chef clients behind firewall

Posted by tec on Server Fault
Published on 2011-06-29T16:12:07Z Indexed on 2011/06/29 16:24 UTC

I am currently learning about chef. What I understood so far:

  • I have to install chef-server on my own server or use the hosted chef.
  • I have to install chef-client on the servers that I want to manage, aka nodes (manually or using knife bootstrap).
  • I installed several chef tools on my own PC that I can use to manage the nodes, e.g. knife.

Now in my case the specialty is that the nodes are behind a firewall/load balancer/proxy. The nodes can access servers on the outside via NAT (HTTP works and I can configure chef-specific hosts to work as well). However, they can only be contacted from the outside via an SSH tunnel.

There is a lot of documentation about chef available, but I did not find an answer to these questions:

  1. When using knife, is it enough if I set up an SSH tunnel manually on my own PC, or does the chef server need to contact the nodes?
  2. When using knife, can I configure it to set up an SSH tunnel automatically?
  3. When using the chef server web UI, can I configure it to connect to the nodes via an SSH tunnel, or do I need a setup where I set up the tunnel myself, e.g. using monit? Is this even possible with hosted chef?
  4. Instead of using knife or the web ui: Can I issue the same management commands directly on the nodes using chef-client?
  5. What solution would you recommend?

Thanks a lot for taking the time to help and answer one or more of these related questions.

© Server Fault or respective owner