Web-based Management of Windows-based Reflection Sessions

  • 7021491
  • 02-Oct-2003
  • 01-Apr-2018

Environment

Reflection 2014
Reflection Pro 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection X 2014
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Reflection X 2011
Reflection for IBM version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection for HP with NS/VT version 14.x
Reflection X version 14.x
Reflection FTP Client version 14.0 or higher

Situation

This technical note describes how to create, configure, and manage Windows-based Reflection sessions using the Reflection Administrative WebStation, a web-based tool. These sessions can use services provided by the Reflection servers: the management server, the security proxy, and the metering server.

Note the following:

  • The term "Windows-based Reflection products" refers to non web-based Reflection products, such as Reflection for UNIX and OpenVMS, Reflection for IBM, and Reflection X.
  • Web-based management is available to Reflection administrators who have obtained Reflection Security Gateway 2014 or the Reflection Administrator 2011 add-on component for use with their Reflection Windows-based products, or who have installed and configured Reflection for the Web with the appropriate licensing.
  • If you are licensed for Reflection for the Web, you have the server components necessary to centrally manage Reflection Windows-based sessions; however, you must still obtain the appropriate licensing to run Reflection in this manner. Licensing is provided by purchasing Reflection Security Gateway 2014 or the Reflection Administrator 2011 add-on product.

If you do not have Reflection for the Web, to use Reflection to manage Windows-based Reflection sessions, obtain a copy of Reflection Security Gateway. This gives you both the required Reflection servers, and a license to use the servers to manage Windows-based Reflection sessions.

  • Windows-based Reflection sessions are available only from Windows workstations that have the supporting Windows-based Reflection client software installed.

Resolution

Web-based Reflection Management Tools—Overview

The Reflection Administrative WebStation is a web-based tool used to centrally manage Reflection sessions. These sessions can use services provided by the Reflection servers:

  • Management server
  • Security proxy server
  • Metering server

Some features of these servers are listed in this section. Details for what to install and how to configure the servers are included in the remainder of this technical note.

Management Server—Reflection Administrative WebStation

When you use the WebStation to manage your Windows-based sessions, you can:

  • Create a web page that enables users to click a link to launch configured Reflection sessions on their workstations using centrally deployed settings files.
  • Maintain settings files centrally on a web server or enable users to maintain their settings files locally after the initial download.
  • Use a single console (the WebStation) to manage web-based sessions or Windows-based Reflection sessions for users who have installed Reflection software.
  • Easily configure Windows-based Reflection sessions that use the Reflection security proxy server and its Secure Authorization token technology.
  • Use Reflection's access control and authentication methods to specify which Reflection sessions are available to particular users or groups of users.
  • Use the Auto Update feature to configure automatic updates to Reflection for IBM, Reflection for UNIX and OpenVMS or Reflection for HP with NS/VT session settings.
  • Audit, manage, and report the usage of Reflection sessions.

Security Proxy Server (Optional)

The Reflection security proxy provides secure connections to any host through the Reflection security proxy server, using SSL v3.0 or TLS v1.0 protocol. The data transmitted between the Reflection client and the security proxy is encrypted, but the data sent from the proxy server to the destination host is unencrypted. (Note: Reflection can be configured for end-to-end encryption in certain scenarios.)

The following Reflection products (or suite components) and versions can be used with the security proxy server.

Product and Version
Security proxy support with client authorization Enabled (the default)**
Security proxy support with client authorization Disabled
Reflection 2014
Yes
Yes
Reflection for UNIX and OpenVMS 2014
Yes
Yes
Reflection for UNIX and OpenVMS 2011
Yes
Yes
Reflection for UNIX and OpenVMS 14.x
Yes
Yes
Reflection for HP with NS/VT 14.x
Yes
Yes
Reflection for IBM 2014
Yes
Yes
Reflection for IBM 2011
Yes
Yes
Reflection for IBM 14.x
Yes
Yes
Reflection X 2014
Yes
Yes
Reflection X 2011
Yes
Yes
Reflection X 14.x
Yes
Yes
Reflection for Secure IT SSH or SFTP 7.x
No *
Yes
Reflection FTP Client 14.x
Yes
Yes

* These products do provide their own fully-integrated support for secure authentication and data encryption. For more details, refer to the product Help.

** Products that have security proxy support with client authorization enabled can appear in the login/links list.

Metering Server (Optional)

If you are using the Reflection metering server, you can configure Windows-based Reflection products to report to the Reflection metering server. This enables you to audit, control access to, and report the usage of Reflection Windows-based session license use.

For information about configuring Reflection for the Web Windows-based sessions to work with the metering server, see KB 7022192.

What to Install

The steps in this technical note refer to using the automated installers provided with Reflection for the Web, Reflection Security Gateway, and Reflection Administrator. Depending on your environment, you may need to manually install some components and do more extensive configurations. This note links to resources with further instructions.

Windows-based Reflection sessions are available only from Windows workstations that have the supporting Windows-based Reflection client software installed. To manage your Reflection sessions using the Administrative WebStation, the following software must be installed.

