Brian, it sounds to me like you are writing an NNTP proxy of sorts. At least that's how I'd approach it.

The way I would envision it is setting up a daemon that listens for the NNTP port and when someone connects to it a connection is made by the daemon (or a child of the daemon) in turn to the real NNTP server.

Actually... instead of a daemon let inetd kick it off.

As far as the clients inside your private cloud would be concerned they are talking to an NNTP server on whatever machine you set up the proxy on.

I realize that I have hand-waved all over the place on this but my blood sugars are heading south and I'm tired to boot...