1 of 4

Persistent Reverse SSH Tunnel

Connecting to an environment without ingress connections

Overview

Oftentimes, it is necessary to create a connection into a target system which blocks ingress connections or is behind a firewall, particularly if you cannot install Keeper Connection Manager on a device within the target network. For this use case, Keeper Connection Manager supports the use of reverse SSH tunnels. This guide provides a method of setting up a reverse SSH tunnel to access a system that is otherwise inaccessible due to inbound network restrictions. This guide covers reverse SSH tunnels using the Auto Docker Install method and a target endpoint. Once the tunnel and configuration is complete, Keeper Connection Manager can establish a connection to the remote endpoint through the tunnel. You can use any supported connection within the tunnel, one established.

AutoSSH as a Windows Service

Connecting to an environment without ingress connections

If you prefer to run autossh as a windows service, you can follow these steps.

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install Cygwin

After it's installed, we will select both the openssh and the autossh packages to download and install.

Click Next > Install from Internet > All Users > Next > Next > Next > Choose any mirror > Next (as shown below).

At the "Select Packages" screen, change the view from Pending to Full and then enter "ssh" in the search box. Select the down arrow on autossh, choose latest version. Select the down arrow on openssh, choose the latest version (shown below).

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

On the KCM Server, ensure that inbound SSH port 22 connections are open from the Remote Server to the KCM instance. We will be establishing an outbound connection from the Remote Server to the KCM instance to set up the reverse tunnel.

(2) Generate SSH Keys on the Remote Endpoint

On the Windows Remote Endpoint, using Cygwin Terminal create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server. Enter the following into the Cygwin Terminal:

It will ask where you want to save the key, you can just press enter to take the default and continue.

This will create two files, a private key and a public key. Leave the private key in place. We will copy the public key from the target endpoint onto the KCM server.

Next, we will copy the public key file (.pub) from the windows endpoint to the KCM Server in ~/.ssh/authorized_keys.

You can transfer the .pub file by any method that you choose.

You can transfer the .pub file by any method that you choose. If you have outbound traffic allowed on the windows target endpoint, you can use the following command in the Cygwin Terminal:

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server without any password prompt.

(4) Establish the persistent SSH tunnel

To create the persistent tunnel, enter the following two commands into the windows command prompt or PowerShell (not in the Cygwin Terminal):

Make sure that you have a firewall in place to block inbound connections on all ports except what is needed (HTTP/HTTPS/SSH). And/or change the 0.0.0.0 in the following command to the IP of your KCM server.

Choose any open port to use, in this example we use port 9000.

(5) Configure the Windows Service

Open Services and look for the new service called "AutoSSH" and open it, but don't start it just yet.

We will set an automatic delayed start and logon by the Administrator account. These will help allow the service to start properly.

On the Log On tab, click browser and enter the administrator object name and click "Check Names". Make sure to put the password for the administrator account into both fields.

Now we are ready to start the AutoSSH Service (shown below).

Start the AutoSSH service and confirm that it is running.

(6) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse ssh tunnel method, you can move on to step 8

On the KCM Server, the SSH process (sshd) must be modified to permit remote hosts (e.g. the guacd Docker container) to be allowed to connect to forwarded ports. By default, sshd binds remote port forwards to the loopback address. Setting the value of GatewayPorts to "clientspecified" allows the client to select the address to which the forwarded port is bound.

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

Restart sshd

The reverse tunnel is now established between the Remote Server and the KCM Server.

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

Update the docker environment for the change to take effect.

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

As usual, ensure that the proper Authentication parameters are populated in the connection for the remote server. In this case, the remote server is being accessed via the established reverse SSH tunnel.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 5 of this guide on a different available port (e.g. 9001, 9002, etc...). Then create a connection with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

Linux - AutoSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Linux instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Install KCM Server

If you have not set up a Keeper Connection Manager instance, follow the Auto Docker Install instructions on any instance within any cloud environment. This service will be your KCM Server.

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to an internal Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

(2) Generate SSH Key on the Remote Endpoint

On the Remote Endpoint, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server.

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key as is, and copy only the .pub file to your KCM Server.

Now we need to add the contents of the public key file into a special file in your KCM server directory. Check your <home>/.ssh directory and if it doesn't already have a file called "authorized_keys" then create the file. Take the text from the public key file id_ed25519.pub and put the text into the the file~/.ssh/authorized_keys on the KCM server.

The text should have the following format:

ssh-ed25519 AAAAC3NzaC1lZDI1nScLLwc3wsBH localuser@localhost

Save the authorized_keys file as ~/.ssh/authorized_keys

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any password prompt (using the keys).

