I need to allow multiple web servers on the NET using port 80 how do I do this??

Hi All-
I have just increased our small business from 1 IP to a bank of 5.  I want to put 3 servers on the web all using port 80.
We have our domain.   We currently use 1 IP given to support our mail server like www.maildomain.net.  We want www.IMdomain.net and www.webappsdomain.net.  We use a linksys WRTG45 router to NAT port 80 inbound to utilize webmail.  The router also is the DHCP server.  We have an internal DNS and WINS server on a Windows 2003 server.  Can anyone give me suggestions as to the cheapest yet most security oriented way to do this.  Also, being a jack of all but master of none can you explain in some detail how to do this whether it be multiple routers, proxy it somehow or use a DNS configuration of some sort or whatever??  
I'm guessing a configuration something like this.

Internet
    |
ISP (External facing IP's)
    |
Cable modem
    |
Linsys Router
    |
192.168.1.x (Internal IP's)
192.168.1.x Mail server
192.168.1.x WebApps server
192.168.1.x IMServer
192.168.1.x DNS/WINS
    |
Clients  
Thx
Tom
tdoughboyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ghostiviCommented:
By the looks of it, you will probably be changing settings on the router more then anything else.
If you want to allow 3 more IPS to connect, you must allow them to see the internet RIGHT?
Your router, does it have a DMZ window configuration? This will be your option first of all to ENABLE, and I am guessing it is already, but you must change the number of IPS allowed to connec to the internet to suite your needs...If its 3, set it at 3.

After that, you will need to open ports to the specified IPs...in the port triggering or port redirection window...you will need to enter the IPs manually in the board and allow to access on the port you want it to access. ei: 192.x.x.x ---telnet.exe---port: 21.

I hope this gets you started, lets see what other have to say!
erikdrCommented:
Agree with the multiple-IP solution.

However even with one IP you can also work as soon as you put a reverse proxy (e.g. MS ISA Server) upfront of the webservers. All external DNS names resolve to the proxy, but depending on the URL it 'forwards' (proxies) the requests to the correct internal webserver - all using port 80 of course.

Dunno which road is more easy for you, network (IP) change or adding this extra component which also has its operating/failover troubles...

HTH,

<Erik> - The Netherlands
Irwin SantosComputer Integration SpecialistCommented:
IIS which runs on your W2k3 machine can be configured to host multiple websites on a single machine via 1 ip.

You need to configure your DNS (DNS manager).

make sure you have a reverse zone to include your EXTERNAL & INTERNAL IP addresses

make zone entries for example

imdomain.net (create A record, CNAME record with a www alias)
webappsdomain.net (create A record, CNAME record with a www alias)
...etc...

make sure in the above you create at PTR record and have a reverse entry for your IP address
update your server datafiles

Create folders to house your websites such as
c:\inetpub\imdomain
c:\inetpub\webappsdomain

In IIS (Internet Information Server), create new websites
www.imdomain.net, make sure you select "header - all unassigned IP addresses", the files will be located in c:\inetpub\imdomain

www.webappsdomain.net, make sure you select "header - all unassigned IP addresses", the files will be located in c:\inetpub\webappsdomain

...etc...

Now one thing to consider is to house your website's folder/files on separate folder and better yet, another drive.  Instead of using C:\inetpub\wwwroot.

For example.. I run W2K3 too, and I have 3 drives... The first drive is ONLY for OS, the 2nd drive is for backup, and the 3rd drive is for my client files... so my websites exist as such...

e:\inetpub\clients\website1
e:\inetpub\clients\website2
e:\inetpub\clients\website3
e:\inetpub\clients\website4

As for security, there are many variables and you need to determine what you're going to run to effectively select an appropriate lock down solution, this should be a 1000pt question


OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

giltjrCommented:
You should be able to do what you want with a single IP address.  In IIS lookup hostheaders and virtual hosting.  If the users are using a browers that have HTTP 1.1 enabled, the brower will pass the host name that is in the URL to the Web Server.  The Web Server can then display a unique and different web page/site based on the host name.  In IIS they use the term host headers, in Apache the use the term Virtual Hosting.

I do not know about IIS, but in Apache you can have a default catch all virtual host for browsers that do not use HTTP 1.1.    Some browers (IE) can be configured NOT to use HTTP 1.1 (they will use 1.0), or not use use HTTP 1.1 when going though a proxy.  Some proxy servers (older ones) do not support proxying HTTP 1.1 request and will change HTTP 1.1 to HTTP 1.0.   MS IAS (or is is ISA I get them confused) started partial HTTP 1.1 support with the 2004 version.
Les MooreSr. Systems EngineerCommented:
>I have just increased our small business from 1 IP to a bank of 5.  
Am I correct that this means you now have 5 Public IP addresses? If yes, then you need a router/firewall that is capable of assigning more than one public IP to inside hosts. Most SOHO (Linksys, dlink, Netgear, etc) routers will only work with one single public IP address and can only forward one single instance of any one port to an inside host. Your WRT54G router does not have the capabilities to utilize more than the one public IP it is assigned to the WAN interface.

