
SSH Tectia

Remote Tunnels

A remote (incoming) tunnel forwards traffic coming to a remote port to a specified local port.

With sshg3 on the command line, the syntax of the remote tunneling command is as follows:

client$ sshg3 -R [protocol/][listen-address:]listen-port:dst-host:dst-port \
      sshserver


  • [protocol/] specifies which protocol is used in the tunneled connection. It can be ftp or tcp (optional argument). The default is tcp.

  • [listen-address:] defines which interface on the remote server is listened on (optional argument). By default, all interfaces are listened on.

  • listen-port is the number of the port on the remote server, and connections coming to this port will be tunneled to the client.

  • dst-host:dst-port define the destination host address and the port to which the connection is tunneled from the client.

  • sshserver is the IP address or the host name of the Secure Shell server.

Setting up remote tunneling allocates a listener port on the remote server. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client, and another connection is made from the client to the specified destination host and port. The connection from the client onwards is not secured; it is a normal TCP connection.


Every user with access to the remote server host will be able to use the remote tunnel.

Figure 7.4 shows the different hosts and ports involved in remote port forwarding.


Figure 7.4. Remote tunneling terminology

For example, if you issue the following command, all traffic which comes to port 1234 on the server will be tunneled to port 23 on the client. See Figure 7.5.

sshclient$ sshg3 -R 1234:localhost:23 username@sshserver

The forwarding address in the command is resolved at the (local) end point of the tunnel. In this case localhost refers to the client host.


Figure 7.5. Remote tunnel
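The listener and last-hop behaviour described above can be checked before a tunnel is opened. The following Python sketch is an added example, not part of the SSH Tectia documentation or product: it parses a tunnel specification in the syntax shown above and reports whether the listener is open on all interfaces and whether the unencrypted hop leaves the client host. The function names and finding labels are hypothetical, the sample specifications are constructed, and IPv6 literals are not handled.

```python
import ipaddress

def is_loopback(host):
    """True for 'localhost' or an IPv4 loopback literal such as 127.0.0.1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other host name is treated as non-loopback

def parse_remote_tunnel(spec):
    """Parse [protocol/][listen-address:]listen-port:dst-host:dst-port."""
    protocol, slash, rest = spec.partition("/")
    if not slash:
        protocol, rest = "tcp", spec  # protocol is optional, default tcp
    if protocol not in ("tcp", "ftp"):
        raise ValueError(f"unknown protocol: {protocol!r}")
    fields = rest.split(":")
    if len(fields) == 3:
        fields.insert(0, None)  # listen-address omitted
    if len(fields) != 4 or fields[0] == "" or not fields[2]:
        raise ValueError(f"malformed tunnel spec: {spec!r}")
    listen_addr, listen_port, dst_host, dst_port = fields
    for port in (listen_port, dst_port):
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port: {port!r}")
    return {"protocol": protocol, "listen_addr": listen_addr,
            "listen_port": int(listen_port), "dst_host": dst_host,
            "dst_port": int(dst_port)}

def audit_remote_tunnel(spec):
    """Return labels (hypothetical names) for the exposures the text describes."""
    tunnel = parse_remote_tunnel(spec)
    findings = []
    if tunnel["listen_addr"] is None:
        findings.append("all-interfaces")        # default: every interface
    elif not is_loopback(tunnel["listen_addr"]):
        findings.append("non-loopback-listener")
    if not is_loopback(tunnel["dst_host"]):
        findings.append("cleartext-hop")         # plain TCP beyond the client
    return findings

if __name__ == "__main__":
    # Constructed sample specs, not taken from any real configuration.
    for spec in ("1234:localhost:23", "tcp/127.0.0.1:1234:10.0.0.5:23",
                 "ftp/127.0.0.1:8021:localhost:21"):
        print(f"{spec:34} {audit_remote_tunnel(spec) or 'no findings'}")
```

Binding the listener to a loopback address clears the first finding, but users with access to the server host can still connect to the tunnel.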

Tunnels can also be defined for connection profiles in the Connection Broker configuration file. The defined tunnels are opened automatically when a connection with the profile is made.

The following is an example from an ssh-broker-config.xml file:

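<profile id="id1" host="">
  <tunnels>  <!-- same tunnel as -R 1234:localhost:23 above -->
    <remote-tunnel type="tcp" listen-port="1234"
                   dst-host="localhost" dst-port="23" />
  </tunnels>
</profile>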

