Solved

Routing: Two ISPs, two servers, one port service

Posted on 2007-11-13
Last Modified: 2012-05-05
I need to provide port 443 services on two physically separate internal IIS servers. I looked at the Linksys RV042 dual WAN router, but the docs didn't suggest that it would support port forwarding for each WAN interface separately.

I have two separate internet connections each served by separate routers. So, I've installed a second NIC in the second IIS server. But I need to work out the routing on that machine so that everything works correctly - if it's possible.

Here's the setup:

Main internet connection serves the entire local network - 10.0.10.0/24.
      Router IP - 10.0.10.1
      Port 443 forwarded to 10.0.10.3 (IIS-1 server)

Second internet connection serves second NIC in multihomed second IIS server.
      Router IP - 192.168.1.1
      Port 443 forwarded to 192.168.1.2 (IIS-2 server)

IP config of IIS-2
      NIC1 IP - 10.0.10.27 (DHCP client)
      Default Gateway - 10.0.10.1

      NIC2 IP - 192.168.1.2 (static)
      Default Gateway - none


IIS-2 Route list:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.10.1      10.0.10.27       20
        10.0.10.0    255.255.255.0       10.0.10.27      10.0.10.27       20
       10.0.10.27  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       10
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       10
        224.0.0.0        240.0.0.0       10.0.10.27      10.0.10.27       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       10
  255.255.255.255  255.255.255.255       10.0.10.27      10.0.10.27       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:         10.0.10.1
===========================================================================
Persistent Routes:
  None

IIS-2 server config questions:
1. Which router should be the default gateway? Should the metric for the DG network be lower?
2. What persistent route should be added so that port 443 traffic is routed via 192.168.1.1, and internal domain traffic is routed via 10.0.10.1?
3. Should broadcasts be restricted to the main 10.0.10.0 network where the domain controller resides?

Also, I'm trying to do this config remotely via RDP, so if I can do it without locking myself out, that would save me an hour's drive which would be a plus. Port 3389 is temporarily forwarded to the IIS-2 server on both routers.

Thanks!

Question by:cowpen

Expert Comment

by:weareit
ID: 20276946
On the server that currently has 443 forwarded to it, build a dummy site with the host header value of the actual site and set its Home Directory to be a URL.  The URL would be set to the URL of the site you want to access.

-saige-

Author Comment

by:cowpen
ID: 20284410
Wearit / saige:
Thank you - I hadn't thought about a home directory redirect on IIS-1 to a URL on IIS-2.

A couple of questions related to this potential solution:
1. The SSL application on IIS-2 requires a certificate from a third-party CA. Since this cert will specify the FQDN and be installed on IIS-2, won't a redirection from IIS-1 interfere?
2. I'm not sure what to enter for the Home Directory URL. Should it be a netbios name like https://IIS-2/, or should it be a FQDN like https://secure.mydomain.com/? If it's the latter, won't the port forwarding simply send the client right back to the dummy site on IIS-1?
3. When I try to create a dummy website on IIS-1 using port 443, I get a popup error "The SSL port cannot be the same as the TCP port." I can't find any reference to this error message.

Here is some further information that may be important:
- IIS-1 is an SBS 2003 server providing OWA on port 443.

IIS-1 Websites are as follows:
Description        Host Header    IP address            Port   SSL Port
Default Website    none           * All Unassigned *    80     443
companyweb         companyweb     10.0.10.3             80     444

- IIS-2 is an XP-SP2 box running IIS. A proprietary web app will provide services on port 443. It must run on this machine.

Thanks!

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20286424
You cannot use a host header with port 443.  You need two separate EXTERNAL IP addresses to have two separate SSL sites because SSL is IP specific.

Since SBS 2003 uses 443 for OWA, it cannot be used for another site without the additional External IP.

Jeff
TechSoEasy

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20286489
Sorry about that... I am now rereading your question and see that you do have a separate Internet Connection for this.

The RV042 isn't the right router for you to use in this case because its two Internet Connections are for "load balancing and connection redundancy" (according to Linksys: http://snipr.com/1to3f).

If you used a single Internet Access Provider with multiple IP addresses, then you COULD use the RV042 by routing incoming traffic on a secondary IP to IIS-2.

Jeff
TechSoEasy
Author Comment

by:cowpen
ID: 20291475
Jeff,
Thanks. Right, so since I do have two internet connections, and the second IIS server is multihomed, I guess I'm back to looking for the solution to the routing / gateway situation. Just to clarify a little, a schematic of the network setup is attached in a code snippet below.
- cowpen




                          /--- IIS-1 (SBS2003 Server - OWA port 443)
ISP1---Router---Switch ---
          (10.0.10.0 net) \--- [NIC1 - 10.0.10.27]
                                 \
                                  IIS-2 (XP-SP2 - DG/route settings?)
                                 /
ISP2---Router----------------- [NIC1 - 192.168.1.2] (Oracle app port 443)
          (192.168.1.0 net)


Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20296782
Well, I just found out that apparently the RV042's latest firmware (1.3.8.1) will support separate LAN IP Subnets and One-to-One NAT. So, that would be your better way to go... and since it can do One-to-One NAT you should just use the same IP Subnet with a single NIC in each server.

See this article for the how-to:  http://www.smallnetbuilder.com/content/view/30186/51/1/1/

Jeff
TechSoEasy
Accepted Solution

by:cowpen (earned 0 total points)
ID: 20309746
The Linksys RV042 may provide the functionality needed, and I may opt for this if we decide that load balancing or failover is needed. However the original problem was resolved using existing equipment by modifying the routing table on IIS-2 as follows:

route add -p 0.0.0.0 mask 0.0.0.0 10.0.10.1
route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
route add -p 10.0.10.0 mask 255.255.255.0 10.0.10.1
route add -p 192.168.1.0 mask 255.255.255.0 192.168.1.1

There remains only a single gateway designated as originally configured - 10.0.10.1.

Thanks for the comments and suggestions.

- cowpen
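As an added example that is not part of this thread, the following Python model applies the destination-based selection rule Windows uses on a table like the one above (longest matching prefix wins; among equal prefixes the lowest metric wins) to the IIS-2 routes posted in the question plus the four persistent routes in the accepted solution. The metrics on the two default routes are an assumption taken from the interface metrics in the posted `route print` output (20 on NIC1, 10 on NIC2), and 198.51.100.7 is a constructed client address; the second function checks whether a reply to an internet client would leave on the interface the request arrived on.

```python
import ipaddress

# Route table for IIS-2 as reconstructed from the posted "route print" output
# plus the persistent routes in the accepted solution. The metrics on the two
# default routes are an assumption: the posted table shows interface metric
# 20 on NIC1 (10.0.10.27) and 10 on NIC2 (192.168.1.2).
ROUTES = [
    # (destination,  netmask,          gateway,       interface,     metric)
    ("0.0.0.0",      "0.0.0.0",        "10.0.10.1",   "10.0.10.27",  20),
    ("0.0.0.0",      "0.0.0.0",        "192.168.1.1", "192.168.1.2", 10),
    ("10.0.10.0",    "255.255.255.0",  "10.0.10.27",  "10.0.10.27",  20),
    ("192.168.1.0",  "255.255.255.0",  "192.168.1.2", "192.168.1.2", 10),
    ("127.0.0.0",    "255.0.0.0",      "127.0.0.1",   "127.0.0.1",   1),
]


def lookup(dst, routes=ROUTES):
    """Forwarding decision for one destination: the longest matching prefix
    wins, and among equal prefix lengths the lowest metric wins.
    Returns (gateway, interface)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gateway, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if addr not in net:
            continue
        rank = (-net.prefixlen, metric)   # smaller tuple = preferred route
        if best is None or rank < best[0]:
            best = (rank, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_is_symmetric(client, arriving_iface, routes=ROUTES):
    """True if a reply to `client` leaves on the interface the request came in
    on. Routing is destination-based only, so a request that arrived on one
    NIC may be answered through the other NIC's gateway; that asymmetry is
    what to check for when a dual-homed host carries two default routes."""
    _, out_iface = lookup(client, routes)
    return out_iface == arriving_iface


if __name__ == "__main__":
    # 198.51.100.7 is a constructed example client address (TEST-NET-2).
    for dst in ("10.0.10.1", "192.168.1.1", "198.51.100.7"):
        print(dst, "->", lookup(dst))
    print("reply via NIC2 symmetric:", reply_is_symmetric("198.51.100.7", "192.168.1.2"))
```

Running it against the real host's `route print` metrics instead of the assumed ones shows which of the two default routes actually carries internet-bound replies.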

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20310581
Well, I guess that would work since you have two separate Internet connections.  Normally in a business environment, you would use a single connection with multiple inbound IP Addresses.  But glad you got it working the way you want.

Jeff
TechSoEasy

Expert Comment

by:Vee_Mod
ID: 20333956
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator