Security Proxy Server
The Security Proxy Server provides token-based access control and encrypted network traffic to and from user workstations. The Security Proxy can be used by Reflection Desktop and Reflection for the Web.
Enabling the Security Proxy Server
For Reflection Desktop. The Security Proxy is enabled by installing an activation file, which is available for download and is licensed separately. To enable:
- In the MSS Administrative Console, click Configure Settings - Product Activation.
- Click ACTIVATE NEW and browse to and click the activation file for the security proxy: activation.security_proxy-<version>.jaw
  The Security Proxy is added to the Product list.
For Reflection for the Web. The Security Proxy entitlement is included in the Reflection for the Web activation file.
Configuring the Security Proxy
The Cluster Certificate is automatically shared across all nodes in a cluster, and is used as the identity for the Security Proxy. You must define and add the Cluster Certificate, which will be used by the Security Proxy.
Note
The Security Proxy Wizard, previously used to manage certificates, is no longer used for configuration.
To define and add the Cluster Certificate:
- Log in to the MSS Administrative Console at https://hostname/adminconsole.
- From the drop-down menu, click Cluster Management.
- Click Settings, and expand the Certificate and Private Key panels.
- Click Import File and navigate to your certificate and key.
- Select and import the files. Or, you can drag and drop the certificate and key files into the fields.
  To verify: first close and re-open your web browser; then access the session server and note the updated certificate that is reported by the browser's site information.
- Redeploy the Security Proxy service:
  a. In the Cluster Management console, click Services.
  b. Next to the mss-security-proxy service, click Redeploy All.
Important
Be aware that end users may be affected when a service is redeployed.
Advanced Configuration
You can customize your Security Proxy installation by editing the Security Proxy service properties. Work with Customer Support to set custom properties, such as specifying non-default values for the TLS version, Crypto Suites, and OCSP.
- In the Cluster Management console, click Services.
- Next to the mss-security-proxy service, click Scale.
- You must explicitly scale the number of instances needed.
  Note
  By default, the Security Proxy is set to zero (0) instances because it is capable of handling a high volume of connections, and requires resource allocation that is commensurate to its performance.
- Next to the mss-security-proxy service, click Edit Properties.
- Enter the Key and Value for each custom property.
- In some cases, you may be asked to Redeploy a service after editing the properties.
  Next to the mss-security-proxy service, click Redeploy All.
Important
Be aware that end users may be affected when a service is redeployed.
Setting the Logging Level
To set logging properties for the Security Proxy Server:
- Open the Cluster Management console, and click Services.
- Next to the mss-security-proxy service, click Edit Properties.
- For detailed logging, add this key/value pair.
  - Key: logging.level.root
  - Value: DEBUG
    Other values: INFO, WARN, SEVERE
To view the Security Proxy logs:
- From the MSS Administrative Console drop-down menu, open the Cluster Management console.
- On the Services page, click mss-security-proxy.
- Click View Recent Logs or Download Logs.
Using FIPS-Approved Mode
When the Security Proxy and terminal sessions are configured to run in FIPS-approved mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards.
To configure the Security Proxy to run in FIPS-approved mode, edit the mss-security-proxy service properties with this key/value pair:
- Key: fipsApprovedMode
- Value: on
For detailed steps to set properties for the Security Proxy service, see Advanced Configuration.
Running Reports
After you configure sessions to use the Security Proxy, you can run reports to view the current user activity and the connections per Security Proxy server.