Configuring the Security Proxy in a Windows Environment

  • 7022328
  • 03-Jul-2003
  • 25-Mar-2018

Environment

Reflection for the Web 2011 (All Editions except Standard)

Situation

This technical note provides instructions for installing and configuring the security proxy server in a Windows environment.

Note the following:

  • This feature is not required to run Reflection for the Web.
  • For information about setting up the Reflection for the Web 2011 security proxy server in UNIX or Linux, see Technical Note 2569.

Resolution

Which Products Work with the Proxy Server?

The following Reflection products (or suite components) and versions can be used with the security proxy server:

Product and Version                      | Security proxy support with client authorization Enabled (the default) ** | Security proxy support with client authorization Disabled
-----------------------------------------|-------|------
Reflection for UNIX and OpenVMS 2011     | Yes   | Yes
Reflection for UNIX and OpenVMS 2008     | No *  | Yes
Reflection for UNIX and OpenVMS 14.x     | Yes   | Yes
Reflection for HP with NS/VT 14.x        | Yes   | Yes
Reflection for IBM 2011                  | Yes   | Yes
Reflection for IBM 2008                  | No *  | Yes
Reflection for IBM 2007                  | No *  | Yes
Reflection for IBM 14.x                  | Yes   | Yes
Reflection for Secure IT SSH or SFTP 7.x | No *  | Yes
Reflection FTP Client 14.x               | Yes   | Yes

* These products provide their own fully-integrated support for secure authentication and data encryption. For more details, refer to the product Help.

** Products that have security proxy support with client authorization enabled can appear in the login/links list.

What is Client Authorization?

The Reflection security proxy helps protect the host from users who have not been authenticated or authorized. When you use the Reflection security proxy, data sent between the emulator and the proxy is SSL encrypted. In addition, when proxy client authorization is enabled (the default), users who have not been authenticated and authorized by the Reflection management server are rejected at the proxy and never get through to the host.

Not all Attachmate emulation products and versions support the client authorization token used by the security proxy for client authorization. If the Reflection product or version you are running does not support client authorization, you may choose to disable client authorization. With this feature disabled, Reflection can send data between the emulator and the proxy in SSL encrypted format, but no user authorization verification is performed at the proxy before the data is passed through to the host.

Installing and Configuring the Security Proxy Server

If you are using the automated installer to install both the Security Proxy and Reflection Management Server components, the proxy server is configured automatically.

However, if you are installing the Security Proxy component separately from the Reflection Management Server component (either at a different time, or on a different computer), then you must run the Security Proxy Wizard after the installation to configure the proxy server.

For detailed information about installing Reflection and running the Security Proxy Wizard, see the documentation in the product or online:

Creating a Connection through the Proxy

You can now use the Administrative WebStation's Session Manager to create a secure terminal session through the proxy server.

Create a Connection Using Reflection 2011

When creating a terminal session using a Reflection 2011 product, follow these steps to configure the connection to use the Reflection proxy server.

  1. Open the Reflection for the Web Administrative WebStation. Open Session Manager, click Add, select Reflection Workspace, and enter a Session name.
  2. Click Continue, and then click Launch.
  3. Enter the Host name, select the "Configure additional settings" check box, and then click OK.
  4. Under Host Connection, click "Set Up Connection Security" (or "Set Up <connection type> Security").
  5. Under Security, click Security Settings. (Skip this step for VT connections.)
  6. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
  7. Select the "Use Reflection security proxy" check box.
  8. Enter the name of your Reflection security proxy and the proxy port number that you have configured for the host you wish to reach, and then click OK > OK.

Create a Connection Using Reflection 12.0 - 14.x

When creating the terminal session from the Administrative WebStation or from a Reflection 12.0 - 14.x Windows-based product, follow these steps to configure the session to use the Reflection proxy server.

  1. Click Connection > Connection Setup, and then click Security.
  2. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
  3. Select the "Use Reflection security proxy" check box.
  4. Enter the name of your Reflection security proxy and the port number, and then click OK.
  5. Click Connect.

Prepare to Create a Connection Using Reflection 2008 or 2007

Before using the Reflection proxy server with Reflection 2008 or 2007 products, you must first configure the proxy server to run without client authorization, a multi-step process explained below under Configure the Proxy Server to Run Without Client Authorization. After you disable client authorization, you can create a connection using Reflection 2008 or 2007.

Note the following:

  • For a list of supported products and versions, see Which Products Work with the Proxy Server?
  • For information about what client authorization does, see What is Client Authorization?
  • You cannot use the Administrative WebStation's Session Manager to create login/links list entries for Reflection 2008 products; however, the Reflection 2008 Windows-based products can be configured to use the proxy server, if client authorization is disabled.
  • If a Reflection product is installed on the same machine as the Administrative WebStation, you cannot use the Session Manager on that machine to add Windows-based Reflection sessions. If you try, you will see the error "Your Windows-based application is version 15.x. Reflection for the Web does not support this version." To bypass this problem, access the Administrative WebStation > Session Manager from a workstation that does not have a Reflection 2008 or 2007 product installed on it.

Configure the Proxy Server to Run Without Client Authorization

Disabling client authorization enables the security proxy to work with all Attachmate emulation products. Note that when client authorization is disabled, no user authorization verification is performed at the proxy before the data is passed through to the host, making access to the host slightly less secure.

If you decide to disable client authorization, you must follow the steps below to disable client authorization and manually configure a proxy listening port and transport type for each destination host that users need to access.

Disable Client Authorization

  1. Access the Security Proxy Wizard (Start > All Programs > Attachmate Reflection for the Web > Utilities > Security Proxy Wizard).
  2. On the Advanced Settings tab, clear Client authorization. The message "Client Authorization has been disabled. You must specify a destination host and destination port for each proxy" is displayed. Click OK.

Create a Proxy for Your Destination Host

  1. On the Proxies tab, click Modify.
  2. Under Protocols, select Emulation or FTP, and then click Modify.
  3. Enter the Destination host name or IP address and the Destination port (for example, port 23 for Telnet).
  4. Under Protocols, select the second protocol type, and click Modify to configure the destination host and port or click Delete to remove the protocol if it is not needed.
  5. Click OK to return to the Proxies tab.
  6. To save your settings, click Save.
  7. In the Export Proxies dialog box, verify that the correct Management server, Port, and Context values are displayed, and then click Export to export the proxy information to the Administrative WebStation.

Add a Proxy to a Different Destination Host

If you wish to make multiple hosts available through the proxy server, follow these steps to configure a proxy for each additional host.

  1. On the Proxies tab, click Add.
  2. In the Local port field, enter the protocol port on which the proxy should listen for incoming connections.

     This is the port that the terminal session uses to connect to the proxy server. The local port should not be the standard port for the host connection (for example, the SSL port of 443). Each proxy must have a unique local port that does not conflict with other server processes. To avoid conflicts, do not use ports specified in the /etc/services file for well-known services. For UNIX servers, avoid using the reserved ports from 1 to 1023, and do not use any ports that are already in use by other server processes, including other security proxies.

     To see which ports are in use on the machine, open a Windows command window (Start > Run, enter cmd, and then click OK). At the prompt enter netstat -a.

  3. Under Protocols, click Add.
  4. Select a Protocol.
  5. Enter your Destination host and Destination port, and then click OK > OK.
  6. Repeat steps 1 through 5 for each destination host and port number pair.
  7. Click Save > Export > OK, and then Exit.

You can now create secure terminal sessions from a Reflection 2008 or 2007 Windows-based product.
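
The local-port rules in step 2 above (unique per proxy, outside the reserved range 1 to 1023, not already in use) can be checked before entering ports in the wizard. The following is an added example, not part of the original technical note or of Reflection: it assumes the output of `netstat -an` (the numeric form of the command above) has been captured as text, and the sample output, host names and port plan are constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -an` output from a Windows host (not from the note).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49212         10.0.0.9:23            ESTABLISHED
  TCP    [::]:8443              [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed plan: (proxy local port, destination host, destination port).
PLANNED = [
    (3000, "vt-host.example", 23),
    (443, "ibm-host.example", 23),
    (9001, "ftp-host.example", 21),
    (9001, "vms-host.example", 23),
    (9002, "hp-host.example", 23),
]

def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports shown in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit handles both 0.0.0.0:443 and the IPv6 form [::]:8443
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def check_local_ports(planned, netstat_text):
    """Return [(local_port, [problems])] in input order; empty list means OK."""
    in_use = listening_tcp_ports(netstat_text)
    counts = Counter(local for local, _host, _dport in planned)
    report = []
    for local, _host, _dport in planned:
        problems = []
        if 1 <= local <= 1023:
            problems.append("reserved")    # well-known range named in the note
        if local in in_use:
            problems.append("in-use")      # another process already listens here
        if counts[local] > 1:
            problems.append("duplicate")   # each proxy needs its own local port
        report.append((local, problems))
    return report

if __name__ == "__main__":
    for port, problems in check_local_ports(PLANNED, SAMPLE_NETSTAT):
        print(port, "OK" if not problems else ", ".join(problems))
```

If the security proxy is already running, the local ports it currently holds also appear as in-use, so run the check against ports you intend to add rather than ones already configured.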

Create a Connection Using Reflection 2008 or 2007

When creating a terminal session using a Reflection 2008 or 2007 product, follow these steps to configure the connection to use the Reflection proxy server.

  1. Enter the Host name, select the "Configure additional settings" check box, and then click OK.
  2. Under Host Connection, click "Set Up Connection Security" (or "Set Up <connection type> Security").
  3. Under Security, click Security Settings. (Skip this step for VT connections.)
  4. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
  5. Select the "Use Reflection security proxy" check box.
  6. Enter the name of your Reflection security proxy and the proxy port number that you have configured for the host you wish to reach, and then click OK > OK.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 1320.