At times the need arises to access a number of devices that reside in a remote network behind a single gateway server. One solution would be to establish an SSH connection to the gateway server, and then issue another SSH connection from that server to each of the devices via the remote shell. This can be problematic and time-consuming, especially if more than two jumps are required. Fortunately, there is a better way: dynamic port forwarding.
SecureCRT provides the ability to create an SSH connection with a dynamic port forwarding configuration that can then be used as a SOCKS proxy to reach all machines within a remote network (behind the gateway). Using an SSH SOCKS proxy, any application that is SOCKS 4 or 5 compatible (including other sessions established with SecureCRT) will be able to have their connections forwarded through this SSH SOCKS proxy and on to the desired destination.
This tip focuses on using SecureCRT's dynamic port forwarding functionality with a "Master" session to create an SSH SOCKS proxy associated with a connection to a gateway server. Additional SecureCRT sessions can then connect through the "Master" session's SSH SOCKS proxy to remote servers that are located behind the gateway server. The graphic below illustrates this concept:
The first step is to configure a "Master" session that can successfully connect via the SSH protocol to the gateway server (also known as a "jump host"). This "Master" session will then need to be modified to have a dynamic port forward configuration. A dynamic port forward is a listening port which acts as a SOCKS proxy that is automatically created when the “Master” session is used to connect to the gateway server. Note that the term “gateway server” used here refers to any SSH server that supports port forwarding functionality.
The configuration of a dynamic port forward is accomplished using the following steps:
Now that the dynamic port forward is set up in the "Master" session, a global firewall configuration will need to be created so that other SecureCRT sessions can use the SSH SOCKS proxy. To set up a global firewall/proxy in SecureCRT:
With a firewall/proxy configured as explained in the section above, the Session Options dialog for a new or existing session should provide the new firewall (named "Gateway Firewall" in the example) in the category that matches the protocol being used. To elaborate, any session that is configured to connect to the machines behind the gateway server can use this firewall as the Firewall setting in the connection configuration options, as illustrated below:
When connecting through an SSH SOCKS proxy, host name resolution occurs on the SSH gateway server. Therefore, you would specify the Hostname as it is known by the gateway server, which will be making the connection to the host on behalf of SecureCRT.
Once "Master" and "Client" sessions have been created as described above, the process of connecting to a machine behind the gateway through the SSH SOCKS proxy is fairly simple:
In some network configurations, there may be a need to access a secondary network through another gateway machine on the primary remote network. If you have to go through one gateway server and connect to another gateway server before you can reach your ultimate destination, you might be interested in "chaining" SSH SOCKS proxies, as depicted in the graphic below.
Once you have a "Master" session in place that gets you to your first gateway machine and sets up the first layer's SSH SOCKS proxy, follow these general steps to "chain" a secondary SSH SOCKS proxy through a primary SSH SOCKS proxy:
Once you have the "Secondary Master" session and corresponding firewall defined within SecureCRT's global options, you can connect to a third-tier machine behind the second gateway machine using these steps:
By default, only connections coming from the loopback adapter (127.*) on the SecureCRT machine are allowed to connect to the SSH SOCKS proxy port. To change the port-forwarding filters so other machines or interfaces are allowed to connect, see the FAQ: How do I modify port-forwarding filters in SecureCRT?