8.4 Connect to Hosts using the Security Proxy Add-On

The Security Proxy Add-On acts as a proxy for terminal sessions and provides token-based access control, routing encrypted network traffic to and from user workstations.

NOTE: The Security Proxy Add-On requires the base installation of Host Access Management and Security Server. It is not included with the Management and Security Server license. To activate this product, you must purchase a separate license.

Using the Security Proxy Add-On, you can set up the following types of centrally managed secure connections.

Connect using: Client Authorization

When using the default configuration for the Security Proxy, users are authorized using security tokens. Transmitted data between the client and the Security Proxy is encrypted; transmitted data between the Security Proxy and the host is not. The Security Proxy server should be installed behind a corporate firewall when used in this mode.

Before you create a connection, review the Requirements for connections through the Security Proxy and Getting to the Reflection Desktop Security Settings.

Then see the instructions for creating and assigning secure sessions in the Management and Security Server Administrator Guide, in the Host Access Management and Security Server Documentation.

Connect using: Pass Through

When configured as a Pass Through Proxy, the Security Proxy passes data to the destination host without regard to content (that is, it ignores any SSL handshaking data) and does not provide client/server authentication or encryption. If SSL is used in this mode, the SSL session is created between the client and destination host and encrypted data simply passes through the Security Proxy.

You can secure data traffic using SSL between the client and the destination host by enabling SSL user authentication on the destination host. When using a Pass Through proxy, client authorization is not an option.

Before you create a connection, review the Requirements for connections through the Security Proxy and Getting to the Reflection Desktop Security Settings.

For instructions that show how to configure the Security Proxy, see the Management and Security Server Administrator Guide, in the Host Access Management and Security Server Documentation.

NOTE: If you want to establish an SSL-secured connection between Reflection and the destination host using the Security Proxy in Pass Through mode, you may need to unselect Host name must match certificate or, preferably, add the Security Proxy as a Subject Alternative Name in the host server certificate.
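The note above describes a name-mismatch problem: in Pass Through mode the client opens the TLS session to the proxy's address but receives the destination host's certificate, so the hostname check fails unless the proxy name is in that certificate's Subject Alternative Name list. The following is an added illustration written for this page, not Reflection or Security Proxy code; the certificate dictionaries follow the shape returned by Python's ssl.getpeercert(), and the names mainframe.example.com and secproxy.example.com are constructed placeholders.

```python
"""Hostname verification against a server certificate's SAN list.

Shows why a host certificate that names only the destination host is
rejected when the client connects to the Security Proxy's name, and how
adding the proxy as a Subject Alternative Name fixes it without turning
the hostname check off.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A single
    leading wildcard label ("*.example.com") matches exactly one label
    and never the bare domain; partial wildcards ("f*.example.com") are
    treated as literal names and therefore never match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate's SAN DNS entries.

    Only subjectAltName DNS entries are consulted; the subject CommonName is
    deliberately ignored, as current TLS clients do.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(pattern, hostname) for pattern in sans)


def passthrough_outcome(cert: dict, connect_name: str, host_name_must_match: bool = True) -> str:
    """Describe what a client would do with cert when it connected to connect_name.

    host_name_must_match mirrors the client setting named in the note; leaving
    it enabled and fixing the certificate is the stronger configuration.
    """
    if not host_name_must_match:
        return "accepted (host name check disabled)"
    if cert_matches_hostname(cert, connect_name):
        return "accepted"
    return "rejected: name mismatch"


# Constructed sample certificates in ssl.getpeercert() dictionary form.
HOST_CERT_ORIGINAL = {
    "subject": ((("commonName", "mainframe.example.com"),),),
    "subjectAltName": (("DNS", "mainframe.example.com"),),
}
HOST_CERT_WITH_PROXY_SAN = {
    "subject": ((("commonName", "mainframe.example.com"),),),
    "subjectAltName": (
        ("DNS", "mainframe.example.com"),
        ("DNS", "secproxy.example.com"),  # proxy added as a SAN
    ),
}

if __name__ == "__main__":
    proxy = "secproxy.example.com"
    print("original cert, connecting to proxy:", passthrough_outcome(HOST_CERT_ORIGINAL, proxy))
    print("original cert, check disabled:     ",
          passthrough_outcome(HOST_CERT_ORIGINAL, proxy, host_name_must_match=False))
    print("cert with proxy SAN:               ", passthrough_outcome(HOST_CERT_WITH_PROXY_SAN, proxy))
```

Run as a script it prints the three outcomes side by side: the unmodified host certificate is rejected when the client connects to the proxy name, disabling the check accepts it at the cost of name verification, and the certificate that lists the proxy as a SAN is accepted with the check still on.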

To create a Reflection Desktop session that connects to the Security Proxy, see the instructions for creating secure sessions in the Management and Security Server Administrator Guide.

Connect using: End-to-End SSL/TLS Security

This option, available for 3270 sessions only, combines user authorization with SSL/TLS security for the entire connection. Single sign-on capability using the IBM Express Logon Feature is also supported, provided the host supports SSL/TLS. See Connect using End-to-End Security in 3270 Sessions.

Connect using: End-to-End SSH Security

In a standard configuration for a secure Reflection session, the connection between the client and the security proxy server is encrypted using SSL/TLS, but the connection between the security proxy and the host uses unencrypted Telnet. By sending an SSH-encrypted connection through the security proxy tunnel, you can configure a secure Reflection session so that the entire communication path is encrypted from the client, through the proxy server, and on to the host. See Connect using End-to-End Encryption in VT SSH Sessions.