FIPS Mode

When you run in FIPS mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards. In this mode some standard connection options are not available.

The following security configurations are allowed in FIPS mode:

  • SSL/TLS connections using 3DES (168-bit) or AES (128-bit) encryption and SHA-1 hash.

  • Secure Shell connections using 3DES (168-bit) or AES (128, 192, or 256-bit) encryption and SHA-1 hash.

  • Kerberos connections, for user authentication only, using 3DES encryption and SHA-1 hash.
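As an added example, not part of the Reflection documentation: a small audit script that classifies SSH algorithm names (RFC 4253 style) and OpenSSL-style TLS cipher-suite names against the three configurations listed above, so an administrator can see in advance which existing hosts a client in FIPS mode would no longer be able to reach. The server algorithm lists are constructed sample data, and the suite-name parsing assumes OpenSSL's naming convention (e.g. `AES128-SHA`, `DES-CBC3-SHA`); it is not Reflection's own negotiation logic.

```python
"""Classify SSH/TLS algorithms against the FIPS-mode list on this page.

Constructed example; the host names and algorithm lists below are sample
data, not captured from any real server.
"""

# Secure Shell: 3DES (168-bit) or AES (128/192/256-bit) with a SHA-1 MAC.
FIPS_SSH_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
FIPS_SSH_MACS = {"hmac-sha1"}


def ssh_negotiable(server_ciphers, server_macs):
    """Return (ciphers, macs) a FIPS-mode client could agree on with this
    server, keeping the server's preference order. Empty lists mean the
    connection would fail during key exchange."""
    ciphers = [c for c in server_ciphers if c.lower() in FIPS_SSH_CIPHERS]
    macs = [m for m in server_macs if m.lower() in FIPS_SSH_MACS]
    return ciphers, macs


def tls_suite_allowed(suite_name):
    """SSL/TLS: 3DES (168-bit) or AES (128-bit) with SHA-1 hash.

    OpenSSL suite names end in the digest ("SHA" is SHA-1, "SHA256" is
    not) and carry the cipher as tokens such as AES128 or DES-CBC3.
    AES-GCM suites are rejected because they pair with SHA-256/384, and
    AES256 is rejected because the page lists only 128-bit AES for TLS.
    """
    parts = suite_name.upper().split("-")
    if parts[-1] != "SHA":          # digest must be SHA-1
        return False
    body = parts[:-1]
    if "AES128" in body and "GCM" not in body:
        return True
    if "DES" in body and "CBC3" in body:
        return True
    return False


def audit(ssh_servers, tls_servers):
    """Return the sorted list of hosts that a FIPS-mode client could not
    connect to, given each server's advertised algorithm lists."""
    unreachable = []
    for host, (ciphers, macs) in ssh_servers.items():
        ok_ciphers, ok_macs = ssh_negotiable(ciphers, macs)
        if not ok_ciphers or not ok_macs:
            unreachable.append(host)
    for host, suites in tls_servers.items():
        if not any(tls_suite_allowed(s) for s in suites):
            unreachable.append(host)
    return sorted(unreachable)


# Constructed sample inventory (not real hosts).
SAMPLE_SSH_SERVERS = {
    "host-a": (["aes256-ctr", "aes128-cbc", "3des-cbc"], ["hmac-md5", "hmac-sha1"]),
    "host-b": (["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
               ["hmac-sha2-256"]),
}
SAMPLE_TLS_SERVERS = {
    "web-a": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "web-b": ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"],
}

if __name__ == "__main__":
    for host in audit(SAMPLE_SSH_SERVERS, SAMPLE_TLS_SERVERS):
        print(f"{host}: no FIPS-mode compatible algorithms offered")
```

Running the script against the sample inventory flags `host-b` (no CBC cipher and no SHA-1 MAC) and `web-b` (only AES-256 and SHA-2 suites); the other two hosts keep at least one negotiable combination.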

To run Reflection in FIPS mode

  1. Run the Group Policy editor using one of the following techniques:

    • Type the following at the command line:

      Gpedit.msc

    • In the Active Directory Users and Computers console, open the properties for an Organizational Unit, click the Group Policy tab, and edit or create a new policy object.

  2. Install the Reflection template (ReflectionPolicy.adm) if you have not already done so.

    NOTE: For information about how to download and install the Reflection policy template, see Technical Note 2216.

  3. Under Local Computer Policy > User Configuration > Administrative Templates > Reflection Settings, disable the setting Allow non-FIPS mode.

What is FIPS 140-2?

The United States Government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in 11 categories by independent, U.S. Government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of validated products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at: http://csrc.nist.gov/groups/STM/cmvp/validation.htm.

IMPORTANT: If you are configuring Reflection to use FIPS mode, you should ensure that you are running a version that has met all FIPS 140-2 standards. Contact technical support for more information.