SonicOS 7.0 DPI-SSL

Blocking of SSH X11 Forwarding

X11 Forwarding requires a valid SonicWall DPI-SSH license.

X is a popular window system for Unix workstations. Using X, a user can run remote X applications that open their windows on the user's local display (and vice versa, running local applications on remote displays). If the remote server is outside the firewall and the administrator has blocked remote connections, a user can still use SSH tunneling to get the X display on a local machine. A user can thus circumvent the application-based security policies on the firewall, thereby creating security risks.

As X protocol sessions between applications and X servers are not encrypted while being transmitted over a network, an X11 protocol connection can be routed through an SSH connection to provide security and stronger authentication. This feature is called X11 forwarding.

An SSH client requests X forwarding when it connects to an SSH server (assuming X forwarding is enabled in the client). If the server allows X forwarding for this connection, login proceeds normally, but the server takes some special steps behind the scenes. In addition to handling the terminal session, the server sets itself up as a proxy X server running on the remote machine and sets the DISPLAY environment variable in the remote shell to point to the proxy X display. If an X client program is run, it connects to the proxy. The proxy behaves just like a real X server, and in turn instructs the SSH client to behave as a proxy X client, connecting to the X server on the local machine. The SSH client and server then cooperate to pass X protocol information back and forth over the SSH pipe between the two X sessions, and the X client program appears on your screen just as if it had connected directly to your display.

DPI-SSH X11 forwarding supports these clients:

  • SSH client for Cygwin
  • PuTTY
  • SecureCRT
  • SSH on Ubuntu
  • SSH on CentOS

DPI-SSH X11 Forwarding supports the SSH servers on:

  • Fedora
  • Ubuntu

SSH X11 Forwarding supports both route mode and wire mode. For:

  • Wire mode, SSH X11 Forwarding is only supported in the secure (active DPI of inline traffic) mode.
  • Route mode, there is no limitation.

The maximum number of connections supported for SSH X11 Forwarding is the same as for DPI-SSH: 1000.
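The X forwarding request described above appears in the SSH connection protocol (RFC 4254) as an "x11-req" channel request from the client, followed by "x11" channel opens from the server. The following Python is an added example, not SonicWall code: it shows how an inspecting proxy could recognize both messages, assuming the SSH payloads have already been decrypted. The function names and sample messages are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90      # RFC 4254, section 5.1
SSH_MSG_CHANNEL_REQUEST = 98   # RFC 4254, section 5.4

def _string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def classify(payload):
    """Return 'x11-req', 'x11-open' or None for one decrypted SSH payload."""
    if not payload:
        return None
    try:
        if payload[0] == SSH_MSG_CHANNEL_REQUEST:
            # byte 98, uint32 recipient channel, string request name, ...
            name, _ = _string(payload, 5)
            return "x11-req" if name == b"x11-req" else None
        if payload[0] == SSH_MSG_CHANNEL_OPEN:
            # byte 90, string channel type, ...
            ctype, _ = _string(payload, 1)
            return "x11-open" if ctype == b"x11" else None
    except ValueError:
        return None  # malformed message: not classified here
    return None

def ssh_str(b):
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(b)) + b

# Constructed sample payloads (not captured traffic).
X11_REQ = (bytes([98]) + struct.pack(">I", 0) + ssh_str(b"x11-req") + b"\x01\x00"
           + ssh_str(b"MIT-MAGIC-COOKIE-1") + ssh_str(b"00" * 16) + struct.pack(">I", 0))
X11_OPEN = (bytes([90]) + ssh_str(b"x11") + struct.pack(">III", 3, 2**21, 2**15)
            + ssh_str(b"127.0.0.1") + struct.pack(">I", 51000))
SHELL_REQ = bytes([98]) + struct.pack(">I", 0) + ssh_str(b"shell") + b"\x01"
TRUNCATED = bytes([98]) + struct.pack(">I", 0) + b"\x00\x00"

def verdicts():
    return [classify(p) for p in (X11_REQ, X11_OPEN, SHELL_REQ, TRUNCATED)]

if __name__ == "__main__":
    print(verdicts())
```

Matching on the request name rather than on the DISPLAY value or TCP port is what lets the check work regardless of which display number the server's proxy picks.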
