
Technical Notes

End-to-End Encryption Through the Security Proxy
Technical Note 1883
Last Reviewed 10-May-2007
Applies To
Reflection for the Web 2008 (All Editions except Standard)
Reflection for the Web version 8.5 through 9.6
Summary

This technical note explains how to configure Reflection for the Web to provide end-to-end encryption by tunneling an SSL/TLS direct connection to the host through a security proxy.

Note the following:

  • Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.
  • The host must support SSL direct connections to use this feature.

About End-to-End Encryption

In a standard configuration of secure Reflection for the Web sessions, the connection between the client and security proxy server is encrypted using SSL/TLS, but the connection between the security proxy and the host uses unencrypted Telnet. In some network environments it is necessary to have the entire communication path encrypted, from the client, through the proxy server, and to the host.

Figure 1 – Security Proxy Session vs. End-to-End Encryption

Starting in Reflection for the Web 8.5, Reflection can be configured for end-to-end encryption with token authorization. This feature enables the client to use SSL encryption to connect to the proxy and host securely, through an SSL tunnel. This feature has the following advantages:

  • SSL encryption is used for the entire connection.
  • The IP addresses and names of your secure hosts are not exposed outside of the internal network.
  • Only clients with a valid authorization token can launch a secure session.
  • The authorization token contains connection information. This enables the security proxy to send all secure host connections through a single port, eliminating the need to open multiple firewall ports.

In versions earlier than 8.5, Reflection for the Web used the security proxy's pass-through mode to provide end-to-end encryption. Because pass-through mode does not support token authorization, this configuration required that multiple ports be opened in the firewall. For further details, see the Proxies tab of the Security Proxy Wizard in the online help.

Prepare for End-to-End Encryption

Each end-to-end encryption connection involves two certificates and two SSL handshakes: one between the client and the proxy server, and one between the client and the host (tunneled through the proxy). Before enabling end-to-end encryption in Reflection for the Web, you must configure Reflection for both the Security Proxy Certificate and the Host Certificate.

Security Proxy Certificate

The Reflection for the Web security proxy must be installed and configured. Once the security proxy configuration is complete, the security proxy certificate is created and imported into the Reflection Management Server.

For further details about installing the security proxy, see the Reflection for the Web Installation Guide.

For information about configuring the security proxy when doing a manual installation, see Technical Note 1812.

Host Certificate

Once the security proxy configuration is complete, follow the steps below to:

  • Ensure that server verification is successful.
  • Enable SSL on the host.
  • Import the SSL host certificate into the Reflection Management Server's Terminal Emulator Applet Trusted Certificate store.

Server Verification

To configure your systems so that the SSL handshake between the client and host is successful, you must do one of the following:

Option 1: Use Subject Alternate Names

When creating the host certificate, list the host name of the proxy server as a subject alternate name (recommended).

Option 2: Turn Off Server Identity Verification

Server identity verification can be disabled globally (for all Reflection sessions), or per session.

Globally:

To globally disable server identity verification, follow these steps:

    1. In the Administrative WebStation, click Security Setup.
    2. On the Security tab, clear the "Enable server identity verification" check box, and then click Save Settings.

Per Session:

To disable server identity verification for a single session, follow these steps:

    1. In the Administrative WebStation, click Session Manager and select a session.
    2. Click Applet Parameters.
    3. In the Add Parameters section, select the Parameter serverIdentityOverride, and enter the Value False.
    4. Click Continue > Save Settings.

Note: If you do not plan to disable server verification, you must modify your host certificate with a subject alternate name before you complete the import. The subject alternative name must match the server name used for the security proxy.
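The reason Option 1 is needed is that the client dials the security proxy's name, so the inner handshake compares that name (not the destination host's) against the host certificate. The following added example, which is not part of this technical note or of the Reflection product, models that check with constructed placeholder hostnames so you can see which certificate names pass under Option 1 and what Option 2 gives up.

```python
# Added example (not part of the technical note): models the server identity
# check that the tunnelled client-to-host handshake performs, so an admin can
# see why the host certificate needs the proxy's name as a subject alternative
# name (Option 1) unless identity verification is switched off (Option 2).
# Hostnames below are constructed placeholders.

def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison. A '*' is honoured only as the whole
    leftmost label and only when at least two labels follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names_match(san_dns_names, hostname):
    """True when any subjectAltName DNS entry on the certificate matches hostname."""
    return any(_dns_id_matches(name, hostname) for name in san_dns_names)


def tunnel_identity_check(san_dns_names, proxy_host, verify_server_identity=True):
    """Outcome of identity verification for the inner (client-to-host) handshake.

    The client dialled proxy_host, so that is the name it compares against the
    host certificate, not the destination host behind the proxy. Returns
    (ok, reason). verify_server_identity=False stands for the global
    'Enable server identity verification' box being cleared or the per-session
    serverIdentityOverride parameter described in the note.
    """
    if not verify_server_identity:
        return True, "server identity verification disabled; certificate name not checked"
    if cert_names_match(san_dns_names, proxy_host):
        return True, f"host certificate carries a SAN matching proxy name {proxy_host}"
    return False, (f"host certificate SANs {list(san_dns_names)} do not match "
                   f"proxy name {proxy_host}; handshake fails")


if __name__ == "__main__":
    proxy = "proxy.example.com"
    # Certificate issued with only the host's own name: fails behind the proxy.
    print(tunnel_identity_check(["buttercup.flowers.com"], proxy))
    # Option 1: same certificate reissued with the proxy name as a SAN.
    print(tunnel_identity_check(["buttercup.flowers.com", proxy], proxy))
    # Option 2: verification turned off, so the mismatch is not detected.
    print(tunnel_identity_check(["buttercup.flowers.com"], proxy, verify_server_identity=False))
```

With Option 2 the mismatch is simply not detected, which is why the note recommends Option 1.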

Enable SSL on the Host

Enable SSL on the host. For details, refer to your host documentation.

Import the Host Certificate

Follow the steps below to import the host certificate into Reflection:

  1. In the Administrative WebStation, click Security Setup.
  2. On the Certificates tab, scroll down to the Administer Terminal Emulator Applet Trusted Certificate List section and click "View or modify certificates trusted by the terminal emulator applet."
  3. Import the certificate.

For more details on configuring SSL and creating certificates on the host, see Technical Notes 1759 and 1760.

Enable End-to-End Encryption

Follow these steps to enable end-to-end encryption.

  1. Access the Reflection for the Web Administrative WebStation.
  2. Click Session Manager and add a new session or select an existing session.
  3. Click Launch.
  4. In the session window, click Connection > Disconnect (if you are connected to a host), and then click Connection > Connection (or Session) Setup, and click SSL/TLS (or Security).
  5. In Reflection for the Web 8.5-9.6, select Use SSL/TLS security and choose a Protocol.
  6. Select the "Use Reflection security proxy" check box, and then choose a Security proxy and a Proxy port.
  7. Enter a Destination host and Destination port (the Destination port should be the SSL port on the host, for example, buttercup.flowers.com:3000), and then select the "End to end encryption" check box.
  8. Click OK to return to the main session window.
  9. Click Save and Exit.

Related Technical Notes
1766 SSL Client Certificates and Reflection for the Web
1879 SSL Client Certificates and Reflection for the Web Security Proxy
