Tunnels
A Tunnel defines a listener within a Proxy Server, which is dedicated to accepting connections from Proxy Clients. It is a core component that enables secure communication across network zones where firewall restrictions would otherwise block direct access. Each Tunnel specifies:
- The network port on which it listens for inbound connections from Proxy Clients.
- A Private Key used to authenticate the USP Server during the SSH handshake with the USP Client.
Tunnels are later referenced by Deployments to enable access to Proxy Clients.
Before You Begin
Port
The Port defines the port on which the Tunnel listens for incoming connections.
- Must be a valid, unused port on the USP Server host.
- Ensure the port is not blocked by firewalls or reserved by another service.
USP Client and Tunnel Authentication
Connections between a USP Client and a USP Server's Tunnel use SSH public key authentication, which requires two complete key pairs, one for each side of the connection:
- A key pair for the USP Client
- A key pair for the USP Server (set within its Tunnel)
| Component | Private Key | Public Key |
|---|---|---|
| USP Client | Referenced in the USP Client's .hcl config (key parameter). | Uploaded in the USP Admin UI and USP REST API, and linked via the Proxy Client's Public Key. |
| USP Server | Uploaded in the USP Admin UI and USP REST API, and linked via the Tunnel's Private Key. | Referenced in the USP Client's .hcl configuration file (tunnel.host_key parameter). |
Additionally, the Name field of the Proxy Client must match the USP Client's name value (in its .hcl configuration file).
For more information on authentication between USP Clients and Tunnels, refer to Authentication Between USP Clients and Tunnels.
Multiple USP Client Connections
A single Tunnel can support multiple concurrent Proxy Client connections. For successful operation, each USP Client must:
- Have network access to the Tunnel's configured port.
- Reference the correct public key of the Tunnel using tunnel.host_key in the .hcl configuration file.
- Present a private key (using key in the .hcl configuration file) that corresponds to the Public Key assigned in its Proxy Client definition in USP Manager.
This model supports secure, scalable tunneling from multiple LAN-based clients to a centralized USP Server instance hosted in a DMZ.
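The key pairing described in the table above, and required of every USP Client in this section, can be checked before a client is connected. The following is an added example, not part of the USP product or its documentation: it uses the standard OpenSSH ssh-keygen tool to confirm that a private key file and a public key file belong to the same pair. It assumes the keys are in OpenSSH format (the page does not state the format), and all file names and function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check that a private key and a public key file
# form one SSH key pair. Assumes OpenSSH-format keys; paths are hypothetical.

# key_material FILE: print "<type> <base64-blob>" from a public key line,
# dropping the trailing comment so a comment never causes a false mismatch.
key_material() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# keys_match PRIVATE_KEY PUBLIC_KEY
# Returns 0 = same pair, 1 = different pair, 2 = a key could not be read.
keys_match() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    [ -r "$1" ] && [ -r "$2" ] || return 2
    # -y derives the public key from the private key. -P "" prevents a
    # passphrase prompt, so a protected key is reported as unreadable (2).
    derived=$(ssh-keygen -y -P "" -f "$1" 2>/dev/null |
        awk 'NF >= 2 { print $1, $2; exit }')
    given=$(key_material "$2")
    [ -n "$derived" ] && [ -n "$given" ] || return 2
    [ "$derived" = "$given" ]
}

# check_client CLIENT_PRIV PROXY_CLIENT_PUB TUNNEL_PRIV HOST_KEY_PUB
#   CLIENT_PRIV      file referenced by "key" in the client's .hcl
#   PROXY_CLIENT_PUB public key uploaded for the Proxy Client
#   TUNNEL_PRIV      private key linked as the Tunnel's Private Key
#   HOST_KEY_PUB     public key referenced by tunnel.host_key
check_client() {
    keys_match "$1" "$2" || { echo "client key pair mismatch"; return 1; }
    keys_match "$3" "$4" || { echo "tunnel host key mismatch"; return 1; }
    echo "ok"
}

# Run directly with four file arguments to check one client.
if [ "$#" -eq 4 ]; then
    check_client "$@"
fi
```

Run the check once per USP Client; the Tunnel pair is the same for every client that connects to that Tunnel, while the client pair differs.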
Tunnel Administration via USP Admin UI
Adding a Tunnel
To add a Tunnel, follow these steps:
- From the Sidebar, click Configuration > Proxy Servers.
- Click the Name of the Proxy Server to which you want to add the Tunnel.
- Go to the Tunnels tab.
- Click the Add Tunnel button.
- Complete the details for the new Tunnel using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Tunnel. | | Yes |
| Description | The description of the Tunnel. | | No |
| Port | The port number on which the Tunnel listens for incoming client connections. | | Yes |
| Private Key | The name of the Private Key used as the host key. | Must reference an already-created Private Key. | Yes |
Editing a Tunnel
To edit a Tunnel, follow these steps:
- From the Sidebar, click Configuration > Proxy Servers.
- Click the Name of the Proxy Server where the Tunnel is added.
- Go to the Tunnels tab.
- Click the Name of the Tunnel you want to edit.
- Click the Edit button.
- Edit the Tunnel's details using the Field Descriptions table as a guide.
- Click the Save button.
If you modify a Deployment that is currently associated with a USP Server instance, the updated configuration must be manually applied. To do this, follow these steps:
- Navigate to Monitoring > Status.
- Click the Name of the associated server.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
Additionally, if you edit the Tunnel's port, you also need to restart the Tunnel. To do this, continue with these steps:
- Go to the Live Tunnels tab.
- Click the [ ··· ] button.
- Click the Stop Tunnel button.
- Click the [ ··· ] button again.
- Click Start Tunnel.
The changes do not take effect on the USP Server instance until these steps are completed.
Tunnel Metadata
Tunnel details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this Tunnel. |
| Server ID | The ID of the Proxy Server where the Tunnel is added. |
| Created At | Date and time this Tunnel was created. |
| Updated At | Date and time this Tunnel was last updated. |
Deleting a Tunnel
To delete a Tunnel, follow these steps:
- From the Sidebar, click Configuration > Proxy Servers.
- Click the Name of the Proxy Server where the Tunnel is added.
- Go to the Tunnels tab.
- Click the Name of the Tunnel you want to delete.
- Click the Delete button above the Tunnel details.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of a Configuration Item if it is currently referenced by another item. Additionally, if the Configuration Item is in use by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.
Managing a Tunnel
After adding a Tunnel to a USP Server instance, you can monitor, start, and stop the Tunnel from the Status page. See Live Tunnels Tab for more information.