NAT Router Configuration

A fundamental concept is that a NAT router lets any traffic out, such as your web page request, and only lets in responses that match by IP address, such as the web page you requested. This makes NAT routers an excellent choice for home or internet networking where you want to avoid "wide-open" two-way traffic, because they provide a high degree of protection by default.

NAT routers typically present a single IP address on the "public" side of the router, yet support many machines in the background on the "private" side of the router. They do this by functioning as a DHCP server, giving out private IP addresses to connected hosts. When "incoming" packets arrive, NAT has to know which host to route the data to. Typically, NAT knows that it is receiving a response destined for a particular IP address on the "private" side. But what if you are initiating a connection from the "public" side instead of the "private" side?

In the case where a Master-Agent is on the "public" side, and one or more Leaf Agents are on the "private" side, port forwarding can be used to support connections to multiple Leaf Agents. This means each Leaf Agent is installed with a unique port number, and that port number is used to distinguish between Leaf Agent instances. Remember that incoming traffic arrives at the "public" IP address of the NAT router (see the "Status" tab on your Linksys) and there is only one IP address. A unique port number on the public address is therefore used to identify individual Leafs by IP:Port on the private side; this is essentially port forwarding. Your basic steps are:

Gather Information

Configure Router

Configure the NAT router on the port forwarding tab. Below, the incoming port is identified, followed by the destination port belonging to the IP address on the right. You need to check "enable" for this particular router model. TCP is the only required protocol for Prism Patch Manager.

Install Leaf Agents

Do a Local Agent Install for each Leaf (see below), using the public IP address of the router and the unique Leaf port number to identify the Leaf. Do not use the Leaf's private IP address to identify it, since the Master-Agent will not be able to reach that address from the outside.

Just for clarity, when you stipulate a "Local" install, the Agent Installer does not validate the IP address against the current machine's IP address; instead, the Agent Installer merely passes this address and port to the Master Agent toward the end of the Leaf Agent install, so that the Master will know how to contact the Leaf later, for example when querying.

In our 1st screen shot, is the public router address, and 9970 is the Leaf Port we are assigning.

In our 2nd screen shot, is the Master Agent machine, and 9968 is its assigned port.


Note: When installing the Leaf Agent, you may get challenged for Master-Agent credentials when the Leaf registers with the Master Agent.
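
The following is an added example, not part of the original documentation or of Prism Patch Manager: a small Python check of a port forwarding plan before you enter it in the router and run the Leaf installs. It flags a Leaf port reused on the single public address and a Leaf installed with its private address. The function names, the addresses 203.0.113.10 and 192.168.1.x, the port 9971 and the use of the same number for incoming and destination port are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as handed out on the "private" side of the router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_plan(public_ip, leaves):
    """Return (rules, errors) for a port forwarding plan (hypothetical helper).

    leaves: (name, private_ip, leaf_port, install_address) tuples, where
            install_address is what was entered in the Local Agent Install.
    rules:  (incoming_port, protocol, private_ip, destination_port) tuples.
    """
    rules, errors, used = [], [], {}
    public = ipaddress.ip_address(public_ip)
    for name, private_ip, port, install_addr in leaves:
        if not 1 <= port <= 65535:
            errors.append(f"{name}: port {port} is out of range")
            continue
        if port in used:
            # One public IP address: the port alone identifies the Leaf.
            errors.append(f"{name}: port {port} is already forwarded to {used[port]}")
            continue
        used[port] = name
        if is_rfc1918(install_addr):
            errors.append(f"{name}: installed with private address {install_addr}, "
                          "which the Master-Agent cannot reach")
        elif ipaddress.ip_address(install_addr) != public:
            errors.append(f"{name}: installed with {install_addr}, not the router address")
        # Assumption: incoming and destination port are the same Leaf port.
        rules.append((port, "TCP", private_ip, port))
    return rules, errors

# Constructed sample data (documentation and private address ranges).
PUBLIC_IP = "203.0.113.10"
LEAVES = [
    ("leaf-a", "192.168.1.101", 9970, "203.0.113.10"),
    ("leaf-b", "192.168.1.102", 9971, "192.168.1.102"),  # wrong: private address
    ("leaf-c", "192.168.1.103", 9970, "203.0.113.10"),   # wrong: port reused
]

if __name__ == "__main__":
    rules, errors = check_plan(PUBLIC_IP, LEAVES)
    for incoming, proto, ip, dest in rules:
        print(f"forward {proto} {incoming} -> {ip}:{dest}")
    for e in errors:
        print("ERROR:", e)
```

Each rule that comes back without an error is one line on the router's port forwarding tab, and every forwarded port is reachable from the public side, so forward only the ports the Leafs actually use.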