
Webserver in DMZ with WAF

Hello,

I wanted to switch from DNAT to WAF. To do that, as in the guide, I switched a webserver in the DMZ to listen on port 80 and created a virtual webserver with HTTPS redirection that listens on a specific fixed IP. But it does not work. The webserver is neither reachable from the LAN via http:// nor correctly from outside. That is to say: logging in to the cloud works, uploading does not.
A second virtual webserver connects to an Exchange server (Horde) on the internal network. That works flawlessly, apart from some grumbling about unsigned cookies. But that is another topic.
What has to be configured differently when the server is in a DMZ? With DNAT everything ran flawlessly.

Thanks for tips and advice! Or do you need more information?

Regards - Ralph



This thread was automatically locked due to age.
  • Assuming that your WAF has a private IP, you still need a DNAT rule for external users, but it needs to point at the WAF site instead of the original site.

    For internal users, your internal DNS needs to resolve to the WAF DMZ address if you want WAF filtering active, or to the real webserver address if they get WAF bypass privileges.

    Your Firewall Rules need to ensure that the Virtual Webserver can communicate with the Real Webserver.  On the list of virtual servers, there should be a green circle next to the Real WebServer entry.
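    The three conditions in this reply (external clients must land on the WAF listener, internal DNS must point at the WAF or deliberately at the real server, and the real server must answer behind the WAF) can be checked from a client on each side of the firewall. The script below is an added example for this thread, not Sophos code and not something the poster supplied; every address in it is constructed from the RFC 5737 documentation ranges, and "WAF listeners" is assumed to mean the interface addresses the UTM's virtual webservers are bound to.

```python
"""Client-side checks for a WAF-in-front-of-DMZ layout (added example, not Sophos code).

All addresses are constructed placeholders; replace them with your own.
Run it once from an internal host ("internal") and once from outside ("external").
"""
import http.client
import json
import socket
import sys

HOSTNAME = "mycloud.example.com"                  # site name used in the thread
WAF_LISTENERS = {"203.0.113.10", "192.0.2.1"}     # constructed: public IP, DMZ-side interface
REAL_SERVER = "192.0.2.80"                        # constructed: real webserver in the DMZ


def classify(view: str, answers) -> str:
    """Judge what a DNS view ("external" or "internal") hands out for HOSTNAME.

    Returns one of:
      "filtered"  - every answer is a WAF listener, so traffic passes the WAF
      "bypass"    - internal answer points straight at the real server (WAF bypass)
      "exposed"   - the external view reveals the real DMZ server, which is never wanted
      "mixed"     - some clients will be filtered and some will not
      "unrelated" - answers point somewhere else entirely (stale record, typo)
    """
    addrs = set(answers)
    if not addrs:
        return "unrelated"
    if addrs <= WAF_LISTENERS:
        return "filtered"
    if addrs == {REAL_SERVER}:
        return "exposed" if view == "external" else "bypass"
    if view == "external" and REAL_SERVER in addrs:
        return "exposed"
    if addrs & (WAF_LISTENERS | {REAL_SERVER}):
        return "mixed"
    return "unrelated"


def resolve(hostname: str):
    """Ask the resolver this host is configured with; the answer differs per view."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def http_status(ip: str, hostname: str, path: str = "/", timeout: float = 5.0):
    """Plain-HTTP request to one address with the site's Host header.

    A WAF listener with HTTPS redirection enabled should answer with a 3xx to https://;
    the real server should answer with the site itself. None means no answer at all,
    which from the LAN usually points at the firewall rule or the DNS answer.
    """
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": hostname})
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return None


def report(view: str) -> dict:
    """Resolve, classify and probe every address the current view returns."""
    answers = resolve(HOSTNAME)
    return {
        "view": view,
        "answers": answers,
        "verdict": classify(view, answers),
        "status": {ip: http_status(ip, HOSTNAME) for ip in answers},
    }


if __name__ == "__main__":
    print(json.dumps(report(sys.argv[1] if len(sys.argv) > 1 else "internal"), indent=2))
```

    Run `python3 wafcheck.py external` from outside and `python3 wafcheck.py internal` from the LAN: an "exposed" verdict means public DNS is handing out the real DMZ address, and a "filtered" verdict with `None` status from the LAN means the name is right but the path from the internal network to the listener is blocked.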

     

  • DouglasFoster said:

    Assuming that your WAF has a private IP, you still need a DNAT rule for external users, but it needs to point at the WAF site instead of the original site.

    Sorry, I don't quite understand. What do you mean by the WAF IP? The virtual webserver is linked to an interface address with a static external IP.
    The real webserver has an IP of the DMZ subnet.
    Please give an example of a DNAT rule pointing to let's say "mycloud.example.com".

    For internal users, your internal DNS needs to resolve to the WAF DMZ address if you want WAF filtering active, or to the real webserver address if they get WAF bypass privileges.

    Again: what is the WAF DMZ address?

  • I set it up along this HOWTO:
    "www.frankysweb.de/.../"

    But it doesn't work.

  • If I'm reading this correctly, the OP has a DMZ on the UTM?

    If that's the case, I would assume that the OP has multiple public IPs and it's simply a case of enabling WAF with the right external IP pointing to the DMZ IP of the web server.

    No DNAT needed. When we first started with the UTM, we had DNATs all over the place for smtp, http, https etc. and we've gradually managed to get rid of most of them.

