Single statis IP and Sub domains

Hi,
I have a question on using sub domains with a single static ip address. I know how to use host headers in IIS, however this does not always seem to work. I am wondering if there is software out there that can parse the host headers prior to the IIS machine and send it to the appropriate machine behind it and manage this type of traffic so I could have it send www.mydomain.com go to 1 machine and mail.mydomain.com go to another say for a mail server running webmail and ftp.mydomain.com and so on and so on. I have ISA server 2004 software but that seems over kill and I also run watchguard firebox II's between the internet and my exposed machines, I have extra hardware to place a machine between my firebox and exposed machines if this is required.

If there is a way to do this with the firebox obviously that would be ideal, but I do not think this is possible... so in a nut shell I want to be able to set up something like:

www.mywebsite.com -> serverA
mail.mywebsite.com -> serverB
ftp.mywebsite.com ->serverC

and so on.

Thanks ahead of time!
flosoftAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sreeraoCommented:
Hi flosoft,
I am not sure if you have already looked at the DNS options!? DNS lets you define hosts and the corresponding IP addresses!. But I presume you ahve already done that. When you say you that you want the sub-domains to be routed to different machines, I presume you mean they have to be internally routed?
Well, you can setup your firewall for the rules to route the traffic accordingly.
But more clarification on the setup would be really helpful in understanding your problem. I am not sure how you could have a single static IP on 3 different servers?

-Sree
flosoftAuthor Commented:
Hi,
Thanks for the reply, allow me to clarify. I have a single static IP exposed to the internet, yes I want the different subs to go to different servers. Setup is typical with a firewall (Firebox II) then my internal network. I did look at DNS however it would seem that I would have to then expose dns servers (at least 2 it would seem) and I am not sure if that would work anyways. What I have is a single IP exposed to the internet and then my firewall and then servers behind this, what I want to do is have someway for something to examine what an incoming packet is looking for and route the traffic properly based on either a host header or request.

www.mywebsite.com -> serverA
mail.mywebsite.com -> serverB
ftp.mywebsite.com ->serverC

I will increase the points a bit.

Thanks
cokeefe77Commented:
You don't need that.  Just create rules on the Firebox.  One for FTP (TCP port 21), One for mail (TCP Proxied SMTP), and one for HTTP-Proxy (HTTP TCP 80).  When you configure the inbound tab, click other and then NAT.  Choose the IP address and then on the next line, type in the address of the internal server that is hosting that service....

Cheers
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

sreeraoCommented:
Hi flosoft,
I presume from your description of the host names, you want them to be serving different functions (correct)? Well, if that is the case, most firewalls have the rules to NAT (or pass through) the public IP to your private IP for incomming traffic. Since you have three different servers (services) you still have to make sure that you have your DNS setup (external DNS entries for domain mywebsite.com). If mail.mywebsite.com is for mailing then you need to add the corresponding MX records in DNS.
I am presuming that this is a publicly accessible service that you want to provide! If yes, then irrespective of what you do internally, you need to setup your DNS records for resolving those hostnames. They can all point to the same Public IP that you have.
Now in your firewall, you have to set the rules for the incoming port requests (port 21 --> ftp.mywebsite.com, port 80 route to www etc.). I have done that on linksys/netgear router/firewalls and in checkpoint too. But I am not knowledgeable about Firebox. I will look at their website for documentation and find out if it is any different than other commerical firewall products and if i find anything different, i will post the instructions.

-Sree
 
cokeefe77Commented:
Open the policy manager, click on Edit | Add Service.  Add the SMTP Proxy.  Edit the Incoming Tab ...From...NAT The external address to internal server that services this service.  Do this for each of the services HTTP-Proxy and FTP.  Then save to firebox.  Enter the write passphrase...
flosoftAuthor Commented:
HI,
You would be correct in what I am doing and port forwarding will work in several cases such as ftp, most http and some other services, the problem arises with things such as webmail which ideally also runs on port 80 so a request for mail.mysite.com is not able to resolve unless I am hosting the interface for my webmail server on the www machine which I do not want to do, forwarding from my www machine also does not work because the firewall only allows port 80 to go to the www machine, the same problem will arise if say I want forums.mywebsite.com or cart.mysite.com etc and these are not on the www machine either.

I do not think my firewall can inspect and send these to the proper places so I was thinking that maybe there was some routing software that could handle this behind my firewall if I just open port 80 to all servers and let this software do the routing. The problem really resides in the port 80 having to go to 1 machine. I currently have my webmail setup on port 81 and this works, however mail.mysite.com is better and more professional than mysite.com:81. I really do not want to purchase IP's for each sub domain and I do not think it is required. If I have to I can throw a couple DNS servers in the mix, but this seems over kill and they would know my internal IP's to name as I would still only have 1 external IP thus still requireing somekind of NAT or translation to have it all work.