You can upgrade the Linksys to a more business-grade product like a Cisco PIX 501, and you can still use the Wireless features of the Linksys as a pure Access Point (disable DHCP and don't plug anything into the WAN port and just plug one of the LAN ports into your network)

For less money, the Linksys RV0x series routers will allow you to setup multiple 1-1 NAT static mappings. 1 public IP to 1 private IP.. this will let you use 1 for the interface and for all the internal users going out, and 1 for each of the publicly accessible servers.


tdoughboyAuthor Commented:
Folks-
I appreciate the quick responses being I posted this at zero dark:30 EST this morning after scouring the NET trying to educate myself on how to do this.  

>Your router, does it have a DMZ window configuration? This will be your option first of all to ENABLE, and I am >guessing it is already, but you must change the number of IPS allowed to connec to the internet to suite your >needs...If its 3, set it at 3.
The router does have a DMZ setting but only allows for one IP address.  Or is this normal? Again I'm a newbie at this.

>After that, you will need to open ports to the specified IPs...in the port triggering or port redirection window...you >will need to enter the IPs manually in the board and allow to access on the port you want it to access. ei: >192.x.x.x ---telnet.exe---port: 21.

I have already opened port 80 for the one server and forward to it.  I'm not sure how to do port 80 for the other two and don't want to x.x.x.x:81 or x.x.x.x:8080 as some companies only allow port 80 for browsing.

Now a piece of information I left out in my tired state was these are not IIS servers these are Domino servers (which host their own HTTP service).  Many apologies for that as I know there was a lot of thought put into the response by those who made comments regarding the IIS server.  

In reading several more postings using a PROXY sounds like it may work but from comments above it sounds like it would work if you can get it configured correctly.  If I did attempt this route the PROXY would go after the router but before the HTTP servers correct?

Then has been alot of posts I've read about PIX firewalls.  Is that software or hardware and do we need to just bite the bullet and have our company buy something more robust like a PIX firewall.  Only problem... will there be a huge learning curve.  Again, Many Thanks for your help with this.

Tom
giltjrCommented:
Domino support virtual hosting also, at least recent versions do.  I beleive they call it virtual hosts.
Les MooreSr. Systems EngineerCommented:
>Then has been alot of posts I've read about PIX firewalls.  Is that software or hardware and do we need to just bite the bullet and have our company buy something more robust like a PIX firewall.  Only problem... will there be a huge learning curve.

A PIX FW would certainly be a good option. It is hardware.
http://www.cisco.com/go/pix
 Or as I posted above, the Linksys RV0x series will provide what you want at a very low cost and very short learning curve.

The PIX does have a decent web-based (Java) interface GUI, but there is still a learning curve. It is such a robust product that can do many things, but is not all that easy to configure. However, there is great support right here on EE to get you going step by step..

Irwin SantosComputer Integration SpecialistCommented:
Uh....you mentioned Windows 2003 Server.. which has IIS (Internet Information Server 6).. This is a "service" that is available on your system, and pretty much the preferred method of dishing out HTTP requests.

Does your W2K3 server still apply?.. If so, use the II6 built-in.
tdoughboyAuthor Commented:
IrMoore,
>Am I correct that this means you now have 5 Public IP addresses? If yes, then you need a router/firewall that is >capable of assigning more than one public IP to inside hosts.
Answer is "Yes" I now have 5 public IP's.  I'd like to do a 1-to-1 mapping public to private IP's for all 3 servers.

>Most SOHO (Linksys, dlink, Netgear, etc) routers will
>only work with one single public IP address and can only forward one single instance of any one port to an inside >host. Your WRT54G router does not have the capabilities to utilize more than the one public IP it is assigned to >the WAN interface.

>For less money, the Linksys RV0x series routers will allow you to setup multiple 1-1 NAT static mappings. 1 public >IP to 1 private IP.. this will let you use 1 for the interface and for all the internal users going out, and 1 for each >of the publicly accessible servers.

Will either of the RV042, RV016, or RV082 allow for a 1-to-1 public to private IP NAT?  We are by no means a huge company but I'd like to be economical with our money and allow for modest growth of internet use and traffic in the coming year.

Thx
Tom

Irwin SantosComputer Integration SpecialistCommented:
I use a Cisco BR900 which handles 5 ips.... i current have 1 FTP server directly connected, 1 web/mail server, and 1 linksysBEFSR41.  Each utilize 1 IP address.  Any firewalling will be dependant upon the devices attached.  The router/cablemodem came with our service.  Perhaps you may want to check with your provider if they provide box too.  Our service is Oceanic Time Warner here in Hawaii.
Les MooreSr. Systems EngineerCommented:
Yes, any of the RV0x series will allow you to do 1-1 NAT
Check out the user guide .pdf, page 27 one-to-one NAT

http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1115416833192&pagename=Linksys%2FCommon%2FVisitorWrapper

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tdoughboyAuthor Commented:
lrmoore ,
Looks like I'll be buying the RV042 model.  After reading it's capabilities it seems like it'll do what we need for it to do.  Now on using the WRTG54 as a WAP.  I just put nothing in the "Internet Connection portion"  and leave the rest excpet DHCP I'll need to configure this on my new Router then point all my servers and clients (if necessaey) to the NEW router.   Does this sound correct?
Thx
Tom
Les MooreSr. Systems EngineerCommented:
Yes, it sounds like you understand correctly.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.