Securing Reflection X Advantage

  • 7024434
  • 14-Feb-2020
  • 17-Jul-2020

Environment

Reflection Desktop Pro
Reflection Desktop for X

Situation

X Manager and X Manager for Domains are server applications, and need to create one or more listening ports for clients to connect. By default, they are configured to allow access to any X client. This configuration works well for most users; however, in some environments it is preferred or required to secure X Manager and X Manager for Domains.

The following three options exist for securing X Manager and X Manager for Domains; disallowing remote IP connections is the most secure. This article provides an overview of each, as well as instructions for configuring them.

1) Disallow remote IP connections
2) Enable host-based authorization
3) Enable user-based authorization

Note that all three of these settings can only be made per-session. It is not possible to configure these settings globally.

Resolution

Disallowing remote IP connections is the most effective way of securing X Manager and X Manager for Domains: no X11 ports need to be left open in the firewall, and the only X clients able to connect are those that are either run through an encrypted Secure Shell tunnel (common) or run locally, on the same system as X Manager or X Manager for Domains (uncommon).

Here are steps to disallow remote IP connections.

1) Select the session definition you wish to modify.
2) Click on the Security tab.
3) Deselect Allow remote IP connections.

Note that with remote IP connections disabled, launching X clients with Secure Shell will require the client setting of Tunnel X11 connections to be enabled, which is the default.
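After disabling remote IP connections, it is worth confirming on the system running X Manager that no X11 display port (TCP 6000 plus the display number) is still listening on a routable address. The following Python example is added here and is not part of this article or of the product: it parses constructed `netstat -an`-style output lines (a sample is embedded in the code) and reports any X11 listener bound to a wildcard or non-loopback address. The column layout assumed is the common `Proto  Local Address  Foreign Address  State` form.

```python
import ipaddress
import re

# Constructed sample of `netstat -an`-style output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:6001         0.0.0.0:0              LISTENING
  TCP    [::]:6002              [::]:0                 LISTENING
  TCP    [::1]:6003             [::]:0                 LISTENING
  TCP    192.168.1.10:6000      10.0.0.5:51000         ESTABLISHED
"""

X11_BASE_PORT = 6000
X11_MAX_DISPLAY = 63  # displays :0 .. :63 map to TCP 6000 .. 6063

# Proto, local address, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\w+)?\s*$")


def split_addr(addr):
    """Split 'host:port' or '[v6addr]:port' into (ip_text, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def x11_listeners(netstat_text):
    """Return (display, bound_ip, exposed) for every listening X11 display port.

    A socket bound to a loopback address (127.0.0.1, ::1) is reachable only by
    local processes, which is where an SSH-tunnelled X client connects to.
    A wildcard (0.0.0.0, ::) or interface address is reachable from the network.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        ip_text, port = split_addr(m.group(2))
        display = port - X11_BASE_PORT
        if not 0 <= display <= X11_MAX_DISPLAY:
            continue
        ip = ipaddress.ip_address(ip_text)
        exposed = not ip.is_loopback  # wildcard binds count as exposed
        found.append((display, ip_text, exposed))
    return found


def exposed_displays(netstat_text):
    """Display numbers whose X11 port is reachable from other hosts."""
    return [d for d, _, exposed in x11_listeners(netstat_text) if exposed]


if __name__ == "__main__":
    for display, ip_text, exposed in x11_listeners(SAMPLE_NETSTAT):
        status = "EXPOSED" if exposed else "loopback only"
        print(f"display :{display} bound to {ip_text}: {status}")
```

With the sample above, displays :0 and :2 are reported as exposed (bound to 0.0.0.0 and ::), while :1 and :3 are loopback-only and therefore consistent with remote IP connections being disabled; the ESTABLISHED line is ignored because only listeners matter for this check.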

Enabling host-based authorization allows you to configure a list of hosts from which X clients are allowed to connect. X clients from all other hosts are denied.

Here are steps to enable host-based authorization.

1) Select the session definition you wish to modify.
2) Click on the Security tab.
3) Ensure that Allow remote IP connections is enabled.
4) Select Host-based authorization; a text box entitled Authorized Hosts opens.
5) In the Authorized Hosts text box, type the host names from which you want to allow X client connections, separating the names with new lines, spaces, commas or semicolons.

Enabling user-based authorization denies any X client that has not been verified using MIT-MAGIC-COOKIE-1 authorization. MIT-MAGIC-COOKIE-1 authorization takes place when a program named xauth is run as part of the X client connection process. Reflection X Advantage runs xauth by default when user-based authorization is enabled.

Here are steps to enable user-based authorization.

1) Select the session definition you wish to modify.
2) Click on the Security tab.
3) Ensure that Allow remote IP connections is enabled.
4) Select User-based authorization.

Note that you can verify that xauth was run by reviewing the Start Client log.

Note that host-based and user-based authorization can both be used; however, the X client is allowed if either authorization succeeds. To clarify, Reflection X Advantage does not require both authorizations to succeed in this scenario.
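To make the combination rule concrete, here is an added Python model of the three settings as this article describes them; it is illustrative code written for this page, not Reflection X Advantage's implementation. It parses the Authorized Hosts text with the separators step 5 allows (new lines, spaces, commas or semicolons), compares a presented MIT-MAGIC-COOKIE-1 value against the session's cookie in constant time, and applies the either-succeeds rule when both authorizations are selected. Assumptions not stated in the article: SSH-tunnelled clients arrive from a loopback address and so are not affected by Allow remote IP connections, host names are matched case-insensitively, and the cookie and host names in the sample are constructed.

```python
import hmac
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class SessionSecurity:
    """The Security-tab settings this article describes, as plain fields."""
    allow_remote_ip: bool = True
    host_based: bool = False
    authorized_hosts: set = field(default_factory=set)
    user_based: bool = False
    server_cookie: bytes = b""  # 16-byte MIT-MAGIC-COOKIE-1 value for the session


def parse_authorized_hosts(text):
    """Split the Authorized Hosts text on new lines, spaces, commas or
    semicolons into a normalised set (lower-case, no trailing FQDN dot)."""
    names = re.split(r"[\s,;]+", text.strip())
    return {n.lower().rstrip(".") for n in names if n}


def host_authorized(client_host, allowed):
    """Host-based rule: the client's host must be in the authorized list."""
    return client_host.lower().rstrip(".") in allowed


def cookie_authorized(server_cookie, presented_cookie):
    """User-based rule: the cookie the client presents (installed by xauth)
    must equal the server's cookie; the comparison is constant-time."""
    if presented_cookie is None or len(presented_cookie) != len(server_cookie):
        return False
    return hmac.compare_digest(server_cookie, presented_cookie)


def accept_client(client_ip, client_host, presented_cookie, settings):
    """Decide whether an X client connection is accepted under this model.
    Assumption: tunnelled clients come from loopback, so only non-loopback
    sources are subject to 'Allow remote IP connections'."""
    remote = not ipaddress.ip_address(client_ip).is_loopback
    if remote and not settings.allow_remote_ip:
        return False
    checks = []
    if settings.host_based:
        checks.append(host_authorized(client_host, settings.authorized_hosts))
    if settings.user_based:
        checks.append(cookie_authorized(settings.server_cookie, presented_cookie))
    # Neither authorization selected: every connection that passed the IP gate
    # is accepted (the default). Both selected: allowed if EITHER check succeeds.
    return any(checks) if checks else True


# Constructed sample values (not from the article).
COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
HOST_BOX = "build01.example.com, build02.example.com;\nlab-x11 jump.example.com"


def demo():
    """Exercise the model with a locked-down session and a both-enabled session."""
    locked_down = SessionSecurity(allow_remote_ip=False)
    both = SessionSecurity(allow_remote_ip=True,
                           host_based=True,
                           authorized_hosts=parse_authorized_hosts(HOST_BOX),
                           user_based=True,
                           server_cookie=COOKIE)
    bad_cookie = b"\x00" * 16
    return {
        "tunnelled_ok": accept_client("127.0.0.1", "localhost", None, locked_down),
        "remote_blocked": accept_client("192.0.2.7", "build01.example.com", COOKIE, locked_down),
        "host_only_ok": accept_client("192.0.2.7", "Build01.example.com.", bad_cookie, both),
        "cookie_only_ok": accept_client("192.0.2.8", "unknown.example.net", COOKIE, both),
        "neither_denied": accept_client("192.0.2.9", "unknown.example.net", bad_cookie, both),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'denied'}")
```

The two middle cases show the point of the note above: with both authorizations selected, a client from an authorized host with a wrong cookie is still accepted, and a client with the right cookie from an unlisted host is also accepted; only a client that fails both checks is denied.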

Additional Information

Please see the help for additional information.