Asked by hypercube

Connecting to web server computer from "inside"

I was asked to complete the firewall rules on a Windows 8 computer used as a web server on a private network with port forwarding in the gateway router.

The address is an https:// address and port 443 is what's being used.

If one has the URL, is it possible to browse to the URL from inside the private LAN?  I'd never thought about this before.  
If not then what is best practice for getting access from inside the LAN?

The topology is:
Public address facing the internet (what What is My IP reports).
Public address block for which the LAN NATs into.
(I don't understand how this works and why What is My IP reports one when it's really another - but perhaps no matter).
Router forwards the public IP:port 443 to the server:port 443.
Private LAN address of the server.
Server firewall with port 443 open.

Should one be able to access the server using the public URL?
Tags: Routers, Networking Protocols, SSL / HTTPS


8/22/2022 - Mon
Member_2_6582184

Yes, you should. But this depends on your firewall.

Often you have something called NAT reflection which does exactly that.
This is inefficient though and may sometimes not work.

Therefore a common practice (very often for Exchange servers) is to set up something called Split DNS.
Here you take advantage of the situation that inside your LAN you have control over the DNS lookups. Normally, public lookups outside your LAN are forwarded since your DNS is not authoritative for (= does not know) the domain you are looking for.

So, just create a new zone in DNS named after your public DNS zone and create an A record pointing to your web server; not to the public IP, but to the private IP.
Inside your LAN everyone will now be able to connect directly to your web server via private local IP.
naderz

1. What kind of router do you have?
2. Is the server inside the network? Or, in the DMZ?
3. If the server is inside the network, then you should have your internal DNS resolve to the inside address for inside access.
ASKER
hypercube

So there's no way to prove that the outside access is working from the inside?
ASKER
hypercube

Thanks all.  In this case the gateway is a router that is controlled by a 3rd party and I have no idea what its capabilities are.  There is no DMZ.  There is no Windows Server.

I imagine the easiest way to get access is to address the server from the inside.  Using its IP address?  e.g. https://192.168.2.xxx
Member_2_6582184

I would not recommend that for production use, however, since you will get certificate errors via HTTPS. For development it will work fine!
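
An added example, not part of the thread or any poster's code: a Python sketch covering the Split DNS answer and the certificate-error comment above. It classifies what a name resolves to from inside the LAN and shows why an IP-literal URL fails certificate name checking while the split-DNS hostname passes. `www.example.com`, `192.168.2.10`, `203.0.113.5` and all function names are assumptions, and the SAN matching is a simplified version of browser behaviour.

```python
import ipaddress
import socket
import ssl

# RFC 1918 ranges; anything else is treated as "public" for this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname, port=443):
    """Addresses this client's resolver returns for the name."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """'split-dns' if every answer is a LAN address, 'public' if none is."""
    inside = [any(ipaddress.ip_address(a) in n for n in RFC1918) for a in addresses]
    if not inside:
        return "no-answer"
    if all(inside):
        return "split-dns"
    return "mixed" if any(inside) else "public"

def san_matches(target, dns_sans, ip_sans=()):
    """Simplified name check: an IP literal only matches an IP SAN; a hostname
    only matches a DNS SAN (a single left-most '*' label is allowed)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in ip_sans)
    host = target.lower().rstrip(".")
    for san in (s.lower() for s in dns_sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def check_inside(hostname, private_ip, port=443, timeout=5):
    """Live check from a LAN client: connect to the private IP but validate the
    certificate against the public name, as a browser does under split DNS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((private_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version()

if __name__ == "__main__":
    # Constructed sample values; replace with the real name and LAN address.
    print(classify(["192.168.2.10"]))                           # split DNS in effect
    print(san_matches("www.example.com", ["www.example.com"]))  # hostname URL
    print(san_matches("192.168.2.10", ["www.example.com"]))     # IP-literal URL
```

`check_inside` raises `ssl.SSLCertVerificationError` if the certificate served at the private address is not valid for the public name, which is worth confirming before the internal A record is created.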
ASKER
hypercube

This is a very small organization/network.  I don't think the certificate errors from the inside are going to matter.  It wouldn't be the first time that I've had to live with them.  Development is over.
ASKER
hypercube

helge000
Yes, I understand about internal DNS sorts of things.  It may be handy for some.  Having a browser shortcut does the same thing, eh?
The problem is that this doesn't confirm outside access during testing - which is what I was about originally here.