This technical note describes how to create, configure, and manage Windows-based Reflection sessions using the Reflection Administrative WebStation, a web-based tool. These sessions can use services provided by the Reflection servers: the management server, the security proxy, and the metering server.
If you do not have Reflection for the Web and want to use the Reflection servers to manage Windows-based Reflection sessions, obtain a copy of Reflection Administrator. It provides both the required Reflection servers and a license to use them to manage Windows-based Reflection sessions.
This technical note contains the following topics:
The Reflection Administrative WebStation is a web-based tool used to centrally manage Reflection sessions. These sessions can use services provided by the Reflection servers:
Some features of these servers are listed in this section. Details for what to install and how to configure the servers are included in the remainder of this technical note.
When you use the WebStation to manage your Windows-based sessions, you can:
The Reflection security proxy provides secure connections to any host through the Reflection security proxy server, using the SSL v3.0 or TLS v1.0 protocol. The data transmitted between the Reflection client and the security proxy is encrypted, but the data sent from the proxy server to the destination host is unencrypted. (Note: Reflection can be configured for end-to-end encryption in certain scenarios.)
The following Reflection products (or suite components) and versions can be used with the security proxy server.
|Product and Version|Security proxy support with client authorization Enabled (the default)**|Security proxy support with client authorization Disabled|
|Reflection for UNIX and OpenVMS 2011
|Reflection for UNIX and OpenVMS 2008
|Reflection for UNIX and OpenVMS 14.x
|Reflection for HP with NS/VT 14.x
|Reflection for IBM 2011
|Reflection for IBM 2008
|Reflection for IBM 2007
|Reflection for IBM 14.x
|Reflection for Secure IT SSH or SFTP 7.x
|Reflection FTP Client 14.x
* These products do provide their own fully-integrated support for secure authentication and data encryption. For more details, refer to the product Help.
** Products that have security proxy support with client authorization enabled can appear in the login/links list.
If you are using the Reflection metering server, you can configure Windows-based Reflection products to report to it. This enables you to audit, control access to, and report on license usage for Windows-based Reflection sessions.
For information about configuring Reflection for the Web Windows-based sessions to work with the metering server, see Technical Note 2393.
The steps in this technical note refer to using the automated installers provided with Reflection for the Web and Reflection Administrator. Depending on your environment, you may need to manually install some components and do more extensive configurations. This note links to resources with further instructions.
Windows-based Reflection sessions are available only from Windows workstations that have the supporting Windows-based Reflection client software installed. To manage your Reflection sessions using the Administrative WebStation, the following software must be installed.
On each client machine and on each machine that will be used to launch the Administrative WebStation, install:
Use the automated installation to install Reflection Administrator or Reflection for the Web. De-select the optional components that you do not plan to use.
By default, the security proxy and the metering server are installed during the automated installation unless they are de-selected. Note: You can install either option at a later time, but more extensive configuration is required.
For ease of administration, proceed with your configuration of the Reflection web-based management features in this order.
The servlet runner must be started before you can use the Reflection management server. (Note: The term "Reflection management server" refers to the Administrative WebStation plus the terminal emulation files.)
The procedure for starting the servlet runner varies depending on where and how you installed Reflection Administrator or Reflection for the Web. If you are using the Tomcat servlet runner provided with Reflection (installed either by the automated installer or tomcat.zip), follow these steps:
Note: In Reflection for the Web 2011, the path for the Tomcat server is apache-tomcat. In Reflection for the Web 2008, the path is jakarta-tomcat.
If you used the automated installer and you chose to install the servlet runner as a service, then the servlet runner starts automatically. You can start or stop the service in the Services list. In Windows Control Panel, click Administrative Tools > Services, and select Reflection Server.
If the servlet runner was not installed as a service, you can use the Start menu: Programs > Reflection Administrator OR Reflection for the Web > Start Servlet Runner.
If you installed using archive files, run the startup.bat file in the ReflectionServer\<apache|jakarta>-tomcat-<version number>\bin folder. (To close the servlet runner, run shutdown.bat in the same folder.)
Run the startup.sh file in the <installation path>/<apache|jakarta>-tomcat-<version number>/bin directory. (To close the servlet runner, run shutdown.sh in the same folder.)
Note: Be sure that the necessary permissions have been set for the .sh files. Permissions should allow full access for the owner, and read and execute access for group and other. Use the following command: chmod 755 *.sh
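To confirm the result of the chmod step, the following added example (not part of the original note or of Reflection) lists every .sh file in a directory whose mode is not a plain 755 and says what is wrong with it. The function name and the directory passed on the command line are assumptions.

```python
import stat
import sys
from pathlib import Path

EXPECTED_MODE = 0o755  # owner rwx, group and other r-x, as the note specifies


def audit_scripts(bin_dir):
    """Return {file name: [problems]} for each *.sh in bin_dir that is not a plain 755 file."""
    findings = {}
    for path in sorted(Path(bin_dir).glob("*.sh")):
        info = path.lstat()  # lstat reports on a symlink itself, not its target
        mode = stat.S_IMODE(info.st_mode)
        problems = []
        if stat.S_ISLNK(info.st_mode):
            problems.append("is a symlink; check the target instead")
        else:
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable by group or other")
            if mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append("setuid/setgid bit set")
            if mode & 0o555 != 0o555:
                problems.append("missing read or execute permission")
            if mode != EXPECTED_MODE and not problems:
                problems.append("differs from 755")
        if problems:
            findings[path.name] = [f"mode {mode:04o}"] + problems
    return findings


if __name__ == "__main__":
    # Assumption: the servlet runner's bin directory is given as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = audit_scripts(target)
    for name, problems in report.items():
        print(f"{name}: {'; '.join(problems)}")
    if not report:
        print("all .sh files are mode 755")
```

A script that is writable by group or other can be altered by an account other than its owner before the servlet runner next starts, which is why that case is reported separately from a simple mismatch.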
If you are using a servlet runner other than the one provided with Reflection, refer to the servlet runner documentation for instructions to start the servlet runner.
If your host does not support a secure protocol, or if you want to take advantage of the features offered by the proxy server, you can use the Reflection security proxy to make secure SSL/TLS connections.
For information about configuring the security proxy, see the following technical note for your operating system.
|UNIX, Linux, and Mac OS X
After the security proxy server has been installed and configured, return to this technical note and proceed with III. Configuring Access Control.
The Administrative WebStation supports several authentication methods to specify which sessions can be accessed by individual users or groups of users. Authentication is optional. Only configure an authentication method if you want to restrict access to sessions by user or group identity.
Note: The remainder of this technical note assumes that you have selected "None." For information about other authentication methods, click Help in the Choose Authentication Method window.
After you set the access control, you are ready to create and configure your Reflection sessions.
When you create or edit Windows-based Reflection sessions from the Administrative WebStation, the Reflection Windows-based client runs in "Administrative WebStation mode." In this mode, your sessions are saved automatically to the web server, and the Reflection management server automatically creates web pages with links that can be used to launch your sessions.
Follow these steps to use the Reflection Administrative WebStation to configure Windows-based Reflection sessions.
In Windows (on the web server): Click Start > Programs > Reflection Administrator OR Reflection for the Web > Administrative WebStation.
Alternate method (from any machine): Open the URL for the login page in your web browser. The URL uses this format:
https://<host name>:<port number>/<web application context>/AdminStart.html
If the port number is the default of 80 for HTTP or 443 for HTTPS, you can omit it. For example, the URL to open the Administrative WebStation might be:
Note: When you connect over HTTPS to a server using a self-signed certificate, your browser warns you about the certificate you created. This is expected behavior. In the warning message, click Yes to proceed, and the administrator login page will open. This warning message does not appear after you purchase a CA-signed certificate or if you connect using HTTP.
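Because the browser cannot validate a self-signed certificate, an administrator can confirm that the certificate the server presents is the one they created by comparing its SHA-256 fingerprint with a value recorded when the certificate was made. This is an added example, not part of the original note or of Reflection; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as uppercase colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(pin: str) -> str:
    """Accept a recorded pin written with or without colons or spaces, in either case."""
    return "".join(c for c in pin if c not in ": ").upper()


def matches_pin(der: bytes, pin: str) -> bool:
    """True only if the certificate's fingerprint equals the recorded pin."""
    expected = normalize(pin)
    if len(expected) != 64 or any(c not in "0123456789ABCDEF" for c in expected):
        return False  # truncated or malformed pin never matches
    return hmac.compare_digest(normalize(fingerprint(der)), expected)


def pin_from_pem(pem_text: str) -> str:
    """Fingerprint of a PEM certificate, e.g. read from the file on the server."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def check_server(host: str, port: int, pin: str):
    """Fetch the certificate the server presents (no trust check) and compare it
    with the pin. Needs network access to the management server."""
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    return matches_pin(der, pin), fingerprint(der)


if __name__ == "__main__":
    # Constructed stand-in for a certificate's DER bytes so the demo runs offline.
    sample_der = b"constructed sample bytes, not a real certificate"
    recorded = fingerprint(sample_der)  # value the administrator notes at creation
    print("same certificate:", matches_pin(sample_der, recorded))
    print("different certificate:", matches_pin(sample_der + b"x", recorded))
```

Record the pin on the server with `pin_from_pem`, then run `check_server` with the host name and port from the login URL on the workstation before accepting the warning.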
Note: The format of the information presented on this page varies depending on which Reflection product and version you are using.
In the launched Reflection session, configure your settings and security options.
Note: To import settings from an existing settings or client file, use the File > Open command. The settings file saved to the web server uses the session name that you entered for the session (on the Add New Reflection Session page), not the name of the imported settings file.
If you choose to not secure the Reflection session at this time, skip to step 4 to save and exit your session.
In Reflection for HP with NS/VT or Reflection for UNIX and OpenVMS, click Connection > Connection Setup > Network. Select a protocol, and click the Security button.
In Reflection for IBM, click Connection > Session Setup > Security (button).
In Reflection X, click Settings > Security. The check box to Enable XDM AUTHORIZATION-1 method is cleared by default.
When you launch Reflection in Administrative WebStation mode, the SSL/TLS tab of the Security Properties dialog box includes additional controls that make it easy to create sessions that connect to hosts via the proxy. (Note: This option is not available in Reflection X, Reflection FTP Client, or Reflection for Secure IT SSH or SFTP clients.)
Here is an example from Reflection for IBM version 14.x that uses the security proxy:
If you are using the security proxy, select the check boxes to Use SSL/TLS security and to Use Reflection security proxy. Then enter the Security proxy server and destination host information.
Note: This screen shot assumes that you selected "None" for the Reflection for the Web authentication method.
As the administrator, you can provide users with a URL that displays links to the configured Reflection sessions that they are authorized to access. The URL uses this format:
To see a list of the links generated for your individual Reflection sessions, open the Administrative WebStation and click Session Manager > View URLs. For example, the URL for an IBM 3270 session might look like this: