Reflection for Secure IT

Specs

Reflection for Secure IT Gateway

Server Component: Supported Platforms:
  • Windows Server 2016 on Intel or equivalent (64-bit)
  • Windows Server 2012 R2 on Intel or equivalent (64-bit)
  • Windows Server 2012 on Intel or equivalent (64-bit)
  • Windows Server 2008 R2 on Intel or equivalent (64-bit)
  • VMware vSphere Hypervisor (ESXi) running supported platforms
Gateway Administrator Web Application: Supported Browsers (JavaScript and cookies must be enabled):
  • Microsoft Internet Explorer (version 11 or later, Windows only)
  • Mozilla Firefox (current versions)
  • Google Chrome (current versions)
  • Apple Safari (current versions, Mac only)
PKI Services Manager 1.3.2 or later:
  • Required for authentication via X.509 certificates or smart cards
  • Available at no additional charge from the Reflection Gateway download page
Transfer Client: Supported Browsers (Java must be installed; JavaScript and cookies must be enabled):
  • Microsoft Internet Explorer (version 11 or later, Windows only)
  • Mozilla Firefox (current versions)
Connections from other Secure Shell Clients:
  • Using the Reflection Transfer Client to access Transfer Sites is not a requirement
  • Reflection for Secure IT Gateway users can also use the Reflection for Secure IT Secure Shell Client, the Reflection FTP Client configured for SFTP transfer, or any other SFTP-enabled SSH client.
Administrative tools:
  • Creation of Jobs to automate business processes
  • Delegated and Remote Administration
  • Post Transfer Actions for automating file processes after files are received
  • Scalable with support for 500+ connections
  • Automated email notification services including account creation, password reset, transfer site access, and file uploads and downloads
  • Gateway Administrator Console for secure remote administration
  • High availability with support for load balancing and clusters
  • Flexible deployment of components (co-located or separate servers)
  • Support for IPv6 and IPv4 across a network
  • Database storage of Gateway Administrator data
Secure file transfer:
  • SFTP version 4 and 5 protocol support
  • SFTP special features:
    • Smart Copy (to eliminate redundant copying of identical source and target files)
    • File transfers resume after interrupted downloads when the remote server is a Reflection for Secure IT server
  • Virtual directory and chroot environment support
  • Support for store and forward and file streaming through the DMZ
  • SFTP-enabled SSH server included 
Standards support:
  • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716
  • UTF-8 character support
  • Cryptographic library validation
    • FIPS 140-2 Level 1 (Certificate #1747 and Certificate #2768-validation in process)
Identity management:
  • Integration with Microsoft Windows Active Directory
  • Built-in user storage for local users
  • Real-time synchronization
  • Filtering
  • LDAP groups
Auditing:
  • Configurable Windows Event Log level (in Reflection Secure Shell Proxy only)
  • Debug logging with local and/or UTC time stamps
  • Dedicated audit log for all file transfers
Transfer client:
  • Customizable user interface
  • Password or X.509 certificate authentication
  • Web-based drag-and-drop file transfer
    • SFTP version 4 and version 5
    • Preconfigured in FIPS Mode
    • Preconfigured ciphers (AES128-CTR)
  • Local and server views
  • Transfer entire directory trees
  • Smart copy 
  • Checkpoint restart when the remote server is a Reflection for Secure IT server
  • UTF-8 encoding supports file names in any locale
  • English, French, German, and Italian language support

