Transfer Site Administrative Topics
Transfer site directories are created within a base directory on a designated Transfer Site file server. The procedures in this section describe how to designate the Transfer Site file server and specify which directory is used as the base directory on that server.
Change the Transfer Site Directory used by the Reflection Secure Shell Proxy
The Transfer Site file server setting is configured in Gateway Administrator under System > File Servers. By default, Reflection Gateway creates Transfer Site directories on the Reflection Secure Shell Proxy running on the Reflection Gateway Proxy.
-
The base directory on the Reflection Secure Shell Proxy is configured using the Reflection Secure Shell Proxy console, not using Gateway Administrator. This can be a local folder on the Reflection Secure Shell Proxy computer or an accessible network share.
-
The name and location of the base directory you configure for your file server is not made visible to client users. The folder name that users see when they connect is the value you specify for Transfer site name when you create a Transfer Site. The actual subdirectory on the file server is the value you specify for Directory name, which can be the same or different.
The default base directory on the Reflection Secure Shell Proxy is:
C:\ProgramData\Micro Focus\RSecureServer\Reflection\
To modify the base directory on the Reflection Secure Shell Proxy
-
Start the Reflection Secure Shell Proxy console. It is installed in the Windows Start menu (or Apps list) under Micro Focus Reflection for Secure IT Gateway > Reflection Secure Shell Proxy.
-
On the Reflection Gateway Users pane, edit Reflection base path.
Note
You can specify a local path, a mapped drive, or a UNC path. If you specify a network location, set Micro Focus Reflection Gateway Administrator user access account to a user who has access to that location.
-
Save your settings (File > Save Settings).
Use an Added SFTP Server as the Transfer Site File Server
Use the following procedure to designate an added SFTP for Transfer Site file exchange. Typically this will be a server running in your internal network. This is the recommended configuration when the Reflection for Secure IT Gateway is running in the DMZ. With this configuration, data streams continuously through the proxy, eliminating the need to save files on this server. Data passed to the SFTP server is securely encrypted.
Before you begin
-
Add the SFTP server to the list of available servers using System > File Servers. Set the base directory for this server to the directory you want to use for Transfer Site file exchange.
Note
The name and location of the base directory you configure for your server is not made visible to client users. The folder name that users see when they connect is the value you specify for Transfer site name when you create a Transfer Site. The actual subdirectory on the file server is the value you specify for Directory name, which can be the same or different.
To designate an added SFTP server as the Transfer Site file server
-
Log on to Gateway Administrator using an account in the Administrators group (or any account that has the System setup role enabled).
-
Go to System > File Servers.
-
Use the Transfer site file server drop-down list to select the added SFTP server.
-
Click Save.
More Information
Configure Connections to Remote SFTP Servers from the Reflection Secure Shell Proxy
The File Transfer site file server setting in Gateway Administrator allows you to specify a single SFTP server for Transfer Site file exchange. Any Transfer Site you define using Gateway Administrator uses a directory on this server or a network location available to this server using a UNC path. This option is easy to use and configure, and is the recommended configuration.
It is also possible to configure directory access on additional servers using the SFTP Directories feature of the Reflection Secure Shell Proxy; however, directories made available this way are managed differently from Transfer Sites. Review the following limits and differences before you proceed.
- To control who has access to a Transfer Site created using Gateway Administrator, you add or remove users and groups on the Transfer Site page. To control who has access to an SFTP directory configured in the Reflection Secure Shell Proxy, you use the Subconfiguration feature.
The following procedure configures a shared directory on an SFTP server that will be available to all users.
To configure a connection to an SFTP server from the Reflection Secure Shell Proxy
-
Start the Reflection Secure Shell Proxy console. It is installed in the Windows Start menu (or Apps list) under Micro Focus Reflection for Secure IT Gateway > Reflection Secure Shell Proxy.
-
From the Configuration tab, click SFTP Directories in the left panel, then click Add. This opens the Accessible Directory Settings dialog box.
-
Enter a Virtual directory name. This is the folder name that will be visible to users.
-
Select Remote SFTP server. This opens the Remote SFTP Server Connection dialog box.
-
For Host, specify the name or IP address of the SFTP server.
-
Click Retrieve to retrieve the public key used to authenticate this server.
-
For Remote SFTP username and Password, enter the credentials of the user account that will provide access to the file system on the remote SFTP server.
-
Under Remote base directory, click Browse to select the directory you want to make available to users. This must be a directory accessible to the user you entered for Remote SFTP username.
-
-
Click Test Connection. You should see a message saying that the connection was successful.
-
Click OK to close the dialog boxes and return to the SFTP Directories pane.
Note
The User login directory option, including the default
/Home
directory, is not used for Reflection Gateway users. -
Save your settings (File > Save Settings).
Use the next procedure to limit access to a directory on an SFTP server to members of a Reflection Gateway group or to an individual Reflection Gateway user.
To configure directory access for a Reflection Gateway group or user
-
From the Reflection Secure Shell Proxy console Configuration tab, under Subconfiguration click either User Configuration or Group Configuration.
-
Click Add.
-
Click Domain (for user configuration) or set Group type to Domain (for group configuration).
-
For members of the ReflectionGateway LDAP server, set the domain name to
ReflectionGateway.
-
For members of an added LDAP server, use the Domain name as it appears on the LDAP Servers page in Gateway Administrator.
-
-
Enter the name of the user or group your are configuring.
-
In the left portion of the Group Configuration dialog box, click SFTP Directories.
-
Clear the Inherit directories check box.
-
Click Add to open the Accessible Directory Settings dialog box.
-
Configure the remote directory that will be available to this user or group, as described in the preceding procedure, starting with step 3.
-
Save your settings (File > Save Settings).
Security Recommendations for the Reflection Secure Shell Proxy
Use the following precautions to help ensure security on the Reflection Gateway Proxy (the system running the Reflection Secure Shell Proxy and the Reflection Transfer Server).
-
Do not join the server to a Windows domain.
-
Do not run non-essential services on the server that might provide user access, such as Telnet servers, FTP servers, and SQL servers.
-
In the Reflection Secure Shell Proxy console:
-
On the Reflection Gateway Users pane, leave Allow server access to Reflection Gateway users only and Restrict Reflection Gateway users to file transfer sessions selected. These default settings help minimize external user access to your system.
-
Change the user access account to an account with more limited privileges than the default service account.
-
Disable port forwarding for all users. To do this, clear both port forwarding options on the Permissions pane under Tunneling.
-
-
Configure firewalls that limit access to ports on your servers.