Two web servers on TZ-300
We are a small office with a TZ-300, one public IP and two web servers which need to be accessible from the internet: https://app.contoso.com and https://dev.contoso.com
From this SonicWall article (https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-nat-policies-on-a-sonicwall-firewall/170505782921100/), in the section “Inbound Port Address Translation via WAN (X1) IP Address”, I found how to access both servers, but it requires the user to access https://1.1.1.1:4433 and https://1.1.1.1:4434, which is not suitable for our case.
I would like to know whether our desired architecture works with the TZ-300, and, if so, for instructions.
Regards.
Best Answers
BWC Cybersecurity Overlord ✭✭✭
Hi @fre
with just one public IP address you cannot "share" port 443, because NAT does not work SNI-based. I would suggest just installing a reverse proxy (NGiNX would be my weapon of choice) in the DMZ and letting it do the HTTPS offloading and forward requests to app or dev based on the requested host. Sorry that there needs to be another system involved, but I see no other option.
--Michael@BWC
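As an added example (not configuration from the thread or from SonicWall/NGINX documentation), this is what the reverse-proxy layout described above looks like on the NGINX side. The firewall keeps a single inbound NAT policy and access rule (WAN → DMZ, public IP TCP/443 to the proxy's DMZ address); NGINX terminates TLS for both names and picks the backend from the name the client asked for, which a layer-3/4 NAT policy never sees. The DMZ and internal addresses, certificate paths and the internal CA file are assumptions for illustration; the `ssl_reject_handshake` directive needs NGINX 1.19.4 or newer.

```nginx
# Added example: NGINX reverse proxy in the DMZ for two hostnames behind one
# public IP. Not part of the original thread. Assumed (hypothetical) values:
#   app.contoso.com backend 10.10.20.11, dev.contoso.com backend 10.10.20.12,
#   certificates under /etc/nginx/certs/, internal CA at internal-ca.pem.

http {
    # Catch-all for any SNI we do not serve (or no SNI at all): refuse the
    # handshake instead of answering with one of the real certificates.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    # Settings shared by both real vhosts.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    server_tokens off;

    server {
        listen 443 ssl;
        server_name app.contoso.com;

        ssl_certificate     /etc/nginx/certs/app.contoso.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/app.contoso.com.key;

        location / {
            # Re-encrypt towards the internal server and verify its certificate
            # against the internal CA, so a host on the DMZ cannot quietly
            # impersonate the backend.
            proxy_pass https://10.10.20.11;
            proxy_ssl_server_name on;
            proxy_ssl_name app.contoso.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    server {
        listen 443 ssl;
        server_name dev.contoso.com;

        ssl_certificate     /etc/nginx/certs/dev.contoso.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/dev.contoso.com.key;

        location / {
            proxy_pass https://10.10.20.12;
            proxy_ssl_server_name on;
            proxy_ssl_name dev.contoso.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two checks before going live: run `nginx -t` after editing, and confirm with `openssl s_client -connect <public-ip>:443 -servername app.contoso.com` (and again with `dev.contoso.com`, and once with a bogus name) that each name gets its own certificate and the bogus name is refused. If the backends must keep doing their own TLS end to end, the same name-based split can be done without offloading using the `stream` module with `ssl_preread` and a `map $ssl_preread_server_name` to pick the upstream; the proxy then never holds the servers' private keys, but also cannot inspect or filter the HTTP traffic.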
fre Newbie ✭
Solution for this case: the firewall forwards to an NGINX server, and this proxy forwards to our internal servers.
Answers
Hello @fre - I would assume that both hostnames (dev.contoso.com & app.contoso.com) resolve to the same public IP, and you want to route traffic to them on the same HTTPS port (443). The firewall rules and NAT policies would not be able to distinguish between the incoming packets since those are IP-layer based. You would need the ability for the firewall to act on the HTTP Host headers or HTTPS certificate Common Names to do this granular policy. I will research to see if we have any features that can do this.
Hi @fre -- I would recommend following the KB below to achieve your goal:
https://www.sonicwall.com/support/knowledge-base/how-can-i-enable-port-forwarding-and-allow-access-to-a-server-through-the-sonicwall/170503477349850/
Hi @John_Lasersohn, thanks. Did you finish your research?
Hi @Ajishlal, thanks, but this applies to only one web server on one public IP. My need is to resolve two hostnames (two different servers) to one public IP.
Hi @BWC, thanks for your reply. I will try this solution.
Hi @fre,
It's possible with SonicWALL, but you would have to place the second server in a different LAN zone (example: LAN-2).
Hi @fre
Once you have done the LAN zone segregation, do the FQDN NAT for the web servers.
For FQDN NAT please follow the KB below:
https://www.sonicwall.com/support/knowledge-base/fqdn-fully-qualified-domain-name-based-nat/180417115915557/
Hello @Ajishlal - I do not believe having a second zone would solve this issue. I believe, as others have commented, that you have only one public IP answering on TCP port 443, and the firewall's rules would only be aware of one public IP and two private IP addresses (or even two FQDNs which resolve to that same public IP). The challenge is some logic which would know to route based on something in the HTTPS or HTTP headers (Host tag or certificate Common Name) to one private server or the other. I looked at our App Rules, which do have a redirect Action Object available, and it may be possible, but it would require Server DPI-SSL and a bunch of other configs (Match Objects, App Rules). I have not had time to make it work yet.
I did try to create a second DMZ, but the firewall would direct to only one server (app.contoso.com or dev.contoso.com), whichever comes first on the priority list.
So that means it won't work simultaneously?
Let me check with my lab environment and I will get back to you.
Hi @fre
Yes, there is a challenge while accessing both web servers simultaneously, but you can assign the NAT policy priority ranking.
For example, give the priority to https://app.contoso.com (if this is a production server).
@fre great to hear that in the end you got it resolved, and as mentioned, NGiNX is a great choice for that kind of stuff.
--Michael@BWC