Reflection for Secure IT Client for UNIX

Secure Shell Access:
  • Secure remote terminal connections
  • Secure remote command execution
Secure file transfer:
  • SCP and SFTP special features
    • Smart Copy (to eliminate redundant copying of identical source and target files)
    • File transfer resume after interrupted downloads
    • Recursive directory copying
    • Remote-to-remote transfers (SCP)
    • Automatic ASCII mode for specified file extension types (SFTP)
  • SCP and SFTP version 4 protocol support
  • Support for High Performance Enabled file transfer
  • Unattended scheduled file transfers
Tunneling:
  • X11 protocol
  • Background and "one-shot" (single use) forwarding ports
  • TCP port forwarding (local and remote)
  • FTP protocol
Standards Support:
  • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4345, and 4716
  • UTF-8 character support
Cryptographic Library Validation:
  • FIPS 140-2 Level 1 (Certificate #1747 and #2398-AIX)
Algorithms:
  • Ciphers
    • AES (128-, 192-, and 256-bit CBC)
    • AES (128-, 192-, and 256-bit CTR)
    • 3DES (3 56-bit key EDE)
    • Blowfish (128-bit)
    • CAST (128-bit)
    • Arcfour (128- and 256-bit)
  • Key exchange
    • Diffie-Hellman
    • GSS-API key exchange
    • RSA
    • DSA 
  • MACs
    • HMAC-MD5
    • HMAC-MD5-96
    • HMAC-SHA1
    • HMAC-SHA1-96
    • HMAC-SHA256
    • HMAC-SHA512
    • RIPEMD160
    • Meets DoD requirements for SHA-2 
Accounting and Auditing:
  • Notification of exceeded maximum password attempts
  • Oracle Solaris Projects support
  • Dedicated audit log for all file transfers
Authentication:
  • Reflection PKI Services Manager
    • Centralized configuration and management of PKI functions across Reflection for Secure IT Server for Windows, Server for UNIX, and Client for UNIX
    • Standalone service module supported on most platforms supported by Reflection for Secure IT Server for Windows and Server for UNIX
    • DoD PKI certified
    • FIPS 140-2 Level 1-validated for most supported platforms (Certificate #2058)
    • RFCs 2253, 2560, and 3280
    • X.509 certificates for server and client authentication (X.509 versions 1-3)
    • Version 2 X.509 CRL
    • OCSP revocation checks
    • Support for LDAP and HTTP certificate and CRL repositories
    • Certificate extensions supported
      • CDP
      • IDP
      • AIA
      • Policy constraints
      • Basic constraints
      • Name constraints
      • Extended key usage
    • Customizable configuration on per trust anchor basis
    • Fully customizable mapping of SSH user account names to certificates
    • SOCKS proxy support
    • PKI client command line utility for querying services availability and certificate validity
  • Server authentication
    • Public key (RSA and DSA)
    • PKI X.509 certificates
    • Kerberos (gssapi-keyex)
  • User authentication
    • Password
    • Public key
      • RSA and DSA user keys
      • Agent forwarding
      • Host name aliasing for host key storage
      • PKCS#11 smart card support on Solaris 10 SPARC platforms
    • Keyboard interactive
      • RSA SecurID
      • RADIUS
      • Keyboard-interactive password
    • PKI X.509 certificates
    • Kerberos (gssapi-with-mic)
Performance:
  • High Performance Enabled (HPN) support leverages dynamic TCP windows for improved file transfer performance
  • Granular control of data compression levels enables performance calibration
Operating systems:
  • HP-UX 11i v2 (PA-RISC)
  • HP-UX 11i v2 (Itanium)
  • HP-UX 11i v3 (Itanium)
  • IBM AIX 6.1 (POWER)
  • IBM AIX 7.1 (POWER)
  • Red Hat Enterprise Linux 5 (x86)*
  • Red Hat Enterprise Linux 5 (x86-64)*
  • Red Hat Enterprise Linux 6 (x86)*
  • Red Hat Enterprise Linux 6 (x86-64)*
  • Red Hat Enterprise Linux 7 (x86-64)*
  • Oracle Solaris 10 (x86)*
  • Oracle Solaris 10 (x86-64)*
  • Oracle Solaris 11 (SPARC)*
  • Oracle Solaris 11 (x86-64)*
  • SUSE Linux Enterprise Server 10 (x86)*
  • SUSE Linux Enterprise Server 10 (x86-64)*
  • SUSE Linux Enterprise Server 10 zSeries (64-bit)*
  • SUSE Linux Enterprise Server 11 (x86)*
  • SUSE Linux Enterprise Server 11 (x86-64)*
  • *Customizable installation directory available for Solaris and Linux platforms
System Requirements:
  • For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
  • Network interface card
  • Any system that meets the minimum requirements for the UNIX/Linux operating system
  • Oracle Solaris UltraSPARC CPU

Reflection for Secure IT Client for Windows

Emulation Types:
  • VT500 and VT420
  • VT320, VT220, and VT100
  • VT-UTF8
  • Linux Console
  • BBS-ANSI and SCO-ANSI
  • QNX
  • xterm
Connectivity:
  • SSH1 protocol for compatibility with older protocol servers
  • SCP1 for compatibility with OpenSSH Servers
  • SSH2 protocol IETF SecSh Internet drafts (RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716)
Cryptographic Library Validation:
  • FIPS 140-2 Level 1 (Certificate #1747)
User-Friendly interfaces:
  • Familiar graphical user interface
  • Batch/command-line scripting via SSH, SFTP, and SCP commands
  • Convenient setup for multihop connection
Secure file transfer:
  • SCP
    • Replaces the nonsecure rcp command
    • SCP1 support
  • SFTP
    • Replaces the nonsecure FTP protocol
    • Complies with draft-ietf-secsh-filexfer
  • Secure, graphical FTP client utility
    • Support for wide variety of FTP servers by SFTP protocol, FTP over SSH, standard FTP (unencrypted), FTP over SSL/TLS, and Kerberized FTP (TLS)
  • Servers supported
    • Windows-based, IBM System z (Mainframe), IBM System i (AS/400), UNIX, NetWare, Unisys, HP 3000, and OpenVMS
    • File browsing on IBM mainframes with no host-side intrusion or modification
    • Site-to-site transfer between servers
    • Automation tools (script recorder and Microsoft OLE Automation)
    • Preserve timestamps and file attributes during SFTP transfers
Tunneling:
  • TCP port forwarding (Local/Remote)
  • FTP protocol (dual-channel)
  • X11 forwarding
  • Gateway port
  • RDP protocol (secures Microsoft remote desktop access)
Encryption Algorithms:
  • MACs
    • HMAC-SHA1 and HMAC-SHA1-96
    • HMAC-SHA256 and HMAC-SHA512
    • HMAC-MD5 and HMAC-MD5-96
    • RIPEMD160
  • Key exchange
    • RSA
    • Diffie-Hellman
  • Ciphers
    • AES (128, 192, and 256-bit CTR)
    • AES (128, 192, and 256-bit CBC)
    • 3DES (3 56-bit key CBC)
    • Blowfish (128-bit CBC)
    • CAST (128-bit)
    • Arcfour (128- and 256-bit)
Authentication:
  • Server authentication
    • Public key (RSA and DSA)
    • PKI X.509 certificates
    • GSSAPI
  • User authentication password
    • Local
    • Windows Domain (Active Directory) authentication
  • User authentication public key
    • RSA
    • DSA
    • Agent forwarding
    • Smart card support for agent forwarding
  • Keyboard interactive
    • RSA SecurID
    • RADIUS
    • Keyboard-interactive password
  • PKI X.509 certificates
    • Reflection Certificate Manager
    • Windows Certificate Manager (MSCAPI)
    • Online Certificate Status Protocol (OCSP) support
    • Certificate Revocation Lists (CRL)
    • LDAP/Active Directory retrieval of CRLs and intermediate CA certificates
    • PKCS #12 key and certificate storage
    • PKCS #11 smart card support
    • Shared trusted certificate store location
  • GSSAPI/Kerberos
    • Reflection Kerberos client
    • Microsoft SSPI logon credentials
    • Supports both user and host authentication using GSSAPI
Administrative tools:
  • Micro Focus Host Access Management and Security Server (MSS)*
    • Web-based console for central administration of settings files
    • Web-based deployment of settings files and updates
  • Application customization tool for settings and installation files (including MSI)
  • Support for Windows administration features
    • Windows Installer (MSI)
    • Active Directory
    • Roaming user and multiple user profiles
    • Group Policy
    • Application self-repair
International Support:
  • French
  • German
  • English
  • Japanese
Operating platforms:
  • Microsoft Windows 10 Pro**
  • Microsoft Windows 10 Enterprise**
  • Microsoft Windows 8.1 Pro**
  • Microsoft Windows 7 Enterprise**
  • Microsoft Windows 7 Ultimate**
  • Microsoft Windows Server 2016 with Remote Desktop Services (for multiuser environments)
  • Microsoft Windows Server 2012 R1 or R2 with Remote Desktop Services (for multiuser environments)
  • Microsoft Windows Server 2008 R1** or R2*** with Windows Terminal Server (for multiuser environments)
  • Citrix XenApp
System Requirements:
  • Any system that meets the minimum requirements for the Microsoft Windows operating system
  • Network interface card
  • Disk space varies depending on the features installed
  • *Requires additional license(s)
  • **32- and 64-bit editions
  • ***64-bit editions

Reflection for Secure IT Server for UNIX

Secure shell access:
  • Secure remote terminal connections
  • Secure remote command execution
Secure file transfer:
  • SCP and SFTP version 4 protocol support
  • SCP and SFTP special features
    • Smart Copy (to eliminate redundant copying of identical source and target files)
    • File transfer resume after interrupted downloads
    • Recursive directory copying
    • Remote-to-remote transfers (SCP)
    • Automatic ASCII mode for specified file extension types (SFTP)
  • Support for High Performance Enabled (HPN) file transfer
  • Chroot environment support
  • Unattended scheduled file transfers
Access control:
  • Assignable rights (allow or deny)
    • Terminal shell access
    • Exec requests
    • File transfer access
    • SFTP activities (browse, download, upload, delete, and rename)
  • Assignable to (subconfigurations)
    • Global
    • Groups
    • Users
    • Per client system (by IP address or domain name)
Standards support:
  • Compliance with IETF Secsh Internet drafts and RFCs 4250-4254, 4256, 4462, 4345, and 4716
  • UTF-8 character support
Cryptographic library validation:
  • FIPS 140-2 Level 1 (Certificate #1747 and #2398-AIX)
Algorithms:
  • Ciphers
    • AES (128-, 192-, and 256-bit CTR)
    • AES (128-, 192-, and 256-bit CBC)
    • 3DES (3 56-bit key EDE)
    • Blowfish (128-bit)
    • CAST (128-bit)
    • Arcfour (128- and 256-bit)
  • MACs
    • HMAC-MD5
    • HMAC-MD5-96
    • HMAC-SHA1
    • HMAC-SHA1-96
    • HMAC-SHA256
    • HMAC-SHA512
    • RIPEMD160
    • Meets DoD requirements for SHA-2
  • Key exchange
    • Diffie-Hellman
    • GSS-API key exchange
    • RSA
    • DSA
Authentication:
  • Server authentication
    • Public key (RSA and DSA)
    • PKI X.509 certificates
    • Kerberos (gssapi-keyex)
  • User authentication
    • Password
    • Public key
      • RSA and DSA user keys
      • Key agent utility for private key management
      • Agent forwarding
      • Host name aliasing for host key storage
      • PKCS#11 smart card support on Solaris 10 SPARC platforms
    • Keyboard interactive
      • PAM (Pluggable Authentication Module)
      • RSA SecurID
      • RADIUS
      • Keyboard-interactive password
    • PKI X.509 certificates
    • Kerberos (gssapi-with-mic)
  • LDAP
    • Directory-accessed user shell configurations
    • Support for mkhomedir PAM module for automatic creation of LDAP user home directory
  • Reflection PKI Services Manager
    • Centralized configuration and management of PKI functions across Reflection for Secure IT Server for Windows, Server for UNIX, and Client for UNIX
