Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

Tunneling with SSH Tectia Connector

SSH Tectia Connector has been especially designed for application tunneling. It provides encryption and strong two-factor authentication to third-party network client applications. It allows a company IT administrator to install transparent network security to Windows workstations in order to secure the intranet communications of any standard applications that use TCP/IP.

SSH Tectia Connector can be used for example to secure connections from workstations to the department server room, or to connect securely to the office e-mail server and intranet from a remote location.


SSH Tectia Connector connects to SSH Tectia Server with Tunneling Expansion Pack or SSH Tectia Server for IBM z/OS and captures all network communication originating from applications on the local workstation such as MS Outlook, MS Internet Explorer, Netscape and other software.

When an application tries to establish a connection to a remote host, SSH Capture DLL queries from the Connection Broker whether the connection needs to be blocked, passed directly or tunneled securely through an SSH Tectia Server. If the connection requires tunneling, the Connection Broker creates a TCP listener as a local tunnel end point and the application connection is redirected to that local end point.

Processes running with the SYSTEM account are passed through, and only user processes are captured. Connector uses the standard Windows Socket API.

The architecture of SSH Tectia Connector

Figure 4.5. The architecture of SSH Tectia Connector

SSH Tectia Connector directs the network communication using tunneling (port forwarding) over the secure SecSh connection to the SSH Tectia Server with Tunneling Expansion Pack, which, if necessary, relays the traffic to the destination host. The connection segment between SSH Tectia Connector and SSH Tectia Server is secure and the relayed connection between the SSH Tectia Server and the application server is unsecured. This is why it is recommended that there is at least one SSH Tectia Server in each physically secured area such as a machine room.

Connector can secure network client applications that initiate connections to server applications using TCP communications. Other network protocols such as UDP are currently not supported. Also applications that initiate connections from the server to the workstation are currently out of the scope of SSH Tectia Connector.

For example, when FTP is used in passive mode, the FTP client initiates both command and data connections to the server. This way, SSH Tectia Connector is able to capture the connections and secure them regardless of port numbers and the number of data connections. When the FTP client connects to an FTP server using active mode FTP, the FTP server initiates the data connections, and they are not captured by SSH Tectia Connector. Hence, in active mode FTP, connections are not secured.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more