How to Configure Port Forwarding
When you purchased ItemPath, you were advised that ItemPath must be able to connect to your Power Pick installation. If you need to connect ItemPath to a Power Pick server that does not have a public IP address or connection to the internet, you have two main options:
1) Run ItemPath from an on-premises server that can communicate directly through your network. In this case, ItemPath runs from a container on a server you manage that is on the same local network as Power Pick. Unfortunately, this makes configuring and upgrading ItemPath more difficult.
2) Configure your network to allow for communication between ItemPath Cloud and Power Pick. A common way to do this is by port forwarding a public IP address to Power Pick’s private IP address and port. You can then use a firewall to secure this IP address and add ItemPath Cloud’s IP address to the list of approved IP addresses for incoming or outgoing traffic as needed.
This article is meant to serve as an explanation of the general process for (2). Specific steps will vary from customer to customer, depending on your network hardware and software, and this work will likely involve collaboration with your security and IT teams.
What is port forwarding?
You’re likely familiar with IP addresses. An IP address specifies the location of a device on a network, and it can be public or private. A port is a numerical identifier for a particular application or service running on your device. For example, ports 80 and 443 are commonly used to handle requests for web servers (HTTP and HTTPS, respectively).
If you need to follow the process detailed in this article, your Power Pick instance is running on a server which has a private IP address. When a device on your local network communicates with Power Pick it sends a request to both the IP address and the port(s) associated with particular services in Power Pick. Devices outside of this network will be unable to find this address.
Your local network also has a router. A router manages traffic on your local network — coordinating and sending requests between devices connected together on your network. Port forwarding refers to configuring a rule for your router to send traffic directed to a particular IP address to a different IP address and port. As part of configuring this rule, you will configure a public IP address and port that external services can communicate with. To secure the public IP address, you use a firewall and list of permitted IP addresses (“allowlist”).
Your Power Pick installation will have two layers of security:
- The port forwarding rule
- The firewall which limits traffic to the public IP address
You can visualize this setup below, where your network is connected to ItemPath, but contained in a separate secured network:
How does port forwarding help ItemPath communicate with Power Pick?
ItemPath Cloud is an application that is hosted on a server listed on the public internet. Access to ItemPath Cloud is controlled through authentication protocols. ItemPath has its own public IP address, and any requests from ItemPath will use that address. When you specify the connection to Power Pick in ItemPath, you will provide the port and URL/IP address for the public IP address that was created on your router. Your router will then “forward” traffic from ItemPath to Power Pick. To ensure that your public IP address is secure, you must configure a firewall that allows traffic from ItemPath’s IP address.
How do I configure port forwarding for my instance of Power Pick?
The particular steps are determined by your network configuration. You might be able to handle all configuration directly in your router. You might need to set up a second device that is connected to the internet. It is difficult to provide generic instructions that will work for all network configurations.
At minimum, these instructions assume that you have the following:
1) Power Pick running on a server, isolated on a local network
2) Your network is operated on a router that has access to the internet
3) A firewall service
4) The IP address for your ItemPath Cloud instance
The broad steps to
1) Identify the IP address and Port(s) used by Power Pick.
2) Configure your router:
   - Access your router’s administrative interface (typically by entering your router's IP address into a browser on a computer connected to the same network).
   - Find “Port Forwarding”, “Virtual Servers”, or a similar section.
   - Create a new port forwarding rule:
     - External Port: This is the public port that ItemPath will connect to (you can use the same number as the internal port, but double check your network configuration!).
     - Internal Port: The port that Power Pick’s service is listening on (e.g., 1433).
     - Internal IP Address: The private IP address of the machine hosting Power Pick.
     - Protocol: Typically TCP.
   - Please note: This will directly expose Power Pick to the internet on the chosen port. If there is an option to leave the rule inactive, and turn it on later, you should exercise that option.
3) Firewall configuration settings: This is absolutely necessary to mitigate risks associated with step 2, and should be done immediately.
   - Access your firewall’s administration settings. This could be the router's built-in firewall or a separate application.
   - Create a new firewall rule with the following settings:
     - Direction: Inbound and outbound.
     - Source IP Addresses: the public IP address for ItemPath. Only allow traffic from the specific IP address associated with ItemPath.
     - Destination IP Addresses: This is the public IP address configured with your port forwarding rule, not the private IP address associated with your Power Pick server.
     - Destination Port: The external port configured in the port forwarding rule.
     - Protocol: Typically TCP.
     - Action: Allow.
   - This step is critical to protect your Power Pick instance from receiving traffic from external services. It is your primary defense against unauthorized access to this system. Activate the rule.
4) Activate and test your connections: If you haven’t activated the port forwarding rule, do so. You will want to test by making sure that ItemPath can connect to the public IP address and port specified in 3, and test that another IP address is unable to send traffic through the public port.
5) If you need to connect to the Power Pick CEU Web Services module, repeat steps 1-4 for the appropriate port (the default for the machine running this is port 1353).
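The following Python check is an added example, not code from ItemPath or Power Pick: it models the port forwarding rule from step 2 and the firewall allow rule from step 3, then reports any active forward that is reachable from something other than ItemPath's address. The class names, the `audit` function and every address are constructed for illustration (documentation address ranges), and a forward with no matching allow rule is assumed to be exposed, as the note in step 2 describes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:                # router rule (step 2)
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str = "tcp"
    active: bool = True

@dataclass(frozen=True)
class FirewallRule:               # firewall allow rule (step 3)
    source: str                   # single address or CIDR
    dest_ip: str
    dest_port: int
    protocol: str = "tcp"

def audit(forwards, rules, itempath_ip):
    """Return findings; an empty list means only itempath_ip reaches each active forward."""
    expected = ipaddress.ip_network(itempath_ip)  # bare address -> /32
    findings = []
    for fwd in forwards:
        if not fwd.active:
            continue                              # inactive rule forwards nothing
        public = f"{fwd.external_ip}:{fwd.external_port}/{fwd.protocol}"
        matched = False
        for rule in rules:
            if rule.protocol != fwd.protocol:
                continue
            dest = (rule.dest_ip, rule.dest_port)
            if dest == (fwd.internal_ip, fwd.internal_port):
                findings.append(f"{public}: rule targets private {rule.dest_ip}, not the public address")
            elif dest == (fwd.external_ip, fwd.external_port):
                matched = True
                source = ipaddress.ip_network(rule.source, strict=False)
                if source != expected:
                    findings.append(f"{public}: allows {source}, expected only {expected}")
        if not matched:
            findings.append(f"{public}: active forward without an allowlist rule")
    return findings

# Constructed sample values (documentation address ranges, not real hosts).
ITEMPATH_IP = "203.0.113.10"
FORWARDS = [PortForward("198.51.100.20", 1433, "192.168.10.50", 1433),
            PortForward("198.51.100.20", 1353, "192.168.10.50", 1353)]
RULES = [FirewallRule("203.0.113.10", "198.51.100.20", 1433),
         FirewallRule("0.0.0.0/0", "198.51.100.20", 1353)]   # too broad
print(audit(FORWARDS, RULES, ITEMPATH_IP))
```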
Best practices
This article is meant to describe a common network configuration that allows Power Pick to communicate with ItemPath. Please remember that you are responsible for securing your network: regularly updating your router and firewall providers, auditing the list of allowed IP addresses, and conducting security checks are important aspects of a well-rounded security practice, and are your responsibility!
If you have any questions about how we secure ItemPath Cloud, please reach out to support@itempath.com.