Connecting to web server computer from "inside"

I was asked to complete the firewall rules on a Windows 8 computer used as a web server on a private network with port forwarding in the gateway router.

The address is an https:// address and port 443 is what's being used.

If one has the URL, is it possible to browse to the URL from inside the private LAN?  I'd never thought about this before.  
If not then what is best practice for getting access from inside the LAN?

The topology is:
Public address facing the internet (what What is My IP reports).
Public address block for which the LAN NATs into.
(I don't understand how this works and why What is My IP reports one when it's really another - but perhaps no matter).
Router forwards the public IP:port 443 to the server:port 443.
Private LAN address of the server.
Server firewall with port 443 open.

Should one be able to access the server using the public URL?
Fred Marshall (Principal) Asked:

Daniel Helgenberger Commented:
Yes, you should. But this depends on your firewall.

Often you have something called NAT reflection which does exactly that.
This is inefficient though and may sometimes not work.

Therefore a common practice (very often for Exchange servers) is to set up something called Split DNS.
Here you take advantage of the situation that inside your LAN you have control over the DNS lookups. Normally, public lookups outside your LAN are forwarded since your DNS is not authoritative for (= does not know) the domain you are looking for.

So, just create a new zone in DNS named after your public DNS zone and create an A record pointing to your web server: not the public, but the private IP.
Inside your LAN everyone will now be able to connect directly to your web server via private local IP.
0
naderz Commented:
1. What kind of router do you have?
2. Is the server inside the network? Or, in the DMZ?
3. If the server is inside the network, then you should have your internal DNS resolve to the inside address for inside access.
0
Fred Marshall (Principal, Author) Commented:
So there's no way to prove that the outside access is working from the inside?
0
Daniel Helgenberger Commented:
No, because of NAT you cannot prove this from the same network.
You always need another network to verify outside access.

From the inside do the following (I hope you have a smart phone):

- switch off WLAN
- make sure you have WWAN (=Edge/UMTS/LTE) connection
- open your web site

Best access practices with https is NAT reflection or split DNS. This is the only way your certificate will be valid when accessing it from the inside (ok, I assume you are not using SAN certs here)
0
Fred Marshall (Principal, Author) Commented:
Thanks all.  In this case the gateway is a router that is controlled by a 3rd party and I have no idea what its capabilities are.  There is no DMZ.  There is no Windows Server.

I imagine the easiest way to get access is to address the server from the inside.  Using its IP address?  e.g. https://192.168.2.xxx
0
naderz Commented:
Yes, IP address is your first choice. If you have an internal DNS server, then you could define things that way.
0
Daniel Helgenberger Commented:
I would not recommend that for production use however, since you will get certificate errors via HTTPS. For development it will work fine!
0
Fred Marshall (Principal, Author) Commented:
This is a very small organization/network.  I don't think the certificate errors from the inside are going to matter.  It wouldn't be the first time that I've had to live with them.  Development is over.
0
Daniel Helgenberger Commented:
If there are only a few computers and this is a permanent setup, you could just modify the hosts file, in Windows:
%SystemRoot%\system32\drivers\etc\hosts
in Linux:
/etc/hosts

like this:
ip hostname
e.g.:
192.168.0.15 intranet intranet.yourdomain.com
0
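Added example (not part of the thread or any poster's code): a small check of which internal URLs resolve through a hosts-file override and which of them pass the browser's certificate name check, which is why browsing by private IP gives certificate errors while split DNS or a hosts entry for the public name does not. The certificate SAN list and the `yourdomain.com` names are constructed assumptions; the hosts line is the one from the comment above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not values taken from a real server).
CERT_SANS = [("DNS", "intranet.yourdomain.com"), ("DNS", "*.yourdomain.com")]
HOSTS_FILE = """\
# internal override, same format as the hosts entry above
192.168.0.15 intranet intranet.yourdomain.com
"""

def parse_hosts(text):
    """Map each lower-cased hostname in hosts-file text to its IP."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])  # first entry wins
    return table

def dns_match(pattern, host):
    """RFC 6125 style match: '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(host, sans):
    """True if a client that typed `host` would accept a cert with these SANs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(t == "DNS" and dns_match(v, host) for t, v in sans)
    # An IP literal is only compared against iPAddress SAN entries.
    return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in sans)

def check(url, hosts_text=HOSTS_FILE, sans=CERT_SANS):
    """Return (address the hosts file gives or None, certificate name check)."""
    host = urlsplit(url).hostname
    return parse_hosts(hosts_text).get(host), cert_matches(host, sans)

if __name__ == "__main__":
    for u in ("https://intranet.yourdomain.com/", "https://intranet/",
              "https://192.168.0.15/"):
        print(u, check(u))
```

Only the full public name both resolves internally and matches the certificate; the short name and the IP literal fail the name check unless the certificate carries matching SAN entries.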
Fred Marshall (Principal, Author) Commented:
helge000
Yes, I understand about internal DNS sorts of things.  It may be handy for some.  Having a browser shortcut does the same thing, eh?
The problem is that this doesn't confirm outside access during testing - which is what I was about originally here.
0
naderz Commented:
You can try these services:

http://freeproxyserver.net/

http://www.uptimerobot.com/

To monitor/access your website from outside your network. It works.
0