Hi there,
We have an XG Firewall setup running "SFOS 17.1.2 MR-2". I have been trying today to get a server on the LAN which hosts a web interface to be accessible externally. The documentation for this server says it requires a reverse proxy setup, which I have done. I have tried to port forward to the reverse proxy as well, but that does not seem to work: if I port forward to the reverse proxy and go to PUBLIC_IP:80, the reverse proxy just sends back the internal server name and tells the web browser to go to that.
Server IP: 192.168.0.50
Reverse Proxy (Ubuntu) IP: 192.168.0.51
I tried the following:
1.) Hosts and Services > IP Host > Create an IP host for 192.168.0.51
2.) Hosts and Services > Services > "Add" a new service with "TCP/UDP", Source Port "1:65535", Destination Port "80"
3.) Firewall > DNAT Rule :
Source Zones: Any
Allowed Client Networks: Any
Destination host/Network*: Port1 - PUBLICIP
Services: Used new entry created in step 2
Protected Servers: Used new entry created in step 1
Protected Zone: LAN
Enabled "Rewrite source address (Masquerading)"
With the above, when I go to PUBLICIP:80, the reverse proxy tells the web browser to go to https://INTERNAL_SERVER_NAME/example_path/example_index.jsp
I then tried the following:
1.) Hosts and Services > IP Host > Create an IP host for 192.168.0.51
2.) Hosts and Services > Services > "Add" a new service with "TCP/UDP", Source Port "1:65535", Destination Port "80"
3.) Web Server > Created a web server, Host "192.168.0.51", type "HTTP", Port "80"
4.) Firewall > WAF:
Hosted Address: Port 1-PUBLICIP
Listening Port: 80
Web server List: Used new entry created in step 3
Allowed Client Networks: Any IPv4
When I go to PUBLICIP:80, the URL it tries to redirect to is https://PUBLICIP/example_path/example_index.jsp. This always comes back with "You do not have permission to access / on this server". I've tried the "Path-specific routing" and "Exceptions" options, but that did not make any difference. Could this also be a misconfiguration on the reverse proxy?
Any help is appreciated.
Hi,
you are sending port 80 to the server, but you are showing an error for port 443. Please review the log viewer report and show what you see when you try to connect to the server.
What does your browser show as the connection type? A number of browsers default to HTTPS, so you might need to be explicit with your URL.
Ian
XGS118 - v21.5.0
XG115 converted to software licence v21.5.0
If a post solves your question please use the 'Verify Answer' button.
OK, for the moment I've removed the reverse proxy from the equation. Now I'm simply trying to access an internal web server externally; this server requires HTTPS as it provides a login interface.
Web Server: 192.168.0.50
1.) I've changed the Sophos XG's User Portal port from 443 to another port.
2.) Created a DNAT rule to allow HTTPS to 192.168.0.50
When I go to https://PUBLIC_IP it seems to be hitting the internal server, but then I get a response telling the web browser to go to https://INTERNAL_SERVER_NAME/example_path/example_file.jsp. I've tried googling quite a bit but can't seem to find a way to get this to work.
Hi,
to access an internal device from an external site you should be using a business rule with a DNAT.
Ian
So I created a single IP Host entry and a DNAT rule to allow HTTP and HTTPS to that IP Host; below is a screenshot of the rule. When I go to https://PUBLIC_IP, the internal server seems to send back https://INTERNAL_SERVER_NAME/example_path/example_file.jsp, which of course won't work.
Hi,
I think the returned information is correct, because you would need to be using an FQDN to get the correct name returned. So the server is returning the only name it has, and it does not know about the external address.
Ian
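To illustrate the point made above (the backend only knows its internal name, so something in front of it has to present the public one), here is an added example that is not from this thread or from Sophos: the Location-header rewrite a reverse proxy performs on a backend redirect, which is what nginx's `proxy_redirect` and Apache's `ProxyPassReverse` do. The public hostname `public.example.com` and the sample backend response are constructed placeholders.

```python
# Added example (not from the thread): rewrite a backend's redirect so an
# external client is sent to the public FQDN instead of the internal name.
from urllib.parse import urlsplit, urlunsplit

# Names the backend uses for itself (lowercase; urlsplit lowercases hostnames).
INTERNAL_NAMES = {"internal_server_name", "192.168.0.50"}
PUBLIC_HOST = "public.example.com"  # assumed FQDN resolving to the XG's WAN address


def rewrite_location(location: str, public_host: str = PUBLIC_HOST,
                     public_scheme: str = "https",
                     internal_names=INTERNAL_NAMES) -> str:
    """Return the Location value the external client should receive.

    Absolute URLs naming the backend are rewritten to the public scheme and
    host, keeping path, query and fragment; any internal port is dropped
    because the public side is reached on the DNAT/WAF listening port.
    Relative Locations and redirects to other hosts are left untouched: the
    browser resolves relative ones against the public URL it already used.
    """
    parts = urlsplit(location)
    if parts.hostname is None or parts.hostname not in internal_names:
        return location
    return urlunsplit((public_scheme, public_host, parts.path, parts.query,
                       parts.fragment))


def rewrite_response_headers(headers: dict) -> dict:
    """Apply rewrite_location to every Location header (case-insensitive)."""
    out = dict(headers)
    for key, value in headers.items():
        if key.lower() == "location":
            out[key] = rewrite_location(value)
    return out


# Constructed sample: the redirect the thread's backend returns to the proxy.
BACKEND_REDIRECT = {
    "Status": "302 Found",
    "Location": "https://INTERNAL_SERVER_NAME/example_path/example_index.jsp",
}

if __name__ == "__main__":
    print(rewrite_response_headers(BACKEND_REDIRECT)["Location"])
```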
Is there a way to get the traffic to go through the XG Firewall, or to keep everything going through the XG so it does not return the internal server name?
I am sorry, but I don't know the answer to your question; we will have to rely on one of the mods or more experienced posters to assist.
You could try using something like DynDNS to create your own domain.
Ian