External IP shows as internal DMZ IP when using "Remote_Host" HTTP variable

Question

As per the subject really 
 On my old FW (not Sophos) I used to allow access to pages internally (to our network) by checking the remote host http variable. This would give the users external (in the case of an external IP) or the internal (192.168.0.x) of an internal user. So I could lock out pages to external users 
 With Sophos UTM9 installed the remote_host is always shown as the DMZ IP address - 192.168.1.1. Therefore my apparantly secure pages are now visible externally 
 Is there a way to make this work as it used to? I can't see that NATing will help me in anyway

BAlfson · Accepted Answer

Thanks, Mike, I see now that you aren't using a NAT rule for this. I'll move this thread to the Webserver Security forum. 
 If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz ). So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection. 
 When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for. 
 Cheers - Bob

BAlfson · Answer

I see now, Mike. Yes, you want to use DNATs instead of Full NATs. If a DNAT doesn't work, then I'll guess that "mail.xxxxx.com" violates #3 in Rulz . Also, I don't think you want the SNAT - if it's needed as noted, then there might also be a violation of #3 through #5. 
 Cheers - Bob