$ ssh username@demo.kcmdemo.com

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote
[centos@kcmdemo.com ~]$ exit

(4) Install autossh on the Remote Endpoint

The Linux program autossh is a helper utility for creating a persistent SSH tunnel. Installation of autossh depends on the platform, but a typical command to install it would be:

sudo yum install autossh

Or, to build from source, follow these steps (for example, on an Amazon Linux 2 AMI):

$ sudo yum install gcc
$ wget http://www.harding.motd.ca/autossh/autossh-1.4e.tgz
$ tar -xf autossh-1.4e.tgz
$ cd autossh-1.4e
$ ./configure
$ make
$ sudo make install

(5) Update GatewayPorts setting on KCM Server

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

GatewayPorts clientspecified

Restart sshd

sudo service sshd restart

(6) Command to Create Persistent Reverse SSH Tunnel

In order to establish an SSH connection from the KCM Server to the Remote Server, we need to first create a persistent reverse tunnel, initiated from the Remote Server.

On the Remote Endpoint, execute autossh in the background, using parameters similar to below. Note that the full path to the private SSH key is provided. Autossh will then run in the background and the tunnel will remain active as long as the instance is running.

autossh -f -M 0 -N -o "ServerAliveInterval 30" \
  -o "ServerAliveCountMax 3" \
  -R 0.0.0.0:9000:localhost:22 \
  -i /home/ec2-user/.ssh/id_ed25519 \
  user@kcm.server.xyz

The reverse tunnel is now established between the Remote Server and the KCM Server.

To verify connectivity, you can now establish an SSH session from the KCM Server to the Remote Server over localhost on the port defined by the tunnel (in this case, port 9000).

From the KCM Server this can be tested using the command below:

ssh -i /path/to/key -p 9000 username@localhost

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

For this example, you can create a new connection which simply references the Hostname of host.docker.internal and the port of 9000.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 6 of this guide on a different port (e.g. 9001, 9002, etc...). Then reference host.docker.internal with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

Windows - OpenSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install OpenSSH Client and Server

Good news, Windows now comes with OpenSSH! However, it may not be installed by default. We recommend Installing both the OpenSSH Client and the OpenSSH Server.

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

OpenSSH can be found in "Optional Features" in Windows 10+ and Windows Server 2019+. You can install it from Settings > Apps > Optional Features > Add Feature > Open SSH Client / Server.

Microsoft's instructions for installing OpenSSH are here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

(2) Generate SSH Keys on the Remote Endpoint

On the Windows Remote Endpoint, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server. Enter the following into an elevated command prompt:

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key in place.

Next, we will copy the public key file (.pub) from the windows endpoint to the KCM Server.

You can copy the .pub file using any method you choose

If you have outbound traffic allowed, you can use the following command in PowerShell as Administrator:

PS C:\Users\Administrator\.ssh> scp id_ed25519.pub user@kcm.server.xyz:~/.ssh/authorized_keys

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any prompt.

C:\Users\Administrator> ssh username@demo.kcmdemo.com

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the ssh tunnel

To create a persistent session, we will utilize a batch file with an ssh command, and the windows task scheduler. First, open notepad and copy in the following command:

ssh -fN -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 0.0.0.0:9000:localhost:3389 -i C:\path\to\.ssh\privkey user@kcm.server.xyz

Edit the command with the values that correspond to your path, desired port, and URL, and save the file as a .bat file.

Open Windows Task Scheduler, create a new task with a trigger set to "on startup" and an action to run the .bat file that you created.

(5) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse ssh tunnel method, you can move on to step 7

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

GatewayPorts clientspecified

Restart sshd

sudo service sshd restart

The reverse tunnel is now established between the Remote Server and the KCM Server.

(6) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(7) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 4 of this guide on a different port (e.g. 9001, 9002, etc...). Then create a connection with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

Linux - AutoSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Linux instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Install KCM Server

If you have not set up a Keeper Connection Manager instance, follow the Auto Docker Install instructions on any instance within any cloud environment. This service will be your KCM Server.

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to an internal Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

(2) Generate SSH Key on the Remote Endpoint

On the Remote Endpoint, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server.

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key as is, and copy only the .pub file to your KCM Server.

The text should have the following format:

ssh-ed25519 AAAAC3NzaC1lZDI1nScLLwc3wsBH localuser@localhost

Save the authorized_keys file as ~/.ssh/authorized_keys

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any password prompt (using the keys).

$ ssh username@demo.kcmdemo.com

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote
[centos@kcmdemo.com ~]$ exit

(4) Install autossh on the Remote Endpoint

The Linux program autossh is a helper utility for creating a persistent SSH tunnel. Installation of autossh depends on the platform, but a typical command to install it would be:

sudo yum install autossh

Or, to build from source, follow these steps (for example, on an Amazon Linux 2 AMI):

$ sudo yum install gcc
$ wget http://www.harding.motd.ca/autossh/autossh-1.4e.tgz
$ tar -xf autossh-1.4e.tgz
$ cd autossh-1.4e
$ ./configure
$ make
$ sudo make install

(5) Update GatewayPorts setting on KCM Server

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

GatewayPorts clientspecified

Restart sshd

sudo service sshd restart

(6) Command to Create Persistent Reverse SSH Tunnel

In order to establish an SSH connection from the KCM Server to the Remote Server, we need to first create a persistent reverse tunnel, initiated from the Remote Server.

autossh -f -M 0 -N -o "ServerAliveInterval 30" \
  -o "ServerAliveCountMax 3" \
  -R 0.0.0.0:9000:localhost:22 \
  -i /home/ec2-user/.ssh/id_ed25519 \
  user@kcm.server.xyz

The reverse tunnel is now established between the Remote Server and the KCM Server.

To verify connectivity, you can now establish an SSH session from the KCM Server to the Remote Server over localhost on the port defined by the tunnel (in this case, port 9000).

From the KCM Server this can be tested using the command below:

ssh -i /path/to/key -p 9000 username@localhost

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

For this example, you can create a new connection which simply references the Hostname of host.docker.internal and the port of 9000.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

References

Several references and guides posted online contain helpful information about this configuration.

SSH tunnelling for fun and profit: AutosshEverything CLI

Selecting Interface for SSH Port ForwardingServer Fault

How to connect to the Docker host from inside a Docker container?Medium

Windows - OpenSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install OpenSSH Client and Server

Good news, Windows now comes with OpenSSH! However, it may not be installed by default. We recommend Installing both the OpenSSH Client and the OpenSSH Server.

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

OpenSSH can be found in "Optional Features" in Windows 10+ and Windows Server 2019+. You can install it from Settings > Apps > Optional Features > Add Feature > Open SSH Client / Server.

Microsoft's instructions for installing OpenSSH are here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

(2) Generate SSH Keys on the Remote Endpoint

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key in place.

Next, we will copy the public key file (.pub) from the windows endpoint to the KCM Server.

You can copy the .pub file using any method you choose

If you have outbound traffic allowed, you can use the following command in PowerShell as Administrator:

PS C:\Users\Administrator\.ssh> scp id_ed25519.pub user@kcm.server.xyz:~/.ssh/authorized_keys

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any prompt.

C:\Users\Administrator> ssh username@demo.kcmdemo.com

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the ssh tunnel

To create a persistent session, we will utilize a batch file with an ssh command, and the windows task scheduler. First, open notepad and copy in the following command:

ssh -fN -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 0.0.0.0:9000:localhost:3389 -i C:\path\to\.ssh\privkey user@kcm.server.xyz

Edit the command with the values that correspond to your path, desired port, and URL, and save the file as a .bat file.

Open Windows Task Scheduler, create a new task with a trigger set to "on startup" and an action to run the .bat file that you created.

(5) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse ssh tunnel method, you can move on to step 7

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

GatewayPorts clientspecified

Restart sshd

sudo service sshd restart

The reverse tunnel is now established between the Remote Server and the KCM Server.

(6) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(7) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

References

Several references and guides posted online contain helpful information about this configuration.

How to connect to the Docker host from inside a Docker container?Medium

AutoSSH as a Windows Service

Connecting to an environment without ingress connections

If you prefer to run autossh as a windows service, you can follow these steps.

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install Cygwin

On the remote endpoint, install Cygwin from . The direct download link is .

After it's installed, we will select both the openssh and the autossh packages to download and install.

Click Next > Install from Internet > All Users > Next > Next > Next > Choose any mirror > Next (as shown below).

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

(2) Generate SSH Keys on the Remote Endpoint

ssh-keygen -t ed25519

It will ask where you want to save the key, you can just press enter to take the default and continue.

This will create two files, a private key and a public key. Leave the private key in place. We will copy the public key from the target endpoint onto the KCM server.

Next, we will copy the public key file (.pub) from the windows endpoint to the KCM Server in ~/.ssh/authorized_keys.

You can transfer the .pub file by any method that you choose.

You can transfer the .pub file by any method that you choose. If you have outbound traffic allowed on the windows target endpoint, you can use the following command in the Cygwin Terminal:

cd .ssh
ssh-copy-id user@kcm.server.xyz

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server without any password prompt.

ssh username@kcm.server.xyz

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the persistent SSH tunnel

To create the persistent tunnel, enter the following two commands into the windows command prompt or PowerShell (not in the Cygwin Terminal):

Navigate to this directory

cd C:\cygwin64\bin

Choose any open port to use, in this example we use port 9000.

Use 9000 or any open port

cygrunsrv -I AutoSSH -p /usr/bin/autossh -a "-M 20000 -R 0.0.0.0:9000:localhost:3389 username@hostenameORipaddress" -e AUTOSSH_NTSERVICE=yes

(5) Configure the Windows Service

Open Services and look for the new service called "AutoSSH" and open it, but don't start it just yet.

We will set an automatic delayed start and logon by the Administrator account. These will help allow the service to start properly.

On the Log On tab, click browser and enter the administrator object name and click "Check Names". Make sure to put the password for the administrator account into both fields.

Now we are ready to start the AutoSSH Service (shown below).

Start the AutoSSH service and confirm that it is running.

(6) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse ssh tunnel method, you can move on to step 8

Edit the file /etc/ssh/sshd_config
Update the GatewayPorts line to this:

GatewayPorts clientspecified

Restart sshd

sudo service sshd restart

The reverse tunnel is now established between the Remote Server and the KCM Server.

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the docker environment for the change to take effect.

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up, and the docker container is able to access the reverse tunnel, you can now simply create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.