
Technical Notes

Encrypting Connections Between the Verastream Server and Host
Technical Note 10068
Last Reviewed 23-Feb-2007
Applies To
Verastream Host Integrator version 5.5 or higher
Summary

Verastream Host Integrator (VHI) environments use multiple connections that can be encrypted for increased security. For the connection between the Verastream Session Server and the host, you can use either SSL (beginning in version 6.5) or SSH port forwarding.

Encrypting the Verastream Connections

Verastream Host Integrator environments use multiple connections that must be individually configured for increased security. For example, in Figure 1, connections A, B, and C are secured using the following security features:

A: To encrypt communications between users and the web server, use Secure HTTP by installing SSL certificates on the web server.

B: To enable SSL-encrypted communications between the Verastream client (connector) and server, enable Verastream security in the Administrative WebStation. (Alternatively, clients can use the RequireSecureConnection API call.)

C: To encrypt the Telnet communications between the Verastream server and host, you can use either SSL or SSH port forwarding.

SSL: Beginning in VHI version 6.5, Telnet SSL and Telnet Extended SSL are supported. In the Design Tool, these options are available in the list of Transport Types in Session Setup. For more information, see http://www.attachmate.com/docs/verastream/vhi/6.5/help/designtool/hdlg_transporttype.html.

SSH Port Forwarding: For earlier VHI versions, or non-SSL enabled hosts, the remainder of this technical note describes how to use SSH port forwarding to encrypt the Telnet communication.

Note: Attachmate SSH software (Reflection for Secure IT) is available for various UNIX and Windows platforms. For more information on Reflection for Secure IT platform support, see Technical Note 1944.

Figure 1: Encryption Between Components

For more information about other VHI encryption, authentication, and access control features, see http://www.attachmate.com/docs/verastream/vhi/6.5/help/server/SecurityOverview.html.

About SSH Port Forwarding

Port forwarding (or 'tunneling') allows insecure TCP/IP traffic, such as the Telnet traffic between the Verastream server and the host, to be forwarded through a secure SSH connection.

Verastream and Port Forwarding

To enable traffic between the Verastream server and the host to be sent through an SSH tunnel, you must establish the SSH connection, and then redirect the Verastream communication through the SSH tunnel.

Figure 2: SSH Tunnel Between Verastream Server and Host

Once the redirection has been established, all Telnet communication between the Verastream server and the host (port 23) is automatically forwarded through the SSH tunnel (port 22).

Installing SSH Software

Typically, the SSH client and server are installed on the Verastream server and the host, respectively, to avoid unsecured hops between systems.

Refer to the SSH documentation for installation instructions. For information on installing Reflection for Secure IT software, see the product documentation at http://support.attachmate.com/manuals/sshdocs.html.

Configuring Local Port Forwarding

Use the following information (in combination with Technical Note 1862) to configure the Reflection for Secure IT SSH client and server for Verastream port forwarding.

Note: Although this technical note talks specifically about configuring Reflection for Secure IT, the basic concepts presented in the note can be used to help you configure any third-party SSH client and server. Refer to the SSH product documentation for specific details.

Using Technical Note 1862

After completing Step I in Technical Note 1862, use the following information for Steps II and III.

Step II—Create a Local Tunnel

In Step II, when asked to create the local SSH tunnel, use these values.

Field                          Step   Use this Value
Forward local port             4.     Any port number over 1024
Destination host (to remote)   5.     Localhost*
Port                           6.     23 (Note: Port 23 redirects Telnet)

*If the SSH server software is not running on the destination host, use the destination host name instead of Localhost.

Step III—Configuring the Application to use the SSH Tunnel

Where you configure VHI to use the SSH tunnel depends on your Verastream implementation. Wherever you have specified the host name and port number, you should now use these values:

Host name     Localhost*
Port number   The number you specified in the 'Forward local port' field above. (A port number over 1024.)

*If the SSH client software is not running on the Verastream server, use the host name where the SSH client is running instead of Localhost.

The host name and port number may be specified in the model, or in a deployment descriptor:

  • To configure the Host name and port in the model, open the model in the Design Tool and then click Connection > Session Setup.
  • To configure a different Host name and port in the session pool configuration for a simple deployment package, open the model in the Design Tool and then click File > Deployment Options > Host tab. For more information on deployment, see Technical Note 10237 (version 6.0 or higher) or 10217 (version 5.5).
  • For information on specifying the host-name and host-port in the model-configuration section of the configuration descriptor XML file, see "Writing the Descriptors" in the installed product help. For information on using deployment descriptors, see Technical Note 10237 (version 6.0 or higher) or 10217 (version 5.5).
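
The Step II and Step III values expressed as an OpenSSH local forward, as an added example that is not part of the original technical note or of Reflection for Secure IT. The account vhi, the example host names, and local port 2323 are constructed sample values; plaintext_hops reports which legs stay unencrypted when either footnote (*) applies.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the Step II / Step III values.
# Host names, the "vhi" account and port 2323 are constructed samples.

# True when a host name refers to the local machine.
is_local() {
    case $1 in localhost|Localhost|127.0.0.1) return 0 ;; esac
    return 1
}

# Print the ssh command for the local tunnel, or fail on a bad port.
# $1 = forward local port, $2 = destination host (as seen from the SSH
# server), $3 = user@ssh-server
tunnel_cmd() {
    lport=$1 dest=$2 server=$3
    case $lport in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 2 ;;
    esac
    if [ "$lport" -le 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "local port must be over 1024 and at most 65535" >&2
        return 2
    fi
    # -N: forward only, run no remote command.
    # -L 127.0.0.1:...: listen on loopback only, so just processes on the
    #   Verastream server can reach the plaintext end of the tunnel
    #   (layout where the SSH client runs on the Verastream server).
    # ExitOnForwardFailure: exit if the listener cannot be created.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:23 %s\n' \
        "$lport" "$dest" "$server"
}

# List the legs that remain unencrypted Telnet for a given layout.
# $1 = host name configured in VHI (Step III)
# $2 = destination host given to the tunnel (Step II)
plaintext_hops() {
    vhi_target=$1 dest=$2 hops=""
    is_local "$vhi_target" || hops="vhi-to-ssh-client"
    is_local "$dest" || hops="${hops:+$hops }ssh-server-to-host"
    echo "${hops:-none}"
}

# Recommended layout: SSH client on the Verastream server, SSH server on
# the host, so VHI connects to localhost:2323 and nothing crosses the
# network unencrypted.
tunnel_cmd 2323 localhost vhi@host.example
plaintext_hops localhost localhost
```

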
Related Technical Notes
1862 Local and Remote Port Forwarding and the Reflection for Secure IT Client
1944 Supported Platforms in Reflection for Secure IT Client and Server
1999 Reflection for Secure IT Technical Notes
2214 Connecting to z/OS or OS/390 Mainframe Using SSL and Reflection for IBM 2007
2215 Connecting to an iSeries or AS/400 Using SSL and Reflection for IBM 2007
10217 Best Practices for Deploying New Models in Verastream Host Integrator 5.5
10237 Best Practices for Deploying New Models in Verastream Host Integrator 6.0 or Higher
40999 Verastream Host Integrator Technical Notes
