Reflection for Secure IT

Specs

  • Reflection for Secure IT Gateway

    Server Component: Supported Platforms:

    • Windows Server 2016 on Intel or equivalent (64-bit)
    • Windows Server 2012 R2 on Intel or equivalent (64-bit)
    • Windows Server 2012 on Intel or equivalent (64-bit)
    • Windows Server 2008 R2 on Intel or equivalent (64-bit)
    • VMware vSphere Hypervisor (ESXi) running supported platforms

    Gateway Administrator Web Application: Supported Browsers (JavaScript and cookies must be enabled):

    • Microsoft Internet Explorer (version 11 or later, Windows only)
    • Mozilla Firefox (current versions)
    • Google Chrome (current versions)
    • Apple Safari (current versions, Mac only)

    PKI Services Manager 1.3.2 or later:

    • Required for authentication via X.509 certificates or smart cards
    • Available at no additional charge from the Reflection Gateway download page

    Transfer Client: Supported Browsers (Java must be installed; JavaScript and cookies must be enabled):

    • Microsoft Internet Explorer (version 11 or later, Windows only)
    • Mozilla Firefox (current versions)

    Connections from other Secure Shell Clients:

    • Using the Reflection Transfer Client to access Transfer Sites is not a requirement
    • Reflection for Secure IT Gateway users can also use the Reflection for Secure IT Secure Shell Client, the Reflection FTP Client configured for SFTP transfer, or any other SFTP-enabled SSH client.

    Administrative tools:

    • Creation of Jobs to automate business processes
    • Delegated and Remote Administration
    • Post Transfer Actions for automating file processes after files are received
    • Scalable with support for 500+ connections
    • Automated email notification services including account creation, password reset, transfer site access, and file uploads and downloads
    • Gateway Administrator Console for secure remote administration
    • High availability with support for load balancing and clusters
    • Flexible deployment of components (co-located or separate servers)
    • Support for IPv6 and IPv4 across a network
    • Database storage of Gateway Administrator data

    Secure file transfer:

    • SFTP version 4 and 5 protocol support
    • SFTP special features:
      • Smart Copy (to eliminate redundant copying of identical source and target files)
      • File transfers resume after interrupted downloads when the remote server is a Reflection for Secure IT server
    • Virtual directory and chroot environment support
    • Support for store and forward and file streaming through the DMZ
    • SFTP-enabled SSH server included 

    Standards support:

    • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716
    • UTF-8 character support
    • Cryptographic library validation
      • FIPS 140-2 Level 1 (Certificate #1747 and Certificate #2768-validation in process)

    Identity management:

    • Integration with Microsoft Windows Active Directory
    • Built-in user storage for local users
    • Real-time synchronization
    • Filtering
    • LDAP groups

    Auditing:

    • Configurable Windows Event Log level (in Reflection Secure Shell Proxy only)
    • Debug logging with local and/or UTC time stamps
    • Dedicated audit log for all file transfers

    Transfer client:

    • Customizable user interface
    • Password or X.509 certificate authentication
    • Web-based drag-and-drop file transfer
      • SFTP version 4 and version 5
      • Preconfigured in FIPS Mode
      • Preconfigured ciphers (AES128-CTR)
    • Local and server views
    • Transfer entire directory trees
    • Smart copy 
    • Checkpoint restart when the remote server is a Reflection for Secure IT server
    • UTF-8 encoding supports file names in any locale
    • English, French, German, and Italian language support
  • Reflection for Secure IT Client for Windows

    Emulation Types:

    • VT500 and VT420
    • VT320, VT220, and VT100
    • VT-UTF8
    • Linux Console
    • BBS-ANSI and SCO-ANSI
    • QNX
    • xterm

    Connectivity:

    • SSH1 protocol for compatibility with older protocol servers
    • SCP1 for compatibility with OpenSSH Servers
    • SSH2 protocol IETF SecSh Internet drafts (RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716)

    Cryptographic Library Validation:

    • FIPS 140-2 Level 1 (Certificate #1747)

    User-Friendly interfaces:

    • Familiar graphical user interface
    • Batch/command-line scripting via SSH, SFTP, and SCP commands
    • Convenient setup for multihop connection

    Secure file transfer:

