Introduction to Reflection Security Gateway 2014 R2
Reflection Security Gateway enables an administrator to create, configure, secure, and monitor both web- and Windows-based terminal sessions from one central location.
Reflection Security Gateway works with Attachmate Windows-based terminal emulation software to increase the security to your legacy host applications. By leveraging your current user authentication infrastructure, no changes are required to your legacy systems.
With Reflection Security Gateway 2014 R2, you can:
- Create and configure Windows-based terminal sessions to deploy to users.
- Use the Package Manager to automatically deploy packages for Windows-based sessions that include toolbars, macros, and other configuration elements by associating the package with a user or user group.
- Control access to emulation sessions using your current enterprise directory service, such as LDAP.
- Centrally audit access to host sessions.
- Revoke access to host sessions.
- Use activation files to add support for Web-based or other sessions without needing to restart the Management Server.
For a detailed list of the new features in Reflection Security Gateway 2014 R2, see KB 7022085.
Suggested Evaluation Path
Follow this recommended path for installing and evaluating Reflection Security Gateway 2014 R2:
2. Running the Automated Installer
3. Using the Administrative WebStation
4. Using Package Manager
5. Using Access Mapper
6. Controlling Authentication and Access Control
1. Preparing to Install
Before you begin, use this information to optimize your evaluation of Reflection Security Gateway 2014 R2.
Obtaining the Evaluation Copy
To request a 60-day time-limited evaluation copy of Reflection Security Gateway 2014 R2, complete the form on the Attachmate website: https://www.attachmate.com/products/reflection/secure-gateway/reflection-security-gateway-eval-form.html.
Before installation, identify the server you will use to evaluate Reflection Security Gateway 2014 R2 and check the system requirements.
Using the Installation Guide
Along with this technical note, you will use procedures documented in Installation Guide, which pertains to both Reflection for the Web and Reflection Security Gateway. The installation procedures are similar for each product.
The Installation Guide is available from the Attachmate website: https://www.attachmate.com/documentation/rweb-rsg-2014-r2/rweb-rsg-install/.
If You Are Upgrading
To avoid file conflicts, install the evaluation copy of Reflection Security Gateway 2014 R2 to a server that does not have Reflection Security Gateway, Reflection Administrator, or Reflection for the Web installed.
Requirements for Evaluation
For your initial evaluation, you can install Reflection Security Gateway 2014 R2 on a workstation; for production, however, Attachmate recommends installing Reflection Security Gateway on a server class operating system. The installation process is the same whether you install to a workstation or a server. The procedures in this technical note refer to installing on a server.
For evaluation purposes, use an automated installer and install all of the Reflection components onto the same computer. That computer should meet the following minimum hardware and software requirements:
||Reflection Security Gateway is platform independent. Automated installers are available for Windows, UNIX, and Linux.
Note: A graphical interface is needed for the non-Windows automated installers.
|Java Virtual Machine (JVM)
||Java Virtual Machine (JVM) 7 or higher capable of running Java applications.
||Any web browser using a JRE 7 or later
cascading style sheets.
For detailed browser requirements, see KB 7022028.
|Other Reflection software
||No previous version of Reflection Security Gateway or Reflection for the Web installed.
To avoid file conflicts, install the evaluation copy of Reflection
Security Gateway 2014 R2 to a machine that does not have either product
For an itemized list of the system requirements for each Reflection component and for the end usersâ computers, see the Installation Guide: Preparing to Install > System Requirements.
General Guidelines for Installing
After you check for compatible system requirements, read through these general guidelines:
- Be sure that you have the permissions necessary to install components on the designated server.
- Run the Reflection Security Gateway 2014 R2 installation on your designated computer.
- Use the automated installation wizard to install Reflection on a computer running Windows Server 2012, Windows Server 2008, Windows Server 2003, UNIX, or Linux.
If an automated installer is not available for the operating system on your designated computer, you could do a manual installation. See the Installation Guide for step-by-step instructions.
- If you plan to integrate a Reflection Security Gateway 2014 R2 installation (on a Windows server) with IIS, the automated installation process will prompt you for this option.
2. Running the Automated Installer
To identify and remember your entries during installation, use the checklist provided in the Installation Guide: https://www.attachmate.com/documentation/rweb-rsg-2014-r2/rweb-rsg-install/.
Click Installing Reflection > Automatic Installation and Configuration Checklist.
Print the checklist and note the system-specific information that you must enter (or accept) as you install Reflection Security Gateway. You can refer to the list later.
To Run the Installer
For evaluation purposes, run the automated installer to install all of the components onto the same computer at the same time.
- Download and extract the Reflection Security Gateway 2014 R2 evaluation file. Locate the /install_automated/ directory. The file location depends on your system and where you downloaded Reflection Security Gateway.
Double-click the automated installer for your operating system (Linux 32- or 64-bit, UNIX, or Windows 32- or 64-bit).
Note: Running the automated installer on Linux requires "execute" permission.
- Choose your language, and proceed through the wizard. When prompted, enter the information you noted on the Automatic Installation Checklist.
Note: You will see an explanation about the temporary self-signed certificate that was created during installation. The temporary certificate enables you to access the Reflection Security Gateway server securely until you are able to obtain a certificate signed by a recognized certificate authority.
- When the components are installed, leave the "Start server components now" checked, and click Next.
- On the Installation Complete page, you can open any of the installed components, including the Administrative WebStation. Click Finish.
Components that are automatically installed
These components are automatically installed onto the designated computer:
Tomcat servlet runner
Usage Metering Server
ID Management Server
*The Administrative WebStation provides the UI for the "Reflection Management Server."
As part of the configuration process, you can choose to enable or disable the Usage Metering Server and the ID Management Server.
Note: In a production environment, the server components (Reflection Management Server, Reflection Security Proxy Server, Reflection Metering Server, and ID Management Server) are platform independent and can be installed on any server-class operating system that supports Java, including Windows, Linux, and UNIX.
When you purchase Reflection Security Gateway 2014 R2, you may decide to install some components onto different computers. To do so, run the installer more than once and select the appropriate components to install on each machine.
3. Using the Administrative WebStation
Once Reflection Security Gateway 2014 R2 is installed, start the Administrative WebStation to begin evaluating the product features.
The Administrative WebStation is a centralized website that contains administrative tools and documentation. You can configure, secure, deploy, and monitor terminal sessions from this central location. The WebStation is password-protected to allow for remote administration and access by multiple administrators.
To Start the Administrative WebStation:
- Before opening the Administrative WebStation, start the Tomcat servlet runner:
If a Windows automated installer was used, Windows starts Tomcat automatically. Continue with step 2.
If a UNIX, Linux, or Solaris automated installer was used, then start Tomcat by running
- Open the Administrative WebStation.
In Windows, click Start > All Programs > Attachmate Reflection Security Gateway 2014 > Administrative WebStation.
If you are using UNIX or Linux, or if you are accessing the Administrative WebStation from a machine other than the web server, open your web browser and in the Address field, enter the appropriate URL for your configuration.
Replace the <server name> and <port#> entries with your site-specific information:
https://<server name>:<TLS/SSL port#>/rweb/AdminStart.html
http://<server name>:<http port#>/rweb/AdminStart.html
- When you first open the Administrative WebStation, you may see a security message about verifying the site's certificate or about the temporary self-signed security certificate created during installation. Click Yes to proceed.
- A security warning asks, "Do you want to run this application?" from Attachmate Corporation. The More Information link provides the certificate details.
Select "Run" or "Grant this session," depending on the message. If you do not want to see this alert again, select the adjacent checkbox.
- On the "Log in as Reflection administrator" screen, click your preferred language, enter the password that you created during installation, and then click Submit.
The page that opens confirms that you are accessing Reflection using the Administrator account. When configured, links to your terminal sessions will be listed here. This display is referred to as the Links List.
- In the bottom-right of the Links List panel, click Administrative WebStation. (Be sure to allow pop-ups in your browser.)
Note: As you navigate through the Administrative WebStation, use the Reflection navigation buttons and links rather than using your browserâs Back button.
Administrative WebStation Home
From the Home page, you have access to the tools to create, configure, and manage terminal sessions. The WebStation provides a wealth of introductory information, tutorials, and references.
Continue evaluating Reflection Security Gateway 2014 R2 by creating and configuring at least one terminal session.
Creating Windows-Based Terminal Sessions
With Reflection Security Gateway 2014 R2, you can create the following Windows-based sessions:
IBM 3270 Printer
IBM 5250 Printer
VT UNIX and OpenVMS
SSH â Reflection for Secure IT
VHI Design Tool
Before you can create a Windows-based session, you must have the respective Reflection, InfoConnect, EXTRA!, or Verastream Host Integrator software installed on your computer.
In the Administrative WebStation, use the Session Manager to create and configure the Reflection terminal sessions you want to deploy to end users.
To create a terminal session:
- Return to the Administrative WebStation Home page (click Home in the upper left), and click Session Manager.
- Click Add. The Windows-Based session types are listed.
- In the Add New Session page, select a Windows-Based session type, and enter a Session name for your terminal session, such as Reflection Workspace test.
- On the Configure a Windows-Based Reflection Session page, note the default settings:
- Settings files are stored in the user's My Documents\<Reflection folder>.
- End user files are not overwritten by settings stored on the web server.
- Click Launch.
If you want to test the connection to the host, enter the name of your host computer and click OK.
Note: When you launch a session, you may encounter a security warning that a certificate from Attachmate cannot be verified. Select Yes to continue. If you do not want to see this alert again, select "Always trust content from this publisherâ and click Yes.
Now you are ready to configure the emulation settings for the end-usersâ terminal session.
Configuring a Session
You can configure settings and test the emulation features in a launched Reflection session. You do not need to be connected to a host.
In the launched session, configure your session as usual, including your settings for display, keyboard mapping, printing, and file transfer. Click Help (upper right) for assistance.
Saving the Session
When you finish configuring the emulation features, save the session by clicking Save/Exit.
Note: In the Reflection Workspace, click the Save icon or File > Save. A prompt asks if you want to send the settings to the Administrative WebStation. Click Yes. To exit, click either the upper right X, or File > Close.
The session is then added to the Session Manager list in the Administrative WebStation, but not to the end user's list of available sessions (the Links List).
The Session Saved page provides the URL for the session and links to the Access Mapper and the Session Manager pages. The URL is also displayed when you open Session Manager and click the session.
You can manage the macros and settings installed on each user's machine by using Package Manager.
4. Using Package Manager
Package Manager enables you to automatically deploy configuration data for Windows-based sessions to specified users. To administer settings such as macros, keyboard maps, and hotspots, create a package and use Package Manager.
To use Package Manager:
- Create an .msi file that packages the files you want to deploy.
Use an MSI builder, such as the Attachmate Customization Tool, to package configuration files into custom install packages. See the tool's Help for more information.
The install packages might include toolbars, macros, keyboard maps, file transfer settings, printer settings, and other settings that support specific types of host emulation sessions.
Note: The msi package will be installed as the current user and therefore should be created as a user package.
- In Administrative WebStation, upload the package to the Reflection Management Server:
- In the Administrative WebStation, click Package Manager on the left.
- Click Add and then Browse to the .msi file you want to add or update. Add a description about the package.
- Click Save to upload the package to the Reflection Management Server.
5. Using Access Mapper
Access Mapper can be used to specify the sessions that appear on your users' Links Lists. Earlier, you used the Session Manager to add new sessions and Package Manager to add new packages.
- In the Administrative WebStation, click Access Mapper. Or, if the Session Saved page is still open, click the "Map session access" link to open the Access Mapper.
If you selected LDAP authorization, you have the option to search for individual users or groups. See Help for more information.
- Sessions. Check the session(s) you want to make available to users.
- Packages. Select the package you want to associate with the selected user or group of users. When a user logs on to the Links List, the package contents are deployed to the user's workstation. If you update the package, the newer one will be downloaded.
Once the package is downloaded, the .msi runs, and the contents of the package are installed to the locations specified in the MSI package.
Note: The process of downloading a package is independent of the process of launching a session from the Links List. The package download occurs whether or not the user opens the session.
