Reflection for the Web and the Microsoft Windows Firewall and Pop-Up Blocker (Included in XP Service Pack 2)
Technical Note 1828
Last Reviewed 12-Aug-2004
Applies To
Reflection for the Web
Reflection Administrator
Summary

Windows XP Service Pack 2 (SP2) includes a new Windows Firewall and Pop-Up Blocker. In prior releases, the firewall was known as the Internet Connection Firewall (ICF) and was disabled by default. Starting with the SP2 release, during installation the firewall and pop-up blocker are installed and enabled by default. The firewall is enabled on all network connections and is configured to block all unsolicited incoming traffic. This note describes how the Windows Firewall and Pop-up Blocker interact with Reflection for the Web.

Note: For information about Reflection Products and Microsoft Windows XP SP2, see Technical Note 1830.

About the Windows Firewall

The Windows Firewall is a stateful host firewall that runs in Windows XP and blocks all unsolicited incoming traffic unless it is configured to permit that traffic. Outgoing traffic and traffic internal to the Windows XP machine are not blocked by the firewall.

Note: You must be a member of the Windows Local Administrative group to configure the firewall. The firewall can be configured using Group Policies or scripting. For more information about these deployment options, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 on the Microsoft web site at

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

Reflection for the Web and the Windows Firewall

Attachmate has tested the current Reflection for the Web product with the Microsoft Windows Firewall. The following sections detail instances where you must configure the Windows Firewall to permit Reflection for the Web traffic.

For information about the current version of Reflection for the Web, see the Attachmate Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.

Reflection for the Web Clients

When Reflection for the Web clients are run from Windows XP SP2-based machines, most Reflection connections pass through the firewall with no extra firewall configuration because the connections are solicited from within the firewall. The one exception to this is when you use Reflection for the Web's FTP protocol in the non-default mode, active mode.

By default, Reflection for the Web's FTP protocol is configured for passive mode, which uses port 21 and requires no firewall configuration. Active mode FTP uses two ports for communication, ports 21 and 20. Port 21 is used to initiate communication, but port 20 is used to receive replies. Because Reflection does not initiate the communication on port 20, the Windows Firewall will block this traffic and will display a Windows Security Alert.

The Alert window enables users to decide whether to block the incoming traffic (Keep Blocking), add the connection to the Windows Firewall Exceptions list and always allow it (Unblock), or allow only this specific instance of the connection (Ask Me Later).

Figure 1 - Windows Security Alert

When the Windows Security Alert opens, click Ask Me Later. Because Reflection for the Web is running through Internet Explorer, clicking Unblock at this point unblocks Internet Explorer, not just port 20.

To manually configure the firewall to permit inbound connections on port 20, follow the steps below.

  1. From the Control Panel, click Security Center > Windows Firewall, and click the Exceptions tab.
  2. If you clicked Unblock in the Windows Security Alert window and added Internet Explorer to the Exceptions list in error, select Internet Explorer from the list and click Delete.
  3. Click Add Port.

     Figure 2 - The Windows Firewall Exceptions List (Default)

  4. Enter a name (such as Reflection Active Mode FTP) and the port 20.
  5. If you want to restrict the scope of access to the port, click Change scope, enter the information appropriate to your environment, and then click OK.
  6. Click OK.

For information about manually adding application or port exceptions to the Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2 on the Microsoft web site at

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

Reflection for the Web Servers and the Windows Firewall

The following sections apply if any of the Reflection for the Web servers—Reflection Management Server, Security Proxy Server, or Metering Server—are running on a Windows XP SP2-based computer.

Installing Reflection for the Web

During Reflection for the Web installation, Reflection checks the HTTP and HTTPS ports specified to verify that they are not already in use. This check causes the Windows Security Alert dialog box to open and ask if you want to keep blocking java. Click Ask Me Later. This allows the necessary access for the installation, but does not permanently add the setting to the Windows Firewall Exceptions list.

Configuring the Firewall to Permit Reflection for the Web Traffic

If any of the Reflection for the Web servers are running on a Windows XP SP2-based computer, you must configure the Windows Firewall to permit unsolicited incoming Reflection for the Web traffic; otherwise, all incoming connection requests to the Reflection for the Web servers will be blocked.

Users who attempt to use Reflection for the Web before the necessary port(s) have been opened will receive an error, such as "page cannot be displayed," or "connection to host failed/refused." No error will be displayed on the machine running the Reflection for the Web server(s); however, if Windows Firewall logging is enabled, the blocked connection is recorded in the log.

Follow the steps below to open a port for access to Reflection for the Web servers.

  1. From the Control Panel, click Security Center > Windows Firewall.
  2. On the Exceptions tab, click Add Port.
  3. Enter a name (such as Reflection for the Web) and the Reflection for the Web port number. By default, Reflection is configured to use port 80 for HTTP or port 443 for HTTPS.
  4. If you want to restrict the scope of access to the port, click Change scope, enter the information appropriate to your environment, and then click OK.
  5. If you are running the Reflection for the Web Security Proxy Server, or have configured Reflection to use X.509 access control, you must also open the ports used by these features. The default ports for these features are shown below. If you are not using the default ports, use the correct port numbers for your installation.

     Feature                  Default Port Number
     Security Proxy Server    3000
     X.509 Access Control     8083

     For further information about using Reflection for the Web through a firewall, see Technical Note 1786. For further information about Reflection for the Web and X.509 access control, see Technical Note 1756.

     Repeat steps 3 and 4 for each additional port required in your environment.

  6. Click OK.

For further information about manually adding application or port exceptions to the Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2 on the Microsoft web site at

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
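
To confirm from the server side that blocked connections are behind the client errors described in this section, the Windows Firewall log can be filtered for dropped TCP packets addressed to the Reflection for the Web ports. The script below is an added example, not Attachmate or Microsoft code; the log lines are constructed, and the parser takes the column order from the log's own #Fields header rather than assuming a fixed layout.

```python
from collections import Counter

# Default ports from this note; change these for a non-default installation.
REFLECTION_PORTS = {80: "HTTP", 443: "HTTPS",
                    3000: "Security Proxy Server", 8083: "X.509 Access Control"}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-08-12 09:14:02 DROP TCP 192.0.2.15 192.0.2.10 1187 80 48 S 3812244 0 64240 - - -
2004-08-12 09:14:05 DROP TCP 192.0.2.15 192.0.2.10 1187 80 48 S 3812244 0 64240 - - -
2004-08-12 09:15:40 DROP TCP 192.0.2.44 192.0.2.10 2301 3000 48 S 9120031 0 64240 - - -
2004-08-12 09:16:11 OPEN TCP 192.0.2.10 198.51.100.7 1042 443 - - - - - - - -
2004-08-12 09:16:30 DROP UDP 192.0.2.99 192.0.2.255 137 137 78 - - - - - - -
2004-08-12 09:17:02 DROP TCP 192.0.2.60 192.0.2.10 4410 8083 48 S 5540127 0 64240 - - -
2004-08-12 09:17:45 DROP TCP 192.0.2.60 192.0.2.10 4411 135 48 S 5541200 0 64240 - - -
"""


def blocked_reflection_connections(log_text, ports=REFLECTION_PORTS):
    """Count dropped TCP packets per (destination port, source) for the given ports."""
    fields, hits = None, Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # column order comes from the log
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # blank line, other header, or data before any #Fields header
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        if rec.get("action") != "DROP" or rec.get("protocol") != "TCP":
            continue
        dst_port = rec.get("dst-port", "")
        if dst_port.isdigit() and int(dst_port) in ports:
            hits[(int(dst_port), rec.get("src-ip", "?"))] += 1
    return sorted((port, ports[port], src, n) for (port, src), n in hits.items())


if __name__ == "__main__":
    for port, feature, src, n in blocked_reflection_connections(SAMPLE_LOG):
        print(f"port {port} ({feature}): {n} blocked attempt(s) from {src}")
```

Each reported port still needs an entry in the Exceptions list; drops on unrelated ports such as 135 are deliberately left out of the result.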

Troubleshooting the Microsoft Firewall

For information about troubleshooting the Microsoft Firewall, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2 on Microsoft's web site at

http://www.microsoft.com/downloads/details.aspx?familyid=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en

About the Windows Pop-Up Blocker

The Windows Pop-up Blocker is designed to help you control Internet Explorer pop-up windows. By default, the pop-up blocker is turned on and set to the medium setting.

Reflection for the Web and the Windows Pop-Up Blocker

The Windows XP SP2 Pop-up Blocker may block access to the Reflection for the Web Administrative WebStation or Help. If this happens, the following information is displayed at the top of the browser window: "Pop-up blocked. To see this pop-up or additional options click here..."

Figure 3 - Pop-Up Blocker

To configure the pop-up blocker to allow this page, click the pop-up blocker message, click Always Allow Pop-ups from this Site, and then click Yes.

Note: If you are in a Reflection for the Web emulator session when you get the pop-up blocker notice, you must configure the pop-up blocker and restart your Reflection session before the Reflection pop-up is allowed.

Related Technical Notes
1756 Using X.509 Client Certificate Authentication with Reflection for the Web
1784 Reflection Windows-Based Products and the Microsoft Windows Firewall (Included in XP Service Pack 2)
1786 Connecting Through a Firewall Using Reflection for the Web
1981 Attachmate Products and Microsoft Windows XP Service Pack 2
