Accessing IIS 7 Site Outside LAN

Posted on 2008-11-06
Last Modified: 2011-10-19
I am in the middle of transitioning from Windows SBS 2003 R2 to Exchange 2007 SP1 on a Server 2008 box with SBS 2003 as ADDC running IIS 5.0.  The SBS 2003 box runs our public site, our intranet (integrated Sharepoint 2.0), backups, antivirus, etc.  I also have a Transition pack for the SBS 2003, but don't want to transition it until I have successfully offloaded our e-mail to the new Exchange 2007 server.

Problem: I have been reading about a lot of issues with OWA (which about half our staff uses) when it is used in an Interop environment like this.  To try to avoid some of these issues, I thought I would just move the web server role to our new Exchange box, thus gaining the benefits of IIS 7.0.  I realize this is not a recommended scenario, but I am working on convincing mgmt that we need another server sometime next year to put the public site on and maybe run as an Edge Transport server.  We're not a heavy-traffic site, so it's not a big security threat (no more than running everything from one SBS server before, at least).

It seems to work beautifully from inside our LAN.  Even laptops that aren't joined to the domain can access the public site via FQDN or IP address while connected to our LAN.  But from outside the LAN, I can only get timeouts via either method (domain name or IP).

Details: Our domain name is directed to a static IP provided by our ISP.  That static IP hits a router in my server room where I forward ports 80 and 443 to my webserver.  When I forward them to the SBS 2003 box, the site loads fine - internal, external, the moon (I presume) - it runs like a champ.  When I forward them to the same site (copied contents to wwwroot on the new box) on my 2008 Server, it works from within the LAN, but not from outside.  

I have thoroughly examined permissions, authentication settings, access accounts, and everything else I can think of to figure out why one works and the other doesn't.  

Tracert from an external PC shows exactly the same results to either end machine.  

I am using an AD account from the SBS 2003 machine for access - the Internet Guest Account (IUSR_<DEVICE>) - I have added the domain/account to the local users of the 2008 box as a member of IIS_IUSRS group (tried as an Administrator also).  The Internet Guest Account (domain/account) has also been added to the Anonymous Authentication credentials in IIS 7 for the default site and the entire server.

The firewall on Server 2008 has rules allowing inbound HTTP & HTTPS traffic.

Like I said, it works fine internally, but times out externally.  Any suggestions of what else could be causing this would be most appreciated.  I am attaching some screen shots from the 2008 server.
Question by:InterMountainMgmt

    Author Comment

    Forgot to mention, this public site is nothing fancy.  Only serving html pages with a little Flash here and there.

    Author Comment

    Oh yeah, I also tried with the Authentication credentials for anonymous access set to "Application Pool".  No luck that way either.
    Turned off the Windows Firewall completely also.  Still no external connectivity.

    Expert Comment


    If it works fine in the LAN but times out externally, then it is not an IIS issue, it is a network problem.

    When accessing from the outside, can you ping the server?  When you try to ping using the hostname, does it resolve to the right IP address?  When you try to ping the IP address, does it time out?  When you try a traceroute (tracert), how far do you get before it fails?

    Did this even work before the changes were made?


    Accepted Solution

    Is the default gateway on the Server set to the router's IP?  It might not know how to get back out onto the net?

    Author Closing Comment

    OMG.  Was it really that easy?  Of course, I overlook the simplest things.  Jones911 - you hit the nail on the head.  There are two NICs connected, and only one had a default gateway set.  All other info on the NIC properties was identical - IP addresses one number apart, everything else correct.  But one didn't have anything in default GW.  

    Now it works splendidly.  Thanks so much.  I never would have thought to trace the problem to the NIC GW.
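
The check that resolved this thread, as an added example (not code from any poster): list each IP-enabled adapter on the web server and flag the case where the address the router forwards ports 80 and 443 to sits on a NIC with no default gateway, which lets on-link LAN clients connect while replies to Internet clients have no route out. `$ForwardTarget` and its default value are constructed placeholders; the script assumes PowerShell 2.0 or later.

```powershell
# Added example. $ForwardTarget is a constructed placeholder: set it to the
# internal IP address that the router forwards ports 80/443 to.
param([string]$ForwardTarget = '192.168.1.11')

# Win32_NetworkAdapterConfiguration is exposed through WMI on Server 2008.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$report = foreach ($a in $adapters) {
    # DefaultIPGateway is $null when the NIC has no gateway configured.
    $gw = @($a.DefaultIPGateway | Where-Object { $_ })
    New-Object PSObject -Property @{
        Adapter     = $a.Description
        IPAddress   = ($a.IPAddress -join ', ')
        Gateway     = ($gw -join ', ')
        HasGateway  = ($gw.Count -gt 0)
        IsFwdTarget = ($a.IPAddress -contains $ForwardTarget)
    }
}

$report | Format-Table Adapter, IPAddress, Gateway, HasGateway, IsFwdTarget -AutoSize

# Which adapter(s) own the address the router forwards to?
$hits = @($report | Where-Object { $_.IsFwdTarget })

if ($hits.Count -eq 0) {
    Write-Warning "No local adapter holds $ForwardTarget; check the router's port-forward rule."
}

foreach ($h in $hits) {
    if ($h.HasGateway) {
        Write-Output "OK: '$($h.Adapter)' holds $ForwardTarget and has gateway $($h.Gateway)."
    }
    else {
        # The condition found in this thread: reachable from the LAN,
        # timeouts from outside because replies cannot leave the subnet.
        Write-Warning "'$($h.Adapter)' holds $ForwardTarget but has no default gateway."
    }
}
```

On a server with two NICs in the same subnet, as here, also confirm that the router's forwarding rule points at the address you expect; an unused second NIC is better disabled than left half-configured.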