    • SCP
      • Replaces the nonsecure rcp command
      • SCP1 support
    • SFTP
      • Replaces the nonsecure FTP protocol
      • Complies with draft-ietf-secsh-filexfer
    • Secure, graphical FTP client utility
      • Support for a wide variety of FTP servers by SFTP protocol, FTP over SSH, standard FTP (unencrypted), FTP over SSL/TLS, and Kerberized FTP (TLS)
    • Servers supported
      • Windows-based, IBM System z (Mainframe), IBM System i (AS/400), UNIX, NetWare, Unisys, HP 3000, and OpenVMS
      • File browsing on IBM mainframes with no host-side intrusion or modification
      • Site-to-site transfer between servers
      • Automation tools (script recorder and Microsoft OLE Automation)
      • Preserve timestamps and file attributes during SFTP transfers

    Tunneling:

    • TCP port forwarding (Local/Remote)
    • FTP protocol (dual-channel)
    • X11 forwarding
    • Gateway port
    • RDP protocol (secures Microsoft remote desktop access)

    Encryption Algorithms:

    • MACs
      • HMAC-SHA1 and HMAC-SHA1-96
      • HMAC-SHA256 and HMAC-SHA512
      • HMAC-MD5 and HMAC-MD5-96
      • RIPEMD160
    • Key exchange
      • RSA
      • Diffie-Hellman
    • Ciphers
      • AES (128, 192, and 256-bit CTR)
      • AES (128, 192, and 256-bit CBC)
      • 3DES (3 56-bit key CBC)
      • Blowfish (128-bit CBC)
      • CAST (128-bit)
      • Arcfour (128- and 256-bit)

    Authentication:

    • Server authentication
      • Public key (RSA and DSA)
      • PKI X.509 certificates
      • GSSAPI
    • User authentication password
      • Local
      • Windows Domain (Active Directory) authentication
    • User authentication public key
      • RSA
      • DSA
      • Agent forwarding
      • Smart card support for agent forwarding
    • Keyboard interactive
      • RSA SecurID
      • RADIUS
      • Keyboard-interactive password
    • PKI X.509 certificates
      • Reflection Certificate Manager
      • Windows Certificate Manager (MSCAPI)
      • Online Certificate Status Protocol (OCSP) support
      • Certificate Revocation Lists (CRL)
      • LDAP/Active Directory retrieval of CRLs and intermediate CA certificates
      • PKCS #12 key and certificate storage
      • PKCS #11 smart card support
      • Shared trusted certificate store location
    • GSSAPI/Kerberos
      • Reflection Kerberos client
      • Microsoft SSPI logon credentials
      • Supports both user and host authentication using GSSAPI

    Administrative tools:

    • Micro Focus Host Access Management and Security Server (MSS)*
      • Web-based console for central administration of settings files
      • Web-based deployment of settings files and updates
    • Application customization tool for settings and installation files (including MSI)
    • Support for Windows administration features
      • Windows Installer (MSI)
      • Active Directory
      • Roaming user and multiple user profiles
      • Group Policy
      • Application self-repair

    International Support:

    • French
    • German
    • English
    • Japanese

    Operating platforms:

    • Microsoft Windows 10 Pro**
    • Microsoft Windows 10 Enterprise**
    • Microsoft Windows 8.1 Pro**
    • Microsoft Windows 7 Enterprise**
    • Microsoft Windows 7 Ultimate**
    • Microsoft Windows Server 2016 with Remote Desktop Services (for multiuser environments)
    • Microsoft Windows Server 2012 R1 or R2 with Remote Desktop Services (for multiuser environments)
    • Microsoft Windows Server 2008 R1** or R2*** with Windows Terminal Server (for multiuser environments)
    • Citrix XenApp

    System Requirements:

    • Any system that meets the minimum requirements for the Microsoft Windows operating system
    • Network interface card
    • Disk space varies depending on the features installed
    • *Requires additional license(s)
      • **32- and 64-bit editions
      • ***64-bit editions
  • Reflection for Secure IT Server for Windows

    Secure shell access:

    • Secure remote terminal connections
      • Configurable terminal provider (i.e., cmd.exe)
      • Configurable terminal default directory
      • Use of mapped drives to access network directories during terminal sessions
    • Secure remote command execution

    Secure file transfer:

    • SCP and SFTP version 4 protocol support
    • SCP and SFTP special features
      • Smart Copy (to eliminate redundant copying of identical source and target files)
      • File transfer resume after interrupted downloads
    • SCP1 protocol support (for compatibility with OpenSSH clients)
    • Virtual directory and chroot environment support

    Access control:

    • Assignable rights (allow or deny)
      • Terminal shell access
      • Exec requests
      • Local port forwarding
      • Remote port forwarding
      • SCP1 access
      • SFTP/SCP2 access
      • SFTP activities (Browse, Download, Upload, Delete, and Rename)
    • Assignable to (subconfigurations)
      • Global
      • Groups
      • Users
      • Per client system (by IP address or domain name)
    • Deny connections to users without Windows interactive access rights
    • Control over the number of connections allowed per user
    • Use of alternative credentials for accessing SFTP directories (for file transfers) and mapped drives (for terminal sessions)

    Tunneling:

    • TCP port forwarding (local and remote)
    • FTP protocol (active and passive mode)
    • RDP protocol

    Standards support:

    • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4344, 4345, and 4716
    • UTF-8 character support

    Cryptographic library validation:

    • FIPS 140-2 validated (Certificate #1747)

    Algorithms:

    • Ciphers
      • AES (128-, 192-, and 256-bit CTR)
      • AES (128-, 192-, and 256-bit CBC)
      • 3DES (3 56-bit key EDE)
      • Blowfish (128-bit)
      • CAST (128-bit)
      • Arcfour (128- and 256-bit)
    • Key exchange
      • Diffie-Hellman
      • GSS-API key exchange
    • MACs
      • HMAC-MD5 (optional MD5 rejection available)
      • HMAC-MD5-96
      • HMAC-SHA1
      • HMAC-SHA1-96
      • HMAC-SHA256
      • HMAC-SHA512
      • RIPEMD160
      • Meets DoD requirements for SHA-2

    Authentication:

    • Reflection PKI Services Manager
      • Centralized configuration and management of PKI functions across multiple Reflection for Secure IT Windows servers, UNIX servers, and UNIX clients
      • Standalone service module supported on most platforms supported by Reflection for Secure IT Windows and UNIX servers
      • DoD PKI certified
      • FIPS 140-2 validated (Certificate #2468)
      • RFCs 2253, 2560, and 3280
      • X.509 certificates for server and client authentication (X.509 versions 1-3)
      • Version 2 X.509 CRL
      • OCSP revocation checks
      • HSPD-12 support
      • Support for LDAP and HTTP certificate and CRL repositories
      • Support for Microsoft Windows Certificate Store
      • Certificate extensions supported
        • CDP
        • IDP
        • AIA
        • Policy constraints
        • Basic constraints
        • Name constraints
        • Extended key usage
      • Customizable configuration on per trust anchor basis
      • Fully customizable mapping of SSH user account names to certificates
      • SOCKS proxy support
      • PKI client command line utility for querying services availability and certificate validity
    • Server authentication
      • Public key (RSA and DSA)
      • PKI X.509 certificates
      • GSSAPI/Kerberos
    • User authentication
      • Password (local user and Windows domain user)
      • Public key
        • RSA user keys
        • DSA user keys
        • X.509 certificates
        • OpenSSH public key interoperability
      • Keyboard interactive
        • RSA SecurID
        • RADIUS
        • Keyboard-interactive password
      • GSSAPI/Kerberos

    Auditing and logging:

    • Configurable Windows Event Log level
    • Configurable Debug Log with local and UTC time stamps
    • Notification of exceeded maximum password attempts
    • Dedicated audit log for all file transfers

    Administrative tools:

    • Post Transfer Actions for automating important processes for files after they are received
    • ProcessPriority for limiting the amount of CPU resources consumed
    • Customizable locations for server configuration files
    • Section 508 support in the Reflection for Secure IT Server for Windows configuration utility

    Operating systems:

    • Microsoft Windows Server 2016 (x86-64)
    • Microsoft Windows Server 2012 (x86-64)
    • Microsoft Windows Server 2008 R2 (x86-64)
    • Microsoft Cluster Service support
    • VMware ESXi support

    System requirements:

    • Any system that meets the minimum requirements for the Microsoft Windows operating system
    • Disk space varies depending on the features installed
    • Network interface card
  • Reflection for Secure IT Client for UNIX

    Secure Shell Access:

    • Secure remote terminal connections
    • Secure remote command execution

    Secure file transfer:

    • SCP and SFTP special features
      • Smart Copy (to eliminate redundant copying of identical source and target files)
      • File transfer resume after interrupted downloads
      • Recursive directory copying
      • Remote-to-remote transfers (SCP)
      • Automatic ASCII mode for specified file extension types (SFTP)
    • SCP and SFTP version 4 protocol support
    • Support for High Performance Enabled file transfer
    • Unattended scheduled file transfers

    Tunneling:

    • X11 protocol
    • Background and "one-shot" (single use) forwarding ports
    • TCP port forwarding (local and remote)
    • FTP protocol

