Using a SecureCRT^® Secure Shell Connection as a SOCKS Proxy

At times the need arises to access a number of devices that reside in a remote network behind a single gateway server. One solution would be to establish an SSH connection to the gateway server, and then issue another SSH connection from that server to each of the devices via the remote shell. This can be problematic and time-consuming, especially if more than two jumps are required. Fortunately, there is a better way.

SecureCRT provides the ability to create an SSH connection with a special port forwarding configuration that can then be used as a SOCKS proxy to reach all machines within a remote network (behind the gateway). Using an SSH SOCKS proxy, any application that is SOCKS 4 or 5 compatible (including other sessions established with SecureCRT) will be able to have their connections forwarded through the proxy and on to the desired destination. This tip will focus on creating an SSH SOCKS proxy via a connection to a remote gateway machine, and then using other SecureCRT sessions to connect through the SSH SOCKS proxy to the remote servers that reside behind the gateway server. The graphic below illustrates such a configuration:

Configuring the "Master Session" to the Gateway Server

The first step is to configure a "Master" session that can successfully connect via the SSH protocol to the gateway server (also known as a "jump host"). This "Master" session will need to be modified to add a dynamic port forward, essentially creating an SSH SOCKS proxy. This is done by pressing the Add button in the Connection / Port Forwarding category of the Session Options dialog for the "Master" session. The following dialog will appear:

Within the Local Port Forwarding Properties dialog (displayed above), the following settings will need to be configured:

• Name: Enter a name for the port forward. For example: SSH SOCKS Proxy
• Local/Port: Choose a listening port. Since this port forward will be used as a SOCKS proxy, it helps to specify a port similar to the standard SOCKS proxy port, 1081 for example (since the standard SOCKS proxy port is 1080).
• Dynamic forwarding using SOCKS 4 or 5: Enable this option. The other fields in the Remote category will not be used in this configuration.

After performing the configuration according to the pattern above, the Local Port Forwarding Properties dialog should look similar to the following:

Since this "Master" session will need to be connected and remain connected for all sessions that use the SSH SOCKS proxy, it would also be a good idea to make the following configuration changes to the "Master" session (both options are found in the main Terminal category of the Session Options dialog):

• Enable the Send Protocol NO-OP option and specify an interval less than the idle timeout of the remote server or remote shell.
• Enable the Auto reconnect option so that if the connection goes down unexpectedly, SecureCRT will automatically attempt to re-establish the connection.

For example:

Configuring a Global Firewall/Proxy Setup in SecureCRT

Now that the dynamic port forward is set up in the "Master" session, a firewall configuration will need to be created so that other SecureCRT sessions can use the SSH SOCKS proxy. This configuration can be performed by pressing the Add button in the Firewall category of the Global Options dialog. The following Firewall Properties dialog will appear:

To set up your firewall/proxy, use the configuration guidelines below:

Name: Enter a name for the firewall. For example: Gateway Firewall
Type: SOCKS version 5 (no authentication)
Hostname or IP: localhost
Port: Specify the port on which our dynamic port forward is configured to listen (1081, as in the previous example).

The Firewall Properties dialog should now look similar to the following:

After pressing the OK button on the Firewall Properties dialog, the new firewall configuration should appear in the Firewalls list within the Firewall category of the Global Options dialog, and can be used within other SecureCRT session configurations.

Configure a SecureCRT "Client" Session to Connect Through the SSH SOCKS Proxy

With a firewall/proxy configured as explained in the section above, the Session Options dialog for a new or existing session should provide the new firewall (named Gateway Firewall in the example) in the category that matches the protocol being used. To elaborate, any session that is configured to connect to the machines behind the gateway server can use this firewall as the Firewall setting in the connection configuration options, as illustrated below:

When configuring a session to use the SSH SOCKS proxy, it is important to remember that host name resolution occurs on the SSH gateway server. Thus, the Hostname field will need to be specified with a value that matches how the host would be accessed directly from the gateway server.

Putting Everything Together

Once "Master" and "Client" sessions have been created as described above, the process of connecting to a machine behind the gateway through the SSH SOCKS proxy is fairly simple:

1. Connect to the gateway machine using the "Master" session. In order to connect to machines in the gateway server's LAN, the "Master" session must first be connected successfully. Tip for Windows users: Some users may want to set up a shortcut in their Windows profile Startup folder to launch SecureCRT with the "Master" session to allow for the "Master" session to be up and running as soon as they log on to their Windows system. The shortcut's Run property can be set to Minimized to ensure that the SecureCRT application is started in a minimized state. It may also be convenient to have the "Master" session window minimized to the system tray so as to reduce clutter on the Windows taskbar. When enabled, the Minimize to Activator in the system tray option (located in the main Terminal category of the Session Options dialog for the "Master" session) will ensure that the "Master" session is minimized to the system tray.
2. Connect to machines located within the gateway server's LAN. In the example session configuration described earlier, a session was created and saved with a configuration instructing SecureCRT to use the SSH SOCKS proxy provided by the "Master" session. However, using a saved session isn't a requirement. It's just as easy to bring up the Quick Connect dialog, specify the remote host name, and select the SSH SOCKS firewall/proxy configuration as the firewall to use (see the graphic below). With a press of the Connect button, a connection through the SSH SOCKS proxy will be initiated.