  #1 (permalink)  
Old 05-27-2009, 02:41 PM
Active Member
 
Posts: 31
Default Problem with an internal Zimbra server

Hi everybody!
I have the following configuration: one openSUSE 11 box (as a firewall/router/web server) and, on an internal LAN, an Ubuntu 8.04 Zimbra mail server.
From outside I can access the web site and Zimbra (with a link on my main page: https://www.mysite.com)
From the internal LAN I can access the web site but not Zimbra, unless I write: https://192.168.1.x
I want to give my users the same link, no matter if they are coming to Zimbra from outside or inside the LAN.
I have set up a split DNS with BIND 9 using different views (internal/external), but the problem remains.
Any suggestions?
Reply With Quote
  #2 (permalink)  
Old 05-27-2009, 09:55 PM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Quote:
Originally Posted by masterguido View Post
From the internal LAN I can access the web site but not Zimbra, unless I write: https://192.168.1.x
If you can't access your server by its correct URL then your split DNS is not set up correctly. Search the forums for some information on what commands you need to run to diagnose the problem and post the results here.
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 05-27-2009, 10:59 PM
Moderator
 
Posts: 7,929
Default

Also check /var/log/messages to ensure that you do not have an error in your internal BIND view.
__________________
Reply With Quote
  #4 (permalink)  
Old 05-28-2009, 08:15 AM
y@w y@w is offline
Moderator
 
Posts: 658
Default

Are you using http://www.site.com to access the website and https://www.site.com to access the Zimbra system from the outside? That's what it sounds like to me.. Does the firewall forward https traffic from the outside to your Zimbra system? If that's the case you'll need to replicate that routing setup for your internal users as well or simply just change their URL to https://mail.site.com from everywhere.
__________________
What a n00b!
Reply With Quote
  #5 (permalink)  
Old 05-28-2009, 11:48 AM
Active Member
 
Posts: 31
Default That's right

Quote:
Originally Posted by y@w View Post
Are you using http://www.site.com to access the website and https://www.site.com to access the Zimbra system from the outside? That's what it sounds like to me.. Does the firewall forward https traffic from the outside to your Zimbra system? If that's the case you'll need to replicate that routing setup for your internal users as well or simply just change their URL to https://mail.site.com from everywhere.
y@w, it is just the case. The firewall forwards https traffic from outside to the Zimbra box.
I can't access https://mail.site.com from inside.
My firewall has:
Quote:
# Redirect incoming traffic on port 443 to the mail server
$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination 192.168.1.7:443
$IPT -A FORWARD -i $WAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
How can I replicate this to the internal LAN?
I've tried:
Quote:
# Redirect incoming traffic on port 443 to the mail server
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 443 -j DNAT --to-destination 192.168.1.7:443
$IPT -A FORWARD -i $LAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
but this didn't work. What can I do?
Thanks a lot for your help
Reply With Quote
  #6 (permalink)  
Old 05-28-2009, 12:05 PM
y@w y@w is offline
Moderator
 
Posts: 658
Default

Hmm.. Yeah I wasn't sure if that would work or not. I actually don't know iptables very well but it looks like that should work, logically.

Just thinking out loud here.. You could set up an Apache (or whatever web server you're using) proxy and just have it listen only on your internal LAN (or both if you want to take out the DNAT rule for that matter).
__________________
What a n00b!
Reply With Quote
  #7 (permalink)  
Old 05-28-2009, 12:12 PM
y@w y@w is offline
Moderator
 
Posts: 658
Default

Also, just to be sure we're on the same page.. This is what I'm assuming is happening:

From the outside:
http://www.site.com -> web server on external IP
https://www.site.com -> hits DNAT rule on external IP -> Zimbra server on internal network


From inside:
http://www.site.com -> web server on internal IP of web server
https://www.site.com -> https on internal IP of web server (which presumably isn't listening)


I just want to make sure since you did mention mail.site.com in your previous post.
__________________
What a n00b!
Reply With Quote
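Added example, not written by any poster in this thread: a common reason a LAN-side DNAT rule like the one tried in post #5 fails is that Zimbra sits on the same subnet as the client and answers it directly, so the reply never passes back through the firewall's NAT and the client discards it. The dry-run sketch below scopes the DNAT to the address LAN clients resolve and adds source NAT. The interface name eth1, the subnet 192.168.1.0/24 and the address 192.168.1.1 are assumptions; only 192.168.1.7 comes from the thread.

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) for LAN clients, printed as a dry run.
# Added example; values marked "assumed" are not from the thread.
IPT="echo iptables"        # dry run: prints each rule; use IPT=iptables as root to apply
LAN="eth1"                 # assumed LAN interface name
LAN_NET="192.168.1.0/24"   # assumed LAN subnet
SITE_IP="192.168.1.1"      # assumed address www.site.com resolves to for LAN clients
ZIMBRA="192.168.1.7"       # Zimbra server address from the thread

hairpin_rules() {
    # 1. Rewrite only HTTPS aimed at the site address. Without -d, the rule
    #    matches every HTTPS connection leaving the LAN, not just this one.
    $IPT -t nat -A PREROUTING -i "$LAN" -d "$SITE_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$ZIMBRA:443"

    # 2. Source-NAT the redirected connection so Zimbra replies to the firewall,
    #    which can then undo both translations before the client sees the reply.
    $IPT -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$ZIMBRA" \
        -p tcp --dport 443 -j MASQUERADE

    # 3. Permit the LAN-to-LAN forward. As with the WAN rule in the thread, this
    #    assumes an ESTABLISHED,RELATED accept rule exists elsewhere in the script.
    $IPT -A FORWARD -i "$LAN" -o "$LAN" -d "$ZIMBRA" -p tcp --dport 443 \
        -m state --state NEW -j ACCEPT
}

hairpin_rules
```

With the MASQUERADE rule in place, Zimbra logs the firewall's address as the client for every internal connection, which affects audit trails and any per-IP lockout. Pointing the internal DNS view for the mail hostname straight at 192.168.1.7 avoids the NAT entirely.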
  #8 (permalink)  
Old 05-28-2009, 07:06 PM
Active Member
 
Posts: 31
Default

Quote:
Originally Posted by y@w View Post
Also, just to be sure we're on the same page.. This is what I'm assuming is happening:
From the outside:
http://www.site.com -> web server on external IP
https://www.site.com -> hits DNAT rule on external IP -> Zimbra server on internal network
From inside:
http://www.site.com -> web server on internal IP of web server
https://www.site.com -> https on internal IP of web server (which presumably isn't listening)
I just want to make sure since you did mention mail.site.com in your previous post.
You are right:
I have mail.site.com. If I write http://mail.site.com it takes me to my web site, but if I write https://mail.site.com it goes down to the Zimbra server.

Last edited by masterguido; 05-29-2009 at 10:42 AM..
Reply With Quote
  #9 (permalink)  
Old 06-01-2009, 05:57 AM
Active Member
 
Posts: 31
Default

Does anybody have any idea/suggestion?
Reply With Quote
  #10 (permalink)  
Old 06-01-2009, 06:19 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Quote:
Originally Posted by masterguido View Post
Does anybody have any idea/suggestion?
You've provided no diagnostic information for anyone to help you, and I've already answered this question, but I'll state it again: if you can't reach your server by its URL then your split DNS (and possibly your hosts file) is not set up correctly. Search the forums on what information you need to provide for this problem.
__________________
Regards


Bill
Reply With Quote