Windows server 2016, redirect internal IP to external URL

Redirect an internal IP to external URL.

My companies phone system has an  option to forward voicemail to email.  The phone system will not accept a URL for the email server address, only an IP.  Our email is hosted and filtered by Barracuda.  I can ping our barracuda filter URL, get the IP, use it in the phone system and everything will be fine until Barracuda makes changes and I have to manually get the address again.  

I would like to be able to use DNS on our Windows server to create an internal IP address and forward it to (URL) of external email filtering.  Is this possible?
Who is Participating?
nociSoftware EngineerCommented:
@Lee, I might have a surprise for you ;-)

first get some common language:
URL != hostname   url is the whole complex of a protocol + '://' + [ optional userspec '@' ] + hostname [ + optional ':' + port ] + URI
Userspec may be username [ + optional ':' password ].
As you can see hostname is part of a URL, URL never is part of hostname.

DNS can never handle URL's, DNS can handle hostnames, then again an smtp proxy might be of help here.
(ie. a proxy that accepts a connection on port 25, and then connects through to a hostname, not too difficult to build, then again also not exactly trivial because mail needs to line based.

Then there used to be Tis/FWTK (Firewall Toolkit, a Proxy based firewall (from before the ipfilters).   This was once cleanroom rebuilt into openfwtk because the original license required active participation of already years nonexisting company.
 (TIS, bought by NAI...)

This FWTK had plug-gw which might be applicable here.
(could plug through a port to an internal system, but why not reverse this pluggw...).

Location of sources:
Andy BartkiewiczNetwork AnalystCommented:
No, I don't think that is possible
Lee W, MVPTechnology and Business Process AdvisorCommented:
To the best of my knowledge, no, it can't be done.  That said, I'm curious to see if someone has any tricks to get this done.
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

nociSoftware EngineerCommented:
Here is the man-page for plug-gw:
on windows environments you may need Cygwin to build & run this.

PLUG-GW(8)                  System Manager's Manual                 PLUG-GW(8)

       plug-gw - plug proxy

       plug-gw [ -daemon <port> ] [ -fastdaemon <port> ] [ -as <tag> ] service

       The Firewall Toolkit plug proxy is an application level proxy that pro‐
       vides configurable access control, authentication and  logging   mecha‐
       nisms.   The  plug  proxy,  which  runs on the firewall, passes LDAP or
       other TCP-based application  requests  through  the  firewall  (at  the
       application   level),  using  rules  you  supply.   You  can  configure
       instances of the plug proxy to service:

       ·   LDAP searches

       ·   webster

       ·   whois

       This is not an exhaustive list.  The plug proxy is protocol neutral, so
       you  can  tunnel  a variety of other TCP-based applications.  Weigh the
       risks carefully for each application.

       For each version of the plug proxy, you  can  configure  the  proxy  to
       allow connections based on:

       ·   source IP address

       ·   source host name

       ·   source port

       ·   destination IP address

       ·   destination host name

       ·   destination port

       All packets, and therefore all application requests go to the firewall.
       On the firewall, the plug proxy software relays  information  from  one
       side of the firewall to the other.  The proxy prevents the applications
       on outside networks from talking directly with the applications on your
       inside  network,  and  vice versa.  No IP packets pass from one side of
       the firewall to the other.  All  data  is  passed  at  the  application

       The  firewall  runs  different instances of the plug proxy (plug-gw) as
       daemons (invoked from /etc/rc.local) on different ports  for  different
       applications,  based  on  the  information  in  the  /etc/services  and
       /etc/rc.local files.  These files indicate which services the  firewall
       should  run on which ports.  For example, the firewall runs an instance
       of the plug proxy on port 389 to handle LDAP requests.

       Whenever the system receives a request on one of these ports, the  plug
       proxy  checks  its configuration information (in the netperm-table) and
       determines whether the initiating host has permission to initiate  this
       type  of request. If the host does not have permission, the plug daemon
       logs the connection attempt and displays an error message.

       The proxy may also be  invoked  from  tcp/ip  "superserver"  (inetd  or
       xinetd).  -daemon parameter should be omitted in this case.

       If  the  host has permission, the proxy logs the transaction and passes
       the request to the destination host.  The  plug  proxy  remains  active
       until either side closes the connection.

       Allowing  proprietary  protocols  through your firewall is a really big
       unknown.  Because the protocols are proprietary, the firewall  and  the
       proxy  have no idea what sorts of data or requests the applications are
       sending. Nor do we have any idea how safe the  actual  application  is.
       Do  not use the plug proxy for proprietary protocols without first per‐
       forming a risk assessment.

   Command Line Options
       The plug proxy recognizes the following command line  options  (whether
       started from the command line or from within /etc/rc.local):

       -daemon port
              Indicates  that  the  plug  proxy runs as a daemon, and the port
              (name or number) on which the plug proxy listens.  When  -daemon
              option  is  used, configuration is being read from netperm-table
              for every new connection accepted by proxy.

