Connecting to a server behind the firewall

Some of our servers are behind the stadium’s firewalls, and we don’t have control over those firewalls. Our AWS servers, accessible by ssh on the internet, need to connect to our physical servers behind the stadium’s firewall. I found that the quickest way with minimum system-wide impact is to use so-called “ssh remote forwarding”.

If we call the host behind the firewall HF and the host in AWS HA, there are two steps to let HA connect to HF’s port 80:

  1. HF runs ssh to connect to HA.
  2. HA connects to HF by connecting to HA’s local port.

Here are the commands:

  1. on HF: ssh -R 8083:localhost:80 HA , which forwards HA:8083 to HF:80 (localhost here is resolved on HF, the ssh client side)
  2. on HA: point a browser at http://localhost:8083 , which actually connects to HF:80.
  3. Optional: GatewayPorts (set in HA’s sshd_config) is needed only if other machines need to connect to HF through HA; by default the forwarded port on HA listens on loopback only.
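The commands above as a small POSIX sh helper, added here as an example and not part of the original post: it assembles the remote-forward command for HF with the options that keep the tunnel reliable, inspects a `-R` spec and an sshd_config for how widely the forwarded port is exposed, and gives HA a check that the forward really reaches HF. HA and HF are the post’s placeholder hostnames; the ports, option values and file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders: HA is the
# AWS host running sshd, HF is the host behind the firewall running ssh.

# build_remote_forward HA_HOST HA_PORT HF_PORT [BIND_ADDR]
# Prints the command to run on HF. The -R spec reads
# [bind_addr:]port_on_HA:localhost:port_on_HF, and "localhost" is resolved on
# HF (the ssh client side), not on HA. The bind address defaults to loopback so
# that only processes on HA can reach the forwarded port; pass 0.0.0.0 together
# with "GatewayPorts clientspecified" in HA's sshd_config only if other
# machines must reach HF through HA.
build_remote_forward() {
    ha_host=$1; ha_port=$2; hf_port=$3; bind_addr=${4:-127.0.0.1}
    # -N: no remote shell, the session exists only for the forward.
    # ExitOnForwardFailure=yes: exit instead of silently running without the
    #   forward when HA_PORT is already taken on HA.
    # ServerAliveInterval/CountMax: notice a dead connection through the
    #   firewall and exit, so a supervising loop on HF can reconnect.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:localhost:%s %s\n' \
        "$bind_addr" "$ha_port" "$hf_port" "$ha_host"
}

# forward_bind_addr SPEC
# Prints the bind address named in a -R spec, or "default" when none is given.
# "default" means loopback on HA unless HA's sshd_config sets GatewayPorts yes,
# which is why that setting deserves an explicit check. Handles IPv4 or
# hostname binds only (an IPv6 literal would add colons).
forward_bind_addr() {
    case $1 in
        *:*:*:*) printf '%s\n' "${1%%:*}" ;;
        *)       printf 'default\n' ;;
    esac
}

# gateway_ports_setting FILE
# Prints the GatewayPorts value from an sshd_config file, or "no" (the
# OpenSSH default) when the keyword is absent. Run against HA's sshd_config.
gateway_ports_setting() {
    val=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-no}"
}

# check_forward_on_ha HA_PORT
# Run on HA: confirm something is listening on the port and that an HTTP
# request through it gets an answer from HF. Returns non-zero if either fails.
check_forward_on_ha() {
    ss -ltn "sport = :$1" | grep -q ":$1 " \
        || { echo "nothing listening on HA:$1" >&2; return 1; }
    curl -sS -o /dev/null -m 5 "http://127.0.0.1:$1/" \
        || { echo "no answer from HF via HA:$1" >&2; return 1; }
    echo "HA:$1 -> HF reachable"
}

# Constructed invocation: print the command HF should run for the post's
# setup (HA:8083 -> HF:80, loopback-only on HA).
build_remote_forward HA 8083 80
```

On HF, run the printed command inside a restart loop (or under a supervisor) so the forward comes back after the firewall drops the connection; on HA, `check_forward_on_ha 8083` and `gateway_ports_setting /etc/ssh/sshd_config` together tell you whether the tunnel works and whether it is reachable only from HA itself.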

“remote” means remote to sshd. In other words, sshd and the forwarding destination are not on the same local network.


Minimum requirement to display GUI on Windows for Linux

I manage multiple Linux servers in AWS, none of which has a display server installed, neither X nor Wayland. Display servers run on my Windows machine. I prefer portable applications over setup.exe. By portable, I mean no changes to the registry, and all changes are limited to the local folder that holds the download. There are some portable packages on Windows that can do this well, listed in the reference section.

I wanted to go one step further: not only portable, but getting rid of the terminal emulator, e.g. PuTTY. The solution on Windows includes two parts: an X server and ssh.exe. Here are the key points.

  1. X server: downloaded as a zip file. Both Xming and VcXsrv tested well.
  2. ssh.exe: can be copied, instead of installed, from either Git for Windows or an installed Cygwin.
  3. It’s very important to set the DISPLAY variable on both Linux and Windows. On Windows it’s like this: set DISPLAY=

X11 forwarding can be removed too (only tested on the same LAN, since X traffic then travels unencrypted):

  1. take out the -X option when starting ssh.exe
  2. run “DISPLAY=MyWindowHost:0” on Linux.
  3. explicitly tell the X server who is allowed to connect, e.g. edit X0.hosts for Xming.