Security Proxy Server

The Security Proxy Server provides token-based access control and encrypted network traffic to and from user workstations. The Security Proxy can be used by Reflection Desktop and Reflection for the Web.

Enabling the Security Proxy Server

For Reflection Desktop. The Security Proxy is enabled by installing an activation file, which is available for download and is licensed separately. To enable:

  1. In the MSS Administrative Console, click Configure Settings - Product Activation.

  2. Click ACTIVATE NEW and browse to and click the activation file for the security proxy: activation.security_proxy-<version>.jaw

    The Security Proxy is added to the Product list.

For Reflection for the Web. The Security Proxy entitlement is included in the Reflection for the Web activation file.


Configuring the Security Proxy

The Cluster Certificate is automatically shared across all nodes in a cluster, and is used as the identity for the Security Proxy. You must define and add the Cluster Certificate, which will be used by the Security Proxy.

Note

The Security Proxy Wizard, previously used to manage certificates, is no longer used for configuration.

To define and add the Cluster Certificate:

  1. Log in to the MSS Administrative Console at https://hostname/adminconsole.

  2. From the drop-down menu, click Cluster Management.

  3. Click Settings, and expand the Certificate and Private Key panels.

  4. Click Import File and navigate to your certificate and key.

  5. Select and import the files. Or, you can drag and drop the certificate and key files into the fields.

    To verify: first close and re-open your web browser; then access the session server and note the updated certificate that is reported by the browser's site information.

  6. Redeploy the Security Proxy service:

    a. In the Cluster Management console, click Services.

    b. Next to the mss-security-proxy service, click the ellipsis, and then click Redeploy All.

    Important

    Be aware that end users may be affected when a service is redeployed.
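The browser check in step 5 can also be done from a script. This is an added example, not part of the product or its documentation: it compares the SHA-256 fingerprint of the certificate file you imported with the certificate a TLS endpoint presents. The host, the port, and the assumption that the first certificate in the file is the server certificate are yours to supply and confirm.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file or bundle.
    Input without PEM armour is assumed to be DER already and returned as is."""
    match = PEM_BLOCK.search(data.decode("latin-1"))
    if match is None:
        return data
    return base64.b64decode("".join(match.group(1).split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the endpoint presents. Validation is disabled on
    purpose: the goal is to read the certificate, not to trust the channel."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def same_certificate(imported: bytes, served: bytes) -> bool:
    """True when the imported file and the served certificate are identical."""
    return fingerprint(leaf_der(imported)) == fingerprint(leaf_der(served))

if __name__ == "__main__":
    # Usage: script.py <certificate file> <host> [port]; port 443 is an assumption.
    cert_path, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    with open(cert_path, "rb") as fh:
        imported = fh.read()
    served = served_der(host, port)
    print("imported:", fingerprint(leaf_der(imported)))
    print("served:  ", fingerprint(served))
    sys.exit(0 if same_certificate(imported, served) else 1)
```

A non-zero exit status means the endpoint is still presenting a different certificate than the one in the file.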


Advanced Configuration

You can customize your Security Proxy installation by editing the Security Proxy service properties. Work with Customer Support to set custom properties, such as specifying non-default values for the TLS version, Crypto Suites, and OCSP.

  1. In the Cluster Management console, click Services.

  2. Next to the mss-security-proxy service, click the ellipsis, and then click Edit Properties.

  3. Enter the Key and Value for each custom property.

  4. In some cases, you may be asked to Redeploy a service after editing the properties.
    Next to the mss-security-proxy service, click the ellipsis, and then click Redeploy All.

    Important

    Be aware that end users may be affected when a service is redeployed.

Setting the Logging Level

To set logging properties for the Security Proxy Server:

  1. Open the Cluster Management console, and click Services.

  2. Next to the mss-security-proxy service, click the ellipsis, and then click Edit Properties.

  3. For detailed logging, add this key/value pair.

    • Key: logging.level.root
    • Value: DEBUG

    Other values: INFO, WARN, SEVERE

To view the Security Proxy logs:

  1. From the MSS Administrative Console drop-down menu, open the Cluster Management console.

  2. On the Services page, click mss-security-proxy.

  3. Click the ellipsis, and then click View Recent Logs or Download Logs.

Using FIPS-Approved Mode

When the Security Proxy and terminal sessions are configured to run in FIPS-approved mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards.

To configure the Security Proxy to run in FIPS-approved mode, edit the mss-security-proxy service properties with this key/value pair:

  • Key: fipsApprovedMode
  • Value: on

For detailed steps to set properties for the Security Proxy service, see Advanced Configuration.

Running Reports

After you configure sessions to use the Security Proxy, you can run reports to view the current user activity and the connections per Security Proxy server.

See Run Reports - Security Proxy Server.