
Technical Notes

Local Port Forwarding and the F-Secure SSH Client
Technical Note 1841
Last Reviewed 26-May-2005
Applies To
F-Secure SSH Client for Windows version 5.1 through 5.4
F-Secure SSH Client for UNIX version 3.2.3 through 5.x
Summary

This technical note briefly describes Secure Shell (SSH) and port forwarding, explains how to configure the F-Secure SSH client for local port forwarding by creating a connection through a secure SSH tunnel, and then provides some sample configuration settings.

Note: Beginning with version 6.0, the F-Secure SSH product line has a new name: Reflection for Secure IT. This technical note does not apply to Reflection for Secure IT clients.


A Brief Introduction to SSH

SSH is a computer program based on the Secure Shell protocol. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data. The current version of Secure Shell is ssh-2. (The ssh-1 protocol is deprecated; therefore, it is highly recommended that you use ssh-2.)

For more information about Secure Shell, see "Fortified SSH: A Cost-Effective Way to Safeguard Your Network" on Attachmate.com: http://www.attachmate.com/WhitePapers/Literature_0954.htm.

A Brief Introduction to Port Forwarding (Tunneling)

Port forwarding, or tunneling, allows insecure TCP/IP traffic to be forwarded through a secure SSH connection. Most remote services that use TCP/IP can be secured, including client-server applications, database systems, and services such as HTTP, Telnet, FTP, POP3, and SMTP. The F-Secure SSH Client also provides automatic forwarding for the X11 Windows System commonly used on UNIX machines.

Using the F-Secure SSH Client for Secure Connections

To tunnel a host session through an F-Secure SSH client connection, you must establish the SSH connection, and then configure the application you want to securely connect with so that its communication is redirected through the SSH tunnel.

Figure 1 - Port Forwarding

Step I—Configuring the SSH Server to Use the SSH Tunnel

Before the SSH tunnel is established and the application is configured to use it, ensure that the SSH server is configured to enable tunneling. How you configure the server depends on which server you are using. Follow the steps below to configure the F-Secure SSH Server for Windows or UNIX. For details on configuring other SSH server software, refer to your man pages or the product's documentation.

F-Secure Server for Windows

  1. Click Start > Programs > F-Secure SSH Server > Configuration.
  2. Select Server Settings > Tunneling.
  3. Select Allow TCP tunneling, and then click Apply. Note: The server does not need to be restarted after applying this change.

F-Secure SSH Server for UNIX

  1. Open the sshd2_config file in a text editor such as vi.
  2. Under the Tunneling heading, change the value of AllowTcpForwarding from No to Yes.
  3. Uncomment (remove the # from the start of the line) the AllowTcpForwarding line.
  4. Restart the SSH daemon (sshd).

Step II—Creating a Local Tunnel

When you create a local tunnel, you configure the F-Secure SSH client to listen to a specific port on your local computer. When any program on your computer connects to the specified port, the F-Secure SSH client forwards the request and the data over the secure channel to the remote host.

You can create a local tunnel using the F-Secure SSH interface (for the Windows client) or the command line (for the Windows and UNIX clients).

Using the F-Secure SSH Interface (Windows Client)

Follow the steps below to create, close, and edit a tunnel using the F-Secure SSH interface.

Create a Tunnel

Follow the steps below to create a local tunnel.

  1. Navigate to the Add New Local Tunnel dialog box.

To access Add New Local Tunnel before connecting to a host, click Edit > Settings > Profile > Tunneling > Local > Add.

To access Add New Local Tunnel after connecting, follow these steps.

    1. Click Quick Connect and start an SSH connection from your computer to an SSH server. By default, this is on port 22.
    2. Click Window > New Tunnel View.
    3. Click Tunnel > New Local Tunnel.
  2. In the Display Name field, enter a name for the tunnel. Use a descriptive name that will help you recognize the tunnel later.
  3. In the Source Port field, enter a local port number that the F-Secure SSH client should listen to for TCP or FTP data requests.

Note the following:

    • Port numbers higher than 1025 are user-defined ports. Using ports 1 – 1024 requires administrative privileges.
    • If the protocol or the application that will use the tunnel has a fixed port number, the source port number should be the same fixed port number.
    • Make sure to select a non-used port for your Source Port. If the port number entered matches a port that is already configured to listen for another service, the F-Secure SSH client will be unable to forward the data.
    • If you create several tunnels for one connection, you must specify a different source port for each tunnel.
  4. In the Destination Host field, enter localhost.

Important: Localhost is used for the name of the remote machine if the server you are connecting to through the tunnel is running on the same server where the SSH daemon resides, which is often the case.

If the SSH daemon resides on a different host than the host you are connecting to, enter the name of the host you are connecting to in the Destination Host field. In this instance, the connection between the F-Secure SSH client and the SSH daemon is secure, but the connection between the SSH daemon and the target host is not secure.

  5. In the Destination Port field, enter the TCP/IP port on the SSH server where the application which uses the tunnel sends its data requests. For example, if you will be forwarding Telnet, the default port for Telnet is 23.
  6. Select a tunnel Type of TCP or FTP.
  7. Optional: To start an application automatically when the tunnel is created, browse to and select the application executable in the Application to Start field.
  8. Click OK. The new local tunnel opens automatically.
  9. To save this local tunnel for use the next time you launch the F-Secure SSH client, click File > Save Settings, in the SSH client or tunnel window.

When the F-Secure SSH client receives a local request on the specified source port, the application is connected to the destination port through the SSH tunnel.

Close a Tunnel

To terminate a tunnel, in the main F-Secure SSH client window, click Edit > Settings > Profile > Tunneling > Local, select the tunnel to delete, and then click Remove.

Edit a Tunnel

Follow the steps below to edit tunnel settings.

  1. Click Edit > Settings.
  2. Expand Profile > Tunneling, and select Local.
  3. Select the local tunnel you want to edit and click Edit.
  4. Edit the settings and click OK > OK.

Using the Command Line (Windows and UNIX Clients)

Use the following commands to establish the SSH connection and create the SSH tunnel from the command line.

Use this command to forward TCP traffic on the workstation through an SSH tunnel to the SSH server.

Syntax:

ssh2 -L <local workstation port>:localhost:<SSH server port> <user name>@<host name>

Example:

ssh2 -L 4000:localhost:4005 RKoa@mySSHserver

In the example above, TCP traffic will be forwarded through port 4000 on the workstation to port 4005 on the SSH server.
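
The Source Port notes in Step II and the forwarding specification used with -L can be checked before a tunnel is opened. The following Python script is an added example, not part of the original technical note or of the F-Secure client; the function names and the sample plan (including the placeholder host ftp.example.test) are assumptions made for illustration.

```python
import socket

PRIVILEGED_MAX = 1024  # per the note: ports 1-1024 need administrative privileges

# Constructed sample plan; ftp.example.test is a placeholder host name.
PLAN = ["4000:localhost:4005", "8080:localhost:80", "8080:localhost:8000",
        "23:localhost:23", "8021:ftp.example.test:21"]


def parse_forward(spec):
    """Split '<source port>:<destination host>:<destination port>'."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected port:host:port, got {spec!r}")
    src, dst = int(parts[0]), int(parts[2])
    if not (1 <= src <= 65535 and 1 <= dst <= 65535):
        raise ValueError(f"port out of range in {spec!r}")
    return src, parts[1], dst


def port_in_use(port):
    """True if the loopback port cannot be bound, i.e. something holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind(("127.0.0.1", port))
        except OSError:
            return True
    return False


def check_plan(specs, in_use=port_in_use):
    """Return (spec, problem) pairs for a list of planned local tunnels."""
    problems, seen = [], set()
    for spec in specs:
        src, host, _dst = parse_forward(spec)
        if src in seen:
            problems.append((spec, "source port reused by another tunnel"))
        seen.add(src)
        if src <= PRIVILEGED_MAX:
            problems.append((spec, "source port needs administrative privileges"))
        elif in_use(src):
            problems.append((spec, "source port already in use"))
        if host.lower() not in ("localhost", "127.0.0.1"):
            problems.append((spec, "SSH server to destination hop is not encrypted"))
    return problems


if __name__ == "__main__":
    for spec, problem in check_plan(PLAN):
        print(f"{spec}: {problem}")
```

The last check reflects the Important note in Step II: when the Destination Host is not the SSH server itself, only the client-to-server leg is protected.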

Step III—Configuring the Application to use the SSH Tunnel

After creating the SSH tunnel by following the directions in Step II, you must configure your application to use the SSH tunnel. The configuration will be different for each application. For details, refer to the application documentation.

An Example

The following example shows how to configure Reflection for HP or Reflection for UNIX and OpenVMS to redirect a Telnet session over the port you have redirected to connect through SSH.

  1. Start the F-Secure SSH client SSH tunnel (see Step II for directions).
  2. Open Reflection for HP or Reflection for UNIX and OpenVMS, and then click Connection > Connection Setup.
  3. Under Connect using, select Network and Telnet. In the 'Host name' field, enter localhost, and then click More Settings.
  4. On the General tab, select TCP port 1025 (or whatever port number you configured in step I-5 above), and then click OK.
  5. Click Connect, and then enter your user name and password.

Verifying the Secure Connection with the Windows Client

Follow the steps below to verify that your Telnet session is running through the SSH tunnel.

  1. Click Start > Run.
  2. In the Open field, type cmd, and then click OK.
  3. In the Windows Command window, type netstat.

Note: If the netstat command is not recognized, navigate to the C:\Windows\System32 directory and enter the command again.

If the port forwarding is successful, you should see a response similar to the following:

Active Connections
Proto  Local Address   Foreign Address     State
  TCP  My_PC:1554      my.server.com:22    ESTABLISHED
  TCP  My_PC:1025      localhost:1564      ESTABLISHED
  TCP  My_PC:1564      localhost:1025      ESTABLISHED

In the example above, the first TCP row shows the SSH connection from port 1554 (a random port) on the workstation to port 22 (the default SSH port) on the SSH server.

TCP rows two and three show the Telnet connection between port 1025 on the workstation, the port that has been configured to redirect Telnet connections (port 23) through the SSH tunnel (port 22), and a random port (1564) on the SSH server.

Note: If the second or third TCP row shows the actual host name, such as my.server.com:telnet(23), instead of localhost:<port number>, the tunnel has failed and the Telnet connection is not encrypted.
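
The manual check above can be scripted. This Python example is an addition to the technical note, not vendor code; it classifies netstat output using the rule in the preceding note. The first sample is the output shown above, the second is constructed, and the function names and the "ssh" service-name alias are assumptions.

```python
LOOPBACK = {"localhost", "127.0.0.1"}

# First sample is the netstat output shown above; the second is constructed
# to show a Telnet session that bypassed the tunnel.
TUNNELED = """\
Active Connections
Proto  Local Address   Foreign Address     State
  TCP  My_PC:1554      my.server.com:22    ESTABLISHED
  TCP  My_PC:1025      localhost:1564      ESTABLISHED
  TCP  My_PC:1564      localhost:1025      ESTABLISHED
"""
BYPASSED = """\
  TCP  My_PC:1554      my.server.com:22      ESTABLISHED
  TCP  My_PC:1570      my.server.com:telnet  ESTABLISHED
"""


def established(text):
    """Return (local port, foreign host, foreign port) for ESTABLISHED TCP rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            lport = fields[1].rpartition(":")[2]
            rhost, _, rport = fields[2].rpartition(":")
            rows.append((lport, rhost.lower(), rport.lower()))
    return rows


def tunnel_status(text, source_port, app_ports, ssh_ports=("22", "ssh")):
    """Classify a forwarded session; app_ports lists the number and service name."""
    rows = established(text)
    direct = [f"{h}:{p}" for _, h, p in rows if h not in LOOPBACK and p in app_ports]
    if direct:
        return "UNENCRYPTED", direct  # application talks to the host directly
    ssh_up = any(h not in LOOPBACK and p in ssh_ports for _, h, p in rows)
    forwarded = any(lp == str(source_port) and h in LOOPBACK for lp, h, _ in rows)
    return ("TUNNELED" if ssh_up and forwarded else "NO TUNNEL"), []


if __name__ == "__main__":
    print(tunnel_status(TUNNELED, 1025, ("23", "telnet")))
    print(tunnel_status(BYPASSED, 1025, ("23", "telnet")))
```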

Sample Settings

The following sample settings show how to forward HTTP and FTP.

Forwarding HTTP

  1. Use the F-Secure SSH client to connect to the host running the HTTP and SSH servers.
  2. Create a local tunnel with the following values.

     Field             Data
     Source Port       8080 (Note: This number can be any port number over 1024.)
     Destination Host  localhost
     Destination Port  80
     Type              TCP

  3. Open your web browser and go to http://localhost:8080.

Forwarding FTP

  1. Use the F-Secure SSH client to connect to the host running the FTP and SSH servers.
  2. Create a local tunnel with the following values:

     Field             Data
     Source Port       8021 (Note: This number can be any port number over 1024.)
     Destination Host  localhost
     Destination Port  21
     Type              FTP

  3. Use your FTP client to connect to localhost on port 8021. You can use either active or passive FTP mode.

Related Technical Notes
1900 F-Secure SSH Technical Notes
