Sonicwall : How to forward port 443 to two different servers?

Posted on 2013-10-26
Last Modified: 2013-10-28
Hello All,

Currently I have two servers running that utilizes port 443 (Mac Profile Manager/WebHelp Desk).

I have the following configuration :
IP from ISP is Static

DNS Server/file server (win2k8 R2) : ( on win2k8 r2) ( on a mac)


Internally, I can access both webservers by navigating to their respective URL.

My question is, how do I configure my SonicWall so that I can access these two services via the INTERNET.

Basically, I want to be able to navigate to the URL outside of my internal network and still be able to access these services..

Thank you much in advance!
Question by:Coupee46

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39602845
While you have a couple of options, it's helpful to first understand that you generally cannot forward to multiple internal hosts using the same public IP address and same port number.  If you have more than one public IP address available, then you simply configure a port address translation (PAT) or network address translation (NAT) entry, and appropriate access control rules, for each web server.  If you only have one public IP address, then you'll need to select an alternate port for one of the web servers on the public side (i.e. 444/TCP) which is then translated to the private side on 443/TCP.  Another possibility is hosting both web servers on the same machine, and distinguishing between the two web sites via the host header.  In this way they can share the same IP address and port; however, in the case of SSL/TLS you'll need a certificate issued which supports both FQDNs.  It's also possible an application layer SSL IPS/firewall/reverse-proxy could read the host header and forward accordingly.

All that being said, you'll need to identify and gain access to the public name servers for your domain (i.e.; from here you'll basically duplicate your internal DNS records, except you'll modify the IP addresses from private IPs to their corresponding public IPs.  The public IPs correlate to your PAT/NAT entries, which translate a given public IP to a given private IP.  Make sense?

Author Comment

ID: 39602868
Ahh ok that makes sense.  Well my ISP has given me a block of public IP addresses (5 addresses). Would this work? I assume I can reconfigure my DNS A record to point to another public IP that I am not currently using?

Expert Comment

by:Giovanni Heward
ID: 39602877
Yes, select two public IPs from your block which aren't in use.  I'd recommend you create PAT entries instead of NAT entries.  This leaves open the possibility of assigning other ports in the future to other internal hosts, whereas a 1-to-1 NAT entry dedicates the entire IP address to a single host.

After you've created the PAT entries, modify your public DNS records to match the FQDNs: (public IP 1) (public IP 2)

Aside from convenience, another benefit of matching FQDNs is you won't need to reissue your web server certificates.

Author Comment

ID: 39602892
Great! Thanks, I'll give that a try today. Then I don't mind assigning the entire IP to it since the only thing it will be responsible for is my iOS and OS X devices....

You wouldn't by chance know of any SonicWall tutorial on setting up the PAT or NAT?

Thank you again!

Expert Comment

ID: 39603652
Just a heads up that the SonicWall likely (by default on the TZ series) uses port 443 for its management HTTPS interface.
This may cause a conflict with what you are intending.

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 500 total points
ID: 39603954
Here's a video tutorial:

It would be best practice to only make your management HTTP daemon available on the private side, not the public.  If this can't be avoided, then restrict access to the management interface on the public side by IP address.

Additionally, best practice would be to create a separate private network for use as your DMZ, and to have all publicly accessible hosts reside there.  If one of these hosts is compromised, then only the DMZ network will be accessible to attackers as opposed to your entire primary private network.  You'd then create PAT/NAT entries from the DMZ to the primary private side as well, in order to make the DMZ hosts accessible to your private network.  This is another reason to consider PAT over NAT: to limit the attack (and fingerprinting) surface attackers have access to.

Author Comment

ID: 39606494
Thank you x66,

I created a NAT policy for the MDM first to test if it works..

Original Destination : <one of my public ip>
Translated Destination : (DMZ)
Original Service : <set to ANY>

I added/modified the following DNS records :

name : profilemgr
Type : Host (A)
Data : public ip


1. attempting to open resulted in PAGE CANNOT BE FOUND
2. I went ahead and ping from a separate workstation on the same network, and was able to receive a REPLY with the internal IP
3. I performed a tracert to and verified it did end at the MacMini server
4. I performed a port scan on the private IP and verified 80/443 is live on the
5. I verified I could access the profile interface on https via the private IP
6. I attempted a port scan on the public IP, but did not yield any result to any open ports

So basically, I am still unable to access the on the public IP, only on the private IP.  When I perform the ping and tracert on the public IP my results come back with a reply from the PRIVATE IP

But when I attempt to ping or tracert the public IP outside of my network, I am given "RESULT TIMED OUT"


Thanks again.

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 500 total points
ID: 39606536
Yes, in addition to NAT you'll need to create an access control rule to permit the port and protocol you're testing (e.g. 80/TCP (http), 443/TCP (https)).  You'll also need to make sure the public DNS server is resolving the FQDN properly, meaning it's resolving to the public IP address (that is NAT'd to the corresponding private IP) and *not* the Private IP.  Are you using the same DNS server for private as you are for public?  If so, you'll need to use a separate DNS server on the public side. is a provider I use.

So both your ACL and your NAT rule should apply to the same public IP.  To temporarily eliminate DNS from the equation, test on the public-side of the firewall using the public IP address only.

Additionally, rather than PING (which uses the ICMP protocol), you'll want to test with a utility such as Nping (part of the Nmap package) using the actual port and protocol of the service you really want to verify.

nping --tcp -p 80


If you do want to test with PING, create an ACL to permit ICMP (specifically, Type 8 — Echo and Type 0 — Echo Reply) on the public IP address you used for your NAT address.
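As an added illustration (my own code, not from the thread or from SonicWall), here is a small Python model of the inbound path the accepted answer and this reply describe: a NAT/PAT policy lookup first, then a separate access-rule check. The addresses are constructed documentation/RFC 1918 ranges and the class and method names are my own; it shows why a public ip:port can forward to only one host, how an alternate public port or 1-to-1 NAT differ, and why a NAT policy without an access rule still drops traffic.

```python
# Added example (not from the thread): a toy model of the inbound path the
# answers describe, NAT/PAT policy lookup first, then the access rule check.
# Addresses are constructed RFC 5737 / RFC 1918 examples, not the poster's.

ANY = None  # wildcard: whole-address (1-to-1) NAT entry, or an "any port" rule


class EdgeFirewall:
    def __init__(self):
        self.nat = {}     # (public_ip, port|ANY, proto) -> (private_ip, port|ANY)
        self.acl = set()  # (public_ip, port|ANY, proto) permitted inbound

    def add_pat(self, public_ip, port, proto, private_ip, private_port=None):
        """PAT: one public ip:port/proto forwards to exactly one private host."""
        key = (public_ip, port, proto)
        if key in self.nat:  # the limitation from the accepted answer
            raise ValueError(f"{public_ip}:{port}/{proto} already maps to {self.nat[key]}")
        self.nat[key] = (private_ip, private_port or port)

    def add_nat_1to1(self, public_ip, private_ip):
        """1-to-1 NAT dedicates the entire public address to a single host."""
        if any(k[0] == public_ip for k in self.nat):
            raise ValueError(f"{public_ip} is already translated")
        self.nat[(public_ip, ANY, "any")] = (private_ip, ANY)

    def permit(self, public_ip, port, proto):
        """Access rule; it is separate from the NAT policy and also required."""
        self.acl.add((public_ip, port, proto))

    def inbound(self, dst_ip, dst_port, proto):
        """Where a packet arriving from the Internet ends up, or why it is dropped."""
        keys = [(dst_ip, dst_port, proto), (dst_ip, ANY, proto), (dst_ip, ANY, "any")]
        target = next((self.nat[k] for k in keys if k in self.nat), None)
        if target is None:
            return "dropped: no NAT/PAT policy"
        if not any(k in self.acl for k in keys):
            return "dropped: no access rule"  # the poster's first symptom
        private_ip, private_port = target
        port = dst_port if private_port is ANY else private_port
        return private_ip if port is ANY else f"{private_ip}:{port}"


def build_example():
    """Two public IPs from the ISP block, one PAT entry each, as recommended."""
    fw = EdgeFirewall()
    fw.add_pat("203.0.113.10", 443, "tcp", "10.10.0.5")     # Profile Manager, DMZ
    fw.add_pat("203.0.113.11", 443, "tcp", "192.168.1.20")  # WebHelp Desk, LAN
    fw.permit("203.0.113.10", 443, "tcp")  # .11 has a NAT policy but no rule yet
    return fw
```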

Author Comment

ID: 39606582

you're a blessing.. thank you sir/madam.. Everything works great now :).  I also created an additional NAT policy as a loopback for internal workstations.

Author Closing Comment

ID: 39606587
Amazing explanation!
