This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WebProtection: Routing to Internal Networks when "Optional: Interface for Outgoing traffic" is used

Hello,

we have the following Problem:

We use the option "Optional: Interface for Outgoing traffic" for our WebProtection Profiles, so different customers can browse websites with different public IPs.

If we want to connect to an internal web-server we get the error "an error occoured while handling your request (no route to host)"

I think this is beacuase the http request is always going from the interface we assigned in "Optional: Interface for Outgoing traffic". This is a Interface with an public IP and so it can not connect to a private IP within our Network.

If we put the Intenal Network to "Skip Transparent Mode Destination..." everything works fine.

Is it possible to configure the WebProtection, so it works without the exeption for the internal network?



This thread was automatically locked due to age.
Parents
  • Hi, Daniel, and welcome to the UTM Community!

    I like Doug's suggestion, but your topology isn't clear to me.  Perhaps a simple diagram or pictures of the Edits of your Web Filtering Profiles?

    Cheers - Bob
    PS Moving this thread to the Web Protection forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Network.pdf

    Hi,

    I created an overview of the network topology.

    So there are connected multiple customers to the UTM with an IPsec tunnel. We have configured the webfilter profiles with "Optional: Interface for Outgoing traffic", so that every customer gets another outgoing IP for Web Surfing.

    Now if the customer (e.g. Client 10.2.0.1) connects to Webserver 22.33.44.55 everything works fine. But if the customer wants to connect to 10.0.0.1, the proxy shows the error "an error occoured while handling your request (no route to host)".

    I think it is because we have staticaly assigned an outgoing Interface (e.g. eth1) and of course the Webserver 10.0.0.1 is not reachable over this interface.

    When we assign the network 10.0.0.0/24 to "Skip Transparent Mode Destination..." in the webprotection settings it works, because then the normal routing tables are used.

    Now I want to know if it is possible to user the Proxy also for the internal webservers and use the option "Optional: Interface for Outgoing traffic"

     

    Regards,

    Daniel

  • Thanks, Daniel, that helps!

    It looks like A & C are connected as in Hub and Spoke Site-to-Site VPNs.  In that case, you should skip the Proxy as you have done.

    If A is not the same corporation as C, I agree with Doug about accessing 10.0.0.1 via WAF.  That would require modifying the tunnel to NOT include the direct connection between A & C and to make some DNS changes and to modify the webserver to look for the X-FORWARDED-FOR header.

    In order to reach the server at 22.33.44.55 through an IPsec tunnel, you would need to add it to the tunnel, but I don't think that was a part of your question.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Thanks, Daniel, that helps!

    It looks like A & C are connected as in Hub and Spoke Site-to-Site VPNs.  In that case, you should skip the Proxy as you have done.

    If A is not the same corporation as C, I agree with Doug about accessing 10.0.0.1 via WAF.  That would require modifying the tunnel to NOT include the direct connection between A & C and to make some DNS changes and to modify the webserver to look for the X-FORWARDED-FOR header.

    In order to reach the server at 22.33.44.55 through an IPsec tunnel, you would need to add it to the tunnel, but I don't think that was a part of your question.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data