Ssh – Exposing a WebServer behind a firewall without Port Forwarding

firewallhttpnat;sshtunneling

We are deploying web applications in java using tomcat on client machines across the country.

Once they are installed, we want to allow a remote access to these web applications through a central server, but we do not want our clients to have to open ports on their routers.

Is there a way to tunnel the http traffic so that people connected to the central server can access the web applications that are behind a firewall ?

The central server has a static ip address and we have full control over it.
Right now, it is a windows box but it could be changed to a linux box if necessary.

Our clients are running windows xp and up.

We don't need to access the filesystem, we only want to access the web application through a browser.

We have looked at reverse ssh tunneling but it shows scaling problem since every packet would have to pass through the central server.

Best Answer

sounds like you need to run a vpn access server. A vpn should allow strong authentication, encryption and scalability if you choose the right hardware.

Related Solutions

Linux – Remote access to a Linux machine behind a firewall

It has less to do with being concerned with a port being open and more to do with not wanting to walk a user though the process of opening up a port. I don't have any access to this router at all unfortunately.

If changing the router is completely out of the question, you may need to look at a P2P or VPN solution like Hamachi. If you setup the system to automatically establish the VPN connection at startup, then you should be able to connect in whenever you need to. Hamachi does all the firewall negotiation for you. The one drawback is you have to rely on the Hamachi servers being up and functional when you need to connect.

If you have a server that is always up, you could setup autossh so that the remote system always keeps a tunnel open and connected to your server. The one drawback is the remote system is compromised they attacker will get the keys that where used to establish the ssh session. It would be very important to keep your system that accept the ssh connection really locked down.

Below is my original answer, I had assumed that updating the router was an option.

One solution you might want to investigate if you firewall supports it, is port knocking. With some firewalls it should be possible to send out a special set of packets that the firewall notices and then temporarily opens hole through the firewall.

There are many implementations some better then others. Some use strong cryptography to make it nearly impossible for a person without the right keys to send the correct knock.

Firewall – Access internal server from Internet without modifying firewall

@embodo: SSH tunneling seems to rely on an SSH client forwarding a port to a remote server via SSH, but in my case there is no route through the firewall to the internal server (by SSH or whatever else). Feel free to show me how it might be done, of course!

OK, I'll make this an answer then. I assume the internal server you control (ISIC) is allowed outbound ssh to the public server you control (PSIC). From ISIC ssh to PSIC like so:

root@ISIC # ssh -R '*:80:localhost:80' PSIC

This causes ssh to listen on port 80 of PSIC because of *:80 and then forward that to port 80 on ISIC because of localhost:80. It functions exactly like X forwarding.

Best Answer

Related Solutions

Linux – Remote access to a Linux machine behind a firewall

Firewall – Access internal server from Internet without modifying firewall

Related Topic