flosoft

asked on

Single static IP and sub domains

Hi,
I have a question on using sub domains with a single static IP address. I know how to use host headers in IIS; however, this does not always seem to work. I am wondering if there is software out there that can parse the host headers prior to the IIS machine, send the request to the appropriate machine behind it, and manage this type of traffic, so I could have www.mydomain.com go to one machine, mail.mydomain.com go to another (say, for a mail server running webmail), ftp.mydomain.com to another, and so on. I have ISA Server 2004 software, but that seems overkill, and I also run WatchGuard Firebox IIs between the internet and my exposed machines. I have extra hardware to place a machine between my Firebox and the exposed machines if this is required.

If there is a way to do this with the Firebox, obviously that would be ideal, but I do not think this is possible... so in a nutshell I want to be able to set up something like:

www.mywebsite.com -> serverA
mail.mywebsite.com -> serverB
ftp.mywebsite.com -> serverC

and so on.

Thanks ahead of time!
sreerao

Hi flosoft,
I am not sure if you have already looked at the DNS options. DNS lets you define hosts and the corresponding IP addresses. But I presume you have already done that. When you say that you want the sub-domains to be routed to different machines, I presume you mean they have to be internally routed?
Well, you can set up your firewall with rules to route the traffic accordingly.
But more clarification on the setup would be really helpful in understanding your problem. I am not sure how you could have a single static IP on 3 different servers?

-Sree
flosoft (ASKER)

Hi,
Thanks for the reply; allow me to clarify. I have a single static IP exposed to the internet, and yes, I want the different subs to go to different servers. The setup is typical: a firewall (Firebox II), then my internal network. I did look at DNS; however, it would seem that I would then have to expose DNS servers (at least 2, it would seem), and I am not sure if that would work anyway. What I have is a single IP exposed to the internet, then my firewall, and then servers behind this. What I want is some way for something to examine what an incoming packet is looking for and route the traffic properly based on either a host header or request.

www.mywebsite.com -> serverA
mail.mywebsite.com -> serverB
ftp.mywebsite.com -> serverC

I will increase the points a bit.

Thanks
You don't need that.  Just create rules on the Firebox: one for FTP (TCP port 21), one for mail (TCP proxied SMTP), and one for HTTP-Proxy (HTTP TCP 80).  When you configure the inbound tab, click Other and then NAT.  Choose the IP address and then, on the next line, type in the address of the internal server that is hosting that service....

Cheers
Hi flosoft,
I presume from your description of the host names that you want them to be serving different functions (correct)? Well, if that is the case, most firewalls have rules to NAT (or pass through) the public IP to your private IP for incoming traffic. Since you have three different servers (services), you still have to make sure that you have your DNS set up (external DNS entries for the domain mywebsite.com). If mail.mywebsite.com is for mail, then you need to add the corresponding MX records in DNS.
I am presuming that this is a publicly accessible service that you want to provide. If yes, then irrespective of what you do internally, you need to set up your DNS records for resolving those hostnames. They can all point to the same public IP that you have.
Now in your firewall, you have to set the rules for the incoming port requests (port 21 --> ftp.mywebsite.com, port 80 route to www, etc.). I have done that on Linksys/Netgear router/firewalls and in Checkpoint too. But I am not knowledgeable about Firebox. I will look at their website for documentation and find out if it is any different from other commercial firewall products, and if I find anything different, I will post the instructions.

-Sree
 
Open the Policy Manager, click on Edit | Add Service.  Add the SMTP Proxy.  Edit the Incoming tab ... From ... NAT the external address to the internal server that provides this service.  Do this for each of the services HTTP-Proxy and FTP.  Then save to the Firebox.  Enter the write passphrase...
flosoft (ASKER)

Hi,
You would be correct in what I am doing, and port forwarding will work in several cases such as FTP, most HTTP, and some other services. The problem arises with things such as webmail, which ideally also runs on port 80, so a request for mail.mysite.com is not able to resolve unless I am hosting the interface for my webmail server on the www machine, which I do not want to do. Forwarding from my www machine also does not work because the firewall only allows port 80 to go to the www machine. The same problem will arise if, say, I want forums.mywebsite.com or cart.mysite.com etc., and these are not on the www machine either.

I do not think my firewall can inspect and send these to the proper places, so I was thinking that maybe there was some routing software that could handle this behind my firewall if I just open port 80 to all servers and let this software do the routing. The problem really resides in port 80 having to go to one machine. I currently have my webmail set up on port 81 and this works; however, mail.mysite.com is better and more professional than mysite.com:81. I really do not want to purchase IPs for each sub domain, and I do not think it is required. If I have to I can throw a couple of DNS servers into the mix, but this seems overkill, and they would only know my internal IPs by name, as I would still only have one external IP, thus still requiring some kind of NAT or translation to have it all work.


I hope this clarifies some.

Upping points to 100
flosoft (ASKER)

To cokeefe77:

Hi, thanks for the comment. I already have this set up, and my webmail runs just fine, as well as the other services. The problem arises from my last statement above: I know I can allow connections on port 80 to more than one machine via the Firebox, but I am unsure how to have the subdomains know where to go. I did note that there is a WINS/DNS tab in the Policy Manager, and I do not know if something there may help or not; perhaps you can speak to that?

Obviously the best solution would reside in the firewall configuration if possible, not requiring more hardware and keeping my current security settings; however, as stated, I can add a machine behind this to handle all port 80 traffic and route it if needed and if there is such software.

Thanks!
Hi,
From what I understand of your comment above, it should be possible to map an external request port to a different port internally, the same way you did for www and ftp. I don't have the Firebox software, but looking at their site documentation, I came across this firewall basics tutorial they posted for one of their products. I am not sure how the interface is for your version of the software, but you can check this link: http://www.watchguard.com/training/lss/46/pages/networ15.htm
I am sure you can NAT your ports too! :)

-Sree
flosoft (ASKER)

That is how I currently have some of the servers configured, but I do not think it will help with subdomains. The reason is my single external IP: it does not examine the requested name, only the IP. What I need is something that can check the name, i.e.:

if an internet user types http://mail.mysite.com they get my webmail interface on my mail server; if they type www.mysite.com they get my www site from my web server.

www.mydomain.com = 192.168.xxx.xx1
mail.mydomain.com = 192.168.xxx.xx2

etc.

I thought this must be a common issue, but apparently this question is less common than I originally thought, or perhaps I am not explaining this very well.
flosoft (ASKER)

Hi again all,
It seems that ISA Server has some functionality to do something like what I am looking for; however, I really would rather not have to use ISA just to do this. I am upping the points to 150 in the hope that someone can find a better, lighter-weight solution. I am open to a possible Linux install between my firewall and servers to do this as well.

Thanks for all your help so far!
Hi,
I am not familiar with Firebox; however, for host header evaluation you would need to use a firewall or IIS in the MS range of products. This limits you to either ISA and/or IIS.
Can you set up an IIS server just to inspect and redirect from there?

External-----------firebox------> IIS host director   -----------> server1/server2/server3

This can be accomplished in IIS, but it may not be the way you want to do this?
flosoft (ASKER)

Hi,
I have tried this and do currently use host headers. I tried setting up a host header, mail.mysite.com, that redirects to another server, and this did not work. I think it would work if I placed a default page with a redirect to mysite.com:PORT, but this is not the solution I would like to use; I am hoping there is a better way.

Thanks
Ah, understood.

Then the only way will be server publishing rules under ISA or a similar firewall product. I am not sure you could use port address translation (PAT); however, you would need to do this when the web site is resolved initially (this would be difficult).
NAT will not work for the reasons above (single public address).

I think your options are limited at this stage to what has already been mentioned.
Hi Flosoft, itlolond,
You folks have aptly addressed the concerns. However, since you are open to a Linux solution, you can look at installing Apache and using their rewrite engine module. When you first posted this question, I was almost tempted to provide you the Apache solution right away, but then I read your post carefully and it mentioned MS. :)
Let me know if you would like to proceed in that manner. Alternately, you can use Apache as your web server instead of IIS and use their rewrite module without going through the pains of installing another intermediate server.
Linux natively has several modules available for IP chaining and port forwarding. Though hostname-based forwarding is not out of the box, it is certainly doable.

-Sree
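What the asker describes at "www.mydomain.com = 192.168.xxx.xx1 / mail.mydomain.com = 192.168.xxx.xx2" and what the Apache suggestion above would provide is a layer-7 proxy that reads the HTTP Host header and picks a backend by name, which a port-forwarding NAT rule cannot do. The following Python script is an added illustration of that mechanism, not code from this thread, from Apache, from WatchGuard, or from ISA Server. The hostnames are the thread's examples; the 192.168.0.x backend addresses are placeholders I constructed. It reads one request head, looks the normalized Host value up in a table, relays the connection to the matching backend, and refuses (HTTP 421) any request whose Host is missing, duplicated, or not in the table, so an unlisted name never falls through to whatever server happens to be first in the list.

```python
"""Minimal Host-header router (added example; hosts and addresses are constructed)."""
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed routing table: names from the thread, placeholder private addresses.
ROUTES: Dict[str, Tuple[str, int]] = {
    "www.mywebsite.com": ("192.168.0.11", 80),
    "mail.mywebsite.com": ("192.168.0.12", 80),
}

HEAD_END = b"\r\n\r\n"
MAX_HEAD = 16 * 1024  # refuse request heads larger than this


def parse_request_head(data: bytes) -> Tuple[bytes, Dict[str, List[str]]]:
    """Split an HTTP/1.x request head into (request line, lower-cased header -> values)."""
    head = data.split(HEAD_END, 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # malformed header line: ignore it rather than guess
        name, value = line.split(b":", 1)
        key = name.strip().decode("latin-1").lower()
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return lines[0], headers


def normalize_host(host: str) -> str:
    """Lower-case the Host value, drop a trailing dot and an optional :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        end = host.find("]")
        return host if end == -1 else host[: end + 1]
    return host.split(":", 1)[0].rstrip(".")


def select_backend(data: bytes, routes: Dict[str, Tuple[str, int]] = ROUTES) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for the request's Host, or None when it must be refused.

    There is deliberately no default backend: an absent, duplicated or unknown
    Host is ambiguous, and the safe answer is to reject rather than to send the
    request to the first server in the table.
    """
    _, headers = parse_request_head(data)
    values = headers.get("host", [])
    if len(values) != 1:
        return None
    return routes.get(normalize_host(values[0]))


def _recv_head(sock: socket.socket) -> bytes:
    """Read from the client until the end of the request head or the size limit."""
    buf = b""
    while HEAD_END not in buf and len(buf) < MAX_HEAD:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket) -> None:
    """Route one client connection by its first request's Host header."""
    head = _recv_head(client)
    backend = select_backend(head)
    if backend is None:
        client.sendall(b"HTTP/1.1 421 Misdirected Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    upstream = socket.create_connection(backend, timeout=10)
    upstream.settimeout(None)
    upstream.sendall(head)  # forward the bytes already read, Host header intact
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    client.close()


def serve(listen: Tuple[str, int] = ("0.0.0.0", 80)) -> None:
    """Accept connections on the single public-facing address and route each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two simplifications to keep in mind: the decision is made once per TCP connection, so with HTTP/1.1 keep-alive every later request on that connection follows the first one's Host, and the script does not terminate TLS, so with HTTPS the Host is inside the encrypted stream and the proxy would have to hold the certificate and decrypt before routing (which is what Apache's mod_proxy or ISA's web publishing do). Binding port 80 needs administrator or root privileges; for a test, pass a high port to serve() and point a hosts-file entry for the names at the proxy machine.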
Hi Flosoft,
Googling for hostname redirections, I found an interesting piece of software. I haven't had a chance to install it, but from the documentation it looks like a pretty good one for your purpose. Check one of the FAQs posted:
http://www.delegate.org/mail-lists/delegate-en/2306
And go through the product features document.

Regards.
-Sree
flosoft (ASKER)

Sree,
Thanks for the replies. I can put a Linux server/firewall in; however, I need IIS because of some .NET applications that I run. A Linux box could sit between my firewall and my network, but I am not good enough with Linux to know what to do. I do know they are popular for firewalls, which is why I am open to it; however, I would have no clue as to where to start.

Thanks
flosoft (ASKER)

Moderator and those who answered,

It appears that ISA Server 2004 can provide this feature via web publishing, and although the suggestions here were good, none actually solved the problem as stated. I have decided to implement ISA Server behind my hardware firewall to add another layer of security and to take advantage of the server/web publishing features in ISA to solve this.

I do really appreciate all your efforts.

Moderators, please either delete this question, or if you feel it was justly answered award the points accordingly.

Again, thanks to all who answered.
Naser Gabaj
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ - Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Naser72
EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
CetusMOD