Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Web-based Management of Windows-based Reflection Sessions
Technical Note 1740
Last Reviewed 11-May-2006
Applies To
Reflection Administrator version 8.0 through 9.x
Reflection for the Web version 8.0 through 9.x
Reflection Windows-based Products version 12.0 through 14.x
Summary

This technical note describes how to create, configure, and manage Windows-based Reflection sessions using web-based Reflection tools: Reflection Administrative WebStation, the security proxy, and the Reflection metering server.

Web-based management is available to Reflection administrators who have obtained the Reflection Administrator add-on component for use with their 12.0-14.x Reflection Windows-based products, or have installed and configured Reflection for the Web with the appropriate licensing.

This technical note contains the following topics:

Web-based Reflection Management Tools
Overview: What to Install and Configure
Configuring the Security Proxy (Optional)
Configuring Metering (Optional)
Configuring Access Control
Creating and Configuring Reflection Sessions
Configuring Automatic Updates
Links to Reflection Sessions
Resources

Web-based Reflection Management Tools

The web-based tools used to centrally manage Reflection sessions include:

  • Reflection Administrative WebStation

(Note: The term "Reflection management server" refers to the Administrative WebStation plus the terminal emulation files.)

  • Security Proxy
  • Metering server

The features of the web-based tools are listed here. Instructions for using them are included in the remainder of this technical note.

For optimal performance, we recommend that you pair the following product versions:

Reflection Administrator
Reflection Windows-based Products
Reflection Web-based Products
Version 8.0
Version 13.0*
Version 8.0
Version 9.x
Version 14.x*
Version 9.x

* Beginning in version 13.0, you can manage Reflection for Secure IT sessions and Reflection FTP sessions with Reflection Administrator.

Reflection Administrative WebStation

When you use the WebStation to manage your Windows-based sessions, you can:

  • Create a web page that enables users to click a link to launch configured Reflection sessions on their workstations using updated settings files.
  • Maintain settings files centrally on a web server or enable users to maintain their settings files locally after the initial download.
  • Use a single console (the WebStation) to manage Windows-based Reflection sessions for users who have installed Reflection software. (The Reflection for the Web console can also manage web-based sessions.)
  • Easily configure Windows-based Reflection sessions that use the Reflection security proxy server and its Secure Authorization technology.
  • Use Reflection's access control and authentication methods to specify which Reflection sessions are available to particular users or groups of users.
  • Use the Auto Update feature to configure automatic updates to session settings.
  • Understand the usage of Reflection 12.0-14.x sessions.

Security Proxy

The Reflection security proxy provides secure connections to any host through the Reflection security proxy server, using SSL v3.0 or TLS v1.0 protocols. The data transmitted between the Reflection client and the security proxy is encrypted, but the data sent from the proxy server to the destination host is unencrypted.

You can use the security proxy to configure secure connections even if your host is not running a Telnet server. For example, you might use the proxy server to secure your connections if you use Reflection for HP to connect to HP 3000 hosts using the VT-MGR protocol.

To use the security proxy, you must install and configure the security proxy on the web server.

Alternate method of configuring secure sessions. The Windows-based Reflection applications provide fully-integrated support for secure authentication and data encryption using a secure protocol that the host supports. Depending on the host type that Reflection will connect to, you can choose SSL/TLS, Secure Shell, Kerberos, or XDM Authorization.

These types of secure connections are configured when you create and configure Reflection sessions. No further installation is required.

Metering Server

You can use the Reflection metering server to audit and report the usage of Reflection version 12.0 -14.x sessions.

Overview: What to Install and Configure

The steps in this technical note refer to using the automated installers provided with Reflection Administrator and Reflection for the Web. Depending on your environment, you may need to manually install some components and do more extensive configurations. This note links to resources with further instructions.

What to Install

Windows-based Reflection sessions are available only from Windows workstations that have the supporting Reflection Windows-based client software installed. To manage your Reflection sessions using the Administrative WebStation, the following software must be installed in the appropriate locations:

On the administrative and user workstations

  • On each client machine and on each machine that will be used to launch the Administrative WebStation, install version 12.0-14.x of your Windows-based Reflection product(s):
Reflection for the Multi-Host Enterprise, Professional Edition
Reflection for the Multi-Host Enterprise, Standard Edition
Reflection Suite for X
Reflection for IBM
Reflection for HP with NS/VT
Reflection for UNIX and OpenVMS
Reflection X
Reflection for Secure IT
  • Web browser with a java virtual machine
  • On each workstation that will use the security proxy:

Microsoft Internet Explorer version 4.0 or higher installed with 128-bit encryption.

