Windows 2000 port forwarding

This tip discusses how you can put servers inside your firewall and still access them from the Internet in Windows 2000.

The concept and practice of port forwarding has been around for a long time in the UNIX world, but Microsoft is just catching up. The idea is simple: communicating directly with a computer that resides inside a firewall using Network Address Translation (NAT) to hide the identity of internal machines from the outside world.

Let's say that while visiting a friend in New England last summer you came across a Cray-1 at a yard sale and, for a reason we won't go into, you happened to be driving an empty Rider truck. So you bought the Cray and took it back to your office, where you and the rest of the nerds on the block had a terrific time setting it up and installing Hunt the Wumpus on it. Your network is protected by a Windows 2000 server running Network Address Translation, meaning that it assigns "fake" IP addresses to the internal machines, which are then unreachable from outside your network. This has the advantage of protecting the users inside your network, but it also has a terrible downside: If you're not inside your firewall, you can't Telnet to your Cray and play Hunt the Wumpus. What you'd like to do is to give the Cray its own IP address so you can reach. But how can you do this without putting it outside the firewall?

Enter port forwarding. Port forwarding, also known as port redirection, allows you to specify a particular port on your Windows 2000 server that corresponds with a single, particular computer and open TCP port within your internal network. Essentially, this creates a new, unique address for the machine within your network and allows you to reach it from the outside world. It's a fairly simple combination of routing and packet header rewriting. UNIX users have been doing this for years. And while it's possible-even simple-on Windows 2000, it's not well documented.

There's only one reason to enable port forwarding: You want to reach a particular machine behind your NAT server. This could be for purposes of Telnet, FTP, HTTP, or email. Probably the most common reason would be to put a mail server behind your NAT server.

Of course, port forwarding reduces security. In essence, you're giving the secretary at the front desk the extension to your office and saying "If anyone calls and asks for me, patch them through." It's up to the receptionist to decide who gets in and who doesn't. It stands to reason that if the receptionist doesn't know your office extension, he or she can't give it out to anybody.

Windows 2000 port forwarding is set up through the Internet Sharing Connection Wizard-which makes sense.

If you haven't done so already, you'll need to enable Internet Connection Sharing-this allows your multi-homed server to manage Internet connections for the computers inside your network. Your server will have two network cards: one connected to the outside world, and the other connected to the inside world. In this example, the outside card has an IP address of 130.91.52.1 and the inside card an address of 192.168.0.1. The 192.168.x.x subnet is a "test" subnet, invalid on the Internet.

To enable Internet Connection Sharing between your two networks, right-click your outside Internet connection, select Properties, and then select Sharing. Check the box labeled Enable Internet Connection Sharing for This Connection. Select your internal network in the box below (labeled For Local Network). Now, forwarding a port on your server to an individual computer within your inside network is as simple as clicking the Settings button.

A number of the standard ports-for mail or FTP, for example-are provided by default, in the likely assumption that you may want to put a mail or FTP server behind your firewall and still be able to access it directly. If this is your goal, select the appropriate service and click Edit. In our case, however, we want to be able to Telnet to our Cray, which isn't listed, so we'll have to add a new service. Click the Add button.

If you're adding a service, give it a name and a port number. Then select either TCP or UDP, based on the protocol that the service will use. Finally, enter the internal IP address of the target computer. In this case, we created a new service called "cray" and assigned it port number 4020 on our Windows 2000 server, and told the server that port 4020 forwards to port 4020 on the computer with the internal IP address of 192.168.100.207, our Cray.

Now, from outside the network, you can type the following to log onto the Cray:

telnet yourserver.yourcompany.com:4020

And then play Hunt the Wumpus until your fingers bleed.


This was first published in August 2001

Dig deeper on Working With Servers and Desktops

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close