Collaborator SSH Access

Information about CAE's SSH gateway server

As a security measure, the College's network firewall prevents users outside of UW networks from connecting to most systems on College networks. While most users can access the network using a GlobalProtect VPN client, some outside collaborators may be unable to do so. To accommodate these users, the College provides an SSH proxy server.

Prerequisites

  • CAE Account Credentials
  • An SSH client which supports the ProxyJump feature
    • OpenSSH 7.5 or newer (recommended for Windows, macOS, and Linux)
    • Dropbear SSH Client 0.52 or newer
    • PuTTY 0.77 or newer

Connecting to a system behind a proxy

The SSH ProxyJump feature allows a connection to be forwarded through an intermediate server, such as CAE's SSH proxy, before reaching its destination. The general format for the command is as follows:

ssh -J proxy destination

Both the proxy and the destination accept an optional username in user@host notation.

Examples

Connecting to a system which does not use CAE usernames at the destination.

ssh -J bengineer@sshvpn.cae.wisc.edu remoteuser@my-instrument.cae.wisc.edu

Forwarding a local port (12345) to the web interface of an instrument behind the proxy.

ssh -L 12345:my-instrument.cae.wisc.edu:443 -N bengineer@sshvpn.cae.wisc.edu

NOTE: Using sshvpn to access systems located outside of the College of Engineering is not a supported use case! Similarly, sshvpn does not support remote port forwarding (the ssh -R option).

Configuring OpenSSH to use the proxy transparently

OpenSSH loads settings from a per-user client configuration file in the user's .ssh folder, typically $HOME/.ssh/config.

The various settings are enumerated in the ssh_config manual page, but the examples below show some helpful proxy-related configurations.

Examples

Shorten the name of the gateway to "sshvpn" and omit the username.

Host sshvpn
User bengineer
HostName sshvpn.cae.wisc.edu

Command:

ssh -J sshvpn bengineer@my-target-system.cae.wisc.edu

Connect to a data source without specifying the proxy server.

Host my-sftp-service.cae.wisc.edu
ProxyJump bengineer@sshvpn.cae.wisc.edu

Command:

ssh remoteuser@my-sftp-service.cae.wisc.edu

Shorten the names of the example services above and enable compression for all connections through the proxy.

Host sshvpn
User bengineer
Compression yes
HostName sshvpn.cae.wisc.edu

Host my-instrument
# LocalForward takes two arguments: the local port, then host:port
LocalForward 9000 my-instrument.cae.wisc.edu:443
ProxyJump sshvpn

Host my-sftp-service
User bengineer
HostName my-sftp-service.cae.wisc.edu
ProxyJump sshvpn

Commands:

ssh my-instrument

ssh my-sftp-service
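
An added example, not part of CAE's documentation or tooling: this Python script reads a client config like the ones above and reports host entries that would use sshvpn in the two ways the NOTE says are unsupported (remote forwarding, and destinations outside the College of Engineering). The .cae.wisc.edu suffix test is an assumption standing in for "inside the College", and the sample config, including its offsite host, is constructed.

```python
import fnmatch

PROXY = "sshvpn.cae.wisc.edu"     # gateway name from the page
ALLOWED_SUFFIX = ".cae.wisc.edu"  # assumption: stands in for "inside the College"

def effective(text, alias):
    """Options ssh applies to alias; the first value seen for a keyword wins."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatch(alias, p) for p in val.split())
        elif active:
            opts.setdefault(key, val)
    return opts

def audit(text):
    """Return (alias, problem) pairs for hosts that use sshvpn in an unsupported way."""
    names = {w for l in text.splitlines() if l.lower().split()[:1] == ["host"]
             for w in l.split()[1:] if not set("*?!") & set(w)}
    findings = []
    for alias in sorted(names):
        opts = effective(text, alias)
        target = opts.get("hostname", alias)
        hops = [h.split("@")[-1] for h in opts.get("proxyjump", "").split(",") if h]
        hops = [effective(text, h).get("hostname", h) for h in hops]
        if PROXY not in [target] + hops:
            continue  # this host never touches the gateway
        if "remoteforward" in opts:
            findings.append((alias, "RemoteForward is not supported through sshvpn"))
        # Unqualified names are resolved by the gateway, so only dotted names are judged.
        if "." in target and not target.endswith(ALLOWED_SUFFIX):
            findings.append((alias, f"{target} is outside {ALLOWED_SUFFIX}"))
    return findings
# Constructed sample config; "offsite" and build.example.org are hypothetical.
SAMPLE = """\
Host sshvpn
  HostName sshvpn.cae.wisc.edu
Host my-instrument
  HostName my-instrument.cae.wisc.edu
  ProxyJump sshvpn
Host offsite
  HostName build.example.org
  ProxyJump bengineer@sshvpn.cae.wisc.edu
  RemoteForward 8022 localhost:22
"""
```

Calling audit(SAMPLE) reports the offsite entry twice and leaves my-instrument and sshvpn alone. The parser handles whitespace-separated keywords only, not the Keyword=value form, Match blocks, or Include.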



Keywords: ssh jump proxyjump unix remote sshvpn
Doc ID: 161905
Owned by: Colin in CAE
Created: 2026-06-11
Updated: 2026-06-11
Sites: Computer-Aided Engineering