Configure Duplicate Reflection Gateway Proxy Systems

The Reflection Gateway Proxy system is required to support Transfer Sites. Two services run on this system:

  • Reflection Transfer Server

  • Reflection Secure Shell Proxy

To support high availability, you will configure and test an initial instance of the Reflection Gateway Proxy system, then create an identically-configured system and use a load-balancing proxy to distribute the load between these systems.

Before you begin

  • Run the Setup program on each system. Use the Features tab to install the Reflection Gateway Proxy feature on each of these systems. Restart Windows on each system. This starts the services and creates initial default settings files.

  • Log on to Gateway Administrator. Go to System > File Servers and confirm that Transfer site file server is set to use an added SFTP Server. Using the default Reflection Gateway Proxy is not supported for a high availability configuration because there is no replication of data between the Reflection Gateway Proxy systems.

  • Select one of the Reflection Gateway Proxy systems for your initial configuration and testing. After you have this instance working, you will copy required files to duplicate the configuration on your other system.

Configure an initial Reflection Gateway Proxy system

  1. Start the Reflection Secure Shell Proxy console on the server you are using for initial configuration.

  2. On the Reflection Gateway Users pane, enable Allow access to Reflection Gateway users.

  3. For Gateway Administrator host, enter the network name or IP address of the load-balancing proxy configured to connect to Reflection Gateway Administrator.

  4. Click Activate and verify. Click Yes when prompted to restart the Reflection Transfer Server service.

    This action configures the connection between components and saves an internal password that is used to connect to Gateway Administrator. (Each time you click Activate and verify, the internal password is changed.) Changes are saved to the following files: the Secure Shell Proxy's trustedWebService.cer and RSITDatabase files and the Transfer Server's trustedWebService.cer and container.properties files.

  5. If your users will transfer files using the Transfer Client, you need to replace the default self-signed server certificate with a CA-signed certificate. See Replace the Default Server Certificate. This certificate should be configured to authenticate the server name that will be used for connecting to your load-balancing proxy.

  6. Test your configuration. Use Gateway Administrator to create Transfer Sites and confirm that you can transfer files using the Transfer Client or your alternate SFTP client.

Copy required configuration files to the duplicate Reflection Gateway Proxy system

You will need to copy configuration files for both the Reflection Secure Shell Proxy and the Reflection Transfer Server. These files are stored in different locations as described in the procedure.

  1. On the destination server, stop the Reflection Secure Shell Proxy and the Reflection Transfer Server services.

  2. Locate the Reflection Secure Shell Proxy configuration files. The default location is:

    C:\ProgramData\Micro Focus\RSecureServer

  3. Copy the following files to the duplicate system.

    File: rsshd_config.xml
    Details: The Reflection Secure Shell Proxy configuration file. The settings saved to this file include the values you have specified on the Reflection Gateway Users tab for connecting to the Gateway Administrator host name and port.

    File: RSITDatabase
    Details: The Reflection Secure Shell Proxy's encrypted credential cache.

    File: RSITDatabase.sec
    Details: This file contains the key required to decrypt the credential cache and is required to use the cache.

    File: trustedWebService.cer
    Details: Contains the public key used to authenticate Reflection Gateway Administrator. This file is created when you click the Activate and Verify button on the Reflection Gateway Users pane.

    File: hostkey
    Details: The private key of the public/private host key pair used to authenticate this server.

    File: hostkey.pub
    Details: The public key of the public/private host key pair used to authenticate this server.

  4. Locate the Reflection Transfer Server configuration files. The default location is:

    C:\Program Files\Micro Focus\ReflectionGateway\TransferServer

  5. Copy the following files to the duplicate system.

    Files: container.properties
    Details: In the conf subfolder. Includes settings and password for connecting to the Gateway Administrator. If configured, it includes settings for using a CA-signed certificate.

    Files: trustedWebService.cer
    Details: In the etc subfolder. Public key of Gateway Administrator.

    Files: servletcontainer.cer and servletcontainer.jks, -OR- your CA-signed certificate package (typically a .p12, .pfx, or .jks file)
    Details: These files contain the certificate and private key used to authenticate the server when users make HTTPS connections to the Reflection Transfer Server.

    • If you are using the default self-signed certificate, copy servletcontainer.cer and servletcontainer.jks located in the etc subfolder.

    • If you are using a CA-signed certificate, find the certificate package file in the location specified in the container.properties file. For example:

      servletengine.ssl.keystore=../etc/fips-compliant-cert.p12

      Copy this file to the same location on each of the other systems.

  6. Restart the Reflection Secure Shell Proxy and the Reflection Transfer Server on the duplicate system.
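
The copy in steps 2 through 5, written as a script that also compares the SHA-256 hash of each copied file against the source; this is an added PowerShell example, not vendor-supplied code, meant to run on the duplicate system after step 1 and before step 6. The source host name, access through the C$ administrative share, and resolving a relative keystore path against the conf subfolder are assumptions.

```powershell
# Added example, not vendor code. Run on the duplicate system.
# Assumptions: $SourceHost (hypothetical name) exposes its C$ admin share to this account.
param(
    [string]$SourceHost  = 'rgproxy1',
    [string]$ProxyDir    = 'C:\ProgramData\Micro Focus\RSecureServer',
    [string]$TransferDir = 'C:\Program Files\Micro Focus\ReflectionGateway\TransferServer'
)

function ConvertTo-SourceUnc([string]$Path) {
    # C:\dir\file -> \\host\C$\dir\file
    '\\{0}\{1}$\{2}' -f $SourceHost, $Path.Substring(0, 1), $Path.Substring(3)
}

# Files named in the procedure, as local paths on the duplicate system.
$files = @('rsshd_config.xml', 'RSITDatabase', 'RSITDatabase.sec',
           'trustedWebService.cer', 'hostkey', 'hostkey.pub') |
    ForEach-Object { Join-Path $ProxyDir $_ }
$confDir = Join-Path $TransferDir 'conf'
$files += Join-Path $confDir 'container.properties'
$files += Join-Path $TransferDir 'etc\trustedWebService.cer'

# Read the keystore location from the source system's container.properties.
$ks = $null
foreach ($line in Get-Content -LiteralPath (ConvertTo-SourceUnc "$confDir\container.properties")) {
    if ($line -match '^\s*servletengine\.ssl\.keystore\s*=\s*(.+)$') { $ks = $Matches[1].Trim() }
}
if ($ks -and (Split-Path $ks -Leaf) -ne 'servletcontainer.jks') {
    # CA-signed package. Assumption: a relative value is relative to the conf subfolder.
    $files += [IO.Path]::GetFullPath([IO.Path]::Combine($confDir, $ks))
} else {
    # Default self-signed certificate pair in the etc subfolder.
    $files += Join-Path $TransferDir 'etc\servletcontainer.cer'
    $files += Join-Path $TransferDir 'etc\servletcontainer.jks'
}

# Copy each file, then compare SHA-256 of source and copy.
$failed = 0
foreach ($dst in $files) {
    $src = ConvertTo-SourceUnc $dst
    Copy-Item -LiteralPath $src -Destination $dst -Force
    $same = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash -eq
            (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if (-not $same) { $failed++ }
    '{0,-8} {1}' -f $(if ($same) { 'OK' } else { 'MISMATCH' }), $dst
}
if ($failed) { throw "$failed file(s) differ from $SourceHost; leave the services stopped." }
```

Because hostkey, RSITDatabase.sec and the keystore hold private key material, the copies on the duplicate system need the same restrictive file permissions as the originals.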