered the questions, you can change them at any time by using the ‘my account’ link and supplying your password.
The answers are stored in the database in a hash in the ‘usersecurityquestions’ table. There is no obvious way for anyone to extract the answers.
Technically speaking, one of the most important changes that you probably won’t see is that the SFTP dll has been updated to 64 bit. This will obviously have a big impact on performance if you handle a large number of SFTP transactions.
For the number of changes that are in this version of MOVEit Transfer, I would not rush to upgrade unless there is a need to make use of Azure or to bolster SFTP performance. Having said that, I would recommend new installs to go to this version immediately.
MOVEit Automation 2019
This was a really straightforward installation, but not as quick as Transfer. For new installations, you can now make use of Azure SQL DB for the database backend, while for upgrades you will have to complete the upgrade, then run the conversion utility afterwards. The same utility is used to convert from MySQL to Azure SQL as for MySQL to MS SQL; there is no specific utility to migrate from MS SQL to Azure and it is assumed that this is outside the scope of MOVEit.
No configuration was required prior to launching the web admin console and all settings were retained.
There is, however, still a function that requires the older admin console: permissions management (i.e. delegated permissions).
Logs of the last five executions of any tasks are now being stored on the Automation server – these can be downloaded from the web console. If you find that your system is being negatively impacted (storage issue or memory required to write the logs), you can turn this off. You cannot override this at a task level however, only at system.
I like this new version of MOVEit Automation; the dashboard continues to get better and the logging functions are really useful – I would recommend users to upgrade in order to see the benefits of the logging via the web admin console.
MOVEit 2018 beta release review
Ipswitch released the latest version of the MOVEit product suite for beta testing last month. If you have not had the chance to download and check out what’s new, here are the highlights.
MOVEit Transfer 2018
Transfer has three new toys to play with, two of which have been on people’s wish lists for some time now. The first of these is Secure Folder Sharing.
End users can now create temporary users and grant them access to a folder themselves. To set this up, the administrator grants a user ‘share’ access to a folder using a new permission in the folder settings:
So in this instance the user ‘Bob’ (the ‘sharer’) will be able to create a new temp user, also by using the folder settings:
The external user (the ‘sharee’) then receives an invite to log in to the system in much the same way as a package user (and indeed, a user can be both). To avoid confusion, you may want to update the default temp user display profile so that it no longer takes the new user straight into their mailbox.
Next up, we have the new MOVEit Client.
This gets installed on client machines and doesn’t require any special rights to install. Users can upload and download files freely using the client, which makes desktop integration smoother. Both ‘drag and drop’ and the browse for folders methods work.
While the new client might not sound that exciting, it’s worth mentioning that it’s available on Windows, Mac AND Linux.
The final big change for Transfer is the introduction of a RESTful API. This offers an alternative method to the old COM object approach. Ipswitch have provided a number of example PowerShell and curl scripts to work from, which should be enough to get most people started. Pointing a browser to https://localhost/api/v1/swagger shows a plethora of commands ready for use (all described in the documentation).
Another couple of changes worth mentioning are an upgrade to the MOVEit Mobile Tomcat server version, plus the ability to configure MOVEit to send mails using an SSL/TLS connection. While this last is a welcome change, this functionality was already available if you installed a local mail relay on the server as detailed here: https://docs.ipswitch.com/MOVEit/DMZ90/Help/Admin/en/index.htm#23455.htm
You should in fact still do this if your system generates a high volume of emails.
There are three important changes for MOVEit Automation too; the first of these is the introduction of Amazon S3 buckets as a host type.
Amazon S3 buckets
I spent some time over the last few months writing S3 connector scripts, but being able to simply add an S3 host works much better.
The setup is straightforward, but it does come with a glimpse into the future; you can only manage the host via the web console, although it is still visible from the old VB client.
I found uploads and downloads were as simple as any other host type.
The second big change is the introduction of PowerShell as an alternative to VB for custom scripts. If you are one of the majority of administrators who have taken to PowerShell, this is without doubt the best new feature…
You no longer have to call PowerShell from the command line app in order to get to your script of choice.
Again though, you can only create PowerShell scripts from the webadmin interface. Unlike the VB scripts, there are no pre-loaded templates available for PowerShell. You need to create the script outside of MOVEit, then import the saved ps1 file. However, after import, you can edit the script in the browser. Both the display and editor functions colour code the script, simplifying its management, which is a nice feature.
The final major change for MOVEit Automation is the introduction of RESTful API. In the same way as for Transfer, you can interact with Automation via the REST API. And it isn’t just restricted to task manipulation; you can use the REST API to stop the scheduler, check for any running tasks and stop them if necessary before finally stopping the service. This makes it possible to perform controlled shutdowns for Windows patching.
And the fun doesn’t stop there – the REST API is available for use in PowerShell scripts executed in tasks, allowing you to reach any host publishing a REST interface.
MOVEit 2017 Plus SP1 released
The new version of MOVEit Transfer 2017 (Plus SP1) installs quite simply, upgrading in a short amount of time. The login screen is unchanged, but once you’ve signed on you’ll notice that the home page is quite different in this release.
As you can see, Ipswitch is switching to bold visuals. These draw the eye to key functions, saving you time scanning lines of options before selecting the one you want. All options fit easily and neatly onto the page now, with the upload and package options sitting top and central (package options are only available if you have licenced the Ad-Hoc module).
Click the Upload button and you’ll see arguably the most long-awaited change… Drag and drop functionality has been introduced!
Another nice feature that’s been added is the ability to request files. This creates a tempuser, sends them a logon invitation, then sends a request with a link to upload files to.
If you are already running Transfer 2017 Plus, you might want to hold off upgrading until the next release. There are no security updates and only a couple of minor fixes. If you are on an older version though, then it is worthwhile upgrading. You’ll get the many benefits of 2017 Plus as well – notably the Multi-Factor Authentication.
Please be aware of the requirements for browsers before attempting an upgrade. The minimum version of Internet Explorer is 11.
Finally, the newest version of the Mobile app has been updated to reflect the icons used in the rest of the system. You can’t request files, only exchange files or send packages:
Currently Ipswitch support MOVEit DMZ 8.2, 8.3, MOVEit Transfer 2017, 2017 Plus, 2017 Plus SP1. MOVEit DMZ 8.2 reaches end-of-life on 10th November 2017.
In MOVEit Automation, the changes are not so obvious and apply primarily to the Web Admin tool. For example, the gear icon and menu icons have been changed to a three dot menu to give a standard feel throughout the application.
Additionally, the available functions under Bulk Actions have been expanded for historical reporting activities. Task import has been added as an option when adding a new task (unavailable before).
There are some fixes for the web browser, but the only changes for the core application are the resolution of some SSH issues.
If you already make use of the web user interface or you have been experiencing the SSH issues resolved in this fix, then it makes sense to upgrade to SP1. Overall however there are no major changes in this version that would require an upgrade from one of the currently supported versions of MOVEit Automation.