
Implementing Port Address Translation with BorderManager 3.x

Port Address Translation lets those who have a single public IP address, or who need to offer more services than their range of public IP addresses will allow, route requests to multiple servers on an internal network while using one external IP address.


Depending on what you want to do with your connection to the Internet, you may need to do more with less. I saw a good example of this recently after offering a presentation at Novell’s Brainshare Europe conference. A company was limited to a single public IP address but needed to make e-mail services available between their company and the outside world. Although Port Address Translation (PAT) is not an officially supported option in the current version of BorderManager, this article will walk you through the implementation process.

What is Port Address Translation?
Network Address Translation (NAT) is a method whereby a public IP address is mapped to a private address on your internal network. The problem with this method is it requires a public address for each internal address you want to make available to the Internet or intranet.

PAT offers a possible solution. With PAT, requests for access to services are directed on a port-by-port basis. For example, Web browsing services use either port 80 for unencrypted communications or port 443 for SSL or secure communications, while SMTP uses port 25. With the situation just outlined, it is possible to route the Web requests to one server on your internal network while routing the e-mail requests to another server and using only one external IP address.

Some planning is required when implementing PAT. You can redirect a port to only one address. (For example, if you are redirecting port 80 from the public address on your BorderManager server to a server on your private network, you can’t redirect that same port to a different server on the private network.) If you need to present multiple Web servers through the single public address on your BorderManager server, you must use different port numbers on the additional Web servers that you want to make available outside your network. This means you must either notify your users or customers about the port numbers you are using or put links on the first Web server you are making available so external users can seamlessly link to the other Web servers without having to know specific port numbers.

This next section will apply only if you’re using the Transparent proxy and/or Single Sign-on functions in BorderManager 3.x. If you use one or both of these configurations and you’re unable to successfully pass from the public to the private side of your network, then you’ll probably need to grant an exception to port redirection under the Transparent Proxy Detail button. You should also make sure you have the “Set NAT Dynamic Mode to Pass Thru = ON” statement present in the BorderManager server’s autoexec.ncf file so the traffic needing to pass through by means of the Generic TCP and UDP proxies will be able to get through BorderManager.

Enabling PAT on BorderManager
Setting up PAT on BorderManager involves the Generic TCP and Generic UDP proxy servers. Start the process by going into NWAdmin and double-clicking the server object BorderManager is running on. When the server’s Properties page appears, click BorderManager Setup to open the configuration area for the Generic TCP and UDP proxies. Once the BorderManager Setup screen appears, click the Application Proxy tab to get to the area where you will configure the two Generic proxies.

While I will show just the steps to configure the Generic TCP proxy, you will need to repeat the steps for the Generic UDP proxy. In the Enable Services section of the screen, click the check box beside Generic TCP proxy. Then click the Details button to open the Properties screen, where you can set up the port-level redirection from an external address to an internal address.

When the Application Proxy screen appears, click the button that looks like a dotted square; when your cursor hovers over it, you should see the tooltip “Add an accelerator to the list.” An additional Generic Proxy screen will appear.

To set up proxy redirection for Web browsing (i.e., port 80), enter the private IP address of the service you want to make publicly available in the Origin Server Hostname input field. You will want to enter 80 in both the Origin Server Port and Proxy Port input fields. The last step is to select the address of the public card in your BorderManager server that will be redirecting the external requests to the internal server on your network. Click OK to submit this new proxy configuration to BorderManager, and click OK again to close out the Generic TCP Proxy screen. Click OK once more on the BorderManager Setup screen. The messages displayed reflect the change in configuration.

Depending on the type of services you need to redirect through your BorderManager server using either of the two proxies I discussed here, you may need to repeat these steps for each of the ports on one or both of the proxies to successfully set up a PAT configuration.
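The planning rule above (a given port on the public address can be redirected to only one internal server) and the accelerator fields from the Generic Proxy screen (Origin Server Hostname, Origin Server Port, Proxy Port, public address) can be modelled before you touch NWAdmin. The following is an added example, not BorderManager code or anything shipped by Novell: a small planning table that rejects a second redirection of the same protocol/public address/proxy port, resolves an inbound request to its internal target, and lists the endpoints you would publish to external users. The addresses, ports and the `PatPlan`/`Accelerator` names are constructed for illustration; the second Web server is reached on proxy port 8080 while its origin port stays 80, which the separate Origin Server Port and Proxy Port fields allow.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample public address (documentation range); not from the article.
PUBLIC = "203.0.113.10"


@dataclass(frozen=True)
class Accelerator:
    """One Generic proxy entry, mirroring the fields on the Generic Proxy screen.

    proto        -- "tcp" for the Generic TCP proxy, "udp" for the Generic UDP proxy
    public_addr  -- address of the public card on the BorderManager server
    proxy_port   -- "Proxy Port": the port external clients connect to
    origin_host  -- "Origin Server Hostname": private IP of the internal server
    origin_port  -- "Origin Server Port": the port the internal service listens on
    """
    proto: str
    public_addr: str
    proxy_port: int
    origin_host: str
    origin_port: int


class PatPlan:
    """Hypothetical planning table: one target per (protocol, public address, proxy port)."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str, int], Accelerator] = {}

    def add(self, acc: Accelerator) -> None:
        if acc.proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {acc.proto!r}; use 'tcp' or 'udp'")
        if not (1 <= acc.proxy_port <= 65535 and 1 <= acc.origin_port <= 65535):
            raise ValueError("ports must be in the range 1-65535")
        key = (acc.proto, acc.public_addr, acc.proxy_port)
        clash = self._table.get(key)
        if clash is not None:
            # The article's constraint: a port can be redirected to only one address.
            raise ValueError(
                f"{acc.proto}/{acc.proxy_port} on {acc.public_addr} already redirects to "
                f"{clash.origin_host}:{clash.origin_port}; choose another proxy port for "
                f"{acc.origin_host}:{acc.origin_port}"
            )
        self._table[key] = acc

    def resolve(self, proto: str, public_addr: str, port: int) -> Optional[Tuple[str, int]]:
        """Where an inbound request to (public_addr, port) would be redirected, or None."""
        acc = self._table.get((proto, public_addr, port))
        return None if acc is None else (acc.origin_host, acc.origin_port)

    def published_endpoints(self) -> List[str]:
        """Lines to hand to users or to link from the first Web server."""
        return sorted(
            f"{a.proto} {a.public_addr}:{a.proxy_port} -> {a.origin_host}:{a.origin_port}"
            for a in self._table.values()
        )


def example_plan() -> PatPlan:
    """Constructed sample: one public address fronting two Web servers and a mail server."""
    plan = PatPlan()
    plan.add(Accelerator("tcp", PUBLIC, 80, "192.168.1.20", 80))    # first Web server
    plan.add(Accelerator("tcp", PUBLIC, 443, "192.168.1.20", 443))  # its SSL side
    plan.add(Accelerator("tcp", PUBLIC, 25, "192.168.1.30", 25))    # SMTP server
    plan.add(Accelerator("tcp", PUBLIC, 8080, "192.168.1.21", 80))  # second Web server, alternate proxy port
    return plan


def attempt_conflicting_entry(plan: PatPlan) -> Optional[str]:
    """Try to redirect port 80 a second time; return the rejection message, or None if accepted."""
    try:
        plan.add(Accelerator("tcp", PUBLIC, 80, "192.168.1.21", 80))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    plan = example_plan()
    for line in plan.published_endpoints():
        print(line)
    print("conflict check:", attempt_conflicting_entry(plan))
```

Run the module directly to print the endpoint list and the rejection message for the duplicate port-80 entry. The same table can be kept per protocol, since the Generic TCP and Generic UDP proxies are configured separately and a TCP accelerator on port 80 does not occupy UDP port 80.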

Conclusion
As you can see, setting up Port Address Translation on BorderManager isn’t that hard. The planning process will take longer than the actual setup of the generic proxies. This technique is probably not as easy as a native PAT function would be in BorderManager (but perhaps this feature will be included in BorderManager 4.x, due out later this year); however, it at least offers an option for those who are bound to a single public IP address or need to offer more services than their available range of public IP addresses will allow.

Ronald Nutter is a senior systems engineer in Lexington, KY. He's an MCSE, a Novell Master CNE, and a Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He's also the help desk editor for Network World. If you’d like to contact Ron, send him an e-mail. (Because of the large volume of e-mail that he receives, it's impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
