Forwarding a TCP or UDP port from the Public Internet to the Internal Network
Process: For additional security, CloudConnect recommends placing any web server, which will receive inbound unauthenticated traffic in a DMZ network. CloudConnect supports a three-pronged DMZ architecture leveraging Edge Gateway. To do this, create a dedicated OrgVdc network for your web server virtual machine(s). For additional information, contact CloudConnect Technical Support.
Configure a firewall exception(s) and DNAT rule(s) on the Edge Gateway responsible for routing the Virtual Machine's OrgVdc Network. In this example, we will demonstrate how to do this for TCP port 80 (HTTP) and TCP 443 (HTTPS)
Create a Firewall exception as well as a DNAT rule on the Edge Gateway for the server in question. These rules will generally be allowed on port 80 (HTTP) as well as port 443 (HTTPS). Generally, a redirect rule is applied on the webserver as well to encrypt unsecured traffic.
Navigate to the domain in question (this will work for both mspCloud domains as well as Private Domains) and select Edges under the dropdown Networking. From here, select the Edge Gateway you'd like to set up port forwarding on. Make note of the Edge Gateway's Internet Access IP Address, and then click Configure Services. Note that the Internet Access IP address of the Edge Gateway is not the public IP address (see bottom of this article).
Create a Firewall exception by clicking the "+" button.
The first firewall exception we'll create will be on port 80:
- Change the rule's Name to something descriptive.
- Allow any Source IP
- Configure the Destination as the Edge Gateway's Internet Access IP Address (not the Public IP Address)
- Define the Protocol and Port under Service
- Once you have confirmed everything is correct, Save your changes.
Next, we'll create the DNAT rule for port 80.
- Create a new DNAT rule by clicking the "+" button.
- This rule should be Applied On "Internet Access"
- The Original IP is the Edge Gateway's Internet Access IP Address.
- The Protocol will be consistent with our firewall rule; TCP.
- The Port will be consistent with our firewall rule; 80.
- The Translated IP will be the Internal IP of the public-facing server. (Note: For extra flexibility, CloudConnect suggests using an IP address in the 192.168.0.0/24 range.)
- Lastly, we will allow any Translated Port.
- Click "Keep", then click "Save Changes"
Repeat these steps for Port 443 (or any other port)
- Create the Firewall Rule
Create the DNAT rule
To test the functionality of these rules from the internet. Use the Primary Public IP address for your Edge Gateway. To find the converted IP address, use the table below. For example, if your Edge Gateway's Internet Access IP address is 172.29.254.235, then the Public IP address (the address from which the Edge Gateway is accessible from the internet) would be 126.96.36.199. In this example, the Primary Public IP Address of 188.8.131.52 is what an internet DNS A Record should point to.
It is recommended that you install an SSL certificate from a trusted root certification authority and configure a redirect on the web server itself from HTTP to HTTPS. There are several ways to accomplish this depending on the type of web server in use. Additionally, it is recommended to run a penetration test on the web server's URL using a service such as SSL Labs (https://www.ssllabs.com/ssltest/) to verify your web server is supports the desired TLS version(s).
Additional Information: If you create the NAT and firewall statements correctly but the web server does not respond, it either means that:
- The web server does not have any web services running on or bound to that port
- The web server's own firewall (I.e. Windows Firewall or Linux IP Tables) is blocking the traffic and needs exceptions
- You are attempting to connect to the service using the Edge Gateway's Internet Access IP Address and not the Primary Public IP Address. Always connect using the Public IP Address.
Applies To: VMware Cloud Director virtual machines.