Overview of Dynamic Port Forwarding with SecureCRT®

Introduction
This page provides an overview of dynamic port forwarding, a service in SecureCRT 5.0 and later versions which simplifies how TCP/IP application data is routed through an SSH2 connection. Instead of configuring port forwarding on a per-application basis in SecureCRT, with dynamic forwarding each application is configured to use a SOCKS server on a local host port. SecureCRT opens a port on the local host and acts as a SOCKS server for any SOCKS-compatible application, even those that use multiple ports, such as FTP.

This page covers the core concepts of dynamic port forwarding as well as its basic configuration, derived from the SecureCRT Help file. Some technical knowledge is assumed, such as familiarity with SOCKS and with the concept of port forwarding, including the localhost or loopback address. For general information on port forwarding, see the SecureCRT Help topics and sources such as O'Reilly's SSH, The Secure Shell: The Definitive Guide.

Key Concepts
Dynamic port forwarding is a local port forwarding option for SSH2 sessions that simplifies how TCP/IP application data is routed through the Secure Shell connection. Instead of configuring port forwarding on a per-application basis in SecureCRT, each application is configured to use a SOCKS server on a local host port. SecureCRT opens a port on the local host and acts as a SOCKS server for any SOCKS-compatible application, even those that use multiple ports, such as FTP.

If the remote port is not static, for example, with FTP, dynamic port forwarding must be used. It is also needed when multiple hosts are involved, for example, with the MSN service, which uses connections to successive servers.

Dynamic, application-level port forwarding capabilities are available with SecureCRT 5.0 and higher. The dynamic port forwarding option allows SecureCRT to act as a SOCKS5 proxy server on a specified port. This allows any client application that can connect using a SOCKS5 firewall to use the dynamic port forward. SecureCRT "listens" as a proxy server on a user-specified port. You direct your applications to send all traffic to this proxy, which sends the traffic on through the Secure Shell connection to the Secure Shell server. The Secure Shell server sends the traffic to the final destination.

Dynamic port forwarding can also reduce the number of port forwards you have to configure and maintain. If you regularly access a number of different hosts at one location, instead of setting up several port forwards and having to remember which localhost (127.0.0.x) and port combination lands you at which host, you can simply enter the hostnames as if you were behind the firewall, and connect using a SOCKS firewall. Depending on your setup, you could use the same dynamic port forward for mail and web browsing.

It is important to note that Internet Explorer and Outlook Express only support the older SOCKS4, which does not support hostname resolution, and so cannot be used with SecureCRT's dynamic port forwarding. To take full advantage of dynamic port forwarding, you may therefore need to change one or more client applications. For clients that don't have built-in SOCKS support, a "SOCKS-ifier" can provide this capability.
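The difference between the two protocol versions is visible in the bytes of the CONNECT request. The following is an added example, not code from SecureCRT or VanDyke; the hostname and addresses are constructed. It builds the SOCKS5 request (RFC 1928), which can carry a hostname unresolved to the proxy, beside the SOCKS4 request, which only has room for an IPv4 address, and parses the SOCKS5 form as a proxy would.

```python
import ipaddress
import struct

SOCKS5_GREETING = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no authentication

def socks5_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request; a hostname travels to the proxy unresolved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name       # ATYP 3: domain name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)  # VER, CMD=CONNECT, RSV

def socks4_connect(host: str, port: int, user: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request; the address field is a fixed 4-byte IPv4."""
    ip = ipaddress.IPv4Address(host)  # raises ValueError when given a hostname
    return b"\x04\x01" + struct.pack("!H", port) + ip.packed + user + b"\x00"

def parse_socks5_request(req: bytes):
    """Proxy side: recover (kind, destination, port) from a SOCKS5 CONNECT request."""
    if len(req) < 7 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 3:                                        # length-prefixed hostname
        n = req[4]
        kind, dest, rest = "hostname", req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp in (1, 4):                                 # raw IPv4 / IPv6 address
        n = 4 if atyp == 1 else 16
        kind, dest, rest = "ip", str(ipaddress.ip_address(req[4:4 + n])), req[4 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, dest, struct.unpack("!H", rest)[0]

if __name__ == "__main__":
    # Constructed internal name: only the far side of the tunnel can resolve it.
    req = socks5_connect("intranet.example.internal", 80)
    print(req.hex(), parse_socks5_request(req))
```

A SOCKS4-only client has to resolve the destination name itself before it can build its request, which is why it cannot reach hosts by the names they have behind the firewall.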

Dynamic port forwarding is extremely useful for applications that require connections to different hosts or ports on the other end of a tunnel, for example MSN. Standard port forwarding in SecureCRT requires you to specify the destination host and port, so it doesn't work for MSN, which requires connections to multiple hosts. Instead, after SecureCRT is configured to provide dynamic port forwarding, set the local application (MSN) to use the localhost address (127.0.0.x) as the SOCKS5 proxy on the specified port (MSN uses 1080).

Configuring dynamic port forwarding
The Local Port Forwarding Properties dialog can be accessed by clicking on either the Add... or Edit... button on the Connection/Port Forwarding category of the Session Options dialog. The following fields are used to define a connection; most are the same as in static local port forwarding.

Name: Enter a unique name for this connection.

Local - Manually select local IP address on which to allow connections: Check this option to bind the local end of a port forward to an address other than the default localhost loopback adaptor (e.g., 127.0.0.x).

Port: Enter the number or name of the port on the local machine.

Dynamic forwarding using SOCKS 4 or 5: Check this option to have SecureCRT act as a SOCKS proxy server on the specified port. This will allow any client that can connect using a SOCKS firewall to use the "dynamic port forward" to set up a port forward. For example, if you have a dynamic port forward set up to use 127.0.0.3 on port 1080, you could then use that one dynamic port forward to connect to any host behind the firewall.

Remote: Check this option if the remote destination host is different from the Secure Shell server.

Port: Enter the number or name of the port on the remote machine to which you want to connect.

Application: SecureCRT allows you the option to start an application on the local machine once you have established a connection.

Arguments: Enter any arguments that you want to use with the specified application.
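Because one dynamic forward reaches any host behind the firewall, a listener bound to a non-loopback address offers that reach to every machine that can connect to it. The following added example (not part of the SecureCRT documentation) checks which local address the SOCKS port is bound to; the sample text is constructed in the layout of Windows `netstat -an` output, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  TCP    127.0.0.3:1080         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    [::]:3128              [::]:0                 LISTENING
  TCP    192.168.1.20:1080      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:52044     203.0.113.5:22         ESTABLISHED
"""

def exposed_listeners(netstat_text, ports):
    """Return (address, port) for TCP listeners on `ports` not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Expect: proto, local address, foreign address, state
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        host, _, port = parts[1].rpartition(":")
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
        try:
            addr = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue                             # header or unparsable line
        if port in ports and not addr.is_loopback:
            found.append((str(addr), port))
    return found

if __name__ == "__main__":
    # 127.0.0.3:1080 is loopback-only and is not reported.
    for addr, port in exposed_listeners(SAMPLE, {1080}):
        print(f"SOCKS listener reachable from the network: {addr}:{port}")
```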