How do you access IIS behind a NAT router?

(this was originally published in the November 2005 edition of the IIS Insider

Network address translation (NAT) routers have become very common lately as they are inexpensive and offer an easy way to set up a simple network. They are often used in corporate environments to isolate a test platform and are popular with home users as an easy way to share a broadband Internet connection amongst multiple computers in the household. Difficulties arise, however, because without proper configuration, the router will block access to your IIS server. A technology called "port forwarding" is used to enable access to the server from the outside world. In simple terms, the router is instructed to forward all requests it receives on a certain port to a specific computer on its network. While the standard port for HTTP traffic is 80, this can also be used for alternate available ports.

Most NAT routers have an embedded Web server that is used for configuration. Consult your documentation for the specific URL to use to connect. Once connected, look for Port Forwarding as one of the options to configure. The common way to configure this is to identify:

  • The service (HTTP in this case)
  • The port range you want to forward (port 80 by default for Web traffic)
  • The IP address to which you want to route all requests (the IP address of your server)

Because you need to statically map the port forwarding, it's best to assign a static IP for your server and not rely on DHCP. This technique can also be used for other services that you want to provide, such as SMTP, NNTP, or FTP. These services would be configured in the same way, except that you would forward the appropriate ports for each service. For specific instructions for your router, consult the manufacturer's Web site. Manufacturers typically offer documentation, pointers, and answers to frequently asked questions in their support areas.

An alternate method is to place your server in what might be called the Neutral Zone. While the router will still assign a static or dynamic IP for your server, the router will not block any requests and will therefore leave your box wide open for attacks. Make sure you have either a good software or hardware firewall protecting that server.

One final note: If you are a home user, please make sure you are not violating your Internet service provider's (ISP) Terms of Service as many broadband providers prohibit their home users from running servers. In many cases, ISPs will even block inbound port 80 traffic on their networks, making port 80 unusable for this type of use.

No Comments