Get Started!

˂ Return to FAQ

Creating SSH Tunnels for Secure Access

A common scenario we hear from our users is that they want to provide access to an internal resource (for example, a production database) without having to open access to it externally. In addition, allowing their Admins and Developers to continue to use their native client tools is usually a must have requirement. So how can you satisfy such a requirement will maintaining security?

The answer is simple; use XTAM’s privileged access management while employing SSH tunnels. Using a secure, password-less SSH session to the jump server, the user’s traffic from their client is then tunneled to the desired endpoint.

Other common scenarios where SSH Tunnels are used:

  • Ports cannot or should not be opened
  • The service or system should only be accessible internally
  • Firewall configurations
  • Security architecture requires it

In the following example, we will demonstrate how XTAM is configured to use a Unix jump server in order to provide a SSH tunnel from an external SQL Developer client to an internal Oracle database.

To make use of SSH tunneling, you first must enable the SSH Proxy feature in XTAM. If you have not this feature yet, please first read our SSH Proxy article and then return here when complete.

1

Create a Unix record in XTAM that will be used as the jump server for the ssh tunnel

2

Open your preferred SSH client (our example is using the Windows 10 Command Prompt) and create your tunnel using the following syntax:

ssh <your XTAM userName>#<XTAM record name or ID of the jump server>@<XTAM host url>-p <XTAM SSH Proxy port number> -L <local listening port>:<remote host>:<remote listening port>

For example:

XTAM SSH Tunnel Connection String

ssh bwilliams#41603@xtam.company.com -p 2022 -L 1521:10.0.0.145:1521
  • bwilliams – our XTAM user
  • 41603 – our XTAM record ID for our Unix jump server. You can also use the XTAM record Name, assuming it is unique.
  • xtam.company.com – our XTAM host URL
  • 2022 – our XTAM SSH Proxy port number
  • 1521 – our local listening port (1521 is the default for Oracle)
  • 10.0.0.145 – our Oracle database host IP
  • 1521 – our remote listening port
  • -N – (optional) to create the tunnel as a user with the “nologin” shell

On other operating systems, you may use other SSH products. For example, on Unix you can simply use the ssh command or on Windows you could use PuTTY.
Also, many applications like SQL Developer or MySQL Studio have their own SSH Tunnel configuration options which can be used instead of a separate SSH client.

3

You should now see the display message XTAM Secure Proxy Shell indicating that the traffic is being routed through XTAM. At the password prompt, enter the XTAM user’s password.

XTAM SSH Tunnel Connection Password Prompt

4

Once authenticated, the SSH tunnel is created. We can now connect to our internal Oracle database using localhost or 127.0.0.1 as the Hostname and port 1521. The traffic will be forwarded to the destination server behind our firewall.

XTAM SSH Tunnel Connected

5

When finished, you can close the tunnel.

XTAM SSH Tunnel Connection Closed

 

Application SSH Tunnel Configuration Examples

PuTTY

XTAM SSH Tunnel - PuTTY Configuration Example

Oracle SQL Developer

XTAM SSH Tunnel - Oracle SQL Developer Configuration Example

 
 

Copyright © 2018 Xton Technologies, LLC. All rights reserved.