Hi All:
Our Sophos is a UTM-330 running 9.605-1 in a HA active/passive configuration.
We have a /28 block of IPs from our two ISPs, one primary on fiber, the secondary on ADSL.
One of the static IPs has a DNAT set up to access an internal IIS server using a non-standard port. We have one URL for the primary and another for the secondary ISP connection. There is a second DNAT for the secondary URL. They both have a "using service" with the appropriate ports in it. Then both have a "change to" the internal IP of the IIS server. There is no "and change the service to", as the IIS is set to work directly with the non-standard ports.
In the DNAT, should the "For Traffic From" be "any" or "internet"? It was set to "any", but I was doing some testing and set it to "internet" to test.
It worked fine, then started doing some strange things.
When, from the outside world, I tried connecting to the URL for both the primary and secondary ISP connections, it would first ask about running Java, then come up with the Sophos logon screen rather than the IIS server's application logon. I changed the DNAT back to "any" and it immediately resolved. Then, to test, I changed it back to "Internet", and it still worked.
There is an accompanying firewall rule (don't have the NAT doing automatic firewall rules), set for "Internet" using the appropriate ports, to go to the internal address of the IIS server.
That, I guess, brings up a question about NAT and the meaning of "Internet" vs "any". And why did it work fine, then start acting strange?
First, within the context of NAT-ing, should the "coming from" be "Any" or "Internet"?
And any idea as to why it would work for a while, then start acting strange, popping up the Sophos logon screen rather than the IIS server logon?
Could any of this have to do with the HA?
Thanks!
John S.
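To make the "any" vs "Internet" question concrete, here is an added Python model of the two-stage evaluation the post describes (DNAT first, then the separate firewall rule). It is example code written for this page, not the poster's configuration or anything from Sophos. The addresses, interface names and port are constructed, and the meaning given to "Internet" (a non-internal source address arriving on an external interface) is an assumption of the model; the real network definition on the UTM is what has to be checked in WebAdmin.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample values (RFC 5737 documentation ranges), not the poster's real ones.
PUBLIC_IIS_IP = "203.0.113.10"       # one address from the /28, reachable via the primary ISP
INTERNAL_IIS_IP = "192.168.10.20"    # the internal IIS server, the DNAT "change to" target
INTERNAL_NETS = [ip_network("192.168.0.0/16")]
EXTERNAL_IFACES = {"eth1", "eth2"}   # assumption: both ISP uplinks count as external interfaces
NONSTD_PORT = 8443                   # assumption: the non-standard port IIS listens on


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass
class DNATRule:
    traffic_from: str                         # "any" or "internet"  ("For traffic from")
    going_to: str                             # public address being forwarded
    service_port: int                         # "using service"
    change_to: str                            # internal address
    change_service_to: Optional[int] = None   # "and change the service to"; None keeps the port


@dataclass
class FirewallRule:
    source: str                               # "any" or "internet"
    destination: str
    dport: int
    action: str                               # "allow" or "drop"


def source_matches(selector: str, pkt: Packet) -> bool:
    """Model of the two source selectors. 'any' places no condition on the source.
    Assumption: 'internet' means a non-internal source arriving on an external interface."""
    if selector == "any":
        return True
    if selector == "internet":
        src = ip_address(pkt.src)
        return pkt.in_iface in EXTERNAL_IFACES and not any(src in net for net in INTERNAL_NETS)
    raise ValueError(f"unknown selector {selector!r}")


def apply_dnat(rules: List[DNATRule], pkt: Packet) -> Optional[Packet]:
    """First matching DNAT rewrites the destination (and optionally the port); None if none hits."""
    for r in rules:
        if (source_matches(r.traffic_from, pkt)
                and pkt.dst == r.going_to and pkt.dport == r.service_port):
            return Packet(pkt.src, r.change_to, r.change_service_to or pkt.dport, pkt.in_iface)
    return None


def firewall_allows(rules: List[FirewallRule], pkt: Packet) -> bool:
    """Filter rules are checked against the already-translated packet; the default is drop."""
    for fr in rules:
        if source_matches(fr.source, pkt) and pkt.dst == fr.destination and pkt.dport == fr.dport:
            return fr.action == "allow"
    return False


def deliver(dnats: List[DNATRule], fw: List[FirewallRule], pkt: Packet) -> Tuple[str, str, int]:
    """Return (outcome, final destination IP, final port).
    'forwarded': DNAT hit and the firewall allowed it.
    'dropped': DNAT hit but no allow rule matched the translated packet.
    'not_translated': no DNAT hit, so the packet stays addressed to the UTM-owned
    public IP and never reaches the IIS server."""
    translated = apply_dnat(dnats, pkt)
    if translated is None:
        return ("not_translated", pkt.dst, pkt.dport)
    if not firewall_allows(fw, translated):
        return ("dropped", translated.dst, translated.dport)
    return ("forwarded", translated.dst, translated.dport)


def build_policy(traffic_from: str) -> Tuple[List[DNATRule], List[FirewallRule]]:
    """One DNAT with the chosen source selector plus the accompanying 'Internet' firewall rule."""
    dnats = [DNATRule(traffic_from, PUBLIC_IIS_IP, NONSTD_PORT, INTERNAL_IIS_IP)]
    fw = [FirewallRule("internet", INTERNAL_IIS_IP, NONSTD_PORT, "allow")]
    return dnats, fw


# Constructed test traffic: an outside client via the primary uplink, and a LAN host
# trying the public address from inside (a hairpin attempt).
EXTERNAL_CLIENT = Packet("198.51.100.77", PUBLIC_IIS_IP, NONSTD_PORT, "eth1")
LAN_CLIENT = Packet("192.168.10.50", PUBLIC_IIS_IP, NONSTD_PORT, "eth0")

if __name__ == "__main__":
    for selector in ("any", "internet"):
        dnats, fw = build_policy(selector)
        print(selector, "external client:", deliver(dnats, fw, EXTERNAL_CLIENT))
        print(selector, "LAN client:     ", deliver(dnats, fw, LAN_CLIENT))
```

Under this model an outside client is forwarded to the IIS server with either selector; the two differ only for traffic that is not "from the Internet", such as the LAN hairpin, which "any" still translates (and the "Internet" firewall rule then drops) while "internet" never translates, leaving the packet addressed to the UTM's own public IP. Whatever answers on that IP and port is the UTM itself, so a mismatch between what the DNAT's source selector accepts and where the traffic actually arrives is the first thing to verify against the real network definitions.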