What to Install on the Administrative and User Workstations

On each client machine and on each machine that will be used to launch the Administrative WebStation, install:

  • Your Windows-based Reflection product(s). Note: Perform an Administrative installation if you want the option to configure Metering later.
  • A web browser with a Java virtual machine (JVM).

What to Install On the Web Server

  • Reflection Security Gateway, Reflection Administrator, or Reflection for the Web

Use the automated installation to install Reflection Security Gateway, Reflection Administrator, or Reflection for the Web. De-select the optional components that you do not plan to use.

  • Optional components (can be installed on different servers):
Reflection security proxy
Reflection metering server

By default, the security proxy and the metering server are installed during the automated installation unless they are de-selected. Note: You can install either option at a later time, but more extensive configuration is required.

What to Configure

For ease of administration, proceed with your configuration of the Reflection web-based management features in this order.

I. Starting the Servlet Runner

The servlet runner must be started before you can use the Reflection management server (Note: The term "Reflection management server" refers to the Administrative WebStation plus the terminal emulation files.)

The procedure for starting the servlet runner varies depending on where and how you installed Reflection Administrator or Reflection for the Web. If you are using the Tomcat servlet runner provided with Reflection (installed either by the automated installer or tomcat.zip), follow these steps:

Note: In Reflection for the Web 2014 or 2011, the path for the Tomcat server is apache-tomcat. In Reflection for the Web 2008, the path is jakarta-tomcat.

On Windows Servers

If you used the automated installer and you chose to install the servlet runner as a service, then the servlet runner starts automatically. You can start or stop the service in the Services list. In Windows Control Panel, click Administrative Tools > Services, and select Attachmate Reflection Server.

If you installed using archive files, run the startup.bat file in the ReflectionServer\<apache|jakarta>-tomcat-<version number>\bin folder. (To close the servlet runner, run shutdown.bat in the same folder.)

On UNIX or Linux Platforms

Run the startup.sh file in the <installation path>/<apache|jakarta>-tomcat-<version number>/bin directory. (To close the servlet runner, run shutdown.sh in the same folder.)

Note: Be sure that necessary permissions have been set for the .sh files. Permissions should be set to allow full access for owner, and read and execute permissions for group and other. Use the following command: chmod 755 *.sh

If you are using a servlet runner other than the one provided with Reflection, refer to the servlet runner documentation for instructions to start the servlet runner.

II. Configuring the Security Proxy (Optional)

If your host does not support a secure protocol, or if you want to take advantage of the features offered by the proxy server, you can use the Reflection security proxy to make secure SSL/TLS connections.

For information about configuring the security proxy, see the following technical note for your operating system.

Operating System
Technical Note
Microsoft Windows
KB 7022328
UNIX, Linux, and Mac OS X
Technical Note 1812

After the security proxy server has been installed and configured, return to this technical note and proceed with III. Configuring Access Control.

III. Configuring Access Control

The Administrative WebStation supports several authentication methods to specify which sessions can be accessed by individual users or groups of users. Authentication is optional. Only configure an authentication method if you want to restrict access to sessions by user or group identity.

  1. In the Administrative WebStation, click Access Control Setup > Configure to see the list of options.
  2. Select an authentication method and click Next to configure it. The default is "None."

Note: The remainder of this technical note assumes that you have selected "None." For information about other authentication methods, click Help in the Choose Authentication Method window.

View Full Size
1740_0_new.gif
After you set the access control, you are ready to create and configure your Reflection sessions.

IV. Creating and Configuring Reflection Sessions

When you create or edit Windows-based Reflection sessions from the Administrative WebStation, the Reflection Windows-based client runs in "Administrative WebStation mode." In this mode, your sessions are saved automatically to the web server, and the Reflection management server automatically creates web pages with links that can be used to launch your sessions.

Reminder:

  • Windows-based Reflection sessions are available only from Windows workstations that have the supporting Reflection client software installed.
  • Support for Windows-based Reflection 2014 sessions require Reflection Security Gateway 2014 or Reflection for the Web 2014 with the appropriate licensing.

Using the Administrative WebStation

Follow these steps to use the Reflection Administrative WebStation to configure Windows-based Reflection sessions.

  1. Before you begin, confirm that the appropriate Reflection software products are installed on the Windows workstations (see What to Install).
  2. Open the Reflection Administrative WebStation:
    1. Choose the method according to your installation:

In Windows (on the web server): Start > All Programs > Attachmate Reflection for the Web 2014 or Attachmate Reflection Security Gateway 2014 > Administrative WebStation

Alternate method (from any machine): Open the URL for the login page in your web browser. The URL uses this format:

https://<host name>:<port number>/<web application context>/AdminStart.html

If the port number is the default of 80 for HTTP or 443 for HTTPS, you can omit it. For example, the URL to open the Administrative WebStation might be:

https://ServerName/rweb/AdminStart.html

Note: When you connect over HTTPS to a server using a self-signed certificate, your browser warns you about the certificate you created. This is expected behavior. In the warning message, click Yes to proceed, and the administrator login page will open. This warning message does not appear after you purchase a CA-signed certificate or if you connect using HTTP.

