Transparent TCP Tunneling from Server Perspective

Using a Shared Account
Restricting Services

Tectia ConnectSecure provides transparent TCP tunneling of applications. It can connect to any Secure Shell server complient with IETF SSH version 2. Tectia Server and Tectia Server for IBM z/OS both support transparent TCP tunneling. In this document, we handle the settings of Tectia Server.

The ConnectSecure users must be able to log in to an existing user account, preferably a non-privileged user account, on the server.

Users can have their own user accounts. If the Windows login name can be used also as the server-side login name, the variable %USERNAME% can be conveniently used in the configuration of Tectia ConnectSecure.

Most of the user authentication methods supported by Tectia Server can be used with transparent TCP Tunneling. The authentication methods include password, any keyboard-interactive methods such as SecurID or RADIUS, public-key authentication with certificates on smart cards, and GSSAPI if ConnectSecure and the server computers are part of the same Windows domain, or Tectia Server can perform initial login to MIT Kerberos realm on behalf of the ConnectSecure user.

User interaction is required for the keyboard-interactive authentication methods and typically at least the first time when the private key stored on a smart card is accessed in public-key authentication. For details on the user authentication methods, see Chapter 5.