• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 936
  • Last Modified:

Accessing IIS 7 Site Outside LAN

I am in the middle of transitioning from Windows SBS 2003 R2 to Exchange 2007 SP1 on a Server 2008 box with SBS 2003 as ADDC running IIS 5.0.  The SBS 2003 box runs our public site, our intranet (integrated Sharepoint 2.0), backups, antivirus, etc.  I also have a Transition pack for the SBS 2003, but don't want to transition it until I have successfully offloaded our e-mail to the new Exchange 2007 server.

Problem: I have been reading about a lot of issues with OWA (which about half our staff uses) when it is used in a Interop environment like this.  To try to avoid some of these issues, I thought I would just move the web server role to our new Exchange box, thus gaining the benefits of IIS 7.0.  I realize this is not a recommended scenario, but I am working on convincing mgmt that we need another server sometime next year to put the public site on and maybe run as an Edge Transport server.  We're not a heavy-traffic site, so it's not a big security threat (no more than running everything from one SBS server before, at least).

It seems to work beautifully from inside our LAN.  Even laptops that aren't joined to the domain can access the public site via FQDN or IP address while connected to our LAN.  But from outside the LAN, I can only get timeouts via either method (domain name or IP).

Details: Our domain name is directed to a static IP provided by our ISP.  That static IP hits a router in my server room where I forward ports 80 and 443 to my webserver.  When I forward them to the SBS 2003 box, the site loads fine - internal, external, the moon (I presume) - it runs like a champ.  When I forward them to the same site (copied contents to wwwroot on the new box) on my 2008 Server, it works from within the LAN, but not from outside.  

I have thoroughly examined permissions, authentication settings, access accounts, and everything else I can think of to figure out why one works and the other doesn't.  

Tracert from an external PC shows exactly the same results to either end machine.  

I am using an AD account from the SBS 2003 machine for access - the Internet Guest Account (IUSR_<DEVICE>) - I have added the domain/account to the local users of the 2008 box as a member of IIS_IUSRS group (tried as an Administrator also).  The Internet Guest Account (domain/account) has also been added to the Anonymous Authentication credentials in IIS 7 for the default site and the entire server.

The firewall on Server 2008 has rules allowing inbound HTTP & HTTPS traffic.

Like I said, it works fine internally, but times out externally.  Any suggestions of what else could be causing this would be most appreciated.  I am attaching some screen shots from the 2008 server.
  • 3
1 Solution
InterMountainMgmtAuthor Commented:
Forgot to mention, this public site is nothing fancy.  Only serving html pages with a little Flash here and there.
InterMountainMgmtAuthor Commented:
Oh yeah, I also tried with the Authentication credentials for anonymous access set to "Application Pool".  No luck that way either.
Turned off the Windows Firewall completely also.  Still no external connectivity.

if it works fine in the lan but times out externally, then it is not an IIS issue, it is a network problem.

when accessing from the outside, can you ping the server?  when you try to ping using the hostname, does it resolve to the right ip address?  when you try to ping the ip address, does it time out?  When you try a traceroute (tracert) how far do you get before it fails?

did this even work before the changes were made?

Is the default gateway on the Server set to the routers IP?  It might not know how to get back out onto the net?
InterMountainMgmtAuthor Commented:
OMG.  Was it really that easy?  Of course, I overlook the simplest things.  Jones911 - you hit the nail on the head.  There are two NICs connected, and only one had a default gateway set.  All other info on the NIC properties was identical - IP addresses one number apart, everything else correct.  But one didn't have anything in default GW.  

Now it works splendidly.  Thanks so much.  I never would have thought to trace the problem to the NIC GW.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now