
I cannot connect (internally) to the company's website published on the Internet

Internally, I cannot access the address https://webmail.mydomain.com, or any other site that was published by Sophos UTM 9. What rule must I release to be able to access the publications made by Sophos through my internal network?


Tnx,

Carlos Lima.



  • Hi Carlos,

    Is your external domain name the same as your internal domain name?

    From that do you have a static DNS forward for anything to domain.com to talk to your internal DC?

    Regards,

    Emile

  • Emile,


    Internal = mycompany.local

    External = mycompany.org.br

    My internal DNS forwards queries to the external DNS. I believe it is not a DNS query problem, because internally the query to the company's domain is resolved. I believe it is a rule in Sophos.....


    Thanks Emile.

  • Can you post the results of the basic stuff like nslookup, telnet via port 80/443, etc.?

    Look at the Sophos UTM Firewall logs to see the request going to that URL/IP, to see if there is a default drop going on.

  • No worries, DNS is the first place to start with this kind of thing as it is a primary cause of issues.

    When you're connected internally, are you using the UTM as a proxy or transparent for web filtering?

    Next up is Fruity's suggestion of what is being shown with an NSLookup

    Cheers,

    Emile

  • hey guys,


    NSLOOKUP:

    C:\Users\Administrator>nslookup webmail.mydomain.org.br
    Server:  dns.mydomain.local
    Address:  192.168.0.11

    There is no authorization response:
    Nome:    mail.mydomain.org.br
    Address:  [privateIP]
    Aliases:  webmail.mydomain.org.br

    TELNET:

    root@server:~$ telnet webmail.mydomain.org.br 443
    Trying [privateIP]...
    telnet: Unable to connect to remote host: Connection timed out

    Apparently it is port 443 that is not open to the internal network. But I released port 443 bound to the external interface without success!!!!

  • Emile,

    Yes, I am using the UTM as a transparent proxy for web filtering!!!

  • Hi Carlos,

    Just a couple more questions:

    1. Are you using your internal DNS as the primary (looks like you are)?
    2. Are you only wanting users to access the webserver through the UTM?
    3. Is your webserver set up to deny access to other IPs?

    What I've been tempted to do in the past is make the internal DNS actually point to the external IP of the webserver for the address. That way it will bounce out of the UTM and back in via the Reverse Proxy instead, so everyone is accessing the same system in the same way :)

    Regards,

    Emile

  • If you are running an internal DNS server, simply create the outside zone (in your case = mycompany.org.br) on your internal DNS server and then add the A record (webmail) to that zone, making sure it points toward your internal IP address.

    That way, when clients are on your network and want to access webmail, your internal dns server will point them towards the internal address.

  • Emile,

    answering your questions:

    1. Yes, the DNS is an internal server. It resolves my external domain;

    2. No. Access has no blocks. This happens with any public name on the external interface. It can be www.mydomain.org.br, app.mydomain.org.br, or any other;

    3. In the mail server, Zimbra, the rules are the standard. No lockout..

    For any local access, I created the rule releasing the HTTPS protocol "ANY". How do I publish the name "webmail.mydomain.org"?

    Tnx Emile.

  • Louis,

    My internal DNS resolves my external domain. No need to have this redundancy. I firmly believe that it is a rule in Sophos.

    One question: has it never happened to you?

    How do you publish the rule for access to any publication?

    Very strange to me!!!!

    I grant access "anywhere" and do not know why this happens.

    Tnx.

  • I've not had it happen on the UTM as I normally place our external domains on the internal dns so they resolve internally as above.

    I know pfSense and other firewalls didn't like you going external to come back in, and they classed it as some sort of DNS rebinding attack. You had to specifically remove some of the protection on top of the firewall rules to get it to do this, which it didn't advise.

    We do go out to come back in on our network, but purely for testing purposes, and we go out of a different gateway to come back in on the target address. We don't use the same gateway to come back in on itself.

    Going out to come back in isn't strictly efficient and probably not the best way to do things.

  • I understood, Louis, you apply the best name resolution practices. Very good!!!! I will use this way also. But do you understand what is happening? It is not DNS, in my case....

  • No, it won't be DNS but more to do with the firewall & NATting. If your external IP is e.g. 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that.

  • Carlos,

    Louis M makes a good point "If your external ip is eg 123.123.123.123, you would end up coming back on yourself and I don't think the UTM would like that."

    This is correct, and in these cases we use the DNS loopback, which is done using a Full NAT, mapping both the source and destination. However, judging from the nslookup, it's resolving internally, and unless we are on a different subnet the packets may not even be flowing through the firewall.

    When accessing this, are you on the same subnet as the web server? Also, was this working previously and we just put the Sophos in place, or is it a new web server?
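    The thread's diagnosis boils down to two questions: which address does the client actually get back from DNS (Louis's split-DNS point), and does that address put the traffic on the client's own subnet, across the UTM, or out the WAN and back into the same gateway (Emile's hairpin / Full NAT point)? The script below is an added example written for this thread, not code from the original posts or from Sophos. It reproduces the nslookup-plus-telnet check as one function, classifies the resolved address into those cases, and prints the matching advice. CLIENT_IP, CLIENT_NETMASK, EXTERNAL_NAT_IP and the 192.168.0.20 answer used in the demo are constructed placeholders; the resolver and connect callables are injectable so the logic can be run offline.

```python
import ipaddress
import socket
from dataclasses import dataclass

# Constructed sample values for the demo; none of them come from the thread.
CLIENT_IP = "192.168.0.50"          # hypothetical workstation on the LAN
CLIENT_NETMASK = "255.255.255.0"
EXTERNAL_NAT_IP = "203.0.113.10"    # hypothetical public IP of the UTM's WAN interface

# RFC 1918 ranges; "internal" in this thread means one of these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

ADVICE = {
    "hairpin": "Name resolves to the UTM's own public IP: traffic would leave and "
               "re-enter the same gateway. Needs split DNS or a Full NAT that "
               "rewrites both source and destination.",
    "same-subnet": "Name resolves to an address on the client's own subnet: packets "
                   "never cross the UTM, so a UTM rule cannot be the cause. Check the "
                   "server's listener and host firewall.",
    "internal-routed": "Name resolves to a private address on another subnet: traffic "
                       "crosses the UTM, so check the firewall log for drops between "
                       "the two networks.",
    "public": "Name resolves to a public address that is not the UTM's WAN IP: the "
              "client is using the external view; add the zone to the internal DNS.",
}


@dataclass
class Verdict:
    resolved: str
    category: str


def classify(resolved_ip, client_ip, client_netmask, external_ip):
    """Decide which of the situations discussed in the thread a resolved address is in."""
    host = ipaddress.ip_address(resolved_ip)
    client_net = ipaddress.ip_network(f"{client_ip}/{client_netmask}", strict=False)
    if host == ipaddress.ip_address(external_ip):
        return Verdict(resolved_ip, "hairpin")
    if host in client_net:
        return Verdict(resolved_ip, "same-subnet")
    if any(host in net for net in RFC1918):
        return Verdict(resolved_ip, "internal-routed")
    return Verdict(resolved_ip, "public")


def tcp_reachable(host, port, timeout=3.0):
    """Same check as 'telnet host 443': can a TCP connection be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(name, port=443, *, client_ip=CLIENT_IP, client_netmask=CLIENT_NETMASK,
             external_ip=EXTERNAL_NAT_IP, resolver=socket.gethostbyname,
             connect=tcp_reachable):
    """Resolve a name as the client would, classify the answer and test reachability."""
    try:
        resolved = resolver(name)
    except OSError as exc:          # socket.gaierror is a subclass of OSError
        return {"name": name, "resolved": None, "category": "unresolved",
                "reachable": False, "advice": f"resolver error: {exc}"}
    verdict = classify(resolved, client_ip, client_netmask, external_ip)
    return {"name": name, "resolved": resolved, "category": verdict.category,
            "reachable": connect(resolved, port), "advice": ADVICE[verdict.category]}


if __name__ == "__main__":
    # Offline re-creation of the thread's symptom with constructed data: the internal
    # resolver hands back a LAN address and the TCP connect to 443 fails.
    def fake_resolver(_name):
        return "192.168.0.20"

    def fake_connect(_host, _port):
        return False

    report = diagnose("webmail.example.invalid", resolver=fake_resolver, connect=fake_connect)
    for key, value in report.items():
        print(f"{key:>9}: {value}")
```

    Run against a real name with the defaults (`diagnose("webmail.example.com")`) from a LAN workstation and the category tells you where to look next: "same-subnet" means the UTM is not in the path at all, "hairpin" is the case Louis and Emile describe where only split DNS or a Full NAT helps, and "public" means the client is still getting the external view of the zone.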
  • True!!! I created records in my internal DNS for the external domain pointing to the internal server, and it worked.

    Thank you so much guys.

    It's working now!!!!