Reverse Proxy Setup
Anyone know how to use the reverse proxy? I have it set up but then what? I set up an external URL as https://mymail.domain.com and have it pointing to an internal URL. When I try and go to the external URL nothing really happens.
Comments
Are you testing this from the Internet? The Reverse Proxy is for remote users.
For internal users, use NAT Loopback to access an internal web server using the external IP addr or domain name.
I have tested it externally. Nothing comes up. I am assuming the webpage should just come up without a login prompt, right? I might need to adjust the internal URL. Wish there was a test button. But how do you add NAT Loopback?
You do NAT loopback on a policy, and it is not related to the Reverse Proxy.
NAT Loopback and Static NAT (SNAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
You can also do this for a 1-to-1 NAT setup
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_1-to-1_c.html
OK, thanks. Any ideas on the Reverse Proxy? I changed the internal URL to the server's name like https://servername. Still nothing.
Figured it out. I have 2 internet interfaces. I was connecting to the wrong one.
Good news
Well, I was wrong. It still is not working. I actually had a rule pointing my public interface to the website I am trying to proxy. So it still doesn't work. Let me understand this, should the proxy port be the same as the Access portal? Right now my Access portal resides on port 6655. Does that mean in order to use the reverse proxy I have to connect my websites to port 6655 as well?
I have a tabletop firewall model - which does not support the Access Portal, and thus the Reverse Proxy. So I can't test either.
Since no one else is commenting here, consider opening a support incident to get WG help in getting this working.
Should you find the issue, please post it, which may help others down the line.
"When I try and go to the external url nothing really happens."
What is it that you WANT to happen?
What is behind the https://mymail.domain.com URL? My guess would be a mail server, such as Exchange, and if that's true, you need to use SNAT and not the reverse proxy.
Gregg Hill
Nothing in the docs about the Reverse Proxy suggests that you need to use an alternate port for this access to work.
Once you have added a reverse proxy entry, I would expect there to be something on your Access Portal page to select to try to access the Reverse Proxy resource.
Also, I don't see anything in the docs about troubleshooting the Reverse Proxy or the Access Portal.
Hi @KevCar
Hopefully I've read your issue correctly:
Bear in mind that when using the Reverse Proxy with the Access Portal, the internal domain (currently) needs to be the same as the external domain (which I hope is 'fixed' at some point). What I did was:
If you configure it so the external URL is https://www.app.domain.com and your internal URL is https://someserver.domain.local.. then it won't work.
Let me know if the above reads OK..
Cheers, James
All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).
Thanks for the clarification. But even though I am doing all of this I am still not able to bring up the webpage. When I look at the Traffic Monitor it shows an Unhandled External Packet, which means there is no service configured. I did not read anywhere that it tells me I need a rule. I added a rule to the external interface and that is allowing connections to come in, but it still does not work. I am getting a different error message, "PR_CONNECT_RESET_ERROR." It seems this feature is just not ready or a better write-up is required. Going to look into a 3rd party Reverse Proxy or a WAF. Thanks for your help. If anyone else ever gets it working, please let us know.
KevCar, I am still curious about my questions. What exactly do you have behind the Firebox that you are trying to reach? The reason I ask is that your URL of https://mymail.domain.com makes it look like you are trying to reach a mail server, and for that, SNAT should work. I used SNAT to reach my Exchange server and OWA when I had in-house email.
Gregg Hill
I already have Exchange configured behind the firewall. I also have a couple of other public websites I am wanting to protect. The Exchange was just one site I was trying. The others also do the same thing. Just trying to protect all the websites using a reverse proxy instead of having it directly accessed through a SNAT.
Hi @KevCar
You don't need any extra rules, but you do need to make sure that you have users, or groups configured within the Access Portal, with permissions to access the appropriate apps.
To get this working the first time, I followed the existing documentation. If it's not working, I'd hope it would be something simple. WG support are great with this, so I'd recommend opening a call if you're having difficulty. Don't give up on it - it works a treat (I admit I've not protected Exchange with it yet - just a few basic web services).
Cheers, James