443 proxy question
Hi, hopefully an easy answer, but I'm wondering if there is a way I can proxy a 443 connection so both parties see it as coming from the firewall IP?
For example:
Internal IoT device -> Cloud IoT management service on 443
10.10.10.10 -> 200.1.1.1:443 (for example)
Instead would be 10.10.10.10 -> 199.1.1.1 (FW) -> 200.1.1.1:443
Return traffic to 10.10.10.10 would be from 199.1.1.1
The issue I'm facing is that the IoT kit is on a switch VLAN with an ACL, and the external IP responds on a random port from a changing pool of addresses via DNS name.
I don't want to open all ports/IPs inbound to the IoT VLAN.
Can the WG do this? We currently use a Linux proxy server.
Thanks
--
WatchGuard M4800 (x2 Cluster)
WatchGuard M690 (x2 Cluster)
Firmware : 12.10.4
The firewall NATs outgoing packets from internal private IP addresses to the external IP address of the firewall.
Reply packets are automatically allowed; there is no need to add policies to allow them.
Reply packet IP addresses will be seen by the internal device as the real source IP address of the sending device.
Also, there is a proxy server type function.
Review this:
About the Explicit Proxy
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/explicit_proxy/explicit_proxy_about_c.html
Thanks Bruce, we use the NAT function and that works fine; return packets etc. are OK. The issue is usually with internal ACLs that don't have this function and don't support FQDNs, so you have this issue of a pool of changing IP addresses on random ports returning traffic.
Does the Explicit Proxy help?
Or do you need the sent packet to be TCP 443, and not a different port, such as TCP 3128?
I don't mind doing an allow-all inbound from the firewall IP. I just can't do it from the actual IP as it changes.
Isn’t the access initiated from the internal IoT device?
If so, reply packets should automatically be allowed
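The point the thread turns on is the difference between the stateful firewall (which tracks the outbound session and lets the reply back automatically) and the stateless switch ACL on the IoT VLAN (which matches every packet on its own, so a reply from a cloud address that was not in the ACL when it was written is dropped). The simulation below is an added illustration, not code from the original posts or from WatchGuard: it evaluates a small first-match, implicit-deny ACL against the two topologies described above. The VLAN 10.10.10.0/24, device 10.10.10.10, firewall 199.1.1.1, cloud address 200.1.1.1 and proxy port TCP 3128 are taken from the thread; the extra pool addresses and the ephemeral client port are constructed for the example.

```python
"""Stateless-ACL simulation: why a changing cloud address pool breaks a
switch-VLAN ACL, and why proxying through a fixed firewall IP avoids it."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix, CIDR notation
    sport: Optional[int]   # None = any source port
    dst: str               # destination prefix, CIDR notation
    dport: Optional[int]   # None = any destination port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


def evaluate(acl: List[Rule], f: Flow) -> bool:
    """First matching rule wins. A stateless ACL keeps no connection table and
    ends in an implicit deny, so a reply packet is judged entirely on its own."""
    for r in acl:
        if r.matches(f):
            return r.action == "permit"
    return False


def session_ok(acl: List[Rule], client: str, cport: int, server: str, sport: int) -> bool:
    """A TCP session only works if both the outbound SYN and the reply pass."""
    outbound = Flow(client, cport, server, sport)
    reply = Flow(server, sport, client, cport)
    return evaluate(acl, outbound) and evaluate(acl, reply)


IOT_VLAN = "10.10.10.0/24"
IOT_DEVICE = "10.10.10.10"
FW_IP = "199.1.1.1"          # firewall address used in the thread
PROXY_PORT = 3128            # explicit proxy port mentioned in the thread
EPHEMERAL = 51000            # constructed client source port
# Constructed: addresses the cloud service's DNS name resolves to over time.
CLOUD_POOL = ["200.1.1.1", "200.1.1.7", "200.1.1.9"]

# Direct path: the ACL author could only permit replies from the address the
# DNS name resolved to on the day the ACL was written.
DIRECT_ACL = [
    Rule("permit", IOT_VLAN, None, "0.0.0.0/0", 443),
    Rule("permit", "200.1.1.1/32", 443, IOT_VLAN, None),
]

# Proxy path: the device only ever talks to the firewall's fixed IP, so the
# VLAN ACL needs one permit per direction; the firewall deals with the pool.
PROXY_ACL = [
    Rule("permit", IOT_VLAN, None, FW_IP + "/32", PROXY_PORT),
    Rule("permit", FW_IP + "/32", PROXY_PORT, IOT_VLAN, None),
]


def direct_results() -> Dict[str, bool]:
    """Per cloud address: does a direct 443 session survive the VLAN ACL?"""
    return {ip: session_ok(DIRECT_ACL, IOT_DEVICE, EPHEMERAL, ip, 443)
            for ip in CLOUD_POOL}


def proxy_results() -> Dict[str, bool]:
    """Same sessions via the explicit proxy: the switch only sees the
    device <-> firewall leg, whichever pool address the firewall reaches."""
    return {ip: session_ok(PROXY_ACL, IOT_DEVICE, EPHEMERAL, FW_IP, PROXY_PORT)
            for ip in CLOUD_POOL}


if __name__ == "__main__":
    print("direct:", direct_results())   # only the originally listed address passes
    print("proxy: ", proxy_results())    # every session passes
```

Running it shows the direct topology working only for 200.1.1.1 and failing as soon as the DNS name moves to another pool member, while the proxied topology passes for every pool address with a two-line ACL that never names a cloud IP.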