How to configure reverse proxy for SSH backend server
search cancel

How to configure reverse proxy for SSH backend server


Article ID: 166341


Updated On:


ProxySG Software - SGOS


My proxy is on DMZ and I wanted to tunnel port 22 going to backend SSH server

I have reverse proxy configuration for https to http traffic currently.  How do I configure reverse proxy that is located on DMZ going to back end SSH server without interfering with current reverse proxy configuration.








By default, ProxySG has listener on port 22 as ssh-console.  It is strongly suggest to use different proxy listener aside from port 22.

** Create a new VIP on proxy.  This VIP should be on same segment of default gateway configured on proxy

MC - Configuration - Advanced - VIPs - click New - put the virtual IP address you wanted to use for listener and click ok and apply.

** Configure proxy service port for the VIP created.  As an example, port 2222 will be use as a listener.   

Go to MC - Configuration - Services - Proxy Services.    Click "New Service" and fill in information for this new service:


Name - name of the service e.g. SSH_tunnel 

Service Group - Tunnel Recommended

* Proxy setting 

Proxy - TCP tunnel

All options could be left uncheck

click New

Source could be ALL (these are IPs coming from WAN/Internet side)

Destination - choose "destination host or subnet" and put in the VIP created earlier

Port range - 2222

Action - Intercept

Click ok, ok and apply 


** Create forwarding host

MC - Configuration - Forwarding - Forwarding Hosts - Forwarding Hosts - click new

Fill in information for this forwarding host; as an example

Alias - myfwdhost4ssh

Host - ip address (or host name) of the SSH backend server.  If you are using host name, makes sure this are resolvable by DNS server configured on the proxy

Type - Server

Port - 22

Load Balancing and host affinity could be left as default

Click ok and apply



** Create a rule on the VPM, Forwarding layer to forward request to back end server

The triggers should be a combined destination object for the VIP AND port 222

Action - choose the forwarding host created (myfwdhost4ssh)

If your default policy is "deny", make sure request will be allowed on the policy (Web Access Layer)