Port Forwarding in Windows 2003

posted on 10/17/07 at 08:16:24 am by Joel Ross

A while back, I set up Team Foundation Server for Tourney Logic's source control. It was anything but straightforward, so I figured I would share some of my headaches and how I got around them.

First, a note about my ISP. TL1 (Tourney Logic's development server) is hosted in The Dungeon, and I'm on a cable modem. Certain ports are blocked for inbound traffic - 80, 25 (in and out), and 8080. If you've ever used TFS, having port 8080 blocked is an issue if you want remote access. TFS runs on port 8080, and while I'm sure it's possible to change that (CodePlex appears to work over 443), I couldn't find any good documentation that worked reliably.

This probably could have been solved by a better router or VPN, but my router will not forward traffic from one port to another, and I've tried VPN in the past and found it slow and unreliable. My router can forward a port to a particular machine, but not to a different port on that machine, so that wouldn't work for me either - and I'm too scared I might brick my router by installing DD-WRT - Internet access at my house is key for survival!

So, having no choice but to run TFS on port 8080, I started digging into Windows 2003 to determine if there was a way to make it think that one port was really another one. Turns out there is, and it's available through "Routing and Remote Access". Under the machine, you can manage the IP routing. Under that, you select "NAT/Basic Firewall":

[Screenshot: Routing and Remote Access]

You should have an entry for each NIC in your machine. I just have one, so I select that, and go to the "Services and Ports" tab.

[Screenshot: LAN Properties]

I created my own service entry called TFS, and in it, I set up my firewall to forward all incoming traffic on port 8083 to port 8080.

[Screenshot: Edit Service]

Note that I have a static IP address set up internally for all of my servers, and the entered IP address is the machine's IP address.

I think the original intent of this feature is for when you are using your server as a firewall and have other machines sitting behind it, so you can specify which machines handle which services, but it can just as easily route traffic to itself, and do it over a different port. Once I added this entry, I was able to use my public address over port 8083 to interact with my TFS server and it works perfectly.

For those sysadmins reading this thinking to themselves, "Well, duh!" you apparently aren't the ones installing TFS in environments where certain ports are off limits, because I saw this issue over and over in forums, blogs, etc., and no one had a good solution.
