Connecting Through a Firewall Using Reflection for the Web
Technical Note 1786
Last Reviewed 03-May-2007

Applies To

Reflection for the Web 2008 (All Editions)
Reflection for the Web version 8.0 through 9.x

Summary

You can connect to your host through a firewall using Reflection for the Web. This technical note describes the process of connecting to a host and provides four examples of connecting to a host through a firewall using specific ports and protocols.

Overview

Reflection for the Web uses a three-step process to connect to a host.

  1. The client computer uses a browser to communicate with the web server.
  2. The web server downloads the Reflection for the Web applet to the client.
  3. The Reflection for the Web applet connects to the host.

With this basic understanding of how Reflection for the Web makes host connections, it is easier to understand why specific ports must be opened when you add a firewall to the environment.

There are many ways to incorporate Reflection for the Web into a network environment with a firewall. The four scenarios described below are simple scenarios designed to illustrate the concept of opening ports to allow Reflection for the Web to communicate with the host. The examples provided may or may not reflect your environment.

Scenario One—No security to host

Scenario One depicts an example of connecting through a firewall if no security is used with the host. The communication between the client and the host is not encrypted. If you require a secure environment, this scenario is not recommended.

  1. Using a browser, the client computer communicates with the web server over HTTP (typically port 80, not encrypted) or over HTTPS (typically port 443, encrypted).
  2. The web server downloads the Reflection for the Web applet to the client computer.
  3. The Reflection for the Web applet connects to the host through the firewall over a protocol that the host supports. For example, the applet may connect over Telnet (not encrypted) through port 23. If you connect to an HP3000, usually the NS/VT protocol (not encrypted) through port 1570 is used. The host computer must be accessible from outside the firewall.

Scenario Two—Security proxy server

In this scenario, the Reflection for the Web security proxy server is added. Communication between the client and the security proxy server is encrypted.

Note: Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.

  1. Using a browser, the client computer communicates with the web server over HTTP (typically port 80, not encrypted) or over HTTPS (typically port 443, encrypted).
  2. The web server serves the Reflection for the Web applet to the client computer.
  3. The Reflection for the Web applet on the client computer connects to the security proxy server through the firewall using a preconfigured port, in this example, port 8000. The security proxy server must be accessible from outside the firewall. The communication between the client applet and the security proxy is encrypted (Telnet encrypted with SSL or NS/VT encrypted with SSL).
  4. The proxy server decrypts the packets and forwards them to the host over Telnet (not encrypted) through port 23. If the host computer is an HP3000, the NS/VT protocol (not encrypted) through port 1570 is used.

See Technical Note 1320 for information about configuring the security proxy in a Windows environment.

Scenario Three—Security proxy server using common port

To reduce the number of ports open in your firewall, you may want to use a common port for traffic going to the Reflection security proxy. For example, if port 443 is already open for HTTPS traffic, you may want to configure the security proxy to use this port also. In this scenario, the client is connecting to the host through the firewall via the Reflection for the Web security proxy server. This scenario assumes that the client uses HTTP (port 80) or HTTPS (port 443) to connect to the web server, and uses SSL through port 443 to connect to the security proxy server.

Note: Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.

  1. The client computer connects to the web server through port 80 if using HTTP (not encrypted) or through port 443 if using HTTPS (encrypted).
  2. The web server serves the Reflection for the Web applet to the client computer.
  3. The Reflection for the Web applet on the client computer connects to the security proxy server through the firewall over SSL using port 443. The security proxy server must be accessible from outside the firewall.
  4. The proxy server decrypts the packets and forwards them to the host over Telnet (not encrypted) using port 23. If the host computer is an HP3000, the NS/VT protocol (not encrypted) through port 1570 is used.

Note: If you are using an HTTP/HTTPS stateful filtering firewall (such as DMZShield), it may be incompatible with the proxy server because the protocol in the SSL pipe is Telnet and not HTTP.

Scenario Four—Direct, secure host connection

This scenario illustrates a session between the client and host through a firewall in which the data is encrypted both inside and outside the firewall. This scenario requires the host computer to have either an SSL-encrypted Telnet server or an SSH server installed and configured.

  1. The client computer connects to the web server through port 80 if using HTTP (not encrypted) or through port 443 if using HTTPS (encrypted).
  2. The web server serves the Reflection for the Web applet to the client computer.
  3. The Reflection for the Web applet on the client computer connects to the host through the firewall by using either SSH (encrypted) typically over port 22 or direct SSL (encrypted) typically over port 992.

For more information about configuring Reflection for the Web to use SSH, see Technical Note 1761. Additional information about configuring Reflection for the Web to use SSL is contained in Technical Notes 1759 and 1760.
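
The following added example (not Attachmate code) shows one way to confirm, from the first payload bytes of flows captured at the firewall, that each port carries the protocol the four scenarios say it should. The port numbers are the typical ones quoted in this note; the function names, byte fingerprints, and sample flows are assumptions constructed for illustration, and NS/VT on port 1570 is not fingerprinted.

```python
"""Check what actually crosses the firewall against the note's scenarios."""
ENCRYPTED = {"ssl", "ssh"}
# Protocol each port should carry in the note's scenarios
# (8000 is the note's example proxy port, not a fixed value).
EXPECTED = {22: "ssh", 23: "telnet", 80: "http", 443: "ssl", 992: "ssl", 8000: "ssl"}


def sniff_protocol(data: bytes) -> str:
    """Identify a protocol from the first payload bytes of a TCP stream."""
    if len(data) >= 2 and data[0] == 0xFF and 0xFB <= data[1] <= 0xFE:
        return "telnet"            # IAC followed by WILL/WONT/DO/DONT
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "ssl"               # SSLv3/TLS handshake record header
    if data.startswith(b"SSH-"):
        return "ssh"               # SSH identification string
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def audit(flows):
    """Return (port, protocol, reason) for each flow that needs review.

    flows: iterable of (destination port, first payload bytes) seen
    crossing the firewall in either direction.
    """
    findings = []
    for port, data in flows:
        proto = sniff_protocol(data)
        if proto not in ENCRYPTED:
            findings.append((port, proto, "cleartext or unidentified"))
        elif EXPECTED.get(port, proto) != proto:
            findings.append((port, proto, "unexpected protocol on port"))
    return findings


# Constructed first-payload samples, not captures from a real network.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301004a0100")),   # SSL hello to proxy (scenario 3)
    (8000, bytes.fromhex("fffd18fffd20")),    # raw Telnet on the proxy port
    (23, bytes.fromhex("fffd18")),            # scenario 1: Telnet to host
    (22, b"SSH-2.0-example\r\n"),             # scenario 4: SSH to host
    (80, b"GET / HTTP/1.1\r\n"),              # applet download over HTTP
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

In the sample data, the flows on ports 8000, 23, and 80 are reported: the first indicates a proxy port that is not actually wrapped in SSL, and the other two are the unencrypted legs the scenarios identify.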

Related Technical Notes
1320 Configuring the Security Proxy in a Windows Environment
1759 Connecting to an iSeries or AS/400 Using SSL and Reflection for the Web
1760 Connecting to z/OS or OS/390 Mainframe Using SSL and Reflection for the Web
1761 Using Secure Shell in Reflection for the Web
1812 Setting Up the Reflection for the Web Security Proxy Server in UNIX, Linux, or Mac OS X
9988 Reflection for the Web Technical Notes