    Standards Support:

    • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4345, and 4716
    • UTF-8 character support

    Cryptographic Library Validation:

    • FIPS 140-2 Level 1 (Certificate #1747 and #2398-AIX)

    Algorithms:

    • Ciphers
      • AES (128-, 192-, and 256-bit CBC)
      • AES (128-, 192-, and 256-bit CTR)
      • 3DES (3 56-bit key EDE)
      • Blowfish (128-bit)
      • CAST (128-bit)
      • Arcfour (128- and 256-bit)
    • Key exchange
      • Diffie-Hellman
      • GSS-API key exchange
      • RSA
      • DSA
    • MACs
      • HMAC-MD5
      • HMAC-MD5-96
      • HMAC-SHA1
      • HMAC-SHA1-96
      • HMAC-SHA256
      • HMAC-SHA512
      • RIPEMD160
      • Meets DoD requirements for SHA-2

    Accounting and Auditing:

    • Notification of exceeded maximum password attempts
    • Oracle Solaris Projects support
    • Dedicated audit log for all file transfers

    Authentication:

    • Reflection PKI Services Manager
      • Centralized configuration and management of PKI functions across Reflection for Secure IT Server for Windows, Server for UNIX, and Client for UNIX
      • Standalone service module supported on most platforms supported by Reflection for Secure IT Server for Windows and Server for UNIX
      • DoD PKI certified
      • FIPS 140-2 Level 1-validated for most supported platforms (Certificate #2058)
      • RFCs 2253, 2560, and 3280
      • X.509 certificates for server and client authentication (X.509 versions 1-3)
      • Version 2 X.509 CRL
      • OCSP revocation checks
      • Support for LDAP and HTTP certificate and CRL repositories
      • Certificate extensions supported
        • CDP
        • IDP
        • AIA
        • Policy constraints
        • Basic constraints
        • Name constraints
        • Extended key usage
      • Customizable configuration on per trust anchor basis
      • Fully customizable mapping of SSH user account names to certificates
      • SOCKS proxy support
      • PKI client command line utility for querying services availability and certificate validity
    • Server authentication
      • Public key (RSA and DSA)
      • PKI X.509 certificates
      • Kerberos (gssapi-keyex)
    • User authentication
      • Password
      • Public key
        • RSA and DSA user keys
        • Agent forwarding
        • Host name aliasing for host key storage
        • PKCS#11 smart card support on SPARC platforms
      • Keyboard interactive
        • RSA SecurID
        • RADIUS
        • Keyboard-interactive password
      • PKI X.509 certificates
      • Kerberos (gssapi-with-mic)

    Performance:

    • High Performance Enabled (HPN) support leverages dynamic TCP windows for improved file transfer performance
    • Granular control of data compression levels enables performance calibration

    Operating systems:

    • HP-UX 11i v2 (PA-RISC)
    • HP-UX 11i v2 (Itanium)
    • HP-UX 11i v3 (Itanium)
    • IBM AIX 6.1 (POWER)
    • IBM AIX 7.1 (POWER)
    • Red Hat Enterprise Linux 7 (x86-64)*
    • Oracle Solaris 11 (SPARC)*
    • Oracle Solaris 11 (x86-64)*
    • SUSE Linux Enterprise Server 10 (x86)*
    • SUSE Linux Enterprise Server 10 (x86-64)*
    • SUSE Linux Enterprise Server 10 zSeries (64-bit)*
    • SUSE Linux Enterprise Server 11 (x86)*
    • SUSE Linux Enterprise Server 11 (x86-64)*
    • *Customizable installation directory available for Solaris and Linux platforms

    System Requirements:

    • For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
    • Network interface card
    • Any system that meets the minimum requirements for the UNIX/Linux operating system
    • Oracle Solaris UltraSPARC CPU
  • Reflection for Secure IT Server for UNIX

    Secure shell access:

    • Secure remote terminal connections
    • Secure remote command execution

    Secure file transfer:

    • SCP and SFTP version 4 protocol support
    • SCP and SFTP special features
      • Smart Copy (to eliminate redundant copying of identical source and target files)
      • File transfer resume after interrupted downloads
      • Recursive directory copying
      • Remote-to-remote transfers (SCP)
      • Automatic ASCII mode for specified file extension types (SFTP)
    • Support for High Performance Enabled (HPN) file transfer
    • Chroot environment support
    • Unattended scheduled file transfers

    Access control:

