Environment
Reflection 2014 R1 SP1
Reflection Pro 2014 R1 SP1
Reflection X 2014 R1 SP1
Reflection for UNIX and OpenVMS 2014 R1 SP1
Reflection Security Gateway 2014 (except Limited Edition)
Situation
This technical note shows how to configure a Reflection Desktop 16 or Reflection 2014 session to send an SSH-encrypted connection through the Reflection Security Gateway Proxy Server.
Resolution
Background
Figure 1. Security Proxy Tunneling for SSH
In a standard Administrative WebStation configuration for a secure Reflection session, the connection between the client and security proxy server is encrypted using SSL/TLS, but the connection between the security proxy and the host uses unencrypted Telnet. By sending an SSH-encrypted connection through the security proxy tunnel, you can configure a secure Reflection session so that the entire communication path is encrypted from the client, through the proxy server, and on to the host.
This feature has the following advantages:
- Encryption is used for the entire connection.
- The IP addresses and names of your secure hosts are not exposed outside of the internal network.
- Only clients with a valid authorization token can launch a secure session.
- The authorization token contains connection information. This enables the security proxy to send all secure host connections through a single port, eliminating the need to open multiple firewall ports.
- All settings required for a connection (such as the trusted certificate, the personal certificate, user keys, and host keys) reside on the Administrative WebStation and are downloaded to users’ workstations when they start sessions.
You can set up this configuration using the Reflection VT Terminal type (used for UNIX and OpenVMS sessions).
Prerequisites
To make these SSH connections through the Security Proxy, you must have the following:
- The host must have an SSH server installed.
- Reflection 2014 R1 SP1 and later must be installed locally on your workstation PC. Note: Earlier versions and other products (such as Reflection 2014 R1, Reflection 2011, Reflection 14.x, or EXTRA!) are not supported.
- You must have access to the Reflection Security Gateway 2014 Security Proxy and Administrative WebStation servers.
- Host Sessions must be opened from the Reflection Administrative WebStation or the Links List page.
- Sessions must be configured from the Administrative WebStation in Reflection Security Gateway 2014.
- The Reflection Security Proxy must be running with Client authorization enabled.
Note: Reflection for the Web 2014 is not licensed for connections from Reflection Desktop 16 or Reflection 2014 clients. You must have a Reflection Security Gateway 2014 activation file installed to configure Reflection Desktop 16 or Reflection 2014 sessions.
Procedure
To connect your VT session SSH connection through the Security Proxy, complete the following steps:
- Access the Reflection Administrative WebStation.
- Click Session Manager and add a new Reflection Workspace session.
- Enter a session name and click Continue.
- Click Launch to open the Reflection Workspace.
- In the session window, create a new VT session and select Secure Shell for the connection type.
- Enter the host name and user name (optional; users are otherwise prompted when they connect). Then select Configure additional settings and click OK to open the Settings dialog box.
- Under Host Connection, click Set up Connection Security.
- In the Reflection Secure Shell Settings dialog box, on the Reflection Security Proxy tab, select Use Reflection Security Proxy, and then choose a Security proxy and a Proxy port.
Note: The Destination host values you entered in step 6 should be entered automatically here. If you don't see them, select the Security proxy name from the drop-down list to populate these fields.
- Configure SSH connection settings such as the trusted certificate, the personal certificate, user keys, and host keys as required for your connection. (For more information about configuring your SSH-specific settings, refer to the Reflection 2014 Help topic “Reflection Secure Shell Settings Dialog Box” at https://docs.attachmate.com/reflection/2014/r1/tshelp/en/user-html/secure_shell_dialog_r200x_ch.htm.)
- Click OK to close the open dialog boxes and initiate the connection. Select Always to import the host key for these sessions.
Note: If you do not want to include the user name in the configuration, cancel the connection. If you cancel, you will be unable to import the host key for the session.
- Save the session. When prompted, choose to “send the settings for this session to the Administrative WebStation,” and then exit the Reflection workspace.
All the files required for your configuration are uploaded to the Administrative WebStation. When a user launches the session, these files are downloaded to their workstation so that Reflection has access to all configuration data required to establish a connection.
Note: All non-default SSH settings required to establish a connection are saved in three files:
- The sessionname.rssh file contains the public key (if public key authorization is used), the host key (if a host key is accepted while in administrative mode), and the settings normally stored in both the pki_config file and the config file. It also includes all SSL/TLS settings such as the TLS version, cipher suites, and applicable proxy data.
- The sessionname.ps file stores any personal certificates included for the connection.
- The sessionname.ts file includes any trust certificates.
When you send settings for the session to the Administrative WebStation, these files are uploaded along with the session document file.