You are unable to access any site on the internal webserver from workstations located within the network when using the HTTP proxy.
In your web browser, an error will appear such as:
Host not found.
Access from external locations through DNAT of the external address works correctly.
Known to apply to the following Sophos product(s) and version(s)
Sophos UTM Software Appliance
ASG 7, ASG 8
DNS resolution of the webserver's name returns the external interface address (given by the external DNS).
When the HTTP proxy is enabled, this results in a loop, because the ASG is trying to access its own external address.
What To Do
HTTP proxy enabled
By setting a static DNS entry in the ASG, all references to the internal webserver will point to the correct internal address rather than the public address.
ASG changes required:
- Go to Network > DNS > Static Entry
This entry must be created for each internal website that is not working through the ASG proxy, so that the DNS name resolves to the internal IP address instead of the external interface address.
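To confirm the static entry took effect, the following check classifies what the webserver's name resolves to. It is an added example, not Sophos code; the function names, the hostname `www.example.com` and the addresses are constructed assumptions, and it should be run against the same DNS resolver the ASG uses.

```python
import ipaddress
import socket


def system_resolver(hostname):
    """Resolve with the OS resolver and return the distinct IP strings."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_internal_resolution(hostname, internal_net, external_addr,
                              resolver=system_resolver):
    """Classify what `hostname` resolves to.

    Returns (verdict, addresses) where verdict is one of:
      "unresolved" - the resolver returned no answer
      "loop"       - an answer is the ASG external address (the loop case)
      "ok"         - every answer lies inside the internal network
      "other"      - resolves, but to neither of the above
    """
    net = ipaddress.ip_network(internal_net)
    ext = ipaddress.ip_address(external_addr)
    try:
        answers = [ipaddress.ip_address(a) for a in resolver(hostname)]
    except (socket.gaierror, ValueError):
        return "unresolved", []
    found = [str(a) for a in answers]
    if not answers:
        return "unresolved", found
    if ext in answers:
        return "loop", found
    if all(a in net for a in answers):
        return "ok", found
    return "other", found


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    INTERNAL_NET, EXTERNAL_ADDR = "192.168.10.0/24", "203.0.113.10"
    before = lambda h: ["203.0.113.10"]   # answer from the external DNS
    after = lambda h: ["192.168.10.20"]   # answer once the static entry exists
    for label, res in (("before", before), ("after", after)):
        print(label, check_internal_resolution(
            "www.example.com", INTERNAL_NET, EXTERNAL_ADDR, resolver=res))
```

Omit the `resolver` argument to query the system resolver for a real hostname.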
No HTTP proxy enabled
If no HTTP proxy is in use, a Full NAT rule is needed so that internal client PCs requesting the public FQDN are directed to the internal server.
- Go to Network Security > NAT > DNAT/SNAT
- Create a new NAT rule of:
Name: Webserver Full NAT for internal redirect
Traffic Source: Internal(network)
Traffic Service: HTTP
Traffic Destination: External(Address)
NAT mode: Full NAT
Destination: Internal Server address
Destination Service: Leave blank
Source: ASG Internal(address)
Source Service: Leave blank
Automatic packet filter rule: Check