Solved

How is forwarding Port 80 and 443 affecting how I access specific internal web interfaces

Posted on 2016-08-13
64 Views
Last Modified: 2016-08-15
Hello:

At my work we have a few networking appliances that we have associated DNS names with internal IP addresses. For example we may have an EMC DD160 (storage) associated with the name DD160A with the internal IP address of 10.10.10.10. So to access the web interface one may type:

https://dd160A
or
https://10.10.10.10

Equally important, we have the Outlook Web Access pointing to the 'Public IP address' in our Windows DNS config for the Outlook Web Access and not the Exchange server's internal IP address. For example mail.company.net -> 10.10.10.11. This way we may type

https://mail.company.net/owa
or
https://10.10.10.11/owa

to access the Outlook Web Access interface.

Now we have introduced a new mix in our network. We are evaluating a web monitoring program where we have to configure our firewall to forward only "OUTBOUND" port 80 and port 443 traffic through a VPN tunnel to a web server, and there the web monitoring vendor would create metrics for us regarding our users' web usage. We have only made the rule for 1 specific subnet (Device VLAN), so we have other VLANs that are not affected by the monitoring at all.

To be honest the web reporting looks fantastic; but, one of the side effects is that anyone that is on that "Device VLAN" cannot access https://mail.company.net/owa . One must type https://10.10.10.11/owa to access the Outlook Web Access interface.

Question 1: Is this because when you are typing or forwarding a DNS name to an internal IP address, the associated port 443 traffic is routed inbound before it gets to the firewall, so that it never reaches the outbound forwarding? So that web traffic is remaining in the network and is functional?

But the OWA is routed to an outside public IP address, and that is sent to the vendor's web server and then to the Internet that way.

Question 2: Why can we not connect to the OWA, since the port 443 traffic is routed to the other location first?

I have another related question to follow up this.
Question by: Pkafkas

6 Comments
Expert Comment by: Qlemo (ID: 41755393)
First, your info about OWA is contradictory. You say you've pointed to the public IP, but show the LAN IP in examples.

If I read your config correctly, you've implemented policy-based routing on your firewall. That means that only outbound traffic is concerned. That OWA works with the internal IP confirms that. So it has to be that DNS queries are changed, too, and the DNS lookup results in the public IP. That alone is no reason why it should not work, but probably you have issues with accessing OWA from the Internet.
So you should check if DNS resolution has changed.

Traditionally you do not run a policy-based route to redirect - web proxies are the way to go. Of course a web proxy setting needs to be rolled out to the clients, but that shouldn't be an issue in a domain. Web proxies allow for much more control over traffic.
Author Comment by: Pkafkas (ID: 41755438)
Well,

I am simply stating the facts: once the outbound port forwarding has been enabled, the OWA stopped working if that public IP address is used. Meaning the DNS name mail.company.net/owa, which points to the public IP address, or if anyone types that public IP address from inside the LAN.

Now if I am at home or at another location and one browses to https://mail.company.net/owa, the web interface works just fine. The problem is exclusively from inside the LAN. If one is inside the LAN and types the Exchange server's internal IP address https://10.10.10.11/owa, then the OWA works.

To me it's simple; but, I wanted to verify with others. I really like learning and understanding more about how the network communications are routed and how they work. To me, it seems as if

1. If there is internal routing via router or DNS name to point a web address to an internal IP address, then that port 443 browsing is redirected to the internal IP address and that never would leave the LAN.

2. If there is a DNS name that is associated with a public IP address, then that will be sent as outbound 443 traffic which is routed to the other web proxy.
        a. But why is the OWA not accessible from the WAN?

I see what is happening; but, I do not understand why. Other port 443 traffic that is not hosted with us, like insurance web portals for example, works just fine; why does the OWA not work correctly?
Accepted Solution by: Qlemo (earned 400 total points, ID: 41755493)
Your stated points are correct.

Putting aside your wanting to understand what is going on, changing the internal DNS entry for OWA to local should be done. That reduces a lot of friction - some firewalls have issues with traffic having to go out to the same interface it came in on, with NAT applied. (Local routing is no issue, of course.)

Honestly I do not know why the proxy redirection should stop OWA from working from LAN to public IP. It should work just as any other web site. The only difference I see for OWA from direct public OWA access is that traffic originates seemingly from the web proxy.
Restricting the web redirect to internal IPs different from the OWA server, or excluding traffic to the public OWA IP, might make a change.
Author Comment by: Pkafkas (ID: 41755501)
Interesting. Your comment:
"... some firewalls have issues with traffic having to go out to the same interface it came in, with NAT applied. ..."

That may be the case here. Does anyone else want to weigh in on this question?
Assisted Solution by: Member_2_5107552 (earned 100 total points, ID: 41755627)
What always works a dream is to create a domain in your AD DNS server and call it Mail.yourdomain.com, exactly the same as your external access FQDN. (If you use yourdomain.com and create a sub-domain mail, then you will potentially break all your external resolving for that domain.)

Open the newly created domain and publish an empty A record to it, and assign the internal IP address of your server.

Check the new domain replicates through your environment on every DNS server that your clients resolve to.

Once you have verified replication, flush the DNS cache on your test machine and ping mail.yourdomain.com.

Internally you should resolve to the internal IP. Externally it should be your Internet public routed IP.

Disclaimer: I am using a mobile to write this, so if autocorrect has bungled something then I'm sorry.
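The split-horizon DNS steps in the assisted solution above, carried out on a Windows/AD DNS server, as an added example that is not part of the original thread. It assumes the DnsServer and DnsClient PowerShell modules, forest-wide zone replication, DC names dc01/dc02 and an external resolver address (all placeholders), and uses the internal Exchange address 10.10.10.11 from the question; the single-host zone keeps the OWA hostname on the LAN path instead of the policy-routed public path, and the final check is the "has DNS resolution changed" test the expert asked for.

```powershell
# Added example (not the thread's own code): split-horizon DNS for the OWA FQDN.
# Assumptions: DnsServer/DnsClient modules, forest replication, placeholder DC names.
$OwaFqdn        = 'mail.yourdomain.com'   # the external OWA FQDN (from the answer)
$InternalIp     = '10.10.10.11'           # Exchange LAN address (from the question)
$DnsServers     = @('dc01', 'dc02')       # DCs the clients resolve against (assumed)
$PublicResolver = '9.9.9.9'               # any external resolver, to compare the public view

# 1. Create a zone named after the host itself, NOT a 'mail' sub-zone under
#    yourdomain.com, so the parent domain's public records keep resolving.
if (-not (Get-DnsServerZone -Name $OwaFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $OwaFqdn -ReplicationScope 'Forest'
}

# 2. Publish an empty (zone apex, '@') A record pointing at the internal address.
#    A short TTL keeps client caches from holding the old public answer for long.
Add-DnsServerResourceRecordA -ZoneName $OwaFqdn -Name '@' `
    -IPv4Address $InternalIp -TimeToLive (New-TimeSpan -Minutes 5)

# 3. Verify the zone has replicated to every DNS server the clients use.
foreach ($srv in $DnsServers) {
    $zone = Get-DnsServerZone -Name $OwaFqdn -ComputerName $srv -ErrorAction SilentlyContinue
    '{0,-8} zone present: {1}' -f $srv, [bool]$zone
}

# 4. Flush the local resolver cache, then compare the internal and public views.
Clear-DnsClientCache
$internal = (Resolve-DnsName -Name $OwaFqdn -Type A -DnsOnly).IPAddress
$public   = (Resolve-DnsName -Name $OwaFqdn -Type A -Server $PublicResolver -DnsOnly).IPAddress
"Inside the LAN      : $OwaFqdn -> $internal (expected $InternalIp)"
"Via $PublicResolver : $OwaFqdn -> $public (should still be the public IP)"
if ($internal -ne $InternalIp) {
    Write-Warning 'Internal view still returns the public IP; check replication and the client DNS settings.'
}
```

Run step 4 from a client on the affected Device VLAN: once it returns the internal address, the OWA session stays on the LAN and never reaches the outbound port 443 policy route.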
Author Closing Comment by: Pkafkas (ID: 41756171)
Regarding a comment on firewall policy-based routing: "Traditionally you do not run a policy-based route to redirect - web proxies are the way to go."

The policy-based routing was the configuration change suggested by the web monitoring vendor. This way, if there is a problem, they can support it and provide suggestions. These suggestions have helped in other problems that have come up regarding this project as well.