Asked by Exceter (United States of America)
Port Forwarding

Greetings,

I inherited a network that has 2 web servers. Exactly why there are two webservers escapes me but that's another issue... The problem is that the person who set up these servers placed one of them outside the firewall with its own static IP address. This presents me with two problems.

1) This webserver does not benefit from the protection of the firewall.
2) I can't back up its database to our domain controller, where the backup would be written to the nightly tape backup.

What I'm having trouble with is how to port forward http requests to two different servers. This seems as if it would be a common problem. The only ways I can think of to do this would be if there were different port forwarding rules for IP aliases or perhaps if ports could be forwarded based on domain names. I cannot help but think that I am missing something...

Can anyone fill me in?

Cheers!
Exceter
AdamRobinson

You said it has its own static IP address outside the firewall (I assume you mean a resolvable external IP). On your firewall or router, you should be able to take requests on port 80 to that external IP, and forward them to a static internal IP you set on the webserver you've moved inside the firewall.

What type of equipment do you have for routers/firewall?  Cisco?  Sonicwall?

Can we assume your external webserver isn't a member of the domain?


Exceter (ASKER)

>> You said it has its own static IP address outside the firewall (I assume you mean a resolvable external IP). On your firewall or router, you should be able to take requests on port 80 to that external IP, and forward them to a static internal IP you set on the webserver you've moved inside the firewall.

Yes, I meant a resolvable external IP address. The problem is that there are two webservers and the firewall is already forwarding port 80 to the webserver that is behind the firewall. I'm trying to put them both behind a firewall.

>> What type of equipment do you have for routers/firewall?  Cisco?  Sonicwall?
We're running Smoothwall Corporate and it doubles as our router and our firewall.

>> Can we assume your external webserver isn't a member of the domain?
Yes, you can assume that this webserver is not a member of the domain.

Short answer:

First, create a dmz in your firewall and place the outside web server in that. Only allow port 80 in to the DMZ server from the outside (and 443, if desired). The DMZ will use a slice of your external address space so there will be no port forwarding needed there.

Then, open ports to the DMZ from the inside necessary for your backup software to access the web server.

You do not want to do any port forwarding to the inside web server; any publicly-accessible site or content should be hosted on the DMZ server.

Wow, you guys are quick!
Exceter (ASKER)

Well, I'm in a bit of a hard spot.

The webserver in question and the firewall both have externally resolvable IP addresses. Both webservers have WAMP (Windows Apache Mysql Php) installed. Both servers host separate interactive websites. Both servers locally host their own database. Both servers are accessed from different domain names. Both "servers" are running Windows XP Pro, which doesn't make me happy, because XP Pro has a built-in inbound 10 connection limit built into its TCP/IP stack. Neither server has redundant hard drives. Basically, I am dealing with workstation class machines with Apache installed. This makes the backup scheme all the more important.

I need to install a DMZ. The person who configured the firewall didn't install a 3rd NIC for reasons beyond my comprehension. However, I'm not quite sure what you mean when you say,

"The DMZ will use a slice of your external address space so there will be no port forwarding needed there."

If the person who created these systems understood how to use Apache virtual hosts, I wouldn't have this problem...

When I said that, I didn't know which firewall you had, or how many external addresses you own.

In my setup, we have a Cisco firewall and a "class c" range of 256 external addresses. (it's not truly class c, but that's what everyone calls it these days). We have that address space subnetted into an outside space and a DMZ space. Thus our web server has an external IP address so we do not have to use port forwarding. The firewall still limits what traffic can get to it.

For example, say your public address block is 24.126.65.0 through 24.126.65.255. If you split that in half, you can use half for your DMZ and the other half for addresses that need to be outside, like your firewalls' outside internface, a VPN if yo have one, etc.

I'm only kind of familiar with the Smoothwall product, but it does have built-in DMZ capability.

One more question: how many external IP addresses do you have?

"like your firewall'S outside INTERFACE, a VPN if YOU have one, etc."

Man, I need some more coffee. Can't type or proofread yet.
Exceter (ASKER)

That's a very interesting suggestion. The company has a T1 line that it leases from Verizon. I don't believe that it's a real T1 though. The throughput isn't nearly high enough...

So, in short, you're saying I should subnet my address space to allow for a DMZ that doesn't need NAT translation? This would eliminate the need for port forwarding?

>> One more question: how many external IP addresses do you have?
Our IP address is Class A and our subnet mask is 255.255.255.248. That leaves 3 host bits. After subtracting the network ID and broadcast addresses, that leaves 5 host addresses on our subnet? I know that we have 3 addresses in use. The webserver, firewall, and NetVanta (according to the documentation) all have routeable addresses.

Short answer: 5

Looks like the Smoothwall implementation of DMZ requires a separate PRIVATE address space, so my previous statement that the DMZ would use public addresses is wrong. You WILL have to configure port forwarding.

The best thing to do of course would be to put both machines in the DMZ, but then you may have to get the SmoothHost module so you can host both web servers in the DMZ.

In the short term, create your DMZ and move the outside server into it. Give it a DMZ address, then add the old address and its forward to the firewall's port forwarding entries. Then add a zone bridging entry so your backup can access the server. This is assuming that you have Smoothwall Corporate 4.0 or higher. If it is v3 or lower, then you have considerably fewer options because the DMZ is not all that configurable.

How hard would it be to consolidate the two servers? Then you could give them the same IP address, update the DNS records as needed, and use host headers to direct traffic to the appropriate site.
Simple stuff that can be done is:

1. Create a DMZ on the firewall.
2. Put the webserver in that and DO NOT change the IP address of the webserver.
3. Use another public IP address in that same range and put it on the DMZ side of the firewall.
4. Do not NAT the traffic from the DMZ.

This way:

1. You get the firewall protection.
2. You don't have to change the IP address of the webserver (if you do, something may not work properly).

Cheers,
Rajesh
Exceter (ASKER)

>> The best thing to do of course would be to put both machines in the DMZ, but then you may have to get the SmoothHost module so you can host both web servers in the DMZ.
I have the SmoothHost module.

>> In the short term, create your DMZ and move the outside server into it. Give it a DMZ address, then add the old address and its forward to the firewall's port forwarding entries. Then add a zone bridging entry so your backup can access the server. This is assuming that you have Smoothwall Corporate 4.0 or higher. If it is v3 or lower, then you have considerably fewer options because the DMZ is not all that configurable.

That's what I wanted to do to begin with but the port forwarding rules, for the two servers, were conflicting.

>> How hard would it be to consolidate the two servers? Then you could give them the same IP address, update the DNS records as needed, and use host headers to direct traffic to the appropriate site.

Not easy.

My ultimate goal is to move both websites onto a linux based apache webserver, using virtual hosts. Consolidate the databases onto a single linux based Mysql server, and put both servers on a DMZ. Unfortunately, because of the way in which the sites were written, moving the databases to a separate server is not unlike separating twins that are conjoined at the chest. Especially when neither site can be off-line for extended periods of time...

>> 1. Create a DMZ on the firewall.
>> 2. Put the webserver in that and DO NOT change the IP address of the webserver.
>> 3. Use another public IP address in that same range and put it on the DMZ side of the firewall.
>> 4. Do not NAT the traffic from the DMZ.

You're saying that I'd assign one of the external addresses to the orange NIC in the firewall, and that traffic from the DMZ would be routed through that NIC without the need for NAT?
Exceter (ASKER)

>> >> How hard would it be to consolidate the two servers? Then you could give them the same IP address, update the DNS records as needed, and use host headers to direct traffic to the appropriate site.
>>
>> Not easy.

Wait, I misread you. How can I use host headers to redirect traffic inside the firewall?

On a sidenote, Exceter, you can change the inbound connection limit in XP Pro SP2, if you really want to (I'm not suggesting this, but sometimes it is necessary):

From: http://blog.davidkaspar.com/archives/2005/04/windows-xp-sp2-and-event-id-4226.php?page=3

"The second case means that SP2 is stalling your work. An unofficial patch will modify the locked tcpip.sys and let you set the limit to whatever you wish. 50 half-open connections is a reasonable limit or you can set the limit back to 65,535 which it was before the SP2. The patch is called EventID 4226 Patcher and can be found on LVL Lord's web site: http://lvllord.de/?lang=en&url=downloadsdownloads"

Exceter (ASKER)

AdamRobinson, please see this question. Thanks a million!
https://www.experts-exchange.com/questions/22081671/Points-for-AdamRobinson.html

OK, I think the water is getting a bit muddy. You cannot do as rsivanandan suggested (which is the same thing I suggested at first) because of the fact that the DMZ is a private address space on the SmoothWall.

The new port rule should not conflict with the old one if both web servers are currently working, since both servers are currently being accessed externally using different IP addresses. Assuming you have a standard private network space of 192.168.1.0/24, you presumably have a rule already for the inside server, something like this:

Protocol: TCP
External IP: (blank here means "everyone")
Connection Logging: (your choice)
Source IP: <firewall external address>
Source Port: 80
User Defined: (not used unless User Defined is chosen under Source Port; for non-standard ports)
Destination IP: 192.168.1.27 (or whatever)
Destination Port: (blank here means "same as the source port")
User Defined:
Comment: Port Forward for internal web server
Enabled: checked

After setting up the DMZ with a range of 192.168.2.0/24, you would just add a new rule:

Protocol: TCP
External IP: (blank)
Connection Logging: (your choice)
Source IP: <external web server's old IP address>
Source Port: 80
User Defined:
Destination IP: 192.168.2.27
Destination Port:
User Defined:
Comment: Port Forward for DMZ web server
Enabled: checked

Then change the IP address of the external server to 192.168.2.27 and physically move the cable. There will be some downtime as the server is moved and reconfigured, so plan accordingly. You also may need to flush the ARP cache of any devices that are outside the firewall such as a switch (if it is a managed switch) or a perimeter router.

Next, create your zone bridge so you can back up the DMZ server.
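The two rules above, modelled as an added example (not from the thread and not Smoothwall's own code): the form's "Source IP" field is matched against the public address the packet arrived at, which is what keeps the two port-80 forwards from colliding; the public addresses and the `FORWARD_RULES` naming are constructed placeholders.

```python
# Added example: a small model of Smoothwall-style port-forward rule matching.
# Field names follow the form shown in the thread; addresses are constructed.
from dataclasses import dataclass


@dataclass
class ForwardRule:
    protocol: str
    source_ip: str       # public address the packet arrived at; "" = any
    source_port: int     # port the packet arrived on
    dest_ip: str         # private address the packet is forwarded to
    dest_port: int = 0   # 0 = "same as the source port"
    comment: str = ""


FW_EXTERNAL = "203.0.113.10"       # constructed: firewall's outside address
OLD_WEB_EXTERNAL = "203.0.113.11"  # constructed: external web server's old address

FORWARD_RULES = [
    ForwardRule("TCP", FW_EXTERNAL, 80, "192.168.1.27", comment="internal web server"),
    ForwardRule("TCP", OLD_WEB_EXTERNAL, 80, "192.168.2.27", comment="DMZ web server"),
]


def resolve(rules, protocol, arrived_at, port):
    """Return (private_ip, port) an inbound packet is forwarded to, or None.

    First matching rule wins; a blank source_ip matches every public address.
    """
    for r in rules:
        if r.protocol != protocol or r.source_port != port:
            continue
        if r.source_ip and r.source_ip != arrived_at:
            continue
        return (r.dest_ip, r.dest_port or port)
    return None


def conflicts(rules):
    """Return pairs of rule comments that can match the same inbound traffic.

    Two rules for the same protocol/port overlap unless both name a public
    address and the addresses differ; the later rule is then unreachable.
    """
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_service = a.protocol == b.protocol and a.source_port == b.source_port
            overlap = not a.source_ip or not b.source_ip or a.source_ip == b.source_ip
            if same_service and overlap:
                found.append((a.comment, b.comment))
    return found
```

With the "Source IP" field left blank on both rules, `conflicts()` reports the pair and `resolve()` sends every port-80 request to the first rule's server, which is the collision described earlier in the thread.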
Exceter (ASKER)

You can use the source IP address field for that? I was under the impression that the Source IP field was used to limit access to select networks and IP addresses. I would have thought that the IP address of my server would be considered a destination address, because that's where the HTTP request is going, as opposed to a source address indicating the external interface that the request came from.

ASKER CERTIFIED SOLUTION
Yancey Landrum (United States of America)

This solution is only available to members.
Exceter (ASKER)

I haven't forgotten this question. I've been playing around with the SmoothHost module, trying to forward ports based on the source IP address. I haven't gotten it to work yet but I still have a few things to try. With any luck, I'll post back shortly with more information.
Exceter (ASKER)

ylandrum, I'm going to accept your answer, as it appears to be the correct answer, for my firewall. However, as I'm unable to make it work, for whatever reason, I'll take the issue to Smoothwall and see what they have to say. Thanks for your assistance!

Good luck!