Tunneling
Tunneling, or port forwarding, is a way to forward otherwise insecure TCP
traffic through an encrypted Secure Shell tunnel. You can secure for example
POP3, SMTP and HTTP connections that would otherwise be insecure.
Note: The client-server applications using the tunnel will carry out
their own authentication procedures (if any) the same way they would without the
encrypted tunnel.
For a more thorough explanation of tunneling, see Section Tunneling Explained. For
practical tunneling examples, see sections Tunneling Example - Email and
Tunneling Example - FTP.
Tunneling settings are configured using the Tunneling page of the Settings dialog. Any changed tunneling settings will take effect the next time you log in.
Figure : The Tunneling page of the Settings dialog.
The outgoing and incoming tunnel settings are configured using the
Outgoing and Incoming tabs of the Tunneling page.
Outgoing
Outgoing tunnels protect TCP connections that your local computer forwards from a specified local port to the specified port on the remote host computer you are connected to.
Figure : Tunneling an IMAP connection for secure email.
It is also possible to forward the connection beyond the remote host computer; however, the connection is encrypted only between the client (local computer) and the Secure Shell server. See Forwarding to a third host.
Figure : Forwarding to a third host.
Click the Outgoing tab to edit outgoing tunnel definitions.
The following fields are used to define an outgoing tunnel. These values can be edited by clicking the Add or Edit buttons on the Outgoing page of the Settings dialog.
- Name
The name of the tunnel definition. You can use this field to type in a descriptive name that will help you to recognize this tunnel definition later on.
- Listen Port
This is the number of the local port that the tunnel 'listens to', or captures.
Note: The protocol or application that you wish to create the tunnel for may have a fixed port number (for example, 143 for IMAP) that it needs to use to successfully connect. Some other protocols or applications may require an offset (e.g. 5900 for VNC) that you will have to take into account.
- Destination Host
This field defines the destination host for the port forwarding. The default value is localhost.
Note: The value of localhost is resolved after the Secure Shell connection has been established - so here localhost refers to the remote host computer you have connected to.
- Destination Port
The destination port defines what port will be used for the forwarded connection on the destination host.
- Allow Local Connections Only
Leave a check mark in this box if you allow only local connections to be made. This means that other computers will not be able to use the tunnel created by you. By default, only local connections are allowed. This is the right choice for most situations. You should carefully consider the security implications if you decide to also allow outside connections.
- Type
Select the type of the tunnel from the dropdown list. Valid choices are TCP and FTP.
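The Outgoing tab's fields map onto a plain TCP relay on the local side: open the listen port (on the loopback interface when Allow Local Connections Only is checked, on all interfaces otherwise), accept connections, and copy bytes to the destination host and port. As an added example that is not part of this help page or of the SSH Secure Shell product, the Python below implements that local listener and relay with a constructed echo server standing in for the destination service; the encryption between the client and the Secure Shell server that the real tunnel provides is left out, since the point here is the listen-side behaviour and the effect of the local-only setting.

```python
import socket
import threading

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def bind_address(local_only: bool) -> str:
    # "Allow Local Connections Only": loopback keeps the listen port private to this computer.
    return "127.0.0.1" if local_only else "0.0.0.0"

def _pump(src, dst):
    # Copy bytes one way until src closes (or errors), then half-close dst so EOF propagates.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        dst.shutdown(socket.SHUT_WR)

def _listen(host: str, port: int, handler):
    # Bind, then hand every accepted connection to handler on its own thread.
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((host, port))
    lsock.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return  # listening socket closed
            _spawn(handler, conn)
    _spawn(accept_loop)
    return lsock, lsock.getsockname()[1]  # port actually bound (0 lets the OS pick)

def start_forwarder(listen_port: int, dest_host: str, dest_port: int, local_only: bool = True):
    # Listen Port, Destination Host and Destination Port as on the Outgoing tab.
    def relay(client):
        upstream = socket.create_connection((dest_host, dest_port))
        _spawn(_pump, client, upstream)
        _pump(upstream, client)
    return _listen(bind_address(local_only), listen_port, relay)

def start_echo_server():
    # Constructed stand-in for the destination service (e.g. an IMAP server): echoes bytes back.
    return _listen("127.0.0.1", 0, lambda conn: _pump(conn, conn))

def round_trip(port: int, payload: bytes) -> bytes:
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

With local_only left at its default the forwarder is reachable only from this computer; passing False binds 0.0.0.0 and exposes the listen port to every host that can reach the machine.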
Incoming
Incoming tunnels protect TCP connections that the remote host forwards from a specified remote port to the specified port on your local computer. Click the Incoming tab to edit incoming tunnel definitions.
Figure : Redirecting the HTTP connection to a remote host port 8080 to your local computer's port 80.
The following fields are used to define an incoming tunnel. These values can be edited by clicking the Add or Edit buttons.
- Name
The name of the tunnel definition. You can use this field to type in a descriptive name that will help you to recognize this tunnel definition later on.
- Listen Port
The port that the tunnel 'listens to', or captures from the remote host computer.
Note: Privileged ports (above 1023) can be forwarded only when logging in with root privileges on the remote host computer.
- Destination Host
This field defines the destination host for the port forwarding. The default value is localhost.
Note: Here localhost refers to your local computer. Also note that if the connection from the remote host computer is forwarded beyond your local computer, that connection will be insecure.
- Destination Port
The destination port defines what port will be used for the forwarded connection on the destination host.
- Type
Select the type of the tunnel from the dropdown list. Valid choices are TCP and FTP.
Configuring Tunnels
The following buttons are available for configuring outgoing and incoming tunnels.
- Add
Click the Add button to add a tunnel definition.
An Add New Tunnel dialog appears, allowing you to define the
name, type, listen port, destination host,
and destination port for the port forwarding. With outgoing
tunnels you can also define if you allow local connections only.
Note: If you are tunneling an FTP connection, you must set the tunnel type as FTP.
If the SSH server and the FTP server are located on separate
host computers, FTP tunneling works only if FTP is set to run
in passive mode. If the SSH server and the FTP server are
located on the same computer, tunneling works regardless of
whether FTP is running in passive or active mode.
- Edit
Select a tunnel definition from the displayed list and click
the Edit button to edit a previously defined
tunnel. An Edit Tunnel dialog appears, allowing
you to edit the name, listen port,
destination host, and destination port of the
outgoing tunnel. With outgoing tunnels you can also define if
you allow local connections only.
- Remove
Select a tunnel definition from the displayed list and click the Remove button to remove a previously defined tunnel. Note that the selected tunnel will be removed immediately, with no confirmation dialog being displayed.
X11 Tunneling
The Secure Shell 2 client can securely tunnel (forward) X11 graphic connections from the remote host computer to an X-Windows server running on the local computer.
Note: You must also be running an X emulator such as Exceed or Reflection X in passive mode on the Windows computer for X11 tunneling to work.
To tunnel (forward) X11 traffic, perform the following tasks:
- Install an X server (X emulation) program on Windows
(eXceed, Reflection X, or the like).
- Start SSH Secure Shell for Workstations.
- Select the Edit -> Settings... -> Tunneling
option and make sure that the Tunnel X11 connections
checkbox is selected.
- Save your settings for SSH Secure Shell for Workstations.
- Quit the client, start it again and log into the remote host.
- Start the X server (X emulation) program.
- Run xterm or xclock from Secure Shell, and it should work.
Copyright © 2003 SSH Communications Security Corp.
All rights reserved.