PowerShell Snippet: Port-forwarding for RDP/SSH through an NSX Edge

If you have a lot of configurations in a lab the way we do in VMware, then most of them are using private networks that are not even routable inside your company, let alone the internet. So you can very quickly get into a nested rathole of RDP/SSH sessions from your terminal to a jump-box and from there to machines you are actually performing operations on. Worse you probably have nested windows of multi-connection tools, so your actual target keeps getting squashed to the right of your monitor. Sometimes your terminal itself might be an RDP session or Horizon Desktop, so it quickly becomes some kind of geeky Inception thing

Incidentally that image fits on multiple levels for me. Apart from the squinty look, thats the back of Cillian Murphy’s head. I went to school with him way back when. Closest I’ll get to a claim to fame (or to Batman for that matter) πŸ™‚

A nice trick to overcome the spiralling console windows (there’s no fix for my desire to be Batman) is to put an NSX edge and SNAT rule in place to allow those private networks to reach the outside world and then use DNAT rules to port-forward to your individual machines. Lo and behold, one RDP/SSH window, more real estate for the connection on your screen and little less likely to go mad.

Once you have the NSX Edge setup with the relevant interfaces and addresses configured on it, here’s a couple of powershell commands that will get you up and running.

You need PowerCLI and PowerNSX installed to achieve.


Before you issue the commands get connected to the NSX Manager. So open an PowerCLI window and issue the following

Connect-NsxServer -NsxServer -Username nsx-administrator -Password nsx-password -VIUserName vcenter-administrator -VIPassword vcenter-password

Replace the IP and the credential bits appropriately.


Only one of these, so PowerShell or UI….your choice. For me, never do it via the UI when you can script it. Who knows when you will want to automate or repeat it right?

Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress any -TranslatedAddress -action snat -Enabled

Where is the routable IP address on the Uplink interface of the Edge and the My-NSX-Edge-Name is whatever you called the Edge itself

You should now be able to reach the internet from those private networks….assuming they are using the correct interface on the NSX Edge as their default gateways.

DNAT Rules

Definitely one you want to script…especially if you have lots of VMs or hosts that you want to connect to.

Assuming you are still connected to NSX manager, issue commands like the following for RDP:

Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress -TranslatedAddress -action dnat -Protocol tcp -Enabled -OriginalPort 30004 -TranslatedPort 3389

Where is the public interface of the NSX Edge, 30004 is the port you want to forward to port 3389 on behind the edge

Or the following for SSH:

Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress -TranslatedAddress -action dnat -Protocol tcp -Enabled -OriginalPort 20005 -TranslatedPort 22

Where is the public interface of the NSX Edge, 20005 is the port you want to forward to port 22 on behind the edge

Copy/paste/change the TranslatedAddress and OriginalPort as many times as you have connections

Personally I like to use some form of logical mapping between the port I am forwarding and the connection type / IP address of the target. For instance, I would always start an SSH port with 2 (as the target port is 22 typically) and an RDP port with 3 (as the target port is 3389 typically) and then map the last octet of the target IP to the end of the port I am forwarding. So RDP to would use port 30004 and SSH to would use 20005


Now in your tool of choice, every connection will be configured to point at the public interface of the NSX Edge ( in the above examples) and all you need to do is change the port to reach a different target. Most multi-connection tools such as mRemote, Royal TS/TSX will have fields for the port. If you are using Remote Desktop Connection, just use as the connection target.

So tell me….did I steal thoughts from your head or plant an idea πŸ™‚

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s