Kerio User Forums » Kerio Control » Port Mapping Problem (Can't access web server from outside the network)
jterschak
Messages: 6
Karma: 0
Hello,

I put our web server behind the Kerio firewall (6.5.2 Build 5172) but we can only connect to it internally. I've tried port mapping but I can't get it to work. Any advice would be greatly appreciated! This is very frustrating.

Name - Webserver In
Source - Any
Destination - 67.105.x.x (external IP)
Service - FTP, HTTP
Action - Permit
Translation - MAP 192.168.x.x (internal server IP)
Protocol Inspector - Default

Name - Webserver Out
Source - 192.168.x.x
Destination - Firewall
Service - FTP, HTTP
Action - Permit
Translation - NAT (tried both on and off)
Protocol Inspector - Default

I've also played around with other rules. I assume I need an incoming and outgoing rule, but nothing seems to work. Please Help.

Thanks!

Adjuster
Messages: 48
Karma: -1
Hello,

The rules should look like this:

Name - Webserver Input
Source - Internet
Destination - 67.105.x.x (external IP)
Service - FTP, HTTP
Action - Permit
Translation - MAP 192.168.x.x (internal server IP)
Protocol Inspector - Default

Name - Webserver Output
Source - 192.168.x.x
Destination - Internet
Service - FTP, HTTP
Action - Permit
Translation - NAT (tried both on and off)
Protocol Inspector - Default

____________________________
Excuse me for my English...

jterschak
Messages: 6
Karma: 0
Thanks for the response Adjuster. This has been driving me crazy. I know it's probably my fault, but I can't figure it out.

I tried what you suggested and it didn't work. Here is some info:

Source/Destination - Internet
If I set it to this, I can't get to the website internally or externally. That goes for workstations on the network, or the webserver itself.

Source/Destination - Any
If I set it to Any for testing, I can get to www.website.com internally, but nothing externally. It also does not work through a browser on the webserver.

Any ideas?

KursadOlmez
Messages: 118
Karma: 3
Hi jterschak,

Your inbound (from internet to your webserver behind the KWF) Traffic Policy should be like that
http://proxima.web.tr/pub/kerio/2010-06-09_021222.png

If you want to setup port mapping with KWF, your destination should be Firewall then Translate your traffic to your internal server.

Adjuster
Messages: 48
Karma: -1

So I thought he would follow such a response:

Quote:
Source / Destination - Internet
If I set it to this, I can't get to the website internally or externally. That goes for workstations on the network, or the webserver itself.

Source / Destination - Any
If I set it to Any for testing, I can get to www.website.com internally, but nothing externally. It also does not work through a browser on the webserver.


You must create a rule for the LAN and put it above the rules for the external network:

Source LAN
Destination www.website.com / Firewall
Protocol FTP / HTTP
Permit
Map to 192.168.x.x

[Updated on: Wed, 09 June 2010 07:26]


____________________________
Excuse me for my English...

jterschak
Messages: 6
Karma: 0
So I need three rules then? I'm trying to understand how the data flows through the rules. The KWF reads the traffic rules from the top to bottom, correct?

Like this?
[attached image: index.php?t=getfile&id=1942&private=0]


Or should I change my rules based on KursadOlmez's suggestion?


Thanks

edit: made the pic too big. sorry

[Updated on: Wed, 09 June 2010 17:00]

KursadOlmez
Messages: 118
Karma: 3
Hi jterschak,

If your webserver is serving only websites and there is no need to access the Public Network (Internet) from that webserver, you don't need to create outbound rules. I mean, if you don't browse web sites (other than yours) on the Internet with Internet Explorer on that server. But if you are browsing the web, you may create HTTP/HTTPS (or FTP, SMTP etc., whatever you need for accessing services on the Internet).

Your situation is very similar to mine. My company is using Exchange 2007 OWA (Outlook Web Access) and Outlook AnyWhere (for MS Outlook Clients) with HTTPS protocol and we are also using our own web-based application with HTTP protocol behind the KWF.

You can see our Traffic Policy rules on the image below. This setup works perfect for us.
http://proxima.web.tr/pub/kerio/2010-06-09_215856.png

In this screenshot, the first 3 policies were created by the KWF First Run Wizard.

The 4th policy was created by me to allow inbound (from Internet to local webserver) traffic to the local webserver behind the KWF (please notice the Source, Destination and Translation sections).

And the 5th rule is the Default NAT policy for allowing local users (and all of my local servers) to access the Internet. As you can see, the NAT policy isn't checked, which means none of my client computers and local servers are able to access the Internet. Though, everybody can access Exchange 2007 OWA and Outlook Anywhere from the Internet and the Local Network.

NOTE: If your webserver is also serving FTP, POP3, SMTP etc. then you should add these protocols to the 4th policy in my example.

[Updated on: Wed, 09 June 2010 21:18]
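Two points in the replies above are easy to get wrong without seeing them run: Adjuster's advice that a separate LAN rule must sit above the Internet-facing mapping rule (a rule whose Source is "Internet" can never match a LAN client connecting to the public address), and KursadOlmez's point that a web server needs no outbound rule just to answer inbound requests. The script below is an added example written for this thread, not Kerio code and not a model of KWF's real engine: it is a simplified first-match policy evaluator with a connection table, using constructed addresses (203.0.113.10 stands in for the masked 67.105.x.x public IP, 198.51.100.7 for an outside client), the zone names Any/LAN/Internet/Firewall as used in the thread, and an assumed implicit deny at the end of the rule list.

```python
"""Simplified first-match traffic-policy simulator (added example, not Kerio code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed sample addresses; the thread masks the real ones as 67.105.x.x / 192.168.x.x.
FIREWALL_PUBLIC_IP = ip_address("203.0.113.10")  # firewall's external interface (stand-in)
WEBSERVER_IP = ip_address("192.168.0.3")         # internal web server, as quoted in the thread
LAN = ip_network("192.168.0.0/24")
EXTERNAL_CLIENT = ip_address("198.51.100.7")      # constructed outside client
LAN_CLIENT = ip_address("192.168.0.50")           # constructed workstation on the LAN
HTTP, FTP = 80, 21


def zone(addr: IPv4Address) -> str:
    """Map an address to the pseudo-zones the rule table uses (assumed model)."""
    if addr == FIREWALL_PUBLIC_IP:
        return "Firewall"
    if addr in LAN:
        return "LAN"
    return "Internet"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                           # "Any", "LAN" or "Internet"
    destination: str                      # "Any", "Firewall" or "Internet"
    ports: frozenset                      # service ports, e.g. {HTTP, FTP}
    map_to: Optional[IPv4Address] = None  # destination-NAT target ("MAP" in the thread)

    def matches(self, flow: Flow) -> bool:
        src_ok = self.source == "Any" or zone(flow.src) == self.source
        dst_ok = self.destination == "Any" or zone(flow.dst) == self.destination
        return src_ok and dst_ok and flow.dport in self.ports


@dataclass
class Verdict:
    rule: Optional[str]        # name of the first matching rule, None if nothing matched
    permitted: bool
    dst_after_nat: IPv4Address


class StatefulFirewall:
    """Top-to-bottom rule evaluation for new connections; replies use the connection table."""

    def __init__(self, policy):
        self.policy = list(policy)
        self.connections = {}  # (client, real server, dport) -> original Flow

    def new_connection(self, flow: Flow) -> Verdict:
        for rule in self.policy:           # first match wins, so order matters
            if rule.matches(flow):
                real_dst = rule.map_to or flow.dst
                self.connections[(flow.src, real_dst, flow.dport)] = flow
                return Verdict(rule.name, True, real_dst)
        return Verdict(None, False, flow.dst)  # assumed implicit deny at end of list

    def reply(self, src: IPv4Address, sport: int, dst: IPv4Address) -> bool:
        """Server-to-client reply: allowed iff the connection exists. No rule lookup,
        which is why serving inbound requests needs no outbound rule."""
        return (dst, src, sport) in self.connections


# Adjuster's inbound rule alone: Source Internet, Destination Firewall, MAP to the server.
INBOUND_ONLY = [Rule("Webserver In", "Internet", "Firewall", frozenset({HTTP, FTP}), WEBSERVER_IP)]
# The same, with a LAN rule placed above it as Adjuster recommended.
WITH_LAN_RULE = [Rule("Webserver LAN", "LAN", "Firewall", frozenset({HTTP, FTP}), WEBSERVER_IP),
                 *INBOUND_ONLY]


def run_scenarios(policy):
    """Evaluate an outside client, a LAN client, and the server's reply against a policy."""
    fw = StatefulFirewall(policy)
    external = fw.new_connection(Flow(EXTERNAL_CLIENT, FIREWALL_PUBLIC_IP, HTTP))
    lan = fw.new_connection(Flow(LAN_CLIENT, FIREWALL_PUBLIC_IP, HTTP))
    reply_ok = fw.reply(WEBSERVER_IP, HTTP, EXTERNAL_CLIENT)
    return {"external": external, "lan": lan, "reply_without_outbound_rule": reply_ok}


if __name__ == "__main__":
    for label, policy in (("inbound rule only", INBOUND_ONLY), ("with LAN rule above", WITH_LAN_RULE)):
        print(f"--- {label} ---")
        for k, v in run_scenarios(policy).items():
            print(f"{k}: {v}")
```

With the inbound rule alone, the outside client is mapped to 192.168.0.3 and its reply passes on the connection table, but the LAN workstation connecting to the public address hits the implicit deny, which mirrors the "works externally or internally but not both" symptom in the thread; adding the LAN rule above it makes the internal case match too.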

jterschak
Messages: 6
Karma: 0
KursadOlmez,

Quote:
If your webserver is serving only websites and no need to access to Public Network (Internet) from that webserver,


The webserver only needs to host our website and handle ftp. I don't need to surf the web with it. I probably should've said that better. I meant it from a communications point of view. From the server itself I was able to ping everything internal and external, and I was able to surf the web. I just couldn't ping or open the website.

Quote:
you don't need to create outbound rules.


Ok. I guess I assumed if a pc made a request to open a web page on our website, there would need to be an outgoing rule for the webserver to serve the page back to the pc.

Quote:
Your situation is very similar to mine. My company is using Exchange 2007 OWA


We are very similar! We also use Exchange 2007 OWA. That's one of the things that confused me about this whole process. I have similar rules to allow limited access to the Exchange box behind the KWF and that works fine.

I'll try your suggestions and see what happens.

Thanks

jterschak
Messages: 6
Karma: 0
I still can't get it to work. At this point I think I have tried every combination possible.

I've tried KursadOlmez's suggestions and Adjuster's suggestions. I've tried both of their suggestions at the top of the traffic rules and at the bottom of the traffic rules. If I was using more than one rule I shuffled the order of the rules to see if that would help.

I put 192.168.0.3 www.website.com into the Hosts file. Then I tried 67.105.255.255 www.website.com. Nothing seems to work.

I'm not sure how to get this to work with this method. The other night I put an extra nic into the KWF computer. If I can't get this to work I'll try a DMZ off of the KWF and see what happens.

Thanks for the suggestions. If anyone has any other ideas, please let me know!

jterschak
Messages: 6
Karma: 0
I got it to work with the DMZ. I'll try and post something tomorrow explaining what I did to help out anyone who might read this.

Woo hoo!