https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160592#M28331 <P>Do you use WPAD / PAC file for your proxy configuration and are local domains excluded ?</P> Thu, 27 Oct 2022 15:31:03 GMT Chris_Atkinson 2022-10-27T15:31:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160570#M28326 <P>Hello,</P><P>we have the following problem, regarding HTTP-/HTTPS-Proxy on our CheckPoint ClusterXL R81.10:</P><P>The cluster is configured as a non-transparent http/https-proxy on one cluster-vip-ip port 8080.&nbsp;We even host some websites on internal webservers, that are available via a external NAT on the cluster-xl, redirecting to internal webservers / reverse proxies:</P><P>External Client -----&gt; www -----&gt; public Cluster-IP -----&gt; NAT to Webserver -----&gt; Webserver</P><P>&nbsp;</P><P>Now when our internal clients want to view a webpage, that is hosted on our internal servers, the page is not available.</P><P>So the process is:</P><P>1. Client resolves the dns-name of the webpage to the public ip.</P><P>2. Client opens a proxy-session with the checkpoint-cluster</P><P>At this point we want to have a NAT-Rule that redirects traffic, originally sent to our public Cluster-IP (original Dst) to our internal Webserver (translated Dst).</P><P>The standard NAT-Rule doesn´t work:</P><P>Internal Clients -----&gt; public Cluster-IP:https -----&gt; Original Src. -----&gt; Internal Webserver</P><P>Is there a trick, so we can redirect http-/https-proxy-traffic to an internal server?</P><P>Thanks and best regards</P> Thu, 27 Oct 2022 11:28:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160570#M28326 Andre91 2022-10-27T11:28:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160592#M28331 <P>Do you use WPAD / PAC file for your proxy configuration and are local domains excluded ?</P> Thu, 27 Oct 2022 15:31:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160592#M28331 Chris_Atkinson 2022-10-27T15:31:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160683#M28369 <P>I am assuming both the internal clients and your webserver are accessible through the same physical interface.<BR />That means you basically need a hairpin NAT rule, something similar to what I described here:&nbsp;<A href="https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-How/m-p/8465/thread-id/13081#M13082" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-How/m-p/8465/thread-id/13081#M13082</A>&nbsp;<BR /><BR /></P> Fri, 28 Oct 2022 14:52:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/160683#M28369 PhoneBoy 2022-10-28T14:52:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/163336#M29149 <P>Thanks for the tips, we excluded our domain-names in our PAC file. That works so far</P> Mon, 28 Nov 2022 11:34:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Natting-Proxy-Traffic-to-internal-IP/m-p/163336#M29149 Andre91 2022-11-28T11:34:27Z