Allow Access to Internal Server Behind Cyberoam Using Non-Standard Port

Applicable Version:  10.00 onwards
 
Overview
 
This article describes how you can configure Cyberoam to provide access to an internal resource behind Cyberoam through a non-standard port. This is done by:
 
- Creating a virtual host
- Creating a firewall rule to allow inbound traffic to the internal resource

Virtual host

Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.

A virtual host maps services of a public IP address to services of a host in a private network. In other words, it is a mapping of a public IP address to an internal IP address. The virtual host is used as the Destination address to access an internal or DMZ server.

A virtual host can be a single IP address, an IP address range, or the Cyberoam interface itself. Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the virtual host.


Scenario
 
As shown in the diagram below, RDP Servers 1 and 2 are hosted in the DMZ and are accessed from the Internet using a single public IP address, 204.88.128.93, i.e., the Cyberoam WAN IP. Since both cannot be accessed over the same standard RDP port (3389), access to one of them has to be given over a non-standard port. Hence, access to the RDP Servers is configured according to the following table.
 
 
| Network component | Public IP address | Internal IP address | Port |
|---|---|---|---|
| RDP Server 1 | 204.88.128.93 | 192.168.1.15 | 3389 |
| RDP Server 2 | 204.88.128.93 | 192.168.1.4 | 3390 |

 
 

Configuration

You can allow access to the RDP Servers by following the steps given below. Perform the configuration from the Web Admin Console using the Administrator profile.

Step 1: Create Virtual Host for RDP Server 1

Go to Firewall → Virtual Host → Virtual Host and click Add to create a virtual host with the parameters given below.
 
 
 

Parameter Description
 
 


 
 
 
On clicking OK, the Add Firewall Rules For Virtual Host screen appears, which allows you to create rules to allow access to RDP_Server_1 from other zones. Enable Add Firewall Rule(s) For Virtual Host and set the rule parameters as desired. Here, we have created a rule which allows access to RDP_Server_1 from the WAN zone.
 
 
 
 

Step 2: Create Virtual Host for RDP Server 2

Go to Firewall → Virtual Host → Virtual Host and click Add to create a virtual host with the parameters given below.
 
 
 
 
Parameter Description
 
| Parameter | Value | Description |
|---|---|---|
| Name | RDP_Server_2 | Name to identify the Virtual Host. |
| External IP | PortB – 204.88.128.93 | The IP address through which Internet users access internal server/host. |
| Mapped IP | 192.168.1.4 | Mapped IP address is the IP address of the internal server/host. |
| Physical Zone | DMZ | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address(s). For example, if mapped IP address represents any internal server then it is the zone in which server resides physically. |
| Port Forwarding | | |
| Enable Port Forwarding | Enabled | Click to enable service port forwarding. If Port Forwarding is enabled, following options are available. |
| Protocol | TCP | Select the protocol TCP or UDP that you want the forwarded packets to use. |
| Port Type | Port | Click to specify whether port mapping should be single or range of ports. |
| External Port | 3390 | Specify public port number for which you want to configure port forwarding. |
| Mapped Port | 3389 | Specify mapped port number on the destination network to which the public port number is mapped. |

 
 
 
On clicking OK, the Add Firewall Rules For Virtual Host screen appears, which allows you to create rules to allow access to RDP_Server_2 from other zones. Enable Add Firewall Rule(s) For Virtual Host and set the rule parameters as desired. Here, we have created a rule which allows access to RDP_Server_2 from the WAN zone.
 
 
 
 
The above configuration allows access to both RDP Servers from the Internet. You can verify this by viewing the corresponding Firewall Rules, as shown below.
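The port mapping configured in Steps 1 and 2 can be modelled as a destination-NAT lookup keyed on (external IP, protocol, external port). The following is an added example, not Cyberoam code and not part of the original article; the class and function names are hypothetical, and the mapped port 3389 for RDP_Server_1 is an assumption based on the scenario table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str    # public address clients connect to
    protocol: str       # "TCP" or "UDP"
    external_port: int  # public port
    mapped_ip: str      # internal server address
    mapped_port: int    # port the internal server listens on

class VirtualHostTable:
    """Simplified destination-NAT table (hypothetical model)."""

    def __init__(self):
        self.entries = {}

    def add(self, vh):
        key = (vh.external_ip, vh.protocol, vh.external_port)
        if key in self.entries:
            # One public IP:port can forward to only one internal server.
            raise ValueError(f"{vh.name} collides with {self.entries[key].name} on {key}")
        self.entries[key] = vh

    def translate(self, dst_ip, protocol, dst_port):
        """Return (mapped IP, mapped port), or None when nothing is forwarded."""
        vh = self.entries.get((dst_ip, protocol, dst_port))
        return (vh.mapped_ip, vh.mapped_port) if vh else None

WAN_IP = "204.88.128.93"  # Cyberoam WAN IP from the scenario

def build_scenario():
    table = VirtualHostTable()
    # Assumption: RDP_Server_1 maps 3389 -> 3389 (its parameter table is not on the page).
    table.add(VirtualHost("RDP_Server_1", WAN_IP, "TCP", 3389, "192.168.1.15", 3389))
    table.add(VirtualHost("RDP_Server_2", WAN_IP, "TCP", 3390, "192.168.1.4", 3389))
    return table

def second_host_on_standard_port_is_rejected():
    """Show why RDP Server 2 cannot also be published on external port 3389."""
    table = build_scenario()
    try:
        table.add(VirtualHost("RDP_Server_2_dup", WAN_IP, "TCP", 3389, "192.168.1.4", 3389))
    except ValueError:
        return True
    return False
```

Both servers still listen on 3389 internally; only the external port differs, and any public port without an entry is not forwarded.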
 
 
 
 
 

                                                                              Document Version: 1.0 – 28/06/2012
Article ID: 2368