Environment
Reflection for Secure IT Windows Server version 8.0 or higher
Reflection for Secure IT UNIX Client version 7.2 or higher
Reflection for Secure IT UNIX Server version 7.2 or higher
Situation
This technical note briefly describes Secure Shell (SSH) and port forwarding, explains how to configure the Reflection for Secure IT 7.1 or higher server and client for local and remote port forwarding (creating a TCP connection through a secure SSH tunnel), and then provides some sample configuration settings.
This technical note is organized into the following sections:
An Introduction to Port Forwarding (Tunneling)
Using the Reflection for Secure IT Client for Secure Connections
Step I—Configuring the SSH Server to Allow TCP Tunneling
Step II—Configuring Port Forwarding
Step III—Configuring the Application to use the SSH Tunnel
Verifying the Secure Connection with the Windows Client
Sample Settings
Resolution
A Brief Introduction to SSH
SSH is a computer program based on the Secure Shell protocol. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data. The current version of Secure Shell is ssh-2. (The ssh-1 protocol is deprecated; therefore, it is highly recommended that you use ssh-2.)
For more information about Secure Shell, see "Fortified SSH: A Cost-Effective Way to Safeguard Your Network" on Attachmate.com: https://www.attachmate.com/WhitePapers/Literature_0954.htm.
An Introduction to Port Forwarding (Tunneling)
Port forwarding, also known as tunneling, provides a way to redirect non-secure TCP/IP communications through a secure SSH connection. When port forwarding is configured, all data sent to a specified port is redirected through the secure channel. Most remote services that use TCP/IP can be secured, including client-server applications, database systems, and services such as HTTP, Telnet, FTP, POP3, and SMTP. The Reflection for Secure IT and Reflection clients also provide dynamic forwarding for the X Window System (X11) commonly used on UNIX machines.
There are two types of port forwarding: local and remote.
Local Port Forwarding—In most cases, local port forwarding is used to forward data securely from another client application running on the same computer as the Secure Shell client. The Secure Shell client is configured to redirect data from a specified local port (on the same computer as the Secure Shell client), through the secure tunnel to a specified destination host and port. You can configure any other client running on the same computer to connect to the forwarded port (rather than directly to the destination host and port). After the Secure Shell connection is established, the Secure Shell client listens on the specified port and redirects all data sent to that port through the secure tunnel to the Secure Shell server. The server decrypts the data, and then directs it to the destination host and port.
Remote Port Forwarding—Remote port forwarding is used to forward data securely from any client application running on the same computer as the Secure Shell server. In this case, the client session requests that a specified remote port (on the same computer as the Secure Shell server) be used to redirect the data. You can configure any other client running on the same computer as the Secure Shell server to connect to the forwarded port (rather than directly to the destination host and port). After the Secure Shell connection is established, the Secure Shell server listens on the specified port and redirects all data sent to that port through the secure tunnel to the Secure Shell client. The client decrypts the data and then directs it to the destination host and port.
To tunnel TCP traffic with SSH, you must configure local or remote port forwarding (or both), establish the SSH connection, and then configure the application you want to secure to redirect its communication through the SSH tunnel.
Using the Reflection for Secure IT Client for Secure Connections
Port forwarding is configured only by the SSH client, not the Reflection for Secure IT server. However, you can configure the server to enable or disable requests made by the client.
Step I—Configuring the SSH Server to Allow TCP Tunneling
Before using port forwarding, ensure that the SSH server is configured to enable tunneling. How you configure the server depends on which server version and platform you are using.
Both local and remote port forwarding are enabled by default in version 7.0 or higher of the Reflection for Secure IT Server. For details about these settings, go to the product documentation page, https://support.microfocus.com/manuals/sshdocs.html. Select your product; open the Reflection for Secure IT Server Users Guide for your product version; and search for Port Forwarding.
For details on configuring other SSH server software, refer to your man pages or the product's documentation.
Step II—Configuring Port Forwarding
The client can be configured to request local or remote port forwarding, or both.
For information about configuring the Reflection for Secure IT Client for port forwarding, go to the product documentation page, https://support.microfocus.com/manuals/sshdocs.html. Select your product; open the Reflection for Secure IT Client Users Guide for your product version; and search for Port Forwarding.
Using the Reflection for Secure IT Interface (Windows Client)
Follow the steps below to create, close, and edit an SSH tunnel using the Reflection for Secure IT Windows Client.
Configure Local Port Forwarding
To create a local tunnel:
- Click Start > Programs > Attachmate Reflection > SSH Client.
- Click Connection > Connection Setup; enter the host name, and then click Security.
- On the Tunneling tab, under Local Forwarding, click Add.
- In the Forward local port field, enter a local port number that the Reflection client should use to listen for TCP or FTP data requests. Data sent from this port will be forwarded through the Secure Shell tunnel.
Note the following:
- Port numbers higher than 1025 are user-defined ports. Using ports 1 – 1024 requires administrative privileges.
- Make sure to select an unused port as your source port. If the port number entered matches a port that is already configured to listen for another service, the Reflection SSH client will be unable to forward the data.
- If you create several tunnels for one connection, you must specify a different local port for each tunnel.
- In the Name field in the Destination Host section, enter localhost.
Important: localhost is used as the name of the remote machine when the TCP application server you are connecting to through the tunnel is running on the same server where the SSH daemon resides, which is often the case.
If the SSH daemon resides on a different host than the host on which the TCP application is running, enter the name of the host you are connecting to in the Destination Host field. In this case, the connection between the Reflection SSH client and the SSH daemon is secure, but the connection between the SSH daemon and the target host is not secure.
- In the Port field, enter the TCP/IP port on the SSH server where the application that uses the tunnel sends its data requests. For example, if you will be forwarding Telnet, the default port for Telnet is 23.
- Optional: The Local Port Forwarding dialog box enables you to configure several additional settings including Tunnel Remote Desktop, Forward type, and Application to Launch. For information about these settings, click the Help button on the Local Port Forwarding dialog box.
- Click OK twice to return to the Connection Setup dialog box.
This tunnel configuration is automatically saved to the user's config file (under SSH config scheme) and will be used again when you connect to the same host (using the same host name).
- Enter a User name and click Connect. Once the SSH connection has been established, unencrypted TCP traffic from a third-party application can be securely sent through the SSH tunnel.
- To save all of the non-SSH related settings, such as host and user names, for use the next time you launch the Reflection for Secure IT client, click File > Save in the SSH client window. Enter a file name and click Save.
When the Reflection SSH client receives a local request on the specified source port, the application is connected to the destination port through the SSH tunnel.
Note the following:
- Changes you make to these settings are saved to the currently specified SSH config scheme.
- Secure Shell settings are saved to the Secure Shell configuration file. You can also configure Secure Shell settings by editing this file manually in any text editor. The keyword used to configure local port forwarding is LocalForward.
Close a Tunnel
To close a tunnel, terminate the host session.
Edit a Tunnel Configuration
To edit tunnel settings:
- While the tunnel is not connected (no host connection has been made), click Connection > Connection Setup. Make sure that the correct host name has been entered, and then click Security.
- On the Tunneling tab, select the local tunnel you want to edit and click Modify.
- Edit the settings and click OK twice.
Using the Command Line (Windows and UNIX Clients)
You can use commands to establish the SSH connection and create the SSH tunnel from the command line.
Use the following command to forward TCP traffic on the workstation through an SSH tunnel to the SSH server.
Syntax:
ssh -L <local workstation port>:localhost:<SSH server port> <user name>@<host name>
Example:
ssh -L 4000:localhost:4005 RKoa@mySSHserver
In the example above, TCP traffic will be forwarded through port 4000 on the workstation to port 4005 on the SSH server.
Step III—Configuring the Application to Use the SSH Tunnel
After creating the SSH tunnel by following the procedure in Step II, you must configure your application to use the SSH tunnel. The configuration will be different for each application. For details, refer to the application documentation.
An Example
The following example shows how to configure Reflection for HP or Reflection for UNIX and OpenVMS to redirect a Telnet session over the port you have redirected to connect through SSH.
- Start the Reflection for Secure IT SSH tunnel (see Step II for details).
- Open Reflection for HP or Reflection for UNIX and OpenVMS, and then click Connection > Connection Setup.
- Under Connect using, select Network and Telnet. In the 'Host name' field, enter localhost, and then click More Settings.
- On the General tab, select TCP port 1025 (or whatever port number you configured in Step II-4 above), and then click OK.
- Click Connect, and log in to the host.
Verifying the Secure Connection with the Windows Client
To verify that your Telnet session is running through the SSH tunnel, follow these steps.
- Click Start > Run.
- In the Open field, type cmd, and then click OK.
- In the Windows Command window, type netstat.
Note: If the netstat command is not recognized, navigate to the C:\Windows\System32 directory and enter the command again.
If the port forwarding is successful, you should see a response similar to the following:
Active Connections

  Proto  Local Address    Foreign Address     State
  TCP    My_PC:1554       my.server.com:22    ESTABLISHED
  TCP    My_PC:1025       localhost:1564      ESTABLISHED
  TCP    My_PC:1564       localhost:1025      ESTABLISHED
In the example above, the first TCP row shows the SSH connection from port 1554 (a random port) on the workstation to port 22 (the default SSH port) on the SSH server.
The second and third TCP rows show the two ends of the Telnet connection on the workstation: port 1025, the port that has been configured to redirect Telnet connections (port 23) through the SSH tunnel (port 22), and a random local port (1564) used by the Telnet client to connect to it. Both addresses are localhost, because the Telnet client never talks to the remote host directly.
Note: If the second or third TCP row shows the actual host name, such as my.server.com:telnet(23), instead of localhost:<port number>, the tunnel has failed and the Telnet connection is not encrypted.
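The verification rules above can be applied automatically to netstat output. The following is an added example, not code from the technical note or the Reflection product; the host name, ports and the two netstat samples are constructed to match the rows discussed above.

```python
"""Classify netstat output as a working SSH local-forward tunnel or not.

Added example (not part of the original technical note). Implements the
checks from the verification section: the SSH session to port 22 must be
ESTABLISHED, the forwarded local port must only exchange data with
localhost, and any row whose foreign side is the real host on the Telnet
port means the application bypassed the tunnel and is unencrypted.
"""
import re

# Constructed sample: a successful tunnel, as shown in the note.
NETSTAT_OK = """
Active Connections

  Proto  Local Address    Foreign Address     State
  TCP    My_PC:1554       my.server.com:22    ESTABLISHED
  TCP    My_PC:1025       localhost:1564      ESTABLISHED
  TCP    My_PC:1564       localhost:1025      ESTABLISHED
"""

# Constructed sample: Telnet connected straight to the host (tunnel failed).
NETSTAT_BYPASSED = """
Active Connections

  Proto  Local Address    Foreign Address        State
  TCP    My_PC:1554       my.server.com:22       ESTABLISHED
  TCP    My_PC:1570       my.server.com:telnet   ESTABLISHED
"""

# One netstat TCP row: local host:port, foreign host:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (lhost, lport, fhost, fport, state) for every TCP row."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]


def check_tunnel(text, ssh_host, local_port, app_ports=("23", "telnet")):
    """Return 'ok', 'no-ssh', 'bypassed' or 'no-client' for the tunnel."""
    rows = parse_netstat(text)
    ssh_up = any(fh == ssh_host and fp == "22" and st == "ESTABLISHED"
                 for _, _, fh, fp, st in rows)
    # Foreign side is the real host on the application port: not tunneled.
    direct = any(fh == ssh_host and fp in app_ports for _, _, fh, fp, _ in rows)
    # Traffic into the forwarded local port must come from localhost.
    via_tunnel = any(lp == local_port and fh == "localhost" and st == "ESTABLISHED"
                     for _, lp, fh, _, st in rows)
    if not ssh_up:
        return "no-ssh"
    if direct:
        return "bypassed"
    return "ok" if via_tunnel else "no-client"
```

Run `netstat` from a command window (without `-n` on Windows, service names such as `telnet` appear instead of port numbers, which the check accepts), paste the output into `check_tunnel`, and treat anything other than `ok` as an unencrypted or missing session.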
Sample Settings
The following sample settings show how to forward HTTP.
Forwarding HTTP
- Use the Reflection SSH client to connect to the host running the HTTP and SSH servers.
- Create a local tunnel with the following values.
Field | Data
Local forward | 8080 (Note: this can be any port number over 1024.)
To remote | localhost
Port | 80
- Open your web browser and go to http://localhost:8080.
Your HTTP connection is now going through the SSH tunnel.
Additional Information
Legacy KB ID
This document was originally published as Attachmate Technical Note 2433.