Configuring HTTPS Proxy Settings for a Secure Reflection for the Web Session

If your Reflection for the Web client computers reside in a network that uses an HTTPS proxy server, a secure Reflection for the Web terminal session may either be able to pass through the HTTPS proxy, or may have to bypass the HTTPS proxy, depending on several factors. HTTPS proxy settings can be configured either in a client computer's browser, or as applet parameters in a secure terminal session web page.

Note: The information in this document applies only to secure Reflection for the Web sessions. Non-secure Reflection for the Web sessions cannot pass through a proxy server.

Decide How to Configure Reflection

Before starting the configuration, you must first:

• Determine whether to have the secure session bypass or pass through the HTTPS proxy.
• Determine whether to configure the HTTPS proxy settings in the client browsers or the secure terminal session web page.

Bypass or Pass Through?

Secure Reflection for the Web terminal sessions may be able to pass through the HTTPS proxy or may need to bypass the HTTPS proxy. To determine how you need to configure Reflection to work in your network environment, consider the following guidelines:

• What authentication scheme is your HTTPS proxy server using? Currently, Reflection for the Web is compatible only with Basic authentication. If your HTTPS proxy server uses a different authentication scheme (such as Microsoft NTLM Challenge/Response authentication), secure Reflection for the Web sessions will be unable to pass through the HTTPS proxy server and you will need to bypass the HTTPS proxy.
• Can you assign port 443 as the listening port for the Reflection Security Proxy? Most HTTPS proxy servers can only tunnel SSL through port 443; therefore; the Reflection security proxy server will typically be configured to listen on port 443.

Where to Configure the Settings?

You can configure the secure session to bypass or pass through the HTTPS proxy from either the browser (on individual client PCs) or the terminal session web page (as an applet parameter, applied to all users). To determine the best place to make the changes, consider the following guidelines:

Reasons to Configure HTTPS Proxy Settings in the Browser

When loading a secure terminal session, the Reflection for the Web terminal session applet reads Windows registry settings to determine if the client computer's browser is configured to pass secure HTTP through an HTTPS proxy server. If an HTTPS proxy server is identified in the browser settings, Reflection for the Web directs the secure connection to pass through this proxy.

Consider using this method if:

• The client computers run Windows.
• The client computers use Internet Explorer, Mozilla Firefox, or Google Chrome to run Reflection for the Web.

• The client computers reside behind different firewalls, some of which contain HTTPS proxy servers.

Reasons to Configure HTTPS Proxy Settings in the Session Web Page

HTTPS proxy settings can also be set by configuring the terminal session. Applet parameters configured in this manner override any HTTPS proxy settings configured in the browser and can be used to either specify or bypass an HTTPS proxy server during a secure session. This method can be used to configure HTTPS proxy settings for non-Windows clients, and can provide the ease of central administration in some environments.

This method is required if:

• The client computers run operating systems other than Windows.
• The client computers use browsers other than Internet Explorer, Mozilla Firefox, or Google Chrome.

Also consider using this method if:

• All of the client computers reside behind the same firewall and pass through the same HTTPS proxy server.

Configuring Reflection

Once you have decided whether Reflection should bypass or pass through the HTTPS proxy server, and whether to configure these settings through the browser or through the session web page, follow the instructions below to make the necessary modifications to your installation.

Configuring Reflection to Bypass the HTTPS Proxy

To configure Reflection to bypass an HTTPS proxy server, follow the instructions below for the configuration method you have decided upon. Steps are provided to configure the browser or the session web page.

Bypass Using Internet Explorer, Mozilla Firefox, or Google Chrome

Follow these steps to configure the settings in Internet Explorer:

Note: The settings made in Internet Explorer will also be used by Mozilla Firefox and Google Chrome by default.

1. In Internet Explorer, select Internet Options on the Tools menu.
2. In the Internet Options dialog box, click the Connections tab, and then click LAN Settings.
3. Check the "Use a proxy server" check box, and then click Advanced.
4. Note: If no HTTPS proxy server is specified in the Secure: field, the terminal session will not pass through an HTTPS proxy server and there is no need to make an exception.

Bypass Using a Session Web Page

The proxyExcept parameter is used to specify an exception list of Reflection security proxy servers by host name or IP address. Client machines connect to the listed servers without passing through the configured HTTPS proxy server. Typically, a given session will use only one Reflection security proxy server. However, the proxyExcept parameter can accept a list of security proxy servers (separated by commas) in order to accommodate unusual cases.

Note:

• The proxyExcept parameter is applicable only if the httpsProxy parameter is set. If the httpsProxy parameter is not configured, the proxyExcept parameter is ignored.
• The name of the security proxy server used in the proxyExcept parameter is case sensitive; it must match the case of the security proxy server name used in creating the secure session.

If you do not know the IP address or name of the HTTPS proxy server (for example, if you are accessing an HTTPS proxy server at a remote client site), enter a fake HTTPS proxy value for the httpsProxy parameter. This allows the configured proxyExcept parameter to function.

The following example parameters and values force the client computers to bypass the HTTPS proxy server when using a secure Reflection session to connect to a Reflection security proxy server named RefSecProxy. In this case, the IP address of the HTTPS proxy server is not known, so the fake IP address "1.2.3.4" is used for the httpsProxy parameter.

To configure the session web page, follow the steps in Configuring the Proxy Parameters.

Configuring Reflection to Pass Through the HTTPS Proxy

To configure Reflection to pass through an HTTPS proxy server, follow the instructions below for the configuration method you have decided upon. Steps are provided to configure the browser or the session web page.

Pass Through Using Internet Explorer, Mozilla Firefox, or Google Chrome

Follow these steps to configure the settings in Internet Explorer.

Note: The settings made in Internet Explorer will also be used by Mozilla Firefox and Google Chrome by default.

1. In Internet Explorer, select Internet Options on the Tools menu.
2. In the Internet Options dialog box, click the Connections tab, and then click LAN Settings.
3. Check the Use a proxy server check box, and then click Advanced.
4. In the Secure field of the Proxy Settings dialog box, enter the host name (or IP address) and port of the HTTPS proxy server you want the secure terminal session to pass through. Click OK.

Pass Through Using a Session Web Page

The httpsProxy parameter is used to specify the host name or IP address and port number of the HTTPS proxy server the client computer connects through while running secure Reflection sessions.

For example, the following parameter and value forces the client machine to use the HTTPS proxy server named myHTTPSProxy during the secure Reflection session:

Use this parameter if you want all users to use the same HTTPS proxy server when running secure session (this parameter overrides the browser settings).

To configure the session web page, follow the steps in Configuring the Proxy Parameters.

Configuring the Proxy Parameters

In Reflection for the Web, the terminal session web page is created dynamically. Applet parameters are added through the Administrative WebStation's Session Manager. When the session is requested by a user, the html generated for the session will include these parameters.

To configure the terminal session, follow the steps below.

1. Open the Administrative WebStation; click Tools > Session Manager.
2. Click Create New Session or select a current session to modify.
3. Under "Configure a Web-Based Reflection Session" complete the items as needed and select "Applet Parameters."
4. In the Add parameters dialog box, select httpsProxy from the parameters list. In the Value field, enter the name or IP address of the HTTPS proxy server, a colon, and the port number: <name or IP address>:<port number>
5. Click Add.
6. If you are configuring Reflection to bypass the proxy, select proxyExcept from the parameters list (skip this step if you are configuring Reflection to pass through the proxy). In the Value field, enter the Reflection security proxy server name or IP address.
7. Click Add.
8. Click Continue.
9. Select Launch, if necessary, to continue the session Configuration. Otherwise, click Save Settings.

In environments where some clients are able to navigate an HTTP proxy but others need to bypass their HTTP proxy (for example, because their HTTP Proxy requires NTLM authentication), use the retryWithoutHTTPProxy parameter. Set the value to "true."

Additional Information in the Administrative WebStation

For additional information on using applet parameters, open the Administrative WebStation in a browser. On the table of contents, click Advanced > Applet Attributes and Parameters. The httpsProxy, proxyExcept, and retryWithoutHTTPProxy parameters are listed by name in the Terminal Emulation Applet Index of Attributes and Parameters.

Legacy KB ID