R7AF asked:
Firewalls: mapping destination sets to different webservers. Is this standard functionality?
We're going to replace our firewall, ISA Server 2000 on Windows 2000. The server is old, so needs to be replaced, and we're having other problems with ISA Server. We're hoping to solve these two problems in one go.
One of the things we need is what I call "Destination set mapping", but I'm not sure whether this is the right term. I'll give an example. We use several domain names, like xyz.com and pqr.net. We have several webservers, each serving different domain names, running Tomcat on port 8080. Some of the servers run IIS as well on port 80.
xyz.com:80 => ISA Server: Destination Set 1 => server1:8080 (Tomcat)
pqr.net:80 => ISA Server: Destination Set 2 => server2:8080 (Tomcat)
webmail.pqr.net:80 => ISA Server: Destination Set 3 => server2:80 (IIS)
On ISA Server this is quite easy to handle. You create a destination set in the Policy Elements (a list of domain names basically), and then create Web Publishing Rules, using these destination sets. So this is pretty simple to set up.
One of the options is to buy a basic Cisco (or Sonicwall, etc) firewall, or buy a lightweight server and install Smoothwall or something similar. I would like to know whether this functionality is standard in firewalls like the simple Cisco Pix 501, or Smoothwall. Another requirement is that this functionality should be configurable using the browser (or GUI), and it should be straightforward, like ISA Server does it.
ASKER
Sorry, forgot that! We only use one IP-address.
ASKER CERTIFIED SOLUTION
This functionality exists in IIS, Apache, and Tomcat (Name Based Virtual Hosts) and is usually handled there rather than at the firewall level. I do not know of any firewalls that will do host name identification. Like Sorenson said, you can use multiple IP addresses to do this easily but my suggestion is to let the web server handle the mappings if you don't want to use multiple IP addresses at your firewall.
IIS - http://support.microsoft.com/kb/190008
Apache - http://httpd.apache.org/docs/1.3/vhosts/name-based.html
Tomcat - http://confluence.atlassian.com/display/DOC/Guide+to+using+Apache+Tomcat's+Virtual+Hosts
Sorry, scratch my last comment...I misread your question...didn't notice these were on different boxes.
ASKER
@mcsween
If you're interested, I have another question open relating to IIS + Tomcat. This is another situation, not on this network.
https://www.experts-exchange.com/questions/22479817/Using-Tomcat-5-5-and-IIS-6-together-for-separate-websites-and-domain-names.html
ASKER
Is it possible to use Apache HTTPD as front-end for this? Or even Tomcat? So catching all port-80 traffic with one webserver and redirect it from there to different servers, based on domain names? We're using virtual hosts in tomcat already, but this would mean setting up a cluster or something like that? I've used virtual hosts with Apache httpd as well. How about the mail we're receiving? That's a separate server.
SOLUTION
ASKER
Thanks! That's a great suggestion. It's simple and quite easy to implement. I'll look into it tomorrow, see if it really solves our problem.
ASKER
I believe Apache can be configured to redirect domain names to other physical servers. So that is a possible solution. I even believe Tomcat can do this (using workers), but I'm not sure. I haven't found the time to try this. The gateway solution is another usable option.
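The Apache httpd front-end discussed above, as an added example that is not part of the original thread: one httpd on port 80 routes on the HTTP Host header to the three backends from the question. The backend IP addresses are assumed placeholders from the RFC 5737 documentation range; the hostnames and ports are the ones in the question.

```apache
# Added example, not from the thread. Apache httpd 2.x as a reverse proxy
# that reproduces the three ISA "destination set" mappings by Host header.
# 192.0.2.x addresses are placeholders for server1/server2 (assumption).
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as an open forward proxy; only the explicit ProxyPass
# mappings below are reachable.
ProxyRequests Off

# On httpd 2.2 name-based vhosts additionally need:
#   NameVirtualHost *:80
# (2.4 does this automatically and rejects the directive.)

# Default vhost: a request whose Host header matches no ServerName is
# served by the FIRST VirtualHost, so make that one a dead end instead
# of silently handing unknown hostnames to a backend.
<VirtualHost *:80>
    ServerName default.invalid
    Redirect 404 /
</VirtualHost>

# xyz.com:80 -> server1:8080 (Tomcat)
<VirtualHost *:80>
    ServerName xyz.com
    # Keep the original Host header so Tomcat's own virtual hosts still match.
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.11:8080/
    ProxyPassReverse / http://192.0.2.11:8080/
</VirtualHost>

# pqr.net:80 -> server2:8080 (Tomcat)
<VirtualHost *:80>
    ServerName pqr.net
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.12:8080/
    ProxyPassReverse / http://192.0.2.12:8080/
</VirtualHost>

# webmail.pqr.net:80 -> server2:80 (IIS)
<VirtualHost *:80>
    ServerName webmail.pqr.net
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.12:80/
    ProxyPassReverse / http://192.0.2.12:80/
</VirtualHost>
```

Because the proxy connects to the backends itself, only port 80 on the httpd box needs to be published at the firewall, and the backends can stay unreachable from outside.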
In the end we've chosen to install ISA Server 2004 on another server. We found someone who could handle this problem on 2004. Now we have two ISA Servers next to each other, and the next week, we'll remove the old one.
The PIX 501 is configurable via PDM (PIX Device Manager), a web based application.
I think sonicwall has the same mapping functionality, and I know that netscreen does as well.