Connect to Hosts using the Security Proxy Add-On

The Management and Security Server Security Proxy Add-On acts as a proxy for terminal sessions and provides token-based access control, routing encrypted network traffic to and from user workstations.

NOTE: The Security Proxy Add-On requires the base installation of Host Access Management and Security Server. It is not included with the Management and Security Server license. To activate this product, you must purchase a separate license.

Using the Security Proxy Add-On, you can set up the following types of centrally managed secure connections:

Client Authorization

When using the default configuration for the Security Proxy, users are authorized using security tokens. Transmitted data between the client and the Security Proxy is encrypted; transmitted data between the Security Proxy and the host is not. The Security Proxy server should be installed behind a corporate firewall when used in this mode. See Connect using Client Authorization.

Pass Through

When configured as a Pass Through Proxy, the Security Proxy passes data to the destination host without regard to content (that is, it ignores any SSL handshaking data). You can secure data traffic using SSL between the client and the destination host by enabling SSL user authentication on the destination host. When using a Pass Through proxy, client authorization is not an option. See Connect using Pass Through Mode.

End-to-End SSL/TLS Security

This option, available for 3270 sessions only, combines user authorization with SSL security for the entire connection. Single sign-on capability using the IBM Express Logon is also supported, provided the host supports SSL. See Connect using End-to-End Security and Express Logon in 3270 Sessions.

End-to-End SSH Security

In a standard configuration for a secure Reflection session, the connection between the client and security proxy server is encrypted using SSL/TLS, but the connection between the security proxy and the host uses unencrypted Telnet. By sending an SSH-encrypted connection through the security proxy tunnel, you can configure a secure Reflection session so that the entire communication path is encrypted from the client, through the proxy server, and on to the host.

Connect using Client Authorization

Use this procedure to create a Reflection emulation session that connects to the Security Proxy and requires a user token for client authorization. Client authorization is a configurable option in the Security Proxy that is enabled by default.

To configure a session

  1. In a web browser, start Management and Security Server by setting the URL to:

    http://server:port/mss/AdminStart.html

    where server and port are replaced with the Administrative Server address.

  2. Log on as administrator.

  3. Click Administrative WebStation.

  4. From the left pane, click Session Manager.

  5. Click Add to open the Add New Session page.

  6. Under Windows-Based, select Reflection Workspace, and click Continue.

  7. Specify a trusted location on the user's workstation where settings files will be stored, and then click Launch.

    Reflection opens the new session document on your workstation in Administrative WebStation mode.

  8. Configure the new session document as follows:

    1. In the Create New Document dialog box, choose the type of session and then click Create.

    2. Enter the IP Address or Host name, configure other settings as required, and then select Configure additional settings.

    3. In the Settings dialog box, under Host Connection, click Set Up Connection Security.

    4. In the Configure Advanced Connection Settings dialog box, click Security Settings.

    5. In the Security Properties dialog box, select Use SSL/TLS security and then select Use Reflection security proxy.

  9. If you are prompted for a certificate, accept it, wait until the session connects, and then close the session.

  10. When prompted, confirm that you want to send the settings to the Administrative WebStation.

    In the WebStation Session Manager page, a message indicates that the session is saved.

  11. Click Map session access and use Access Mapper to configure which users have access to the session document.

  12. Point users to the Reflection URL (for example http://myserver/mss) to access Reflection sessions.

Connect using Pass Through Mode

Use this procedure to create Reflection emulation sessions that connect to a Security Proxy that is configured as a Pass Through proxy.

In Pass Through mode, the Security Proxy doesn't perform any SSL handshake, client/server authentication or encryption. If SSL is used in this mode, the SSL session is created between the client and destination host and encrypted data simply passes through the Security Proxy.

For instructions on configuring the Reflection Security Proxy, see the documentation included with Reflection Security Gateway.

To configure a session

  1. In a web browser, start Management and Security Server by setting the URL to:

    http://server:port/mss/AdminStart.html

    where server and port are replaced with the Administrative Server address.

  2. Log on as administrator and click Administrative WebStation.

  3. From the left pane, click Session Manager.

  4. Click Add to open the Add New Session page.

  5. Under Windows-Based, select Reflection Workspace, and click Continue.

  6. Specify a trusted location on the user's workstation where settings files will be stored, and then click Launch.

    Reflection opens the new session document on your workstation in Administrative WebStation mode.

  7. Configure the session document as follows:

    1. In the Create New Terminal Document dialog box, enter the IP Address or Host name and port, select the check box Configure additional settings, and click OK.

    2. In the Settings dialog box, under Host Connection, click Set Up Connection Security.

    3. In the Configure Advanced Connection Settings dialog box, click Security Settings....

    4. In the Security Properties dialog box, on the SSL/TLS tab, select Use SSL/TLS security, select Use Reflection security proxy, and enter the proxy name and port.

  8. After the session successfully connects, save the session.

    The session file is saved to the Administrative Server.

  9. Make the session available to specific users.

    NOTE: If you want to establish an SSL-secured connection between Reflection and the destination host using the Security Proxy in Pass Through mode, you may need to deselect Host name must match certificate or, preferably, add the Security Proxy as a Subject Alternative Name (SAN) in the host server certificate.
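The note above describes a host-name check that fails in Pass Through mode because the client connects to the proxy's name while the certificate belongs to the host. The following added example (not part of the product documentation or the product's code) reproduces that check on constructed certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and shows the two outcomes: adding the proxy as a SAN makes the check pass, while disabling the check accepts any certificate that chains to a trusted CA. The certificate contents and names are constructed for the example.

```python
"""Host-name matching against a server certificate's Subject Alternative Names.

Added illustration; the certificate dicts below are constructed in the
format returned by ssl.SSLSocket.getpeercert(), no real certificate is used.
"""
import ipaddress


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single leading
    '*' may stand for exactly one left-most label, never a whole name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Collect DNS and IP entries from subjectAltName. The commonName is
    consulted only when the certificate carries no SAN at all."""
    sans = cert.get("subjectAltName", ())
    dns = [value for (kind, value) in sans if kind == "DNS"]
    ips = [value for (kind, value) in sans if kind == "IP Address"]
    if not sans:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert, expected: str) -> bool:
    """True when the name the client connected to is named in the certificate."""
    dns, ips = names_in_cert(cert)
    try:
        wanted_ip = ipaddress.ip_address(expected)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(i) == wanted_ip for i in ips)
    return any(_dns_matches(p, expected) for p in dns)


def check_connection(cert, connected_name: str, enforce_hostname: bool = True) -> bool:
    """Mimic the client's decision. With enforcement off, any certificate that
    chains to a trusted CA is accepted, which is what deselecting
    'Host name must match certificate' gives up."""
    if not enforce_hostname:
        return True
    return hostname_matches(cert, connected_name)


# Constructed host certificates (assumed names; not from the documentation).
HOST_CERT_NO_PROXY_SAN = {
    "subject": ((("commonName", "mainframe.internal.example"),),),
    "subjectAltName": (("DNS", "mainframe.internal.example"),),
}
HOST_CERT_WITH_PROXY_SAN = {
    "subject": ((("commonName", "mainframe.internal.example"),),),
    "subjectAltName": (
        ("DNS", "mainframe.internal.example"),
        ("DNS", "proxy.example.com"),  # the Security Proxy's name added as a SAN
    ),
}
PROXY_NAME = "proxy.example.com"  # the name the client actually connects to

if __name__ == "__main__":
    print("host cert without proxy SAN:", check_connection(HOST_CERT_NO_PROXY_SAN, PROXY_NAME))
    print("host cert with proxy SAN:   ", check_connection(HOST_CERT_WITH_PROXY_SAN, PROXY_NAME))
    print("check disabled:             ", check_connection(HOST_CERT_NO_PROXY_SAN, PROXY_NAME, False))
```

The check disabled case also accepts a certificate issued to an unrelated server, which is why the note recommends the SAN change over deselecting the option.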

Connect using End-to-End Encryption in 3270 SSL/TLS Sessions

Use this procedure to configure end-to-end encryption. Without end-to-end encryption, only data between the client and proxy server is encrypted.

End-to-end encryption tunnels a direct SSL/TLS connection to the host, while still connecting through the Security Proxy Server. These connections require two certificates and SSL/TLS handshakes — one for the client/proxy server connection and another for the client/host connection.

To configure a session with end-to-end encryption

  1. In a web browser, start Management and Security Server by setting the URL to:

    http://server:port/mss/AdminStart.html

    where server and port are replaced with the Administrative Server address.

  2. Log on as administrator and click Administrative WebStation.

  3. From the left pane, click Session Manager.

  4. Click Add to open the Add New Session page.

  5. Under Windows-Based, select Reflection Workspace, and click Continue.

  6. Specify a trusted location on the user's workstation where settings files will be stored, and then click Launch.

    Reflection opens the new session document on your workstation in Administrative WebStation mode.

  7. Enter the host name and port and select Configure additional settings.

  8. In the Reflection Settings dialog box, under Host Connection, click Set Up Connection Security.

  9. Click Security Settings, and in the Security Properties dialog box, make the following required selections:

    1. Select Use SSL/TLS security.

    2. Select Use Reflection security proxy.

    3. From Security proxy settings, choose your Security proxy and Proxy port from the drop-down menus.

    4. In the Destination host box, type the host name.

    5. Select the End-to-End encryption check box.

      NOTE: You can modify the level of security by adjusting the SSL protocol version and encryption key-strength setting. Click PKI Manager to add Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking to certificate validation.

  10. Close the Security Settings dialog box, and then make any other modifications to the session before saving it.

    The session opens and attempts to connect to the host. The session file is saved to the Administrative Server.

  11. In the Administrative WebStation, click Access Mapper and specify which users have access to the file. The users you specify can access the file from the Links List.

Connect using End-to-End Encryption in VT SSH Sessions

You can configure a Reflection Desktop session to send an SSH-encrypted connection through the Security Proxy Server.

In a standard Administrative WebStation configuration for a secure Reflection session, the connection between the client and security proxy server is encrypted using SSL/TLS, but the connection between the security proxy and the host uses unencrypted Telnet. By sending an SSH-encrypted connection through the security proxy tunnel, you can configure a secure Reflection session so that the entire communication path is encrypted from the client, through the proxy server, and on to the host. This feature has the following advantages:

  • Encryption is used for the entire connection.

  • The IP addresses and names of your secure hosts are not exposed outside of the internal network.

  • Only clients with a valid authorization token can launch a secure session.

  • The authorization token contains connection information. This enables the security proxy to send all secure host connections through a single port, eliminating the need to open multiple firewall ports.

  • All settings required for a connection (such as the trusted certificate, the personal certificate, user keys, and host keys) reside on the Administrative WebStation and are downloaded to users’ workstations when they start sessions.
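The list above states that only clients holding a valid authorization token can launch a session, and that the token carries the connection information so the proxy can route every host connection through a single listening port. The page does not document the Security Proxy's actual token format; the following added example (not the product's code) illustrates the mechanism generically with an HMAC-signed token whose claims name the destination host and port, and a verifier of the kind a single-port proxy would run before routing. The secret, user and host names are constructed for the example.

```python
"""Generic illustration of an authorization token that carries routing data.

Assumption: the layout (URL-safe base64 JSON claims + HMAC-SHA256 tag) is
chosen for teaching and is not the Security Proxy's real token format.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the issuer and the proxy (assumption).
SHARED_SECRET = b"constructed-example-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, dest_host: str, dest_port: int, ttl_seconds: int = 300, now=None) -> str:
    """Issuer side: bind the user, the destination and an expiry into one signed blob."""
    now = time.time() if now is None else now
    claims = {"sub": user, "host": dest_host, "port": dest_port, "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now=None):
    """Proxy side: return (host, port) to route to, or None if the token is not acceptable.

    The proxy listens on one port; the destination is taken from the verified
    claims, so no host-specific firewall ports need to be opened."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) < now:
        return None
    return claims["host"], int(claims["port"])


def tamper_host(token: str, new_host: str) -> str:
    """Rewrite the destination in the claims but keep the original tag,
    which is what a client would have to do to redirect its own session."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["host"] = new_host
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    t = issue_token("alice", "tn3270.internal.example", 23)
    print("valid token routes to:", verify_token(t))
    print("tampered token routes to:", verify_token(tamper_host(t, "other.internal.example")))
```

Because the destination is part of the signed claims, a user cannot reuse a token issued for one host to reach another, and the host names never need to be visible to the client beyond the token itself.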

You can set up this configuration using the Reflection VT Terminal type (used for UNIX and OpenVMS sessions).

To connect your VT session SSH connection through the Security Proxy Add-On

  1. In a web browser, start Management and Security Server by setting the URL to:

    http://server:port/mss/AdminStart.html

    where server and port are replaced with the Administrative Server address.

  2. Log on as administrator and click Administrative WebStation.

  3. Click Session Manager and add a new Reflection Workspace session.

  4. Enter a session name and click Continue.

  5. Click Launch to open the Reflection Desktop workspace.

  6. In the session window, create a new VT session and select Secure Shell for the connection type.

  7. Enter the host name and user name (optional; users are otherwise prompted when they connect). Then select Configure additional settings and click OK to open the Settings dialog box.

  8. Under Host Connection, click Set up Connection Security.

  9. In the Reflection Secure Shell Settings dialog box, on the Reflection Security Proxy tab, select Use Security Proxy, and then choose a Security proxy and a Proxy port.

    NOTE: The Destination host values you entered in step 6 should be entered automatically here. If you don't see them, select the Security proxy name from the drop-down list to populate these fields.

  10. Configure SSH connection settings such as the trusted certificate, the personal certificate, user keys, and host keys as required for your connection. For more information about configuring your SSH-specific settings, refer to the Reflection Help topic “Reflection Secure Shell Settings Dialog Box.”

  11. Click OK to close the open dialog boxes and initiate the connection. Select Always to import the host key for these sessions.

    NOTE: If you do not want to include the user name in the configuration, cancel the connection. If you cancel, you will be unable to import the host key for the session.

  12. Save the session. When prompted, choose to send the settings for this session to the Administrative WebStation, and then exit the Reflection workspace.

All the files required for your configuration are uploaded to the Administrative WebStation. When a user launches the session, these files are downloaded to their workstation so that Reflection has access to all configuration data required to establish a connection.

NOTE: All non-default SSH settings required to establish a connection are saved in three files:

  • The sessionname.rssh file contains the public key (if public key authorization is used), the host key (if a host key is accepted while in administrative mode), and the settings normally stored in both the pki_config file and the config file. It also includes all SSL/TLS settings such as the TLS version, cipher suites, and applicable proxy data.

  • The sessionname.ps file stores any personal certificates included for the connection.

  • The sessionname.ts file includes any trust certificates.

When you send settings for the session to the Administrative WebStation, these files are uploaded along with the session document file.