Port Forwarding Scenarios

Connectivity Secure Shell

There are three general scenarios for port forwarding:

  • Outgoing Port Forwarding
  • Incoming Port Forwarding
  • Off-Host Port Forwarding (incoming/outgoing)

Outgoing Port Forwarding

In outgoing (or local) port forwarding scenarios, the TCP channel is initiated by Connectivity Secure Shell and sent through the tunnel to the remote Secure Shell server. For example, if a TCP client application such as an e-mail client is running locally on the same machine as Connectivity Secure Shell, and you want to create a secure connection to the application server (POP3), which resides on a remote host along with the Secure Shell server, you must set up an outgoing port forwarding.

Incoming Port Forwarding

In incoming (or remote) port forwarding scenarios, the Secure Shell server sends the initial TCP connection through the tunnel. In other words, the direction of the tunnel and the direction of the initial TCP connection are not the same.

For example, if the TCP client and server from the previous example are reversed, so that the e-mail client resides on the remote Secure Shell server machine, while the POP3 server application resides locally along with Connectivity Secure Shell, you can set up an incoming port that remote POP3 e-mail clients can use to access the local POP3 server. The server must be configured to listen for incoming connections to forward into the tunnel.

Off-Host Port Forwarding

Off-host port forwarding can be outgoing or incoming in nature. Its distinguishing feature is that it involves more than one host beyond the tunnel: the hosts involved are not limited to those on either end of the Secure Shell connection. It also does not offer the same level of security as simple outgoing or incoming port forwarding, because the connection between an off-host machine and the tunnel endpoint travels outside the Secure Shell tunnel.

In this scenario, either the e-mail client or the POP3 server application, or both, can reside on machines other than the Secure Shell server machine or the machine on which Connectivity Secure Shell is installed. The following diagram depicts an incoming off-host setup.

You can set up an incoming or outgoing port forwarding, and configure it to allow remote connections. Then, on the remote TCP client or server machine, as the case may be, you can telnet to the forwarded port and connect through the Secure Shell tunnel. This configuration is useful, for example, in lieu of a VPN to traverse the Internet securely.
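The following is an added example, not part of the product documentation. It sorts forwards into the scenarios above and lists the legs that fall outside the tunnel, so off-host forwards can be reviewed before they are allowed. It assumes OpenSSH's `-L`/`-R` notation (`[bind_address:]port:host:hostport`) as a stand-in, since the page does not show Connectivity Secure Shell's own configuration format; the function name and sample host names are hypothetical.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def classify_forward(flag, spec):
    """Classify one forward written as [bind_address:]port:host:hostport.

    flag 'L' = outgoing (listener on the client), 'R' = incoming (listener
    on the server). Returns the scenario and every leg outside the tunnel.
    """
    if flag not in ("L", "R"):
        raise ValueError(f"unknown forward type: {flag!r}")
    # Split on ':' but keep bracketed IPv6 literals such as [::1] intact.
    fields = [f.strip("[]") for f in re.split(r":(?![^\[]*\])", spec)]
    if len(fields) == 3:
        fields.insert(0, "localhost")  # assumed default: loopback-only listener
    if len(fields) != 4 or not (fields[1].isdigit() and fields[3].isdigit()):
        raise ValueError(f"malformed forward spec: {spec!r}")
    bind, listen_port, dest, dest_port = fields
    listener_side, dest_side = (("client", "server") if flag == "L"
                                else ("server", "client"))
    exposed = []
    # An empty or wildcard bind address accepts connections from other hosts.
    if bind.lower() not in LOOPBACK:
        exposed.append(f"other hosts -> {listener_side} port {listen_port}")
    # A destination other than loopback is reached over the network from the
    # far end of the tunnel (a name that is not loopback is assumed off-host).
    if dest.lower() not in LOOPBACK:
        exposed.append(f"{dest_side} -> {dest}:{dest_port}")
    return {
        "scenario": "outgoing" if flag == "L" else "incoming",
        "off_host": bool(exposed),
        "unprotected_legs": exposed,
    }

# Constructed sample forwards, reusing the page's POP3 example (port 110).
SAMPLES = [
    ("L", "1110:localhost:110"),
    ("R", "1110:localhost:110"),
    ("R", "0.0.0.0:1110:mail.example.internal:110"),
    ("L", ":1110:localhost:110"),
]

if __name__ == "__main__":
    for flag, spec in SAMPLES:
        print(f"-{flag} {spec}: {classify_forward(flag, spec)}")
```

Any forward reported with `off_host` set has at least one leg that relies on network controls other than the tunnel for its protection.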