Topic: Using SME server to route (PAT question)

[mlabonte]

I am setting up an SME 7.1 server as a proxy/filtering server for a small school.

Our network will consist of:
One SME filtering/DC
One Windows 2003 terminal server.
One Windows 2003 PBX server.
30+ thin clients.
10+ network printers.

The problem is I have one external IP, and the school doesn't have the budget for a decent router.

I need to use ports 443 & 80 externally for the SME server.
And port 3389 externally on the terminal server.
However the PBX guys need ports 80 & 3389 for their server.

I could do a NAT or VPN solution, I know. But it wouldn't be ideal because of how the PBX system works.

Is there anyway to accomplish a PAT on the SME server?

[idp_qbn]

Are you committed to WIn2003 as a PBX server?
SME has an addon "Asterix" PBX server (see http://wiki.contribs.org/Asterisk) which perhaps could help.

I wasn't sure of your network requirements from your description -
Is there a separate Firewall or is the DC to be the Firewall as well?

Decent Router? That should be very cheap these days....most DSL modems come as modem/router.

Sorry I can't really help you any more than that - wish I could.

Cheers
Ian

[mlabonte]

Sadly this is not an ideal situation.

I am committed to the the Win2k3 PBX server, because it is out of my hands.
They've bought this system from another company entirely.

There is only one SME box. It will be doing filtering for outbound internet traffic (to keep the students out of trouble) and firewall for incoming traffic. And it will be doing internal domain & smtp.

Any router within their budget does NAT well. But I'm aware that can be done on SME. What I really need is a good PAT router.

But again, their budget is small, so that is why I am trying to use SME as a PAT router.

[CharlieBrady]

Is there anyway to accomplish a PAT on the SME server?

What exactly do you mean by "a PAT"?

You can handle the port 80 issue by using ProxyPass in apache.

You can use port forwarding for port 3389, but you cannot forward one port to two different destinations.

[mlabonte]

I'm experienced with port forwarding, and also in our other environments we have used router equipment to do a PAT, or Port Address Translation.

So that if someone externally tried to RDP to port 3390 it would translate to port 3389 on one server, and if they tried for port 3389 it would go to port 3389 on another.

I'm unfamiliar with ProxyPass, could you explain it?

[CharlieBrady]

So that if someone externally tried to RDP to port 3390 it would translate to port 3389 on one server, and if they tried for port 3389 it would go to port 3389 on another.

Use the port forwarding panel.

I'm unfamiliar with ProxyPass, could you explain it?

Search is your friend.

[mercyh]

Are you saying you have some way with PAT to forward port 80 to two different internal machines?

I can see a map as follows:

ExternalIP:80-------->internalIP1:80

and

ExternalIP:9999 ----->internalIP2:80

but not

ExternalIP:80--------->InternalIP1:80 sometimes

and

ExternalIP:80--------->InternalIP2:80 othertimes

[mmccarn]

Does the PBX vendor really need port 80 open?  If so, what for?  Why can't they add ':81' to the end of their URL?

Or, can you use ":81" in *your* url?

Or, can you create an ibay for the PBX and put in an html redirect to ":81" for the PBX?

[CharlieBrady]

Are you saying you have some way with PAT to forward port 80 to two different internal machines?

ProxyPass will allow you to handle all port 80 connections on the SME server, but to pass a subset of URLs through to a webserver running on another internal machine.

[mlabonte]

Are you saying you have some way with PAT to forward port 80 to two different internal machines?

I can see a map as follows:

ExternalIP:80-------->internalIP1:80

and

ExternalIP:9999 ----->internalIP2:80

That's pretty much exactly what I am saying. Only difference is I need it for RDP as well as web services.

I tried the port forwarding thing for RDP, didn't seem to work because you can't change the RDP port on a windows 2003 server, it will ONLY listen on 3389.

Sorry I've been gone so long, I've been swamped with other work and this project took a back seat.

[mmccarn]

You can still port-forward rdp in the same manner:

ExternalIP:3389 -> InternalIP_A:3389
ExternalIP:3390 -> InternalIP_B:3389

Access system B from off-site using Start, Run, mstsc /v:External_IP:3390

Watch out with the latest RDP client - if you save the username and password it will use it for all access to 'ExternalIP', regardless of the port number you add to the address.

If you do some searching on Google you should also be able to find a couple ways to make windows listen on another port (besides 3389).  One way uses the local firewall (win xp or 2003) to do the above PAT locally on each system; the other requires registry edits.

[mlabonte]

You can still port-forward rdp in the same manner:

ExternalIP:3389 -> InternalIP_A:3389
ExternalIP:3390 -> InternalIP_B:3389

Access system B from off-site using Start, Run, mstsc /v:External_IP:3390

Watch out with the latest RDP client - if you save the username and password it will use it for all access to 'ExternalIP', regardless of the port number you add to the address.

If you do some searching on Google you should also be able to find a couple ways to make windows listen on another port (besides 3389).  One way uses the local firewall (win xp or 2003) to do the above PAT locally on each system; the other requires registry edits.

Okay, I'll try this later today and post back.

I knew about the firewall method, but we wanted windows firewall disabled for a few reasons.

Thanks!

[cool34000]

Hi,

I tried the port forwarding thing for RDP, didn't seem to work because you can't change the RDP port on a windows 2003 server, it will ONLY listen on 3389.

That's not true.
See this article

[mlabonte]

Hi,

I tried the port forwarding thing for RDP, didn't seem to work because you can't change the RDP port on a windows 2003 server, it will ONLY listen on 3389.

That's not true.
See this article

That applies to 2000, I'll test it out and see if it works on 2003.