Solved

Can Symantec Enterprise Firewall route external domain names to an internal IP address?

Posted on 2004-07-30
Last Modified: 2013-11-16
Hi all,

I am trying to set up a Symantec Enterprise Server 8 on Windows 2003.  What we have are 10 different public domain names such as:

srv0.velaro.com
srv1.velaro.com
...
srv9.velaro.com

To conserve external IP address usage, we are required to have all the above domain names share the same IP address of 162.33.130.135
Internally, I have each one of those domains mapped to a different internal server that has its own IP address.  What I need to know is if SEF can be configured to route external traffic based on an HTTP header domain name to a specific internal IP address?

Thanks!

Also, this may get over my head very quickly, so if anyone knows of someone who is qualified to set up SEF, I'd LOVE to talk to them about paying for a few hours of their time for some remote admin.

Thanks again.

Jasen
Question by:jasenfici
6 Comments
 
LVL 4

Expert Comment

by:batmon34
ID: 11683026
I don't think external IP addresses are that expensive...  Since you can afford 10 servers, you should be able to pay for 9 additional public IPs.  Most ISPs give them out free of charge.  They are not that expensive...

If you really wanna save $$, you should put all 10 sites on 1 server.  :-)
0
 

Author Comment

by:jasenfici
ID: 11683557
It's just not that easy.  ISPs are only given a specific number of addresses, and are gun-shy about giving them out, even though it is possible.
I'd love to put them all on 1 server, but the servers run a pretty process-intensive application that each get about a million hits a day, so it's been built to be load balanced across 10.
I don't have or need 10 yet, I only have a few, but I am keeping them on 10 different internal IP addresses so that growth for me requires the simple addition of an internal machine and the reallocation of some internal IP addresses, not the wholesale change of our firewall, routers, and public DNS settings.

Jasen
0
 
LVL 4

Expert Comment

by:batmon34
ID: 11684555
I don't think there is anything to do with your FW.  Basically you need a server in front of your 10 servers, and able to point to the right servers at back for you.  Depends on what you use.  For example, if they are web servers, then you can create a virtual directory for each server.

frontend server: www.velaro.com, and has virtual directory for each of your server

www.velaro.com/srv0 directory ==> srv0.velaro.com server
www.velaro.com/srv1 directory ==> srv1.velaro.com server
www.velaro.com/srv2 directory ==> srv2.velaro.com server
etc...

so your public IP will give to www.velaro.com

Or, if they are Exchange servers, then you simply add a Frontend Exchange server then it will talk to all the backend Exchange servers.

If you worry about the load of that frontend server, then you can load balance it by adding more frontend servers.  Load balance means you will have a virtual server name and a virtual IP address, and all users will get to the frontend server through that virtual IP or virtual name.  Direct access to one server won't do the load balance for you.
0
 

Author Comment

by:jasenfici
ID: 11684716
thanks, I appreciate your comment, however, it is simply not the case.  The nature of the application does not provide well for load balancing, so each server must have its own public domain name.  They all need to cycle in through the firewall, then be distributed to their proper internal server based on that domain name.

take care,
Jasen
0
 
LVL 4

Accepted Solution

by:
batmon34 earned 125 total points
ID: 11691727
If that's what your app required, I still think it is the easiest to get more public IP addresses from your ISP.  If they can't, then tell them you have to switch to some other ISP...  then they will give you the IPs.  Or, you can get more IPs yourself and ask them to route them to your circuit for you.

If you still wanna use just one public IP, try pointing all FQDNs to the same IP address.  Then, have a simple scripting page on the front end server that will see what FQDN name that user entered to get to your frontend server, then route to the correct internal server at the back.  However, if your app server is picky about all these little things, I think you will run into more problems by going with this path.
0
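The front-end routing decision described in the accepted answer, as an added example that is not part of the original thread: it maps the `Host` header to an internal server through a fixed allowlist and rejects anything malformed, duplicated or unlisted. The hostnames come from the question; the internal addresses and the function names are hypothetical placeholders.

```python
import re

# Hostnames are from the question; the internal addresses are constructed
# placeholders (assumption), one per published name.
BACKENDS = {f"srv{i}.velaro.com": f"10.0.0.{10 + i}" for i in range(10)}

# A DNS name with an optional trailing dot and optional :port.
# Userinfo ("@"), bracketed IP literals and embedded whitespace do not match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"({_LABEL}(?:\.{_LABEL})*)\.?(?::(\d{{1,5}}))?")


def normalize_host(value):
    """Return the lowercase hostname from a Host header value, or None."""
    value = value.strip().lower()
    if len(value) > 255:
        return None
    m = _HOST_RE.fullmatch(value)
    if not m:
        return None
    port = m.group(2)
    if port is not None and not 0 < int(port) <= 65535:
        return None
    return m.group(1)


def select_backend(headers):
    """Map request headers [(name, value), ...] to (status, backend_ip).

    400: missing, duplicated or malformed Host header.
    404: well-formed name that is not one of the published sites.
    200: forward the request to the returned internal address.
    """
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return 400, None
    name = normalize_host(hosts[0])
    if name is None:
        return 400, None
    backend = BACKENDS.get(name)
    if backend is None:
        # Never forward to a client-supplied name; only allowlisted sites.
        return 404, None
    return 200, backend
```

Because the backend address always comes from the table and never from the header itself, an unexpected `Host` value cannot steer the front end toward an arbitrary internal machine.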
 

Author Comment

by:jasenfici
ID: 11700012
Thanks for all your help batmon34.  I really do appreciate it, and of course that would be easier, it just wasn't possible.  We have decided that SEF is just too complicated, and that while it is probably a more robust system, we have decided to go with Microsoft ISA Server 2004 instead.  It took me 2 hours to do what I had struggled with under SEF for 2 weeks with no solution in sight.

Thanks again!

take care,
Jasen
0
