Remote Workers and Cradle – Network Address Translation

Your company is using Cradle, but you’re a remote worker – how do you connect to the Cradle Database Server (CDS)?

With Network Address Translation – the IT administrator, where the CDS is located, can modify their firewall to redirect specific external ports to a local server.

Make a note of the internal IP address of the CDS – we’ll use CDS_IPADDR later in this post to reference this address. (In this test environment it is 192.168.11.168).

Cradle Configuration Changes

As an example of a small Cradle system with 6 users, we can configure the ports file as such.  We’re setting ports for each possible user (6) and an extra – so thats 7 ports in each range. To make it easier setting the firewall rules – so we have less rules to setup, we’ve got all the ports in UDP and TCP specific consecutive blocks, which is different to how we have them in the Cradle Help – https://www.threesl.com/cradle/help/

CDS_UDP_PORT_NUMBER = 23960
TOOL_UDP_PORT_NUMBER = 23961
PRJMAN_UDP_PORT_NUMBER = 23962

CDS_TCP_TOOL_PORT_NUMBER   = 16161
CDS_TCP_PRJMAN_PORT_NUMBER = 16162
UTILITIES_TCP_PORT_NUMBER   = 16163-16169
WBENCH_TCP_PORT_NUMBER      = 16170-16176
PRJMAN_TCP_PORT_NUMBER      = 16177

This ports file needs to be copied to all the clients using this CDS.

Firewall Config Changes

The IT administrator can now edit their firewall rules to redirect the external IP ports to the internal CDS.  As part of these rules they can set it so that only specific remote IP addresses are permitted to access these redirected ports.

I’m using pfSense as the example firewall in this case, and adding separate rules for each Cradle Port.
pfSense Cradle NAT Rules

Through the application of Network Address Translation, the remote worker now uses their locally installed Cradle client installation and talks to the Cradle Database Server, as if it is on the Cradle site’s external IP address – which they need to configure as their CRADLE_CDS_HOST address.

Article Updated

28/06/2021 – Use of port ranges in firewall rules.