cowpen asked:

Routing: Two ISP's, two servers, one port service

I need to provide port 443 services on two physically separate internal IIS servers. I looked at the Linksys RV042 dual WAN router, but the docs didn't suggest that it would support port forwarding for each WAN interface separately.

I have two separate internet connections each served by separate routers. So, I've installed a second NIC in the second IIS server. But I need to work out the routing on that machine so that everything works correctly - if it's possible.

Here's the setup:

Main internet connection serves the entire local network - 10.0.10.0/24.
      Router IP - 10.0.10.1
      Port 443 forwarded to 10.0.10.3 (IIS-1 server)

Second internet connection serves second NIC in multihomed second IIS server.
      Router IP - 192.168.1.1
      Port 443 forwarded to 192.168.1.2 (IIS-2 server)

IP config of IIS-2
      NIC1 IP - 10.0.10.27 (DHCP client)
      Default Gateway - 10.0.10.1

      NIC2 IP - 192.168.1.2 (static)
      Default Gateway - none


IIS-2 Route list:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27       20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27       20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:         10.0.10.1
===========================================================================
Persistent Routes:
  None

IIS-2 server config questions:
1. Which router should be the default gateway? Should the metric for the DG network be lower?
2. What persistent route should be added so that port 443 traffic is routed via 192.168.1.1, and internal domain traffic is routed via 10.0.10.1?
3. Should broadcasts be restricted to the main 10.0.10.0 network where the domain controller resides?

Also, I'm trying to do this config remotely via RDP, so if I can do it without locking myself out, that would save me an hour's drive which would be a plus. Port 3389 is temporarily forwarded to the IIS-2 server on both routers.

Thanks!

***Added to SBS and IIS Zones by TechSoEasy -- EE's Microsoft Zone Advisor***
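
Added example (not part of the original post or of any reply): a Python sketch that applies longest-prefix, lowest-metric route selection to the unicast rows of the IIS-2 route table above, to show which interface IIS-2 would use when answering an outside client that came in through the second router. The client address 203.0.113.50 is a constructed sample, and the code assumes the host chooses routes by destination address only.

```python
import ipaddress

# Unicast rows copied from the IIS-2 "route print" output in the question.
# Columns: destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """
0.0.0.0       0.0.0.0          10.0.10.1    10.0.10.27   20
10.0.10.0     255.255.255.0    10.0.10.27   10.0.10.27   20
10.0.10.27    255.255.255.255  127.0.0.1    127.0.0.1    20
127.0.0.0     255.0.0.0        127.0.0.1    127.0.0.1    1
192.168.1.0   255.255.255.0    192.168.1.2  192.168.1.2  10
192.168.1.2   255.255.255.255  127.0.0.1    127.0.0.1    10
"""

def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank lines
        dest, mask, gateway, iface, metric = fields
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes

def select_route(routes, destination):
    """Longest-prefix match; the lowest metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]), default=None)

def reply_path(routes, local_ip, client_ip):
    """Where does a reply from local_ip to client_ip leave the host?"""
    route = select_route(routes, client_ip)
    if route is None:
        return None
    _, gateway, iface, _ = route
    # "asymmetric": the reply leaves on a different interface than the one
    # that owns the address the client connected to.
    return {"gateway": gateway, "interface": iface, "asymmetric": iface != local_ip}

ROUTES = parse_routes(ROUTE_PRINT)
# Constructed sample client that reached port 443 through the second router,
# so its request arrived on 192.168.1.2.
CLIENT = "203.0.113.50"

if __name__ == "__main__":
    print(reply_path(ROUTES, "192.168.1.2", CLIENT))
    print(reply_path(ROUTES, "10.0.10.27", "10.0.10.3"))
```

With the table as posted, the only route that matches an outside address is the default route via 10.0.10.1, so a reply to a client that arrived through 192.168.1.1 is selected to leave on the 10.0.10.27 interface instead.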


weareit

On the server that currently has 443 forwarded to it, build a dummy site with the host header value of the actual site and set its Home Directory to be a URL.  The URL would be set to the URL of the site you want to access.

-saige-
cowpen

ASKER

Weareit / saige:
Thank you - I hadn't thought about a home directory redirect on IIS-1 to a URL on IIS-2.

A couple of questions related to this potential solution:
1. The SSL application on IIS-2 requires a certificate from a third-party CA. Since this cert will specify the FQDN and be installed on IIS-2, won't a redirection from IIS-1 interfere?
2. I'm not sure what to enter for the Home Directory URL? Should it be a netbios name like https://IIS-2/, or should it be a FQDN like https://secure.mydomain.com/? If it's the latter, won't the port forwarding simply send the client right back to the dummy site on IIS-1?
3. When I try to create a dummy website on IIS-1 using port 443, I get a popup error "The SSL port cannot be the same as the TCP port." I can't find any reference to this error message.

Here is some further information that may be important:
- IIS-1 is an SBS 2003 server providing OWA on port 443.

IIS-1 Websites are as follows:
Description       Host Header   IP address           Port   SSL Port
Default Website   none          * All Unassigned *   80     443
companyweb        companyweb    10.0.10.3            80     444

- IIS-2 is an XP-SP2 box running IIS. A proprietary web app will provide services on port 443. It must run on this machine.

Thanks!
Jeffrey Kane - TechSoEasy
You cannot use a host header with port 443.  You need two separate EXTERNAL IP addresses to have two separate SSL sites because SSL is IP specific.

Since SBS 2003 uses 443 for OWA, it cannot be used for another site without the additional External IP.

Jeff
TechSoEasy
Sorry about that... I now am rereading your question and see that you do have a separate Internet Connection for this.  

The RV042 isn't the right router for you to use in this case because its two Internet Connections are for "load balancing and connection redundancy"  (according to Linksys:  http://snipr.com/1to3f)

If you used a single Internet Access Provider with multiple IP addresses, then you COULD use the RV042 by routing incoming traffic on a secondary IP to IIS-2.

Jeff
TechSoEasy
cowpen

ASKER

Jeff,
Thanks. Right, so since I do have two internet connections, and the second IIS server is multihomed, I guess I'm back to looking for the solution to the routing / gateway situation. Just to clarify a little, a schematic of the network setup is attached in a code snippet below.
- cowpen



                          /--- IIS-1 (SBS2003 Server - OWA port 443) 
ISP1---Router---Switch ---  
          (10.0.10.0 net) \--- [NIC1 - 10.0.10.27]
                                 \
                                  IIS-2 (XP-SP2 - DG/route settings?)
                                 /
ISP2---Router----------------- [NIC1 - 192.168.1.2] (Oracle app port 443)
          (192.168.1.0 net)


Well, I just found out that apparently the RV042's latest firmware (1.3.8.1) will support separate LAN IP Subnets and One-to-One NAT.  So, that would be your better way to go.... and since it can do One-to-One NAT you should just use the same IP Subnet with a single NIC in each server.

See this article for the how-to:  http://www.smallnetbuilder.com/content/view/30186/51/1/1/

Jeff
TechSoEasy
ASKER CERTIFIED SOLUTION
cowpen

This solution is only available to members.

Well, I guess that would work since you have two separate Internet connections.  Normally in a business environment, you would use a single connection with multiple inbound IP Addresses.  But glad you got it working the way you want.

Jeff
TechSoEasy
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator