Connecting to SSH from behind an HTTP proxy


I'm behind a corporate network with an HTTP proxy. I also have an SSH server to reach on port 22. I don't have any kind of control over that server: I'm not root and even if I were I'm not allowed to install software or change configuration. The server listens on port 22, must be reached there and this cannot be changed ever.

If I configure XShell (but the same should apply to any other client) to use the corporate proxy I can't connect. Wiresharking it shows that the CONNECT method gets refused by the proxy because "that's not an SSL standard port".

I believe that the proxy blocks traffic to ports other than 80 and 443, without doing deep packet inspection or other esoteric tricks.

I have been linked an article about configuring HTTP proxy for SSH "when the proxy filters SSH protocol" but the problem is that it works for Linux and I have another problem with it (it doesn't detect network card, already asked here…).

The question is: how to bypass the proxy without installing software or changing configuration on the target machine?

I would also like to understand

  1. Since the proxy blocks port 22 instead of the SSH protocol by deep packet inspection, does the linked guide work when the server listens on port 22 and cannot be changed in any way, ever?
  2. Is there a way to make it work on Windows?
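The refusal described in the question is a decision on the CONNECT target's port alone, taken before any SSH bytes are exchanged. The sketch below is an added example, not part of the original question or answer, that models such a policy check; the allowlist `{443}`, the function names and the `example.org` hostnames are assumptions for illustration, not the configuration of the poster's proxy.

```python
# Added illustration (not from the original post): how a forward proxy that
# allowlists CONNECT by destination port decides, before any SSH bytes flow.
# ALLOWED_CONNECT_PORTS is an assumed policy; real proxies are configured per site.
ALLOWED_CONNECT_PORTS = {443}


def parse_authority(authority):
    """Split 'host:port' or '[v6]:port' from a CONNECT request target."""
    if authority.startswith("["):                 # bracketed IPv6 literal
        host, sep, rest = authority[1:].partition("]")
        if not sep or not rest.startswith(":"):
            raise ValueError("malformed IPv6 authority")
        port_text = rest[1:]
    else:
        host, sep, port_text = authority.rpartition(":")
        if not sep:
            raise ValueError("CONNECT target needs an explicit port")
    if not host or not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError("invalid host or port")
    return host, int(port_text)


def decide_connect(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (status_code, reason) the proxy would send for a request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return 400, "not a CONNECT request"
    try:
        host, port = parse_authority(parts[1])
    except ValueError as exc:
        return 400, str(exc)
    if port not in allowed_ports:
        # Decision is made on the port number alone: no payload is inspected.
        return 403, f"CONNECT to port {port} denied by policy"
    return 200, f"tunnel to {host}:{port} established"


if __name__ == "__main__":
    # Constructed request lines; hostnames are placeholders.
    for line in ("CONNECT ssh.example.org:22 HTTP/1.1",
                 "CONNECT www.example.org:443 HTTP/1.1",
                 "CONNECT [2001:db8::1]:22 HTTP/1.1"):
        print(line, "->", decide_connect(line))
```
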

Best Answer

For any corporate proxying issue I suggest proxytunnel (over corkscrew) because it makes the traffic completely indistinguishable from real HTTPS traffic, even if full packet-sniffing were to be used.

This solution requires an HTTPS server under your control (possibly on the same machine your SSH server is running) which the corporate proxy talks to.

The answer to your first question is: proxytunnel will work around your corporate proxy blocking except in the unlikely case they generally block your HTTPS server. Further docs are found here.

I use it with great success on a Linux machine. There appear to be docs and binaries for Windows around (2nd question):

If you are lucky in your situation, a simpler solution could also do the job. Together with corkscrew, just set up an intermediate SSH server somewhere which forwards a port with the blessing of your corporate proxy to port 22 of your target SSH server.