Evaluating Reflection For Secure IT Windows Client


Micro Focus Reflection for Secure IT

Reflection for Secure IT. Secure Shell backed by Service

You’re ready to get serious about security, and Reflection for Secure IT can help. By replacing nonsecure Telnet and FTP with a reliable encrypted alternative, administrators can access any TCP/IP-based application through a secure transmission tunnel, and safely transmit sensitive data and manage remote servers — even over untrusted networks.

Why use Secure Shell?

The Secure Shell (SSH) protocol is a flexible, dependable way to guarantee the safety of your data in motion. The following vital features provide reliable safeguards that are increasingly important in today’s world:

- Server authentication ensures that your clients communicate with the correct server.
- Client authentication ensures that only authorized client users can connect to your server.
- Data encryption assures that data in transit is indecipherable — the client and server establish a unique key for each Secure Shell session, and this key is required to decipher the data.
- Data integrity checking verifies that your data has not been altered during transit.
- Port forwarding protects TCP/IP communications sent over an untrusted network.

Why use Reflection for Secure IT?

To build a security solution you can trust, you need to work with software and people you can trust. With Reflection for Secure IT and Attachmate you can count on:

- Rock solid, supported software. Our developers use the latest techniques in secure software design to ensure that Reflection for Secure IT products are optimized for stability and security.
- Cross-platform support. Reflection for Secure IT clients and servers are available for Windows and UNIX operating systems, and run on both 32-bit and 64-bit hardware.
- Responsive technical support. Our technical support experts work closely with you and with our development team to make sure that your questions and concerns are answered quickly and correctly.
- Security updates. Our security specialists watch for potential security vulnerabilities. In the event that we learn of a new vulnerability, we keep you informed and make it our top priority to resolve your security concerns.
- Comprehensive documentation. Our documentation team is committed to providing you with complete, technically accurate information about all facets of our products.

See for yourself!

The evaluation software is a fully-functional, time-limited copy of Reflection for Secure IT Windows Client. If you haven’t yet downloaded the evaluation software, go m and fill out the evaluation request form. Shortly after you submit the form, you’ll receive an e-mail message with a link to the evaluation download page.

1. From the evaluation download page, click the Download Now link, and run the program.
2. Select a location for the installer files and click Next.
   The files are extracted to the specified location and the Reflection installer starts automatically.

Before you get started.

- You’ll need access to a running Secure Shell server. You can use any server that is already available to you, or you can download and install an evaluation copy of the Reflection for Secure IT Windows or UNIX server.
- Supplement this document by viewing the Reflection for Secure IT Windows Client 8.0 user guide. This guide is installed with your evaluation copy.

Getting started with Reflection for Secure IT

This guide walks you through a few key tasks that are familiar to typical Reflection for Secure IT users. After you try the procedures, you can review the ideas under “Do more.” There you’ll find suggestions that can help you use the rich feature set in Reflection to maximize the highest levels of security, while saving time and money.

Getting connected

As soon as you’ve completed your installation, Reflection for Secure IT is ready to make a secure connection to your host. The following procedure will get you connected using default security settings:

1. Start Reflection for Secure IT Client (Start > Programs > Micro Focus Reflection > SSH Client).
2. From the toolbar, click the Connect/Disconnect button.
3. From the Connection Setup dialog box, enter your host name (or IP address) and user name, and then click Connect.
   Note: The first time you connect to your host, you’ll see a Host Key Authenticity dialog box.
   If you’re used to Telnet connections, this prompt will be new to you. The fingerprint shown in the dialog box (in two formats) can be used to authenticate your server. You can confirm the validity of the host key by contacting the system administrator of the server.
4. Click Always to add this host key to your known hosts list.
   Once the host key is added to this list, the client can authenticate the server without requiring user confirmation, so you won’t see the unknown host prompt again when connecting to this host.
5. Enter your password for this host, and then click OK.
   After you’ve authenticated successfully, the terminal window provides a shell session that you can use to execute commands on the server — either UNIX shell commands or Windows DOS commands depending on your server.

   Figure: A successful connection to a Windows server

6. Click File > Save to save a settings file with this session configuration.

To connect to the same host again, just open your saved settings file. Reflection for Secure IT automatically initiates the connection.

Do more.

Now that you’ve made your first connection, you’re ready to do more. Here are some ideas:

- Customize the display
  Go to Setup > Display to customize screen colors, fonts, and other display options.
- Get quick access to settings using the Configuration toolbar
  Click the Configure session settings button.
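The Host Key Authenticity prompt in the procedure above asks you to compare a fingerprint with the value your server administrator gives you. The following is an added example, not part of the original guide or of Reflection itself: a Python sketch that computes fingerprints from a public key line and compares them with a trusted value. It assumes the OpenSSH `keytype base64 [comment]` key format and the MD5-hex and SHA-256 fingerprint formats used by OpenSSH tools (the guide does not name the two formats the dialog shows); all function names are hypothetical, and the sample key is constructed.

```python
import base64
import hashlib
import hmac
import struct


def make_sample_key_line(seed):
    """Build a syntactically valid ssh-ed25519 key line (constructed sample data)."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real key
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample-host-key"


def parse_key_blob(line):
    """Decode the blob of 'keytype base64 [comment]' and check its embedded type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64-blob [comment]'")
    keytype = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return blob


def fingerprints(line):
    """Return the MD5 (colon-separated hex) and SHA-256 (base64) fingerprints."""
    blob = parse_key_blob(line)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64,
    }


def matches_trusted(line, trusted):
    """True only if the administrator-supplied fingerprint matches this key."""
    trusted = trusted.strip()
    computed = fingerprints(line)
    if trusted.startswith("SHA256:"):
        candidate = computed["sha256"]            # base64 is case-sensitive
    else:
        if trusted.upper().startswith("MD5:"):
            trusted = trusted[4:]
        trusted = trusted.lower()                 # hex is not case-sensitive
        candidate = computed["md5"]
    return hmac.compare_digest(candidate.encode(), trusted.encode())


if __name__ == "__main__":
    presented = make_sample_key_line(b"server-a")
    print(fingerprints(presented))
```

Obtain the trusted fingerprint over a separate channel from the connection being checked; a value read from the same session proves nothing about the server.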

- Configure public key authentication
  With Public key user authentication, the Secure Shell server uses a unique digital signature to authenticate the client user. To configure this, you create a private key on your workstation and upload the corresponding public key to the remote server. Public key authentication improves security because no authentication secret is ever sent over the network. (With password authentication, the encrypted password must be sent over the network each time the user authenticates.)
  To configure public key authentication, click the Configure session settings toolbar button. In the left pane of the terminal window, click User Keys to open the tab shown in the following graphic. The Reflection for Secure IT Windows Client User Guide includes detailed procedures to help you configure your settings.

  Figure: Configuring user keys

- Easily upload keys to the server
  Use the Upload button, shown in the dialog box above, to simplify uploading your user key to the server. Reflection automatically uploads keys using the correct location and format for your server.
- Configure certificate authentication
  Certificate authentication solves some of the problems presented by public key authentication. For example, when public keys are used for client authentication, each client public key must be uploaded to the server and the server needs to be configured to recognize that key. When certificate authentication is used, a single CA (Certificate Authority) root certificate can be used to authenticate multiple client users. By default, Reflection for Secure IT uses certificates that you install in a Reflection-specific certificate store. You can also configure Reflection to use certificates in the Microsoft certificate store in addition to those in the Reflection store. Using the Microsoft store enables you to use certificates that were installed with the operating system. Using the Reflection store enables you to enforce a higher level of security for your Reflection connections.
  To open the Reflection Certificate Manager, click the Configure session settings toolbar button. In the left pane of the terminal window, click PKI, then click the Reflection Certificate Manager button.

  Figure: The Reflection Certificate Manager

- Configure Secure Shell settings for particular hosts or groups of hosts
  Whether you want to share the same Secure Shell settings for multiple hosts or use different settings for particular hosts, you can use configuration schemes to store appropriate settings for each connection.

  To create a new configuration scheme, open the Connection Setup dialog box (Connection > Connection Setup) and specify a host name. You can leave SSH config scheme blank (in this case, the scheme name defaults to the current host name), or specify a scheme name that describes the security settings you are configuring. Next, click Security, configure your Secure Shell settings, and then click OK. Any changes you make to your Secure Shell settings are saved to the client configuration file under the current scheme name. You can now apply this scheme to subsequent connections.
- Save window layouts
  If you frequently work with several terminal sessions at a time, or if you like to open an FTP client session automatically with each terminal session, you can use layouts to save your Reflection sessions together as a group. Open the Reflection settings files that you want to include in your layout, and then click File > Layout.
- Work from the command line
  Reflection for Secure IT client includes a complete set of command line utilities that you can use to establish connections, configure forwarding, transfer files, and manage public keys. The following commands are supported: ssh, scp, sftp, and ssh-keygen.

Transferring files securely

You can transfer files securely with the Reflection FTP Client using a simple drag-and-drop operation. You can drag individual files, multiple files, and entire folders. Let’s try it:

1. From the Windows Start menu, click Micro Focus Reflection > FTP Client.
   The Connect to FTP Site dialog box opens automatically.
2. Click New.
   The Add FTP Site wizard starts. The wizard is configured to create secure SFTP connections by default. For SFTP connections, your host needs to be running a Secure Shell server.
3. Step through the wizard, entering your host and user name when prompted.
4. On the last panel, you are asked if you want to connect to the FTP site. Select Yes (the default), and then click Finish to exit the wizard and make the connection.
   Note: If you are connecting to the same server you used for your terminal session, you won’t see the Host Key Authenticity dialog box. If you are connecting to a different server, you’ll need to add this server to your known hosts list.
5. Browse to locate the files or folders you want to transfer, and to the destination location for the transfer. To browse your local folders use the left pane. To browse the server directories, use the right pane.
6. Select the files or folders you want to transfer and drag them from the source location to your desired destination.

   Figure: Using drag-and-drop to transfer from the PC to the server

   Note: The client maintains a list of which transfer method to use for each file type. The first time you transfer a file with a file extension that’s not on this list, you’ll be given the option to set the transfer method.

   Figure: Setting the file transfer type for .xls files

7. Click File > Save to save your changes to the settings file.
   Your saved site will appear in the connection list each time you launch the FTP Client. Saving your settings also saves other changes you make during a session (such as setting a new transfer method).

Do more.

Now that you have transferred your first file, you’re ready to take advantage of Reflection features that can help you simplify and automate your file transfer tasks. Here are some ideas to get you started:

- Drag-and-drop entire folders
  When you drag a folder, all the files within that folder are transferred.
- Set site-specific home directories
  To save time navigating to files and directories, you can configure site-specific startup directories. From the Connect to FTP Site dialog box click Properties, then go to the Directories tab. You can configure startup directories for both the PC and the server; however, your access to server directories may be limited by the server configuration.
- Use the command window to see detailed command information
  Click View > Command Window to see the communication sent between the client and server.
- Use the script recorder to create scripts
  You can easily automate transfers by recording and replaying transfer scripts. Use Script > Start recording.
- Automate transfers using the scp and sftp command line utilities
  You can use the scp and sftp command line utilities to create batch files for automating secure file transfer. Reference information for these utilities is available in the application help.
- Use the Automation API to transfer files from other applications
  Using the FTP Client Automation API, you can script FTP transfers from Visual Basic programs and other external applications, including Microsoft Office applications. For a complete reference, open the FTP Client application help (Help > Help Topics), and find “Help for the FTP Client Automation API” in the table of contents.

Securing communications using port forwarding

Port forwarding, also known as tunneling, is a powerful feature that redirects communications through the Secure Shell channel of an active session. When port forwarding is configured, all data sent to a specified port is redirected through the secure channel. This capability enables you to route all your traffic through one secured port in the firewall (similar to the way SOCKS works, except with encryption). The next exercise shows how you can use port forwarding to accomplish secure remote server administration.

Configure secure remote administration

One of the protocols that can be sent through a Secure Shell tunnel is RDP (Remote Desktop Protocol). RDP is the protocol underlying what Microsoft calls Remote Desktop in Windows Server 2003 and Terminal Services in Windows 2000 Server. It enables you to log on remotely to a Windows computer and work as if you were seated at the local console.

Remote Desktop requires opening another port in the firewall — typically port 3389 — which most security-conscious organizations are reluctant to do. Running RDP through a Secure Shell tunnel encrypts your communication and enables you to keep tighter control over which ports are open. Here’s how it works:

1. Install your Secure Shell server on the target Windows server, and the Reflection for Secure IT client on your local workstation.
2. Confirm that forwarding is enabled on your server; the default for Reflection for Secure IT servers.
3. Enable Remote Desktop/Terminal Services on the Windows server, and confirm that your account is allowed remote access.
4. Launch the Reflection for Secure IT Client (Start > Programs > Micro Focus Reflection > SSH Client).
5. From the Connection menu, select Connection Setup, and then enter your host and user name.
   Note: You may also want to specify a value for SSH config scheme. Doing this enables you to select this scheme whenever you want to initiate a Remote Desktop connection, and use a different scheme for other Secure Shell connections to the same host.

   Figure: Configuring the connection to the Secure Shell server

6. Click Security.
7. From the Tunneling tab, under Local Forwarding, click Add.
   The Local Port Forwarding dialog box opens.

   Figure: Configuring secure Remote Desktop forwarding

8. For Forward local port, enter an arbitrary port (using any available value greater than 1024). Data sent to this port will be forwarded through the secure tunnel to the server.
9. Under Destination Host, select Tunnel Remote Desktop.
   This setting configures the client to forward the RDP protocol using the specified port, and also to launch Remote Desktop automatically as soon as the Secure Shell connection is established.
10. Under Destination Host, set Name equal to localhost. This value specifies that the destination for the forwarded data is the same computer that is running the Secure Shell server.
11. Click OK to return to the Connection Setup dialog box.
12. Click Connect and log on to the Windows server using your credentials.
    A Remote Desktop/Terminal Services session starts automatically as soon as the Secure Shell session is established.
13. Log on to complete your secure remote session.
14. Click File > Save to save this session configuration.

Now you can open your saved settings file whenever you need to administer the remote server. Reflection automatically launches a secure remote session using your saved configuration.

Do more.

Port forwarding is a powerful and flexible feature that can help you secure your data in motion. Here are some ideas to get you started:

- Forward data exchanged between any TCP/IP client and server
  You can secure the data exchanged between any client and server applications that use the TCP/IP protocol. This means that you can securely forward Telnet, HTTP, SMTP, POP, and IMAP communications over an untrusted network. Once you’ve configured a forwarded port, just set your TCP/IP application to connect to the forwarded port. For help setting up forwarding, see the Reflection for Secure IT Windows Client User Guide.
- Use forwarding to secure FTP protocol transfers
  By default, Reflection for Secure IT uses the SFTP protocol for secure file transfer. In some cases, you may prefer to use the FTP protocol, which supports additional command options. With Reflection for Secure IT, you can easily configure FTP protocol forwarding. When you do, your data is fully protected because both the command and data channels are forwarded through the secure tunnel. From the FTP Client Connect to Site dialog box select a site, and then go to Security > Secure Shell > Tunnel FTP using port forwarding.
- Configure forwarding using the command line or the configuration file
  Reflection for Secure IT offers flexible options for configuring forwarding. Besides configuring it from the user interface, you can configure forwarding using the ssh command line utility or by editing the client configuration file.
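When forwarding is defined on the command line or in a configuration file instead of the dialog box, the choices made in steps 8 to 10 above (local port greater than 1024, destination localhost, RDP on port 3389) can be checked before the tunnel is used. The following is an added example, not part of the original guide or of Reflection itself: a Python check for forward specifications in the OpenSSH-style `[bind_address:]port:host:hostport` form. That Reflection's ssh utility and configuration file accept exactly this form is an assumption, and the function names are hypothetical.

```python
import ipaddress


def parse_local_forward(spec):
    """Split '[bind_address:]port:host:hostport'; IPv6 literals must be bracketed."""
    parts, buf, depth = [], "", 0
    for ch in spec.strip():
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    if len(parts) == 3:
        parts.insert(0, None)  # bind address omitted: the client default applies
    if len(parts) != 4:
        raise ValueError("expected [bind_address:]port:host:hostport")
    bind, listen_port, host, host_port = parts
    if bind is not None:
        bind = bind.strip("[]")
    return bind, int(listen_port), host.strip("[]"), int(host_port)


def is_loopback(host):
    """True for 'localhost' and for loopback IP literals such as 127.0.0.1 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other host names, and wildcards such as '*' or ''


def audit_forward(spec, expected_port=3389):
    """Return a list of findings; an empty list means the spec matches the procedure."""
    bind, listen_port, host, host_port = parse_local_forward(spec)
    findings = []
    if not 1024 < listen_port <= 65535:
        findings.append("listen port %d is not in the range 1025-65535" % listen_port)
    # In OpenSSH an empty or '*' bind address exposes the listener on all interfaces.
    if bind is not None and not is_loopback(bind):
        findings.append("listener bound to %r is reachable from other machines" % bind)
    if not is_loopback(host):
        findings.append("destination %s is reached from the SSH server outside the tunnel" % host)
    if host_port != expected_port:
        findings.append("destination port %d is not the expected %d" % (host_port, expected_port))
    return findings


if __name__ == "__main__":
    for sample in ("3390:localhost:3389", "*:80:10.0.0.5:3389"):  # constructed samples
        print(sample, audit_forward(sample))
```

A non-loopback destination is not always wrong, but the hop from the Secure Shell server to that host is not encrypted by the tunnel, so it deserves a deliberate decision.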

Customizing the Installation

In addition to supporting easy default installations, the Attachmate Setup program includes the Attachmate Customization Tool, which enables administrators to customize Reflection for Secure IT installations. To run the Installation Customization Tool, type the following on the command line:

    setup.exe /admin

You can create a new Setup customization file for your product, or create a Companion installer that, for example, uses the Add Files feature of this tool to install a known hosts file to ensure that users connect securely to known servers without needing to respond to the unknown host prompt.

Figure: Using the Installation Customization Tool to install a known hosts file

For more details about the Installation Customization Tool, see the Reflection for Secure IT Windows Client User Guide.

For More Information on Reflection for Secure IT Windows Client

For more information about Reflection for Secure IT Windows Client, visit the Product Documentation site at: http://support.attachmate.com/manuals/rsit win client.html

For further assistance regarding evaluation software and product updates, visit our Technical Support site at http://support.attachmate.com/.

For additional office locations, partners, and resellers, visit our Web site at www.microfocus.com.

© 2017 Attachmate Corporation, a Micro Focus company. All rights reserved.

No part of the documentation materials accompanying this Attachmate software product may be reproduced, transmitted, transcribed, or translated into any language, in any form by any means, without the written permission of Attachmate Corporation.

Attachmate, the Attachmate logo, and Reflection are registered trademarks of Attachmate Corporation in the USA. All other trademarks, trade names, or company names referenced in this product are used for identification only and are the property of their respective owners.
