Many companies prefer not to expose their server network to remote access and so want to take security to the next level. The desired effect is to have remote applications such as Application Configuration Console communicate with a single point of contact that is trusted to handle communications with the servers on the network. The solution is SSH tunneling, also known as port forwarding, as depicted in Figure E-1.
The single point of contact, the gateway host, is typically outside the firewall, but it can also be inside the firewall. To support this mode of communication, you have to perform setup on the network side and on the Application Configuration Console side.
The basic steps to set up SSH tunneling on your network are as follows:
1. Designate a host machine to be the gateway to your server network.
2. Install Cygwin (or a similar application that supports port forwarding) on the gateway host.
3. Enable a port on the gateway host for port forwarding of all SSH traffic to TCP port 22 on a server within your network that the Core Server needs to communicate with, for example:
ssh -N -L 2424:server1:22 user1@server1
This command enables TCP port 2424 for port forwarding to TCP port 22 on server1, where user1 is an authenticated user on server1. You would issue a similar command for each server in your network, changing the port number, host name, and authenticated user, as appropriate.
Note: If the gateway is inside the firewall, you will have to open each port you enable for port forwarding.
The basic steps to set up SSH tunneling on Application Configuration Console are as follows:
1. In the Client, create a host and endpoint for the gateway host. Be sure to change the endpoint SSH default TCP port (22) to the port that you enabled for port forwarding on the gateway. In the example for setup on the gateway, this would be TCP port 2424.
2. In the Client, create an authentication pack with credentials that are valid on a server within your network. Remember that traffic coming into the gateway is being forwarded to the Core Server's ultimate target, a network server, so the username and password need to be valid on the target, not on the gateway host. In the example for setup on the gateway, this would be credentials for user1.
3. Repeat this step for each network server with which the Core Server is to communicate.
4. Test the setup by using the host and respective authentication pack you just created to ensure that you can browse the file system on each network server.
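A quick check to run from the Core Server host before the file-system browse test, as an added example that is not part of the original document: it connects to the forwarded port on the gateway and confirms that what answers is an SSH server (the RFC 4253 identification string such as SSH-2.0-...), which catches a forward that only listens on the gateway's loopback interface, a port that nothing is forwarding, or a port that reaches some other service. The gateway name, port and banner text below are constructed so the demonstration runs offline.

```python
"""Probe a forwarded port and confirm it reaches an SSH server (added check)."""
import socket
import threading


def probe_ssh_banner(host, port, timeout=5.0):
    """Return the SSH identification string ('SSH-2.0-...') served at host:port,
    or None if nothing answers within the timeout or the service is not SSH.
    RFC 4253 allows the server to send other lines first; those are skipped."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            buf = b""
            while len(buf) < 4096:        # bound the unterminated remainder
                chunk = sock.recv(1024)
                if not chunk:             # peer closed without an SSH- line
                    break
                buf += chunk
                *complete, buf = buf.split(b"\n")
                for line in complete:
                    line = line.rstrip(b"\r")
                    if line.startswith(b"SSH-"):
                        return line.decode("ascii", "replace")
    except OSError:                       # refused, unreachable, or timed out
        return None
    return None


def start_fake_sshd(banner, host="127.0.0.1"):
    """Constructed stand-in for a forwarded SSH port: serves one banner per
    connection and returns the ephemeral port it listens on (offline testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner.encode("ascii") + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo; on a real deployment call probe_ssh_banner("<gateway>", 2424)
    # from the Core Server host, one call per forwarded port.
    fwd_port = start_fake_sshd("SSH-2.0-OpenSSH_constructed_example")
    print(fwd_port, probe_ssh_banner("127.0.0.1", fwd_port))
    wrong_port = start_fake_sshd("HTTP/1.0 200 OK")
    print(wrong_port, probe_ssh_banner("127.0.0.1", wrong_port))  # None
```

Comparing the result with probe_ssh_banner(gateway, 22) shows whether the forward lands on a different host than the gateway's own sshd, provided the two servers advertise distinguishable version strings.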