Accessing vision client through NAT when backup server present

Is it possible to access a vision client behind NAT?

USER => firewall ( => primary server (
Where port 8088 and 8043 are forwarded (DNAT) from to

My gut says yes. What about when a backup server is involved?
Same architecture as above, but add as the backup server.
Now, there is no direct way for the USER to access, as the NAT rules are port specific and cannot be mapped to more than one host on the LAN ( side.

The symptom is that the client launcher will see the gateway and can add the applications to the list, but when you go to launch it, it connects for a split second (verified with tcpdump on primary) and then bails out.

What can be done about this? I don’t need the USER to have access to the backup in order to run off the primary. The user is just read only for occasional monitoring purposes.