  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 404

Firewalls: mapping destination sets to different webservers. Is this standard functionality?

We're going to replace our firewall, ISA Server 2000 on Windows 2000. The server is old, so needs to be replaced, and we're having other problems with ISA Server. We're hoping to solve these two problems in one go.

One of the things we need is what I call "Destination set mapping", but I'm not sure whether this is the right term. I'll give an example. We use several domain names, like xyz.com and pqr.net. We have several webservers, each serving different domain names, running Tomcat on port 8080. Some of the servers run IIS as well on port 80.

xyz.com:80 => ISA Server: Destination Set 1 => server1:8080 (Tomcat)
pqr.net:80 => ISA Server: Destination Set 2 => server2:8080 (Tomcat)
webmail.pqr.net:80 => ISA Server: Destination Set 3 => server2:80 (IIS)

On ISA Server this is quite easy to handle. You create a destination set in the Policy Elements (a list of domain names basically), and then create Web Publishing Rules, using these destination sets. So this is pretty simple to setup.

One of the options is to buy a basic Cisco (or Sonicwall, etc) firewall, or buy a lightweight server and install Smoothwall or something similar. I would like to know whether this functionality is standard in firewalls like the simple Cisco Pix 501, or Smoothwall. Another requirement is that this functionality should be configurable using the browser (or GUI), and it should be straightforward, like ISA Server does it.
0
Asked by: R7AF
2 Solutions
 
Sorenson commented:
If xyz.com, pqr.net and webmail.pqr.net all point to separate "external" IP addresses, then the translation can be done with a PIX or ASA. You would statically map TCP 80 on each outside address to 8080 on the respective inside address.
The pix 501 is configurable via PDM (pix device manager), a web based application.
I think sonicwall has the same mapping functionality, and I know that netscreen does as well.
0
 
R7AF (Author) commented:
Sorry, forgot that! We only use one IP-address.
0
 
Sorenson commented:
That makes a big difference :) .  The ISA server does it via "host header" identification.  IIS supports it as well, for hosting multiple websites on the same box.  I do not know of a way to do that with cisco.  There may be a way with sonicwall and netscreen, but I haven't seen it.  I would look at their websites for config guides.
0
mcsween (Sr. Network Administrator) commented:
This functionality exists in IIS, Apache, and Tomcat (Name Based Virtual Hosts) and is usually handled there rather than at the firewall level. I do not know of any firewalls that will do host name identification. Like Sorenson said, you can use multiple IP addresses to do this easily, but my suggestion is to let the web server handle the mappings if you don't want to use multiple IP addresses at your firewall.

IIS - http://support.microsoft.com/kb/190008
Apache - http://httpd.apache.org/docs/1.3/vhosts/name-based.html
Tomcat - http://confluence.atlassian.com/display/DOC/Guide+to+using+Apache+Tomcat's+Virtual+Hosts
0
 
mcsween (Sr. Network Administrator) commented:
Sorry, scratch my last comment...I misread your question...didn't notice these were on different boxes.
0
 
R7AF (Author) commented:
@mcsween
If you're interested, I have another question open relating to IIS + Tomcat. This is another situation, not on this network.

http://www.experts-exchange.com/Q_22479817.html
0
 
R7AF (Author) commented:
Is it possible to use Apache HTTPD as front-end for this? Or even Tomcat? So catching all port-80 traffic with one webserver and redirect it from there to different servers, based on domain names? We're using virtual hosts in tomcat already, but this would mean setting up a cluster or something like that? I've used virtual hosts with Apache httpd as well. How about the mail we're receiving? That's a separate server.
0
 
mcsween (Sr. Network Administrator) commented:
What you are essentially talking about is a gateway and I do not know of any way to use Apache or Tomcat as a gateway.  You could keep your ISA server on the network behind the firewall and just forward all port 80 traffic to it from your firewall.  This would allow the ISA server to continue to act as a "WWW Gateway" while allowing you to use a hardware firewall for everything else.
0
 
R7AF (Author) commented:
Thanks! That's a great suggestion. It's simple and quite easy to implement. I'll look into it tomorrow, see if it really solves our problem.
0
 
R7AF (Author) commented:
I believe Apache can be configured to redirect domain names to other physical servers. So that is a possible solution. I even believe Tomcat can do this (using workers), but I'm not sure. I haven't found the time to try this. The gateway solution is another usable option.

In the end we've chosen to install ISA Server 2004 on another server. We found someone who could handle this problem on 2004. Now we have two ISA Servers next to each other, and next week we'll remove the old one.
0
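As an added example that is not part of this thread, here is what the Apache httpd front-end R7AF asks about (one webserver catching all port-80 traffic and handing it on by domain name) could look like: a single httpd instance behind the firewall's port-80 forward, using name-based virtual hosts plus mod_proxy to reverse-proxy each domain to the backend listed in the question. The domain names and the server1/server2 backends come from the question; the Apache 2.2-era directive syntax, the catch-all default host and the `www.xyz.com` alias are assumptions.

```apache
# Added example (not from the thread): Apache httpd as the single port-80
# front-end, routing by Host header to the servers named in the question.
# Assumes mod_proxy, mod_proxy_http and mod_alias are loaded (Apache 2.2 syntax).
Listen 80
NameVirtualHost *:80

# Reverse proxy only: never act as an open forward proxy for arbitrary URLs.
ProxyRequests Off

# The first VirtualHost is the default. A request whose Host header matches
# none of the named hosts lands here and gets a 404 instead of a backend.
<VirtualHost *:80>
    ServerName default.invalid
    Redirect 404 /
</VirtualHost>

# xyz.com:80 => server1:8080 (Tomcat)
<VirtualHost *:80>
    ServerName xyz.com
    ServerAlias www.xyz.com
    # Forward the client's original Host header so Tomcat's own
    # virtual hosts (already in use per the thread) still match.
    ProxyPreserveHost On
    ProxyPass        / http://server1:8080/
    ProxyPassReverse / http://server1:8080/
</VirtualHost>

# pqr.net:80 => server2:8080 (Tomcat)
<VirtualHost *:80>
    ServerName pqr.net
    ProxyPreserveHost On
    ProxyPass        / http://server2:8080/
    ProxyPassReverse / http://server2:8080/
</VirtualHost>

# webmail.pqr.net:80 => server2:80 (IIS)
<VirtualHost *:80>
    ServerName webmail.pqr.net
    ProxyPreserveHost On
    ProxyPass        / http://server2:80/
    ProxyPassReverse / http://server2:80/
</VirtualHost>
```

This mirrors the ISA destination sets one-to-one: each `<VirtualHost>` block is a destination set and its `ProxyPass` is the publishing rule. Two points matter for safety: `ProxyRequests Off` keeps the box from being usable as an open proxy, and the default catch-all host means a request with an unexpected or missing Host header is answered locally rather than being passed to whichever backend happens to be listed first. Only HTTP on port 80 is handled here; the mail server R7AF mentions would still need its own firewall rule for its own port.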
