ORIGINAL: ejhardin Are you using AD? Are you using the same AD domain address as your website?

No, not the same, though: My domain-users are in a domain like domain.intern and of course reveive Mails as domain.com. The Webserver is something like domain.com. Could this make a problem ?

On you internal DNS servers make a new zone for the web server’s public domain. So if your internal domain is example.local and your website is www.example.com then create a zone called example.com and create a “A” recorded “www” and point it to your web servers private IP (like 172.32.100.80). So your internal network is a private IP of 192.168.100.x and the DMZ is 172.32.x.x. Create a firewall rule from internal to the DMZ for service HTTP. When an internal user requests the web page your DNS server will tell the firewall that it needs to go to the DMZ, 172.32.100.80. This is an internal split DNS.

The DNS-Things is quite clear to me. But it still doesnt explain why a policy with AD-Authentification does not allow the traffic to get through whereas the sam policy without authentification works. ther must be something in there ?

Explain a little more... What is the policy and where is it failing?

Its quite simple (I am testing the AD-Authentification at the moment) Scenario without Authentification: Policy internal-Wan all any accept with nat I can surf to the outside world and can reach my internal server Scenario with authentification Same policy, but with my usergroup. I can reach the outside world but not the internal server Policy is the last one, no other policies before are suitable so that policy is triggered.

Internal server meaning the web server?