
Serving webservers using WAF upon UTM9

Hello,

I am trying to configure the UTM9 Webserver Protection feature to manage several domain names, routing to specific web servers in the DMZ, through my one and only public IP.


I have 2 DNS entries pointing to the same public IP:
sub1.mydomain.com
sub2.mydomain.com

I have a NAT rule on the router to forward incoming 443 traffic to the UTM9 WAN interface address.
I have 2 webservers in the DMZ (10.129.50.0):
webserver1 on 10.129.50.10
webserver2 on 10.129.50.11

The way it should work: accessing sub1.mydomain.com should redirect traffic to webserver1, accessing sub2.mydomain.com should redirect traffic to webserver2. Well.

I configured each virtual webserver with the correct FQDN (sub1.mydomain.com for one and sub2.mydomain.com for the other).
As all 443 traffic is NATed from the router to the UTM9 WAN interface, an incoming request on port 443 from outside should hit the Webserver Protection, which should match the incoming request (sub1.mydomain.com) to the right virtual webserver, the one which has domain sub1.mydomain.com.
Right?


With this configuration:

  • From outside:

https://sub1.mydomain.com --> 👍
https://sub2.mydomain.com --> timeout.

  • From the wired LAN network:

https://sub1.mydomain.com --> 403 Forbidden
10.129.50.10 --> 👍

https://sub2.mydomain.com --> 👍
10.129.50.11 --> 👍

😓 Where is my mistake(s)?

Do I have to set additional NAT rules on UTM9? If so, what is the best-practice rule?

Thanks for your help,


Well, here is my progress:

In the virtual webservers, I selected Interface "External WAN Address" and type HTTPS+redirect.

Now from outside:

sub1.mydomain.com --> 👍
sub2.mydomain.com --> 👍

But from the LAN network...:

sub1.mydomain.com --> timeout
sub2.mydomain.com --> timeout

One step forward, one step backward 😒

The WAF log says:

2022:09:14-13:12:03 firewall httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="108" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="350" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyG3Ay_a0LMopbPNsKk31wAAACA"

Is it a loopback problem or something similar? If so, I suppose this is the point to set up NAT rules for LAN users? Any help appreciated...
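When reading entries like the one above, it helps to split the UTM 9 WAF httpd log format into its key="value" fields and set aside the WAF's own loopback poll of /lb-status, which is what the quoted line is (srcip and localip are both 127.0.0.1, the request never came from a LAN client). The following is an added example written for this thread, not code from the original post or from Sophos; the second sample line is constructed (RFC 5737 documentation addresses, made-up uid) to stand in for a real client hit on the sub1 virtual webserver.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Two sample lines in the UTM 9 WAF (httpd) log format. The first is the line
# quoted in the post; the second is CONSTRUCTED (RFC 5737 documentation
# addresses, made-up uid) to represent a client request hitting the sub1 vhost.
SAMPLE_LOG = """\
2022:09:14-13:12:03 firewall httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="108" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="350" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyG3Ay_a0LMopbPNsKk31wAAACA"
2022:09:14-13:12:05 firewall httpd: id="0299" srcip="192.0.2.10" localip="198.51.100.5" size="512" user="-" host="sub1.mydomain.com" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="1200" url="/" server="sub1.mydomain.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="CONSTRUCTED0000000000000001"
"""

# Line shape: <timestamp> <device> httpd: key="value" key="value" ...
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<device>\S+)\s+httpd:\s+(?P<rest>.*)$')
# Keys may contain '-' (set-cookie) or '_' (websocket_scheme); values may be empty.
KV_RE = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_waf_line(line: str) -> Dict[str, str]:
    """Split one httpd log line into a dict of its fields."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a UTM httpd log line: {line!r}")
    entry = {"timestamp": m.group("ts"), "device": m.group("device")}
    entry.update(KV_RE.findall(m.group("rest")))
    return entry


def is_self_check(entry: Dict[str, str]) -> bool:
    """True for the WAF's own loopback poll of /lb-status (not a client hit)."""
    return entry.get("srcip") == "127.0.0.1" and entry.get("url") == "/lb-status"


def client_requests(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line and drop the self-check noise."""
    entries = (parse_waf_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if not is_self_check(e)]


def status_by_vhost(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group HTTP status codes by the Host header the client sent."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        out[e.get("host", "-")].append(e.get("statuscode", "-"))
    return dict(out)


if __name__ == "__main__":
    reqs = client_requests(SAMPLE_LOG)
    for e in reqs:
        print(f'{e["srcip"]} -> {e["host"]} {e["method"]} {e["url"]} status={e["statuscode"]} backend={e["server"]}')
    print(status_by_vhost(reqs))
```

Run it over a WAF log export (one line per entry) and only the real client hits per FQDN remain, so a 403 or a missing entry for sub1.mydomain.com from the LAN stands out immediately.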



  • Hi and welcome to the UTM Community!

    If your DNS configuration looks like DNS best practice, you have two choices:

    1. Have internal traffic skip WAF by having the FQDNs resolve to the local IPs of the Real Servers internally.
    2. Create similar Virtual Servers on an IP on your Internal interface and have internal DNS resolve the FQDNs to that IP.

    Did that work well?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA