
    Setting Up Port Forwarding for Secure Communications

    Port forwarding can be used to set up an SSH tunnel for communications over the Internet between the client and the server, or between the client and a firewall/gateway. In the gateway case, the firewall and the server must be able to connect to each other on the same LAN.

    Port forwarding can also be used when one of the required client ports has been reserved for another purpose, and the client needs to choose a different port. For example, suppose the client already uses port 3389 for a different application. In this case, you can use port forwarding to map an alternative port on the client (for example, port 33389) to the server’s port 3389.

    Enable Port Forwarding on the Server

    To enable port forwarding on the server:

    1. Log in using telnet or SSH to the IP/MPLSView server machine or firewall/gateway.
    2. As the root user, edit the /etc/ssh/sshd_config file and set AllowTcpForwarding to yes. Note that the port on which the SSH server listens can be changed by editing the Port 22 line to another port value that is not required for other purposes. Use the service sshd restart command to restart the service with the new configuration.
    3. If you are connecting to the IP/MPLSView server using a gateway, make sure that the server and gateway can ping each other. If not, set up a route between them (for example, using the route add command). For help on using the route add command, see Setting Up an IP/MPLSView Connection to the Router Network.
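A check for step 2, as an added example that is not part of the vendor documentation: it reports whether an sshd_config permits the -L tunnels this page relies on and how widely. The value `local` and the `PermitOpen` keyword are standard OpenSSH settings the page does not mention; the two sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example, not vendor code: report the forwarding settings in an sshd_config.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Match blocks are not evaluated here; on a live host,
# `sshd -T` prints the effective configuration.

# Print the first global value of keyword $2 in file $1 (empty if unset).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one finding per setting for config file $1.
audit_forwarding() {
    local fwd open
    fwd=$(sshd_value "$1" AllowTcpForwarding | tr '[:upper:]' '[:lower:]')
    open=$(sshd_value "$1" PermitOpen)
    case "${fwd:-yes}" in                       # OpenSSH default is yes
        no|remote) echo "FAIL: AllowTcpForwarding=$fwd refuses -L tunnels" ;;
        local)     echo "OK: only local (-L) forwarding is allowed" ;;
        *)         echo "WARN: AllowTcpForwarding=${fwd:-yes} also allows remote (-R) forwarding" ;;
    esac
    case "${open:-any}" in                      # unset means any destination
        any) echo "WARN: PermitOpen unset, clients can tunnel to any host:port" ;;
        *)   echo "OK: tunnel destinations limited to $open" ;;
    esac
}

# Constructed sample files: the setting from step 2, then a narrower variant
# limited to the three offline-mode ports listed on this page. PermitOpen
# entries must match the destination the client requests in its -L option.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'AllowTcpForwarding yes' > "$tmp/as_documented.conf"
printf '%s\n' 'Port 22' 'AllowTcpForwarding local' \
    'PermitOpen localhost:8091 localhost:7000 localhost:3389' > "$tmp/narrowed.conf"
for f in "$tmp"/*.conf; do
    echo "== ${f##*/}"
    audit_forwarding "$f"
done
rm -rf "$tmp"
```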

    Setting Up a Windows Client to Work With Port Forwarding

    Setting up port forwarding requires an SSH client that can create SSH tunnels. Additionally, port forwarding capability should be turned on for the SSH server. PuTTY, a free SSH client that can be downloaded from the Internet, has this capability and is used in the example below.

    Note: The Traffic Collection Manager and Event Browser are special cases that only work with port forwarding if the IP/MPLSView server is installed using the IP address 127.0.0.1. For regular offline/Task Manager functionality, this is not required.

    1. Open an SSH client that supports port forwarding. This example uses PuTTY.
    2. In the left pane, select Connections > SSH > Tunnels.

      Figure 1: SSH Tunneling Options for the IP/MPLSView Server

    3. For use of the software in offline mode, add the following Source ports and map them to the corresponding remote IP address and remote port on the IP/MPLSView server. Even if you are connecting to a gateway or firewall, the SSH tunnel destination should be the IP/MPLSView server.
      • 8091 - Web port
      • 7000 - Client communications port
      • 3389 - LDAP
      • 22 - Add this port if the remote side is not 22
    4. The following ports can also be added for additional functionality:
      • 2099 and 2100 - Task Manager port
      • 1856, 4457, 4458, 4459 - Additional ports for traffic collection and MariaDB database
      • 22, 23, 8443 - Standard ports for SSH, telnet, and https. Change the remote side’s port as necessary, for example, if the server is using a different port.
      • 8093-8094 - Ports for telnet proxy (for example, Connect to Device capability)
      • 1101, 21101 - Only required for special NAT situations
    5. Scroll up in the left pane and select Session. Enter the hostname or public IP address with which you want to establish the tunnel (the IP/MPLSView server or the gateway). Select SSH as your protocol. Enter the SSH port, either the default value of 22 or the customized value specified in Setting Up Port Forwarding for Secure Communications. If the port value is not 22, the appropriate mapping for the SSH port should also be indicated in the SSH Tunnel options.

      Figure 2: Saving Session Information

    6. Enter a name for the session and click Save.
    7. Click Open to start the PuTTY session, enter the login credentials, and keep the PuTTY session open when using the client.
    8. If you are setting up the SSH tunnel to a gateway instead of to the IP/MPLSView server, there might be cases where there is also a firewall between the gateway and the server. If the required ports are not all open, but the SSH port is provided, a second SSH tunnel can be set up between the gateway and the IP/MPLSView server. The following is an example setup (add more ports as required):
      ssh -f -N -L 8091:serverIP:8091 -L 7000:serverIP:7000 -L 3389:serverIP:3389 -L 2099:serverIP:2099 -L 2100:serverIP:2100 -L 1856:serverIP:1856 -L 4457:serverIP:4457 -L 4458:serverIP:4458 -L 4459:serverIP:4459 username@serverIP

      Substitute the serverIP and username variables with the IP address of the IP/MPLSView server and the login user.

      Now you can log in to the IP/MPLSView server Web interface securely using: http://localhost:8091 or http://127.0.0.1:8091

      To log in using the Java client directly, first edit the ipmplsview.bat file to change the server IP address to 127.0.0.1.

    Troubleshooting Port Forwarding

    • If you see that the login session has begun but it seems to have hung, it is possible that the LDAP port is also being used locally for a third-party application such as Remote Desktop. In that case, you might want to choose a different local port, for example, 33389. In this case, make changes to the SSH tunneling options, for example, set up the appropriate mapping using local port 33389 to remote port 3389. Then change the LDAP port value to 33389 in the ipmplsview.bat file by specifying LDAP<port number> in the MISC field. For example, use LDAP3389 to indicate the alternate use of port 3389 on the client side. Then launch the application.
    • Make sure that the server machine is enabled for port forwarding as described in the beginning of this section.
    • In some cases, the PC’s firewall might also be causing a problem. Try logging in to the server and running netstat -na | grep 8091 from one telnet or ssh session. Then telnet to the server using the same port, for example, telnet <server> 8091 and quickly rerun the netstat -na | grep 8091 command from the previous window to see if any new connection is listed as ESTABLISHED. If not, you might want to check your PC firewall settings by selecting Control Panel > Security Center, Windows Firewall.
    • If the Traffic Collection Manager or Event Browser do not work, note that these are special cases for port forwarding, which require the IP/MPLSView server to be installed with IP address 127.0.0.1.

    Setting Up a Linux Client to Work With Port Forwarding

    To run the client on a separate Linux or Mac system, the SSH tunnels can be set up at the command prompt (add more ports as required):

    ssh -f -N -L 8091:localhost:8091 -L 7000:localhost:7000 -L 3389:localhost:3389 \
        -L 2099:localhost:2099 -L 2100:localhost:2100 -L 1856:localhost:1856 \
        -L 4457:localhost:4457 -L 4458:localhost:4458 -L 4459:localhost:4459 \
        <user>@<server_ip> ...

    Additional ports to forward can be added similarly by using the -L flag. For more information, see Setting Up a Windows Client to Work With Port Forwarding.
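The long -L lists above are easy to mistype, so this added example (not part of the vendor documentation) builds them from a port list, rejects malformed entries, and supports the local-port remap described under Troubleshooting Port Forwarding. The function name `build_forwards`, the explicit 127.0.0.1 bind address and the use of `ExitOnForwardFailure` are choices made for this example, not settings from the page.

```bash
#!/usr/bin/env bash
# Added example, not vendor code: build -L arguments from a port list.
# Each item is PORT (same port on both sides) or LOCAL:REMOTE (remap).
# Listeners are bound to 127.0.0.1 so other hosts cannot use the tunnel.

# build_forwards DEST item...  ->  "-L 127.0.0.1:LOCAL:DEST:REMOTE ..."
# DEST is the tunnel destination as seen from the SSH server.
build_forwards() {
    local dest=$1 item lport rport p out=""
    shift
    for item in "$@"; do
        case $item in *:*:*) echo "too many fields in '$item'" >&2; return 1 ;; esac
        lport=${item%%:*}; rport=${item##*:}
        for p in "$lport" "$rport"; do
            # Reject empty, non-numeric, or over-long values before comparing.
            case $p in ''|*[!0-9]*|??????*) echo "bad port in '$item'" >&2; return 1 ;; esac
            [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
                echo "port out of range in '$item'" >&2; return 1; }
        done
        out="$out -L 127.0.0.1:$lport:$dest:$rport"
    done
    printf '%s\n' "${out# }"
}

# Offline-mode ports from this page, with LDAP moved to local port 33389 as in
# the troubleshooting section. <user> and <server_ip> are placeholders.
# ExitOnForwardFailure makes ssh exit instead of going to the background
# when a local port (for example 3389) is already in use.
fwd=$(build_forwards localhost 8091 7000 33389:3389) || exit 1
echo "ssh -f -N -o ExitOnForwardFailure=yes $fwd <user>@<server_ip>"
```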

    Modified: 2016-09-28