GlobalProtect VPN with SSH

NOTE: You do not need to be running GlobalProtect VPN to access SSH resources listed in your VPN access profile. When not running GlobalProtect, you will get an additional MFA prompt.

Permissions

Permission for remote SSH server access, with or without GlobalProtect, is handled centrally through your SSH/RDP access profile.

Only SSH entries allow SSH access.

VPN Account Details

In all cases, you have to set up your SSH client to use sshgw.essex.ac.uk as a jump host, as described in the sections below.


Terminal Access via OpenSSH

on Linux, macOS or Windows

Both Linux and macOS come with OpenSSH pre-installed, and you can also install OpenSSH on Windows 10 or newer. You only need to install the client, not the server.

Full Guidance

To connect to your allowed SSH servers with OpenSSH, open a terminal window on Linux or macOS, or a PowerShell window on Windows, then connect using the command below.

ssh -J mylogin@sshgw.essex.ac.uk mylogin@host.essex.ac.uk

(mylogin is your University user name [e.g. jb22007] and host is the host you wish to connect to).

Again, you may be prompted for your login name and password twice (once on the SSH gateway and once on your target host); however, this should be the only change you need to make. If you use an SSH keypair, this will be passed on by the SSH gateway to the destination.

Modify Default OpenSSH Config File

You can also modify your default OpenSSH configuration file ($HOME/.ssh/config) as shown below.

Host sshgw.essex.ac.uk ceres.essex.ac.uk unix4.essex.ac.uk
    ProxyJump none

Host *.essex.ac.uk
    ProxyJump sshgw.essex.ac.uk
    # change mylogin to your login name, e.g. jb22007
    User mylogin

After which, a simple…

This will work for any host to which you have access.
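
Why the order of the two Host blocks matters, as an added example (not code from the original page): OpenSSH uses the first value it obtains for each option, so the ProxyJump none block has to come before the wildcard block. The resolver below is a simplified model that handles only Host lines with glob patterns, and the config text is a constructed copy of the page's blocks with the mylogin placeholder left in.

```python
from fnmatch import fnmatchcase

# Constructed copy of the two Host blocks from the page (mylogin is the page's placeholder).
PAGE_CONFIG = """\
Host sshgw.essex.ac.uk ceres.essex.ac.uk unix4.essex.ac.uk
    ProxyJump none
Host *.essex.ac.uk
    ProxyJump sshgw.essex.ac.uk
    User mylogin
"""

def parse(text):
    """Return [(patterns, {option: value})] for each Host block, in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            # Within one block a repeated option also keeps its first value.
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks

def resolve(text, host):
    """Effective options for host: the first value obtained for each option wins."""
    effective = {}
    for patterns, options in parse(text):
        if any(fnmatchcase(host.lower(), p.lower()) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective

def jump_for(text, host):
    """Jump host used for host, or None when the connection is direct."""
    jump = resolve(text, host).get("proxyjump", "none")
    return None if jump.lower() == "none" else jump

def swap_blocks(text):
    """Same config with the wildcard block moved first (the mistake to avoid)."""
    head, sep, tail = text.partition("Host *.essex.ac.uk")
    return sep + tail + head

if __name__ == "__main__":
    for name in ("sshgw.essex.ac.uk", "ceres.essex.ac.uk", "host.essex.ac.uk"):
        print(name, "->", jump_for(PAGE_CONFIG, name) or "direct")
    print("swapped:", jump_for(swap_blocks(PAGE_CONFIG), "sshgw.essex.ac.uk"))
```

With the blocks swapped, the gateway itself is told to jump through sshgw.essex.ac.uk. On a real client, `ssh -G host.essex.ac.uk` prints the options OpenSSH resolves for that name without connecting.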

There is also an alternative which uses CA-signed SSH keys that will enable you to avoid the password prompt on the gateway and, if you configure it, on the target host. This will also work without running GlobalProtect, as it uses its own two-factor authentication (2FA).


Terminal Access via PuTTY

If you are already using PuTTY (version 0.77 or newer), you will need to modify the configuration under Connection -> Proxy and set the following:

  1. Proxy type to SSH

  2. Proxy hostname to sshgw.essex.ac.uk

  3. Port to 22

Remember to save your settings.

You may be prompted for your login name, password and Microsoft MFA code for sshgw and your login and password on your target host. However, this should be the only change you need to make. If you use an SSH keypair, this will be passed on by the SSH gateway to the destination.

We recommend using the OpenSSH client on Windows instead of PuTTY. You only need to install the client, not the server.

Full Guidance


Copying files using scp/sftp

Should you want to copy files between your local device and the remote server, the standard scp and sftp commands (or PuTTY equivalents) should work fine. Note that for M: drive remote access, please see instructions at https://universityofessex.atlassian.net/l/cp/PxxeKgR8.


Copying files using FileZilla

If you wish to copy files using the FileZilla GUI, you’ll need to make this a 2-stage process. First, in a local terminal window (use PowerShell or CMD on Windows), run

(modify host for the host you wish to connect to and mylogin for your login name).

This will prompt you for your password and, if it works, will look like it has merely hung. Note: if you are a PuTTY user, download plink.exe and use this in place of ssh.

Now in FileZilla, connect to sftp://127.0.0.1:2222 and you should then be able to transfer files.

When you have finished transferring your files, you can close FileZilla, then CTRL-C your ssh command.