Solved

Sonicwall : How to forward port 443 to two different servers?

Posted on 2013-10-26
Medium Priority
7,372 Views
Last Modified: 2013-10-28
Hello All,

Currently I have two servers running that utilize port 443 (Mac Profile Manager/WebHelp Desk).

I have the following configuration :
==========
IP from ISP is Static

DNS Server/file server 192.168.1.2 (win2k8 R2) :
webhelpdesk.abc.com (192.168.1.5 on win2k8 r2)
profilemgr.abc.com (192.168.1.10 on a mac)

===========

Internally, I can access both webservers by navigating to their respective URL.

My question is, how do I configure my SonicWall so that I can access these two services via the INTERNET.

Basically, I want to be able to navigate to the URL outside of my internal network and still be able to access these services.

Thank you much in advance!
0
Question by:Coupee46
10 Comments
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 2000 total points
ID: 39602845
While you have a couple options, it's helpful to first understand that you generally cannot forward to multiple internal hosts using the same public IP address and same port number.  If you have more than one public IP address available, then you simply configure a port address translation (PAT) or network address translation (NAT) entry, and appropriate access control rules, for each web server.  If you only have one public IP address, then you'll need to select an alternate port for one of the web servers on the public side (i.e. 444/TCP) which is then translated to the private side on 443/TCP.  Another possibility is hosting both web servers on the same machine, and distinguishing between the two web sites via the host header.  In this way they can share the same IP address and port; however, in the case of SSL/TLS you'll need a certificate issued which supports both FQDNs.  It's also possible an application layer SSL IPS/firewall/reverse-proxy could read the host header and forward accordingly.

All that being said, you'll need to identify and gain access to the public name servers for your domain (i.e. abc.com); from here you'll basically duplicate your internal DNS records, except you'll modify the IP addresses from private IPs to their corresponding public IPs.  The public IPs correlate to your PAT/NAT entries, which translate a given public IP to a given private IP.  Make sense?
0
 
LVL 1

Author Comment

by:Coupee46
ID: 39602868
Ahh ok, that makes sense.  Well, my ISP has given me a block of public IP addresses (5 addresses). Would this work? I assume I can reconfigure my DNS A record to point to another public IP that I am not currently using?
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39602877
Yes, select two public IPs from your block which aren't in use.  I'd recommend you create PAT entries instead of NAT entries.  This leaves open the possibility of assigning other ports in the future to other internal hosts, whereas a 1-to-1 NAT entry dedicates the entire IP address to a single host.

After you've created the PAT entries, modify your public DNS records to match the FQDNs:

webhelpdesk.abc.com (public IP 1)
profilemgr.abc.com (public IP 2)

Aside from convenience, another benefit of matching FQDNs is you won't need to reissue your web server certificates.
0
 
LVL 1

Author Comment

by:Coupee46
ID: 39602892
Great! Thanks, I'll give that a try today. For profilemgr.abc.com I don't mind assigning the entire IP to it, since the only thing it will be responsible for is my iOS and OS X devices.

You wouldn't by chance know of any SonicWall tutorial on setting up the PAT or NAT?

Thank you again!
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39603652
Just a heads up that the SonicWall likely (by default on the TZ series) uses port 443 for its management HTTPS interface.
This may cause a conflict with what you are intending.
1
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 2000 total points
ID: 39603954
Here's a video tutorial:
http://www.youtube.com/watch?v=HhXqGSpA0ik

It would be best practice to only make your management http daemon available on the private side, not the public.  If this can't be avoided then restrict access on the public side, to the management interface, by IP address.

Additionally, best practice would be to create a separate private network for use as your DMZ, and to have all publicly accessible hosts reside there.  If one of these hosts is compromised, then only the DMZ network will be accessible to attackers, as opposed to your entire primary private network.  You'd then create PAT/NAT entries from the DMZ to the primary private side as well, in order to make the DMZ hosts accessible to your private network.  This is another reason to consider PAT over NAT: to limit the attack (and fingerprinting) surface attackers have access to.
0
 
LVL 1

Author Comment

by:Coupee46
ID: 39606494
Thank you x66,

I created a NAT policy for the MDM first to test if it works..

Original Destination : <one of my public IPs>
Translated Destination : 192.168.1.10 (DMZ)
Original Service : <set to ANY>

I added/modified the following DNS records:

name : profilemgr
Type : Host (A)
Data : public ip

===========

1. Attempting to open profilemgr.abc.com resulted in PAGE CANNOT BE FOUND
2. I went ahead and pinged profilemgr.abc.com from a separate workstation on the same network, and was able to receive a REPLY with the internal IP 192.168.1.10
3. I performed a tracert to profilemgr.abc.com and verified it did end at the MacMini server
4. I performed a port scan on the private IP and verified 80/443 is live on profilemgr.abc.com
5. I verified I could access the profile interface on https via the private IP 192.168.1.10
6. I attempted a port scan on the public IP, but it did not yield any open ports

So basically, I am still unable to access profilemgr.abc.com on the public IP, only on the private IP.  When I perform the ping and tracert on the public IP my results come back with a reply from the PRIVATE IP 192.168.1.10.

But when I attempt to ping or tracert the public IP outside of my network, I am given "RESULT TIMED OUT".

Suggestions?

Thanks again.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 2000 total points
ID: 39606536
Yes, in addition to NAT you'll need to create an access control rule to permit the port and protocol you're testing (e.g. 80/TCP (http), 443/TCP (https)).  You'll also need to make sure the public DNS server is resolving the FQDN properly, meaning it's resolving to the public IP address (that is NAT'd to the corresponding private IP) and *not* the Private IP.  Are you using the same DNS server for private as you are for public?  If so, you'll need to use a separate DNS server on the public side.  CloudNS.net is a provider I use.

So both your ACL and your NAT rule should apply to the same public IP.  To temporarily eliminate DNS from the equation, test on the public-side of the firewall using the public IP address only.

Additionally, rather than PING (which uses the ICMP protocol), you'll want to test with a utility such as Nping (part of the Nmap package) using the actual port and protocol of the service you really want to verify.

nping --tcp -p 80 74.125.239.35


If you do want to test with PING, create an ACL to permit ICMP (specifically, Type 8 — Echo and Type 0 — Echo Reply) on the public IP address you used for your NAT address.
0
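The two failure modes the comment above describes (the public name resolving to the private 192.168.1.10 from inside, and the public IP answering nothing because the NAT policy had no matching access rule) can be checked from a workstation with a short script. This is an added example, not code from the thread or from SonicWall; it uses whatever resolver the workstation is configured with, and the TCP connect test stands in for the `nping --tcp -p PORT ADDR` check suggested above. The hostname profilemgr.abc.com is the one from the question and is only a default argument.

```python
"""Check that a public FQDN really reaches a forwarded service.

Flags a name that resolves to an RFC1918 address (internal DNS answers
leaking out) and probes the port on each public answer (a NAT policy
without a matching access rule shows up as "not reachable").
"""
import ipaddress
import socket

# RFC1918 ranges: a public name must never resolve to one of these from outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a private (RFC1918) IPv4 address."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def resolve_ipv4(fqdn):
    """IPv4 addresses the local resolver returns for fqdn, deduplicated in order."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return list(dict.fromkeys(info[4][0] for info in infos))


def tcp_open(addr, port, timeout=3.0):
    """TCP connect test (same idea as nping --tcp): True if the handshake completes."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_forward(fqdn, port=443):
    """Resolve fqdn, flag private answers, and probe the port on each public answer."""
    addrs = resolve_ipv4(fqdn)
    private = [a for a in addrs if is_rfc1918(a)]
    return {
        "addresses": addrs,
        "private_leak": private,  # non-empty: DNS is handing out internal IPs
        "reachable": {a: tcp_open(a, port) for a in addrs if a not in private},
    }


if __name__ == "__main__":
    import sys
    # Hostname from the thread is only the default; pass your own FQDN as argv[1].
    print(check_forward(sys.argv[1] if len(sys.argv) > 1 else "profilemgr.abc.com"))
```

Run it once from inside the LAN and once from an outside connection: a non-empty `private_leak` from outside means the public zone still carries internal records, and a public address with `reachable` False means the firewall is not passing the port even though the name is right.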
 
LVL 1

Author Comment

by:Coupee46
ID: 39606582
x66,

You're a blessing. Thank you, sir/madam. Everything works great now :).  I also created an additional NAT policy as a loopback for internal workstations.
0
 
LVL 1

Author Closing Comment

by:Coupee46
ID: 39606587
Amazing explanation!
0
