I can not connect (internally) the company's website published on the Internet

Question

Internally, I can not access the address https://webmail.mydomain.com , as well as any other site that was published by sophos UTM 9. What must rule release to be able to access the publications made by sophos through my internal network ??? ? 
 Tnx, 
 
 Carlos Lima.

Emile Belcourt · Accepted Answer

Hi Carlos, 
 Just a couple more questions: 
 
 Are you using your internal DNS as the primary (looks like you are)? 
 Are you only wanting users to access the webserver through the UTM? 
 Is your webserver set up to deny access to other IPs? 
 
 What i've been tempted to do in the past is make the internal DNS actually point to the external IP of the webserver for the address. That way it will bounce out of the UTM and back in via the Reverse Proxy instead so everyone is accessing the same system in the same way :) 
 Regards, 
 Emile

Louis-M · Answer

If you are running an internal dns server, simply create the outside zone (in your case = mycompany.org.br) on your internal dns server and then add the A record (webmail) to that zone making sure it points toward you internal ip address. 
 That way, when clients are on your network and want to access webmail, your internal dns server will point them towards the internal address.

Louis-M · Answer

I've not had it happen on the UTM as I normally place our external domains on the internal dns so they resolve internally as above. 
 I know pFsense and other firewalls didn't like you going external to come back back in and they classed it as some sort of DNS rebinding attack. You had to specifically remove some of the protection on top of the firewall rules to get it to do this which it didn't advise. 
 We do go out to come back in on our network but purely for testing purposes and we go out of a different gateway to come back in on the target address. We don't use the same gateway to come back in on itself. 
 Going out to come back in isn't strickly efficient and probably not the best ways to do things.

Louis-M · Answer

no, it won't be DNS but more to do with the firewall & natting. If your external ip is eg 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that.

Firewalls.com Inc · Answer

Carlos, 
 Louis M makes a good point "If your external ip is eg 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that." 
 
 This is correct and in these cases we use the DNS loop back which is done using a Full NAT, mapping both the source and destination. However judging from the nslookup, it's resolving internally and unless we are on a different subnet the packets may not even be flowing through the firewall. 
 
 When accessing this are you on the same subnet as the web server? Also, was this working previously and we just put the Sophos in place, or is it a new web server?

Are the webmail and mail dots used in the nslookup and telnet tests just examples or is this a new deployment of OWA?