Chapter 6 Using Secure Application Connectivity

Table of Contents

Defining Automatic Tunnels
Settings in Tectia Client
Settings in the Tunneled Application

This chapter shows how to set up easy application tunneling with pre-configured automatic tunnels for secure e-mail server access. The client machine where the e-mail application is running requires Tectia Client.

The tunneling capability of Tectia is a feature that allows, for example, company employees to access their e-mail, company intranet pages, and shared files securely even when working outside the office.

Tunneling, or port forwarding, is a way of forwarding otherwise unsecured TCP application traffic through Tectia in secure encrypted format. You can secure, for example, POP3, SMTP, and HTTP connections that would otherwise be unsecured.

Tunneling makes it possible to access e-mail from any type of Internet service, whether accessed via modem, GPRS, 3G, a DSL line or a cable connection, or a hotel Internet service. As long as the users have a TCP/IP connection to the Internet, they can get their e-mail and access other resources from anywhere in the world securely.

The Tectia Connection Broker takes care of the tunneling in the background. When the Connection Broker starts up, it opens the listeners for the defined automatic tunnels and asks the user to enter the password or passphrase. If the connections are authenticated with public keys that have empty passphrases, the user does not need to take any actions. The actual tunnel is formed the first time a connection is made to the listener port.


The user applications using the tunnel will carry out their own authentication procedures (if any) the same way they would without the encrypted tunnel.

The automatic tunnels are local (outgoing) tunnels, which means that they protect TCP connections that your local computer forwards from a specified local port to a specified port on the remote host computer where you are connecting to. It is also possible to forward the connection beyond the remote host computer, but the connection is encrypted only between Tectia Client and the Secure Shell server.

Figure 6.1 shows an example where the Secure Shell server resides in the DMZ network. The connection is encrypted from Tectia Client to the Secure Shell server and continues unencrypted within the corporate network to the IMAP server.

Local tunnel to an IMAP server

Figure 6.1. Local tunnel to an IMAP server