Accessing website through SonicWall

Last Modified: 2020-06-10
Accessing website on one network using SSL connection (https) from internet using VPN tunnel


Network Schema
I have a question for SonicWall gurus.
I have 2 networks (locations) connected by a Site-To-Site VPN.
Both SonicWalls have only one WAN IP.
On the first site I have an Exchange server and a Web Server and all is working OK, but I would like to install a certificate and publish this website with a secure access connection.
Because the Exchange server is deployed over there, port 443 is already used for OWA and Outlook Access.

I was thinking of publishing this https website using the second SonicWall's WAN IP, but I don't know if this is possible.

So the bottom line is I would like to get access to the website on the site with WAN 10.0.2.1 using the address https://100.0.3.1

Any help would be appreciated.

CERTIFIED EXPERT

Commented:
If the server is not for public usage, you can just pick a different port.

Using any WAN address will also work in all cases.

Using any LAN address will work for VPN users.

--

If none of the above fit, and you cannot move your webmail to a different port either, you can use the SSL SNI feature that allows queries to be handled differently based on the domain name. That probably requires a separate reverse proxy. HAProxy can do that quite easily and will run on any VM or commodity hardware. Note that VERY old clients will not handle SNI. Unless you have XP users running IE6, or old appliances that send email, that probably won't be an issue.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Thank you skullnobrains, but this is a public server and it must work on port 443.

I would like to know how to create a rule to forward traffic through the VPN tunnel.

I think I must create an address object for the first LAN on the second SonicWall, then create a firewall rule that will forward requests from the second WAN to this address object through the VPN and somehow create a loopback.

CERTIFIED EXPERT

Commented:
Create a regular NAT rule on the SonicWall that handles the public address. The destination is the server's LAN address.

Create a rule on the second SonicWall that allows WAN to server.

-

If you get reasonably lucky this will work. But the VPN software may not allow WAN addresses.

If you get stuck, you have 2 options.

1. Use the remote WAN address and an exotic port on the first SonicWall, and a second NAT rule on the second. This is the easiest to test with and my recommendation for a pure network solution.

2. Apply both source and destination NAT on the first firewall. The target source address is the internal VPN address. The second firewall may need a rule allowing said address to the server's LAN address.

Either way, the server will not be able to see the real WAN address.

This is quite the clumsy setup.
A reverse proxy might be simpler...

There are a few other options involving policy routing.

But I honestly think you should rethink this.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
SPLIT DNS.

Set up a Forward Lookup Zone in DNS for //Service.Site.Com with the internal IP of the service/server.

Then, when HTTPS hits WAN2 it will automagically get routed across the VPN to Site 1.

You could also use Application Request Routing and URLReWrite (how Microsoft does it in Azure) to use that one WAN to publish as many HTTPS/IIS services as is needed. Internet DNS for each service would point to WAN IP1.

EDIT: Not sure where the double whack is coming from.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Hi Philip,
Without a rule on the second firewall this will work only inside both networks and ONLY if the second network has this information in its DNS or DNS comes across the VPN.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
I assumed:

Site 1: DC/DNS
Site 2: SonicWALL DHCP Client's DNS points to Site 1 DC
CERTIFIED EXPERT

Commented:
None of this covers wan access.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Yes.
On Site 1 there is a DC and DHCP installed on the server.
Site 2 only has 2 computers connected to the SonicWall and DHCP is ON on the SonicWall,
so the site 1 LAN IP is 10.2.10.x and the site 2 LAN IP is 10.3.10.x, but the DNS in the cards' IPv4 configuration is set from Site 1.
I have DNS set up as company.local and have a zone for company.com.
In company.com I have an A record for the www server. All is working on http:// requests, but I would like to install a certificate and run as https://
As for now it will work ONLY from inside, because for outside I must publish this server on the SonicWall, but I can't because my port 443 is already published for Exchange, so I was thinking of doing this on the second SonicWall since they're connected through the VPN.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Option 1: As per my instructions. SPLIT DNS with Site 2 WAN inbound.
Option 2: Application Request Routing and URLReWrite at Site 1 (Azure/we do this)
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
What do you mean by Split DNS?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Forward Lookup Zone for //SecondHTTPS.Domain.Com set up in AD/DNS with @ pointing to the IP of the server hosting the service.

A la Small Business Server (been doing that since I can remember).
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
And please explain to me how external users, let's say from a different country, will get to the website using the SECOND WAN IP on the second SonicWall?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
At the Internet DNS host:

DNS A Record:
Name: www.SiteName.Com
IP: Site 2 WAN IP

On the DC at Site 1:
DNS Forward Lookup Zone: www.SiteName.Com
Name: @
IP: Site 1 LAN IP

DNS for SonicWALL needs to point to DC/DNS at Site 1 for this to work.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
"DNS for SonicWALL needs to point to DC/DNS at Site 1 for this to work." - this is crucial information. :)
I'll test it tonight.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Philip, this is not working.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Try this at Site 2:
Address Object: Server IP @ Site 1
Publish HTTPS inbound to Address Object created above in NAT and Firewall.

Does www.publishedsite.com resolve to Site 1 server's IP at site 2?
CERTIFIED EXPERT

Commented:
The above cannot work. Sorry.

I would strongly suggest you either:

- move the server to site 2 (and configure site 2 with its own DNS) so you do not need both sites to be up. That's mutualising SPOFs rather than production, and counter-performant.

- set up an actual reverse proxy on site 2 that can handle the traffic, provide caching, logging, and whatever security layer requires knowing the remote address. Still not performant, but secure and easy to set up and work with.

- purchase a second IP on site 1

- use SNI on site 1 to run both services on the same port and address. The DNS name used by the client will be provided to the server or proxy. That allows the adequate certificate to be used and the request to be dispatched.

The above-above pure network solutions I provided will also work but are more of a pain to set up. Pick a solution. I'll help set it up.
Tom Cieslik, IT Engineer
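To show what the SNI dispatch mentioned in skullnobrains' two comments actually relies on, here is an added example (not code from the thread, nor from SonicWall or HAProxy): a small parser that reads the server_name out of a TLS ClientHello before any decryption takes place, and a backend selector that sends clients with no SNI (the very old clients mentioned above) to a default. The backend names and the 10.2.10.x addresses are assumed for the example.

```python
import struct

# Constructed example: both services share one WAN IP on port 443; the proxy picks
# a backend from the SNI name in the ClientHello, before any decryption happens.
BACKENDS = {
    "mail.example.com": ("10.2.10.5", 443),  # assumed Exchange/OWA address
    "www.example.com": ("10.2.10.6", 443),   # assumed web server address
}
DEFAULT_BACKEND = BACKENDS["mail.example.com"]  # SNI-less (very old) clients land here

def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                              # compression methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                                # server_name extension
            # list length(2), name type(1), name length(2), host name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal ClientHello, with or without an SNI extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
    if server_name is not None:
        host = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(host)) + host
        ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def choose_backend(record: bytes):
    # Backend a SNI-aware proxy would forward this connection to
    name = parse_sni(record)
    return BACKENDS.get(name.lower(), DEFAULT_BACKEND) if name else DEFAULT_BACKEND
```

A real proxy would also need a policy for names it does not know (here they fall through to the default), which is where the "adequate certificate" choice happens.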
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Philip, I did this in the first place and it still did not work.

Skullnobrains -
- move the server to site 2 - not possible, Site 2 is only a store with 2 computers
- set up an actual reverse proxy on site 2 - not possible, no server on site 2
- purchase a second IP on site 1 - Maybe this will be the only solution
- use SNI on site 1 - I think it is too complicated

I thought there was a way to create a route on the Sonic to forward traffic from WAN2 through the VPN to LAN1 and back.
I think I should call SonicWall technical support and ask them how to do it.

Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
WFetch. It's older but a goodie. Or, Fiddler. Both will tell you if the server is answering through WAN 1 or WAN 2.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
Philip, can you please explain?
"If the server is answering"
From LAN2 I can navigate to the website on the LAN1 server using the local IP or domain name, so I think the problem is only with routing on SonicWall 2, because from outside when I use the WAN2 IP, there is no response.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Author

Commented:
OK, Philip, I think I've got the SonicWall article on how to do it.

https://www.sonicwall.com/support/knowledge-base/vpn-port-forwarding-over-a-site-to-site-vpn-tunnel-sonicos-enhanced/170505256117325/ 

I'll try to apply this tonight and will come back with results.

CERTIFIED EXPERT

Commented:
A reverse proxy is merely a piece of software you can run on any existing server for a next to zero resource cost.

SNI is not that hard to configure and is handled by IIS natively. And by every single related piece of software in the Unix/Linux world.

I strongly suggest you opt for a solution that will not break if either DC is brought down. This mutualises SPOFs rather than resources.

Is your Exchange server really used from the WAN? Do you actually need the 443 port? Just for autoconfig? ...
CERTIFIED EXPERT

Commented:
I reviewed the article. That basically instructs you to do what I suggested in my very first post. Forget the "if you are lucky"... according to that article, you are. Note that I do not quite trust the article. That will only work if SonicWall applies source NAT. Assuming the article is correct, it does.
IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017
Commented:
CERTIFIED EXPERT

Commented:
Yeah: the remote LAN of each site is the VPN zone of the other site.
Think of a zone as an interface.
In case of doubt, the interface is whichever would be picked by the routing layer.
Good to see you got it running.