Port forwarding and the client-side firewall

This section details how to configure port forwarding with a client-side firewall.

Figure: Connection from client side firewall with port forwarding

This figure shows a connection from a client-side firewall with port forwarding.

If you have a client side firewall, you cannot connect directly to your clients from outside the firewall. There are two solutions to this problem:

  • First, you can set up port forwarding while using SSH or SSH2 (See Figure 1). This is by far the easiest and most secure method to connect without the help of a VPN.
  • The second method requires adding rules to the router to allow connections (See Figure 2). The set up of the router will be covered here; port forwarding is covered in a separate section.
Figure: Connection from Client side Firewall

This figure shows a connection from a client-side firewall.

The router will need rules added to take a connection coming in on a specific port and direct it to one of your clients. The way Genero is normally configured, all clients would use port 6400. If you only have one client, you can add a rule to the router to forward 6400 to the client on port 6400. If you have more than one client, you will need to allocate other ports on the router to forward to the other clients.

Note: In the examples shown, the internal addresses are not public IP addresses. If you have public IP addresses on each client, you can open port 6400 for each of the clients.
Example rule:
Incoming 6400 -> 192.168.1.10:6400
If you have more than one client, you can map them as follows:
Incoming 6401 -> 192.168.1.10:6400
Incoming 6402 -> 192.168.1.11:6400
Incoming 6403 -> 192.168.1.12:6400
Another option if your firewall won't allow you to change the destination port number:
Incoming 6401 -> 192.168.1.10:6401
Incoming 6402 -> 192.168.1.11:6402
Incoming 6403 -> 192.168.1.12:6403
This last example requires that you start the GDC with the -p option, causing it to listen on a different port from the default port.
>gdc -p 6401
>gdc -p 6402

If you are setting up multiple clients in this manner, you may want to avoid starting the first client on 6400; any misconfigured new clients will pop up on that user's console unexpectedly.

On the command line of the GDC shortcut setup, assign FGLSERVER to be the IP of the firewall router with the corresponding port of the router. This must be hard-coded, since there is no way for the client computer or Genero to know how the connection is established.

For example, if the client firewall router's IP address to the Internet is 213.39.41.73, and port 10000 is mapped to the client 192.168.0.53 port 6400, then the entry in the router would be:
Incoming 213.39.41.73:10000 -> 192.168.0.53:6400
The command line in the GDC would look like:
FGLSERVER=213.39.41.73:36000; fglrun demo
Figure: Entering the proper command for a GDC shortcut

This figure shows panel two of the Genero Desktop Client shortcut wizard, with appserver.4js.com as the hostname and FGLSERVER variable set to 213.39.41.73:36000 ; fglrun demo.

The FGLSERVER variable is normally set using @FGL, but that would set FGLSERVER to the IP of the local client machine and the port specified when the GDC was started with -p. If the IP addresses used behind the firewall are public, this would be OK. If the addresses are not public, however, we must use the IP address of the router, and let the router translate and forward it. If the router is translating the port, then we must use the port that the router is expecting.

In our example the port that the router is looking for is 10000. The FGLSERVER port value must be set to 10000 minus 6400, resulting in 3600. This is because FGLSERVER=<ip> :0 tells Genero to connect on port 6400. The number after the colon is added to 6400.