To verify that you have the correct encryption level, open Internet Explorer and click Help > About Internet Explorer. The Cipher Strength should be set to 128-bit. If it is not, download the High Encryption Pack from Microsoft:

http://www.microsoft.com/windows/ie/ie6/downloads/recommended/128bit/default.mspx

On the web server

  • Reflection Administrator or Reflection for the Web

Use the automated installation to install Reflection Administrator or Reflection for the Web. De-select the optional components that you do not plan to use.

  • Optional components (can be installed on different servers):
Reflection security proxy
Reflection metering server

By default, the security proxy and the metering server are installed during the automated installation unless they are de-selected. Note: You can install either option at a later time, but more extensive configuration is required.

If you choose to manually install Reflection Administrator or Reflection for the Web, refer to the installation guide and technical notes listed in the Resources section for instructions.

What to Configure

For ease of administration, proceed with your configuration of the Reflection web-based management features in this order:

1. Start the servlet runner for the Reflection management server.
2. Configure the optional server components you plan to use:
- Security proxy
- Metering
3. Configure Access Control.
4. Create and configure Reflection sessions.

Starting the Servlet Runner

The servlet runner must be started before you can use the Reflection managment server (including the Administrative WebStation). The procedure for starting the servlet runner varies depending on where and how you installed Reflection Administrator or Reflection for the Web.

If you are using the Tomcat servlet runner provided with Reflection (installed either by the automated installer or tomcat.zip), follow these steps:

On Windows NT and above platforms:

If you used the automated installer and you chose to install the servlet runner as an NT service, then the servlet runner starts automatically. You can start or stop the service in the Services list. In Windows Control Panel, click Administrative Tools > Services, and select Reflection Server.

If the servlet runner was not installed as an NT service, you can use the Start menu: Programs > Reflection Administrator OR Reflection for the Web > Start Servlet Runner.

If you installed using archive files, run the startup.bat file in the \ReflectionServer\jakarta-tomcat-[version number]\bin\ folder. (To close the servlet runner, run shutdown.bat in the same folder.)

On UNIX or Linux platforms:

Run the startup.sh file in the [installation path]/jakarta-tomcat-[version number]/bin/ directory. The command is: ./startup.sh (To close the servlet runner, run shutdown.sh in the same folder.)

Note: Be sure that necessary permissions have been set for the .sh files. Permissions should be set to allow full access for owner, and read and execute permissions for group and other. Use the following command: chmod 755 *.sh

If you are using a servlet runner other than the one provided with Reflection, refer to the servlet runner documentation for instructions to start the servlet runner.

Configuring the Security Proxy (Optional)

Use the Reflection security proxy to make secure SSL/TLS connections if your host does not support a secure protocol, or if you simply prefer to use the proxy server. To configure the security proxy, you will:

A. Run the Security Proxy Wizard.
B. Start the security proxy.
C. Distribute and import the security proxy certificate.

Note the following:

  • You cannot configure the security proxy for use with Reflection X sessions, Reflection FTP Client sessions, or Reflection for Secure IT SSH or SFTP client sessions.
  • The servlet runner must be started to complete the configuration. (See Starting the Servlet Runner.)
  • Each client machine must have Microsoft Internet Explorer version 4.0 or higher installed with 128-bit encryption. This provides the crypto libraries needed for the Reflection client to communicate with the Reflection security proxy server. To verify that you have the correct encryption level, see the instructions in What to Install.

A. Run the Security Proxy Wizard

Use the wizard to set properties and to import or generate the appropriate certificates. If you used the auto-installer to install the security proxy, follow the steps below.

If you manually installed the security proxy, see the Reflection for the Web Installation Guide (http://www.attachmate.com/docs/reflection/rweb/9.5/installguide.html) > Configuring Components > Security Proxy Server.

  1. Open the Security Proxy Wizard.

In Windows: Click Start > Programs > Reflection Administrator OR Reflection for the Web > Utilities > Security Proxy Wizard.

On UNIX, Linux, or Solaris platforms: Run the SecurityWizard.sh file located in the [installation path]/securityproxy/bin/ directory.

