This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to view website published on DMZ via Webserver on our internal network

Hi everyone.  I have a webserver on a DMZ (on UTM) that is published to the internet on an external IP via webserver protection.  My users are unable to see this site when browsing from the internal network via the UTM web proxy.  Do I need some sort of access or NAT rule for my users to see this?



This thread was automatically locked due to age.
Parents
  • Hello  ,

    Thank you for reaching out to the community, please refer the following KBA - DNAT 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek,

    I tried that suggestion, but no joy I'm afraid.  The article says that this only works is the rule is above the DNAT rule for the published server.  Because the server is published using UTM's Webserver protection feature, I have no control over the rule created by that feature - unless you know otherwise.

    Kind regards

  • Hi Shaun,

    I prefer to do this with split DNS, resolving the subdomain for internal users to the internal IP in the DMZ.  Depending on your Web Filtering configuration, you may also need to do something there - if you're still not getting through to the server, check the Web Filtering log.

    You might also be interested in DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for replying.  My problem seems to be that I only want my internal users to view the site using the external IP.  I've got a dns server on the local network which has the external ip of the site, and that seems to resolve the name ok

  • Why only the External IP, Shaun - are you wanting to have their accesses go through Web Server Protection, or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes Bob - exactly that.  I don't want this particular webserver ANYWHERE near my internal network Slight smile

  • Good morning, Shaun,

    I should have read your other posts above more closely as it's obvious you wanted to use Web Server Security. Grimacing

    You can just have internal DNS resolve to an Additional Address on the Internal interface and then create a new Virtual Server for that IP using the same Real Server.  Does that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Sorry Bob, I don't quite follow.

    What I really want is my users on the internal network to access the website on it's external IP address.  I don't want them to be able to access the DMZ it's on in any way, and I don't want the webserver to be able to access the internal network.  Can you explain your solution further?

    Kind regards - Shaun

  • Shaun, accesses to the external IP are captured by Webserver Protection because of the definition of the Virtual Server that "listens" on that IP.  To have internal accesses go through Webserver Protection, simply add another Virtual Server definition with an additional address on the Internal interface.  You also need internal DNS to resolve the FQDN to that additional address.  Voila - no direct access locally to that server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Shaun, accesses to the external IP are captured by Webserver Protection because of the definition of the Virtual Server that "listens" on that IP.  To have internal accesses go through Webserver Protection, simply add another Virtual Server definition with an additional address on the Internal interface.  You also need internal DNS to resolve the FQDN to that additional address.  Voila - no direct access locally to that server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children