Consider the following approach:
- Set up an SSH server outside the firewall that is accessible both by the proxy server and by the application.
- Configure that external SSH server to allow incoming tunnels (reverse port forwarding) from non-local endpoints.
- At the proxy server, run an application that uses Rebex Terminal Emulation's port forwarding API to establish an incoming tunnel (or a set of tunnels) from an address/port at the external SSH server to a machine behind the firewall.
Details:
(1) Any SSH server that supports reverse port forwarding is suitable. An OpenSSH server on a Linux VPS would be fine. (Our Buru SFTP Server is intended for file transfer and doesn't support reverse port forwarding yet.)
(2) In OpenSSH, this can be enabled by setting the GatewayPorts configuration option to yes.
(3) At the proxy server, an application based on the Rebex.SshShell assembly would establish tunnels from the SSH server to local machines:
```csharp
// connect and log in to the external SSH server (hostname, username and
// password are supplied by the caller)
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);
ssh.Login(username, password);

// create a port forwarding rule: connections arriving at the SSH server's
// port 10022 are tunneled to 192.168.1.1:22 behind the firewall
var tunnel1 = ssh.StartIncomingTunnel(
    "sshserver.example.org", 10022, // server-side source address/port
    "192.168.1.1", 22);             // client-side target address/port

// create another rule for a second machine behind the firewall
var tunnel2 = ssh.StartIncomingTunnel(
    "sshserver.example.org", 11022, // server-side source address/port
    "192.168.1.2", 22);             // client-side target address/port
...
```
With this setup, an application outside the firewall would be able to connect to (for example) sshserver.example.org:11022 and the connection would get tunneled to 192.168.1.2:22.
With this approach, all of the possible tunnels would have to be pre-configured. Or, in other words, the application outside the firewall could not connect to any IP/port behind the firewall. This could be either a drawback or a benefit, depending on your scenario. But if you need the ability for the application to connect to any IP/port behind the firewall, this could be achieved by first connecting to an SSH server behind the firewall and using forward port forwarding to reach the other machines.
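As an added example (not part of the answer above and not Rebex's own material), here is an OpenSSH sshd_config fragment for the external server from step (2) that turns on GatewayPorts only for the account the proxy application logs in with and restricts that account to the two pre-configured listen ports, so the "only pre-configured tunnels" property holds on the server side as well. The user name tunnelproxy is an assumption; the ports match the snippet above.

```conf
# Global defaults for everyone else: no forwarding at all.
AllowTcpForwarding no
GatewayPorts no

# Account used by the proxy-side application (assumed name).
Match User tunnelproxy
    # Only remote (reverse) forwards; no local forwards or shells needed.
    AllowTcpForwarding remote
    PermitOpen none
    # Let the reverse-forwarded ports accept non-local connections.
    GatewayPorts yes
    # Only these listen ports may be bound by -R / StartIncomingTunnel.
    PermitListen 10022
    PermitListen 11022
    AllowAgentForwarding no
    X11Forwarding no
```

Restart or reload sshd after editing and confirm with a test connection that binding any port other than 10022 or 11022 is refused.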