Hi Team,
I'm trying to migrate from TMG to Sophos XG. I have 40 web sites; 39 are OK, but one is causing a real headache :(
In TMG you can use site path routing for web publishing, and for each rule decide whether you want to send the traffic to the real web server SNATed or not.
*** I have a big problem: Sophos always does full NAT when I use WAF ***
The question is, how can I avoid this behavior?
I need some site path routing rules not to do SNAT (the application on the server side doesn't support the traffic that comes from the firewall; it only accepts the traffic it sees from outside (WAN) with public IPs).
How does it work?
It's a simple web application. Users call the web app, e.g. www.site.com on port 80, then it redirects to the IIS on the same port. I use a site path routing rule to redirect the traffic to the 192.168.100.39 server. That's all. The IIS uses the host header to do the rest.
How is the real web server configured?
- IP: 192.168.100.39
- Port: 80
- Keep Alive (+)
How is the site path routing configured?
/TimDFCT/*
Things I have tried...
- Doing a DNAT: I changed the outside port to 25200 and made a redirection to port 80 (internally). This worked; the problem is that the client says he can't change the external port, because the application has this address burned into many devices, and it is virtually impossible to change that at this point.
- Doing a DNAT and putting it at the bottom. This DNAT just sends all my other publications with WAF to hell. It seems DNAT overlaps WAF rules; it doesn't matter if the DNAT is at the beginning or at the end.
- Trying to eliminate the internal SNAT rule with advance_firewall sys-traffic-nat delete 192.168.100.39 192.168.100.5
- Trying to get my IIS to accept the traffic from the firewall, because other applications on the same server seem not to have problems with the traffic coming from the firewall (I don't know why). Anyway, I couldn't figure out how to make the application accept the traffic coming from the firewall.
If there is a crack out there, I need you, man.
Thanks anyway, Team.
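The post describes the classic reverse-proxy problem: once the WAF SNATs, the IIS application sees the firewall's internal address (192.168.100.5 in the poster's delete command) instead of the public client address, so its "public IPs only" check fails. The snippet below is an added example, not code from the post, from Sophos or from the poster's application. It shows the failure mode and the usual mitigation on the application side: recover the client address from an X-Forwarded-For header, but only when the TCP peer is the trusted WAF, and only the right-most entry (the one the trusted proxy appended). Whether the poster's WAF adds X-Forwarded-For, and the exact allowlist the application enforces, are assumptions made here; the public addresses used as sample clients are constructed.

```python
import ipaddress

# Assumption for this example: the WAF's internal address, taken from the
# "sys-traffic-nat delete 192.168.100.39 192.168.100.5" command in the post.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.100.5")}

# Assumed policy standing in for "only accepts traffic from outside (WAN)":
# reject clients whose effective address is RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def effective_client_ip(peer_ip, headers):
    """Return the address the application should treat as the client.

    peer_ip: TCP source address as the server sees it (the WAF after SNAT).
    headers: request headers with lower-cased keys.
    X-Forwarded-For is consulted only when the peer is a trusted proxy, and
    only its right-most entry is used: anything further left could have been
    supplied by the client itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is untrusted, ignore it
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer  # proxy did not add the header: fall back to the peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer  # malformed header: do not let it widen access


def is_allowed(client_ip):
    """Apply the assumed WAN-only policy to the effective client address."""
    return not any(client_ip in net for net in RFC1918)


# Constructed scenarios (sample client addresses are documentation ranges).
SCENARIOS = {
    # Before migration: client reaches IIS with its public source address.
    "direct_public": ("203.0.113.7", {}),
    # After migration with SNAT and no forwarded header: the poster's symptom.
    "snat_no_header": ("192.168.100.5", {}),
    # SNAT, WAF appends the real client address.
    "snat_with_xff": ("192.168.100.5", {"x-forwarded-for": "203.0.113.7"}),
    # SNAT, client sent its own fake entry; the WAF appended the real one.
    "snat_spoof_attempt": ("192.168.100.5",
                           {"x-forwarded-for": "198.51.100.9, 203.0.113.7"}),
    # Internal host that is not the WAF sends the header: it must be ignored.
    "untrusted_peer_xff": ("10.0.0.8", {"x-forwarded-for": "203.0.113.7"}),
}


def evaluate(name):
    """Return (effective_ip_as_str, allowed) for a named constructed scenario."""
    peer, headers = SCENARIOS[name]
    ip = effective_client_ip(peer, headers)
    return str(ip), is_allowed(ip)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:22} -> {evaluate(name)}")
```

The point of the trusted-peer check is that the header alone proves nothing: any host that can reach the IIS directly could set X-Forwarded-For to a public address, so the application must pin the check to the WAF's own source address, which is exactly the address the SNAT makes visible.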