How to Enable FIPS in Reflection Desktop, Reflection 2014, or Reflection 2011

  • 7021501
  • 06-Jul-2007
  • 03-Jul-2018

Environment

Reflection Desktop (including Pro, for IBM, or for UNIX and OpenVMS) 16.0 or higher
Reflection 2014

Reflection Pro 2014
Reflection for UNIX and OpenVMS 2014
Reflection for IBM 2014
Reflection X 2014
Reflection Standard Suite 2011
Reflection for UNIX and OpenVMS 2011
Reflection for IBM 2011
Reflection Suite for X 2011
Reflection X 2011

Situation

Follow the steps in this technical note to enable FIPS (Federal Information Processing Standards) mode in Reflection Desktop 16, Reflection 2014, or Reflection 2011.

For general information about FIPS mode, see:

For Reflection Desktop: https://www.attachmate.com/documentation/reflection-desktop-v16-1/rdesktop-guide/data/t_6499.htm

For Reflection 2014: https://docs.attachmate.com/reflection/2014/r1/help/en/user-html/6499.htm

For Reflection 2011: https://docs.attachmate.com/reflection/2011/r3/help/en/user-html/6499.htm

Note: To successfully connect in FIPS mode, your server must support "high-encryption" capabilities. Contact your Chief Information Security Officer for information about the implications and applicability of using FIPS 140-2 validated cryptography on all of your systems.

Resolution

Step 1 – Download and Copy the ReflectionPolicy.adm File

Download and unzip the Reflection policy template:

  1. From the Downloads website, download the file ReflectionPolicy.zip.
  2. Unzip the file to the %systemroot%\inf folder (for example, C:\Windows\inf\).

Step 2 – Install the Group Policy

Before you can use this policy, add the Reflection policy template (the ReflectionPolicy.adm file) to your Windows Group Policy editor.

  1. Run Gpedit.msc from the command line, or open the properties for an Organizational Unit in the Active Directory Users and Computers console, click the Group Policy tab, and edit or create a new policy object.
  2. Expand the User Configuration tree.
  3. Right-click the Administrative Templates container and select Add/Remove Templates.
  4. In the Add/Remove Templates dialog box, click Add and browse to the %systemroot%\inf folder (for example, “C:\Windows\inf”).
  5. Select the ReflectionPolicy.adm file. Open the template, and then close the Add/Remove Templates dialog box.

Step 3 – Configure FIPS-Only Mode

Once you have added the template, use it to configure the policy.

  1. In the Group Policy Object Editor, under User Configuration, expand the Administrative Templates. Expand Classic Administrative Templates (ADM).
  2. Click the Reflection Settings tree and, in the right pane, double-click "Allow non-FIPS mode."
  3. In the Allow non-FIPS mode screen, select Disabled, and then click OK.

Note: Do not change other Reflection policies included in the template.

Step 4 – Configure Reflection Security Settings

Follow these steps to configure workspace security settings.

For a VT SSL session:

  1. Create a new VT session.
  2. On the VT Document Settings screen, enter the Host name / IP address.
  3. Select the "Configure additional settings" check box. Click OK.
  4. Under Host Connection, click Set Up Connection Security.
  5. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
  6. Configure additional features as needed. Click OK.

For a 3270 or 5250 host session:

  1. In the Reflection Workspace, open or create a 3270 or 5250 document.
  2. On the 3270 or 5250 Document Settings pane, enter the Host name / IP Address, and select the "Configure additional settings" check box. Click OK.
  3. Under Host Connection, click Set Up Connection Security.
  4. Click Security Settings.
  5. On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
  6. Configure additional features as needed. Click OK.

How to Configure FIPS Mode on a Per Session Basis

If you prefer to configure FIPS mode for SSH on a per session basis, rather than using the group policy as described above, follow these steps:

To configure an existing VT terminal session:

  1. Open a VT terminal session and click the document settings button.
  2. Click Configure Connection Settings.
  3. Under Connection, select Secure Shell.
  4. Enter a Host name / IP Address.
  5. Click the "Security" button.
  6. Under Host Connection, click Set Up Connection Security.
  7. On the Encryption tab, select the "Run in FIPS mode" check box.
  8. Click OK.

To configure a new VT terminal session:

  1. Create a new VT session.
  2. On the VT Document Settings pane, enter the Host name / IP address.
  3. Select the "Configure additional settings" check box. Click OK.
  4. Under Host Connection, click Set Up Connection Security.

Troubleshooting Tips

The following error may display if you configure the FIPS-only mode policy, but do not configure the workspace security settings:


Figure 1. The selected operation/feature is not available in FIPS mode.

The following error may display if your host does not support high-encryption:


Figure 2. Reflection SSL/TLS could not establish an encrypted connection.
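
Before disabling non-FIPS mode for users, it helps to check which of a host's cipher suites would still be usable. The following Python sketch is an added example, not part of the original technical note or of Reflection. It assumes that "high-encryption" means suites built only from FIPS-approved algorithms (AES or Triple-DES, with no RC4, DES, MD5 and similar); the suite list and the function names are constructed for illustration.

```python
import re
import socket
import ssl

# Assumption: tokens that mark a suite as not built from FIPS-approved
# algorithms. The list Reflection itself enforces is not given in this note.
NON_APPROVED = {"RC4", "RC2", "DES", "MD5", "NULL", "IDEA", "SEED",
                "CAMELLIA", "CHACHA20", "ARIA", "EXP", "EXPORT"}

# Constructed sample: suites a host might offer (not captured from a real system).
CONSTRUCTED_OFFER = ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA",
                     "RC4-MD5", "TLS_CHACHA20_POLY1305_SHA256"]


def fips_issues(suite):
    """Return the reasons a suite name fails the assumed FIPS allowlist."""
    tokens = re.split(r"[-_]", suite.upper())
    if "CBC3" in tokens:  # OpenSSL spells Triple-DES as DES-CBC3
        tokens = ["3DES" if t == "DES" else t for t in tokens]
    issues = sorted(set(tokens) & NON_APPROVED)
    if not any(t.startswith("AES") or t == "3DES" for t in tokens):
        issues.append("no AES/3DES cipher")
    return issues


def triage(offered):
    """Split offered suites into (usable, {unusable: reasons})."""
    usable, unusable = [], {}
    for suite in offered:
        issues = fips_issues(suite)
        if issues:
            unusable[suite] = issues
        else:
            usable.append(suite)
    return usable, unusable


def negotiated_suite(host, port, timeout=5.0):
    """Connect with this machine's TLS defaults; return (suite, protocol)."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


if __name__ == "__main__":
    usable, unusable = triage(CONSTRUCTED_OFFER)
    print("usable in FIPS mode:", usable)
    for suite, why in unusable.items():
        print("rejected:", suite, why)
```

Under that assumption, a host whose usable list comes back empty is one that would fail as in Figure 2. negotiated_suite() needs network access to the host, and its result can be passed to fips_issues() to check the suite actually agreed.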

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2216.
