
SSH Port Forwarding

Port Forwarding can be enabled on a per-server basis; simply check Allow Port Forwarding at the bottom of the server settings. Once enabled, SSH connections proxied by strongDM for this server will accept local forwarding requests. Keep in mind that this option is disabled by default and can only be enabled by your organization administrators.

Port Forwarding Settings

Existing connections are not affected by the enabling/disabling of port forwarding. Each connection will only adhere to the current settings at the time it is established.

Local Forwarding Tutorial

With the Allow Port Forwarding option enabled, your sdm executable will accept the same local forwarding (-L) flag that you would normally use with SSH. We will go through the example below; first, we will establish a connection, then start listening on a forwarded port to send data back and forth. This tutorial requires terminal access and some previous command-line knowledge.

At this time remote forwarding is not supported.

1. Outline of the command structure:
```bash
sdm ssh [Server Name] -L [Local Port to Forward]:[Target Bind Address]:[Target Port]
```
  1. Identify the name of your server and the local port strongDM has mapped to it; save both for the next step.

    local_client:~$ sdm status
    SERVER STATUS PORT TYPE TAGS
    port-forwarding-demo connected 25745 ssh
  2. Establish an SSH connection and forward port 3003 on the client machine to port 4003 on the target server (referred to as localhost in this command, since this is internal to the target server). Run the example shown below on your local terminal. You should see the welcome screen for your remote server if everything was successful.

    local_client:~$ sdm ssh "port-forwarding-demo" -L 3003:localhost:4003

    If port forwarding is disabled, you will still be able to establish a connection; however, attempts to forward ports will fail. Your log messages may reveal error messages similar to the one below.

    channel 3: open failed: administratively prohibited: port forwarding is disabled for this server.

  3. Next, we will use Netcat to listen on port 4003 on the target server. Run the example below on your remote server.

    remote_server:~$ nc -lv 4003
    Listening on [0.0.0.0] (family 0, port 4003)
  4. On your client machine, open a new terminal window or tab and connect to your local port 3003 with the command below. You should receive a "connection successful" prompt on the remote server, which shows that the tunnel is working. Try typing hello-from-client to send text from the client to the server over the SSH tunnel:

    local_client:~$ nc -v localhost 3003
    Connection to localhost port 3003 [tcp/pxc-splr-ft] succeeded!
    hello-from-client
  5. If all went well, you should have received the messages from your local client on your remote server. At this point, you can also send data back to the client.

    remote_server:~$ nc -lv 4003
    Listening on [0.0.0.0] (family 0, port 4003)
    Connection from [127.0.0.1] port 3003 [tcp/*] accepted (family 2, sport 48742)
    hello-from-client
    greetings from the server

That concludes this brief tutorial on how to use port forwarding with the strongDM executable. This method should work with any applications running on non-privileged ports (ports higher than 1024).

Alternate Syntaxes

Direct with SSH

With this syntax, we will call SSH directly and connect to the port mapped to the server.

local_client:~$ ssh -L 4003:localhost:4003 localhost -p 25745
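The direct syntax needs the mapped port that step 1 of the tutorial reads from `sdm status`. The helper below, an added example rather than part of strongDM's docs or tooling, parses constructed `sdm status` text, validates an `-L` spec (rejecting malformed specs, bad port numbers and privileged local ports, which the tutorial says this method does not cover) and assembles the direct `ssh` command; the server `reporting-db` and its port are made up for the sample.

```shell
#!/bin/sh
# Constructed sample of `sdm status` output, modelled on the tutorial; not real client output.
SAMPLE_STATUS='SERVER STATUS PORT TYPE TAGS
port-forwarding-demo connected 25745 ssh
reporting-db connected 25746 ssh'

# Read `sdm status` text on stdin and print the local port mapped to the named
# server ($1). Fails if the server is absent or not in the "connected" state.
sdm_port_for() {
    awk -v name="$1" '
        NR > 1 && $1 == name && $2 == "connected" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# True if $1 is an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate an -L spec of the form LOCAL_PORT:BIND_ADDR:TARGET_PORT and echo it back.
# Exactly two colons are required; a privileged local port (below 1024) is refused
# because the tutorial only covers non-privileged ports.
check_forward_spec() {
    case "$1" in *:*:*:*) return 1 ;; *:*:*) ;; *) return 1 ;; esac
    local_port="${1%%:*}"
    rest="${1#*:}"
    bind_addr="${rest%%:*}"
    target_port="${rest#*:}"
    [ -n "$bind_addr" ] || return 1
    valid_port "$local_port" && valid_port "$target_port" || return 1
    if [ "$local_port" -lt 1024 ]; then
        echo "local port $local_port is privileged; use a port above 1024" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# Build the "Direct with SSH" command for a server name ($1) and forwarding
# spec ($2), taking `sdm status` output on stdin.
direct_ssh_cmd() {
    port=$(sdm_port_for "$1") || return 1
    spec=$(check_forward_spec "$2") || return 1
    printf 'ssh -L %s localhost -p %s\n' "$spec" "$port"
}

# Stand-alone demo against the constructed sample; prints the command to run.
printf '%s\n' "$SAMPLE_STATUS" | direct_ssh_cmd port-forwarding-demo 3003:localhost:4003
```

Pipe real `sdm status` output into `direct_ssh_cmd` instead of the sample to get the command for your own server.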

Alias with SSH

Here we first create an alias mapping ssh to sdm. This alias lets us use the logical server name in strongDM rather than the mapped port.

  1. Create alias

    local_client:~$ alias ssh="/usr/local/bin/sdm ssh wrapped-run"
  2. Connect with the logical name

    local_client:~$ ssh -L 4003:localhost:4003 "port-forwarding-demo"

If any errors occur, please copy them into an email and send them to support@strongdm.com.
