
Local and Remote Port Forwarding and the Reflection for Secure IT Client
Technical Note 1862
Last Reviewed 25-Jan-2007
Applies To
Reflection for Secure IT Windows Client version 6.0 or higher
Reflection for Secure IT Windows Server version 6.0 or higher
Reflection for Secure IT UNIX Client version 6.0 or higher
Reflection for Secure IT UNIX Server version 6.0 or higher
Reflection for UNIX and OpenVMS version 14.0 or higher
Summary

This technical note briefly describes Secure Shell (SSH) and port forwarding, explains how to configure the Reflection for Secure IT server and client for local and remote port forwarding by creating a connection through a secure SSH tunnel, and then provides some sample configuration settings.

Note: In earlier versions, the Reflection for Secure IT product was called F-Secure SSH. This technical note does not apply to the F-Secure SSH client. For information about local port forwarding and F-Secure SSH, see Technical Note 1841.

This technical note is organized into the following sections:

A Brief Introduction to SSH

SSH is a computer program based on the Secure Shell protocol. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data. The current version of Secure Shell is ssh-2. (The ssh-1 protocol is deprecated; therefore, it is highly recommended that you use ssh-2.)

For more information about Secure Shell, see "Fortified SSH: A Cost-Effective Way to Safeguard Your Network" on Attachmate.com: http://www.attachmate.com/WhitePapers/Literature_0954.htm.

A Brief Introduction to Port Forwarding (Tunneling)

Port forwarding, or tunneling, allows insecure TCP/IP traffic to be forwarded through a secure SSH connection. Most remote services that use TCP/IP can be secured, including client-server applications, database systems, and services such as HTTP, Telnet, FTP, POP3, and SMTP. The Reflection for Secure IT and Reflection clients also provide dynamic forwarding for the X11 Window System commonly used on UNIX machines.

Using the Reflection for Secure IT Client for Secure Connections

To tunnel TCP traffic with SSH, you must configure local and/or remote port forwarding, establish the SSH connection, and then configure the application you want to securely connect with so that its communication is redirected through the SSH tunnel.

Note: If you plan to tunnel FTP, be aware that in versions prior to Reflection for Secure IT 6.1 and Reflection 13.0.4 or 14.0, Reflection encrypts only the FTP command channel (port 21); the data channel (port 20) is not encrypted. To secure both the command and data channels, upgrade to a later version.

If you must use an earlier version, we suggest using SFTP. If SFTP is not available, tunnel FTP only if the data being transferred is not sensitive. For further information about SFTP, see Technical Note 1918.

Step I—Configuring the SSH Server to Allow TCP Tunneling

Before establishing the SSH tunnel and configuring the application to use it, ensure that the SSH server is configured to allow tunneling. How you configure the server depends on which server you are using. Follow the steps below to configure the Reflection for Secure IT Server for Windows or UNIX. For details on configuring other SSH server software, refer to the man pages or the product's documentation.

Reflection for Secure IT and F-Secure SSH Server for Windows

  1. Click Start > Programs > Reflection > SSH Server Configuration.
  2. Select Server Settings > Tunneling.
  3. Select Allow TCP tunneling, and then click Apply. Note: The server does not need to be restarted after applying this change.

Reflection for Secure IT and F-Secure Server for UNIX

By default, the UNIX SSH server is enabled for TCP port forwarding; see the sshd2_config man page, keywords AllowTCPForwarding, AllowTCPForwardingForGroups, and AllowTCPForwardingForUsers.

If forwarding is disabled, follow these steps.

  1. Open the sshd2_config file in a text editor such as vi.
  2. Under the Tunneling heading, change the value of AllowTcpForwarding from No to Yes.
  3. Uncomment (remove the # from the start of the line) the AllowTcpForwarding line.
  4. Restart the SSH daemon (sshd).

Step II—Configure Port Forwarding

You can use the ssh client to configure both local and remote port forwarding.

Local Port Forwarding

To redirect unsecured TCP traffic through a secure SSH tunnel, configure the Reflection client with a local listening port on the client's host and a destination host and port, and then configure your TCP client application (Step III) to connect to the local listening port. Reflection encrypts the TCP traffic received on the local listening port and forwards it securely to the destination host.

Remote Port Forwarding

Remote port forwarding reverses the direction in which insecure TCP traffic is forwarded: the TCP client is remote relative to the SSH client, and the TCP application server is local relative to the SSH client. To redirect insecure TCP traffic through a secure SSH tunnel, configure the Reflection client with a listening port on the remote server and a local machine and port, and then configure your TCP application to connect to the listening port on the remote server. Reflection encrypts the TCP traffic received on the remote server's listening port and forwards it securely to the local machine.

Config File Entries for Local and Remote Port Forwarding

In the entries below, the remote forward secures print data sent to a PC printer using lpr/lpd: lpd runs on the SSH client (local) machine, and lpr runs on the remote host that is also running the SSH server.

The local forward shows FTP client traffic being forwarded from the SSH client machine to the FTP server on the SSH server machine.

Host host1
RemoteForward 2515 localhost:515
LocalForward 2100 localhost:21. FTP=1 RDP=0
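
As an added illustration that is not part of this technical note, the following Python parses Host, LocalForward and RemoteForward entries of the shape shown above into structured rules, reporting which side opens the listener and whether the final hop to the destination leaves the tunnel in the clear. The sample text and the treatment of trailing KEY=VALUE tokens as per-forward options are constructed assumptions, not a specification of the Reflection config file format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample entries in the shape of the config excerpt above
# (assumption: trailing KEY=VALUE tokens are per-forward options).
SAMPLE_CONFIG = """\
Host host1
RemoteForward 2515 localhost:515
LocalForward 2100 localhost:21 FTP=1 RDP=0
"""

@dataclass
class Forward:
    host: str           # Host stanza the rule belongs to
    kind: str           # "local" or "remote"
    listen_port: int    # port the listener opens
    dest_host: str      # where the tunnel end delivers the traffic
    dest_port: int
    attrs: dict = field(default_factory=dict)

    @property
    def listener_side(self) -> str:
        # Local forwarding listens on the SSH client machine;
        # remote forwarding listens on the SSH server.
        return "ssh client" if self.kind == "local" else "ssh server"

    @property
    def unencrypted_hop(self) -> bool:
        # Only the hop between SSH client and SSH server is encrypted:
        # a destination other than localhost is reached in the clear.
        return self.dest_host.lower() not in ("localhost", "127.0.0.1")

def parse_forwards(text: str) -> list:
    rules, host = [], "*"
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "host" and len(parts) > 1:
            host = parts[1]
        elif key in ("localforward", "remoteforward"):
            # destination must be host:port; anything after it is an option
            m = len(parts) >= 3 and re.fullmatch(r"([^:]+):(\d+)", parts[2])
            if not m:
                raise ValueError(f"malformed entry: {raw.strip()}")
            attrs = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
            rules.append(Forward(host, key[:-7], int(parts[1]),
                                 m.group(1), int(m.group(2)), attrs))
    return rules
```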

You can create a local tunnel using the Reflection for Secure IT interface (for the Windows client) or the command line (for the Windows and UNIX clients).

Using the Reflection for Secure IT Interface (Windows Client)

Follow the steps below to create, close, and edit a tunnel using the Reflection SSH interface.

Configure Local Port Forwarding

Follow the steps below to create a local tunnel.

  1. Click Start > Programs > Attachmate Reflection > SSH Client.
  2. Click Connection > Connection Setup; enter the host name, and then click Security.
  3. On the Tunneling tab, under Local Forwarding, click Add.
  4. In the Forward local port field (Forward local field in versions earlier than 6.1), enter a local port number that the Reflection SSH client should listen to for TCP or FTP data requests. Data sent from this port will be forwarded through the Secure Shell tunnel.

Note the following:

    • Port numbers higher than 1025 are user-defined ports. Using ports 1 – 1024 requires administrative privileges.
    • Make sure to select a non-used port for your Source Port. If the port number entered matches a port that is already configured to listen for another service, the Reflection SSH client will be unable to forward the data.
    • If you create several tunnels for one connection, you must specify a different local port for each tunnel.
  5. In the Name field in the Destination Host section ("to remote" field in versions earlier than 6.1), enter localhost.

Important: Localhost is used for the name of the remote machine if the tcp application server you are connecting to through the tunnel is running on the same server where the SSH daemon resides, which is often the case.

If the SSH daemon resides on a different host than the host on which the tcp application is running, enter the name of the host you are connecting to in the Destination Host field. In this instance, the connection between the Reflection SSH client and the SSH daemon is secure, but the connection between the SSH daemon and the target host is not secure.

  6. In the Port field, enter the TCP/IP port on the SSH server where the application which uses the tunnel sends its data requests. For example, if you will be forwarding Telnet, the default port for Telnet is 23.

Beginning in version 6.1, the Local Port Forwarding dialog box enables you to configure several settings including Tunnel Remote Desktop, Forward type, and Application to Launch. For information about these settings, click the Help button on the Local Port Forwarding dialog box.

  7. Click OK > OK to return to the Connection Setup dialog box.

This tunnel configuration is automatically saved to the user's config file (under SSH config scheme) and will be used again when you connect to the same host (using the same host name).

  8. Enter a User name and click Connect. Unsecured TCP traffic is securely tunneled automatically when the host connection is made.
  9. To save this local tunnel for use the next time you launch the Reflection for Secure IT client, in the SSH client window, click File > Save. Enter a file name and click Save.

Note the following:

  • Changes you make to these settings are saved to the currently specified SSH config scheme.
  • Secure Shell settings are saved to the Secure Shell configuration file. You can also configure Secure Shell settings by editing this file manually in any text editor. The keyword used to configure local port forwarding is LocalForward.

When the Reflection SSH client receives a local request on the specified source port, the application is connected to the destination port through the SSH tunnel.

Close a Tunnel

To close a tunnel, terminate the host session.

Edit a Tunnel

Follow the steps below to edit tunnel settings.

  1. While the tunnel is not connected (no host connection has been made), click Connection > Connection Setup. Make sure that the correct host name has been entered, and then click Security.
  2. On the Tunneling tab, select the local tunnel you want to edit and click Edit.
  3. Edit the settings and click OK > OK.

Using the Command Line (Windows and UNIX Clients)

Use the following commands to establish the SSH connection and create the SSH tunnel from the command line.

Use this command to forward TCP traffic on the workstation through an SSH tunnel to the SSH server.

Syntax:

ssh2 -L <local workstation port>:localhost:<SSH server port> <user name>@<host name>

Example:

ssh2 -L 4000:localhost:4005 RKoa@mySSHserver

In the example above, TCP traffic will be forwarded through port 4000 on the workstation to port 4005 on the SSH server.

Step III—Configuring the Application to use the SSH Tunnel

After creating the SSH tunnel by following the directions in Step II, you must configure your application to use the SSH tunnel. The configuration will be different for each application. For details, refer to the application documentation.

An Example

The following example shows how to configure Reflection for HP or Reflection for UNIX and OpenVMS to redirect a Telnet session over the port you have redirected to connect through SSH.

  1. Start the Reflection for Secure IT SSH tunnel (see Step II for directions).
  2. Open Reflection for HP or Reflection for UNIX and OpenVMS, and then click Connection > Connection Setup.
  3. Under Connect using, select Network and Telnet. In the 'Host name' field, enter localhost, and then click More Settings.
  4. On the General tab, select TCP port 1025 (or whatever port number you configured in step I-5 above), and then click OK.
  5. Click Connect, and then enter your user name and password.

Verifying the Secure Connection with the Windows Client

Follow the steps below to verify that your Telnet session is running through the SSH tunnel.

  1. Click Start > Run.
  2. In the Open field, type cmd, and then click OK.
  3. In the Windows Command window, type netstat.

Note: If the netstat command is not recognized, navigate to the C:\Windows\System32 directory and enter the command again.

If the port forwarding is successful, you should see a response similar to the following:

Active Connections
Proto  Local Address   Foreign Address     State
  TCP  My_PC:1554      my.server.com:22    ESTABLISHED
  TCP  My_PC:1025      localhost:1564      ESTABLISHED
  TCP  My_PC:1564      localhost:1025      ESTABLISHED

In the example above, the first TCP row shows the SSH connection from port 1554 (a random port) on the workstation to port 22 (the default SSH port) on the SSH server.

TCP rows two and three show the Telnet connection between port 1025 on the workstation, the port that has been configured to redirect Telnet connections (port 23) through the SSH tunnel (port 22), and a random port (1564) on the SSH server.

Note: If the second or third TCP row shows the actual host name, such as my.server.com:telnet(23), instead of localhost:<port number>, the tunnel has failed and the Telnet connection is not encrypted.
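
The check described above can be automated. As an added example that is not part of this technical note, the following Python parses netstat output like the listing above and classifies whether traffic on the local listening port loops back into the tunnel or goes directly to the host. The netstat text is constructed sample input, and the expected host and port names are assumptions passed in by the caller.

```python
import re

# Constructed netstat output modelled on the listing above (not captured from a real host).
TUNNELED = """\
Active Connections
Proto  Local Address   Foreign Address     State
  TCP  My_PC:1554      my.server.com:22    ESTABLISHED
  TCP  My_PC:1025      localhost:1564      ESTABLISHED
  TCP  My_PC:1564      localhost:1025      ESTABLISHED
"""

# Constructed failure case: the Telnet row goes straight to the host name.
NOT_TUNNELED = """\
Active Connections
Proto  Local Address   Foreign Address     State
  TCP  My_PC:1025      my.server.com:telnet  ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def parse_rows(text):
    """Return one dict per TCP row of a Windows-style netstat listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lhost, lport, fhost, fport, state = m.groups()
            rows.append({"lport": lport, "fhost": fhost, "fport": fport, "state": state})
    return rows

def tunnel_status(text, listen_port, ssh_host, ssh_port="22"):
    """Classify traffic on listen_port as 'tunneled', 'direct' or 'absent'."""
    rows = [r for r in parse_rows(text) if r["state"] == "ESTABLISHED"]
    ssh_up = any(r["fhost"] == ssh_host and r["fport"] == ssh_port for r in rows)
    app = [r for r in rows if r["lport"] == str(listen_port)]
    if not app:
        return "absent"
    # The forwarded hop must loop back to the local listener; a row whose
    # foreign address is the real host name is leaving in the clear.
    loops_back = all(r["fhost"] in ("localhost", "127.0.0.1") for r in app)
    return "tunneled" if loops_back and ssh_up else "direct"
```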

Sample Settings

The following sample settings show how to forward HTTP.

Forwarding HTTP

  1. Use the Reflection SSH client to connect to the host running the HTTP and SSH servers.
  2. Create a local tunnel with the following values.

     Field          Data
     Local forward  8080  (Note: This number can be any port number over 1024.)
     To remote      localhost
     Port           80

  3. Open your web browser and go to http://localhost:8080.

Related Technical Notes
1918 The Relationship Between File Transfer, SSH, SCP2 (scp), and SFTP
1999 Reflection for Secure IT Technical Notes
10068 Encrypting Connections Between the Verastream Server and Host