Configuring Security Proxy with OutsideView WEB
Technical Note

As an alternative to the more commonly used HTTPS tunneling security capability, OutsideViewWEB also includes a security proxy server that can be used to encrypt the data connections from OutsideViewWEB terminal sessions to your host computers. To make secure connections, install and configure the security proxy server and then create secure terminal sessions using the Administrative WebStation.

This technical note provides an overview of the entire procedure and describes where to look for step-by-step instructions for each part of the process.

Understanding the OutsideViewWEB Security Proxy Server

OutsideViewWEB can be configured to pass host connections through a security proxy server as shown in the figure below. This configuration gives web users access to the host computer while safeguarding the connection between the browser and the security proxy server.


Figure 1 - OutsideViewWEB security configuration

The following descriptions refer to the diagram above:

1. Using a web browser, an OutsideViewWEB user connects to a web server (typically on port 80) and downloads a terminal emulation applet and a security archive.

2. The downloaded applet contacts the security proxy server (typically on port 443) through a secure port in the company firewall (the firewall is optional). This contact establishes an encrypted session between the remote user and the security proxy server.

3. The security proxy server connects to the host computer over telnet (port 23) or an NS/VT connection (port 1570) and encrypts the data before forwarding it back to the user.

The OutsideViewWEB security components can be installed on any server, as long as the server contains a Java 1.1-compliant virtual machine (VM) capable of running Java applications. The security proxy server can reside on the host computer or on a separate server.

 

Preparing to Set Up the Proxy Server

The process for installing and configuring the OutsideViewWEB security proxy server is complex, but needs to be done only once for each host. You may prefer, however, to have Crystal Point's consulting services deploy the proxy server for you. For more information, please visit our consulting page.

If you plan to set up the proxy server yourself, use the checklist at the end of this technical note to ensure that you have all the necessary information before you begin. You may want to print out the checklist in order to record your information and to have it on hand as you proceed with the security implementation.

 

Implementing Security

Implementing security can be divided into two general tasks:

  • Installing and configuring the OutsideViewWEB security proxy server
  • Configuring secure terminal sessions

 

Both of these tasks are described in the sections below.

 

Part One: Installing and Configuring the OutsideViewWEB Security Proxy Server

Before you proceed, read through the procedures below for an overview so you will know what to expect. Then, consult the documentation referenced below for step-by-step instructions.

These procedures assume that you already have installed the OutsideViewWEB terminal emulation component on your web server computer. For information on installing the terminal emulation component, see the Installation_Guide.html file on your OutsideViewWEB CD-ROM. To install the security proxy server, you will need to perform the following tasks:

1. Install the security proxy server files.
2. Run the security proxy server wizard.
3. Start the security proxy server.

1. Install the Security Proxy Server Files

The OutsideViewWEB security proxy server files are located in the Install folder on your OutsideViewWEB CD. You can install the files using a Windows installer, a Java installer, or by extracting the contents of the .zip file and copying the files to your server. For detailed instructions: See "Installing OutsideViewWEB" in the Installation and System Administrator Guide. The System Administrator Guide is available on your OutsideViewWEB CD as \Installation_Guide.html

2. Run the Security Proxy Server Wizard

The Wizard generates the security certificate that is used to authenticate the server. It also creates a server.properties file that contains information about each security proxy connection. You can configure multiple proxy servers by re-running the wizard. Simply select the server.properties file that you created the first time you ran the wizard. For detailed instructions: See "Setting Up Security" in the Installation and System Administrator Guide. The System Administrator Guide is available on your OutsideViewWEB CD as \Installation_Guide.html

Tip: You may want to specify port 443 as the listening port since it is typically an open port on firewalls. However, if you are installing the proxy server on the same computer as an IIS web server, you must choose a different port since port 443 is already reserved by IIS.

3. Start the Security Proxy Server

Once you have created the security certificate and server.properties file using the Wizard, you can run the security proxy server to enable encrypted host connections for OutsideViewWEB terminal sessions.

For detailed instructions: See "Setting Up Security" in the Installation and System Administrator Guide. The System Administrator Guide is available on your OutsideViewWEB CD as \Installation_Guide.html

Optional: Create a Test Certificate
When implementing security in OutsideViewWEB, you may want to register a digital certificate and key pair from a certifying authority such as Thawte or VeriSign. However, you can create a test certificate to use only for evaluation and testing purposes.

 

Part Two: Configuring Secure Terminal Sessions

To create secure terminal sessions, perform the following tasks using the Deployment Director tools in the Administrative WebStation:

1. Configure your default security settings.
2. Create the security archives.
3. Upload the security archives to your server.
4. Create terminal session web pages.
5. Upload the session files to your web server.

Each task is described below.

Note: If your web server runs Windows NT and you have permanently set the system classpath to include the SecureProxyJ.jar file, you may have trouble creating the security archives by running the Administrative WebStation directly on the server. Instead, run the Administrative WebStation on a different PC while performing the steps below.

1. Configure the Default Security Settings

Use the Default Settings tool to enter information on your proxy server and destination host.

For detailed instructions: Use the Default Settings tool in the Deployment Director section of the Administrative WebStation. Click Help for additional information.

2. Create the Security Archives

The Security Archive tool guides you through creating the security archive files that enable secure terminal sessions and provide server authentication.

For detailed instructions: Use the Security Archive tool in the Deployment Director section of the Administrative WebStation. Click Help for additional information.

3. Upload the Security Archives

Once you've created the security archives, use the File Upload tool to upload the files from the \OutsideViewWEB\Upload folder on your administrative PC to the top-level folder of the OutsideViewWEB terminal emulation component on your web server. (If your web server does not support FTP, you may alternately be able to copy the files to your web server.)

For example, if you installed the OutsideViewWEB terminal emulation files to a folder named OVWebServer on your web server, upload the security archives to the OVWebServer folder.

You may find up to three security archive files in the \OutsideViewWEB\Upload folder, depending on which browsers you selected using the Security Archive tool. The file names are:

  • OVWebCert.cab (Internet Explorer for Windows)
  • OVWebCert.jar (Netscape for Windows)
  • OVWebCertJ.jar (Internet Explorer for Mac)

For detailed instructions: Use the File Upload tool in the Deployment Director section of the Administrative WebStation. Click Help for additional information.

4. Create Secure Terminal Sessions

The Deployment Director contains a Secure Terminal Session tool that guides you through creating configuration files and web pages that launch secure terminal sessions.

For detailed instructions: Choose one of the following options:

  • Use the Terminal Session tool in the Deployment Director section of the Administrative WebStation.
  • Step through the tutorial titled "Creating a Secure Terminal Session" in the How To section of the Administrative WebStation.

5. Upload the Session Files

Upload your configuration files and web pages to the Session folder on your web server. Typically, the Session folder will be one level below the folder where you installed the OutsideViewWEB terminal emulation component.

For example, if you installed your OutsideViewWEB terminal emulation files to an OVWebServer folder on your web server, upload the session files to the OVWebServer/Session folder.

For detailed instructions: Use the File Upload tool in the Deployment Director section of the Administrative WebStation.

Additional Resources

Several training, consulting, and technical support options are available from Crystal Point:

Technical Training

Crystal Point offers instructor-led training for OutsideViewWEB. For more information on Crystal Point's technical training opportunities, click here.

Consulting

Crystal Point's consulting services can help you deploy, configure, or customize OutsideViewWEB. For more information, click here.

Technical Support

For troubleshooting and general support information, see the Crystal Point technical support page:

The web site includes technical notes, a download library, product manuals, and information on contacting Crystal Point technical support engineers.

Security Implementation Checklist

You will need to answer the following questions in order to configure the OutsideViewWEB security proxy server and create security archives.

  • What operating systems do your end-users have (Windows NT 4.0, Mac OS 9, Linux, etc.)?

  • What browsers and Java virtual machines do your end-users have (Internet Explorer 5.0, Netscape Navigator 4.7, etc.)?

  • What is the name and IP address of the server where you are installing the OutsideViewWEB security proxy server?

  • What port will you assign to be the listening port on the server where you are installing the OutsideViewWEB security proxy server? This port number must be a unique, non-reserved number. (Typically, a number above 1023 is used.) If relevant, ensure that the port you choose is compatible with your network firewall implementation.

  • What is the name and IP address of the remote host that end-users will be connecting to?

  • What port on the remote host will be used for the connection? (Typically, port 23 is used for telnet connections.)

  • What is your preferred level of security encryption: 56-bit DES (basic) or 168-bit 3DES (high-level)?

  • What is the location of your signed digital certificate? If you do not have a digital certificate, see the Administrative WebStation information on Certifying Authorities (to obtain a certificate).

  • What are the client IP addresses that you want the proxy to accept connections from? You can specify individual client addresses, entire subnets, or all addresses (no restriction).
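
The port and client-address answers in the checklist can be sanity-checked before you run the wizard. The Python script below is an added example, not part of OutsideViewWEB or its documentation; the dictionary keys, the encryption labels and the sample answers are hypothetical, and the rules it applies are the ones stated in this note (port 443 conflicts with IIS on the same computer, other ports should be unique and above 1023, and clients may be individual addresses, subnets, or all).

```python
import ipaddress

def parse_allowlist(entries):
    """Checklist entries are single addresses, CIDR subnets, or 'all'.
    Returns a list of networks, or None when there is no restriction.
    A malformed entry raises ValueError."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry.lower() == "all":
            return None
        # strict=False lets a bare host address become a /32 network
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def client_allowed(client_ip, nets):
    """True if a connection from client_ip matches the allow-list."""
    if nets is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)

def review_checklist(c):
    """Return findings for a filled-in checklist (dict keys are hypothetical)."""
    findings = []
    port = c["listen_port"]
    if not 1 <= port <= 65535:
        findings.append("listening port is not a valid TCP port")
    elif port == 443 and c["iis_on_same_host"]:
        findings.append("port 443 is already reserved by IIS on this computer")
    elif port <= 1023 and port != 443:
        findings.append("listening port is in the reserved range (1023 and below)")
    elif port in c["ports_in_use"]:
        findings.append("listening port is not unique on this server")
    if c["encryption"] not in ("DES-56", "3DES-168"):
        findings.append("encryption level must be 56-bit DES or 168-bit 3DES")
    if parse_allowlist(c["allowed_clients"]) is None:
        findings.append("no client restriction: the proxy accepts all addresses")
    return findings

# Constructed sample answers, not taken from any real deployment.
RISKY = {"listen_port": 443, "iis_on_same_host": True, "ports_in_use": [80, 443],
         "encryption": "DES-56", "allowed_clients": ["all"]}
SCOPED = {"listen_port": 8443, "iis_on_same_host": True, "ports_in_use": [80, 443],
          "encryption": "3DES-168",
          "allowed_clients": ["192.0.2.17", "10.20.0.0/16"]}

if __name__ == "__main__":
    for name, answers in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        print(name, review_checklist(answers) or "no findings")
```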