This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to view website published on DMZ via Webserver on our internal network

Hi everyone. I have a webserver on a DMZ (on UTM) that is published to the internet on an external IP via webserver protection. My users are unable to see this site when browsing from the internal network via the UTM web proxy. Do I need some sort of access or NAT rule for my users to see this?

This thread was automatically locked due to age.

Top Replies

BAlfson over 1 year ago in reply to Shaun Raven +2 verified

Shaun, accesses to the external IP are captured by Webserver Protection because of the definition of the Virtual Server that "listens" on that IP. To have internal accesses go through Webserver Protection…

Parents

0 Vivek Jagad over 1 year ago

Hello Shaun Raven ,

Thank you for reaching out to the community, please refer the following KBA - DNAT

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Shaun Raven over 1 year ago in reply to Vivek Jagad

Hi Vivek,

I tried that suggestion, but no joy I'm afraid. The article says that this only works is the rule is above the DNAT rule for the published server. Because the server is published using UTM's Webserver protection feature, I have no control over the rule created by that feature - unless you know otherwise.

Kind regards
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 1 year ago in reply to Shaun Raven

Hi Shaun,

I prefer to do this with split DNS, resolving the subdomain for internal users to the internal IP in the DMZ. Depending on your Web Filtering configuration, you may also need to do something there - if you're still not getting through to the server, check the Web Filtering log.

You might also be interested in DNS best practice.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Shaun Raven over 1 year ago in reply to BAlfson

Hi Bob,

Thanks for replying. My problem seems to be that I only want my internal users to view the site using the external IP. I've got a dns server on the local network which has the external ip of the site, and that seems to resolve the name ok
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 1 year ago in reply to Shaun Raven

Why only the External IP, Shaun - are you wanting to have their accesses go through Web Server Protection, or ???

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Shaun Raven over 1 year ago in reply to BAlfson

Yes Bob - exactly that. I don't want this particular webserver ANYWHERE near my internal network
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 1 year ago in reply to Shaun Raven

Good morning, Shaun,

I should have read your other posts above more closely as it's obvious you wanted to use Web Server Security.

You can just have internal DNS resolve to an Additional Address on the Internal interface and then create a new Virtual Server for that IP using the same Real Server. Does that work for you?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up +1 Vote Down

Cancel
0 Shaun Raven over 1 year ago in reply to BAlfson

Hi Bob,

Sorry Bob, I don't quite follow.

What I really want is my users on the internal network to access the website on it's external IP address. I don't want them to be able to access the DMZ it's on in any way, and I don't want the webserver to be able to access the internal network. Can you explain your solution further?

Kind regards - Shaun
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Shaun Raven over 1 year ago in reply to BAlfson

Hi Bob,

Sorry Bob, I don't quite follow.

What I really want is my users on the internal network to access the website on it's external IP address. I don't want them to be able to access the DMZ it's on in any way, and I don't want the webserver to be able to access the internal network. Can you explain your solution further?

Kind regards - Shaun
Cancel
Vote Up 0 Vote Down

Cancel

Children

+1 BAlfson over 1 year ago in reply to Shaun Raven

Shaun, accesses to the external IP are captured by Webserver Protection because of the definition of the Virtual Server that "listens" on that IP. To have internal accesses go through Webserver Protection, simply add another Virtual Server definition with an additional address on the Internal interface. You also need internal DNS to resolve the FQDN to that additional address. Voila - no direct access locally to that server.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up +2 Vote Down

Cancel
0 Shaun Raven over 1 year ago in reply to BAlfson

Hi Bob,

So you're effectively publishing it twice? Once on the External, One on the Internal?

Kind regards,

Shaun
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 1 year ago in reply to Shaun Raven

Exactly!

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel