Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Configuring HTTPS Proxy Settings for a Secure Reflection for the Web Session
Technical Note 1556
Last Reviewed 30-Nov-2007
Applies To
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 8.0 through 9.x
Summary

If your Reflection for the Web client computers reside in a network that uses an HTTPS proxy server, a secure Reflection for the Web terminal session may either be able to pass through the HTTPS proxy, or may have to bypass the HTTPS proxy, depending on several factors. HTTPS proxy settings can be configured either in a client computer's browser, or as applet parameters in a secure terminal session web page.

Note the following:

  • The information in this document applies only to secure Reflection for the Web sessions. Non-secure Reflection for the Web sessions cannot pass through a proxy server.
  • For proxy server pass through support, Reflection for the Web requires Microsoft Internet Explorer version 5.0 or higher. Reflection does not support this feature in Netscape.

Decide How to Configure Reflection

Before starting the configuration, you must first:

  • Determine whether to have the secure session bypass or pass through the HTTPS proxy.
  • Determine whether to configure the HTTPS proxy settings in the client browsers or the secure terminal session web page.

Bypass or Pass Through?

Secure Reflection for the Web terminal sessions may be able to pass through the HTTPS proxy or may need to bypass the HTTPS proxy. To determine how you need to configure Reflection to work in your network environment, consider the following guidelines:

  • What authentication scheme is your HTTPS proxy server using? Currently, Reflection for the Web is compatible only with Basic authentication. If your HTTPS proxy server uses a different authentication scheme (such as Microsoft NTLM Challenge/Response authentication), secure Reflection for the Web sessions will be unable to pass through the HTTPS proxy server and you will need to bypass the HTTPS proxy.
  • Can you assign port 443 as the listening port for the Reflection Security Proxy? Most HTTPS proxy servers can only tunnel SSL through port 443; therefore; the Reflection security proxy server will typically be configured to listen on port 443.

However, if a web server is installed on the same machine as the HTTPS proxy server (such as Microsoft Internet Information Server - IIS), port 443 is reserved for use by the web server and Reflection must be configured to bypass the HTTPS proxy server. (Alternately, the HTTPS proxy server can be installed on a separate machine from Microsoft IIS.)

However, if the Reflection Security Proxy server is installed on the same machine as the web server, port 443 is probably already being used by the web server; therefore, the security proxy will be unable to use port 443 and you need to bypass the HTTPS proxy. (Alternately, the Reflection Security Proxy server can be installed on a separate machine, or under certain circumstances, under a separate IP address on the same machine. If you would like more information about this topic, please contact Technical Support.)

Note: Beginning in Reflection for the Web 2008, the Security Proxy Server is not included in the Standard Edition.

Where to Configure the Settings?

You can configure the secure session to bypass or pass through the HTTPS proxy from either the browser (on individual client PCs) or the terminal session web page (as an applet parameter, applied to all users). To determine the best place to make the changes, consider the following guidelines:

Reasons to Configure HTTPS Proxy Settings in the Browser

When loading a secure terminal session, the Reflection for the Web terminal session applet reads Windows registry settings to determine if the client computer's browser is configured to pass secure HTTP through an HTTPS proxy server. If an HTTPS proxy server is identified in the browser settings, Reflection for the Web directs the secure connection to pass through this proxy.

Consider using this method if:

  • The client computers run Windows.
  • The client computers use Internet Explorer or Netscape 4.x to run Reflection for the Web. Note: Versions 6.0 or higher of Netscape are not supported.
  • The client computers reside behind different firewalls, some of which contain HTTPS proxy servers.

Because the httpsProxy applet parameter on the session web page can be used to specify only a single HTTPS proxy, it may be easier to configure individual user browsers rather than the session web page in this case.

However, If you choose to configure the HTTPS proxy settings from the session web page, you can create separate terminal sessions for each HTTPS proxy server, through which users from different locations can connect.

Reasons to Configure HTTPS Proxy Settings in the Session Web Page

HTTPS proxy settings can also be set by configuring the terminal session. Applet parameters configured in this manner override any HTTPS proxy settings configured in the browser and can be used to either specify or bypass an HTTPS proxy server during a secure session. This method can be used to configure HTTPS proxy settings for non-Windows clients, and can provide the ease of central administration in some environments.

This method is required if:

  • The client computers run operating systems other than Windows.
  • The client computers use browsers other than Internet Explorer or Netscape 4.x. (The Reflection terminal session applet can currently only auto-detect HTTPS proxy settings specified by Internet Explorer or Netscape on a Windows computer.)
  • The client computer is running Reflection for the Web 8.0 or earlier and does not use the Microsoft virtual machine (VM) and you plan to specify an HTTPS proxy. Note: For purposes of passing though the proxy, Reflection for the Web 8.0 or earlier cannot obtain HTTPS proxy settings when using the Sun Java VM. However, exceptions configured in the browser are effective if your goal is to bypass the proxy, even when using non-Microsoft VMs.

Also consider using this method if:

  • All of the client computers reside behind the same firewall and pass through the same HTTPS proxy server.

Configuring Reflection

Once you have decided whether Reflection should bypass or pass through the HTTPS proxy server, and whether to configure these settings through the browser or through the session web page, follow the instructions below to make the necessary modifications to your installation.

