Posted by Julien DUMEZ
December 14, 2020

What is the best alternative to replace your TN3270 emulator?

man looking at his laptop

The reason you’re asking this question is understandable. The promises heavy TN3270 emulators made years ago are starting to wane. In the beginning, these emulators brought convenience and cost savings. Unfortunately, security breaches and performance issues followed some years after.

So, you’re right: it’s high time to get rid of that expensive TN3270 emulator. But what is the alternative? By now, you’ve probably heard about web-based emulators (not to worry if you didn’t, we’ll explain everything). You heard their promises: ubiquitous, secure, and fast. You just aren’t convinced yet.

Not all web-based solutions are equivalent, so let us help you choose the best one out there.


Download your checklist to be ready to switch terminal emulators

What is wrong with heavy client TN3270 emulators?

Man having a nervous breakdown

As the name implies, traditional TN3270 emulators require a thick client to be installed on your workstation. However, this TN3270 emulator needs a wide array of elements to work properly.


To secure unencrypted data between the TN3270 emulator on the user's desktop and the mainframe outside of the company network, most companies chose to invest in a VPN. Not only is this an additional cost, but it is also another software to monitor and maintain.


Activating TLS on these emulators, if compatible, seemed like a good way to bypass VPNs. However, configuring TLS on the emulator requires a lengthy intervention on each workstation. This is why many companies are reluctant to make this change and are stuck with VPNs.


Speaking of change, heavy TN3270 emulators are also extremely vulnerable to OS changes. Significant efforts are required to ensure their compatibility, which can explain why some companies choose to postpone (sometimes for years) their migration to Windows 10 for example.


Moreover, many heavy TN3270 emulators are reliant on Java plugins which are vulnerable to security breaches. Not to mention that Java’s licensing costs can get unpredictably high and can make Accounting irritated. In fact, they’re not the only ones who are. Your maintenance teams are getting weary from hundreds of co-workers requesting help with installing updates and security patches. Because don’t forget, this needs to be done on Every. Single. Computer.


To summarize, traditional TN3270 emulators are letting you down on every front: performance, security, convenience, and cost. So, what’s the alternative?

What about web-based TN3270 emulators with middle-tier servers?

reflexion in front of a laptop

Middle-tier architecture is appealing. Getting rid of any installation on the user’s side is already a step in the right direction. All the hard work of conversion from PC to mainframe is done on the middle-tier server.


But you guessed it, middle-ware servers are also full of issues, the biggest one being security. By design, middle-tier servers translate data between two protocols: HTTPS and TN3270.


Unfortunately, TN3270 is an ancient protocol that is quite complicated to secure. Not to mention that it is derived from Telnet which is no longer used on Unix platforms that favored more secure protocols such as SSH.


Middle-tier servers also represent an additional stage to access the mainframe computer; another piece added to the infrastructure. This makes the whole mainframe environment more vulnerable because any middle-tier-server failure can completely break access to the mainframe.


They also need to be included in the capacity planning process and thereby increasing the total cost of ownership.

The Ideal Solution from our point of view: Two-tier Web-based TN3270 emulator to access Mainframes

A man showing his screen to other employees

What do we mean by two-tier web-based access? It’s simple, we eliminate the middleman (or server in this case) to end up with only two “tiers”: the mainframe and the PC. The TN3270 emulator is installed directly as a  mainframe software. It can then be accessed through any standard web browser (and its subsequent updates) through a URL. What does this imply?


Security, security, and even more security


Two-tier architecture benefits from reinforced security as it is directly installed on the mainframe. The emulator’s own internal security system can function by interaction with the leading tools on the market such as RACF, TOP-SECRET, and ACF2.


Moreover, when it uses SSL, the emulator builds on the z/OS system’s AT-TLS layers which makes it compliant with the most recent security levels in this matter.


Similarly, this architecture uses standard and modern web browsers, which are constantly updated and are one of the most secured pieces of software in modern IT.


Eliminate the unnecessary and save money


Well first, you can say goodbye to all the additional software we mentioned before such as Java, and VPNs. Which in turn means that you don’t have to worry about updating them and dealing with their security issues.


Let’s not also forget the simple fact that you’re effectively lowering your TCO by not buying extra licenses! Here’s a bonus: you’ll also save on a session manager since two-tier TN3270 emulators already have one built-in!


Make life easier for your maintenance team


Do a favor to your maintenance team by eliminating repetitive tasks. With a two-tier TN3270 emulator, there’s still nothing to install on each workstation. Nothing to update either, except for web-browsers which is done by the IT department anyway.


No need to manage a middle-tier server (as it doesn’t exist in this situation) and no more worries about Windows 10 compatibility. These are things that will delight your maintenance team. I guarantee it. You can even mention full IPv6 compatibility to seal the deal!


More importantly, everything related to the TN3270 emulator will be found on the mainframe. This is good news for your maintenance team since all their efforts will become concentrated in one place, as it goes for all mainframe software.


Get the flexibility and scalability you need


Gone are the days of sitting in front of a company-issued computer. BYOD (Bring Your Own Device) is all the rage. Let your employees work from whatever device they want, without having to worry about security.


Let them sign-on from anywhere, anytime with any SSO tool on the market (these emulators support most of them). Two-tier web-based access makes remote working a breeze.


Not only does this give easy access to the employees, but it's also the case for contractors and other third-party collaborators. They can finally be free from restrictions on which operating system version to use and what software they can install on their PC.


If you add the compatibility with all existing SSO solutions, you have a very convenient and easy-to-use mainframe software.


Finally, two-tier TN3270 emulators allow multiple concurrent user sessions (up to 10 000) without any loss of performance. If you were looking for scalability or a web-VDI oriented solution, you found it!


good news at the office

Heavy TN3270 emulators are a relic of the past. Companies’ needs have evolved and so should 3270 emulators. However, this doesn’t mean we should settle for unsatisfactory solutions. If you must rely on a TN3270 emulator, you should demand the best.


Two-tier TN3270 emulators are not only secure, easy to maintain, and flexible, they are also non-invasive. Their installation will not disrupt your business. The transition will be seamless and allow you to transition at your own pace, without having to rebuild your entire infrastructure or write a single line of code.


“So that’s great and all, but where can I find a two-tier TN3270 emulator?”. If you are asking yourself this question, I suggest checking out Virtel. No worries, you can try it for free!

Discover our 2-tier thin-client emulator: Virtel

Download your checklist to be ready to switch terminal emulators

Topics: 3270 Emulation, Mainframe, z/OS