This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

tunneling protocol through WAF

hai,

very confused with publishing web server through Web server protection
http://Public IP:8080 and
http://Public IP: 7778

as of DNAT

ANY >> service 8080>> public IP 1 DNAT to local server 1

ANY>> service 7778 , 80 >> Public IP 2 DNAT to local server 2

how can i perform this at Web server protection.

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

Two separate Virtual WebServers and two separate Real Servers. If you've tried that and it didn't work, please click on [Go Advanced] below and attach a picture of the Edit of one of the Virtual WebServer definitions.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
0 apijnappels over 11 years ago

And don't forget to disable the DNAT-rules once you have setup your virtual and real servers otherwise NAT will handle the request bypassing the WAF.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
- 0 deltaline-IT over 11 years ago in reply to apijnappels
  
  thanks to all who took precious time and replied.
  
  as its live environment i want to be assure before changing the connection.
  
  scenario 1
  http://Public-IP:8080 my understanding (attached real server and virtual server snapshot)
  
  scenario 2
  for http://Public-IP:7778 (attached real server and virtual server snapshot)
  
  does i understood the concept correctly?
  real webserver scenario 1.png
  
  View
  
  Hide
0 BAlfson over 11 years ago

Thanks, apijnappels, for the opportunity to remind folks about #2 in Rulz. [;)]  The domain should just be the public IP.

Cheers - Bob

Sorry for any short responses.  Posted from my iPhone.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
- 0 deltaline-IT over 11 years ago in reply to BAlfson
  
  thanks for response...
  
  here at screen shot i am correct with selecting port as 8080 at both virtual and real server for http:// my.domain.com:8080 ?
0 apijnappels over 11 years ago

I'm not sure if domain is required when you're only hosting HTTP sites (and not HTTPS). But if you do, I think it should be just: public-ip (and not http and port number in it).

The ports you have to enter are the ports that are setup. For the real webserver, it will usually by default be at port 80 (unless you instructed the webserver to listen at 8080 instead).
For the virtual server you will have to specify at which port you want the website to be available for "outsiders", this could be the same port as the real webserver is on, but you could also choose other ports.

So first try to leave the domains fields empty and on real servers enter the port numbers the respective webservers are listening on. On virtual webservers you will probably have to use the same port numbers

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
0 Evianne over 11 years ago

Hi,

if I undestood you correctly, you need altogether 3 virtual webservers and also 3 real webserver.

Am I right that your first real webserver listens on port 8080 and your second on port 80 and 7778?
Accordingly, for your second scenario, you need two virtual webservers and 2 real webservers (one for each port).

In the domain field, you only put the IP address, no http:// and no port number.

Best,
Sabine
- 0 deltaline-IT over 11 years ago in reply to Evianne
  
  sorry about explanation i am very poor about webserver things.
  
  what i need is to publish two webserver A and B through webserver protection.
  right now they are publish by DNAT through ASA so because of security reason.
  
  right now from outside they are reachable by
  
  http://1.2.3.4(public-IP):8080 to access Server A
  
  http://5.6.7.8(public-IP):7778 to access server B so now how many virtual and real IP i need to configure and what will be the "TYPE" and "PORT" at each settings.
  
  very thankful if any one explain step by step.
  
  regards,
0 apijnappels over 11 years ago

You need 2 virtual and 2 real servers.
1 real and 1 virtual will most likely need port 8080 and the other real and virtual will most likely need poort 7778.
The real-servers are your own internal "real" servers, so these should point to your internal IP-addresses or FQDN's.
Eviane pointed out that on domain you need to enter the external IP-addresses without http:// and without port number (just 1.2.3.4 and 5.6.7.8 respectively as in your example).

Type is most likely HTTP. If it is HTTPS you should also take care (and have done previously) of setting up SSL-certificates.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
- 0 deltaline-IT over 11 years ago in reply to apijnappels
  
  thanks to all you responded...
  
  i had done the testing seems everything working fine without any issue but i want to take some time for testing period. may be it will be very help full to those who wants similar configuration. below is the settings what i had configure
  
  http://1.2.3.4:8080
  
  attached screen shots..
  
  once again thanks a lot...
  final real server settings.png
  
  View
  
  Hide