
"NO NAT" not effective - ASG8.30

Dear community,

I'm running an ASG 8.30 as a proxy, catching all intranet hosts' outbound HTTP access, including access to web servers located in our DMZ (exterior to our proxy).

The proxy intentionally runs in "standard mode".

The targeted web server is a development project and only selected internal hosts should be allowed to access it, and when doing so, their original private IP addresses should show up in the web server's log files. Nevertheless the web server has (and should keep) a public IP address, since public access should be possible in principle.
Initially the private host was bound to the internal proxy interface only; changing that to "all" interfaces did not help.


a) Assuming this setup makes sense, all it takes is to exempt HTTP access from those selected intranet hosts to that DMZ web server from NATing (while web filtering is still wanted), while all other HTTP access from these clients to all other public hosts should still be fully proxied.

My attempt to use a "No Nat" rule like this:

No NAT [Access www-Server] "Internal-External"
Traffic selector: private-host => HTTP => DMZ-web-server
Automatic firewall rule: yes
Initial packets are logged: yes

... does not work at all: the web server's log file still shows the IP address of the proxy's external interface.

b) Another attempt via a SNAT rule using the private address as the new address also failed silently.

c) Even stranger:

Setting a catch-all logging firewall rule "private-host => ANY & LOG => DMZ-webserver" at position 1 reveals that only the Astaro WebAdmin access from that private host (port 4444) is logged, while access to "http://DMZ-webserver-site:80/" is NOT logged at all.

It looks as if this access does not enter iptables at all, but instead passes entirely through the web proxy?!




Thus my questions:

1) Is this possible at all with ASG 8.3?
2) Does the web security facility take precedence over the iptables facility?

I know: running the website on a custom port would be an easy fix, but I'm interested in understanding the inner workings and also prefer to manage all client access centrally with our proxy facility (for management reasons, multiple admins, ...).

If any of you could explain that, I would certainly appreciate it.

Cheers!
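The following is an added example; it is neither part of the post above nor Sophos/Astaro code. It models observation c) with real sockets on loopback: a stand-in "DMZ web server" logs the TCP peer it sees, and a stand-in standard-mode proxy accepts the browser's request and then opens its own, separate TCP connection upstream. The web server therefore logs the proxy's endpoint, not the client's, and a NAT or firewall rule written as "client => web server" has no packet to match, because the only flow that reaches the server originates from the proxy itself. The example goes one step beyond the post by also showing an X-Forwarded-For header as the usual way a proxy passes the original client address along; whether the ASG 8.30 proxy inserts that header is not stated on this page and is not assumed here. All addresses and ports are loopback and ephemeral; the `add_xff` switch, `ORIGIN_SEEN` and `PROXY_OUTBOUND` are names invented for the demo.

```python
import http.client
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# What the stand-in "DMZ web server" logs per request: (peer_ip, peer_port, x_forwarded_for)
ORIGIN_SEEN = []
# The proxy's own upstream endpoint (ip, port) for each request it forwards
PROXY_OUTBOUND = []


class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in for the DMZ web server: records the TCP peer and X-Forwarded-For."""

    def do_GET(self):
        ORIGIN_SEEN.append((self.client_address[0], self.client_address[1],
                            self.headers.get("X-Forwarded-For")))
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence the default stderr access log
        pass


class StandardModeProxy(socketserver.ThreadingTCPServer):
    """Stand-in for a standard-mode web proxy: the browser is configured to talk to
    the proxy port, and the proxy opens a separate TCP connection to the web server."""
    allow_reuse_address = True
    daemon_threads = True
    add_xff = False  # hypothetical switch: tell the web server who the real client was


class ProxyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Standard mode: the request line carries an absolute URL with an explicit
        # port, e.g. "GET http://127.0.0.1:PORT/ HTTP/1.1" (the demo always sends one)
        method, url, _version = self.rfile.readline().decode().split()
        host, port = url.split("/")[2].rsplit(":", 1)
        path = "/" + "/".join(url.split("/")[3:])
        headers = []
        while (line := self.rfile.readline()) not in (b"\r\n", b"\n", b""):
            headers.append(line)
        if self.server.add_xff:
            headers.append(f"X-Forwarded-For: {self.client_address[0]}\r\n".encode())
        # The upstream connection is a new flow whose source is the proxy itself.
        # A NAT or firewall rule matching "client => web server" never sees it,
        # because no packet with the client's source address reaches the server.
        with socket.create_connection((host, int(port))) as upstream:
            PROXY_OUTBOUND.append(upstream.getsockname())
            upstream.sendall(f"{method} {path} HTTP/1.0\r\n".encode()
                             + b"".join(headers) + b"\r\n")
            while chunk := upstream.recv(4096):  # relay the response verbatim
                self.wfile.write(chunk)


def request_via(origin, proxy=None):
    """Fetch "/" from the origin, directly or through the proxy, and report what each
    party observed: the client's own endpoint, the proxy's upstream endpoint (if any),
    the peer the origin logged, and the X-Forwarded-For value the origin received."""
    origin_port = origin.server_address[1]
    if proxy is None:  # direct connection, i.e. the "custom port" workaround
        conn = http.client.HTTPConnection("127.0.0.1", origin_port)
        conn.request("GET", "/")
    else:  # browser configured to use the proxy: absolute URL in the request line
        conn = http.client.HTTPConnection(*proxy.server_address)
        conn.request("GET", f"http://127.0.0.1:{origin_port}/")
    client_endpoint = conn.sock.getsockname()
    if conn.getresponse().read() != b"ok":
        raise RuntimeError("unexpected response body")
    conn.close()
    peer_ip, peer_port, xff = ORIGIN_SEEN[-1]
    return {"client": client_endpoint,
            "proxy": PROXY_OUTBOUND[-1] if proxy is not None else None,
            "origin_peer": (peer_ip, peer_port),
            "xff": xff}


def run_demo():
    """Run the three cases and return their observations keyed by case name."""
    origin = HTTPServer(("127.0.0.1", 0), OriginHandler)
    proxy = StandardModeProxy(("127.0.0.1", 0), ProxyHandler)
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        out = {"direct": request_via(origin)}
        proxy.add_xff = False
        out["proxy"] = request_via(origin, proxy)
        proxy.add_xff = True
        out["proxy_xff"] = request_via(origin, proxy)
    finally:
        for srv in (origin, proxy):
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for case, seen in run_demo().items():
        print(case, seen)
```

In the "direct" case the origin's logged peer equals the client's own socket endpoint; in both proxied cases it equals the proxy's upstream endpoint instead, and the client address only appears at the origin when the proxy writes it into X-Forwarded-For. That is the same split the post observed between the logged WebAdmin access (a direct connection from the client to port 4444) and the unlogged port-80 access (terminated at the proxy and re-originated by it).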
