
I cannot connect (internally) to the company's website published on the Internet

Internally, I cannot access the address https://webmail.mydomain.com, or any other site that was published by Sophos UTM 9. What rule must I release to be able to access the publications made by Sophos through my internal network?


Thanks,

Carlos Lima.



  • Hi Carlos,

    Is your external domain name the same as your internal domain name?

    From that, do you have a static DNS forward for anything to domain.com to talk to your internal DC?

    Regards,

    Emile

  • Emile,


    Internal  = mycompany.local

    External = mycompany.org.br

    My internal DNS forwards queries to the external DNS. I believe it is not a DNS query problem, because internally the query for the company's domain is resolved. I believe it is a rule in Sophos...


    Thanks Emile.

  • Can you post the results of the basic stuff like nslookup, telnet via port 80/443, etc.?

    Look at the Sophos UTM Firewall logs to see the request going to that URL/IP to see if there is a default drop going on.

  • No worries, DNS is the first place to start with this kind of thing as it is a primary cause of issues.

    When you're connected internally, are you using the UTM as a proxy or transparent for web filtering?

    Next up is Fruity's suggestion of what is being shown with an NSLookup.

    Cheers,

    Emile

  • Hey guys,


    NSLOOKUP:

    C:\Users\Administrator>nslookup webmail.mydomain.org.br
    Server:  dns.mydomain.local
    Address:  192.168.0.11

    There is no authorization response:
    Nome:    mail.mydomain.org.br
    Address:  [privateIP]
    Aliases:  webmail.mydomain.org.br

    TELNET:

    root@server:~$ telnet webmail.mydomain.org.br 443
    Trying [privateIP]...
    telnet: Unable to connect to remote host: Connection timed out

    Apparently it is port 443 that is not open to the internal network. But I released port 443 bound to the external interface without success!

  • Emile,

    Yes, I am using the UTM as a transparent proxy for web filtering!

  • Hi Carlos,

    Just a couple more questions:

    1. Are you using your internal DNS as the primary (looks like you are)?
    2. Are you only wanting users to access the webserver through the UTM?
    3. Is your webserver set up to deny access to other IPs?

    What I've been tempted to do in the past is make the internal DNS actually point to the external IP of the webserver for the address. That way it will bounce out of the UTM and back in via the Reverse Proxy instead so everyone is accessing the same system in the same way :)

    Regards,

    Emile

  • If you are running an internal DNS server, simply create the outside zone (in your case = mycompany.org.br) on your internal DNS server and then add the A record (webmail) to that zone, making sure it points toward your internal IP address.

    That way, when clients are on your network and want to access webmail, your internal DNS server will point them towards the internal address.

  • Emile,

    Answering your questions:

    1. Yes, the DNS is an internal server. It resolves my external domain;

    2. No. Access has no blocks. This happens with any public name for the external interface. It can be www.mydomain.org.br, app.mydomain.org.br, or any other;

    3. In the mail server, Zimbra, the rules are the standard. No lockout.

    For any local access, I created the rule releasing the HTTPS protocol "ANY". How do I publish the name "webmail.mydomain.org"?

    Thanks Emile.

  • Louis,

    My internal DNS resolves my external domain. No need to have this redundancy. I firmly believe that it is a rule in Sophos.

    One question: has this never happened to you?

    How do you publish the rule for access to any publication?

    Very strange to me!

    I grant access "anywhere" and do not know why this happens.

    Thanks.
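
The nslookup and telnet checks requested in this thread, combined into one script that also reports whether the name resolves to an internal or an external address. This is an added example, not part of any post above; the function names, the hint texts, and the sample host and address are assumptions made for illustration.

```python
import ipaddress
import socket

def classify_path(address):
    """Which path does a client take, given the address DNS returned?"""
    ip = ipaddress.ip_address(address)
    # Private/loopback answer: the client goes straight to the server's LAN
    # address. Public answer: the client goes to the firewall's external
    # address and reaches the site through the published service.
    return "internal" if (ip.is_private or ip.is_loopback) else "external"

def probe_tcp(address, port, timeout=3.0):
    """Same check as `telnet host port`, separating a drop from a reject."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # no answer at all: packets silently dropped
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing accepting on that port
    except OSError as exc:
        return "error: %s" % exc

# Hypothetical hint texts keyed by (path, probe state).
HINTS = {
    ("internal", "timeout"): "LAN-to-server traffic is dropped; look for a default drop in the firewall log",
    ("internal", "refused"): "server reachable but not listening on this port",
    ("external", "timeout"): "traffic to the published address is dropped; check the firewall log",
    ("external", "refused"): "published address reachable but nothing accepts this port",
}

def diagnose(hostname, port, resolve=socket.gethostbyname, probe=probe_tcp):
    """Resolve, classify and probe; resolve/probe are injectable for offline use."""
    address = resolve(hostname)
    path, state = classify_path(address), probe(address, port)
    hint = "reachable" if state == "open" else HINTS.get((path, state), "see probe state")
    return {"host": hostname, "address": address, "path": path, "state": state, "hint": hint}

if __name__ == "__main__":
    # Constructed sample: the internal resolver returned a private address and
    # the connection timed out, as in the output posted in the thread.
    sample = diagnose("webmail.example.test", 443,
                      resolve=lambda h: "192.168.0.20",
                      probe=lambda a, p: "timeout")
    print(sample)
```

Run it from an internal client with the real resolver and probe by calling `diagnose("<hostname>", 443)`; a `timeout` state is the case worth matching against the firewall log.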