Passing URL behind firewall. Web Proxy.

Hi Guys!

I have UTM 9.410-6.

Behind the UTM I run an application which only responds to FQDN and no IP address. If accessed by IP the following message is displayed: "The client is not authorized to request an authorization. It's required to access the system using FQDN.".

Is there a way to proxy the URL onto this server when I browse the server externally via NAT on the Sophos?

I already have the correct URL configured on my public DNS.



  • Sorry, GZ, but I can't figure out what question you're asking. Did you mean to post this in the Web Server Security forum? Are you asking whether internal users can access the internal web server via a NAT on the External interface? What is happening to the URL to change the FQDN to a numeric IP?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I wouldn't run DNAT for this. WAF (web application firewall) is ideal for this situation and is what you should use. It will harden the URL to exactly what you want as well as giving you further protections.

  • Hey Bob,

    Long time no see, not sure if you can remember me from the Astaro forums.

    This is what I have:

    Client----><Internet>-----><UTM>-----><oVirt>

    The client on the open internet requests a URL, eg. ovirt.example.com

    UTM has a DNAT rule which forwards the client request to an internal oVirt server.

    The oVirt server allows access to the admin interface ONLY if the FQDN is used.

    My question is, is there a way to pass "ovirt.example.com" to the internal server instead of just doing IP NAT-ing?

  • Hi Louis, how do you do this?

  • WAF is a UTM feature that may require an additional subscription. It is called Webserver Protection in the Web Interface.

    But I can not see why your setup shouldn't work correctly. If you set up a subdomain virt01 with an A record pointing to the UTM's public address in your public DNS zone of example.com, you should be able to connect to the internal server like a charm. Did you perhaps only configure a 'redirect' in the public DNS zone?

    The other thing, which I rather believe, is that the webserver virt01 only listens for an internal FQDN like virt01.mydom.local for the web interface, and that should be adjusted to the external FQDN you want the clients to be able to connect to.

    You can always configure a split-brain DNS config for internal clients to use a public FQDN to reach an internal IP, but you can't do that for an internal FQDN that is accessed from external.

    With WAF it should be possible when the UTM handles the external FQDN and tunnels the connection to the internal FQDN.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi

    1. Public DNS resolution works using an A record for ovirt.example.com pointing to the public IP of the Sophos, which then does NAT to the oVirt server IP.

    2. Internal DNS works on the FQDN as well. Split DNS is set up. The oVirt server responds to ovirt.example.com regardless of whether it is queried internally or externally.

    3. I believe Sophos, when doing NAT-ing, plays only with IP addresses, hence the failure.

    I believe I have a WAF subscription. Will try this and let you know.

    Do I need valid certificates to use WAF?

  • I think we are making progress here...

    In WAF:

    1. I configured virtual web server for ovirt.example.com bound to the WAN interface with no firewall policy

    2. I configured real web server for ovirt.example.com to the internal IP of the server


    When I browse I'm now getting:

    Forbidden

    You don't have permission to access / on this server.

  • That is one of the benefits of WAF. Now you just need to set the full FQDN allowed (under site path routing) and the WAF will only allow what is specified.

    E.g. it will allow https://ovirt.example.com/admin but not https://ovirt.example.com or http://ovirt.example.com

    You might have to play about a little as the WAF can be very strict on what it allows. There are some good articles on Sophos WAF, particularly about Exchange, SharePoint etc., which will give you a good insight into it.

    I used to use a lot of DNATs etc. but now try to use the UTM's proxies as much as possible and as little NATing as possible.
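The virtual webserver / real webserver mapping configured two posts above, and the site path routing described in the reply just above, as an added illustration. This is example code written for this page, not Sophos UTM's implementation, and it only models the routing decision a reverse proxy makes, not the rest of the WAF. The internal address 10.0.0.20, the public address 203.0.113.10, the internal FQDN virt01.mydom.local (borrowed from Kevin's example), the allowed path /admin and the Host-header rewrite to the internal FQDN are all assumptions chosen for the demo; the sample requests are constructed, not captured.

```python
# Added example for this page (not Sophos UTM code): the routing decision a
# reverse proxy / WAF makes between an external "virtual webserver" and an
# internal "real webserver", including site path routing, contrasted with
# plain DNAT. All names, addresses and paths are assumptions for the demo.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Upstream = Tuple[str, int, bytes]   # (address, port, request bytes sent on)


@dataclass
class RealWebserver:
    """Internal target the proxy connects to (assumed values)."""
    address: str         # internal IP, e.g. 10.0.0.20
    port: int
    expected_host: str   # FQDN the application insists on seeing in Host


@dataclass
class VirtualWebserver:
    """External name the proxy answers for, and the paths it lets through."""
    domain: str               # public FQDN, e.g. ovirt.example.com
    allowed_paths: List[str]  # site path routing: permitted path prefixes
    backend: RealWebserver


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into method, target and lowercased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def dnat_forward(raw: bytes, backend: RealWebserver) -> Upstream:
    """Plain DNAT: only the destination IP/port is rewritten. The HTTP bytes,
    Host header included, reach the backend exactly as the client sent them."""
    return backend.address, backend.port, raw


def waf_route(raw: bytes, vhosts: Dict[str, VirtualWebserver]) -> Tuple[str, Optional[Upstream]]:
    """Reverse proxy: select the virtual webserver by Host, enforce site path
    routing, then re-issue the request to the real webserver carrying the Host
    the backend expects. Returns ("forbidden", None) when the proxy answers
    403 itself (nothing reaches the backend), else ("forward", upstream)."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0].lower()
    vhost = vhosts.get(host)
    if vhost is None:
        # Request by bare IP or an unknown name: no virtual webserver matches.
        return "forbidden", None
    path = target.split("?", 1)[0]
    if not any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in vhost.allowed_paths):
        # Site path routing: anything outside the configured paths is refused.
        return "forbidden", None
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    kept = [ln for ln in lines[1:] if not ln.lower().startswith("host:")]
    # Assumption for the demo: Host is rewritten to the internal FQDN and the
    # public name the client used is preserved in X-Forwarded-Host.
    new_head = [lines[0], f"Host: {vhost.backend.expected_host}", *kept,
                f"X-Forwarded-Host: {host}"]
    upstream = "\r\n".join(new_head).encode("latin-1") + b"\r\n\r\n" + body
    return "forward", (vhost.backend.address, vhost.backend.port, upstream)


# Constructed sample configuration and traffic (assumed values, not captured).
BACKEND = RealWebserver("10.0.0.20", 443, "virt01.mydom.local")
VHOSTS = {"ovirt.example.com": VirtualWebserver("ovirt.example.com", ["/admin"], BACKEND)}
REQ_BY_NAME = b"GET /admin HTTP/1.1\r\nHost: ovirt.example.com\r\nUser-Agent: demo\r\n\r\n"
REQ_BY_IP = b"GET /admin HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
REQ_ROOT = b"GET / HTTP/1.1\r\nHost: ovirt.example.com\r\n\r\n"

if __name__ == "__main__":
    print("DNAT by IP  :", dnat_forward(REQ_BY_IP, BACKEND)[2].split(b"\r\n")[1])
    for name, req in (("by name", REQ_BY_NAME), ("by IP", REQ_BY_IP), ("root", REQ_ROOT)):
        decision, up = waf_route(req, VHOSTS)
        print(f"WAF {name:8}:", decision, up[2].split(b"\r\n")[1] if up else b"")
```

Running it shows the two behaviours side by side: `dnat_forward` hands the backend whatever Host the client typed (an IP, if the client used one), while `waf_route` refuses requests by IP or for `/` before they ever reach the backend and, for `/admin`, forwards with the Host the backend is configured for. Whether a real deployment should rewrite Host or pass the client's name through depends on which FQDN the application was installed to accept.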

  • Configured site path routing, still not helping.

    From what I'm reading it seems like I need to have the same certificate used for the webserver uploaded in Sophos when creating the virtual server?

    Tried HTTP but that doesn't work either. All I get is forbidden.

  • Was the certificate uploaded correctly with private key? In a WAF configuration only the "virtual webserver" needs the certificate.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner