Port Forwarding
with SSH
Overview of Port Forwarding
Port forwarding The concept of connecting a logical port on a local machine to a port on a remote machine over a secure (encrypted) channel. All requests for services sent to the local port are then forwarded across the secure channel to the corresponding port on the remote machine. is a powerful tool that allows you to secure TCP/IP Transmission Control Protocol/Internet Protocol. TCP/IP is the basic communication method used over the Internet. The TCP on the side of the sending machine is responsible for breaking up a message into smaller portions called packets. These packets are then sent to their destination and the TCP on the side of the receiving machine is responsible for reassembling the packets to form the original message. The Internet Protocol provides a means of properly addressing each packet so that it arrives at its destination. SSH and Telnet, for example, are built upon TCP/IP. traffic using SecureCRT's SSH1 and SSH2 protocol support. This means that you can encrypt application data using protocols such as IMAP, POP3, and SMTP. For example, if you receive your email from an Internet Service Provider (ISP), you could encrypt the communication between your workstation running the email client A computer or application that uses services provided by a server. and the ISP's SSH server A computer program that provides services to other computer programs (called clients). Often the computer on which a server program runs is also called a server. The term host is often used as a synonym for server.. SecureCRT also supports X11 forwarding The process of transporting X11 data over an encrypted channel from a remote machine to a local machine., which allows X Windows traffic between the X server and X client to be encrypted.
In general, with any port forwarded by SecureCRT for an application, the application needs to be reconfigured to use the localhost or loopback address 127.0.0.1 as its application server address.
Setting up Port Forwarding
To set up port forwarding, follow these steps:
1. Click on File / Connect and select the SSH SSH is an acronym for the Secure Shell protocol. A communications protocol used to encrypt network traffic between a client and a server. session A session is a set of options that are assigned to a connection to a remote machine. These settings and options are saved under a session name and allow the user to have different preferences for different hosts. for which you would like to use forwarded ports.
2. Click
on the Properties button 
or right-click on the session and select Properties from
the pop-up menu to bring up the Session Options
dialog.
3. Under the Connection category, click on the Port Forwarding subcategory.
4. To add a new locally forwarded port, click on the Add button and fill in the local port, remote hostname and remote port. Click on the OK button to save your settings.
5. To add a new remotely forwarded port for an SSH2 connection A data path or circuit between two computers over a phone line, network cable, or other means., click on the Remote/X11 subcategory and then click on the Add button. Fill in the local port, remote hostname and remote port, then click OK.
Note: As you enter the local port, the remote port is automatically filled in from the existing session information. Ports may be defined either by their port number or by their service name.
6. Connect with this session to start port forwarding, then run the client application.
Port forwarding works by forwarding data from a local port to the remote host/port. For example, to secure POP3 traffic through your mail client, set up port forwarding with the following settings:
· local port=110
· remote hostname: set to the mail server's hostname
· remote port=110.
Configure your mail client to use 127.0.0.1 (otherwise known as "localhost") as the POP3 server's IP address. Hostname and port configuration needs to be done in both SecureCRT and the client application (e.g., email). After connecting with this session, POP3 traffic is encrypted to the SSH server as long as SecureCRT is running. If the connection to the SSH server is broken or closed, the forwarded ports will no longer be forwarded, and the client applications may receive an error when they try to connect to the local port.
Forwarding X11 Packets
X11 Forwarding is configured as part of the port forwarding setup. To enable X11 packet forwarding, follow the steps outlined in the "Setting up Port Forwarding" section (above) with the added step of selecting the Forward X11 packets option on the Remote/X11 category.
Note: SecureCRT is not an X Server. The Forward X11 packets option allows SecureCRT to accept X11 data from the remote machine and forwards it to the X server running on the local machine. The local X Server must be running before any X11 sessions can be displayed. If you are using Xhost authority access on the local X11 server, you will need to add the localhost or loopback address 127.0.0.1 to your server's Xhost list.
Security Considerations with Port Forwarding
It is important to understand that the client data is only encrypted between the machine that SecureCRT is running on and the SSH server that SecureCRT is connected to. Any data moving from the SSH server across the network to another server is not encrypted.
Two configurations are presented below to illustrate different machine/network configurations and their affect on security. Your evaluation of the connection between Servers A and B is the critical factor in deciding whether the aggregate security meets your needs.
Configuration 1 (Less secure)
SecureCRT forwards POP3 mail to a remote mail server that is a different machine than the SSH server.
· Between the Local Machine and Server A the data is encrypted.
· Between Server A and Server B the data is not encrypted.
· Since the SSH server and mail server are on different machines your data can be viewed on this connection.
In Configuration 1, the connection between Servers A and B could be one of the following:
· On the Internet - an unsecure network.
· On an internal LAN - a network that may or may not deliver a satisfactory level of security.
Configuration 2 (More secure)
SecureCRT forwards POP3 mail to a remote mail server that is running on the same machine as the SSH server.
· Between the Local Machine and Server A the data is encrypted.
· Since there is no network traffic between the SSH server and Mail server, security is increased over Configuration 1.