    • Standalone service module supported on most platforms supported by Reflection for Secure IT Server for Windows and Server for UNIX
    • DoD PKI certified
    • FIPS 140-2 Level 1-validated for most supported platforms (Certificate #2058)
    • RFCs 2253, 2560, and 3280
    • X.509 certificates for server and client authentication (X.509 versions 1-3)
    • Version 2 X.509 CRL
    • OCSP revocation checks
    • HSPD-12 support
    • Support for LDAP and HTTP certificate and CRL repositories
    • Certificate extensions supported
      • CDP
      • IDP
      • AIA
      • Policy constraints
      • Basic constraints
      • Name constraints
      • Extended key usage
    • Customizable configuration on per trust anchor basis
    • Fully customizable mapping of SSH user account names to certificates
    • SOCKS proxy supported
    • PKI client command line utility for querying services availability and certificate validity
  • Other
    • Configurable pre-authenticated session limit
Accounting/auditing:
  • Logon events for all authentication methods
  • Detailed file transfer event capture, including uploads, downloads, and directory listings
  • Notification of exceeded maximum password attempts
  • HP-UX SAM auditing and security tool support
  • Oracle Solaris Basic Security Module auditing support
  • Oracle Solaris Least Privilege Model support
  • AIX System Resource Controller support
  • Dedicated audit log for all file transfers
Performance:
  • High Performance Enabled (HPN) support leverages dynamic TCP windows for improved file transfer performance
  • Granular control of data compression levels enables performance calibration
Operating systems:
  • HP-UX 11i v2 (PA-RISC)
  • HP-UX 11i v2 (Itanium)
  • HP-UX 11i v3 (Itanium)
  • IBM AIX 6.1 (POWER)
  • IBM AIX 7.1 (POWER)
  • Red Hat Enterprise Linux 5 (x86)*
  • Red Hat Enterprise Linux 5 (x86-64)*
  • Red Hat Enterprise Linux 6 (x86)*
  • Red Hat Enterprise Linux 6 (x86-64)*
  • Red Hat Enterprise Linux 7 (x86-64)*
  • Oracle Solaris 10 (SPARC)*
  • Oracle Solaris 10 (x86)*
  • Oracle Solaris 10 (x86-64)*
  • Oracle Solaris 11 (SPARC)*
  • Oracle Solaris 11 (x86-64)*
  • SUSE Linux Enterprise Server 10 (x86)*
  • SUSE Linux Enterprise Server 10 (x86-64)*
  • SUSE Linux Enterprise Server 10 zSeries (64-bit)*
  • SUSE Linux Enterprise Server 11 (x86)*
  • SUSE Linux Enterprise Server 11 (x86-64)*
System requirements:
  • Any system that meets the minimum requirements for the UNIX/Linux operating system
  • Network interface card
  • For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
  • Oracle Solaris UltraSPARC CPU