       -fastdaemon port
              Indicates that the plug proxy runs as a  daemon,  and  the  port
              (name  or  number) on which the plug proxy listens.  When -fast‐
              daemon option is used, configuration is being read from netperm-
              table once the daemon starts or if SIGHUP is received.

              Indicates the name of the service the plug proxy connects as.

              Displays version information for the plug proxy on stdout.

   Configuration Options
       The  plug  proxy reads configuration rules from the /usr/local/etc/net‐
       perm-table.  It reads all rules using the plug-gw (or the  name  speci‐
       fied  with  the  -as  option) and * (wildcard) keywords. The plug proxy
       reads the netperm-table from top to  bottom.   If  there  are  multiple
       rules  in  the  table  that could apply for a particular attribute, the
       plug proxy uses the first one that it finds.  See netperm-table(5)  for
       a more complete explanation of netperm-table syntax and precedence.

       The plug proxy recognizes the following attributes:

              groupid group
                     Specifies  the name of the group the plug proxy uses when

                     group  Specifies either a name or  numeric  id  from  the
                            /etc/group file.

              port portid host-pattern [options]
                     It  is  the legacy way (included for TIS fwtk compatibil‐
                     ity) to specify a connection rule. When a  connection  is
                     made,  a match is searched for on the port-id and calling
                     host. The port-id may be either a  numeric  value  (e.g.:
                     119) or a value from /etc/services (e.g.: "nntp"). If the
                     calling port matches, then the  host-pattern  is  checked
                     for  a  match,  following  the  standard address matching
                     rules employed by the firewall. If the rule matches,  the
                     connection will be made based on the remaining options in
                     the rule, all of which begin with '-'. The  more  unified
                     and recommended connection rule form is

              hosts host-pattern [host-pattern..] [options]
                     Sub-options are:

                     -authuser username treat connection as authenticated with
                     user name (for extended permissions)

                     -authreq username authenticate via SSO keepalive  request
                     to authentication console

                     -extnd  specifies  that the proxy should request extended
                     authorization from authsrv

                     -client-dscp dscp-tag-name
                     -client-dscp dscp-hex-value specifies diffserv  codepoint
                     (QoS/ToS mark) for client to proxy connection.

                     -server-dscp dscp-tag-name
                     -server-dscp  dscp-hex-value specifies diffserv codepoint
                     (QoS/ToS mark) for proxy to server connection.

                     -plug-to host specifies the name or address of  the  host
                     to connect to. This option is mandatory.

                     -transparent select destination from tranparency engine

                     -privport indicates that a reserved port number should be
                     used when connecting. Reserved port numbers must be spec‐
                     ified  for  protocols  like rlogin which rely on them for

                     -port portid specifies a different port. The default port
                     is the same as the port used by the incoming connection.

                     -ssl-client  If  the  proxy  is compiled with SSL, enable
                     ssl/tls on client socket

                     -ssl-server If the proxy is  compiled  with  SSL,  enable
                     ssl/tls on server socket

                     -client-verify  If the proxy is compiled with SSL, verify
                     client certificate

                     -server-verify If the proxy is compiled with SSL,  verify
                     server certificate

       private-key file
              Specifies SSL proxy private key file

       certificate file
              Specifies SSL proxy certificate chain

       CAfile file
              Specifies SSL proxy CA

       timeout seconds
              Specifies  the number of seconds the plug proxy is idle (with no
              network activity) before disconnecting.

       userid user
              Specifies the user ID the proxy uses when running.

              user   Specifies  either  a  name  or  numeric   id   from   the
                     /etc/passwd file.

       This  example  shows the configuration lines in the netperm-table for a
       one-to-one connection from inside to outside:

              # allows one host inside to connect to one host outside
              qotd-gw: port qotd -plug-to -port qotd

              Command script that controls automatic reboot, and includes
              startup information for the plug proxy.

              The network permissions file contains configuration information
              for the Firewall Toolkit, including the plug proxy.

       Since incoming connection hosts can be wildcarded, plug-gw works well
       in a many-to-one relationship but does not work at all in a one-to-many
       relationship. If, for example, a site has 3 news feeds - it is easy to
       configure plug-gw to plugboard any connections from those 3 hosts to an
       internal news server, but unless there are multiple instances of plug-
       gw on different ports, and the internal news server's software can sup‐
       port connecting on a non-standard port, modification to software will
       be required.

       Report bugs to or mailing list.
       Include a complete example, explaining what you expected to happen and
       what actually happened.  Be sure to indicate the type of system (oper‐
       ating system, hardware, etc.) you are using, as well as the version of
       the plug proxy.


       netperm-table(5), rc(8)

OpenFWTK                          August 2007                       PLUG-GW(8)

Open in new window

How about setting up a local SMTP relay on Windows or Linux? You can point the voicemail server to the local SMTP server.

Some firewalls can use FQDN in their rules. My Palo Alto firewall can do this. You could NAT the external Barracuda address to an internal IP address. Point the voice mail to the internal IP address, and the firewall updates the rules as the DNS changes.
nociSoftware EngineerCommented:
if you want to setup a mail relay, check out qmail (easy & simple to use small mail system, yet very capable system) it ran until 2010-ish....
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.