How is forwarding Port 80 and 443 affecting how I access specific internal web interfaces

Posted on 2016-08-13
Last Modified: 2016-08-15

At my work we have a few networking appliances whose DNS names we have associated with internal IP addresses. For example, we may have an EMC DD160 (storage) associated with the name DD160A and the internal IP address of . So to access the web interface one may type:


Equally important, we have Outlook Web Access pointing to the public IP address in our Windows DNS config, and not the Exchange server's internal IP address. For example -> . This way we may type

to access the Outlook Web Access interface.

Now we have introduced a new mix in our network. We are evaluating a web monitoring program for which we have to configure our firewall to forward only "OUTBOUND" port 80 and port 443 traffic through a VPN tunnel to a web server; there the web monitoring vendor creates metrics for us regarding our users' web usage. We have only made the rule for one specific subnet (Device VLAN), so we have other VLANs that are not affected by the monitoring at all.

To be honest, the web reporting looks fantastic; but one of the side effects is that anyone on that "Device VLAN" cannot access . One must type to access the Outlook Web Access interface.

Question 1: Is this because, when you are typing or forwarding a DNS name to an internal IP address, the associated port 443 traffic is routed inbound before it gets to the firewall, so it never reaches the outbound forwarding? So that web traffic remains in the network and is functional?

But the OWA is routed to an outside public IP address, and that is sent to the vendor's web server and then to the Internet that way.

Question 2: Why can we not connect to the OWA, since the port 443 traffic is routed to the other location first?

I have another related question to follow up on this.
Question by: Pkafkas
LVL 69

Expert Comment

ID: 41755393
First, your info about OWA is contradictory. You say you've pointed to the public IP, but show the LAN IP in examples.

If I read your config correctly, you've implemented policy based routing on your firewall. That means that only outbound traffic is concerned. That OWA works with the internal IP confirms that. So it has to be that DNS queries are changed, too, and the DNS lookup results in the public IP. That alone is no reason why it should not work, but probably you have issues with accessing OWA from Internet.
So you should check if DNS resolution has changed.

Traditionally you do not run a policy-based route to redirect - web proxies are the way to go. Of course a web proxy setting needs to be rolled out to the clients, but that shouldn't be an issue in a domain. Web proxies allow for much more control over traffic.

Author Comment

ID: 41755438

I am simply stating the facts: once the outbound port forwarding was enabled, the OWA stopped working if that public IP address is used. Meaning the DNS name which points to the public IP address, or if anyone types that public IP address from inside the LAN.

Now if I am at home or at another location and one browses to the web interface, it works just fine. The problem is exclusively from inside the LAN. If one is inside the LAN and types the Exchange server's internal IP address, then the OWA works.

To me it's simple; but I wanted to verify with others. I really like learning and understanding more about how the network communications are routed and how they work. To me, it seems as if

1. If there is internal routing via router or DNS name to point a web address to an internal IP address, then that port 443 browsing is redirected to the internal IP address and would never leave the LAN.

2. If there is a DNS name that is associated with a public IP address, then that will be sent as outbound 443 traffic, which is routed to the other web proxy.
        a. But why is the OWA not accessible from the WAN?

I see what is happening; but I do not understand why. Other port 443 traffic that is not hosted with us, like insurance web portals for example, works just fine. Why does the OWA not work correctly?
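A client-side check for the two paths described in the comment above (internal address stays on the LAN, public address goes out through the policy-based route). This is an added example, not code from the thread; the OWA name and the internal address are placeholders you must replace, and it runs from a Windows client in the affected VLAN with the built-in DnsClient and NetTCPIP modules.

```powershell
# Added example, not from the original thread. Placeholder values:
$OwaName    = 'owa.example.com'   # hypothetical OWA FQDN users type
$InternalIp = '192.0.2.10'        # hypothetical Exchange LAN address (documentation range)

# 1. What does this client resolve the OWA name to right now?
#    If this is the public IP, the request is "outbound" as far as the firewall's policy route is concerned.
$aRecords = Resolve-DnsName -Name $OwaName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
$aRecords | Select-Object Name, IPAddress, TTL

# 2. For the internal address and for every address DNS returned, test TCP/443 and
#    look at the first hops. A path that leaves via the monitoring vendor's tunnel
#    shows different early hops than the direct LAN path to the Exchange server.
$targets = @($InternalIp) + @($aRecords.IPAddress) | Select-Object -Unique
foreach ($target in $targets) {
    # -Port and -TraceRoute are in different parameter sets, so two calls are needed.
    $tcp   = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    $trace = Test-NetConnection -ComputerName $target -TraceRoute -Hops 5 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target     = $target
        Https443   = $tcp.TcpTestSucceeded
        FirstHops  = ($trace.TraceRoute | Select-Object -First 3) -join ' -> '
    }
}
```

Run it once from the Device VLAN and once from an unaffected VLAN; the rows for the public address should differ only in the hop list, which makes it easy to show the vendor exactly where the hairpinned OWA connection is being diverted.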
LVL 69

Accepted Solution

Qlemo earned 400 total points
ID: 41755493
Your stated points are correct

Putting aside your wanting to understand what is going on, changing the internal DNS entry for OWA to local should be done. That reduces a lot of friction - some firewalls have issues with traffic having to go out the same interface it came in on, with NAT applied. (Local routing is no issue, of course.)

Honestly, I do not know why the proxy redirection should stop OWA from working from the LAN to the public IP. It should work just as any other web site. The only difference I see for OWA from direct public OWA access is that the traffic seemingly originates from the web proxy.
Restricting the web redirect to internal IPs different from the OWA server, or excluding traffic to the public OWA IP, might make a difference.
Author Comment

ID: 41755501
Interesting..... Your comment:
"... some firewalls have issues with traffic having to go out the same interface it came in on, with NAT applied. ..."

That may be the case here. Does anyone else want to weigh in on this question?

Assisted Solution

Member_2_5107552 earned 100 total points
ID: 41755627
What always works a dream is to create a zone in your AD DNS server and call it exactly the same as your external access FQDN. (If you use and create a subdomain mail, then you will potentially break all your external resolving for that domain.)

Open the newly created zone and publish an empty A record in it, and assign the internal IP address of your server.

Check the new domain replicates through your environment on every DNS server that your clients resolve to.

Once you have verified replication, flush the DNS cache on your test machine and ping .

Internally you should resolve to the internal IP. Externally it should be your Internet public routed IP.

Disclaimer: I am using a mobile to write this, so if autocorrect has bungled something then I'm sorry.
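The split-DNS procedure from the assisted solution above (and the "change the internal DNS entry for OWA to local" advice in the accepted solution) as one PowerShell script. This is an added example, not the poster's code; the FQDN, the internal address and the DNS server names are placeholders, and it assumes the DnsServer module (AD DNS on Windows Server 2012 or later) and DnsAdmins rights on the server side, and a domain-joined Windows test client for the last step.

```powershell
# Added example, not from the original thread. Hypothetical values to replace:
$ExternalFqdn = 'owa.example.com'                            # the exact name users type from outside
$InternalIp   = '192.0.2.10'                                 # Exchange server LAN address (placeholder)
$DnsServers   = @('dc1.corp.example', 'dc2.corp.example')    # every DNS server your clients resolve against

# 1. Create a zone named exactly like the external FQDN. Because the zone is
#    'owa.example.com' and not 'example.com', every other example.com name still
#    resolves through the Internet; only this host is overridden internally.
#    AD-integrated with forest-wide replication, so all DCs running DNS receive it.
Add-DnsServerPrimaryZone -Name $ExternalFqdn -ReplicationScope 'Forest' -ComputerName $DnsServers[0]

# 2. Publish the apex ("@") A record, i.e. the "empty" record the poster refers to,
#    pointing at the internal address.
Add-DnsServerResourceRecordA -ZoneName $ExternalFqdn -Name '@' -IPv4Address $InternalIp `
    -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName $DnsServers[0]

# 3. Confirm the zone and its record are present on every DNS server clients use.
#    A server that returns Present = False has not replicated yet; wait before testing clients.
foreach ($srv in $DnsServers) {
    $rec = Get-DnsServerResourceRecord -ZoneName $ExternalFqdn -RRType A -ComputerName $srv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server  = $srv
        Present = [bool]$rec
        Address = if ($rec) { $rec.RecordData.IPv4Address.IPAddressToString } else { $null }
    }
}

# 4. On a test client in the affected VLAN: flush the resolver cache, then verify that
#    the name now resolves to the LAN address and that HTTPS answers on it. With the
#    internal address returned, the connection never matches the outbound policy route.
Clear-DnsClientCache
$resolved = (Resolve-DnsName -Name $ExternalFqdn -Type A | Where-Object { $_.Type -eq 'A' }).IPAddress
if ($resolved -ne $InternalIp) {
    Write-Warning "Client still resolves $ExternalFqdn to $resolved (cached or unreplicated?)"
}
Test-NetConnection -ComputerName $ExternalFqdn -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Steps 1 to 3 run on (or remotely against) a domain controller; step 4 runs on a client. External users are unaffected because public resolvers never see this AD-integrated zone, and the short TTL keeps a mistake cheap to correct. Keep the Exchange certificate's subject names in mind: the name users type stays the same, so the existing certificate continues to match.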

Author Closing Comment

ID: 41756171
Regarding a comment on firewall policy-based routing: "Traditionally you do not run a policy-based route to redirect - web proxies are the way to go."

The policy-based routing was the configuration change suggested by the web monitoring vendor. This way, if there is a problem they can support it and provide suggestions. These suggestions have helped with other problems that have come up regarding this project as well.
