EFW Support > Support > General Support

Topic: Can't access Webservers from within the Green Network (Read 13268 times)
jessy5765 (Jr. Member)
« on: Wednesday 11 April 2012, 04:57:36 am »

Overview: Hello, I am new to Endian. However, I am fluent in ESX and routing. After some troubleshooting with my Verizon ONT box I finally got everything up and running. I have all my port forwards set up, and remote web access to the firewall is set up and working. So far Endian is awesome. However....

Problem: I am not able to get to my webservers from within the network now. This includes HTTP, HTTPS, FTP, RDP... pretty much all my port forwards.

Occurrence: The day/hour/minute that I moved from a Fortigate 30B physical firewall to Endian.

Layout:
1. I have an Exchange server running Exchange 2010 SP1; this is on one server that uses HTTPS, which redirects from my IIS webserver that listens on HTTP.
2. I also have an FTP server running on the same server as my webserver.
3. I am able to access everything from outside of my network. If I am on another network, I am able to get to my webservers and FTP, remote into my servers; everything works like it should.
4. I am using a RED/GREEN network with Verizon FiOS ISP.
5. All servers are on the GREEN network, as are all the PCs.
6. I am able to ping everything in my network and use FTP and RDP as long as I use the local IP address. As soon as I try to bring my domain (domain.com) into play nothing works.
7. I am able to ping and resolve my domain name; HOWEVER, I do not get any replies, it just times out.
8. I am able to ping and get replies when working on another network.

Not sure what else I can do! There must be something that I am missing.
Please Help.
timupci (Full Member)
« Reply #1 on: Wednesday 11 April 2012, 05:59:31 am »

Endian Firewall (EFW) will not allow you to access web pages from your inside (green) network. For example, if "test.com" is your website hosted on "server.test.com", you cannot browse to just "test.com". You have to actually browse to the internal address of "server.test.com".

EFW also blocks access from Orange to Green (server subnet to workstation subnet). This is a default setting so that when you have a server opened up to the internet, all of the Green subnet is not compromised. This is the "Inter-Zone" traffic. As I stated, by default it is closed off. You can add specific ports available between the zones, or if you choose, open them completely up.

> 4. I am using a RED/GREEN network with Verizon FiOS ISP.

All your internet connections should be on Red unless you are running MPLS with your ISP. Red is the "Threat Zone", Green is the NATed zone.
jessy5765 (Jr. Member)
« Reply #2 on: Wednesday 11 April 2012, 06:11:31 am »

I apologize if it sounded a bit confusing for what I have set up. I meant I am not using an Orange or Blue network; I only have Green (internal subnet) and Red (WAN).

My internal domain is jrm**********.local
My Internet domain is jrm**********.com

So my internal DNS will not route anything. From what I understand it should reach outside of the network, hit DNS to resolve it, and then send it back to my network... is this false?

Is there any way to make this happen? Or do I have to set up "jrm***********.com" as a DNS zone on my Domain Controller and set up all of my webservers?

Thank you
jessy5765 (Jr. Member)
« Reply #3 on: Wednesday 11 April 2012, 06:42:00 am »

Okay, I set up a new DNS zone, made all my CNAME entries and a few ANAME entries, and now everything seems to be working. So now when making DNS changes I need to do internal and external DNS.....

Is this a security feature? lol. My Fortigate would always route the traffic without any configuration. It just knew.
timupci (Full Member)
« Reply #4 on: Wednesday 11 April 2012, 06:56:13 am »

Essentially you are running 2 different domains.

From my experience you would only use the .local if you had not purchased a DNS name at all. I don't know how experienced you are at maintaining/configuring a DNS server, but you should be able to run both .local and .com; however, it takes 2 DNS servers, each allowing forwarding on to the other.

So this is the way EFW works (or the way you should have your network set up). When putting in a request to "test.com" it will query your DNS and then access your gateway (EFW, I assume). EFW then checks its DNS server provided by your ISP. Your ISP's DNS points back to the IP address of your EFW. EFW is that domain. It then forwards the packets on to the appropriate port for the service you are trying to access, i.e. the web server.

The problem is that the EFW is designed to not allow packets that have left Green to re-enter the Green zone once they have left the EFW. This is my assumption, and it has been confirmed by the developers.

My recommendation is for you to properly set up your network structure to be "test.com" instead of "test.local". When trying to access the Exchange server (or any other server on your network) you should use the full domain name of "server.test.com"; that way your DNS server does not send the packets out of Green, but will keep them on the internal network.

test.com IP address is your external IP address.
server.test.com IP address is the internal NAT IP address.

Hopefully I did not ramble too much, and that you can understand what I am trying to explain.
timupci (Full Member)
« Reply #5 on: Wednesday 11 April 2012, 06:57:53 am »
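The fix in Reply #3 (an internal copy of the .com zone) and the explanation in Reply #4 (GREEN traffic to the RED address is not forwarded back into GREEN) can be put together in a small model. The script below is an added example written for this thread; it is not code from the forum, from Endian, or from either poster, and all addresses, host names and the port-forward table in it are constructed. It resolves a name the way a GREEN or an outside client would see it, then runs one packet through the firewall decision the thread describes, so you can see why the public name fails from inside without split DNS and works once the internal zone exists.

```python
# Added example (not code from the thread or from Endian): a model of the
# behaviour described in Reply #3 and Reply #4. A GREEN client that resolves
# the public name gets the RED address, and the firewall will not forward that
# traffic back into GREEN; an internal DNS zone that hands GREEN clients the
# server's private address keeps the traffic inside GREEN.
# All addresses and names below are constructed for illustration.

PUBLIC_IP = "203.0.113.10"        # firewall's RED-side address (constructed)
GREEN_PREFIX = "192.168.1."       # GREEN subnet (constructed)
WEB_SERVER = "192.168.1.20"       # IIS/FTP host in GREEN (constructed)
GREEN_CLIENT = "192.168.1.50"     # a GREEN workstation (constructed)
OUTSIDE_CLIENT = "198.51.100.7"   # a host somewhere on the internet (constructed)

# Port forwards on the firewall: RED public address -> internal server (constructed).
PORT_FORWARDS = {80: WEB_SERVER, 443: WEB_SERVER, 21: WEB_SERVER}

# Public zone, as published at the registrar: every name points at RED.
PUBLIC_ZONE = {"test.com": PUBLIC_IP, "server.test.com": PUBLIC_IP}

# Internal copy of the zone, served only to GREEN (Reply #3's "new DNS zone").
INTERNAL_ZONE = {"test.com": WEB_SERVER, "server.test.com": WEB_SERVER}


def is_green(ip: str) -> bool:
    """True if the address belongs to the GREEN subnet."""
    return ip.startswith(GREEN_PREFIX)


def resolve(name: str, client_ip: str, split_horizon: bool) -> str:
    """Return the address a client sees for name.

    With split_horizon=True, GREEN clients are answered from the internal
    zone; everyone else (and GREEN without the internal zone) gets the
    public answer, which is the RED address.
    """
    if split_horizon and is_green(client_ip) and name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    return PUBLIC_ZONE[name]


def deliver(src: str, dst: str, dport: int) -> tuple[bool, str]:
    """Model the firewall's decision for one packet; returns (delivered, why)."""
    if is_green(dst):
        if is_green(src):
            return True, "same zone, delivered directly without the firewall"
        return False, "private GREEN address is not reachable from RED"
    if dst != PUBLIC_IP:
        return False, "not addressed to this firewall"
    if dport not in PORT_FORWARDS:
        return False, f"no port forward for port {dport}"
    if is_green(src):
        # The EFW behaviour the thread describes: traffic that leaves GREEN
        # for the RED address is not forwarded back into GREEN.
        return False, "GREEN traffic to the RED address is not forwarded back into GREEN"
    return True, f"DNAT from RED to {PORT_FORWARDS[dport]}:{dport}"


def connect(client_ip: str, name: str, dport: int,
            split_horizon: bool) -> tuple[bool, str, str]:
    """Resolve name as client_ip would, then send one packet; returns (ok, ip, why)."""
    ip = resolve(name, client_ip, split_horizon)
    ok, why = deliver(client_ip, ip, dport)
    return ok, ip, why


if __name__ == "__main__":
    cases = [
        (GREEN_CLIENT, "test.com", 80, False),        # the original complaint
        (OUTSIDE_CLIENT, "test.com", 80, False),      # works from outside
        (GREEN_CLIENT, "test.com", 80, True),         # after the internal zone is added
        (GREEN_CLIENT, "server.test.com", 443, True),
    ]
    for client, name, port, split in cases:
        ok, ip, why = connect(client, name, port, split)
        state = "OK  " if ok else "FAIL"
        print(f"{client:>14} -> {name}:{port} (split DNS {'on' if split else 'off'}): "
              f"{ip:>14} {state} {why}")
```

One consequence of this arrangement is exactly what Reply #3 noticed: every record in the public zone has to be mirrored in the internal zone, because once the internal server is authoritative for the .com zone it answers for all names in it, and any public record that is not copied across stops resolving from GREEN.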

> Okay, I set up a new DNS zone, made all my CNAME entries and a few ANAME entries, and now everything seems to be working. So now when making DNS changes I need to do internal and external DNS.....
>
> Is this a security feature? lol. My Fortigate would always route the traffic without any configuration. It just knew.

Yes, it is a security issue. Any packet that leaves your network cannot re-enter and be guaranteed clean.