Configuring Reflection to Bypass the HTTPS Proxy

To configure Reflection to bypass an HTTPS proxy server, follow the instructions below for the configuration method you have decided upon. Steps are provided to configure the browser or the session web page.

Bypass Using Internet Explorer
Bypass Using a Session Web Page

Bypass Using Internet Explorer

Follow these steps to configure the settings in Internet Explorer 5.0 or higher.

  1. In Internet Explorer, select Internet Options on the Tools menu.
  2. In the Internet Options dialog box, click the Connections tab, and then click LAN Settings.
  3. Check the "Use a proxy server" checkbox, and then click Advanced.
  4. Note: If no HTTPS proxy server is specified in the Secure: field, the terminal session will not pass through an HTTPS proxy server and there is no need to make an exception.

In the Exceptions field of the Proxy Settings dialog box, enter the host name or IP address of the Reflection security proxy server. For example,

myreflectionproxy.domain.com

Click OK.

Bypass Using a Session Web Page

The proxyExcept parameter is used to specify an exception list of Reflection security proxy servers by host name or IP address. Client machines connect to the listed servers without passing through the configured HTTPS proxy server. Typically, a given session will use only one Reflection security proxy server. However, the proxyExcept parameter can accept a list of security proxy servers (separated by commas) in order to accommodate unusual cases.

Note:

  • The proxyExcept parameter is applicable only if the httpsProxy parameter is set. If the httpsProxy parameter is not configured, the proxyExcept parameter is ignored.
  • The name of the security proxy server used in the proxyExcept parameter is case sensitive; it must match the case of the security proxy server name used in creating the secure session.

If you do not know the IP address or name of the HTTPS proxy server (for example, if you are accessing an HTTPS proxy server at a remote client site), enter a fake HTTPS proxy value for the httpsProxy parameter. This allows the configured proxyExcept parameter to function.

The following example parameters and values force the client computers to bypass the HTTPS proxy server when using a secure Reflection session to connect to a Reflection security proxy server named RefSecProxy. In this case, the IP address of the HTTPS proxy server is not known, so the fake IP address "1.2.3.4" is used for the httpsProxy parameter.

Parameter
Value
httpsProxy
1.2.3.4:443
proxyExcept
RefSecProxy.mydomain.com

To configure the session web page, follow the steps in Configuring the Proxy Parameters.

Configuring Reflection to Pass Through the HTTPS Proxy

To configure Reflection to pass through an HTTPS proxy server, follow the instructions below for the configuration method you have decided upon. Steps are provided to configure the browser or the session web page.

Pass Through Using Internet Explorer 5.0 or Higher
Pass Through Using a Session Web Page

Pass Through Using Internet Explorer 5.0 or Higher

Follow these steps to configure the settings in Internet Explorer 5.0 or higher.

  1. In Internet Explorer, select Internet Options on the Tools menu.
  2. In the Internet Options dialog box, click the Connections tab, and then click LAN Settings.
  3. Check the Use a proxy server check box, and then click Advanced.
  4. In the Secure field of the Proxy Settings dialog box, enter the host name (or IP address) and port of the HTTPS proxy server you want the secure terminal session to pass through. Click OK.

Pass Through Using a Session Web Page

The httpsProxy parameter is used to specify the host name or IP address and port number of the HTTPS proxy server the client computer connects through while running secure Reflection sessions.

For example, the following parameter and value forces the client machine to use the HTTPS proxy server named myHTTPSProxy during the secure Reflection session:

Parameter: httpsProxy

Value: my HTTPSProxy:443

Use this parameter if you want all users to use the same HTTPS proxy server when running secure session (this parameter overrides the browser settings).

To configure the session web page, follow the steps in Configuring the Proxy Parameters.

Configuring the Proxy Parameters

In Reflection for the Web, the terminal session web page is created dynamically. Applet parameters are added through the Administrative WebStation's Session Manager. When the session is requested by a user, the html generated for the session will include these parameters.

To configure the terminal session, follow the steps below.

  1. Open the Administrative WebStation; click Tools > Session Manager.
  2. Click Create New Session or select a current session to modify.
  3. Under "Configure a Web-Based Reflection Session" complete the items as needed and select "Applet Parameters."
  4. In the Add parameters dialog box, select httpsProxy from the parameters list. In the Value field, enter the name or IP address of the HTTPS proxy server, a colon, and the port number: <name or IP address>:<port number>
  5. Click Add.
  6. If you are configuring Reflection to bypass the proxy, select proxyExcept from the parameters list (skip this step if you are configuring Reflection to pass through the proxy). In the Value field, enter the Reflection security proxy server name or IP address.
  7. Click Add.
  8. Click Continue.
  9. Select Launch, if necessary, to continue the session Configuration. Otherwise, click Save Settings.

In environments where some clients are able to navigate an HTTP proxy but others need to bypass their HTTP proxy (for example, because their HTTP Proxy requires NTLM authentication), use the retryWithoutHTTPProxy parameter. Set the value to "true."

Additional Information in the Administrative WebStation

For additional information on using applet parameters, open the Administrative WebStation in a browser. On the table of contents, click Advanced > Applet Attributes and Parameters. The httpsProxy, proxyExcept, and retryWithoutHTTPProxy parameters are listed by name in the Terminal Emulation Applet Index of Attributes and Parameters.

Related Technical Notes
9988 Reflection for the Web Technical Notes

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.