Working From Home? How to access cryoSPARC remotely

March 16, 2020

Introduction

In light of the growing number of users working remotely due to COVID-19, we have summarized below how you can securely access your cryoSPARC instance from home. Please note that for some institution-specific questions such as how to access the institution's VPN, or other security-related questions, you may need to contact your IT department.

Typical Network Topology

By default, cryoSPARC user interface pages are served by a web server running on the same "master" machine where cryoSPARC is installed, at port 39000. This web server is responsible for displaying datasets, experiments, streaming real time results, user accounts, updating, etc.

You connect to this server normally from within your institution network by using your browser and pointing to the correct URL. For example, say you work at an institution with domain myuniversity.com. If you have installed the cryoSPARC master application on a machine that has a hostname of cryoemhpc, on your local network you can usually access this as http://cryoemhpc:39000 or http://cryoemhpc.myuniversity.com:39000

If you are physically using the same machine as the master node to interact with the cryoSPARC interface, you can connect to it as: http://localhost:39000

A cryoSPARC job's stream log showing particles being cached on an SSD.

When you are working from a remote network, you will usually not have direct access to the master node to use cryoSPARC as you usually would.

Often, the master cryoSPARC server may be behind a firewall, within a local network (LAN) at your institution. Only other machines that are on the same local network can connect to the master server at port 39000.

VPN Access

Most institutions offer Virtual Private Network (VPN) capability which can allow you to connect to the institution's local network as if you are physically present at the office. There are different types of VPN connections, but most will allow you, once logged in, to connect to the cryoSPARC master server as you usually would, using your browser.

In some cases, your VPN may only allow certain types of connections, or your institution may allow for access over only some secure ports to your cryoSPARC master server, without a VPN log in. In both of these cases, if you are able to find a way to connect to your cryoSPARC master server using SSH, it is still possible to use cryoSPARC, even if you cannot connect to port 39000 as you usually would.

SSH Access and Tunnelling

When you want to access cryoSPARC from home or elsewhere to be able to run jobs and view results, it can be convenient to connect to the web server via an SSH tunnel. SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection.

SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. Source: SSH Tunnel

A cryoSPARC job's stream log showing particles being cached on an SSD.

Please note that you may need to use a Virtual Private Network (VPN) client to connect to your institution's VPN in order to access the local network.

SSH Port Forwarding on a *nix system

When you can connect to the compute node with a single SSH command

If you can use SSH to connect to the cryoSPARC master instance, you can run an SSH command to forward the port of your remote instance to your local machine.

  1. Start an SSH tunnel to expose a port (by default, 39000) from your master node to your local machine.

    ssh -N -f -L localhost:39000:localhost:39000 remote_hostname
    
    Note: the -f flag tells ssh to run in the background, so you can close the terminal window after running this command, and the tunnel will stay open.
    Note: You can set up password-less SSH access so you don't have to specify a username and password every time you try to SSH to a known server. See Appendix A for more details.

  2. Now, open your browser (Chrome) on your local machine and navigate to http://localhost:39000. You should be presented with the cryoSPARC login page.

    A cryoSPARC job's stream log showing particles being cached on an SSD.

When you have to SSH through multiple servers to reach your cryoSPARC compute node

If your cryoSPARC instance is running on a server that is only accessible via another server (e.g., an SSH server, or a cluster edge node), you will have to run an SSH command that forwards the port through multiple machines.

  1. Set up a multi-hop connection from your local host to the remote host. To do this, open the file ~/.ssh/config (or create it if it doesn't exist) and add the following lines:

    Host *
            ServerAliveCountMax 4
            ServerAliveInterval 15
    
    Host local_name_for_remote_host
            HostName remote_hostname
            User remote_username
            ProxyCommand ssh -q ssh_username@ssh_server -W %h:%p
    

    a) Replace local_name_for_remote_host with a short name you will use to refer to the remote compute node.

    b) Replace remote_username & remote_hostname with the actual user/hostname of the compute node that you would use to connect to it from the ssh server.

    c) Replace ssh_username and ssh_server with the user/hostname of the ssh server.

    d) Save the file.


  2. Start an SSH tunnel to expose port 39000 from your compute node to your local machine.

    ssh -N -f -L localhost:39000:localhost:39000 local_name_for_remote_host
    
    Note: the -f flag tells ssh to run in the background, so you can close the terminal window after running this command, and the tunnel will stay open.
    Note: You can set up password-less SSH access so you don't have to specify a username and password every time you try to SSH to a known server. See Appendix A for more details.

  3. Now, open your browser (Chrome) and navigate to http://localhost:39000. You should be presented with the cryoSPARC login page.

Windows Users: Using Putty to forward a port over SSH

If you're using Windows, you can still take advantage of SSH Tunneling by using an SSH client like Putty. See here for instructions on how to set up SSH Tunneling using Putty

Appendix

Appendix A: Setting up password-less SSH access to a remote workstation

Set up SSH keys for password-less access (only if you currently need to enter your password each time you ssh into the compute node).

  1. If you do not already have SSH keys generated on your local machine, use ssh-keygen to do so. Open a terminal prompt on your local machine, and enter:

    ssh-keygen -t rsa -N "" -f $HOME/.ssh/id_rsa
    

    Note: this will create an RSA key-pair with no passphrase in the default location.


  2. Copy the RSA public key to the remote compute node for password-less login:

    ssh-copy-id remote_username@remote_hostname
    

    Note: remote_username and remote_hostname are your username and the hostname that you use to SSH into your compute node. This step will ask for your password.

This website uses cookies to ensure you get the best experience. To learn more, please refer to our Privacy Policy