InterMountainMgmt asked:

Accessing IIS 7 Site Outside LAN

I am in the middle of transitioning from Windows SBS 2003 R2 to Exchange 2007 SP1 on a Server 2008 box with SBS 2003 as ADDC running IIS 5.0.  The SBS 2003 box runs our public site, our intranet (integrated Sharepoint 2.0), backups, antivirus, etc.  I also have a Transition pack for the SBS 2003, but don't want to transition it until I have successfully offloaded our e-mail to the new Exchange 2007 server.

Problem: I have been reading about a lot of issues with OWA (which about half our staff uses) when it is used in an Interop environment like this.  To try to avoid some of these issues, I thought I would just move the web server role to our new Exchange box, thus gaining the benefits of IIS 7.0.  I realize this is not a recommended scenario, but I am working on convincing mgmt that we need another server sometime next year to put the public site on and maybe run as an Edge Transport server.  We're not a heavy-traffic site, so it's not a big security threat (no more than running everything from one SBS server before, at least).

It seems to work beautifully from inside our LAN.  Even laptops that aren't joined to the domain can access the public site via FQDN or IP address while connected to our LAN.  But from outside the LAN, I can only get timeouts via either method (domain name or IP).

Details: Our domain name is directed to a static IP provided by our ISP.  That static IP hits a router in my server room where I forward ports 80 and 443 to my webserver.  When I forward them to the SBS 2003 box, the site loads fine - internal, external, the moon (I presume) - it runs like a champ.  When I forward them to the same site (copied contents to wwwroot on the new box) on my 2008 Server, it works from within the LAN, but not from outside.  

I have thoroughly examined permissions, authentication settings, access accounts, and everything else I can think of to figure out why one works and the other doesn't.  

Tracert from an external PC shows exactly the same results to either end machine.  

I am using an AD account from the SBS 2003 machine for access - the Internet Guest Account (IUSR_<DEVICE>) - I have added the domain/account to the local users of the 2008 box as a member of IIS_IUSRS group (tried as an Administrator also).  The Internet Guest Account (domain/account) has also been added to the Anonymous Authentication credentials in IIS 7 for the default site and the entire server.

The firewall on Server 2008 has rules allowing inbound HTTP & HTTPS traffic.

Like I said, it works fine internally, but times out externally.  Any suggestions of what else could be causing this would be most appreciated.  I am attaching some screen shots from the 2008 server.
scrAuthenticSite.jpg
scrCredent.jpg
scrFirewall.jpg
scrWWWroot.jpg
scrTest.jpg
InterMountainMgmt (ASKER)

Forgot to mention, this public site is nothing fancy.  Only serving html pages with a little Flash here and there.
Oh yeah, I also tried with the Authentication credentials for anonymous access set to "Application Pool".  No luck that way either.
Turned off the Windows Firewall completely also.  Still no external connectivity.
meverest
hi,

if it works fine in the lan but times out externally, then it is not an IIS issue, it is a network problem.

when accessing from the outside, can you ping the server?  when you try to ping using the hostname, does it resolve to the right ip address?  when you try to ping the ip address, does it time out?  When you try a traceroute (tracert) how far do you get before it fails?

did this even work before the changes were made?

cheers.
ASKER CERTIFIED SOLUTION
Jones911

This solution is only available to members.

OMG.  Was it really that easy?  Of course, I overlook the simplest things.  Jones911 - you hit the nail on the head.  There are two NICs connected, and only one had a default gateway set.  All other info on the NIC properties was identical - IP addresses one number apart, everything else correct.  But one didn't have anything in default GW.  

Now it works splendidly.  Thanks so much.  I never would have thought to trace the problem to the NIC GW.
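
The cause found in this thread (two connected NICs, only one with a default gateway) can be checked directly on the server. The script below is an added example, not code from the thread; it assumes PowerShell 2.0 or later on the web server, and `$ForwardTarget` is a hypothetical parameter for the internal address the router forwards ports 80 and 443 to (its default is a constructed placeholder).

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ run on the web server.
# $ForwardTarget is a hypothetical parameter: the internal IP the router forwards
# ports 80/443 to. The default below is a constructed placeholder.
param([string]$ForwardTarget = '192.0.2.10')

# Every adapter that currently has IP bound to it
$adapters = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

$report = foreach ($a in $adapters) {
    # DefaultIPGateway is $null when the field is empty in the NIC properties
    $gateways = @($a.DefaultIPGateway | Where-Object { $_ })
    New-Object PSObject -Property @{
        Adapter       = $a.Description
        IPAddress     = ($a.IPAddress -join ', ')
        Gateway       = ($gateways -join ', ')
        HasGateway    = ($gateways.Count -gt 0)
        ForwardTarget = ($a.IPAddress -contains $ForwardTarget)
    }
}

$report | Format-Table Adapter, IPAddress, Gateway, HasGateway, ForwardTarget -AutoSize

# Replies to clients outside the local subnet need a route back out.
foreach ($r in $report) {
    if ($r.ForwardTarget -and -not $r.HasGateway) {
        Write-Warning "$($r.Adapter) holds $ForwardTarget but has no default gateway."
    }
}
if (-not ($report | Where-Object { $_.ForwardTarget })) {
    Write-Warning "No IP-enabled adapter holds $ForwardTarget; check the router's forward."
}
```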