

How is forwarding Port 80 and 443 affecting how I access specific internal web interfaces

Posted on 2016-08-13
Medium Priority
Last Modified: 2016-08-15

At my work we have a few networking appliances that we have associated DNS names with internal IP addresses.  For example, we may have an EMC DD160 (Storage) associated with the name DD160A with the internal IP address of  So to access the web interface one may type:


Equally important, we have the Outlook Web Access pointing to the 'Public IP address' in our Windows DNS config for the Outlook Web Access and not the Exchange server's internal IP address.  For example mail.company.net ->  This way we may type


to access the Outlook Web Access interface.

Now we have introduced a new mix into our network.  We are evaluating a web monitoring program where we have to configure our firewall to forward only "OUTBOUND" port 80 and port 443 traffic through a VPN tunnel to a web server, and there the web monitoring vendor would create metrics for us regarding our users' web usage.  We have only made the rule for 1 specific subnet (Device VLAN), so we have other VLANs that are not affected by the monitoring at all.

To be honest the web reporting looks fantastic; but one of the side effects is that anyone that is on that "Device VLAN" cannot access https://mail.company.net/owa .  One must type  to access the Outlook Web Access interface.

Question 1:  Is this because, when you are typing or forwarding a DNS name to an internal IP address, the associated port 443 traffic is routed inbound before it gets to the firewall, so that it never reaches the outbound forwarding?  So that web traffic remains in the network and is functional?

But the OWA is routed to an outside public IP address, and that is sent to the vendor's web server and then to the internet that way.

Question 2:  Why can we not connect to the OWA, since the port 443 traffic is routed to the other location first?

I have another related question to follow up on this.
Question by: Pkafkas
LVL 71

Expert Comment

ID: 41755393
First, your info about OWA is contradictory. You say you've pointed to the public IP, but show the LAN IP in examples.

If I read your config correctly, you've implemented policy based routing on your firewall. That means that only outbound traffic is concerned. That OWA works with the internal IP confirms that. So it has to be that DNS queries are changed, too, and the DNS lookup results in the public IP. That alone is no reason why it should not work, but probably you have issues with accessing OWA from Internet.
So you should check if DNS resolution has changed.

Traditionally you do not run a policy-based route to redirect - web proxies are the way to go. Of course a web proxy setting needs to be rolled out to the clients, but that shouldn't be an issue in a domain. Web proxies allow for much more control over traffic.

Author Comment

ID: 41755438

I am simply stating the facts: once the outbound port forwarding has been enabled, the OWA stopped working if that public IP address is used.  Meaning the DNS name mail.company.net/owa, which points to the public IP address, or if anyone types that public IP address from inside the LAN.

Now if I am at home or at another location and one browses to https://mail.company.net/owa the Web interface works just fine.  The problem is exclusively from inside the LAN.  If one is inside the LAN and types the Exchange server's internal IP address then the OWA works.

To me it's simple; but I wanted to verify with others.  I really like learning and understanding more about how the network communications are routed and how they work.  To me, it seems as if

1.  If there is internal routing via router or DNS name to point a web address to an internal IP address, then that port 443 browsing is re-directed to the internal IP address and would never leave the LAN.

2.  If there is a DNS name that is associated with a public IP address, then that will be sent as outbound 443 traffic, which is routed to the other web proxy.
        a.  But why is the OWA not accessible from the WAN?

I see what is happening; but I do not understand why.  Other port 443 traffic that is not hosted with us, like insurance web portals for example, works just fine.  Why does the OWA not work correctly?
LVL 71

Accepted Solution

Qlemo earned 1600 total points
ID: 41755493
Your stated points are correct.

Putting aside your wanting to understand what is going on, changing the internal DNS entry for OWA to local should be done. That reduces a lot of friction - some firewalls have issues with traffic having to go out the same interface it came in on, with NAT applied. (Local routing is no issue, of course.)

Honestly, I do not know why the proxy redirection should stop OWA from working from the LAN to the public IP. It should work just as any other web site. The only difference I see for OWA from direct public OWA access is that traffic originates seemingly from the web proxy.
Restricting the web redirect to internal IPs different from the OWA server, or excluding traffic to the public OWA IP, might make a change.

Author Comment

ID: 41755501
Interesting.....  Your comment
... some firewalls have issues with traffic having to go out to the same interface it came in, with NAT applied. ...

That may be the case here.  Does anyone else want to weigh in on this question?

Assisted Solution

Member_2_5107552 earned 400 total points
ID: 41755627
What always works a dream is to create a domain in your AD DNS server and call it mail.yourdomain.com, exactly the same as your external access FQDN. (If you use yourdomain.com and create a sub-domain mail then you will potentially break all your external resolving for that domain.)

Open the newly created domain and publish an empty A record to it, and assign the internal IP address of your server.

Check the new domain replicates through your environment on every DNS server that your clients resolve to.

Once you have verified replication, flush the DNS cache on your test machine and ping mail.yourdomain.com.

Internally you should resolve to the internal IP. Externally it should be your internet public routed IP.

Disclaimer: I am using a mobile to write this so if autocorrect has bungled something then I'm sorry
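The split-DNS setup described in the comment above, and the "check whether DNS resolution has changed" step from the first expert comment, written out in PowerShell as an added example (not code from the thread or from either poster); the zone name, internal Exchange IP, DNS server name and external resolver are placeholders, and it assumes the DnsServer RSAT module on a domain-joined admin workstation.

```powershell
# Added example: split-horizon DNS for the OWA FQDN on AD-integrated Windows DNS.
# Placeholders (assumptions): zone name, internal Exchange IP, DNS server, public resolver.
$ZoneName         = 'mail.yourdomain.com'   # exactly the external OWA FQDN
$InternalIP       = '10.0.0.25'             # placeholder: Exchange/OWA LAN address
$Dc               = 'dc1.yourdomain.com'    # placeholder: DNS server to create the zone on
$ExternalResolver = '1.1.1.1'               # any public resolver, to show the Internet view

Import-Module DnsServer

# 1. A zone named after the full FQDN, not a 'mail' sub-zone under yourdomain.com,
#    so the existing resolution of every other yourdomain.com name is untouched.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $Dc -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest `
        -DynamicUpdate None -ComputerName $Dc
}

# 2. The "empty" A record at the zone apex ('@') answers for mail.yourdomain.com itself.
#    Short TTL keeps a mistake easy to roll back.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $InternalIP `
    -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName $Dc

# 3. Replication check: every DNS server the clients actually use must hand out the LAN IP.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
foreach ($srv in $clientDns) {
    $ans = Resolve-DnsName -Name $ZoneName -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue
    $ok  = ($ans.IPAddress -contains $InternalIP)
    "{0,-16} -> {1,-16} {2}" -f $srv, ($ans.IPAddress -join ','), $(if ($ok) { 'OK' } else { 'NOT REPLICATED' })
}

# 4. Public view for comparison: must still be the firewall's public IP, never $InternalIP.
$pub = Resolve-DnsName -Name $ZoneName -Type A -Server $ExternalResolver -DnsOnly
"external view    -> {0}" -f ($pub.IPAddress -join ',')

# 5. Flush the local cache so the test machine sees the new answer immediately.
Clear-DnsClientCache
```

Once the internal answer is the LAN address, HTTPS to OWA from the Device VLAN is a local destination and never matches the outbound 443 redirect or hairpins through the firewall's NAT.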

Author Closing Comment

ID: 41756171
Regarding a comment on firewall policy-based routing: "Traditionally you do not run a policy-based route to redirect - web proxies are the way to go."

The policy-based routing was the configuration change suggested by the web monitoring vendor.  This way, if there is a problem, they can support it and provide suggestions.  These suggestions have helped with other problems that have come up regarding this project as well.
