• Status: Solved
  • Priority: Medium
  • Security: Public

Routing: Two ISPs, two servers, one port service

I need to provide port 443 services on two physically separate internal IIS servers. I looked at the Linksys RV042 dual WAN router, but the docs didn't suggest that it would support port forwarding for each WAN interface separately.

I have two separate internet connections each served by separate routers. So, I've installed a second NIC in the second IIS server. But I need to work out the routing on that machine so that everything works correctly - if it's possible.

Here's the setup:

Main internet connection serves the entire local network - 10.0.10.0/24.
    Router IP - 10.0.10.1
    Port 443 forwarded to 10.0.10.3 (IIS-1 server)

Second internet connection serves second NIC in multihomed second IIS server.
    Router IP - 192.168.1.1
    Port 443 forwarded to 192.168.1.2 (IIS-2 server)

IP config of IIS-2
    NIC1 IP - 10.0.10.27 (DHCP client)
    Default Gateway - 10.0.10.1

    NIC2 IP - 192.168.1.2 (static)
    Default Gateway - none


IIS-2 Route list:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27       20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27       20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:         10.0.10.1
===========================================================================
Persistent Routes:
  None

IIS-2 server config questions:
1. Which router should be the default gateway? Should the metric for the DG network be lower?
2. What persistent route should be added so that port 443 traffic is routed via 192.168.1.1, and internal domain traffic is routed via 10.0.10.1?
3. Should broadcasts be restricted to the main 10.0.10.0 network where the domain controller resides?

Also, I'm trying to do this config remotely via RDP, so if I can do it without locking myself out, that would save me an hour's drive which would be a plus. Port 3389 is temporarily forwarded to the IIS-2 server on both routers.

Thanks!

***Added to SBS and IIS Zones by TechSoEasy -- EE's Microsoft Zone Advisor***

0
Asked by: cowpen
1 Solution
 
weareit Commented:
On the server that currently has 443 forwarded to it, build a dummy site with the host header value of the actual site and set its Home Directory to be a URL.  The URL would be set to the URL of the site you want to access.

-saige-
0
 
cowpen (Author) Commented:
Wearit / saige:
Thank you - I hadn't thought about a home directory redirect on IIS-1 to a URL on IIS-2.

A couple of questions related to this potential solution:
1. The SSL application on IIS-2 requires a certificate from a third-party CA. Since this cert will specify the FQDN and be installed on IIS-2, won't a redirection from IIS-1 interfere?
2. I'm not sure what to enter for the Home Directory URL? Should it be a netbios name like https://IIS-2/, or should it be a FQDN like https://secure.mydomain.com/? If it's the latter, won't the port forwarding simply send the client right back to the dummy site on IIS-1?
3. When I try to create a dummy website on IIS-1 using port 443, I get a popup error "The SSL port cannot be the same as the TCP port." I can't find any reference to this error message.

Here is some further information that may be important:
- IIS-1 is an SBS 2003 server providing OWA on port 443.

IIS-1 Websites are as follows:
Description       Host Header    IP address             Port   SSL Port
Default Website   none           * All Unassigned *     80     443
companyweb        companyweb     10.0.10.3              80     444

- IIS-2 is an XP-SP2 box running IIS. A proprietary web app will provide services on port 443. It must run on this machine.

Thanks!
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You cannot use a host header with port 443.  You need two separate EXTERNAL IP addresses to have two separate SSL sites because SSL is IP specific.

Since SBS 2003 uses 443 for OWA, it cannot be used for another site without the additional External IP.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Sorry about that... I now am rereading your question and see that you do have a separate Internet Connection for this.  

The RV042 isn't the right router for you to use in this case because its two Internet Connections are for "load balancing and connection redundancy"  (according to Linksys:  http://snipr.com/1to3f)

If you used a single Internet Access Provider with multiple IP addresses, then you COULD use the RV042 by routing incoming traffic on a secondary IP to IIS-2.

Jeff
TechSoEasy
0
 
cowpen (Author) Commented:
Jeff,
Thanks. Right, so since I do have two internet connections, and the second IIS server is multihomed, I guess I'm back to looking for the solution to the routing / gateway situation. Just to clarify a little, a schematic of the network setup is attached in a code snippet below.
- cowpen



                          /--- IIS-1 (SBS2003 Server - OWA port 443) 
ISP1---Router---Switch ---  
          (10.0.10.0 net) \--- [NIC1 - 10.0.10.27]
                                 \
                                  IIS-2 (XP-SP2 - DG/route settings?)
                                 /
ISP2---Router----------------- [NIC1 - 192.168.1.2] (Oracle app port 443)
          (192.168.1.0 net)

0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, I just found out that apparently the RV042's latest firmware (1.3.8.1) will support separate LAN IP Subnets and One-to-One NAT.  So, that would be your better way to go.... and since it can do One-to-One NAT you should just use the same IP Subnet with a single NIC in each server.

See this article for the how-to:  http://www.smallnetbuilder.com/content/view/30186/51/1/1/

Jeff
TechSoEasy
0
 
cowpen (Author) Commented:
The Linksys RV042 may provide the functionality needed, and I may opt for this if we decide that load balancing or failover is needed. However the original problem was resolved using existing equipment by modifying the routing table on IIS-2 as follows:

route add -p 0.0.0.0 mask 0.0.0.0 10.0.10.1
route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
route add -p 10.0.10.0 mask 255.255.255.0 10.0.10.1
route add -p 192.168.1.0 mask 255.255.255.0 192.168.1.1

There remains only a single gateway designated as originally configured - 10.0.10.1.

Thanks for the comments and suggestions.

- cowpen
0
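As an added example (not from the thread or any of its posters), a short Python model of the destination-based lookup that the IIS-2 route list above performs: it parses a constructed copy of the Active Routes rows, applies longest-prefix match with the metric as tie-break, and shows that a reply to an internet client leaves via 10.0.10.1 on NIC1 even when the connection arrived on NIC2, which is the asymmetry question 2 in the original post is asking about.

```python
import ipaddress

# Constructed copy of the "Active Routes" block from the IIS-2 route list above.
ROUTE_TABLE = """\
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27       20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27       20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
"""

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into (network, gw, iface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Return (gateway, interface) for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else best[1:]

ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) internet client address.
    for dst in ("10.0.10.3", "192.168.1.1", "203.0.113.10", "224.0.0.5"):
        print(dst, "->", lookup(ROUTES, dst))
```

This only reproduces the destination-based lookup; it does not model Windows dead-gateway detection or per-socket interface binding, so it shows where a packet would go under the table as printed, not every behaviour of the real stack.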
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, I guess that would work since you have two separate Internet connections.  Normally in a business environment, you would use a single connection with multiple inbound IP Addresses.  But glad you got it working the way you want.

Jeff
TechSoEasy
0
 
Vee_Mod Commented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0
