You must set the Real Server to route return traffic to the MOVEit WAF interface because transparency is set for the Virtual Services. Routing tables are required to achieve this.

Using the VPC Management Console, the route table for the MOVEit Transfer servers' subnet must be modified. Add a route to the routing table using the destination 0.0.0.0/0 to match all traffic. Set the Target type to Instance and ensure that MOVEit WAF is selected to force all traffic to return through the MOVEit WAF appliance.

For further help, refer to the full AWS documentation on adding custom routes and route table modifications.

If you are seeing the following scenario:

  • With transparency disabled, MOVEit WAF sends traffic to a healthy Real Server as normal and the Real Server responds.
  • With transparency enabled, MOVEit WAF sends traffic to a healthy Real Server as normal. However, no traffic is seen on the Real Server.

This is because of the source/destination checks setting in Amazon Web Services (AWS).

The source/destination check must be disabled on the MOVEit WAF interface that is on the same subnet as the Real Server.

For further information on Source/Destination Checks in AWS, refer to the following AWS content: Disabling Source/Destination Checks.

You can find this in the AWS portal by selecting the EC2 instance (MOVEit WAF) and going to: Actions > Networking > Change Source/Dest. Check. This must be disabled.
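To confirm both settings described above without clicking through the console, the following added example (not part of the MOVEit or AWS documentation) audits them offline. It assumes the input dicts follow the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`; the function names and all resource IDs are constructed for illustration.

```python
# Added example: offline audit of the two AWS settings transparency relies on.
# Dicts mirror `aws ec2 describe-route-tables` / `describe-network-interfaces`
# JSON output. All IDs are constructed placeholders, not real resources.

def route_table_for(subnet_id, route_tables):
    """Return the table explicitly associated with the subnet, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def audit(subnet_id, waf_instance_id, route_tables, interfaces):
    """List the reasons return traffic would bypass or be dropped by the WAF."""
    findings = []
    rt = route_table_for(subnet_id, route_tables) or {}
    default = next((r for r in rt.get("Routes", [])
                    if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        findings.append("no 0.0.0.0/0 route on the Real Server subnet")
    elif default.get("InstanceId") != waf_instance_id:
        findings.append("0.0.0.0/0 does not target the MOVEit WAF instance")
    # Only the WAF interface on the Real Server subnet matters for this check.
    enis = [i for i in interfaces if i.get("SubnetId") == subnet_id
            and i.get("Attachment", {}).get("InstanceId") == waf_instance_id]
    if not enis:
        findings.append("MOVEit WAF has no interface on the Real Server subnet")
    for eni in enis:
        if eni.get("SourceDestCheck", True):
            findings.append("source/dest check enabled on " + eni["NetworkInterfaceId"])
    return findings

# Constructed sample data: a main table routing to an internet gateway, and a
# subnet-specific table routing through the WAF instance.
SUBNET, WAF = "subnet-0example", "i-0wafexample"
MAIN_RT = {"Associations": [{"Main": True}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
SUBNET_RT = {"Associations": [{"SubnetId": SUBNET}],
             "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": WAF}]}
def sample_eni(check):
    return [{"NetworkInterfaceId": "eni-0example", "SubnetId": SUBNET,
             "SourceDestCheck": check, "Attachment": {"InstanceId": WAF}}]

if __name__ == "__main__":
    print(audit(SUBNET, WAF, [MAIN_RT], sample_eni(True)))
    print(audit(SUBNET, WAF, [MAIN_RT, SUBNET_RT], sample_eni(False)))
```

An empty list means the Real Server subnet returns traffic through MOVEit WAF and the WAF interface will accept it; a subnet with no explicit association is evaluated against the VPC main route table.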