SSH port forwarding enables you to establish tunnels from your local computer, through our SSH Gateway, to ports on an internal Carnegie server.

SSH tunneling is non-trivial, and requires some knowledge about network protocols and ports.


  • A a free "high" port on your own computer (between 1024 and 65535)
  • A "target" internal server
  • A "target port" on that internal server
  • An "SSH gateway" to be used to connect to the internal "target"

Setting up an SSH Tunnel

  1. Pick a free "high" port on your computer
    For this example, we'll use port 33333, as it's usually available.
    If you try 33333 and it's not available, try 33334, 33335, etc.

  2. Pick the "target" internal server to connect to
    For this example, we'll use RDS2,

  3. Either know the TCP/IP port used by the protocol you'll be forwarding, or another custom "target port"
    For this example, we'll be connecting via RDP which uses port 3389

  4. Open a new terminal window, and establish the tunnel via the SSH command with the -L flag, through the SSH gateway: ssh -L high_port:target_server:target_port username@ssh-gateway
    ssh -L

  5. Leave the terminal window open.  The tunnel will only remain available so long as this SSH session remains connected

  6. Use your browser or client to connect to "localhost" on the "high port" you chose
    In this example, use your Microsoft RDP client to connect to "localhost:33333"

Setting up Additional SSH Tunnels

  • To establish another tunnel, use the same process, but with another "high" port number (e.g. 33334).
  • You can also chain multiple -L options on a single SSH call to establish multiple tunnels at once. (e.g. ssh -L 33333:localhost:5901 -L 33334:localhost:5902 -L 33335:localhost:5903