This technical note briefly describes Secure Shell (SSH) and port forwarding, explains how to configure the Reflection for Secure IT 7.1 or higher server and client for local and remote port forwarding by creating a TCP connection through a secure SSH tunnel; and then provides some sample configuration settings.
This technical note is organized into the following sections:
SSH is a computer program based on the Secure Shell protocol. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data. The current version of Secure Shell is ssh-2. (The ssh-1 protocol is deprecated; therefore, it is highly recommended that you use ssh-2.)
For more information about Secure Shell, see "Fortified SSH: A Cost-Effective Way to Safeguard Your Network" on Attachmate.com: http://www.attachmate.com/WhitePapers/Literature_0954.htm.
Port forwarding, also known as tunneling, provides a way to redirect non-secure TCP/IP communications through a secure SSH connection. When port forwarding is configured, all data sent to a specified port is redirected through the secure channel. Most remote services that use TCP/IP can be secured, including client-server applications, database systems, and services such as HTTP, Telnet, FTP, POP3, and SMTP. The Reflection for Secure IT and Reflection clients also provide dynamic forwarding for the X11 Window System commonly used on UNIX machines.
There are two types of port forwarding: local and remote.
Local Port Forwarding
In most cases, local port forwarding is used to forward data securely from another client application running on the same computer as the Secure Shell client. The Secure Shell client is configured to redirect data from a specified local port (on the same computer as the Secure Shell client), through the secure tunnel to a specified destination host and port. You can configure any other client running on the same computer to connect to the forwarded port (rather than directly to the destination host and port). After the Secure Shell connection is established, the Secure Shell client listens on the specified port and redirects all data sent to that port through the secure tunnel to the Secure Shell server. The server decrypts the data, and then directs it to the destination host and port.
Remote Port Forwarding
Remote port forwarding is used to forward data securely from any client application running on the same computer as the Secure Shell server. In this case, the client session requests that a specified remote port (on the same computer as the Secure Shell server) be used to redirect the data. You can configure any other client running on the same computer as the Secure Shell server to connect to the forwarded port (rather than directly to the destination host and port). After the Secure Shell connection is established, the Secure Shell server listens on the specified port and redirects all data sent to that port through the secure tunnel to the Secure Shell client. The client decrypts the data and then directs it to the destination host and port.
To tunnel TCP traffic with SSH, you must configure local or remote port forwarding (or both), establish the SSH connection, and then configure the application you want to secure to redirect its communication through the SSH tunnel.
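The listen-and-redirect behaviour described above, modelled as an added Python example (this is not code from the Reflection client or from Attachmate): a listener on a local port accepts a connection and relays its bytes to a destination host and port, with a loopback echo service standing in for the application server (a Telnet daemon, for instance). The SSH tunnel itself is deliberately omitted, so this relay carries data in the clear and only shows the plumbing between the forwarded port and the destination; every host name, port and function name here is an assumption for the illustration.

```python
"""Added illustration of the listen-and-redirect half of local port forwarding.
Not Reflection for Secure IT code: the encrypted SSH hop is left out, so only the
local listener and the relay to the destination are modelled."""
import socket
import socketserver
import threading


class EchoHandler(socketserver.BaseRequestHandler):
    """Stand-in for the destination application server: echoes whatever it receives."""
    def handle(self):
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.request.sendall(data)


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst so it can drain."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def make_forwarder(dest_host, dest_port):
    """Build a handler that redirects each accepted connection to dest_host:dest_port."""
    class ForwardHandler(socketserver.BaseRequestHandler):
        def handle(self):
            # In the real client this hop would be carried inside the SSH tunnel;
            # here it is a plain TCP connection (assumption for the example).
            with socket.create_connection((dest_host, dest_port)) as upstream:
                back = threading.Thread(target=_pump, args=(upstream, self.request), daemon=True)
                back.start()
                _pump(self.request, upstream)
                back.join()
    return ForwardHandler


def start_server(handler, port=0):
    """Start a threaded TCP server on 127.0.0.1 (port 0 = pick a free port); return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_through(port, payload):
    """Act as the local client application: connect to the forwarded port, send, read the reply."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire an echo 'destination' behind a local forwarder and push one message through it."""
    dest, dest_port = start_server(EchoHandler)
    fwd, local_port = start_server(make_forwarder("127.0.0.1", dest_port))
    try:
        return send_through(local_port, b"hello via forwarded port")
    finally:
        fwd.shutdown()
        fwd.server_close()
        dest.shutdown()
        dest.server_close()


if __name__ == "__main__":
    print(demo())
```

The client application never learns the real destination: it talks only to the local port, exactly as the note describes for the Reflection client. The half-close in `_pump` matters for correctness; without it, one side would wait forever for data the other side has already finished sending.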
Port forwarding is configured only by the SSH client, not the Reflection for Secure IT server. However, you can configure the server to enable or disable requests made by the client.
Before using port forwarding, ensure that the SSH server is configured to enable tunneling. How you configure the server depends on which server version and platform you are using.
Both local and remote port forwarding are enabled by default in version 7.0 or higher of the Reflection for Secure IT Server. For details about these settings, go to the product documentation page, http://support.attachmate.com/manuals/sshdocs.html. Select your product; open the Reflection for Secure IT Server Users Guide for your product version; and search for Port Forwarding.
For details on configuring other SSH server software, refer to your man pages or the product's documentation.
The client can be configured to request local or remote port forwarding, or both.
For information about configuring the Reflection for Secure IT Client for port forwarding, go to the product documentation page, http://support.attachmate.com/manuals/sshdocs.html. Select your product; open the Reflection for Secure IT Client Users Guide for your product version; and search for Port Forwarding.
Follow the steps below to create, close, and edit an SSH tunnel using the Reflection for Secure IT Windows Client.
To create a local tunnel:
Note the following:
Important: Localhost is used for the name of the remote machine if the TCP application server you are connecting to through the tunnel is running on the same server where the SSH daemon resides, which is often the case.
If the SSH daemon resides on a different host than the host on which the TCP application is running, enter the name of the host you are connecting to in the Destination Host field. In this instance, the connection between the Reflection SSH client and the SSH daemon is secure, but the connection between the SSH daemon and the target host is not secure.
This tunnel configuration is automatically saved to the user's config file (under SSH config scheme) and will be used again when you connect to the same host (using the same host name).
When the Reflection SSH client receives a local request on the specified source port, the application is connected to the destination port through the SSH tunnel.
To close a tunnel, terminate the host session.
To edit tunnel settings:
You can use commands to establish the SSH connection and create the SSH tunnel from the command line.
Use the following command to forward TCP traffic on the workstation through an SSH tunnel to the SSH server.
ssh -L <local workstation port>:localhost:<SSH server port> <user name>@<host name>
ssh -L 4000:localhost:4005 RKoa@mySSHserver
In the example above, TCP traffic will be forwarded through port 4000 on the workstation to port 4005 on the SSH server.
After creating the SSH tunnel by following the procedure in Step II, you must configure your application to use the SSH tunnel. The configuration will be different for each application. For details, refer to the application documentation.
The following example shows how to configure Reflection for HP or Reflection for UNIX and OpenVMS to redirect a Telnet session over the port you have redirected to connect through SSH.
To verify that your Telnet session is running through the SSH tunnel, follow these steps.
Note: If the netstat command is not recognized, navigate to the C:\Windows\System32 directory and enter the command again.
If the port forwarding is successful, you should see a response similar to the following:
In the example above, the first TCP row shows the SSH connection from port 1554 (a random port) on the workstation to port 22 (the default SSH port) on the SSH server.
The second and third TCP rows show the Telnet connection between port 1025 on the workstation, the port that has been configured to redirect Telnet connections (port 23) through the SSH tunnel (port 22), and a random port (1564) on the SSH server.
Note: If the second or third TCP row shows the actual host name, such as my.server.com:telnet(23), instead of localhost:<port number>, the tunnel has failed and the Telnet connection is not encrypted.
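The verification described in this section, written out as an added Python check (not part of the Attachmate note): it parses name-resolved `netstat` rows, confirms that an SSH session to the server is established, and flags any Telnet row whose foreign address is a real host rather than localhost, which is the failure case the note warns about. The two blocks of sample output below are constructed to mirror the rows described above; the host names, the `mySSHserver` label and the function names are assumptions.

```python
"""Added example, not from the Attachmate note: scan `netstat` output for
Telnet connections that reach the remote host directly instead of through the
localhost port that the SSH client forwards.  Sample output is constructed."""
import re

# Constructed sample resembling name-resolved Windows `netstat` output when the tunnel works:
# one SSH session to the server, and the Telnet client talking only to localhost.
NETSTAT_TUNNELED = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    workstation:1554       mysshserver:ssh        ESTABLISHED
  TCP    workstation:1025       localhost:1564         ESTABLISHED
  TCP    workstation:1564       localhost:1025         ESTABLISHED
"""

# Constructed sample of the failure case: Telnet going straight to the remote host.
NETSTAT_FAILED = """\
  Proto  Local Address          Foreign Address        State
  TCP    workstation:1554       mysshserver:ssh        ESTABLISHED
  TCP    workstation:1566       my.server.com:telnet   ESTABLISHED
"""

# host:port pairs split at the last colon, so bracketed IPv6 addresses also parse.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def parse_tcp_rows(text):
    """Return one dict per TCP row; header, title and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lhost, lport, fhost, fport, state = m.groups()
            rows.append({"local_host": lhost, "local_port": lport,
                         "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def _is_port(label, name, number):
    """True if a netstat port label names the service ('telnet', '23' or 'telnet(23)')."""
    return label.lower().split("(")[0] in (name, number)


def ssh_session_present(text, ssh_server):
    """True if some row shows an ESTABLISHED connection to ssh_server on the SSH port."""
    return any(r["foreign_host"].lower() == ssh_server.lower()
               and _is_port(r["foreign_port"], "ssh", "22")
               and r["state"] == "ESTABLISHED"
               for r in parse_tcp_rows(text))


def untunneled_telnet(text):
    """Foreign endpoints of Telnet connections that bypass the loopback forwarded port."""
    return [f"{r['foreign_host']}:{r['foreign_port']}"
            for r in parse_tcp_rows(text)
            if _is_port(r["foreign_port"], "telnet", "23")
            and r["foreign_host"].lower() not in LOOPBACK_NAMES]


def tunnel_ok(text, ssh_server):
    """Verdict: the SSH session is up and no Telnet row goes to a remote host directly."""
    return ssh_session_present(text, ssh_server) and not untunneled_telnet(text)


if __name__ == "__main__":
    # Against a live workstation: run `netstat` and pass its text to tunnel_ok().
    print("tunneled sample:", tunnel_ok(NETSTAT_TUNNELED, "mySSHserver"))
    print("failed sample:  ", tunnel_ok(NETSTAT_FAILED, "mySSHserver"),
          untunneled_telnet(NETSTAT_FAILED))
```

With `netstat -n` the port column holds numbers instead of names, which `_is_port` also accepts; the check then keys on 22 and 23 rather than on `ssh` and `telnet`.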
The following sample settings show how to forward HTTP.
Note: This number can be any port number over 1024.
Your HTTP connection is now going through the SSH tunnel.