SSH Proxy Tunnels
SSH tunneling (also known as SSH port forwarding) allows you to securely forward network traffic from your local machine through an encrypted SSH connection to a remote destination. In 12Port, SSH tunneling is enhanced with role-based access control, multi-step workflow approvals, MFA identity verification, and Zero Trust access enforcement, ensuring secure and auditable tunnel sessions.
This guide explains how to create SSH tunnels and SOCKS5 proxies using the 12Port platform, and how to verify those connections.
Use Cases for SSH Tunneling in 12Port
SSH tunnels are useful in scenarios where direct access to a destination service is restricted. Common use cases include:
- Accessing Web Portals that are available to an asset but not directly accessible from a user’s local device. Example: An external remote admin accesses a configuration web interface for a router or medical device behind a firewall.
- Accessing Internal Databases securely, without exposing the broader network. Example: A database developer temporarily accesses a production database through a controlled tunnel, otherwise inaccessible from their external location.
Prerequisites
Before creating a tunnel, ensure the following:
- You have a valid 12Port user account with the required roles and permissions to the asset.
- Native Session access is enabled (Allow or Record) in your Access Profile.
- Your workflow for the target asset is approved, if required.
- MFA (Multi-Factor Authentication) is provided, if required.
Creating a Local Port Tunnel (Local Port Forwarding)
To establish a direct tunnel to a destination host through an asset, use the following command format:
ssh -N username#assetID@host -p sshProxyPort -L local-port:destination-host:destination-port
Where:
- -N: (Optional) Prevents the SSH session from opening an interactive shell.
- username: Your 12Port username with proper permissions and approved access.
- assetID: The unique asset name or ID within 12Port.
- host: The 12Port SSH proxy server hostname (e.g., localhost, 12port.contoso.com).
- sshProxyPort: The port on which the SSH proxy is running (e.g., 2200).
- local-port: The local port on your device to forward traffic through.
- destination-host: The internal destination host accessible from the asset.
- destination-port: The destination port on that host.
After the tunnel is established, applications on your local machine can connect to localhost:local-port as if they were directly connected to destination-host:destination-port.
Example
The command below creates a tunnel from local port 1521 to 192.168.4.82:1521 via the asset with ID faecd97-f9d4-4ac4-b35b-b2d71491354d, using user bwilliams through the SSH proxy 12port.contoso.com on port 2203:
ssh -N bwilliams#faecd97-f9d4-4ac4-b35b-b2d71491354d@12port.contoso.com -p 2203 -L 1521:192.168.4.82:1521
Once connected, you can use applications like Oracle SQL Developer to connect to the Oracle DB at 192.168.4.82:1521 by specifying localhost:1521 as the endpoint.
Creating a SOCKS5 Proxy for Web Browsing
To create a SOCKS5 tunnel for browser-based access via an asset, use the following command:
ssh -D socks-port username#assetID@host -p sshProxyPort
Where:
- socks-port: Local port to be used as a SOCKS5 proxy on your machine.
- username: Your 12Port username with proper permissions and approved access.
- assetID: The unique asset name or ID in 12Port.
- host: 12Port SSH proxy server hostname (e.g., localhost, 12port.contoso.com).
- sshProxyPort: Port number of the SSH proxy service (e.g., 2200).
After establishing the tunnel, configure your browser to use a SOCKS5 proxy pointing to localhost:socks-port. All browser traffic will be routed through the asset's network, allowing access to web services reachable only from the asset.
Example
The following command creates a SOCKS5 proxy on local port 8443 via the asset with ID faecd97-f9d4-4ac4-b35b-b2d71491354d using user bwilliams:
ssh -D 8443 bwilliams#faecd97-f9d4-4ac4-b35b-b2d71491354d@12port.contoso.com -p 2203
Configure your browser's network settings to use localhost:8443 as a SOCKS5 proxy. This enables browsing from the perspective of the asset's network environment.
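The following wrapper script covers both procedures above, the -L local port forward and the -D SOCKS5 proxy. It is an example added to this page, not 12Port's own tooling. It builds the command in the username#assetID@host form the page documents, validates the port numbers, starts ssh in the background and reports success only once the local port is actually accepting connections, which is the check you want before pointing a database client or browser at it. The argument layout, the 15-second readiness timeout and the addition of -N to the SOCKS command (so it can run unattended) are this script's own choices; the assetID in the usage comment is a placeholder.

```shell
#!/bin/sh
# Wrapper for 12Port SSH proxy tunnels (example added to this page, not 12Port
# code). Builds the ssh command for a local port forward (-L) or a SOCKS5 proxy
# (-D) in 12Port's username#assetID@host form, starts it in the background and
# waits until the local port really accepts connections before reporting
# success. Argument layout and the 15-second timeout are this script's choices.

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd local USER ASSETID HOST PROXYPORT LOCALPORT DESTHOST DESTPORT
# tunnel_cmd socks USER ASSETID HOST PROXYPORT SOCKSPORT
# Prints the ssh command line; -N is always added so the session carries only
# the forwarded traffic and can run unattended in the background.
tunnel_cmd() {
    mode=$1 user=$2 asset=$3 host=$4 proxy_port=$5
    [ -n "$user" ] && [ -n "$asset" ] && [ -n "$host" ] ||
        { echo "username, assetID and host are required" >&2; return 1; }
    valid_port "$proxy_port" || { echo "bad SSH proxy port: $proxy_port" >&2; return 1; }
    case "$mode" in
        local)
            valid_port "$6" && [ -n "$7" ] && valid_port "$8" ||
                { echo "expected: local-port destination-host destination-port" >&2; return 1; }
            printf 'ssh -N %s#%s@%s -p %s -L %s:%s:%s\n' \
                "$user" "$asset" "$host" "$proxy_port" "$6" "$7" "$8" ;;
        socks)
            valid_port "$6" || { echo "bad SOCKS port: $6" >&2; return 1; }
            printf 'ssh -N -D %s %s#%s@%s -p %s\n' \
                "$6" "$user" "$asset" "$host" "$proxy_port" ;;
        *)  echo "mode must be 'local' or 'socks'" >&2; return 1 ;;
    esac
}

# local_port_open PORT -> 0 if something accepts TCP on 127.0.0.1:PORT
# (ssh binds -L/-D listeners to loopback unless told otherwise).
# Tries bash's /dev/tcp pseudo-device first, then ss(8) for plain sh.
local_port_open() {
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null && return 0
    command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | grep -q "[:.]$1[[:space:]]"
}

# start_tunnel MODE ... (same arguments as tunnel_cmd): run the tunnel in the
# background and wait up to 15 s for its local port to come up.
start_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 1
    port=$6                      # local port for -L, SOCKS port for -D
    $cmd >/dev/null &            # unquoted on purpose: the fields contain no spaces
    pid=$!
    i=0
    while [ "$i" -lt 15 ]; do
        if local_port_open "$port"; then
            echo "tunnel up on localhost:$port (ssh pid $pid); kill $pid to close it"
            return 0
        fi
        kill -0 "$pid" 2>/dev/null ||
            { echo "ssh exited before the tunnel came up (access denied, workflow or MFA?)" >&2; return 1; }
        sleep 1; i=$((i + 1))
    done
    echo "localhost:$port never started listening; stopping ssh" >&2
    kill "$pid" 2>/dev/null
    return 1
}

# e.g. sh 12port-tunnel.sh local bwilliams <assetID> 12port.contoso.com 2203 1521 192.168.4.82 1521
#      sh 12port-tunnel.sh socks bwilliams <assetID> 12port.contoso.com 2203 8443
if [ $# -gt 0 ]; then
    start_tunnel "$@" || exit 1
fi
```

One caveat on the readiness check: if another process already holds the local port, local_port_open reports the port as up even though ssh could not bind it. Adding -o ExitOnForwardFailure=yes to the generated command makes ssh exit in that case, so the early-exit branch in start_tunnel reports the failure instead.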
Session Reporting in 12Port
12Port logs all tunnel sessions for auditing and compliance. Session metadata includes:
- Timestamp of connection start
- Username that initiated the tunnel
- Destination details of forwarded traffic
SSH Proxy Tunnel sessions are marked with SSHP:Tunnel in the Channel field. The field also shows the final forwarded destination of the tunnel, e.g.:
SSHP:Tunnel (detectportal.firefox.com:80)
Use this reporting to validate tunnel activity, investigate access patterns, or confirm proper use of access controls.
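An example of using that reporting for the validation the paragraph describes, added here and not part of 12Port: the script reads exported session records, pulls the forwarded destination out of the SSHP:Tunnel channel value and prints every tunnel whose destination is not on an allowlist, plus a per-user tunnel count. The comma-separated export layout (timestamp,username,channel), the sample records and the allowlist are constructed for the example; only the SSHP:Tunnel (host:port) channel format comes from the page.

```shell
#!/bin/sh
# Audit helpers for 12Port tunnel session records (example added to this page,
# not 12Port code). The page documents that tunnel sessions carry
# "SSHP:Tunnel (host:port)" in the Channel field; the comma-separated export
# layout used below (timestamp,username,channel) is a constructed assumption.

# Constructed sample export. The channel value on the last line is made up to
# stand for a session that is not a tunnel.
SAMPLE_SESSIONS='2024-05-01T09:12:03Z,bwilliams,SSHP:Tunnel (192.168.4.82:1521)
2024-05-01T09:40:17Z,bwilliams,SSHP:Tunnel (detectportal.firefox.com:80)
2024-05-01T10:02:55Z,jdoe,SSHP:Tunnel (10.0.5.20:443)
2024-05-01T10:15:00Z,jdoe,SSHP:Shell'

# Destinations the approved workflows are expected to reach (constructed).
ALLOWED_TUNNEL_DESTS='192.168.4.82:1521 10.0.5.20:443'

# flag_unexpected_tunnels ALLOWED < records
# Prints timestamp,username,destination for every SSHP:Tunnel record whose
# forwarded destination is not in ALLOWED (space-separated host:port list).
flag_unexpected_tunnels() {
    awk -F',' -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 ~ /^SSHP:Tunnel \(/ {
            dest = $3
            sub(/^SSHP:Tunnel \(/, "", dest)   # strip the channel prefix ...
            sub(/\)$/, "", dest)               # ... and the closing parenthesis
            if (!(dest in ok)) print $1 "," $2 "," dest
        }'
}

# tunnel_count_by_user < records
# Prints "username count" for every user that opened a tunnel, sorted by name.
tunnel_count_by_user() {
    awk -F',' '$3 ~ /^SSHP:Tunnel/ { c[$2]++ } END { for (u in c) print u, c[u] }' | sort
}

if [ $# -eq 0 ]; then
    echo "== tunnels to destinations outside the allowlist =="
    printf '%s\n' "$SAMPLE_SESSIONS" | flag_unexpected_tunnels "$ALLOWED_TUNNEL_DESTS"
    echo "== tunnels per user =="
    printf '%s\n' "$SAMPLE_SESSIONS" | tunnel_count_by_user
fi
```

On the sample data the first report lists only the detectportal.firefox.com:80 tunnel, which is exactly the kind of destination a browser reaches through a SOCKS5 proxy without the user asking for it; whether that is acceptable is a policy question, but the report makes it visible. Feed a real export through the same functions by replacing the printf pipeline with the exported file.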