The Airport as a router/firewall may give you some limitations. However, you should be able to creatively overcome matching port forwards if needed. The Airport can do port forwarding and translated port forwarding. Based on what you have defined above, you have the following (replace with your real values):
Public IP address: 201.202.203.204
Private Server 1 (access.domain.com at 10.0.0.10) running:
• Profile Manager = tcp port 80 or 443 (ideally 443 with a certificate)
• Open Directory = tcp port 389 or 636 (ideally, you would NOT allow public access to OD)
• File Sharing = tcp 548 for AFP and tcp 139 and 445 for SMB (ideally, you would NOT allow public access to file sharing protocols)
Private Server 2 (fmserver.domain.com at 10.0.0.20) running:
• FileMaker Server = how are you accessing? WebPublishing? What port? 443? Perhaps 8443. 5003 for the fat client?
You want to use the Airport to map ports to private addresses. The challenge you have is that if you are trying to do port 443 to both Profile Manager and FileMaker, you can't do it with straight mapping. You will either need to alter FileMaker's port or use port translation on the Airport.
For example, let's say you run Profile Manager on 443 and FileMaker on 8443. This is the easiest and most straightforward. At the Airport, you would create two Port Setting rules:
Rule 1: For Profile Manager running on 10.0.0.10
Description: Custom - Profile Manager
Public UDP Ports:
Public TCP Ports: 80, 443
Private IP Address: 10.0.0.10
Private UDP Ports:
Private TCP Ports: 80, 443
Rule 2: For FileMaker running on 10.0.0.20
Description: Custom - FileMaker Web Publishing
Public UDP Ports:
Public TCP Ports: 8443
Private IP Address: 10.0.0.20
Private UDP Ports:
Private TCP Ports: 8443
With this configuration, you will be able to hit Profile Manager by using a straight URL such as https://access.domain.com. However, to reach FM, you will need https://access.domain.com:8443. Or, if you want to have two hosts as noted above, make sure you use public DNS to point both access and fmserver to the same public IP, 201.202.203.204. Then you can use https://fmserver.domain.com:8443.
Remember, your configuration is a split horizon DNS. You are hosting an internal DNS server but only internal devices have access to it. You must configure public DNS to match your private but the public must point to public IP addresses while the private points to private IP addresses.
Now, if you have already deployed FileMaker and it is already on port 443, then you can use a port translation rule. But this will still require the use of an alternate port on the public side as there is no way for the Airport to discern which 443 traffic is supposed to go where.
If this is the case, Rule 1 remains the same as above. However Rule 2 would look like this:
Rule 2: For FileMaker running on 10.0.0.20
Description: Custom - FileMaker Web Publishing
Public UDP Ports:
Public TCP Ports: 8443
Private IP Address: 10.0.0.20
Private UDP Ports:
Private TCP Ports: 443
Note that the public port is 8443 but when traffic on that port is experienced, it is translated to port 443 running on device 10.0.0.20. In this scenario, the Public TCP Port number can be just about anything you want. But what you pick will be part of your public URL. So let's say you pick port 20443, then the public address is https://fmserver.domain.com:20443. But your private URL is https://fmserver.domain.com. This can be confusing and breaks the goals of split horizon (maintaining a unified URL reference for both public and private visitors).
Hope this is helpful.
Reid
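An added example, not part of the post above: a short Python check that audits a set of port-forwarding rules before they are entered on the router. It reports public ports claimed by more than one rule (the two-servers-on-443 problem), forwards that would expose the services the post advises keeping private, and which rules rely on port translation. The rule layout and function names are assumptions of this example; the addresses are the post's placeholders.

```python
from collections import defaultdict

# Services the post says should ideally not be publicly reachable.
SENSITIVE = {389: "Open Directory", 636: "Open Directory",
             548: "AFP", 139: "SMB", 445: "SMB"}

def audit(rules):
    """Return (conflicts, exposures, translations) for a list of forwarding rules.

    Each rule: {"name", "private_ip", "tcp": [(public_port, private_port), ...]}.
    """
    claimed = defaultdict(list)
    exposures, translations = [], []
    for rule in rules:
        for public, private in rule["tcp"]:
            claimed[public].append(rule["name"])
            if private in SENSITIVE:
                exposures.append((rule["name"], public, SENSITIVE[private]))
            if public != private:
                translations.append((rule["name"], public, private))
    # One public port can only be forwarded to one private host.
    conflicts = {p: n for p, n in claimed.items() if len(n) > 1}
    return conflicts, exposures, translations

def public_url(host, public_port):
    """URL an outside visitor must use; 443 is the implied HTTPS port."""
    return f"https://{host}" if public_port == 443 else f"https://{host}:{public_port}"

# Constructed rule sets using the post's placeholder addresses.
PROFILE_MANAGER = {"name": "Profile Manager", "private_ip": "10.0.0.10",
                   "tcp": [(80, 80), (443, 443)]}
FM_SAME_PORT = {"name": "FileMaker", "private_ip": "10.0.0.20", "tcp": [(443, 443)]}
FM_TRANSLATED = {"name": "FileMaker", "private_ip": "10.0.0.20", "tcp": [(8443, 443)]}
FILE_SHARING = {"name": "File Sharing", "private_ip": "10.0.0.10",
                "tcp": [(548, 548), (445, 445)]}

if __name__ == "__main__":
    for label, rules in [("both on 443", [PROFILE_MANAGER, FM_SAME_PORT]),
                         ("translated", [PROFILE_MANAGER, FM_TRANSLATED]),
                         ("with file sharing", [PROFILE_MANAGER, FM_TRANSLATED, FILE_SHARING])]:
        conflicts, exposures, translations = audit(rules)
        print(label, "| conflicts:", conflicts, "| exposed:", exposures,
              "| translated:", translations)
    print(public_url("fmserver.domain.com", 8443))
```

A non-empty conflicts result means the rule set cannot work as written; a non-empty exposures result marks forwards to review before opening them to the public side.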