# Pomerium Desktop and CLI Clients
Pomerium is capable of creating secure connections to services like SSH, Redis, and more by creating a TCP tunnel to the service with a local client. This article describes configuring a route to accept TCP connections, and using either the CLI or GUI client to connect to it.
# Create a TCP Route
Specify this new Route as a TCP Route by prefixing
tcp+in the From field, along with a port suffix.
The port is not used to connect to the Pomerium Proxy service from the internet; this will always be port 443 (unless otherwise defined in
config.yaml). Rather, the port defined in From is part of the mapping to the individual route. In this way, you can create multiple routes that share a DNS entry, differentiated by the port to determine which route they use.
For example, suppose we have a server called
augurrunning behind Pomerium that has a MySQL server and also listens for SSH connections. We can create routes for
The To field uses
tcp://as a protocol, and specifies the address and port the service listens on.
The example below demonstrates a route to the SSH service on the host running the Pomerium Core or Pomerium Enterprise service:
See the "Configure Routes" section of TCP Support for more detailed information on TCP routes.
# TCP Client Software
You can connect to this route with either the Pomerium CLI or Pomerium Desktop client.
For more examples and detailed usage information, see TCP Support
# Advanced Configuration
If Pomerium is listening on a port other than
443 (set with the
address key), the
pomerium-url flag (CLI) or "Alternate Pomerium URL" field (GUI) is required. This specifies the address and port for the client to communicate over, while the standard URL defines the port assignment for the specific route. For example:
pomerium-cli tcp ssh.localhost:pomerium.io:2222 \ --pomerium-url https://ssh.localhost.pomerium.io:8443 \ --listen :2222