Appendix A: Remote Port Forwarding

Remote port forwarding may be used if there is a need for applications to connect, through the Secure Shell server, to an application that resides on the Secure Shell client-side.

When a remote port is forwarded, SecureCRT® (the Secure Shell client) requests that VShell® (the Secure Shell server) listen to an arbitrary, unused TCP port on the Secure Shell server. When a connection is requested to this port on the Secure Shell server, the Secure Shell server opens another port to the Secure Shell client to relay the forwarded traffic. Packets received at remotehost:remoteport are intercepted by the Secure Shell server and re-directed to the Secure Shell client at localhost:localport.

Figure 7: Remote Port Forwarding

In this case, forwarded traffic can be seen as "flowing" between some independent client (the application that accesses the reverse-forwarded port), the Secure Shell server (remotehost), the Secure Shell client (localhost), and a destination server (the application that consumes the reverse-forwarded data). Figure 7 illustrates remote port forwarding to a Telnet server on the localhost.

With remote port forwarding, the server application is typically co-located with SecureCRT. The server can also run on a trusted host near SecureCRT - for example, a SOHO LAN gateway that is remotely administered through Telnet. When configuring remote port forwards, unique listening ports must be assigned to each SecureCRT. In Figure 7, VShell can forward Telnet sessions to several different SecureCRTs - provided that each uses a different remote port.