diff --git a/ccp/vars b/ccp/vars
index 0900914..cdc6877 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -29,4 +29,12 @@ done
 idManagementSetup
 mtbaSetup
 obds2fhirRestSetup
-blazeSecondarySetup
\ No newline at end of file
+blazeSecondarySetup
+
+for module in modules/*.sh
+do
+ log DEBUG "sourcing $module"
+ source $module
+done
+
+transfairSetup
\ No newline at end of file
diff --git a/lib/functions.sh b/lib/functions.sh
index 44b000c..a11920b 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -334,6 +334,19 @@ function secret_sync_gitlab_token() {
 ;;
 esac
 
+ if [ "$PROJECT" == "bbmri" ]; then
+ # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
+ proxy_id=$ERIC_PROXY_ID
+ broker_url=$ERIC_BROKER_URL
+ broker_id=$ERIC_BROKER_ID
+ root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
+ else
+ proxy_id=$PROXY_ID
+ broker_url=$BROKER_URL
+ broker_id=$BROKER_ID
+ root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
+ fi
+
 # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
 # If it is missing or expired, Secret Sync will create a new token and write it to the file.
 # The git credential helper reads the token from the file during git pull.
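Review bot: `source $module` in the new loop is unquoted and the glob has no nullglob guard, so an empty `modules/` directory makes the loop source the literal string `modules/*.sh` and abort the setup; `[ -e "$module" ] || continue` before the `log` line and `source "$module"` fix both. The loop sources every `.sh` file in that directory, in alphabetical order and unconditionally, so the directory's contents are now part of what executes during setup and `transfairSetup` depends on transfair-setup.sh having been among them; a one-line comment above the loop, `# every modules/*.sh is sourced here; transfairSetup below comes from transfair-setup.sh`, makes that dependency visible.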
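Review bot: `root_crt_file` is built from `${ERIC_ROOT_CERT}` and `$PROJECT` but never checked for existence before the next hunk hands it to `docker run -v`; when a host path given to `-v` does not exist Docker creates an empty directory there, so a misnamed or missing certificate becomes a directory mounted at `/run/secrets/root.crt.pem` and the failure only surfaces as a TLS error inside secret-sync. A guard directly after the added `fi`, `[ -f "$root_crt_file" ] || { echo "root certificate not found: $root_crt_file" >&2; return 1; }`, fails at the cause instead. In the following hunk `$root_crt_file`, `$proxy_id`, `$broker_url` and `$broker_id` are expanded unquoted in the `docker run` arguments; quoting them would match the `"$PROJECT"` test added here. secret_sync_gitlab_token begins and ends outside this hunk.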
@@ -344,14 +357,14 @@ function secret_sync_gitlab_token() {
 docker run --rm \
 -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v $root_crt_file:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e NO_PROXY=localhost,127.0.0.1 \
 -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
- -e PROXY_ID=$PROXY_ID \
- -e BROKER_URL=$BROKER_URL \
- -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
+ -e PROXY_ID=$proxy_id \
+ -e BROKER_URL=$broker_url \
+ -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
 -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
 docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 if [ $? -eq 0 ]; then
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 38c3874..915e380 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -41,6 +41,14 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
 add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 
+if [ -z "$TRANSFAIR_AUTH" ]; then
+ if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
+ log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
+ generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+ add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
+ fi
+fi
+
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
 lib/systemd/bridgehead\@.service \
diff --git a/modules/ssh-tunnel-compose.yml b/modules/ssh-tunnel-compose.yml
new file mode 100644
index 0000000..5ca9989
--- /dev/null
+++ b/modules/ssh-tunnel-compose.yml
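Review bot: The inner condition `[[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]` duplicates the enabling test in transfairSetup (modules/transfair-setup.sh), and this block is the only place that generates `TRANSFAIR_AUTH`, which transfair-compose.yml feeds into the `transfair-auth` basicauth middleware; if the two conditions drift apart, or transfair is switched on in the configuration after installation, the new routers are attached to a middleware with an empty users list, and how Traefik treats that should be verified rather than relied on. The setup side should fail closed: in transfairSetup, right after `OVERRIDE+=" -f ./modules/transfair-compose.yml"`, `[ -n "$TRANSFAIR_AUTH" ] || { echo "TRANSFAIR_AUTH is empty; refusing to expose transfair without basic auth" >&2; return 1; }`. A comment on the inner `if` here, `# keep in sync with the enabling condition in modules/transfair-setup.sh`, makes the coupling visible. `$generated_passwd` and `$PROJECT` are unquoted on the `add_basic_auth_user` line, mirroring the nngm line above it; the generated value contains no whitespace, so this is style rather than a defect.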
@@ -0,0 +1,17 @@
+version: "3.7"
+
+services:
+ ssh-tunnel:
+ image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel
+ container_name: bridgehead-ccp-ssh-tunnel
+ environment:
+ SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
+ SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
+ SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
+ volumes:
+ - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
+ secrets:
+ - privkey
+secrets:
+ privkey:
+ file: /etc/bridgehead/pki/ssh-tunnel.priv.pem
diff --git a/modules/ssh-tunnel-setup.sh b/modules/ssh-tunnel-setup.sh
new file mode 100644
index 0000000..eb49f1c
--- /dev/null
+++ b/modules/ssh-tunnel-setup.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "$ENABLE_SSH_TUNNEL" ]; then
+ log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
+ OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+fi
diff --git a/modules/ssh-tunnel.md b/modules/ssh-tunnel.md
new file mode 100644
index 0000000..4240b19
--- /dev/null
+++ b/modules/ssh-tunnel.md
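Review bot: `container_name: bridgehead-ccp-ssh-tunnel` hard-codes one project name in a file placed in the top-level `modules/` directory, while the sibling transfair-compose.yml uses `${PROJECT}` for project-specific values; `container_name: bridgehead-${PROJECT}-ssh-tunnel` keeps the two consistent and avoids a name clash should another project ever source this module. Passing the private key as a compose secret and mounting the tunnel config read-only is the right shape; nothing here checks the key file's permissions, so a comment on the `privkey:` entry, `# must be readable by the user running compose and not world-readable`, records the expectation the README does not state.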
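Review bot: The override path `./$PROJECT/modules/ssh-tunnel-compose.yml` does not match where this commit adds the compose file (`modules/ssh-tunnel-compose.yml`), and transfair-setup.sh in the same tree uses `./modules/transfair-compose.yml`; unless `$PROJECT/modules` resolves to the top-level directory, `docker compose -f` will not find the file, so `OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"` looks like the intended line. The check also runs at source time rather than inside a function like `transfairSetup`, so the caller in ccp/vars cannot order it relative to the other setup steps; wrapping the body in `function sshTunnelSetup()` and calling it after the source loop would match the existing modules. Note that `-n "$ENABLE_SSH_TUNNEL"` treats any value, including `false`, as enabled, while the README only says the variable is required; either document that or compare against a specific value.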
@@ -0,0 +1,19 @@
+# SSH Tunnel Module
+
+This module enables SSH tunneling capabilities for the Bridgehead installation.
+The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns.
+To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container.
+
+## Configuration Variables
+
+- `ENABLE_SSH_TUNNEL`: Required to enable the module
+- `SSH_TUNNEL_USERNAME`: Username for SSH connection
+- `SSH_TUNNEL_HOST`: Target host for SSH tunnel
+- `SSH_TUNNEL_PORT`: SSH port (defaults to 22)
+
+## Configuration Files
+
+The module requires the following files to be present:
+
+- `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration).
+- `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!**
\ No newline at end of file
diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml
index 4ee2ff9..81ef952 100644
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -5,8 +5,12 @@ services:
 container_name: bridgehead-transfair
 environment:
 # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
- - INSTITUTE_TTP_URL
- - INSTITUTE_TTP_API_KEY
+ - TTP_URL
+ - TTP_ML_API_KEY
+ - TTP_GW_SOURCE
+ - TTP_GW_DOMAIN
+ - TTP_TYPE
+ - TTP_AUTH
 - PROJECT_ID_SYSTEM
 - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
 - FHIR_INPUT_URL=${FHIR_INPUT_URL}
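Review bot: The `# NOTE: Those 3 variables ...` comment directly above the new entries no longer matches them: the list now holds six `TTP_*` names, and `TTP_AUTH` and `TTP_ML_API_KEY` are credentials rather than URLs. Something like `# NOTE: pass the TTP_* variables only when set, otherwise transfair complains about empty url values; TTP_AUTH and TTP_ML_API_KEY are secrets` keeps it accurate. Replacing `INSTITUTE_TTP_URL` and `INSTITUTE_TTP_API_KEY` with the new names (also in the transfair-setup.sh hunk) leaves existing configurations that still set the old names without any warning — transfair simply stops being enabled; a deprecation check in transfairSetup, `if [ -n "$INSTITUTE_TTP_URL" ]; then log INFO "INSTITUTE_TTP_URL is deprecated, set TTP_URL instead"; fi`, surfaces this at startup.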
@@ -21,6 +25,17 @@ services:
 volumes:
 - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair"
+ - "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth"
+ - "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)"
+ - "traefik.http.services.transfair.loadbalancer.server.port=8080"
+ - "traefik.http.routers.transfair.tls=true"
+
+ traefik:
+ labels:
+ - "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}"
 
 transfair-input-blaze:
 image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -34,6 +49,13 @@ services:
 volumes:
 - "transfair-input-blaze-data:/app/data"
 profiles: ["transfair-input-blaze"]
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)"
+ - "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery"
+ - "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080"
+ - "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth"
+ - "traefik.http.routers.transfair-input-blaze.tls=true"
 
 transfair-request-blaze:
 image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -47,6 +69,13 @@ services:
 volumes:
 - "transfair-request-blaze-data:/app/data"
 profiles: ["transfair-request-blaze"]
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)"
+ - "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests"
+ - "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080"
+ - "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth"
+ - "traefik.http.routers.transfair-request-blaze.tls=true"
 
 volumes:
 transfair-input-blaze-data:
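Review bot: The new router on transfair-input-blaze forwards everything under `/data-delivery` to the Blaze store's port 8080 after stripping the prefix, and the hunk below does the same for transfair-request-blaze under `/data-requests`, both behind the single `transfair-auth` middleware that also guards the transfair API; whoever holds that one credential therefore reaches whatever both stores serve, not just the transfair endpoint. If that is intended, a comment on each added `labels:` block, `# exposes the whole Blaze HTTP interface behind the shared transfair basic-auth credential`, records the decision; otherwise a separate basicauth middleware per store, fed from its own variable, limits what one leaked credential unlocks. The routers also name no `entrypoints`, so they attach to every entrypoint the traefik service defines; if the other routers in this repository pin one, these should too.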
diff --git a/modules/transfair-setup.sh b/modules/transfair-setup.sh
index 58f7331..1d202a3 100755
--- a/modules/transfair-setup.sh
+++ b/modules/transfair-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 function transfairSetup() {
- if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
+ if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
 echo "Starting transfair."
 OVERRIDE+=" -f ./modules/transfair-compose.yml"
 if [ -n "$FHIR_INPUT_URL" ]; then
@@ -18,5 +18,14 @@ function transfairSetup() {
 FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
 OVERRIDE+=" --profile transfair-request-blaze"
 fi
+ if [ -n "$TTP_GW_SOURCE" ]; then
+ log INFO "TransFAIR configured with greifswald as ttp"
+ TTP_TYPE="greifswald"
+ elif [ -n "$TTP_ML_API_KEY" ]; then
+ log INFO "TransFAIR configured with mainzelliste as ttp"
+ TTP_TYPE="mainzelliste"
+ else
+ log INFO "TransFAIR configured without ttp"
+ fi
 fi
 }
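Review bot: `TTP_TYPE="greifswald"` and `TTP_TYPE="mainzelliste"` are plain assignments inside transfairSetup, yet transfair-compose.yml lists `- TTP_TYPE` to be taken from the compose process environment; unless the caller runs with `set -a` or exports the variable, the value never reaches the container. The existing `FHIR_REQUEST_URL=...` assignment a few lines up has the same shape, so this is presumably already handled outside the hunk — worth confirming, and a comment such as `# relies on the caller exporting (set -a) so compose sees TTP_TYPE` would spare the next reader the search. The `else` branch logs "configured without ttp" even when `TTP_URL` is set but neither `TTP_GW_SOURCE` nor `TTP_ML_API_KEY` is, which looks like a misconfiguration that deserves its own message rather than an informational line. The body of transfairSetup starts above this hunk.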