3 Replies Latest reply: Feb 12, 2013 12:44 PM by cphillipsmcp RSS

    Rule for Internal Website


      Here’s the scenario: I have an internal website (privateaddress) with an external presence. Before yesterday, we used a proxy for all web-based traffic; Getting to the external address of the site worked flawlessly using a proxy within the browser. Without the proxy setting, the external address of the website is a quick page cannot be displayed.

      At this point, I realized I would need to create a new rule,maybe more. I thought the rule would be fairly simple, but it escapes me why it’s not working completely. The rule I created allows the ‘internal’ https-traffic directed to the specific external IP address to be redirected to the local IPaddress. After adding the rule, I tested; the browser spins n’ spins, but eventually times out.  Checking the firewall logs does not generate anything of note. It logs a notification (5) of the netraffic between the internal client and external IP, and the other between internal client and internal website. 

      At this point, it’s unclear to me why I cannot view the website from its external address (or name). The site is fully viewable from the client trying to connect using its private address (internal to internal).


      Any help trying to figure out a solution for allowing this communication  is much appreciated.




        • 1. Re: Rule for Internal Website

          If you have a search through this forum I think you will find one of the McAfee guys answered a request very similar to this.


          To be honest, when I went through my Firewall training back in the late 90's, this type of connection was considered to be extremely odd and the original Firewall product I was trained on (Borderware, at one point a Secure Computing-owned product), it wasn't actually possible to have traffic originate on the LAN side, pass through the Firewall, hit an IP address on the external interface and be redirected back in again. The firewall would react in a "why on earth are you trying to do that?!" manner.


          On that basis, though while this is considered normal behaviour some of the other Firewalls I work with, I have tended to adopt my original teachings. Using DNS you should be able to access the web site using its hostname. When on your internal network the host should resolve to the site's private address (meaning that the traffic never needs to try and traverse the Firewall) and when the user is outside, the same URL will resolve the to appropritate external/publix IP address (which would then pass through the Firewall quite normally).


          Is there any reason why, when you are using a client on your internal LAN, you would want to access the site using its public IP address?



          • 2. Re: Rule for Internal Website

            I’ve done some digging through the discussion boards and have not stumbled across anything relevant to my post. I’ll go back and tweak  my search to see if I get better and more relevant results.


            My DNS scenario is slightly different. My website lives into domains; one held and managed by the top-level DNS and primarily used for external traffic, and the second, isolated local DNS. Let me see if I can break it down a little more in an example: The external address is ‘mywebsite.example.com’. In my DMZ, it goes by a different address, ‘mywebsite.domain.local’.

            • 3. Re: Rule for Internal Website

              Through trial and error, it appears itneeds a NAT specified in order to work, in my case my Firewall IP.