2.1 Connect to Hosts via Reflection Security Proxy

You can centrally manage host traffic and reduce host visibility by connecting emulation sessions through the Management and Security Server. To do this, Extra! sessions are created from the Administrative WebStation, which opens an administrative mode of Extra! for configuration.

The Management and Security Server offers several configuration options:

Client authorization

Used in connections secured by the Management and Security Server to ensure that access to host systems is approved before the connection can proceed. When a user logs into the Management and Security Server, he or she has access only to the terminal session files and other features that he or she has been explicitly authorized to use.

When using the default configuration for the Security Proxy, users are authorized using security tokens. Data transmitted between the client and the Security Proxy is encrypted; data transmitted between the Security Proxy and the host is not. Because that second leg is in the clear, the Security Proxy server should be installed behind a corporate firewall when used in this mode. See Connect to Hosts via Reflection Security Proxy.

Pass Through mode

When configured as a Pass Through Proxy, the Security Proxy passes data to the destination host without regard to content (that is, it ignores any SSL/TLS handshaking data). You can secure data traffic using SSL/TLS between the client and the destination host by enabling SSL user authentication on the destination host. Client authentication (also referred to as user authentication) requires users to prove their identity using digital certificates and is the default setting for the Reflection Security Proxy; it is typically required when an SSL session is first established, and a TN3270 server will also require it if the user is using the Express Logon Feature provided by some mainframe systems. When using a Pass Through proxy, client authorization is not an option. See Connect using Pass Through Mode.

End-to-End Security

TN3270 sessions only. This option combines user authorization with SSL/TLS security for the entire connection. Single sign-on capability using IBM Express Logon is also supported, provided the host supports SSL/TLS. Express Logon (also referred to as single sign-on, or SSO) is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time; it authenticates the user on the mainframe using his or her SSL client certificate in lieu of a user ID and password. See Connect using End-to-End Security and Express Logon for 3270 Sessions.