Windows 2012 Firewall Port Forwarding

    Question

  • Hi all,

    I'm trying to forward ports to my server. My server has a static public IP (WAN), and I would like to get every remote user's requests from port 12345 so the firewall translates them to 54321 (native port of a server application); this was possible in Windows 2003 Server.

    I'm trying to add a new inbound rule:

    Local port (Specific port): TCP 54321
    Remote port (All ports)

    So far it works OK if I try to connect from 54321 > 54321, but I need a distinct remote port:

    Local port (Specific port): TCP 54321
    Remote port (Specific port): TCP 12345

    I just can't connect and this is driving me nuts. I have tried every single combination, even creating an outbound rule for 12345, but it is not working.

    Any ideas?

    Thanks in advance


    G.Waters

    Monday, November 25, 2013 2:54 PM

Answers

  • Well, here's the solution:

    We have to use netsh to accomplish this, although there is a tricky part. Using netsh doesn't mean that it overrides firewall rules, so here's how communication works:

    Remote client ----> Windows firewall (in server) ---->netsh rules

    translated to ports:

    Port 54321 -----> Windows firewall rule to accept 54321  ------>netsh rules forwards 54321 to 12345

    So this is the sequence I did in order to accomplish it:


    >netsh interface portproxy set mode online
    >netsh interface portproxy add v4tov4 listenport=54321 connectport=12345 connectaddress=88.88.88.88

    (listenaddress is omitted since we want no restriction on the client IP so it can connect from anywhere)
    >netsh interface portproxy commit

    In Windows Firewall we must create a rule that accepts all incoming traffic from port 54321. DO NOT select any associated program, since that program will never listen on port 54321; it listens on 12345.



    That's it, hope it helps someone


    G.Waters

    • Marked as answer by George Waters Friday, January 3, 2014 6:00 PM
    Friday, January 3, 2014 6:00 PM
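
The sequence from the answer above as one PowerShell script, added here as an example and not part of the original post. It uses the ports and address from the answer; the rule name and the use of the NetSecurity/NetTCPIP cmdlets (available from Windows Server 2012) are assumptions. It also confirms the forwarder is actually listening and lists every configured forwarder so that unexpected entries stand out.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
$listenPort  = 54321            # port clients connect to (from the answer)
$connectPort = 12345            # port the application listens on (from the answer)
$connectAddr = '88.88.88.88'    # address used in the answer
$ruleName    = 'PortProxy TCP 54321 (example)'   # assumed name

# portproxy is serviced by the IP Helper service; without it nothing listens.
if ((Get-Service -Name iphlpsvc).Status -ne 'Running') {
    Start-Service -Name iphlpsvc
}

# Same forwarder as in the answer; listenaddress is omitted there as well.
netsh interface portproxy add v4tov4 listenport=$listenPort `
    connectport=$connectPort connectaddress=$connectAddr

# Port-only inbound allow rule: no -Program, because the application itself
# never listens on the forwarded port. Add -RemoteAddress to narrow the scope.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $listenPort -Action Allow | Out-Null
}

# Check 1: is anything listening on the forwarded port?
$listeners = @(Get-NetTCPConnection -LocalPort $listenPort -State Listen `
    -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP $listenPort; check iphlpsvc and the netsh output."
}

# Check 2: list every v4tov4 forwarder. netsh stores them as registry values
# named listenaddress/listenport with data connectaddress/connectport.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $keyPath) {
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Listen    = $name
            ConnectTo = $key.GetValue($name)
        }
    }
}
```

`netsh interface portproxy show v4tov4` prints the same list of forwarders as the registry check.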

All replies

  • Hi,

    Thanks for posting in the forum.

    Regarding your request, if you want to configure port forwarding on Windows Server 2012, I suggest you could refer to the following article.

    Port Forwarding / Port Mapping on Windows Server 2008 R2

    http://www.rickwargo.com/2011/01/08/port-forwarding-port-mapping-on-windows-server-2008-r2/

    In addition, we could also configure RRAS for port forwarding. For details, please refer to the following article.

    Configuring RRAS

    http://technet.microsoft.com/en-us/library/dd458979.aspx

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

    Tuesday, November 26, 2013 9:43 AM
    Moderator
  • Hi,

    Any update?

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    Best Regards,

    Andy Qi



    Andy Qi
    TechNet Community Support

    Tuesday, December 3, 2013 11:47 AM
    Moderator
  • Sorry for the delay.

    Well, I don't understand why I should install RRAS. When creating an inbound rule, it clearly gives you options for Local Port (which resides in the server) and remote port (the port where the client tries to connect), so why doesn't that work? If I'm wrong about these concepts, please light my path.

    Thanks in advance.


    G.Waters


    Thursday, January 2, 2014 9:41 PM
  • Can someone help me with this?

    G.Waters


    Friday, January 3, 2014 2:38 PM
  • According to this, it should work by defining the remote port but it just does not:

    http://technet.microsoft.com/en-us/library/cc770685.aspx

    Remote port

    If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

    The following options are available for inbound rules:

    • All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule. 
    • Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.
    • IPHTTPS. Available for TCP only. Available under Remote port for outbound rules. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.


    G.Waters

    Friday, January 3, 2014 2:54 PM