Keeper Connection Manager
Windows - OpenSSH

Connecting to an environment without ingress connections


Last updated 5 months ago


Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network that permits no inbound connections, so the KCM Server cannot reach it directly.

Prerequisite - Install OpenSSH Client and Server

Windows 10 and Windows Server 2019 and later ship OpenSSH as an optional feature, but it may not be installed by default. We recommend installing both the OpenSSH Client and the OpenSSH Server; the reverse tunnel itself only uses the client (ssh.exe, scp.exe and ssh-keygen.exe).

# Run from an elevated PowerShell prompt

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

OpenSSH can also be found under Optional Features in Windows 10 and later and Windows Server 2019 and later: Settings > Apps > Optional Features > Add a feature > OpenSSH Client / OpenSSH Server.

Microsoft's instructions for installing OpenSSH are here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Reverse Tunnel Setup

The steps below establish a connection from a KCM Server in the cloud to a Remote Endpoint that has no network ingress. The endpoint dials out to the KCM Server over SSH and asks sshd there to listen on a port that is forwarded back to the endpoint's RDP service; guacd then connects to that port on the KCM Server as if it were the endpoint.

(1) Allow inbound SSH on KCM Server

On the KCM Server, allow inbound connections to SSH port 22 from the Remote Endpoint's egress address (its public NAT address, if it sits behind one). The tunnel is an outbound connection from the Remote Endpoint to the KCM Server, so this is the only inbound rule required; the forwarded port itself (9000 in the steps below) should not be reachable from the Internet.

(2) Generate SSH Keys on the Remote Endpoint

On the Windows Remote Endpoint, create an SSH key pair that will authenticate the outbound connection from the endpoint to the KCM Server. Enter the following into an elevated command prompt. The key pair is written to the .ssh folder of the account you are logged in as (e.g. C:\Users\Administrator\.ssh), and the account that later runs the tunnel must be able to read it:

ssh-keygen -t ed25519

This will create two files, a private key (id_ed25519) and a public key (id_ed25519.pub). Leave the private key in place and do not copy it anywhere else. Because the tunnel has to come up unattended, press Enter at the passphrase prompt to create the key without one, and rely on the NTFS permissions of the .ssh folder to protect it.

Next, copy the contents of the public key file (.pub) from the Windows endpoint into ~/.ssh/authorized_keys of the tunnel user on the KCM Server.

You can transfer the .pub file using any method you choose.

If outbound traffic is allowed, you can append it in one step from PowerShell as Administrator (this connection still uses password authentication, since the key is not yet installed):

PS C:\Users\Administrator\.ssh> type id_ed25519.pub | ssh user@kcm.server.xyz "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Appending with cat >> preserves any keys already present in authorized_keys; copying the .pub file over that path with scp would overwrite them.

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the Remote Endpoint into the KCM Server without being prompted for a password. The first connection still asks you to confirm the KCM Server's host key; verify its fingerprint before accepting, because the tunnel will trust that known_hosts entry from then on.

C:\Users\Administrator> ssh username@demo.kcmdemo.com

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the ssh tunnel

Before binding the forward, make sure the KCM Server's firewall blocks inbound connections on all ports except those needed (HTTP/HTTPS/SSH). A bind address of 0.0.0.0 makes the forwarded RDP port listen on every interface of the KCM Server, so also replace 0.0.0.0 in the command below with the address guacd will connect to: the Docker bridge address that host.docker.internal resolves to (commonly 172.17.0.1 for Docker's default bridge) or the KCM Server's private IP.

To create a persistent session, we will use a batch file containing an ssh command, run by the Windows Task Scheduler. First, open Notepad and paste in the following command:

ssh -fN -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 0.0.0.0:9000:localhost:3389 -i C:\path\to\.ssh\privkey user@kcm.server.xyz

The ServerAlive options make ssh exit when the KCM Server stops answering instead of hanging on a dead connection. Edit the command with the values that correspond to your private key path, desired port and KCM Server hostname, and save the file with a .bat extension.

Open Windows Task Scheduler and create a new task with a trigger set to "At startup", configured to run whether the user is logged on or not under an account that can read the private key, and an action that runs the .bat file you created. In the task's Settings tab, untick "Stop the task if it runs longer than" (the default limit is 3 days). Note that a startup trigger runs the command once: if ssh exits, for example after the keepalive detects a dead link, the tunnel stays down until the next reboot unless the task is configured to restart on failure or the batch file loops.
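The following PowerShell script is an added example, not part of the KCM documentation or the Keeper product; it performs steps 2 to 4 above on the Remote Endpoint in a hardened form: a key stored under a SYSTEM/Administrators-only directory, a pinned host key for the KCM Server, an authorized_keys entry that can do nothing but open this one remote forward, and a reconnecting runner registered as a scheduled task instead of a single-shot .bat file. The hostname kcm.server.xyz, the account name tunnel, port 9000, the bridge address 172.17.0.1 and the directory C:\ProgramData\kcm-tunnel are assumptions to replace with your own values.

```powershell
# Added example (not from the KCM documentation): endpoint-side setup of the
# reverse tunnel, run from an elevated PowerShell prompt on the Remote Endpoint.
# Assumed values, change them to match your environment:
$KcmHost    = "kcm.server.xyz"             # KCM Server (DNS name or IP)
$KcmUser    = "tunnel"                     # dedicated, unprivileged account on the KCM Server
$RemotePort = 9000                         # port guacd will connect to on the KCM Server
$BindAddr   = "172.17.0.1"                 # what host.docker.internal resolves to; 0.0.0.0 exposes RDP on every interface
$KeyDir     = "C:\ProgramData\kcm-tunnel"  # will be readable by SYSTEM and Administrators only
$KeyFile    = Join-Path $KeyDir "id_ed25519"
$KnownHosts = Join-Path $KeyDir "known_hosts"
$RunnerPath = Join-Path $KeyDir "tunnel.ps1"

# 1. Private directory for the key material. Removing inherited ACEs leaves the
#    unattended private key readable only by SYSTEM and Administrators.
New-Item -ItemType Directory -Force -Path $KeyDir | Out-Null
icacls $KeyDir /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# 2. Key pair. Press Enter twice at the passphrase prompts: the tunnel runs
#    unattended, so the directory ACL above is what protects the key.
if (-not (Test-Path $KeyFile)) {
    ssh-keygen -t ed25519 -C "kcm-tunnel@$env:COMPUTERNAME" -f $KeyFile
}

# 3. Pin the KCM Server's host key into a file the SYSTEM account will use.
#    ssh-keyscan is trust-on-first-use: compare the fingerprint printed here with
#    `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the KCM Server.
$HostKeys = (ssh-keyscan -t ed25519 $KcmHost 2>$null) -join "`n"
[IO.File]::WriteAllText($KnownHosts, $HostKeys + "`n")
ssh-keygen -lf $KnownHosts

# 4. Install the public key, confined by authorized_keys options: "restrict"
#    disables pty, agent/X11/port forwarding and rc files; "port-forwarding"
#    re-enables forwarding only; "permitlisten" limits -R to this one bind
#    address:port (OpenSSH 7.8+); "command=" denies a shell to anyone who
#    obtains the key. The password of $KcmUser is requested once for this step.
$PubKey  = (Get-Content "$KeyFile.pub" -Raw).Trim()
$Options = 'restrict,port-forwarding,permitlisten="{0}:{1}",command="/bin/false"' -f $BindAddr, $RemotePort
"$Options $PubKey" | ssh -o "UserKnownHostsFile=$KnownHosts" "$KcmUser@$KcmHost" `
    "umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# 5. Runner script: ssh stays in the foreground, keepalives make it exit when
#    the link dies, BatchMode fails instead of prompting, ExitOnForwardFailure
#    exits if the remote port is still held by a stale session, and the loop
#    reconnects after a pause. Backticks are escaped so they survive into the file.
$Runner = @"
while (`$true) {
    ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes ``
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 ``
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KnownHosts ``
        -i $KeyFile -R ${BindAddr}:${RemotePort}:localhost:3389 ${KcmUser}@${KcmHost}
    Start-Sleep -Seconds 15
}
"@
[IO.File]::WriteAllText($RunnerPath, $Runner)

# 6. Scheduled task running as SYSTEM at boot. An ExecutionTimeLimit of zero
#    (PT0S in the task XML) disables the default 72-hour stop; RestartCount and
#    RestartInterval relaunch the task if the PowerShell host itself dies.
$Action    = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$RunnerPath`""
$Trigger   = New-ScheduledTaskTrigger -AtStartup
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 10 -RestartInterval (New-TimeSpan -Minutes 1) -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "KCM Reverse Tunnel" -Action $Action -Trigger $Trigger `
    -Settings $Settings -Principal $Principal -Force | Out-Null
Start-ScheduledTask -TaskName "KCM Reverse Tunnel"
```

After the task starts, `ss -ltnp` on the KCM Server should show sshd listening on 172.17.0.1:9000; if it is bound to 127.0.0.1 instead, sshd is still using the default GatewayPorts setting. Because the key is limited to a single bind address and port, each additional forward or endpoint needs its own authorized_keys line, and whenever sshd_config changes on the KCM Server, stop and start the task (Stop-ScheduledTask / Start-ScheduledTask) so the tunnel reconnects under the new setting.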

(5) Update GatewayPorts setting on KCM Server

Steps 5 and 6 only need to be completed once per KCM Server, so if you already completed them while setting up a different reverse SSH tunnel method, you can move on to step 7.

On the KCM Server, the SSH daemon (sshd) must be configured to let remote hosts (e.g. the guacd Docker container) connect to forwarded ports. By default, sshd binds remote port forwards to the loopback address only, regardless of the bind address the client asks for. Setting GatewayPorts to clientspecified lets the client choose the address the forwarded port is bound to. This applies to every user of the KCM Server's sshd, which is why the firewall rule from step 4 must stay in place.

  • Edit the file /etc/ssh/sshd_config

  • Update (or add) the GatewayPorts line to this:

GatewayPorts clientspecified
  • Validate the file with sshd -t, then restart sshd (the service is named ssh rather than sshd on Debian and Ubuntu)

sudo service sshd restart

An already established tunnel session is not affected by the restart and keeps its loopback-only binding, so restart the tunnel on the Remote Endpoint (reboot it or rerun the scheduled task) to make it reconnect and bind the port on the address you specified. On the KCM Server, ss -ltnp should then show sshd listening on that address and port.
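As an added example (not from the KCM documentation), the following sshd_config fragment scopes the change to a dedicated tunnel account instead of enabling GatewayPorts for every user. It assumes the Remote Endpoint authenticates as a user named tunnel, that the forward is bound to 172.17.0.1:9000, and an sshd of version 7.8 or later (needed for PermitListen). Place it at the end of /etc/ssh/sshd_config, because every line after a Match header belongs to that block.

```text
# Only the tunnel account may bind remote forwards to a non-loopback address,
# and only to the single address:port that guacd connects to. All other users
# keep the loopback-only default. Match blocks must be the last thing in the file.
Match User tunnel
    GatewayPorts clientspecified
    AllowTcpForwarding remote
    PermitListen 172.17.0.1:9000
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
```

AllowTcpForwarding remote blocks the tunnel account from opening local (-L) forwards through the KCM Server, and ForceCommand denies it a shell even if the key is ever used without -N. Run sshd -t after editing, then restart sshd and reconnect the tunnel as described above.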

(6) Update docker-compose to reference the host

This step applies only to Docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(7) Create a Connection to the target Remote Endpoint

Now that the reverse SSH tunnel is up and the guacd container can reach the forwarded port, create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname host.docker.internal and the port 9000 (or the port you chose in step 4).

As usual, populate the connection's Authentication parameters with credentials for the Remote Endpoint itself. The RDP session is carried to the endpoint through the reverse SSH tunnel, so the hostname and port refer to the tunnel's listening end on the KCM Server, not to the Windows machine's own address.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat step 4 of this guide with a different remote port (e.g. 9001, 9002, etc.) for each additional forward, and steps 2 to 4 for each additional Remote Endpoint, which should have its own key pair. Then use that port number when creating the corresponding connection inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

  • SSH tunnelling for fun and profit: Autossh (Everything CLI)
  • How to make an SSH tunnel publicly accessible? (Super User)
  • Windows Task Scheduler
  • Create Connection via Reverse SSH Tunnel
  • Selecting Interface for SSH Port Forwarding (Server Fault)
  • How to connect to the Docker host from inside a Docker container? (Medium)