This is an implementation issue. Although we can't really help you to implement your WebServer or Internet Server Suite, quite a few customers have not realized the complexities of hosting a public website or a public email server behind a NAT'd firewall using port forwarding, Traffic Rerouting, or static NAT.
This is also an implementation problem when people use our NetMAX FireWall Suite to NAT their internal network, and try to host a public webserver or email server behind the NAT on a non-NetMAX web or email server.
The complexities come from the following two competing issues:
- You need web and email clients on the Internet to resolve the FQDN of the web/email server to your firewall's public IP address.
- You need your web/email server and clients on your local network (behind the NAT) to resolve the FQDN of the web/email server to your web/email server's private IP address.
This can usually be done by having two DNS servers: an internal one and an external one. Although there are many ways to accomplish this, we offer you the following ideas:
- If you are using a NetMAX FireWall to do the NAT and Traffic Rerouting, then you already have a second DNS server built into the FireWall. You probably want to allow your ISP to do your external DNS (be the primary name server for the domain name), then you can use the FireWall to do your internal DNS. Your ISP is responsible for resolving the FQDN to your firewall's public IP address for all of the Internet web clients that query them.
Simply add the domain name(s) that you're hosting on the webserver to your NetMAX FireWall and be sure to check the box "Act as the Primary Name Server for this Domain" (even though it's not the primary name server in the real world, it is for the internal network). This is done from Home|Network|Domains. For the primary IP address, you probably want to enter the private IP address of the web/email server, but it depends on what IP address you want the domain name (without a host name preceding it) to resolve to. Also make sure to check the box "Use the InterNIC" from Home|Network|DNS, so that clients using this as their nameserver can resolve other non-local domain names.
Make sure that your web/email server and your internal clients are using the NetMAX FireWall's internal IP address as a domain name server, for resolution.
- If your NetMAX FireWall is the primary name server for your domain name, then you'll need some other internal domain name server, because your NetMAX FireWall is already resolving the FQDN of the website to its own public address for all the Internet web clients that query it.
If you have NetMAX Professional to host your internal web/email server, then you can use the DNS on it to provide your internal DNS.
Otherwise, for an inexpensive solution, you can purchase our NetMAX FireWall Suite product from a computer or bookstore near you. Just install the FireWall's license number on your NetMAX WebServer product to enable DNS on the WebServer machine. Then you can use that as your internal DNS.
In both of these cases, you're actually hosting your internal DNS on the same machine as your web/email server.
Of course, you may already have another domain name server available to you in the form of a Microsoft NT server, Linux server, etc, that you can use for your internal DNS.
Again, as in option 1, ensure that your web/email server and your internal clients are using this internal domain name server for resolution.
- The less "complicated" method is to just add the FQDN to the HOSTS file on your web/email server and on each internal client. For NetMAX WebServer products and most unix machines, this file is called /etc/hosts. For Windows machines, it is generally named \Windows\hosts. Put the private IP address of the web/email server, followed by its FQDN, in this file. Make sure that your resolver is set to use the hosts file before using DNS. This method is not recommended, as it requires more administration, even though it may be faster to configure.
You'll still need someone providing the external DNS for your web/email server, allowing other web/email clients on the Internet to resolve your FQDN to your firewall's public IP address.
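The following check of the two requirements above is an added example, not NetMAX code. The host name, addresses, hosts-file text and view dictionaries are constructed sample data; in practice the answers would be collected by querying the internal and the external name server for the same FQDN.

```python
import ipaddress

# Constructed sample data (assumed names and addresses, not from the original page).
HOSTS_FILE = """\
127.0.0.1      localhost
192.168.1.10   www.example.com www   # private address of the web/email server
"""
INTERNAL_VIEW = {"www.example.com": ["192.168.1.10"]}  # answers from the internal DNS
EXTERNAL_VIEW = {"www.example.com": ["203.0.113.5"]}   # answers from the external DNS
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True only for RFC 1918 private space (is_private would also match test ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_hosts(text):
    """Map each name in hosts-file text to its address; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table

def audit(fqdn, internal_view, external_view, hosts_text=""):
    """Return a list of findings; an empty list means both views are consistent."""
    name = fqdn.lower().rstrip(".")
    inside = internal_view.get(name, [])
    outside = external_view.get(name, [])
    findings = []
    if not inside:
        findings.append("internal view: no answer")
    if not outside:
        findings.append("external view: no answer")
    findings += [f"internal view returns non-private address {ip}" for ip in inside if not is_rfc1918(ip)]
    findings += [f"external view leaks private address {ip}" for ip in outside if is_rfc1918(ip)]
    pinned = parse_hosts(hosts_text).get(name)
    if pinned and pinned not in inside:          # hosts entry drifted from internal DNS
        findings.append(f"hosts file pins {pinned}, internal DNS answers {inside}")
    return findings

if __name__ == "__main__":
    print(audit("www.example.com", INTERNAL_VIEW, EXTERNAL_VIEW, HOSTS_FILE))
```

The hosts-file comparison catches the extra administration the third option brings: an entry left behind after the server's private address changes overrides DNS on that machine.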
Note: If you have only one external IP address, and are doing Traffic Rerouting, then you can only forward to one internal IP address, which means that you have to do virtual hosting on your internal webserver to support hosting more than one domain name. If you want to do Traffic Rerouting to more than one internal IP address, then you need more than one external IP address on your NetMAX FireWall product (or whatever is doing your NAT).
Although Traffic Rerouting uses domain names to specify addresses, it is really IP based. If you have only one external IP, you can only route traffic to one internal IP, no matter how many domain names you set up.