VanDyke Software


Gateway Access to an SSH-Secured SMB Share

Follow these steps to set up a secure tunnel to an SMB share that is accessible to multiple users within a local network. Note that the "gateway" machine running SecureCRT will not be able to map any network shares itself.

  1. Configure the local network interface such that NetBIOS over TCP/IP is disabled. If you have to change this option, you should reboot your machine.
    1. From the Control Panel, select Network and Dial-up Connections (on Windows 2000) or Network Connections (on Windows XP); right-click on the Local Area Connection and choose Properties.
    2. Select Internet Protocol (TCP/IP) and click on the Properties button.
    3. Click on the Advanced button and navigate to the WINS tab.
    4. Select Disable NetBIOS over TCP/IP. If this option is not already selected, close all dialogs using the OK button and reboot the machine. If this option was already selected, you may want to reboot anyway.
  2. If your environment does not require you to leave File and Printer Sharing installed, remove the File and Printer Sharing components for Microsoft Networks:
    1. From the Control Panel, select Network and Dial-up Connections (on Windows 2000) or Network Connections (on Windows XP); right-click on Local Area Connection and choose Properties.
    2. Select File and Printer Sharing for Microsoft Networks and click on the Uninstall button. When prompted with Are you sure...?, click on the Yes button, and close the Local Area Connection Properties dialog.
  3. If your environment requires you to leave File and Printer Sharing installed, disable Direct Hosting (the service on port 445):
    1. Start the registry editor.
    2. Locate and then click on the following registry key:

       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

    3. Add the following registry value:

        Value Name: SmbDeviceEnabled
        Type: REG_DWORD
        Value Data: 0

    4. Reboot the machine.
  4. Create a session in SecureCRT that will connect to the remote SSH server and will forward from port 139 to the remote SMB server.
    1. Fill in the hostname/IP address and port of the SSH server to which you will be connecting.
    2. Navigate to the Port Forwarding category.
    3. Enter a name for the port forward entry (for example, SMB).
    4. In the Local section, ensure that the Manually select local IP Address on which to allow connections option is not enabled.
    5. In the Remote section, enter the hostname or IP Address of the SMB server relative to the SSH server. For example, if the SMB shares exist on the same machine as the SSH server, enter the name of that machine.
  5. Before exiting SecureCRT, navigate to the Global Options dialog (in the Options / Advanced category).
  6. Select the Configuration folder path and copy it to the clipboard.
  7. Exit SecureCRT and browse to the configuration folder (whose path should already be on the clipboard).
  8. Edit the newly-created session's .ini file to allow connections from all the addresses in your LAN that you want to have access to this drive mapping through this forwarded port. SecureCRT should be closed completely before editing the session's .ini file. The line in the session's .ini file should be changed to something similar to:

      S:"Port Forward Filter"=allow,192.168.0.0/255.255.255.0,0 deny,0.0.0.0/0.0.0.0,0

    This step will allow other computers from within the same network to access this forwarded port from their machines.
  9. Start SecureCRT and connect to the SMB-forwarding session.
  10. Once SecureCRT is connected, use a separate machine to reach the shares. You will not be able to access or map any of the shares provided by this SSH connection from the "gateway" machine itself. This is a side effect of having disabled NetBIOS over TCP/IP.
  11. Start Windows Explorer and in the address bar, enter the following:

      \\IP_ADDRESS_OF_TUNNEL_GATEWAY_MACHINE

    and press ENTER to browse the shares available on the remote SMB server. Or, you can use Tools / Map Network Drive and specify the following path:

      \\IP_ADDRESS_OF_TUNNEL_GATEWAY_MACHINE\SHARE_NAME
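
To review the filter from step 8 before opening the forwarded port to the LAN, the following Python script (an added example, not VanDyke's code) parses the Port Forward Filter line and reports which client addresses it admits. It assumes rules are evaluated in order with the first match winning and that an unmatched client is denied, and it treats the third comma-separated field as opaque, since the page defines none of these; the function names and client IPs are constructed for illustration.

```python
import ipaddress

KEY = 'S:"Port Forward Filter"'
# Constructed sample: the filter line shown in step 8 of this tip.
SAMPLE_LINE = KEY + "=allow,192.168.0.0/255.255.255.0,0 deny,0.0.0.0/0.0.0.0,0"


def parse_filter(line):
    """Parse one session .ini line into (action, network, mask, third_field) rules."""
    key, sep, value = line.strip().partition("=")
    if key != KEY or not sep:
        raise ValueError("not a Port Forward Filter line")
    rules = []
    for entry in value.split():
        action, addr, third = entry.split(",")
        if action not in ("allow", "deny"):
            raise ValueError("unknown action: " + action)
        net, _, mask = addr.partition("/")
        # Addresses are kept as integers so the netmask can be applied bitwise.
        rules.append((action, int(ipaddress.IPv4Address(net)),
                      int(ipaddress.IPv4Address(mask)), third))
    return rules


def decision(rules, client_ip):
    """Assumption: rules are checked in order, first match wins, no match = deny."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, net, mask, _third in rules:
        if (ip & mask) == (net & mask):
            return action
    return "deny"


def audit(rules):
    """Report filter shapes that would expose the forwarded port too widely."""
    findings = []
    for number, (action, _net, mask, _third) in enumerate(rules, start=1):
        if action == "allow" and mask == 0:
            findings.append("rule %d allows every address" % number)
    if not rules or rules[-1][0] != "deny" or rules[-1][2] != 0:
        findings.append("no trailing deny-all rule")
    return findings


if __name__ == "__main__":
    rules = parse_filter(SAMPLE_LINE)
    for ip in ("192.168.0.25", "192.168.1.25", "10.0.0.5"):  # constructed clients
        print(ip, decision(rules, ip))
    print(audit(rules) or "no findings")
```

Run it against the edited line from the session's .ini file before restarting SecureCRT; any finding means the forwarded port would be reachable from more addresses than the intended LAN range.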

 