    • Assignable rights (allow or deny)
      • Terminal shell access
      • Exec requests
      • File transfer access
      • SFTP activities (browse, download, upload, delete, and rename)
    • Assignable to (subconfigurations)
      • Global
      • Groups
      • Users
      • Per client system (by IP address or domain name)

    Standards support:

    • Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4345, and 4716
    • UTF-8 character support

    Cryptographic library validation:

    • FIPS 140-2 Level 1 (Certificate #1747 and #2398-AIX)

    Algorithms:

    • Ciphers
      • AES (128-, 192-, and 256-bit CTR)
      • AES (128-, 192-, and 256-bit CBC)
      • 3DES (3 56-bit key EDE)
      • Blowfish (128-bit)
      • CAST (128-bit)
      • Arcfour (128- and 256-bit)
    • MACs
      • HMAC-MD5
      • HMAC-MD5-96
      • HMAC-SHA1
      • HMAC-SHA1-96
      • HMAC-SHA256
      • HMAC-SHA512
      • RIPEMD160
      • Meets DoD requirements for SHA-2
    • Key exchange
      • Diffie-Hellman
      • GSS-API key exchange
      • RSA
      • DSA

    Authentication:

    • Server authentication
      • Public key (RSA and DSA)
      • PKI X.509 certificates
      • Kerberos (gssapi-keyex)
    • User authentication
      • Password
      • Public key
        • RSA and DSA user keys
        • Key agent utility for private key management
        • Agent forwarding
        • Host name aliasing for host key storage
        • PKCS#11 smart card support on SPARC platforms
      • Keyboard interactive
        • PAM (Pluggable Authentication Module)
        • RSA SecurID
        • RADIUS
        • Keyboard-interactive password
      • PKI X.509 certificates
      • Kerberos (gssapi-with-mic)
    • LDAP
      • Directory-accessed user shell configurations
      • Support for mkhomedir PAM module for automatic creation of LDAP user home directory
    • Reflection PKI Services Manager
      • Centralized configuration and management of PKI functions across Reflection for Secure IT Server for Windows, Server for UNIX, and Client for UNIX
      • Standalone service module supported on most platforms supported by Reflection for Secure IT Server for Windows and Server for UNIX
      • DoD PKI certified
      • FIPS 140-2 Level 1-validated for most supported platforms (Certificate #2058)
      • RFCs 2253, 2560, and 3280
      • X.509 certificates for server and client authentication (X.509 versions 1-3)
      • Version 2 X.509 CRL
      • OCSP revocation checks
      • HSPD-12 support
      • Support for LDAP and HTTP certificate and CRL repositories
      • Certificate extensions supported
        • CDP
        • IDP
        • AIA
        • Policy constraints
        • Basic constraints
        • Name constraints
        • Extended key usage
      • Customizable configuration on per trust anchor basis
      • Fully customizable mapping of SSH user account names to certificates
      • SOCKS proxy supported
      • PKI client command line utility for querying services availability and certificate validity
    • Other
      • Configurable pre-authenticated session limit

    Accounting/auditing:

    • Logon events for all authentication methods
    • Detailed file transfer event capture, including uploads, downloads, and directory listings
    • Notification of exceeded maximum password attempts
    • HP-UX SAM auditing and security tool support
    • Oracle Solaris Basic Security Module auditing support
    • Oracle Solaris Least Privilege Model support
    • AIX System Resource Controller support
    • Dedicated audit log for all file transfers

    Performance:

    • High Performance Enabled (HPN) support leverages dynamic TCP windows for improved file transfer performance
    • Granular control of data compression levels enables performance calibration

    Operating systems:

    • HP-UX 11i v2 (PA-RISC)
    • HP-UX 11i v2 (Itanium)
    • HP-UX 11i v3 (Itanium)
    • IBM AIX 6.1 (POWER)
    • IBM AIX 7.1 (POWER)
    • Red Hat Enterprise Linux 7 (x86-64)*
    • Oracle Solaris 11 (SPARC)*
    • Oracle Solaris 11 (x86-64)*
    • SUSE Linux Enterprise Server 10 (x86)*
    • SUSE Linux Enterprise Server 10 (x86-64)*
    • SUSE Linux Enterprise Server 10 zSeries (64-bit)*
    • SUSE Linux Enterprise Server 11 (x86)*
    • SUSE Linux Enterprise Server 11 (x86-64)*

    System requirements:

    • Any system that meets the minimum requirements for the UNIX/Linux operating system
    • Network interface card
    • For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
    • Oracle Solaris UltraSPARC CPU