
Configuring Peer Tunnel Access

Peer Tunnel functionality enables a peer node to expose its internal service ports to a main node, even when direct inbound access from the main node is not possible. This is achieved via reverse SSH tunnels initiated by the peer node.

Overview of Peer Tunnels

In a typical peer node deployment, the main node requires access to services running on the peer node, such as the WEB Gateway, Native Gateway, Job Pool, and local Active Directory. These services often reside in an isolated network, inaccessible to external systems. Peer Tunnel provides a mechanism for securely exposing these services without modifying firewall rules or opening inbound ports.

Instead of requiring inbound access, the Peer Tunnel relies on outbound SSH connectivity from the peer node to the main node. When enabled, the peer node establishes and maintains reverse SSH tunnels to a reachable SSH server on the main node host. Once the tunnels are in place, the main node can access the peer node’s internal services as though they were locally available on the main node itself, using the specified forwarded ports.

This architecture supports scenarios involving multiple tenants or containers, with each potentially using different peer nodes, some of which may rely on peer tunnels. Additionally, a single peer node can manage tunnels for multiple tenants or distinct main node deployments.

The tunnel setup leverages a standard Unix Host asset that defines the SSH connection to the main node. For high availability (HA), alternate member assets can be added to this tunnel asset, allowing the peer node to build tunnels for all configured services.

Tip: For additional information about Peer Tunnel architecture and use cases, please read our Peer Tunnel FAQ article.

Peer Tunnel Setup Instructions

To configure a Peer Tunnel, follow these steps.

Prerequisites

Ensure the following conditions are met before beginning:

  • The peer node must be deployed within the isolated network.
  • Outbound SSH (port 22) access from the peer node to the main node, located outside the isolated network, must be permitted.

Step 1: Deploy the Peer Node

Install, configure, and license the peer node within the isolated network environment.

Step 2: Define the Main Node Host

On the Peer Node, create a Unix Host asset representing the main node host. This asset supports authentication methods such as:

  • Username/password
  • Username/private key
  • Username/protected private key

It is recommended to enable the Server Key verification option in the SSH asset so that the main node host's identity is verified on every connection.

Step 3: Configure the Peer Tunnel

Create the Peer Tunnel with the following parameters:

  • Name: Descriptive identifier for the tunnel (used in reports and references).
  • Asset: The Unix Host asset defining the main node connection. This asset can include alternative member assets, all of which will be used to build tunnels, to support an HA deployment of the main node.
  • WEB Gateway: The web-based remote access service hosted by the peer node, typically bound to localhost (127.0.0.1) and shared across tenants (default port: 4822).
  • Native Gateway: Used for native protocol remote sessions (SSH, RDP, or browser-based) provided by the peer node. Bound to 127.0.0.1, with a unique port per tenant (for example 8800, 8801, and so on).
  • Job Pool: Executes the remote job service provided by the peer node. Shared across tenants and bound to 127.0.0.1 (default port: 6443).
  • LDAP: An external LDAP or Active Directory service reachable from the peer node that the main node can use for authentication and authorization. The LDAP host is not on the peer node itself; specify its address in the LDAP Local Host field, together with its port (typically 636, or 3269 for the global catalog).
  • Remote Port: The port on the main node through which each respective service will be accessed. Each remote port must be unique on the main node across all peer tunnels established by all peer nodes.

[Figure: Peer Tunnel Parameters]

Step 4: Activate the Tunnel

Enable and save the peer tunnel configuration. The peer node will automatically initiate or update the SSH tunnels based on the latest settings; there is no need to restart either node. Tunnel creation, recreation, and failure events are logged in the peer node's event log, along with the IP addresses and ports involved.

Once established, the main node host will have active local ports representing the tunneled services. These ports can then be used to configure peer-related resources on the main node.
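To make the mapping between the Step 3 parameters and the reverse tunnels described in Step 4 concrete, the following added example (not the product's own code) expresses one peer node's tunnels as a single OpenSSH client invocation and checks that the remote ports are unique. The main node hostname, tunnel account, LDAP host and remote port numbers are constructed placeholders; the local service ports are the defaults named above.

```shell
#!/bin/sh
# Added example: the peer node's reverse tunnels as one OpenSSH client command.
# All hostnames, the account name and the remote ports are placeholders.

MAIN_NODE_HOST="mainnode.example.com"   # assumption: SSH server on the main node host
TUNNEL_USER="peertunnel"                # assumption: account used by the tunnel asset
LDAP_LOCAL_HOST="dc01.corp.local"       # assumption: AD host reachable from the peer node

# One line per service: <name> <remote port on main node> <local host> <local port>.
# Remote ports must be unique on the main node across all peer tunnels.
SERVICE_MAP="web 14822 127.0.0.1 4822
native 18800 127.0.0.1 8800
jobpool 16443 127.0.0.1 6443
ldap 10636 ${LDAP_LOCAL_HOST} 636"

# Build the -R options (remote_port:local_host:local_port). Whether the main node
# binds these ports to loopback or to all interfaces is decided by the GatewayPorts
# setting of the sshd on the main node host, not by the peer node.
reverse_forward_opts() {
    printf '%s\n' "$SERVICE_MAP" | while read -r name rport lhost lport; do
        [ -n "$name" ] || continue
        printf '%s %s:%s:%s ' '-R' "$rport" "$lhost" "$lport"
    done
}

# Full client command: host key verification is enforced (the Server Key
# verification option above), a failed forward aborts instead of silently
# running without it, and keepalives let a dead tunnel be detected and rebuilt.
tunnel_command() {
    printf 'ssh -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s%s@%s' \
        "$(reverse_forward_opts)" "$TUNNEL_USER" "$MAIN_NODE_HOST"
}

# Returns success only if no remote port is used twice in SERVICE_MAP.
remote_ports_unique() {
    dups=$(printf '%s\n' "$SERVICE_MAP" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Run with --run to actually keep the tunnels up; the loop re-establishes them
# after a failure, which is the behaviour Step 4 describes for the peer node.
if [ "${1:-}" = "--run" ]; then
    remote_ports_unique || { echo "duplicate remote port in SERVICE_MAP" >&2; exit 1; }
    while :; do eval "$(tunnel_command)"; sleep 5; done
fi
```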

Step 5: Configure Peer on the Main Node

Create a peer configuration on the main node, referencing the ports created by the peer node on the main node host. Use the main node hostname (not localhost) to reference the tunneled services. This avoids special handling associated with localhost networking.

[Figure: Main Node Peer Configuration]

Step 6: Configure LDAP/AD Access

If LDAP or Active Directory integration is required, define the corresponding configuration on the main node. Use the main node hostname (not localhost) together with the remote port configured in the peer tunnel to reference the reverse-forwarded port; this avoids the special handling associated with localhost networking.

[Figure: Main Node LDAP Configuration]

Summary

After completing the setup, the main node can reach the LDAP service and the peer node services in the isolated network as if they were directly connected, without opening any inbound firewall ports into the isolated network. The peer node maintains the reverse SSH tunnels that bridge this connection securely and dynamically.