- To add or edit sessions, use Session Manager. To add or edit packages, use Package Manager.
- Click Save Settings.
Files on the user's computer may be overwritten, depending on the options chosen when the MSI package was created.
To update or replace a package
You can update an MSI package by replacing the file.
- Make your changes to the MSI package (using the Attachmate Customization Tool or another MSI builder) and save it with the same file name.
- From Package Manager, click the .msi file that you want to replace.
- Click Browse, select the modified package, and then click Open.
- In the Description field, enter a version number or some other indicator that the package contents have changed, and then click Save.
6. Controlling Authentication and Access Control
Reflection Security Gateway 2014 R2 provides tools for using optional and advanced features. This section provides a brief description of the following features:
Reflection Security Gateway supports a variety of access control models. For instance, if your environment uses an LDAP-compatible directory service, you can use your existing LDAP database to map terminal sessions to users, groups, or folders.
For information about the authentication options, see these resources in the Administrative Web Station:
Under Activities: Access Control Setup > Help.
In the Administrative WebStation, click Security Setup. On the Security tab, you can set options for server access, passwords, smart card libraries, and cryptography settings.
HTTPS and SSL
By default, Reflection Security Gateway enables web browsers to use the HTTP protocol to communicate between the client computer and the management server. HTTP is enabled by default, and although HTTP is universally available to web browsers, it is not a secure protocol.
To secure the communication between the client and the web server, you can require web browsers to use the HTTPS protocol (which provides SSL encryption) when connecting to the Reflection Management Server. For more information, see the Security overview in the Administrative WebStation: Reference > Welcome > Overview > Security Overview.
Reflection Security Gateway 2014 R2 provides support for TLS 1.2 and Reflection PKI Services Manager. For more information, see the Help topic: Administrative WebStation > Security Setup > Security tab > Help.
Additional cryptography settings information is available from Security Overview in the Administrative WebStation: Under Reference, click Welcome > Overview > Security Overview.
Security Proxy Server (Optional)
Security is increased by using the Reflection Security Proxy to encrypt the data between the client and the security proxy. You can install the security proxy when you run the automated installer.
For more information about using the security proxy, see these resources:
Administrative WebStation, under Reference: Welcome > Overview > Security Overview > How Security Works.
Administrative WebStation, under Activities: Security Setup > Security Proxy tab > Help.
Usage Metering (Optional)
Usage metering can be used to audit and control access to both Windows- and Web-based Reflection sessions. You may want to install Reflection Security Gateway's usage metering component if your site needs to carefully balance network and server loads. For more information, see these resources:
Administrative WebStation, under Activities: Settings > Metering tab > Help.
Installation Guide: Configuring Components > Metering Server.
Many resources are available to help you install, configure, and troubleshoot Reflection Security Gateway 2014 R2.
The installation guide for Reflection for the Web 2014 R2 and Reflection Security Gateway 2014 R2 is on the Attachmate website: https://www.attachmate.com/documentation/rweb-rsg-2014-r2/rweb-rsg-install/.
Administrative WebStation in Reflection Security Gateway 2014
Context-sensitive help is available within the Reflection for the Web product. Use the Administrative WebStation Search to find topics in the Administrative WebStation and the Emulator Help.
Several Overview and How To topics are available under the Reference heading in the left nav. Click Resources > About Reflection to identify your installed version.
Technical Resources Page
For additional technical resources, including technical notes, documentation, and lifecycle, see https://support.microfocus.com/product/?prod=RSG2014.
Attachmate Technical Support
To request technical support, see https://support.microfocus.com/contact/ for contact information.
When You Finish Evaluating
To purchase Reflection Security Gateway or to request a Proof of Concept, contact Attachmate Sales at 1.800.872.2829 or email us at SalesRecept@attachmate.com.
When you install a fully licensed version of Reflection Security Gateway, your sessions and settings will be retained.
However, if you wish to remove all the sessions and settings, delete the ReflectionServer folder and its sub-folders on the designated machine.
Uninstalling Reflection Security Gateway
- On Windows Server 2012, Windows Server 2008, or Windows Server 2003, use Control Panel > Programs and Features.
- On Linux or UNIX, run the uninstaller: