The transparent TCP tunneling feature captures the TCP traffic of hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the application software.
The transparent TCP tunneling is activated in the Connection Broker configuration, where you can also specify the applications to be tunneled and define filter rules that control the setting up of the tunnels in detail. Once activated, the transparent TCP tunneling feature automatically captures the defined applications and the Connection Broker creates Secure Shell tunnels to the defined servers, that can be SSH Tectia Servers, SSH Tectia Server for IBM z/OS, or any SSH2-capable Secure Shell servers.
For information on the configuration settings in the XML file, see
the section called “The filter-engine
Element”, and for settings in the Windows GUI, see
Defining Transparent Tunnels.
When a global configuration file exists, (for example when
SSH Tectia ConnectSecure is controlled by SSH Tectia Manager,) and it includes the filter-engine
element, those settings are applied. The global configuration file is located in
/etc/ssh2/ssh-broker-config.xml
on Unix, and
"C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia
Broker\ssh-broker-config.xml"
on Windows.
This example shows how transparent TCP tunneling can be used to secure Telnet connections between a corporate network and external servers over the Internet.
In the example use case, the users have Unix hosts with Telnet applications. Since Telnet includes no internal security measures, SSH Tectia ConnectSecure is also installed on each host to provide security. The users make Telnet connections to port 23 (the dedicated Telnet port) to application servers outside the company. The destination hosts are required to have Secure Shell servers running on them, either SSH Tectia Server or some other standard-compliant server.
The host keys of the destination hosts need to be saved as known host
keys on the local hosts before using the transparent TCP tunnels. To fetch
and save the host keys, connect once to each of the destination hosts using
command sshg3
and choose save
in the host
key dialog.
Also, the user public keys need to be delivered to the Secure Shell
servers. On Unix, the ssh-capture
process cannot always
extract the password prompt from the application, so the Secure Shell
connections need to be established non-interactively. For this reason, the
users should use, for example, public keys without passphrases.
The transparent TCP tunnels are defined in the SSH Tectia ConnectSecure configuration
to tunnel all traffic going to port 23. SSH Tectia ConnectSecure can use the destination host
name directly from the connection-originating application, so it is not
necessary to create a separate connection profile for each destination host.
The transparent TCP tunneling configuration is made in a single filter rule
set in the Connection Broker configuration file ssh-broker-config.xml
:
<filter-engine> . . . <rule host=".*" ports="23" action="TUNNEL" hostname-from-app="YES" fallback-to-plain="NO" /> </filter-engine>
For detailed description of the configuration elements, see
the section called “The filter-engine
Element”.
To activate the transparent TCP tunneling, restart the Connection Broker or make it re-read its configuration by using command:
$ ssh-broker-ctl reload
To start tunneling the Telnet connections made to port 23, run command:
$ ssh-capture telnet some-server.example.com
You can also start a bash shell session with connection capturing enabled for all commands. Run command:
$ ssh-capture bash
With the transparent TCP tunneling active, all Telnet connections from the Unix client hosts to the remote servers will be securely tunneled. The client host applications require no modifications, so the users can keep working with the existing tools as before.
Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.
This section gives an example of configuring encrypted tunnels for an e-mail service on Windows. Transparent TCP tunneling is used for establishing tunnels that can be utilized as a secure transport between an e-mail client and an e-mail server communicating over the Internet.
This scenario describes a typical configuration for remote users for accessing the company's internal e-mail services transparently. In the test scenario, access from the client's private network to the Internet traverses through a SOCKS4 server, and the client-side has SSH Tectia ConnectSecure installed. Access to the company's internal network, including the e-mail services, goes via a gateway host which has SSH Tectia Server running.
Before e-mail delivery, SSH Tectia ConnectSecure automatically creates a transparent TCP tunnel between the client host and the SSH Tectia Server gateway for SMTP/IMAP/POP protocols. The encrypted tunnel ends at the gateway, and from there onwards the e-mail traffic is transmitted unencrypted in the company's internal network.
To create the configuration using the SSH Tectia Configuration tool, do the following:
On the Connection Profiles page, click
Add profile to add a new connection profile for the
gateway server host. Enter the profile name and click OK.
In the example, the profile is named paper
.
Select the created profile from the Connection Profiles list, and specify the connection details in the following view.
By default, the profile name is assumed to be the host name of the
destination server, but here we link the profile name to a server called
host1234
. Click Apply when the settings are
ready.
On the Transparent Tunnels → Connection Capture page, select the Enable transparent tunneling at startup check box.
On the Transparent Tunnels → Filter
Rules page, click Add to add the filter rules
which define the applications and ports to be captured and tunneled. In this
example, only TCP ports related to e-mail delivery (IMAP, POP, SMTP) are
forwarded to the gateway server through profile paper
.
Under Action, it is possible to select how the destination host is defined; either the host defined in the connection profile is used, or the host definition is received from the application. Now that we have a gateway server in this example, we will use the hostname defined in the profile, and the Use host name from the application is left unselected. In case we had a Secure Shell server running on each destination server, we could use the host names from the application.
The created rules are listed in the Filter Rules view. You can return to editing a selected rule by clicking Edit, and you can arrange the order of the rules with the up and down arrows. Place the most specific rules first. In this example, the order is not significant.
Once transparent TCP tunneling has been activated, it captures the e-mail traffic to the hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the e-mail application.
When the tunnel is opened, the user is prompted to authenticate to the gateway server. Setting up public-key authentication to the server is recommended. For instructions, see Managing Keys and Certificates.