NAT Policy to allow RWW on SonicWall TZ 190

We recently changed ISPs and have RWW running on Server 2012R2, but after the ISP change RWW will not work externally, so some policy didn't work with the new IP address.

I don't know much about NAT policies or the SonicWall but I need to get this working.

What policy should I create on the SonicWall to allow RWW to work with the new IP address? I changed the A record on Network Solutions to point to the new IP. When I did this with OWA and email, simply changing the A record made it function; however, with RWW it is not working, it just says the website cannot be found.

I don't know how to make new NAT rules, so I need step by step to allow it.

Thanks
FosterThomasAsked:
dardanceGeneral ManagerCommented:
Since you are able to access other sites on the same server on port 443, I don't think that this has anything to do with the SonicWall, but probably the IIS. Even though I don't think it is regarding the SonicWall, I've included how you should set up the NAT policy.

Original Source: Any
Translated Source: Original
Original Destination: The public IP address
Translated destination: The internal IP address
Original Service: HTTPS
Translated Service: Original

If you have multiple public IPs and the one for RWW isn't the WAN IP of the sonicwall, then you need this policy as well:

Original Source: Internal IP address
Translated Source: External IP
Original Destination: Any
Translated Destination: Original
Original Service: HTTPS
Translated Service: Original

After you've created the NAT policies remember to create firewall policies to allow HTTPS from WAN to LAN on the public IP.
0
FosterThomasAuthor Commented:
Can you help me do the last step?
0
FosterThomasAuthor Commented:
Also since RWW was working on old ISP shouldn't HTTPS from Wan to Lan already be set up?
0
dardanceGeneral ManagerCommented:
That depends on how you have created the NAT/firewall rules, so let's create a new firewall rule as well.

Under the firewall rules select the view type "Dropdown Boxes"
Select from zone: WAN
To zone: LAN

Create a new access rule like this:
Source port (if shown): Any
Service: HTTPS
Source: Any
Destination: External IP

That should be it.

Does your owa and other websites reside on the same A record and external/internal IP?
0
FosterThomasAuthor Commented:
Thanks, RWW is working, I was out of the office for a few days and couldn't reply to this.

Now the only thing not working is my CRM external address.

RWW has its own External and Internal IP

OWA and MsCRM have the same.

Before the ISP switch you could either go to http://ExternalIP:5555 or http://crm.xxxdomainxxx.com:5555. Since the switch, if you go to the new External IP in the above address or the CRM address it loads a blank page. It doesn't say can't be found but physically loads an all white blank page. The internal IP for CRM works just fine.

CRM is the last thing to get working externally after the switch, the fact it is loading a blank page is making me think it is getting to the server just either not the right server or the port isn't open, but it was open on the same address before the switch.

Thanks for the help
0
dardanceGeneral ManagerCommented:
Great - so far so good :)

Are OWA and CRM located on the same IIS server or on two different servers?
0
FosterThomasAuthor Commented:
two different servers, but they worked from the same address before the ISP switch

IE:

OWA was https://crm.domain.com/owa

CRM was http://crm.domain.com:5555 or http://ExternalIP:5555
0
dardanceGeneral ManagerCommented:
Great. Then you need to create some new NAT policies and a new firewall rule. Just create the rules below and everything should be working again.

NAT Policies:
Original Source: Any
Translated Source: Original
Original Destination: The public IP address
Translated destination: The internal IP address of CRM
Original Service: Create a new service for port 5555 and use it here.
Translated Service: Original


Original Source: CRM Internal IP address
Translated Source: External IP
Original Destination: Any
Translated Destination: Original
Original Service: The service you created for port 5555
Translated Service: Original

Firewall policy:

Under the firewall rules select the view type "Dropdown Boxes"
Select from zone: WAN
To zone: LAN

Create a new access rule like this:
Source port (if shown): Any
Service: The port 5555 service you created
Source: Any
Destination: External IP

And that's it :)
0
FosterThomasAuthor Commented:
Stupid question, but for creating the NAT policies when I am adding the IPs, I have to create a new address object, right? Then it asks for

Name
Zone Assignment -  Lan, Wan, and some more options
Type -  host, range, network
IP address

I just want to make sure I do it correctly
0
FosterThomasAuthor Commented:
Also when I create the port for Original Service: Create a new service for port 5555 and use it here. what options do I pick in that window.

There are a bunch of options in the drop down, custom IP type, ICMP, IGMP, TCP, UDP, etc
0
FosterThomasAuthor Commented:
I think I figured out adding the IPs: for external I picked WAN and for internal I picked LAN, hopefully it's that simple.

I cannot figure out the port option. When I create a new service I have custom type and there is a port range for some, and IP address for others in that list, and for some of the options port range is grayed out.

Do I set the port range from 1 - 5555 or just 5555-5555?
0
FosterThomasAuthor Commented:
Sorry, forgot to attach picture: Capture of Sonic Wall Options
0
dardanceGeneral ManagerCommented:
It sounds like you did it the right way with the new address objects.
On the create service you need to select TCP under protocol, and just input 5555-5555 in the port range.
I haven't thought about what sub type does before now, so just keep it at none :)
0
FosterThomasAuthor Commented:
I seem to have got it working, I appreciate your help. I am teaching myself SonicWall and NAT policies and you have been a big big help.

so I have http://InternalIP:5555 working for inside the office and http://externalIP:5555 and http://crm.domain.com:5555 working for outside the office

Is it hard to make http://crm.domain.com:5555 and http://externalIP:5555 work inside our building, currently they don't and if I could give everyone the same address it would be a huge help.
0
dardanceGeneral ManagerCommented:
Good to hear :) It took me some time to figure out how SonicWall coped with NAT and firewall policies, but once you get the hang of it, it's a walk in the park :)

As long as you don't have your external DNS as an extra zone in your AD, then this NAT rule should do the trick:

Original Source: Firewalled Subnets
Translated Source: The public IP address
Original Destination: The public IP address
Translated destination: The internal IP address of CRM
Original Service: The service for port 5555.
Translated Service: Original
0
FosterThomasAuthor Commented:
I will try tomorrow morning, thanks again
0
FosterThomasAuthor Commented:
That worked for http://externalIP:5555 but didn't work for http://crm.domain.com:5555. Would I make a new policy and instead of public IP put crm.domain.com?
0
dardanceGeneral ManagerCommented:
Hmm... If you try to ping crm.domain.com what IP do you get? The same as the external one?
0
FosterThomasAuthor Commented:
No, I get .94 instead of .95, which is weird because you can use the OWA link, which is crm.domain.com/owa, just fine, but the database is on the same server as CRM. .94 is the main WAN IP that is set in my SonicWall.
0
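The inbound and loopback NAT policies for port 5555 discussed in this thread, as an added example that is not part of the original posts and is not SonicOS code: a simplified first-match model showing which packets each policy translates, including a LAN client that targets .94 instead of .95. All addresses are constructed from documentation ranges (the thread gives only the last octets), and listing the more specific loopback policy first is an assumption of the model.

```python
"""Simplified model of the port-5555 NAT policies from the thread (illustrative only)."""
from ipaddress import ip_address, ip_network

# Constructed addresses; the thread only reveals the last octets .94 and .95.
WAN_IP = ip_address("203.0.113.94")        # main WAN IP of the firewall
CRM_PUBLIC = ip_address("203.0.113.95")    # "The public IP address" in the policies
CRM_INTERNAL = ip_address("192.168.1.20")  # "The internal IP address of CRM"
LAN = ip_network("192.168.1.0/24")         # stands in for "Firewalled Subnets"
ANY = ip_network("0.0.0.0/0")


def host(ip):
    """Wrap a single address as a /32 network so it can be matched like a range."""
    return ip_network(f"{ip}/32")


# (name, original source, original destination, original service port,
#  translated source, translated destination); None means "Original".
POLICIES = [
    # Loopback: the source is rewritten too, so the CRM server replies to the
    # firewall rather than directly to the LAN client.
    ("loopback", LAN, host(CRM_PUBLIC), 5555, CRM_PUBLIC, CRM_INTERNAL),
    ("inbound", ANY, host(CRM_PUBLIC), 5555, None, CRM_INTERNAL),
]


def translate(src, dst, port):
    """Return (policy name, new source, new destination) for the first match."""
    src, dst = ip_address(src), ip_address(dst)
    for name, o_src, o_dst, o_port, t_src, t_dst in POLICIES:
        if src in o_src and dst in o_dst and port == o_port:
            return name, str(t_src or src), str(t_dst or dst)
    return None, str(src), str(dst)  # no policy matched: nothing is translated


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", CRM_PUBLIC),  # outside client using the public IP
        ("192.168.1.50", CRM_PUBLIC),  # LAN client using http://externalIP:5555
        ("192.168.1.50", WAN_IP),      # LAN client whose name lookup returned .94
    ]
    for src, dst in cases:
        print(f"{src} -> {dst}:5555 =>", translate(src, str(dst), 5555))
```
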