Description | The upgrade from Windows-based EMS to Linux-based EMS in v7.4 introduced the ability to install the hosting operating system without a graphical user interface (GUI), a configuration commonly referred to as a headless installation. In such cases, system administrators may need to access services, specifically web services, as if they were operating directly on the system. |
Scope | FortiClient EMS Linux. |
Solution |
One particular use case arises when an administrator inadvertently locks themselves out by deselecting the 'Remote HTTPS access' option under System Settings -> EMS Settings. Since a headless, text-based Linux server does not support any functional modern web browser, it is impossible to revert this change remotely through the GUI. A convenient solution is to use SSH tunneling with port forwarding to connect to the EMS local services remotely, as if communicating with EMS from its own local IP addresses.
Method 1: Standard SSH Client with Simple Port Forwarding. This method utilizes the standard OpenSSH Client available on Windows (cmd or PS), Linux, Mac OS, or even an OpenSSH client for Android:
ssh -L <LocalPort>:<EmsInternalIPaddress>:<DstPort> <EmsLinuxUsername>@<EmsServerIP> -p <SSHPort>
For example, with the values used in the explanation below:
ssh -L 9999:192.168.100.110:443 mzbz@11.22.33.44 -p 7422
The command establishes an SSH connection over port 7422 to 11.22.33.44 with the username 'mzbz'. Once the connection is established, all traffic sent to localhost:9999 is forwarded over the SSH connection to 192.168.100.110:443. The IP address 192.168.100.110 can be replaced with 127.0.0.1 so that connections are sourced on the EMS from its own localhost (as if opening https://localhost:443 in a desktop GUI browser on the remote server). The EMS web interface is then reachable by navigating to https://localhost:9999 in the local web browser. The request is forwarded over the SSH connection, and the response from either 192.168.100.110:443 or 127.0.0.1:443 is returned, depending on which form of the command was used.
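As an added example, not part of the Fortinet article, the shell script below wraps Method 1 so the forward can be opened in the background, checked from the client side, and torn down cleanly. It reuses the article's sample values (mzbz, 11.22.33.44, ports 7422/9999/443); the control socket path and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): Method 1 as a reusable script.
# Defaults are the article's sample values; override via environment variables.
EMS_USER="${EMS_USER:-mzbz}"               # Linux account on the EMS host
EMS_HOST="${EMS_HOST:-11.22.33.44}"        # EMS server address reachable over SSH
EMS_SSH_PORT="${EMS_SSH_PORT:-7422}"
LOCAL_PORT="${LOCAL_PORT:-9999}"           # port the browser opens on this machine
EMS_INTERNAL="${EMS_INTERNAL:-127.0.0.1}"  # or 192.168.100.110 to source from the LAN IP
EMS_WEB_PORT="${EMS_WEB_PORT:-443}"
CTL="${HOME}/.ssh/ems-tunnel.ctl"          # SSH control socket path (assumption)

# Accept only a numeric TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command implementing the article's template
#   ssh -L <LocalPort>:<EmsInternalIPaddress>:<DstPort> <User>@<Server> -p <SSHPort>
# with -f -N (background, no remote shell), -M -S (control socket for clean
# teardown) and ExitOnForwardFailure so a port clash is reported, not ignored.
ems_tunnel_cmd() {
  valid_port "$LOCAL_PORT" && valid_port "$EMS_WEB_PORT" && valid_port "$EMS_SSH_PORT" || return 1
  printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -L %s:%s:%s %s@%s -p %s\n' \
    "$CTL" "$LOCAL_PORT" "$EMS_INTERNAL" "$EMS_WEB_PORT" "$EMS_USER" "$EMS_HOST" "$EMS_SSH_PORT"
}

# Open the forward in the background.
ems_tunnel_up() { eval "$(ems_tunnel_cmd)"; }

# Client-side check: the EMS web interface should answer through the forward.
# -k is needed because the EMS certificate is not issued for "localhost".
ems_tunnel_check() {
  curl -sk -o /dev/null -w '%{http_code}\n' "https://localhost:${LOCAL_PORT}/"
}

# Close the background session via its control socket.
ems_tunnel_down() { ssh -S "$CTL" -O exit "${EMS_USER}@${EMS_HOST}"; }

# Usage (interactive): ems_tunnel_up && ems_tunnel_check; ems_tunnel_down
```

Pair the client-side check with the tcpdump filter from the end of the article on the EMS side to see the forwarded request arrive.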
Method 2: Dynamic Port Forwarding: SSH provides an option for dynamic port allocation, which creates a local SOCKS 4/4A/5 proxy on a local port. This proxy only supports TCP connections as the SSH protocol does not support forwarding UDP. This method requires special support from the client that connects to it. The advantage is that the destination address is obtained dynamically at runtime rather than being fixed in advance.
ssh -D localhost:36789 mzbz@11.22.33.44 -p 7422
This command creates a SOCKS proxy on the local system listening on port 36789 and proxies any traffic it receives over the SSH tunnel. This allows browsing the web using the SSH server's Internet connection, or accessing any resource available to the EMS server, from a remote location (jump server). A SOCKS client is required for this method. Mozilla Firefox has built-in SOCKS proxy support, but Chromium-based browsers use Windows' internal Internet Options settings.
PuTTY can also be used for this purpose on Windows. The tunnel options are available under Connection -> SSH -> Tunnels. Some SOCKS clients, such as the Firefox web browser, do not proxy destinations in 127.0.0.0/8 (the Internet host loopback range). Therefore, to reach the EMS localhost remotely, use local-to-remote port forwarding (Method 1).
To confirm that the forward is working, run tcpdump on the EMS side to monitor the traffic generated by the activity (when the forward targets 192.168.100.110 rather than 127.0.0.1, filter on that address instead):
sudo tcpdump -i any -nn host 127.0.0.1 and port 443
Copyright 2025 Fortinet, Inc. All Rights Reserved.