Solved

Multiple web sites with one router

Posted on 2002-06-18
8
Medium Priority
401 Views
Last Modified: 2012-06-21
I have two machines with private addresses hosting web sites behind one public IP address. One is a company site (IIS4, port 80) and the other experimental (IIS5, port 81) that crashes 3-4 times a day, so I don't want to move either site to the other machine and let IIS read a header. The experimental machine is being run on port 81, and this is a problem as some clients' IT depts won't allow access.

1. Is there a single router that will allow multiple-NAT translation so both machines can run on port 80 through one router? (I.e., will the Cisco 806 do this??)

-or-

2. Would assigning a second public address help (we have 4 according to our ISP)? I know both would not run behind the router/firewall (current problem), only the corporate site. So would that mean Internet-Switch-Router/firewall-server for the corporate and Internet-Switch-Server for the experimental (port 81), skipping the firewall?

3. How quickly do you think hackers will trash the thing if just sitting on a direct address to the internet? It is IIS.

Regards,
Mike
Question by:MDOwens
8 Comments
 
LVL 12

Expert Comment

by:pjknibbs
ID: 7091959
We do run multiple web sites on a single IP address at my office, but we do it on a single IIS server--basically the IIS server looks at the HTTP header to see which site is being accessed to determine which pages to serve. I don't think this would work across two PCs, though, and I've never heard of ANY device which would translate a single IP address into two internal IP addresses--how would it know which machine the packet was intended for, for a start?

I would go for the second external IP address. What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo, out of interest? On our system we have at least four different machines on the internal network which are presented as four different external IP addresses, all handled by the firewall.

As for hackers and IIS--most IIS exploits rely on the standard HTTP port 80 anyway, and since that has to be open to the world for IIS to work it's not likely to get hacked any faster when directly attached PROVIDED you close down all ports other than 80. This would mean not having any Windows shares open on the machine, which might cause you problems with your development.
0
 
LVL 1

Expert Comment

by:reden
ID: 7091968
It is more logical to assign another public IP address to the router and have it translated for the private IP address of the server.
0
 
LVL 1

Expert Comment

by:Zook
ID: 7092144
1.

I never tried it, but as I understand "Squid" Proxy can do this. It uses the URL transmitted by the browser to distinguish transparently.

Keyword "accelerator proxy"

Check out http://www.squid-cache.org/.

Squid is often run on Linux, but they seem to have a Windows version.

2.
Sorry, I don't get the question :-(

3. If you run a Linux Box as a Firewall and as the squid proxy, this might improve your protection quite a bit.

cu
Zook
0
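The Host-header routing that an accelerator (reverse) proxy performs, which is how one public address on port 80 can front two internal machines, shown as an added example that is not code from any poster in this thread. The hostnames and private addresses are constructed for illustration; requests with a missing, duplicated or unknown Host get no backend rather than falling through to either server.

```python
# Added example: Host-header routing as done by a reverse ("accelerator") proxy.
# Hostnames and private addresses below are constructed for illustration.
ROUTES = {
    "www.abc.com": ("192.168.1.10", 80),   # company site (IIS4)
    "lab.abc.com": ("192.168.1.11", 80),   # experimental site (IIS5)
}


def host_from_request(raw: bytes):
    """Return the normalized Host value from a raw HTTP request head, or None
    if the header is missing, duplicated or malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]            # skip the request line
    hosts = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":    # header names are case-insensitive
            hosts.append(value.strip())
    if len(hosts) != 1:                       # missing or ambiguous: refuse
        return None
    host = hosts[0].lower()
    if host.startswith("["):                  # IPv6 literal, not a site name
        return None
    host, _, port = host.partition(":")       # drop an optional :port suffix
    if port and not port.isdigit():
        return None
    return host.rstrip(".") or None           # "www.abc.com." == "www.abc.com"


def pick_backend(raw: bytes):
    """Map a request to its internal server; unknown names get no backend
    (default deny) instead of falling through to one of the sites."""
    host = host_from_request(raw)
    return ROUTES.get(host) if host else None


def build_request(host_lines):
    """Build a constructed sample request with the given Host header lines."""
    return ("GET / HTTP/1.1\r\n" + "".join(h + "\r\n" for h in host_lines)
            + "\r\n").encode("latin-1")


if __name__ == "__main__":
    for sample in (["Host: www.abc.com"], ["HOST: Lab.ABC.com:80"],
                   ["Host: 203.0.113.5"], []):
        print(sample, "->", pick_backend(build_request(sample)))
```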

 
LVL 8

Accepted Solution

by:
scraig84 earned 400 total points
ID: 7092436
First off, many NAT routers will allow translations for multiple external addresses, so your box would not necessarily have to sit outside with a real address.  This just depends on the router doing the translations.

However, if you were to stick with a single address, why not run the server on a different well known port that most IT organizations do allow?  As long as you are not also running those services on the same machine, it should be fine.  For example, most organizations allow ports 21 and 443.  As long as you don't run an FTP server or SSL web site on that machine you could use one of those.  

Also, if you know your way around IIS pretty well, you can set up some "dummy" sites on the current box that simply redirect users to the other port.  This way, people won't have to type anything different in their browser.  For example, if your site is www.abc.com, you could set up a site on your current "live" box and rather than giving it a home directory, you tell it to redirect to http://www.abc.com:21.  This way the user types in a generic URL and gets redirected automatically.  Remember also when you host a site on a different port you often have to include the port in links on your site.

Hope that helps a bit.
0
 

Author Comment

by:MDOwens
ID: 7092669
"pjknibbs - What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo"
-We apparently have a low-end router/firewall that only provides a NAT for one machine. I talked with the company and that is a limitation.

"scraig84 - most organizations allow ports 21 and 443"
-I like the idea of running the site on one of these ports. I'll give this a try this morning. Don't know if I can get a response from our clients immediately or not.

"Zook - If you run a Linux Box as a Firewall and as the squid proxy"
-I've only been able to spend 2 days on a Linux box trying to get Samba to be seen on the network and had no luck. I love the idea of running a Linux box for this purpose, but I have little to no knowledge about it.


With the idea of the router translating multiple public IP addresses, can anyone suggest a particular product or what to look for in a router with this capability?

Regards,
Mike
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7092684
A router typically won't do it.  However, a proxy often will.  Even Microsoft's Proxy 2.0 or ISA server should be able to do this in a reverse proxy scenario.  However, although I know those products well, I am not a big supporter of them.
0
 

LVL 8

Expert Comment

by:scraig84
ID: 7092772
I apologize - I misunderstood your question.  I was thinking that you were referring to a router that could forward based on the host-header name.  Linksys makes some decent low end routers and I believe they allow for multiple external IP addresses.  Also, the Cisco 800 series will definitely do it and is their lowest-end model with that capability.
0
