A method and apparatus for managing network access to internal hosts protected by a firewall is provided. A user on an external host logs in into a firewall. Once the user has been authenticated to the firewall, a session is established for the user, and tunnel configuration is transmitted to the user's process on the external host. The tunnel configuration data indicates the configuration of at least one tunnel for connecting to at least one internal host protected by the firewall. When creating a socket for connecting to the internal host, the socket is configured based on the tunnel configuration data. Tunnel objects and tunnel socket objects may be specially configured to establish a connection in a way that takes advantage of the power and simplicity of the inheritance feature of object oriented software. Various tunnel classes are provided to configure tunnels in a variety of mariners.