cowpen
asked on
Routing: Two ISP's, two servers, one port service
I need to provide port 443 services on two physically separate internal IIS servers. I looked at the Linksys RV042 dual WAN router, but the docs didn't suggest that it would support port forwarding for each WAN interface separately.
I have two separate internet connections each served by separate routers. So, I've installed a second NIC in the second IIS server. But I need to work out the routing on that machine so that everything works correctly - if it's possible.
Here's the setup:
Main internet connection serves the entire local network - 10.0.10.0/24.
Router IP - 10.0.10.1
Port 443 forwarded to 10.0.10.3 (IIS-1 server)
Second internet connection serves second NIC in multihomed second IIS server.
Router IP - 192.168.1.1
Port 443 forwarded to 192.168.1.2 (IIS-2 server)
IP config of IIS-2
NIC1 IP - 10.0.10.27 (DHCP client)
Default Gateway - 10.0.10.1
NIC2 IP - 192.168.1.2 (static)
Default Gateway - none
IIS-2 Route list:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27      20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27      20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1      20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2      10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2      10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27      20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2      10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:         10.0.10.1
===========================================================================
Persistent Routes:
  None
IIS-2 server config questions:
1. Which router should be the default gateway? Should the metric for the DG network be lower?
2. What persistent route should be added so that port 443 traffic is routed via 192.168.1.1, and internal domain traffic is routed via 10.0.10.1?
3. Should broadcasts be restricted to the main 10.0.10.0 network where the domain controller resides?
Also, I'm trying to do this config remotely via RDP, so if I can do it without locking myself out, that would save me an hour's drive which would be a plus. Port 3389 is temporarily forwarded to the IIS-2 server on both routers.
Thanks!
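As an added illustration of why question 2 is awkward (this is not code from the thread): the script below parses the Active Routes block posted above and applies the rule Windows uses to pick a route, longest prefix first and lowest metric on a tie, then checks whether a reply to an Internet client would leave through the router on the same subnet as the NIC that accepted the connection. The client address 203.0.113.9 is a constructed test value, and the second default route with metric 5 is a hypothetical "what if" entry, not something the asker configured.

```python
# Added example: longest-prefix / lowest-metric lookup over cowpen's route table.
import ipaddress

# Constructed from the Active Routes block in the question (values unchanged);
# host, broadcast and multicast rows are omitted because they never match an
# Internet destination.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.0.10.1 10.0.10.27 20
10.0.10.0 255.255.255.0 10.0.10.27 10.0.10.27 20
10.0.10.27 255.255.255.255 127.0.0.1 127.0.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 10
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 10
"""

def parse_routes(text):
    """Turn 'destination netmask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Return the (gateway, interface) pair Windows would choose for dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return (best[1], best[2]) if best else None

def reply_leaves_correct_isp(routes, client_ip, local_ip):
    """True if a reply sent from local_ip exits via the NIC that owns local_ip."""
    _gw, iface = lookup(routes, client_ip)
    return iface == local_ip

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for local in ("10.0.10.27", "192.168.1.2"):
        ok = reply_leaves_correct_isp(routes, "203.0.113.9", local)
        print(f"reply from {local}: {'correct' if ok else 'wrong'} router")
    # Hypothetical second default route via ISP2 with a lower metric:
    routes2 = routes + parse_routes("0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 5")
    for local in ("10.0.10.27", "192.168.1.2"):
        ok = reply_leaves_correct_isp(routes2, "203.0.113.9", local)
        print(f"with ISP2 default, reply from {local}: {'correct' if ok else 'wrong'} router")
```

Whichever default route wins, replies from the other NIC are sent to the wrong ISP's router; the route table keys only on destination, so no single persistent route can steer port 443 replies by the interface they arrived on.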
***Added to SBS and IIS Zones by TechSoEasy -- EE's Microsoft Zone Advisor***
ASKER
Wearit / saige:
Thank you - I hadn't thought about a home directory redirect on IIS-1 to a URL on IIS-2.
A couple of questions related to this potential solution:
1. The SSL application on IIS-2 requires a certificate from a third-party CA. Since this cert will specify the FQDN and be installed on IIS-2, won't a redirection from IIS-1 interfere?
2. I'm not sure what to enter for the Home Directory URL? Should it be a netbios name like https://IIS-2/, or should it be a FQDN like https://secure.mydomain.com/? If it's the latter, won't the port forwarding simply send the client right back to the dummy site on IIS-1?
3. When I try to create a dummy website on IIS-1 using port 443, I get a popup error "The SSL port cannot be the same as the TCP port." I can't find any reference to this error message.
Here is some further information that may be important:
- IIS-1 is an SBS 2003 server providing OWA on port 443.
IIS-1 Websites are as follows:
Description       Host Header   IP address           Port   SSL Port
Default Website   none          * All Unassigned *   80     443
companyweb        companyweb    10.0.10.3            80     444
- IIS-2 is an XP-SP2 box running IIS. A proprietary web app will provide services on port 443. It must run on this machine.
Thanks!
You cannot use a host header with port 443. You need two separate EXTERNAL IP addresses to have two separate SSL sites because SSL is IP specific.
Since SBS 2003 uses 443 for OWA, it cannot be used for another site without the additional External IP.
Jeff
TechSoEasy
Sorry about that... I now am rereading your question and see that you do have a separate Internet Connection for this.
The RV042 isn't the right router for you to use in this case because its two Internet Connections are for "load balancing and connection redundancy" (according to Linksys: http://snipr.com/1to3f)
If you used a single Internet Access Provider with multiple IP addresses, then you COULD use the RV042 by routing incoming traffic on a secondary IP to IIS-2.
Jeff
TechSoEasy
ASKER
Jeff,
Thanks. Right, so since I do have two internet connections, and the second IIS server is multihomed, I guess I'm back to looking for the solution to the routing / gateway situation. Just to clarify a little, a schematic of the network setup is attached in a code snippet below.
- cowpen
                              /--- IIS-1 (SBS2003 Server - OWA port 443)
ISP1---Router---Switch -------
(10.0.10.0 net)               \--- [NIC1 - 10.0.10.27]
                                        \
                                         IIS-2 (XP-SP2 - DG/route settings?)
                                        /
ISP2---Router------------------ [NIC1 - 192.168.1.2] (Oracle app port 443)
(192.168.1.0 net)
Well, I just found out that apparently the RV042's latest firmware (1.3.8.1) will support separate LAN IP Subnets and One-to-One NAT. So, that would be your better way to go... and since it can do One-to-One NAT you should just use the same IP Subnet with a single NIC in each server.
See this article for the how-to: http://www.smallnetbuilder.com/content/view/30186/51/1/1/
Jeff
TechSoEasy
Well, I guess that would work since you have two separate Internet connections. Normally in a business environment, you would use a single connection with multiple inbound IP Addresses. But glad you got it working the way you want.
Jeff
TechSoEasy
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator