Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014
This technical note describes how to configure Reflection for the Web or Reflection Security Gateway to work with web proxies (also known as secure web access appliances, SSL accelerators, security appliances, and intelligent appliances).
A web proxy operates between client machines running a browser (usually on the Internet) and the machine running the Reflection management server (usually on the internal network). A web proxy can provide a number of features including access control, centralized management, and security.
When a user on the Internet requests a Reflection session, the URL in the browser is that of the web proxy. The web proxy forwards the request to the management server. If the original request uses the HTTPS protocol, the proxy converts it to HTTP. The management server sends the applet to the web proxy, again using HTTP, and the proxy sends the applet to the client using the original protocol, HTTPS. The management server inserts its own URL into the applet as an applet tag with HTTP protocol, since HTTP is the protocol used in the connection between the web proxy and the management server.
The applet then requests a configuration file from the web server using the management server URL contained in the applet, but the connection will fail because the server is not accessible through HTTP and is not directly accessible from the client. The solution is to add settings to the server.properties file to use HTTPS and to point the applet to the web proxy when it looks for the configuration file.
This technical note assumes that you have already installed Reflection for the Web or Reflection Security Gateway and the web proxy.
Step 1: Edit server.properties
Open ReflectionData\properties\server.properties in a text editor and add these lines to the file:
server.forcesslport=[proxy SSL port]
Note: The forcesslport parameter is optional. If you do not add this line, SSL port number 443 is used by default.
Save the server.properties file and restart the management server.
Step 2: Use HTTP Protocol
Web connections using the HTTPS protocol are generally more secure than those using the HTTP protocol, so Reflection provides a way to require HTTPS. However, in environments with web proxies, the HTTP protocol must be allowed because the proxy uses it for internal communications. The default protocol setting permits HTTP connections and is correct in this case. If you are adding a web proxy to an existing Reflection environment, however, you may already have required HTTPS. Therefore, you should ensure that Reflection permits the use of HTTP:
- In the Security Setup tool, open the Security tab.
- Under "Choose management server access protocol," select HTTP.
Step 3 (Optional): Allow Connections that Bypass the Proxy
In many environments, not all connections go through the web proxy. For example, connections from outside your firewall may go through the proxy, while connections from inside your network do not. For connections that bypass the proxy, the parameters added to the server.properties file (Step 1 above) must be overridden: these connections must retain their original protocol and must use the management server URL, not the web proxy.
To retain the original protocol and port used by the client, add forcessl=false to the user's URL. To bypass the specified web proxy, add forcehostname=false.
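One way to check that the Step 3 overrides match the path each session actually arrived by is to audit the management server's access log; the script below is an added example, not part of the original technical note or the product. It assumes a Common Log Format access log, a web proxy that connects from 10.0.0.5, and a hypothetical /launch session path; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PROXY_ADDRS = {"10.0.0.5"}                 # assumption: address the web proxy connects from
OVERRIDES = ("forcessl", "forcehostname")  # the two URL parameters described in Step 3
# Assumed Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+')

# Constructed sample lines; /launch is a hypothetical session URL path.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2014:09:14:02 +0000] "GET /launch HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2014:09:15:40 +0000] "GET /launch?forcehostname=false HTTP/1.1" 200 5120',
    '10.1.4.22 - admin [12/Mar/2014:09:16:11 +0000] "GET /launch?forcessl=false&forcehostname=false HTTP/1.1" 200 5120',
    '10.1.4.30 - - [12/Mar/2014:09:17:00 +0000] "GET /launch?forcessl=false HTTP/1.1" 200 5120',
    '10.1.4.31 - - [12/Mar/2014:09:18:27 +0000] "GET /launch HTTP/1.1" 200 5120',
]

def overrides_in(target):
    """Names of the Step 3 overrides that the request target sets to false."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    off = {k for k, v in pairs if v == "false"}
    return [name for name in OVERRIDES if name in off]

def verdict(client, target):
    """Compare the overrides on one request with the path it arrived by."""
    used = overrides_in(target)
    if client in PROXY_ADDRS:
        # Proxied sessions depend on the Step 1 settings; an override undoes them.
        return "proxied-with-override:" + ",".join(used) if used else "ok"
    missing = [name for name in OVERRIDES if name not in used]
    # Sessions that bypass the proxy must override both settings (Step 3).
    return "direct-missing-override:" + ",".join(missing) if missing else "ok"

def audit(lines):
    """Return (line_number, client, verdict) for every mismatched request."""
    out = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if m and (v := verdict(*m.groups())) != "ok":
            out.append((n, m.group(1), v))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "direct-missing-override" finding usually means a bookmark or link for an internal user was created without the Step 3 parameters; a "proxied-with-override" finding means a bypass URL has been handed to users who reach the server through the proxy.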
For example, the URL for an administrator who is not connecting through the web proxy and is using HTTP might be similar to the following: