Pkafkas asked:
How does forwarding ports 80 and 443 affect how I access specific internal web interfaces?

Hello:

At my work we have a few networking appliances for which we have associated DNS names with internal IP addresses.  For example, we may have an EMC DD160 (storage) associated with the name DD160A and the internal IP address 10.10.10.10.  So to access the web interface one may type:

https://dd160A
or
https://10.10.10.10

Equally important, we have Outlook Web Access pointing to the 'Public IP address' in our Windows DNS config, and not to the Exchange server's internal IP address.  For example, mail.company.net -> 10.10.10.11.  This way we may type

https://mail.company.net/owa
or
https://10.10.10.11/owa

to access the Outlook Web Access interface.

Now we have introduced a new mix in our network.  We are evaluating a web monitoring program where we have to configure our firewall to forward only "OUTBOUND" port 80 and port 443 traffic through a VPN tunnel to a web server, where the web monitoring vendor creates metrics for us regarding our users' web usage.  We have only made the rule for one specific subnet (the Device VLAN), so we have other VLANs that are not affected by the monitoring at all.

To be honest the web reporting looks fantastic; but one of the side effects is that anyone who is on that "Device VLAN" cannot access https://mail.company.net/owa .  One must type https://10.10.10.11/owa to access the Outlook Web Access interface.

Question 1:  Is this because, when you are typing or forwarding a DNS name to an internal IP address, the associated port 443 traffic is routed inbound before it gets to the firewall, so that it never reaches the outbound forwarding?  So that web traffic remains in the network and is functional?

But the OWA is routed to an outside public IP address, and that is sent to the vendor's web server and then to the Internet that way.

Question 2:  Why can we not connect to the OWA, since the port 443 traffic is routed to the other location first?

I have another related question to follow up on this.
Qlemo

First, your info about OWA is contradictory. You say you've pointed it to the public IP, but show the LAN IP in the examples.

If I read your config correctly, you've implemented policy based routing on your firewall. That means that only outbound traffic is concerned. That OWA works with the internal IP confirms that. So it has to be that DNS queries are changed, too, and the DNS lookup results in the public IP. That alone is no reason why it should not work, but probably you have issues with accessing OWA from Internet.
So you should check if DNS resolution has changed.

Traditionally you do not run a policy-based route to redirect - web proxies are the way to go. Of course a web proxy setting needs to be rolled out to the clients, but that shouldn't be an issue in a domain. Web proxies allow for much more control over traffic.
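As an added illustration of the two decisions this thread turns on, not code from either participant or from any vendor product, the Python below models (a) which address a client gets for mail.company.net, depending on the DNS records it is served, and (b) the policy-based routing decision Qlemo describes: only outbound port 80/443 flows from the monitored subnet are matched, so an internal destination never reaches the rule. It also shows the two usual ways practitioners keep a self-hosted service off such a rule: a split-horizon (internal) DNS record pointing at the LAN address, and an exemption for the company's own public address. The 10.10.10.x addresses are the ones used in the thread; the Device VLAN subnet 10.10.20.0/24, the public OWA address 203.0.113.5 and the unrelated site 198.51.100.7 are assumptions constructed for the example (RFC 5737 documentation ranges). The hairpin-NAT behaviour of the firewall itself is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses: 10.10.10.10/11 come from the thread; the Device VLAN
# (10.10.20.0/24), the public OWA address and the outside site are assumptions.
LAN_NETS = [ipaddress.ip_network("10.10.10.0/24"),
            ipaddress.ip_network("10.10.20.0/24")]
DEVICE_VLAN = ipaddress.ip_network("10.10.20.0/24")
PUBLIC_OWA = "203.0.113.5"

# DNS as the asker describes it: the internal zone hands out the public IP.
DNS_AS_CONFIGURED = {"mail.company.net": PUBLIC_OWA, "dd160a": "10.10.10.10"}

# Split-horizon alternative: LAN clients get the LAN address, Internet
# clients the public one.
DNS_SPLIT = {
    "internal": {"mail.company.net": "10.10.10.11", "dd160a": "10.10.10.10"},
    "external": {"mail.company.net": PUBLIC_OWA},
}


@dataclass
class PbrRule:
    """Policy-based route: outbound flows from `src` to `ports` go to the
    vendor tunnel unless the destination falls in an `exempt` network."""
    src: ipaddress.IPv4Network
    ports: frozenset
    exempt: list = field(default_factory=list)


def resolve(name, records):
    """Look a hostname up in a record set; None when the name is unknown."""
    return records.get(name.lower())


def route(src_ip, dst_ip, dst_port, rule):
    """Where the firewall sends one flow: 'lan' (never leaves the LAN),
    'tunnel' (matched the PBR rule, sent to the vendor) or 'direct'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in LAN_NETS):
        return "lan"        # internal destination: the outbound rule is never consulted
    if src in rule.src and dst_port in rule.ports:
        if any(dst in net for net in rule.exempt):
            return "direct"  # carved out of the rule, e.g. our own public address
        return "tunnel"
    return "direct"


def path_for(url_host, src_ip, records, rule, port=443):
    """Resolve the host part of a URL (or accept an IP literal) and route it."""
    try:
        dst_ip = str(ipaddress.ip_address(url_host))   # user typed an IP literal
    except ValueError:
        dst_ip = resolve(url_host, records)
    if dst_ip is None:
        return "nxdomain"
    return route(src_ip, dst_ip, port, rule)


def demo():
    """The cases discussed in the thread, from a host on the Device VLAN."""
    vendor_rule = PbrRule(src=DEVICE_VLAN, ports=frozenset({80, 443}))
    client = "10.10.20.50"
    exempt_rule = PbrRule(DEVICE_VLAN, frozenset({80, 443}),
                          [ipaddress.ip_network(PUBLIC_OWA + "/32")])
    return {
        # what the asker observes
        "owa_by_name": path_for("mail.company.net", client, DNS_AS_CONFIGURED, vendor_rule),
        "owa_by_lan_ip": path_for("10.10.10.11", client, DNS_AS_CONFIGURED, vendor_rule),
        "dd160_by_name": path_for("dd160a", client, DNS_AS_CONFIGURED, vendor_rule),
        "insurance_portal": path_for("198.51.100.7", client, DNS_AS_CONFIGURED, vendor_rule),
        # fix 1: split DNS so LAN clients resolve the LAN address
        "owa_split_dns": path_for("mail.company.net", client, DNS_SPLIT["internal"], vendor_rule),
        # fix 2: exempt the company's own public address from the PBR rule
        "owa_exempted": path_for("mail.company.net", client, DNS_AS_CONFIGURED, exempt_rule),
        # a VLAN outside the rule is untouched either way
        "other_vlan": path_for("mail.company.net", "10.10.10.99", DNS_AS_CONFIGURED, vendor_rule),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case:18s} -> {where}")
```

Running it shows the asker's symptom directly: by name, OWA from the Device VLAN resolves to the public address and goes to the tunnel like any Internet site, while the LAN-IP form and the DD160 name never leave the LAN. Either the split-DNS record or the exemption keeps the flow off the tunnel; which one fits depends on whether the vendor needs to see the flow at all.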
Pkafkas

ASKER

Well,

I am simply stating the facts: once the outbound port forwarding has been enabled, the OWA stopped working if that public IP address is used.  Meaning the DNS name mail.company.net/owa, which points to the public IP address, or if anyone types that public IP address from inside the LAN.

Now if I am at home or at another location and one browses to https://mail.company.net/owa the Web interface works just fine.  The problem is exclusively from inside the LAN.  If one is inside the LAN and types the Exchange server's internal IP address https://10.10.10.11/owa then the OWA works.

To me it's simple; but I wanted to verify with others.  I really like learning and understanding more about how the network communications are routed and how they work.  To me, it seems as if

1.  If there is internal routing via router or DNS name to point a web address to an internal IP address, then that port 443 browsing is redirected to the internal IP address and would never leave the LAN.

2.  If there is a DNS name that is associated with a public IP address, then that will be sent as outbound 443 traffic which is routed to the other web proxy.
        a.  But why is the OWA not accessible from the WAN?

I see what is happening; but I do not understand why.  Other port 443 traffic that is not hosted with us, like insurance web portals for example, works just fine; why does the OWA not work correctly?
ASKER CERTIFIED SOLUTION
Qlemo

This solution is only available to members.
Pkafkas

ASKER

Interesting...  Your comment
... some firewalls have issues with traffic having to go out to the same interface it came in, with NAT applied. ...

That may be the case here.  Does anyone else want to weigh in on this question?
SOLUTION
This solution is only available to members.
Pkafkas

ASKER

Regarding a comment on firewall policy based routing "Traditionally you do not run a policy-based route to redirect - web proxies are the way to go. " 

The policy-based routing was the configuration change suggested by the web monitoring vendor.  This way, if there is a problem they can support it and provide suggestions.  These suggestions have helped with other problems that have come up regarding this project as well.