The Security Proxy Server provides token-based access control and encrypted network traffic to and from user workstations. See How the Security Proxy Works.
This article walks through the steps to configure and deploy secure sessions using the Security Proxy.
Steps at a glance:
Use the automated installer to install and configure the Security Proxy Server. The Security Proxy can be installed on a different machine. Refer to the MSS Installation Guide for detailed steps.
NOTE: If you are not able to use the automated installer, contact Support for guidance.
Next step: Configure and Start the Security Proxy Server.
The Security Proxy Server must be configured to establish trust with the Management and Security Server (MSS). Use the Security Proxy Wizard to manage your Security Proxy settings and certificates.
Specifically, the Security Proxy Wizard:
generates or imports the certificate used to authenticate the Security Proxy Server.
sets up a server.properties file that contains information about each security proxy connection.
imports the certificate from the Administrative Server -- if you are using authorization to determine access levels.
NOTE: If you installed the Security Proxy using the automated installer, the Security Proxy Server is configured and started, and you can skip to Import the Security Proxy certificates.
Run the Security Proxy Wizard later to change settings or manage certificates.
Start the Security Proxy Wizard, according to where you installed the product.
On Windows: run [MssServerInstall]\securityproxy\bin\SecurityProxyServerWizard.exe
On Linux or UNIX:
The Security Proxy Wizard requires an X11 window to display its graphical interface. Use the console of an X window or an X session, and open a terminal window.
Run the executable:
The wizard opens with the tab in focus. Choose whether to open an existing server.properties file or to create a new one for this Security Proxy server.
Refer to the on each tab for more information.
On the tab, the Management and Security Server certificate.
On the tab, or a proxy.
On the tab, or a security proxy certificate.
Return to the tab and click to export the settings to the Administrative Server.
Specify or accept the default Administrative Server, Port, and Context. Click.
To verify that the server.properties is configured, return to the tab.
Click to close the wizard and save your settings. You may need to restart the Security Proxy service.
To make changes to the Security Proxy settings later, simply re-run the Security Proxy Wizard.
Next step: Start the Security Proxy Server.
If the automated installer was used to install the Security Proxy on the same machine as the Administrative Server, the Security Proxy Server has been started. Continue with 3. Import the Security Proxy certificates.
If a non-automated installation method was used, you must start the Security Proxy Server.
After a server.properties file is configured for the Security Proxy Server, start the Security Proxy Server:
Or, run: [MssServerInstall]\securityproxy\bin\MssSecurityProxy.exe
To start or stop the service, open Windows Control Panel > Administrative Tools > Services, and select.
Note: When the automated installer is used, you can choose to install the servlet runner as a Windows service, in which case the servlet runner starts automatically.
On UNIX and Linux
For UNIX and Linux platforms, you can start and stop the service at run level changes using the method that is appropriate to your platform. Use -start and -stop parameters for the security proxy.
Or, run: [MssServerInstall]/securityproxy/bin/MssSecurityProxy
Note: When the automated installer is used, a link to the services is created in
Command line options
You can use these commands on all platforms to start and stop the Security Proxy:
To install as a service:
Change to your MSS install directory.
Then use a parameter.
On Linux or UNIX:
Use the daemon appropriate to your platform for installing or uninstalling the servlet runner as a service.
Note: The administrator must configure init scripts to start the Security Proxy server on startup.
Next step: Import the Security Proxy certificates.
When the Security Proxy and terminal sessions are configured to run in FIPS-approved mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards.
The current cryptomodules require a manual edit to the Security Proxy properties file to run in FIPS-approved mode.
If you are upgrading from a version that used fipsMode=approved, the new property is not automatically enabled and must be manually configured.
In the FIPS 140-2 Mode section, add or set the fipsApprovedMode= setting to on:
Restart the Security Proxy server.
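The following is an added example, not part of this documentation or the product: a small Python helper that tells a legacy fipsMode=approved configuration apart from the current fipsApprovedMode=on setting and rewrites the file accordingly. Only the two property names come from the text above; the sample file contents, the section comment and the "off" default are assumptions.

```python
import re

# Constructed sample of the FIPS 140-2 Mode section of a server.properties file
# as it might look after an upgrade from a version that used fipsMode=approved.
# The comment line and layout are assumptions, not the product's actual file.
SAMPLE_LEGACY = """\
# FIPS 140-2 Mode
fipsMode=approved
"""

def fips_approved_mode_status(text):
    """Return 'on' if fipsApprovedMode=on is set, 'legacy' if only the
    pre-upgrade fipsMode=approved is present, and 'off' otherwise."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Java-style properties: '#' and '!' start comment lines
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    if props.get("fipsApprovedMode", "").lower() == "on":
        return "on"
    if props.get("fipsMode", "").lower() == "approved":
        return "legacy"
    return "off"

def enable_fips_approved_mode(text):
    """Add or set fipsApprovedMode=on, leaving every other line untouched."""
    pattern = r"^[ \t]*fipsApprovedMode[ \t]*=.*$"
    if re.search(pattern, text, re.M):
        return re.sub(pattern, "fipsApprovedMode=on", text, flags=re.M)
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + "fipsApprovedMode=on\n"
```

Run the status check again after the edit and the restart to confirm the proxy is reading the property you expect.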
Once the Security Proxy is installed and configured, open Management and Security Server to import the Security Proxy settings.
Open the > panel.
Click and enter the required information. See for assistance.
To delete a Security Proxy server, check its box, and click.
Next step: Create Secure Sessions.
After the trust relationship is set between the Management and Security Server and Security Proxy, you can create secure sessions for your users.
In the MSS Administrative Console, open, and click .
Select your (and , if needed), and enter a .
As administrator, open the dialog. You may need to Disconnect first.
NOTE: The dialog labels vary, depending on your emulator product. Refer to the product documentation for details.
Click the option to.
Select a range or an individual TLS version: or .
A new configuration of the Security Proxy server, created by the MSS installer, enables both TLSv1.3 and TLSv1.2. The default settings allow a TLS connection, depending on the capabilities of the host or server to which you are connecting.
Note: Saved settings for TLSv1.1 and TLSv1 are honored but cannot be set for new installations.
Select a and a for this session.
Enter the and the .
If you check, the connection between the Security Proxy and the host will use TLS. Otherwise, that connection is not encrypted.
Click. Close the session, and click to send the settings to the Management and Security Server.
Next step: Assign Secure Sessions.
Now you can enable user access to the secure sessions.
In the Administrative Console, open.
for and click the user or group who should have access to the secure session.
Check the that is configured to use the Security Proxy.
Deploy sessions to users.
Next step: After the sessions have been opened and used, you can Run Reports to view the activity.
In the Administrative Console, open to view the activity from your Security Proxy servers. See the Run Reports - Security Proxy Server Reports for more information.
When you upgrade Management and Security Server, note these requirements for the Security Proxy.
The <major>.<minor> version of the Security Proxy must match that of Management and Security Server.
Be sure to download the upgraded Security Proxy activation file and run it with the automated installer. Or, install the activation file and activate the server. Refer to the MSS Installation Guide.
If the Security Proxy is installed when you upgrade Management and Security Server (including updates and service packs), complete these steps to be sure the Security Proxy server is synchronized with the MSS Administrative Server.
After you upgrade:
Open the (from the Start menu).
On the tab, review the configuration for each port, and click .
Note the Cipher Suites and Certificates:
Multiple cipher suites of the same key type can use the same certificate.
Management and Security Server automatically selects the certificate to use with the associated cipher suite. The selection is based on longest expiration date and other properties. For example:
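The following is an added illustration of the selection rule just described, not the product's own code: given certificates and cipher suites, it pairs each suite with the same-key-type certificate that expires last, so several RSA suites end up sharing one RSA certificate. The certificate aliases and dates are constructed, and skipping already-expired certificates is an assumption beyond what the text states.

```python
from datetime import date

# Constructed certificates in the keystore (aliases and expiry dates are made up).
CERTS = [
    {"alias": "rsa-2023", "key_type": "RSA", "expires": date(2023, 6, 30)},
    {"alias": "rsa-2027", "key_type": "RSA", "expires": date(2027, 1, 15)},
    {"alias": "rsa-2026", "key_type": "RSA", "expires": date(2026, 3, 1)},
    {"alias": "dsa-2028", "key_type": "DSA", "expires": date(2028, 9, 9)},
]

# Cipher suites enabled on a port, mapped to the key type their certificate needs.
CIPHER_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "RSA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "RSA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256": "DSA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDSA",  # no matching cert above
}

def select_certificates(certs, suites, today):
    """For each suite, pick the certificate of the same key type with the
    longest remaining validity; None when no usable certificate exists."""
    chosen = {}
    for suite, key_type in suites.items():
        candidates = [c for c in certs
                      if c["key_type"] == key_type and c["expires"] > today]
        chosen[suite] = (max(candidates, key=lambda c: c["expires"])["alias"]
                         if candidates else None)
    return chosen
```

A suite that maps to None is one the proxy cannot serve until a certificate of that key type is imported.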
To select a different certificate for a particular port:
Click the tab > .
Note (or change) the selected cipher suites.
Select an RSA certificate or DSA certificate for that type of cipher suite. Click.
On the tab, click .
Click> > to send the settings to the MSS Administrative Server.
The Security Proxy provides token-based access control and encrypted network traffic to and from user workstations.
The following diagram highlights the Security Proxy (steps 5 and 6) in the context of the overall Management and Security Server setup.
User connects to the Administrative Server.
User authenticates to a directory server (LDAP/Active Directory) or other identity management system (optional).
The directory server provides user and group identity (optional).
The Administrative Server sends an emulation session to the authorized client.
When the Security Proxy Server is configured for use by a session, the emulation client makes a TLS connection to Security Proxy and sends it a signed session token.
The Security Proxy Server validates the session token and establishes a connection to the specified host:port. The security proxy encrypts the data before forwarding it back to the user.
Note: The connection between the Security Proxy and the host is not encrypted — unless is selected in the session configuration.
When no Security Proxy is present or a session is not configured to use it, the authorized user connects directly to the host.
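As an added example of the token-based access control in steps 5 and 6, not the product's actual token format or code: the Administrative Server side signs a token that binds a user to one host:port and an expiry, and the Security Proxy side refuses the connection unless the signature verifies, the token is unexpired, and the requested destination is the one the token authorizes. The HMAC signing, JSON claims, field names and shared key are all assumptions made for the illustration.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed shared secret; in the product the trust between the Administrative
# Server and the Security Proxy is set up with the Security Proxy Wizard instead.
SHARED_KEY = b"constructed-demo-key"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, user, host, port, ttl_seconds, now=None):
    """Administrative Server side: bind the session to a user and a host:port,
    give it a lifetime, and sign the claims."""
    now = time.time() if now is None else now
    claims = {"sub": user, "host": host, "port": port, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def validate_token(key, token, requested_host, requested_port, now=None):
    """Security Proxy side. Returns (True, user) or (False, reason).
    Every check happens before any connection to the host is attempted."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False, "expired"
    if (claims["host"], claims["port"]) != (requested_host, requested_port):
        return False, "destination not authorized by token"
    return True, claims["sub"]
```

The destination check is what makes the proxy an access-control point rather than a plain TLS relay: a valid token for one host cannot be replayed to reach another.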