Technical Notes

Configuring the Security Proxy in a Windows Environment
Technical Note 1320
Last Reviewed 13-Nov-2008
Applies To
Reflection for the Web 2008 (All Editions except Standard)
Reflection for the Web version 8.0 through 9.6
Summary

This technical note provides instructions for installing and configuring the security proxy server in a Windows environment.

Note the following:

• This feature is not required to run Reflection for the Web.
• Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.
• For information about setting up the security proxy in UNIX, Linux, or Mac OS X, see Technical Note 1812.

Which Products Work with the Proxy Server?

The following Reflection products and versions can be used with the security proxy server:

Product and Version	Security proxy support with client authorization Enabled (the default)	Security proxy support client authorization Disabled
Reflection for UNIX and OpenVMS 2008	No *	Yes
Reflection for UNIX and OpenVMS 12.0 - 14.x	Yes	Yes
Reflection for HP with NS/VT 12.0 - 14.x	Yes	Yes
Reflection for IBM 2008	No *	Yes
Reflection for IBM 2007	No *	Yes
Reflection for IBM 12.0 - 14.x	Yes	Yes
Reflection X 2008	No *	Yes
Reflection X 12.0 - 14.x	No *	Yes
Reflection for Secure IT SSH or SFTP 6.0 - 7.x	No *	Yes
Reflection FTP Client 13.04 - 14.x	Yes	Yes

* These products provide their own fully-integrated support for secure authentication and data encryption. For more details, refer to the product Help.

What is Client Authorization?

The Reflection security proxy helps protect the host from direct user contact. When you use the Reflection security proxy, data sent between the emulator and the proxy is SSL encrypted. In addition, when proxy client authorization is enabled (the default), users who have not been authenticated and authorized by the Reflection management server are rejected at the proxy and never get through to the host.

Not all Attachmate emulation products and versions support the client authorization token used by the security proxy for client authorization. If the Reflection product or version you are running does not support client authorization, you may choose to disable client authorization. With this feature disabled, Reflection can send data between the emulator and the proxy in SSL encrypted format, but no user authorization verification is performed at the proxy before the data is passed through to the host.

Installing and Configuring the Security Proxy Server

If you are using the automated installer to install both the Security Proxy and Reflection Management Server components, simply run the installation and choose to install the Security Proxy NT Service when prompted. In this scenario the proxy server is configured automatically.

However, if you are installing the Security Proxy component separately from the Reflection Management Server component (either at a different time, or on a different computer), then you must run the Security Proxy Wizard after the installation to configure the proxy server.

For detailed information about installing Reflection, see the documentation in the product or online:

After the installation:

1. Run the Security Proxy Wizard (Start > All Programs > Attachmate Reflection for the Web > Utilities > Security Proxy Wizard).
2. On the Trusted Certificates tab, click Import, click Server, and import the Reflection management server certificate.
3. On the Proxies tab, click Add, or select an existing proxy port and click Modify.
4. Enter a local port number (if one is not already assigned).
5. Under Protocols, specify the type of protocol for the proxy: emulation, FTP, or both (the default). Click Help on the tab for more information.
6. Click OK.
7. Click Export Settings to export the proxy server settings to the Reflection management server.
8. Click Save, and then click Exit.
9. Stop and restart the Reflection Security Proxy.

Creating a Connection through the Proxy

You can now use the Administrative WebStation's Session Manager or a version 12.0 - 14.x Reflection Windows-based product to create a secure terminal session through the proxy server.

Create a Connection Using Reflection 12.0 - 14.x

When creating the terminal session from the Administrative WebStation or from a Reflection 12.0 - 14.x Windows-based product, follow these steps to configure the session to use the Reflection proxy server.

1. Click Connection > Connection Setup, and then click Security.
2. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
3. Select the "Use Reflection security proxy" check box.
4. Enter the name of your Reflection security proxy and the port number, and then click OK.
5. Click Connect.

