As an administrator, you can manage remote access using the following distinct controls:
  • IP Lockouts

    Unblock client connection requests initiated from IP addresses that were automatically locked out based on your organization's policy configuration. For example, IP addresses can be locked out after several failed attempts at authentication.

  • IP Whitelist

    Add a rule to include the IP address on the IP Whitelist (for certain cases where traffic from specific IP addresses is trusted).

  • IP Switching

    Set an allowable IP range for access to accommodate ranges allowed by a proxy or firewall.

IP Lockouts

When an IP address is locked out, it is locked out across all organizations at a particular site.

Important: Once an IP address is unlocked, it is unlocked for all organizations.
There are two main behaviors for this control:
  • As an Admin user, you can unlock IP addresses one at a time. (Default behavior)
  • If site policy makes it available, the Unlock All IP Addresses button displays. This control unlocks ALL IP Addresses for all Orgs at once. (Your System Administrator applies this policy.)
Figure 1. Locked Out IP Addresses (with unlock all control available as shown)

Notifications Triggered

If an IP address is locked out, SysAdmin users who have their notification property set to On+Admin will receive an email notification that the lockout has occurred.

If there is only one non-system organization configured, Admin users in that org who have their notification property set to On+Admin will also receive email notifications.

Only SysAdmins may set IP Lockout Policy. (See the IP Lockout Policy section of the System Remote Access Policy page for more information.) IP lockouts are enabled by default and set to lock out IP addresses after 15 bad attempts in any 5-minute period.

After you unlock an IP address, the user who triggered the IP lockout will still be locked and inactive. You can change the user's Account Status in the User Profile.

Whitelisted IP Addresses

Whitelisted IP addresses have trusted access without the safeguards of the IP Lockout policy rules. This can be useful in scenarios where:
  • Internal clients access MOVEit Transfer from behind a shared firewall.
  • Clients access MOVEit from a properly managed and trusted third-party application.
Figure 2. Whitelisted IP Address Entry

IP Switching

To prevent session hijacking, MOVEit Transfer normally does not allow the IP address used by a session to change over the course of that session. However, some firewalls and proxy servers use pools of IP addresses to assign to users who access the Internet and can sometimes assign different IP addresses to a user even within a single session. In order to allow these users full access to the server, the IP Switching feature allows administrators to set an allowable range within which a session IP address can change.

By default, the IP Switching option is set to None, which corresponds to a subnet mask of 255.255.255.255, or /32. This prevents any sort of IP address switching. Other available values are:

  • Class C (255.255.255.0 or /24): Allows the session IP address to vary within the Class C portion of the address. For example, if the original session IP address was 1.1.1.1, switching to 1.1.1.2 would be allowed, but switching to 1.1.2.2 would not.
  • Class B (255.255.0.0 or /16): Allows the session IP address to vary within the Class B portion of the address. For example, if the original session IP address was 1.1.1.1, switching to 1.1.2.2 would be allowed, but switching to 1.2.2.2 would not.
  • Class A (255.0.0.0 or /8): Allows the session IP address to vary within the Class A portion of the address. For example, if the original session IP address was 1.1.1.1, switching to 1.2.2.2 would be allowed, but switching to 2.2.2.2 would not.
  • All (0.0.0.0 or /0): Allows all IP address switching.
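
The subnet comparison behind these settings, as an added Python example (not MOVEit Transfer's own code). The names `switch_allowed` and `window_size` and the IPv4-only handling are assumptions made for illustration; `window_size` shows how many addresses could continue a session under each setting, which is the exposure each wider setting accepts.

```python
import ipaddress

# Prefix lengths for the IP Switching settings listed on this page.
IP_SWITCHING_PREFIX = {
    "None": 32,     # 255.255.255.255
    "Class C": 24,  # 255.255.255.0
    "Class B": 16,  # 255.255.0.0
    "Class A": 8,   # 255.0.0.0
    "All": 0,       # 0.0.0.0
}


def switch_allowed(original_ip: str, new_ip: str, setting: str = "None") -> bool:
    """Return True if new_ip may continue a session that began at original_ip.

    Hypothetical helper: it models the documented mask comparison only.
    """
    prefix = IP_SWITCHING_PREFIX[setting]  # KeyError on an unknown setting
    orig = ipaddress.ip_address(original_ip)
    new = ipaddress.ip_address(new_ip)
    # The masks on this page are IPv4 masks; this sketch rejects anything else.
    if orig.version != 4 or new.version != 4:
        return False
    # strict=False masks off the host bits, giving the network that
    # contains the original session address at the configured prefix.
    allowed = ipaddress.ip_network(f"{orig}/{prefix}", strict=False)
    return new in allowed


def window_size(setting: str) -> int:
    """Number of IPv4 addresses that could continue a session under a setting."""
    return 2 ** (32 - IP_SWITCHING_PREFIX[setting])


if __name__ == "__main__":
    # Constructed session changes, taken from the examples in the list above.
    cases = [
        ("Class C", "1.1.1.1", "1.1.1.2"),
        ("Class C", "1.1.1.1", "1.1.2.2"),
        ("Class B", "1.1.1.1", "1.2.2.2"),
        ("Class A", "1.1.1.1", "2.2.2.2"),
    ]
    for setting, orig, new in cases:
        verdict = "allowed" if switch_allowed(orig, new, setting) else "rejected"
        print(f"{setting:8} {orig} -> {new}: {verdict} "
              f"(window of {window_size(setting)} addresses)")
```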