I'm attempting to work with the SonicOS API in a project to try and automate the renewal and deployment of SSL certificates from Let's Encrypt. However, I'm unable to establish a connection to the API endpoint from behind the firewall, no matter how I try to get there:
- By LAN (X0) IP address - The connection rejects the HTTPS connection because the installed SSL certificate is for a public subdomain address (
fw.example.com
). Of course, I usually access the firewall's management interface through a browser and can interactively tell the browser to "ignore the error"/"accept the risk" and continue. However, my application is intended to run without user intervention, so that won't be happening.
- By DNS name (
https://fw.example.com
) - According to the exception thrown by my application, the firewall "actively refuses" the connection. I tried using a browser to get to the DNS name from here and I get the same thing: "Connection Refused".
- By public (X1) IP address - This is basically just so I can say that I tried it, but at least I get a different error from this connection. This one says that the connection timed out (instead of was refused) but, since the SSL certificate is issued for the DNS name, I would guess that this would ultimately result in basically the same thing as trying via the LAN IP address.
After reading the accepted answer to Sonicwall HTTPS management from LAN using WAN IP, I went in and added the following access rule and NAT policy (since the OP seems to be in a similar situation, if not for the same reasons).:
Now, at least, I'm no longer getting the "Connection Refused" error when I try to access the management interface by DNS name from here, but now I'm getting a "Connection Timed Out". I can access it from outside of our network (tested with my mobile device), so I know that it's not just outright refusing connections on that interface. I'm sure it's just a matter of "tweaking" these rules/configuration settings, but I'm not sure what I might be overlooking here. Could someone help me find what I'm missing to get these rules set up correctly?
EDIT
I already found one "issue" with the configuration as I posted in the above screenshot: I accidentally had the service set to HTTP Management instead of HTTPS Management. I corrected that in the NAT Policy Settings, but I'm still not able to get there. I'm back to getting the "Connection Refused" error when I try to get there by the DNS name in my browser.
- Original Source: Firewalled Subnets
- Translated Source: Original
- Original Destination: X1 IP
- Translated Destination: All X1 Management IP
- Original Service: HTTPS Management
- Translated Service: Original
- Inbound Interface: X1
- Outbound Interface: Any