  1. Proceed with your configuration, according to the method you used to install the security proxy.
    • If you used the auto-installer and installed the security proxy along with the other Reflection Administrator or Reflection for the Web components, the security proxy server is already configured. Skip to step 5 below, Export the security proxy certificate.
    • If you used the auto-installer to install the security proxy separately (or a different server or after the other components were already installed), continue with step 3.
  1. On the Trusted Certificates tab:
    1. Click the Import button to import a trusted management server certificate to the security proxy server.
    2. Click Server.
    3. Enter the management server information, the http port, and a friendly name of your choosing. Note: The default servlet context is rweb.
    4. Click OK. The certificate name appears in the list.
  2. On the Proxies tab:
    1. Click the Export Settings button (near the bottom of the dialog box) to register the proxy with the Reflection management server.
    2. Verify the information in the Export Proxies dialog box. For "Port," use the management server's http port. Click Export and then click OK to confirm the export.
  3. Export the security proxy certificate.

If you have a Certificate Authority (CA)-signed certificate (from VeriSign or Thawte, for example), or if you are using an internal CA-signed certificate that was added to the users' browser trusted certificate store, follow these steps to import the certificate into the security proxy:

    1. On the Security Proxy Certificates tab, click the Import button.
    2. Enter the file name, Password, and Friendly name. Click OK.
    3. Continue with B. Start the Security Proxy.

If you are using a self-signed certificate, you need to distribute and install the security proxy certificate to all workstations that will be connecting through the proxy. Follow these steps:

    1. On the Security Proxy Certificates tab, click the Export button.
    2. In the Export dialog box, enter a location for the certificate in the "Look in" box.
View Full Size
1740_1.gif
    1. In the "File name" box, enter a name for the certificate with a .der extension. For example, MyCertificate.der. (Disregard the .pfx extension in the "Files of type" box.)
    2. Click Save. Click OK to confirm the export.

Note: This certificate file needs be installed on all PCs that will be connecting to this security proxy server. After you start the security proxy, follow the instructions in C. Distribute and Import the Security Proxy Certificate.

B. Start the Security Proxy

The procedure for starting the security proxy varies depending on how you installed it.

If the automated Windows installer was used to install the security proxy

  • and it was installed as an NT service (the default), the proxy was automatically started.

Note: If you made any changes on the Proxies tab in the Security Proxy Wizard, then stop and restart the Reflection Security Proxy from Windows services. (In Windows Control Panel, click Administrative Tools > Services, and select Reflection Security Proxy.)

  • but is was not installed as an NT service, use the Start menu: Click Start > Programs > Reflection Administrator OR Reflection for the Web > Start Security Proxy.

If a non-Windows automated installer was used to install the security proxy

Start the security proxy by running the shell script, SecurityProxy.sh, located in [install directory]\securityproxy\bin.

C. Distribute and Import the Security Proxy Certificate

As of version 13.04, this step is no longer necessary. In prior versions, the security proxy server certificate must be imported to the Reflection users' client workstations that will connect through the security proxy. Be sure to import the certificate to the administrative workstation's browser.

Note: If you are using a CA-signed certificate and it is already present on the user workstations, your security proxy configuration is complete. Skip to Configuring Metering (Optional).

To distribute the security proxy server certificate:

First, distribute the security proxy certificate (the *.der file) to the users who will connect through the security proxy. The certificate can be distributed by e-mail, from a network server, or floppy disk. Since this certificate contains only the public key of the server, it does not necessarily need to be securely distributed.

To import the security proxy certificate:

Then, import the certificate into Internet Explorer's trusted certificates store on each client PC. (Or, provide these instructions to the users.)

  1. Double-click the <certificate>.der file from the designated location.
  2. Click Install Certificate to open the Windows Certificate Wizard.
  3. Accept the defaults and click Next on each wizard screen.
  4. Click Finish to import the certificate to the certificate store. When you see a message saying, "The import was successful," click OK.
  5. To verify that the certificate was added to the list of the currently installed certificates, open Internet Explorer and click Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities.

Scroll to find the imported certificate, which is listed using the proxy server's host name in the Issued To column.

Configuring Metering (Optional)

You can use the Reflection Metering server to audit your site's usage of Reflection version 12.0-14.x. For information about configuring metering and viewing reports, see your Reflection product documentation:

Expand the Metering Reflection Products topic.

Expand the Configuring Components > Metering Server topic.

Configuring Access Control

The Administrative WebStation supports several authentication methods to specify which sessions can be accessed by individual users or groups of users.

  1. In the Administrative WebStation, click Access Control Setup > Configure to see the list of options.
  2. Select an authentication method and click Next to configure it. The default is "None."
View Full Size
1740_2.gif

After you set the access control, you are ready to create and configure your Reflection sessions.

Creating and Configuring Reflection Sessions

When you create or edit Windows-based Reflection sessions from the Administrative WebStation, Reflection runs in Administrative WebStation mode. In this mode, your sessions are saved automatically to the web server, and the Reflection management server automatically creates web pages with links that can be used to launch your sessions.

Remember: Windows-based Reflection sessions are available only from Windows workstations that have the supporting Reflection client software installed.

Using the Administrative WebStation

The following steps outline how to use the Reflection Administrative WebStation to configure Windows-based Reflection sessions.

  1. Before you begin:
    • Confirm that the appropriate Reflection software products are installed on the Windows workstations (see What to Install)
    • Be sure that the servlet runner for the Reflection management server is started (see Starting the Servlet Runner).
  1. Open the Reflection Administrative WebStation:
    1. Choose the method according to your installation:

In Windows (on the web server): Click Start > Programs > Reflection Administrator OR Reflection for the Web > Administrative WebStation.

Alternate method (from any machine): Open the URL for the login page in your web browser. The URL uses this format:

https://[host name]:[port number]/[web application context]/AdminStart.html

If the port number is the default of 443 for HTTPS, you can omit it. For example, the URL to open the Administrative WebStation might be:

https://ServerName/rweb/AdminStart.html

Note: When you connect using a self-signed certificate, your browser warns you about the certificate you created. This is expected behavior. In the warning message, click Yes to proceed, and the administrator login page will open. This warning message does not appear after you purchase a CA-signed certificate or if you connect using HTTP.

    1. Log on as an administrator by entering the password that you specified during installation.
    2. Click Submit. A links list opens; click the Administrative WebStation link.
  1. Click Session Manager and click Add to create a new Reflection session.
  2. On the Add New Reflection Session page, select a session type and enter a session name. Then, click Continue.
View Full Size
1740_3.gif

Note: The format of the information presented on this page varies depending on which product you are using.

  1. On the Configure a Windows-Based Reflection Session page, specify your preferences for where and how files will be copied to user workstations. For more information about these options, click Help.
View Full Size
1740_4.gif
  1. Click Launch to start the new terminal session on your workstation in "Administrative WebStation mode."

Configure the Reflection Session

In the launched Reflection session, configure your settings and security options.

  1. Set your preferences. In the launched Reflection session, click Settings and then click each menu option to select your preferences.

Note: To import settings from an existing settings or client file, use the File > Open command. The settings file saved to the web server uses the session name that you entered for the session (step 4 above), not the name of the imported settings file.

  1. Set the security properties. Follow the steps below if you choose to use either a host-support security protocol in Reflection or the Reflection security proxy.

(If you choose to not secure the Reflection session at this time, skip to step 4 to save and exit your session.)

    1. In the launched Reflection session, open the Security Properties dialog box:

In Reflection for HP with NS/VT or Reflection for UNIX and Open VMS, click Connection > Connection Setup > Network. Select a protocol, and click the Security button.

In Reflection for IBM, click Connection > Session Setup > Security (button).

In Reflection X, click Settings > Security. The check box to Enable XDM AUTHORIZATION-1 method is cleared by default.

When you launch Reflection in Administrative WebStation mode, the SSL/TLS tab of Security Properties dialog box includes additional controls that make it easy to create sessions that connect to hosts via the proxy. (Note: This option is not available in Reflection X, Reflection FTP Client, or Reflection for Secure IT SSH or SFTP clients.)

Here is an example from Reflection for IBM:

View Full Size
1740_6.gif

    1. Select your preferred security protocol and enter the appropriate information. To use the security proxy, click the SSL/TLS tab.
    2. Enter the appropriate information.

If you are using the security proxy, select the check boxes to Use SSL/TLS security and to Use Reflection security proxy. Then enter the Security proxy server and destination host information.

