# Port Forwarding

Port forwarding is configured for your organization in the Admin UI's security settings. It is disabled by default and can only be enabled by users in your organization who have the Account Administrator permission level.

### How to Enable Port Forwarding

1. In the Admin UI, go to **Settings** > **Security**.
2. In the **Port Forwarding** > **Allow port forwarding through SSH?** section, select **Yes**.
3. Click **activate for all servers**.

{% hint style="info" %}
Enabling port forwarding does not turn on port forwarding globally. It simply allows the **Allow Port Forwarding** checkbox to be shown on SSH Server configuration pages, so port forwarding can be enabled on a per-server basis.
{% endhint %}

4. When setting up any given server, check the **Allow Port Forwarding** box at the bottom of the Server configuration page. Once enabled, SSH connections proxied by StrongDM for this server will accept local forwarding requests.

{% hint style="info" %}
Existing connections are not affected by the enabling/disabling of port forwarding. Each connection will only adhere to the current settings at the time it is established.
{% endhint %}

### Local Forwarding Tutorial

With the **Allow Port Forwarding** option enabled for a server, your `sdm` executable will accept the same local forwarding (`-L`) flag that you would normally use with SSH.

In the following example, you will establish a connection and start listening on a forwarded port to send data back and forth. Working through this example requires terminal access and some command-line knowledge.

{% hint style="info" %}
At this time remote forwarding is not supported.
{% endhint %}

1. Outline of the command structure:

   ```bash
   sdm ssh [Server Name] -L [Local Port to Forward]:[Target Bind Address]:[Target Port]
   ```
2. Identify the name of your server and which port it is running on; save this for the next step.

   ```bash
   local_client:~$ sdm status
   SERVER  STATUS  PORT  TYPE  TAGS
   port-forwarding-demo  connected   25745   ssh
   ```
3. Establish an SSH connection and forward port 3003 on the client machine to port 4003 on the target server (referred to as *localhost* in this command because this is internal to the target server). Run the following example on your local terminal. You should see the welcome screen for your remote server if everything was successful.

   ```bash
   local_client:~$ sdm ssh "port-forwarding-demo" -L 3003:localhost:4003
   ```

{% hint style="warning" %}
If port forwarding is disabled, you will still be able to establish a connection; however, attempts to forward ports will fail. Your log output may show an error message similar to `channel 3: open failed: administratively prohibited: port forwarding is disabled for this server`.
{% endhint %}

4. Next, we will use Netcat to listen on port 4003 on the target server. Run the following example on your remote server.

   ```bash
   remote_server:~$ nc -lv 4003
   Listening on [0.0.0.0] (family 0, port 4003)
   ```
5. On your client machine, open a new terminal window or tab and connect to your local port 3003 with the following command. The remote server should report that the connection was accepted, which shows that the tunnel is working. Type `hello-from-client` to send text from the client to the server over the SSH tunnel:

   ```bash
   local_client:~$ nc -v localhost 3003
   Connection to localhost port 3003 [tcp/pxc-splr-ft] succeeded!
   hello-from-client
   ```
6. If all went well, you should have received the messages from your local client on your remote server. At this point, you can also send data back to the client.

   ```bash
   remote_server:~$ nc -lv 4003
   Listening on [0.0.0.0] (family 0, port 4003)
   Connection from [127.0.0.1] port 3003 [tcp/*] accepted (family 2, sport 48742)
   hello-from-client
   greetings from the server
   ```

That concludes this brief tutorial on how to use port forwarding with the StrongDM executable. This method should work with any application listening on a non-privileged port (ports higher than 1024).

{% hint style="info" %}
When port forwarding is enabled, traffic sent through the forwarded port bypasses StrongDM's command logging: only the user and session timestamp are recorded, not the commands themselves.
{% endhint %}

### Alternate Syntaxes

#### Direct with SSH

With this syntax, we call SSH directly and connect to the local port that `sdm` has mapped to the server (25745 in the `sdm status` output above).

```bash
local_client:~$ ssh -L 4003:localhost:4003 localhost -p 25745
```

#### Alias with SSH

Here we first create an alias that maps `ssh` to `sdm`. The alias lets us use the server's logical name in StrongDM rather than the mapped port.

1. Create alias:

   ```bash
   local_client:~$ alias ssh="/usr/local/bin/sdm ssh wrapped-run"
   ```
2. Connect with the logical name:

   ```bash
   local_client:~$ ssh -L 4003:localhost:4003 "port-forwarding-demo"
   ```
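The following helper script is an added example (not part of StrongDM's documentation or tooling) that ties the tutorial and the alternate syntaxes together: it reads the server's mapped port out of `sdm status` output, checks a `-L` spec against the non-privileged-port rule given above, builds both the `sdm ssh` and the direct `ssh -p` forms of the command, and recognises the "administratively prohibited" message a client sees when forwarding is disabled. The `sdm status` output and the log line are constructed samples, since the real commands need a running `sdm` client.

```bash
#!/bin/sh
# Constructed sample of `sdm status` output (assumption: the real client
# prints one whitespace-separated row per server, header first).
SDM_STATUS_SAMPLE='SERVER  STATUS  PORT  TYPE  TAGS
port-forwarding-demo  connected   25745   ssh
other-box  not connected   -   ssh'

# Print the local port sdm has mapped for the named server; fail if the
# server is absent or not connected.
sdm_port_for() {
  printf '%s\n' "$2" | awk -v name="$1" '
    NR > 1 && $1 == name && $2 == "connected" { print $3; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Validate a LOCAL:HOST:REMOTE spec: three fields, numeric ports, non-empty
# host, and a local port above 1024 as the tutorial requires.
check_forward_spec() {
  spec=$1
  case "$spec" in *:*:*) ;; *) return 1 ;; esac
  local_port=${spec%%:*}; rest=${spec#*:}
  host=${rest%%:*};        remote_port=${rest#*:}
  case "$local_port"  in ''|*[!0-9]*) return 1 ;; esac
  case "$remote_port" in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$host" ] && [ "$local_port" -gt 1024 ] && [ "$local_port" -le 65535 ] \
    && [ "$remote_port" -ge 1 ] && [ "$remote_port" -le 65535 ]
}

# Tutorial form: sdm resolves the logical server name itself.
sdm_forward_cmd() {
  check_forward_spec "$2" || return 1
  printf 'sdm ssh "%s" -L %s\n' "$1" "$2"
}

# "Direct with SSH" form: ssh to the port sdm mapped for the server.
ssh_direct_cmd() {
  check_forward_spec "$3" || return 1
  port=$(sdm_port_for "$1" "$2") || return 1
  printf 'ssh -L %s localhost -p %s\n' "$3" "$port"
}

# True when a client log line carries the refusal sdm returns for a server
# whose Allow Port Forwarding box is unchecked.
forward_denied() {
  printf '%s\n' "$1" | grep -q 'administratively prohibited: port forwarding is disabled'
}
```

Because `forward_denied` keys on the exact phrase from the warning above, it is also a cheap way to tell a mis-configured server apart from a plain connection failure when scripting tunnels.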
