Solved

Firewalls: mapping destination sets to different webservers. Is this standard functionality?

Posted on 2007-03-29
Last Modified: 2013-11-16
We're going to replace our firewall, ISA Server 2000 on Windows 2000. The server is old, so needs to be replaced, and we're having other problems with ISA Server. We're hoping to solve these two problems in one go.

One of the things we need is what I call "Destination set mapping", but I'm not sure whether this is the right term. I'll give an example. We use several domain names, like xyz.com and pqr.net. We have several webservers, each serving different domain names, running Tomcat on port 8080. Some of the servers run IIS as well on port 80.

xyz.com:80 => ISA Server: Destination Set 1 => server1:8080 (Tomcat)
pqr.net:80 => ISA Server: Destination Set 2 => server2:8080 (Tomcat)
webmail.pqr.net:80 => ISA Server: Destination Set 3 => server2:80 (IIS)

On ISA Server this is quite easy to handle. You create a destination set in the Policy Elements (a list of domain names basically), and then create Web Publishing Rules, using these destination sets. So this is pretty simple to setup.

One of the options is to buy a basic Cisco (or Sonicwall, etc) firewall, or buy a lightweight server and install Smoothwall or something similar. I would like to know whether this functionality is standard in firewalls like the simple Cisco Pix 501, or Smoothwall. Another requirement is that this functionality should be configurable using the browser (or GUI), and it should be straightforward, like ISA Server does it.
Question by:R7AF
10 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 18815815
if xyz.com, pqr.net and webmail.pqr.net all point to separate "external" ip addresses, then the translation can be done with a pix or asa.  You would statically map tcp 80 on each outside address to 8080 on the respective inside address.
The pix 501 is configurable via PDM (pix device manager), a web based application.
I think sonicwall has the same mapping functionality, and I know that netscreen does as well.
 
LVL 13

Author Comment

by:R7AF
ID: 18815829
Sorry, forgot that! We only use one IP-address.
 
LVL 10

Accepted Solution

by:
Sorenson earned 350 total points
ID: 18816026
That makes a big difference :) .  The ISA server does it via "host header" identification.  IIS supports it as well, for hosting multiple websites on the same box.  I do not know of a way to do that with cisco.  There may be a way with sonicwall and netscreen, but I haven't seen it.  I would look at their websites for config guides.
 
LVL 21

Expert Comment

by:mcsween
ID: 18816366
This functionality exists in IIS, Apache, and Tomcat (Name Based Virtual Hosts) and is usually handled there rather than at the firewall level.  I do not know of any firewalls that will do host name identification.  Like Sorenson said, you can use multiple IP addresses to do this easily but my suggestion is to let the web server handle the mappings if you don't want to use multiple IP addresses at your firewall.

IIS - http://support.microsoft.com/kb/190008
Apache - http://httpd.apache.org/docs/1.3/vhosts/name-based.html
Tomcat - http://confluence.atlassian.com/display/DOC/Guide+to+using+Apache+Tomcat's+Virtual+Hosts
 
LVL 21

Expert Comment

by:mcsween
ID: 18816420
Sorry, scratch my last comment...I misread your question...didn't notice these were on different boxes.
 
LVL 13

Author Comment

by:R7AF
ID: 18816915
@mcsween
If you're interested, I have another question open relating to IIS + Tomcat. This is another situation, not on this network.

http://www.experts-exchange.com/Q_22479817.html
 
LVL 13

Author Comment

by:R7AF
ID: 18843083
Is it possible to use Apache HTTPD as front-end for this? Or even Tomcat? So catching all port-80 traffic with one webserver and redirect it from there to different servers, based on domain names? We're using virtual hosts in tomcat already, but this would mean setting up a cluster or something like that? I've used virtual hosts with Apache httpd as well. How about the mail we're receiving? That's a separate server.
 
LVL 21

Assisted Solution

by:mcsween
mcsween earned 150 total points
ID: 18843542
What you are essentially talking about is a gateway and I do not know of any way to use Apache or Tomcat as a gateway.  You could keep your ISA server on the network behind the firewall and just forward all port 80 traffic to it from your firewall.  This would allow the ISA server to continue to act as a "WWW Gateway" while allowing you to use a hardware firewall for everything else.
 
LVL 13

Author Comment

by:R7AF
ID: 18846191
Thanks! That's a great suggestion. It's simple and quite easy to implement. I'll look into it tomorrow, see if it really solves our problem.
 
LVL 13

Author Comment

by:R7AF
ID: 18864251
I believe Apache can be configured to redirect domain names to other physical servers. So that is a possible solution. I even believe Tomcat can do this (using workers), but I'm not sure. I haven't found the time to try this. The gateway solution is another usable option.

In the end we've chosen to install ISA Server 2004 on another server. We found someone who could handle this problem on 2004. Now we have two ISA Servers next to each other, and the next week, we'll remove the old one.
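Added example (not code from this thread, nor ISA Server's, Apache's or Tomcat's own implementation): the "host header identification" Sorenson describes in the accepted solution, and the front-end-on-one-IP idea the author returns to in the last comment, written as a small Python reverse proxy. It listens on the single public address, reads the request head, picks the backend from the Host header using the three mappings in the question, and pipes the connection through. The backend names server1/server2 and the port numbers are the question's placeholders; the listen address, the 421 refusal for unknown or ambiguous hosts, and the X-Forwarded-For header are my choices. Two points a practitioner would want in any such front end are shown: a request with zero or more than one Host header is refused rather than guessed at (otherwise the proxy and the backend can disagree on which site was meant), and an unknown host name is refused instead of falling through to a default site.

```python
import socket
import socketserver
import threading

# The three mappings from the question; "server1"/"server2" are its placeholder names (constructed).
ROUTES = {
    "xyz.com": ("server1", 8080),        # Tomcat
    "pqr.net": ("server2", 8080),        # Tomcat
    "webmail.pqr.net": ("server2", 80),  # IIS
}

def normalize_host(value):
    """Lowercase, drop an explicit :port and a trailing dot; None if unusable."""
    host = value.strip().lower().rstrip(".")
    if host.startswith("["):                 # IPv6 literal: keep the brackets
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    if not host or any(c.isspace() for c in host):
        return None
    return host

def parse_head(raw):
    """Split an HTTP/1.x request head (bytes, without the final blank line) into
    (request_line, [(lowercased name, value), ...]). Raises ValueError on junk."""
    lines = raw.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":                 # obsolete line folding: reject, don't guess
            raise ValueError("folded header")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def route_request(raw_head):
    """Return (backend_host, backend_port), or None when the request must be refused:
    exactly one Host header is required, and unknown names get no default site."""
    try:
        _, headers = parse_head(raw_head)
    except (ValueError, UnicodeDecodeError):
        return None
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return None
    host = normalize_host(hosts[0])
    return ROUTES.get(host) if host else None

def pump(a, b):
    """Copy bytes both ways until either side closes. One request per connection:
    later keep-alive requests on the same connection are not re-routed here."""
    def one_way(src, dst):
        try:
            while True:
                data = src.recv(65536)
                if not data:
                    break
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    t = threading.Thread(target=one_way, args=(a, b), daemon=True)
    t.start()
    one_way(b, a)
    t.join()

class ProxyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 16384:   # cap the head size
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, sep, rest = buf.partition(b"\r\n\r\n")
        target = route_request(head) if sep else None
        if target is None:
            self.request.sendall(b"HTTP/1.1 421 Misdirected Request\r\n"
                                 b"Content-Length: 0\r\nConnection: close\r\n\r\n")
            return
        # Host is forwarded unchanged so the backend's own name-based vhosts still
        # match; X-Forwarded-For tells it who the real client was.
        head += ("\r\nX-Forwarded-For: " + self.client_address[0]).encode("ascii")
        with socket.create_connection(target, timeout=10) as upstream:
            upstream.sendall(head + b"\r\n\r\n" + rest)
            pump(self.request, upstream)

def main(listen=("0.0.0.0", 80)):
    """Listen on the single public address (assumption: port 80 is bindable here)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(listen, ProxyHandler) as server:
        server.serve_forever()

if __name__ == "__main__":
    main()
```

Run it on the box that owns the public address, with DNS for all three names pointing at that address. In production the same dispatch is what Apache httpd does with name-based virtual hosts plus mod_proxy's ProxyPass per vhost; the toy above exists to show the mechanism, in particular that the decision rests entirely on a client-supplied header, so the refusal paths (no Host, two Hosts, unknown Host) matter as much as the table lookup.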
