Environment
Reflection 2014
Reflection Pro 2014
Reflection for UNIX and OpenVMS 2014
Reflection for IBM 2014
Reflection X 2014
Reflection Standard Suite 2011
Reflection for UNIX and OpenVMS 2011
Reflection for IBM 2011
Reflection Suite for X 2011
Reflection X 2011
Situation
Follow the steps in this technical note to enable FIPS (Federal Information Processing Standards) mode in Reflection Desktop 16, Reflection 2014, or Reflection 2011.
For general information about FIPS mode, see:
For Reflection Desktop 16: https://www.attachmate.com/documentation/reflection-desktop-v16-1/rdesktop-guide/data/t_6499.htm
For Reflection 2014: https://docs.attachmate.com/reflection/2014/r1/help/en/user-html/6499.htm
For Reflection 2011: https://docs.attachmate.com/reflection/2011/r3/help/en/user-html/6499.htm
Note: To successfully connect in FIPS mode, your server must support "high-encryption" capabilities. Contact your Chief Information Security Officer for information about the implications and applicability of using FIPS 140-2 validated cryptography on all of your systems.
Resolution
Step 1 – Download and Copy the ReflectionPolicy.adm File
Download and unzip the Reflection policy template:
- From the Downloads website, download the file ReflectionPolicy.zip.
- Unzip the file to the %systemroot%\inf folder (for example, C:\Windows\inf\).
Step 2 – Install the Group Policy
To use this policy, first add the Reflection policy template (the ReflectionPolicy.adm file) to your Windows Group Policy editor.
- Run Gpedit.msc from the command line, or open the properties for an Organizational Unit in the Active Directory Users and Computers console, click the Group Policy tab, and edit or create a new policy object.
- Expand the User Configuration tree.
- Right-click the Administrative Templates container and select Add/Remove Templates.
- In the Add/Remove Templates dialog box, click Add and browse to the %systemroot%\inf folder (for example, C:\Windows\inf\).
- Select the ReflectionPolicy.adm file. Open the template, and then close the Add/Remove Templates dialog box.
Step 3 – Configure FIPS-Only Mode
Once you have added the template, use it to configure the policy.
- In the Group Policy Object Editor, under User Configuration, expand Administrative Templates, and then expand Classic Administrative Templates (ADM).
- Click the Reflection Settings tree and, in the right pane, double-click "Allow non-FIPS mode."
- In the Allow non-FIPS mode screen, select Disabled, and then click OK.
Note: Do not change other Reflection policies included in the template.
Step 4 – Configure Reflection Security Settings
Follow these steps to configure workspace security settings.
For a VT SSL session:
- Create a new VT session.
- On the VT Document Settings screen, enter the Host name / IP address.
- Select the "Configure additional settings" check box. Click OK.
- Under Host Connection, click Set Up Connection Security.
- On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
- Configure additional features as needed. Click OK.
For a 3270 or 5250 host session:
- In the Reflection Workspace, open or create a 3270 or 5250 document.
- On the 3270 or 5250 Document Settings pane, enter the Host name / IP Address, and select the "Configure additional settings" check box. Click OK.
- Under Host Connection, click Set Up Connection Security.
- Click Security Settings.
- On the SSL/TLS tab, select the "Use SSL/TLS security" check box.
- Configure additional features as needed. Click OK.
How to Configure FIPS Mode on a Per-Session Basis
If you prefer to configure FIPS mode for SSH on a per-session basis, rather than using the group policy as described above, follow these steps:
To configure an existing VT terminal session:
- Open a VT terminal session and click the document settings button.
- Click Configure Connection Settings.
- Under Connection, select Secure Shell.
- Enter a Host name / IP Address.
- Click the "Security" button.
- Under Host Connection, click Set Up Connection Security.
- On the Encryption tab, select the "Run in FIPS mode" check box.
- Click OK.
To configure a new VT terminal session:
- Create a new VT session.
- On the VT Document Settings pane, enter the Host name / IP address.
- Select the "Configure additional settings" check box. Click OK.
- Under Host Connection, click Set Up Connection Security.
Troubleshooting Tips
The following error may display if you configure the FIPS-only mode policy but do not configure the workspace security settings:
Figure 1. The selected operation/feature is not available in FIPS mode.
The following error may display if your host does not support high-encryption:
Figure 2. Reflection SSL/TLS could not establish an encrypted connection.