
Port forwarding HTTPS 443 to port 3000

Hello everyone,

I have a question that I don't seem to be able to solve.

I want to redirect incoming traffic on port 443 to an internal server on port 3000.

This is the DNAT rule I have configured.

Now when I go to the following, HTTP://IPADDRESS:443, I get redirected to the correct page.

When I try to go to HTTPS://IPADDRESS I cannot make any connection. So the NAT rule is working, but HTTPS is not working.

My question is: is this a firewall setting I need to adjust, or is this something I need to adjust at the backend?

Kind regards,

Thomas



  • Hi Thomas,

    Welcome to the Sophos Community.

    I have 3 questions:

    1. Is port 3000 set to UDP or TCP, and is it the correct type (I'm sure you checked this)?

    2. Is there another rule above this rule that conflicts with it?

    3. When trying to access the resource/page, is anything displayed in the live log or firewall log?

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

    First of all, thanks for the reply.

    Answer to your questions:

    1. The port is set to TCP, but I've also changed it to UDP and UDP/TCP without success.

    2. I don't see any NAT rules that would conflict with it. I tried putting the NAT rule on top, but without success.

    3. In the firewall log I see this:

    This is what I see in the firewall logs.

    The strange thing is that when I go to http://myip:443 everything is correct and I see the GET page.

    If I go to https://myip I don't get the page.

    I suspect this is something more on the side of the web server, and about trying to redirect HTTPS to a port other than 443.

    Kind regards,

    Thomas
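The symptom Thomas describes (http://myip:443 shows the GET page, https://myip never connects) is what you get when a DNAT rule delivers the packets but the service behind it does not speak TLS: NAT only rewrites the destination IP and port, it never terminates TLS, so a browser's TLS ClientHello lands on a listener that expects an HTTP request line. The probe below is an added example, not code from the thread or from Sophos; it connects from the outside, tries a TLS handshake, and if that fails checks whether the same port answers plain HTTP instead. The loopback listener is a constructed stand-in for a plain-HTTP backend such as the one on port 3000.

```python
import socket
import ssl
import threading

# Added diagnostic (not from the thread): classify what a forwarded port
# actually speaks.  A DNAT rule never terminates TLS, so "443 -> 3000" only
# works over HTTPS if the service on 3000 speaks TLS itself.


def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'tls', 'plaintext-http', 'closed', 'silent' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we test the handshake, not the identity
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed: something terminates TLS on this port
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        pass  # ssl.SSLError, reset or timeout: the peer did not answer with a TLS record
    # Second connection: does the same port answer a plain HTTP request?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first = raw.recv(64)
    except socket.timeout:
        return "silent"
    except OSError:
        return "closed"
    if first.startswith(b"HTTP/"):
        return "plaintext-http"  # packets arrive, but nothing speaks TLS behind the DNAT
    return "silent" if not first else "unknown"


def start_plaintext_http_listener():
    """Constructed stand-in for a plain-HTTP backend (like the service on 3000):
    whatever bytes arrive, it answers with an HTTP status line.  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # a TLS ClientHello or an HTTP request line; it does not care
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Reserve and release a loopback port so that a probe against it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    backend = start_plaintext_http_listener()
    print("plain backend:", probe_port("127.0.0.1", backend))            # plaintext-http
    print("closed port:  ", probe_port("127.0.0.1", free_closed_port()))  # closed
```

Run it against the public IP and port 443 from outside the firewall: "plaintext-http" means the DNAT rule is fine and the fix belongs on the backend (enable TLS on the service, or put it behind something that terminates TLS, such as the WAF); "closed" or "silent" points back at the firewall rule or the interface.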

    This may be because of the way port 3000 is configured, and it is unable to redirect the port correctly. I am sure I have seen this error on the community, but am unable to find it.

    I am presuming you have tried this as a direct port to port (rather than port redirection)?

    Are you able to put this behind the WAF?

    That would effectively get the UTM to request the page and would display it properly, although there may be other reasons why this is not possible.


  • You did not show your http rule. Are you forwarding both protocols to the same port? That will not work.

  • Hallo Thomas and welcome to the UTM Community!

    I'm confused by the fact that your NAT rule is in position 66, but the Firewall Live Log shows that the traffic is handled by NAT rule #1.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Normally the NAT rule is in position 66, but for testing purposes I put it on the first line.

    Just to be sure there were no other rules active.

    So if I go to HTTPS://MYIP I clearly see this in the log files with the correct NAT rule.

  • Please show a picture of the Edit of your Service "HTTPS (All...". Also, confirm that your Host object "BEMOLUBU..." does not violate #3 in Rulz.

    Cheers - Bob
  • I also have the same question.

    I'm running out of WAN IPs and I want to make a whole bunch of network stuff visible but obfuscated so that I can use it for diagnostic/disaster purposes.

    e.g. iLO servers, temperature monitors

    So I have an empty WAN IP, 222.33.44.55.

    I wanted to redirect https://222.33.44.55:30031 to internal server https://10.10.11.31:443

    I wanted to redirect https://222.33.44.55:30181 to internal server https://10.10.11.181:443

    I wanted to redirect https://222.33.44.55:30182 to internal server https://10.10.11.182:443

    None of which actually work.

    Then I tried changing the listening port of my APC temperature monitor to 30031. Then I am no longer able to connect to it on https://10.10.11.31:30031

    So I suspect there might be a limited port range for HTTPS?

  • First of all, port translation is not necessary. You can reference an https (or http) site with a non-standard port using a colon as the qualifier in your web request, for example: https://example.com:30000/

    Second, you appear to be redirecting port 443 on UTM's primary (or only) public IP address. This port is normally reserved for User Portal, so at minimum you need to move User Portal to another port before your DNAT will work, although I suspect it will not work at all.

    Thirdly, DNAT provides no security, which is a problem because the bad guys are scanning your system for vulnerabilities. You propose taking a port that they might overlook (30000) and translating it to a port that they will definitely examine (443). This is crazy, unless you are a security researcher who is intentionally creating a honeypot.

    Instead:

    • Use WAF with a login page and 2-factor authentication.
      or
    • Use SSL VPN with 2-factor authentication, then reference the web sites within the VPN session.

    Either way, you need 2-factor authentication to keep the bad guys out of your network. The bad guys are also very good at password guessing attacks, and the Internet already has too many zombie botnet PCs.

    If you have a single public IP address, WAF allows you to configure multiple sites using separate target ports. If you have more than one IP, so that one can be dedicated to WAF, you can take advantage of its support for SNI, which allows you to overlay multiple host names on a single IP+Port, typically port 443.

  • Hi. OK, found the problem: the interface I was redirecting for was in the [off] position.

    Once I turned it on, the redirection worked.

    I'll figure out the WAF later.

    My passwords are 14 digits long, though. Brute force or dictionary is pointless (though getting keylogged would be an issue).