SSH Tectia  

Settings for Transparent FTP Tunneling

The /etc/ssh2/ssh-socks-proxy-config-example.xml configuration file provided in the installation package is shown below. The configuration tunnels all FTP connections using the hostname and username provided by the FTP client application. To enable the configuration, copy the file to /etc/ssh2/ssh-socks-proxy-config.xml.

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM 
 "/etc/ssh2/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd" >
<secsh-broker version="5.3" >
  <profiles>
    <profile name="dynamic-ftp"
             id="id1"
             host=""
             port="22"
             connect-on-startup="NO"
             user=""
             gateway-profile="">
    </profile>
  </profiles>
  <static-tunnels>
    <tunnel type="socks-proxy"
            listen-address="127.0.0.1"
            listen-port="1080"
            dst-port=""
            allow-relay="NO"
            profile="" />
  </static-tunnels>
  <filter-engine>
     <dns id="id1_dns"
          ip-address=".*"
          pseudo-ip="NO" />
     <filter dns-id="id1_dns"
             ports="21"
             action="ftp-tunnel"
             profile-id="id1"
             fallback-to-plain="NO" />
  </filter-engine>
</secsh-broker>

You can edit the ssh-socks-proxy-config.xml configuration file using a normal text editor. The complete configuration options are described in Appendix ssh-socks-proxy-config.

The following settings are required in the ssh-socks-proxy-config.xml file to enable transparent tunneling:

  • profiles

    At least one connection profile element must be defined.

    The profile id must be a unique identifier that does not change during the lifetime of the profile.

    An additional name can be given to the profile. This is a free-form text string.

    The host attribute defines the Secure Shell server host that is the end point of the tunnel. If it is left empty, the Secure Shell tunnel is opened to the destination host given in the SOCKS request. Otherwise the Secure Shell tunnel is opened to the host specified in the profile and FTP connections are forwarded to the requested hosts.

    The port attribute specifies the Secure Shell server port. The default port is 22.

    The connect-on-startup attribute specifies whether a connection with the profile is opened automatically when the SOCKS Proxy is started. For transparent tunneling, it should be set to "no".

    The user attribute specifies the username on the Secure Shell server. If it is left empty, the username given by the FTP client is used when opening the Secure Shell connection.

    The gateway-profile attribute specifies whether a tunneled connection should be created through another profile. The first tunnel is created using the gateway host profile and from there the second tunnel is created to the host defined in this profile.

  • static-tunnels

    At least one tunnel element must be defined.

    For transparent tunneling, the tunnel type must be set to "socks-proxy" and the listen-port to "1080".

    The listen-address is usually the loopback address "127.0.0.1", but it can be the address of any local interface on which the SOCKS Proxy should listen.

    The allow-relay attribute defines whether connections to the listened port are allowed from outside the client host. The default is no.

    The dst-host, dst-port, and profile attributes are left empty when transparent tunneling is used.

  • filter-engine

    At least one dns and filter element must be defined.

    The id attribute specifies a unique identifier for the dns element.

    The ip-address attribute specifies the target host IP address to be filtered. It can be a regular expression. Connections to the specified address are captured. With transparent FTP tunneling, this can usually be set to capture all connections (".*"), because the connections are already filtered by the SOCKS Proxy settings.

    The pseudo-ip attribute should be set to "no" for transparent tunneling.

    The dns-id attribute is a reference to a dns element and should contain the same value as the id attribute of the DNS rule.

    The ports attribute specifies the ports to be filtered. It can be a single port or a range. A range is specified with a dash between two integers (such as "21-25").

    The action attribute specifies the action to be done when a filter is used. For transparent FTP tunneling, it must be "ftp-tunnel".

    The profile-id attribute is a reference to a profile element and should contain the same value as the id attribute of the profile.

    When the filter rule is applied and creating the tunnel fails (or the connection to the Secure Shell server fails), the SOCKS Proxy normally returns a "host not reachable" error. However, if the fallback-to-plain attribute is set to "yes", a direct (unsecured) connection is used instead, so the FTP session, including the username and password, is sent in plaintext whenever the tunnel cannot be established.
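As an added example (not part of the SSH Tectia manual or product), the following Python script checks an ssh-socks-proxy-config.xml document against the requirements listed above: unique profile ids, connect-on-startup off, a socks-proxy tunnel listening on port 1080, dns-id and profile-id references that resolve, the ftp-tunnel action, and it flags allow-relay or fallback-to-plain set to yes. The embedded sample configuration is constructed from the example file shown at the top of this section, with fallback-to-plain deliberately set to "YES" so the checker has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the example above, with one deliberate deviation
# (fallback-to-plain="YES") so that the checker has something to report.
SAMPLE_CONFIG = """<secsh-broker version="5.3">
  <profiles>
    <profile name="dynamic-ftp" id="id1" host="" port="22" connect-on-startup="NO" user="" gateway-profile=""/>
  </profiles>
  <static-tunnels>
    <tunnel type="socks-proxy" listen-address="127.0.0.1" listen-port="1080" dst-port="" allow-relay="NO" profile=""/>
  </static-tunnels>
  <filter-engine>
    <dns id="id1_dns" ip-address=".*" pseudo-ip="NO"/>
    <filter dns-id="id1_dns" ports="21" action="ftp-tunnel" profile-id="id1" fallback-to-plain="YES"/>
  </filter-engine>
</secsh-broker>"""

def is_yes(value):
    # The example file writes "NO"/"YES" in upper case, so compare case-insensitively.
    return (value or "no").strip().lower() == "yes"

def check_socks_proxy_config(xml_text):
    """Return findings; an empty list means the required settings are present and consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    profile_ids = [p.get("id") for p in root.iter("profile")]
    if not profile_ids or None in profile_ids or len(set(profile_ids)) != len(profile_ids):
        findings.append("profiles: at least one profile with a unique id is required")
    for p in root.iter("profile"):
        if is_yes(p.get("connect-on-startup")):
            findings.append(f"profile {p.get('id')}: connect-on-startup must be NO")
    tunnels = list(root.iter("tunnel"))
    if not any(t.get("type") == "socks-proxy" and t.get("listen-port") == "1080" for t in tunnels):
        findings.append("static-tunnels: a socks-proxy tunnel listening on port 1080 is required")
    for t in tunnels:
        if is_yes(t.get("allow-relay")):
            findings.append("tunnel: allow-relay=YES accepts connections from outside the client host")
    dns_ids = {d.get("id") for d in root.iter("dns")}
    filters = list(root.iter("filter"))
    if not dns_ids or not filters:
        findings.append("filter-engine: at least one dns and one filter element are required")
    for f in filters:
        if f.get("dns-id") not in dns_ids:
            findings.append(f"filter: dns-id {f.get('dns-id')!r} matches no dns element")
        if f.get("profile-id") not in profile_ids:
            findings.append(f"filter: profile-id {f.get('profile-id')!r} matches no profile")
        if f.get("action") != "ftp-tunnel":
            findings.append("filter: action must be ftp-tunnel for transparent FTP tunneling")
        if is_yes(f.get("fallback-to-plain")):
            findings.append("filter: fallback-to-plain=YES falls back to unencrypted FTP if the tunnel fails")
    return findings
```

To check a real file, read it with open("/etc/ssh2/ssh-socks-proxy-config.xml").read() and pass the text to check_socks_proxy_config.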



Copyright © 2007 SSH Communications Security Corp.