Terminal Server (TSE) connexion through SSH
Usually, when I want to connect to my LAN from the Wild Wild World, I use a VPN connexion. But there are times when it is not possible ; especially now that my work LAN has the same IP range as my home LAN… An alternate way to access my unpublished home services from outside is to use SSH tunnels.
What you need is an SSH server on the LAN that you want connect to. The SSH server has to be able to connect to the LAN server you aim to connect to. Then, all you have to do is a bit of “Port Forwarding”.
The network connexion
First, let’s have a quick look at the networks:
___-----( Internet )-----___ | | < Firewall / Router > < Internet Box > | | [ You are here (localhost) ] |--[ Web Server ] |--[ TSE Server (tserver) ] |--[ SSH Server (public) ]
Who needs Visio(c) ? :p
Nothing particular here. All you have to be sure is that the SSH Server is accessible from the Internet ; probably using NAT and the correct ACL.
The Magic Tunnel
I am using a MacBook Pro so I’m using native SSH commands in a Terminal. Any real other good OS would have a terminal and ssh software installed. I you run Windows, either use SSH commands from tools like Cygwin or use the excellent Putty. That being said, let’s play.
From where you are, check that you can access your SSH server. A simple test would be:
# ssh public "ping tserver"
Since it works, you can now forward the ports:
# ssh -L localhost:3389:tserver:3389 public
If you get a shell, then you’re connected. Now, use your favorite RDP client and connect to localhost, using the standard (3389) port you configured. Tada!!!
Using this method, you may end with a bunch of Terminal windows… You can
either change the window’s title to know which tunnels which. What I like to do
is using the
iftop tool as a reminder. Beware that the output will use a bit
# ssh -tL localhost:3389:tserver:3389 public \ "sudo iftop -f 'host tserver and port 3389'"
Of course, this works with any remote service, like Web, Mail, … All you have to own is a remote SSH server that has forward enabled and access to your remote server.
That’s All Folks! Happy tunneling.