I hope this clarifies some.

Upping points to 100
flosoftAuthor Commented:
To cokeefe77 :

Hi Thanks for the comment, I already have this setup and my webmail runs just fine as well as the other services, the problem arises from my last statement above, I know I can allow connection on port 80 to more than 1 machine via the firebox, but am unsure how to have the subdomains know where to go. I did note that there is a WINS/DNS tab in the policy manager and I do not know if something here may help or not perhaps you can speak to that?

Obviously the best solution would reside in the firewall configration if possible not requiring more hardware and keeping my current security settings, however as stated I can add a machine behind this to handle all port 80 traffic and route it if needed and there is such software.

Thanks!
sreeraoCommented:
Hi,
From what I understand of your comment above, it should be possible to map external request port to a different port internally, the same way you did for www and ftp. I don't have the firebox software, but looking at their site documentation, I came across this firewall basics tutorial they posted for one of their products. I am not sure how the interface is for your version of the software but you can check this link: http://www.watchguard.com/training/lss/46/pages/networ15.htm
I am sure you can NAT your ports too! :)

-Sree
flosoftAuthor Commented:
That is how I currently have some of the servers configured, but I do not think it will help with subdomains. The reason is my single external IP, it does not examine reuqest name, only IP what I need is something that can check the name ie:

if an internet user types http://mail.mysite.com they get my webmail interface on my mail server, if the type www.mysite.com they get my www site from my web server.

www.mydomain.com= 192.168.xxx.xx1
mail.mydomain.com = 192.168.xxx.xx2

etc.

I thought this must be a common issue but apparently this question is less common than I origionally thought or perhaps I am not explaining this very well.
flosoftAuthor Commented:
Hi again all,
It seems that ISA server has some functionality to do something like what I am looking for, however I really would rather not have to use ISA just to do this. I am upping the points to 150 in a hope that someone can find a better lighter weight solution. I am open to a possible linux install between my firewall and servers to do this as well.

Thanks for all your help so far!
itolondCommented:
Hi
I am ano familair with firebox, however for host header evaluation you would need to use a firewall or IIS in the MS range of products- this limits you to either isa and or IIS
can you setup and iis server just to inspect and redirect from there?

External-----------firebox------> IIS host director   -----------> server1/server2/server3

this can be accomplished in IIS - but is may not be the way you want to do this?
flosoftAuthor Commented:
HI,
I have tried this and do currently use host headers, I tried setting up a host header:  mail.mysite.com that redirects to another server and this did not work, I think it would work if I placed a default page with a redirect to mysite.com:PORT but this is not the solution I would like to use, I am hoping there is a better way.

Thanks
itolondCommented:
Ah understood

then the only way will be server publishing rules under ISA or similar firewall product. I am not sure you could use port address translation (PAT) however you would need to do this when the web site is resolved initally (this would be differcult)
NAT will not work for reasons above (single public address)

I think your options are limited at this stage to what ahs already been mentioned
sreeraoCommented:
Hi Flosoft, itlolond,
You folks have aplty addressed the concerns. However, since you are open for Linux solution, you can look at installing Apache and use their rewrite engine module. When you first posted this question, I was almost tempted to provide you the Apache solution right away, but then read your post carefully and it mentioned MS. :)
Let me know if you would like to proceed it in that manner. Alternately, you can use Apache as your webserver instead of IIS and use their rewrite module without going through the pains of installing another intermediate server.
Linux natively has several modules available for IPCHAINing and Port forwarding. Though hostname based forwarding is not out of the box, but it is certainly do-able.

-Sree
sreeraoCommented:
Hi Flosoft,
Googling for hostname redirections, I found an interesting software. I haven't had a chance to install it, but from the documentation it looks like a pretty good one for your purpose. check one of the FAQs posted.
http://www.delegate.org/mail-lists/delegate-en/2306
And go through the product features document.

Regards.
-Sree
flosoftAuthor Commented:
Sree,
thanks for the replies. I can put a linux server / firewall in, however I need IIS because of some .net applications that I run, a linux box could sit between my firewall and my network, I am not so good with linux to know what to do, I do know they are popular for firewalls which is why I am open to it, however I would have no clue as to where to start.

Thanks
flosoftAuthor Commented:
Moderator and those who answered.

It appears that ISA Server 2004 can provide this feature via web publishing and although the suggestions here were good, none actually solved the problem as stated. I have decided to implement ISA server behind my hardware firewall to add another layer of security and to take advantage of this server / web publishing features in ISA to solve this.

I do really appreciate all your efforts.

Moderators, please either delete this question, or if you feel it was justly answered award the points accordingly.

again thanks to all who answered.
Naser GabajE&P Senior Software SpecialistCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ - Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Naser72
EE Cleanup Volunteer
CetusMODCommented:
PAQed with points refunded (150)

CetusMOD
Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.