Port forwarding HTTPS 443 to port 3000

Question

Hello everyone, 
 
 I have a question that I don't seem to be able to solve. 
 I want to redirect incoming traffic on the port 443 to an internal server port 3000

This is the DNAT rule I have configured. 
 Now when I go to the following HTTP://IPADDRESS:443 I get redirected to the correct page. 
 When I try to go to HTTPS://IPADDRESS I cannot make any connection? So the NAT rule is working but the HTTPS is not working. 
 My questions is this a firewall setting I need to adjust or is this something I need to adjust at the backend? 
 
 Kind regards, 
 Thomas

DouglasFoster · Answer

First of all, port translation is not necessary. You can reference an https (or http) site with a non-standard port using colon as the qualifier in your web request, for example: https:example.com:30000/ 
 Second, you appear to be redirecting port 443 on UTM's primary (or only) public IP address. This port is normally reserved for User Portal, so at minimum you need to move User Portal to another port before your DNAT will work, although I suspect it will not work at all. 
 Thirdly, DNAT provides no security, which is a problem because the bad guys are scanning your system for vulnerabilities. You propose taking a port that they might overlook (30000), and translating it to a port that they will definitely examine (443). This is crazy, unless you are a security researcher who is intentionally creating a honeypot. 
 Instead 
 
 Use WAF with a login page and 2-factor authentication. or 
 Use SSL VPN with 2-factor authentication, then reference the web sites within the VPN session. 
 
 Either way, you need 2-factor authentication to keep the bad guys out of your network. The bad guys are also very good at password guessing attacks, and the Internet already has too may zombie botnet PCs. 
 If you have a single public IP address, WAF allows you to configure multiple sites using separate target ports. If you have more than one IP, so that one can be dedicated to WAF, you can take advantage of its support for SNI, which allows you to overlay multiple host names on a single IP+Port, typically port 443.