X11 Forwarding over SSH using X-Deep/32 and PuTTY

PC users may need access to graphical interfaces on remote Unix or Linux computers. Frequently, this is complicated by the need for security for the connection. One approach, when the PC runs some version of Microsoft Windows, is the use of X-Deep/32 and PuTTY to connect to the Unix/Linux host. This approach provides a secure, encrypted link and allows the graphical information to pass through firewalls using a feature called X11 forwarding.

This process is most easily done if the PC's network has a fixed IP address. It is still possible if the PC or its network use dynamic IP address (DHCP).

When to use this

Use this technique when you have a PC needing graphical access to a computer on another network and the network is accessed via the internet.

When not to use this

This technique is not necessary if the PC and the computer it wants to access are on the same private network.

This technique is not necessary if the PC and the computer it wants to access are both directly connected to the internet. (Although if PC has firewall software installed, the comments on opening port 6000 are appropriate.)

This technique is not necessary if the PC's network and the network of the computer it wants to access are connected with a Virtual Private Network (VPN). The VPN is a superior solution if multiple PCs at a location need access to one or more hosts at another location.

This technique is not necessary if the PC and the Host run VNC. How that connection is made is documented elsewhere on the web.

Our Example Situation

Let's start off with the most complex case. A PC is on a network. That network connects to the internet through a router/firewall that provides IP masquerading, also known as Network Address Translation (NAT). The Unix host is also on a private network using NAT.

I am taking the liberty of not using genuine IP addresses. The IP addresses shown have letters in them, which is not legitimate. I don't want someone trying to follow my examples too literally and messing with someone's public IP address. If you are not the network administrator for both private networks you will need the assistance of the network administrator(s).


The PC runs Microsoft Windows. To do the X11 forwarding, we install PuTTY and X-Deep/32. Both programs are free, as in no $$$. I recommend installing the Windows-style installer version of PuTTY from the Download page. PuTTY is an SSH client that encrypts information when connected to an SSH server. X-Deep/32 is an X-server that displays graphical information for an X-client. Note that X reverses the usual sense of client and server. The server is on the desktop; the client is remote. I will attempt to avoid confusion by speaking of PC and Host instead of client and server.

In our example the PC has address 192.168.1.xxx on the private network (Netmask


The Host runs Unix, or maybe Linux. It also uses X11 for the graphical interface (GUI) and has sshd installed and configured. The Host must have a static (fixed) IP address on its private network.

In our example the Host has IP address 192.168.4.zzz on the network (Netmask Note that both the PC and the Host are on private networks that cannot send IP traffic directly to each other. Each IP address on the internet must be unique to a device. However, there are thousands of computers that have the IP address 192.168.1.xxx but they cannot communicate directly with each other since the 192.168.?.? address-range is not routable over the internet. Note also that the address 192.168.1.xxx must be unique on the private network.

PC's Firewall

The PC's Firewall may be a PC that performs the router/firewall function with NAT enabled. More likely, it will be a router/firewall device (firewall appliance). Firewall appliances can be purchased for less than $100. They are sometimes called Cable or DSL Routers. Units are available from companies like D-Link, Linksys, SMC, and Netgear. There are also commercial grade units from companies like Cisco, SonicWALL, Netscreen, and Watchguard. This configurable device will have rules that tell what traffic is permitted from the WAN and where it is to go on the private network. The private network will be on the LAN side of the firewall. The internet connection will attach to the WAN side. Advanced units will have many capabilities not germane to this topic. These features might include virus detection, filtering objectionable web sites, and blocking certain users from connecting to the internet.

Host's Firewall

The Host's Firewall is more likely a commercial grade router/firewall. This is somewhat dependant on the number of users and servers on the Host's LAN and how complex the access rules need to be. The essential functions of providing NAT and setting rules for access and routing are similar to the PC's firewall.


Get PC Access to the Host Via SSH

The first step is getting the PC to where it can do an SSH connection to the Host.

The Host

The sshd daemon must be running on the Host before the PC can connect. Typically, the Host is set up so that sshd is started as part of the boot process. Usually a file in somewhere like /etc/rc2.d handles this.

Before starting sshd on the host, the sshd_config file must be set up. This file is usually in directory /etc/ssh. The defaults will often work. I recommend setting "PermitRootLogin no". Also, "X11Forwarding yes" although this may not be necessary. These notes apply to OpenSSH, an implementation of SSH found on many Unix and Linux computers.

If a port other than 22 is to be used for SSH make note of it, it will change how the Host Firewall is configured. (Destination Port in Port Forwarding will have to match this port number). The port is defined in sshd_config.

The PC user must have a valid login and password on Host.

The Host's Firewall

By default the Host's Firewall will likely not let SSH traffic pass to the Host. The firewall rules will need a rule to allow the data traffic through. In the Port Forwarding rules, create a rule that says: "allow TCP traffic received at the WAN interface on port 22, sent from the PC's firewall (Source is 4.4.4.aaa), and forward it to the Host (Destination is 192.168.4.zzz), using Destination Port 22."

In the event there are several Hosts on the network that PC wants to access, a second rule might say: "allow TCP traffic received on WAN port 222, sent from Source IP address 4.4.4.aaa, and forward it to the second host (say Destination 192.168.4.xyz), using Destination Port 22." Note that traffic from a Source IP/Port combination can only be routed to a single Destination IP/Port combination.

If the PC's Firewall uses a dynamic WAN IP address (DHCP), i.e. not a static (fixed) IP address, you can port forward by using Source IP Address However, be aware, this will allow anyone on the internet who can guess a user name and password to have access to Host.

The PC

The PC must have a static (fixed) IP address on its private network. If the PC is on a private network, the network administrator can give it an effective static IP by associating an IP address (192.168.1.xxx) from the DHCP pool with the the PC's MAC address in the DHCP server. This gives the effect of a static IP while the PC can still be set up to request an IP address via DHCP. If the PC is connected directly to the internet (no firewall), a DHCP address may work but will require that the Host's Firewall forward all traffic for port 22 to Host.

The PC must have PuTTY installed. Another SSH Client will work but you will need to configure based on hints here.

After installation, open PuTTY and configure a connection to the Host.

  1. Session: Put the IP address of the WAN side of the Host's Firewall into "Host Name (or IP address)". In our example, this would be "5.6.7.bbb".
  2. Session: Click "SSH" which should select 22 as the "Port".
  3. Keyboard: Click "Control-H" for "The Backspace key".
  4. SSH: Click "2" for "Preferred SSH protocol version:".
  5. Tunnels: Click "Enable X11 forwarding".
  6. Tunnels: Blank out "X display location".
  7. Session: Type a name for Host into "Saved Sessions". Example: "X-session on myhost".
  8. Sessions: Click the "Save" button.


To test, click the "Open" button on the PuTTY screen. If port forwarding is working and sshd is configured and working on Host, you will get a screen asking if you are willing to risk having been redirected to a spoof server. Click whichever button lets you proceed. At this point, if the stars are aligned, the gods are appeased, Murphy is distracted, and you've been leading a good life, you will get a login prompt from Host.

Log in to complete the test. You are now able to communicate securely between PC and Host.


X11 Forwarding


The login test put us in a character based shell, probably csh, sh, korn, or bash. We will want a script to start a graphical interface. The following could be put in $HOME/.profile (bash or sh) for the login account:

echo "\n\nX-server connection? \c"; read X11RESP
if [ "$X11RESP" = "y" ]
export DISPLAY
startx -t &

If there is a value in $SSH_CONNECTION, the following should work:

echo "\n\nX-server connection? \c"; read X11RESP
if [ "$X11RESP" = "y" ]
DISPLAY=`echo $SSH_CONNECTION | cut -d" " -f1` # Source IP address
DISPLAY=$DISPLAY:0 # append display number
export DISPLAY
startx -t & # start X11, will time out if no connection

This will ask if you want a graphical screen then start it. This logic assumes that startx has already been started through a mechanism like /etc/inittab or /etc/rc2.d for session on the Host console.

Host's Firewall

The PC will send out UDP to port 177 that Host needs to receive to make XDMCP work. Host's Firewall needs to let these through and route them to Host. The firewall rules will need a rule to allow the data traffic through. In the Port Forwarding rules, create a rule that says: "allow UDP traffic from the PC's firewall (Source is 4.4.4.aaa), that is sent to Source Port 177 to be forwarded to the Host (Destination is 192.168.4.zzz), Destination Port 177."

Should PC need to access other hosts on the Host's private network another rule might allow UDP traffic from the PC's firewall (Source is 4.4.4.aaa), that is sent to Source Port 1177 to be forwarded to the other host (Destination is 192.168.4.xyz), Destination Port 177.

