
Configure specific weblink to specific internal IP for Remote desktop

We would like to achieve the following:
In Remote Desktop (Windows) we want to be able to enter xx.domain.nl and have that specific link go to a specific internal IP (192.168.1.xx).

I made the entries in our DNS for the xx part so it actually points to us.

After that I made 2 DNAT records like this:

 

The problem is that the DNAT rule for vm63.domain.nl also catches all other xx.domain.nl names and forwards them to the same IP. So whether I go to vm63.domain.nl or to xx.domain.nl, I always end up on the same internal IP, for example 192.168.1.63.

It looks like the UTM doesn't differentiate between xx.domain.nl and yy.domain.nl; it uses the first NAT rule it finds.

Is it possible to let it work for each specific link differently?



  • Hello Gerbrand,

    this is not the way a packet filter works, and BTW: what you are trying to do is dangerous!

    An object inside the Sophos SG UTM firewall for a fully qualified domain name is just a translation to an IP address, which is then fed into a packet filter rule. This is IP only; there is no way to differentiate between URLs like a web proxy or an application-based security appliance could do.

    You could use different ports, like 3389 for the first (internal) RDP server, 3390 for the second and so on. Then you could define this port in "mstsc.exe" as the destination port of the server and use different DNAT rules to translate from 3390 to 3389 (internal), 3391 to 3389 (internal) and so on.

    But: this is ugly and dangerous and I do not recommend it at all. If you have fixed IP addresses outside and you can define these addresses as the source where the RDP requests are coming from, OK.

    Do not open this for anybody and all public IP addresses!

    Why are you not using a VPN-Client for this?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

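To make the point of the answer concrete, here is an added example (not code from the thread, from Sophos or from the UTM) that models how a packet filter sees the two RDP connections. The DNS table, the rule sets and the public addresses 198.51.100.10 and 203.0.113.0/24 are all constructed for the illustration: two FQDN objects that resolve to the same public address produce two rules with identical match criteria, so the first one wins for both hostnames; keying each rule on a distinct external port and restricting the source to fixed addresses is what separates them again.

```python
"""Model of how a DNAT table matches an incoming RDP connection.

Added example, not from the original thread or from Sophos. DNS entries,
rule sets and public addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed DNS: both hostnames point at the same public address,
# which is exactly the situation in the original question.
DNS = {
    "vm63.domain.nl": "198.51.100.10",
    "vm64.domain.nl": "198.51.100.10",
}


@dataclass(frozen=True)
class DNATRule:
    name: str
    dst_ip: str                      # what the FQDN object resolves to
    dst_port: int                    # external (public) port
    to_ip: str                       # internal RDP host
    to_port: int = 3389              # internal RDP port
    src_net: Optional[str] = None    # restrict to fixed client addresses

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """The filter sees only addresses and ports; the hostname is gone."""
        if dst_ip != self.dst_ip or dst_port != self.dst_port:
            return False
        if self.src_net and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        return True


def dnat(rules, src_ip: str, hostname: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Resolve the name the way the client does, then walk the rule table
    top to bottom and return the first translation that matches (or None
    if no rule matches, i.e. the connection is not forwarded)."""
    dst_ip = DNS[hostname]
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.to_ip, rule.to_port
    return None


# The original poster's setup: one rule per FQDN object, same external port.
# Both rules resolve to the same dst_ip/dst_port, so they are identical
# from the packet filter's point of view.
NAME_KEYED = [
    DNATRule("vm63", DNS["vm63.domain.nl"], 3389, "192.168.1.63"),
    DNATRule("vm64", DNS["vm64.domain.nl"], 3389, "192.168.1.64"),
]

# The answer's workaround: a distinct external port per internal host,
# and the source limited to fixed office addresses (constructed range).
PORT_KEYED = [
    DNATRule("vm63", "198.51.100.10", 3389, "192.168.1.63", src_net="203.0.113.0/24"),
    DNATRule("vm64", "198.51.100.10", 3390, "192.168.1.64", src_net="203.0.113.0/24"),
]


if __name__ == "__main__":
    # Name-keyed rules: vm64 lands on vm63, the first matching rule.
    print(dnat(NAME_KEYED, "203.0.113.5", "vm64.domain.nl", 3389))
    # Port-keyed rules: port 3390 reaches vm64 from an allowed source ...
    print(dnat(PORT_KEYED, "203.0.113.5", "vm64.domain.nl", 3390))
    # ... and is dropped from an address outside the allowed range.
    print(dnat(PORT_KEYED, "192.0.2.7", "vm64.domain.nl", 3390))
```

With the port-keyed rules the client has to name the port explicitly, for example `mstsc /v:vm64.domain.nl:3390`; the hostname itself still plays no part in the match, which is why the answer recommends a VPN over exposing RDP this way.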