hypercube asked:

Connecting to web server computer from "inside"

I was asked to complete the firewall rules on a Windows 8 computer used as a web server on a private network with port forwarding in the gateway router.

The address is an https:// address and port 443 is what's being used.

If one has the URL, is it possible to browse to the URL from inside the private LAN?  I'd never thought about this before.  
If not then what is best practice for getting access from inside the LAN?

The topology is:
Public address facing the internet (what What is My IP reports).
Public address block for which the LAN NATs into.
(I don't understand how this works and why What is My IP reports one when it's really another - but perhaps no matter).
Router forwards the public IP:port 443 to the server:port 443.
Private LAN address of the server.
Server firewall with port 443 open.

Should one be able to access the server using the public URL?
Member_2_6582184

Yes, you should. But this depends on your firewall.

Often you have something called NAT reflection which does exactly that.
This is inefficient though and may sometimes not work.

Therefore a common practice (very often for Exchange servers) is to set up something called Split DNS.
Here you take advantage of the situation that inside your LAN you have control over the DNS lookups. Normally, public lookups outside your LAN are forwarded since your DNS is not authoritative for (= does not know) the domain you are looking for.

So, just create a new zone in DNS named after your public DNS zone and create an A record pointing to your web server; not to the public IP, but to the private IP.
Inside your LAN everyone will now be able to connect directly to your web server via private local IP.
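The two inside paths described in this answer (NAT reflection and split DNS) can be told apart from any LAN client. The sketch below is an added example, not part of the original thread: it classifies what the public name resolves to and checks whether the certificate validates for that name. The function names and the sample hostname are hypothetical.

```python
import ipaddress
import socket
import ssl

# RFC 1918 ranges; ipaddress.is_private is broader (loopback, documentation nets).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver returns for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify_path(addresses):
    """Which route an inside client takes, judged from what the name resolved to."""
    if not addresses:
        return "unresolved"
    inside = [any(ipaddress.ip_address(a) in net for net in RFC1918) for a in addresses]
    if all(inside):
        return "split-dns"       # internal zone answered with the LAN address
    if not any(inside):
        return "nat-reflection"  # connection has to hairpin through the gateway
    return "mixed"               # internal and public records disagree

def tls_name_ok(address, server_name, port=443, timeout=3.0):
    """Connect to address and verify the certificate against server_name.
    Returns True, False (certificate rejected) or None (no connection / other TLS failure)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return True
    except ssl.SSLCertVerificationError:
        return False
    except OSError:
        return None

def report(hostname, resolver=resolve_ipv4, probe=tls_name_ok):
    """Resolve hostname, classify the inside path, and TLS-check each address."""
    addresses = resolver(hostname)
    return {"addresses": addresses, "path": classify_path(addresses),
            "tls": {a: probe(a, hostname) for a in addresses}}

if __name__ == "__main__":
    import sys
    # "www.example.com" is a placeholder; pass the site's public hostname instead.
    print(report(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

Either result describes the path taken from inside the LAN only; it does not exercise the route an outside client takes.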
naderz
1. What kind of router do you have?
2. Is the server inside the network? Or, in the DMZ?
3. If the server is inside the network, then you should have your internal DNS resolve to the inside address for inside access.
hypercube (ASKER)

So there's no way to prove that the outside access is working from the inside?
Thanks all.  In this case the gateway is a router that is controlled by a 3rd party and I have no idea what its capabilities are.  There is no DMZ.  There is no Windows Server.

I imagine the easiest way to get access is to address the server from the inside.  Using its IP address?  e.g. https://192.168.2.xxx
I would not recommend that for production use, however, since you will get certificate errors via HTTPS. For development it will work fine!
This is a very small organization/network.  I don't think the certificate errors from the inside are going to matter.  It wouldn't be the first time that I've had to live with them.  Development is over.
helge000
Yes, I understand about internal DNS sorts of things.  It may be handy for some.  Having a browser shortcut does the same thing, eh?
The problem is that this doesn't confirm outside access during testing - which is what I was about originally here.