    1. When the information is entered, click OK. Test your connection.
  1. Save and exit your Reflection session. When the Windows-based Reflection session exits:
    • The saved settings become part of the session configuration and are automatically saved to your web server.
    • If configured, the session's security protocol is listed in the Session Manager under Security Status.
    • You are returned to the Administrative WebStation, and the confirmation page provides a link to the Access Mapper.
  1. In Access Mapper, select which sessions you want to make available to all users. By default, sessions are available only to administrators.
View Full Size
1740_5.gif

Configuring Automatic Updates

You can use the Administrative WebStation's Auto Update feature to centrally deploy changes to Reflection settings files for these Windows-based applications: Reflection for IBM, Reflection for HP, Reflection for UNIX and OpenVMS, Reflection for ReGIS Graphics, or Reflection for Secure IT.

With this feature, a settings update file is maintained in a central location. Whenever users launch a session, Reflection automatically incorporates any changes you saved to the settings update file.

Configuring automatic updates for sessions not yet created

Follow these steps to automatically update the settings files in any new Reflection sessions that you add.

  1. Open the Administrative WebStation and click Settings in the navigation panel.
  2. On the General tab, select the check box to "Enable auto update when creating Windows-based Reflection sessions" (next to "Auto update files for Windows-based Reflection").
  3. In the "Location of auto update files" box, enter the URL or path to the folder you will use to store auto update files. The folder must be accessible to users running the applicable Windows-based Reflection sessions.

You can use a URL, a UNC path, or a mapped network drive. For example:

http://myserver.com/rweb/autoupdate/
file://myserver.com/rweb/autoupdate/
s:\rweb\autoupdate\

By default, each settings update file is assigned the same name as your Reflection session, followed by the appropriate file extension for updates in that session type. For example, if you add a new Reflection for IBM session called Joe and you set "Location of auto update files" to S:\rweb\, the session will look for updates in S:\rweb\Joe.rsu.

  1. Click Save Settings.

The result: When you create a new Windows-based Reflection session using the Administrative WebStation, the changes saved to the settings update file will be automatically incorporated when the session is launched.

Enabling automatic updating in existing sessions

Follow these steps to configure auto updates for an existing Reflection session.

  1. Launch the Administrative WebStation and open the Session Manager.
  2. Click the session you want to edit.
  3. Decide whether or not to change your selection about overwriting end user files. Click Launch.
  4. In the Reflection session, go to Setup > View Settings, then search for Auto Update File.
  5. Under Settings details, enter the location of the settings update file. (This can be a UNC path or a URL.) For more information, click the Setting Help button.
  6. Click OK to close the View Settings dialog box.
  7. On the File menu, click Save to save this change.

Creating and modifying a settings update file

Settings update files contain information about specific settings only. Whenever users launch sessions that have been configured to use Auto Updates, Reflection automatically incorporates the changes you saved to the settings update file.

To create or modify a settings update file:

  1. On the administrative workstation, use the Windows Start menu—not the Administrative WebStation—to launch a new (untitled) Windows-based session for any of these Reflection applications: Reflection for IBM, Reflection for HP, Reflection for UNIX and OpenVMS, or Reflection for ReGIS Graphics.
  2. Configure just those settings you want to deploy to end users.
  3. Click File > Save As and select Settings update from the "Save as type" list.
  4. Enter the name and location of auto update files that you specified earlier in the Administrative WebStation (step 3 in Configuring automatic updates for sessions not yet created.)
  5. Save the file.

For more information about working with these files, see "Settings update files" in the Reflection Help.

Links to Reflection Sessions

As the administrator, you can provide users with a URL that displays links to the configured Reflection sessions that they are authorized to access. The URL uses this format:

https://myserver/rweb

To see a list of the links generated for your individual Reflection sessions, open the Administrative WebStation and click Session Manager > View URLs. For example, the URL for an IBM 3270 session might look like this:

https://<server>:443/rweb/WIXSession.do?link=IBM*u00203270

Resources

Introduction to Reflection Administrator (pdf) http://www.attachmate.com/docs/reflection/radmin/8.0/ra_guide.pdf

Reflection for the Web 9.6 Installation Guide (pdf) http://www.attachmate.com/docs/reflection/radmin/9.6/installguide.html

Reflection for the Web Technical Notes Index, Technical Note 9988.

Related Technical Notes
1812 Setting Up the Reflection for the Web Security Proxy Server in UNIX, Linux, or Mac OS X
9988 Reflection for the Web Technical Notes

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.