Windows 2000 Port Forwarding: How to Put Your Mail Server Behind Your Firewall
The concept and practice of port forwarding has been around for a long time in the UNIX world, but Microsoft is just catching up. The idea is simple: communicate directly, from outside, with a computer that sits behind a firewall, even though that firewall uses Network Address Translation (NAT) to hide the addresses of internal machines from the outside world.
Let's say that while visiting a friend in New England last summer you came across a Cray-1 at a yard sale and, for a reason we won't go into, you happened to be driving an empty Rider truck. So you bought the Cray and took it back to your office, where you and the rest of the nerds on the block had a terrific time setting it up and installing Hunt the Wumpus on it. Your network is protected by a Windows 2000 server running Network Address Translation, meaning that it assigns "fake" IP addresses to the internal machines, which are then unreachable from outside your network. This has the advantage of protecting the users inside your network, but it also has a terrible downside: If you're not inside your firewall, you can't Telnet to your Cray and play Hunt the Wumpus. What you'd like to do is to give the Cray its own IP address so you can reach it (see Figure 1). But how can you do this without putting it outside the firewall?
Figure 1: Here's what you want: easy access through the firewall to the Cray.
Port Forwarding or Port Redirection
Enter port forwarding. Port forwarding, also known as port redirection, allows you to specify a particular port on your Windows 2000 server that corresponds with a single, particular computer and open TCP port within your internal network. Essentially, this creates a new, unique address for the machine within your network and allows you to reach it from the outside world. It's a fairly simple combination of routing and packet header rewriting. UNIX users have been doing this for years. And while it's possible, even simple, on Windows 2000, it's not well documented.
Why Do I Want to Enable Port Forwarding?
There's only one reason: You want to reach a particular machine behind your NAT server. This could be for purposes of Telnet, FTP, HTTP, or email. Probably the most common reason would be to put a mail server behind your NAT server.
Does Port Forwarding Reduce Security?
Yes. We're surprised you even asked. In essence, you're giving the secretary at the front desk the extension to your office and saying "If anyone calls and asks for me, patch them through." It's up to the receptionist to decide who gets in and who doesn't. It stands to reason that if the receptionist doesn't know your office extension, he or she can't give it out to anybody. (More information in the "Security" section at the end of this article.)
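To make the "routing and packet header rewriting" of the Port Forwarding section and the receptionist analogy above concrete, here is a small simulation of a static inbound NAT mapping. It is an added example, not code from the article and not how Windows 2000's NAT service is implemented: a forwarding table maps one public port on the NAT server to one internal address and port, inbound packets to a mapped port have their destination rewritten, replies have their source rewritten back to the public address, and packets to an unmapped port are dropped. The `NatForwarder` class, the `Packet` type and all addresses (RFC 5737 documentation ranges and private addresses) are constructed for illustration.

```python
"""Simulated static port forwarding on a NAT gateway (added example, not the
article's code). Addresses, ports and packets below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT rewrites, plus a payload we simply carry along."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatForwarder:
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        # Static table: public port on the NAT server -> (internal ip, internal port).
        # This is the "extension list" the receptionist is allowed to hand out.
        self.forwards = dict(forwards)
        # Sessions created by inbound hits, so replies can be mapped back:
        # (external ip, external port, internal ip, internal port) -> public port
        self.sessions = {}

    def inbound(self, pkt):
        """Rewrite a packet arriving on the public interface; None means drop."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us; nothing to translate
        target = self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # unmapped port: the receptionist has no extension to patch through
        internal_ip, internal_port = target
        self.sessions[(pkt.src_ip, pkt.src_port, internal_ip, internal_port)] = pkt.dst_port
        # Destination header fields are rewritten; source is left so the inside host can reply.
        return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)

    def outbound(self, pkt):
        """Rewrite a reply from an internal host so it appears to come from the public IP.

        Only replies to sessions opened through a forwarding entry are handled here;
        connections the internal hosts initiate themselves (ordinary dynamic NAT)
        are outside this example.
        """
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        public_port = self.sessions.get(key)
        if public_port is None:
            return None  # no matching session, so the internal address is never exposed
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)


def demo():
    """Forward SMTP (25) to an internal mail server and Telnet (23) to the Cray."""
    nat = NatForwarder(
        "203.0.113.10",
        {25: ("192.168.1.20", 25), 23: ("192.168.1.5", 23)},
    )
    # A remote mail server connects to the NAT's public address on port 25.
    arriving = Packet("198.51.100.7", 40000, "203.0.113.10", 25, "EHLO example")
    to_mail_server = nat.inbound(arriving)
    # The internal mail server replies to the remote host directly by address.
    reply = Packet("192.168.1.20", 25, "198.51.100.7", 40000, "250 OK")
    to_remote = nat.outbound(reply)
    # A probe at port 80 has no forwarding entry and is dropped.
    probe = Packet("198.51.100.7", 40001, "203.0.113.10", 80, "GET /")
    dropped = nat.inbound(probe)
    return to_mail_server, to_remote, dropped


if __name__ == "__main__":
    fwd, back, drop = demo()
    print("inbound rewritten to ", fwd)
    print("reply rewritten to   ", back)
    print("unmapped port result ", drop)
```

The point the simulation makes is the one the article makes: only the ports listed in the forwarding table are reachable from outside, and the reply path hides the internal address again, so the exposure is exactly the set of entries you choose to add.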