Publish app server and TCP port to internet - WAF or DNAT?

Hi

I'm running ASG software UTM v9.411 which is installed as a backend proxy.  UTM has internal and DMZ interfaces and edge firewall NATs public facing IPs through to UTM DMZ interface additional IPs for my WAF standard HTTP/S webserver rules which are working fine.

I now need to publish an application server to the internet so that my app devs can roll out an android app.  The app connects to a FQDN.  The app connects to the app server over a non web TCP port e.g. TCP.4321.  I've tested using WAF for the FQDN and DNAT for the custom port and I'm obviously doing something wrong.  Get so far with DNAT but can't work out where the issue is.

My DNAT rule

No Group, position 1 (no other DNAT rules)

DNAT (Destination)

Matching Condition

For traffic from: Any

Using Service:  custom defined service definition e.g. TCP.4321

Going to:  External (WAN) "server DMZ listener IP" [Address] where this is the additional IP added to the external interface

Action

Change the destination to: "internal app server network definition"

Automatic firewall rule & Log initial packets both ticked

My app dev can successfully test from his smartphone over the internal network so we know that the app can connect to the app server directly.

When he tests over an external 4g connection he gets a connection error.  Firewall log shows a single entry

TIME   NAT rule #1   TCP   SOURCEIP:37177   →  UTMAdditionalIP:4321   [SYN]   len=60   ttl=47   tos=0x00   srcmac=MAC ADDRESS   dstmac=MAC ADDRESS

Edge firewall logs looked clear and nothing is showing in my WAF log presumably because the traffic is hitting DNAT first but I'm assuming that I can't do this with WAF anyway?

For info, my WAF rule Virtual Server is set as Encrypted (HTTPS) & redirect with a port set to the custom port e.g. 4321 and a certificate appropriate to the FQDN.  I've also set the custom port in the port field for the Encrypted (HTTPS) Real Webserver definition.
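When a DNAT publication stalls like this, the single most useful thing to pull out of the Firewall live log is whether the UTM ever saw anything other than the client's SYN for that flow: a client that keeps re-sending SYN from the same source port is telling you it never received a SYN/ACK, and the direction of whatever packets were logged tells you which hop to look at next. The parser below is an added example (not code from the original post or from Sophos); it assumes the column layout of the UTM log view shown above (time, rule label, protocol, src:port → dst:port, TCP flags, key=value fields), and the sample lines, rule labels and documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout the UTM "Firewall" live log view renders
# (assumed column order; addresses are RFC 5737 documentation placeholders).
# The first two lines mimic the poster's symptom: repeated SYN on the DNAT rule
# with no reply ever logged. The last three lines are a healthy internal
# handshake for comparison.
SAMPLE_LOG = """\
12:01:05  NAT rule #1  TCP  203.0.113.10:37177 → 198.51.100.5:4321  [SYN]  len=60 ttl=47 tos=0x00 srcmac=00:00:5e:00:53:01 dstmac=00:00:5e:00:53:02
12:01:06  NAT rule #1  TCP  203.0.113.10:37177 → 198.51.100.5:4321  [SYN]  len=60 ttl=47 tos=0x00 srcmac=00:00:5e:00:53:01 dstmac=00:00:5e:00:53:02
12:01:09  Packet filter rule #5  TCP  192.0.2.25:51000 → 192.0.2.80:4321  [SYN]  len=60 ttl=64 tos=0x00 srcmac=00:00:5e:00:53:03 dstmac=00:00:5e:00:53:04
12:01:09  Packet filter rule #5  TCP  192.0.2.80:4321 → 192.0.2.25:51000  [SYN,ACK]  len=60 ttl=64 tos=0x00 srcmac=00:00:5e:00:53:04 dstmac=00:00:5e:00:53:03
12:01:09  Packet filter rule #5  TCP  192.0.2.25:51000 → 192.0.2.80:4321  [ACK]  len=52 ttl=64 tos=0x00 srcmac=00:00:5e:00:53:03 dstmac=00:00:5e:00:53:04
"""

# One rendered log line: time, "<something> rule #N", protocol, src:port, arrow,
# dst:port, optional [FLAGS], then free-form key=value pairs.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<rule>.+?rule #\d+)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?:→|->)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+\[(?P<flags>[^\]]*)\])?(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one rendered log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = tuple(f.strip() for f in (rec["flags"] or "").split(",") if f.strip())
    rec["fields"] = dict(KV_RE.findall(rec.pop("rest")))  # len, ttl, tos, srcmac, ...
    return rec


def flow_key(rec):
    """Direction-independent key so both halves of a conversation land in one bucket."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (rec["proto"],) + (a + b if a <= b else b + a)


def summarize(text):
    """Per TCP flow: rules that matched, number of bare SYNs, whether any ACK-bearing
    packet (SYN/ACK from the server or ACK from the client) was ever logged."""
    flows = defaultdict(lambda: {"rules": set(), "syn_from_client": 0,
                                 "reply_seen": False, "dst": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        f = flows[flow_key(rec)]
        f["rules"].add(rec["rule"])
        if rec["flags"] == ("SYN",):
            f["syn_from_client"] += 1
            f["dst"] = f"{rec['dst']}:{rec['dport']}"
        elif "ACK" in rec["flags"]:
            f["reply_seen"] = True
    return flows


def stalled_flows(text):
    """Flows where the client sent SYN (possibly several times) and nothing with
    ACK set was ever logged: the handshake never completed from the UTM's view."""
    return sorted(
        ((key, f) for key, f in summarize(text).items()
         if f["syn_from_client"] >= 1 and not f["reply_seen"]),
        key=lambda kv: kv[0],
    )


if __name__ == "__main__":
    for key, f in stalled_flows(SAMPLE_LOG):
        print(f"stalled: {key[1]}:{key[2]} <-> {key[3]}:{key[4]} "
              f"rules={sorted(f['rules'])} syn_count={f['syn_from_client']} target={f['dst']}")
```

Run it against a copy-paste of the live log filtered on the custom port; a flow listed as stalled with a rising SYN count and the DNAT rule as its only match means the UTM accepted and translated the packet but never logged a SYN/ACK coming back, which narrows the search to the path between the UTM's DMZ interface and the app server (routing, the server's own listener or host firewall, or the reply leaving via a different gateway) rather than to the edge firewall. Note that with "Log initial packets" the UTM only logs the first packet of each connection, so a healthy flow will also show a lone SYN; the retransmitted SYNs from the same source port are the signal, not the absence of later lines.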