PC's Firewall

The Host will try to send back packets to PC using port 6000. These need to be routed through PC's Firewall. On the PC's Firewall create a port forwarding rule that allows TCP traffic from Host's Firewall (Source IP address 5.6.7.bbb) sent to Port 6000 to go to PC (Destination IP address 192.168.1.yyy, Destination Port 6000.

Note that if there are multiple PCs on the PC's private network that want access to Host, each must have a unique screen Display Number (see X-Deep/32). Each must have a rule on the PC's Firewall forwarding (Display Number + 6000) to the private IP address of the PC. The DISPLAY value at the login must have the Display Number after the colon.

Further, each must have a rule on Host's Firewall forwarding a unique UDP port number to port 177 on Host. Each must have a matching UDP port number in the X-Deep/32 XDMCP UDP Port parameter.


Once X-Deep/32 is installed on the PC, it must be configured to connect to Host. The X-Server Menu option gives access to X-Server Options. Within X-Server Options are seven tabbed screens. Set values as follows:

  1. Miscellaneous: Display Number 0 (Use other values if multiple PCs access Host. Each PC on the PC's private network must have a unique Display Number.)
  2. XDMCP: Check "X-Deep/32 Local XDM Chooser"
  3. XDMCP: Click "Local XDM Chooser" (this opens XDM Chooser Host List)
  4. XDM Chooser Host List: put the WAN IP address of the Host's Firewall (5.6.7.bbb) in the text box then click "Add Host".
  5. XDM Chooser Host List:: Uncheck "Use Broadcast Address"
  6. XDM Chooser Host List:: Click "Okay"
  7. XDMCP: XDMCP UDP Port 177 (use other values if multple PCs access Host)
  8. Click "Apply" and restart when asked.

You should now be completely configured for the PC to access the Host. It is best to start X-Deep/32, then start PuTTY and after logging into Host, run "startx -t &".

If connection does not occur, try configuring X-Deep/32 as follows:

  1. XDMCP: Check "XDMCP by Query Host"
  2. Put the WAN IP address for the Host's Firewall (5.6.7.bbb) in "XDMCP Hostname or IP address"
  3. Click "Apply" and restart when asked

This configuration may have to be run successfully once before the XDM Chooser logic will work.


This discussion used a variety of technical terms. Definitions may be found at http://www.instantweb.com/foldoc/ or at http://www.techweb.com/encyclopedia/ or by searching the web.

DHCP - Dynamic Host Configuration Protocol - under DHCP, devices on a network do not have static (fixed) IP addresses. Devices are given an IP address by a DHCP server. This technique simplifies the life of a network administrator. A Microsoft Windows PC uses DHCP if it has "Obtain an IP address automatically" checked in the TCP/IP Properties for its Network Interface Card.

GUI - Graphical User Interface - software that places non-character data (pictures and windows) on the screen. It also handles mouse and keyboard input.

LAN - Local Area Network - the network that connects computers within an establishment or campus. Typically, there is a substantial degree of trust amongst the LAN computers and they are protected from un-trusted computers by the firewall.

NAT - Network Address Translation - a service provided by a router for network traffic bound for the internet. The service transforms the return-address of the data packets to the IP address of the router's external IP address. Traffic sent back to the router from the internet is routed to the correct private IP address.

Private IP Address - an address used on a local network. These addresses cannot be reached directly over the internet because the routers on the internet cannot route them. The common private addresses are 192.168.?.? and 10.?.?.? with most organizations using the former. These may also be called Non-routable addresses.

SSH - Secure Shell - a software standard for authenticating users and transferring data in encrypted format. SSH has a client component and a server component.

VNC - Virtual Network Control - a client/server software solution that lets one computer see and take control of another computer. VNC is open-source software very similar to pcANYWHERE.

WAN - Wide Area Network - the network that connects other networks, typically the internet.

X11 forwarding - the process of connecting two computers with a secure telnet-like connection then passing X11 (graphical interface) information over the connection.

XDMCP - X Display Manager Control Protocol - facilitates the connection between X-servers and hosts.

This document is intended to be informative. The author assumes no liability for your use of the information herein. The document was developed as a result of the author's frustrations attempting to connect to a remote SCO Unix host. Hopefully, my experience, as documented here, can help others achieve results more readily.

Praise, criticism, corrections, suggestions, and questions may be directed to: frank (at) dragonwall (dot) net.

The following lines are included for the benefit of search engines.

Thanks to Simon Tathum for PuTTY. Thanks to Pradeep Nambiar for X-Deep/32. Individuals still make a difference.