Using a SecureCRT® Secure Shell Connection as a SOCKS Proxy
At times the need arises to access a number
of devices that reside in a remote network behind a single gateway server.
One solution would be to establish an SSH connection to the gateway
server, and then issue another SSH connection from that server to each
of the devices via the remote shell. This can be problematic and time-consuming,
especially if more than two jumps are required. Fortunately, there is
a better way.
SecureCRT provides the ability to create an SSH connection with a special
port forwarding configuration that can then be used as a SOCKS proxy
to reach all machines within a remote network (behind the gateway).
Using an SSH SOCKS proxy, any application that is SOCKS 4 or 5 compatible
(including other sessions established with SecureCRT) will be able to
have their connections forwarded through the proxy and on to the desired
destination. This tip will focus on creating an SSH SOCKS proxy via
a connection to a remote gateway machine, and then using other SecureCRT
sessions to connect through the SSH SOCKS proxy to the remote servers
that reside behind the gateway server. The graphic below illustrates
such a configuration:
Configuring the "Master Session" to the Gateway Server
The first step is to configure a "Master"
session that can successfully connect via the SSH protocol to the gateway
server (also known as a "jump host"). This "Master"
session will need to be modified to add a dynamic port forward, essentially
creating an SSH SOCKS proxy. This is done by pressing the Add
button in the Connection / Port Forwarding category
of the Session Options dialog for the "Master"
session. The following dialog will appear:
- Name: Enter a name for the port forward. For example: SSH SOCKS Proxy
- Local/Port: Choose a listening port. Since this port forward will be used as a SOCKS proxy, it helps to specify a port similar to the standard SOCKS proxy port, 1081 for example (since the standard SOCKS proxy port is 1080).
- Dynamic forwarding using SOCKS 4 or 5: Enable this option. The other fields in the Remote category will not be used in this configuration.
- Enable the Send Protocol NO-OP option and specify an interval less than the idle timeout of the remote server or remote shell.
- Enable the Auto reconnect option so that if the connection goes down unexpectedly, SecureCRT will automatically attempt to re-establish the connection.
Configuring a Global Firewall/Proxy Setup in SecureCRT
Now that the dynamic port forward is set
up in the "Master" session, a firewall configuration will
need to be created so that other SecureCRT sessions can use the SSH
SOCKS proxy. This configuration can be performed by pressing the Add
button in the Firewall category of the Global
Options dialog. The following Firewall Properties
dialog will appear:
- Name: Enter a name for the firewall. For example: Gateway Firewall
- Type: SOCKS version 5 (no authentication)
- Hostname or IP: localhost
- Port: Specify the port on which our dynamic port forward is configured to listen (1081, as in the previous example).
The Firewall Properties dialog should now look similar to the following:
After pressing the OK button
on the Firewall Properties dialog, the new firewall
configuration should appear in the Firewalls list within the Firewall
category of the Global Options dialog, and can be used
within other SecureCRT session configurations.
Configure a SecureCRT "Client" Session to Connect Through the SSH SOCKS Proxy
With a firewall/proxy configured as explained in the section above, the Session Options dialog for a new or existing session should provide the new firewall (named Gateway Firewall in the example) in the category that matches the protocol being used. To elaborate, any session that is configured to connect to the machines behind the gateway server can use this firewall as the Firewall setting in the connection configuration options, as illustrated below:
Putting Everything Together
Once "Master" and "Client"
sessions have been created as described above, the process of connecting
to a machine behind the gateway through the SSH SOCKS proxy is fairly
simple:
- Connect to the gateway machine using the "Master" session. In order to connect to machines in the gateway server's LAN, the "Master" session must first be connected successfully.
  Tip for Windows users: Some users may want to set up a shortcut in their Windows profile Startup folder to launch SecureCRT with the "Master" session to allow for the "Master" session to be up and running as soon as they log on to their Windows system. The shortcut's Run property can be set to Minimized to ensure that the SecureCRT application is started in a minimized state. It may also be convenient to have the "Master" session window minimized to the system tray so as to reduce clutter on the Windows taskbar. When enabled, the Minimize to Activator in the system tray option (located in the main Terminal category of the Session Options dialog for the "Master" session) will ensure that the "Master" session is minimized to the system tray.
- Connect to machines located within the gateway server's LAN. In
the example session configuration described earlier, a session was
created and saved with a configuration instructing SecureCRT to use
the SSH SOCKS proxy provided by the "Master" session. However,
using a saved session isn't a requirement. It's just as easy to bring
up the Quick Connect dialog, specify the remote host name, and select
the SSH SOCKS firewall/proxy configuration as the firewall to use
(see the graphic below). With a press of the Connect button, a connection
through the SSH SOCKS proxy will be initiated.
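The request a "Client" session makes to the proxy can be reproduced by hand to confirm that the "Master" session's listener is answering before troubleshooting individual sessions. The following is an added example, not part of the original tip or of SecureCRT itself: it speaks SOCKS5 (RFC 1928) to the listener, assuming it is on 127.0.0.1 port 1081 as in the example above, and its function names are illustrative.

```python
import ipaddress
import socket
import struct

NO_AUTH = 0x00  # matches the "SOCKS version 5 (no authentication)" type
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}

def build_greeting():
    """VER=5, one method offered: no authentication."""
    return bytes([5, 1, NO_AUTH])

def build_connect(host, port):
    """CONNECT request; a host name is sent unresolved (ATYP=3)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("host name must be 1-255 bytes")
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)

def parse_method_reply(data):
    """True only if a SOCKS5 listener accepted the no-auth method."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError("listener did not answer as SOCKS5")
    return data[1] == NO_AUTH

def parse_connect_reply(data):
    """Map the REP byte of the CONNECT reply to text."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("malformed SOCKS5 reply")
    return REPLIES.get(data[1], "unknown reply 0x%02x" % data[1])

# Assumption: the dynamic forward listens on 127.0.0.1:1081 (the page's example).
def check_proxy(dest_host, dest_port=22, proxy=("127.0.0.1", 1081)):
    """Ask the Master session's listener to reach dest_host:dest_port."""
    with socket.create_connection(proxy, timeout=5) as s, s.makefile("rb") as f:
        s.sendall(build_greeting())
        if not parse_method_reply(f.read(2)):
            return "proxy refused the no-authentication method"
        s.sendall(build_connect(dest_host, dest_port))
        return parse_connect_reply(f.read(4))
```

With the "Master" session connected, check_proxy("10.0.0.5") (a placeholder address for a host behind the gateway) returns "succeeded" when the gateway can reach that host's SSH port. Because the firewall type is "no authentication", the same request works for any process that can reach the listening port.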
from http://www.vandyke.com/support/tips/socksproxy.html