4 Replies Latest reply on Mar 5, 2013 3:23 AM by ralzaga

    External HTTPs to internal HTTPs

      Hi,

          Please help me with how to create a rule so that when users type https://external_ipaddress:8101 into their browsers, traffic will be forwarded to https://internal_ipaddress:8400. Thank you.

        • 1. Re: External HTTPs to internal HTTPs
          PhilM

          First question - is the service actually using HTTPS?

          I ask because I encountered a customer a few months ago who was running a normal HTTP server on his internal LAN and had convinced himself that getting users on the Internet to access the resource over TCP port 443 would automatically mean it was using HTTPS, and he couldn't understand why the connection worked for http://external_address:443 but not for https://external_address.

          Anyway, when creating rules that allow users to connect on one port but pass that connection through to an internal (or DMZ) server using a different port, the service/application definition determines the port used by the users (in your case 8101), and you create the rule accordingly. However, in addition to giving the rule a redirect host object (assuming your users are on the Internet and the destination host is sitting on a network using private addresses), you then enter "8400" in the redirect port field immediately below it.

          Users connect to the Firewall on port 8101, the Firewall accepts the connection on port 8101, but then changes the port number to 8400 as the traffic is passed through.

          -Phil.

          • 2. Re: External HTTPs to internal HTTPs

            Hi,

            1.) As I understand from your post, port 443 will not work when forwarded to internal address port 80, so https://external_address forwarded to http://internal_address will not work and you need to access it by http://external_address:443?

            2.) So what about the case of a server that uses external port 443 forwarded to internal port 443 (https://external_address will not work when forwarded to https://internal_address)?

            3.) How about in my case, where the server can be accessed internally using two ports, 443 (https) and 8400 (https://internal_address:8400); how can I access it from outside using https://external_address:8101?

            • 3. Re: External HTTPs to internal HTTPs
              PhilM

              This may be better dealt with by one of the McAfee guys on this forum, or you could raise a support ticket with support and get it dealt with officially.

              1.) As I understand from your post, port 443 will not work when forwarded to internal address port 80, so https://external_address forwarded to http://internal_address will not work and you need to access it by http://external_address:443?

              Maybe my explanation wasn't very good. In this instance, my customer had an HTTP resource on his network and he thought that by presenting it through his Firewall on port 443 (users were using an https:// URL to access it and the Firewall rule was then redirecting the connection back to port 80) the service in question would then be using HTTPS and would therefore be encrypted.

              Putting the HTTPS/HTTP matter to one side for a moment, you can present any service through the Firewall on an alternative port number. For some it is necessary because they have two instances of the same service (web servers, for example) but do not have enough public IP addresses to present each server natively. So you can use the same public IP address but present one of them on a different port number, and use the redirect function in the rule to change the port back to the native value as the traffic passes through to the internal side.

              In your case, where you want to use port 8101 and then redirect it to port 8400, this should work no problem. But I have reservations about the second port number (443), because if this port number is issued by the server (and not entered in the client application) I don't think you will be in control of that port number.

              The only example I can think of in this instance is my SSL VPN solution. It runs, naturally, on port 443. But to accommodate users who forget to type "https://", it will accept connections on port 80 (HTTP) and the server will issue an immediate HTTP redirect, forcing the client to use HTTPS on port 443. So, if I wanted to, I could decide to present the port 80 connection on a custom port (8888, for example) and, when the connection hits the Firewall rule, redirect it to port 80. But when the back-end server says "actually, you should be using port 443 and I am going to send a redirect to you to make this happen automatically", I don't believe I will have any control over that port number. The server has said that it is port 443, so it must use port 443.

              I don't know if that makes things any clearer.
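Phil's point about which port numbers the firewall rule does and does not control can be made concrete with a small model. The following Python is an added example, not code from this thread or from McAfee's product. It models a redirect rule (external 203.0.113.10:8101 passed to internal 192.168.1.20:8400; both addresses are constructed for the example), shows which destination the rule translates, checks whether a Location header issued by the internal server names an address the external client can actually reach, rewrites such a header the way a reverse proxy would (a plain port-translation rule does not touch it), and, for Phil's first question in reply 1, tells a TLS server response apart from plaintext HTTP by its first bytes. Every name, address and sample byte string here is this example's own assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class RedirectRule:
    """A firewall rule that accepts traffic on one address:port and passes
    it to a redirect host on another port (the 'redirect port' field
    discussed in the thread).  Modelled here for illustration only."""
    external_ip: str
    external_port: int
    internal_ip: str    # redirect host
    internal_port: int  # redirect port

    def translate(self, dst_ip, dst_port):
        """Return the (ip, port) the connection is passed to, or None
        when the rule does not match the destination."""
        if (dst_ip, dst_port) == (self.external_ip, self.external_port):
            return (self.internal_ip, self.internal_port)
        return None


def _host_port(url):
    """Split a URL into scheme, host, effective port and the parsed parts."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, parts.port or default, parts


def location_reaches_client(rule, location):
    """True when a Location header sent by the internal server points at the
    one address:port pair the external client can reach through the rule."""
    _, host, port, _ = _host_port(location)
    return (host, port) == (rule.external_ip, rule.external_port)


def rewrite_location(rule, location):
    """Rewrite a Location header that names the internal host and redirect
    port so that it names the external address and port instead.  A port-
    translation rule alone does not do this; a reverse proxy would.  A
    Location pointing at a port outside the rule (e.g. 443) is left alone,
    which is exactly the case Phil says the firewall cannot control."""
    scheme, host, port, parts = _host_port(location)
    if (host, port) != (rule.internal_ip, rule.internal_port):
        return location
    netloc = f"{rule.external_ip}:{rule.external_port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def classify_first_bytes(data):
    """Classify the first bytes a server sends back: a TLS record starts with
    content type 0x16 (handshake) and major version 0x03; a plaintext web
    server answers an https:// attempt with an HTTP status line instead."""
    if data[:2] == b"\x16\x03":
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


# Constructed addresses (RFC 5737 / RFC 1918 ranges) for the example rule.
RULE = RedirectRule("203.0.113.10", 8101, "192.168.1.20", 8400)

# Constructed server responses: the header of a TLS ServerHello record, and
# a plaintext HTTP status line as a non-TLS server would return it.
TLS_REPLY = b"\x16\x03\x03\x00\x5a\x02"
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"

if __name__ == "__main__":
    print(RULE.translate("203.0.113.10", 8101))  # passed to the redirect host
    print(RULE.translate("203.0.113.10", 443))   # no rule matches this port
    for loc in ("https://192.168.1.20:8400/login",
                "https://192.168.1.20:443/login"):
        new = rewrite_location(RULE, loc)
        print(loc, "->", new, "reachable:", location_reaches_client(RULE, new))
    print(classify_first_bytes(TLS_REPLY), classify_first_bytes(HTTP_REPLY))
```

Run as a script, the second Location (port 443) comes back unchanged and unreachable from outside, which is the situation Phil describes with his SSL VPN: the rule maps 8101 to 8400, but nothing in it maps the 443 the server names in its redirect.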

              • 4. Re: External HTTPs to internal HTTPs

                Hi,

                    I created a ticket for this, but while I am waiting for the response: you have set your web server to redirect port 80 to 443, so besides the firewall I could also set the web server to redirect traffic from 80 to 443?