In this post I will allow inbound access to a VM. I will be allowing Windows RDP on TCP port 3389, but it could be any protocol on any port.
First I need to create a firewall rule that accepts any traffic hitting the edge with a destination port of 3389.
Then a DNAT rule to forward any traffic arriving on the external IP of the edge on port 3389 to the VM on the same port.
Go to the Edge gateway that we will configure the rules on.
We will need the external IP of the edge, but this time we can get that from the SNAT rule.
Select the edge and click the SERVICES link to open the config window.
Looking at the Edge firewall rules, I have hidden the system rules and I can see the outbound rule from the last post.
Click the Plus button to create a new rule.
Double-click the new rule box to name the rule.
Hover the mouse over the Source box and select the Plus icon.
Select the External object and click the right arrow to move it to the selected list. Click Keep to add it to the rule.
Hover the mouse over the Destination box and click the IP icon.
A dialog window pops up. Enter the external IP of the edge and click Keep.
Now hover the mouse over the Service box and click the Plus icon.
The Service window pops up. Select the Protocol (in this case TCP), leave the source port as any and set the destination port to the port to listen on, in this case 3389.
The inbound rule is now complete. Click Save changes.
Go to the NAT tab and click the DNAT Rule button.
The Add DNAT rule window will open.
This rule is equivalent to a “port forward” or “IP publishing” rule.
The original IP will be the external IP of the edge.
The Translated IP will be the IP on the VM we are forwarding the port traffic to.
The Original and Translated ports are the port we are forwarding and the port that hits the VM (in this case RDP on 3389).
Finally, click the Save changes link to commit the rule.
If you now point an RDP client at the external IP of the edge, it will be forwarded to the VM. If the VM has RDP enabled, you will be prompted for logon credentials.
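A small consistency check for the firewall-plus-DNAT pair built above, added here as an example and not code from the original post or from VMware: it models both rules and flags the mismatches that leave the port forward dead (firewall rule aimed at the VM's IP or the wrong port) or wider than intended (any source, any port). The addresses and rule names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

EDGE_EXTERNAL_IP = "203.0.113.10"  # constructed placeholder for the edge's external IP (from the SNAT rule)
VM_IP = "192.168.10.25"            # constructed placeholder for the VM being published

@dataclass(frozen=True)
class FirewallRule:
    name: str
    source: str               # "External", "Internal", "any" or an IP
    destination: str          # an IP or "any"; the edge firewall sees the pre-DNAT destination
    protocol: str             # "TCP", "UDP" or "any"
    dest_port: Optional[int]  # None means any port
    action: str               # "Accept" or "Deny"

@dataclass(frozen=True)
class DnatRule:
    protocol: str
    original_ip: str          # external IP of the edge
    original_port: int
    translated_ip: str        # the VM the traffic is forwarded to
    translated_port: int

# The two rules the post builds: accept External -> edge IP on TCP/3389, then forward it to the VM.
RDP_FIREWALL_RULE = FirewallRule("RDP inbound", "External", EDGE_EXTERNAL_IP, "TCP", 3389, "Accept")
RDP_DNAT = DnatRule("TCP", EDGE_EXTERNAL_IP, 3389, VM_IP, 3389)

def check_publish(edge_ip: str, firewall: List[FirewallRule], dnat: DnatRule) -> List[str]:
    """Return the problems found for publishing `dnat` behind `firewall`; [] means the pair is consistent."""
    problems = []
    if dnat.original_ip != edge_ip:
        problems.append(f"DNAT original IP {dnat.original_ip} is not the edge's external IP {edge_ip}")
    # The firewall rule must match the pre-DNAT destination (edge IP), not the VM's IP.
    matching = [r for r in firewall
                if r.action == "Accept"
                and r.destination in (dnat.original_ip, "any")
                and r.protocol.upper() in (dnat.protocol.upper(), "ANY")
                and r.dest_port in (dnat.original_port, None)]
    if not matching:
        problems.append(f"no Accept rule for {dnat.protocol}/{dnat.original_port} to "
                        f"{dnat.original_ip}; the DNAT rule will never receive traffic")
    for r in matching:
        if r.destination == "any" or r.dest_port is None or r.protocol.upper() == "ANY":
            problems.append(f"rule '{r.name}' is wider than the DNAT; scope it to "
                            f"{dnat.protocol}/{dnat.original_port} on {dnat.original_ip}")
        if r.source.lower() == "any":
            problems.append(f"rule '{r.name}' allows any source; the post scopes it to External")
    return problems
```

Calling `check_publish(EDGE_EXTERNAL_IP, [RDP_FIREWALL_RULE], RDP_DNAT)` returns an empty list for the rules as configured in the post.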