
I cannot connect (internally) to the company's website published on the Internet

Internally, I cannot access the address https://webmail.mydomain.com, nor any other site that was published by Sophos UTM 9. What rule must I release to be able to access the publications made by Sophos through my internal network?


Tnx,

Carlos Lima.



  • Hi Carlos,

    Just a couple more questions:

    1. Are you using your internal DNS as the primary (looks like you are)?
    2. Are you only wanting users to access the webserver through the UTM?
    3. Is your webserver set up to deny access to other IPs?

    What I've been tempted to do in the past is make the internal DNS actually point to the external IP of the webserver for the address. That way it will bounce out of the UTM and back in via the Reverse Proxy instead, so everyone is accessing the same system in the same way :)

    Regards,

    Emile

  • If you are running an internal DNS server, simply create the outside zone (in your case = mycompany.org.br) on your internal DNS server and then add the A record (webmail) to that zone, making sure it points toward your internal IP address.

    That way, when clients are on your network and want to access webmail, your internal DNS server will point them towards the internal address.

  • Emile,

    answering your questions:

    1. Yes, the DNS is an internal server. It resolves my external domain;

    2. No. Access has no blocks. This happens with any public name on the external interface. It can be www.mydomain.org.br, app.mydomain.org.br, or any other;

    3. In the mail server, Zimbra, the rules are the standard. No lockout.

    For any local access, I created the rule releasing the HTTPS protocol "ANY". How do I publish the name "webmail.mydomain.org"?

    Tnx Emile.

  • Louis,

    My internal DNS resolves my external domain. No need to have this redundancy. I firmly believe that it is a rule in Sophos.

    One question: has it never happened to you?

    How do you publish the rule for access to any publication?

    Very strange to me!!!!

    I grant access "anywhere" and do not know why this happens.

    Tnx.

  • I've not had it happen on the UTM as I normally place our external domains on the internal DNS so they resolve internally, as above.

    I know pfSense and other firewalls didn't like you going external to come back in and they classed it as some sort of DNS rebinding attack. You had to specifically remove some of the protection on top of the firewall rules to get it to do this, which it didn't advise.

    We do go out to come back in on our network, but purely for testing purposes, and we go out of a different gateway to come back in on the target address. We don't use the same gateway to come back in on itself.

    Going out to come back in isn't strictly efficient and probably not the best way to do things.

  • Emile,

    I tried to access the private IP on port 443 from outside my internal network, and I can access it (success). But when I try from my internal network, using the PRIVATE IP on port 443, I also cannot access it. The problem is not DNS (name resolution).

    I use the default access rules (Internal Network -> Web Surfing -> ANY). Do I need to create some other rule for access?

    Tnx guys...

  • I understood, Louis; you apply the best name-resolution practices. Very good! I will use this way also. But you understand what is happening is not DNS, in my case....

  • No, it won't be DNS but more to do with the firewall & NATting. If your external IP is e.g. 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that.

  • Carlos,

    Louis M makes a good point: "If your external IP is e.g. 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that."

    This is correct, and in these cases we use the DNS loopback, which is done using a Full NAT, mapping both the source and destination. However, judging from the nslookup, it's resolving internally, and unless we are on a different subnet the packets may not even be flowing through the firewall.
    When accessing this are you on the same subnet as the web server? Also, was this working previously and we just put the Sophos in place, or is it a new web server?
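    The two fixes discussed in this thread, Louis's split-DNS zone and the Full NAT loopback that Sophos support mentions, as an added Python example that is not code from the thread or from Sophos. It classifies which path a LAN client takes for a published name and emits the matching record or NAT mapping; every address and subnet in it is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder addressing standing in for "mydomain.org.br":
# none of these values come from the thread.
UTM_EXTERNAL_IP = "203.0.113.10"       # UTM WAN address (assumed)
UTM_INTERNAL_IP = "192.168.10.1"       # UTM LAN address (assumed)
WEBMAIL_INTERNAL_IP = "192.168.10.25"  # Zimbra host on the LAN (assumed)
LAN_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24"]  # assumed


def classify_access(client_ip, resolved_ip, server_ip=WEBMAIL_INTERNAL_IP,
                    external_ip=UTM_EXTERNAL_IP, lan_networks=LAN_NETWORKS):
    """Which path a client takes to the published host, given what its
    resolver returned for the name."""
    client = ipaddress.ip_address(client_ip)
    resolved = ipaddress.ip_address(resolved_ip)
    client_net = next((n for n in map(ipaddress.ip_network, lan_networks)
                       if client in n), None)
    if client_net is None:
        return "external"        # Internet client: the UTM's DNAT/reverse-proxy path works
    if resolved == ipaddress.ip_address(server_ip):
        if resolved in client_net:
            return "direct-lan"  # same subnet: packets never reach the UTM
        return "routed-lan"      # crosses the UTM: needs Internal -> HTTPS -> server rule
    if resolved == ipaddress.ip_address(external_ip):
        return "hairpin"         # LAN client targets the UTM's own public address
    return "unknown"


def split_dns_record(zone, host, internal_ip=WEBMAIL_INTERNAL_IP):
    """A record for the internal copy of the external zone (BIND syntax):
    Louis's fix, so LAN clients never leave the LAN for the name."""
    return f"{host}.{zone}. IN A {internal_ip}"


def hairpin_full_nat(lan_network, external_ip=UTM_EXTERNAL_IP,
                     server_ip=WEBMAIL_INTERNAL_IP, utm_lan_ip=UTM_INTERNAL_IP):
    """Full NAT that makes the hairpin work without split DNS: rewrite the
    destination to the internal server AND the source to the UTM's LAN
    address, so the server's reply returns via the UTM instead of going
    straight to the client and breaking the connection's state tracking."""
    return {
        "match": {"src": lan_network, "dst": external_ip, "service": "HTTPS"},
        "translate": {"dst": server_ip, "src": utm_lan_ip},
    }
```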
  • True! I created records in my internal DNS for the external domain pointing to the internal server, and it worked.

    Thank you so much guys.

    It's working now!!!!