Sonicwall : How to forward port 443 to two different servers?

Posted on 2013-10-26
Last Modified: 2013-10-28
Hello All,

Currently I have two servers running that utilize port 443 (Mac Profile Manager/WebHelp Desk).

I have the following configuration :
==========
IP from ISP is Static

DNS Server/file server 192.168.1.2 (win2k8 R2) :
webhelpdesk.abc.com (192.168.1.5 on win2k8 r2)
profilemgr.abc.com (192.168.1.10 on a mac)

===========

Internally, I can access both webservers by navigating to their respective URL.

My question is, how do I configure my SonicWall so that I can access these two services via the INTERNET.

Basically, I want to be able to navigate to the URL outside of my internal network and still be able to access these services..

Thank you very much in advance!
Question by: Coupee46

Accepted Solution

by: Giovanni Heward (earned 500 total points)
ID: 39602845
While you have a couple of options, it's helpful to first understand that you generally cannot forward to multiple internal hosts using the same public IP address and same port number.  If you have more than one public IP address available, then you simply configure a port address translation (PAT) or network address translation (NAT) entry, and appropriate access control rules, for each web server.  If you only have one public IP address, then you'll need to select an alternate port for one of the web servers on the public side (i.e. 444/TCP) which is then translated to the private side on 443/TCP.  Another possibility is hosting both web servers on the same machine, and distinguishing between the two web sites via the host header.  In this way they can share the same IP address and port; however, in the case of SSL/TLS you'll need a certificate issued which supports both FQDNs.  It's also possible an application-layer SSL IPS/firewall/reverse proxy could read the host header and forward accordingly.

All that being said, you'll need to identify and gain access to the public name servers for your domain (i.e. abc.com); from here you'll basically duplicate your internal DNS records, except you'll modify the IP addresses from private IPs to their corresponding public IPs.  The public IPs correlate to your PAT/NAT entries, which translate a given public IP to a given private IP.  Make sense?
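The last option in the accepted solution, one public IP and port shared by several HTTPS hosts behind a front end, is worth seeing in code. For HTTPS the front end cannot read the HTTP Host header before the session is decrypted; what it can read is the server_name (SNI) extension in the TLS ClientHello, which is the field an SNI-aware reverse proxy keys on. The following Python is an added example, not code from the thread or from any SonicWall product. It parses a ClientHello, extracts the SNI and picks a private backend from a table that reuses the names and addresses in the question (the table itself is an assumption). A connection with no SNI, or with a name not in the table, is refused rather than sent to a default host. The `build_client_hello` function only produces constructed test input.

```python
"""Route a TLS connection to a private backend by the SNI in its ClientHello."""
import struct
from typing import Dict, Optional, Tuple

# Public FQDN -> private host. Names and addresses are those from the question;
# the table itself is an assumption for this example.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "webhelpdesk.abc.com": ("192.168.1.5", 443),
    "profilemgr.abc.com": ("192.168.1.10", 443),
}


def extract_sni(record: bytes) -> Optional[str]:
    """host_name from a TLS ClientHello record, or None if no SNI was sent.

    Raises ValueError for anything that is not a well-formed ClientHello, so
    plaintext HTTP or garbage arriving on 443 is refused rather than routed.
    """
    if len(record) < 5 or record[0] != 0x16:                # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n: int) -> bytes:                  # bounds-checked cursor over body
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                # client_version, random
    take(take(1)[0])                            # session_id
    take(struct.unpack("!H", take(2))[0])       # cipher_suites
    take(take(1)[0])                            # compression_methods
    if pos == len(body):
        return None                             # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    take(2)
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        if pos + ext_len > end:
            raise ValueError("extension overruns extensions block")
        data = take(ext_len)
        if ext_type != 0x0000:                  # 0 = server_name
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        names = data[2:2 + struct.unpack("!H", data[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("malformed server_name extension")
            if name_type == 0:                  # host_name, an ASCII A-label
                return name.decode("ascii")
            i += 3 + name_len
    return None


def choose_backend(record: bytes,
                   backends: Dict[str, Tuple[str, int]] = BACKENDS) -> Optional[Tuple[str, int]]:
    """Backend for this ClientHello, or None to refuse the connection.

    No SNI, or a name outside the table, is refused instead of going to a
    default host, so a scan of the public IP reaches neither server by accident.
    """
    name = extract_sni(record)
    if name is None:
        return None
    return backends.get(name.lower().rstrip("."))


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello, with or without SNI."""
    body = b"\x03\x03" + bytes(32)                        # client_version, zero random
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite
    body += b"\x01\x00"                                   # null compression only
    exts = struct.pack("!HHHH", 0x000A, 4, 2, 0x001D)     # supported_groups, skipped by parser
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for sni in ("profilemgr.abc.com", "webhelpdesk.abc.com", "other.example", None):
        print(sni, "->", choose_backend(build_client_hello(sni)))
```

Note that the accepted solution's certificate point still applies: the front end terminates TLS only if it holds a certificate for every name it serves; a pure SNI router that passes the bytes through untouched leaves each backend presenting its own certificate.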
Author Comment

by: Coupee46
ID: 39602868
Ahh ok, that makes sense.  Well, my ISP has given me a block of public IP addresses (5 addresses). Would this work? I assume I can reconfigure my DNS A record to point to another public IP that I am not currently using?
Expert Comment

by: Giovanni Heward
ID: 39602877
Yes, select two public IPs from your block which aren't in use.  I'd recommend you create PAT entries instead of NAT entries.  This leaves open the possibility of assigning other ports in the future to other internal hosts, whereas a 1-to-1 NAT entry dedicates the entire IP address to a single host.

After you've created the PAT entries, modify your public DNS records to match the FQDNs:

webhelpdesk.abc.com (public IP 1)
profilemgr.abc.com (public IP 2)

Aside from convenience, another benefit of matching FQDNs is you won't need to reissue your web server certificates.
Author Comment

by: Coupee46
ID: 39602892
Great! Thanks, I'll give that a try today. For profilemgr.abc.com I don't mind assigning the entire IP to it, since the only thing it will be responsible for is my iOS and OS X devices....

You wouldn't by chance know of any SonicWall tutorial on setting up the PAT or NAT?

Thank you again!
Expert Comment

by: cpmcomputers
ID: 39603652
Just a heads up that the SonicWall likely (by default on the TZ series) uses port 443 for its HTTPS management interface.
This may cause a conflict with what you are intending.
Assisted Solution

by: Giovanni Heward
ID: 39603954
Here's a video tutorial:
http://www.youtube.com/watch?v=HhXqGSpA0ik

It would be best practice to only make your management HTTP daemon available on the private side, not the public.  If this can't be avoided, then restrict access to the management interface on the public side by IP address.

Additionally, best practice would be to create a separate private network for use as your DMZ, and to have all publicly accessible hosts reside there.  If one of these hosts is compromised, then only the DMZ network will be accessible to attackers, as opposed to your entire primary private network.  You'd then create PAT/NAT entries from the DMZ to the primary private side as well, in order to make the DMZ hosts accessible to your private network.  This is another reason to consider PAT over NAT: to limit the attack (and fingerprinting) surface attackers have access to.
Author Comment

by: Coupee46
ID: 39606494
Thank you x66,

I created a NAT policy for the MDM first to test if it works:

Original Destination : <one of my public IPs>
Translated Destination : 192.168.1.10 (DMZ)
Original Service : <set to ANY>

I added/modified the following DNS records:

Name : profilemgr
Type : Host (A)
Data : public IP

===========

1. Attempting to open profilemgr.abc.com resulted in PAGE CANNOT BE FOUND
2. I went ahead and pinged profilemgr.abc.com from a separate workstation on the same network, and was able to receive a REPLY with the internal IP 192.168.1.10
3. I performed a tracert to profilemgr.abc.com and verified it did end at the Mac Mini server
4. I performed a port scan on the private IP and verified 80/443 are live on profilemgr.abc.com
5. I verified I could access the profile interface over HTTPS via the private IP 192.168.1.10
6. I attempted a port scan on the public IP, but it did not yield any open ports

So basically, I am still unable to access profilemgr.abc.com on the public IP, only on the private IP.  When I perform the ping and tracert on the public IP my results come back with a reply from the PRIVATE IP 192.168.1.10

But when I attempt to ping or tracert the public IP from outside of my network, I am given "RESULT TIMED OUT"

Suggestions?

Thanks again.
Assisted Solution

by: Giovanni Heward
ID: 39606536
Yes, in addition to NAT you'll need to create an access control rule to permit the port and protocol you're testing (e.g. 80/TCP (http), 443/TCP (https)).  You'll also need to make sure the public DNS server is resolving the FQDN properly, meaning it's resolving to the public IP address (that is NAT'd to the corresponding private IP) and *not* the Private IP.  Are you using the same DNS server for private as you are for public?  If so, you'll need to use a separate DNS server on the public side.  CloudNS.net is a provider I use.

So both your ACL and your NAT rule should apply to the same public IP.  To temporarily eliminate DNS from the equation, test on the public-side of the firewall using the public IP address only.

Additionally, rather than PING (which uses the ICMP protocol), you'll want to test with a utility such as Nping (part of the Nmap package) using the actual port and protocol of the service you really want to verify.

nping --tcp -p 80 74.125.239.35


If you do want to test with PING, create an ACL to permit ICMP (specifically, Type 8 — Echo and Type 0 — Echo Reply) on the public IP address you used for your NAT address.
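The troubleshooting advice in the answer above, and the PAT/DNS steps from earlier in the thread, boil down to three checks that are easy to get wrong separately: the public DNS view must return the public IP the NAT policy translates, not the RFC 1918 address the internal view returns (which is exactly what the poster's ping from inside showed); the access rule and NAT policy must refer to that same public IP; and the probe must be a TCP connect on the service port, as `nping --tcp -p` does, not ICMP echo. The following Python is an added example, not code from the thread; it encodes those checks as functions. The resolver answers are constructed sample data and 203.0.113.10 (a documentation-range address) is a placeholder for one of the poster's real public IPs; the `probe` parameter lets a stand-in replace the real TCP connect so the script runs offline.

```python
"""Verify a forwarded service the way a client outside the firewall sees it."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# RFC 1918 ranges: an answer in one of these means the internal DNS view leaked
# into what a public client receives, and the public IP is never even tried.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dns_problems(answers: Iterable[str], nat_public_ip: str) -> List[str]:
    """Problems with the A records a resolver returned for the FQDN.

    An empty list means every answer is the public IP the NAT policy uses as
    its Original Destination, which is also the IP the access rule must name.
    """
    answers = list(answers)
    if not answers:
        return ["no A record returned"]
    problems = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in RFC1918):
            problems.append(f"{a} is an RFC 1918 address: only internal clients can reach it")
        elif a != nat_public_ip:
            problems.append(f"{a} is not the NAT policy's public address {nat_public_ip}")
    return problems


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect on the real service port, the check `nping --tcp -p <port>` makes.

    A firewall that drops ICMP echo can still forward 443, and one that answers
    ping can still block 443, so ping says nothing about the NAT policy and rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(fqdn: str, nat_public_ip: str, ports: Iterable[int],
                   public_answers: Iterable[str],
                   probe: Callable[[str, int], bool] = tcp_port_open) -> Dict[str, object]:
    """Combine the public DNS view and per-port probes into one report.

    Probes go to nat_public_ip rather than to the name, so a wrong DNS record
    cannot mask a working (or broken) NAT policy and access rule.
    """
    ports_open = {p: probe(nat_public_ip, p) for p in ports}
    dns = dns_problems(public_answers, nat_public_ip)
    return {
        "fqdn": fqdn,
        "dns_problems": dns,
        "ports_open": ports_open,
        "ok": not dns and all(ports_open.values()),
    }


# Constructed sample data. 203.0.113.10 (a documentation-range address) stands in
# for one of the poster's real public IPs.
NAT_PUBLIC_IP = "203.0.113.10"
INTERNAL_VIEW = ["192.168.1.10"]   # what the poster's ping from inside reported
PUBLIC_VIEW = ["203.0.113.10"]     # what the public name servers should return


def constructed_probe(host: str, port: int) -> bool:
    """Offline stand-in for tcp_port_open: models an access rule that permits 443 but not 80."""
    return host == NAT_PUBLIC_IP and port == 443


if __name__ == "__main__":
    for label, answers in (("internal view", INTERNAL_VIEW), ("public view", PUBLIC_VIEW)):
        report = check_exposure("profilemgr.abc.com", NAT_PUBLIC_IP, (80, 443), answers, constructed_probe)
        print(label, report)
    # Against the real firewall, omit the probe argument so tcp_port_open is used,
    # and run it from a host outside the network, not from the LAN.
```

Run from outside the firewall with the real probe, a report whose `dns_problems` is empty but whose `ports_open` shows False is the "NAT policy without access rule" case the answer describes; a report whose `dns_problems` names an RFC 1918 address is the split-DNS case, and no amount of firewall work will fix it.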
Author Comment

by: Coupee46
ID: 39606582
x66,

You're a blessing.. thank you sir/madam.. Everything works great now :).  I also created an additional NAT policy as a loopback for internal workstations.
Author Closing Comment

by: Coupee46
ID: 39606587
Amazing explanation!