To fully protect your network, you want to minimize what is exposed to the public. A web server with a public IP address that is not behind a firewall is much more susceptible to attack, because an attacker can look not only for vulnerabilities in your site or HTTP server, but at every other open port as well (on a Windows server, for example, the SMB ports). If that web server is also a Windows Domain Controller, it has even more possible "attack points".
This document will show you how to send specific ports from the public interface of SecureSchool to a server with a private IP address, and still make sure your internal/local users can access it.
SecureSchool, LibraryDoor, ISBossBox, and any server process (Microsoft IIS, Microsoft Exchange, Novell GroupWise, a video camera server, etc).
Before doing anything, you need to put the server in question behind SecureSchool, with an IP address ONLY on your private network. It must also have its default gateway set to SecureSchool; if it is on a different subnet, whatever device the server uses as its default gateway must in turn have its default gateway set to SecureSchool. For example, if the server's default gateway is a layer 3 switch, that layer 3 switch must have its default gateway set to SecureSchool. Also, verify that you can connect to the server by IP address from your internal network. (We'll explain later why trying it with the IP address and not the hostname is important.)
Once your server is set up correctly and working, you need to add the port forward in SecureSchool. This is done in two parts: setting up any additional IP addresses for the outside interface, then setting up the port forward.
Adding an outside IP address
Since the server you're moving behind SecureSchool probably has at least one DNS name registered for it, you want to keep using that public IP address. To add it to SecureSchool, go to "Setup" -> "Outside IP Addresses" -> "Add"
- For the "IP Address", enter the public IP address the server used to have
- For the "Netmask", enter "255.255.255.255" if this IP address is in a subnet that is already set up on SecureSchool.
- Once you click add, you'll have a screen listing all the outside IP addresses
Adding a port forward
Now that the IP address has been added, you can set up the port forward. Go to "Firewall" -> "Port Forwarding" -> "Add Forwarded Port".
- For the "Name", name it something that makes sense to you
- For the "Inside IP Address", enter the private IP address of the server
- For the "Inside IP Address Port", enter the port that your server is listening on for the service you want to forward (for example, port 80 for web traffic, 443 for secure web traffic, 25 for SMTP, etc)
- For "Outside IP Address", select the IP address that you just added
- For "Protocol", select the appropriate protocol. (Most traffic is TCP)
- When the form is complete, click on "Submit"
You'll then see a list of your port forwards, including your new one:
Adding a host entry
Next, we need to get the traffic to go to the right place. Because traffic from the inside cannot go out through the NAT and come back in, we need to tell DNS that whenever someone asks for the public name of the server, it should return the private IP address instead of the public one. Go to "Setup" -> "Hosts" -> "Add".
- For the "IP Address", enter the private IP address of the server.
- For the "Host Name", enter the public hostname that is getting sent to the server (for example, www.mydomain.com, the name in http://www.mydomain.com/).
- Click on "Add".
Once the host entry is added, you'll have a display like this:
Now, anytime the appliance needs to go to that hostname, it will use the IP address you specified instead of looking it up on the Internet.
Now that everything is done, click on "Commit Changes" and restart whatever is needed.
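As an added check (an example script, not part of the SecureSchool documentation), the following Python, run from a workstation on the private network after the commit, confirms that the Hosts entry is in effect: the public name must resolve to the server's private IP rather than the old public one, and the forwarded port must accept a TCP connection at that private IP. The hostname, addresses and port below are constructed placeholders.

```python
import socket

# Constructed sample values for this page's scenario (assumptions, not from the page).
PUBLIC_NAME = "www.mydomain.com"   # the public hostname entered in the Hosts entry
PUBLIC_IP = "203.0.113.10"         # stands in for the public IP the server used to have
PRIVATE_IP = "192.168.10.25"       # the private IP the server now has behind SecureSchool
FORWARDED_PORT = 443               # the "Inside IP Address Port" of the forward


def resolve_all(hostname):
    """Return the set of IPv4 addresses the local resolver hands back for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(answers, private_ip, public_ip):
    """Explain what a resolver answer means for a client on the private network.

    'split-dns-ok' : the Hosts entry is in effect; clients get the private IP.
    'hairpin'      : clients still get the public IP, so their traffic would have
                     to go out the NAT and back in, which the appliance does not do.
    'no-answer'    : the name does not resolve at all.
    'unexpected'   : some other address (stale record or a typo in the Hosts entry).
    """
    if not answers:
        return "no-answer"
    if answers == {private_ip}:
        return "split-dns-ok"
    if public_ip in answers:
        return "hairpin"
    return "unexpected"


def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes, i.e. the forwarded service answers."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_inside(hostname=PUBLIC_NAME, private_ip=PRIVATE_IP,
                 public_ip=PUBLIC_IP, port=FORWARDED_PORT):
    """Resolve the public name as an inside client would, then probe the service by IP."""
    verdict = classify(resolve_all(hostname), private_ip, public_ip)
    reachable = verdict == "split-dns-ok" and tcp_reachable(private_ip, port)
    return verdict, reachable


if __name__ == "__main__":
    verdict, reachable = check_inside()
    print(f"{PUBLIC_NAME}: {verdict}; port {FORWARDED_PORT} reachable: {reachable}")
```

A "hairpin" verdict means inside clients are still getting the public address, so the Hosts entry has not taken effect yet (or a client is using a DNS server other than the appliance).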