Reflection ZFE 1.0 Features and Release Notes

  • 7021844
  • 05-Mar-2015
  • 01-Apr-2018


Reflection ZFE version 1.0


Reflection ZFE provides terminal emulation for 3270, 5250, and VT host types, while requiring only an HTML 5-capable browser. Reflection ZFE simplifies management, provides centralized patching and security rollouts, and removes the need for desktop administration. This technical note lists the features and known issues in this release and provides information about how to obtain the product.

Note: Reflection ZFE 1.1 released October 2015. See KB 7021525.


Product Overview

Reflection ZFE consists of a session server, a management server (Reflection Security Gateway), and the web client. Session allocation, authorization, and authentication are handled through the Reflection Security Gateway (RSG) Administrative WebStation.

The Reflection Management Server provides the engine that serves the sessions to all users that need to connect to your host data. The web client is a terminal emulator that can be accessed through a browser. Once assigned a session, your user has access to the host, provided they have browser access.


  • Supported emulation types: 3270, 5250, VT/SSH
  • Requires only a modern browser—no Java required for end users
  • Centralized management of sessions
  • Sessions can be assigned to all users, individual users, or groups
  • Secure end-to-end connections via TLS/SSL
  • Use of WebSockets to enhance real-time interaction with host
  • Broad platform support
  • Keyboard remapping
  • Metering of sessions

Known Issues

If you encounter an issue in Reflection ZFE, contact Attachmate Technical Support.

Current issues:

  • Recommended Browsers

It is highly recommended that Reflection ZFE users use Google Chrome or Mozilla Firefox. While Reflection ZFE 1.0 supports Microsoft Internet Explorer (IE) 10+, there are known performance issues with IE's JavaScript engine that may negatively affect the end user experience with Reflection ZFE.

  • "Mixed content" error

When an administrator uses a mix of HTTP and HTTPS, connection requests are blocked and a "mixed content" error displays. To avoid this error:

    • If Reflection Security Gateway is accessed via HTTP, then Reflection ZFE sessions must be accessed (create/edit) via HTTP.
    • If Reflection Security Gateway is accessed via HTTPS, then Reflection ZFE sessions must be accessed (create/edit) via HTTPS.
  • Cannot edit session while logged into Reflection ZFE in another tab

When creating or editing sessions in Reflection Security Gateway, it is best to log out of the Reflection ZFE server that will be used for creating or editing the session. Not doing so can lead to unexpected behavior during the create/edit process.

  • Reflection Security Gateway (RSG) authentication session expires

See KB 7022088 for more information.

  • Key Mapping

Certain keys on a numeric keypad and some browser-specific keys cannot be mapped. For example in Chrome, Ctrl+n and Ctrl+w cannot be mapped.

  • Some antivirus software blocks WebSockets

Reflection ZFE requires a WebSocket connection between the web browser and the server. Antivirus software might prevent WebSocket connections, especially when ports 80 or 8080 are used. If you think your antivirus software may be preventing WebSockets, first try a different port. For troubleshooting, see

  • Sessions configured across multiple Reflection ZFE servers

When a Reflection ZFE session is created, a particular Reflection ZFE server is specified by the administrator. When that session is launched from the Links List, it will always be opened on the server specified by the administrator. If there are multiple session servers in the environment, this may lead to unexpected behavior.

  • VT issues

The following issues may occur with VT sessions:


    • Heavy text output, such as from "Is -IR" may cause slow performance.
    • Scrolling regions may appear slow and/or choppy.
    • Cursor movement may be slow and/or choppy.
    • Internet Explorer is particularly slow, and performance degrades further when higher-than-default values are used for rows and columns.

Character sets

    • Graphical characters and some character sets are not supported.
    • Some non-English characters may cause the terminal display to freeze.

Other VT issues

    • A blinking rectangle is the only cursor style current supported.
    • Insert/delete column (DECIC, DECDC) may fail.
    • VT400 will not recognize DECSCL.
    • In rare occasions, using VT102-style features with BCE, the left margin is displaced a few inches to the right.
    • Pasting a string containing square brackets '[' or ']' will fail.
    • Pan Down (SU) and Pan UP (SD) Scroll Left (SL), and Scroll Right (SR) are not supported.
    • Some VT320 Window Reports (such as DECTTC, DECTLTC, and DECRPDE) fail.
    • Setting columns per page (DECSCPP) or lines per page (DECSLPP) may fail.
  • Known hosts entries

Only ssh-rsa and ssh-dss are valid as public key types for Reflection Security Gateway known_hosts entries. Key types that contain the string "-sha2-256" are not recognized.

  • Extraneous sessions may be launched when using the Links List

When a session is launched from the Reflection Security Gateway Links List, the resulting URL can lead to extra sessions being launched if the user refreshes the page or navigates away from Reflection ZFE and then returns to the session.

  • Field Outline in a 3270 session

The 3270 attributes for field outlines are not fully supported. Reflection ZFE currently supports underline and overline; however, left vertical line, right vertical line, and combinations of the four line types are not yet supported.

  • "(ECL1011) Error connecting to host: Connection to host failed."

This misleading error message displays when a TLS/SSL connection to a host fails because the certificate was not added to the trusted certificate store. The error is not a connection issue; it is a certificate issue.

If you encounter this error, check the Reflection Security Gateway trusted certificate store. In Administrative Web Station, click Security Setup > Certificates tab. Scroll to View or modify certificates trusted by the terminal emulator applet. If the certificate is not listed, Import it.

  • SSL 3.0 is disabled by default

For security reasons, enabling SSL 3.0 is not recommended. However, for hosts that absolutely require SSL 3.0, you can follow these steps to enable the protocol:

    1. Stop the applications or services that will be using SSL 3.0.
    2. Open <install_dir>/jre/lib/security/ in a text editor.
    3. Remove or comment out the line jdk.tls.disabledAlgorithms=SSLv3.
  • TLS/SSL connections are disabled on machines using IBM JDK 7.1 or 8

See KB 7021339 for more information.

  • Session connections are slow and may time out on some platforms when connecting to a host via TLS/SSL

See KB 7021340 for more information.

Obtaining the Product

After you purchase Reflection ZFE, the product is available to download from Attachmate Downloads: For more information on using the Download Library, see KB 7021965.

For information about purchasing or evaluating Reflection ZFE, please email

Installing the Product

For information about installing the product, see the Reflection ZFE Installation and Deployment Guide:

Technical Resources

For more information about Reflection ZFE, see the Technical Resources page:

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2771.