Remote Workers and Cradle – Connecting with SSH Tunnels

Your company is using Cradle, but you’re a remote worker – how do you connect to the Cradle server?

If you have the Cradle client utilities installed locally without a local CDS then one method, if you have an externally accessible Linux/Unix system is SSH tunnels.

To use SSH tunnels you need to “lock down” the Cradle server to use specific ports, so they’re not randomly allocated from a wide pool.  You can do this in the $CRADLEHOME/admin/ports file.

Make a note of the internal IP address of the Cradle server – we’ll use CDS_IPADDR later in this post to reference this address. (In this test environment it is 192.168.11.168)

Cradle Configuration Changes

As an example of a small Cradle system with 6 users we can configure the ports file as such. (We’re setting ports for each possible user and an extra)

CDS_UDP_PORT_NUMBER = 23960
TOOL_UDP_PORT_NUMBER = 23961
PRJMAN_UDP_PORT_NUMBER = 23962

CDS_TCP_TOOL_PORT_NUMBER   = 16161
CDS_TCP_PRJMAN_PORT_NUMBER = 16162
UTILITIES_TCP_PORT_NUMBER   = 16163-16169
WBENCH_TCP_PORT_NUMBER      = 16170-16176
CWS_TCP_PORT_NUMBER         = 21211-21217
PRJMAN_TCP_PORT_NUMBER      = 16177

This ports file needs to be copied to all the clients using this CDS.

Putty Configuration Changes

Now we can look at configuring the SSH tunnels. To do this we’ll be using PuTTY – probably the most popular Windows SSH client.

First off, click on the Category Session and enter the hostname or IP of the externally accessible box in the Host Name field.
Now expand the category SSH and click on Tunnels.
For each of the ports configured in Cradle we need to add an entry.
So, for the first one:
Source port  23960
Destination CDS_IPADDR:23960
You can leave the radio buttons alone (set to Local & Auto)
Now click the Add button.

In the Forwarded Ports box you should now have an entry similar to:
L23960     192.168.11.168:23960

Repeat this for all the other ports and we end up with a Forwarded ports section which looks like (if you scroll up and down):

Cradle Putty Tunnel Settings

L23960 192.168.11.168:23960
L23961 192.168.11.168:23961
L23962 192.168.11.168:23962
L16161 192.168.11.168:16161
L16162 192.168.11.168:16162
L16163 192.168.11.168:16163
L16164 192.168.11.168:16164
L16165 192.168.11.168:16165
L16166 192.168.11.168:16166
L16167 192.168.11.168:16167
L16168 192.168.11.168:16168
L16169 192.168.11.168:16169
L16170 192.168.11.168:16170
L16171 192.168.11.168:16171
L16172 192.168.11.168:16172
L16173 192.168.11.168:16173
L16174 192.168.11.168:16174
L16175 192.168.11.168:16175
L16176 192.168.11.168:16176
L16177 192.168.11.168:16177

Click back on the category Session, then add a name to the Saved Sessions and click on Save – so we don’t have to do this again.

If you now click on Open and login to the Linux host.
You can now use your local Cradle client with it pointed to the CDS as being on your local IP.

While you have this SSH session active, you will be able to access the CDS over the SSH tunnels.

Remote Workers and Cradle – Network Address Translation

Your company is using Cradle, but you’re a remote worker – how do you connect to the Cradle Database Server (CDS)?

With Network Address Translation – the IT administrator, where the CDS is located, can modify their firewall to redirect specific external ports to a local server.

Make a note of the internal IP address of the CDS – we’ll use CDS_IPADDR later in this post to reference this address. (In this test environment it is 192.168.11.168).

Cradle Configuration Changes

As an example of a small Cradle system with 6 users, we can configure the ports file as such.  We’re setting ports for each possible user (6) and an extra – so thats 7 ports in each range. To make it easier setting the firewall rules – so we have less rules to setup, we’ve got all the ports in UDP and TCP specific consecutive blocks, which is different to how we have them in the Cradle Help – https://www.threesl.com/cradle/help/

CDS_UDP_PORT_NUMBER = 23960
TOOL_UDP_PORT_NUMBER = 23961
PRJMAN_UDP_PORT_NUMBER = 23962

CDS_TCP_TOOL_PORT_NUMBER   = 16161
CDS_TCP_PRJMAN_PORT_NUMBER = 16162
UTILITIES_TCP_PORT_NUMBER   = 16163-16169
WBENCH_TCP_PORT_NUMBER      = 16170-16176
PRJMAN_TCP_PORT_NUMBER      = 16177

This ports file needs to be copied to all the clients using this CDS.

Firewall Config Changes

The IT administrator can now edit their firewall rules to redirect the external IP ports to the internal CDS.  As part of these rules they can set it so that only specific remote IP addresses are permitted to access these redirected ports.

I’m using pfSense as the example firewall in this case, and adding separate rules for each Cradle Port.
pfSense Cradle NAT Rules

Through the application of Network Address Translation, the remote worker now uses their locally installed Cradle client installation and talks to the Cradle Database Server, as if it is on the Cradle site’s external IP address – which they need to configure as their CRADLE_CDS_HOST address.

Article Updated

28/06/2021 – Use of port ranges in firewall rules.