What is reverse tunneling

Last updated: 2024-06-21

Reverse tunneling is a method of securing communication between clients and servers that are behind a firewall. This technique enhances security and simplifies firewall management. When using a reverse tunnel, the server initiates a connection to the client. This tunnel connection is secured by a previously shared keyfile that contains an identity certificate. When established, the reverse tunnel allows bidirectional communication without opening inbound firewall ports.

Context

In Security Center SaaS, reverse tunneling is typically used to connect one or more remote Security Center systems to the Federation™ host in the cloud. Using a reverse tunnel simplifies the firewall management and configuration of Security Center Federation. By default, the tunnel uses outbound TCP 5500 to connect the remote site to the Federation host.

Note: If required, reverse tunneling can be used to connect Security Center SaaS to an external Federation host, such as a system on-premises, or Security Center SaaS Edition (Classic). For help setting up this configuration, contact the Genetec™ Technical Assistance Center (GTAC).

Regular Federation can be challenging to set up due to the number of ports required to connect the Federation host to the Security Center main server at the remote site. The following diagram shows the communication flow of a regular Federation, shown in blue, and a Federation over reverse tunnel, shown in purple.

In a regular Federation, the Federation host is the client that initiates a connection to the federated site, which acts as a server. This flow is reversed in a Federation over reverse tunnel.

An architecture diagram of a Federation™ host and a federated site showing how they connect through reverse tunneling.

To use reverse tunneling, you must create a Reverse Tunnel Server role on the Federation host and a Reverse Tunnel role at the remote site. Reverse tunneling works as follows:
  1. The Reverse Tunnel Server role generates a keyfile, which includes an identity certificate, network connectivity information, and a one-time use token.
  2. The Reverse Tunnel role accepts the keyfile to open the reverse tunnel.
  3. The Security Center Federation™ role connects to the federated site through the reverse tunnel.
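The three steps above as a constructed Python model added here (not Genetec's code): the cloud side only listens, the remote site dials outbound with the token from the keyfile, and once accepted the cloud side sends its requests down that same connection, so the remote site needs no inbound port. The JSON keyfile layout, the message format and the camera-count request are assumptions; the identity certificate is omitted.

```python
# Constructed model of the three-step handshake described above (not Genetec code):
# the cloud side only listens, the remote site dials OUTBOUND with the keyfile token,
# and once accepted the cloud side sends requests down that same connection.
import json, secrets, socket, threading

def make_keyfile(host, port):
    """Step 1: the server role issues connectivity info plus a one-time token
    (a real keyfile also carries the identity certificate, omitted here)."""
    return json.dumps({"host": host, "port": port, "token": secrets.token_hex(16)})

class TunnelServer:
    """Cloud side (Reverse Tunnel Server role): consumes each token on first use."""
    def __init__(self, keyfile, port=0):  # port 0 = any free port for the demo
        self.valid_tokens = {json.loads(keyfile)["token"]}
        self.sock = socket.create_server(("127.0.0.1", port))
        self.port = self.sock.getsockname()[1]

    def accept_once(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rwb", buffering=0) as f:
            token = f.readline().strip().decode()
            if token not in self.valid_tokens:  # unknown or replayed keyfile
                f.write(b"REJECT\n")
                return None
            self.valid_tokens.discard(token)  # one-time use
            f.write(b"ACCEPT\n")
            f.write(b"GET camera-count\n")  # step 3: host queries the site over the tunnel
            return f.readline().strip().decode()

def remote_site_connect(keyfile, port):
    """Step 2: the Reverse Tunnel role dials out, presents the token, then serves requests."""
    info = json.loads(keyfile)
    with socket.create_connection((info["host"], port)) as s, s.makefile("rwb", buffering=0) as f:
        f.write((info["token"] + "\n").encode())
        if f.readline().strip() != b"ACCEPT":
            return "rejected"
        request = f.readline().strip()
        f.write(b"12\n" if request == b"GET camera-count" else b"unknown\n")
        return "accepted"

def run_demo():
    """First use of the keyfile opens the tunnel; replaying the same keyfile is refused."""
    keyfile = make_keyfile("127.0.0.1", 5500)  # 5500 is the default named in the text
    server, served, dialed = TunnelServer(keyfile), [], []
    for _ in range(2):
        t = threading.Thread(target=lambda: served.append(server.accept_once()))
        t.start()
        dialed.append(remote_site_connect(keyfile, server.port))
        t.join()
    server.sock.close()
    return served, dialed  # (["12", None], ["accepted", "rejected"])
```

The second pass shows why the token is one-time: presenting the same keyfile again is refused, so a copied keyfile cannot open a second tunnel.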

Limitations and requirements

Reverse tunneling only supports TCP
The network segment used for tunneling between the remote site and the Federation host must support unicast TCP. After video reaches the cloud, the Best available transport protocol can be used.

Video streams must go through a redirector before and after the tunnel
The tunneling mechanism is only implemented at the level of video redirectors, and is transparent to the client application.