jmpawson asked:
Windows 2003 / IIS6 / Dual NIC configuration

I have a small LAN with several HP Proliant servers all running Windows 2003.  One server runs Exchange (including OWA and RPC over HTTP), another runs IIS with the company's Intranet on it.

The firewall points port 443 at the Exchange server for Web Outlook and 'RPC over HTTP proxy' for remote Outlook users.
The firewall also points port 8443 at the IIS server for secure web access to the company Intranet.
Port 80 is closed.

The IIS server has two network cards configured as a team using 'HP Networking', with a single IP address.

I now want to run a public 'Extranet' site on this server to allow access to share some of the files / database resources on the IIS box.  I did the following:

Added a third NIC to the IIS server and configured it with a separate subnet from the main LAN
Added a second firewall with a separate public IP address, pointing ports 80 and 443 to the new NIC
Registered a new domain, and pointed the DNS for www.newdomain.net at the new public IP address
Created a new website in IIS listening on the new internal IP address, using a host header value of the new domain name, and installed a new SSL certificate on port 443.

It doesn't work!  When I set up the new NIC I get the following warning: "Multiple default gateways are intended to provide redundancy to a single network (such as an Intranet or the Internet).  They will not function properly when the gateways are on two separate disjoint networks (such as one on the intranet and one on the Internet).  Do you want to save this configuration?", to which I say yes.

I am guessing my lack of TCP/IP wherewithal has let me down here - please help!?  Thanks in advance.

Chris Staunton:

You probably don't need a default gateway set on the secondary NIC.  Remove it and make sure that people outside can get to your web server.  When using two different subnets on a single Windows box it will run into these types of configuration errors.


Cheers,

Chris
jmpawson (asker):

It doesn't seem to work with or without a default gateway setting.
Hi jmpawson,

You need to configure the third NIC (really the 2nd cuz of the teaming) with a different subnet address not common to the existing LAN.  This can just be a different private IP range.  Like this: if your LAN is currently 192.168.1.0 with the firewall gateway as 192.168.1.1, configure the second network, being sure that it is a completely separate physical cabling setup, as 192.168.2.0 and the gateway (your new firewall) as 192.168.2.1.

You can't have two default gateways on the same subnet and make your server use different ones for different traffic types.  It's just gonna use the first one it has configured for everything if all the addresses are on the same subnet.


Good Luck!
Travis
The LAN subnet is 192.168.254.0 / 255.255.255.0
The new subnet for the external access is 192.168.252.0 / 255.255.255.0

Should be OK?
Kevin Cross:
That should be OK.  

LAN NIC(s) should have default gateway of your LAN router.
External NIC should have no default gateway.

Just ensure that you have NAT configured correctly to point the public IP address of newdomain.net to the second NIC's internal IP address.

On the IIS server, you will probably need to add a persistent route using route add cmd:

ROUTE [-p] [command [destination]
                  [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

    -p        When used with the ADD command, makes a route persistent across
               boots of the system. By default, routes are not preserved
               when the system is restarted. Ignored for all other commands,
               which always affect the appropriate persistent routes. This
               option is not supported in Windows 95.
 
command      One of these:
                 PRINT     Prints  a route
                 ADD       Adds    a route
                 DELETE    Deletes a route
                 CHANGE    Modifies an existing route
  destination  Specifies the host.
  MASK         Specifies that the next parameter is the 'netmask' value.
  netmask      Specifies a subnet mask value for this route entry.
               If not specified, it defaults to 255.255.255.255.
  gateway      Specifies gateway.
  interface    the interface number for the specified route.
  METRIC       specifies the metric, ie. cost for the destination.

Have to ensure that the web server knows to route traffic back to public IP address / external access LAN through the external access NIC.
ASKER CERTIFIED SOLUTION
gurutc
I meant don't set one for the 254 subnet, duh. - Travis
Thanks - this is the current routing data (which is slightly beyond my understanding)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 0f 20 2d ec 12 ...... HP Network Team #1 - Packet Scheduler Miniport
0x20002 ...00 10 18 10 4a ba ...... HP NC7771 Gigabit Server Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.253    192.168.254.4     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.168.252.0    255.255.255.0   192.168.252.10   192.168.252.10     20
   192.168.252.10  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.252.255  255.255.255.255   192.168.252.10   192.168.252.10     20
    192.168.254.0    255.255.255.0    192.168.254.4    192.168.254.4     10
    192.168.254.4  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.254.14  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.254.255  255.255.255.255    192.168.254.4    192.168.254.4     10
        224.0.0.0        240.0.0.0   192.168.252.10   192.168.252.10     20
        224.0.0.0        240.0.0.0    192.168.254.4    192.168.254.4     10
  255.255.255.255  255.255.255.255   192.168.252.10   192.168.252.10      1
  255.255.255.255  255.255.255.255    192.168.254.4    192.168.254.4      1
Default Gateway:   192.168.254.253
===========================================================================
Persistent Routes:
  None

Does that provide anything helpful?
What is the gateway of the 252 subnet?  Set that on the 252 adapter as the default gateway, remove the default gateway on the 254 subnet adapter.  <-FIX

- Travis
Travis - thank you that does fix it.  However it stops the existing secure access to the Intranet via port 8443.

Is there any way both can work?
You can make that work if you configure the 252 adapter to be the ip for the 8443 access to the internal site instead of the 254 adapter.  So port 80 on the 252 adapter handles the public web traffic and 8443 on the 252 adapter handles the secure access to the private site.

-Travis
This will mean pointing the external users to a different external IP, that of the 252 router, for their 8443 based access.

- T
The server belongs to your main network which is where the bulk of your traffic is.  The correct solution was to leave the main LAN with default gateway and use route table on secondary NIC, so that when traffic comes in from Internet on second gateway, the server responds through the appropriate network since both networks can get to Internet.

An alternative is to use NAT'ing on firewall instead of port forwarding.  You can have one firewall NAT two different public IP addresses into network.  One pointing to LAN team main IP address and then you can simply bind another IP address to LAN NIC that you point to for extranet site.  Setup IIS website as you did and should work great.
Or, what mwvisa1 said!  KISS rule in action.

- Travis
But the way you have it is more secure in keeping separate subnets for all public traffic.

- Travis
If you do not have any other public traffic on other router, then I would agree with Travis.  Hope you find a solution that works best for your needs...Good Luck.  

The previous link should be helpful; it is from Microsoft on setting up Multihomed NIC adapters.
Thanks for the link, mwvisa1!

- Travis
If I go back to leaving the LAN with its original subnet, and using the routing table - what route do I need to add?

Sorry mwvisa1, I seem to have left you without any points - which seems rude of me...
I would give them back if I could!!!!  - Travis
Static route to the public IP address on secondary firewall for newdomain.net.  Since it is being NAT'd by firewall, all traffic on extranet site appear to come from same IP address, so you just have to tell server which NIC to send back that traffic to.

Just remembered too that you need to ensure that your bind order is correct.  The primary NIC should be first.  The second NIC should then be configured with DNS but WINS service/NetBIOS should be disabled/not configured.
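Kevin Cross's two points above (the server must send replies for the extranet site back out the second NIC, and a persistent host route is how you tell it to) can be replayed against the route table jmpawson posted. The following is an added example, not code from the thread: it loads the unicast rows of that "route print" output, applies the Windows forwarding rule (longest matching prefix, then lowest metric), and shows the egress NIC for a reply before and after a host route. The second firewall's LAN address (192.168.252.1) and the public address the extranet traffic is NAT'd to (198.51.100.20) are not given in the thread and are assumed here.

```python
# Replays the forwarding decision from the posted "route print" output (added example).
import ipaddress

# Unicast rows copied from the question's route table:
# (destination, netmask, gateway, interface, metric).
ROUTE_TABLE = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.254.253", "192.168.254.4",  10),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",       "127.0.0.1",       1),
    ("192.168.252.0",   "255.255.255.0",   "192.168.252.10",  "192.168.252.10", 20),
    ("192.168.252.10",  "255.255.255.255", "127.0.0.1",       "127.0.0.1",      20),
    ("192.168.252.255", "255.255.255.255", "192.168.252.10",  "192.168.252.10", 20),
    ("192.168.254.0",   "255.255.255.0",   "192.168.254.4",   "192.168.254.4",  10),
    ("192.168.254.4",   "255.255.255.255", "127.0.0.1",       "127.0.0.1",      10),
    ("192.168.254.14",  "255.255.255.255", "127.0.0.1",       "127.0.0.1",      10),
    ("192.168.254.255", "255.255.255.255", "192.168.254.4",   "192.168.254.4",  10),
]

# Assumed values, not stated in the thread: the second firewall's address on the
# 252 subnet and the public address that extranet traffic appears to come from.
EXTRANET_GATEWAY = "192.168.252.1"
EXTRANET_PUBLIC_IP = "198.51.100.20"


def lookup(routes, destination):
    """Return (gateway, interface) the host would use to reach destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, mask, gateway, interface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst in network:
            # Longer prefix wins; among equal prefixes the lower metric wins.
            rank = (network.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gateway, interface)
    return None if best is None else (best[1], best[2])


def with_host_route(routes, host, gateway, interface, metric=1):
    """Same effect as: route -p add <host> mask 255.255.255.255 <gateway> metric <metric>."""
    return routes + [(host, "255.255.255.255", gateway, interface, metric)]


if __name__ == "__main__":
    # A reply to the NAT'd extranet address follows the default route out the LAN team,
    # so the second firewall never sees it; the host route pins it to the 252 NIC.
    print("before:", lookup(ROUTE_TABLE, EXTRANET_PUBLIC_IP))
    fixed = with_host_route(ROUTE_TABLE, EXTRANET_PUBLIC_IP, EXTRANET_GATEWAY, "192.168.252.10")
    print("after: ", lookup(fixed, EXTRANET_PUBLIC_IP))
```

The same check works for any client address: anything that only matches 0.0.0.0/0 leaves through 192.168.254.4, which is why removing the 254 default gateway (Travis's fix) broke the 8443 Intranet access that depends on it.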
You could actually do this all without route tables.  Just set each website up on the same server IP address and use the host-header name to choose which site is accessed.  So if Mr. Public enters www.yourpublicsite.com in his browser, the firewall forwards this port 80 request to your server, which says he wants the public site on the same IP as my private one because his host header says so, and the web server sends him public site content.  If Mr. Employee enters www.yourprivatesite.com in his LAN-based browser, your web server sees the private site name in the header and sends private content to Mr. Employee.

Travis
Then, you could restrict access to your private site to only your LAN subnet, specifically excluding access from the router's IP address.

- Travis
Thank you - I think that's a better solution, because it means I can switch back to using the standard SSL port 443, making simpler links etc.

Have another 500 points, oh I can't :)
We are just not satisfied around here until we find every single dadgum possible solution!  mwvisa1 had some good points and I'd still split if I could.

- Travis