The transparent TCP tunneling feature captures the TCP traffic of hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the application software.
On Windows, transparent TCP tunneling captures also connections initiated by applications running at low integrity level on Windows Vista and newer platforms. This is mainly because Internet Explorer (version 7 and newer) runs at low integrity level when configured for protected mode, as by the default.
Connection sharing between SSH applications of one user running at low integrity level and those running at higher integrity levels is disabled for security reasons.
For example, let us assume that the sshg3 client has opened and authenticated a secure shell connection using a profile named
tunneling_profile (and sshg3 is running at normal integrity level). Then, Internet Explorer running in protected mode (and at low integrity level) establishes a TCP connection which is tunneled using the same profile
tunneling_profile. Connection Broker behaves as follows in this situation:
A new SSH connection is opened and authenticated for the Internet Explorer process.
Previously, the existing connection would have been shared between the two applications, only opening new channels as needed.
However, connections are still shared among all processes that run at low integrity level. Similarly, connections are shared also among processes running at medium and higher integrity levels.
The transparent TCP tunneling is activated in the Connection Broker configuration, where you can also specify the applications to be tunneled and define filter rules that control the setting up of the tunnels in detail. Once activated, the transparent TCP tunneling feature automatically captures the defined applications and the Connection Broker creates Secure Shell tunnels to the defined servers, that can be SSH Tectia Servers, SSH Tectia Server for IBM z/OS, or any SSH2-capable Secure Shell servers.
When a global configuration file exists, (for example when SSH Tectia ConnectSecure is controlled by SSH Tectia Manager,) and it includes the
filter-engine element, those settings are applied. The global configuration file is located in
/etc/ssh2/ssh-broker-config.xml on Unix, and
"C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Broker\ssh-broker-config.xml" on Windows.
This example shows how transparent TCP tunneling can be used to secure Telnet connections between a corporate network and external servers over the Internet.
In the example use case, the users have Unix hosts with Telnet applications. Since Telnet includes no internal security measures, SSH Tectia ConnectSecure is also installed on each host to provide security. The users make Telnet connections to port 23 (the dedicated Telnet port) to application servers outside the company. The destination hosts are required to have Secure Shell servers running on them, either SSH Tectia Server or some other standard-compliant server.
The host keys of the destination hosts need to be saved as known host keys on the local hosts before using the transparent TCP tunnels. To fetch and save the host keys, connect once to each of the destination hosts using command
sshg3 and choose
save in the host key dialog.
Also, the user public keys need to be delivered to the Secure Shell servers. On Unix, the
ssh-capture process cannot always extract the password prompt from the application, so the Secure Shell connections need to be established non-interactively. For this reason, the users should use, for example, public keys without passphrases.
The transparent TCP tunnels are defined in the SSH Tectia ConnectSecure configuration to tunnel all traffic going to port 23. SSH Tectia ConnectSecure can use the destination host name directly from the connection-originating application, so it is not necessary to create a separate connection profile for each destination host. The transparent TCP tunneling configuration is made in a single filter rule set in the Connection Broker configuration file
<filter-engine> . . . <rule host=".*" ports="23" action="TUNNEL" hostname-from-app="YES" fallback-to-plain="NO" /> </filter-engine>
For detailed description of the configuration elements, see the section called “The
To activate the transparent TCP tunneling, restart the Connection Broker or make it re-read its configuration by using command:
$ ssh-broker-ctl reload
To start tunneling the Telnet connections made to port 23, run command:
$ ssh-capture telnet some-server.example.com
You can also start a bash shell session with connection capturing enabled for all commands. Run command:
$ ssh-capture bash
With the transparent TCP tunneling active, all Telnet connections from the Unix client hosts to the remote servers will be securely tunneled. The client host applications require no modifications, so the users can keep working with the existing tools as before.
Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.
This section gives an example of configuring encrypted tunnels for an e-mail service on Windows. Transparent TCP tunneling is used for establishing tunnels that can be utilized as a secure transport between an e-mail client and an e-mail server communicating over the Internet.
This scenario describes a typical configuration for remote users for accessing the company's internal e-mail services transparently. In the test scenario, access from the client's private network to the Internet traverses through a SOCKS4 server, and the client-side has SSH Tectia ConnectSecure installed. Access to the company's internal network, including the e-mail services, goes via a gateway host which has SSH Tectia Server running.
Before e-mail delivery, SSH Tectia ConnectSecure automatically creates a transparent TCP tunnel between the client host and the SSH Tectia Server gateway for SMTP/IMAP/POP protocols. The encrypted tunnel ends at the gateway, and from there onwards the e-mail traffic is transmitted unencrypted in the company's internal network.
To create the configuration using the SSH Tectia Configuration tool, do the following:
On the Connection Profiles page, click Add profile to add a new connection profile for the gateway server host. Enter the profile name and click OK. In the example, the profile is named
Select the created profile from the Connection Profiles list, and specify the connection details in the following view.
By default, the profile name is assumed to be the host name of the destination server, but here we link the profile name to a server called
host1234. Click Apply when the settings are ready.
On the Transparent Tunnels → Connection Capture page, select the Enable transparent tunneling at startup check box.
On the Transparent Tunnels → Filter Rules page, click Add to add the filter rules which define the applications and ports to be captured and tunneled. In this example, only TCP ports related to e-mail delivery (IMAP, POP, SMTP) are forwarded to the gateway server through profile
Under Action, it is possible to select how the destination host is defined; either the host defined in the connection profile is used, or the host definition is received from the application. Now that we have a gateway server in this example, we will use the hostname defined in the profile, and the Use host name from the application is left unselected. In case we had a Secure Shell server running on each destination server, we could use the host names from the application.
The created rules are listed in the Filter Rules view. You can return to editing a selected rule by clicking Edit, and you can arrange the order of the rules with the up and down arrows. Place the most specific rules first. In this example, the order is not significant.
Once transparent TCP tunneling has been activated, it captures the e-mail traffic to the hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the e-mail application.
When the tunnel is opened, the user is prompted to authenticate to the gateway server. Setting up public-key authentication to the server is recommended. For instructions, see Managing Keys and Certificates.