Solved

SBS 2003 DNS SUBDOMAIN SSL MULTIPLE IP ROUTING PROBLEM

Posted on 2006-06-09
Last Modified: 2012-06-27
I am using SBS 2003 and I created a subdomain sd.domain.com that is an SSL website, all on the same server.  Since you can only have one SSL per IP, I created a second IP address (192.168.1.9; the server is 192.168.1.10) on the same NIC.  Externally everything works fine.  If someone on the Internet types https://sd.domain.com then it goes to it.  If I type that same address internally it fails.  I need to configure something in DNS, as I don't want to change the internal PC users' HOSTS file to point to it.  I also notice that when I type the IP address in directly for the sd.domain.com site (192.168.1.9) the site for 192.168.1.10 comes up.  I have tried putting in a Host (A) record for sd that points to 192.168.1.9, but that doesn't work.

Just to be clear, I want my internal users to be able to type http://sd.domain.com and have it go to that site.  I also want to be able to type 192.168.1.9 and have it go to that site.
Question by:ascnd
12 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16879888
Your problem really is that you have created a separate PRIVATE IP address when you really need a second PUBLIC IP address for this.  

For a better analysis of your situation, please post a complete IPCONFIG /ALL from the server.

I would point out that it is HIGHLY recommended that you do not host a public web site on an SBS due to security and resource reasons.  (Your SBS is a domain controller and generally has enough to worry about without also managing a public web site).
http://blogs.msdn.com/sbsdocsteam/archive/2005/08/15/451775.aspx

Jeff
TechSoEasy

Author Comment

by:ascnd
ID: 16880975
I do have a second public IP address.  I use a SonicWall firewall and I have the public ip addresses mapped to the private ip addresses.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc01
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : xx-99-yy-88-qq-66
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.9
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
   Primary WINS Server . . . . . . . : 192.168.1.10
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16881883
Okay... you don't need the second private IP address, because your comment that "you can only have one SSL per IP" is covered by the second EXTERNAL IP address.  You just need to use a host header to direct the traffic to the appropriate web site, and then you have to assign the second SSL certificate to that web site.

How to use host headers:  http://support.microsoft.com/kb/324287

How to assign an ssl certificate to a web site:  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/736fe16a-218e-49fe-bef3-7edc8f897114.mspx

Jeff
TechSoEasy
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16881895
Just as a reminder, this is not recommended.  I would highly suggest that you place this web site on a different machine in a DMZ if possible.  FYI, you can run IIS on Windows XP Pro or Windows 2000 Pro quite easily.  If you don't have additional hardware available this machine can be run as a virtual machine on your SBS using Virtual Server 2005 (free download from Microsoft -- but you would still need a license for whatever machine is run, such as XP Pro or Server 2003).

Here's the how-to:  http://www.microsoft.com/downloads/details.aspx?familyid=8e1b8271-17a0-4f3a-a379-19ecf37d4229&displaylang=en

Jeff
TechSoEasy

Author Comment

by:ascnd
ID: 16882924
I already have a host header.  The problem is a DNS problem on the internal network not on the WAN.  This is why I posted this on the Windows Server 2003 forum.  Everything works fine from the WAN and I already have the SSL working properly.
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16882931
Then all you need is a CNAME record in your forward lookup zone for that site which will route the request to the host header.  Take a look at the way that the companyweb one is done, this would be the same thing.

Jeff
TechSoEasy

Author Comment

by:ascnd
ID: 16882983
This doesn't work.  When I type https://sd.domain.com in the internal network it times out.  The only FQDN that I can put in when I create the CNAME for sd is the same as the companyweb one, which is dc01.domain.local.

It's like I need to put in that when someone on the internal network types https://sd.domain.com it needs to point to 192.168.1.9 but I don't know how to do this.

What now?
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16883025
When you put in the CNAME record you would only use http://sd in the internal network.... or http://sd.domain.local (same as the way companyweb works).  If you want to use http://sd.domain.com you will need to create a secondary forward lookup zone so that the domain name will resolve locally instead of going outside of the network.  Then, you still need to get rid of 192.168.1.9 because the IP address is irrelevant when you use a host header.

Is there a reason you need to be using SSL within your internal domain?  If so, then you need to move the site off of the SBS and put it on another machine.  Or, add the "sd" host name to the current certificate.

By the way... The reason I moved this to the SBS TA is that the Windows Server 2003 experts tend to not take into account that you have a Domain Controller, Exchange, IIS, etc running on this one machine.  That can cause advice which would ultimately break some of SBS's features.

I should have asked though if you have SBS Premium with ISA, because if you did you would just create a web publishing rule that would take care of all of this.

Jeff
TechSoEasy

Author Comment

by:ascnd
ID: 16883071
Thanks for the quick replies.  I have SBS Premium but I am not using ISA.  What type of zone do I create: Primary, Secondary, or Stub?  I need to keep the 192.168.1.9 due to the SSL thing.  By the way, the reason I am doing all this on one SBS server is simply because I want to do it that way.  I do appreciate the other information above, though.
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 16883543
As stated above, a SECONDARY zone.  But I disagree with you about needing to keep the 192.168.1.9 due to the SSL certificate.  Certificates are assigned to sites, not private IP addresses.  Therefore, it's totally unnecessary.

The issue is that you can't have another secure site coming in from the OUTSIDE over port 443 on the same EXTERNAL IP address, unless you share the SSL certificate (which is certainly possible if your domains are sd.domain.com and sbs.domain.com for instance).  If you cannot share the SSL certificate for some reason, then you would need a separate External IP which you have stated that you do have.

So, I would again ask you why you are trying to use SSL within your LAN, it doesn't make sense unless there is a third party hop between your workstations and your server.  Which I am sure is not the case because it wouldn't be on the same subnet.  SSL encrypts the traffic... this is necessary over the Internet, but rarely needed within a LAN environment.  Plus, I would think that if it were important to encrypt traffic on your LAN you would want to do it beyond just this website.

Therefore, SSL is not used locally.  Your local users should go to the website by its simple CNAME.  If the URL is somehow linked from somewhere else and they are forced to use https://sd.domain.com, then you should create an entry in their HOSTS file to redirect.

Jeff
TechSoEasy

Author Comment

by:ascnd
ID: 16885954
I actually created a primary zone, and then in that zone I created a Host (A) record that points to 192.168.1.9, and now everything works as it should internally and externally.  I am using SSL within the LAN due to personal data being transmitted over our human resources site.  Thanks for your help.
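The configuration the asker ended up with (an internal primary zone holding an A record for the public name, plus an IIS binding on the second address) as an added cmd.exe example for the SBS 2003 DNS server; this is not from the thread or from Microsoft. It assumes the names and addresses given above (sd.domain.com, 192.168.1.9, DNS server 192.168.1.10) and uses SITE_ID as a placeholder for the HTTPS site's IIS identifier.

```batch
@echo off
REM Added example (not from the thread): split-horizon DNS for ONE public
REM host name on an SBS 2003 DNS server. Run in cmd.exe on the DNS server.
REM Assumed values: public name sd.domain.com, HTTPS site on 192.168.1.9,
REM internal DNS server 192.168.1.10 (all taken from the question above).

REM 1. Create an AD-integrated primary zone named after the single host,
REM    not after domain.com. A zone for "domain.com" would make this server
REM    authoritative for the whole domain and hide www, mail, etc. from
REM    internal clients until every public record was re-created here.
dnscmd /ZoneAdd sd.domain.com /DsPrimary

REM 2. Add the A record at the zone apex ("@") pointing at the LAN address,
REM    so internal users resolve the same name the outside world uses but
REM    reach the server directly instead of via the firewall's public IP.
dnscmd /RecordAdd sd.domain.com @ A 192.168.1.9

REM 3. Check what the internal resolver now answers for the name.
dnscmd /EnumRecords sd.domain.com @
nslookup sd.domain.com 192.168.1.10

REM 4. IIS 6: bind the HR site explicitly to 192.168.1.9. The Default Web
REM    Site (W3SVC/1) usually listens on "All Unassigned", which is why
REM    typing 192.168.1.9 showed the wrong site; an explicit binding on a
REM    second site takes precedence over the wildcard. SITE_ID is a
REM    placeholder for the HR site's identifier (see IIS Manager).
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
cscript //nologo %ADSUTIL% set W3SVC/SITE_ID/ServerBindings "192.168.1.9:80:"
cscript //nologo %ADSUTIL% set W3SVC/SITE_ID/SecureBindings "192.168.1.9:443:"

REM 5. Workstations may still cache the public answer; on each client run:
REM    ipconfig /flushdns
```

The certificate on the HR site must name sd.domain.com for internal browsers to accept it without warnings, since the same name is now used on both sides of the firewall.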