Are you talking about access rules or filter exceptions?
Static NAT, or reverse proxy?
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
Both will require filter exceptions to allow the traffic.
Static NAT requires another (secondary) public IP address to be nat'd
one-to-one to the internal host. Then you need filter exceptions to allow
the traffic through to the host (and to allow the return packets back from
the host).
Proxy requires you to set up a reverse (or generic) proxy to accept
traffic to a particular port (80, for http) on one of the public addresses
(can be the primary public address or a secondary), and map that
port/address to an internal host. You also need filter exceptions to
allow the traffic to the proxy's public address (and return traffic from
it). With generic proxy you also need an access rule allowing the
traffic. With reverse http proxy, you don't need a rule unless you
require authentication.
> I am not familiar with the terms used for BM. What do the filter
> exceptions actually do? I have a document that you've written on them
> also and have been trying to work out whether that's what I need to be
> looking at.
See tip #13 at my web site. The default filters block all traffic to the
public interface. The default exceptions allow certain traffic out from
the public address (and return traffic back in), for browsing and maybe
some other proxies. For inbound traffic you need to have additional
filter exceptions, and these will likely have to be created by you for
whatever traffic is desired.
>
> Using the proxy, the clients on our internal network should be able to
> access the site as the internal DNS entry they'll use to resolve it is a
> local address. To achieve this, does it require a filter exception or an
> access rule?
If you use a proxy to get to the internal site, you will need an access
rule, but not a filter exception. There is no filtering done on the
private interface of BM, so traffic coming to internal proxy and then back
to internal host doesn't need any filter exceptions. But proxy traffic
generally needs an access rule to go anywhere.
You could also configure the browsers not to use proxy for the internal
host, but you would need to do that on a per-browser basis. (Easy ways to
do that include proxy.pac files - tip at my web site - or group policy
with ZEN or MS to push browser exceptions to IE).
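
The proxy.pac approach mentioned in the reply above, sketched as an added example that is not part of the original thread or taken from the tip it refers to. The proxy address and port, the host names and the helper names are constructed placeholders; matching is exact or on a label boundary so that a lookalike name cannot pick up the direct route by accident.

```javascript
// Added example proxy.pac: internal hosts go DIRECT, everything else via the proxy.
// All values below are constructed placeholders, not taken from the thread.
var PROXY = "PROXY 192.168.1.1:8080";             // assumed private address/port of the proxy
var DIRECT_HOSTS = ["www.example.com"];           // site that internal DNS resolves to a local address
var DIRECT_SUFFIXES = [".internal.example.com"];  // internal zone; the leading dot is required

// Lower-case the name and drop trailing dots so "WWW.Example.COM." compares equal.
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  while (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

function isDirectHost(host) {
  var h = normalizeHost(host);
  if (h === "") return false;
  // Assumption: unqualified names (no dot, not an IPv6 literal) only exist internally.
  if (h.indexOf(".") === -1 && h.indexOf(":") === -1) return true;
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    // Exact comparison: "www.example.com.other.test" must not match.
    if (h === DIRECT_HOSTS[i]) return true;
  }
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    var s = DIRECT_SUFFIXES[j];
    // The suffix starts with a dot, so "notinternal.example.com" does not match.
    if (h.length > s.length && h.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Anything not explicitly listed still goes through the proxy and its access rules.
  return isDirectHost(host) ? "DIRECT" : PROXY;
}
```
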