Should I enable FIPS Compliance Mode?

Description

Question/Problem:

Should I enable FIPS Compliance Mode?

Product: MOVEit DMZ
Version: 5.5 and greater
Platform: All
Solution

Answer/Solution:

Enable this option only on MOVEit DMZ version 5.5 or later. Be aware that enabling it can cause some older clients to stop working; see the Known Issues below before turning it on.

Discussion:

Windows Server 2003 and 2008 both provide a local security policy setting, found under Administrative Tools -> Local Security Policy -> Security Options, named "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".

When this setting is enabled, the FIPS compliance security policy is active for the whole system. Windows then restricts its own cryptographic providers (notably the Schannel SSL/TLS stack, Remote Desktop, and .NET code that honors the policy) to FIPS-validated algorithms and refuses the Microsoft-provided ones that are not, which generally means the older and weaker choices. This removes the SSL 2.0 and SSL 3.0 protocols, hash algorithms such as MD5, and ciphers such as DES, RC2, and RC4; only FIPS-approved protocols, algorithms, and ciphers remain available. Applications that ship their own cryptographic library rather than calling the Windows providers are not affected by the policy. MOVEit DMZ is fully supported with FIPS compliance mode enabled, and enabling it is recommended for high-security environments.

Clients that access the DMZ Web or DMZ FTP services are affected by this change, but DMZ SSH users are not.

Known Issues:

  1. Mac OS X clients (Safari, Firefox, etc.) that use the Java Wizard against a MOVEit DMZ server on Windows Server 2003 or Windows Server 2008 with the FIPS option enabled may find that the Java Wizard fails to load.
  2. IE6 users who use the Java Wizard against a MOVEit DMZ server on Windows Server 2003 or Windows Server 2008 with the FIPS option enabled may experience issues: the Java Wizard fails to load with a "java.io.IOException". Upgrading to IE7 should resolve this issue.
  3. IE6 users who use the DMZ API (COM) against a MOVEit DMZ server on Windows Server 2003 or Windows Server 2008 with the FIPS option enabled may experience issues: the DMZ API fails with "3201: HttpSendRequestEx failed: The attempt to connect to the server failed". Upgrading to IE7 should resolve this issue.
  4. If MOVEit Central and MOVEit DMZ are installed on the same machine with IE6, MOVEit Central fails to connect with the error "HttpSendRequestEx failed: The client and server cannot communicate, because they do not possess a common algorithm." Upgrading to IE7 should resolve the issue.
  5. Out-of-date Remote Desktop clients will fail to connect, as will clients whose Group Policy sets the RDP encryption level lower than FIPS Compliant. Check the encryption level in the Group Policy editor (gpedit.msc) on the clients and in the Terminal Services Configuration (tscc.msc) on the server.
  6. Uploads from FileZilla larger than a few KB fail with "550 STOR failed: The parameter is incorrect."
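The following PowerShell script is an added example and is not part of this article or of MOVEit DMZ. It reads the registry value behind the Local Security Policy option described in the Discussion (both the Server 2003 and Server 2008 layouts), optionally turns the policy on, reports the Terminal Services encryption level that Known Issue 5 refers to, and probes a few .NET algorithm classes to show what the policy does to code that honors it. The registry paths are the documented locations for these settings; the script name and its -Enable switch are this example's own.

```powershell
# Added example, not code from the original article or from Ipswitch.
# Audits the Windows FIPS policy and the RDP encryption level, then shows the
# effect of the policy on a .NET caller. Run from an elevated PowerShell
# prompt on the MOVEit DMZ host.
# Assumptions: registry locations are the documented ones for Server 2003
# (DWORD "FipsAlgorithmPolicy" directly under Lsa) and Server 2008 (DWORD
# "Enabled" under Lsa\FipsAlgorithmPolicy); the -Enable switch is this script's own.
[CmdletBinding()]
param(
    [switch]$Enable   # write the policy instead of only reporting it
)

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$FipsKey = Join-Path $LsaKey 'FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Returns $true when "Use FIPS compliant algorithms ..." is on.
    if (Test-Path $FipsKey) {
        $v = (Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -ne $v) { return [bool]$v }
    }
    $legacy = (Get-ItemProperty -Path $LsaKey -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue).FipsAlgorithmPolicy
    if ($null -ne $legacy) { return [bool]$legacy }
    return $false
}

function Set-FipsPolicyState([bool]$On) {
    # Same effect as ticking the Local Security Policy option. Schannel, RDP
    # and .NET read the flag when they start, so reboot before relying on it.
    $value = if ($On) { 1 } else { 0 }
    if (Test-Path $FipsKey) {
        New-ItemProperty -Path $FipsKey -Name Enabled -Value $value -PropertyType DWord -Force | Out-Null
    } else {
        New-ItemProperty -Path $LsaKey -Name FipsAlgorithmPolicy -Value $value -PropertyType DWord -Force | Out-Null
    }
}

function Get-RdpMinEncryptionLevel {
    # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
    # A Group Policy value (Policies key) takes precedence over the listener's own.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    foreach ($k in @($policyKey, $listenerKey)) {
        $lvl = (Get-ItemProperty -Path $k -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
        if ($null -ne $lvl) { return [int]$lvl }
    }
    return $null   # nothing set: Terminal Services default (Client Compatible)
}

function Test-DotNetAlgorithm([string]$TypeName) {
    # With the policy on, .NET refuses to construct implementations it does not
    # treat as FIPS validated (MD5, RC2, and the *Managed classes such as
    # SHA256Managed) and throws "This implementation is not part of the Windows
    # Platform FIPS validated cryptographic algorithms." The *CryptoServiceProvider
    # classes for approved algorithms still construct. .NET caches the flag per
    # process, so start a fresh PowerShell after changing the policy.
    try {
        $null = New-Object -TypeName $TypeName
        return 'allowed'
    } catch {
        return 'blocked: ' + $_.Exception.GetBaseException().Message
    }
}

if ($Enable) { Set-FipsPolicyState $true }

$fips = Get-FipsPolicyState
$rdp  = Get-RdpMinEncryptionLevel
Write-Host ('FIPS policy enabled   : {0}' -f $fips)
Write-Host ('RDP MinEncryptionLevel: {0}' -f $(if ($null -eq $rdp) { 'not set (Client Compatible)' } else { $rdp }))
if ($fips -and $rdp -ne 4) {
    Write-Warning 'FIPS is on but the RDP listener is not set to FIPS Compliant (4); set it to match, and expect old clients or clients forced to a lower level by Group Policy to be refused.'
}

# Constructed list of .NET types to probe: the first two are blocked under the
# FIPS policy, the third is allowed.
foreach ($t in 'System.Security.Cryptography.MD5CryptoServiceProvider',
               'System.Security.Cryptography.SHA256Managed',
               'System.Security.Cryptography.SHA1CryptoServiceProvider') {
    Write-Host ('{0,-30} {1}' -f $t.Split('.')[-1], (Test-DotNetAlgorithm $t))
}
```

Run it without arguments to audit a server before and after the change, or with -Enable (followed by a reboot) to turn the policy on from a script instead of the Local Security Policy console. The .NET probe only shows what happens to callers that honor the Windows policy; it does not emulate the client-side TLS negotiation failures listed above, which you still need to test from a representative browser, Java Wizard, and FTP client.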
Keywords: FIPS, DMZQuickStart