RSS
Here's a common scenario: you need to make an emergency remote desktop connection to an XP server at work, but you're at home and the server is behind a firewall that blocks RDC connections.
In a nutshell, ssh tunneling allows you to connect to a port on another machine by forwarding traffic through an intermediary ssh server. Using an ssh tunnel, if you have access to an ssh server behind the firewall, you can connect to services on other machines behind the firewall, including remote desktop services.
Using Putty (a rockstar ssh client for Windows), you can easily set up a tunnel for accessing RDC on your firewalled server:
- Configure a new ssh session for the ssh server that you have access to (66.35.250.203 in this example).
- In the connection/ssh/tunnels menu, add a new forwarded port. You'll need to set up a port on your own machine (this will be the virtual, forwarded connection to the remote RDC server), so use something unused, like 3390.
- In the destination field, enter the ip address and RDC port for the firewalled machine, Ie. 192.168.0.5:3389 (3389 is what RDC listens on)
- Now save your session and connect to the SSH server
At this point, you can connect to the remote server's RDC port via your own machine's port 3390. Everything that comes in and out of localhost:3390 will be transparently whisked away over the ssh connection, through the intermediary machine, to your destination server's port 3389. So instead of entering 192.168.0.5:3389 for your destination server in the remote desktop client, enter localhost:3390. It will go right through the firewall.
Breaking Firewalls with OpenSSH and PuTTY (read this)- Link.
Putty SSH Client for Windows - Link.
I've been doing this for years with my Linux server, Smoothwall firewall router, and XP desktop and it works great. I suggest that you move SSH off of port 22 if you can, it will decrease the number of bots that try to brute force your host. Attacks against my SSH server dropped from about 400/day to maybe 1/month after I set it to listen on a non-standard port. Also be sure to disallow root logins and only allow SSH2 traffic in your sshd_config.
Reply to this comment
I agree...changing the port is a much better strategy for securing the tunnel.
Matt, have you ever used this same setup to then do revierse or server-to-client port forwarding?
i.e.- My tunnel is established from work-to-home over SSH via putty. I then want to be able to connect from my home-to-work back over the established tunnel with RDP. I toyed around with using the the remote Putty Port forwarding but could not seem to get this to work. Any experience with this?
Thanks
Reply to this comment
Just for info, I've been doing this with Windows XP for years. If you try it with the standard RDP client in Vista, port 3390 doesn't work as it's apparently reserved for Windows Media Centre. If you try on 3390, you'll get an error from RDC saying you're trying to connect to your own computer which you're not allowed to do. Change the local port in PuTTY to 3391 and you're good to go using that port.
Reply to this comment