LANDesk Management Gateway as Universal Proxy
Forward any ports through the gateway and void your warranty today!
Preface: This is naughty and not intended behavior. Your security and networking teams may not like it, and LANDesk Support won't either. If you have a better way to forward the necessary ports, use it instead. Anyway, on to the rule breaking.
While it is a hardened Linux box, the Management Gateway is still a Linux box, and there's a lot of power under its hood. So if you're in a situation where you get one DMZ box for all LANDesk activities and you need to get some more ports for something like, oh, I don't know, LANDesk Handheld Manager, here's a trick you can use to open things up a bit more.
- SSH to the gateway and log in, then drop from the menu to a shell.
- Back up the firewall script, then edit it so it forwards the ports to the right places:

[admin@lavatube ~]$ sudo cp /usr/sbin/ipfirewall /usr/sbin/ipfirewall.backup
[admin@lavatube ~]$ sudo vi /usr/sbin/ipfirewall
:7 add your initials to the end of FWVER so it is obvious the script has been hand-edited
:10 CORE=your.core.ip (the core server the ports get forwarded to)
:740 at the end of the per-external-address loop, add these lines:
# Forward the LANDESK HANDHELD MANAGER ports to the CORE
echo " Enabling Handheld client access"
# Source-NAT everything leaving $EXTIF: the core sees the gateway's address, not the handheld's
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# PORT 8268 for SCAN
echo " SCAN port"
enableServer "scan" "tcp" "8268" $IPADDR
enableClient "scan" "tcp" "8268" $IPADDR
# Rewrite connections that arrive on the gateway's external address to the core, then allow
# them to be forwarded back out the same interface (the core is reached through $EXTIF)
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $IPADDR --dport 8268 --sport 1024:65535 -j DNAT --to $CORE:8268
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $EXTIF -d $CORE --dport 8268 --sport 1024:65535 -m state --state NEW -j ACCEPT
# PORT 8269 for CONTROL
echo " CONTROL port"
enableServer "control" "tcp" "8269" $IPADDR
enableClient "control" "tcp" "8269" $IPADDR
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $IPADDR --dport 8269 --sport 1024:65535 -j DNAT --to $CORE:8269
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $EXTIF -d $CORE --dport 8269 --sport 1024:65535 -m state --state NEW -j ACCEPT
# PORT 8270 for REGISTRATION
echo " REGISTRATION port"
enableServer "registration" "tcp" "8270" $IPADDR
enableClient "registration" "tcp" "8270" $IPADDR
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $IPADDR --dport 8270 --sport 1024:65535 -j DNAT --to $CORE:8270
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $EXTIF -d $CORE --dport 8270 --sport 1024:65535 -m state --state NEW -j ACCEPT
echo " Finalizing"
# NOTE: the first rule accepts ANY new forwarded connection leaving via $EXTIF, not only the
# three ports above; tighten it to the ports you need if the gateway must not be a general relay
$IPTABLES -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -t filter -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

- Restart your firewall and test it out.

[admin@lavatube ~]$ sudo /subin/firewall restart
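The three copy-pasted port blocks above are the same four rules with a different port each time, so here is the procedure as one parameterised POSIX shell script, plus a check that reads iptables-save output and confirms each port's DNAT and FORWARD rules actually landed after the restart. This is an added example and is not part of the original post or of LANDesk's ipfirewall script. It assumes the gateway script provides the $IPTABLES, $EXTIF, $IPADDR and $CORE variables and the enableServer/enableClient helpers with the shape the snippet above uses; the stub helpers, the example addresses and the sample iptables-save output below are all constructed for the demonstration, and by default the script only prints the rules (dry run) rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-port
# DNAT/FORWARD rules for any list of ports, and verify them afterwards.

# Dry run by default: IPTABLES=iptables forward_ports ... applies them for real.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-eth0}"
IPADDR="${IPADDR:-203.0.113.10}"   # gateway external address (constructed, documentation range)
CORE="${CORE:-10.0.0.5}"           # core server address (constructed)

# Stand-ins for the gateway's own enableServer/enableClient helpers. Their
# argument order (name proto port addr) is assumed from the snippet above;
# on the real box these functions already exist and these stubs are not needed.
enableServer() { echo "enableServer $1 $2 $3 $4"; }
enableClient() { echo "enableClient $1 $2 $3 $4"; }

# forward_port NAME PORT: emit the same rules the post adds for one port.
forward_port() {
    name=$1
    port=$2
    echo " $name port"
    enableServer "$name" "tcp" "$port" "$IPADDR"
    enableClient "$name" "tcp" "$port" "$IPADDR"
    # rewrite the destination to the core, then allow the hairpin forward
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$IPADDR" --dport "$port" --sport 1024:65535 -j DNAT --to "$CORE:$port"
    $IPTABLES -A FORWARD -p tcp -i "$EXTIF" -o "$EXTIF" -d "$CORE" --dport "$port" --sport 1024:65535 -m state --state NEW -j ACCEPT
}

# forward_ports "name:port name:port ...": masquerade once, then one block per port.
forward_ports() {
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    for spec in $1; do
        forward_port "${spec%%:*}" "${spec#*:}"
    done
}

# check_forwarded SAVEFILE PORT: given `iptables-save` output in SAVEFILE,
# succeed only if both the DNAT rule to $CORE:PORT and the matching FORWARD
# ACCEPT rule are present. iptables-save prints DNAT targets as --to-destination.
check_forwarded() {
    grep -q -- "--dport $2 .*-j DNAT --to-destination $CORE:$2\$" "$1" &&
    grep -q -- "-A FORWARD .*-d $CORE/32 .*--dport $2 .*-j ACCEPT" "$1"
}

# Constructed sample of iptables-save output after a restart in which 8268 and
# 8269 were forwarded but the 8270 block was left out, to show the check failing.
SAMPLE_SAVE="${TMPDIR:-/tmp}/ldgw-sample-save.$$"
trap 'rm -f "$SAMPLE_SAVE"' EXIT
cat > "$SAMPLE_SAVE" <<'EOF'
*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 8268 -j DNAT --to-destination 10.0.0.5:8268
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 8269 -j DNAT --to-destination 10.0.0.5:8269
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.0.0.5/32 -i eth0 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 8268 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.5/32 -i eth0 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 8269 -m state --state NEW -j ACCEPT
COMMIT
EOF

# Dry-run the three Handheld Manager ports, then check the sample ruleset.
forward_ports "scan:8268 control:8269 registration:8270"
for p in 8268 8269 8270; do
    if check_forwarded "$SAMPLE_SAVE" "$p"; then
        echo "port $p: forwarded to $CORE"
    else
        echo "port $p: NOT forwarded (rules missing)"
    fi
done
```

On the gateway itself, run `sudo iptables-save > /tmp/rules.txt` after the restart and point check_forwarded at that file instead of the sample. Because of the MASQUERADE rule, connections the core receives on these ports carry the gateway's address as their source, so the core's own logs will not tell you which handheld connected; keep that in mind when you audit or troubleshoot.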
In some cases your routing table also needs changes before the gateway can reach the required machines; that is beyond the scope of this doc, but any basic Linux networking guide will be of assistance (as long as it's talking about "ip route add" instead of "click the button that looks like a modem").

If you've installed the 8.7 SP3 or later version of Handheld, it will have asked you for your external IP and set this up ahead of time; otherwise, you'll need this configured too:
