Accessing your intranet web sites through an SSH tunnel

If, from your home, you're connecting to your company's network via a Linux SSH server, and would like to be able to access all of the corporate intranet web sites, here's how.

First, some assumptions: your SSH server machine must have the following software installed:

  • an SSH server that supports the SSH2 protocol
  • the SSH daemon running with port forwarding enabled. RedHat Linux has it enabled out-of-the-box.
  • a web (outbound) proxy/cache daemon. RedHat Linux comes with Squid. Note which port your proxy server is listening on; Squid uses port 3128 by default.


Instructions:
You'll be connecting to the SSH server using PuTTY.

  1. Set up a port-forwarding tunnel as follows: L3128=<your_proxy_server_ip_address>:3128

  2. Connect to your SSH server using the above new settings
  3. Configure your browser proxy setting to use localhost:3128 as the proxy server.

  4. Now restart your browser, and try accessing an internal web site, for example: http://shrike.karora.ca:8080/supportwiki/
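As an added example (not part of the original post), here is the OpenSSH equivalent of the PuTTY tunnel setting above, plus a small check that a browser-style request really goes through the forwarded proxy port. The user, server and proxy addresses are placeholders, and the fake proxy is a constructed stand-in for Squid so the check runs offline:

```python
import socket
import threading

PROXY_PORT = 3128  # Squid's default, as in the post

def ssh_tunnel_command(user, ssh_server, proxy_host,
                       local_port=PROXY_PORT, proxy_port=PROXY_PORT):
    """OpenSSH equivalent of the PuTTY setting L3128=<proxy_ip>:3128.
    The explicit 127.0.0.1 bind keeps the forwarded port off the home LAN,
    so no other machine there can ride the tunnel into the office."""
    return ["ssh", "-N", "-L",
            f"127.0.0.1:{local_port}:{proxy_host}:{proxy_port}",
            f"{user}@{ssh_server}"]

def fetch_via_proxy(url, proxy_host="127.0.0.1", proxy_port=PROXY_PORT):
    """GET an absolute URI through the proxy, as a browser set to
    localhost:3128 does; return the status code. The intranet host name
    is not resolved here: the proxy at the office end resolves it."""
    host = url.split("/")[2]
    request = (f"GET {url} HTTP/1.0\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        s.sendall(request)
        status_line = b""
        while not status_line.endswith(b"\r\n"):  # read just the status line
            chunk = s.recv(1)
            if not chunk:
                raise ConnectionError("proxy closed before sending a status")
            status_line += chunk
    return int(status_line.split()[1])

def start_fake_proxy(status_code=200):
    """Constructed stand-in for Squid behind the tunnel, for offline use.
    Serves one request on an ephemeral loopback port and returns
    (port, seen), where seen collects the request line it received."""
    seen = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_one():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:  # read the whole request header
                data += conn.recv(4096) or b"\r\n\r\n"
            seen.append(data.split(b"\r\n")[0].decode())
            conn.sendall(f"HTTP/1.0 {status_code} OK\r\n\r\n".encode())
        srv.close()
    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1], seen
```

With a real tunnel up, `fetch_via_proxy("http://shrike.karora.ca:8080/supportwiki/")` should return 200 before you touch the browser settings; a connection refused means the tunnel is not listening, a 503 from Squid means the proxy could not reach the intranet host.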


Internal host names will work, since the browser hands each URL to the proxy and the proxy, sitting inside the corporate network, does the name resolution. The side effect is that you're now surfing the web as if you were doing it from your corporate office's computer. So beware of nosy, sniffy network administrators. ;-)

The whole thing is relatively simple to set up. The one pain point is the tunnel-forwarding setup in PuTTY, which is not too intuitive for non-techie users.

I've been thinking of writing (if I ever get any down time, that is) a Java Webstart application that does what PuTTY does, but simplifies the setup for novice users. The administrator would configure the appropriate tunnel setting on the server side, then send a JNLP URL to the user to click on. The JWS application will launch and take care of all the config stuff. The user won't have to mess with port forwarding settings or browser proxy settings whatsoever.

If anyone knows anything out there that already does something like this, please let me know.