
Routing: Two ISP's, two servers, one port service

Posted on 2007-11-13
Last Modified: 2012-05-05

I need to provide port 443 services on two physically separate internal IIS servers. I looked at the Linksys RV042 dual WAN router, but the docs didn't suggest that it would support port forwarding for each WAN interface separately.

I have two separate internet connections each served by separate routers. So, I've installed a second NIC in the second IIS server. But I need to work out the routing on that machine so that everything works correctly - if it's possible.

Here's the setup:

Main internet connection serves the entire local network - 10.0.10.0/24.
      Router IP - 10.0.10.1
      Port 443 forwarded to 10.0.10.3 (IIS-1 server)

Second internet connection serves second NIC in multihomed second IIS server.
      Router IP - 192.168.1.1
      Port 443 forwarded to 192.168.1.2 (IIS-2 server)

IP config of IIS-2
      NIC1 IP - 10.0.10.27 (DHCP client)
      Default Gateway - 10.0.10.1

      NIC2 IP - 192.168.1.2 (static)
      Default Gateway - none


IIS-2 Route list:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27       20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27       20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:         10.0.10.1
===========================================================================
Persistent Routes:
  None

IIS-2 server config questions:
1. Which router should be the default gateway? Should the metric for the DG network be lower?
2. What persistent route should be added so that port 443 traffic is routed via 192.168.1.1, and internal domain traffic is routed via 10.0.10.1?
3. Should broadcasts be restricted to the main 10.0.10.0 network where the domain controller resides?

Also, I'm trying to do this config remotely via RDP, so if I can do it without locking myself out, that would save me an hour's drive which would be a plus. Port 3389 is temporarily forwarded to the IIS-2 server on both routers.

Thanks!

***Added to SBS and IIS Zones by TechSoEasy -- EE's Microsoft Zone Advisor***

Question by:cowpen
10 Comments
 
LVL 12

Expert Comment

by:weareit
ID: 20276946
On the server that currently has 443 forwarded to it, build a dummy site with the host header value of the actual site and set its Home Directory to be a URL.  The URL would be set to the URL of the site you want to access.

-saige-
0
 

Author Comment

by:cowpen
ID: 20284410
Wearit / saige:
Thank you - I hadn't thought about a home directory redirect on IIS-1 to a URL on IIS-2.

A couple of questions related to this potential solution:
1. The SSL application on IIS-2 requires a certificate from a third-party CA. Since this cert will specify the FQDN and be installed on IIS-2, won't a redirection from IIS-1 interfere?
2. I'm not sure what to enter for the Home Directory URL? Should it be a netbios name like https://IIS-2/, or should it be a FQDN like https://secure.mydomain.com/? If it's the latter, won't the port forwarding simply send the client right back to the dummy site on IIS-1?
3. When I try to create a dummy website on IIS-1 using port 443, I get a popup error "The SSL port cannot be the same as the TCP port." I can't find any reference to this error message.

Here is some further information that may be important:
- IIS-1 is an SBS 2003 server providing OWA on port 443.

IIS-1 Websites are as follows:
Description      Host Header   IP address          Port  SSL Port
Default Website  none          * All Unassigned *  80    443
companyweb       companyweb    10.0.10.3           80    444

- IIS-2 is an XP-SP2 box running IIS. A proprietary web app will provide services on port 443. It must run on this machine.

Thanks!
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20286424
You cannot use a host header with port 443.  You need two separate EXTERNAL IP addresses to have two separate SSL sites because SSL is IP specific.

Since SBS 2003 uses 443 for OWA, it cannot be used for another site without the additional External IP.

Jeff
TechSoEasy
0
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20286489
Sorry about that... I now am rereading your question and see that you do have a separate Internet Connection for this.  

The RV042 isn't the right router for you to use in this case because its two Internet Connections are for "load balancing and connection redundancy"  (according to Linksys:  http://snipr.com/1to3f)

If you used a single Internet Access Provider with multiple IP addresses, then you COULD use the RV042 by routing incoming traffic on a secondary IP to IIS-2.

Jeff
TechSoEasy
0
 

Author Comment

by:cowpen
ID: 20291475
Jeff,
Thanks. Right, so since I do have two internet connections, and the second IIS server is multihomed, I guess I'm back to looking for the solution to the routing / gateway situation. Just to clarify a little, a schematic of the network setup is attached in a code snippet below.
- cowpen



                          /--- IIS-1 (SBS2003 Server - OWA port 443) 
ISP1---Router---Switch ---  
          (10.0.10.0 net) \--- [NIC1 - 10.0.10.27]
                                 \
                                  IIS-2 (XP-SP2 - DG/route settings?)
                                 /
ISP2---Router----------------- [NIC1 - 192.168.1.2] (Oracle app port 443)
          (192.168.1.0 net)

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20296782
Well, I just found out that apparently the RV042's latest firmware (1.3.8.1) will support separate LAN IP Subnets and One-to-One NAT.  So, that would be your better way to go.... and since it can do One-to-One NAT you should just use the same IP Subnet with a single NIC in each server.

See this article for the how-to:  http://www.smallnetbuilder.com/content/view/30186/51/1/1/

Jeff
TechSoEasy
0
 

Accepted Solution

by:
cowpen earned 0 total points
ID: 20309746
The Linksys RV042 may provide the functionality needed, and I may opt for this if we decide that load balancing or failover is needed. However the original problem was resolved using existing equipment by modifying the routing table on IIS-2 as follows:

route add -p 0.0.0.0 mask 0.0.0.0 10.0.10.1
route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
route add -p 10.0.10.0 mask 255.255.255.0 10.0.10.1
route add -p 192.168.1.0 mask 255.255.255.0 192.168.1.1

There remains only a single gateway designated as originally configured - 10.0.10.1.

Thanks for the comments and suggestions.

- cowpen
0
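
The route selection behind the accepted answer, as an added example that is not part of the original thread: it models destination-based lookup (longest prefix, then lowest metric) over the IIS-2 table from the question and classifies the reply path for a client that arrived through the second router. The client address 203.0.113.50 and the metric of the added default route are assumptions, since the post does not show the resulting table.

```python
import ipaddress

# Unicast routes transcribed from the IIS-2 "route print" output in the question:
# (destination, netmask, gateway, interface, metric). Loopback, broadcast and
# multicast rows are left out because they never match an external client.
ORIGINAL = [
    ("0.0.0.0", "0.0.0.0", "10.0.10.1", "10.0.10.27", 20),
    ("10.0.10.0", "255.255.255.0", "10.0.10.27", "10.0.10.27", 20),
    ("192.168.1.0", "255.255.255.0", "192.168.1.2", "192.168.1.2", 10),
]
# Second default route from the accepted answer. Metric 20 is an ASSUMPTION;
# replace it with the value "route print" reports on the real machine.
ADDED_DEFAULT = ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.2", 20)
CLIENT = "203.0.113.50"  # constructed external client (documentation range)


def candidates(table, dst):
    """Best routes for dst: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = []
    for dest, mask, gateway, iface, metric in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in net:
            matches.append((net.prefixlen, metric, gateway, iface))
    if not matches:
        return []
    longest = max(m[0] for m in matches)
    same_len = [m for m in matches if m[0] == longest]
    lowest = min(m[1] for m in same_len)
    return [(gw, iface) for _, metric, gw, iface in same_len if metric == lowest]


def return_path(table, client_ip, arrived_on):
    """Classify the reply path for a connection that arrived on `arrived_on`."""
    ifaces = {iface for _, iface in candidates(table, client_ip)}
    if not ifaces:
        return "unroutable"
    if ifaces == {arrived_on}:
        return "symmetric"
    if arrived_on in ifaces:
        return "ambiguous"   # equal-metric tie; the result depends on the OS tie-break
    return "asymmetric"      # reply leaves through the other ISP's router


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("with added default", ORIGINAL + [ADDED_DEFAULT])):
        print(name, "->", return_path(table, CLIENT, "192.168.1.2"))
```

Run against the live `route print` values, a result other than "symmetric" for the 192.168.1.2 interface means replies to port 443 clients can leave through the 10.0.10.1 router.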
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20310581
Well, I guess that would work since you have two separate Internet connections.  Normally in a business environment, you would use a single connection with multiple inbound IP Addresses.  But glad you got it working the way you want.

Jeff
TechSoEasy
0
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20333956
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0