    1. Log on as an administrator by entering the password that you specified during installation.
    2. Click Submit. A links list opens; click the Administrative WebStation link.
  1. Click Session Manager and click Add to create a new Reflection session.
  2. On the Add New Reflection Session page, select a session type and enter a session name. Then, click Continue.

Note: The format of the information presented on this page varies depending on which Reflection product and version you are using and licensed for.

  1. On the Configure a Windows-Based Reflection Session page, specify your preferences for where and how files will be copied to user workstations. For more information about these options, click Help.
  1. Click Launch to start the new terminal session on your workstation in "Administrative WebStation mode."

Configure the Reflection Session

Follow the steps for your product.

For Reflection 2014 or Reflection 2011 Workspace

In the launched Reflection 2014 or 2011 Workspace session, configure your settings and security options.

  1. Set your preferences. In the launched Reflection Workspace session, from the Create New Document window, select the appropriate Template for the desired host connectivity.

Note: To import settings from an existing settings or client file, clear the Create New Document dialog box and click the File (tab) > Open command. The settings file saved to the web server uses the session name that you entered for the session (on the Add New Reflection Session page), not the name of the imported settings file.

  1. Set the security properties. Follow the steps below if you choose to use either a host-supported security protocol in Reflection or the Reflection security proxy.

If you choose to not secure the Reflection Workspace session at this time, skip to step 3 to save and exit your session.

    1. In the launched Reflection Workspace session, open the Security Settings properties dialog box: File (tab) > Settings > Document Settings.

For IBM 3270 or 5250: Host Connection > Set Up Connection Security > Security Settings button.

For VT: Host Connection > Set Up Connection Security.

    1. To enable Security, check the Use SSL/TLS Security option. Select your preferred security protocol and enter the appropriate information. To enable Reflection Security Proxy, select the "Use Reflection Security Proxy" option and enter the appropriate information.
    2. When the information is entered, click OK to exit the Security Settings dialog box, and then click OK again to exit Document Settings to test your connection.
  1. Save and exit your Reflection Workspace session. When the Windows-based Reflection session exits:
    • The saved settings become part of the session configuration and are automatically saved to your web server.
    • If configured, the session's security protocol is listed in the Session Manager under Security Status.
  1. In Access Mapper, select which sessions you want to make available to all users. By default, sessions are available only to administrators.

For Reflection 14.x

In the launched Reflection session, configure your settings and security options.

  1. Set your preferences. In the launched Reflection session, click Setup and then click each menu option to select your preferences.

Note: To import settings from an existing settings or client file, use the File > Open command. The settings file saved to the web server uses the session name that you entered for the session (on the Add New Reflection Session page), not the name of the imported settings file.

  1. Set the security properties. Follow the steps below if you choose to use either a host-support security protocol in Reflection or the Reflection security proxy.

If you choose to not secure the Reflection session at this time, skip to step 4 to save and exit your session.

    1. In the launched Reflection session, open the Security Properties dialog box:

In Reflection for HP with NS/VT or Reflection for UNIX and Open VMS, click Connection > Connection Setup > Network. Select a protocol, and click the Security button.

In Reflection for IBM, click Connection > Session Setup > Security (button).

In Reflection X, click Settings > Security. The check box to Enable XDM AUTHORIZATION-1 method is cleared by default.

When you launch Reflection in Administrative WebStation mode, the SSL/TLS tab of Security Properties dialog box includes additional controls that make it easy to create sessions that connect to hosts via the proxy. (Note: This option is not available in Reflection X, Reflection FTP Client, or Reflection for Secure IT SSH or SFTP clients.)

Here is an example from Reflection for IBM version 14.x that uses the security proxy:

1740_6.gif

    1. Select your preferred security protocol and enter the appropriate information. To use the security proxy, click the SSL/TLS tab.
    2. Enter the appropriate information.

If you are using the security proxy, select the check boxes to Use SSL/TLS security and to Use Reflection security proxy. Then enter the Security proxy server and destination host information.

    1. When the information is entered, click OK, and then test your connection.
  1. Save and exit your Reflection session. When the Windows-based Reflection session exits:
    • The saved settings become part of the session configuration and are automatically saved to your web server.
    • If configured, the session's security protocol is listed in the Session Manager under Security Status.
    • You are returned to the Administrative WebStation, and the confirmation page provides a link to the Access Mapper.
  1. In Access Mapper, select which sessions you want to make available to all users. By default, sessions are available only to administrators.

Note: This screen shot assumes that you selected "None" for the Reflection for the Web authentication method.

Links to Reflection Sessions

As the administrator, you can provide users with a URL that displays links to the configured Reflection sessions that they are authorized to access. The URL uses this format:

http://myserver/rweb/WIXSession.do?link<Session Name>

To see a list of the links generated for your individual Reflection sessions, open the Administrative WebStation and click Session Manager > View URLs. For example, the URL for an IBM 3270 session might look like this:

http://<server>:443/rweb/WIXSession.do?link=IBM*u0020Session

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1740.