Mapped Ports
The Mapped Ports Tab is used to configure access for Internet services and applications not directly supported by WinProxy. Mapped ports come in two primary forms: outgoing and incoming.
Outgoing mapped ports are most common under applications using Classic proxy settings. These ports are used for Internet sessions originating on a machine behind the firewall and connected to a machine on the Internet. The HTTP proxy, FTP and Mail proxies used by browsers and other applications are examples of outgoing ports directly supported by WinProxy. If you have Transparent proxy enabled in WinProxy (the default setting), Transparent proxy will handle most outgoing connections without the need for setting up an outgoing mapped port.
Incoming mapped ports allow outside access to a machine on your local network. The session originates on the web somewhere (you have no control over where). Incoming ports are a hole in your firewall, and should be treated carefully. Most small networks will never need an incoming mapped port. The incoming HTTP proxy and incoming SMTP proxy are examples of incoming ports directly supported by WinProxy.
Figure 3.23: The main Mapped Port page allows you to add other proxies to WinProxy, finely-tuning the program to suit your specific needs.
The main Mapped Port page shows which mapped ports have been configured, along with their settings. The mapped port name also appears on the main WinProxy ConnectionView screen as another protocol. To add a mapped port, click New.
Figure 3.24: This screen allows you to edit mapped ports.
The dialogue in Figure 3.23 allows you to: (1) modify an existing mapped port, or (2) create a new mapped port.
The options are:
- Mapped Port Name: Enter any name you like for the mapped port. After the mapping is installed, this name will be displayed in the main window. It's helpful to use a name describing the connection type. As in our example, CompuServe users would enter CompuServe.
- Proxy Port: Enter the port number WinProxy uses when listening for mapped connections. This is the port number you need to tell your application to connect to. In the example shown the proxy port is 4144. The proxy port can be different from the destination port.
  - Outgoing direction: WinProxy uses this port on its internal network connection to listen for activity from any of your client computers. Communication from any client computer will be sent to the Destination IP and Destination Port you configure (see below).
  - Incoming direction: WinProxy uses this port on its external network connection to listen for activity from any computer on the Internet. Any communication will be passed directly to the internal Destination IP address and Port you specify (see Destination IP, below).
- Destination IP: Enter the IP address of the machine you want to receive the connection request. In the example, this address is gateway.compuserve.com. When WinProxy receives a connection on the Proxy Port, it connects to this IP address.
  - Outgoing: Enter the IP address of the distant server to which your application connects. You can only connect to a single IP address.
  - Incoming: Enter the IP address of the machine on your local network to which an Internet user will connect. You can only specify a single machine.
- Destination Port: Enter the port number on the machine to which you are mapping. When WinProxy receives a connection on the Proxy Port, it connects to this port on the machine specified in Destination IP. It may be helpful to think of the Destination IP and Port as two parts of one address. In the example shown above, the destination is gateway.compuserve.com:4144.
  - Outgoing: This will be the port on the Internet machine (specified by Destination IP) to which WinProxy sends whatever it has received on the proxy port.
  - Incoming: This will be the port on the machine on your local network (specified by Destination IP) to which WinProxy passes whatever it has received on the proxy port.
- Mapped Port Type: Select TCP or UDP to choose the type of mapping to use. TCP, the most common type of connection, is used in most Internet protocols. UDP carries streaming data and is typically used for protocols such as RealAudio, which transmit continuous data. The primary difference between the two is that UDP packets are not guaranteed to be delivered. TCP is usually the wisest choice, unless your application specifically states that it uses UDP.
- Mapped Port Direction: An outgoing mapped port is appropriate when the session originates from a machine behind the firewall and connects to a server outside the firewall. A typical example: a weather application which connects to an Internet server for updates. Using TCP, once the session is established communication can flow both ways. The majority of mapped ports used by most users will be TCP/outgoing. An incoming mapped port is appropriate when the session originates outside the firewall and connects to a machine (i.e., a computer) behind your firewall. An example: a business which allows some of its clients to connect directly to one of its servers.
- Bi-directional UDP Mapping: If you've chosen the TCP protocol, this selection is grayed out; it's available if you've selected UDP. Unlike TCP, a UDP session does not automatically provide for communication in both directions once the connection is established. Enable this selection if you're using UDP and want data to travel in both directions.
- Disabled: Checking this box disables the mapped port without losing the settings.
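The relay below is an added illustration, not WinProxy code, of what the fields above configure: a TCP mapped port listens on the proxy port of one interface (internal for outgoing, external for incoming) and splices every accepted connection to the single Destination IP and Port. The interface addresses, the way the Disabled box is honoured, and an optional allow-list of source addresses (a safeguard the dialog itself does not offer, but the obvious one for an incoming port) are assumptions of the example; the self-test runs client, proxy and destination on loopback with OS-chosen ports.

```python
import socket
import threading

# Assumed interface addresses of the proxy host; both loopback so the example
# runs offline (in practice: INTERNAL_IF = LAN side, EXTERNAL_IF = Internet side).
INTERNAL_IF = "127.0.0.1"
EXTERNAL_IF = "127.0.0.1"


class MappedPort:
    """One entry of the Mapped Ports dialog: name, proxy port, destination, direction."""

    def __init__(self, name, proxy_port, dest_ip, dest_port,
                 direction="outgoing", disabled=False, allowed_sources=None):
        if direction not in ("outgoing", "incoming"):
            raise ValueError("direction must be 'outgoing' or 'incoming'")
        self.name = name
        self.proxy_port = proxy_port
        self.dest = (dest_ip, dest_port)
        self.direction = direction
        self.disabled = disabled
        # Not a dialog field: an optional allow-list of peer addresses, the natural
        # safeguard for an incoming port that anyone on the Internet can reach.
        self.allowed_sources = allowed_sources

    def listen_address(self):
        # Outgoing ports listen on the internal side for LAN clients; incoming
        # ports listen on the external side for Internet clients.
        iface = INTERNAL_IF if self.direction == "outgoing" else EXTERNAL_IF
        return (iface, self.proxy_port)

    def accepts(self, peer_ip):
        """May a connection from peer_ip use this mapping?"""
        if self.disabled:
            return False
        return self.allowed_sources is None or peer_ip in self.allowed_sources


def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_one(mapping, listener):
    """Accept one connection on the proxy port and splice it to the destination."""
    client, (peer_ip, _) = listener.accept()
    if not mapping.accepts(peer_ip):
        client.close()  # rejected before a single byte reaches the destination
        return
    upstream = socket.create_connection(mapping.dest)
    # TCP carries replies back over the same connection, so two pumps are enough.
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join(timeout=5)
    client.close()
    upstream.close()


def _echo_server(sock):
    """Stand-in for the destination machine: reads everything, answers upper-cased."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(conn.makefile("rb").read().upper())


def loopback_demo(payload=b"hello news server", disabled=False):
    """Client -> proxy port -> destination, all on loopback; returns the reply bytes."""
    dest_sock = socket.socket()
    dest_sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    dest_sock.listen(1)
    threading.Thread(target=_echo_server, args=(dest_sock,), daemon=True).start()

    mapping = MappedPort("Demo", 0, "127.0.0.1", dest_sock.getsockname()[1],
                         "outgoing", disabled=disabled)
    listener = socket.socket()
    listener.bind(mapping.listen_address())
    listener.listen(1)
    threading.Thread(target=relay_one, args=(mapping, listener), daemon=True).start()

    # The client is configured with the proxy's address and proxy port, never with
    # the destination: as far as it knows, the server lives at the proxy.
    try:
        client = socket.create_connection(listener.getsockname(), timeout=3)
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # done sending; now wait for the reply
        reply = client.makefile("rb").read()
        client.close()
        return reply
    except OSError:
        return b""  # a disabled or rejecting mapping just drops the connection
```

The client never learns the destination address, which is exactly why the application must be pointed at the WinProxy machine and the proxy port; the `accepts` check is where a defender would narrow who may use an incoming port, since the listener on the external side is otherwise reachable by anyone.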
Additional Examples of Mapped Ports
One of the common uses of mapped ports is allowing access (via Classic Proxy) to additional News servers.
Figure 3.25: A mapped port that sets up access to additional News servers.
It's best to use the numeric IP address of the other News server (the one shown here is for Best's News Server). However, you can also use a domain name such as mail.best.com if (1) WinProxy is connected to your Service Provider at the time and (2) you have enabled "permit domain names in mail, news and mapped ports" on the General page.
You can use port 120 as a proxy port (8119 is another common choice). You'll need to use a different proxy port for each additional News server. As you can see from the example shown here, you can have different proxy and destination ports. In this case, WinProxy listens on the proxy port on its internal connection; anything arriving on that port from one of your client computers will be sent to the destination IP and destination port.
The News application needs to be configured with the IP address of the WinProxy machine; it must also be given the new port number. Many applications will let you do this as part of the IP address, using the form 90.0.0.1:120 or winproxy:120 to designate server name and port.
The destination port for News Servers should always be port 119, unless you are certain that the destination is a different port.
Another example of a mapped port:
Figure 3.26: A mapped port used to set up Microsoft Chat.
Figure 3.26 is an example of a mapped port used to set up Microsoft Chat. The application does its business on port 6667, where the server expects to hear from it. In the application itself you'd specify that the server can be found at the WinProxy internal IP address. The mapped port name appears in the mapped port screen and on the main view screen. This name can be anything you choose.
A last look at a mapped port: an incoming port, this time.
Figure 3.27: An incoming mapped port.
A NOTE OF CAUTION: The settings described above constitute a hole in your firewall, since you have no way of knowing who is coming in on the proxy port. For an incoming port, the proxy port is on the external connection. Anybody telnetting to that port on your WinProxy machine will immediately be connected to the machine at 90.0.0.3.
Revealing the Mysteries of Mapped Ports
New users often find the concept of a Mapped Port (sometimes called a "plug") to be mysterious. Like much else, though, once you know what the words mean a lot of the mystery disappears. We'll try to dissolve anything mysterious about mapped ports in this section.
Here at Ositis Software, most questions we've received about mapped ports can be categorized in two ways. First, users simply don't have a good feel for what a mapped port is, or for what the various settings mean when they try to set up a mapped port. Second, they're unclear about the difference between Incoming and Outgoing connections.
What's a Mapped Port? The fact is, many of you have already seen a mapped port in action, even if you thought you hadn't messed with one yet. Most of what a Classic Proxy does is, in fact, a mapped port in one form or another. All of the functions you configured in WinProxy to allow browsing, email, news, ftp and telnet are a form of mapped ports. They don't look like it at first, because we've wrapped them up in a nicer-looking interface and hidden some details. But the bottom line is that they are much the same as mapped ports.
Here's an example. Let's say that you configured the News protocol in WinProxy, telling it that (1) your news server is at news.myisp.com, and (2) to use the standard port 119 for news. You could configure a mapped port that would do exactly the same thing, like this:
| Setting | Value |
|---|---|
| Mapped Port Name | Any name you choose |
| Proxy Port | 119 |
| Destination IP | *news.myisp.com* |
| Destination Port | *119* |
| Protocol | TCP |
| Direction | Outgoing |
In the chart above, the two entries in italics are the settings made by you when configuring the news protocol. The others are known in advance: since these particular news protocol settings never change, their unnecessary details aren't presented to the user.
One last thing that mapped ports and other protocol configurations have in common: application settings. With the Classic Proxy, you must configure your news application to find its news server at the WinProxy IP address instead of the "real" address. You must do the exact same thing if you configure the news application using Mapped Ports instead of the news protocol settings.
We chose not to use browsing, telnet or ftp as examples here because they have one crucial distinction from a regular mapped port. Using methods carefully specified and standardized by the Internet community, WinProxy can "peek" at the connection request from those protocols to ascertain the destination. Thus, it's not limited to a single destination as regular mapped ports are.
Incoming/Outgoing Connections. Now we'll turn to the distinction between incoming and outgoing connections. In a standard installation, all or almost all connections are outgoing. A browser, an email application, or any other local application begins a connection session by sending a connection request out through the firewall.
This is simply the nature of Internet communication (you can read more about this in "Ports is Ports," contained in Chapter 2: Ports and IP Addressing). A server listens and listens on a particular port, waiting for connection requests. That's what a server is. A client doesn't listen; it sends a connection request to a waiting server. That's what a client is. For most simple local networks, all of your local applications are client applications, and if you need to set up a mapped port it will be an outgoing mapped port.
Here's a diagram showing what the settings for an Outgoing Mapped Port refer to:
Figure 3.28: This schematic, representing an Outgoing connection, illustrates how a client application behind WinProxy reaches a distant server computer on the Internet.
An incoming connection is only needed when your local network contains a server and you intend to allow people on the Internet to connect to that server. You need to open a port on the external side of your firewall, allowing connection requests to come in through your firewall.
WinProxy already has an interface for some of the more common internal servers, including a web server, a mail server, and an ftp server. The settings for each of these are found in Settings: Protocols. Look under the appropriate protocol name, where you'll see it listed as an incoming connection. As soon as you enter settings in these boxes and say "OK," you have a hole in your firewall that allows incoming connections.
You need to provide one piece of information to those outside users: the address of your server. The internal address of your server will do them no good, as they can't see into your network. Give them the IP address of the external WinProxy network connection; also, if you use a non-standard port, tell them the port number. When you set up an incoming mapped port, WinProxy opens that port on the external side to listen for connection requests; it thus acts as a proxy server for those folks on the outside just as it does for your client applications on the inside.
Here's a diagram showing what the settings for an Incoming Mapped Port refer to:
Figure 3.29: This schematic, representing an incoming connection, illustrates how a distant client application on the Internet reaches a Server behind WinProxy.
When a user needed a mapped port in WinProxy 2.1 (a Classic Proxy), 95% of the time they would need an outgoing mapped port. The user would almost always have a client application that needed to connect to a server elsewhere.
This last part holds true in WinProxy 3.0 and above, as well. However, with the new connection engines you need only set up outgoing mapped ports when WinProxy is configured to act only as a Classic Proxy and the NAT/Transparent Proxy functions are disabled. When the NAT engine is enabled, outgoing connections that formerly needed mapped ports now work seamlessly and invisibly. No further configuration is required.
Incoming ports, though, need to be configured in either version. WinProxy will not open up incoming connections unless you specifically configure it to do so.
Bi-Directionality. There's a little more to connections than just sending the connection request. After the request is made, the client and server send many packets back and forth. For TCP connections, return packets are allowed through the firewall; you needn't make any special allowances.
UDP, on the other hand, is a connectionless protocol with no particular provision in the TCP/IP stack for handling return packets. In most cases, when you are configuring a UDP mapped port, you'll want to enable the Bi-Directional option so that returning packets will be allowed through the firewall.
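As an added example (not WinProxy's own code), the small relay below shows why the Bi-directional option matters for UDP: because there is no connection, the proxy itself has to remember which internal client sent a datagram in order to deliver the destination's reply back through the firewall; without that table the reply has nowhere to go and is dropped. The self-test runs client, proxy port and destination on loopback with OS-chosen ports, and the destination's "reply" (the request reversed) is a constructed stand-in.

```python
import socket

MAX_DGRAM = 65535


class UdpMapping:
    """A UDP mapped port: datagrams arriving on the proxy port are re-sent to dest."""

    def __init__(self, dest, bidirectional):
        self.dest = dest
        self.bidirectional = bidirectional
        # UDP keeps no connection state, so the proxy must remember who asked, or a
        # reply from the destination has nowhere to go. This table is that memory.
        self.sessions = {}  # upstream socket -> address of the internal client

    def forward(self, listener, timeout=1.0):
        """Take one datagram from the proxy port and send it on to the destination."""
        data, client_addr = listener.recvfrom(MAX_DGRAM)
        upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        upstream.settimeout(timeout)
        upstream.sendto(data, self.dest)
        if self.bidirectional:
            self.sessions[upstream] = client_addr
        return upstream

    def return_reply(self, listener, upstream):
        """Deliver the destination's reply back through the proxy port, if allowed."""
        client_addr = self.sessions.get(upstream)
        if client_addr is None:
            return False  # one-way mapping: the reply is simply dropped at the firewall
        try:
            reply, _ = upstream.recvfrom(MAX_DGRAM)
        except socket.timeout:
            return False
        listener.sendto(reply, client_addr)
        return True


def loopback_demo(bidirectional, payload=b"ping"):
    """Client -> proxy port -> destination -> (maybe) client, all on loopback.

    Returns the bytes the client received, or None if nothing came back.
    """
    dest = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dest.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    dest.settimeout(1.0)
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # this is the proxy port for the demo
    listener.settimeout(1.0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)

    mapping = UdpMapping(dest.getsockname(), bidirectional)
    client.sendto(payload, listener.getsockname())  # client talks to the proxy port
    upstream = mapping.forward(listener)            # proxy passes it to the destination
    request, relay_addr = dest.recvfrom(MAX_DGRAM)  # destination answers the proxy
    dest.sendto(request[::-1], relay_addr)
    mapping.return_reply(listener, upstream)        # returned only if bi-directional
    try:
        received, _ = client.recvfrom(MAX_DGRAM)
    except socket.timeout:
        received = None
    for s in (dest, listener, client, upstream):
        s.close()
    return received
```

With TCP the same exchange needs no table at all, because the reply travels back over the established connection; that is the difference the Bi-Directional option papers over for UDP.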
Some rules of thumb for configuring Mapped Ports:
- If behind a Classic Proxy, 95% of the mapped ports are outgoing mapped ports.
- When configuring an outgoing mapped port, you must know the destination IP address. Many site FAQs specify only the ports you need to open and fail to mention the IP address. You need to know that IP address for proper configuration.
- When the instructions don't specify which protocol, start with TCP, which is most commonly used (not only was it the "original," but it also provides error-checking and an assurance that packets arrived). Most places specify UDP when it's required, but if they use words like "streaming," it's possible that they're using UDP even if they don't say so.
- When you do use UDP, enable the Bi-Directional option.
- Most of the time, the proxy port and destination port will use the same port number.
Our last offering here is a complete group of sample diagrams for setting up mapped ports. The application featured in this group is "WinVNC," a freeware program somewhat like PCAnywhere or CarbonCopy. This program allows you to control a distant computer, viewing their screen on yours, and controlling it with your keyboard and mouse.
This program comes in two major pieces. One is the VNC Server. It runs on the machine that will be controlled, and like any good server sits and patiently waits for a connection request. The other portion is called the VNC Viewer, the client application. You use VNC Viewer to connect to VNC Server; once connected, the server asks for a password and then allows you control of the machine on which VNC Server is running.
With default settings, VNC Viewer and Server communicate on port 5900, the port setting shown throughout all but the last of these diagrams. The IP addresses shown are sample addresses; those, too, remain the same throughout the diagrams to aid readability. The first diagram shows the connection without a proxy/firewall, as simple as can be. Increasingly complex topologies follow, starting with a single firewall on the client side (the most common configuration) and working up through more interesting scenarios.
The first illustration below shows the simplest possible setup: no proxies, no firewalls. It'll give you an idea of our starting place.
Figure 3.30: A simple setup, with no firewall or proxy involved.
The VNC viewer (in Internet parlance, it's the client application; it starts the communication by sending connection requests) must be told where the VNC server is and on what port the server is listening.
The next picture is the first showing a proxy/firewall in place. The firewall is on the client's side of the Internet cloud. This shows the settings you'll need if WinProxy is your firewall:
Figure 3.31: A simple WinProxy setup in place. This situation, with a client-side firewall, is the most common situation seen by users.
As you can see, no additional settings or changes are needed. The NAT or Transparent Proxy functions in WinProxy accomplish any translations needed to connect to the server.
Without the NAT drivers, however, things are a little more complicated:
Figure 3.32: A Classic Proxy setup (or one with NAT and TProxy disabled).
Figure 3.32 shows the settings if you're using a Classic Proxy (like WinProxy 2.1) or if you have the NAT and Tproxy (Transparent Proxy) settings disabled in WinProxy. In this situation, you'll need a mapped port. Since the viewer (client app) is behind the firewall, you'll need to set up an outgoing mapped port. The mapped port setting contains information about where the Server really is. As far as the client knows, the server is at the WinProxy internal IP address. For that matter, as far as the client knows the entire Internet lives at that address. Any other address makes no sense to the TCP/IP routing software.
Figure 3.33 illustrates the firewall on the Server side. You'll see only one illustration in this case, not two as for the firewall on the client side. Since the client is attempting access from outside the firewall, no automatic translation takes place. The settings are the same for WinProxy 3.0 and above with Transparent Proxy as they are for WinProxy 2.1 with Classic Proxy:
Figure 3.33: The server side firewall.
Only when somebody outside your firewall attempts to contact a server inside your firewall do you need to set up an incoming mapped port. The mapped port settings contain information about where your server really is. The distant client must be configured as if your server were at the WinProxy external IP address, the only point on your local network visible to the Internet.
Now let's look at a more complicated situation, one that people are increasingly running into as private networks become more pervasive. In Figure 3.34 you'll see a firewall on both sides, which means that both client and server apps are hidden behind their own firewall:
Figure 3.34: A setup with a firewall on both client and server sides.
The same rules apply as before. If you're using WinProxy (with default settings) on the client side, there's no need to do anything special with WinProxy. However, you do need to configure the client application as if the distant server resided at the only visible IP address for that network, the firewall's external address. On the VNC server side, you need to set up an incoming mapped port no matter which type of firewall you have. This incoming mapped port on the server-side firewall has the information about where the server really is.
Figure 3.35 illustrates a slight variation of the setup just presented. The only difference is that the client-side firewall is now a Classic Proxy, so you will have set up a mapped port on the client-side firewall:
Figure 3.35: A setup with a firewall on both client and server sides; the client-side firewall is a Classic Proxy.
Once again, the familiar rules apply. On the client-side firewall you must configure an outgoing mapped port, telling it that the distant server lives at the other network's external IP address. On the server-side firewall, you have to configure an incoming mapped port with the actual server address. As you go through this, you'll notice that the client side has to know the server side's external address; if you look closer, you'll also notice that nobody has to know the client side's external address.
Now here's one last illustration for those who have hung on this long: a variation on the setup just above. The situation is exactly the same, except that we're not using the same port numbers throughout:
Figure 3.36: A setup with a firewall on both client and server sides. The client-side firewall is a Classic Proxy. Identical port numbers are not used throughout.
This diagram shows that the destination port and proxy port settings for any one mapped port configuration don't have to agree. The only rule is that the "destination port" on the source machine must match the "proxy port" on the destination machine. In other words, the port you're sending to must be the port they're listening on.
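The checker below is an added example, not part of the manual, that applies the rule just stated to the double-firewall layout of Figure 3.36: each hop's Destination IP and Port must be exactly where the next mapped port (or the server itself) is listening, so a mismatch anywhere along the chain is reported against the hop that sends to the wrong place. The addresses and port numbers are constructed stand-ins for the diagram's own (private and documentation ranges), and the second function confirms the observation made for Figure 3.35, that no configuration anywhere needs the client-side firewall's external address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Addr = Tuple[str, int]

# Constructed sample addresses (RFC 1918 / RFC 5737 ranges), not the figure's own.
VIEWER_PC = "10.0.0.5"
CLIENT_FW_INTERNAL = "10.0.0.1"
CLIENT_FW_EXTERNAL = "198.51.100.1"
SERVER_FW_EXTERNAL = "203.0.113.10"
SERVER_FW_INTERNAL = "192.168.1.1"
VNC_SERVER = "192.168.1.20"


@dataclass(frozen=True)
class Listener:
    """Something waiting on an address: a mapped port on a firewall, or the server itself."""
    name: str
    listens_on: Addr                     # (IP, proxy port), or the server's own port
    forwards_to: Optional[Addr] = None   # (Destination IP, Destination Port); None = real server


def figure_3_36(server_side_proxy_port: int = 5902) -> List[Listener]:
    """Assumed settings for the Figure 3.36 layout: differing ports on every hop."""
    return [
        Listener("client-side outgoing mapped port", (CLIENT_FW_INTERNAL, 5901),
                 (SERVER_FW_EXTERNAL, 5902)),
        Listener("server-side incoming mapped port", (SERVER_FW_EXTERNAL, server_side_proxy_port),
                 (VNC_SERVER, 5900)),
        Listener("VNC server", (VNC_SERVER, 5900)),
    ]


def trace_path(client_target: Addr, listeners: List[Listener]) -> List[str]:
    """Follow a connection hop by hop; an empty list means every hop lines up."""
    by_addr: Dict[Addr, Listener] = {lsn.listens_on: lsn for lsn in listeners}
    problems: List[str] = []
    current, sender = client_target, "VNC viewer"
    for _ in range(len(listeners) + 1):  # bounded walk, so a looping config cannot hang us
        hop = by_addr.get(current)
        if hop is None:
            same_host = [lsn for lsn in listeners if lsn.listens_on[0] == current[0]]
            if same_host:  # right machine, wrong port: the rule in the text is violated
                ports = ", ".join(str(lsn.listens_on[1]) for lsn in same_host)
                problems.append(f"{sender} sends to {current[0]}:{current[1]} "
                                f"but that machine listens on port(s) {ports}")
            else:
                problems.append(f"{sender} sends to {current[0]}:{current[1]} "
                                f"but nothing listens there")
            return problems
        if hop.forwards_to is None:
            return problems  # reached the real server
        current, sender = hop.forwards_to, hop.name
    problems.append("path never reaches a server (forwarding loop?)")
    return problems


def addresses_anyone_must_know(client_target: Addr, listeners: List[Listener]) -> Set[str]:
    """Every IP address that appears in some client or mapped-port configuration."""
    known = {client_target[0]}
    for lsn in listeners:
        if lsn.forwards_to is not None:
            known.add(lsn.forwards_to[0])
    return known
```

Running `trace_path((CLIENT_FW_INTERNAL, 5901), figure_3_36())` returns no problems, while changing the server-side proxy port to 5903 without updating the client-side mapping's destination port produces one complaint naming the hop that now sends to a port nobody listens on.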