Prepare to Create a Connection Using Reflection 2008 or 2007

Before using the Reflection proxy server with Reflection 2008 or Reflection 2007 products, you must first Configuring the Proxy Server to Run Without Client Authorization, which is a multi-step process explained below. After you disable client authorization, you can create a connection using Reflection 2008 or 2007.

Note the following:

• For a list of supported products and version, see Which Products Work with the Proxy Server?
• For information about what client authorization does, see What is Client Authorization?
• You cannot use the Administrative WebStation's Session Manager to create login/links list entries for Reflection 2008 products; however, the Reflection 2008 Windows-based products can be configured to use the proxy server, if client authorization is disabled.
• If a Reflection 2008 or 2007 product is installed on the same machine as the Administrative WebStation, you cannot use the Session Manager on that machine to add Windows-based Reflection sessions. If you try, you will see the error "Your Windows-based application is version 15.x. Reflection for the Web does not support this version." To bypass this problem, access the Administrative WebStation > Session Manager from a workstation that does not have a Reflection 2008 or 2007 product installed on it.

Configuring the Proxy Server to Run Without Client Authorization

Disabling client authorization enables the security proxy to work with all Attachmate emulation products. Note that when client authorization is disabled, no user authorization verification is performed at the proxy before the data is passed through to the host, making access to the host slightly less secured.

If you decide to disable client authorization, you must follow the steps below to disable client authorization and manually configure a proxy listening port and transport type for each destination host that users need to access.

Disable Client Authorization

1. Access the Security Proxy Wizard (Start > All Programs > Attachmate Reflection for the Web > Utilities > Security Proxy Wizard.
2. On the Advanced Settings tab, clear Client authorization. The message "Client Authorization has been disabled. You must specify a destination host and destination port for each proxy" is displayed. Click OK.

Create a Proxy for Your Destination Host

1. On the Proxies tab, click Modify.
2. Under Protocols, select Emulation or FTP, and then click Modify.
3. Enter the Destination host name or IP address and the Destination port (for example, port 23 for Telnet).
4. Under Protocols, select the second protocol type, and click Modify to configure the destination host and port or click Delete to remove the protocol if it is not needed.
5. Click OK to return to the Proxies tab.
6. To save your settings, click Save.
7. In the Export Proxies dialog box, verify that the correct Management server, Port, and Context values are displayed, and then click Export to export the proxy information to the Administrative WebStation.

Add a Proxy to a Different Destination Host

If you wish to make multiple hosts available through the proxy server, follow these steps to configure a proxy for each additional host.

1. On the Proxies tab, click Add.
2. In the Local port field, enter the protocol port on which the proxy should listen for incoming connections.

3. Under Protocols, click Add.
4. Select a Protocol.
5. Enter your Destination host and Destination port, and then click OK > OK.
6. Repeat steps 1 through 5 for each destination host and port number pair.
7. Click Save > Export > OK, and then Exit.

You can now create secure terminal sessions from a Reflection 2008 or 2007 Windows-based product.

Create a Connection Using Reflection 2008 or 2007

When creating a terminal session using a Reflection 2008 or 2007 product, follow these steps to configure the connection to use the Reflection proxy server.

1. Enter the Host name, select the "Configure additional settings" check box, and then click OK.
2. Under Host Connection, click "Set Up Connection Security" (or "Set Up <connection type> Security").
3. Under Security, click Security Settings. (Skip this step for VT connections.)
4. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
5. Select the "Use Reflection security proxy" check box.
6. Enter the name of your Reflection security proxy and the proxy port number that you have configured for the host you wish to reach, and then click OK > OK.

Related Technical Notes

1557	Reflection Security Proxy Server Performance Factors
1600	Using Certificates with Reflection for the Web
1740	Web-based Management of Windows-based Reflection Sessions
1778	Installing Reflection Metering on an iSeries or AS/400 with WebSphere Application Server Express
1812	Setting Up the Reflection for the Web Security Proxy Server in UNIX, Linux, or Mac OS X
1824	Installing Reflection for the Web Metering Server in UNIX
9988	Reflection for the Web Technical Notes