I wouldn't run DNAT for this. WAF (web application firewall) is ideal for this situation and is what you should use. It will harden the URL to exactly what you want as well as giving you further protections.

I wouldn't run DNAT for this. WAF (web application firewall) is ideal for this situation and is what you should use. It will harden the URL to exactly what you want as well as giving you further protections.

Hi Louis, how do you do this?

WAF is a UTM feature that requires eventually an additional subscription. It is called Webserver Protection in the Web Interface.

But I can not see, why your setup shouldn't work correctly. If you set up a subdomain virt01 with an A record pointing to the UTM's public address in  your public DNS zone of example.com you should be able to connect to the internal server with a charm. Did you eventually only configure a 'redirect' in the public DNS zone?

Other thing which I rather believe is that the webserver virt01 only listens for an internal FQDN like virt01.mydom.local for the web interface and that point should be adjusted to the external FQDN you want the clients to be able to connect to.

You can always configure a split brain DNS Config for internal clients to use a public FQDN to reach an internal IP, but you can't do that for an internal FQDN that is accessed from external.

With WAF it should be possible when the UTM handles the external FQDN and tunnels the connection to the internal FQDN.

Hi kerobra_retired 

1. Public dns resolution works using A of ovirt.example.com pointing to the public IP of Sophos which then does NAT to the ovirt server IP.

2. Internal dns works on FQDN as well. Split DNS is setup. ovirt server responds to ovirt.example.com regardless if queried internally or externally

3. I believe Sophos when doing NAT-ing it plays only with IP addresses hence the failure.

I believe i have WAF subscribtion. Will try this and let you know.

Do I need valid certificates to use WAF?

kerobra_retired 

I think we are making progress here.....

in WAF;

1. I configured virtual web server for ovirt.example.com bound to the WAN interface with no firewall policy

2. I configured real web server for ovirt.example.com to the internal IP of the server

When I browse I'm now getting:

Forbidden

You don't have permission to access / on this server.

That is one of the benefits of WAF. Now you just need to set the full FQDN allowed (under site path routing) and the WAF will only allow what is specified.

eg it will allow https://ovirt.example.com/admin but not https://ovirt.example.com or http://ovirt.example.com

You might have to play about a little as the WAF can be very strict on what it allows. There are some good articles on Sophos WAF, particually about exchange, sharepoint etc which will give you a good insight into it.

I used to use a lot of DNAT's etc but now try to use the UTM's proxies as much as possible as as little NATing as possible.

Configured site path routing still not helping.

From what I'm reading it seems like I need to have the same certificate used for the webserver uploaded in sophos when creating the virtual server?

Tried HTTP but that doesn't work as well. All I get is forbidden.

Was the certificate uploaded correctly with private key? In a WAF configuration only the "virtual webserver" needs the certificate.

For now I'm trying not to play with certs. Using plain HTTP to see it working first before jumping the gun.

I have listed all the possible URLs in WAF Site Path Routing now.

Instead of forbidden I'm getting:

<sub>The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept cookies.</sub>

Alright.

Making progress but not in the right direction it seems :)

Sophos is now redirecting me to the Private IP of the Web server........?!?!?!?!?!

Go back to the virtual server. Do you have any ticked under advanced eg pass host header etc?