
Configuring external access to a webserver

Hello all,

Hopefully this is the correct forum to post this question in :)  So, I have a web server that sits in our DMZ.  I've configured internal DNS and we can get onto the login page of the site no problem.  But we need to allow external access to the site also.  I've set up a real server, a virtual web server and configured DNAT to forward any web service requests from the internet to the machine that hosts the website.  If I try to connect to the site externally I get "This site cannot be reached. xxxxxxxx is unreachable. ERR_ADDRESS_UNREACHABLE".

We have already set up the subdomain and it's pointing to the correct external IP address.  If I do an nslookup from the host, it resolves the website address via Google's DNS.  I can see the UTM dropping unwanted requests for the site and occasionally I see a NAT rule # x in white in the firewall log.

I am kind of at a loss as to where to look next and would really appreciate any help!

Regards



  • Traditionally, this is done with a DNAT rule and a corresponding firewall rule. Indeed, you can still do it this way like you would with most other firewalls.

    But, the UTM has a few tricks up its sleeve, which in this case is Web Server Protection.

    You either use one or the other, i.e. DNAT or Web Server Protection, but not both together (even though you can).

    My advice would be to forget about the DNAT/firewall rule and go down the Web Server Protection road as it offers a bit more, e.g. static URL hardening etc.

    You simply specify your real server (your DMZ ip web server) and then create your virtual web server using the external ip and map that to your internal server.

    There are good instructions around for doing that. Once you have it going, you can then tighten the security up with cookie signing, form hardening etc.

    Just be sure that the UTM resolves your external FQDN to your external IP and not the internal IP. You can test this under Support > Tools.

    The most common mistake made with the UTM is to try and use the traditional way and the UTM's extra features at the same time, the common one being the SMTP proxy where, again, users create DNAT rules for SMTP and then try and use the SMTP proxy when there really is no need to do so.

    Same with the web protection proxy too. Coming from other firewalls, the first thing I did was to create web browsing rules when in effect all you need to do is enable the web proxy and DNS proxy.

  • Agreed with Louis that the best way to go is Webserver Protection if you have that subscription.

    If you don't you might be interested in Accessing Internal or DMZ Webserver from Internal Network.

    Cheers - Bob
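Louis's check above (does the box resolve the external FQDN to the external IP rather than the DMZ address?) is the first thing to verify before touching the DNAT or virtual web server. The script below is an added example, not code from this thread or from Sophos; the FQDN and the 203.0.113.10 external IP are constructed placeholders, and the `resolve` argument is injectable so the classification logic can be exercised without a network.

```python
import ipaddress
import socket

# Constructed placeholders: replace with the real subdomain and the public IP
# the DNAT rule / virtual web server listens on.
SITE_FQDN = "www.example.com"
EXPECTED_EXTERNAL_IP = "203.0.113.10"

# RFC 1918, loopback and link-local ranges: an answer in one of these is a
# split-horizon (LAN/DMZ) address, so the request never reaches the UTM's
# DNAT rule or virtual web server and proves nothing about external access.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def classify_resolution(resolved_ip, expected_external_ip):
    """'internal'       -> LAN/DMZ address (split-horizon answer)
       'wrong_external' -> public, but not the IP the DNAT/virtual server uses
       'ok'             -> the expected public IP"""
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if ip != ipaddress.ip_address(expected_external_ip):
        return "wrong_external"
    return "ok"


def check_site(fqdn, expected_external_ip, resolve=socket.gethostbyname):
    """Resolve fqdn with the host's configured resolver and classify the answer."""
    try:
        resolved = resolve(fqdn)
    except socket.gaierror:
        return {"fqdn": fqdn, "resolved": None, "status": "nxdomain"}
    status = classify_resolution(resolved, expected_external_ip)
    return {"fqdn": fqdn, "resolved": resolved, "status": status}


def tcp_reachable(ip, port=443, timeout=3.0):
    """True if a TCP handshake to ip:port completes, i.e. the path the browser's
    ERR_ADDRESS_UNREACHABLE error says is failing."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    result = check_site(SITE_FQDN, EXPECTED_EXTERNAL_IP)
    print(result)
    if result["status"] == "ok":  # only meaningful once DNS points outside
        for port in (80, 443):
            print(port, "reachable" if tcp_reachable(result["resolved"], port) else "unreachable")
```

Run it once from the UTM or an internal host (expect "internal" if internal DNS has a split-horizon record) and once from an outside host (expect "ok", then check the ports); a "wrong_external" result means the subdomain record, not the UTM, is the problem.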