APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

It doesn't work that way

I'm really surprised by how many times I get calls with something similar to the following:

Company A has an internal website for employee access only. They also have a branch office, not connected by a VPN, where employees need to access that same internal website. A firewall rule gives the branch office access and all is well, until...

Another internal webserver is set up and this has a link on the first website to allow employees to get to whatever resources are offered there. Of course this works for local employees, but does not work for those at the branch office.

Now most of you are shrugging your shoulders and saying "Yeah, so?" and you are right. But more times than I can remember I have had people who should know better (who probably *do* know better) insist "But it *should* work!"

If by chance you are one of those people, not only should it not work, there are actually multiple reasons why it doesn't, and there are multiple ways that you could make it work. Let's look at why it doesn't work first.

First question: where is the web page you are looking at right now? If you answered "At aplawrence.com on some server somewhere", you get a "Bzzt! Wrong!" The web page is on your machine. It's been pulled down from my server, yes, but right now it's in your machine's RAM and (usually) cached on its hard drive. Exactly how it looks is up to your machine, not mine: my server suggests how I'd like it to look, but your browser decides what I meant. The page is yours now, not mine.

So if it is yours, and there is a link in it that points to some internal 192.168.6 address, what is that link actually pointing at? Is there some magic in HTTP that says "Oh, I was talking to *this* IP, so if some link says some other IP, I should go ask that first IP how to get there.. I should go *through* that first IP?"

Of course there isn't. The only links a browser ever resolves against the page they came from are relative ones: links with no scheme and no host, whether they start with a slash or not. Those it turns into absolute URLs using the first server's scheme, host and port, which is exactly why they keep working from the branch office. (A link that starts with two slashes still names a host of its own and goes straight there.) An absolute link that names a 192.168.6 address is taken literally: that address is where your machine is going to try to connect, from the branch office's own network, not by way of the first server. So that's the first reason it isn't going to reach that other machine: the request starts from your machine, not mine.

The second reason is TCP/IP itself. 192.168.x.x addresses (along with 10.x.x.x and 172.16.x.x through 172.31.x.x) are the private address blocks set aside by RFC 1918. They are not routed on the public Internet: your own routers will forward them, but ISP and backbone routers have no route for them and drop the packets, so from the branch office there is simply no path to 192.168.6.anything. That's the second reason why you can't get there from here.
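To make the two reasons above concrete, here is a small added example (mine, not part of the original article) that resolves each link on a page the way a browser does and reports where the request would actually go. The page URL, the hostnames and the 192.168.6.x addresses are constructed for the illustration; nothing is fetched, so it runs offline.

```python
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

# Constructed example: the page the branch-office browser fetched and some
# hrefs found in it.  Hosts and addresses are hypothetical.
PAGE_URL = "http://intranet.example.com/index.html"
LINKS = [
    "reports.html",                      # relative: no scheme, no leading slash
    "/hr/benefits.html",                 # relative: starts with a slash
    "//192.168.6.20/timesheets/",        # two slashes: names its own host
    "http://192.168.6.20/timesheets/",   # absolute: a private address
    "http://www.example.com/public/",    # absolute: a public host
]


def resolve(page_url, href):
    """Return the absolute URL the browser will request for href.

    This is the same rule a browser applies (RFC 3986 section 5): a relative
    reference is completed from the page's own scheme, host and port; an
    absolute one, or a //host one, is used as written.
    """
    return urljoin(page_url, href)


def is_private_host(url):
    """True when the URL's host is an IP literal that Internet routers will
    not carry (RFC 1918 space and the other non-global ranges).

    Hostnames are deliberately not looked up: a name can map to anything,
    so DNS is left to the caller and the function answers False for names.
    """
    host = urlsplit(url).hostname
    try:
        return not ip_address(host).is_global
    except ValueError:          # not an IP literal (a hostname, or no host at all)
        return False


def where_it_goes(page_url, href):
    """Classify a link from the branch office's point of view."""
    target = resolve(page_url, href)
    page_host = urlsplit(page_url).hostname
    if urlsplit(target).hostname == page_host:
        verdict = "first server"            # the firewall rule already covers this
    elif is_private_host(target):
        verdict = "other host, private address: no route from outside"
    else:
        verdict = "other host"              # public; reachable only if its firewall allows it
    return target, verdict


if __name__ == "__main__":
    for href in LINKS:
        target, verdict = where_it_goes(PAGE_URL, href)
        print(f"{href:34} -> {target:48} {verdict}")
```

The two slash-only links resolve back to intranet.example.com, which is why they work from the branch; the two that name 192.168.6.20 resolve to that address whether or not they started with "http://", and the branch office's router has nowhere to send a packet for it.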

Ok, so how do you solve this? One way is to have the firewall translate a second public IP, or a different port on the public IP you already have, to that other internal machine. That's called "port forwarding", "virtual IP", "DNAT" or sometimes other terminology (you'll find it under "Gaming" on some routers). The link on the first page then has to use that public address and port, because the 192.168.6 address still means nothing outside your network. And the new rule deserves the same restriction the first one had: allow only the branch office's public address, or you have just opened that server to the whole Internet. Another way is a site-to-site VPN between the offices, after which the branch has a route to 192.168.6 like any other internal network and the links work unchanged. Still another is to bring the other server's page to the first server, that is, have the first server fetch it and serve it under a path of its own (a reverse proxy), with the link on the first page rewritten to that path so the browser never sees the private address at all.
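The third option only works if the links change along with the page, and that is the part people forget. Here is an added example (mine, not from the article) of the link rewriting such a proxy has to do: it assumes, hypothetically, that the first server already forwards /apps/timesheets to 192.168.6.20 and /apps/wiki to 192.168.6.21, and it rewrites href, src and action attributes that point at those private hosts into paths on the first server. The proxy forwarding itself is not shown; the HTML and addresses are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed example: private hosts that only the head office can reach,
# mapped to the path prefix under which the first server proxies each one.
# The addresses and prefixes are hypothetical.
PROXY_MAP = {
    "192.168.6.20": "/apps/timesheets",
    "192.168.6.21": "/apps/wiki",
}

# Attribute values that carry URLs.  A regex is enough for this demonstration;
# a production proxy would use an HTML-aware rewriter.
URL_ATTR_RE = re.compile(r'(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_url(url):
    """Map a URL that names a proxied private host onto the first server.

    Absolute (http://host/...) and scheme-relative (//host/...) forms are both
    handled, a port on the host is ignored, and the query string and fragment
    are preserved.  Anything that does not name a proxied host, including
    relative links that already point at the first server, is returned as-is.
    """
    parts = urlsplit(url)
    prefix = PROXY_MAP.get(parts.hostname)
    if prefix is None:
        return url
    path = prefix + (parts.path or "/")
    # Empty scheme and host make this a path on the server that sent the page.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def rewrite_html(html):
    """Rewrite every URL-carrying attribute in a fetched page."""
    def repl(match):
        attr, quote, url = match.groups()
        return f"{attr}={quote}{rewrite_url(url)}{quote}"
    return URL_ATTR_RE.sub(repl, html)


# Constructed sample page as the second server might return it.
SAMPLE = (
    '<a href="http://192.168.6.20/entry?week=12">Timesheets</a>\n'
    '<a href="/hr/benefits.html">Benefits</a>\n'
    '<img src="//192.168.6.21/logo.png">'
)

if __name__ == "__main__":
    print(rewrite_html(SAMPLE))
```

After rewriting, the branch office browser asks the first server for /apps/timesheets/entry?week=12, which the firewall rule already permits, and the first server does the hop to 192.168.6.20 from inside the network. Redirects (Location headers), cookie domains and URLs assembled in JavaScript need the same treatment, which is what tools such as Apache's mod_proxy_html and nginx's sub_filter exist for.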

But all three are very different from the mental picture some folks start with.

Got something to add? Send me email.


© Anthony Lawrence