Reflection for Secure IT Server for Windows 8.2

Secure shell access:
  • Secure remote terminal connections
    • Configurable terminal provider (i.e., cmd.exe)
    • Configurable terminal default directory
    • Use of mapped drives to access network directories during terminal sessions
  • Secure remote command execution
Secure file transfer:
  • SCP and SFTP version 4 protocol support
  • SCP and SFTP special features
    • Smart Copy (to eliminate redundant copying of identical source and target files)
    • File transfer resume after interrupted downloads
  • SCP1 protocol support (for compatibility with OpenSSH clients)
  • Virtual directory and chroot environment support
Access control:
  • Assignable rights (allow or deny)
    • Terminal shell access
    • Exec requests
    • Local port forwarding
    • Remote port forwarding
    • SCP1 access
    • SFTP/SCP2 access
    • SFTP activities (Browse, Download, Upload, Delete, and Rename)
  • Assignable to (subconfigurations)
    • Global
    • Groups
    • Users
    • Per client system (by IP address or domain name)
  • Deny connections to users without Windows interactive access rights
  • Control over the number of connections allowed per user
  • Use of alternative credentials for accessing SFTP directories (for file transfers) and mapped drives (for terminal sessions)
Tunneling:
  • TCP port forwarding (local and remote)
  • FTP protocol (active and passive mode)
  • RDP protocol
Standards support:
  • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716
  • UTF-8 character support
Cryptographic library validation:
  • FIPS 140-2 validated (Certificate #1747)
Algorithms:
  • Ciphers
    • AES (128-, 192-, and 256-bit CTR)
    • AES (128-, 192-, and 256-bit CBC)
    • 3DES (3 56-bit key EDE)
    • Blowfish (128-bit)
    • CAST (128-bit)
    • Arcfour (128- and 256-bit)
  • Key exchange
    • Diffie-Hellman
    • GSS-API key exchange
  • MACs
    • HMAC-MD5 (optional MD5 rejection available)
    • HMAC-MD5-96
    • HMAC-SHA1
    • HMAC-SHA1-96
    • HMAC-SHA256
    • HMAC-SHA512
    • RIPEMD160
    • Meets DoD requirements for SHA-2
Authentication:
  • Reflection PKI Services Manager
    • Centralized configuration and management of PKI functions across multiple Reflection for Secure IT Windows servers, UNIX servers, and UNIX clients
    • Standalone service module supported on most platforms supported by Reflection for Secure IT Windows and UNIX servers
    • DoD PKI certified
    • FIPS 140-2 validated (Certificate #2468)
    • RFCs 2253, 2560, and 3280
    • X.509 certificates for server and client authentication (X.509 versions 1-3)
    • Version 2 X.509 CRL
    • OCSP revocation checks
    • HSPD-12 support
    • Support for LDAP and HTTP certificate and CRL repositories
    • Support for Microsoft Windows Certificate Store
    • Certificate extensions supported
      • CDP
      • IDP
      • AIA
      • Policy constraints
      • Basic constraints
      • Name constraints
      • Extended key usage
    • Customizable configuration on per trust anchor basis
    • Fully customizable mapping of SSH user account names to certificates
    • SOCKS proxy support
    • PKI client command line utility for querying services availability and certificate validity
  • Server authentication
    • Public key (RSA and DSA)
    • PKI X.509 certificates
    • GSSAPI/Kerberos
  • User authentication
    • Password (local user and Windows domain user)
    • Public key
      • RSA user keys
      • DSA user keys
      • X.509 certificates
      • OpenSSH public key interoperability
    • Keyboard interactive
      • RSA SecurID
      • RADIUS
      • Keyboard-interactive password
    • GSSAPI/Kerberos
Auditing and logging:
  • Configurable Windows Event Log level
  • Configurable Debug Log with local and UTC time stamps
  • Notification of exceeded maximum password attempts
  • Dedicated audit log for all file transfers
Administrative tools:
  • Post Transfer Actions for automating important processes for files after they are received
  • ProcessPriority for limiting the amount of CPU resources consumed
  • Customizable locations for server configuration files
  • Section 508 support in the Reflection for Secure IT Server for Windows configuration utility
Operating systems:
  • Microsoft Windows Server 2016 (x86-64)
  • Microsoft Windows Server 2012 (x86-64)
  • Microsoft Windows Server 2008 R2 (x86-64)
  • Microsoft Cluster Service support
  • VMware ESXi support
System requirements:
  • Any system that meets the minimum requirements for the Microsoft Windows operating system
  • Disk space varies depending on the features installed
  • Network interface card
release-rel-2019-3-2-1847 | Wed Mar 20 13:57:48 PDT 2019