Solved

2 Websites on an IIS behind a Linux Firewall and a router

Posted on 2000-02-21
5
266 Views
Last Modified: 2010-03-18
I've an Internet Information Server 4.0 which is connected to a linux firewall, using the proxy squid and the rinetd package. This Firewll is connected to a Cisco router.
The problem is, that i have to use the IIS as a server for two webpages.
The adresses of this two webpages are route to the same ip-Adress. To the Adress of the firewall, which guides them to the IIS.
How can I divide the connections of these  two adresse either on the firewall or on the IIS 4.0?

Thanks to all.

0
Comment
Question by:WhiteFalcon022100
5 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 2546029
My guess is that at least one web page will require a non-standard port number. Then you need to run IPCHAINS on the linux firewall to forward the packets.

see:
http://members.home.net/ipmasq/ipmasq-HOWTO-1.81-6.html#Forwarders
0
 
LVL 3

Accepted Solution

by:
monas earned 100 total points
ID: 2547377
I suppose you don't have to use non standard ports.

First, let me ask 2 questions:

1) is squid used to transfer request from firewall to IIS?

2) how much (1 or 2) computers with IIS you are going to run/ are running/ willing to run?

The simplest case ("A") is when answer to second question is 1. In this case you have to configure IIS to support virtual servers (sorry, I never did that on IIS). They will listen on the same port and and depending on what document user will ask (http://first.your.com/xxx or http://second.your.com/yyy) - will act like connection would come to different web servers. This could be done 'cos all modern web browsers DO SEND name of the host from where they wish to get a document.

In this case you should achieve that computers behid firewall be able to access documents two different pages from this server - and you are done. No changes on firewall will be needed.

The more difficult situation is if answer to second questions is 2. You have 2 options:
- ask your ISP for second address on internet card of your firewall (case "B");
- run HTTP protocol aware proxy on firewall (case "C")

For case "B" you use "alias" feature and assign second address to the same network card which is connected to your cisco. And then using ipchains you could configure that if connection is made to the main address - you forward it to first server running IIS, if to aliased - forward to the second IIS server.

For case "C" - if you have to live with just one IP address - you don't have to configure forwarding of incoming web requests at IP (read ipchains) level. Instead all this trafic should be accepted by proxy. This proxy will look into requests, find the which server is needed, contact it, get information, and returns to the requestor.

For this case I doubt rinetd is suffitient. If you run squid just as proxy for internal computers you may consider giving it more work. Using ACL's you can configure it to allow internal clients to use it for accessing all the documents in the world,and clients comming from "internet" - just your firewalled IIS servers.

You may need to make little trique - if your firewall is allso used as DNS server, serving web addreses of those IIS servers, then you will need to include internal(firewalled) addresses to /etc/hosts table. This way any outsider's browser will get that it should contact your firewall to get info from your ISSs, but squid will know internal addresses where information is really stored.

And final notice. In case you will plan to use SSL sometime in the future - be warned that only case "B" (besides non-standard ports) will work - even domain name in such transactions are encrypted and nobody could find to what host request are comming...

Good Look!
0
 
LVL 15

Expert Comment

by:samri
ID: 2550462
WhiteFalcon,
   monas option (and explanations) surely looks good to me.  Quite complex though.
   
   Another option that you might want to consider is to work on the squid.  Perhaps you can do some rule rewriting on the squid, and let squid do the fetching for web pages from either the two internal web servers.  I would recommend this since on squid, you can actually work on the URL string that the user passed in and rewrite the header and passed it to the internal web server.  The worst part is, I can't give you a detail step-by-step on how you could do this.  I've came across this idea from http://squid.nlanr.net.  Give them a visit.

   The other option is to make use of rinetd. (I would like to apologize if monas already touch this -- reading thru his/her explanation give me a woo woo).  You need to set up your IIS to run on a different port number for each virtual domain you want to serve.  Assuming that you have:
     www.domaina.com listen on port 80  ( I'm not sure IIS can do this or not)
     www.domainb.com listen on port 81  ( )

and your internal ip is aa.bb.cc.dd which points to the box where domaina and domainb pages are hosted.


and on the firewall , alias you network interface to have two IP, look at you rinetd.conf

first-ip-address 80 aa.bb.cc.dd 80  <-- for domain www.domaina.com
second-ip-address 80 aa.bb.cc.dd 81 <-- for domain www.domainb.com


Hope this helps

samri
0
 

Author Comment

by:WhiteFalcon022100
ID: 2557005
There is one problem. I do not know whether the Cisco Router routes the Host header names to the firewall or not.
Can somebody tell me how I can find this out??
0
 
LVL 3

Expert Comment

by:monas
ID: 2557283
WhiteFalcon,

      I sure routes. Cisco works at TCP/IP level, and "host header" is at HTTP level, which is above TCP/IP. And therefore it could route all or nothing... Unless it works as a firewall also and has web proxy built in...
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now