Your browser does not allow storing cookies. We recommend enabling them.
SSH.COM uses cookies to give you the best experience and most relevant marketing. More info
DECLINE Warning: Some functionality on this site will not work without cookies and our advertising will be less relevant!GOT IT!

SSH
Home Prev Up Next

Running Two SOCKS Proxies on a Dual TCP/IP Stack

In this example we have two users, SSHSP and SSHSPB, and two started tasks, SSHSP and SSHSPB, for two Tectia SOCKS Proxies:

  • SSHSP: this started task is assigned to user SSHSP and uses stack TCPIP:

    //STDENV  DD  DSN=<HLQ>.V663.PARMLIB(SSHENV),
//            DISP=SHR                             
//        DD  DSN=<HLQ>.V663.PARMLIB(TCPIP),DISP=SHR 1
    1

    The TCP/IP stack name is specified using the _BPXK_SETIBMOPT_TRANSPORT environment variable that is set in <HLQ>.V663.PARMLIB(TCPIP):

    _BPXK_SETIBMOPT_TRANSPORT=TCPIP

  • SSHSPB: this started task is assigned to user SSHSPB and uses stack TCPIPB:

    //STDENV  DD  DSN=<HLQ>.V663.PARMLIB(SSHENV),
//            DISP=SHR 
//        DD  DSN=<HLQ>.V663.PARMLIB(TCPIPB),DISP=SHR

The IP address of the SOCKS Proxy in stack TCPIP is 198.51.100.1, and the IP address of the SOCKS Proxy in stack TCPIPB is 198.51.100.2. The SOCKS Proxies are used to connect to remote servers at 203.0.113.1 and 203.0.113.2.

Dual TCP/IP stack setup for Tectia SOCKS Proxy

Figure D.1. Dual TCP/IP stack setup for Tectia SOCKS Proxy

You can run the two SOCKS proxies on a dual stack z/OS in two ways:

  • Using two SOCKS Proxy configuration files with different network listeners (see Example D.1)

  • Using one global SOCKS Proxy configuration file, and creating network listeners on both TCP/IP stacks' loopback address (see Example D.2). You can also use two separate SOCKS Proxy configuration files if you want to have different rules for the other stack connections.

Example D.1. Two configuration files with different network listeners

Add the following elements to the SSHSP configuration file (/u/SSHSP/.ssh2/ssh-socks-proxy-config.xml): 

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...    
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="198.51.100.1"
         listen-port="1080"
         dst-port="0"
         profile="" />
...        
<rule    ip-address="203.0.113.1"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Add the following elements to the SSHSPB configuration file (/u/SSHSPB/.ssh2/ssh-socks-proxy-config.xml): 

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...    
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="198.51.100.2
         listen-port="1080"
         dst-port="0"
         profile="" />
...        
<rule    ip-address="203.0.113.2"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Define the IP addresses of the SOCKS Proxies in the socks.conf file:

sockd @=198.51.100.1 203.0.113.1 255.255.255.0
sockd @=198.51.100.2 203.0.113.2 255.255.255.0
direct 0.0.0.0 0.0.0.0

Example D.2. Network listeners on TCP/IP stacks' loopback address

Add the following elements to the global SOCKS Proxy configuration file (/opt/tectia/etc/ssh-socks-proxy-config.xml):

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="127.0.0.1"
         listen-port="1080"
         dst-port="0"
         profile="" />
...
<rule    ip-address="203.0.113.*"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Create listeners on both TCP/IP stacks' loopback address (127.0.0.1) in the socks.conf file:

sockd @=127.0.0.1 203.0.113.1 255.255.255.255
sockd @=127.0.0.1 203.0.113.2 255.255.255.0
direct 0.0.0.0 0.0.0.0
Home Prev Up Next

Copyright 2017 SSH Communications Security Corporation
This software is protected by international copyright laws. All rights reserved.
Contact Information


 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now

  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now